2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runer
34 #include <dpl/test/test_runner.h>
35 #include <dpl/test/test_runner_child.h>
36 #include <dpl/log/log.h>
37 #include <sys/types.h>
40 #include <sys/xattr.h>
41 #include <sys/smack.h>
42 #include <sys/types.h>
43 #include <sys/socket.h>
46 #include <privilege-control.h>
50 #include <tests_common.h>
52 #define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/"
53 #define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
54 #define SMACK_LOAD2 "/smack/load2"
55 #define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
56 #define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
57 #define APPID_DIR "test_APP_ID_dir"
58 #define APPID_SHARED_DIR "test_APP_ID_shared_dir"
59 #define CANARY_LABEL "tiny_yellow_canary"
61 #define APP_ID "test_APP"
62 #define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
63 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
65 #define WGT_APP_ID "QwCqJ0ttyS"
66 #define WGT_PARTNER_APP_ID "7btsV1Y0sX"
67 #define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
68 #define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
69 #define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
70 #define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
71 #define OSP_APP_ID "uqNfgEjqc7"
72 #define OSP_PARTNER_APP_ID "j4RuPsZrNt"
73 #define OSP_PLATFORM_APP_ID "V5LKqDFBXm"
74 #define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp"
75 #define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner"
76 #define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform"
77 #define EARLY_RULE_SUBJECT "livebox.web-provider"
78 #define EARLY_RULE_RIGHTS "rwx---"
80 const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
81 const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
82 const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
83 const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
84 const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
85 const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
86 const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
88 #define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
89 #define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
90 #define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
91 #define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac"
93 #define APP_TEST_APP_1 "test-application1"
94 #define APP_TEST_APP_2 "test-application_2"
95 #define APP_TEST_APP_3 "test-app-3"
96 #define APP_TEST_AV_1 "test-antivirus1"
97 #define APP_TEST_AV_2 "test-antivirus_2"
98 #define APP_TEST_AV_3 "test-av-3"
100 #define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
101 #define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
102 #define SMACK_PUBLIC_DIRS_DATABASE "/opt/dbspace/.privilege_control_public_dirs.db"
103 #define SMACK_APPS_SETTINGS_LABELS_DATABASE "/opt/dbspace/.privilege_control_app_setting.db"
104 #define SMACK_SETTINGS_DIRS_DATABASE "/opt/dbspace/.privilege_control_setting_dir.db"
106 #define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1"
107 #define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2"
108 #define APP_TEST_AV_ASP1 "test-app-av-asp1"
109 #define APP_TEST_AV_ASP2 "test-app-av-asp2"
111 #define SOCK_PATH "/tmp/test-smack-socket"
115 #define APP_USER_NAME "app"
116 #define APP_HOME_DIR "/opt/home/app"
118 #define APP_FRIEND_1 "app_friend_1"
119 #define APP_FRIEND_2 "app_friend_2"
121 #define SMACK_ACC_LEN 6
123 // How many open file descriptors should ftw() function use?
124 #define FTW_MAX_FDS 16
126 // Rules from test_privilege_control_rules.smack
127 const std::vector< std::vector<std::string> > rules = {
128 { APP_ID, "test_book_1", "r" },
129 { APP_ID, "test_book_2", "w" },
130 { APP_ID, "test_book_3", "x" },
131 { APP_ID, "test_book_4", "rw" },
132 { APP_ID, "test_book_5", "rx" },
133 { APP_ID, "test_book_6", "wx" },
134 { APP_ID, "test_book_7", "rwx" },
135 { "test_subject_1", APP_ID, "r" },
136 { "test_subject_2", APP_ID, "w" },
137 { "test_subject_3", APP_ID, "x" },
138 { "test_subject_4", APP_ID, "rw" },
139 { "test_subject_5", APP_ID, "rx" },
140 { "test_subject_6", APP_ID, "wx" },
141 { "test_subject_7", APP_ID, "rwx" },
142 { APP_ID, APPID_SHARED_DIR, "rwxat"}
145 // Rules from test_privilege_control_rules2.smack
146 const std::vector< std::vector<std::string> > rules2 = {
147 { APP_ID, "test_book_8", "r" },
148 { APP_ID, "test_book_9", "w" },
149 { APP_ID, "test_book_10", "x" },
150 { APP_ID, "test_book_11", "rw" },
151 { APP_ID, "test_book_12", "rx" },
152 { APP_ID, "test_book_13", "wx" },
153 { APP_ID, "test_book_14", "rwx" },
154 { APP_ID, "test_book_15", "rwxat" },
155 { "test_subject_8", APP_ID, "r" },
156 { "test_subject_9", APP_ID, "w" },
157 { "test_subject_10", APP_ID, "x" },
158 { "test_subject_11", APP_ID, "rw" },
159 { "test_subject_12", APP_ID, "rx" },
160 { "test_subject_13", APP_ID, "wx" },
161 { "test_subject_14", APP_ID, "rwx" },
162 { "test_subject_15", APP_ID, "rwxat" }
165 // Rules from test_privilege_control_rules_no_r.smack
166 const std::vector< std::vector<std::string> > rules2_no_r = {
167 { APP_ID, "test_book_9", "w" },
168 { APP_ID, "test_book_10", "x" },
169 { APP_ID, "test_book_11", "w" },
170 { APP_ID, "test_book_12", "x" },
171 { APP_ID, "test_book_13", "wx" },
172 { APP_ID, "test_book_14", "wx" },
173 { APP_ID, "test_book_15", "wxat" },
174 { "test_subject_9", APP_ID, "w" },
175 { "test_subject_10", APP_ID, "x" },
176 { "test_subject_11", APP_ID, "w" },
177 { "test_subject_12", APP_ID, "x" },
178 { "test_subject_13", APP_ID, "wx" },
179 { "test_subject_14", APP_ID, "wx" },
180 { "test_subject_15", APP_ID, "wxat" }
183 // Rules from test_privilege_control_rules.smack
184 // minus test_privilege_control_rules_no_r.smack
185 const std::vector< std::vector<std::string> > rules2_r = {
186 { APP_ID, "test_book_8", "r" },
187 { APP_ID, "test_book_11", "r" },
188 { APP_ID, "test_book_12", "r" },
189 { APP_ID, "test_book_14", "r" },
190 { APP_ID, "test_book_15", "r" },
191 { "test_subject_8", APP_ID, "r" },
192 { "test_subject_11", APP_ID, "r" },
193 { "test_subject_12", APP_ID, "r" },
194 { "test_subject_14", APP_ID, "r" },
195 { "test_subject_15", APP_ID, "r" }
198 // Rules from test_privilege_control_rules_wgt.smack for wgt
199 const std::vector< std::vector<std::string> > rules_wgt = {
200 { WGT_APP_ID, "test_book_8", "r" },
201 { WGT_APP_ID, "test_book_9", "w" },
202 { WGT_APP_ID, "test_book_10", "x" },
203 { WGT_APP_ID, "test_book_11", "rw" },
204 { WGT_APP_ID, "test_book_12", "rx" },
205 { WGT_APP_ID, "test_book_13", "wx" },
206 { WGT_APP_ID, "test_book_14", "rwx" },
207 { WGT_APP_ID, "test_book_15", "rwxat" },
208 { "test_subject_8", WGT_APP_ID, "r" },
209 { "test_subject_9", WGT_APP_ID, "w" },
210 { "test_subject_10", WGT_APP_ID, "x" },
211 { "test_subject_11", WGT_APP_ID, "rw" },
212 { "test_subject_12", WGT_APP_ID, "rx" },
213 { "test_subject_13", WGT_APP_ID, "wx" },
214 { "test_subject_14", WGT_APP_ID, "rwx" },
215 { "test_subject_15", WGT_APP_ID, "rwxat" }
218 // Rules from test_privilege_control_rules_wgt.smack for wgt_partner
219 const std::vector< std::vector<std::string> > rules_wgt_partner = {
220 { WGT_PARTNER_APP_ID, "test_book_8", "r" },
221 { WGT_PARTNER_APP_ID, "test_book_9", "w" },
222 { WGT_PARTNER_APP_ID, "test_book_10", "x" },
223 { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
224 { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
225 { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
226 { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
227 { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
228 { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
229 { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
230 { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
231 { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
232 { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
233 { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
234 { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
235 { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }
238 // Rules from test_privilege_control_rules_wgt.smack for wgt_platform
239 const std::vector< std::vector<std::string> > rules_wgt_platform = {
240 { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
241 { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
242 { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
243 { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
244 { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
245 { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
246 { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
247 { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
248 { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
249 { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
250 { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
