2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runer
33 #include <dpl/test/test_runner.h>
34 #include <dpl/test/test_runner_child.h>
35 #include <dpl/log/log.h>
36 #include <sys/types.h>
39 #include <sys/xattr.h>
40 #include <sys/smack.h>
41 #include <sys/types.h>
42 #include <sys/socket.h>
45 #include <privilege-control.h>
50 #define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/"
51 #define SMACK_LOAD2 "/smack/load2"
52 #define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
53 #define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
54 #define APPID_DIR "test_APP_ID_dir"
55 #define APPID_SHARED_DIR "test_APP_ID_shared_dir"
56 #define CANARY_LABEL "tiny_yellow_canary"
58 #define APP_ID "test_APP"
59 #define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
60 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
62 #define WGT_APP_ID "QwCqJ0ttyS"
63 #define WGT_PARTNER_APP_ID "7btsV1Y0sX"
64 #define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
65 #define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
66 #define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
67 #define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
68 #define OSP_APP_ID "uqNfgEjqc7"
69 #define OSP_PARTNER_APP_ID "j4RuPsZrNt"
70 #define OSP_PLATFORM_APP_ID "V5LKqDFBXm"
71 #define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp"
72 #define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner"
73 #define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform"
75 const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
76 const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
77 const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
78 const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
79 const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
80 const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
81 const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
83 #define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
84 #define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
85 #define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
86 #define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac"
88 #define APP_TEST_APP_1 "test-application1"
89 #define APP_TEST_APP_2 "test-application_2"
90 #define APP_TEST_APP_3 "test-app-3"
91 #define APP_TEST_AV_1 "test-antivirus1"
92 #define APP_TEST_AV_2 "test-antivirus_2"
93 #define APP_TEST_AV_3 "test-av-3"
95 #define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
96 #define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
97 #define SMACK_PUBLIC_DIRS_DATABASE "/opt/dbspace/.privilege_control_public_dirs.db"
98 #define SMACK_APPS_SETTINGS_LABELS_DATABASE "/opt/dbspace/.privilege_control_app_setting.db"
99 #define SMACK_SETTINGS_DIRS_DATABASE "/opt/dbspace/.privilege_control_setting_dir.db"
101 #define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1"
102 #define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2"
103 #define APP_TEST_AV_ASP1 "test-app-av-asp1"
104 #define APP_TEST_AV_ASP2 "test-app-av-asp2"
106 #define SOCK_PATH "/tmp/test-smack-socket"
110 #define APP_USER_NAME "app"
111 #define APP_HOME_DIR "/opt/home/app"
113 #define APP_FRIEND_1 "app_friend_1"
114 #define APP_FRIEND_2 "app_friend_2"
116 // How many open file descriptors should ftw() function use?
117 #define FTW_MAX_FDS 16
119 // Rules from test_privilege_control_rules.smack
120 const std::vector< std::vector<std::string> > rules = {
121 { APP_ID, "test_book_1", "r" },
122 { APP_ID, "test_book_2", "w" },
123 { APP_ID, "test_book_3", "x" },
124 { APP_ID, "test_book_4", "rw" },
125 { APP_ID, "test_book_5", "rx" },
126 { APP_ID, "test_book_6", "wx" },
127 { APP_ID, "test_book_7", "rwx" },
128 { "test_subject_1", APP_ID, "r" },
129 { "test_subject_2", APP_ID, "w" },
130 { "test_subject_3", APP_ID, "x" },
131 { "test_subject_4", APP_ID, "rw" },
132 { "test_subject_5", APP_ID, "rx" },
133 { "test_subject_6", APP_ID, "wx" },
134 { "test_subject_7", APP_ID, "rwx" },
135 { APP_ID, APPID_SHARED_DIR, "rwxat"}};
137 // Rules from test_privilege_control_rules2.smack
138 const std::vector< std::vector<std::string> > rules2 = {
139 { APP_ID, "test_book_8", "r" },
140 { APP_ID, "test_book_9", "w" },
141 { APP_ID, "test_book_10", "x" },
142 { APP_ID, "test_book_11", "rw" },
143 { APP_ID, "test_book_12", "rx" },
144 { APP_ID, "test_book_13", "wx" },
145 { APP_ID, "test_book_14", "rwx" },
146 { APP_ID, "test_book_15", "rwxat" },
147 { "test_subject_8", APP_ID, "r" },
148 { "test_subject_9", APP_ID, "w" },
149 { "test_subject_10", APP_ID, "x" },
150 { "test_subject_11", APP_ID, "rw" },
151 { "test_subject_12", APP_ID, "rx" },
152 { "test_subject_13", APP_ID, "wx" },
153 { "test_subject_14", APP_ID, "rwx" },
154 { "test_subject_15", APP_ID, "rwxat" }};
156 // Rules from test_privilege_control_rules_no_r.smack
157 const std::vector< std::vector<std::string> > rules2_no_r = {
158 { APP_ID, "test_book_9", "w" },
159 { APP_ID, "test_book_10", "x" },
160 { APP_ID, "test_book_11", "w" },
161 { APP_ID, "test_book_12", "x" },
162 { APP_ID, "test_book_13", "wx" },
163 { APP_ID, "test_book_14", "wx" },
164 { APP_ID, "test_book_15", "wxat" },
165 { "test_subject_9", APP_ID, "w" },
166 { "test_subject_10", APP_ID, "x" },
167 { "test_subject_11", APP_ID, "w" },
168 { "test_subject_12", APP_ID, "x" },
169 { "test_subject_13", APP_ID, "wx" },
170 { "test_subject_14", APP_ID, "wx" },
171 { "test_subject_15", APP_ID, "wxat" }};
173 // Rules from test_privilege_control_rules.smack
174 // minus test_privilege_control_rules_no_r.smack
175 const std::vector< std::vector<std::string> > rules2_r = {
176 { APP_ID, "test_book_8", "r" },
177 { APP_ID, "test_book_11", "r" },
178 { APP_ID, "test_book_12", "r" },
179 { APP_ID, "test_book_14", "r" },
180 { APP_ID, "test_book_15", "r" },
181 { "test_subject_8", APP_ID, "r" },
182 { "test_subject_11", APP_ID, "r" },
183 { "test_subject_12", APP_ID, "r" },
184 { "test_subject_14", APP_ID, "r" },
185 { "test_subject_15", APP_ID, "r" }};
187 // Rules from test_privilege_control_rules_wgt.smack for wgt
188 const std::vector< std::vector<std::string> > rules_wgt = {
189 { WGT_APP_ID, "test_book_8", "r" },
190 { WGT_APP_ID, "test_book_9", "w" },
191 { WGT_APP_ID, "test_book_10", "x" },
192 { WGT_APP_ID, "test_book_11", "rw" },
193 { WGT_APP_ID, "test_book_12", "rx" },
194 { WGT_APP_ID, "test_book_13", "wx" },
195 { WGT_APP_ID, "test_book_14", "rwx" },
196 { WGT_APP_ID, "test_book_15", "rwxat" },
197 { "test_subject_8", WGT_APP_ID, "r" },
198 { "test_subject_9", WGT_APP_ID, "w" },
199 { "test_subject_10", WGT_APP_ID, "x" },
200 { "test_subject_11", WGT_APP_ID, "rw" },
201 { "test_subject_12", WGT_APP_ID, "rx" },
202 { "test_subject_13", WGT_APP_ID, "wx" },
203 { "test_subject_14", WGT_APP_ID, "rwx" },
204 { "test_subject_15", WGT_APP_ID, "rwxat" }};
206 // Rules from test_privilege_control_rules_wgt.smack for wgt_partner
207 const std::vector< std::vector<std::string> > rules_wgt_partner = {
208 { WGT_PARTNER_APP_ID, "test_book_8", "r" },
209 { WGT_PARTNER_APP_ID, "test_book_9", "w" },
210 { WGT_PARTNER_APP_ID, "test_book_10", "x" },
211 { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
212 { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
213 { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
214 { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
215 { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
216 { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
217 { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
218 { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
219 { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
220 { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
221 { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
222 { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
223 { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }};
225 // Rules from test_privilege_control_rules_wgt.smack for wgt_platform
226 const std::vector< std::vector<std::string> > rules_wgt_platform = {
227 { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
228 { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
229 { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
230 { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
231 { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
232 { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
233 { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
234 { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
235 { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
236 { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
237 { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
238 { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
239 { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
