tests/security-manager-tests/security_manager_tests.cpp

   1 #include <dpl/test/test_runner.h>
   2 #include <fcntl.h>
   3 #include <stdio.h>
   4 #include <memory.h>
   5 #include <summary_collector.h>
   6
   7 #include <sys/types.h>
   8 #include <sys/stat.h>
   9 #include <sys/xattr.h>
  10 #include <linux/xattr.h>
  11
  12 #include <libprivilege-control_test_common.h>
  13 #include <tests_common.h>
  14
  15 #include <security-manager.h>
  16
  17 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
  18
  19 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
  20 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
  21
  22 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
  23 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
  24
  25 static const uid_t SM_ALLOWED_UID1 = 6666;
  26 static const uid_t SM_ALLOWED_UID2 = 7777;
  27
  28 static const char *const SM_ALLOWED_PERMISSION1 = "security_manager_test_rules2_r";
  29 static const char *const SM_ALLOWED_PERMISSION2 = "security_manager_test_rules2_no_r";
  30 static const char *const XATTR_NAME_TIZENEXEC =  XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL";
  31
  32 static const rules_t SM_ALLOWED_RULES = {
  33     { USER_APP_ID, "test_sm_book_8", "r" },
  34     { USER_APP_ID, "test_sm_book_9", "w" },
  35     { USER_APP_ID, "test_sm_book_10", "x" },
  36     { USER_APP_ID, "test_sm_book_11", "rw" },
  37     { USER_APP_ID, "test_sm_book_12", "rx" },
  38     { USER_APP_ID, "test_sm_book_13", "wx" },
  39     { USER_APP_ID, "test_sm_book_14", "rwx" },
  40     { USER_APP_ID, "test_sm_book_15", "rwxat" },
  41     { "test_sm_subject_8", USER_APP_ID, "r" },
  42     { "test_sm_subject_9", USER_APP_ID, "w" },
  43     { "test_sm_subject_10", USER_APP_ID, "x" },
  44     { "test_sm_subject_11", USER_APP_ID, "rw" },
  45     { "test_sm_subject_12", USER_APP_ID, "rx" },
  46     { "test_sm_subject_13", USER_APP_ID, "wx" },
  47     { "test_sm_subject_14", USER_APP_ID, "rwx" },
  48     { "test_sm_subject_15", USER_APP_ID, "rwxat" }
  49 };
  50 static const rules_t SM_DENIED_RULES = {
  51     { USER_APP_ID, "test_sm_book_1", "r" },
  52     { USER_APP_ID, "test_sm_book_2", "w" },
  53     { USER_APP_ID, "test_sm_book_3", "x" },
  54     { USER_APP_ID, "test_sm_book_4", "rw" },
  55     { USER_APP_ID, "test_sm_book_5", "rx" },
  56     { USER_APP_ID, "test_sm_book_6", "wx" },
  57     { USER_APP_ID, "test_sm_book_7", "rwx" },
  58     { "test_sm_subject_1", USER_APP_ID, "r" },
  59     { "test_sm_subject_2", USER_APP_ID, "w" },
  60     { "test_sm_subject_3", USER_APP_ID, "x" },
  61     { "test_sm_subject_4", USER_APP_ID, "rw" },
  62     { "test_sm_subject_5", USER_APP_ID, "rx" },
  63     { "test_sm_subject_6", USER_APP_ID, "wx" },
  64     { "test_sm_subject_7", USER_APP_ID, "rwx" }
  65 };
  66
  67 static const char *const SM_DENIED_PERMISSION1 = "security_manager_test_rules1";
  68 static const char *const SM_DENIED_PERMISSION2 = "security_manager_test_rules2";
  69
  70 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
  71 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
  72 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
  73 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
  74
  75
  76 static bool isLinkToExec(const char *fpath, const struct stat *sb)
  77 {
  78
  79     struct stat buf;
  80     char *target;
  81     int ret;
  82
  83     // check if it's a link
  84     if ( !S_ISLNK(sb->st_mode))
  85         return false;
  86
  87     target = realpath(fpath, NULL);
  88     RUNNER_ASSERT_MSG_BT(target != 0, "Could not obtain real path from link.");
  89
  90     ret = stat(target, &buf);
  91     RUNNER_ASSERT_MSG_BT(ret == 0, "Could not obtain real path's stat from link.");
  92
  93     if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG))
  94         return false;
  95
  96
  97     return true;
  98 }
  99
 100 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
 101                               const char* correctLabel, bool transmute_test, bool exec_test)
 102 {
 103     int result;
 104     CStringPtr labelPtr;
 105     char* label = NULL;
 106
 107     /* ACCESS */
 108     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
 109     RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
 110     labelPtr.reset(label);
 111     RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
 112     result = strcmp(correctLabel, label);
 113     RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"
 114             " (should be '" << correctLabel << "' and is '" << label << "')");
 115
 116
 117     /* EXEC */
 118     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
 119     RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
 120     labelPtr.reset(label);
 121
 122     if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
 123         RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set");
 124         result = strcmp(correctLabel, label);
 125         RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath);
 126     } else
 127         RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
 128
 129
 130     /* LINK TO EXEC */
 131     if (isLinkToExec(fpath, sb) && exec_test) {
 132         char buf[SMACK_LABEL_LEN+1];
 133         result = lgetxattr(fpath, XATTR_NAME_TIZENEXEC, buf, sizeof(buf));
 134         RUNNER_ASSERT_MSG_BT(result != -1, "Could not get label for the path "
 135                 << fpath << "("<<strerror(errno)<<")");
 136         buf[result]='\0';
 137         result = strcmp(correctLabel, buf);
 138         RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect TIZEN_EXEC_LABEL attribute"
 139                 " on link to executable " << fpath);
 140     }
 141
 142
 143
 144     /* TRANSMUTE */
 145     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
 146     RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
 147     labelPtr.reset(label);
 148
 149     if (S_ISDIR(sb->st_mode) && transmute_test == true) {
 150         RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all");
 151         RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0,
 152                 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
 153     } else {
 154         RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
 155     }
 156
 157     return 0;
 158 }
 159
 160
 161 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
 162                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 163 {
 164     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
 165 }
 166
 167 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
 168                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 169 {
 170
 171     return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
 172 }
 173
 174 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
 175                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 176 {
 177
 178     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
 179 }
 180
 181
 182 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
 183
 184 static app_inst_req* do_app_inst_req_new()
 185 {
 186     int result;
 187     app_inst_req *req = NULL;
 188
