2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runer
33 #include <dpl/test/test_runner.h>
34 #include <dpl/test/test_runner_child.h>
35 #include <dpl/log/log.h>
36 #include <sys/types.h>
39 #include <sys/xattr.h>
40 #include <sys/smack.h>
41 #include <sys/types.h>
42 #include <sys/socket.h>
45 #include <privilege-control.h>
50 #define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/"
51 #define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/WRT"
52 #define SMACK_LOAD2 "/smack/load2"
53 #define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
54 #define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
55 #define APPID_DIR "test_APP_ID_dir"
56 #define APPID_SHARED_DIR "test_APP_ID_shared_dir"
57 #define CANARY_LABEL "tiny_yellow_canary"
59 #define APP_ID "test_APP"
60 #define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
61 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
63 #define WGT_APP_ID "QwCqJ0ttyS"
64 #define WGT_PARTNER_APP_ID "7btsV1Y0sX"
65 #define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
66 #define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
67 #define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
68 #define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
69 #define OSP_APP_ID "uqNfgEjqc7"
70 #define OSP_PARTNER_APP_ID "j4RuPsZrNt"
71 #define OSP_PLATFORM_APP_ID "V5LKqDFBXm"
72 #define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp"
73 #define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner"
74 #define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform"
75 #define EARLY_RULE_SUBJECT "livebox.web-provider"
76 #define EARLY_RULE_RIGHTS "rwx--"
78 const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
79 const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
80 const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
81 const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
82 const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
83 const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
84 const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
86 #define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
87 #define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
88 #define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
89 #define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac"
91 #define APP_TEST_APP_1 "test-application1"
92 #define APP_TEST_APP_2 "test-application_2"
93 #define APP_TEST_APP_3 "test-app-3"
94 #define APP_TEST_AV_1 "test-antivirus1"
95 #define APP_TEST_AV_2 "test-antivirus_2"
96 #define APP_TEST_AV_3 "test-av-3"
98 #define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
99 #define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
100 #define SMACK_PUBLIC_DIRS_DATABASE "/opt/dbspace/.privilege_control_public_dirs.db"
101 #define SMACK_APPS_SETTINGS_LABELS_DATABASE "/opt/dbspace/.privilege_control_app_setting.db"
102 #define SMACK_SETTINGS_DIRS_DATABASE "/opt/dbspace/.privilege_control_setting_dir.db"
104 #define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1"
105 #define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2"
106 #define APP_TEST_AV_ASP1 "test-app-av-asp1"
107 #define APP_TEST_AV_ASP2 "test-app-av-asp2"
109 #define SOCK_PATH "/tmp/test-smack-socket"
113 #define APP_USER_NAME "app"
114 #define APP_HOME_DIR "/opt/home/app"
116 #define APP_FRIEND_1 "app_friend_1"
117 #define APP_FRIEND_2 "app_friend_2"
119 // How many open file descriptors should ftw() function use?
120 #define FTW_MAX_FDS 16
122 // Rules from test_privilege_control_rules.smack
123 const std::vector< std::vector<std::string> > rules = {
124 { APP_ID, "test_book_1", "r" },
125 { APP_ID, "test_book_2", "w" },
126 { APP_ID, "test_book_3", "x" },
127 { APP_ID, "test_book_4", "rw" },
128 { APP_ID, "test_book_5", "rx" },
129 { APP_ID, "test_book_6", "wx" },
130 { APP_ID, "test_book_7", "rwx" },
131 { "test_subject_1", APP_ID, "r" },
132 { "test_subject_2", APP_ID, "w" },
133 { "test_subject_3", APP_ID, "x" },
134 { "test_subject_4", APP_ID, "rw" },
135 { "test_subject_5", APP_ID, "rx" },
136 { "test_subject_6", APP_ID, "wx" },
137 { "test_subject_7", APP_ID, "rwx" },
138 { APP_ID, APPID_SHARED_DIR, "rwxat"}
141 // Rules from test_privilege_control_rules2.smack
142 const std::vector< std::vector<std::string> > rules2 = {
143 { APP_ID, "test_book_8", "r" },
144 { APP_ID, "test_book_9", "w" },
145 { APP_ID, "test_book_10", "x" },
146 { APP_ID, "test_book_11", "rw" },
147 { APP_ID, "test_book_12", "rx" },
148 { APP_ID, "test_book_13", "wx" },
149 { APP_ID, "test_book_14", "rwx" },
150 { APP_ID, "test_book_15", "rwxat" },
151 { "test_subject_8", APP_ID, "r" },
152 { "test_subject_9", APP_ID, "w" },
153 { "test_subject_10", APP_ID, "x" },
154 { "test_subject_11", APP_ID, "rw" },
155 { "test_subject_12", APP_ID, "rx" },
156 { "test_subject_13", APP_ID, "wx" },
157 { "test_subject_14", APP_ID, "rwx" },
158 { "test_subject_15", APP_ID, "rwxat" }
161 // Rules from test_privilege_control_rules_no_r.smack
162 const std::vector< std::vector<std::string> > rules2_no_r = {
163 { APP_ID, "test_book_9", "w" },
164 { APP_ID, "test_book_10", "x" },
165 { APP_ID, "test_book_11", "w" },
166 { APP_ID, "test_book_12", "x" },
167 { APP_ID, "test_book_13", "wx" },
168 { APP_ID, "test_book_14", "wx" },
169 { APP_ID, "test_book_15", "wxat" },
170 { "test_subject_9", APP_ID, "w" },
171 { "test_subject_10", APP_ID, "x" },
172 { "test_subject_11", APP_ID, "w" },
173 { "test_subject_12", APP_ID, "x" },
174 { "test_subject_13", APP_ID, "wx" },
175 { "test_subject_14", APP_ID, "wx" },
176 { "test_subject_15", APP_ID, "wxat" }
179 // Rules from test_privilege_control_rules.smack
180 // minus test_privilege_control_rules_no_r.smack
181 const std::vector< std::vector<std::string> > rules2_r = {
182 { APP_ID, "test_book_8", "r" },
183 { APP_ID, "test_book_11", "r" },
184 { APP_ID, "test_book_12", "r" },
185 { APP_ID, "test_book_14", "r" },
186 { APP_ID, "test_book_15", "r" },
187 { "test_subject_8", APP_ID, "r" },
188 { "test_subject_11", APP_ID, "r" },
189 { "test_subject_12", APP_ID, "r" },
190 { "test_subject_14", APP_ID, "r" },
191 { "test_subject_15", APP_ID, "r" }
194 // Rules from test_privilege_control_rules_wgt.smack for wgt
195 const std::vector< std::vector<std::string> > rules_wgt = {
196 { WGT_APP_ID, "test_book_8", "r" },
197 { WGT_APP_ID, "test_book_9", "w" },
198 { WGT_APP_ID, "test_book_10", "x" },
199 { WGT_APP_ID, "test_book_11", "rw" },
200 { WGT_APP_ID, "test_book_12", "rx" },
201 { WGT_APP_ID, "test_book_13", "wx" },
202 { WGT_APP_ID, "test_book_14", "rwx" },
203 { WGT_APP_ID, "test_book_15", "rwxat" },
204 { "test_subject_8", WGT_APP_ID, "r" },
205 { "test_subject_9", WGT_APP_ID, "w" },
206 { "test_subject_10", WGT_APP_ID, "x" },
207 { "test_subject_11", WGT_APP_ID, "rw" },
208 { "test_subject_12", WGT_APP_ID, "rx" },
209 { "test_subject_13", WGT_APP_ID, "wx" },
210 { "test_subject_14", WGT_APP_ID, "rwx" },
211 { "test_subject_15", WGT_APP_ID, "rwxat" }
214 // Rules from test_privilege_control_rules_wgt.smack for wgt_partner
215 const std::vector< std::vector<std::string> > rules_wgt_partner = {
216 { WGT_PARTNER_APP_ID, "test_book_8", "r" },
217 { WGT_PARTNER_APP_ID, "test_book_9", "w" },
218 { WGT_PARTNER_APP_ID, "test_book_10", "x" },
219 { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
220 { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
221 { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
222 { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
223 { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
224 { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
225 { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
226 { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
227 { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
228 { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
229 { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
230 { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
231 { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }
234 // Rules from test_privilege_control_rules_wgt.smack for wgt_platform
235 const std::vector< std::vector<std::string> > rules_wgt_platform = {
236 { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
237 { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
238 { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
239 { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
240 { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
241 { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
242 { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
243 { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
244 { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
245 { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
246 { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
