2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runner
33 #include <sys/socket.h>
37 #include <dpl/test/test_runner.h>
38 #include <dpl/test/test_runner_multiprocess.h>
39 #include <sys/smack.h>
40 #include <privilege-control.h>
41 #include <tests_common.h>
42 #include <libprivilege-control_test_common.h>
47 #define APP_USER_NAME "app"
48 #define APP_HOME_DIR "/opt/home/app"
51 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
54 typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
56 void closefdptr(int* fd) { close(*fd); }
57 typedef std::unique_ptr<int, std::function<void (int*)> > FDUniquePtr;
60 /////////////////////////////////////////
61 //////NOSMACK ENVIRONMENT TESTS//////////
62 /////////////////////////////////////////
65 * NOSMACK version of nftw_check_labels_app_shared_dir function.
67 * This function used with nftw should expect -1 result from smack_have_access instead of 1.
69 int nftw_check_labels_app_shared_dir_nosmack(const char *fpath, const struct stat *sb,
70 int /*typeflag*/, struct FTW* /*ftwbuf*/)
75 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
76 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
77 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
79 result = strcmp(APPID_SHARED_DIR, label);
80 RUNNER_ASSERT_MSG(result == 0,
81 "ACCESS label on " << fpath << " is incorrect. Result: " << result);
83 //The only exception in nftw_check_labels_app_shared_dir
84 //smack_have_access returns -1 because of no SMACK.
85 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
86 RUNNER_ASSERT_MSG(result == -1,
87 "smack_have_access should return error (SMACK is off). Result: " << result);
89 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
90 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
91 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
93 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
94 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
95 if (S_ISDIR(sb->st_mode)) {
96 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
97 result = strcmp("TRUE", label);
98 RUNNER_ASSERT_MSG(result == 0,
99 "TRANSMUTE label on " << fpath << " is not set. Result: " << result);
101 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
106 RUNNER_TEST_GROUP_INIT(libprivilegecontrol_nosmack)
109 * NOSMACK version of privilege_control03 test.
111 * Uses nosmack version of nftw_check_labels_app_shared_dir (defined above).
113 RUNNER_TEST_NOSMACK(privilege_control03_app_label_shared_dir_nosmack)
117 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
118 RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
119 "perm_app_setup_path should fail here. Result: " << result);
121 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
122 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
123 "Unable to clean up Smack labels in " << TEST_APP_DIR);
125 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
126 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
127 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
129 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
130 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
131 "perm_app_setup_path() failed. Result: " << result);
133 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir_nosmack, FTW_MAX_FDS, FTW_PHYS);
134 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
135 "Unable to check Smack labels for shared app dir");
137 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
138 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
139 "Unable to check Smack labels for non-app dir");
143 * NOSMACK version of test_have_accesses functions.
145 * This will be used in many tests. Checks if for every rule smack_have_access returns error.
146 * If for any of rules smack_have_access will return something different than error, this result
147 * is being returned to caller.
149 int test_have_nosmack_accesses(const std::vector< std::vector<std::string> > &rules)
152 for (uint i = 0; i < rules.size(); ++i) {
153 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
161 * NOSMACK version of privilege_control04 test.
163 * Tries to add permisions from test_privilege_control_rules template and checks if
164 * smack_have_access returns -1 on check between every rule.
166 RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack)
169 auto result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
170 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
171 "Error adding app permissions. Result: " << result);
173 //Check if smack_have_access always fails on every rule
174 result = test_have_nosmack_accesses(rules);
175 RUNNER_ASSERT_MSG(result == -1,
176 "Despite SMACK being off some accesses were added. Result: " << result);
179 std::fstream fs(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
180 RUNNER_ASSERT_MSG(fs.good(), "SMACK file NOT created!. Errno: " << strerror(errno));
182 fs.seekg(0, std::ifstream::end);
183 RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty, but privileges list was not empty.");
187 * NOSMACK version of privilege_control05_add_shared_dir_readers test.