251 { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
252 { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
253 { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
254 { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
255 { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }
258 // Rules from test_privilege_control_rules_osp.smack for osp
259 const std::vector< std::vector<std::string> > rules_osp = {
260 { OSP_APP_ID, "test_book_8", "r" },
261 { OSP_APP_ID, "test_book_9", "w" },
262 { OSP_APP_ID, "test_book_10", "x" },
263 { OSP_APP_ID, "test_book_11", "rw" },
264 { OSP_APP_ID, "test_book_12", "rx" },
265 { OSP_APP_ID, "test_book_13", "wx" },
266 { OSP_APP_ID, "test_book_14", "rwx" },
267 { OSP_APP_ID, "test_book_15", "rwxat" },
268 { "test_subject_8", OSP_APP_ID, "r" },
269 { "test_subject_9", OSP_APP_ID, "w" },
270 { "test_subject_10", OSP_APP_ID, "x" },
271 { "test_subject_11", OSP_APP_ID, "rw" },
272 { "test_subject_12", OSP_APP_ID, "rx" },
273 { "test_subject_13", OSP_APP_ID, "wx" },
274 { "test_subject_14", OSP_APP_ID, "rwx" },
275 { "test_subject_15", OSP_APP_ID, "rwxat" }
278 // Rules from test_privilege_control_rules_osp.smack for osp_partner
279 const std::vector< std::vector<std::string> > rules_osp_partner = {
280 { OSP_PARTNER_APP_ID, "test_book_8", "r" },
281 { OSP_PARTNER_APP_ID, "test_book_9", "w" },
282 { OSP_PARTNER_APP_ID, "test_book_10", "x" },
283 { OSP_PARTNER_APP_ID, "test_book_11", "rw" },
284 { OSP_PARTNER_APP_ID, "test_book_12", "rx" },
285 { OSP_PARTNER_APP_ID, "test_book_13", "wx" },
286 { OSP_PARTNER_APP_ID, "test_book_14", "rwx" },
287 { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" },
288 { "test_subject_8", OSP_PARTNER_APP_ID, "r" },
289 { "test_subject_9", OSP_PARTNER_APP_ID, "w" },
290 { "test_subject_10", OSP_PARTNER_APP_ID, "x" },
291 { "test_subject_11", OSP_PARTNER_APP_ID, "rw" },
292 { "test_subject_12", OSP_PARTNER_APP_ID, "rx" },
293 { "test_subject_13", OSP_PARTNER_APP_ID, "wx" },
294 { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" },
295 { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" }
298 // Rules from test_privilege_control_rules_osp.smack for osp_platform
299 const std::vector< std::vector<std::string> > rules_osp_platform = {
300 { OSP_PLATFORM_APP_ID, "test_book_8", "r" },
301 { OSP_PLATFORM_APP_ID, "test_book_9", "w" },
302 { OSP_PLATFORM_APP_ID, "test_book_10", "x" },
303 { OSP_PLATFORM_APP_ID, "test_book_11", "rw" },
304 { OSP_PLATFORM_APP_ID, "test_book_12", "rx" },
305 { OSP_PLATFORM_APP_ID, "test_book_13", "wx" },
306 { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" },
307 { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" },
308 { "test_subject_8", OSP_PLATFORM_APP_ID, "r" },
309 { "test_subject_9", OSP_PLATFORM_APP_ID, "w" },
310 { "test_subject_10", OSP_PLATFORM_APP_ID, "x" },
311 { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" },
312 { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" },
313 { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" },
314 { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" },
315 { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }
319 typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
321 const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
322 const char *WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack";
323 const char *OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack";
324 const char *OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac";
325 const char *WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac";
326 const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
327 const char *BLAHBLAH_FEATURE = "http://feature/blah/blahblah";
330 * Check if every rule is true.
331 * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
333 int test_have_all_accesses(const std::vector< std::vector<std::string> > &rules)
336 for (uint i = 0; i < rules.size(); ++i) {
337 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
345 * Check if every rule is true.
346 * @return 1 if ANY rule in SMACK, 0 if
348 int test_have_any_accesses(const std::vector< std::vector<std::string> > &rules)
351 for (uint i = 0; i < rules.size(); ++i) {
352 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
359 int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
360 int /*typeflag*/, struct FTW* /*ftwbuf*/)
362 smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
363 smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
364 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
369 int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
370 int /*typeflag*/, struct FTW* /*ftwbuf*/)
372 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
373 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
374 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
379 int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
380 int /*typeflag*/, struct FTW* /*ftwbuf*/)
386 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
387 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
388 result = strcmp(CANARY_LABEL, label);
389 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
392 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
393 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
394 result = strcmp(CANARY_LABEL, label);
395 RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
398 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
399 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
400 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
405 int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
406 int /*typeflag*/, struct FTW* /*ftwbuf*/)
412 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
413 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
414 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
415 result = strcmp(APPID_DIR, label);
416 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
419 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
420 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
421 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
422 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
423 result = strcmp(APPID_DIR, label);
424 RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
425 } else if (S_ISLNK(sb->st_mode)) {
427 char *target = realpath(fpath, NULL);
428 RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
430 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
431 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
433 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
434 result = strcmp(APPID_DIR, label);
435 RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
438 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
441 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
442 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
443 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
448 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
449 int /*typeflag*/, struct FTW* /*ftwbuf*/)
455 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
456 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
457 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
458 result = strcmp(APPID_SHARED_DIR, label);
459 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
461 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
462 RUNNER_ASSERT_MSG(result == 1,
463 "Error rwxat access was not given shared dir. Subject: " <<
464 APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
466 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
467 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
468 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
471 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
472 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
473 if (S_ISDIR(sb->st_mode)) {
474 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
475 result = strcmp("TRUE", label);
476 RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
478 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
483 int check_labels_dir(const char *fpath, const struct stat *sb,
484 const char *labels_db_path, const char *dir_db_path,
490 char *scanf_label_format;
491 char label_temp[SMACK_LABEL_LEN + 1];
495 result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
496 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
497 RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
500 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
503 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
508 RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
512 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
516 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
518 if (S_ISDIR(sb->st_mode)) {
522 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
524 result = strcmp("TRUE", label);
528 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
530 } else if (label != NULL) {
533 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