247 { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
248 { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
249 { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
250 { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
251 { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }
254 // Rules from test_privilege_control_rules_osp.smack for osp
255 const std::vector< std::vector<std::string> > rules_osp = {
256 { OSP_APP_ID, "test_book_8", "r" },
257 { OSP_APP_ID, "test_book_9", "w" },
258 { OSP_APP_ID, "test_book_10", "x" },
259 { OSP_APP_ID, "test_book_11", "rw" },
260 { OSP_APP_ID, "test_book_12", "rx" },
261 { OSP_APP_ID, "test_book_13", "wx" },
262 { OSP_APP_ID, "test_book_14", "rwx" },
263 { OSP_APP_ID, "test_book_15", "rwxat" },
264 { "test_subject_8", OSP_APP_ID, "r" },
265 { "test_subject_9", OSP_APP_ID, "w" },
266 { "test_subject_10", OSP_APP_ID, "x" },
267 { "test_subject_11", OSP_APP_ID, "rw" },
268 { "test_subject_12", OSP_APP_ID, "rx" },
269 { "test_subject_13", OSP_APP_ID, "wx" },
270 { "test_subject_14", OSP_APP_ID, "rwx" },
271 { "test_subject_15", OSP_APP_ID, "rwxat" }
274 // Rules from test_privilege_control_rules_osp.smack for osp_partner
275 const std::vector< std::vector<std::string> > rules_osp_partner = {
276 { OSP_PARTNER_APP_ID, "test_book_8", "r" },
277 { OSP_PARTNER_APP_ID, "test_book_9", "w" },
278 { OSP_PARTNER_APP_ID, "test_book_10", "x" },
279 { OSP_PARTNER_APP_ID, "test_book_11", "rw" },
280 { OSP_PARTNER_APP_ID, "test_book_12", "rx" },
281 { OSP_PARTNER_APP_ID, "test_book_13", "wx" },
282 { OSP_PARTNER_APP_ID, "test_book_14", "rwx" },
283 { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" },
284 { "test_subject_8", OSP_PARTNER_APP_ID, "r" },
285 { "test_subject_9", OSP_PARTNER_APP_ID, "w" },
286 { "test_subject_10", OSP_PARTNER_APP_ID, "x" },
287 { "test_subject_11", OSP_PARTNER_APP_ID, "rw" },
288 { "test_subject_12", OSP_PARTNER_APP_ID, "rx" },
289 { "test_subject_13", OSP_PARTNER_APP_ID, "wx" },
290 { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" },
291 { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" }
294 // Rules from test_privilege_control_rules_osp.smack for osp_platform
295 const std::vector< std::vector<std::string> > rules_osp_platform = {
296 { OSP_PLATFORM_APP_ID, "test_book_8", "r" },
297 { OSP_PLATFORM_APP_ID, "test_book_9", "w" },
298 { OSP_PLATFORM_APP_ID, "test_book_10", "x" },
299 { OSP_PLATFORM_APP_ID, "test_book_11", "rw" },
300 { OSP_PLATFORM_APP_ID, "test_book_12", "rx" },
301 { OSP_PLATFORM_APP_ID, "test_book_13", "wx" },
302 { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" },
303 { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" },
304 { "test_subject_8", OSP_PLATFORM_APP_ID, "r" },
305 { "test_subject_9", OSP_PLATFORM_APP_ID, "w" },
306 { "test_subject_10", OSP_PLATFORM_APP_ID, "x" },
307 { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" },
308 { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" },
309 { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" },
310 { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" },
311 { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }
315 typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
317 const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
318 const char *WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack";
319 const char *OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack";
320 const char *OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac";
321 const char *WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac";
322 const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
323 const char *BLAHBLAH_FEATURE = "http://feature/blah/blahblah";
326 * Check if every rule is true.
327 * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
329 int test_have_all_accesses(const std::vector< std::vector<std::string> > &rules)
332 for (uint i = 0; i < rules.size(); ++i) {
333 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
341 * Check if every rule is true.
342 * @return 1 if ANY rule in SMACK, 0 if
344 int test_have_any_accesses(const std::vector< std::vector<std::string> > &rules)
347 for (uint i = 0; i < rules.size(); ++i) {
348 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
355 int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
356 int /*typeflag*/, struct FTW* /*ftwbuf*/)
358 smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
359 smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
360 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
365 int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
366 int /*typeflag*/, struct FTW* /*ftwbuf*/)
368 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
369 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
370 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
375 int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
376 int /*typeflag*/, struct FTW* /*ftwbuf*/)
382 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
383 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
384 result = strcmp(CANARY_LABEL, label);
385 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
388 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
389 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
390 result = strcmp(CANARY_LABEL, label);
391 RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
394 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
395 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
396 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
401 int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
402 int /*typeflag*/, struct FTW* /*ftwbuf*/)
408 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
409 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
410 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
411 result = strcmp(APPID_DIR, label);
412 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
415 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
416 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
417 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
418 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
419 result = strcmp(APPID_DIR, label);
420 RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
421 } else if (S_ISLNK(sb->st_mode)) {
423 char *target = realpath(fpath, NULL);
424 RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
426 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
427 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
429 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
430 result = strcmp(APPID_DIR, label);
431 RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
434 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
437 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
438 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
439 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
444 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
445 int /*typeflag*/, struct FTW* /*ftwbuf*/)
451 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
452 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
453 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
454 result = strcmp(APPID_SHARED_DIR, label);
455 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
457 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
458 RUNNER_ASSERT_MSG(result == 1,
459 "Error rwxat access was not given shared dir. Subject: " <<
460 APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
462 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
463 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
464 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
467 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
468 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
469 if (S_ISDIR(sb->st_mode)) {
470 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
471 result = strcmp("TRUE", label);
472 RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
474 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
479 int check_labels_dir(const char *fpath, const struct stat *sb,
480 const char *labels_db_path, const char *dir_db_path,
486 char *scanf_label_format;
487 char label_temp[SMACK_LABEL_LEN + 1];
491 result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
492 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
493 RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
496 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
499 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
504 RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
508 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
512 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
514 if (S_ISDIR(sb->st_mode)) {
518 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
520 result = strcmp("TRUE", label);
524 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
526 } else if (label != NULL) {