240 { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
241 { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
242 { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }};
244 // Rules from test_privilege_control_rules_osp.smack for osp
245 const std::vector< std::vector<std::string> > rules_osp = {
246 { OSP_APP_ID, "test_book_8", "r" },
247 { OSP_APP_ID, "test_book_9", "w" },
248 { OSP_APP_ID, "test_book_10", "x" },
249 { OSP_APP_ID, "test_book_11", "rw" },
250 { OSP_APP_ID, "test_book_12", "rx" },
251 { OSP_APP_ID, "test_book_13", "wx" },
252 { OSP_APP_ID, "test_book_14", "rwx" },
253 { OSP_APP_ID, "test_book_15", "rwxat" },
254 { "test_subject_8", OSP_APP_ID, "r" },
255 { "test_subject_9", OSP_APP_ID, "w" },
256 { "test_subject_10", OSP_APP_ID, "x" },
257 { "test_subject_11", OSP_APP_ID, "rw" },
258 { "test_subject_12", OSP_APP_ID, "rx" },
259 { "test_subject_13", OSP_APP_ID, "wx" },
260 { "test_subject_14", OSP_APP_ID, "rwx" },
261 { "test_subject_15", OSP_APP_ID, "rwxat" }};
263 // Rules from test_privilege_control_rules_osp.smack for osp_partner
264 const std::vector< std::vector<std::string> > rules_osp_partner = {
265 { OSP_PARTNER_APP_ID, "test_book_8", "r" },
266 { OSP_PARTNER_APP_ID, "test_book_9", "w" },
267 { OSP_PARTNER_APP_ID, "test_book_10", "x" },
268 { OSP_PARTNER_APP_ID, "test_book_11", "rw" },
269 { OSP_PARTNER_APP_ID, "test_book_12", "rx" },
270 { OSP_PARTNER_APP_ID, "test_book_13", "wx" },
271 { OSP_PARTNER_APP_ID, "test_book_14", "rwx" },
272 { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" },
273 { "test_subject_8", OSP_PARTNER_APP_ID, "r" },
274 { "test_subject_9", OSP_PARTNER_APP_ID, "w" },
275 { "test_subject_10", OSP_PARTNER_APP_ID, "x" },
276 { "test_subject_11", OSP_PARTNER_APP_ID, "rw" },
277 { "test_subject_12", OSP_PARTNER_APP_ID, "rx" },
278 { "test_subject_13", OSP_PARTNER_APP_ID, "wx" },
279 { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" },
280 { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" }};
282 // Rules from test_privilege_control_rules_osp.smack for osp_platform
283 const std::vector< std::vector<std::string> > rules_osp_platform = {
284 { OSP_PLATFORM_APP_ID, "test_book_8", "r" },
285 { OSP_PLATFORM_APP_ID, "test_book_9", "w" },
286 { OSP_PLATFORM_APP_ID, "test_book_10", "x" },
287 { OSP_PLATFORM_APP_ID, "test_book_11", "rw" },
288 { OSP_PLATFORM_APP_ID, "test_book_12", "rx" },
289 { OSP_PLATFORM_APP_ID, "test_book_13", "wx" },
290 { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" },
291 { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" },
292 { "test_subject_8", OSP_PLATFORM_APP_ID, "r" },
293 { "test_subject_9", OSP_PLATFORM_APP_ID, "w" },
294 { "test_subject_10", OSP_PLATFORM_APP_ID, "x" },
295 { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" },
296 { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" },
297 { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" },
298 { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" },
299 { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }};
303 typedef std::unique_ptr<smack_accesses,std::function<void(smack_accesses*)>> SmackUniquePtr;
305 const char* OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
306 const char* WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack";
307 const char* OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack";
308 const char* OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac";
309 const char* WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac";
310 const char* OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
311 const char* BLAHBLAH_FEATURE = "http://feature/blah/blahblah";
314 * Check if every rule is true.
315 * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
317 int test_have_all_accesses(const std::vector< std::vector<std::string> >& rules){
319 for(uint i =0; i<rules.size();++i ){
320 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
328 * Check if every rule is true.
329 * @return 1 if ANY rule in SMACK, 0 if
331 int test_have_any_accesses(const std::vector< std::vector<std::string> >& rules){
333 for(uint i =0; i<rules.size();++i ){
334 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
341 int nftw_remove_labels(const char *fpath, const struct stat * /*sb*/,
342 int /*typeflag*/, struct FTW * /*ftwbuf*/)
344 smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
345 smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
346 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
351 int nftw_set_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/,
352 int /*typeflag*/, struct FTW * /*ftwbuf*/)
354 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
355 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
356 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
361 int nftw_check_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/,
362 int /*typeflag*/, struct FTW * /*ftwbuf*/)
368 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
369 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
370 result = strcmp(CANARY_LABEL, label);
371 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
374 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
375 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
376 result = strcmp(CANARY_LABEL, label);
377 RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
380 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
381 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
382 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
387 int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
388 int /*typeflag*/, struct FTW * /*ftwbuf*/)
394 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
395 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
396 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
397 result = strcmp(APPID_DIR, label);
398 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
401 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
402 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
403 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
404 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
405 result = strcmp(APPID_DIR, label);
406 RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
407 } else if(S_ISLNK(sb->st_mode)) {
409 char* target = realpath(fpath, NULL);
410 RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
412 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
413 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
415 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
416 result = strcmp(APPID_DIR, label);
417 RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
420 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
423 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
424 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
425 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
430 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
431 int /*typeflag*/, struct FTW * /*ftwbuf*/)
437 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
438 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
439 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
440 result = strcmp(APPID_SHARED_DIR, label);
441 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
443 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
444 RUNNER_ASSERT_MSG(result == 1,
445 "Error rwxat access was not given shared dir. Subject: " <<
446 APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
448 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
449 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
450 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
453 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
454 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
455 if (S_ISDIR(sb->st_mode)) {
456 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
457 result = strcmp("TRUE", label);
458 RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
460 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
465 int check_labels_dir(const char *fpath, const struct stat *sb,
466 const char* labels_db_path, const char* dir_db_path,
472 char* scanf_label_format;
473 char label_temp[SMACK_LABEL_LEN + 1];
477 result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
478 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
479 RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
482 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
485 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
490 RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
494 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
498 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
500 if (S_ISDIR(sb->st_mode)) {
504 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
506 result = strcmp("TRUE", label);
510 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
512 } else if(label != NULL){
