1 #include <dpl/test/test_runner.h>
5 #include <summary_collector.h>
10 #include <linux/xattr.h>
12 #include <libprivilege-control_test_common.h>
13 #include <tests_common.h>
15 #include <security-manager.h>
17 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
19 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
20 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
22 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
23 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
25 static const uid_t SM_ALLOWED_UID1 = 6666;
26 static const uid_t SM_ALLOWED_UID2 = 7777;
28 static const char *const SM_ALLOWED_PERMISSION1 = "security_manager_test_rules2_r";
29 static const char *const SM_ALLOWED_PERMISSION2 = "security_manager_test_rules2_no_r";
30 static const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL";
32 static const rules_t SM_ALLOWED_RULES = {
33 { USER_APP_ID, "test_sm_book_8", "r" },
34 { USER_APP_ID, "test_sm_book_9", "w" },
35 { USER_APP_ID, "test_sm_book_10", "x" },
36 { USER_APP_ID, "test_sm_book_11", "rw" },
37 { USER_APP_ID, "test_sm_book_12", "rx" },
38 { USER_APP_ID, "test_sm_book_13", "wx" },
39 { USER_APP_ID, "test_sm_book_14", "rwx" },
40 { USER_APP_ID, "test_sm_book_15", "rwxat" },
41 { "test_sm_subject_8", USER_APP_ID, "r" },
42 { "test_sm_subject_9", USER_APP_ID, "w" },
43 { "test_sm_subject_10", USER_APP_ID, "x" },
44 { "test_sm_subject_11", USER_APP_ID, "rw" },
45 { "test_sm_subject_12", USER_APP_ID, "rx" },
46 { "test_sm_subject_13", USER_APP_ID, "wx" },
47 { "test_sm_subject_14", USER_APP_ID, "rwx" },
48 { "test_sm_subject_15", USER_APP_ID, "rwxat" }
50 static const rules_t SM_DENIED_RULES = {
51 { USER_APP_ID, "test_sm_book_1", "r" },
52 { USER_APP_ID, "test_sm_book_2", "w" },
53 { USER_APP_ID, "test_sm_book_3", "x" },
54 { USER_APP_ID, "test_sm_book_4", "rw" },
55 { USER_APP_ID, "test_sm_book_5", "rx" },
56 { USER_APP_ID, "test_sm_book_6", "wx" },
57 { USER_APP_ID, "test_sm_book_7", "rwx" },
58 { "test_sm_subject_1", USER_APP_ID, "r" },
59 { "test_sm_subject_2", USER_APP_ID, "w" },
60 { "test_sm_subject_3", USER_APP_ID, "x" },
61 { "test_sm_subject_4", USER_APP_ID, "rw" },
62 { "test_sm_subject_5", USER_APP_ID, "rx" },
63 { "test_sm_subject_6", USER_APP_ID, "wx" },
64 { "test_sm_subject_7", USER_APP_ID, "rwx" }
67 static const char *const SM_DENIED_PERMISSION1 = "security_manager_test_rules1";
68 static const char *const SM_DENIED_PERMISSION2 = "security_manager_test_rules2";
70 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
71 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
72 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
73 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
76 static bool isLinkToExec(const char *fpath, const struct stat *sb)
83 // check if it's a link
84 if ( !S_ISLNK(sb->st_mode))
87 target = realpath(fpath, NULL);
88 RUNNER_ASSERT_MSG_BT(target != 0, "Could not obtain real path from link.");
90 ret = stat(target, &buf);
91 RUNNER_ASSERT_MSG_BT(ret == 0, "Could not obtain real path's stat from link.");
93 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG))
100 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
101 const char* correctLabel, bool transmute_test, bool exec_test)
108 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
109 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
110 labelPtr.reset(label);
111 RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
112 result = strcmp(correctLabel, label);
113 RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"
114 " (should be '" << correctLabel << "' and is '" << label << "')");
118 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
119 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
120 labelPtr.reset(label);
122 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
123 RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set");
124 result = strcmp(correctLabel, label);
125 RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath);
127 RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
131 if (isLinkToExec(fpath, sb) && exec_test) {
132 char buf[SMACK_LABEL_LEN+1];
133 result = lgetxattr(fpath, XATTR_NAME_TIZENEXEC, buf, sizeof(buf));
134 RUNNER_ASSERT_MSG_BT(result != -1, "Could not get label for the path "
135 << fpath << "("<<strerror(errno)<<")");
137 result = strcmp(correctLabel, buf);
138 RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect TIZEN_EXEC_LABEL attribute"
139 " on link to executable " << fpath);
145 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
146 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
147 labelPtr.reset(label);
149 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
150 RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all");
151 RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0,
152 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
154 RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
161 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
162 int /*typeflag*/, struct FTW* /*ftwbuf*/)
164 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
167 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
168 int /*typeflag*/, struct FTW* /*ftwbuf*/)
171 return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
174 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
175 int /*typeflag*/, struct FTW* /*ftwbuf*/)
178 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
182 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
184 static app_inst_req* do_app_inst_req_new()
187 app_inst_req *req = NULL;
189 result = security_manager_app_inst_req_new(&req);
190 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
191 "creation of new request failed. Result: " << result);