538 if (0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)) {
540 RUNNER_ASSERT_MSG(false, "asprintf failed");
543 file_db = fopen(labels_db_path, "r");
544 if (file_db == NULL) {
546 free(scanf_label_format);
547 RUNNER_ASSERT_MSG(false, "Can not open database for apps");
549 while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
550 result = smack_have_access(label_temp, label_gen, access);
554 free(scanf_label_format);
555 RUNNER_ASSERT_MSG(false,
556 "Error " << access << " access was not given for subject: "
557 << label_temp << ". Result: " << result);
562 file_db = fopen(dir_db_path, "r");
563 if (file_db == NULL) {
565 free(scanf_label_format);
566 RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
569 while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
570 if (strcmp(label_gen, label_temp) == 0) {
575 free(scanf_label_format);
579 RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
584 int nftw_check_labels_app_public_dir(const char *fpath, const struct stat *sb,
585 int /*typeflag*/, struct FTW* /*ftwbuf*/)
587 return check_labels_dir(fpath, sb,
588 SMACK_APPS_LABELS_DATABASE,
589 SMACK_PUBLIC_DIRS_DATABASE, "rx");
592 int nftw_check_labels_app_settings_dir(const char *fpath, const struct stat *sb,
593 int /*typeflag*/, struct FTW* /*ftwbuf*/)
595 return check_labels_dir(fpath, sb,
596 SMACK_APPS_SETTINGS_LABELS_DATABASE,
597 SMACK_SETTINGS_DIRS_DATABASE, "rwx");
600 int file_exists(const char *path)
602 FILE *file = fopen(path, "r");
610 void osp_blahblah_check(int line_no, const std::vector<std::string> &rules)
612 std::ifstream smack_file(OSP_BLAHBLAH);
613 RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
615 auto it = rules.begin();
617 while (std::getline(smack_file,line)) {
618 RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
619 RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
623 RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
628 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids)
630 std::ifstream dac_file(OSP_BLAHBLAH_DAC);
631 RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC);
633 auto it = gids.begin();
635 while (std::getline(dac_file,line)) {
636 std::istringstream is(line);
639 RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
640 RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
644 RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
649 void remove_smack_files()
652 unlink(OSP_BLAHBLAH);
653 unlink(WRT_BLAHBLAH);
654 unlink(OTHER_BLAHBLAH);
655 unlink(OSP_BLAHBLAH_DAC);
656 unlink(WRT_BLAHBLAH_DAC);
657 unlink(OTHER_BLAHBLAH_DAC);
660 int cleaning_smack_app_files (void)
662 unlink(SMACK_RULES_DIR APP_TEST_APP_1);
664 unlink(SMACK_RULES_DIR APP_TEST_APP_2);
666 unlink(SMACK_RULES_DIR APP_TEST_APP_3);
668 unlink(SMACK_RULES_DIR APP_TEST_AV_1);
670 unlink(SMACK_RULES_DIR APP_TEST_AV_2);
672 unlink(SMACK_RULES_DIR APP_TEST_AV_3);
677 int cleaning_smack_database_files (void)
682 unlink(SMACK_APPS_LABELS_DATABASE);
683 fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
689 unlink(SMACK_AVS_LABELS_DATABASE);
690 fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
695 //clean app settings database
696 unlink(SMACK_APPS_SETTINGS_LABELS_DATABASE);
697 fd = open(SMACK_APPS_SETTINGS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
702 //clean public dirs database
703 unlink(SMACK_PUBLIC_DIRS_DATABASE);
704 fd = open(SMACK_PUBLIC_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
709 //clean settings dirs database
710 unlink(SMACK_SETTINGS_DIRS_DATABASE);
711 fd = open(SMACK_SETTINGS_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
719 void add_lables_to_db()
723 file_db = fopen(SMACK_AVS_LABELS_DATABASE, "a");
724 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
725 << SMACK_AVS_LABELS_DATABASE << " can not be opened to apend!");
726 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
728 RUNNER_ASSERT_MSG(false, "Error writing to database file");
730 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
732 RUNNER_ASSERT_MSG(false, "Error writing to database file");
736 file_db = fopen(SMACK_APPS_SETTINGS_LABELS_DATABASE, "a");
737 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
738 << SMACK_APPS_SETTINGS_LABELS_DATABASE << " can not be opened to apend!");
739 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
741 RUNNER_ASSERT_MSG(false, "Error writing to database file");
743 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
745 RUNNER_ASSERT_MSG(false, "Error writing to database file");
749 file_db = fopen(SMACK_APPS_LABELS_DATABASE, "a");
750 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
751 << SMACK_APPS_LABELS_DATABASE << " can not be opened to apend!");
752 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
754 RUNNER_ASSERT_MSG(false, "Error writing to database file");
756 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
758 RUNNER_ASSERT_MSG(false, "Error writing to database file");
760 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
762 RUNNER_ASSERT_MSG(false, "Error writing to database file");
764 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
766 RUNNER_ASSERT_MSG(false, "Error writing to database file");
772 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
775 * Test setting labels for all files and folders in given path.
777 RUNNER_TEST(privilege_control02_app_label_dir)
781 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
782 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
784 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
785 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
787 result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
788 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
790 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
791 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
793 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
794 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
797 RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir)
801 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
802 RUNNER_ASSERT_MSG(result != 0, "perm_app_setup_path(APP_ID, APP_ID) didn't fail");
804 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
805 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
807 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
808 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
810 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
811 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
813 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
814 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
816 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
817 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
821 * Add permisions from test_privilege_control_rules template
823 RUNNER_TEST_SMACK(privilege_control04_add_permissions)
825 int result = app_add_permissions(APP_ID, PRIVS);
826 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
827 " Error adding app permissions. Result: " << result);
829 // Check if the accesses are realy applied..
830 result = test_have_all_accesses(rules);
831 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
834 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
835 RUNNER_ASSERT_MSG(pFile != NULL,
836 "SMACK file NOT created!. Errno: " << errno);
839 fseek(pFile, 0L, SEEK_END);
840 int smack_file_length = ftell(pFile);
841 RUNNER_ASSERT_MSG(smack_file_length > 0,
842 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
849 * Revoke permissions from the list. Should be executed as privileged user.
851 RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
855 // Revoke permissions
856 result = perm_app_revoke_permissions(APP_ID);
857 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
858 "Error revoking app permissions. Result: " << result);
860 result = perm_app_revoke_permissions(WGT_APP_ID);
861 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
862 "Error revoking app permissions. Result: " << result);
863 result = perm_app_revoke_permissions(WGT_PARTNER_APP_ID);
864 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
865 "Error revoking app permissions. Result: " << result);
866 result = perm_app_revoke_permissions(WGT_PLATFORM_APP_ID);
867 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
868 "Error revoking app permissions. Result: " << result);
870 result = perm_app_revoke_permissions(OSP_APP_ID);
871 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
872 "Error revoking app permissions. Result: " << result);
873 result = perm_app_revoke_permissions(OSP_PARTNER_APP_ID);
874 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
875 "Error revoking app permissions. Result: " << result);
876 result = perm_app_revoke_permissions(OSP_PLATFORM_APP_ID);
877 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
878 "Error revoking app permissions. Result: " << result);
880 // Are all the permissions revoked?
