2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runer
34 #include <dpl/test/test_runner.h>
35 #include <dpl/test/test_runner_child.h>
36 #include <dpl/log/log.h>
37 #include <sys/types.h>
40 #include <sys/xattr.h>
41 #include <sys/smack.h>
42 #include <sys/types.h>
43 #include <sys/socket.h>
46 #include <privilege-control.h>
50 #include <tests_common.h>
52 #define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/"
53 #define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
54 #define SMACK_LOAD2 "/smack/load2"
55 #define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
56 #define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
57 #define APPID_DIR "test_APP_ID_dir"
58 #define APPID_SHARED_DIR "test_APP_ID_shared_dir"
59 #define CANARY_LABEL "tiny_yellow_canary"
61 #define APP_ID "test_APP"
62 #define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
63 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
65 #define EFL_APP_ID "EFL_APP_ID"
67 #define WGT_APP_ID "QwCqJ0ttyS"
68 #define WGT_PARTNER_APP_ID "7btsV1Y0sX"
69 #define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
70 #define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
71 #define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
72 #define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
73 #define OSP_APP_ID "uqNfgEjqc7"
74 #define OSP_PARTNER_APP_ID "j4RuPsZrNt"
75 #define OSP_PLATFORM_APP_ID "V5LKqDFBXm"
76 #define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp"
77 #define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner"
78 #define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform"
79 #define EARLY_RULE_SUBJECT "livebox.web-provider"
80 #define EARLY_RULE_RIGHTS "rwx---"
82 const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
83 const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
84 const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
85 const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
86 const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
87 const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
88 const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
89 const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL };
92 #define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
93 #define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
94 #define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
95 #define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac"
97 #define APP_TEST_APP_1 "test-application1"
98 #define APP_TEST_APP_2 "test-application_2"
99 #define APP_TEST_APP_3 "test-app-3"
100 #define APP_TEST_AV_1 "test-antivirus1"
101 #define APP_TEST_AV_2 "test-antivirus_2"
102 #define APP_TEST_AV_3 "test-av-3"
104 #define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1"
105 #define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2"
106 #define APP_TEST_AV_ASP1 "test-app-av-asp1"
107 #define APP_TEST_AV_ASP2 "test-app-av-asp2"
109 #define SOCK_PATH "/tmp/test-smack-socket"
113 #define APP_USER_NAME "app"
114 #define APP_HOME_DIR "/opt/home/app"
116 #define APP_FRIEND_1 "app_friend_1"
117 #define APP_FRIEND_2 "app_friend_2"
119 #define SMACK_ACC_LEN 6
121 // How many open file descriptors should ftw() function use?
122 #define FTW_MAX_FDS 16
124 // ---- Macros and arrays used in stress tests ----
125 #define TEST_OSP_FEATURE_APP_ID "test-osp-feature-app"
126 #define TEST_WGT_FEATURE_APP_ID "test-wgt-feature-app"
127 #define TEST_OSP_FEATURE "OSP_test-feature.osp_rxl"
128 #define TEST_WGT_FEATURE "WGT_test-feature.wgt_rxl"
129 // OSP Api Feature Test data - gives rxl access to OSP app and rl access to WGT app also!
130 const char *FILE_PATH_TEST_OSP_FEATURE = "/usr/share/privilege-control/OSP_test-feature.osp_rxl.smack";
131 const char *test_osp_feature_rule_set[] = { "~APP~ " TEST_OSP_FEATURE_APP_ID " rxl",
132 "~APP~ " TEST_WGT_FEATURE_APP_ID " rl",
134 const char *TEST_OSP_FEATURE_PRIVS[] = { TEST_OSP_FEATURE, NULL };
135 // WGT Api Feature Test data - rwx access only to WGT app
136 const char *FILE_PATH_TEST_WGT_FEATURE = "/usr/share/privilege-control/WRT_test-feature.wgt_rwx.smack";
137 const char *test_wgt_feature_rule_set[] = { "~APP~ " TEST_WGT_FEATURE_APP_ID " rwx",
139 const char *TEST_WGT_FEATURE_PRIVS[] = { TEST_WGT_FEATURE, NULL };
141 const std::vector< std::vector<std::string> > rules_to_test_any_access1 = {
142 { TEST_OSP_FEATURE_APP_ID, APP_ID, "r" },
143 { TEST_OSP_FEATURE_APP_ID, APP_ID, "w" },
144 { TEST_OSP_FEATURE_APP_ID, APP_ID, "x" },
145 { TEST_OSP_FEATURE_APP_ID, APP_ID, "a" },
146 { TEST_OSP_FEATURE_APP_ID, APP_ID, "t" },
147 { TEST_OSP_FEATURE_APP_ID, APP_ID, "l" }
150 const std::vector< std::vector<std::string> > rules_to_test_any_access2 = {
151 { APP_ID, TEST_OSP_FEATURE_APP_ID, "r" },
152 { APP_ID, TEST_OSP_FEATURE_APP_ID, "x" },
153 { APP_ID, TEST_OSP_FEATURE_APP_ID, "l" },
154 { APP_ID, TEST_WGT_FEATURE_APP_ID, "r" },
155 { APP_ID, TEST_WGT_FEATURE_APP_ID, "w" },
156 { APP_ID, TEST_WGT_FEATURE_APP_ID, "x" },
157 { APP_ID, TEST_WGT_FEATURE_APP_ID, "l" }
160 #define FMT_VECTOR_TO_TEST_ANY_ACCESS(sub,obj) \
161 (const std::vector< std::vector<std::string> >) { \
169 // Rules from test_privilege_control_rules.smack
170 const std::vector< std::vector<std::string> > rules = {
171 { APP_ID, "test_book_1", "r" },
172 { APP_ID, "test_book_2", "w" },
173 { APP_ID, "test_book_3", "x" },
174 { APP_ID, "test_book_4", "rw" },
175 { APP_ID, "test_book_5", "rx" },
176 { APP_ID, "test_book_6", "wx" },
177 { APP_ID, "test_book_7", "rwx" },
178 { "test_subject_1", APP_ID, "r" },
179 { "test_subject_2", APP_ID, "w" },
180 { "test_subject_3", APP_ID, "x" },
181 { "test_subject_4", APP_ID, "rw" },
182 { "test_subject_5", APP_ID, "rx" },
183 { "test_subject_6", APP_ID, "wx" },
184 { "test_subject_7", APP_ID, "rwx" },
185 { APP_ID, APPID_SHARED_DIR, "rwxat"}
188 // Rules from WRT_test_privilege_control_rules2.smack
189 const std::vector< std::vector<std::string> > rules2 = {
190 { WGT_APP_ID, "test_book_8", "r" },
191 { WGT_APP_ID, "test_book_9", "w" },
192 { WGT_APP_ID, "test_book_10", "x" },
193 { WGT_APP_ID, "test_book_11", "rw" },
194 { WGT_APP_ID, "test_book_12", "rx" },
195 { WGT_APP_ID, "test_book_13", "wx" },
196 { WGT_APP_ID, "test_book_14", "rwx" },
197 { WGT_APP_ID, "test_book_15", "rwxat" },
198 { "test_subject_8", WGT_APP_ID, "r" },
199 { "test_subject_9", WGT_APP_ID, "w" },
200 { "test_subject_10", WGT_APP_ID, "x" },
201 { "test_subject_11", WGT_APP_ID, "rw" },
202 { "test_subject_12", WGT_APP_ID, "rx" },
203 { "test_subject_13", WGT_APP_ID, "wx" },
204 { "test_subject_14", WGT_APP_ID, "rwx" },
205 { "test_subject_15", WGT_APP_ID, "rwxat" }
208 // Rules from WRT_test_privilege_control_rules_no_r.smack
209 const std::vector< std::vector<std::string> > rules2_no_r = {
210 { WGT_APP_ID, "test_book_9", "w" },
211 { WGT_APP_ID, "test_book_10", "x" },
212 { WGT_APP_ID, "test_book_11", "w" },
213 { WGT_APP_ID, "test_book_12", "x" },
214 { WGT_APP_ID, "test_book_13", "x" },
215 { WGT_APP_ID, "test_book_14", "wx" },
216 { WGT_APP_ID, "test_book_15", "wxat" },
217 { "test_subject_9", WGT_APP_ID, "w" },
218 { "test_subject_10", WGT_APP_ID, "x" },
219 { "test_subject_11", WGT_APP_ID, "w" },
220 { "test_subject_12", WGT_APP_ID, "x" },
221 { "test_subject_13", WGT_APP_ID, "x" },
222 { "test_subject_14", WGT_APP_ID, "wx" },
223 { "test_subject_15", WGT_APP_ID, "wxat" }
226 // Rules from test_privilege_control_rules.smack
227 // minus WRT_test_privilege_control_rules_no_r.smack
228 const std::vector< std::vector<std::string> > rules2_r = {
229 { WGT_APP_ID, "test_book_8", "r" },
230 { WGT_APP_ID, "test_book_11", "r" },
231 { WGT_APP_ID, "test_book_12", "r" },
232 { WGT_APP_ID, "test_book_14", "r" },
233 { WGT_APP_ID, "test_book_15", "r" },
234 { "test_subject_8", WGT_APP_ID, "r" },
235 { "test_subject_11", WGT_APP_ID, "r" },
236 { "test_subject_12", WGT_APP_ID, "r" },
237 { "test_subject_14", WGT_APP_ID, "r" },
238 { "test_subject_15", WGT_APP_ID, "r" }
241 // Rules from WRT_test_privilege_control_rules_wgt.smack for wgt
242 const std::vector< std::vector<std::string> > rules_wgt = {
243 { WGT_APP_ID, "test_book_8", "r" },
244 { WGT_APP_ID, "test_book_9", "w" },
245 { WGT_APP_ID, "test_book_10", "x" },
246 { WGT_APP_ID, "test_book_11", "rw" },
247 { WGT_APP_ID, "test_book_12", "rx" },
248 { WGT_APP_ID, "test_book_13", "wx" },
249 { WGT_APP_ID, "test_book_14", "rwx" },
250 { WGT_APP_ID, "test_book_15", "rwxat" },
251 { "test_subject_8", WGT_APP_ID, "r" },
252 { "test_subject_9", WGT_APP_ID, "w" },
253 { "test_subject_10", WGT_APP_ID, "x" },
254 { "test_subject_11", WGT_APP_ID, "rw" },
255 { "test_subject_12", WGT_APP_ID, "rx" },
256 { "test_subject_13", WGT_APP_ID, "wx" },
257 { "test_subject_14", WGT_APP_ID, "rwx" },
258 { "test_subject_15", WGT_APP_ID, "rwxat" }
261 // Rules from WRT_test_privilege_control_rules.smack for wgt
262 const std::vector< std::vector<std::string> > rules_wgt2 = {
263 { WGT_APP_ID, "test_book_1", "r" },
264 { WGT_APP_ID, "test_book_2", "w" },
265 { WGT_APP_ID, "test_book_3", "x" },
266 { WGT_APP_ID, "test_book_4", "rw" },
267 { WGT_APP_ID, "test_book_5", "rx" },
268 { WGT_APP_ID, "test_book_6", "wx" },
269 { WGT_APP_ID, "test_book_7", "rwx" },
270 { "test_subject_1", WGT_APP_ID, "r" },
271 { "test_subject_2", WGT_APP_ID, "w" },
272 { "test_subject_3", WGT_APP_ID, "x" },
273 { "test_subject_4", WGT_APP_ID, "rw" },
274 { "test_subject_5", WGT_APP_ID, "rx" },
275 { "test_subject_6", WGT_APP_ID, "wx" },
276 { "test_subject_7", WGT_APP_ID, "rwx" }
279 // Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_partner
280 const std::vector< std::vector<std::string> > rules_wgt_partner = {
281 { WGT_PARTNER_APP_ID, "test_book_8", "r" },
282 { WGT_PARTNER_APP_ID, "test_book_9", "w" },
283 { WGT_PARTNER_APP_ID, "test_book_10", "x" },
284 { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
285 { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
286 { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
287 { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
288 { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
289 { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
290 { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
291 { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
292 { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
293 { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
294 { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
295 { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
296 { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }
299 // Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_platform
300 const std::vector< std::vector<std::string> > rules_wgt_platform = {
301 { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
302 { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
303 { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
304 { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
305 { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
306 { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
307 { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
308 { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
309 { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
310 { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
311 { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
312 { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
313 { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
314 { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
315 { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
316 { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }
319 // Rules from OSP_test_privilege_control_rules_osp.smack for osp
320 const std::vector< std::vector<std::string> > rules_osp = {
321 { OSP_APP_ID, "test_book_8", "r" },
322 { OSP_APP_ID, "test_book_9", "w" },
323 { OSP_APP_ID, "test_book_10", "x" },
324 { OSP_APP_ID, "test_book_11", "rw" },
325 { OSP_APP_ID, "test_book_12", "rx" },
326 { OSP_APP_ID, "test_book_13", "wx" },
327 { OSP_APP_ID, "test_book_14", "rwx" },
328 { OSP_APP_ID, "test_book_15", "rwxat" },
329 { "test_subject_8", OSP_APP_ID, "r" },
330 { "test_subject_9", OSP_APP_ID, "w" },
331 { "test_subject_10", OSP_APP_ID, "x" },
332 { "test_subject_11", OSP_APP_ID, "rw" },
333 { "test_subject_12", OSP_APP_ID, "rx" },
334 { "test_subject_13", OSP_APP_ID, "wx" },
335 { "test_subject_14", OSP_APP_ID, "rwx" },
336 { "test_subject_15", OSP_APP_ID, "rwxat" }
339 // Rules from OSP_test_privilege_control_rules_osp.smack for osp_partner
340 const std::vector< std::vector<std::string> > rules_osp_partner = {
341 { OSP_PARTNER_APP_ID, "test_book_8", "r" },
342 { OSP_PARTNER_APP_ID, "test_book_9", "w" },
343 { OSP_PARTNER_APP_ID, "test_book_10", "x" },
344 { OSP_PARTNER_APP_ID, "test_book_11", "rw" },
345 { OSP_PARTNER_APP_ID, "test_book_12", "rx" },
346 { OSP_PARTNER_APP_ID, "test_book_13", "wx" },
347 { OSP_PARTNER_APP_ID, "test_book_14", "rwx" },
348 { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" },
349 { "test_subject_8", OSP_PARTNER_APP_ID, "r" },
350 { "test_subject_9", OSP_PARTNER_APP_ID, "w" },
351 { "test_subject_10", OSP_PARTNER_APP_ID, "x" },
352 { "test_subject_11", OSP_PARTNER_APP_ID, "rw" },
353 { "test_subject_12", OSP_PARTNER_APP_ID, "rx" },
354 { "test_subject_13", OSP_PARTNER_APP_ID, "wx" },
355 { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" },
356 { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" }
359 // Rules from OSP_test_privilege_control_rules_osp.smack for osp_platform
360 const std::vector< std::vector<std::string> > rules_osp_platform = {
361 { OSP_PLATFORM_APP_ID, "test_book_8", "r" },
362 { OSP_PLATFORM_APP_ID, "test_book_9", "w" },
363 { OSP_PLATFORM_APP_ID, "test_book_10", "x" },
364 { OSP_PLATFORM_APP_ID, "test_book_11", "rw" },
365 { OSP_PLATFORM_APP_ID, "test_book_12", "rx" },
366 { OSP_PLATFORM_APP_ID, "test_book_13", "wx" },
367 { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" },
368 { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" },
369 { "test_subject_8", OSP_PLATFORM_APP_ID, "r" },
370 { "test_subject_9", OSP_PLATFORM_APP_ID, "w" },
371 { "test_subject_10", OSP_PLATFORM_APP_ID, "x" },
372 { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" },
373 { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" },
374 { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" },
375 { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" },
376 { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }
379 // Rules from EFL_test_privilege_control_rules_osp.smack for osp_platform
380 const std::vector< std::vector<std::string> > rules_efl = {
381 { APP_ID, "test_book_efl", "r" }
384 typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
386 void closefdptr(int* fd) { close(*fd); }
387 typedef std::unique_ptr<int, std::function<void (int*)> > FDUniquePtr;
389 std::vector<std::string> gen_names(std::string prefix, std::string suffix, size_t size)
391 std::vector<std::string> names;
392 for(int i = 0; i < size; ++i) {
393 names.push_back(prefix + "_" + std::to_string(i) + suffix);
398 const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
399 const char *WRT_BLAHBLAH ="/usr/share/privilege-control/WGT_blahblah.smack";
400 const char *OTHER_BLAHBLAH ="/usr/share/privilege-control/blahblah.smack";
401 const std::vector<std::string> OSP_BLAHBLAH_DAC = gen_names("/usr/share/privilege-control/OSP_feature.blah.blahblah", ".dac", 16);
402 const char *WRT_BLAHBLAH_DAC ="/usr/share/privilege-control/WGT_blahblah.dac";
403 const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
404 const std::vector<std::string> BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16);
407 //correct and incorrect PID used in incorrect params test
408 const pid_t PID_CORRECT = 0;
409 const pid_t PID_INCORRECT = -1;
412 * Check if every rule is true.