529 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
534 if (0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)) {
536 RUNNER_ASSERT_MSG(false, "asprintf failed");
539 file_db = fopen(labels_db_path, "r");
540 if (file_db == NULL) {
542 free(scanf_label_format);
543 RUNNER_ASSERT_MSG(false, "Can not open database for apps");
545 while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
546 result = smack_have_access(label_temp, label_gen, access);
550 free(scanf_label_format);
551 RUNNER_ASSERT_MSG(false,
552 "Error " << access << " access was not given for subject: "
553 << label_temp << ". Result: " << result);
558 file_db = fopen(dir_db_path, "r");
559 if (file_db == NULL) {
561 free(scanf_label_format);
562 RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
565 while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
566 if (strcmp(label_gen, label_temp) == 0) {
571 free(scanf_label_format);
575 RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
580 int nftw_check_labels_app_public_dir(const char *fpath, const struct stat *sb,
581 int /*typeflag*/, struct FTW* /*ftwbuf*/)
583 return check_labels_dir(fpath, sb,
584 SMACK_APPS_LABELS_DATABASE,
585 SMACK_PUBLIC_DIRS_DATABASE, "rx");
588 int nftw_check_labels_app_settings_dir(const char *fpath, const struct stat *sb,
589 int /*typeflag*/, struct FTW* /*ftwbuf*/)
591 return check_labels_dir(fpath, sb,
592 SMACK_APPS_SETTINGS_LABELS_DATABASE,
593 SMACK_SETTINGS_DIRS_DATABASE, "rwx");
596 int file_exists(const char *path)
598 FILE *file = fopen(path, "r");
606 void osp_blahblah_check(int line_no, const std::vector<std::string> &rules)
608 std::ifstream smack_file(OSP_BLAHBLAH);
609 RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
611 auto it = rules.begin();
613 while (std::getline(smack_file,line)) {
614 RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
615 RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
619 RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
624 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids)
626 std::ifstream dac_file(OSP_BLAHBLAH_DAC);
627 RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC);
629 auto it = gids.begin();
631 while (std::getline(dac_file,line)) {
632 std::istringstream is(line);
635 RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
636 RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
640 RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
645 void remove_smack_files()
648 unlink(OSP_BLAHBLAH);
649 unlink(WRT_BLAHBLAH);
650 unlink(OTHER_BLAHBLAH);
651 unlink(OSP_BLAHBLAH_DAC);
652 unlink(WRT_BLAHBLAH_DAC);
653 unlink(OTHER_BLAHBLAH_DAC);
656 int cleaning_smack_app_files (void)
658 unlink(SMACK_RULES_DIR APP_TEST_APP_1);
660 unlink(SMACK_RULES_DIR APP_TEST_APP_2);
662 unlink(SMACK_RULES_DIR APP_TEST_APP_3);
664 unlink(SMACK_RULES_DIR APP_TEST_AV_1);
666 unlink(SMACK_RULES_DIR APP_TEST_AV_2);
668 unlink(SMACK_RULES_DIR APP_TEST_AV_3);
673 int cleaning_smack_database_files (void)
678 unlink(SMACK_APPS_LABELS_DATABASE);
679 fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
685 unlink(SMACK_AVS_LABELS_DATABASE);
686 fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
691 //clean app settings database
692 unlink(SMACK_APPS_SETTINGS_LABELS_DATABASE);
693 fd = open(SMACK_APPS_SETTINGS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
698 //clean public dirs database
699 unlink(SMACK_PUBLIC_DIRS_DATABASE);
700 fd = open(SMACK_PUBLIC_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
705 //clean settings dirs database
706 unlink(SMACK_SETTINGS_DIRS_DATABASE);
707 fd = open(SMACK_SETTINGS_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
715 void add_lables_to_db()
719 file_db = fopen(SMACK_AVS_LABELS_DATABASE, "a");
720 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
721 << SMACK_AVS_LABELS_DATABASE << " can not be opened to apend!");
722 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
724 RUNNER_ASSERT_MSG(false, "Error writing to database file");
726 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
728 RUNNER_ASSERT_MSG(false, "Error writing to database file");
732 file_db = fopen(SMACK_APPS_SETTINGS_LABELS_DATABASE, "a");
733 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
734 << SMACK_APPS_SETTINGS_LABELS_DATABASE << " can not be opened to apend!");
735 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
737 RUNNER_ASSERT_MSG(false, "Error writing to database file");
739 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
741 RUNNER_ASSERT_MSG(false, "Error writing to database file");
745 file_db = fopen(SMACK_APPS_LABELS_DATABASE, "a");
746 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
747 << SMACK_APPS_LABELS_DATABASE << " can not be opened to apend!");
748 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
750 RUNNER_ASSERT_MSG(false, "Error writing to database file");
752 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
754 RUNNER_ASSERT_MSG(false, "Error writing to database file");
756 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
758 RUNNER_ASSERT_MSG(false, "Error writing to database file");
760 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
762 RUNNER_ASSERT_MSG(false, "Error writing to database file");
768 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
771 * Test setting labels for all files and folders in given path.
773 RUNNER_TEST(privilege_control02_app_label_dir)
777 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
778 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
780 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
781 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
783 result = app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
784 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
786 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
787 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
789 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
790 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
793 RUNNER_TEST(privilege_control03_app_label_shared_dir)
797 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
798 RUNNER_ASSERT_MSG(result != 0, "app_setup_path(APP_ID, APP_ID) didn't fail");
800 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
801 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
803 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
804 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
806 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
807 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
809 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
810 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
812 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
813 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
817 * Add permisions from test_privilege_control_rules template
819 RUNNER_TEST(privilege_control04_add_permissions)
821 int result = app_add_permissions(APP_ID, PRIVS);
822 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
823 " Error adding app permissions. Result: " << result);
825 // Check if the accesses are realy applied..
826 result = test_have_all_accesses(rules);
827 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
830 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
831 RUNNER_ASSERT_MSG(pFile != NULL,
832 "SMACK file NOT created!. Errno: " << errno);
835 fseek(pFile, 0L, SEEK_END);
836 int smack_file_length = ftell(pFile);
837 RUNNER_ASSERT_MSG(smack_file_length > 0,
838 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
845 * Revoke permissions from the list. Should be executed as privileged user.
847 RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
852 // Revoke permissions
853 result = app_revoke_permissions(APP_ID);
854 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
855 "Error revoking app permissions. Result: " << result);
857 result = app_revoke_permissions(WGT_APP_ID);
858 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
859 "Error revoking app permissions. Result: " << result);
860 result = app_revoke_permissions(WGT_PARTNER_APP_ID);
861 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
862 "Error revoking app permissions. Result: " << result);
863 result = app_revoke_permissions(WGT_PLATFORM_APP_ID);
864 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
865 "Error revoking app permissions. Result: " << result);
867 result = app_revoke_permissions(OSP_APP_ID);
868 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
869 "Error revoking app permissions. Result: " << result);
870 result = app_revoke_permissions(OSP_PARTNER_APP_ID);
871 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
872 "Error revoking app permissions. Result: " << result);
873 result = app_revoke_permissions(OSP_PLATFORM_APP_ID);
874 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
875 "Error revoking app permissions. Result: " << result);
877 // Are all the permissions revoked?