881 result = test_have_any_accesses(rules);
882 RUNNER_ASSERT_MSG(result != 1, "Not all permisions revoked.");
883 result = test_have_any_accesses(rules_wgt);
884 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
885 result = test_have_any_accesses(rules_wgt_partner);
886 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
887 result = test_have_any_accesses(rules_wgt_platform);
888 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
890 result = test_have_any_accesses(rules);
891 RUNNER_ASSERT_MSG(result != 1, "Not all permisions revoked.");
892 result = test_have_any_accesses(rules_osp);
893 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
894 result = test_have_any_accesses(rules_osp_partner);
895 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
896 result = test_have_any_accesses(rules_osp_platform);
897 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
899 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
900 RUNNER_ASSERT_MSG(pFile != NULL,
901 "SMACK file removed!. Errno: " << errno);
903 fseek(pFile, 0L, SEEK_END);
904 int smack_file_length = ftell(pFile);
907 RUNNER_ASSERT_MSG(smack_file_length == 0,
908 "SMACK file not empty.. Errno: " << errno);
910 pFile = fopen(SMACK_RULES_DIR WGT_APP_ID, "rb");
911 RUNNER_ASSERT_MSG(pFile != NULL,
912 "SMACK file removed!. Errno: " << errno);
914 fseek(pFile, 0L, SEEK_END);
915 smack_file_length = ftell(pFile);
918 RUNNER_ASSERT_MSG(smack_file_length == 0,
919 "SMACK file not empty.. Errno: " << errno);
921 pFile = fopen(SMACK_RULES_DIR WGT_PARTNER_APP_ID, "rb");
922 RUNNER_ASSERT_MSG(pFile != NULL,
923 "SMACK file removed!. Errno: " << errno);
925 fseek(pFile, 0L, SEEK_END);
926 smack_file_length = ftell(pFile);
929 RUNNER_ASSERT_MSG(smack_file_length == 0,
930 "SMACK file not empty.. Errno: " << errno);
932 pFile = fopen(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, "rb");
933 RUNNER_ASSERT_MSG(pFile != NULL,
934 "SMACK file removed!. Errno: " << errno);
936 fseek(pFile, 0L, SEEK_END);
937 smack_file_length = ftell(pFile);
940 RUNNER_ASSERT_MSG(smack_file_length == 0,
941 "SMACK file not empty.. Errno: " << errno);
943 pFile = fopen(SMACK_RULES_DIR OSP_APP_ID, "rb");
944 RUNNER_ASSERT_MSG(pFile != NULL,
945 "SMACK file removed!. Errno: " << errno);
947 fseek(pFile, 0L, SEEK_END);
948 smack_file_length = ftell(pFile);
951 RUNNER_ASSERT_MSG(smack_file_length == 0,
952 "SMACK file not empty.. Errno: " << errno);
954 pFile = fopen(SMACK_RULES_DIR OSP_PARTNER_APP_ID, "rb");
955 RUNNER_ASSERT_MSG(pFile != NULL,
956 "SMACK file removed!. Errno: " << errno);
958 fseek(pFile, 0L, SEEK_END);
959 smack_file_length = ftell(pFile);
962 RUNNER_ASSERT_MSG(smack_file_length == 0,
963 "SMACK file not empty.. Errno: " << errno);
965 pFile = fopen(SMACK_RULES_DIR OSP_PLATFORM_APP_ID, "rb");
966 RUNNER_ASSERT_MSG(pFile != NULL,
967 "SMACK file removed!. Errno: " << errno);
969 fseek(pFile, 0L, SEEK_END);
970 smack_file_length = ftell(pFile);
973 RUNNER_ASSERT_MSG(smack_file_length == 0,
974 "SMACK file not empty.. Errno: " << errno);
977 static void read_gids(std::set<unsigned> &set, const char *file_path)
979 FILE *f = fopen(file_path, "r");
980 RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
982 while (fscanf(f, "%u\n", &gid) == 1) {
987 RUNNER_TEST_SMACK(privilege_control05_add_shared_dir_readers)
989 #define TEST_OBJ "TEST_OBJECT"
990 #define TEST_OBJ_SOME_OTHER "TEST_OBJA"
991 #define test_string_01 "TEST_raz TEST_OBJECT r-x--- ------"
992 #define test_string_21 "TEST_trzy TEST_OBJA -wx---\n"
993 #define test_string_22 "TEST_trzy TEST_OBJECT r-x--- ------\n"
1000 const char *app_labels_wrong[] = {"-TEST_raz", NULL};
1001 const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
1002 const int READ_BUF_SIZE = 1000;
1003 char buf[READ_BUF_SIZE];
1005 struct smack_accesses *rules = NULL;
1007 //test environment cleaning
1008 cleaning_smack_app_files();
1009 cleaning_smack_database_files();
1011 //test what happens when the label is not correct SMACK label
1012 result = smack_accesses_new(&rules);
1013 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new.");
1015 result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong);
1016 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here");
1018 result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx");
1019 RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here");
1021 smack_accesses_free(rules);
1023 //ok, now the correct list of apps
1024 result = smack_accesses_new(&rules);
1025 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new.");
1027 for (i = 0; i < 3; i++) {
1029 result = perm_app_revoke_permissions(app_labels[i]);
1030 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_revoke_permissions.");
1031 result = perm_app_uninstall(app_labels[i]);
1032 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
1033 result = perm_app_install(app_labels[i]);
1034 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
1036 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i]));
1037 fd = open(path, O_WRONLY, 0644);
1038 RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path);
1041 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
1042 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
1045 smack_accesses_free(rules);
1046 result = smack_accesses_new(&rules);
1047 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
1048 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
1050 result = smack_accesses_apply(rules);
1051 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
1053 result = smack_accesses_save(rules, fd);
1054 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
1060 smack_accesses_free(rules);
1062 // THE TEST - accesses
1064 result = add_shared_dir_readers(TEST_OBJ,app_labels);
1065 RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed");
1067 result = smack_have_access(app_labels[0],TEST_OBJ,"rx");
1068 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1070 result = smack_have_access(app_labels[1],TEST_OBJ,"rx");
1071 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1073 result = smack_have_access(app_labels[2],TEST_OBJ,"rx");
1074 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1076 result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt");
1077 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1079 result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx");
1080 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1083 //TEST the operations on empty files
1085 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0]));
1086 file = fopen(path, "r");
1088 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
1090 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1091 result = strcmp(buf, test_string_01);
1092 RUNNER_ASSERT_MSG( result != 0, "add_shared_dir_readers ERROR, file not formatted" << path);
1097 //TEST the operations on non empty files
1098 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2]));
1100 file = fopen(path, "r");
1101 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
1103 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1104 result = strcmp(buf, test_string_21);
1105 RUNNER_ASSERT_MSG( result == 0, "add_shared_dir_readers ERROR, file not formatted" << path);
1107 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1108 result = strcmp(buf, test_string_22);
1109 RUNNER_ASSERT_MSG( result == 0, "add_shared_dir_readers ERROR, file not formatted" << path);
1117 * Set APP privileges.
1120 void check_groups(const char *dac_file)
1122 std::set<unsigned> groups_check;
1123 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
1124 read_gids(groups_check, dac_file);
1126 int groups_cnt = getgroups(0, NULL);
1127 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
1128 gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
1129 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
1130 RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
1132 for (int i = 0; i < groups_cnt; ++i) {
1133 //getgroups() can return multiple number of the same group
1134 //they are returned in sequence, so we will given number when last
1135 //element of this number is reached
1136 if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i]))
1138 if (groups_check.erase(groups_list[i]) == 0) {
1139 // getgroups() may also return process' main group
1140 if (groups_list[i] != getgid())
1141 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
1145 std::string groups_left;
1146 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
1147 groups_left.append(std::to_string(*it)).append(" ");
1149 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
1152 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege)
1156 // Preset exec label
1157 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
1158 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
1161 * TODO This test should also verify perm_app_set_privilege behavior for OSP and
1162 * WRT apps. To do that we'll have to install real apps on device as a
1166 // Set APP privileges
1167 result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
1168 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1170 // Check if SMACK label really set
1172 result = smack_new_label_from_self(&label);
1173 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1174 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1175 result = strcmp(APP_ID, label);
1176 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1178 // Check if DAC privileges really set
1179 RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
1180 RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
1182 result = strcmp(getenv("HOME"), APP_HOME_DIR);
1183 RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR");
1185 result = strcmp(getenv("USER"), APP_USER_NAME);
1186 RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME");
1188 check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
1192 * Set APP privileges. wgt.
1194 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
1198 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
1199 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1200 " Error enabling app permissions. Result: " << result);
1202 result = test_have_all_accesses(rules_wgt);
1203 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1205 result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
1206 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1208 // Check if SMACK label really set
1210 result = smack_new_label_from_self(&label);
1211 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1212 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1213 result = strcmp(WGT_APP_ID, label);
1214 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1217 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1221 * Set APP privileges. wgt_partner.
1223 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner)
1227 result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
1228 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1229 " Error enabling app permissions. Result: " << result);
1231 result = test_have_all_accesses(rules_wgt_partner);
1232 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1234 result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
1235 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1237 // Check if SMACK label really set
1239 result = smack_new_label_from_self(&label);
1240 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1241 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1242 result = strcmp(WGT_PARTNER_APP_ID, label);
1243 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1245 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1249 * Set APP privileges. wgt_platform.
