2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runner
35 #include <sys/types.h>
38 #include <sys/socket.h>
40 #include <sys/smack.h>
42 #include <privilege-control.h>
43 #include <dpl/test/test_runner.h>
44 #include <dpl/test/test_runner_child.h>
45 #include <dpl/test/test_runner_multiprocess.h>
46 #include <dpl/log/log.h>
47 #include <tests_common.h>
48 #include <libprivilege-control_test_common.h>
52 #define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
54 #define EFL_APP_ID "EFL_APP_ID"
56 #define EARLY_RULE_SUBJECT "livebox.web-provider"
57 #define EARLY_RULE_RIGHTS "rwx---"
59 #define SMACK_ACC_LEN 6
62 #define APP_1_DIR "/tmp/app_1"
65 #define APP_2_DIR "/tmp/app_2"
67 #define APP_TEST "app_test"
69 #define APP_NPRUNTIME "app_np_test"
70 #define APP_NPRUNTIME_FILE "/etc/smack/test_privilege_control_DIR/app_dir/exec"
74 const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
75 const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
76 const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
77 const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL };
79 std::vector<std::string> gen_names(std::string prefix, std::string suffix, size_t size)
81 std::vector<std::string> names;
82 for(size_t i = 0; i < size; ++i) {
83 names.push_back(prefix + "_" + std::to_string(i) + suffix);
88 const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
89 const char *WRT_BLAHBLAH ="/usr/share/privilege-control/WGT_blahblah.smack";
90 const char *OTHER_BLAHBLAH ="/usr/share/privilege-control/blahblah.smack";
91 const std::vector<std::string> OSP_BLAHBLAH_DAC = gen_names("/usr/share/privilege-control/OSP_feature.blah.blahblah", ".dac", 16);
92 const char *WRT_BLAHBLAH_DAC ="/usr/share/privilege-control/WGT_blahblah.dac";
93 const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
94 const std::vector<std::string> BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16);
96 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
97 int /*typeflag*/, struct FTW* /*ftwbuf*/)
103 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
104 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
105 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
106 result = strcmp(APPID_SHARED_DIR, label);
107 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
109 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl");
110 RUNNER_ASSERT_MSG(result == 1,
111 "Error rwxatl access was not given shared dir. Subject: " <<
112 APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
114 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
115 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
116 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
119 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
120 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
121 if (S_ISDIR(sb->st_mode)) {
122 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
123 result = strcmp("TRUE", label);
124 RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
126 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
131 int check_labels_dir(const char *fpath, const struct stat *sb,
132 const char *labels_db_path, const char *dir_db_path,
138 char *scanf_label_format;
139 char label_temp[SMACK_LABEL_LEN + 1];
143 result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
144 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
145 RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
148 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
151 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
156 RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
160 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
164 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
166 if (S_ISDIR(sb->st_mode)) {
170 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
172 result = strcmp("TRUE", label);
176 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
178 } else if (label != NULL) {
181 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
186 if (0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)) {
188 RUNNER_ASSERT_MSG(false, "asprintf failed");
191 file_db = fopen(labels_db_path, "r");
192 if (file_db == NULL) {
194 free(scanf_label_format);
195 RUNNER_ASSERT_MSG(false, "Can not open database for apps");
197 while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
198 result = smack_have_access(label_temp, label_gen, access);
202 free(scanf_label_format);
203 RUNNER_ASSERT_MSG(false,
204 "Error " << access << " access was not given for subject: "
205 << label_temp << ". Result: " << result);
210 file_db = fopen(dir_db_path, "r");
211 if (file_db == NULL) {
213 free(scanf_label_format);
214 RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
217 free(scanf_label_format);
224 void osp_blahblah_check(int line_no, const std::vector<std::string> &rules)
226 std::ifstream smack_file(OSP_BLAHBLAH);
227 RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
229 auto it = rules.begin();
231 while (std::getline(smack_file,line)) {
232 RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
233 RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
237 RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
242 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids, std::string dac_file_path)
244 std::ifstream dac_file(dac_file_path);
245 RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << dac_file_path);
247 auto it = gids.begin();
249 while (std::getline(dac_file,line)) {
250 std::istringstream is(line);
253 RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
254 RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
258 RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
263 void remove_smack_files()
266 unlink(OSP_BLAHBLAH);
267 unlink(WRT_BLAHBLAH);
268 unlink(OTHER_BLAHBLAH);
269 unlink(WRT_BLAHBLAH_DAC);
270 unlink(OTHER_BLAHBLAH_DAC);
272 for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
273 unlink(OSP_BLAHBLAH_DAC[i].c_str());
275 for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
276 unlink(OSP_BLAHBLAH_DAC[i].c_str());
281 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
284 * Test setting labels for all files and folders in given path.
286 RUNNER_TEST(privilege_control02_app_label_dir)
290 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
291 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
293 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
294 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
296 result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
297 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
299 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
300 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
302 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
303 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
306 RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir)
312 result = perm_app_install(APP_ID);
313 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
315 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
316 RUNNER_ASSERT_MSG(result != 0, "perm_app_setup_path(APP_ID, APP_ID) didn't fail");
318 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
319 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
321 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
322 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
324 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
325 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
329 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
330 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
332 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
333 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
335 result = perm_app_uninstall(APP_ID);
336 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
340 * Simple enabling EFL permissions;.
342 RUNNER_TEST_SMACK(privilege_control04_add_permissions)
347 result = perm_app_uninstall(APP_ID);
348 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
350 result = perm_app_install(APP_ID);
351 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
354 result = perm_app_enable_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL, TRUE);
355 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
356 " perm_app_enable_permissions failed with result: " << result);
360 // Check if the accesses are realy applied..
361 result = test_have_all_accesses(rules_efl);
362 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
364 result = perm_app_uninstall(APP_ID);
365 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
369 * Revoke permissions from the list. Should be executed as privileged user.