189 * This test is very similar to it's SMACK version - only difference is different result expected
190 * from smack_have_access.
192 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
193 RUNNER_TEST_NOSMACK(privilege_control05_add_shared_dir_readers_nosmack)
195 const char* test_obj = "TEST_OBJECT";
196 const char* test_obj_some_other = "TEST_OBJA";
197 const char* test_str_01 = "TEST_raz TEST_OBJECT r-x--- ------";
198 const char* test_str_21 = "TEST_trzy TEST_OBJA -wx---";
199 const char* test_str_22 = "TEST_trzy TEST_OBJECT r-x--- ------";
205 const char* app_labels_wrong[] = {"-TEST_raz", NULL};
206 const char* app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
207 const int READ_BUF_SIZE = 1000;
208 char buf[READ_BUF_SIZE];
209 smack_accesses* tmp = NULL;
211 //test environment cleaning
212 cleaning_smack_app_files();
214 //test what happens when the label is not correct SMACK label
215 result = add_shared_dir_readers(test_obj,app_labels_wrong);
216 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM,
217 "add_shared_dir_readers should fail here. Result: " << result);
218 result = smack_have_access(app_labels_wrong[0],test_obj,"rx");
219 RUNNER_ASSERT_MSG(result != 1,
220 "add_shared_dir_readers should not grant permission here. Result: " << result);
223 result = smack_accesses_new(&tmp);
224 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
225 "Error in smack_accesses_new. Result: " << result);
227 //Wrap rules and fd into unique_ptrs for garbage collection
228 SmackUniquePtr rules(tmp, smack_accesses_free);
229 FDUniquePtr fd_ptr(&fd, closefdptr);
231 std::stringstream path;
232 for (i = 0; i < 3; i++) {
233 result = perm_app_revoke_permissions(app_labels[i]);
234 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
235 "Error in perm_app_revoke_permissions. Result: " << result);
236 result = perm_app_uninstall(app_labels[i]);
237 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
238 "Error in perm_app_install. Result: " << result);
239 result = perm_app_install(app_labels[i]);
240 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
241 "Error in perm_app_install. Result: " << result);
243 path << SMACK_RULES_DIR << app_labels[i];
245 fd = open(path.str().c_str(), O_WRONLY, 0644);
246 RUNNER_ASSERT_MSG(fd != -1, "Error in opening file");
249 result = smack_accesses_add(rules.get(), app_labels[i], test_obj, "wt");
250 RUNNER_ASSERT_MSG(result == 0,
251 "smack_accesses_add failed. Result: " << result);
255 result = smack_accesses_new(&tmp);
256 RUNNER_ASSERT_MSG(result == 0,
257 "Failed to allocate memory for rules.");
261 result = smack_accesses_add(rules.get(), app_labels[i],
262 test_obj_some_other, "wx");
263 RUNNER_ASSERT_MSG(result == 0,
264 "smack_accesses_add failed. Result: " << result);
267 result = smack_accesses_apply(rules.get());
268 RUNNER_ASSERT_MSG(result == -1,
269 "smack_accesses_apply should fail (SMACK is off). Result: " << result);
271 result = smack_accesses_save(rules.get(), fd);
272 RUNNER_ASSERT_MSG(result == 0,
273 "smack_accesses_save failed. Result: " << result);
276 path.str(std::string());
279 //Use add_shared_dir_readers and check if smack_have_access still fails
280 result = add_shared_dir_readers(test_obj,app_labels);
281 RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed. Result: " << result);
283 result = smack_have_access(app_labels[0],test_obj,"rx");
284 RUNNER_ASSERT_MSG(result == -1,
285 "smack_have_access should return error (SMACK is off). Result: " << result);
287 result = smack_have_access(app_labels[1],test_obj,"rx");
288 RUNNER_ASSERT_MSG(result == -1,
289 "smack_have_access should return error (SMACK is off). Result: " << result);
291 result = smack_have_access(app_labels[2],test_obj,"rx");
292 RUNNER_ASSERT_MSG(result == -1,
293 "smack_have_access should return error (SMACK is off). Result: " << result);
295 result = smack_have_access(app_labels[1],test_obj,"rwxt");
296 RUNNER_ASSERT_MSG(result == -1,
297 "smack_have_access should return error (SMACK is off). Result: " << result);
299 result = smack_have_access(app_labels[2],test_obj_some_other,"wx");
300 RUNNER_ASSERT_MSG(result == -1,
301 "smack_have_access should return error (SMACK is off). Result: " << result);
303 //Test if files are properly formatted
304 path << SMACK_RULES_DIR << app_labels[0];