192 RUNNER_ASSERT_MSG_BT(req != NULL, "creation of new request did not allocate memory");
196 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
199 AppInstReqUniquePtr request;
201 request.reset(do_app_inst_req_new());
203 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
204 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
205 "setting app id failed. Result: " << result);
207 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
208 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
209 "setting pkg id failed. Result: " << result);
211 result = security_manager_app_install(request.get());
212 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
213 "installing app failed. Result: " << result);
215 result = security_manager_app_install(request.get());
216 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
217 "installing already installed app failed. Result: " << result);
219 request.reset(do_app_inst_req_new());
221 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
222 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
223 "setting app id failed. Result: " << result);
225 result = security_manager_app_uninstall(request.get());
226 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
227 "uninstalling app failed. Result: " << result);
229 result = security_manager_app_uninstall(request.get());
230 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
231 "uninstalling already uninstalled app failed. Result: " << result);
234 static void prepare_app_path()
238 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
239 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
241 result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
242 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
244 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
245 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
247 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
248 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
251 static void check_app_path_after_install()
255 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
256 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
258 result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
259 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
261 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
262 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
264 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
265 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
268 static void check_app_permission_after_install()
272 result = check_all_accesses(smack_check(), SM_ALLOWED_RULES);
273 RUNNER_ASSERT_MSG_BT(result, "Permissions not added.");
274 result = check_no_accesses(smack_check(), SM_DENIED_RULES);
275 RUNNER_ASSERT_MSG_BT(result, "Permissions added.");
277 check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION1, true);
278 check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION2, true);
279 check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION1, false);
280 check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION2, false);
283 static void prepare_app_env()
288 static void check_app_env_after_install()
290 check_app_path_after_install();
291 check_app_permission_after_install();
294 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
297 AppInstReqUniquePtr request;
301 request.reset(do_app_inst_req_new());
303 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
304 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
305 "setting app id failed. Result: " << result);
307 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
308 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
309 "setting pkg id failed. Result: " << result);
311 result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID1);
312 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
313 "setting allowed user failed. Result: " << result);
314 result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID2);
315 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
316 "setting allowed user failed. Result: " << result);
318 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION1);
319 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
320 "setting allowed permission failed. Result: " << result);
321 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION2);
322 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
323 "setting allowed permission failed. Result: " << result);
325 result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
326 SECURITY_MANAGER_PATH_PRIVATE);
327 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
328 "setting allowed path failed. Result: " << result);
330 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
331 SECURITY_MANAGER_PATH_PUBLIC);
332 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
333 "setting allowed path failed. Result: " << result);
335 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
336 SECURITY_MANAGER_PATH_PUBLIC_RO);
337 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
338 "setting allowed path failed. Result: " << result);
340 result = security_manager_app_install(request.get());
341 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
342 "installing app failed. Result: " << result);
344 check_app_env_after_install();
346 request.reset(do_app_inst_req_new());
348 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
349 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
350 "setting app id failed. Result: " << result);
352 result = security_manager_app_uninstall(request.get());
353 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
354 "uninstalling app failed. Result: " << result);
358 int main(int argc, char *argv[])
360 SummaryCollector::Register();
361 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);