371 RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
378 result = perm_app_uninstall(WGT_APP_ID);
379 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
380 result = perm_app_uninstall(WGT_PARTNER_APP_ID);
381 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
382 result = perm_app_uninstall(WGT_PLATFORM_APP_ID);
383 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
384 result = perm_app_uninstall(OSP_APP_ID);
385 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
386 result = perm_app_uninstall(OSP_PARTNER_APP_ID);
387 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
388 result = perm_app_uninstall(OSP_PLATFORM_APP_ID);
389 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
391 // Close transaction to commit uninstallation before further actions
397 result = perm_app_install(WGT_APP_ID);
398 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
399 result = perm_app_install(WGT_PARTNER_APP_ID);
400 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
401 result = perm_app_install(WGT_PLATFORM_APP_ID);
402 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
403 result = perm_app_install(OSP_APP_ID);
404 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
405 result = perm_app_install(OSP_PARTNER_APP_ID);
406 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
407 result = perm_app_install(OSP_PLATFORM_APP_ID);
408 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
410 // Close transaction to commit installation before further actions
416 // Revoke permissions
417 result = perm_app_revoke_permissions(WGT_APP_ID);
418 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
419 "Error revoking app permissions. Result: " << result);
420 result = perm_app_revoke_permissions(WGT_PARTNER_APP_ID);
421 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
422 "Error revoking app permissions. Result: " << result);
423 result = perm_app_revoke_permissions(WGT_PLATFORM_APP_ID);
424 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
425 "Error revoking app permissions. Result: " << result);
426 result = perm_app_revoke_permissions(OSP_APP_ID);
427 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
428 "Error revoking app permissions. Result: " << result);
429 result = perm_app_revoke_permissions(OSP_PARTNER_APP_ID);
430 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
431 "Error revoking app permissions. Result: " << result);
432 result = perm_app_revoke_permissions(OSP_PLATFORM_APP_ID);
433 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
434 "Error revoking app permissions. Result: " << result);
438 // Are all the permissions revoked?
439 result = test_have_any_accesses(rules_wgt);
440 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
441 result = test_have_any_accesses(rules_wgt_partner);
442 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
443 result = test_have_any_accesses(rules_wgt_platform);
444 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
445 result = test_have_any_accesses(rules_osp);
446 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
447 result = test_have_any_accesses(rules_osp_partner);
448 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
449 result = test_have_any_accesses(rules_osp_platform);
450 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
454 // Cleanup - uninstall test apps
455 result = perm_app_uninstall(WGT_APP_ID);
456 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
457 result = perm_app_uninstall(WGT_PARTNER_APP_ID);
458 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
459 result = perm_app_uninstall(WGT_PLATFORM_APP_ID);
460 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
461 result = perm_app_uninstall(OSP_APP_ID);
462 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
463 result = perm_app_uninstall(OSP_PARTNER_APP_ID);
464 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
465 result = perm_app_uninstall(OSP_PLATFORM_APP_ID);
466 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
472 void set_app_privilege(int line_no,
473 const char* app_id, app_type_t APP_TYPE,
474 const char** privileges, const char* type,
475 const char* app_path, const char* dac_file,
476 const std::vector< std::vector<std::string> > &rules) {
477 check_app_installed(line_no, app_path);
479 int result = perm_app_uninstall(app_id);
480 RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
481 " perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
485 result = perm_app_install(app_id);
486 RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
487 " perm_app_install returned " << result << ". Errno: " << strerror(errno));
490 result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, 1);
491 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
492 " Error enabling app permissions. Result: " << result);
496 result = test_have_all_accesses(rules);
497 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
499 result = perm_app_set_privilege(app_id, type, app_path);
500 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
501 " Error in perm_app_set_privilege. Error: " << result);
503 // Check if SMACK label really set
505 result = smack_new_label_from_self(&label);
506 RUNNER_ASSERT_MSG(result >= 0, "Line: " << line_no <<
507 " Error getting current process label");
508 RUNNER_ASSERT_MSG(label != NULL, "Line: " << line_no <<
509 " Process label is not set");
510 result = strcmp(app_id, label);
511 RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
512 " Process label " << label << " is incorrect");
514 check_groups(dac_file);
518 * Set APP privileges. wgt.
520 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
522 set_app_privilege(__LINE__,WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
523 LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt);
527 * Set APP privileges. wgt_partner.
529 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner)
531 set_app_privilege(__LINE__, WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT,
532 "wgt_partner", WGT_PARTNER_APP_PATH,
533 LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_partner);
537 * Set APP privileges. wgt_platform.
539 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform)
541 set_app_privilege(__LINE__, WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT,
542 "wgt_platform", WGT_PLATFORM_APP_PATH,
543 LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_platform);
547 * Set APP privileges. osp app.
549 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
551 set_app_privilege(__LINE__, OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, NULL, OSP_APP_PATH,
552 LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
556 * Set APP privileges. partner osp app.
558 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner)
560 set_app_privilege(__LINE__, OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP,
561 NULL, OSP_PARTNER_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_partner);
565 * Set APP privileges. platform osp app.
567 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform)
569 set_app_privilege(__LINE__, OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP,
570 NULL, OSP_PLATFORM_APP_PATH,
571 LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform);
575 * Add new API feature
577 RUNNER_TEST(privilege_control11_add_api_feature)
581 remove_smack_files();
585 // argument validation
586 result = perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
587 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
589 result = perm_add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0);
590 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
593 // Already existing feature:
594 // TODO: Database will be malformed. (Rules for these features will be removed.)