305 RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno));
307 std::fstream fs(path.str().c_str(), std::ios_base::in);
308 RUNNER_ASSERT_MSG(fs.good(), "Opening file stream failed. Error: " << strerror(errno));
310 fs.get(buf, READ_BUF_SIZE);
311 result = strcmp(buf, test_str_01);
312 RUNNER_ASSERT_MSG(result == 0,
313 "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() <<
314 ". Result: " << result);
316 //Clean up before another test
317 path.str(std::string());
320 path << SMACK_RULES_DIR << app_labels[2];
321 RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno));
323 fs.open(path.str().c_str(), std::ios_base::in);
324 RUNNER_ASSERT_MSG(fs.good(), "fopen failed, errno:" << strerror(errno));
326 fs.getline(buf, READ_BUF_SIZE);
327 result = strcmp(buf, test_str_21);
328 RUNNER_ASSERT_MSG( result == 0,
329 "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str()
330 << ". Result: " << result);
332 fs.getline(buf, READ_BUF_SIZE);
333 result = strcmp(buf, test_str_22);
334 RUNNER_ASSERT_MSG( result == 0,
335 "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str()
336 << ". Result: " << result);
338 #pragma GCC diagnostic warning "-Wdeprecated-declarations"
342 * NOSMACK version of privilege_control05_set_app_privilege test.
344 * Another very similar test to it's SMACK version, this time smack_new_label_from_self is
345 * expected to return different result.
347 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack)
352 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
353 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
356 result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
357 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
358 "Error in perm_app_set_privilege. Result: " << result);
360 //Even though app privileges are set, no smack label should be extracted.
362 result = smack_new_label_from_self(&label);
363 RUNNER_ASSERT_MSG(result == -1,
364 "new_label_from_self should return error (SMACK is off). Result: " << result);
365 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
367 //Check if DAC privileges really set
368 RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
369 RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
371 result = strcmp(getenv("HOME"), APP_HOME_DIR);
372 RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR. Result: " << result);
374 result = strcmp(getenv("USER"), APP_USER_NAME);
375 RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME. Result: " << result);
377 check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
381 * NOSMACK version of privilege_control05_set_app_privilege_wgt test.
383 * Same as the above, plus uses test_have_nosmack_accesses instead of test_have_all_accesses.
385 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_nosmack)
389 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
390 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
391 " Error enabling app permissions. Result: " << result);
393 result = test_have_nosmack_accesses(rules_wgt);
394 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
396 result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
397 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
398 "Error in perm_app_set_privilege. Result: " << result);
400 //Even though app privileges are set, no smack label should be extracted.
402 result = smack_new_label_from_self(&label);
403 RUNNER_ASSERT_MSG(result == -1,
404 "new_label_from_self should return error (SMACK is off). Result: " << result);
405 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
407 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
411 * NOSMACK version of privilege_control05_set_app_privilege_wgt_partner test.
415 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_partner_nosmack)
419 result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
420 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
421 " Error enabling app permissions. Result: " << result);
423 result = test_have_nosmack_accesses(rules_wgt_partner);
424 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
426 result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
427 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
428 "Error in perm_app_set_privilege. Result: " << result);
430 //Even though app privileges are set, no smack label should be extracted.