878 result = test_have_any_accesses(rules);
879 RUNNER_ASSERT_MSG(result != 1, "Not all permisions revoked.");
880 result = test_have_any_accesses(rules_wgt);
881 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
882 result = test_have_any_accesses(rules_wgt_partner);
883 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
884 result = test_have_any_accesses(rules_wgt_platform);
885 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
887 result = test_have_any_accesses(rules);
888 RUNNER_ASSERT_MSG(result != 1, "Not all permisions revoked.");
889 result = test_have_any_accesses(rules_osp);
890 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
891 result = test_have_any_accesses(rules_osp_partner);
892 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
893 result = test_have_any_accesses(rules_osp_platform);
894 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
896 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
897 RUNNER_ASSERT_MSG(pFile != NULL,
898 "SMACK file removed!. Errno: " << errno);
900 fseek(pFile, 0L, SEEK_END);
901 int smack_file_length = ftell(pFile);
904 RUNNER_ASSERT_MSG(smack_file_length == 0,
905 "SMACK file not empty.. Errno: " << errno);
907 pFile = fopen(SMACK_RULES_DIR WGT_APP_ID, "rb");
908 RUNNER_ASSERT_MSG(pFile != NULL,
909 "SMACK file removed!. Errno: " << errno);
911 fseek(pFile, 0L, SEEK_END);
912 smack_file_length = ftell(pFile);
915 RUNNER_ASSERT_MSG(smack_file_length == 0,
916 "SMACK file not empty.. Errno: " << errno);
918 pFile = fopen(SMACK_RULES_DIR WGT_PARTNER_APP_ID, "rb");
919 RUNNER_ASSERT_MSG(pFile != NULL,
920 "SMACK file removed!. Errno: " << errno);
922 fseek(pFile, 0L, SEEK_END);
923 smack_file_length = ftell(pFile);
926 RUNNER_ASSERT_MSG(smack_file_length == 0,
927 "SMACK file not empty.. Errno: " << errno);
929 pFile = fopen(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, "rb");
930 RUNNER_ASSERT_MSG(pFile != NULL,
931 "SMACK file removed!. Errno: " << errno);
933 fseek(pFile, 0L, SEEK_END);
934 smack_file_length = ftell(pFile);
937 RUNNER_ASSERT_MSG(smack_file_length == 0,
938 "SMACK file not empty.. Errno: " << errno);
940 pFile = fopen(SMACK_RULES_DIR OSP_APP_ID, "rb");
941 RUNNER_ASSERT_MSG(pFile != NULL,
942 "SMACK file removed!. Errno: " << errno);
944 fseek(pFile, 0L, SEEK_END);
945 smack_file_length = ftell(pFile);
948 RUNNER_ASSERT_MSG(smack_file_length == 0,
949 "SMACK file not empty.. Errno: " << errno);
951 pFile = fopen(SMACK_RULES_DIR OSP_PARTNER_APP_ID, "rb");
952 RUNNER_ASSERT_MSG(pFile != NULL,
953 "SMACK file removed!. Errno: " << errno);
955 fseek(pFile, 0L, SEEK_END);
956 smack_file_length = ftell(pFile);
959 RUNNER_ASSERT_MSG(smack_file_length == 0,
960 "SMACK file not empty.. Errno: " << errno);
962 pFile = fopen(SMACK_RULES_DIR OSP_PLATFORM_APP_ID, "rb");
963 RUNNER_ASSERT_MSG(pFile != NULL,
964 "SMACK file removed!. Errno: " << errno);
966 fseek(pFile, 0L, SEEK_END);
967 smack_file_length = ftell(pFile);
970 RUNNER_ASSERT_MSG(smack_file_length == 0,
971 "SMACK file not empty.. Errno: " << errno);
974 static void read_gids(std::set<unsigned> &set, const char *file_path)
976 FILE *f = fopen(file_path, "r");
977 RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
979 while (fscanf(f, "%u\n", &gid) == 1) {
984 RUNNER_TEST(privilege_control05_add_shared_dir_readers)
986 #define TEST_OBJ "TEST_OBJECT"
987 #define TEST_OBJ_SOME_OTHER "TEST_OBJA"
988 #define test_string_01 "TEST_raz TEST_OBJECT r-x-- -----"
989 #define test_string_21 "TEST_trzy TEST_OBJA -wx--\n"
990 #define test_string_22 "TEST_trzy TEST_OBJECT r-x-- -----\n"
997 const char *app_labels_wrong[] = {"-TEST_raz", NULL};
998 const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
999 const int READ_BUF_SIZE = 1000;
1000 char buf[READ_BUF_SIZE];
1002 struct smack_accesses *rules = NULL;
1004 //test what happens when the label is not correct SMACK label
1005 result = smack_accesses_new(&rules);
1006 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
1008 result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong);
1009 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here");
1011 result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx");
1012 RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here");
1014 smack_accesses_free(rules);
1016 //ok, now the correct list of apps
1017 result = smack_accesses_new(&rules);
1018 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
1020 for (i = 0; i < 3; i++) {
1021 (void)app_uninstall(app_labels[i]);
1022 result = app_install(app_labels[i]);
1023 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in app_install.");
1025 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i]));
1026 fd = open(path, O_WRONLY, 0644);
1027 RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path);
1030 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
1031 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
1034 smack_accesses_free(rules);
1035 result = smack_accesses_new(&rules);
1036 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
1037 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
1039 result = smack_accesses_apply(rules);
1040 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
1042 result = smack_accesses_save(rules, fd);
1043 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
1049 smack_accesses_free(rules);
1051 // THE TEST - accesses
1053 result = add_shared_dir_readers(TEST_OBJ,app_labels);
1054 RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed");
1056 result = smack_have_access(app_labels[0],TEST_OBJ,"rx");
1057 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1059 result = smack_have_access(app_labels[1],TEST_OBJ,"rx");
1060 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1062 result = smack_have_access(app_labels[2],TEST_OBJ,"rx");
1063 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1065 result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt");
1066 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1068 result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx");
1069 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1072 //TEST the operations on empty files
1074 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0]));
1075 file = fopen(path, "r");
1077 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
1079 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1080 result = strcmp(buf, test_string_01);
1081 RUNNER_ASSERT_MSG( result != 0, "add_shared_dir_readers ERROR, file not formatted" << path );
1086 //TEST the operations on non empty files
1087 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2]));
1089 file = fopen(path, "r");
1090 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
1092 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1093 result = strcmp(buf, test_string_21);
1094 RUNNER_ASSERT_MSG( result == 0, "add_shared_dir_readers ERROR, file not formatted" );
1096 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1097 result = strcmp(buf, test_string_22);
1098 RUNNER_ASSERT_MSG( result == 0, "add_shared_dir_readers ERROR, file not formatted" );
1106 * Set APP privileges.
1109 void check_groups(const char *dac_file)
1111 std::set<unsigned> groups_check;
1112 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
1113 read_gids(groups_check, dac_file);
1115 int groups_cnt = getgroups(0, NULL);
1116 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
1117 gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
1118 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
1119 RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
1121 for (int i = 0; i < groups_cnt; ++i) {
1122 //getgroups() can return multiple number of the same group
1123 //they are returned in sequence, so we will given number when last
1124 //element of this number is reached
1125 if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i]))
1127 if (groups_check.erase(groups_list[i]) == 0) {
1128 // getgroups() may also return process' main group
1129 if (groups_list[i] != getgid())
1130 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
1134 std::string groups_left;
1135 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
1136 groups_left.append(std::to_string(*it)).append(" ");
1138 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
1141 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege)
1145 // Preset exec label
1146 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
1147 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
1150 * TODO This test should also verify set_app_privilege behavior for OSP and
1151 * WRT apps. To do that we'll have to install real apps on device as a
1155 // Set APP privileges
1156 result = set_app_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
1157 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1159 // Check if SMACK label really set
1161 result = smack_new_label_from_self(&label);
1162 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1163 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1164 result = strcmp(APP_ID, label);
1165 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1167 // Check if DAC privileges really set
1168 RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
1169 RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
1171 result = strcmp(getenv("HOME"), APP_HOME_DIR);
1172 RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR");
1174 result = strcmp(getenv("USER"), APP_USER_NAME);
1175 RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME");
1177 check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
1181 * Set APP privileges. wgt.
1183 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt)
1187 result = app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
1188 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1189 " Error enabling app permissions. Result: " << result);
1191 result = test_have_all_accesses(rules_wgt);
1192 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1194 result = set_app_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
1195 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1197 // Check if SMACK label really set
1199 result = smack_new_label_from_self(&label);
1200 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1201 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1202 result = strcmp(WGT_APP_ID, label);
1203 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1206 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1210 * Set APP privileges. wgt_partner.
1212 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner)
1216 result = app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
1217 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1218 " Error enabling app permissions. Result: " << result);
1220 result = test_have_all_accesses(rules_wgt_partner);
1221 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1223 result = set_app_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
1224 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1226 // Check if SMACK label really set
1228 result = smack_new_label_from_self(&label);
1229 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1230 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1231 result = strcmp(WGT_PARTNER_APP_ID, label);
1232 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1234 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1238 * Set APP privileges. wgt_platform.