 189     result = security_manager_app_inst_req_new(&req);
 190     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 191             "creation of new request failed. Result: " << result);
 192     RUNNER_ASSERT_MSG_BT(req != NULL, "creation of new request did not allocate memory");
 193     return req;
 194 }
 195
 196 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
 197 {
 198     int result;
 199     AppInstReqUniquePtr request;
 200
 201     request.reset(do_app_inst_req_new());
 202
 203     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
 204     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 205             "setting app id failed. Result: " << result);
 206
 207     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
 208     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 209             "setting pkg id failed. Result: " << result);
 210
 211     result = security_manager_app_install(request.get());
 212     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 213             "installing app failed. Result: " << result);
 214
 215     result = security_manager_app_install(request.get());
 216     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 217             "installing already installed app failed. Result: " << result);
 218
 219     request.reset(do_app_inst_req_new());
 220
 221     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
 222     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 223             "setting app id failed. Result: " << result);
 224
 225     result = security_manager_app_uninstall(request.get());
 226     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 227             "uninstalling app failed. Result: " << result);
 228
 229     result = security_manager_app_uninstall(request.get());
 230     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 231             "uninstalling already uninstalled app failed. Result: " << result);
 232 }
 233
 234 static void prepare_app_path()
 235 {
 236     int result;
 237
 238     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 239     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
 240
 241     result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 242     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
 243
 244     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 245     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
 246
 247     result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
 248     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
 249 }
 250
 251 static void check_app_path_after_install()
 252 {
 253     int result;
 254
 255     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
 256     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
 257
 258     result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
 259     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
 260
 261     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
 262     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
 263
 264     result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
 265     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
 266 }
 267
 268 static void check_app_permission_after_install()
 269 {
 270     bool result;
 271
 272     result = check_all_accesses(smack_check(), SM_ALLOWED_RULES);
 273     RUNNER_ASSERT_MSG_BT(result, "Permissions not added.");
 274     result = check_no_accesses(smack_check(), SM_DENIED_RULES);
 275     RUNNER_ASSERT_MSG_BT(result, "Permissions added.");
 276
 277     check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION1, true);
 278     check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION2, true);
 279     check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION1, false);
 280     check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION2, false);
 281 }
 282
 283 static void prepare_app_env()
 284 {
 285     prepare_app_path();
 286 }
 287
 288 static void check_app_env_after_install()
 289 {
 290     check_app_path_after_install();
 291     check_app_permission_after_install();
 292 }
 293
 294 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
 295 {
 296     int result;
 297     AppInstReqUniquePtr request;
 298
 299     prepare_app_env();
 300
 301     request.reset(do_app_inst_req_new());
 302
 303     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
 304     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 305             "setting app id failed. Result: " << result);
 306
 307     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
 308     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 309             "setting pkg id failed. Result: " << result);
 310
 311     result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID1);
 312     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 313             "setting allowed user failed. Result: " << result);
 314     result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID2);
 315     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 316             "setting allowed user failed. Result: " << result);
 317
 318     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION1);
 319     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 320             "setting allowed permission failed. Result: " << result);
 321     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION2);
 322     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 323             "setting allowed permission failed. Result: " << result);
 324
 325     result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
 326                                                     SECURITY_MANAGER_PATH_PRIVATE);
 327     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 328             "setting allowed path failed. Result: " << result);
 329
 330     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
 331                                                     SECURITY_MANAGER_PATH_PUBLIC);
 332     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 333             "setting allowed path failed. Result: " << result);
 334
 335     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
 336                                                     SECURITY_MANAGER_PATH_PUBLIC_RO);
 337     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 338             "setting allowed path failed. Result: " << result);
 339
 340     result = security_manager_app_install(request.get());
 341     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 342             "installing app failed. Result: " << result);
 343
 344     check_app_env_after_install();
 345
 346     request.reset(do_app_inst_req_new());
 347
 348     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
 349     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 350             "setting app id failed. Result: " << result);
 351
 352     result = security_manager_app_uninstall(request.get());
 353     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 354             "uninstalling app failed. Result: " << result);
 355
 356 }
 357
 358 int main(int argc, char *argv[])
 359 {
 360     SummaryCollector::Register();
 361     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 362 }