413 * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
415 int test_have_all_accesses(const std::vector< std::vector<std::string> > &rules)
418 for (uint i = 0; i < rules.size(); ++i) {
419 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
427 * Check if every rule is true.
428 * @return 1 if ANY rule in SMACK, 0 if
430 int test_have_any_accesses(const std::vector< std::vector<std::string> > &rules)
433 for (uint i = 0; i < rules.size(); ++i) {
434 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
441 int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
442 int /*typeflag*/, struct FTW* /*ftwbuf*/)
444 smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
445 smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
446 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
451 int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
452 int /*typeflag*/, struct FTW* /*ftwbuf*/)
454 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
455 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
456 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
461 int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
462 int /*typeflag*/, struct FTW* /*ftwbuf*/)
468 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
469 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
470 result = strcmp(CANARY_LABEL, label);
471 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
474 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
475 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
476 result = strcmp(CANARY_LABEL, label);
477 RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
480 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
481 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
482 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
487 int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
488 int /*typeflag*/, struct FTW* /*ftwbuf*/)
494 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
495 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
496 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
497 result = strcmp(APPID_DIR, label);
498 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
501 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
502 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
503 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
504 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
505 result = strcmp(APPID_DIR, label);
506 RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
507 } else if (S_ISLNK(sb->st_mode)) {
509 char *target = realpath(fpath, NULL);
510 RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
512 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
513 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
515 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
516 result = strcmp(APPID_DIR, label);
517 RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
520 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
523 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
524 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
525 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
530 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
531 int /*typeflag*/, struct FTW* /*ftwbuf*/)
537 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
538 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
539 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
540 result = strcmp(APPID_SHARED_DIR, label);
541 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
543 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl");
544 RUNNER_ASSERT_MSG(result == 1,
545 "Error rwxatl access was not given shared dir. Subject: " <<
546 APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
548 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
549 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
550 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
553 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
554 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
555 if (S_ISDIR(sb->st_mode)) {
556 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
557 result = strcmp("TRUE", label);
558 RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
560 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
565 int check_labels_dir(const char *fpath, const struct stat *sb,
566 const char *labels_db_path, const char *dir_db_path,
572 char *scanf_label_format;
573 char label_temp[SMACK_LABEL_LEN + 1];
577 result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
578 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
579 RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
582 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
585 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
590 RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
594 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
598 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
600 if (S_ISDIR(sb->st_mode)) {
604 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
606 result = strcmp("TRUE", label);
610 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
612 } else if (label != NULL) {
615 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
620 if (0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)) {
622 RUNNER_ASSERT_MSG(false, "asprintf failed");
625 file_db = fopen(labels_db_path, "r");
626 if (file_db == NULL) {
628 free(scanf_label_format);
629 RUNNER_ASSERT_MSG(false, "Can not open database for apps");
631 while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
632 result = smack_have_access(label_temp, label_gen, access);
636 free(scanf_label_format);
637 RUNNER_ASSERT_MSG(false,
638 "Error " << access << " access was not given for subject: "
639 << label_temp << ". Result: " << result);
644 file_db = fopen(dir_db_path, "r");
645 if (file_db == NULL) {
647 free(scanf_label_format);
648 RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
651 free(scanf_label_format);
658 int file_exists(const char *path)
660 FILE *file = fopen(path, "r");
668 void osp_blahblah_check(int line_no, const std::vector<std::string> &rules)
670 std::ifstream smack_file(OSP_BLAHBLAH);
671 RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
673 auto it = rules.begin();
675 while (std::getline(smack_file,line)) {
676 RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
677 RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
681 RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
686 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids, std::string dac_file_path)
688 std::ifstream dac_file(dac_file_path);
689 RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << dac_file_path);
691 auto it = gids.begin();
693 while (std::getline(dac_file,line)) {
694 std::istringstream is(line);
697 RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
698 RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
702 RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
707 void remove_smack_files()
710 unlink(OSP_BLAHBLAH);
711 unlink(WRT_BLAHBLAH);
712 unlink(OTHER_BLAHBLAH);
713 unlink(WRT_BLAHBLAH_DAC);
714 unlink(OTHER_BLAHBLAH_DAC);
716 for(int i=0;i<OSP_BLAHBLAH_DAC.size();++i )
717 unlink(OSP_BLAHBLAH_DAC[i].c_str());
719 for(int i=0;i<OSP_BLAHBLAH_DAC.size();++i )
720 unlink(OSP_BLAHBLAH_DAC[i].c_str());
723 int cleaning_smack_app_files (void)
725 unlink(SMACK_RULES_DIR APP_TEST_APP_1);
727 unlink(SMACK_RULES_DIR APP_TEST_APP_2);
729 unlink(SMACK_RULES_DIR APP_TEST_APP_3);
731 unlink(SMACK_RULES_DIR APP_TEST_AV_1);
733 unlink(SMACK_RULES_DIR APP_TEST_AV_2);
735 unlink(SMACK_RULES_DIR APP_TEST_AV_3);
742 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
745 * Test setting labels for all files and folders in given path.
747 RUNNER_TEST(privilege_control02_app_label_dir)
751 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
752 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
754 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
755 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
757 result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
758 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
760 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
761 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
763 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
764 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
767 RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir)
770 result = perm_app_install(APP_ID);
771 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
773 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
774 RUNNER_ASSERT_MSG(result != 0, "perm_app_setup_path(APP_ID, APP_ID) didn't fail");
776 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
777 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
779 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
780 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
782 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
783 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
785 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
786 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
788 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
789 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
791 result = perm_app_uninstall(APP_ID);
792 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
796 * Simple enabling EFL permissions;.
798 RUNNER_TEST_SMACK(privilege_control04_add_permissions)
800 int result = perm_app_uninstall(APP_ID);
801 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
803 result = perm_app_install(APP_ID);
804 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
807 result = perm_app_enable_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL, TRUE);
808 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
809 " perm_app_enable_permissions failed with result: " << result);
811 // Check if the accesses are realy applied..
812 result = test_have_all_accesses(rules_efl);
813 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
815 result = perm_app_uninstall(APP_ID);
816 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
820 * Revoke permissions from the list. Should be executed as privileged user.
822 RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
827 result = perm_app_uninstall(WGT_APP_ID);
828 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
829 result = perm_app_uninstall(WGT_PARTNER_APP_ID);
830 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
831 result = perm_app_uninstall(WGT_PLATFORM_APP_ID);
832 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
833 result = perm_app_uninstall(OSP_APP_ID);
834 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
835 result = perm_app_uninstall(OSP_PARTNER_APP_ID);
836 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
837 result = perm_app_uninstall(OSP_PLATFORM_APP_ID);
838 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
841 result = perm_app_install(WGT_APP_ID);
842 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
843 result = perm_app_install(WGT_PARTNER_APP_ID);
844 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
845 result = perm_app_install(WGT_PLATFORM_APP_ID);
846 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
847 result = perm_app_install(OSP_APP_ID);
848 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
849 result = perm_app_install(OSP_PARTNER_APP_ID);
850 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
851 result = perm_app_install(OSP_PLATFORM_APP_ID);
852 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
856 // Revoke permissions
857 result = perm_app_revoke_permissions(WGT_APP_ID);
858 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
859 "Error revoking app permissions. Result: " << result);
860 result = perm_app_revoke_permissions(WGT_PARTNER_APP_ID);
861 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
862 "Error revoking app permissions. Result: " << result);
863 result = perm_app_revoke_permissions(WGT_PLATFORM_APP_ID);
864 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
865 "Error revoking app permissions. Result: " << result);
866 result = perm_app_revoke_permissions(OSP_APP_ID);
867 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
868 "Error revoking app permissions. Result: " << result);
869 result = perm_app_revoke_permissions(OSP_PARTNER_APP_ID);
870 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
871 "Error revoking app permissions. Result: " << result);
872 result = perm_app_revoke_permissions(OSP_PLATFORM_APP_ID);
873 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
874 "Error revoking app permissions. Result: " << result);
876 // Are all the permissions revoked?
877 result = test_have_any_accesses(rules_wgt);
878 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
879 result = test_have_any_accesses(rules_wgt_partner);
880 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
881 result = test_have_any_accesses(rules_wgt_platform);
882 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
883 result = test_have_any_accesses(rules_osp);
884 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
885 result = test_have_any_accesses(rules_osp_partner);
886 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
887 result = test_have_any_accesses(rules_osp_platform);
888 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
890 // Cleanup - uninstall test apps
891 result = perm_app_uninstall(WGT_APP_ID);
892 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
893 result = perm_app_uninstall(WGT_PARTNER_APP_ID);
894 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
895 result = perm_app_uninstall(WGT_PLATFORM_APP_ID);
896 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
897 result = perm_app_uninstall(OSP_APP_ID);
898 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
899 result = perm_app_uninstall(OSP_PARTNER_APP_ID);
900 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
901 result = perm_app_uninstall(OSP_PLATFORM_APP_ID);
902 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
905 static void read_gids(std::set<unsigned> &set, const char *file_path)
907 FILE *f = fopen(file_path, "r");
908 RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
910 while (fscanf(f, "%u\n", &gid) == 1) {
917 * Set APP privileges.
919 void check_groups(const char *dac_file)
921 std::set<unsigned> groups_check;
922 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
923 read_gids(groups_check, dac_file);
925 int groups_cnt = getgroups(0, NULL);
926 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
927 gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
928 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
929 RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
931 for (int i = 0; i < groups_cnt; ++i) {
932 //getgroups() can return multiple number of the same group
933 //they are returned in sequence, so we will given number when last
934 //element of this number is reached
935 if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i]))
937 if (groups_check.erase(groups_list[i]) == 0) {
938 // getgroups() may also return process' main group
939 if (groups_list[i] != getgid())
940 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
944 std::string groups_left;
945 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
946 groups_left.append(std::to_string(*it)).append(" ");
948 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
952 * Set APP privileges. wgt.
954 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
956 int result = perm_app_uninstall(WGT_APP_ID);
957 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
958 result = perm_app_install(WGT_APP_ID);
959 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
962 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
963 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
964 " Error enabling app permissions. Result: " << result);
966 result = test_have_all_accesses(rules_wgt);
967 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
969 result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
970 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
972 // Check if SMACK label really set
974 result = smack_new_label_from_self(&label);
975 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
976 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
977 result = strcmp(WGT_APP_ID, label);
978 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
980 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
984 * Set APP privileges. wgt_partner.
986 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner)
988 int result = perm_app_uninstall(WGT_PARTNER_APP_ID);
989 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
990 result = perm_app_install(WGT_PARTNER_APP_ID);
991 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
994 result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
995 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
996 " Error enabling app permissions. Result: " << result);
998 result = test_have_all_accesses(rules_wgt_partner);
999 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1001 result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
1002 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1004 // Check if SMACK label really set
1006 result = smack_new_label_from_self(&label);
1007 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1008 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1009 result = strcmp(WGT_PARTNER_APP_ID, label);
1010 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1012 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1016 * Set APP privileges. wgt_platform.
1018 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform)
1020 int result = perm_app_uninstall(WGT_PLATFORM_APP_ID);
1021 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1022 result = perm_app_install(WGT_PLATFORM_APP_ID);
1023 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1026 result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
1027 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1028 " Error enabling app permissions. Result: " << result);
1030 result = test_have_all_accesses(rules_wgt_platform);
1031 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1033 result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
1034 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1036 // Check if SMACK label really set
1038 result = smack_new_label_from_self(&label);
1039 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1040 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1041 result = strcmp(WGT_PLATFORM_APP_ID, label);
1042 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1044 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1048 * Set APP privileges. osp app.
1050 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
1052 int result = perm_app_uninstall(OSP_APP_ID);
1053 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1054 result = perm_app_install(OSP_APP_ID);
1055 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1058 result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
1059 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1060 " Error enabling app permissions. Result: " << result);
1062 result = test_have_all_accesses(rules_osp);
1063 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1065 result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
1066 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1068 // Check if SMACK label really set
1070 result = smack_new_label_from_self(&label);
1071 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1072 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1073 result = strcmp(OSP_APP_ID, label);
1074 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1076 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1080 * Set APP privileges. partner osp app.
1082 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner)
1084 int result = perm_app_uninstall(OSP_PARTNER_APP_ID);
1085 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1086 result = perm_app_install(OSP_PARTNER_APP_ID);
1087 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1090 result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
1091 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1092 "Error enabling app permissions. Result: " << result);
1094 result = test_have_all_accesses(rules_osp_partner);
1095 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1097 result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
1098 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1100 // Check if SMACK label really set
1102 result = smack_new_label_from_self(&label);
1103 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1104 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1105 result = strcmp(OSP_PARTNER_APP_ID, label);
1106 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1108 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1112 * Set APP privileges. platform osp app.
1114 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform)
1116 int result = perm_app_uninstall(OSP_PLATFORM_APP_ID);
1117 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1118 result = perm_app_install(OSP_PLATFORM_APP_ID);
1119 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1122 result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
1123 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1124 " Error enabling app permissions. Result: " << result);
1126 result = test_have_all_accesses(rules_osp_platform);
1127 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1129 result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
1130 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1132 // Check if SMACK label really set
1134 result = smack_new_label_from_self(&label);
1135 RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
1136 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1137 result = strcmp(OSP_PLATFORM_APP_ID, label);
1138 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1140 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1144 * Add new API feature
1146 RUNNER_TEST(privilege_control11_add_api_feature)
1150 remove_smack_files();
1153 // argument validation
1154 result = perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
1155 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1157 result = perm_add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0);
1158 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1161 // Already existing feature:
1162 // TODO: Database will be malformed. (Rules for these features will be removed.)