1251 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform)
1255 result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
1256 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1257 " Error enabling app permissions. Result: " << result);
1259 result = test_have_all_accesses(rules_wgt_platform);
1260 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1262 result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
1263 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1265 // Check if SMACK label really set
1267 result = smack_new_label_from_self(&label);
1268 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1269 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1270 result = strcmp(WGT_PLATFORM_APP_ID, label);
1271 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1273 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1277 * Set APP privileges. osp app.
1279 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
1283 result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
1284 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1285 " Error enabling app permissions. Result: " << result);
1287 result = test_have_all_accesses(rules_osp);
1288 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1290 result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
1291 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1293 // Check if SMACK label really set
1295 result = smack_new_label_from_self(&label);
1296 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1297 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1298 result = strcmp(OSP_APP_ID, label);
1299 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1301 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1305 * Set APP privileges. partner osp app.
1307 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner)
1311 result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
1312 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1313 " Error enabling app permissions. Result: " << result);
1315 result = test_have_all_accesses(rules_osp_partner);
1316 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1318 result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
1319 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1321 // Check if SMACK label really set
1323 result = smack_new_label_from_self(&label);
1324 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1325 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1326 result = strcmp(OSP_PARTNER_APP_ID, label);
1327 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1329 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1333 * Set APP privileges. platform osp app.
1335 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform)
1339 result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
1340 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1341 " Error enabling app permissions. Result: " << result);
1343 result = test_have_all_accesses(rules_osp_platform);
1344 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1346 result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
1347 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1349 // Check if SMACK label really set
1351 result = smack_new_label_from_self(&label);
1352 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1353 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1354 result = strcmp(OSP_PLATFORM_APP_ID, label);
1355 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1357 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1361 * Add new API feature
1363 RUNNER_TEST(privilege_control11_add_api_feature)
1367 remove_smack_files();
1370 // argument validation
1371 result = perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
1372 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1374 result = perm_add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0);
1375 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1378 // already existing features
1379 result = perm_add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0);
1380 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1382 result = perm_add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0);
1383 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1385 result = perm_add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging", NULL, NULL, 0);
1386 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1388 result = perm_add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging", NULL, NULL, 0);
1389 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1391 result = perm_add_api_feature(APP_TYPE_OTHER,"http://messaging", NULL, NULL, 0);
1392 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1394 result = perm_add_api_feature(APP_TYPE_OTHER,"messaging.read", NULL, NULL, 0);
1395 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1399 result = perm_add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0);
1400 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1402 result = perm_add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0);
1403 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1405 result = perm_add_api_feature(APP_TYPE_OTHER,"blahblah", NULL, NULL, 0);
1406 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1409 // smack files existence
1410 result = file_exists(OSP_BLAHBLAH);
1411 RUNNER_ASSERT(result == -1);
1413 result = file_exists(WRT_BLAHBLAH);
1414 RUNNER_ASSERT(result == -1);
1416 result = file_exists(OTHER_BLAHBLAH);
1417 RUNNER_ASSERT(result == -1);
1421 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, { NULL }, NULL, 0);
1422 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1423 result = file_exists(OSP_BLAHBLAH);
1424 RUNNER_ASSERT(result == -1);
1426 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "", NULL }, NULL, 0);
1427 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1428 result = file_exists(OSP_BLAHBLAH);
1429 RUNNER_ASSERT(result == 0);
1430 remove_smack_files();
1432 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
1433 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1434 result = file_exists(OSP_BLAHBLAH);
1435 RUNNER_ASSERT(result == 0);
1436 remove_smack_files();
1440 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed", NULL }, NULL, 0);
1441 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1442 result = file_exists(OSP_BLAHBLAH);
1443 RUNNER_ASSERT(result == -1);
1445 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed malformed", NULL }, NULL, 0);
1446 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1447 result = file_exists(OSP_BLAHBLAH);
1448 RUNNER_ASSERT(result == -1);
1450 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "-malformed malformed rwxat", NULL }, NULL, 0);
1451 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1452 result = file_exists(OSP_BLAHBLAH);
1453 RUNNER_ASSERT(result == -1);
1455 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "~/\"\\ malformed rwxat", NULL }, NULL, 0);
1456 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1457 result = file_exists(OSP_BLAHBLAH);
1458 RUNNER_ASSERT(result == -1);
1460 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "subject object rwxat something else", NULL }, NULL, 0);
1461 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1462 result = file_exists(OSP_BLAHBLAH);
1463 RUNNER_ASSERT(result == -1);
1467 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed malformed maaaaaalformed", NULL }, NULL, 0);
1468 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1469 osp_blahblah_check(__LINE__, { "malformed malformed r--a-l ------" });
1470 remove_smack_files();
1472 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "subject object foo", NULL }, NULL, 0);
1473 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1474 osp_blahblah_check(__LINE__, { "subject object ------ ------" });
1475 remove_smack_files();
1477 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {
1478 "subject object\t rwxatl",
1480 "subject2\tobject2 ltxarw",
1484 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1485 osp_blahblah_check(__LINE__, { "subject object rwxatl ------", "subject2 object2 rwxatl ------"});
1486 remove_smack_files();
1488 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {
1489 "Sub::jE,ct object a-RwXL",
1492 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1493 osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa-l ------"});
1494 remove_smack_files();
1496 // TODO For now identical/complementary rules are not merged.
1497 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {
1498 "subject object rwxatl",
1500 "subject object ltxarw",
1504 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1505 osp_blahblah_check(__LINE__, { "subject object rwxatl ------", "subject object rwxatl ------"});
1506 remove_smack_files();
1510 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},0);
1511 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1512 osp_blahblah_check(__LINE__, { "a a ---a-- ------"});
1513 result = file_exists(OSP_BLAHBLAH_DAC);
1514 RUNNER_ASSERT(result == -1);
1515 remove_smack_files();
1519 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},3);
1520 printf("%d \n", result);
1521 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1522 osp_blahblah_check(__LINE__, { "a a ---a-- ------"});
1523 osp_blahblah_dac_check(__LINE__, {0,1,2});
1524 remove_smack_files();
1526 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},1);
1527 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1528 osp_blahblah_check(__LINE__, { "a a ---a-- ------"});
1529 osp_blahblah_dac_check(__LINE__, {0});
1530 remove_smack_files();
1532 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {1,1,1},3);
1533 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1534 osp_blahblah_check(__LINE__, { "a a ---a-- ------"});
1535 osp_blahblah_dac_check(__LINE__, {1,1,1});
1536 remove_smack_files();
1540 * Check perm_app_install function
1542 RUNNER_TEST(privilege_control01_app_install)
1547 unlink(SMACK_RULES_DIR APP_ID);
1549 perm_app_uninstall(APP_ID);
1551 result = perm_app_install(APP_ID);
1552 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1554 // checking if file really exists
1555 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1556 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno));
1559 // try install second time app with the same ID - it should pass.