595 result = perm_add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0);
596 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
598 result = perm_add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0);
599 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
602 result = perm_add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0);
603 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
605 result = perm_add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0);
606 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
610 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[0].c_str(), { NULL }, NULL, 0);
611 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
613 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[1].c_str(), (const char*[]) { "", NULL }, NULL, 0);
614 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
616 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[2].c_str(), (const char*[]) { " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
617 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
620 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[3].c_str(), (const char*[]) { "malformed", NULL }, NULL, 0);
621 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
623 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[4].c_str(), (const char*[]) { "malformed malformed", NULL }, NULL, 0);
624 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
626 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[5].c_str(), (const char*[]) { "-malformed malformed rwxat", NULL }, NULL, 0);
627 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
629 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[6].c_str(), (const char*[]) { "~/\"\\ malformed rwxat", NULL }, NULL, 0);
630 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
632 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[7].c_str(), (const char*[]) { "subject object rwxat something else", NULL }, NULL, 0);
633 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
637 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[8].c_str(), (const char*[]) {
638 "~APP~ object\t rwxatl",
640 "subject2\t~APP~ ltxarw",
644 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
646 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[9].c_str(), (const char*[]) {
647 "Sub::jE,ct ~APP~ a-rwxl",
650 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
652 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[10].c_str(), (const char*[]) {
653 "Sub::sjE,ct ~APP~ a-RwXL", // TODO This fails.
656 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
659 // TODO For now identical/complementary rules are not merged.
660 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[11].c_str(), (const char*[]) {
661 "subject1 ~APP~ rwxatl",
663 "subject2 ~APP~ ltxarw",
667 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
672 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[12].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},0);
673 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
674 result = file_exists(OSP_BLAHBLAH_DAC[12].c_str());
675 RUNNER_ASSERT(result == -1);
676 remove_smack_files();
680 result = perm_add_api_feature(APP_TYPE_OSP,BLAHBLAH_FEATURE[13].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},3);
681 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
682 osp_blahblah_dac_check(__LINE__, {0,1,2}, OSP_BLAHBLAH_DAC[13]);
683 remove_smack_files();
685 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[14].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},1);
686 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
687 osp_blahblah_dac_check(__LINE__, {0}, OSP_BLAHBLAH_DAC[14]);
688 remove_smack_files();
690 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[15].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {1,1,1},3);
691 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
692 osp_blahblah_dac_check(__LINE__, {1,1,1},OSP_BLAHBLAH_DAC[15]);
693 remove_smack_files();
697 * Check perm_app_install function
699 RUNNER_TEST(privilege_control01_app_install)
704 perm_app_uninstall(APP_ID);
706 result = perm_app_install(APP_ID);
707 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
709 // try install second time app with the same ID - it should pass.
710 result = perm_app_install(APP_ID);
711 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
715 * Check perm_app_uninstall function
717 RUNNER_TEST(privilege_control07_app_uninstall)
722 result = perm_app_uninstall(APP_ID);
723 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
725 // checking if file really exists
726 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
727 RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after perm_app_uninstall");
732 * Check app_register_av function
733 * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
735 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
736 RUNNER_TEST_SMACK(privilege_control10_app_register_av)
738 RUNNER_IGNORED_MSG("app_register_av is not implemented");
742 smack_revoke_subject(APP_TEST_AV_1);
743 smack_revoke_subject(APP_TEST_AV_2);
745 cleaning_smack_app_files();
749 // Adding two apps before antivir
750 result = perm_app_install(APP_TEST_APP_1);
751 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
753 result = perm_app_install(APP_TEST_APP_2);
754 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
757 result = app_register_av(APP_TEST_AV_1);
758 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
762 // Checking added apps accesses
763 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
764 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
767 result = perm_app_install(APP_TEST_APP_3);
768 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
770 // Checking app accesses
771 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
772 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
773 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
775 // Adding second antivir
776 result = app_register_av(APP_TEST_AV_2);
777 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
779 // Checking app accesses
780 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
781 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
782 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
783 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
784 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
785 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
788 smack_revoke_subject(APP_TEST_AV_1);
789 smack_revoke_subject(APP_TEST_AV_2);
791 cleaning_smack_app_files();
793 #pragma GCC diagnostic warning "-Wdeprecated-declarations"
796 * Grant SMACK permissions based on permissions list.
798 RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions)
802 // Clean up after test:
805 result = perm_app_uninstall(WGT_APP_ID);
806 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
807 result = perm_app_install(WGT_APP_ID);
808 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
811 * Test - Enabling all permissions with persistant mode enabled
813 result = perm_app_revoke_permissions(WGT_APP_ID);
814 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
815 "Error revoking app permissions. Result: " << result);
817 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
818 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
819 " Error enabling app permissions. Result: " << result);
823 // Check if the accesses are realy applied..
824 result = test_have_all_accesses(rules2);
825 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
830 result = perm_app_revoke_permissions(WGT_APP_ID);
831 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
832 "Error revoking app permissions. Result: " << result);
835 * Test - Enabling all permissions with persistant mode disabled
838 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 0);
839 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
840 " Error enabling app permissions. Result: " << result);
844 // Check if the accesses are realy applied..
845 result = test_have_all_accesses(rules2);
846 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
851 result = perm_app_revoke_permissions(WGT_APP_ID);
852 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
853 "Error revoking app permissions. Result: " << result);
856 * Test - Enabling all permissions in two complementary files
859 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, 1);
860 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
861 " Error enabling app permissions. Result: " << result);
865 // Check if the accesses are realy applied..
866 result = test_have_all_accesses(rules2_no_r);
867 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
872 result = perm_app_revoke_permissions(WGT_APP_ID);
873 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
874 "Error revoking app permissions. Result: " << result);
877 * Test - Enabling some permissions and then enabling complementary permissions
880 // Enable permission for rules 2 no r
881 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
882 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
883 " Error enabling app permissions without r. Result: " << result);
887 // Check if the accesses are realy applied..
888 result = test_have_all_accesses(rules2_no_r);
889 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
891 // Enable permission for rules 2
892 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
893 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
894 " Error enabling app all permissions. Result: " << result);
896 // Check if the accesses are realy applied..