1163 result = perm_add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0);
1164 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1166 result = perm_add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0);
1167 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1170 result = perm_add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0);
1171 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1173 result = perm_add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0);
1174 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1178 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[0].c_str(), { NULL }, NULL, 0);
1179 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1181 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[1].c_str(), (const char*[]) { "", NULL }, NULL, 0);
1182 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1184 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[2].c_str(), (const char*[]) { " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
1185 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1188 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[3].c_str(), (const char*[]) { "malformed", NULL }, NULL, 0);
1189 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
1191 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[4].c_str(), (const char*[]) { "malformed malformed", NULL }, NULL, 0);
1192 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
1194 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[5].c_str(), (const char*[]) { "-malformed malformed rwxat", NULL }, NULL, 0);
1195 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
1197 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[6].c_str(), (const char*[]) { "~/\"\\ malformed rwxat", NULL }, NULL, 0);
1198 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
1200 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[7].c_str(), (const char*[]) { "subject object rwxat something else", NULL }, NULL, 0);
1201 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
1205 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[8].c_str(), (const char*[]) {
1206 "~APP~ object\t rwxatl",
1208 "subject2\t~APP~ ltxarw",
1212 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1214 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[9].c_str(), (const char*[]) {
1215 "Sub::jE,ct ~APP~ a-rwxl",
1218 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1220 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[10].c_str(), (const char*[]) {
1221 "Sub::sjE,ct ~APP~ a-RwXL", // TODO This fails.
1224 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1227 // TODO For now identical/complementary rules are not merged.
1228 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[11].c_str(), (const char*[]) {
1229 "subject1 ~APP~ rwxatl",
1231 "subject2 ~APP~ ltxarw",
1235 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1239 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[12].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},0);
1240 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1241 result = file_exists(OSP_BLAHBLAH_DAC[12].c_str());
1242 RUNNER_ASSERT(result == -1);
1243 remove_smack_files();
1247 result = perm_add_api_feature(APP_TYPE_OSP,BLAHBLAH_FEATURE[13].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},3);
1248 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1249 osp_blahblah_dac_check(__LINE__, {0,1,2}, OSP_BLAHBLAH_DAC[13]);
1250 remove_smack_files();
1252 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[14].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},1);
1253 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1254 osp_blahblah_dac_check(__LINE__, {0}, OSP_BLAHBLAH_DAC[14]);
1255 remove_smack_files();
1257 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[15].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {1,1,1},3);
1258 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
1259 osp_blahblah_dac_check(__LINE__, {1,1,1},OSP_BLAHBLAH_DAC[15]);
1260 remove_smack_files();
1264 * Check perm_app_install function
1266 RUNNER_TEST(privilege_control01_app_install)
1271 perm_app_uninstall(APP_ID);
1273 result = perm_app_install(APP_ID);
1274 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1276 // try install second time app with the same ID - it should pass.
1277 result = perm_app_install(APP_ID);
1278 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1282 * Check perm_app_install function
1284 RUNNER_TEST(privilege_control07_app_uninstall)
1289 result = perm_app_uninstall(APP_ID);
1290 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1292 // checking if file really exists
1293 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1294 RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after perm_app_uninstall");
1298 void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
1301 result = smack_have_access(av_id, app_id, "rwx");
1302 RUNNER_ASSERT_MSG(result == 1,
1303 "Error while checking " << av_id << " rwx access to "
1304 << app_id << " " << comment << " Result: " << result);
1305 result = smack_have_access(av_id, app_id, "a");
1306 RUNNER_ASSERT_MSG(result == 0,
1307 "Error while checking " << av_id << " a access to "
1308 << app_id << " " << comment << " Result: " << result);
1309 result = smack_have_access(av_id, app_id, "t");
1310 RUNNER_ASSERT_MSG(result == 0,
1311 "Error while checking " << av_id << " t access to "
1312 << app_id << " " << comment << " Result: " << result);
1316 * Check app_register_av function
1317 * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
1319 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
1320 RUNNER_TEST_SMACK(privilege_control10_app_register_av)
1322 RUNNER_IGNORED_MSG("app_register_av is not implemented");
1326 smack_revoke_subject(APP_TEST_AV_1);
1327 smack_revoke_subject(APP_TEST_AV_2);
1329 cleaning_smack_app_files();
1331 // Adding two apps before antivir
1332 result = perm_app_install(APP_TEST_APP_1);
1333 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1335 result = perm_app_install(APP_TEST_APP_2);
1336 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1339 result = app_register_av(APP_TEST_AV_1);
1340 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
1342 // Checking added apps accesses
1343 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
1344 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
1347 result = perm_app_install(APP_TEST_APP_3);
1348 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1350 // Checking app accesses
1351 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
1352 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
1353 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
1355 // Adding second antivir
1356 result = app_register_av(APP_TEST_AV_2);
1357 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
1359 // Checking app accesses
1360 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1361 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1362 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1363 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1364 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1365 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1368 smack_revoke_subject(APP_TEST_AV_1);
1369 smack_revoke_subject(APP_TEST_AV_2);
1371 cleaning_smack_app_files();
1373 #pragma GCC diagnostic warning "-Wdeprecated-declarations"
1376 * Grant SMACK permissions based on permissions list.
1378 RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions)
1382 // Clean up after test:
1383 result = perm_app_uninstall(WGT_APP_ID);
1384 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1385 result = perm_app_install(WGT_APP_ID);
1386 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1389 * Test - Enabling all permissions with persistant mode enabled
1391 result = perm_app_revoke_permissions(WGT_APP_ID);
1392 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1393 "Error revoking app permissions. Result: " << result);
1395 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
1396 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1397 " Error enabling app permissions. Result: " << result);
1399 // Check if the accesses are realy applied..
1400 result = test_have_all_accesses(rules2);
1401 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1404 result = perm_app_revoke_permissions(WGT_APP_ID);
1405 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1406 "Error revoking app permissions. Result: " << result);
1409 * Test - Enabling all permissions with persistant mode disabled
1412 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 0);
1413 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1414 " Error enabling app permissions. Result: " << result);
1416 // Check if the accesses are realy applied..
1417 result = test_have_all_accesses(rules2);
1418 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1421 result = perm_app_revoke_permissions(WGT_APP_ID);
1422 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1423 "Error revoking app permissions. Result: " << result);
1426 * Test - Enabling all permissions in two complementary files
1429 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, 1);
1430 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1431 " Error enabling app permissions. Result: " << result);
1433 // Check if the accesses are realy applied..
1434 result = test_have_all_accesses(rules2_no_r);
1435 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1438 result = perm_app_revoke_permissions(WGT_APP_ID);
1439 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1440 "Error revoking app permissions. Result: " << result);
1443 * Test - Enabling some permissions and then enabling complementary permissions
1446 // Enable permission for rules 2 no r
1447 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
1448 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1449 " Error enabling app permissions without r. Result: " << result);
1451 // Check if the accesses are realy applied..
1452 result = test_have_all_accesses(rules2_no_r);
1453 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
1455 // Enable permission for rules 2
1456 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
1457 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1458 " Error enabling app all permissions. Result: " << result);
1460 // Check if the accesses are realy applied..
1461 result = test_have_all_accesses(rules2);
1462 RUNNER_ASSERT_MSG(result == 1, "Permissions all not added.");
1465 result = perm_app_revoke_permissions(WGT_APP_ID);
1466 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1467 "Error revoking app permissions. Result: " << result);
1470 * Test - Enabling some permissions and then enabling all permissions
1473 // Enable permission for rules 2 no r
1474 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
1475 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1476 " Error enabling app permissions without r. Result: " << result);
1478 // Check if the accesses are realy applied..
1479 result = test_have_all_accesses(rules2_no_r);
1480 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
1482 // Enable permission for rules 2
1483 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, 1);
1484 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1485 " Error enabling app permissions with only r. Result: " << result);
1487 // Check if the accesses are realy applied..
1488 result = test_have_all_accesses(rules2_r);
1489 RUNNER_ASSERT_MSG(result == 1, "Permissions with only r not added.");
1492 result = perm_app_revoke_permissions(WGT_APP_ID);
1493 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1494 "Error revoking app permissions. Result: " << result);
1498 // Clean up after test:
1499 result = perm_app_uninstall(WGT_APP_ID);
1500 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1504 RUNNER_CHILD_TEST(privilege_control11_app_enable_permissions_efl)
1509 result = perm_app_uninstall(EFL_APP_ID);
1510 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1511 "perm_app_uninstall failed: " << result);
1512 result = perm_app_install(EFL_APP_ID);
1513 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1514 "perm_app_install failed: " << result);
1516 // Enable a permission:
1517 result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, 0);
1518 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1519 "Error enabling app permissions. Result: " << result);
1521 RUNNER_ASSERT_MSG(smack_have_access(EFL_APP_ID,"test_book_efl", "r"),
1522 "SMACK accesses not granted for EFL_APP");
1525 result = perm_app_uninstall(EFL_APP_ID);
1526 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1527 "perm_app_uninstall failed: " << result);
1531 * Check perm_app_install function
1533 RUNNER_CHILD_TEST(privilege_control12_app_disable_permissions_efl)
1538 result = perm_app_uninstall(EFL_APP_ID);
1539 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1540 "perm_app_uninstall failed: " << result);
1542 result = perm_app_install(EFL_APP_ID);
1543 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1544 "perm_app_install failed: " << result);
1546 // Enable a permission
1547 result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, 0);
1548 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1549 "Error enabling app permissions. Result: " << result);
1551 RUNNER_ASSERT_MSG(smack_have_access(EFL_APP_ID,"test_book_efl", "r"),
1552 "SMACK accesses not granted for EFL_APP");
1554 // Disable a permission
1555 result = perm_app_disable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
1556 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1557 "Error disabling app permissions. Result: " << result);
1559 RUNNER_ASSERT_MSG(!smack_have_access(EFL_APP_ID,"test_book_efl", "r"),
1560 "SMACK accesses not granted for EFL_APP");
1563 result = perm_app_uninstall(EFL_APP_ID);
1564 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1565 "perm_app_uninstall failed: " << result);
1570 * Remove previously granted SMACK permissions based on permissions list.
1572 RUNNER_TEST(privilege_control12_app_disable_permissions)
1577 result = perm_app_uninstall(WGT_APP_ID);
1578 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1579 "perm_app_uninstall failed: " << result);
1581 result = perm_app_install(WGT_APP_ID);
1582 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1583 "perm_app_install failed: " << result);
1585 * Test - disable all granted permissions.
1588 // Prepare permissions that we want to disable
1589 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
1590 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1591 " Error enabling app permissions. Result: " << result);
1593 // Are all the permissions enabled?
1594 result = test_have_any_accesses(rules2);
1595 RUNNER_ASSERT_MSG(result==1, "Not all permisions enabled.");
1597 // Disable permissions
1598 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
1599 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1600 "Error disabling app permissions. Result: " << result);
1602 // Are all the permissions disabled?
1603 result = test_have_any_accesses(rules2);
1604 RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
1607 * Test - disable some granted permissions leaving non complementary and then disabling those too.
1610 // Prepare permissions that will not be disabled
1611 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS, 1);
1612 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1613 " Error adding app first permissions. Result: " << result);
1615 // Prepare permissions that we want to disable
1616 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
1617 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1618 " Error adding app second permissions. Result: " << result);
1620 // Disable second permissions
1621 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
1622 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1623 "Error disabling app second permissions. Result: " << result);
1625 // Are all second permissions disabled?
1626 result = test_have_any_accesses(rules2);
1627 RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
1629 // Are all first permissions not disabled?
1630 result = test_have_all_accesses(rules_wgt2);
1631 RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
1633 // Disable first permissions
1634 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS);
1635 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1636 "Error disabling app first permissions. Result: " << result);
1638 // Are all second permissions disabled?
1639 result = test_have_any_accesses(rules_wgt2);
1640 RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
1643 * Test - disable only no r granted permissions.
1646 // Prepare permissions
1647 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, 1);
1648 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1649 " Error adding app permissions. Result: " << result);
1651 // Disable same permissions without r
1652 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
1653 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1654 "Error disabling app no r permissions. Result: " << result);
1656 // Is any r permissions disabled?
1657 result = test_have_all_accesses(rules2_r);
1658 RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
1659 // Are all no r permissions disabled?
1660 result = test_have_any_accesses(rules2_no_r);
1661 RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
1663 // Prepare permissions
1664 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
1665 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1666 " Error adding app no r permissions. Result: " << result);
1667 result = test_have_any_accesses(rules2_no_r);
1668 RUNNER_ASSERT_MSG(result=1, "Not all no r permissions enabled.");
1670 // Disable all permissions
1671 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
1672 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1673 "Error disabling app permissions. Result: " << result);
1674 result = test_have_any_accesses(rules2_r);
1675 RUNNER_ASSERT_MSG(result!=1, "Not all r permissions disabled.");
1679 // Clean up after test:
1680 result = perm_app_uninstall(WGT_APP_ID);
1681 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1685 * Reset SMACK permissions for an application by revoking all previously
1686 * granted rules and enabling them again from a rules file from disk.
1688 // TODO: This test is incomplete.
1689 RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions)
1694 * Test - doing reset and checking if rules exist again.
1697 result = perm_app_install(WGT_APP_ID);
1698 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1700 // Prepare permissions to reset
1701 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
1702 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1703 " Error adding app permissions. Result: " << result);
1705 // Reset permissions
1706 result = perm_app_reset_permissions(WGT_APP_ID);
1707 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1708 "Error reseting app permissions. Result: " << result);
1710 // Are all second permissions not disabled?