515 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
520 if(0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)){
522 RUNNER_ASSERT_MSG(false, "asprintf failed");
525 file_db = fopen(labels_db_path, "r");
528 free(scanf_label_format);
529 RUNNER_ASSERT_MSG(false, "Can not open database for apps");
531 while(fscanf(file_db, scanf_label_format, label_temp)==1){
532 result = smack_have_access(label_temp, label_gen, access);
536 free(scanf_label_format);
537 RUNNER_ASSERT_MSG(false,
538 "Error " << access << " access was not given for subject: "
539 << label_temp << ". Result: " << result);
544 file_db = fopen(dir_db_path, "r");
547 free(scanf_label_format);
548 RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
551 while(fscanf(file_db, scanf_label_format, label_temp)==1){
552 if(strcmp(label_gen, label_temp) == 0){
557 free(scanf_label_format);
561 RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
566 int nftw_check_labels_app_public_dir(const char *fpath, const struct stat *sb,
567 int /*typeflag*/, struct FTW * /*ftwbuf*/)
569 return check_labels_dir(fpath, sb,
570 SMACK_APPS_LABELS_DATABASE,
571 SMACK_PUBLIC_DIRS_DATABASE, "rx");
574 int nftw_check_labels_app_settings_dir(const char *fpath, const struct stat *sb,
575 int /*typeflag*/, struct FTW * /*ftwbuf*/)
577 return check_labels_dir(fpath, sb,
578 SMACK_APPS_SETTINGS_LABELS_DATABASE,
579 SMACK_SETTINGS_DIRS_DATABASE, "rwx");
582 int file_exists(const char* path)
584 FILE* file = fopen(path, "r");
592 void osp_blahblah_check(int line_no, const std::vector<std::string>& rules)
594 std::ifstream smack_file(OSP_BLAHBLAH);
595 RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
597 auto it = rules.begin();
599 while(std::getline(smack_file,line)) {
600 RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
601 RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
605 RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
610 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned>& gids)
612 std::ifstream dac_file(OSP_BLAHBLAH_DAC);
613 RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC);
615 auto it = gids.begin();
617 while(std::getline(dac_file,line)) {
618 std::istringstream is(line);
621 RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
622 RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
626 RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
631 void remove_smack_files()
634 unlink(OSP_BLAHBLAH);
635 unlink(WRT_BLAHBLAH);
636 unlink(OTHER_BLAHBLAH);
637 unlink(OSP_BLAHBLAH_DAC);
638 unlink(WRT_BLAHBLAH_DAC);
639 unlink(OTHER_BLAHBLAH_DAC);
642 int cleaning_smack_app_files (void)
644 unlink(SMACK_RULES_DIR APP_TEST_APP_1);
646 unlink(SMACK_RULES_DIR APP_TEST_APP_2);
648 unlink(SMACK_RULES_DIR APP_TEST_APP_3);
650 unlink(SMACK_RULES_DIR APP_TEST_AV_1);
652 unlink(SMACK_RULES_DIR APP_TEST_AV_2);
654 unlink(SMACK_RULES_DIR APP_TEST_AV_3);
659 int cleaning_smack_database_files (void)
664 unlink(SMACK_APPS_LABELS_DATABASE);
665 fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
671 unlink(SMACK_AVS_LABELS_DATABASE);
672 fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
677 //clean app settings database
678 unlink(SMACK_APPS_SETTINGS_LABELS_DATABASE);
679 fd = open(SMACK_APPS_SETTINGS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
684 //clean public dirs database
685 unlink(SMACK_PUBLIC_DIRS_DATABASE);
686 fd = open(SMACK_PUBLIC_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
691 //clean settings dirs database
692 unlink(SMACK_SETTINGS_DIRS_DATABASE);
693 fd = open(SMACK_SETTINGS_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
701 void add_lables_to_db()
705 file_db = fopen(SMACK_AVS_LABELS_DATABASE, "a");
706 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
707 << SMACK_AVS_LABELS_DATABASE << " can not be opened to apend!");
708 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
710 RUNNER_ASSERT_MSG(false, "Error writing to database file");
712 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
714 RUNNER_ASSERT_MSG(false, "Error writing to database file");
718 file_db = fopen(SMACK_APPS_SETTINGS_LABELS_DATABASE, "a");
719 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
720 << SMACK_APPS_SETTINGS_LABELS_DATABASE << " can not be opened to apend!");
721 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
723 RUNNER_ASSERT_MSG(false, "Error writing to database file");
725 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
727 RUNNER_ASSERT_MSG(false, "Error writing to database file");
731 file_db = fopen(SMACK_APPS_LABELS_DATABASE, "a");
732 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
733 << SMACK_APPS_LABELS_DATABASE << " can not be opened to apend!");
734 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
736 RUNNER_ASSERT_MSG(false, "Error writing to database file");
738 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
740 RUNNER_ASSERT_MSG(false, "Error writing to database file");
742 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
744 RUNNER_ASSERT_MSG(false, "Error writing to database file");
746 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
748 RUNNER_ASSERT_MSG(false, "Error writing to database file");
754 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
757 * Test setting labels for all files and folders in given path.
759 RUNNER_TEST(privilege_control02_app_label_dir)
763 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
764 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
766 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
767 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
769 result = app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
770 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
772 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
773 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
775 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
776 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
779 RUNNER_TEST(privilege_control03_app_label_shared_dir)
783 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
784 RUNNER_ASSERT_MSG(result != 0, "app_setup_path(APP_ID, APP_ID) didn't fail");
786 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
787 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
789 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
790 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
792 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
793 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
795 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
796 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
798 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
799 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
803 * Add permisions from test_privilege_control_rules template
805 RUNNER_TEST(privilege_control04_add_permissions)
807 int result = app_add_permissions(APP_ID, PRIVS);
808 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
809 " Error adding app permissions. Result: " << result);
811 // Check if the accesses are realy applied..
812 result = test_have_all_accesses(rules);
813 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
816 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
817 RUNNER_ASSERT_MSG(pFile != NULL,
818 "SMACK file NOT created!. Errno: " << errno);
821 fseek(pFile, 0L, SEEK_END);
822 int smack_file_length = ftell(pFile);
823 RUNNER_ASSERT_MSG(smack_file_length>0,
824 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
832 * Revoke permissions from the list. Should be executed as privileged user.
834 RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
839 // Revoke permissions
840 result = app_revoke_permissions(APP_ID);
841 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
842 "Error revoking app permissions. Result: " << result);
844 result = app_revoke_permissions(WGT_APP_ID);
845 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
846 "Error revoking app permissions. Result: " << result);
847 result = app_revoke_permissions(WGT_PARTNER_APP_ID);
848 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
849 "Error revoking app permissions. Result: " << result);
850 result = app_revoke_permissions(WGT_PLATFORM_APP_ID);
851 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
852 "Error revoking app permissions. Result: " << result);
854 result = app_revoke_permissions(OSP_APP_ID);
855 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
856 "Error revoking app permissions. Result: " << result);
857 result = app_revoke_permissions(OSP_PARTNER_APP_ID);
858 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
859 "Error revoking app permissions. Result: " << result);
860 result = app_revoke_permissions(OSP_PLATFORM_APP_ID);
861 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
862 "Error revoking app permissions. Result: " << result);
864 // Are all the permissions revoked?