432 result = smack_new_label_from_self(&label);
433 RUNNER_ASSERT_MSG(result == -1,
434 "new_label_from_self should return error (SMACK is off). Result: " << result);
435 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
437 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
441 * NOSMACK version of privilege_control05_set_app_privilege_wgt_platform test.
445 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_platform_nosmack)
449 result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
450 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
451 " Error enabling app permissions. Result: " << result);
453 result = test_have_nosmack_accesses(rules_wgt_platform);
454 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
456 result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
457 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
458 "Error in perm_app_set_privilege. Result: " << result);
460 //Even though app privileges are set, no smack label should be extracted.
462 result = smack_new_label_from_self(&label);
463 RUNNER_ASSERT_MSG(result == -1,
464 "new_label_from_self should return error (SMACK is off). Result: " << result);
465 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
467 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
471 * NOSMACK version of privilege_control05_set_app_privilege_osp test.
475 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_nosmack)
479 result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
480 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
481 " Error enabling app permissions. Result: " << result);
483 result = test_have_nosmack_accesses(rules_osp);
484 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
486 result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
487 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
488 "Error in perm_app_set_privilege. Result: " << result);
490 //Even though app privileges are set, no smack label should be extracted.
492 result = smack_new_label_from_self(&label);
493 RUNNER_ASSERT_MSG(result == -1,
494 "new_label_from_self should return error (SMACK is off). Result: " << result);
495 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
497 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
501 * NOSMACK version of privilege_control05_set_app_privilege_osp_partner test.
505 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_partner_nosmack)
509 result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
510 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
511 "Error enabling app permissions. Result: " << result);
513 result = test_have_nosmack_accesses(rules_osp_partner);
514 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added.");
516 result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
517 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
518 "Error in perm_app_set_privilege. Result: " << result);
520 //Even though app privileges are set, no smack label should be extracted.
522 result = smack_new_label_from_self(&label);
523 RUNNER_ASSERT_MSG(result == -1,
524 "new_label_from_self should return error (SMACK is off). Result: " << result);
525 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
527 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
531 * NOSMACK version of privilege_control05_set_app_privilege_osp_platform test.
535 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nosmack)
539 result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
540 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
541 " Error enabling app permissions. Result: " << result);
543 result = test_have_nosmack_accesses(rules_osp_platform);
544 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
546 result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
547 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
548 "Error in perm_app_set_privilege. Result: " << result);
550 //Even though app privileges are set, no smack label should be extracted.
552 result = smack_new_label_from_self(&label);
553 RUNNER_ASSERT_MSG(result == -1,
554 "new_label_from_self should return error (SMACK is off). Result: " << result);
555 RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
557 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
561 * NOSMACK version of checkOnlyAvAccess function.
563 * Expects error instead of access granted/forbidden from smack_have_access.
565 void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment)
568 result = smack_have_access(av_id, app_id, "rwx");
569 RUNNER_ASSERT_MSG(result == -1,
570 "smack_have_access should return error (SMACK is off). Result: " << result
571 << " when testing " << comment);
572 result = smack_have_access(av_id, app_id, "a");
573 RUNNER_ASSERT_MSG(result == -1,
574 "smack_have_access should return error (SMACK is off). Result: " << result
575 << " when testing " << comment);
576 result = smack_have_access(av_id, app_id, "t");
577 RUNNER_ASSERT_MSG(result == -1,
578 "smack_have_access should return error (SMACK is off). Result: " << result
579 << " when testing " << comment);
583 * NOSMACK version of privilege_control10_app_register_av test.
585 * Uses NOSMACK version of checkOnlyAvAccess (mentioned above), rest of the test is identical to
586 * it's SMACK version.