897 result = test_have_all_accesses(rules2);
898 RUNNER_ASSERT_MSG(result == 1, "Permissions all not added.");
903 result = perm_app_revoke_permissions(WGT_APP_ID);
904 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
905 "Error revoking app permissions. Result: " << result);
908 * Test - Enabling some permissions and then enabling all permissions
911 // Enable permission for rules 2 no r
912 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
913 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
914 " Error enabling app permissions without r. Result: " << result);
918 // Check if the accesses are realy applied..
919 result = test_have_all_accesses(rules2_no_r);
920 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
922 // Enable permission for rules 2
923 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, 1);
924 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
925 " Error enabling app permissions with only r. Result: " << result);
927 // Check if the accesses are realy applied..
928 result = test_have_all_accesses(rules2_r);
929 RUNNER_ASSERT_MSG(result == 1, "Permissions with only r not added.");
934 result = perm_app_revoke_permissions(WGT_APP_ID);
935 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
936 "Error revoking app permissions. Result: " << result);
940 // Clean up after test:
941 result = perm_app_uninstall(WGT_APP_ID);
942 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
947 RUNNER_CHILD_TEST(privilege_control11_app_enable_permissions_efl)
954 result = perm_app_uninstall(EFL_APP_ID);
955 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
956 "perm_app_uninstall failed: " << result);
957 result = perm_app_install(EFL_APP_ID);
958 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
959 "perm_app_install failed: " << result);
961 // Enable a permission:
962 result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, 0);
963 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
964 "Error enabling app permissions. Result: " << result);
968 RUNNER_ASSERT_MSG(smack_have_access(EFL_APP_ID,"test_book_efl", "r"),
969 "SMACK accesses not granted for EFL_APP");
972 result = perm_app_uninstall(EFL_APP_ID);
973 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
974 "perm_app_uninstall failed: " << result);
978 * Check perm_app_install function
980 RUNNER_CHILD_TEST(privilege_control12_app_disable_permissions_efl)
987 result = perm_app_uninstall(EFL_APP_ID);
988 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
989 "perm_app_uninstall failed: " << result);
991 result = perm_app_install(EFL_APP_ID);
992 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
993 "perm_app_install failed: " << result);
995 // Enable a permission
996 result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, 0);
997 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
998 "Error enabling app permissions. Result: " << result);
1002 RUNNER_ASSERT_MSG(smack_have_access(EFL_APP_ID,"test_book_efl", "r"),
1003 "SMACK accesses not granted for EFL_APP");
1005 // Disable a permission
1006 result = perm_app_disable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
1007 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1008 "Error disabling app permissions. Result: " << result);
1010 RUNNER_ASSERT_MSG(!smack_have_access(EFL_APP_ID,"test_book_efl", "r"),
1011 "SMACK accesses not granted for EFL_APP");
1014 result = perm_app_uninstall(EFL_APP_ID);
1015 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1016 "perm_app_uninstall failed: " << result);
1021 * Remove previously granted SMACK permissions based on permissions list.
1023 RUNNER_TEST(privilege_control12_app_disable_permissions)
1030 result = perm_app_uninstall(WGT_APP_ID);
1031 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1032 "perm_app_uninstall failed: " << result);
1034 result = perm_app_install(WGT_APP_ID);
1035 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1036 "perm_app_install failed: " << result);
1038 * Test - disable all granted permissions.
1041 // Prepare permissions that we want to disable
1042 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
1043 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1044 " Error enabling app permissions. Result: " << result);
1048 // Are all the permissions enabled?
1049 result = test_have_any_accesses(rules2);
1050 RUNNER_ASSERT_MSG(result==1, "Not all permisions enabled.");
1052 // Disable permissions
1053 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
1054 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1055 "Error disabling app permissions. Result: " << result);
1057 // Are all the permissions disabled?
1058 result = test_have_any_accesses(rules2);
1059 RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
1062 * Test - disable some granted permissions leaving non complementary and then disabling those too.
1067 // Prepare permissions that will not be disabled
1068 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS, 1);
1069 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1070 " Error adding app first permissions. Result: " << result);
1072 // Prepare permissions that we want to disable
1073 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
1074 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1075 " Error adding app second permissions. Result: " << result);
1077 // Disable second permissions
1078 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
1079 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1080 "Error disabling app second permissions. Result: " << result);
1084 // Are all second permissions disabled?
1085 result = test_have_any_accesses(rules2);
1086 RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
1088 // Are all first permissions not disabled?
1089 result = test_have_all_accesses(rules_wgt2);
1090 RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
1092 // Disable first permissions
1093 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS);
1094 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1095 "Error disabling app first permissions. Result: " << result);
1097 // Are all second permissions disabled?
1098 result = test_have_any_accesses(rules_wgt2);
1099 RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
1102 * Test - disable only no r granted permissions.
1107 // Prepare permissions
1108 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, 1);
1109 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1110 " Error adding app permissions. Result: " << result);
1112 // Disable same permissions without r
1113 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
1114 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1115 "Error disabling app no r permissions. Result: " << result);
1119 // Is any r permissions disabled?
1120 result = test_have_all_accesses(rules2_r);
1121 RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
1122 // Are all no r permissions disabled?
1123 result = test_have_any_accesses(rules2_no_r);
1124 RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
1126 // Prepare permissions
1127 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
1128 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1129 " Error adding app no r permissions. Result: " << result);
1130 result = test_have_any_accesses(rules2_no_r);
1131 RUNNER_ASSERT_MSG(result=1, "Not all no r permissions enabled.");
1133 // Disable all permissions
1134 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
1135 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1136 "Error disabling app permissions. Result: " << result);
1137 result = test_have_any_accesses(rules2_r);
1138 RUNNER_ASSERT_MSG(result!=1, "Not all r permissions disabled.");
1142 // Clean up after test:
1143 result = perm_app_uninstall(WGT_APP_ID);
1144 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1148 * Reset SMACK permissions for an application by revoking all previously
1149 * granted rules and enabling them again from a rules file from disk.