865 result = test_have_any_accesses(rules);
866 RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
867 result = test_have_any_accesses(rules_wgt);
868 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
869 result = test_have_any_accesses(rules_wgt_partner);
870 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
871 result = test_have_any_accesses(rules_wgt_platform);
872 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
874 result = test_have_any_accesses(rules);
875 RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
876 result = test_have_any_accesses(rules_osp);
877 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
878 result = test_have_any_accesses(rules_osp_partner);
879 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
880 result = test_have_any_accesses(rules_osp_platform);
881 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
883 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
884 RUNNER_ASSERT_MSG(pFile != NULL,
885 "SMACK file removed!. Errno: " << errno);
887 fseek(pFile, 0L, SEEK_END);
888 int smack_file_length = ftell(pFile);
891 RUNNER_ASSERT_MSG(smack_file_length==0,
892 "SMACK file not empty.. Errno: " << errno);
894 pFile = fopen(SMACK_RULES_DIR WGT_APP_ID, "rb");
895 RUNNER_ASSERT_MSG(pFile != NULL,
896 "SMACK file removed!. Errno: " << errno);
898 fseek(pFile, 0L, SEEK_END);
899 smack_file_length = ftell(pFile);
902 RUNNER_ASSERT_MSG(smack_file_length==0,
903 "SMACK file not empty.. Errno: " << errno);
905 pFile = fopen(SMACK_RULES_DIR WGT_PARTNER_APP_ID, "rb");
906 RUNNER_ASSERT_MSG(pFile != NULL,
907 "SMACK file removed!. Errno: " << errno);
909 fseek(pFile, 0L, SEEK_END);
910 smack_file_length = ftell(pFile);
913 RUNNER_ASSERT_MSG(smack_file_length==0,
914 "SMACK file not empty.. Errno: " << errno);
916 pFile = fopen(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, "rb");
917 RUNNER_ASSERT_MSG(pFile != NULL,
918 "SMACK file removed!. Errno: " << errno);
920 fseek(pFile, 0L, SEEK_END);
921 smack_file_length = ftell(pFile);
924 RUNNER_ASSERT_MSG(smack_file_length==0,
925 "SMACK file not empty.. Errno: " << errno);
927 pFile = fopen(SMACK_RULES_DIR OSP_APP_ID, "rb");
928 RUNNER_ASSERT_MSG(pFile != NULL,
929 "SMACK file removed!. Errno: " << errno);
931 fseek(pFile, 0L, SEEK_END);
932 smack_file_length = ftell(pFile);
935 RUNNER_ASSERT_MSG(smack_file_length==0,
936 "SMACK file not empty.. Errno: " << errno);
938 pFile = fopen(SMACK_RULES_DIR OSP_PARTNER_APP_ID, "rb");
939 RUNNER_ASSERT_MSG(pFile != NULL,
940 "SMACK file removed!. Errno: " << errno);
942 fseek(pFile, 0L, SEEK_END);
943 smack_file_length = ftell(pFile);
946 RUNNER_ASSERT_MSG(smack_file_length==0,
947 "SMACK file not empty.. Errno: " << errno);
949 pFile = fopen(SMACK_RULES_DIR OSP_PLATFORM_APP_ID, "rb");
950 RUNNER_ASSERT_MSG(pFile != NULL,
951 "SMACK file removed!. Errno: " << errno);
953 fseek(pFile, 0L, SEEK_END);
954 smack_file_length = ftell(pFile);
957 RUNNER_ASSERT_MSG(smack_file_length==0,
958 "SMACK file not empty.. Errno: " << errno);
961 static void read_gids(std::set<unsigned> &set, const char* file_path)
963 FILE *f = fopen(file_path, "r");
964 RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
966 while (fscanf(f, "%u\n", &gid) == 1) {
971 RUNNER_TEST(privilege_control05_add_shared_dir_readers)
974 #define TEST_OBJ "TEST_OBJECT"
975 #define TEST_OBJ_SOME_OTHER "TEST_OBJA"
976 #define test_string_01 "TEST_raz TEST_OBJECT r-x-- -----"
977 #define test_string_21 "TEST_trzy TEST_OBJA -wx--\n"
978 #define test_string_22 "TEST_trzy TEST_OBJECT r-x-- -----\n"
985 const char *app_labels_wrong[] = {"-TEST_raz", NULL};
986 const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
987 const int READ_BUF_SIZE = 1000;
988 char buf[READ_BUF_SIZE];
990 struct smack_accesses * rules = NULL;
992 //test what happens when the label is not correct SMACK label
993 result = smack_accesses_new(&rules);
994 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
996 result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong);
997 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here");
999 result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx");
1000 RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here");
1002 smack_accesses_free(rules);
1004 //ok, now the correct list of apps
1005 result = smack_accesses_new(&rules);
1006 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
1008 for (i = 0; i < 3; i++) {
1010 (void)app_uninstall(app_labels[i]);
1011 result = app_install(app_labels[i]);
1012 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in app_install.");
1014 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i]));
1015 fd = open(path, O_WRONLY, 0644);
1016 RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path);
1019 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
1020 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
1023 smack_accesses_free(rules);
1024 result = smack_accesses_new(&rules);
1025 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
1026 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
1028 result = smack_accesses_apply(rules);
1029 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
1031 result = smack_accesses_save(rules, fd);
1032 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
1039 smack_accesses_free(rules);
1041 // THE TEST - accesses
1043 result = add_shared_dir_readers(TEST_OBJ,app_labels);
1044 RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed");
1046 result = smack_have_access(app_labels[0],TEST_OBJ,"rx");
1047 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1049 result = smack_have_access(app_labels[1],TEST_OBJ,"rx");
1050 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1052 result = smack_have_access(app_labels[2],TEST_OBJ,"rx");
1053 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1055 result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt");
1056 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1058 result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx");
1059 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1062 //TEST the operations on empty files
1064 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0]));
1065 file = fopen(path, "r");
1067 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
1069 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1070 result = strcmp(buf, test_string_01);
1071 RUNNER_ASSERT_MSG( result!=0, "add_shared_dir_readers ERROR, file not formatted" << path );
1076 //TEST the operations on non empty files
1077 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2]));
1079 file = fopen(path, "r");
1080 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
1082 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1083 result = strcmp(buf, test_string_21);
1084 RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
1086 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1087 result = strcmp(buf, test_string_22);
1088 RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
1096 * Set APP privileges.
1099 void check_groups(const char* dac_file) {
1100 std::set<unsigned> groups_check;
1101 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
1102 read_gids(groups_check, dac_file);
1104 int groups_cnt = getgroups(0, NULL);
1105 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
1106 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
1107 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
1108 RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
1110 for (int i = 0; i < groups_cnt; ++i) {
1111 //getgroups() can return multiple number of the same group
1112 //they are returned in sequence, so we will given number when last
1113 //element of this number is reached
1114 if( (i < groups_cnt - 1) && (groups_list[i+1] == groups_list[i]))
1116 if (groups_check.erase(groups_list[i]) == 0) {
1117 // getgroups() may also return process' main group
1118 if (groups_list[i] != getgid())
1119 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
1123 std::string groups_left;
1124 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
1125 groups_left.append(std::to_string(*it)).append(" ");
1127 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
1130 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege)
1134 // Preset exec label
1135 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
1136 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
1139 * TODO This test should also verify set_app_privilege behavior for OSP and
1140 * WRT apps. To do that we'll have to install real apps on device as a
1144 // Set APP privileges
1145 result = set_app_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
1146 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1148 // Check if SMACK label really set
1150 result = smack_new_label_from_self(&label);
1151 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1152 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1153 result = strcmp(APP_ID, label);
1154 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1156 // Check if DAC privileges really set
1157 RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
1158 RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
1160 result = strcmp(getenv("HOME"), APP_HOME_DIR);
1161 RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR");
1163 result = strcmp(getenv("USER"), APP_USER_NAME);
1164 RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME");
1166 check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
1170 * Set APP privileges. wgt.