1240 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform)
1244 result = app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
1245 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1246 " Error enabling app permissions. Result: " << result);
1248 result = test_have_all_accesses(rules_wgt_platform);
1249 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1251 result = set_app_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
1252 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1254 // Check if SMACK label really set
1256 result = smack_new_label_from_self(&label);
1257 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1258 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1259 result = strcmp(WGT_PLATFORM_APP_ID, label);
1260 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1262 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1266 * Set APP privileges. osp app.
1268 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp)
1272 result = app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
1273 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1274 " Error enabling app permissions. Result: " << result);
1276 result = test_have_all_accesses(rules_osp);
1277 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1279 result = set_app_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
1280 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1282 // Check if SMACK label really set
1284 result = smack_new_label_from_self(&label);
1285 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1286 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1287 result = strcmp(OSP_APP_ID, label);
1288 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1290 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1294 * Set APP privileges. partner osp app.
1296 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_partner)
1300 result = app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
1301 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1302 " Error enabling app permissions. Result: " << result);
1304 result = test_have_all_accesses(rules_osp_partner);
1305 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1307 result = set_app_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
1308 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1310 // Check if SMACK label really set
1312 result = smack_new_label_from_self(&label);
1313 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1314 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1315 result = strcmp(OSP_PARTNER_APP_ID, label);
1316 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1318 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1322 * Set APP privileges. platform osp app.
1324 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_platform)
1328 result = app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
1329 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1330 " Error enabling app permissions. Result: " << result);
1332 result = test_have_all_accesses(rules_osp_platform);
1333 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1335 result = set_app_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
1336 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1338 // Check if SMACK label really set
1340 result = smack_new_label_from_self(&label);
1341 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1342 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1343 result = strcmp(OSP_PLATFORM_APP_ID, label);
1344 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1346 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1349 RUNNER_TEST(privilege_control08_app_give_access)
1351 const char *subject = "lkjq345v34sfa";
1352 const char *object = "lk9290f92lkjz";
1353 smack_accesses *tmp = NULL;
1355 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
1357 SmackUniquePtr smack(tmp, smack_accesses_free);
1359 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "r--a-"));
1360 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1362 app_give_access(subject, object, "wt");
1364 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwat"));
1365 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1367 app_revoke_access(subject, object);
1369 RUNNER_ASSERT(1 == smack_have_access(subject, object, "ra"));
1370 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
1371 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1372 RUNNER_ASSERT(0 == smack_have_access(subject, object, "t"));
1374 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-"));
1375 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1378 RUNNER_TEST(privilege_control09_app_give_access)
1380 const char *subject = "ljk132flkjv";
1381 const char *object = "jjsiqsc32vs";
1382 smack_accesses *tmp = NULL;
1384 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
1386 SmackUniquePtr smack(tmp, smack_accesses_free);
1388 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "---t-"));
1389 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1391 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rw"));
1392 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rwx"));
1394 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxt"));
1395 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
1397 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_revoke_access(subject, object));
1399 RUNNER_ASSERT(1 == smack_have_access(subject, object, "t"));
1400 RUNNER_ASSERT(0 == smack_have_access(subject, object, "r"));
1401 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
1402 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1403 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
1405 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----"));
1406 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1410 * Add new API feature
1412 RUNNER_TEST(privilege_control11_add_api_feature)
1416 remove_smack_files();
1419 // argument validation
1420 result = add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
1421 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1423 result = add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0);
1424 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1427 // already existing features
1428 result = add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0);
1429 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1431 result = add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0);
1432 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1434 result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging", NULL, NULL, 0);
1435 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1437 result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging", NULL, NULL, 0);
1438 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1440 result = add_api_feature(APP_TYPE_OTHER,"http://messaging", NULL, NULL, 0);
1441 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1443 result = add_api_feature(APP_TYPE_OTHER,"messaging.read", NULL, NULL, 0);
1444 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1448 result = add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0);
1449 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1451 result = add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0);
1452 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1454 result = add_api_feature(APP_TYPE_OTHER,"blahblah", NULL, NULL, 0);
1455 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1458 // smack files existence
1459 result = file_exists(OSP_BLAHBLAH);
1460 RUNNER_ASSERT(result == -1);
1462 result = file_exists(WRT_BLAHBLAH);
1463 RUNNER_ASSERT(result == -1);
1465 result = file_exists(OTHER_BLAHBLAH);
1466 RUNNER_ASSERT(result == -1);
1470 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, { NULL }, NULL, 0);
1471 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1472 result = file_exists(OSP_BLAHBLAH);
1473 RUNNER_ASSERT(result == -1);
1475 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "", NULL }, NULL, 0);
1476 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1477 result = file_exists(OSP_BLAHBLAH);
1478 RUNNER_ASSERT(result == 0);
1479 remove_smack_files();
1481 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
1482 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1483 result = file_exists(OSP_BLAHBLAH);
1484 RUNNER_ASSERT(result == 0);
1485 remove_smack_files();
1489 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed", NULL }, NULL, 0);
1490 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1491 result = file_exists(OSP_BLAHBLAH);
1492 RUNNER_ASSERT(result == -1);
1494 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed malformed", NULL }, NULL, 0);
1495 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1496 result = file_exists(OSP_BLAHBLAH);
1497 RUNNER_ASSERT(result == -1);
1499 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "-malformed malformed rwxat", NULL }, NULL, 0);
1500 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1501 result = file_exists(OSP_BLAHBLAH);
1502 RUNNER_ASSERT(result == -1);
1504 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "~/\"\\ malformed rwxat", NULL }, NULL, 0);
1505 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1506 result = file_exists(OSP_BLAHBLAH);
1507 RUNNER_ASSERT(result == -1);
1509 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "subject object rwxat something else", NULL }, NULL, 0);
1510 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1511 result = file_exists(OSP_BLAHBLAH);
1512 RUNNER_ASSERT(result == -1);
1516 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed malformed maaaaaalformed", NULL }, NULL, 0);
1517 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1518 osp_blahblah_check(__LINE__, { "malformed malformed r--a- -----" });
1519 remove_smack_files();
1521 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "subject object foo", NULL }, NULL, 0);
1522 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1523 osp_blahblah_check(__LINE__, { "subject object ----- -----" });
1524 remove_smack_files();
1526 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {
1527 "subject object\t rwxat",
1529 "subject2\tobject2 txarw",
1533 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1534 osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject2 object2 rwxat -----"});
1535 remove_smack_files();
1537 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {
1538 "Sub::jE,ct object a-RwX",
1541 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1542 osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa- -----"});
1543 remove_smack_files();
1545 // TODO For now identical/complementary rules are not merged.
1546 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {
1547 "subject object rwxat",
1549 "subject object txarw",
1553 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1554 osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject object rwxat -----"});
1555 remove_smack_files();
1559 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},0);
1560 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1561 osp_blahblah_check(__LINE__, { "a a ---a- -----"});
1562 result = file_exists(OSP_BLAHBLAH_DAC);
1563 RUNNER_ASSERT(result == -1);
1564 remove_smack_files();
1568 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},3);
1569 printf("%d \n", result);
1570 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1571 osp_blahblah_check(__LINE__, { "a a ---a- -----"});
1572 osp_blahblah_dac_check(__LINE__, {0,1,2});
1573 remove_smack_files();
1575 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},1);
1576 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1577 osp_blahblah_check(__LINE__, { "a a ---a- -----"});
1578 osp_blahblah_dac_check(__LINE__, {0});
1579 remove_smack_files();
1581 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {1,1,1},3);
1582 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1583 osp_blahblah_check(__LINE__, { "a a ---a- -----"});
1584 osp_blahblah_dac_check(__LINE__, {1,1,1});
1585 remove_smack_files();
1589 * Check app_install function
1591 RUNNER_TEST(privilege_control01_app_install)
1596 unlink(SMACK_RULES_DIR APP_ID);
1598 app_uninstall(APP_ID);
1600 result = app_install(APP_ID);
1601 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno));
1603 // checking if file really exists
1604 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1605 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno));
1608 // try install second time app with the same ID - it should pass.