1151 // TODO: This test is incomplete.
1152 RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions)
1157 * Test - doing reset and checking if rules exist again.
1162 result = perm_app_install(WGT_APP_ID);
1163 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1165 // Prepare permissions to reset
1166 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
1167 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1168 " Error adding app permissions. Result: " << result);
1170 // Reset permissions
1171 result = perm_app_reset_permissions(WGT_APP_ID);
1172 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1173 "Error reseting app permissions. Result: " << result);
1177 // Are all second permissions not disabled?
1178 result = test_have_all_accesses(rules2);
1179 RUNNER_ASSERT_MSG(result == 1, "Not all permissions added.");
1183 // Disable permissions
1184 result = perm_app_revoke_permissions(WGT_APP_ID);
1185 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1186 "Error disabling app permissions. Result: " << result);
1188 result = perm_app_uninstall(WGT_APP_ID);
1189 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1195 * Make two applications "friends", by giving them both full permissions on
1198 RUNNER_TEST_SMACK(privilege_control14_app_add_friend)
1200 RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented");
1205 * Test - making friends with no permissions on each other
1208 result = perm_app_revoke_permissions(APP_FRIEND_1);
1209 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1210 "Error revoking app permissions. Result: " << result);
1211 result = perm_app_revoke_permissions(APP_FRIEND_2);
1212 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1213 "Error revoking app permissions. Result: " << result);
1215 perm_app_uninstall(APP_FRIEND_1);
1216 perm_app_uninstall(APP_FRIEND_2);
1218 // Installing friends to be
1219 result = perm_app_install(APP_FRIEND_1);
1220 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1221 " Error installing first app. Result: " << result);
1222 result = perm_app_install(APP_FRIEND_2);
1223 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1224 " Error installing second app. Result: " << result);
1227 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1228 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1229 " Error making friends. Errno: " << result);
1231 // Checking if friends were made
1232 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1233 RUNNER_ASSERT_MSG(result == 1,
1234 " Error first one sided friednship failed. Result: " << result);
1235 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1236 RUNNER_ASSERT_MSG(result == 1,
1237 " Error second one sided friednship failed. Result: " << result);
1240 result = perm_app_revoke_permissions(APP_FRIEND_1);
1241 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1242 "Error revoking app permissions. Result: " << result);
1243 result = perm_app_revoke_permissions(APP_FRIEND_2);
1244 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1245 "Error revoking app permissions. Result: " << result);
1247 perm_app_uninstall(APP_FRIEND_1);
1248 perm_app_uninstall(APP_FRIEND_2);
1251 * Test - making friends with nonexistent friend
1254 // Installing one friend
1255 result = perm_app_install(APP_FRIEND_1);
1256 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1257 " Error installing first app. Errno: " << result);
1259 // Adding imaginary friend as second
1260 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1261 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1262 " Error making friends (first) with imaginairy friend failed. Result: "
1264 // Adding imaginary friend as first
1265 result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
1266 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1267 " Error making friends (second) with imaginairy friend failed. Result: "
1270 result = perm_app_revoke_permissions(APP_FRIEND_1);
1271 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1272 "Error revoking app permissions. Result: " << result);
1273 result = perm_app_revoke_permissions(APP_FRIEND_2);
1274 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1275 "Error revoking app permissions. Result: " << result);
1277 perm_app_uninstall(APP_FRIEND_1);
1278 perm_app_uninstall(APP_FRIEND_2);
1281 * Test - making friends with some permissions already added
1286 struct smack_accesses *rulesFriend = NULL;
1288 std::vector<std::string> accessesFriend =
1289 { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
1291 // Installing friends to be
1292 result = perm_app_install(APP_FRIEND_1);
1293 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1294 " Error installing first app. Result: " << result);
1295 result = perm_app_install(APP_FRIEND_2);
1296 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1297 " Error installing second app. Result: " << result);
1299 for (i = 0; i < accessesFriend.size(); ++i)
1301 for (j = 0; j < accessesFriend.size(); ++j)
1303 // Adding rules before making friends
1304 result = smack_accesses_new(&rulesFriend);
1305 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1306 "Error in smack_accesses_new. Result: " << result);
1308 result = smack_accesses_add(rulesFriend,
1309 APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
1310 RUNNER_ASSERT_MSG(result == 0,
1311 "Unable to add modify rulesFirend (first). Result: " << result);
1312 result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
1313 APP_FRIEND_1, accessesFriend[j].c_str());
1314 RUNNER_ASSERT_MSG(result == 0,
1315 "Unable to add modify rulesFirend (second). Result: " << result);
1317 result = smack_accesses_apply(rulesFriend);
1318 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1319 "Error in smack_accesses_apply. Result: " << result);
1322 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1323 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1324 " Error making friends. Result: " << result);
1326 // Checking if friends were made
1327 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1328 RUNNER_ASSERT_MSG(result == 1,
1329 " Error first one sided friednship failed. Result: " << result);
1330 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1331 RUNNER_ASSERT_MSG(result == 1,
1332 " Error second one sided friednship failed. Result: " << result);
1334 // Deleting all rules between friends
1335 smack_accesses_add_modify(rulesFriend,
1336 APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
1337 smack_accesses_add_modify(rulesFriend,
1338 APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
1340 result = smack_accesses_apply(rulesFriend);
1342 smack_accesses_free(rulesFriend);
1348 result = perm_app_revoke_permissions(APP_FRIEND_1);
1349 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1350 "Error revoking app permissions. Result: " << result);
1351 result = perm_app_revoke_permissions(APP_FRIEND_2);
1352 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1353 "Error revoking app permissions. Result: " << result);
1355 perm_app_uninstall(APP_FRIEND_1);
1356 perm_app_uninstall(APP_FRIEND_2);
1359 static void smack_set_random_label_based_on_pid_on_self(void)
1362 std::stringstream ss;
1364 ss << "s-" << getpid() << "-" << getppid();
1365 result = smack_set_label_for_self(ss.str().c_str());
1366 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
1367 << ss.str().c_str() << ") failed");
1370 static void smack_unix_sock_server(int sock)
1376 fd = accept(sock, NULL, NULL);
1380 result = smack_new_label_from_self(&smack_label);
1385 RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
1387 result = write(fd, smack_label, strlen(smack_label));
1388 if (result != (int)strlen(smack_label)) {
1392 RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
1398 RUNNER_MULTIPROCESS_TEST_SMACK(privilege_control15_app_id_from_socket)
1401 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
1405 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1407 smack_set_random_label_based_on_pid_on_self();
1409 if (!pid) { /* child process, server */
1412 /* Set the process label before creating a socket */
1413 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1414 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
1416 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1419 RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
1421 result = listen(sock, 1);
1424 RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
1426 smack_unix_sock_server(sock);
1428 /* Change the process label with listening socket */
1429 smack_unix_sock_server(sock);
1432 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1433 /* Now running two concurrent servers.