1560 result = perm_app_install(APP_ID);
1561 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1565 * Check perm_app_install function
1567 RUNNER_TEST(privilege_control07_app_uninstall)
1572 result = perm_app_uninstall(APP_ID);
1573 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1575 // checking if file really exists
1576 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1577 RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after perm_app_uninstall");
1581 void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
1584 result = smack_have_access(av_id, app_id, "rwx");
1585 RUNNER_ASSERT_MSG(result == 1,
1586 "Error while checking " << av_id << " rwx access to "
1587 << app_id << " " << comment << " Result: " << result);
1588 result = smack_have_access(av_id, app_id, "a");
1589 RUNNER_ASSERT_MSG(result == 0,
1590 "Error while checking " << av_id << " a access to "
1591 << app_id << " " << comment << " Result: " << result);
1592 result = smack_have_access(av_id, app_id, "t");
1593 RUNNER_ASSERT_MSG(result == 0,
1594 "Error while checking " << av_id << " t access to "
1595 << app_id << " " << comment << " Result: " << result);
1599 * Check app_register_av function
1600 * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
1602 RUNNER_TEST_SMACK(privilege_control10_app_register_av)
1607 smack_revoke_subject(APP_TEST_AV_1);
1608 smack_revoke_subject(APP_TEST_AV_2);
1610 cleaning_smack_app_files();
1611 cleaning_smack_database_files();
1613 // Adding two apps before antivir
1614 result = perm_app_install(APP_TEST_APP_1);
1615 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1617 result = perm_app_install(APP_TEST_APP_2);
1618 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1621 result = app_register_av(APP_TEST_AV_1);
1622 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
1624 // Checking added apps accesses
1625 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
1626 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
1629 result = perm_app_install(APP_TEST_APP_3);
1630 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1632 // Checking app accesses
1633 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
1634 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
1635 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
1637 // Adding second antivir
1638 result = app_register_av(APP_TEST_AV_2);
1639 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
1641 // Checking app accesses
1642 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1643 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1644 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1645 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1646 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1647 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1650 smack_revoke_subject(APP_TEST_AV_1);
1651 smack_revoke_subject(APP_TEST_AV_2);
1653 cleaning_smack_app_files();
1654 cleaning_smack_database_files();
1658 * Grant SMACK permissions based on permissions list.
1660 RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions)
1663 int smack_file_length;
1667 * Test - Enabling all permissions with persistant mode enabled
1670 result = perm_app_revoke_permissions(APP_ID);
1671 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1672 "Error revoking app permissions. Result: " << result);
1674 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1675 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1676 " Error enabling app permissions. Result: " << result);
1678 // Check if the accesses are realy applied..
1679 result = test_have_all_accesses(rules2);
1680 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1683 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1684 RUNNER_ASSERT_MSG(pFile != NULL,
1685 "SMACK file NOT created!. Errno: " << errno);
1688 fseek(pFile, 0L, SEEK_END);
1689 smack_file_length = ftell(pFile);
1690 RUNNER_ASSERT_MSG(smack_file_length > 0,
1691 "SMACK file empty with persistant mode 1. Errno: " << errno);
1697 result = perm_app_revoke_permissions(APP_ID);
1698 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1699 "Error revoking app permissions. Result: " << result);
1702 * Test - Enabling all permissions with persistant mode disabled
1705 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0);
1706 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1707 " Error enabling app permissions. Result: " << result);
1709 // Check if the accesses are realy applied..
1710 result = test_have_all_accesses(rules2);
1711 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1714 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1715 RUNNER_ASSERT_MSG(pFile != NULL,
1716 "SMACK file NOT created!. Errno: " << errno);
1719 fseek(pFile, 0L, SEEK_END);
1720 smack_file_length = ftell(pFile);
1721 RUNNER_ASSERT_MSG(smack_file_length == 0,
1722 "SMACK file not empty with persistant mode 0. Errno: " << errno);
1728 result = perm_app_revoke_permissions(APP_ID);
1729 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1730 "Error revoking app permissions. Result: " << result);
1733 * Test - Enabling all permissions in two complementary files
1736 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1);
1737 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1738 " Error enabling app permissions. Result: " << result);
1740 // Check if the accesses are realy applied..
1741 result = test_have_all_accesses(rules2);
1742 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1745 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1746 RUNNER_ASSERT_MSG(pFile != NULL,
1747 "SMACK file NOT created!. Errno: " << errno);
1750 fseek(pFile, 0L, SEEK_END);
1751 smack_file_length = ftell(pFile);
1752 RUNNER_ASSERT_MSG(smack_file_length > 0,
1753 "SMACK file empty with persistant mode 1. Errno: " << errno);
1759 result = perm_app_revoke_permissions(APP_ID);
1760 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1761 "Error revoking app permissions. Result: " << result);
1764 * Test - Enabling some permissions and then enabling complementary permissions
1767 // Enable permission for rules 2 no r
1768 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1769 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1770 " Error enabling app permissions without r. Result: " << result);
1772 // Check if the accesses are realy applied..
1773 result = test_have_all_accesses(rules2_no_r);
1774 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
1777 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1778 RUNNER_ASSERT_MSG(pFile != NULL,
1779 "SMACK file NOT created!. Errno: " << errno);
1782 fseek(pFile, 0L, SEEK_END);
1783 smack_file_length = ftell(pFile);
1784 RUNNER_ASSERT_MSG(smack_file_length > 0,
1785 "SMACK file empty with persistant mode 1. Errno: " << errno);
1790 // Enable permission for rules 2
1791 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1792 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1793 " Error enabling app all permissions. Result: " << result);
1795 // Check if the accesses are realy applied..
1796 result = test_have_all_accesses(rules2);
1797 RUNNER_ASSERT_MSG(result == 1, "Permissions all not added.");
1800 result = perm_app_revoke_permissions(APP_ID);
1801 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1802 "Error revoking app permissions. Result: " << result);
1805 * Test - Enabling some permissions and then enabling all permissions
1808 // Enable permission for rules 2 no r
1809 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1810 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1811 " Error enabling app permissions without r. Result: " << result);
1813 // Check if the accesses are realy applied..
1814 result = test_have_all_accesses(rules2_no_r);
1815 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
1818 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1819 RUNNER_ASSERT_MSG(pFile != NULL,
1820 "SMACK file NOT created!. Errno: " << errno);
1823 fseek(pFile, 0L, SEEK_END);
1824 smack_file_length = ftell(pFile);
1825 RUNNER_ASSERT_MSG(smack_file_length > 0,
1826 "SMACK file empty with persistant mode 1. Errno: " << errno);
1831 // Enable permission for rules 2
1832 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1);
1833 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1834 " Error enabling app permissions with only r. Result: " << result);
1836 // Check if the accesses are realy applied..
1837 result = test_have_all_accesses(rules2);
1838 RUNNER_ASSERT_MSG(result == 1, "Permissions with only r not added.");
1841 result = perm_app_revoke_permissions(APP_ID);
1842 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1843 "Error revoking app permissions. Result: " << result);
1846 RUNNER_CHILD_TEST(privilege_control11_app_enable_permissions_efl)
1849 const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL };
1851 result = perm_app_install("EFL_APP");
1852 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1853 "perm_app_install failed: " << result);
1855 result = perm_app_enable_permissions("EFL_APP", APP_TYPE_EFL, PRIVS_EFL, 0);
1856 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1857 "Error enabling app permissions. Result: " << result);
1859 RUNNER_ASSERT_MSG( smack_have_access("EFL_APP","test_book_efl", "r"),
1860 "SMACK accesses not granted for EFL_APP");
1862 (void)perm_app_uninstall("EFL_APP");
1867 * Until perm_app_disable_permissions is not fixed this test should remain
1871 * Remove previously granted SMACK permissions based on permissions list.
1873 /*RUNNER_TEST(privilege_control12_app_disable_permissions)
1877 * Test - disable all granted permissions.
1881 // Prepare permissions that we want to disable
1882 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1883 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1884 " Error enabling app permissions. Result: " << result);
1886 // Disable permissions
1887 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1888 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1889 "Error disabling app permissions. Result: " << result);
1891 // Are all the permissions disabled?
1892 result = test_have_any_accesses(rules2);
1893 RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
1896 * Test - disable some granted permissions leaving non complementary and then disabling those too.
1899 // Prepare permissions that will not be disabled
1900 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
1901 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1902 " Error adding app first permissions. Result: " << result);
1904 // Prepare permissions that we want to disable
1905 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1906 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1907 " Error adding app second permissions. Result: " << result);
1909 // Disable second permissions
1910 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1911 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1912 "Error disabling app second permissions. Result: " << result);
1914 // Are all second permissions disabled?