1609 result = app_install(APP_ID);
1610 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno));
1614 * Check app_install function
1616 RUNNER_TEST(privilege_control07_app_uninstall)
1621 result = app_uninstall(APP_ID);
1622 RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result << ". Errno: " << strerror(errno));
1624 // checking if file really exists
1625 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1626 RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after app_uninstall");
1630 void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
1633 result = smack_have_access(av_id, app_id, "rwx");
1634 RUNNER_ASSERT_MSG(result == 1,
1635 "Error while checking " << av_id << " rwx access to "
1636 << app_id << " " << comment << " Result: " << result);
1637 result = smack_have_access(av_id, app_id, "a");
1638 RUNNER_ASSERT_MSG(result == 0,
1639 "Error while checking " << av_id << " a access to "
1640 << app_id << " " << comment << " Result: " << result);
1641 result = smack_have_access(av_id, app_id, "t");
1642 RUNNER_ASSERT_MSG(result == 0,
1643 "Error while checking " << av_id << " t access to "
1644 << app_id << " " << comment << " Result: " << result);
1648 * Check app_register_av function
1649 * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
1651 RUNNER_TEST(privilege_control10_app_register_av)
1656 smack_revoke_subject(APP_TEST_AV_1);
1657 smack_revoke_subject(APP_TEST_AV_2);
1659 cleaning_smack_app_files();
1660 cleaning_smack_database_files();
1662 // Adding two apps before antivir
1663 result = app_install(APP_TEST_APP_1);
1664 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno));
1666 result = app_install(APP_TEST_APP_2);
1667 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno));
1670 result = app_register_av(APP_TEST_AV_1);
1671 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
1673 // Checking added apps accesses
1674 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
1675 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
1678 result = app_install(APP_TEST_APP_3);
1679 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno));
1681 // Checking app accesses
1682 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_install(APP_TEST_APP_3)");
1683 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_install(APP_TEST_APP_3)");
1684 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_install(APP_TEST_APP_3)");
1686 // Adding second antivir
1687 result = app_register_av(APP_TEST_AV_2);
1688 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
1690 // Checking app accesses
1691 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1692 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1693 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1694 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1695 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1696 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1699 smack_revoke_subject(APP_TEST_AV_1);
1700 smack_revoke_subject(APP_TEST_AV_2);
1702 cleaning_smack_app_files();
1703 cleaning_smack_database_files();
1707 * Grant SMACK permissions based on permissions list.
1709 RUNNER_TEST(privilege_control11_app_enable_permissions)
1712 int smack_file_length;
1716 * Test - Enabling all permissions with persistant mode enabled
1719 result = app_revoke_permissions(APP_ID);
1720 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1721 "Error revoking app permissions. Result: " << result);
1723 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1724 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1725 " Error enabling app permissions. Result: " << result);
1727 // Check if the accesses are realy applied..
1728 result = test_have_all_accesses(rules2);
1729 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1732 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1733 RUNNER_ASSERT_MSG(pFile != NULL,
1734 "SMACK file NOT created!. Errno: " << errno);
1737 fseek(pFile, 0L, SEEK_END);
1738 smack_file_length = ftell(pFile);
1739 RUNNER_ASSERT_MSG(smack_file_length > 0,
1740 "SMACK file empty with persistant mode 1. Errno: " << errno);
1746 result = app_revoke_permissions(APP_ID);
1747 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1748 "Error revoking app permissions. Result: " << result);
1751 * Test - Enabling all permissions with persistant mode disabled
1754 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0);
1755 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1756 " Error enabling app permissions. Result: " << result);
1758 // Check if the accesses are realy applied..
1759 result = test_have_all_accesses(rules2);
1760 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1763 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1764 RUNNER_ASSERT_MSG(pFile != NULL,
1765 "SMACK file NOT created!. Errno: " << errno);
1768 fseek(pFile, 0L, SEEK_END);
1769 smack_file_length = ftell(pFile);
1770 RUNNER_ASSERT_MSG(smack_file_length == 0,
1771 "SMACK file not empty with persistant mode 0. Errno: " << errno);
1777 result = app_revoke_permissions(APP_ID);
1778 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1779 "Error revoking app permissions. Result: " << result);
1782 * Test - Enabling all permissions in two complementary files
1785 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1);
1786 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1787 " Error enabling app permissions. Result: " << result);
1789 // Check if the accesses are realy applied..
1790 result = test_have_all_accesses(rules2);
1791 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1794 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1795 RUNNER_ASSERT_MSG(pFile != NULL,
1796 "SMACK file NOT created!. Errno: " << errno);
1799 fseek(pFile, 0L, SEEK_END);
1800 smack_file_length = ftell(pFile);
1801 RUNNER_ASSERT_MSG(smack_file_length > 0,
1802 "SMACK file empty with persistant mode 1. Errno: " << errno);
1808 result = app_revoke_permissions(APP_ID);
1809 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1810 "Error revoking app permissions. Result: " << result);
1813 * Test - Enabling some permissions and then enabling complementary permissions
1816 // Enable permission for rules 2 no r
1817 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1818 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1819 " Error enabling app permissions without r. Result: " << result);
1821 // Check if the accesses are realy applied..
1822 result = test_have_all_accesses(rules2_no_r);
1823 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
1826 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1827 RUNNER_ASSERT_MSG(pFile != NULL,
1828 "SMACK file NOT created!. Errno: " << errno);
1831 fseek(pFile, 0L, SEEK_END);
1832 smack_file_length = ftell(pFile);
1833 RUNNER_ASSERT_MSG(smack_file_length > 0,
1834 "SMACK file empty with persistant mode 1. Errno: " << errno);
1839 // Enable permission for rules 2
1840 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1841 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1842 " Error enabling app all permissions. Result: " << result);
1844 // Check if the accesses are realy applied..
1845 result = test_have_all_accesses(rules2);
1846 RUNNER_ASSERT_MSG(result == 1, "Permissions all not added.");
1849 result = app_revoke_permissions(APP_ID);
1850 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1851 "Error revoking app permissions. Result: " << result);
1854 * Test - Enabling some permissions and then enabling all permissions
1857 // Enable permission for rules 2 no r
1858 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1859 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1860 " Error enabling app permissions without r. Result: " << result);
1862 // Check if the accesses are realy applied..
1863 result = test_have_all_accesses(rules2_no_r);
1864 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
1867 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1868 RUNNER_ASSERT_MSG(pFile != NULL,
1869 "SMACK file NOT created!. Errno: " << errno);
1872 fseek(pFile, 0L, SEEK_END);
1873 smack_file_length = ftell(pFile);
1874 RUNNER_ASSERT_MSG(smack_file_length > 0,
1875 "SMACK file empty with persistant mode 1. Errno: " << errno);
1880 // Enable permission for rules 2
1881 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1);
1882 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1883 " Error enabling app permissions with only r. Result: " << result);
1885 // Check if the accesses are realy applied..
1886 result = test_have_all_accesses(rules2);
1887 RUNNER_ASSERT_MSG(result == 1, "Permissions with only r not added.");
1890 result = app_revoke_permissions(APP_ID);
1891 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1892 "Error revoking app permissions. Result: " << result);
1896 * Until app_disable_permissions is not fixed this test should remain
1900 * Remove previously granted SMACK permissions based on permissions list.
1902 /*RUNNER_TEST(privilege_control12_app_disable_permissions)
1906 * Test - disable all granted permissions.