1434 Test if socket label was unaffected by fork() */
1435 smack_unix_sock_server(sock);
1436 /* Let's give the two servers different labels */
1437 smack_unix_sock_server(sock);
1441 } else { /* parent process, client */
1442 sleep(1); /* Give server some time to setup listening socket */
1444 for (i = 0; i < 4; ++i) {
1447 char smack_label1[SMACK_LABEL_LEN + 1];
1450 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1451 RUNNER_ASSERT_MSG(sock >= 0,
1452 "socket failed: " << strerror(errno));
1453 result = connect(sock,
1454 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1457 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
1461 result = read(sock, smack_label1, SMACK_LABEL_LEN);
1465 RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
1467 smack_label1[result] = '\0';
1468 smack_label2 = perm_app_id_from_socket(sock);
1469 if (smack_label2 == NULL) {
1471 RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket failed");
1473 result = strcmp(smack_label1, smack_label2);
1476 RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
1477 << "' != '" << smack_label2 << "-" << random() << "'");
1484 RUNNER_TEST(privilege_control16_app_setup_path){
1485 const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
1486 const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
1487 const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
1488 const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
1489 const char *label1 = "qwert123456za";
1490 const char *label2 = "trewq654123az";
1492 std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
1497 int fd = creat(path3, S_IRWXU);
1500 fd = creat(path4, S_IRWXU);
1506 RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
1507 RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
1508 labelPtr.reset(label);
1510 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
1512 RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
1513 RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
1514 labelPtr.reset(label);
1516 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2));
1518 RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
1519 labelPtr.reset(label);
1521 RUNNER_ASSERT(labelPtr.get() == NULL);
1524 RUNNER_TEST(privilege_control17_appsettings_privilege)
1527 char *app1_dir_label;
1528 char *app2_dir_label;
1531 (void)perm_app_uninstall(APP_TEST);
1532 (void)perm_app_uninstall(APP_1);
1533 (void)perm_app_uninstall(APP_2);
1537 //install some app 1
1538 ret = perm_app_install(APP_1);
1539 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install." << ret);
1541 mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
1543 //register settings folder for app 1
1544 ret = perm_app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW );
1545 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
1547 //install "app_test" and give it appsettings privilege
1548 ret = perm_app_install(APP_TEST);
1549 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
1552 ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
1553 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
1554 " Error enabling app permissions. Result: " << ret);
1558 //check if "app_test" has an RX access to the app "app_1"
1559 ret = smack_have_access(APP_TEST, APP_1, "rx");
1560 RUNNER_ASSERT_MSG(ret,"access denied");
1562 //check if "app_test" has an RWX access to a folder registered by "app_1"
1563 ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
1564 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
1565 ret = smack_have_access(APP_TEST, app1_dir_label, "rwx");
1566 RUNNER_ASSERT_MSG(ret,"access denied to smack label: " << app1_dir_label);
1571 //intstall another app: "app_2"
1572 ret = perm_app_install(APP_2);
1573 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
1575 mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
1576 //register settings folder for that "app_2"
1577 ret = perm_app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW );
1578 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
1582 //check if "app_test" has an RX access to the app "app_2"
1583 ret = smack_have_access(APP_TEST, APP_2, "rx");
1584 RUNNER_ASSERT_MSG(ret,"access denies");
1586 //check if "app_test" has an RWX access to a folder registered by "app_2"
1587 ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS );
1588 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
1589 ret = smack_have_access(APP_TEST, app2_dir_label, "rwx");
1590 RUNNER_ASSERT_MSG(ret,"access denies");
1592 free (app1_dir_label);
1593 free (app2_dir_label);
1599 (void)perm_app_uninstall(APP_TEST);
1600 (void)perm_app_uninstall(APP_1);
1601 (void)perm_app_uninstall(APP_2);
1606 void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) {
1611 result = perm_app_uninstall(APP_ID);
1612 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
1613 " Error in perm_app_uninstall." << result);
1615 result = perm_app_install(APP_ID);
1616 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
1617 " Error in perm_app_install." << result);
1619 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
1620 RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
1621 " Unable to clean up Smack labels in " << TEST_APP_DIR);
1623 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
1624 RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
1625 " Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
1627 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE);
1628 RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
1629 " perm_app_setup_path() failed");
1633 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
1634 RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
1635 " Unable to check Smack labels for non-app dir");
1637 result = perm_app_uninstall(APP_ID);
1638 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
1639 " Error in perm_app_uninstall." << result);
1642 RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
1644 test_app_setup_path(__LINE__, APP_PATH_PUBLIC_RO);
1647 RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings)
1649 test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW);
1652 RUNNER_TEST(privilege_control20_app_setup_path_npruntime)
1655 std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
1656 std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime";
1661 result = perm_app_uninstall(APP_NPRUNTIME);
1662 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
1664 result = perm_app_install(APP_NPRUNTIME);
1665 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install. " << result);
1667 result = perm_app_setup_path(APP_NPRUNTIME, APP_NPRUNTIME_FILE, PERM_APP_PATH_NPRUNTIME);
1668 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path. " << result);
