2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
21 * @author Lukasz Wojciechowski (l.wojciechow@partner.samsung.com)
23 * @brief libprivilege-control test runner
35 #include <sys/socket.h>
39 #include <dpl/test/test_runner.h>
40 #include <dpl/test/test_runner_multiprocess.h>
41 #include <sys/smack.h>
42 #include <privilege-control.h>
43 #include <tests_common.h>
44 #include <libprivilege-control_test_common.h>
45 #include "common/db.h"
47 #define APP_USER_NAME "app"
48 #define APP_HOME_DIR "/opt/home/app"
51 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
54 /////////////////////////////////////////
55 //////NOSMACK ENVIRONMENT TESTS//////////
56 /////////////////////////////////////////
59 * NOSMACK version of nftw_check_labels_app_shared_dir function.
61 * This function used with nftw should expect -1 result from smack_have_access instead of 1.
63 int nftw_check_labels_app_shared_dir_nosmack(const char *fpath, const struct stat *sb,
64 int /*typeflag*/, struct FTW* /*ftwbuf*/)
69 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
70 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path. Result: " << result);
71 RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
73 result = strcmp(APPID_SHARED_DIR, label);
74 RUNNER_ASSERT_MSG_BT(result == 0,
75 "ACCESS label on " << fpath << " is incorrect. Result: " << result);
77 //The only exception in nftw_check_labels_app_shared_dir
78 //smack_have_access returns -1 because of no SMACK.
79 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
80 RUNNER_ASSERT_MSG_BT(result == -1,
81 "smack_have_access should return error (SMACK is off). Result: " << result);
83 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
84 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path. Result: " << result);
85 RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
87 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
88 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path. Result: " << result);
89 if (S_ISDIR(sb->st_mode)) {
90 RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
91 result = strcmp("TRUE", label);
92 RUNNER_ASSERT_MSG_BT(result == 0,
93 "TRANSMUTE label on " << fpath << " is not set. Result: " << result);
95 RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
100 RUNNER_TEST_GROUP_INIT(libprivilegecontrol_nosmack)
103 * NOSMACK version of privilege_control03 test.
105 * Uses nosmack version of nftw_check_labels_app_shared_dir (defined above).
107 RUNNER_TEST_NOSMACK(privilege_control03_app_label_shared_dir_nosmack)
113 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
114 RUNNER_ASSERT_MSG_BT(result != PC_OPERATION_SUCCESS,
115 "perm_app_setup_path should fail here. Result: " << result);
119 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
120 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
121 "Unable to clean up Smack labels in " << TEST_APP_DIR);
123 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
124 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
125 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
129 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
130 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
131 "perm_app_setup_path() failed. Result: " << result);
135 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir_nosmack, FTW_MAX_FDS, FTW_PHYS);
136 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
137 "Unable to check Smack labels for shared app dir");
139 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
140 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
141 "Unable to check Smack labels for non-app dir");
145 * NOSMACK version of privilege_control04 test.
147 * Tries to add permisions from test_privilege_control_rules template and checks if
148 * smack_have_access returns -1 on check between every rule.
150 RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack)
156 result = perm_app_uninstall(APP_ID);
157 RUNNER_ASSERT_MSG_BT(result == 0,
158 "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
160 result = perm_app_install(APP_ID);
161 RUNNER_ASSERT_MSG_BT(result == 0,
162 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
165 result = perm_app_enable_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
166 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
167 "Error adding app permissions. Result: " << result);
171 //Check if smack_have_access always fails on every rule
172 result = test_have_nosmack_accesses(rules_efl);
173 RUNNER_ASSERT_MSG_BT(result == -1,
174 "Despite SMACK being off some accesses were added. Result: " << result);
176 TestLibPrivilegeControlDatabase db_test;
177 db_test.test_db_after__perm_app_install(APP_ID);
178 db_test.test_db_after__perm_app_enable_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
182 result = perm_app_disable_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL);
183 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
184 "Error disabling permissions: " << perm_strerror(result));
188 void test_set_app_privilege_nosmack(
189 const char* app_id, app_type_t app_type,
190 const char** privileges, const char* type,
191 const char* app_path, const char* dac_file,
192 const rules_t &rules)
194 check_app_installed(app_path);
200 result = perm_app_uninstall(app_id);
201 RUNNER_ASSERT_MSG_BT(result == 0,
202 "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
204 result = perm_app_install(app_id);
205 RUNNER_ASSERT_MSG_BT(result == 0,
206 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
208 result = perm_app_enable_permissions(app_id, app_type, privileges, 1);
209 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
210 " Error enabling app permissions. Result: " << result);
214 result = test_have_nosmack_accesses(rules);
215 RUNNER_ASSERT_MSG_BT(result == -1,
216 " Permissions shouldn't be added. Result: " << result);
218 std::set<unsigned> groups_before;
219 read_user_gids(groups_before, APP_UID);
221 result = perm_app_set_privilege(app_id, type, app_path);
222 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
223 " Error in perm_app_set_privilege. Error: " << result);
225 //Even though app privileges are set, no smack label should be extracted.