1711 result = test_have_all_accesses(rules2);
1712 RUNNER_ASSERT_MSG(result == 1, "Not all permissions added.");
1714 // Disable permissions
1715 result = perm_app_revoke_permissions(WGT_APP_ID);
1716 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1717 "Error disabling app permissions. Result: " << result);
1719 result = perm_app_uninstall(WGT_APP_ID);
1720 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1725 * Make two applications "friends", by giving them both full permissions on
1728 RUNNER_TEST_SMACK(privilege_control14_app_add_friend)
1730 RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented");
1735 * Test - making friends with no permissions on each other
1738 result = perm_app_revoke_permissions(APP_FRIEND_1);
1739 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1740 "Error revoking app permissions. Result: " << result);
1741 result = perm_app_revoke_permissions(APP_FRIEND_2);
1742 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1743 "Error revoking app permissions. Result: " << result);
1745 perm_app_uninstall(APP_FRIEND_1);
1746 perm_app_uninstall(APP_FRIEND_2);
1748 // Installing friends to be
1749 result = perm_app_install(APP_FRIEND_1);
1750 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1751 " Error installing first app. Result: " << result);
1752 result = perm_app_install(APP_FRIEND_2);
1753 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1754 " Error installing second app. Result: " << result);
1757 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1758 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1759 " Error making friends. Errno: " << result);
1761 // Checking if friends were made
1762 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1763 RUNNER_ASSERT_MSG(result == 1,
1764 " Error first one sided friednship failed. Result: " << result);
1765 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1766 RUNNER_ASSERT_MSG(result == 1,
1767 " Error second one sided friednship failed. Result: " << result);
1770 result = perm_app_revoke_permissions(APP_FRIEND_1);
1771 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1772 "Error revoking app permissions. Result: " << result);
1773 result = perm_app_revoke_permissions(APP_FRIEND_2);
1774 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1775 "Error revoking app permissions. Result: " << result);
1777 perm_app_uninstall(APP_FRIEND_1);
1778 perm_app_uninstall(APP_FRIEND_2);
1781 * Test - making friends with nonexisting friend
1784 // Installing one friend
1785 result = perm_app_install(APP_FRIEND_1);
1786 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1787 " Error installing first app. Errno: " << result);
1789 // Adding imaginairy friend as second
1790 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1791 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1792 " Error making friends (first) with imaginairy friend failed. Result: "
1794 // Adding imaginairy friend as first
1795 result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
1796 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1797 " Error making friends (second) with imaginairy friend failed. Result: "
1800 result = perm_app_revoke_permissions(APP_FRIEND_1);
1801 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1802 "Error revoking app permissions. Result: " << result);
1803 result = perm_app_revoke_permissions(APP_FRIEND_2);
1804 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1805 "Error revoking app permissions. Result: " << result);
1807 perm_app_uninstall(APP_FRIEND_1);
1808 perm_app_uninstall(APP_FRIEND_2);
1811 * Test - making friends with some permissions already added
1816 struct smack_accesses *rulesFriend = NULL;
1818 std::vector<std::string> accessesFriend =
1819 { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
1821 // Installing friends to be
1822 result = perm_app_install(APP_FRIEND_1);
1823 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1824 " Error installing first app. Result: " << result);
1825 result = perm_app_install(APP_FRIEND_2);
1826 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1827 " Error installing second app. Result: " << result);
1829 for (i = 0; i < accessesFriend.size(); ++i)
1831 for (j = 0; j < accessesFriend.size(); ++j)
1833 // Adding rules before making friends
1834 result = smack_accesses_new(&rulesFriend);
1835 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1836 "Error in smack_accesses_new. Result: " << result);
1838 result = smack_accesses_add(rulesFriend,
1839 APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
1840 RUNNER_ASSERT_MSG(result == 0,
1841 "Unable to add modify rulesFirend (first). Result: " << result);
1842 result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
1843 APP_FRIEND_1, accessesFriend[j].c_str());
1844 RUNNER_ASSERT_MSG(result == 0,
1845 "Unable to add modify rulesFirend (second). Result: " << result);
1847 result = smack_accesses_apply(rulesFriend);
1848 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1849 "Error in smack_accesses_apply. Result: " << result);
1852 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1853 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1854 " Error making friends. Result: " << result);
1856 // Checking if friends were made
1857 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1858 RUNNER_ASSERT_MSG(result == 1,
1859 " Error first one sided friednship failed. Result: " << result);
1860 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1861 RUNNER_ASSERT_MSG(result == 1,
1862 " Error second one sided friednship failed. Result: " << result);
1864 // Deleting all rules between friends
1865 smack_accesses_add_modify(rulesFriend,
1866 APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
1867 smack_accesses_add_modify(rulesFriend,
1868 APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
1870 result = smack_accesses_apply(rulesFriend);
1872 smack_accesses_free(rulesFriend);
1878 result = perm_app_revoke_permissions(APP_FRIEND_1);
1879 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1880 "Error revoking app permissions. Result: " << result);
1881 result = perm_app_revoke_permissions(APP_FRIEND_2);
1882 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1883 "Error revoking app permissions. Result: " << result);
1885 perm_app_uninstall(APP_FRIEND_1);
1886 perm_app_uninstall(APP_FRIEND_2);
1889 static void smack_set_random_label_based_on_pid_on_self(void)
1892 std::stringstream ss;
1894 ss << "s-" << getpid() << "-" << getppid();
1895 result = smack_set_label_for_self(ss.str().c_str());
1896 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
1897 << ss.str().c_str() << ") failed");
1900 static void smack_unix_sock_server(int sock)
1906 fd = accept(sock, NULL, NULL);
1910 result = smack_new_label_from_self(&smack_label);
1915 RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
1917 result = write(fd, smack_label, strlen(smack_label));
1918 if (result != (int)strlen(smack_label)) {
1922 RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
1928 RUNNER_TEST_SMACK(privilege_control15_app_id_from_socket)
1931 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
1935 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1937 smack_set_random_label_based_on_pid_on_self();
1939 if (!pid) { /* child process, server */
1942 /* Set the process label before creating a socket */
1943 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1944 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
1946 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1949 RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
1951 result = listen(sock, 1);
1954 RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
1956 smack_unix_sock_server(sock);
1958 /* Change the process label with listening socket */
1959 smack_unix_sock_server(sock);
1962 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1963 /* Now running two concurrent servers.
1964 Test if socket label was unaffected by fork() */
1965 smack_unix_sock_server(sock);
1966 /* Let's give the two servers different labels */
1967 smack_unix_sock_server(sock);
1969 waitpid(pid, NULL, 0);
1971 } else { /* parent process, client */
1972 sleep(1); /* Give server some time to setup listening socket */
1974 for (i = 0; i < 4; ++i) {
1977 char smack_label1[SMACK_LABEL_LEN + 1];
1980 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1981 RUNNER_ASSERT_MSG(sock >= 0,
1982 "socket failed: " << strerror(errno));
1983 result = connect(sock,
1984 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1987 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
1991 result = read(sock, smack_label1, SMACK_LABEL_LEN);
1995 RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
1997 smack_label1[result] = '\0';
1998 smack_label2 = perm_app_id_from_socket(sock);
1999 if (smack_label2 == NULL) {
2001 RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket failed");
2003 result = strcmp(smack_label1, smack_label2);
2006 RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
2007 << "' != '" << smack_label2 << "-" << random() << "'");
2011 waitpid(pid, NULL, 0);
2015 RUNNER_TEST(privilege_control16_app_setup_path){
2016 const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
2017 const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
2018 const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
2019 const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
2020 const char *label1 = "qwert123456za";
2021 const char *label2 = "trewq654123az";
2023 std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
2028 int fd = creat(path3, S_IRWXU);
2031 fd = creat(path4, S_IRWXU);
2037 RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
2038 RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
2039 labelPtr.reset(label);
2041 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
2043 RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
2044 RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
2045 labelPtr.reset(label);
2047 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2));
2049 RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
2050 labelPtr.reset(label);
2052 RUNNER_ASSERT(labelPtr.get() == NULL);
2055 RUNNER_TEST(privilege_control17_appsettings_privilege)
2057 #define APP_1 "app_1"
2058 #define APP_1_DIR "/tmp/app_1"
2060 #define APP_2 "app_2"
2061 #define APP_2_DIR "/tmp/app_2"
2063 #define APP_TEST "app_test"
2065 #define PRIV_APPSETTING (const char*[]) {"org.tizen.privilege.appsetting", NULL}
2068 char *app1_dir_label;
2069 char *app2_dir_label;
2073 (void)perm_app_uninstall(APP_TEST);
2074 (void)perm_app_uninstall(APP_1);
2075 (void)perm_app_uninstall(APP_2);
2077 //install some app 1
2078 ret = perm_app_install(APP_1);
2079 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install." << ret);
2081 mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
2083 //register settings folder for app 1
2084 ret = perm_app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW );
2085 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
2087 //install "app_test" and give it appsettings privilege
2088 ret = perm_app_install(APP_TEST);
2089 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
2092 ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
2094 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
2095 " Error enabling app permissions. Result: " << ret);
2097 //check if "app_test" has an RX access to the app "app_1"
2098 ret = smack_have_access(APP_TEST, APP_1, "rx");
2099 RUNNER_ASSERT_MSG(ret,"access denies");
2102 //check if "app_test" has an RWX access to a folder registered by "app_1"
2103 ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
2104 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2105 ret = smack_have_access(APP_TEST, app1_dir_label, "rwx");
2106 RUNNER_ASSERT_MSG(ret,"access denied to smack label: " << app1_dir_label);
2109 //intstall another app: "app_2"
2110 ret = perm_app_install(APP_2);
2111 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
2113 mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
2114 //register settings folder for that "app_2"
2115 ret = perm_app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW );
2116 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
2118 //check if "app_test" has an RX access to the app "app_2"
2119 ret = smack_have_access(APP_TEST, APP_2, "rx");
2120 RUNNER_ASSERT_MSG(ret,"access denies");
2122 //check if "app_test" has an RWX access to a folder registered by "app_2"
2123 ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS );
2124 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2125 ret = smack_have_access(APP_TEST, app2_dir_label, "rwx");
2126 RUNNER_ASSERT_MSG(ret,"access denies");
2128 free (app1_dir_label);
2129 free (app2_dir_label);
2133 (void)perm_app_uninstall(APP_TEST);
2134 (void)perm_app_uninstall(APP_1);
2135 (void)perm_app_uninstall(APP_2);
2138 RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
2142 result = perm_app_uninstall(APP_ID);
2143 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result);
2145 result = perm_app_install(APP_ID);
2146 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install." << result);
2148 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2149 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2151 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2152 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2154 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
2155 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
2157 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2158 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2160 result = perm_app_uninstall(APP_ID);
2161 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result);
2164 RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings)
2168 result = perm_app_uninstall(APP_ID);
2169 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result);
2171 result = perm_app_install(APP_ID);
2172 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install." << result);
2174 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2175 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2177 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2178 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2180 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
2181 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
2183 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2184 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2186 result = perm_app_uninstall(APP_ID);
2187 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result);
2190 RUNNER_TEST(privilege_control20_early_rules)
2192 RUNNER_IGNORED_MSG("early rules are not implemented");
2198 char *single_line_format = NULL;
2201 char subject[SMACK_LABEL_LEN + 1];
2202 char object[SMACK_LABEL_LEN + 1];
2203 char rule_add[SMACK_ACC_LEN + 1];
2204 char rule_remove[SMACK_ACC_LEN + 1];
2206 subject[SMACK_LABEL_LEN] = '\0';
2207 object[SMACK_LABEL_LEN] = '\0';
2208 rule_add[SMACK_ACC_LEN] = '\0';
2209 rule_remove[SMACK_ACC_LEN] = '\0';
2211 unlink(SMACK_RULES_DIR APP_ID);
2213 perm_app_uninstall(APP_ID);
2215 result = perm_app_install(APP_ID);
2216 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
2217 result = perm_app_install(APP_TEST_APP_1);
2218 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
2220 // checking if file really exists
2221 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
2223 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno));
2226 result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm, 1);
2227 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
2228 result = perm_app_enable_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm, 1);
2229 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
2231 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2232 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2234 result = asprintf(&single_line_format, "%%%ds %%%ds %%%ds %%%ds\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN, SMACK_ACC_LEN, SMACK_ACC_LEN);
2236 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2237 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2238 pass_1 = 1; // Found rule for APP_ID
2241 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2242 pass_2 = 1; // Found rule for APP_TEST_APP_1
2249 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " not found");
2250 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
2252 // Checking if "early rule" for APP_ID was really removed
2253 // We also should make sure that "early rules" for other apps wasn't removed
2254 result = perm_app_uninstall(APP_ID);
2255 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
2259 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2260 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2262 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2263 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2264 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
2267 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2268 pass_2 = 1; // Found rule for APP_TEST_APP_1
2275 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
2276 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
2278 // Removing and checking "early rule" for APP_TEST_APP_1
2279 result = perm_app_uninstall(APP_TEST_APP_1);
2280 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
2284 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2285 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2287 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2288 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2289 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
2292 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2293 pass_2 = 0; // Found rule for APP_TEST_APP_1 - it should NOT be here
2297 free(single_line_format);
2300 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
2301 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
2305 //////////////////////////////////////////////////////
2306 //TEST FOR INCORRECT PARAMS CHECK IN LIBPRIVILEGE APIS
2307 //////////////////////////////////////////////////////
2309 RUNNER_TEST(privilege_control21a_incorrect_params_get_smack_label_from_process)
2311 RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_CORRECT, NULL) == PC_ERR_INVALID_PARAM, "get_smack_label_from_process didn't check if smack_label isn't NULL.");
2313 char aquired_smack_label[SMACK_LABEL_LEN+1];
2314 RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_INCORRECT, aquired_smack_label) == PC_ERR_INVALID_PARAM, "get_smack_label_from_process didn't check for correct pid.");
2317 RUNNER_TEST_SMACK(privilege_control21b_incorrect_params_smack_pid_have_access)
2319 RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "some_object", NULL) == -1, "smack_pid_have_access didn't check if access_type isn't NULL.");
2320 RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, NULL, "rw") == -1, "smack_pid_have_access didn't check if object isn't NULL.");
2321 RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "", "rw") == -1, "smack_pid_have_access didn't check if object isn't empty.");
2322 RUNNER_ASSERT_MSG(smack_pid_have_access(PID_INCORRECT, "some_object", "rw") == -1, "smack_pid_have_access didn't check for correct pid.");
2325 RUNNER_TEST(privilege_control21c_incorrect_params_perm_app_set_privilege)
2327 RUNNER_ASSERT_MSG(perm_app_set_privilege(NULL, NULL, APP_SET_PRIV_PATH) == PC_ERR_INVALID_PARAM, "perm_app_set_privilege didn't check if package name isn't NULL.");
2330 RUNNER_TEST(privilege_control21d_incorrect_params_perm_app_install)
2332 RUNNER_ASSERT_MSG(perm_app_install(NULL) == PC_ERR_INVALID_PARAM, "perm_app_install didn't check if pkg_id isn't NULL.");
2333 RUNNER_ASSERT_MSG(perm_app_install("") == PC_ERR_INVALID_PARAM, "perm_app_install didn't check if pkg_id isn't empty.");
2336 RUNNER_TEST(privilege_control21e_incorrect_params_perm_app_uninstall)
2338 RUNNER_ASSERT_MSG(perm_app_uninstall(NULL) == PC_ERR_INVALID_PARAM, "perm_app_uninstall didn't check if pkg_id isn't NULL.");
2339 RUNNER_ASSERT_MSG(perm_app_uninstall("") == PC_ERR_INVALID_PARAM, "perm_app_uninstall didn't check if pkg_id isn't empty.");
2342 RUNNER_TEST(privilege_control21f_incorrect_params_perm_app_enable_permissions)
2344 RUNNER_ASSERT_MSG(perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, NULL, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if perm_list isn't NULL.");
2345 RUNNER_ASSERT_MSG(perm_app_enable_permissions(NULL, APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if pkg_id isn't NULL.");
2346 RUNNER_ASSERT_MSG(perm_app_enable_permissions("", APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if pkg_id isn't empty.");
2347 RUNNER_ASSERT_MSG(perm_app_enable_permissions("~APP~", APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if pkg_id is valid");
2350 RUNNER_TEST(privilege_control21g_incorrect_params_app_revoke_permissions)
2352 RUNNER_ASSERT_MSG(perm_app_revoke_permissions(NULL) == PC_ERR_INVALID_PARAM, "perm_app_revoke_permissions didn't check if pkg_id isn't NULL.");
2353 RUNNER_ASSERT_MSG(perm_app_revoke_permissions("") == PC_ERR_INVALID_PARAM, "perm_app_revoke_permissions didn't check if pkg_id isn't empty.");
2354 RUNNER_ASSERT_MSG(perm_app_revoke_permissions("~APP~") == PC_ERR_INVALID_PARAM, "perm_app_revoke_permissions didn't check if pkg_id is valid.");
2357 RUNNER_TEST(privilege_control21h_incorrect_params_app_reset_permissions)
2359 RUNNER_ASSERT_MSG(perm_app_reset_permissions(NULL) == PC_ERR_INVALID_PARAM, "perm_app_reset_permissions didn't check if pkg_id isn't NULL.");
2360 RUNNER_ASSERT_MSG(perm_app_reset_permissions("") == PC_ERR_INVALID_PARAM, "perm_app_reset_permissions didn't check if pkg_id isn't empty.");
2361 RUNNER_ASSERT_MSG(perm_app_reset_permissions("~APP~") == PC_ERR_INVALID_PARAM, "perm_app_reset_permissions didn't check if pkg_id is valid.");
2364 RUNNER_TEST(privilege_control21i_incorrect_params_app_setup_path)
2366 RUNNER_ASSERT_MSG(perm_app_setup_path(APPID_DIR, NULL, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if path isn't NULL.");
2367 RUNNER_ASSERT_MSG(perm_app_setup_path(NULL, TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if pkg_id isn't NULL.");
2368 RUNNER_ASSERT_MSG(perm_app_setup_path("", TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if pkg_id isn't empty.");
2369 RUNNER_ASSERT_MSG(perm_app_setup_path("~APP~", TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if pkg_id is valid.");
2372 RUNNER_TEST(privilege_control21j_incorrect_params_app_add_friend)
2374 RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented");
2376 RUNNER_ASSERT_MSG(perm_app_add_friend(NULL, APP_FRIEND_2) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id1 isn't NULL.");
2377 RUNNER_ASSERT_MSG(perm_app_add_friend("", APP_FRIEND_2) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id1 isn't empty.");
2378 RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, NULL) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id2 isn't NULL.");
2379 RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, "") == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id2 isn't empty.");
2380 RUNNER_ASSERT_MSG(perm_app_add_friend("~APP~", APP_FRIEND_2) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id1 is valid.");
2381 RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, "~APP~") == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id2 is valid.");
2384 RUNNER_TEST(privilege_control21k_incorrect_params_add_api_feature)
2386 RUNNER_ASSERT_MSG(perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0) == PC_ERR_INVALID_PARAM, "perm_add_api_feature didn't check if api_feature_name isn't NULL.");
2387 RUNNER_ASSERT_MSG(perm_add_api_feature(APP_TYPE_OSP, "", NULL, NULL, 0) == PC_ERR_INVALID_PARAM, "perm_add_api_feature didn't check if api_feature_name isn't empty.");
2390 RUNNER_TEST(privilege_control21l_incorrect_params_ignored_disable_permissions)
2392 RUNNER_ASSERT_MSG(perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, NULL) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if perm_list isn't NULL.");
2393 RUNNER_ASSERT_MSG(perm_app_disable_permissions(NULL, APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't NULL.");
2394 RUNNER_ASSERT_MSG(perm_app_disable_permissions("", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't empty.");
2395 RUNNER_ASSERT_MSG(perm_app_disable_permissions("~APP~", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id is valid.");
2399 /////////////////////////////////////////
2400 //////NOSMACK ENVIRONMENT TESTS//////////
2401 /////////////////////////////////////////
2404 * NOSMACK version of nftw_check_labels_app_shared_dir function.