588 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
589 RUNNER_TEST_NOSMACK(privilege_control10_app_register_av_nosmack)
591 RUNNER_IGNORED_MSG("app_register_av is not implemented");
595 smack_revoke_subject(APP_TEST_AV_1);
596 smack_revoke_subject(APP_TEST_AV_2);
598 cleaning_smack_app_files();
600 // Adding two apps before antivir
601 result = perm_app_install(APP_TEST_APP_1);
602 RUNNER_ASSERT_MSG(result == 0,
603 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
605 result = perm_app_install(APP_TEST_APP_2);
606 RUNNER_ASSERT_MSG(result == 0,
607 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
610 result = app_register_av(APP_TEST_AV_1);
611 RUNNER_ASSERT_MSG(result == 0,
612 "app_register_av returned " << result << ". Errno: " << strerror(errno));
614 // Checking added apps accesses
615 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
616 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
619 result = perm_app_install(APP_TEST_APP_3);
620 RUNNER_ASSERT_MSG(result == 0,
621 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
623 // Checking app accesses
624 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
625 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
626 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
628 // Adding second antivir
629 result = app_register_av(APP_TEST_AV_2);
630 RUNNER_ASSERT_MSG(result == 0,
631 "app_register_av returned " << result << ". Errno: " << strerror(errno));
633 // Checking app accesses
634 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
635 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
636 checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
637 checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
638 checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
639 checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
642 smack_revoke_subject(APP_TEST_AV_1);
643 smack_revoke_subject(APP_TEST_AV_2);
645 cleaning_smack_app_files();
648 #pragma GCC diagnostic warning "-Wdeprecated-declarations"
651 * NOSMACK version of privilege_control11_app_enable_permissions test.
653 * Since the original test did the same thing around five times, there is no need to redo the
654 * same test for perm_app_enable_permissions. perm_app_enable_permissions will be called once,
655 * test_have_nosmack_accesses will check if smack_have_access still returns error and then
656 * we will check if SMACK file was correctly created.
658 RUNNER_TEST_NOSMACK(privilege_control11_app_enable_permissions_nosmack)
663 result = perm_app_revoke_permissions(APP_ID);
664 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
665 "Error revoking app permissions. Result: " << result);
667 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
668 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
669 "Error enabling app permissions. Result: " << result);
671 //Check if accesses aren't added
672 result = test_have_nosmack_accesses(rules2);
673 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
676 fs.open(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
677 RUNNER_ASSERT_MSG(fs.good(), "Couldn't open SMACK file.");
680 fs.seekg(0, std::ifstream::end);
681 RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty with persistant mode 1.");
684 result = perm_app_revoke_permissions(APP_ID);
685 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
686 "Error revoking app permissions. Result: " << result);
690 * NOSMACK version of privilege_control13 test.
692 * Uses perm_app_reset_permissions and checks with test_have_nosmack_accesses if nothing has
695 RUNNER_TEST_NOSMACK(privilege_control13_app_reset_permissions_nosmack)
699 // Prepare permissions to reset
700 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
701 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
702 " Error adding app permissions. Result: " << result);
705 result = perm_app_reset_permissions(APP_ID);
706 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
707 "Error reseting app permissions. Result: " << result);
709 result = test_have_nosmack_accesses(rules2);
710 RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be changed. Result: " << result);
712 // Disable permissions
713 result = perm_app_revoke_permissions(APP_ID);
714 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
715 "Error disabling app permissions. Result: " << result);
719 * NOSMACK version of privilege_control14 test.
721 * Similarily as app_enable_permissions test. This time perm_app_add_friend is called twice, once
722 * when both friends exist, and then when one of them doesn't exist. Other tests are not required -
723 * results would be the same as earlier.
725 RUNNER_TEST_NOSMACK(privilege_control14_app_add_friend_nosmack)
727 RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented");
731 result = perm_app_revoke_permissions(APP_FRIEND_1);
732 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
733 "Error revoking app permissions. Result: " << result);
734 result = perm_app_revoke_permissions(APP_FRIEND_2);
735 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
736 "Error revoking app permissions. Result: " << result);
738 perm_app_uninstall(APP_FRIEND_1);
739 perm_app_uninstall(APP_FRIEND_2);
743 //Installing friends to be
744 result = perm_app_install(APP_FRIEND_1);
745 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
746 "Error installing first app. Result: " << result);
747 result = perm_app_install(APP_FRIEND_2);
748 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
749 "Error installing second app. Result: " << result);
752 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
753 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
754 "Error during friend making. Result: " << result);
756 //Same as previous tests, smack_have_access should error.