227 result = smack_new_label_from_self(&label);
228 RUNNER_ASSERT_MSG_BT(result == -1,
229 " new_label_from_self should return error (SMACK is off). Result: " << result);
230 RUNNER_ASSERT_MSG_BT(label == NULL,
231 " new_label_from_self shouldn't allocate memory for label.");
233 check_groups(groups_before, dac_file);
237 * NOSMACK version of privilege_control05_set_app_privilege test.
239 * Another very similar test to it's SMACK version, this time smack_new_label_from_self is
240 * expected to return different result.
242 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack)
246 check_app_installed(APP_SET_PRIV_PATH);
249 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
250 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
253 perm_app_uninstall(APP_ID);
256 std::set<unsigned> groups_before;
257 read_user_gids(groups_before, APP_UID);
260 result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
261 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
262 "Error in perm_app_set_privilege. Error: " << result);
264 //Even though app privileges are set, no smack label should be extracted.
266 result = smack_new_label_from_self(&label);
267 RUNNER_ASSERT_MSG_BT(result == -1,
268 "new_label_from_self should return error (SMACK is off). Result: " << result);
269 RUNNER_ASSERT_MSG_BT(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
271 //Check if DAC privileges really set
272 RUNNER_ASSERT_MSG_BT(getuid() == APP_UID, "Wrong UID");
273 RUNNER_ASSERT_MSG_BT(getgid() == APP_GID, "Wrong GID");
275 result = strcmp(getenv("HOME"), APP_HOME_DIR);
276 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong HOME DIR. Result: " << result);
278 result = strcmp(getenv("USER"), APP_USER_NAME);
279 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong user USER NAME. Result: " << result);
281 check_groups(groups_before, NULL);
285 * NOSMACK version of privilege_control05_set_app_privilege_wgt test.
287 * Same as the above, plus uses test_have_nosmack_accesses instead of test_have_all_accesses.
289 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_nosmack)
291 test_set_app_privilege_nosmack(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
292 LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt);
296 * NOSMACK version of privilege_control05_set_app_privilege_osp test.
300 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_nosmack)
302 test_set_app_privilege_nosmack(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH,
303 LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
306 RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_efl_nosmack)
308 test_set_app_privilege_nosmack(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL,
310 LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl);
314 * Revoke permissions from the list. Should be executed as privileged user.
316 RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_wgt_nosmack)
318 test_revoke_permissions(__LINE__, WGT_APP_ID, rules_wgt, false);
322 * Revoke permissions from the list. Should be executed as privileged user.
324 RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_osp_nosmack)
326 test_revoke_permissions(__LINE__, OSP_APP_ID, rules_osp, false);
330 * NOSMACK version of privilege_control11_app_enable_permissions test.
332 * Since the original test did the same thing around five times, there is no need to redo the
333 * same test for perm_app_enable_permissions. perm_app_enable_permissions will be called once,
334 * test_have_nosmack_accesses will check if smack_have_access still returns error and then
335 * we will check if SMACK file was correctly created.
337 RUNNER_TEST_NOSMACK(privilege_control11_app_enable_permissions_nosmack)
343 result = perm_app_uninstall(WGT_APP_ID);
344 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
345 "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
347 result = perm_app_install(WGT_APP_ID);
348 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
349 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
351 result = perm_app_revoke_permissions(WGT_APP_ID);
352 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
353 "Error revoking app permissions. Result: " << result);
355 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
356 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
357 "Error enabling app permissions. Result: " << result);
361 //Check if accesses aren't added
362 result = test_have_nosmack_accesses(rules2);
363 RUNNER_ASSERT_MSG_BT(result == -1, "Permissions shouldn't be added. Result: " << result);
365 TestLibPrivilegeControlDatabase db_test;
366 db_test.test_db_after__perm_app_install(WGT_APP_ID);
367 db_test.test_db_after__perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
372 result = perm_app_revoke_permissions(WGT_APP_ID);
373 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
374 "Error revoking app permissions. Result: " << result);
378 db_test.test_db_after__perm_app_install(WGT_APP_ID);
381 RUNNER_CHILD_TEST_NOSMACK(privilege_control11_app_enable_permissions_efl_nosmack)
383 test_app_enable_permissions_efl(false);
387 * Check perm_app_install function
389 RUNNER_CHILD_TEST_NOSMACK(privilege_control12_app_disable_permissions_efl_nosmack)
391 test_app_disable_permissions_efl(false);
395 * Remove previously granted SMACK permissions based on permissions list.