1915 result = test_have_any_accesses(rules2);
1916 RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
1918 // Are all first permissions not disabled?
1919 result = test_have_all_accesses(rules);
1920 RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
1922 // Disable first permissions
1923 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS);
1924 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1925 "Error disabling app first permissions. Result: " << result);
1927 // Are all second permissions disabled?
1928 result = test_have_any_accesses(rules);
1929 RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
1932 * Test - disable only no r granted permissions.
1935 // Prepare permissions
1936 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1937 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1938 " Error adding app permissions. Result: " << result);
1940 // Disable same permissions without r
1941 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R);
1942 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1943 "Error disabling app no r permissions. Result: " << result);
1945 // Is any r permissions disabled?
1946 result = test_have_all_accesses(rules2_r);
1947 RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
1948 // Are all no r permissions disabled?
1949 result = test_have_any_accesses(rules2_no_r);
1950 RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
1952 // Prepare permissions
1953 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1954 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1955 " Error adding app no r permissions. Result: " << result);
1957 // Disable all permissions
1958 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1959 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1960 "Error disabling app permissions. Result: " << result);
1964 * Reset SMACK permissions for an application by revoking all previously
1965 * granted rules and enabling them again from a rules file from disk.
1968 RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions)
1973 * Test - doing reset and checking if rules exist again.
1976 // Prepare permissions to reset
1977 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1978 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1979 " Error adding app permissions. Result: " << result);
1981 // Reset permissions
1982 result = perm_app_reset_permissions(APP_ID);
1983 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1984 "Error reseting app permissions. Result: " << result);
1986 // Are all second permissions not disabled?
1987 result = test_have_all_accesses(rules2);
1988 RUNNER_ASSERT_MSG(result == 1, "Not all permissions added.");
1990 // Disable permissions
1991 result = perm_app_revoke_permissions(APP_ID);
1992 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1993 "Error disabling app permissions. Result: " << result);
1997 * Make two applications "friends", by giving them both full permissions on
2000 RUNNER_TEST_SMACK(privilege_control14_app_add_friend)
2005 * Test - making friends with no permissions on each other
2008 result = perm_app_revoke_permissions(APP_FRIEND_1);
2009 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2010 "Error revoking app permissions. Result: " << result);
2011 result = perm_app_revoke_permissions(APP_FRIEND_2);
2012 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2013 "Error revoking app permissions. Result: " << result);
2015 perm_app_uninstall(APP_FRIEND_1);
2016 perm_app_uninstall(APP_FRIEND_2);
2018 // Installing friends to be
2019 result = perm_app_install(APP_FRIEND_1);
2020 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2021 " Error installing first app. Result: " << result);
2022 result = perm_app_install(APP_FRIEND_2);
2023 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2024 " Error installing second app. Result: " << result);
2027 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2028 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2029 " Error making friends. Errno: " << result);
2031 // Checking if friends were made
2032 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
2033 RUNNER_ASSERT_MSG(result == 1,
2034 " Error first one sided friednship failed. Result: " << result);
2035 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
2036 RUNNER_ASSERT_MSG(result == 1,
2037 " Error second one sided friednship failed. Result: " << result);
2040 result = perm_app_revoke_permissions(APP_FRIEND_1);
2041 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2042 "Error revoking app permissions. Result: " << result);
2043 result = perm_app_revoke_permissions(APP_FRIEND_2);
2044 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2045 "Error revoking app permissions. Result: " << result);
2047 perm_app_uninstall(APP_FRIEND_1);
2048 perm_app_uninstall(APP_FRIEND_2);
2051 * Test - making friends with nonexisting friend
2054 // Installing one friend
2055 result = perm_app_install(APP_FRIEND_1);
2056 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2057 " Error installing first app. Errno: " << result);
2059 // Adding imaginairy friend as second
2060 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2061 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2062 " Error making friends (first) with imaginairy friend failed. Result: "
2064 // Adding imaginairy friend as first
2065 result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
2066 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2067 " Error making friends (second) with imaginairy friend failed. Result: "
2070 result = perm_app_revoke_permissions(APP_FRIEND_1);
2071 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2072 "Error revoking app permissions. Result: " << result);
2073 result = perm_app_revoke_permissions(APP_FRIEND_2);
2074 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2075 "Error revoking app permissions. Result: " << result);
2077 perm_app_uninstall(APP_FRIEND_1);
2078 perm_app_uninstall(APP_FRIEND_2);
2081 * Test - making friends with some permissions already added
2086 struct smack_accesses *rulesFriend = NULL;
2088 std::vector<std::string> accessesFriend =
2089 { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
2091 // Installing friends to be
2092 result = perm_app_install(APP_FRIEND_1);
2093 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2094 " Error installing first app. Result: " << result);
2095 result = perm_app_install(APP_FRIEND_2);
2096 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2097 " Error installing second app. Result: " << result);
2099 for (i = 0; i < accessesFriend.size(); ++i)
2101 for (j = 0; j < accessesFriend.size(); ++j)
2103 // Adding rules before making friends
2104 result = smack_accesses_new(&rulesFriend);
2105 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2106 "Error in smack_accesses_new. Result: " << result);
2108 result = smack_accesses_add(rulesFriend,
2109 APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
2110 RUNNER_ASSERT_MSG(result == 0,
2111 "Unable to add modify rulesFirend (first). Result: " << result);
2112 result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
2113 APP_FRIEND_1, accessesFriend[j].c_str());
2114 RUNNER_ASSERT_MSG(result == 0,
2115 "Unable to add modify rulesFirend (second). Result: " << result);
2117 result = smack_accesses_apply(rulesFriend);
2118 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2119 "Error in smack_accesses_apply. Result: " << result);
2122 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2123 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2124 " Error making friends. Result: " << result);
2126 // Checking if friends were made
2127 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
2128 RUNNER_ASSERT_MSG(result == 1,
2129 " Error first one sided friednship failed. Result: " << result);
2130 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
2131 RUNNER_ASSERT_MSG(result == 1,
2132 " Error second one sided friednship failed. Result: " << result);
2134 // Deleting all rules between friends
2135 smack_accesses_add_modify(rulesFriend,
2136 APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
2137 smack_accesses_add_modify(rulesFriend,
2138 APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
2140 result = smack_accesses_apply(rulesFriend);
2142 smack_accesses_free(rulesFriend);
2148 result = perm_app_revoke_permissions(APP_FRIEND_1);
2149 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2150 "Error revoking app permissions. Result: " << result);
2151 result = perm_app_revoke_permissions(APP_FRIEND_2);
2152 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2153 "Error revoking app permissions. Result: " << result);
2155 perm_app_uninstall(APP_FRIEND_1);
2156 perm_app_uninstall(APP_FRIEND_2);
2159 static void smack_set_random_label_based_on_pid_on_self(void)
2162 std::stringstream ss;
2164 ss << "s-" << getpid() << "-" << getppid();
2165 result = smack_set_label_for_self(ss.str().c_str());
2166 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
2167 << ss.str().c_str() << ") failed");
2170 static void smack_unix_sock_server(int sock)
2176 fd = accept(sock, NULL, NULL);
2180 result = smack_new_label_from_self(&smack_label);
2185 RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
2187 result = write(fd, smack_label, strlen(smack_label));
2188 if (result != (int)strlen(smack_label)) {
2192 RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
2198 RUNNER_TEST_SMACK(privilege_control15_app_id_from_socket)
2201 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
2205 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2207 smack_set_random_label_based_on_pid_on_self();
2209 if (!pid) { /* child process, server */
2212 /* Set the process label before creating a socket */
2213 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2214 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
2216 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
2219 RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
2221 result = listen(sock, 1);
2224 RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
2226 smack_unix_sock_server(sock);
2228 /* Change the process label with listening socket */
2229 smack_unix_sock_server(sock);
2232 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2233 /* Now running two concurrent servers.