1172 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt)
1176 result = app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
1177 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1178 " Error enabling app permissions. Result: " << result);
1180 result = test_have_all_accesses(rules_wgt);
1181 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1183 result = set_app_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
1184 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1186 // Check if SMACK label really set
1188 result = smack_new_label_from_self(&label);
1189 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1190 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1191 result = strcmp(WGT_APP_ID, label);
1192 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1195 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1201 * Set APP privileges. wgt_partner.
1203 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner)
1207 result = app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
1208 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1209 " Error enabling app permissions. Result: " << result);
1211 result = test_have_all_accesses(rules_wgt_partner);
1212 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1214 result = set_app_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
1215 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1217 // Check if SMACK label really set
1219 result = smack_new_label_from_self(&label);
1220 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1221 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1222 result = strcmp(WGT_PARTNER_APP_ID, label);
1223 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1225 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1229 * Set APP privileges. wgt_platform.
1231 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform)
1235 result = app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
1236 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1237 " Error enabling app permissions. Result: " << result);
1239 result = test_have_all_accesses(rules_wgt_platform);
1240 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1242 result = set_app_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
1243 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1245 // Check if SMACK label really set
1247 result = smack_new_label_from_self(&label);
1248 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1249 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1250 result = strcmp(WGT_PLATFORM_APP_ID, label);
1251 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1253 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1257 * Set APP privileges. osp app.
1259 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp)
1263 result = app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
1264 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1265 " Error enabling app permissions. Result: " << result);
1267 result = test_have_all_accesses(rules_osp);
1268 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1270 result = set_app_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
1271 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1273 // Check if SMACK label really set
1275 result = smack_new_label_from_self(&label);
1276 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1277 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1278 result = strcmp(OSP_APP_ID, label);
1279 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1281 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1285 * Set APP privileges. partner osp app.
1287 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_partner)
1291 result = app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
1292 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1293 " Error enabling app permissions. Result: " << result);
1295 result = test_have_all_accesses(rules_osp_partner);
1296 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1298 result = set_app_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
1299 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1301 // Check if SMACK label really set
1303 result = smack_new_label_from_self(&label);
1304 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1305 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1306 result = strcmp(OSP_PARTNER_APP_ID, label);
1307 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1309 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1313 * Set APP privileges. platform osp app.
1315 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_platform)
1319 result = app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
1320 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1321 " Error enabling app permissions. Result: " << result);
1323 result = test_have_all_accesses(rules_osp_platform);
1324 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1326 result = set_app_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
1327 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1329 // Check if SMACK label really set
1331 result = smack_new_label_from_self(&label);
1332 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1333 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1334 result = strcmp(OSP_PLATFORM_APP_ID, label);
1335 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1337 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1340 RUNNER_TEST(privilege_control08_app_give_access)
1342 const char *subject = "lkjq345v34sfa";
1343 const char *object = "lk9290f92lkjz";
1344 smack_accesses *tmp = NULL;
1346 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
1348 SmackUniquePtr smack(tmp, smack_accesses_free);
1350 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "r--a-"));
1351 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1353 app_give_access(subject, object, "wt");
1355 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwat"));
1356 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1358 app_revoke_access(subject, object);
1360 RUNNER_ASSERT(1 == smack_have_access(subject, object, "ra"));
1361 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
1362 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1363 RUNNER_ASSERT(0 == smack_have_access(subject, object, "t"));
1365 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-"));
1366 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1369 RUNNER_TEST(privilege_control09_app_give_access)
1371 const char *subject = "ljk132flkjv";
1372 const char *object = "jjsiqsc32vs";
1373 smack_accesses *tmp = NULL;
1375 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
1377 SmackUniquePtr smack(tmp, smack_accesses_free);
1379 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "---t-"));
1380 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1382 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rw"));
1383 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rwx"));
1385 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxt"));
1386 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
1388 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_revoke_access(subject, object));
1390 RUNNER_ASSERT(1 == smack_have_access(subject, object, "t"));
1391 RUNNER_ASSERT(0 == smack_have_access(subject, object, "r"));
1392 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
1393 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1394 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
1396 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----"));
1397 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1401 * Add new API feature
1403 RUNNER_TEST(privilege_control11_add_api_feature)
1407 remove_smack_files();
1410 // argument validation
1411 result = add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
1412 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1414 result = add_api_feature(APP_TYPE_OSP,"" , NULL, NULL, 0);
1415 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1418 // already existing features
1419 result = add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read" , NULL, NULL, 0);
1420 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1422 result = add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms" , NULL, NULL, 0);
1423 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1425 result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging" , NULL, NULL, 0);
1426 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1428 result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging" , NULL, NULL, 0);
1429 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1431 result = add_api_feature(APP_TYPE_OTHER,"http://messaging" , NULL, NULL, 0);
1432 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1434 result = add_api_feature(APP_TYPE_OTHER,"messaging.read" , NULL, NULL, 0);
1435 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1439 result = add_api_feature(APP_TYPE_OSP,"blahblah" , NULL, NULL, 0);
1440 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1442 result = add_api_feature(APP_TYPE_WGT,"blahblah" , NULL, NULL, 0);
1443 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1445 result = add_api_feature(APP_TYPE_OTHER,"blahblah" , NULL, NULL, 0);
1446 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1449 // smack files existence
1450 result = file_exists(OSP_BLAHBLAH);
1451 RUNNER_ASSERT(result == -1);
1453 result = file_exists(WRT_BLAHBLAH);
1454 RUNNER_ASSERT(result == -1);
1456 result = file_exists(OTHER_BLAHBLAH);
1457 RUNNER_ASSERT(result == -1);
1461 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , { NULL }, NULL, 0);
1462 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1463 result = file_exists(OSP_BLAHBLAH);
1464 RUNNER_ASSERT(result == -1);
1466 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "", NULL }, NULL, 0);
1467 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1468 result = file_exists(OSP_BLAHBLAH);
1469 RUNNER_ASSERT(result == 0);
1470 remove_smack_files();
1472 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
1473 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1474 result = file_exists(OSP_BLAHBLAH);
1475 RUNNER_ASSERT(result == 0);
1476 remove_smack_files();
1480 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed", NULL }, NULL, 0);
1481 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1482 result = file_exists(OSP_BLAHBLAH);
1483 RUNNER_ASSERT(result == -1);
1485 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed", NULL }, NULL, 0);
1486 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1487 result = file_exists(OSP_BLAHBLAH);
1488 RUNNER_ASSERT(result == -1);
1490 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "-malformed malformed rwxat", NULL }, NULL, 0);
1491 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1492 result = file_exists(OSP_BLAHBLAH);
1493 RUNNER_ASSERT(result == -1);
1495 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "~/\"\\ malformed rwxat", NULL }, NULL, 0);
1496 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1497 result = file_exists(OSP_BLAHBLAH);
1498 RUNNER_ASSERT(result == -1);
1500 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object rwxat something else", NULL }, NULL, 0);
1501 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1502 result = file_exists(OSP_BLAHBLAH);
1503 RUNNER_ASSERT(result == -1);
1507 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed maaaaaalformed", NULL }, NULL, 0);
1508 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1509 osp_blahblah_check(__LINE__, { "malformed malformed r--a- -----" });
1510 remove_smack_files();
1512 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object foo", NULL }, NULL, 0);
1513 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1514 osp_blahblah_check(__LINE__, { "subject object ----- -----" });
1515 remove_smack_files();
1517 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
1518 "subject object\t rwxat",
1520 "subject2\tobject2 txarw",
1523 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1524 osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject2 object2 rwxat -----"});
1525 remove_smack_files();
1527 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
1528 "Sub::jE,ct object a-RwX",
1530 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1531 osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa- -----"});
1532 remove_smack_files();
1534 // TODO For now identical/complementary rules are not merged.