397 RUNNER_TEST_NOSMACK(privilege_control12_app_disable_permissions_nosmack)
399 test_app_disable_permissions(false);
403 * NOSMACK version of privilege_control13 test.
405 * Uses perm_app_reset_permissions and checks with test_have_nosmack_accesses if nothing has
408 RUNNER_TEST_NOSMACK(privilege_control13_app_reset_permissions_nosmack)
414 result = perm_app_uninstall(WGT_APP_ID);
415 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
416 "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
418 result = perm_app_install(WGT_APP_ID);
419 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
420 "perm_app_install returned " << result << ". Errno: " << strerror(errno));
422 // Prepare permissions to reset
423 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
424 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
425 " Error adding app permissions. Result: " << result);
428 result = perm_app_reset_permissions(WGT_APP_ID);
429 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
430 "Error reseting app permissions. Result: " << result);
434 result = test_have_nosmack_accesses(rules2);
435 RUNNER_ASSERT_MSG_BT(result == -1, "Permissions shouldn't be changed. Result: " << result);
439 // Disable permissions
440 result = perm_app_revoke_permissions(WGT_APP_ID);
441 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
442 "Error disabling app permissions. Result: " << result);
448 * NOSMACK version of privilege_control15_app_id_from_socket.
450 * SMACK version of this test case utilized smack_new_label_from_self and smack_set_label_for_self.
451 * Those functions rely on /proc/self/attr/current file, which is unreadable and has no contents on
452 * NOSMACK environment. Functions mentioned above were tested during libsmack tests, so they are
453 * assumed to react correctly and are not tested in this test case.
455 * This test works similarly to libsmack test smack09_new_label_from_socket. At first server and
456 * client are created then sockets are set up and perm_app_id_from_socket is used. On NOSMACK env
457 * correct behavior for perm_app_id_from_socket would be returning NULL label.
459 RUNNER_MULTIPROCESS_TEST_NOSMACK(privilege_control15_app_id_from_socket_nosmack)
462 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
464 //Clean up before creating socket
467 //Create our server and client with fork
469 RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
471 if (!pid) { //child (server)
472 int sock, result, fd;
475 sock = socket(AF_UNIX, SOCK_STREAM, 0);
476 RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno));
478 //Bind socket to address
479 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
482 RUNNER_ASSERT_MSG_BT(false, "bind failed: " << strerror(errno));
485 //Prepare for listening
486 result = listen(sock, 1);
489 RUNNER_ASSERT_MSG_BT(false, "listen failed: " << strerror(errno));
494 fd = accept(sock, NULL, NULL);
496 RUNNER_ASSERT_MSG_BT(fd >= 0, "accept failed: " << strerror(errno));
498 //Wait a little bit for client to use perm_app_id_from_socket
504 } else { //parent (client)
505 // Give server some time to setup listening socket
508 char* smack_label = NULL;
511 sock = socket(AF_UNIX, SOCK_STREAM, 0);
512 RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno));
514 //Try connecting to address
515 result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
518 RUNNER_ASSERT_MSG_BT(0, "connect failed: " << strerror(errno));
521 //Use perm_app_id_from_socket. Should fail and return NULL smack_label.
522 smack_label = perm_app_id_from_socket(sock);
523 if (smack_label != NULL) {
525 RUNNER_ASSERT_MSG_BT(0, "perm_app_id_from_socket should fail.");
530 RUNNER_ASSERT_MSG_BT(smack_label == NULL, "perm_app_id_from_socket should fail.");
534 RUNNER_TEST_NOSMACK(privilege_control17_appsettings_privilege_nosmack)
536 test_appsettings_privilege(false);
540 * NOSMACK version of privilege_control18 test.
542 * Uses NOSMACK version of nftw_check_labels_app_public_dir.
544 RUNNER_TEST_NOSMACK(privilege_control18_app_setup_path_public_nosmack)
548 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
549 RUNNER_ASSERT_MSG_BT(result == 0,
550 "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
552 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
553 RUNNER_ASSERT_MSG_BT(result == 0,
554 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
558 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
559 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed. Result: " << result);
563 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
564 RUNNER_ASSERT_MSG_BT(result == 0,
565 "Unable to check Smack labels for non-app dir. Result: " << result);
570 * NOSMACK version of privilege_control19 test.
572 * Uses NOSMACK version of nftw_check_labels_app_settings_dir.
574 RUNNER_TEST_NOSMACK(privilege_control19_app_setup_path_settings_nosmack)
578 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
579 RUNNER_ASSERT_MSG_BT(result == 0,
580 "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
582 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
583 RUNNER_ASSERT_MSG_BT(result == 0,
584 "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
588 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
589 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed. Result: " << result);
593 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
594 RUNNER_ASSERT_MSG_BT(result == 0,
595 "Unable to check Smack labels for non-app dir. Result: " << result);