1672 RUNNER_ASSERT(0 == smack_lgetlabel(APP_NPRUNTIME_FILE, &label, SMACK_LABEL_EXEC));
1673 labelPtr.reset(label);
1675 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), nptargetlabel.c_str()));
1677 // test smack accesses
1678 result = smack_have_access(APP_NPRUNTIME, nptargetlabel.c_str(), "rw");
1679 RUNNER_ASSERT_MSG(result == 1,
1680 "Error: subject: " << APP_NPRUNTIME << " has not rw access to object: "
1681 << nptargetlabel.c_str() << ". Result: " << result);
1683 result = smack_have_access(nptargetlabel.c_str(), APP_NPRUNTIME, "rxat");
1684 RUNNER_ASSERT_MSG(result == 1,
1685 "Error: subject: " << nptargetlabel.c_str() << " has not rxat access to object: "
1686 << APP_NPRUNTIME << ". Result: " << result);
1688 result = smack_have_access(nptargetlabel.c_str(), "system::homedir", "rxat");
1689 RUNNER_ASSERT_MSG(result == 1,
1690 "Error: subject: " << nptargetlabel.c_str() << " has not rxat access to object: "
1691 << "system::homedir. Result: " << result);
1693 result = smack_have_access(nptargetlabel.c_str(), "xorg", "rw");
1694 RUNNER_ASSERT_MSG(result == 1,
1695 "Error: subject: " << nptargetlabel.c_str() << " has not rw access to object: "
1696 << "xorg. Result: " << result);
1698 result = perm_app_uninstall(APP_NPRUNTIME);
1699 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
1702 RUNNER_TEST(privilege_control21_early_rules)
1704 RUNNER_IGNORED_MSG("early rules are not implemented");
1710 char *single_line_format = NULL;
1714 char subject[SMACK_LABEL_LEN + 1] = {0};
1715 char object[SMACK_LABEL_LEN + 1] = {0};
1716 char rule_add[SMACK_ACC_LEN + 1] = {0};
1717 char rule_remove[SMACK_ACC_LEN + 1] = {0};
1719 unlink(SMACK_RULES_DIR APP_ID);
1723 perm_app_uninstall(APP_ID);
1725 result = perm_app_install(APP_ID);
1726 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1727 result = perm_app_install(APP_TEST_APP_1);
1728 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1730 // checking if file really exists
1731 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1733 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno));
1736 result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm, 1);
1737 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
1738 result = perm_app_enable_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm, 1);
1739 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
1743 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
1744 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
1746 result = asprintf(&single_line_format, "%%%ds %%%ds %%%ds %%%ds\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN, SMACK_ACC_LEN, SMACK_ACC_LEN);
1748 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
1749 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
1750 pass_1 = 1; // Found rule for APP_ID
1753 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
1754 pass_2 = 1; // Found rule for APP_TEST_APP_1
1761 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " not found");
1762 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
1764 // Checking if "early rule" for APP_ID was really removed
1765 // We also should make sure that "early rules" for other apps wasn't removed
1766 result = perm_app_uninstall(APP_ID);
1767 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1771 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
1772 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
1774 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
1775 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
1776 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
1779 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
1780 pass_2 = 1; // Found rule for APP_TEST_APP_1
1787 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
1788 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
1790 // Removing and checking "early rule" for APP_TEST_APP_1
1791 result = perm_app_uninstall(APP_TEST_APP_1);
1792 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1796 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
1797 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
1799 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
1800 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
1801 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
1804 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
1805 pass_2 = 0; // Found rule for APP_TEST_APP_1 - it should NOT be here
1809 free(single_line_format);
1812 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
1813 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
1817 * AV Privilege test cases.
1819 * Each privilege_control24* test case tests antivirus privileges for each app_type_t, except for
1820 * deprecated APP_TYPE_OTHER type.
1823 int nftw_remove_dir(const char* filename, const struct stat* /*statptr*/, int /*fileflags*/,
1824 struct FTW* /*pfwt*/)
1828 struct stat filestat;
1830 result = stat(filename, &filestat);
1831 RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to get file statistics. Result: "
1832 << result << ", error: " << strerror(errno) << ", file: " << filename);
1834 if(S_ISREG(filestat.st_mode)) {
1835 result = unlink(filename);
1836 RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to unlink file. Result: "
1837 << result << ", error: " << strerror(errno) << ", file: " << filename);
1838 } else if(S_ISDIR(filestat.st_mode)) {
1839 result = rmdir(filename);
1840 RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to remove dir. Result: "
1841 << result << ", error: " << strerror(errno) << ", file: " << filename);
1847 void InstallApp(const char* pkg_id, const char* path, app_path_type_t app_path_type,
1848 const char* shared_label)
1852 result = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP);
1853 RUNNER_ASSERT_MSG(result == 0, "Can't create dir for tests. Result: " << result <<
1854 ", error: " << strerror(errno) << ", app_path_type: " << app_path_type);
1858 result = perm_app_revoke_permissions(pkg_id);
1859 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
1860 << result << ", app_path_type: " << app_path_type);
1861 result = perm_app_uninstall(pkg_id);
1862 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
1863 << result << ", app_path_type: " << app_path_type);
1865 result = perm_app_install(pkg_id);
1866 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
1867 << result << ", app_path_type: " << app_path_type);
1868 result = perm_app_setup_path(pkg_id, path, app_path_type, shared_label);
1869 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_setup_path failed. Result: "
1870 << result << ", app_path_type: " << app_path_type);
1875 void InstallAV(const char* av_id, app_type_t av_type)
1881 result = perm_app_revoke_permissions(av_id);
1882 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