1535 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
1536 "subject object rwxat",
1538 "subject object txarw",
1541 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1542 osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject object rwxat -----"});
1543 remove_smack_files();
1547 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},0);
1548 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1549 osp_blahblah_check(__LINE__, { "a a ---a- -----"});
1550 result = file_exists(OSP_BLAHBLAH_DAC);
1551 RUNNER_ASSERT(result == -1);
1552 remove_smack_files();
1556 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},3);
1557 printf("%d \n", result);
1558 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1559 osp_blahblah_check(__LINE__, { "a a ---a- -----"});
1560 osp_blahblah_dac_check(__LINE__, {0,1,2});
1561 remove_smack_files();
1563 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},1);
1564 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1565 osp_blahblah_check(__LINE__, { "a a ---a- -----"});
1566 osp_blahblah_dac_check(__LINE__, {0});
1567 remove_smack_files();
1569 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){1,1,1},3);
1570 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1571 osp_blahblah_check(__LINE__, { "a a ---a- -----"});
1572 osp_blahblah_dac_check(__LINE__, {1,1,1});
1573 remove_smack_files();
1577 * Check app_install function
1579 RUNNER_TEST(privilege_control01_app_install)
1585 unlink(SMACK_RULES_DIR APP_ID);
1587 app_uninstall(APP_ID);
1589 result = app_install(APP_ID);
1590 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1592 // checking if file really exists
1593 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1594 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << path << " : " << result << ". Errno: " << strerror(errno));
1598 // try install second time app with the same ID - it should pass.
1599 result = app_install(APP_ID);
1600 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1604 * Check app_install function
1606 RUNNER_TEST(privilege_control07_app_uninstall)
1612 result = app_uninstall(APP_ID);
1613 RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result <<". Errno: " << strerror(errno));
1615 // checking if file really exists
1616 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1617 RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after app_uninstall");
1622 void checkOnlyAvAccess(const char* av_id, const char* app_id, const char* comment){
1624 result = smack_have_access(av_id, app_id, "rwx");
1625 RUNNER_ASSERT_MSG(result == 1,
1626 "Error while checking " << av_id << " rwx access to "
1627 << app_id << " " << comment << " Result: " << result);
1628 result = smack_have_access(av_id, app_id, "a");
1629 RUNNER_ASSERT_MSG(result == 0,
1630 "Error while checking " << av_id << " a access to "
1631 << app_id << " " << comment << " Result: " << result);
1632 result = smack_have_access(av_id, app_id, "t");
1633 RUNNER_ASSERT_MSG(result == 0,
1634 "Error while checking " << av_id << " t access to "
1635 << app_id << " " << comment << " Result: " << result);
1639 * Check app_register_av function
1640 * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
1642 RUNNER_TEST(privilege_control10_app_register_av)
1647 smack_revoke_subject(APP_TEST_AV_1);
1648 smack_revoke_subject(APP_TEST_AV_2);
1650 cleaning_smack_app_files();
1651 cleaning_smack_database_files();
1653 // Adding two apps before antivir
1654 result = app_install(APP_TEST_APP_1);
1655 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1657 result = app_install(APP_TEST_APP_2);
1658 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1661 result = app_register_av(APP_TEST_AV_1);
1662 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
1664 // Checking added apps accesses
1665 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
1666 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
1669 result = app_install(APP_TEST_APP_3);
1670 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1672 // Checking app accesses
1673 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_install(APP_TEST_APP_3)");
1674 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_install(APP_TEST_APP_3)");
1675 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_install(APP_TEST_APP_3)");
1677 // Adding second antivir
1678 result = app_register_av(APP_TEST_AV_2);
1679 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
1681 // Checking app accesses
1682 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1683 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1684 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1685 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1686 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1687 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1690 smack_revoke_subject(APP_TEST_AV_1);
1691 smack_revoke_subject(APP_TEST_AV_2);
1693 cleaning_smack_app_files();
1694 cleaning_smack_database_files();
1698 * Grant SMACK permissions based on permissions list.
1700 RUNNER_TEST(privilege_control11_app_enable_permissions)
1703 int smack_file_length;
1707 * Test - Enabling all permissions with persistant mode enabled
1710 result = app_revoke_permissions(APP_ID);
1711 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1712 "Error revoking app permissions. Result: " << result);
1714 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1715 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1716 " Error enabling app permissions. Result: " << result);
1718 // Check if the accesses are realy applied..
1719 result = test_have_all_accesses(rules2);
1720 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1723 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1724 RUNNER_ASSERT_MSG(pFile != NULL,
1725 "SMACK file NOT created!. Errno: " << errno);
1728 fseek(pFile, 0L, SEEK_END);
1729 smack_file_length = ftell(pFile);
1730 RUNNER_ASSERT_MSG(smack_file_length>0,
1731 "SMACK file empty with persistant mode 1. Errno: " << errno);
1737 result = app_revoke_permissions(APP_ID);
1738 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1739 "Error revoking app permissions. Result: " << result);
1742 * Test - Enabling all permissions with persistant mode disabled
1745 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0);
1746 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1747 " Error enabling app permissions. Result: " << result);
1749 // Check if the accesses are realy applied..
1750 result = test_have_all_accesses(rules2);
1751 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1754 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1755 RUNNER_ASSERT_MSG(pFile != NULL,
1756 "SMACK file NOT created!. Errno: " << errno);
1759 fseek(pFile, 0L, SEEK_END);
1760 smack_file_length = ftell(pFile);
1761 RUNNER_ASSERT_MSG(smack_file_length==0,
1762 "SMACK file not empty with persistant mode 0. Errno: " << errno);
1768 result = app_revoke_permissions(APP_ID);
1769 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1770 "Error revoking app permissions. Result: " << result);
1773 * Test - Enabling all permissions in two complementary files
1776 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1);
1777 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1778 " Error enabling app permissions. Result: " << result);
1780 // Check if the accesses are realy applied..
1781 result = test_have_all_accesses(rules2);
1782 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1785 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1786 RUNNER_ASSERT_MSG(pFile != NULL,
1787 "SMACK file NOT created!. Errno: " << errno);
1790 fseek(pFile, 0L, SEEK_END);
1791 smack_file_length = ftell(pFile);
1792 RUNNER_ASSERT_MSG(smack_file_length>0,
1793 "SMACK file empty with persistant mode 1. Errno: " << errno);
1799 result = app_revoke_permissions(APP_ID);
1800 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1801 "Error revoking app permissions. Result: " << result);
1804 * Test - Enabling some permissions and then enabling complementary permissions
1807 // Enable permission for rules 2 no r
1808 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1809 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1810 " Error enabling app permissions without r. Result: " << result);
1812 // Check if the accesses are realy applied..
1813 result = test_have_all_accesses(rules2_no_r);
1814 RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
1817 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1818 RUNNER_ASSERT_MSG(pFile != NULL,
1819 "SMACK file NOT created!. Errno: " << errno);
1822 fseek(pFile, 0L, SEEK_END);
1823 smack_file_length = ftell(pFile);
1824 RUNNER_ASSERT_MSG(smack_file_length>0,
1825 "SMACK file empty with persistant mode 1. Errno: " << errno);
1830 // Enable permission for rules 2
1831 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1832 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1833 " Error enabling app all permissions. Result: " << result);
1835 // Check if the accesses are realy applied..