1910 // Prepare permissions that we want to disable
1911 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1912 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1913 " Error enabling app permissions. Result: " << result);
1915 // Disable permissions
1916 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1917 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1918 "Error disabling app permissions. Result: " << result);
1920 // Are all the permissions disabled?
1921 result = test_have_any_accesses(rules2);
1922 RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
1925 * Test - disable some granted permissions leaving non complementary and then disabling those too.
1928 // Prepare permissions that will not be disabled
1929 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
1930 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1931 " Error adding app first permissions. Result: " << result);
1933 // Prepare permissions that we want to disable
1934 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1935 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1936 " Error adding app second permissions. Result: " << result);
1938 // Disable second permissions
1939 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1940 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1941 "Error disabling app second permissions. Result: " << result);
1943 // Are all second permissions disabled?
1944 result = test_have_any_accesses(rules2);
1945 RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
1947 // Are all first permissions not disabled?
1948 result = test_have_all_accesses(rules);
1949 RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
1951 // Disable first permissions
1952 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS);
1953 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1954 "Error disabling app first permissions. Result: " << result);
1956 // Are all second permissions disabled?
1957 result = test_have_any_accesses(rules);
1958 RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
1961 * Test - disable only no r granted permissions.
1964 // Prepare permissions
1965 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1966 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1967 " Error adding app permissions. Result: " << result);
1969 // Disable same permissions without r
1970 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R);
1971 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1972 "Error disabling app no r permissions. Result: " << result);
1974 // Is any r permissions disabled?
1975 result = test_have_all_accesses(rules2_r);
1976 RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
1977 // Are all no r permissions disabled?
1978 result = test_have_any_accesses(rules2_no_r);
1979 RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
1981 // Prepare permissions
1982 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1983 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1984 " Error adding app no r permissions. Result: " << result);
1986 // Disable all permissions
1987 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1988 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1989 "Error disabling app permissions. Result: " << result);
1993 * Reset SMACK permissions for an application by revoking all previously
1994 * granted rules and enabling them again from a rules file from disk.
1997 RUNNER_TEST(privilege_control13_app_reset_permissions)
2002 * Test - doing reset and checking if rules exist again.
2005 // Prepare permissions to reset
2006 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
2007 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2008 " Error adding app permissions. Result: " << result);
2010 // Reset permissions
2011 result = app_reset_permissions(APP_ID);
2012 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2013 "Error reseting app permissions. Result: " << result);
2015 // Are all second permissions not disabled?
2016 result = test_have_all_accesses(rules2);
2017 RUNNER_ASSERT_MSG(result == 1, "Not all permissions added.");
2019 // Disable permissions
2020 result = app_revoke_permissions(APP_ID);
2021 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2022 "Error disabling app permissions. Result: " << result);
2026 * Make two applications "friends", by giving them both full permissions on
2029 RUNNER_TEST(privilege_control14_app_add_friend)
2034 * Test - making friends with no permissions on each other
2037 result = app_revoke_permissions(APP_FRIEND_1);
2038 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2039 "Error revoking app permissions. Result: " << result);
2040 result = app_revoke_permissions(APP_FRIEND_2);
2041 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2042 "Error revoking app permissions. Result: " << result);
2044 app_uninstall(APP_FRIEND_1);
2045 app_uninstall(APP_FRIEND_2);
2047 // Installing friends to be
2048 result = app_install(APP_FRIEND_1);
2049 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2050 " Error installing first app. Result: " << result);
2051 result = app_install(APP_FRIEND_2);
2052 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2053 " Error installing second app. Result: " << result);
2056 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2057 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2058 " Error making friends. Errno: " << result);
2060 // Checking if friends were made
2061 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
2062 RUNNER_ASSERT_MSG(result == 1,
2063 " Error first one sided friednship failed. Result: " << result);
2064 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
2065 RUNNER_ASSERT_MSG(result == 1,
2066 " Error second one sided friednship failed. Result: " << result);
2069 result = app_revoke_permissions(APP_FRIEND_1);
2070 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2071 "Error revoking app permissions. Result: " << result);
2072 result = app_revoke_permissions(APP_FRIEND_2);
2073 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2074 "Error revoking app permissions. Result: " << result);
2076 app_uninstall(APP_FRIEND_1);
2077 app_uninstall(APP_FRIEND_2);
2080 * Test - making friends with nonexisting friend
2083 // Installing one friend
2084 result = app_install(APP_FRIEND_1);
2085 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2086 " Error installing first app. Errno: " << result);
2088 // Adding imaginairy friend as second
2089 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2090 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2091 " Error making friends (first) with imaginairy friend failed. Result: "
2093 // Adding imaginairy friend as first
2094 result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
2095 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2096 " Error making friends (second) with imaginairy friend failed. Result: "
2099 result = app_revoke_permissions(APP_FRIEND_1);
2100 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2101 "Error revoking app permissions. Result: " << result);
2102 result = app_revoke_permissions(APP_FRIEND_2);
2103 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2104 "Error revoking app permissions. Result: " << result);
2106 app_uninstall(APP_FRIEND_1);
2107 app_uninstall(APP_FRIEND_2);
2110 * Test - making friends with some permissions already added
2115 struct smack_accesses *rulesFriend = NULL;
2117 std::vector<std::string> accessesFriend =
2118 { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
2120 // Installing friends to be
2121 result = app_install(APP_FRIEND_1);
2122 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2123 " Error installing first app. Result: " << result);
2124 result = app_install(APP_FRIEND_2);
2125 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2126 " Error installing second app. Result: " << result);
2128 for (i = 0; i < accessesFriend.size(); ++i)
2130 for (j = 0; j < accessesFriend.size(); ++j)
2132 // Adding rules before making friends
2133 result = smack_accesses_new(&rulesFriend);
2134 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2135 "Error in smack_accesses_new. Result: " << result);
2137 result = smack_accesses_add(rulesFriend,
2138 APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
2139 RUNNER_ASSERT_MSG(result == 0,
2140 "Unable to add modify rulesFirend (first). Result: " << result);
2141 result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
2142 APP_FRIEND_1, accessesFriend[j].c_str());
2143 RUNNER_ASSERT_MSG(result == 0,
2144 "Unable to add modify rulesFirend (second). Result: " << result);
2146 result = smack_accesses_apply(rulesFriend);
2147 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2148 "Error in smack_accesses_apply. Result: " << result);
2151 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2152 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2153 " Error making friends. Result: " << result);
2155 // Checking if friends were made
2156 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
2157 RUNNER_ASSERT_MSG(result == 1,
2158 " Error first one sided friednship failed. Result: " << result);
2159 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
2160 RUNNER_ASSERT_MSG(result == 1,
2161 " Error second one sided friednship failed. Result: " << result);
2163 // Deleting all rules between friends
2164 smack_accesses_add_modify(rulesFriend,
2165 APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
2166 smack_accesses_add_modify(rulesFriend,
2167 APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
2169 result = smack_accesses_apply(rulesFriend);
2171 smack_accesses_free(rulesFriend);
2177 result = app_revoke_permissions(APP_FRIEND_1);
2178 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2179 "Error revoking app permissions. Result: " << result);
2180 result = app_revoke_permissions(APP_FRIEND_2);
2181 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2182 "Error revoking app permissions. Result: " << result);
2184 app_uninstall(APP_FRIEND_1);
2185 app_uninstall(APP_FRIEND_2);
2188 static void smack_set_random_label_based_on_pid_on_self(void)
2191 std::stringstream ss;
2193 ss << "s-" << getpid() << "-" << getppid();
2194 result = smack_set_label_for_self(ss.str().c_str());
2195 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
2196 << ss.str().c_str() << ") failed");
2199 static void smack_unix_sock_server(int sock)
2205 fd = accept(sock, NULL, NULL);
2209 result = smack_new_label_from_self(&smack_label);
2214 RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
2216 result = write(fd, smack_label, strlen(smack_label));
2217 if (result != (int)strlen(smack_label)) {
2221 RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
2227 RUNNER_TEST(privilege_control15_app_id_from_socket)
2230 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
2234 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2236 smack_set_random_label_based_on_pid_on_self();
2238 if (!pid) { /* child process, server */
2241 /* Set the process label before creating a socket */
2242 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2243 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
2245 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
2248 RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
2250 result = listen(sock, 1);
2253 RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
2255 smack_unix_sock_server(sock);
2257 /* Change the process label with listening socket */
2258 smack_unix_sock_server(sock);
2261 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2262 /* Now running two concurrent servers.