2234 Test if socket label was unaffected by fork() */
2235 smack_unix_sock_server(sock);
2236 /* Let's give the two servers different labels */
2237 smack_unix_sock_server(sock);
2239 waitpid(pid, NULL, 0);
2241 } else { /* parent process, client */
2242 sleep(1); /* Give server some time to setup listening socket */
2244 for (i = 0; i < 4; ++i) {
2247 char smack_label1[SMACK_LABEL_LEN + 1];
2250 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2251 RUNNER_ASSERT_MSG(sock >= 0,
2252 "socket failed: " << strerror(errno));
2253 result = connect(sock,
2254 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
2257 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
2261 result = read(sock, smack_label1, SMACK_LABEL_LEN);
2265 RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
2267 smack_label1[result] = '\0';
2268 smack_label2 = perm_app_id_from_socket(sock);
2269 if (smack_label2 == NULL) {
2271 RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket failed");
2273 result = strcmp(smack_label1, smack_label2);
2276 RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
2277 << "' != '" << smack_label2 << "-" << random() << "'");
2281 waitpid(pid, NULL, 0);
2285 RUNNER_TEST(privilege_control16_app_setup_path){
2286 const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
2287 const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
2288 const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
2289 const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
2290 const char *label1 = "qwert123456za";
2291 const char *label2 = "trewq654123az";
2293 std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
2298 int fd = creat(path3, S_IRWXU);
2301 fd = creat(path4, S_IRWXU);
2307 RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
2308 RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
2309 labelPtr.reset(label);
2311 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
2313 RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
2314 RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
2315 labelPtr.reset(label);
2317 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2));
2319 RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
2320 labelPtr.reset(label);
2322 RUNNER_ASSERT(labelPtr.get() == NULL);
2325 RUNNER_TEST(privilege_control17_appsettings_privilege)
2327 #define APP_1 "app_1"
2328 #define APP_1_DIR "/tmp/app_1"
2330 #define APP_2 "app_2"
2331 #define APP_2_DIR "/tmp/app_2"
2333 #define APP_TEST "app_test"
2335 #define PRIV_APPSETTING (const char*[]) {"http://tizen.org/privilege/appsetting", NULL}
2338 char *app1_dir_label;
2339 char *app2_dir_label;
2343 (void)perm_app_uninstall(APP_TEST);
2344 (void)perm_app_uninstall(APP_1);
2345 (void)perm_app_uninstall(APP_2);
2347 //install some app 1
2348 ret = perm_app_install(APP_1);
2349 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install." << ret);
2351 mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
2353 //register settings folder for app 1
2354 ret = perm_app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW );
2355 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
2357 //install "app_test" and give it appsettings privilege
2358 ret = perm_app_install(APP_TEST);
2359 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
2362 ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
2364 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
2365 " Error enabling app permissions. Result: " << ret);
2367 //check if "app_test" has an RX access to the app "app_1"
2368 ret = smack_have_access(APP_TEST, APP_1, "rx");
2369 RUNNER_ASSERT_MSG(ret,"access denies");
2372 //check if "app_test" has an RWX access to a folder registered by "app_1"
2373 ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
2374 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2375 ret = smack_have_access(APP_TEST, app1_dir_label, "rwx");
2376 RUNNER_ASSERT_MSG(ret,"access denies");
2379 //intstall another app: "app_2"
2380 ret = perm_app_install(APP_2);
2381 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
2383 mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
2384 //register settings folder for that "app_2"
2385 ret = perm_app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW );
2386 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
2388 //check if "app_test" has an RX access to the app "app_2"
2389 ret = smack_have_access(APP_TEST, APP_2, "rx");
2390 RUNNER_ASSERT_MSG(ret,"access denies");
2392 //check if "app_test" has an RWX access to a folder registered by "app_2"
2393 ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS );
2394 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2395 ret = smack_have_access(APP_TEST, app2_dir_label, "rwx");
2396 RUNNER_ASSERT_MSG(ret,"access denies");
2398 free (app1_dir_label);
2399 free (app2_dir_label);
2403 (void)perm_app_uninstall(APP_TEST);
2404 (void)perm_app_uninstall(APP_1);
2405 (void)perm_app_uninstall(APP_2);
2408 RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
2412 cleaning_smack_database_files();
2415 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2416 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2418 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2419 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2421 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
2422 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
2424 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
2425 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2427 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2428 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2430 cleaning_smack_database_files();
2433 RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings)
2437 cleaning_smack_database_files();
2440 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2441 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2443 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2444 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2446 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
2447 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
2449 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir, FTW_MAX_FDS, FTW_PHYS);
2450 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2452 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2453 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2455 cleaning_smack_database_files();
2458 RUNNER_TEST(privilege_control20_early_rules)
2464 char *single_line_format = NULL;
2467 char subject[SMACK_LABEL_LEN + 1];
2468 char object[SMACK_LABEL_LEN + 1];
2469 char rule_add[SMACK_ACC_LEN + 1];
2470 char rule_remove[SMACK_ACC_LEN + 1];
2472 subject[SMACK_LABEL_LEN] = '\0';
2473 object[SMACK_LABEL_LEN] = '\0';
2474 rule_add[SMACK_ACC_LEN] = '\0';
2475 rule_remove[SMACK_ACC_LEN] = '\0';
2477 unlink(SMACK_RULES_DIR APP_ID);
2479 perm_app_uninstall(APP_ID);
2481 result = perm_app_install(APP_ID);
2482 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
2483 result = perm_app_install(APP_TEST_APP_1);
2484 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
2486 // checking if file really exists
2487 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
2489 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno));
2492 result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm, 1);
2493 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
2494 result = perm_app_enable_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm, 1);
2495 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
2497 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2498 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2500 result = asprintf(&single_line_format, "%%%ds %%%ds %%%ds %%%ds\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN, SMACK_ACC_LEN, SMACK_ACC_LEN);
2502 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2503 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2504 pass_1 = 1; // Found rule for APP_ID
2507 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2508 pass_2 = 1; // Found rule for APP_TEST_APP_1
2515 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " not found");
2516 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
2518 // Checking if "early rule" for APP_ID was really removed
2519 // We also should make sure that "early rules" for other apps wasn't removed
2520 result = perm_app_uninstall(APP_ID);
2521 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
2525 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2526 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2528 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2529 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2530 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
2533 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2534 pass_2 = 1; // Found rule for APP_TEST_APP_1
2541 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
2542 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
2544 // Removing and checking "early rule" for APP_TEST_APP_1
2545 result = perm_app_uninstall(APP_TEST_APP_1);
2546 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
2550 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2551 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2553 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2554 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2555 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
2558 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2559 pass_2 = 0; // Found rule for APP_TEST_APP_1 - it should NOT be here
2563 free(single_line_format);
2566 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
2567 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
2570 RUNNER_TEST_SMACK(privilege_control24a_test_whether_macro_works_smack)
2572 RUNNER_IGNORED_MSG("STUB: I should be called on SMACK environment only.");
2575 RUNNER_TEST_NOSMACK(privilege_control24b_test_whether_macro_works_nosmack)
2577 RUNNER_IGNORED_MSG("STUB: I should be called on NOSMACK environment only.");
2580 RUNNER_CHILD_TEST_SMACK(privilege_control24c_test_whether_macro_works_child_smack)
2582 //Until a fix for RUNNER_IGNORED_MSG comes up to wrt-commons, this must be commented out.
2583 //RUNNER_IGNORED_MSG("STUB: I should be called on SMACK environment only.");
2586 RUNNER_CHILD_TEST_NOSMACK(privilege_control24d_test_whether_macro_works_child_nosmack)
2588 //Until a fix for RUNNER_IGNORED_MSG comes up to wrt-commons, this must be commented out.
2589 //RUNNER_IGNORED_MSG("STUB: I should be called on NOSMACK environment only.");
projects / platform / core / test / security-tests.git / blob