1836 result = test_have_all_accesses(rules2);
1837 RUNNER_ASSERT_MSG(result==1, "Permissions all not added.");
1840 result = app_revoke_permissions(APP_ID);
1841 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1842 "Error revoking app permissions. Result: " << result);
1845 * Test - Enabling some permissions and then enabling all permissions
1848 // Enable permission for rules 2 no r
1849 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1850 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1851 " Error enabling app permissions without r. Result: " << result);
1853 // Check if the accesses are realy applied..
1854 result = test_have_all_accesses(rules2_no_r);
1855 RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
1858 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1859 RUNNER_ASSERT_MSG(pFile != NULL,
1860 "SMACK file NOT created!. Errno: " << errno);
1863 fseek(pFile, 0L, SEEK_END);
1864 smack_file_length = ftell(pFile);
1865 RUNNER_ASSERT_MSG(smack_file_length>0,
1866 "SMACK file empty with persistant mode 1. Errno: " << errno);
1871 // Enable permission for rules 2
1872 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1);
1873 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1874 " Error enabling app permissions with only r. Result: " << result);
1876 // Check if the accesses are realy applied..
1877 result = test_have_all_accesses(rules2);
1878 RUNNER_ASSERT_MSG(result==1, "Permissions with only r not added.");
1881 result = app_revoke_permissions(APP_ID);
1882 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1883 "Error revoking app permissions. Result: " << result);
1887 * Until app_disable_permissions is not fixed this test should remain
1891 * Remove previously granted SMACK permissions based on permissions list.
1893 /*RUNNER_TEST(privilege_control12_app_disable_permissions)
1897 * Test - disable all granted permissions.
1901 // Prepare permissions that we want to disable
1902 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1903 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1904 " Error enabling app permissions. Result: " << result);
1906 // Disable permissions
1907 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1908 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1909 "Error disabling app permissions. Result: " << result);
1911 // Are all the permissions disabled?
1912 result = test_have_any_accesses(rules2);
1913 RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
1916 * Test - disable some granted permissions leaving non complementary and then disabling those too.
1919 // Prepare permissions that will not be disabled
1920 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
1921 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1922 " Error adding app first permissions. Result: " << result);
1924 // Prepare permissions that we want to disable
1925 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1926 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1927 " Error adding app second permissions. Result: " << result);
1929 // Disable second permissions
1930 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1931 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1932 "Error disabling app second permissions. Result: " << result);
1934 // Are all second permissions disabled?
1935 result = test_have_any_accesses(rules2);
1936 RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
1938 // Are all first permissions not disabled?
1939 result = test_have_all_accesses(rules);
1940 RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
1942 // Disable first permissions
1943 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS);
1944 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1945 "Error disabling app first permissions. Result: " << result);
1947 // Are all second permissions disabled?
1948 result = test_have_any_accesses(rules);
1949 RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
1952 * Test - disable only no r granted permissions.
1955 // Prepare permissions
1956 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1957 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1958 " Error adding app permissions. Result: " << result);
1960 // Disable same permissions without r
1961 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R);
1962 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1963 "Error disabling app no r permissions. Result: " << result);
1965 // Is any r permissions disabled?
1966 result = test_have_all_accesses(rules2_r);
1967 RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
1968 // Are all no r permissions disabled?
1969 result = test_have_any_accesses(rules2_no_r);
1970 RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
1972 // Prepare permissions
1973 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1974 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1975 " Error adding app no r permissions. Result: " << result);
1977 // Disable all permissions
1978 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1979 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1980 "Error disabling app permissions. Result: " << result);
1984 * Reset SMACK permissions for an application by revoking all previously
1985 * granted rules and enabling them again from a rules file from disk.
1988 RUNNER_TEST(privilege_control13_app_reset_permissions)
1994 * Test - doing reset and checking if rules exist again.
1997 // Prepare permissions to reset
1998 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1999 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2000 " Error adding app permissions. Result: " << result);
2002 // Reset permissions
2003 result = app_reset_permissions(APP_ID);
2004 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2005 "Error reseting app permissions. Result: " << result);
2007 // Are all second permissions not disabled?
2008 result = test_have_all_accesses(rules2);
2009 RUNNER_ASSERT_MSG(result==1, "Not all permissions added.");
2011 // Disable permissions
2012 result = app_revoke_permissions(APP_ID);
2013 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2014 "Error disabling app permissions. Result: " << result);
2019 * Make two applications "friends", by giving them both full permissions on
2022 RUNNER_TEST(privilege_control14_app_add_friend)
2027 * Test - making friends with no permissions on each other
2030 result = app_revoke_permissions(APP_FRIEND_1);
2031 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2032 "Error revoking app permissions. Result: " << result);
2033 result = app_revoke_permissions(APP_FRIEND_2);
2034 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2035 "Error revoking app permissions. Result: " << result);
2037 app_uninstall(APP_FRIEND_1);
2038 app_uninstall(APP_FRIEND_2);
2040 // Installing friends to be
2041 result = app_install(APP_FRIEND_1);
2042 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2043 " Error installing first app. Result: " << result);
2044 result = app_install(APP_FRIEND_2);
2045 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2046 " Error installing second app. Result: " << result);
2049 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2050 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2051 " Error making friends. Errno: " << result);
2053 // Checking if friends were made
2054 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
2055 RUNNER_ASSERT_MSG(result == 1,
2056 " Error first one sided friednship failed. Result: " << result);
2057 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
2058 RUNNER_ASSERT_MSG(result == 1,
2059 " Error second one sided friednship failed. Result: " << result);
2062 result = app_revoke_permissions(APP_FRIEND_1);
2063 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2064 "Error revoking app permissions. Result: " << result);
2065 result = app_revoke_permissions(APP_FRIEND_2);
2066 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2067 "Error revoking app permissions. Result: " << result);
2069 app_uninstall(APP_FRIEND_1);
2070 app_uninstall(APP_FRIEND_2);
2073 * Test - making friends with nonexisting friend
2076 // Installing one friend
2077 result = app_install(APP_FRIEND_1);
2078 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2079 " Error installing first app. Errno: " << result);
2081 // Adding imaginairy friend as second
2082 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2083 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2084 " Error making friends (first) with imaginairy friend failed. Result: "
2086 // Adding imaginairy friend as first
2087 result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
2088 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2089 " Error making friends (second) with imaginairy friend failed. Result: "
2092 result = app_revoke_permissions(APP_FRIEND_1);
2093 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2094 "Error revoking app permissions. Result: " << result);
2095 result = app_revoke_permissions(APP_FRIEND_2);
2096 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2097 "Error revoking app permissions. Result: " << result);
2099 app_uninstall(APP_FRIEND_1);
2100 app_uninstall(APP_FRIEND_2);
2103 * Test - making friends with some permissions already added
2108 struct smack_accesses * rulesFriend = NULL;
2110 std::vector<std::string> accessesFriend =
2111 { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
2113 // Installing friends to be
2114 result = app_install(APP_FRIEND_1);
2115 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2116 " Error installing first app. Result: " << result);
2117 result = app_install(APP_FRIEND_2);
2118 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2119 " Error installing second app. Result: " << result);
2121 for(i = 0; i<accessesFriend.size(); ++i)
2123 for(j = 0; j<accessesFriend.size(); ++j)
2126 // Adding rules before making friends
2127 result = smack_accesses_new(&rulesFriend);