2263 Test if socket label was unaffected by fork() */
2264 smack_unix_sock_server(sock);
2265 /* Let's give the two servers different labels */
2266 smack_unix_sock_server(sock);
2268 waitpid(pid, NULL, 0);
2270 } else { /* parent process, client */
2271 sleep(1); /* Give server some time to setup listening socket */
2273 for (i = 0; i < 4; ++i) {
2276 char smack_label1[SMACK_LABEL_LEN + 1];
2279 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2280 RUNNER_ASSERT_MSG(sock >= 0,
2281 "socket failed: " << strerror(errno));
2282 result = connect(sock,
2283 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
2286 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
2290 result = read(sock, smack_label1, SMACK_LABEL_LEN);
2294 RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
2296 smack_label1[result] = '\0';
2297 smack_label2 = app_id_from_socket(sock);
2298 if (smack_label2 == NULL) {
2300 RUNNER_ASSERT_MSG(0, "app_id_from_socket failed");
2302 result = strcmp(smack_label1, smack_label2);
2305 RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
2306 << "' != '" << smack_label2 << "-" << random() << "'");
2310 waitpid(pid, NULL, 0);
2314 RUNNER_TEST(privilege_control16_app_setup_path){
2315 const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
2316 const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
2317 const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
2318 const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
2319 const char *label1 = "qwert123456za";
2320 const char *label2 = "trewq654123az";
2322 std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
2327 int fd = creat(path3, S_IRWXU);
2330 fd = creat(path4, S_IRWXU);
2336 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
2337 RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
2338 labelPtr.reset(label);
2340 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
2342 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
2343 RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
2344 labelPtr.reset(label);
2346 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2));
2348 RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
2349 labelPtr.reset(label);
2351 RUNNER_ASSERT(labelPtr.get() == NULL);
2354 RUNNER_TEST(privilege_control17_appsettings_privilege)
2356 #define APP_1 "app_1"
2357 #define APP_1_DIR "/tmp/app_1"
2359 #define APP_2 "app_2"
2360 #define APP_2_DIR "/tmp/app_2"
2362 #define APP_TEST "app_test"
2364 #define PRIV_APPSETTING (const char*[]) {"http://tizen.org/privilege/appsetting", NULL}
2367 char *app1_dir_label;
2368 char *app2_dir_label;
2372 (void)app_uninstall(APP_TEST);
2373 (void)app_uninstall(APP_1);
2374 (void)app_uninstall(APP_2);
2376 //install some app 1
2377 ret = app_install(APP_1);
2378 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install." << ret);
2380 mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
2382 //register settings folder for app 1
2383 ret = app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW );
2384 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret);
2386 //install "app_test" and give it appsettings privilege
2387 ret = app_install(APP_TEST);
2388 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install.");
2391 ret = app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
2393 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
2394 " Error enabling app permissions. Result: " << ret);
2396 //check if "app_test" has an RX access to the app "app_1"
2397 ret = smack_have_access(APP_TEST, APP_1, "rx");
2398 RUNNER_ASSERT_MSG(ret,"access denies");
2401 //check if "app_test" has an RWX access to a folder registered by "app_1"
2402 ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
2403 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2404 ret = smack_have_access(APP_TEST, app1_dir_label, "rwx");
2405 RUNNER_ASSERT_MSG(ret,"access denies");
2408 //intstall another app: "app_2"
2409 ret = app_install(APP_2);
2410 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install.");
2412 mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
2413 //register settings folder for that "app_2"
2414 ret = app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW );
2415 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret);
2417 //check if "app_test" has an RX access to the app "app_2"
2418 ret = smack_have_access(APP_TEST, APP_2, "rx");
2419 RUNNER_ASSERT_MSG(ret,"access denies");
2421 //check if "app_test" has an RWX access to a folder registered by "app_2"
2422 ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS );
2423 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2424 ret = smack_have_access(APP_TEST, app2_dir_label, "rwx");
2425 RUNNER_ASSERT_MSG(ret,"access denies");
2427 free (app1_dir_label);
2428 free (app2_dir_label);
2432 (void)app_uninstall(APP_TEST);
2433 (void)app_uninstall(APP_1);
2434 (void)app_uninstall(APP_2);
2437 RUNNER_TEST(privilege_control18_app_setup_path_public)
2441 cleaning_smack_database_files();
2444 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2445 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2447 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2448 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2450 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
2451 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
2453 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
2454 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2456 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2457 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2459 cleaning_smack_database_files();
2462 RUNNER_TEST(privilege_control19_app_setup_path_settings)
2466 cleaning_smack_database_files();
2469 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2470 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2472 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2473 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2475 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
2476 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
2478 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir, FTW_MAX_FDS, FTW_PHYS);
2479 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2481 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2482 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2484 cleaning_smack_database_files();
2487 RUNNER_TEST(privilege_control20_early_rules)
2493 char *single_line_format = NULL;
2496 char subject[SMACK_LABEL_LEN + 1];
2497 char object[SMACK_LABEL_LEN + 1];
2498 char rule_add[6]; // "rwxat" + '\0'
2499 char rule_remove[6]; // "rwxat" + '\0'
2501 subject[SMACK_LABEL_LEN] = '\0';
2502 object[SMACK_LABEL_LEN] = '\0';
2504 rule_remove[5] = '\0';
2506 unlink(SMACK_RULES_DIR APP_ID);
2508 app_uninstall(APP_ID);
2510 result = app_install(APP_ID);
2511 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno));
2512 result = app_install(APP_TEST_APP_1);
2513 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno));
2515 // checking if file really exists
2516 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
2518 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno));
2521 result = app_enable_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm, 1);
2522 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
2523 result = app_enable_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm, 1);
2524 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
2526 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2527 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2529 result = asprintf(&single_line_format, "%%%ds %%%ds %%5s %%5s\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN);
2531 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2532 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2533 pass_1 = 1; // Found rule for APP_ID
2536 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2537 pass_2 = 1; // Found rule for APP_TEST_APP_1
2541 free(single_line_format);
2542 single_line_format = NULL;
2546 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " not found");
2547 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
2549 // Checking if "early rule" for APP_ID was really removed
2550 // We also should make sure that "early rules" for other apps wasn't removed
2551 result = app_uninstall(APP_ID);
2552 RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result << ". Errno: " << strerror(errno));
2556 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2557 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2559 result = asprintf(&single_line_format, "%%%ds %%%ds %%5s %%5s\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN);
2561 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2562 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2563 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
2566 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2567 pass_2 = 1; // Found rule for APP_TEST_APP_1
2571 free(single_line_format);
2572 single_line_format = NULL;
2576 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
2577 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
2579 // Removing and checking "early rule" for APP_TEST_APP_1
2580 result = app_uninstall(APP_TEST_APP_1);
2581 RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result << ". Errno: " << strerror(errno));
2585 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2586 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2588 result = asprintf(&single_line_format, "%%%ds %%%ds %%5s %%5s\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN);
2590 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2591 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2592 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
2595 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2596 pass_2 = 0; // Found rule for APP_TEST_APP_1 - it should NOT be here
2600 free(single_line_format);
2601 single_line_format = NULL;
2605 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
2606 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
projects / platform / core / test / security-tests.git / blob