2406 * This function used with nftw should expect -1 result from smack_have_access instead of 1.
2408 int nftw_check_labels_app_shared_dir_nosmack(const char *fpath, const struct stat *sb,
2409 int /*typeflag*/, struct FTW* /*ftwbuf*/)
2414 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
2415 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
2416 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
2418 result = strcmp(APPID_SHARED_DIR, label);
2419 RUNNER_ASSERT_MSG(result == 0,
2420 "ACCESS label on " << fpath << " is incorrect. Result: " << result);
2422 //The only exception in nftw_check_labels_app_shared_dir
2423 //smack_have_access returns -1 because of no SMACK.
2424 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
2425 RUNNER_ASSERT_MSG(result == -1,
2426 "smack_have_access should return error (SMACK is off). Result: " << result);
2428 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
2429 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
2430 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
2432 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
2433 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
2434 if (S_ISDIR(sb->st_mode)) {
2435 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
2436 result = strcmp("TRUE", label);
2437 RUNNER_ASSERT_MSG(result == 0,
2438 "TRANSMUTE label on " << fpath << " is not set. Result: " << result);
2440 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
2446 * NOSMACK version of privilege_control03 test.
2448 * Uses nosmack version of nftw_check_labels_app_shared_dir (defined above).
2450 RUNNER_TEST_NOSMACK(privilege_control03_app_label_shared_dir_nosmack)
2454 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
2455 RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
2456 "perm_app_setup_path should fail here. Result: " << result);
2458 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2459 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2460 "Unable to clean up Smack labels in " << TEST_APP_DIR);
2462 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2463 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2464 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2466 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
2467 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2468 "perm_app_setup_path() failed. Result: " << result);
2470 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir_nosmack, FTW_MAX_FDS, FTW_PHYS);
2471 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2472 "Unable to check Smack labels for shared app dir");
2474 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2475 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2476 "Unable to check Smack labels for non-app dir");
2480 * NOSMACK version of test_have_accesses functions.
2482 * This will be used in many tests. Checks if for every rule smack_have_access returns error.
2483 * If for any of rules smack_have_access will return something different than error, this result
2484 * is being returned to caller.
2486 int test_have_nosmack_accesses(const std::vector< std::vector<std::string> > &rules)
2489 for (uint i = 0; i < rules.size(); ++i) {
2490 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
2498 * NOSMACK version of privilege_control04 test.
2500 * Tries to add permisions from test_privilege_control_rules template and checks if
2501 * smack_have_access returns -1 on check between every rule.
2503 RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack)
2506 auto result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
2507 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2508 "Error adding app permissions. Result: " << result);
2510 //Check if smack_have_access always fails on every rule
2511 result = test_have_nosmack_accesses(rules);
2512 RUNNER_ASSERT_MSG(result == -1,
2513 "Despite SMACK being off some accesses were added. Result: " << result);
2516 std::fstream fs(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
2517 RUNNER_ASSERT_MSG(fs.good(), "SMACK file NOT created!. Errno: " << strerror(errno));
2519 fs.seekg(0, std::ifstream::end);
2520 RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty, but privileges list was not empty.");
2524 * NOSMACK version of privilege_control05_add_shared_dir_readers test.
2526 * This test is very similar to it's SMACK version - only difference is different result expected
2527 * from smack_have_access.
2529 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
2530 RUNNER_TEST_NOSMACK(privilege_control05_add_shared_dir_readers_nosmack)
2532 const char* test_obj = "TEST_OBJECT";
2533 const char* test_obj_some_other = "TEST_OBJA";
2534 const char* test_str_01 = "TEST_raz TEST_OBJECT r-x--- ------";
2535 const char* test_str_21 = "TEST_trzy TEST_OBJA -wx---";
2536 const char* test_str_22 = "TEST_trzy TEST_OBJECT r-x--- ------";
2542 const char* app_labels_wrong[] = {"-TEST_raz", NULL};
2543 const char* app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
2544 const int READ_BUF_SIZE = 1000;
2545 char buf[READ_BUF_SIZE];
2546 smack_accesses* tmp = NULL;
2548 //test environment cleaning
2549 cleaning_smack_app_files();
2551 //test what happens when the label is not correct SMACK label
2552 result = add_shared_dir_readers(test_obj,app_labels_wrong);
2553 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM,
2554 "add_shared_dir_readers should fail here. Result: " << result);
2555 result = smack_have_access(app_labels_wrong[0],test_obj,"rx");
2556 RUNNER_ASSERT_MSG(result != 1,
2557 "add_shared_dir_readers should not grant permission here. Result: " << result);
2560 result = smack_accesses_new(&tmp);
2561 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2562 "Error in smack_accesses_new. Result: " << result);
2564 //Wrap rules and fd into unique_ptrs for garbage collection
2565 SmackUniquePtr rules(tmp, smack_accesses_free);
2566 FDUniquePtr fd_ptr(&fd, closefdptr);
2568 std::stringstream path;
2569 for (i = 0; i < 3; i++) {
2570 result = perm_app_revoke_permissions(app_labels[i]);
2571 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2572 "Error in perm_app_revoke_permissions. Result: " << result);
2573 result = perm_app_uninstall(app_labels[i]);
2574 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2575 "Error in perm_app_install. Result: " << result);
2576 result = perm_app_install(app_labels[i]);
2577 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2578 "Error in perm_app_install. Result: " << result);
2580 path << SMACK_RULES_DIR << app_labels[i];
2582 fd = open(path.str().c_str(), O_WRONLY, 0644);
2583 RUNNER_ASSERT_MSG(fd != -1, "Error in opening file");
2586 result = smack_accesses_add(rules.get(), app_labels[i], test_obj, "wt");
2587 RUNNER_ASSERT_MSG(result == 0,
2588 "smack_accesses_add failed. Result: " << result);
2592 result = smack_accesses_new(&tmp);
2593 RUNNER_ASSERT_MSG(result == 0,
2594 "Failed to allocate memory for rules.");
2598 result = smack_accesses_add(rules.get(), app_labels[i],
2599 test_obj_some_other, "wx");
2600 RUNNER_ASSERT_MSG(result == 0,
2601 "smack_accesses_add failed. Result: " << result);
2604 result = smack_accesses_apply(rules.get());
2605 RUNNER_ASSERT_MSG(result == -1,
2606 "smack_accesses_apply should fail (SMACK is off). Result: " << result);
2608 result = smack_accesses_save(rules.get(), fd);
2609 RUNNER_ASSERT_MSG(result == 0,
2610 "smack_accesses_save failed. Result: " << result);
2613 path.str(std::string());
2616 //Use add_shared_dir_readers and check if smack_have_access still fails
2617 result = add_shared_dir_readers(test_obj,app_labels);
2618 RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed. Result: " << result);
2620 result = smack_have_access(app_labels[0],test_obj,"rx");
2621 RUNNER_ASSERT_MSG(result == -1,
2622 "smack_have_access should return error (SMACK is off). Result: " << result);
2624 result = smack_have_access(app_labels[1],test_obj,"rx");
2625 RUNNER_ASSERT_MSG(result == -1,
2626 "smack_have_access should return error (SMACK is off). Result: " << result);
2628 result = smack_have_access(app_labels[2],test_obj,"rx");
2629 RUNNER_ASSERT_MSG(result == -1,
2630 "smack_have_access should return error (SMACK is off). Result: " << result);
2632 result = smack_have_access(app_labels[1],test_obj,"rwxt");
2633 RUNNER_ASSERT_MSG(result == -1,
2634 "smack_have_access should return error (SMACK is off). Result: " << result);
2636 result = smack_have_access(app_labels[2],test_obj_some_other,"wx");
2637 RUNNER_ASSERT_MSG(result == -1,
2638 "smack_have_access should return error (SMACK is off). Result: " << result);
2640 //Test if files are properly formatted
2641 path << SMACK_RULES_DIR << app_labels[0];
2642 RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno));
2644 std::fstream fs(path.str().c_str(), std::ios_base::in);
2645 RUNNER_ASSERT_MSG(fs.good(), "Opening file stream failed. Error: " << strerror(errno));
2647 fs.get(buf, READ_BUF_SIZE);
2648 result = strcmp(buf, test_str_01);
2649 RUNNER_ASSERT_MSG(result == 0,
2650 "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() <<
2651 ". Result: " << result);
2653 //Clean up before another test
2654 path.str(std::string());
2657 path << SMACK_RULES_DIR << app_labels[2];
2658 RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno));
2660 fs.open(path.str().c_str(), std::ios_base::in);
2661 RUNNER_ASSERT_MSG(fs.good(), "fopen failed, errno:" << strerror(errno));
2663 fs.getline(buf, READ_BUF_SIZE);
2664 result = strcmp(buf, test_str_21);
2665 RUNNER_ASSERT_MSG( result == 0,
2666 "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str()
2667 << ". Result: " << result);
2669 fs.getline(buf, READ_BUF_SIZE);
2670 result = strcmp(buf, test_str_22);
2671 RUNNER_ASSERT_MSG( result == 0,
2672 "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str()
2673 << ". Result: " << result);
2675 #pragma GCC diagnostic warning "-Wdeprecated-declarations"
2679 * NOSMACK version of privilege_control05_set_app_privilege test.
2681 * Another very similar test to it's SMACK version, this time smack_new_label_from_self is
2682 * expected to return different result.
2684 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack)
2689 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
2690 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
2692 //Set app privileges
2693 result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
2694 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2695 "Error in perm_app_set_privilege. Result: " << result);
2697 //Even though app privileges are set, no smack label should be extracted.
2699 result = smack_new_label_from_self(&label);
2700 RUNNER_ASSERT_MSG(result == -1,
2701 "new_label_from_self should return error (SMACK is off). Result: " << result);
2702 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
2704 //Check if DAC privileges really set
2705 RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
2706 RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
2708 result = strcmp(getenv("HOME"), APP_HOME_DIR);
2709 RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR. Result: " << result);
2711 result = strcmp(getenv("USER"), APP_USER_NAME);
2712 RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME. Result: " << result);
2714 check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
2718 * NOSMACK version of privilege_control05_set_app_privilege_wgt test.
2720 * Same as the above, plus uses test_have_nosmack_accesses instead of test_have_all_accesses.
2722 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_nosmack)
2726 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
2727 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2728 " Error enabling app permissions. Result: " << result);
2730 result = test_have_nosmack_accesses(rules_wgt);
2731 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
2733 result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
2734 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2735 "Error in perm_app_set_privilege. Result: " << result);
2737 //Even though app privileges are set, no smack label should be extracted.
2739 result = smack_new_label_from_self(&label);
2740 RUNNER_ASSERT_MSG(result == -1,
2741 "new_label_from_self should return error (SMACK is off). Result: " << result);
2742 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
2744 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
2748 * NOSMACK version of privilege_control05_set_app_privilege_wgt_partner test.
2750 * Same as the above.
2752 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_partner_nosmack)
2756 result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
2757 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2758 " Error enabling app permissions. Result: " << result);
2760 result = test_have_nosmack_accesses(rules_wgt_partner);
2761 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
2763 result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
2764 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2765 "Error in perm_app_set_privilege. Result: " << result);
2767 //Even though app privileges are set, no smack label should be extracted.
2769 result = smack_new_label_from_self(&label);
2770 RUNNER_ASSERT_MSG(result == -1,
2771 "new_label_from_self should return error (SMACK is off). Result: " << result);
2772 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
2774 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
2778 * NOSMACK version of privilege_control05_set_app_privilege_wgt_platform test.
2780 * Same as the above.
2782 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_platform_nosmack)
2786 result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
2787 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2788 " Error enabling app permissions. Result: " << result);
2790 result = test_have_nosmack_accesses(rules_wgt_platform);
2791 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
2793 result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
2794 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2795 "Error in perm_app_set_privilege. Result: " << result);
2797 //Even though app privileges are set, no smack label should be extracted.
2799 result = smack_new_label_from_self(&label);
2800 RUNNER_ASSERT_MSG(result == -1,
2801 "new_label_from_self should return error (SMACK is off). Result: " << result);
2802 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
2804 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
2808 * NOSMACK version of privilege_control05_set_app_privilege_osp test.
2810 * Same as the above.