757 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat");
758 RUNNER_ASSERT_MSG(result == -1,
759 "smack_have_access should return error (SMACK is off). Result: " << result);
760 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat");
761 RUNNER_ASSERT_MSG(result == -1,
762 "smack_have_access should return error (SMACK is off). Result: " << result);
765 result = perm_app_revoke_permissions(APP_FRIEND_1);
766 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
767 "Error revoking app permissions. Result: " << result);
768 result = perm_app_revoke_permissions(APP_FRIEND_2);
769 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
770 "Error revoking app permissions. Result: " << result);
772 perm_app_uninstall(APP_FRIEND_1);
773 perm_app_uninstall(APP_FRIEND_2);
776 //Befriending with imaginary friend.
778 //Installing one friend
779 result = perm_app_install(APP_FRIEND_1);
780 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
781 "Error installing first app. Result: " << result);
783 //Adding imaginairy friend as second
784 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
785 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
786 "Error making friends (first) with imaginairy friend failed. Result: " << result);
787 //Adding imaginairy friend as first
788 result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
789 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
790 "Error making friends (second) with imaginairy friend failed. Result: " << result);
792 //Same as previous tests, smack_have_access should error.
793 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat");
794 RUNNER_ASSERT_MSG(result == -1,
795 "smack_have_access should return error (SMACK is off). Result: " << result);
796 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat");
797 RUNNER_ASSERT_MSG(result == -1,
798 "smack_have_access should return error (SMACK is off). Result: " << result);
801 result = perm_app_revoke_permissions(APP_FRIEND_1);
802 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
803 "Error revoking app permissions. Result: " << result);
804 result = perm_app_revoke_permissions(APP_FRIEND_2);
805 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
806 "Error revoking app permissions. Result: " << result);
808 perm_app_uninstall(APP_FRIEND_1);
809 perm_app_uninstall(APP_FRIEND_2);
813 * NOSMACK version of privilege_control15_app_id_from_socket.
815 * SMACK version of this test case utilized smack_new_label_from_self and smack_set_label_for_self.
816 * Those functions rely on /proc/self/attr/current file, which is unreadable and has no contents on
817 * NOSMACK environment. Functions mentioned above were tested during libsmack tests, so they are
818 * assumed to react correctly and are not tested in this test case.
820 * This test works similarly to libsmack test smack09_new_label_from_socket. At first server and
821 * client are created then sockets are set up and perm_app_id_from_socket is used. On NOSMACK env
822 * correct behavior for perm_app_id_from_socket would be returning NULL label.
824 RUNNER_MULTIPROCESS_TEST_NOSMACK(privilege_control15_app_id_from_socket_nosmack)
827 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
829 //Clean up before creating socket
832 //Create our server and client with fork
834 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
836 if (!pid) { //child (server)
837 int sock, result, fd;
840 sock = socket(AF_UNIX, SOCK_STREAM, 0);
841 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
843 //Bind socket to address
844 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
847 RUNNER_ASSERT_MSG(false, "bind failed: " << strerror(errno));
850 //Prepare for listening
851 result = listen(sock, 1);
854 RUNNER_ASSERT_MSG(false, "listen failed: " << strerror(errno));
859 fd = accept(sock, NULL, NULL);
861 RUNNER_ASSERT_MSG(fd >= 0, "accept failed: " << strerror(errno));
863 //Wait a little bit for client to use perm_app_id_from_socket
869 } else { //parent (client)
870 // Give server some time to setup listening socket
873 char* smack_label = NULL;
876 sock = socket(AF_UNIX, SOCK_STREAM, 0);
877 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
879 //Try connecting to address
880 result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
883 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
886 //Use perm_app_id_from_socket. Should fail and return NULL smack_label.