1883 << result << ", av_type: " << av_type);
1884 result = perm_app_uninstall(av_id);
1885 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
1886 << result << ", av_type: " << av_type);
1888 result = perm_app_install(av_id);
1889 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
1890 << result << ", av_type: " << av_type);
1891 result = perm_app_enable_permissions(av_id, av_type, PRIVS_AV, 1);
1892 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "enable_permissions failed. Result: "
1893 << result << ", av_type: " << av_type);
1898 void CheckAVPrivilege(app_type_t av_type, app_path_type_t app_path_type)
1903 result = nftw(APP_TEST_APP_1_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
1904 RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
1905 ", error " << strerror(errno));
1907 result = nftw(APP_TEST_APP_2_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
1908 RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
1909 ", error " << strerror(errno));
1911 result = nftw(APP_TEST_APP_3_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
1912 RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
1913 ", error " << strerror(errno));
1915 InstallApp(APP_TEST_APP_1, APP_TEST_APP_1_DIR, app_path_type, APP_TEST_APP_1_SHARED_LABEL);
1916 InstallAV(APP_TEST_AV_1, av_type);
1917 InstallApp(APP_TEST_APP_2, APP_TEST_APP_2_DIR, app_path_type, APP_TEST_APP_2_SHARED_LABEL);
1918 InstallAV(APP_TEST_AV_2, av_type);
1919 InstallApp(APP_TEST_APP_3, APP_TEST_APP_3_DIR, app_path_type, APP_TEST_APP_3_SHARED_LABEL);
1921 //test - get ACCESS label and check AV privilege
1926 result = smack_lgetlabel(APP_TEST_APP_1_DIR, &tmp, SMACK_LABEL_ACCESS);
1927 RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result
1928 << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
1929 std::string label1(tmp);
1932 result = smack_lgetlabel(APP_TEST_APP_2_DIR, &tmp, SMACK_LABEL_ACCESS);
1933 RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result
1934 << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
1935 std::string label2(tmp);
1938 result = smack_lgetlabel(APP_TEST_APP_3_DIR, &tmp, SMACK_LABEL_ACCESS);
1939 RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result
1940 << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
1941 std::string label3(tmp);
1944 if(app_path_type == APP_PATH_GROUP_RW)
1946 result = label1.compare(APP_TEST_APP_1_SHARED_LABEL);
1947 RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 <<
1948 ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
1949 ", av_type: " << av_type << ", app_path_type: " << app_path_type);
1951 result = label2.compare(APP_TEST_APP_2_SHARED_LABEL);
1952 RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 <<
1953 ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
1954 ", av_type: " << av_type << ", app_path_type: " << app_path_type);
1956 result = label3.compare(APP_TEST_APP_3_SHARED_LABEL);
1957 RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 <<
1958 ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
1959 ", av_type: " << av_type << ", app_path_type: " << app_path_type);
1962 std::stringstream ss;
1967 ss << "APP_TEST_APP_1, line " << __LINE__ <<
1968 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
1969 checkOnlyAvAccess(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
1970 ss.str(std::string());
1972 ss << "APP_TEST_APP_2, line " << __LINE__ <<
1973 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
1974 checkOnlyAvAccess(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
1975 ss.str(std::string());
1977 ss << "APP_TEST_APP_3, line " << __LINE__ <<
1978 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
1979 checkOnlyAvAccess(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
1981 ss << "APP_TEST_APP_1, line " << __LINE__ <<
1982 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
1983 checkOnlyAvAccess(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
1984 ss.str(std::string());
1986 ss << "APP_TEST_APP_2, line " << __LINE__ <<
1987 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
1988 checkOnlyAvAccess(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
1989 ss.str(std::string());
1991 ss << "APP_TEST_APP_3, line " << __LINE__ <<
1992 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
1993 checkOnlyAvAccess(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
1997 ss << "APP_TEST_APP_1, line " << __LINE__ <<
1998 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
1999 checkOnlyAvAccessNosmack(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
2001 ss.str(std::string());
2002 ss << "APP_TEST_APP_2, line " << __LINE__ <<
2003 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
2004 checkOnlyAvAccessNosmack(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
2006 ss.str(std::string());
2007 ss << "APP_TEST_APP_3, line " << __LINE__ <<
2008 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
2009 checkOnlyAvAccessNosmack(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
2011 ss << "APP_TEST_APP_1, line " << __LINE__ <<
2012 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
2013 checkOnlyAvAccessNosmack(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
2015 ss.str(std::string());
2016 ss << "APP_TEST_APP_2, line " << __LINE__ <<
2017 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
2018 checkOnlyAvAccessNosmack(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
2020 ss.str(std::string());
2021 ss << "APP_TEST_APP_3, line " << __LINE__ <<
2022 ", av_type: " << av_type << ", app_path_type: " << app_path_type;
2023 checkOnlyAvAccessNosmack(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
2027 perm_app_revoke_permissions(APP_TEST_AV_1);
2028 perm_app_revoke_permissions(APP_TEST_AV_2);
2029 perm_app_uninstall(APP_TEST_AV_1);
2030 perm_app_uninstall(APP_TEST_AV_2);
2031 perm_app_uninstall(APP_TEST_APP_1);
2032 perm_app_uninstall(APP_TEST_APP_2);
2033 perm_app_uninstall(APP_TEST_APP_3);
2036 RUNNER_TEST(privilege_control24a_av_privilege_group_rw)
2038 CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_GROUP_RW);
2039 CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_GROUP_RW);
2040 CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_GROUP_RW);
2043 RUNNER_TEST(privilege_control24b_av_privilege_settings_rw)
2045 CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_SETTINGS_RW);
2046 CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_SETTINGS_RW);
2047 CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_SETTINGS_RW);
2050 RUNNER_TEST(privilege_control24c_av_privilege_public_ro)
2052 CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_PUBLIC_RO);
2053 CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_PUBLIC_RO);
2054 CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_PUBLIC_RO);