2812 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_nosmack)
2816 result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
2817 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2818 " Error enabling app permissions. Result: " << result);
2820 result = test_have_nosmack_accesses(rules_osp);
2821 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
2823 result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
2824 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2825 "Error in perm_app_set_privilege. Result: " << result);
2827 //Even though app privileges are set, no smack label should be extracted.
2829 result = smack_new_label_from_self(&label);
2830 RUNNER_ASSERT_MSG(result == -1,
2831 "new_label_from_self should return error (SMACK is off). Result: " << result);
2832 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
2834 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
2838 * NOSMACK version of privilege_control05_set_app_privilege_osp_partner test.
2840 * Same as the above.
2842 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_partner_nosmack)
2846 result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
2847 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2848 "Error enabling app permissions. Result: " << result);
2850 result = test_have_nosmack_accesses(rules_osp_partner);
2851 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added.");
2853 result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
2854 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2855 "Error in perm_app_set_privilege. Result: " << result);
2857 //Even though app privileges are set, no smack label should be extracted.
2859 result = smack_new_label_from_self(&label);
2860 RUNNER_ASSERT_MSG(result == -1,
2861 "new_label_from_self should return error (SMACK is off). Result: " << result);
2862 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
2864 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
2868 * NOSMACK version of privilege_control05_set_app_privilege_osp_platform test.
2870 * Same as the above.
2872 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nosmack)
2876 result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
2877 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2878 " Error enabling app permissions. Result: " << result);
2880 result = test_have_nosmack_accesses(rules_osp_platform);
2881 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
2883 result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
2884 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2885 "Error in perm_app_set_privilege. Result: " << result);
2887 //Even though app privileges are set, no smack label should be extracted.
2889 result = smack_new_label_from_self(&label);
2890 RUNNER_ASSERT_MSG(result == -1,
2891 "new_label_from_self should return error (SMACK is off). Result: " << result);
2892 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
2894 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
2898 * NOSMACK version of checkOnlyAvAccess function.
2900 * Expects error instead of access granted/forbidden from smack_have_access.
2902 void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment)
2905 result = smack_have_access(av_id, app_id, "rwx");
2906 RUNNER_ASSERT_MSG(result == -1,
2907 "smack_have_access should return error (SMACK is off). Result: " << result
2908 << " when testing " << comment);
2909 result = smack_have_access(av_id, app_id, "a");
2910 RUNNER_ASSERT_MSG(result == -1,
2911 "smack_have_access should return error (SMACK is off). Result: " << result
2912 << " when testing " << comment);
2913 result = smack_have_access(av_id, app_id, "t");
2914 RUNNER_ASSERT_MSG(result == -1,
2915 "smack_have_access should return error (SMACK is off). Result: " << result
2916 << " when testing " << comment);
2920 * NOSMACK version of privilege_control10_app_register_av test.
2922 * Uses NOSMACK version of checkOnlyAvAccess (mentioned above), rest of the test is identical to
2923 * it's SMACK version.
2925 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
2926 RUNNER_TEST_NOSMACK(privilege_control10_app_register_av_nosmack)
2928 RUNNER_IGNORED_MSG("app_register_av is not implemented");
2932 smack_revoke_subject(APP_TEST_AV_1);
2933 smack_revoke_subject(APP_TEST_AV_2);
2935 cleaning_smack_app_files();
2937 // Adding two apps before antivir
2938 result = perm_app_install(APP_TEST_APP_1);
2939 RUNNER_ASSERT_MSG(result == 0,
2940 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
2942 result = perm_app_install(APP_TEST_APP_2);
2943 RUNNER_ASSERT_MSG(result == 0,
2944 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
2947 result = app_register_av(APP_TEST_AV_1);
2948 RUNNER_ASSERT_MSG(result == 0,
2949 "app_register_av returned " << result << ". Errno: " << strerror(errno));
2951 // Checking added apps accesses
2952 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
2953 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
2956 result = perm_app_install(APP_TEST_APP_3);
2957 RUNNER_ASSERT_MSG(result == 0,
2958 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
2960 // Checking app accesses
2961 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
2962 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
2963 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
2965 // Adding second antivir
2966 result = app_register_av(APP_TEST_AV_2);
2967 RUNNER_ASSERT_MSG(result == 0,
2968 "app_register_av returned " << result << ". Errno: " << strerror(errno));
2970 // Checking app accesses
2971 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
2972 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
2973 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
2974 checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
2975 checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
2976 checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
2979 smack_revoke_subject(APP_TEST_AV_1);
2980 smack_revoke_subject(APP_TEST_AV_2);
2982 cleaning_smack_app_files();
2985 #pragma GCC diagnostic warning "-Wdeprecated-declarations"
2988 * NOSMACK version of privilege_control11_app_enable_permissions test.
2990 * Since the original test did the same thing around five times, there is no need to redo the
2991 * same test for perm_app_enable_permissions. perm_app_enable_permissions will be called once,
2992 * test_have_nosmack_accesses will check if smack_have_access still returns error and then
2993 * we will check if SMACK file was correctly created.
2995 RUNNER_TEST_NOSMACK(privilege_control11_app_enable_permissions_nosmack)
3000 result = perm_app_revoke_permissions(APP_ID);
3001 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3002 "Error revoking app permissions. Result: " << result);
3004 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
3005 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3006 "Error enabling app permissions. Result: " << result);
3008 //Check if accesses aren't added
3009 result = test_have_nosmack_accesses(rules2);
3010 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
3013 fs.open(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
3014 RUNNER_ASSERT_MSG(fs.good(), "Couldn't open SMACK file.");
3017 fs.seekg(0, std::ifstream::end);
3018 RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty with persistant mode 1.");
3021 result = perm_app_revoke_permissions(APP_ID);
3022 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3023 "Error revoking app permissions. Result: " << result);
3027 * NOSMACK version of privilege_control13 test.
3029 * Uses perm_app_reset_permissions and checks with test_have_nosmack_accesses if nothing has
3032 RUNNER_TEST_NOSMACK(privilege_control13_app_reset_permissions_nosmack)
3036 // Prepare permissions to reset
3037 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
3038 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3039 " Error adding app permissions. Result: " << result);
3041 // Reset permissions
3042 result = perm_app_reset_permissions(APP_ID);
3043 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3044 "Error reseting app permissions. Result: " << result);
3046 result = test_have_nosmack_accesses(rules2);
3047 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be changed. Result: " << result);
3049 // Disable permissions
3050 result = perm_app_revoke_permissions(APP_ID);
3051 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3052 "Error disabling app permissions. Result: " << result);
3056 * NOSMACK version of privilege_control14 test.
3058 * Similarily as app_enable_permissions test. This time perm_app_add_friend is called twice, once
3059 * when both friends exist, and then when one of them doesn't exist. Other tests are not required -
3060 * results would be the same as earlier.
3062 RUNNER_TEST_NOSMACK(privilege_control14_app_add_friend_nosmack)
3064 RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented");
3068 result = perm_app_revoke_permissions(APP_FRIEND_1);
3069 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3070 "Error revoking app permissions. Result: " << result);
3071 result = perm_app_revoke_permissions(APP_FRIEND_2);
3072 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3073 "Error revoking app permissions. Result: " << result);
3075 perm_app_uninstall(APP_FRIEND_1);
3076 perm_app_uninstall(APP_FRIEND_2);
3080 //Installing friends to be
3081 result = perm_app_install(APP_FRIEND_1);
3082 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3083 "Error installing first app. Result: " << result);
3084 result = perm_app_install(APP_FRIEND_2);
3085 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3086 "Error installing second app. Result: " << result);
3089 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
3090 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3091 "Error during friend making. Result: " << result);
3093 //Same as previous tests, smack_have_access should error.
3094 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat");
3095 RUNNER_ASSERT_MSG(result == -1,
3096 "smack_have_access should return error (SMACK is off). Result: " << result);
3097 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat");
3098 RUNNER_ASSERT_MSG(result == -1,
3099 "smack_have_access should return error (SMACK is off). Result: " << result);
3102 result = perm_app_revoke_permissions(APP_FRIEND_1);
3103 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3104 "Error revoking app permissions. Result: " << result);
3105 result = perm_app_revoke_permissions(APP_FRIEND_2);
3106 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3107 "Error revoking app permissions. Result: " << result);
3109 perm_app_uninstall(APP_FRIEND_1);
3110 perm_app_uninstall(APP_FRIEND_2);
3113 //Befriending with imaginary friend.
3115 //Installing one friend
3116 result = perm_app_install(APP_FRIEND_1);
3117 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3118 "Error installing first app. Result: " << result);
3120 //Adding imaginairy friend as second
3121 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
3122 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3123 "Error making friends (first) with imaginairy friend failed. Result: " << result);
3124 //Adding imaginairy friend as first
3125 result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
3126 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3127 "Error making friends (second) with imaginairy friend failed. Result: " << result);
3129 //Same as previous tests, smack_have_access should error.
3130 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat");
3131 RUNNER_ASSERT_MSG(result == -1,
3132 "smack_have_access should return error (SMACK is off). Result: " << result);
3133 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat");
3134 RUNNER_ASSERT_MSG(result == -1,
3135 "smack_have_access should return error (SMACK is off). Result: " << result);
3138 result = perm_app_revoke_permissions(APP_FRIEND_1);
3139 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3140 "Error revoking app permissions. Result: " << result);
3141 result = perm_app_revoke_permissions(APP_FRIEND_2);
3142 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3143 "Error revoking app permissions. Result: " << result);
3145 perm_app_uninstall(APP_FRIEND_1);
3146 perm_app_uninstall(APP_FRIEND_2);
3150 * NOSMACK version of privilege_control15_app_id_from_socket.
3152 * SMACK version of this test case utilised smack_new_label_from_self and smack_set_label_for_self.
3153 * Those functions rely on /proc/self/attr/current file, which is unreadable and has no contents on
3154 * NOSMACK environment. Functions mentioned above were tested during libsmack tests, so they are
3155 * assumed to react correctly and are not tested in this test case.
3157 * This test works similarily to libsmack test smack09_new_label_from_socket. At first server and
3158 * client are created then sockets are set up and perm_app_id_from_socket is used. On NOSMACK env
3159 * correct behaviour for perm_app_id_from_socket would be returning NULL label.
3161 RUNNER_TEST_NOSMACK(privilege_control15_app_id_from_socket_nosmack)
3164 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
3166 //Clean up before creating socket
3169 //Create our server and client with fork
3171 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
3173 if (!pid) { //child (server)
3174 int sock, result, fd;
3177 sock = socket(AF_UNIX, SOCK_STREAM, 0);
3178 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
3180 //Bind socket to address
3181 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
3184 RUNNER_ASSERT_MSG(false, "bind failed: " << strerror(errno));
3187 //Prepare for listening
3188 result = listen(sock, 1);
3191 RUNNER_ASSERT_MSG(false, "listen failed: " << strerror(errno));
3196 fd = accept(sock, NULL, NULL);
3198 RUNNER_ASSERT_MSG(fd >= 0, "accept failed: " << strerror(errno));
3200 //Wait a little bit for client to use perm_app_id_from_socket
3206 } else { //parent (client)
3207 // Give server some time to setup listening socket
3210 char* smack_label = NULL;
3213 sock = socket(AF_UNIX, SOCK_STREAM, 0);
3214 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
3216 //Try connecting to address
3217 result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
3220 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
3223 //Use perm_app_id_from_socket. Should fail and return NULL smack_label.
3224 smack_label = perm_app_id_from_socket(sock);
3225 if (smack_label != NULL) {
3227 RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket should fail.");
3232 waitpid(pid, NULL, 0);
3237 * Next three functions are defined only because of NOSMACK environment.
3239 * Inside check_labels_dir_nosmack, smack_have_access should expect error, not access granted.
3241 int check_labels_dir_nosmack(const char *fpath, const struct stat *sb,
3242 const char *labels_db_path, const char *dir_db_path,
3248 char label_temp[SMACK_LABEL_LEN + 1];
3252 result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
3253 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
3254 RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
3257 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
3260 RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result);
3262 if (label != NULL) {
3265 RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
3269 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
3273 RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result);
3275 if (S_ISDIR(sb->st_mode)) {
3276 if (label == NULL) {
3279 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
3281 result = strcmp("TRUE", label);
3285 RUNNER_ASSERT_MSG(false,
3286 "TRANSMUTE label on " << fpath << " is not set to TRUE Result: " << result);
3288 } else if (label != NULL) {
3291 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
3296 fs_db.open(labels_db_path, std::ios_base::in);
3297 if (!(fs_db.good())) {
3299 RUNNER_ASSERT_MSG(false, "Can not open database for apps");
3302 while(!fs_db.eof()) {
3303 fs_db.getline(label_temp, 255);
3304 result = smack_have_access(label_temp, label_gen, access);
3305 if (result != -1) { //expect error, not access granted
3307 RUNNER_ASSERT_MSG(false, "smack_have_access should fail. Result: " << result);
3313 fs_db.open(dir_db_path, std::ios_base::in);
3314 if (!fs_db.good()) {
3316 RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
3319 bool is_dir = false;
3320 while(!fs_db.eof()) {
3321 fs_db.getline(label_temp, 255);
3322 if (strcmp(label_gen, label_temp) == 0) {
3330 RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
3336 * NOSMACK version of privilege_control18 test.
3338 * Uses NOSMACK version of nftw_check_labels_app_public_dir.
3340 RUNNER_TEST_NOSMACK(privilege_control18_app_setup_path_public_nosmack)
3344 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
3345 RUNNER_ASSERT_MSG(result == 0,
3346 "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
3348 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
3349 RUNNER_ASSERT_MSG(result == 0,
3350 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
3352 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
3353 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
3355 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
3356 RUNNER_ASSERT_MSG(result == 0,
3357 "Unable to check Smack labels for non-app dir. Result: " << result);
3362 * NOSMACK version of privilege_control19 test.
3364 * Uses NOSMACK version of nftw_check_labels_app_settings_dir.
3366 RUNNER_TEST_NOSMACK(privilege_control19_app_setup_path_settings_nosmack)
3370 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
3371 RUNNER_ASSERT_MSG(result == 0,
3372 "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
3374 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
3375 RUNNER_ASSERT_MSG(result == 0,
3376 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
3378 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
3379 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
3381 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
3382 RUNNER_ASSERT_MSG(result == 0,
3383 "Unable to check Smack labels for non-app dir. Result: " << result);
3388 * NOSMACK version of privielge_control21b test.
3390 * Instead of error caused by incorrect params expect access granted, becuase SMACK is off.
3392 RUNNER_TEST_NOSMACK(privilege_control21b_incorrect_params_smack_pid_have_access_nosmack)
3394 int result = smack_pid_have_access(PID_CORRECT, "some_object", NULL);
3395 RUNNER_ASSERT_MSG(result == 1,
3396 "smack_pid_have_access should return access granted. Result: " << result);
3398 result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
3399 RUNNER_ASSERT_MSG(result == 1,
3400 "smack_pid_have_access should return access granted. Result: " << result);
3402 result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
3403 RUNNER_ASSERT_MSG(result == 1,
3404 "smack_pid_have_access should return access granted. Result: " << result);
3406 result = smack_pid_have_access(PID_INCORRECT, "some_object", "rw");
3407 RUNNER_ASSERT_MSG(result == 1,
3408 "smack_pid_have_access should return access granted. Result: " << result);
3412 * Test - Simulation of 100 installations and uninstallations of one application.