2128 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2129 "Error in smack_accesses_new. Result: " << result);
2131 result = smack_accesses_add(rulesFriend,
2132 APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
2133 RUNNER_ASSERT_MSG(result == 0,
2134 "Unable to add modify rulesFirend (first). Result: " << result);
2135 result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
2136 APP_FRIEND_1, accessesFriend[j].c_str());
2137 RUNNER_ASSERT_MSG(result == 0,
2138 "Unable to add modify rulesFirend (second). Result: " << result);
2140 result = smack_accesses_apply(rulesFriend);
2141 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2142 "Error in smack_accesses_apply. Result: " << result);
2145 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2146 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2147 " Error making friends. Result: " << result);
2149 // Checking if friends were made
2150 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
2151 RUNNER_ASSERT_MSG(result == 1,
2152 " Error first one sided friednship failed. Result: " << result);
2153 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
2154 RUNNER_ASSERT_MSG(result == 1,
2155 " Error second one sided friednship failed. Result: " << result);
2157 // Deleting all rules between friends
2158 smack_accesses_add_modify(rulesFriend,
2159 APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
2160 smack_accesses_add_modify(rulesFriend,
2161 APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
2163 result = smack_accesses_apply(rulesFriend);
2165 smack_accesses_free(rulesFriend);
2172 result = app_revoke_permissions(APP_FRIEND_1);
2173 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2174 "Error revoking app permissions. Result: " << result);
2175 result = app_revoke_permissions(APP_FRIEND_2);
2176 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2177 "Error revoking app permissions. Result: " << result);
2179 app_uninstall(APP_FRIEND_1);
2180 app_uninstall(APP_FRIEND_2);
2183 static void smack_set_random_label_based_on_pid_on_self(void)
2186 std::stringstream ss;
2188 ss << "s-" << getpid() << "-" << getppid();
2189 result = smack_set_label_for_self(ss.str().c_str());
2190 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
2191 << ss.str().c_str() << ") failed");
2194 static void smack_unix_sock_server(int sock)
2200 fd = accept(sock, NULL, NULL);
2204 result = smack_new_label_from_self(&smack_label);
2209 RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
2211 result = write(fd, smack_label, strlen(smack_label));
2212 if(result != (int)strlen(smack_label)){
2216 RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
2222 RUNNER_TEST(privilege_control15_app_id_from_socket)
2225 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
2229 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2231 smack_set_random_label_based_on_pid_on_self();
2233 if (!pid) { /* child process, server */
2236 /* Set the process label before creating a socket */
2237 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2238 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
2240 (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
2243 RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
2245 result = listen(sock, 1);
2248 RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
2250 smack_unix_sock_server(sock);
2252 /* Change the process label with listening socket */
2253 smack_unix_sock_server(sock);
2256 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2257 /* Now running two concurrent servers.
2258 Test if socket label was unaffected by fork() */
2259 smack_unix_sock_server(sock);
2260 /* Let's give the two servers different labels */
2261 smack_unix_sock_server(sock);
2263 waitpid(pid, NULL, 0);
2265 } else { /* parent process, client */
2266 sleep(1); /* Give server some time to setup listening socket */
2268 for (i = 0; i < 4; ++i) {
2271 char smack_label1[SMACK_LABEL_LEN + 1];
2274 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2275 RUNNER_ASSERT_MSG(sock >= 0,
2276 "socket failed: " << strerror(errno));
2277 result = connect(sock,
2278 (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
2281 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
2285 result = read(sock, smack_label1, SMACK_LABEL_LEN);
2289 RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
2291 smack_label1[result] = '\0';
2292 smack_label2 = app_id_from_socket(sock);
2293 if(smack_label2 == NULL){
2295 RUNNER_ASSERT_MSG(0, "app_id_from_socket failed");
2297 result = strcmp(smack_label1, smack_label2);
2300 RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
2301 << "' != '" << smack_label2 << "-" << random() << "'");
2305 waitpid(pid, NULL, 0);
2309 RUNNER_TEST(privilege_control16_app_setup_path){
2310 const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
2311 const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
2312 const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
2313 const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
2314 const char *label1 = "qwert123456za";
2315 const char *label2 = "trewq654123az";
2317 std::unique_ptr<char, std::function<void(void*)>> labelPtr(NULL,free);
2322 int fd = creat(path3, S_IRWXU);
2325 fd = creat(path4, S_IRWXU);
2331 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
2332 RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
2333 labelPtr.reset(label);
2335 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
2337 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
2338 RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
2339 labelPtr.reset(label);
2341 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2));
2343 RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
2344 labelPtr.reset(label);
2346 RUNNER_ASSERT(labelPtr.get() == NULL);
2349 RUNNER_TEST(privilege_control17_appsettings_privilege)
2351 #define APP_1 "app_1"
2352 #define APP_1_DIR "/tmp/app_1"
2354 #define APP_2 "app_2"
2355 #define APP_2_DIR "/tmp/app_2"
2357 #define APP_TEST "app_test"
2359 #define PRIV_APPSETTING (const char*[]){"http://tizen.org/privilege/appsetting", NULL}
2362 char* app1_dir_label;
2363 char* app2_dir_label;
2367 (void)app_uninstall(APP_TEST);
2368 (void)app_uninstall(APP_1);
2369 (void)app_uninstall(APP_2);
2371 //install some app 1
2372 ret = app_install(APP_1);
2373 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install." << ret);
2375 mkdir(APP_1_DIR, S_IRWXU|S_IRGRP|S_IXGRP);
2377 //register settings folder for app 1
2378 ret = app_setup_path(APP_1, APP_1_DIR , APP_PATH_SETTINGS_RW );
2379 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret);
2381 //install "app_test" and give it appsettings privilege
2382 ret = app_install(APP_TEST);
2383 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install.");
2386 ret = app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
2388 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
2389 " Error enabling app permissions. Result: " << ret);
2391 //check if "app_test" has an RX access to the app "app_1"
2392 ret = smack_have_access(APP_TEST, APP_1, "rx");
2393 RUNNER_ASSERT_MSG(ret,"access denies");
2396 //check if "app_test" has an RWX access to a folder registered by "app_1"
2397 ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
2398 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2399 ret = smack_have_access(APP_TEST, app1_dir_label, "rwx");
2400 RUNNER_ASSERT_MSG(ret,"access denies");
2403 //intstall another app: "app_2"
2404 ret = app_install(APP_2);
2405 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install.");
2407 mkdir(APP_2_DIR, S_IRWXU|S_IRGRP|S_IXGRP);
2408 //register settings folder for that "app_2"
2409 ret = app_setup_path(APP_2, APP_2_DIR , APP_PATH_SETTINGS_RW );
2410 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret);
2412 //check if "app_test" has an RX access to the app "app_2"
2413 ret = smack_have_access(APP_TEST, APP_2, "rx");
2414 RUNNER_ASSERT_MSG(ret,"access denies");
2416 //check if "app_test" has an RWX access to a folder registered by "app_2"
2417 ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS );
2418 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2419 ret = smack_have_access(APP_TEST, app2_dir_label, "rwx");
2420 RUNNER_ASSERT_MSG(ret,"access denies");
2422 free (app1_dir_label);
2423 free (app2_dir_label);
2427 (void)app_uninstall(APP_TEST);
2428 (void)app_uninstall(APP_1);
2429 (void)app_uninstall(APP_2);
2434 RUNNER_TEST(privilege_control18_app_setup_path_public)
2438 cleaning_smack_database_files();
2441 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2442 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2444 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2445 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2447 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
2448 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
2450 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
2451 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2453 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2454 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2456 cleaning_smack_database_files();
2459 RUNNER_TEST(privilege_control19_app_setup_path_settings)
2463 cleaning_smack_database_files();
2466 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2467 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2469 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2470 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2472 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
2473 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
2475 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir, FTW_MAX_FDS, FTW_PHYS);
2476 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2478 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2479 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2481 cleaning_smack_database_files();