887 smack_label = perm_app_id_from_socket(sock);
888 if (smack_label != NULL) {
890 RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket should fail.");
895 RUNNER_ASSERT_MSG(smack_label == NULL, "perm_app_id_from_socket should fail.");
900 * Next three functions are defined only because of NOSMACK environment.
902 * Inside check_labels_dir_nosmack, smack_have_access should expect error, not access granted.
904 int check_labels_dir_nosmack(const char *fpath, const struct stat *sb,
905 const char *labels_db_path, const char *dir_db_path,
911 char label_temp[SMACK_LABEL_LEN + 1];
915 result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
916 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
917 RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
920 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
923 RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result);
928 RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
932 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
936 RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result);
938 if (S_ISDIR(sb->st_mode)) {
942 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
944 result = strcmp("TRUE", label);
948 RUNNER_ASSERT_MSG(false,
949 "TRANSMUTE label on " << fpath << " is not set to TRUE Result: " << result);
951 } else if (label != NULL) {
954 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
959 fs_db.open(labels_db_path, std::ios_base::in);
960 if (!(fs_db.good())) {
962 RUNNER_ASSERT_MSG(false, "Can not open database for apps");
965 while(!fs_db.eof()) {
966 fs_db.getline(label_temp, 255);
967 result = smack_have_access(label_temp, label_gen, access);
968 if (result != -1) { //expect error, not access granted
970 RUNNER_ASSERT_MSG(false, "smack_have_access should fail. Result: " << result);
976 fs_db.open(dir_db_path, std::ios_base::in);
979 RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
983 while(!fs_db.eof()) {
984 fs_db.getline(label_temp, 255);
985 if (strcmp(label_gen, label_temp) == 0) {
993 RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
999 * NOSMACK version of privilege_control18 test.
1001 * Uses NOSMACK version of nftw_check_labels_app_public_dir.
1003 RUNNER_TEST_NOSMACK(privilege_control18_app_setup_path_public_nosmack)
1007 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
1008 RUNNER_ASSERT_MSG(result == 0,
1009 "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
1011 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
1012 RUNNER_ASSERT_MSG(result == 0,
1013 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
1015 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
1016 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
1018 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
1019 RUNNER_ASSERT_MSG(result == 0,
1020 "Unable to check Smack labels for non-app dir. Result: " << result);
1025 * NOSMACK version of privilege_control19 test.
1027 * Uses NOSMACK version of nftw_check_labels_app_settings_dir.
1029 RUNNER_TEST_NOSMACK(privilege_control19_app_setup_path_settings_nosmack)
1033 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
1034 RUNNER_ASSERT_MSG(result == 0,
1035 "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
1037 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
1038 RUNNER_ASSERT_MSG(result == 0,
1039 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
1041 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
1042 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
1044 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
1045 RUNNER_ASSERT_MSG(result == 0,
1046 "Unable to check Smack labels for non-app dir. Result: " << result);
1051 * NOSMACK version of privielge_control21b test.
1053 * Instead of error caused by incorrect params expect access granted, becuase SMACK is off.
1055 RUNNER_TEST_NOSMACK(privilege_control21b_incorrect_params_smack_pid_have_access_nosmack)
1057 int result = smack_pid_have_access(PID_CORRECT, "some_object", NULL);
1058 RUNNER_ASSERT_MSG(result == 1,
1059 "smack_pid_have_access should return access granted. Result: " << result);
1061 result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
1062 RUNNER_ASSERT_MSG(result == 1,
1063 "smack_pid_have_access should return access granted. Result: " << result);
1065 result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
1066 RUNNER_ASSERT_MSG(result == 1,
1067 "smack_pid_have_access should return access granted. Result: " << result);
1069 result = smack_pid_have_access(PID_INCORRECT, "some_object", "rw");
1070 RUNNER_ASSERT_MSG(result == 1,
1071 "smack_pid_have_access should return access granted. Result: " << result);