3413 * Installed application will have various kind of permissions from api
3414 * features and shared folders.
3416 RUNNER_TEST(privilege_control22_app_installation_1x100)
3419 std::string shared_dir_auto_label;
3421 // Clear any previously created apps, files, labels and permissions
3422 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
3423 RUNNER_ASSERT_MSG(result == 0,
3424 "Unable to clean up Smack labels in: " << TEST_APP_DIR
3425 << ". Result: " << result);
3427 result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
3428 RUNNER_ASSERT_MSG(result == 0,
3429 "Unable to clean up Smack labels in: " << TEST_NON_APP_DIR
3430 << ". Result: " << result);
3432 result = perm_app_revoke_permissions(APP_ID);
3433 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3434 "Error in perm_app_revoke_permissions. Result: " << result);
3436 result = perm_app_uninstall(APP_ID);
3437 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3438 "Error in perm_app_uninstall. Result: " << result);
3440 // remove api features by deleting files
3441 // TODO: Rewrite deleting features
3442 unlink(FILE_PATH_TEST_OSP_FEATURE);
3443 unlink(FILE_PATH_TEST_WGT_FEATURE);
3445 // Install setting app and give it app-setting permissions
3446 result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1);
3447 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3448 "Error in perm_app_revoke_permissions. Result: " << result);
3449 result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
3450 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3451 "Error in perm_app_uninstall. Result: " << result);
3452 result = perm_app_install(APP_TEST_SETTINGS_ASP1);
3453 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3454 "Error in perm_app_install. Result: " << result);
3455 result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1,
3456 APP_TYPE_OSP, PRIV_APPSETTING, 1);
3457 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3458 "Error enabling App-Setting permissions. Result: " << result);
3460 // Install one additional app (used to check perm to shared directories)
3461 result = perm_app_revoke_permissions(TEST_OSP_FEATURE_APP_ID);
3462 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3463 "Error in perm_app_revoke_permissions. Result: " << result);
3464 result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID);
3465 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3466 "Error in perm_app_uninstall. Result: " << result);
3467 result = perm_app_install(TEST_OSP_FEATURE_APP_ID);
3468 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3469 "Error in perm_app_install. Result: " << result);
3470 result = perm_app_enable_permissions(TEST_OSP_FEATURE_APP_ID,
3471 APP_TYPE_OSP,(const char*[]) {NULL}, 1);
3472 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3473 "Error enabling permissions. Result: " << result);
3475 // Register two valid api features
3476 result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE,
3477 test_osp_feature_rule_set, NULL, 0);
3478 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3479 "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: "
3480 << TEST_OSP_FEATURE << ". Result: " << result);
3482 result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE,
3483 test_wgt_feature_rule_set, NULL, 0);
3484 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3485 "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: "
3486 << TEST_WGT_FEATURE << ". Result: " << result);
3490 for (int i = 0; i < 100; ++i)
3493 result = perm_app_install(APP_ID);
3494 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3495 "Error in perm_app_install. Loop index: " << i
3496 << ". Result: " << result);
3498 // Add persistent permissions
3499 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OSP,
3500 TEST_OSP_FEATURE_PRIVS, 1);
3501 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3502 "Error in perm_app_enable_permissions from OSP Feature. Loop index: "
3503 << i << ". Result: " << result);
3505 result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT,
3506 TEST_WGT_FEATURE_PRIVS, 1);
3507 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3508 "Error in perm_app_enable_permissions from WGT Feature. Loop index: "
3509 << i << ". Result: " << result);
3512 switch (i%2) // separate odd and even loop runs
3514 case 0: // Shared dirs: APP_PATH_PRIVATE & APP_PATH_PUBLIC_RO
3516 // Add app shared dir - APP_PATH_PRIVATE
3517 result = perm_app_setup_path(APP_ID, TEST_APP_DIR,
3519 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3520 "Error in perm_app_setup_path. Loop index: " << i
3521 << ". Result: " << result);
3523 // Add app shared dir - APP_PATH_PUBLIC_RO
3524 result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR,
3525 APP_PATH_PUBLIC_RO);
3526 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3527 "Error in perm_app_setup_path. Loop index: " << i
3528 << ". Result: " << result);
3530 // Verify that some previously installed app does not have any access
3531 // to APP_ID private label
3532 result = test_have_any_accesses(rules_to_test_any_access1);
3533 RUNNER_ASSERT_MSG(result == 0,
3534 "Error - other app has access to private label. Loop index: "
3537 // Get autogenerated Public RO label
3539 result = smack_getlabel(TEST_NON_APP_DIR, &label,
3540 SMACK_LABEL_ACCESS );
3541 RUNNER_ASSERT_MSG(result == 0,
3542 "Cannot get access label from Public RO shared dir. Loop index: "
3543 << i << ". Result: " << result);
3544 shared_dir_auto_label = label;
3547 // Verify that all permissions to public dir have been added
3548 // correctly, also to other app
3549 result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl");
3550 RUNNER_ASSERT_MSG(result == 1,
3551 "Not all accesses to Public RO dir are granted. Loop index: "
3554 result = smack_have_access(TEST_OSP_FEATURE_APP_ID, shared_dir_auto_label.c_str(), "rx" );
3555 RUNNER_ASSERT_MSG(result == 1,
3556 "Not all accesses to Public RO dir are granted. Loop index: "
3561 case 1: // Shared dirs: APP_PATH_APPSETTING_RW & APP_PATH_GROUP_RW
3563 // Add app shared dir - APP_PATH_SETTINGS_RW
3564 result = perm_app_setup_path(APP_ID, TEST_APP_DIR,
3565 APP_PATH_SETTINGS_RW);
3566 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3567 "Error in perm_app_setup_path. Loop index: " << i
3568 << ". Result: " << result);
3570 // Add app shared dir - APP_PATH_GROUP_RW
3571 result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR,
3572 APP_PATH_GROUP_RW, APPID_SHARED_DIR);
3573 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3574 "Error in perm_app_setup_path. Loop index: " << i
3575 << ". Result: " << result);
3577 // Get autogenerated App-Setting label
3579 result = smack_getlabel(TEST_APP_DIR, &label,
3580 SMACK_LABEL_ACCESS );
3581 RUNNER_ASSERT_MSG(result == 0,
3582 "Cannot get access label from App-Setting shared dir. Loop index: "
3583 << i << ". Result: " << result);
3584 shared_dir_auto_label = label;
3587 // Verify that setting app has rwx permission to app dir
3588 // and rx permissions to app
3589 result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl");
3590 RUNNER_ASSERT_MSG(result == 1,
3591 "Not all accesses to App-Setting dir are granted. "
3592 << APP_ID << " "<< shared_dir_auto_label << " rwxatl "
3593 << "Loop index: " << i);
3595 result = smack_have_access(APP_TEST_SETTINGS_ASP1, shared_dir_auto_label.c_str(), "rwx");
3596 RUNNER_ASSERT_MSG(result == 1,
3597 "Not all accesses to App-Setting dir are granted. "
3598 << APP_TEST_SETTINGS_ASP1 << " " << shared_dir_auto_label << " rwx. "
3599 << "Loop index: " << i);
3601 result = smack_have_access(APP_TEST_SETTINGS_ASP1, APP_ID, "rx");
3602 RUNNER_ASSERT_MSG(result == 1,
3603 "Not all accesses to App-Setting dir are granted. "
3604 << APP_TEST_SETTINGS_ASP1 << " " << APP_ID << " rx"
3605 << "Loop index: " << i);
3607 // Verify that all permissions to public dir have been added
3608 // correctly, also to other app
3609 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl");
3610 RUNNER_ASSERT_MSG(result == 1,
3611 "Not all accesses to Group RW dir are granted. Loop index: "
3618 // check if api-features permissions are added properly
3619 result = test_have_all_accesses(
3620 (const std::vector< std::vector<std::string> >) {
3621 { APP_ID, TEST_OSP_FEATURE_APP_ID, "rxl" },
3622 { APP_ID, TEST_WGT_FEATURE_APP_ID, "rwxl" } } );
3623 RUNNER_ASSERT_MSG(result == 1,
3624 "Not all permisions from api features added. Loop index: "
3627 // revoke permissions
3628 result = perm_app_revoke_permissions(APP_ID);
3629 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3630 "Error in perm_app_revoke_permissions. Loop index: " << i
3631 << ". Result: " << result);
3633 // check if api-features permissions are removed properly
3634 result = test_have_any_accesses(rules_to_test_any_access2);
3635 RUNNER_ASSERT_MSG(result == 0,
3636 "Not all permisions revoked. Loop index: " << i);
3638 // remove labels from app folder
3639 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
3640 RUNNER_ASSERT_MSG(result == 0,
3641 "Unable to clean up Smack labels in " << TEST_APP_DIR
3642 << " . Loop index: " << i << ". Result: " << result);
3643 // remove labels from shared folder
3644 result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels,
3645 FTW_MAX_FDS, FTW_PHYS);
3646 RUNNER_ASSERT_MSG(result == 0,
3647 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR
3648 << " . Loop index: " << i << ". Result: " << result);
3651 result = perm_app_uninstall(APP_ID);
3652 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3653 "Error in perm_app_uninstall. Loop index: " << i
3654 << ". Result: " << result);
3655 } // END Install app loop
3657 // Uninstall setting app and additional app
3658 result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID);
3659 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3660 "Error in perm_app_uninstall. Result: " << result);
3661 result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
3662 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3663 "Error in perm_app_uninstall. Result: " << result);
3665 // Remove api features
3666 // TODO: Rewrite removing features
3667 unlink(FILE_PATH_TEST_OSP_FEATURE);
3668 unlink(FILE_PATH_TEST_WGT_FEATURE);
3673 * Test - Simulation of 10 installations and uninstallations of set of 10 applications.
3674 * Installed applications will have various kind of permissions to each other
3675 * from api-features and shared folders.
3677 * APP_TEST_SETTINGS_ASP1 ("test-app-settings-asp1") - registered as setting app
3680 * test_APP0-4 - receive test_osp_feature_rule_set2
3681 * test_APP5-9 - receive test_wgt_feature_rule_set2
3683 * During this test there is one directory created for each app for each loop run,
3684 * dir name syntax is: /tmp/<app_name>_<i-loop_run>
3686 * test_APP0 & test_APP5 register their directories as APP_PATH_PRIVATE
3687 * test_APP1, test_APP2 & test_APP6 register their directories as
3688 * APP_PATH_GROUP_RW using the same label
3689 * APPID_SHARED_DIR = "test_APP_ID_shared_dir"
3690 * test_APP3, test_APP7 & test_APP8 register their directories as
3691 * APP_PATH_PUBLIC_RO
3692 * test_APP4 & test_APP9 register their directories as
3693 * APP_PATH_SETTINGS_RW
3695 RUNNER_TEST(privilege_control23_app_installation2_10x10)
3698 const int app_count = 10;
3699 std::string shared_dir3_auto_label;
3700 std::string shared_dir7_auto_label;
3701 std::string shared_dir8_auto_label;
3702 std::string setting_dir4_auto_label;
3703 std::string setting_dir9_auto_label;
3704 char app_ids[app_count][strlen(APP_ID) + 3];
3705 char app_dirs[app_count][strlen(APP_ID) + 12];
3706 const char *test_osp_feature_rule_set2[] = { "~APP~ " APP_ID "6 r",
3707 "~APP~ " APP_ID "7 rxl",
3708 "~APP~ " APP_ID "8 rwxal",
3709 "~APP~ " APP_ID "9 rwxatl",
3711 const char *test_wgt_feature_rule_set2[] = { "~APP~ " APP_ID "1 r",
3712 "~APP~ " APP_ID "2 rxl",
3713 "~APP~ " APP_ID "3 rwxal",
3714 "~APP~ " APP_ID "4 rwxatl",
3718 // generate app ids: test_APP0, test_APP1, test_APP2 etc.:
3719 for (int i = 0; i < app_count; ++i)
3721 result = sprintf(app_ids[i], APP_ID "%d", i);
3722 RUNNER_ASSERT_MSG(result > 0, "Cannot generate name for app nr: " << i);
3725 // Clear any previously created apps, files, labels and permissions
3726 for (int i = 0; i < app_count; ++i)
3728 result = perm_app_revoke_permissions(app_ids[i]);
3729 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3730 "Error in perm_app_revoke_permissions for app: "
3731 << app_ids[i] << ". Result: " << result);
3733 result = perm_app_uninstall(app_ids[i]);
3734 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3735 "Error in perm_app_uninstall for app: "
3736 << app_ids[i] << ". Result: " << result);
3739 // Install setting app and give it app-setting permissions
3740 result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1);
3741 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3742 "Error in perm_app_revoke_permissions."
3743 << " Result: " << result);
3744 result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
3745 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3746 "Error in perm_app_uninstall."
3747 << " Result: " << result);
3748 result = perm_app_install(APP_TEST_SETTINGS_ASP1);
3749 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3750 "Error in perm_app_install."
3751 << " Result: " << result);
3752 result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1,
3753 APP_TYPE_OSP, PRIV_APPSETTING, 1);
3754 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3755 "Error enabling App-Setting permissions."
3756 << " Result: " << result);
3758 // Register two valid api features
3759 result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE,
3760 test_osp_feature_rule_set2, NULL, 0);
3761 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3762 "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: "
3763 << TEST_OSP_FEATURE << ". Result: " << result);
3765 result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE,
3766 test_wgt_feature_rule_set2, NULL, 0);
3767 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3768 "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: "
3769 << TEST_WGT_FEATURE << ". Result: " << result);
3772 // Install apps loop
3773 for (int i = 0; i < 10; ++i)
3776 for (int j = 0; j < app_count; ++j)
3778 result = perm_app_install(app_ids[j]);
3779 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3780 "Error in perm_app_install. App id: "
3782 << " Loop index: " << i
3783 << ". Result: " << result);
3785 // Create 10 directories
3786 result = sprintf(app_dirs[j],"/tmp/" APP_ID "%d_%d", j, i);
3787 RUNNER_ASSERT_MSG(result > 0,
3788 "Cannot generate directory name for app nr: " << j
3789 << " Loop index: " << i);
3790 result = mkdir(app_dirs[j], S_IRWXU | S_IRGRP | S_IXGRP);
3791 RUNNER_ASSERT_MSG(result == 0 || errno == EEXIST,
3792 "Cannot create directory: " << app_dirs[j]);
3793 result = nftw(app_dirs[j], &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
3794 RUNNER_ASSERT_MSG(result == 0,
3795 "Unable to clean up Smack labels in: " << app_dirs[j]
3796 << ". Result: " << result);
3799 // Give permissions from api-features
3800 for (int j = 0; j < (app_count/2); ++j)
3802 // add persistent api feature permissions
3803 result = perm_app_enable_permissions(app_ids[j], APP_TYPE_OSP,
3804 TEST_OSP_FEATURE_PRIVS, 1);
3805 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3806 "Error in perm_app_enable_permissions from OSP Feature. App id: "
3807 << app_ids[j] << " Loop index: " << i << ". Result: " << result);
3809 result = perm_app_enable_permissions(app_ids[j+5], APP_TYPE_WGT,
3810 TEST_WGT_FEATURE_PRIVS, 1);
3811 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3812 "Error in perm_app_enable_permissions from WGT Feature. App id: "
3813 << app_ids[j+5] << " Loop index: " << i << ". Result: " << result);
3816 // Add app shared dirs - APP_PATH_PRIVATE (apps 0, 5)
3817 result = perm_app_setup_path(app_ids[0], app_dirs[0], APP_PATH_PRIVATE);
3818 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3819 "Error in perm_app_setup_path. App id: " << app_ids[0]
3820 << " Loop index: " << i << ". Result: " << result);
3821 result = perm_app_setup_path(app_ids[5], app_dirs[5], APP_PATH_PRIVATE);
3822 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3823 "Error in perm_app_setup_path. App id: " << app_ids[5]
3824 << " Loop index: " << i << ". Result: " << result);
3826 // Add app shared dir - APP_PATH_GROUP_RW (apps 1, 2, 6)
3827 result = perm_app_setup_path(app_ids[1], app_dirs[1],
3828 APP_PATH_GROUP_RW, APPID_SHARED_DIR);
3829 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3830 "Error in perm_app_setup_path. App id: " << app_ids[1]
3831 << " Loop index: " << i << ". Result: " << result);
3832 result = perm_app_setup_path(app_ids[2], app_dirs[2],
3833 APP_PATH_GROUP_RW, APPID_SHARED_DIR);
3834 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3835 "Error in perm_app_setup_path. App id: " << app_ids[2]
3836 << " Loop index: " << i << ". Result: " << result);
3837 result = perm_app_setup_path(app_ids[6], app_dirs[6],
3838 APP_PATH_GROUP_RW, APPID_SHARED_DIR);
3839 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3840 "Error in perm_app_setup_path. App id: " << app_ids[6]
3841 << " Loop index: " << i << ". Result: " << result);
3843 // Add app shared dir - APP_PATH_PUBLIC_RO (apps 3, 7, 8)
3844 result = perm_app_setup_path(app_ids[3], app_dirs[3],
3845 APP_PATH_PUBLIC_RO);
3846 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3847 "Error in perm_app_setup_path. App id: " << app_ids[1]
3848 << " Loop index: " << i << ". Result: " << result);
3849 result = perm_app_setup_path(app_ids[7], app_dirs[7],
3850 APP_PATH_PUBLIC_RO);
3851 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3852 "Error in perm_app_setup_path. App id: " << app_ids[7]
3853 << " Loop index: " << i << ". Result: " << result);
3854 result = perm_app_setup_path(app_ids[8], app_dirs[8],
3855 APP_PATH_PUBLIC_RO);
3856 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3857 "Error in perm_app_setup_path. App id: " << app_ids[8]
3858 << " Loop index: " << i << ". Result: " << result);
3860 // Add app shared dir - APP_PATH_SETTINGS_RW (apps ,4, 9)
3861 result = perm_app_setup_path(app_ids[4], app_dirs[4],
3862 APP_PATH_SETTINGS_RW);
3863 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3864 "Error in perm_app_setup_path. App id: " << app_ids[4]
3865 << " Loop index: " << i << ". Result: " << result);
3866 result = perm_app_setup_path(app_ids[9], app_dirs[9],
3867 APP_PATH_SETTINGS_RW);
3868 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
3869 "Error in perm_app_setup_path. App id: " << app_ids[9]
3870 << " Loop index: " << i << ". Result: " << result);
3872 // Verify that some previously installed app does not have
3873 // any acces to app 0 and app 5 PRIVATE folders
3874 for (int j = 0; j < app_count; ++j)
3876 // Apps 1-9 should not have any access to app 0
3879 result = test_have_any_accesses(
3880 FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[0])
3882 RUNNER_ASSERT_MSG(result == 0,
3883 "Other app (app id: " << app_ids[j] <<
3884 ") has access to private label of: " << app_ids[0] <<
3885 ". It may not be shared. Loop index: " << i << ".");
3888 // Apps 0-4 and 6-9 should not have any access to app 5
3891 result = test_have_any_accesses(
3892 FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[5])
3894 RUNNER_ASSERT_MSG(result == 0,
3895 "Other app (app id: " << app_ids[j] <<
3896 ") has access to private label of: " << app_ids[5] <<
3897 ". It may not be shared. Loop index: " << i << ".");
3899 } // End for Verify PRIVATE
3901 // Verify that apps 1, 2 and 6 have all accesses to GROUP_RW folders
3902 result = test_have_all_accesses(
3903 (const std::vector< std::vector<std::string> >) {
3904 { app_ids[1], APPID_SHARED_DIR, "rwxatl" },
3905 { app_ids[2], APPID_SHARED_DIR, "rwxatl" },
3906 { app_ids[6], APPID_SHARED_DIR, "rwxatl" } } );
3907 RUNNER_ASSERT_MSG(result == 1,
3908 "Not all accesses to Group RW dir are granted. Loop index: "
3911 // Get autogenerated Public_RO labels
3913 result = smack_getlabel(app_dirs[3], &label,
3914 SMACK_LABEL_ACCESS );
3915 RUNNER_ASSERT_MSG(result == 0,
3916 "Cannot get access label from Public RO shared dir: " << app_dirs[3]
3917 << " . Loop index: " << i << ". Result: " << result);
3918 shared_dir3_auto_label = label;
3921 result = smack_getlabel(app_dirs[7], &label,
3922 SMACK_LABEL_ACCESS );
3923 RUNNER_ASSERT_MSG(result == 0,
3924 "Cannot get access label from Public RO shared dir: " << app_dirs[7]
3925 << " . Loop index: " << i << ". Result: " << result);
3926 shared_dir7_auto_label = label;
3929 result = smack_getlabel(app_dirs[8], &label,
3930 SMACK_LABEL_ACCESS );
3931 RUNNER_ASSERT_MSG(result == 0,
3932 "Cannot get access label from Public RO shared dir: " << app_dirs[8]
3933 << " . Loop index: " << i << ". Result: " << result);
3934 shared_dir8_auto_label = label;
3937 // Verify that all apps have ro permissions to public folders of apps 3, 7 and 8
3938 // Also apps 3, 7 and 8 should have all permisisons to their own PUBLIC_RO dirs
3939 for (int j = 0; j < app_count; ++j)
3943 result = test_have_all_accesses(
3944 (const std::vector< std::vector<std::string> >) {
3945 { app_ids[j], shared_dir3_auto_label.c_str(), "rwxatl" } } );
3946 RUNNER_ASSERT_MSG(result == 1,
3947 "Not all accesses to owned Public RO dir are granted. App id: "
3948 << app_ids[j] << " Loop index: " << i);
3949 // Verify that there are no extra permissions to public dirs
3950 result = test_have_any_accesses(
3951 (const std::vector< std::vector<std::string> >) {
3952 { app_ids[j], shared_dir7_auto_label.c_str(), "w" },
3953 { app_ids[j], shared_dir7_auto_label.c_str(), "t" },
3954 { app_ids[j], shared_dir8_auto_label.c_str(), "w" },
3955 { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
3956 RUNNER_ASSERT_MSG(result == 0,
3957 "Unexpected extra permissions added for app:" << app_ids[j]
3958 << ". Loop index: " << i);
3962 result = test_have_all_accesses(
3963 (const std::vector< std::vector<std::string> >) {
3964 { app_ids[j], shared_dir7_auto_label.c_str(), "rwxatl" } } );
3965 RUNNER_ASSERT_MSG(result == 1,
3966 "Not all accesses to owned Public RO dir are granted. App id: "
3967 << app_ids[j] << " Loop index: " << i);
3968 // Verify that there are no extra permissions to public dirs
3969 result = test_have_any_accesses(
3970 (const std::vector< std::vector<std::string> >) {
3971 { app_ids[j], shared_dir3_auto_label.c_str(), "w" },
3972 { app_ids[j], shared_dir3_auto_label.c_str(), "t" },
3973 { app_ids[j], shared_dir8_auto_label.c_str(), "w" },
3974 { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
3975 RUNNER_ASSERT_MSG(result == 0,
3976 "Unexpected extra permissions added for app:" << app_ids[j]
3977 << ". Loop index: " << i);
3981 result = test_have_all_accesses(
3982 (const std::vector< std::vector<std::string> >) {
3983 { app_ids[j], shared_dir8_auto_label.c_str(), "rwxatl" } } );
3984 RUNNER_ASSERT_MSG(result == 1,
3985 "Not all accesses to owned Public RO dir are granted. App id: "
3986 << app_ids[j] << " Loop index: " << i);
3987 // Verify that there are no extra permissions to other public dirs
3988 result = test_have_any_accesses(
3989 (const std::vector< std::vector<std::string> >) {
3990 { app_ids[j], shared_dir3_auto_label.c_str(), "w" },
3991 { app_ids[j], shared_dir3_auto_label.c_str(), "t" },
3992 { app_ids[j], shared_dir7_auto_label.c_str(), "w" },
3993 { app_ids[j], shared_dir7_auto_label.c_str(), "t" } } );
3994 RUNNER_ASSERT_MSG(result == 0,
3995 "Unexpected extra permissions added for app:" << app_ids[j]
3996 << ". Loop index: " << i);
3999 result = test_have_all_accesses(
4000 (const std::vector< std::vector<std::string> >) {
4001 { app_ids[j], shared_dir3_auto_label.c_str(), "rx" },
4002 { app_ids[j], shared_dir7_auto_label.c_str(), "rx" },
4003 { app_ids[j], shared_dir8_auto_label.c_str(), "rx" } } );
4004 RUNNER_ASSERT_MSG(result == 1,
4005 "Not all accesses to Public RO dirs are granted. App id: "
4006 << app_ids[j] << ". Loop index: " << i);
4007 } // End for Verify PUBLIC_RO
4009 // Get autogenerated SETTING_RW labels
4010 result = smack_getlabel(app_dirs[4], &label,
4011 SMACK_LABEL_ACCESS );
4012 RUNNER_ASSERT_MSG(result == 0,
4013 "Cannot get access label from App-Setting shared dir: "
4014 << app_dirs[4] << " . Loop index: " << i
4015 << ". Result: " << result);
4016 setting_dir4_auto_label = label;
4019 result = smack_getlabel(app_dirs[9], &label,
4020 SMACK_LABEL_ACCESS );
4021 RUNNER_ASSERT_MSG(result == 0,
4022 "Cannot get access label from App-Setting shared dir: "
4023 << app_dirs[9] << " . Loop index: " << i
4024 << ". Result: " << result);
4025 setting_dir9_auto_label = label;
4028 // Verify that setting app has rwx permission to app-settings dirs and rx to apps
4029 result = smack_have_access(app_ids[4], setting_dir4_auto_label.c_str(), "rwxatl");
4030 RUNNER_ASSERT_MSG(result == 1,
4031 "Not all accesses to App-Setting dir are granted."
4032 << app_ids[4] << " " << setting_dir4_auto_label
4033 << " Loop index: " << i);
4034 result = smack_have_access(app_ids[9], setting_dir9_auto_label.c_str(), "rwxatl");
4035 RUNNER_ASSERT_MSG(result == 1,
4036 "Not all accesses to App-Setting dir are granted."
4037 << app_ids[9] << " " << setting_dir9_auto_label
4038 << " Loop index: " << i);
4039 result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[4], "rx");
4040 RUNNER_ASSERT_MSG(result == 1,
4041 "Not all accesses to App-Setting dir are granted."
4042 << APP_TEST_SETTINGS_ASP1 << " " << app_ids[4]
4043 << " Loop index: " << i);
4044 result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[9], "rx");
4045 RUNNER_ASSERT_MSG(result == 1,
4046 "Not all accesses to App-Setting dir are granted."
4047 << APP_TEST_SETTINGS_ASP1 << " " << app_ids[9]
4048 << " Loop index: " << i);
4049 result = smack_have_access(APP_TEST_SETTINGS_ASP1, setting_dir4_auto_label.c_str(), "rwx");
4050 RUNNER_ASSERT_MSG(result == 1,
4051 "Not all accesses to App-Setting dir are granted."
4052 << APP_TEST_SETTINGS_ASP1 << " " << setting_dir4_auto_label
4053 << " Loop index: " << i);
4054 result = smack_have_access(APP_TEST_SETTINGS_ASP1, setting_dir9_auto_label.c_str(), "rwx");
4055 RUNNER_ASSERT_MSG(result == 1,
4056 "Not all accesses to App-Setting dir are granted."
4057 << APP_TEST_SETTINGS_ASP1 << " " << setting_dir9_auto_label
4058 << " Loop index: " << i);
4062 // Check if api-features permissions are added properly
4063 for (int j = 0; j < 5; ++j)
4065 result = test_have_all_accesses(
4066 (const std::vector< std::vector<std::string> >) {
4067 { app_ids[j], app_ids[6], "r" },
4068 { app_ids[j], app_ids[7], "rxl" },
4069 { app_ids[j], app_ids[8], "rwxal" },
4070 { app_ids[j], app_ids[9], "rwxatl" } } );
4071 RUNNER_ASSERT_MSG(result == 1,
4072 "Not all permisions from api features added for app id: "
4073 << app_ids[j] << ". Loop index: " << i);
4076 for (int j = 5; j < app_count; ++j)
4078 result = test_have_all_accesses(
4079 (const std::vector< std::vector<std::string> >) {
4080 { app_ids[j], app_ids[1], "r" },
4081 { app_ids[j], app_ids[2], "rxl" },
4082 { app_ids[j], app_ids[3], "rwxal" },
4083 { app_ids[j], app_ids[4], "rwxatl" } } );
4084 RUNNER_ASSERT_MSG(result == 1,
4085 "Not all permisions from api features added for app id: "
4086 << app_ids[j] << ". Loop index: " << i);
4089 // Revoke permissions
4090 for (int j = 0; j < app_count; ++j)
4092 result = perm_app_revoke_permissions(app_ids[j]);
4093 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
4094 "Error in perm_app_revoke_permissions. App id: "
4095 << app_ids[j] << " Loop index: " << i
4096 << ". Result: " << result);
4099 // Check if permissions are removed properly
4100 for (int j = 0; j < app_count; ++j)
4102 // To all other apps
4103 for (int k = 0; k < app_count; ++k)
4106 result = test_have_any_accesses(
4107 FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[k])
4109 RUNNER_ASSERT_MSG(result == 0,
4110 "Not all permisions revoked. Subject: " << app_ids[j]
4111 << " Object: " << app_ids[k] << " Loop index: " << i);
4115 // Remove labels from folders and uninstall all apps
4116 for (int j = 0; j < app_count; ++j)
4118 result = nftw(app_dirs[j], &nftw_remove_labels,
4119 FTW_MAX_FDS, FTW_PHYS); // rm labels from app folder
4120 RUNNER_ASSERT_MSG(result == 0,
4121 "Unable to clean up Smack labels in: "
4122 << app_dirs[j] << " . Loop index: " << i
4123 << ". Result: " << result);
4125 result = perm_app_uninstall(app_ids[j]);
4126 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
4127 "Error in perm_app_uninstall for app: "
4128 << app_ids[j] << " . Loop index: " << i
4129 << ". Result: " << result);
4132 // Remove created dirs
4133 for (int j = 0; j < app_count; ++j)
4135 result = rmdir(app_dirs[j]);
4136 RUNNER_ASSERT_MSG(result == 0,
4137 "Cannot remove directory: " << app_dirs[j]);
4139 } // END Install app loop
4141 // Uninstall setting app
4142 result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
4143 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
4144 "Error in perm_app_uninstall. Result: " << result);