1 #include <dpl/test/test_runner.h>
5 #include <summary_collector.h>
8 #include <libprivilege-control_test_common.h>
9 #include <tests_common.h>
11 #include <security-manager.h>
13 #include <cynara_test_client.h>
// Owning handle for app_inst_req objects. Presumably a unique_ptr-style alias whose deleter is
// security_manager_app_inst_req_free; confirm against the DEFINE_SMARTPTR definition.
15 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
// Binary whose Smack label test 03 applies to the current process.
17 static const char *const LABELLED_BINARY_PATH = "/usr/bin/test-app-efl";
// Application/package id pairs, one per scenario: double install (test 01), full install
// (test 02) and install by a non-root uid (test 05).
19 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
20 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
22 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
23 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
25 static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
26 static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
// Privileges requested at install time in tests 02 and 05; Cynara must allow them afterwards.
// NOTE(review): the closing "};" of the three initializer lists below is not shown in this listing.
28 static const privileges_t SM_ALLOWED_PRIVILEGES = {
29 "security_manager_test_rules2_r",
30 "security_manager_test_rules2_no_r"
// Privileges the visible tests never request; Cynara must deny them.
33 static const privileges_t SM_DENIED_PRIVILEGES = {
34 "security_manager_test_rules1",
35 "security_manager_test_rules2"
// Allow-list passed to the Cynara checks that run after an uninstall. No entries are visible
// here, so it is presumably empty; confirm.
38 static const privileges_t SM_NO_PRIVILEGES = {
// Directories registered in test 02 as private, public and public read-only paths.
// SM_DENIED_PATH is not registered by any visible test: it is given non-application labels
// during preparation and is expected to keep them.
41 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
42 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
43 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
44 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
// Directory handed to security-manager by the non-root test (05); it is accepted there only
// when registered as a private path.
45 static const char *const SM_PRIVATE_PATH_FOR_USER_5000 = "/home/app/securitytests/test_DIR";
// User string passed to the Cynara checks for applications installed by root.
46 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
// Writes into `label` the string that check_app_permissions later passes to
// CynaraTestClient::check as its first argument for package `pkgId`.
// NOTE(review): the function body is not visible in this listing, so how the label is derived
// from pkgId cannot be stated here.
48 static void generateAppLabel(const std::string &pkgId, std::string &label)
/*
 * Verifies the Smack ACCESS, EXEC and TRANSMUTE attributes of a single filesystem entry.
 * Shared worker for the three nftw callbacks that pass a fixed label and flags to it.
 *
 * fpath           entry to inspect; smack_lgetlabel reads the attribute of the entry itself
 *                 and does not follow a symbolic link
 * sb              stat data of the entry, used to recognise owner-executable regular files
 *                 and directories
 * correctLabel    value the ACCESS label must have; also the expected EXEC label when
 *                 exec_test applies
 * transmute_test  true: directories must carry TRANSMUTE set to "TRUE"
 * exec_test       true: owner-executable regular files must carry correctLabel as EXEC label
 *
 * Any mismatch fails the running test through RUNNER_ASSERT_MSG.
 * NOTE(review): this listing omits several source lines of the function (the first lines of
 * the body, the line between each pair of opposite assertions, the return statement). The
 * declarations of `result` and `labelPtr` are among the omitted lines.
 */
54 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
55 const char* correctLabel, bool transmute_test, bool exec_test)
59 char* label = nullptr;
// ACCESS label: must be readable, present and equal to correctLabel.
62 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
63 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
// labelPtr is presumably an owning smart pointer, so the string returned by libsmack is
// released on the next reset or at scope exit; confirm against its declaration.
64 labelPtr.reset(label);
65 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
66 result = strcmp(correctLabel, label);
67 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
68 " (should be '" << correctLabel << "' and is '" << label << "')");
// EXEC label.
72 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
73 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
74 labelPtr.reset(label);
// Owner-executable regular files must carry correctLabel as EXEC label when exec_test is set.
76 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
77 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
78 result = strcmp(correctLabel, label);
79 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
// NOTE(review): source line 80 is missing from this listing. The assertion below requires
// that no EXEC label is set, which contradicts the branch above unless it sits in an else
// branch; confirm against the full file.
81 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
// TRANSMUTE attribute.
85 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
86 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
87 labelPtr.reset(label);
// Directories must have TRANSMUTE set to "TRUE" when transmute_test is set.
89 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
90 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
91 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
92 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
// NOTE(review): source line 93 is missing from this listing. The assertion below requires
// that TRANSMUTE is not set, so it presumably belongs to an else branch; confirm.
94 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
// nftw callback for a private application directory: every entry must carry USER_APP_ID as
// ACCESS label, owner-executable regular files must also carry it as EXEC label, and
// directories must not be transmuting. The typeflag and ftwbuf arguments are unused.
101 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
102 int /*typeflag*/, struct FTW* /*ftwbuf*/)
104 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
// nftw callback for a public application directory: every entry must carry the ACCESS label
// "User", directories must have TRANSMUTE set to "TRUE", and the EXEC label is not required
// on executables (exec_test is false). The typeflag and ftwbuf arguments are unused.
107 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
108 int /*typeflag*/, struct FTW* /*ftwbuf*/)
111 return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
// nftw callback for a public read-only directory: every entry must carry the ACCESS label "_"
// (the Smack floor label), with neither the transmute nor the EXEC check enabled.
// The typeflag and ftwbuf arguments are unused.
114 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
115 int /*typeflag*/, struct FTW* /*ftwbuf*/)
118 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
// Creates a new installation request with security_manager_app_inst_req_new and fails the
// running test unless the call reports SECURITY_MANAGER_SUCCESS and yields a non-null request.
// NOTE(review): the return statement is not visible in this listing. Every caller passes the
// result to AppInstReqUniquePtr::reset, so the caller presumably becomes the owner; confirm.
121 static app_inst_req* do_app_inst_req_new()
124 app_inst_req *req = nullptr;
126 result = security_manager_app_inst_req_new(&req);
127 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
128 "creation of new request failed. Result: " << result);
129 RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
// Puts the test directories into a known label state before an install: nftw_remove_labels is
// applied to the three application directories and nftw_set_labels_non_app_dir to
// SM_DENIED_PATH. Each walk uses FTW_PHYS, so nftw reports symbolic links instead of following
// them and the walk stays inside the given tree. A failed walk fails the running test.
133 static void prepare_app_path()
137 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
138 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
140 result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
141 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
143 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
144 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
// The control directory gets non-application labels; the post-install check expects them to
// be unchanged.
146 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
147 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
// Test-environment setup helper.
// NOTE(review): the function body and its call sites are not visible in this listing, so what
// it prepares cannot be stated here.
150 static void prepare_app_env()
155 /* TODO: add parameters to this function */
// Walks the four test directories after an install and checks their Smack labels: the private,
// public and public read-only directories with their respective label callbacks, and
// SM_DENIED_PATH with nftw_check_labels_non_app_dir, i.e. the unregistered directory must
// still look like a non-application directory. FTW_PHYS keeps nftw from following symbolic
// links. The paths are the file-level constants, not parameters.
156 static void check_app_path_after_install()
160 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
161 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
163 result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
164 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
166 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
167 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
// Negative control: a directory that was never registered.
169 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
170 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
/*
 * Asks Cynara, through CynaraTestClient, whether each privilege is granted to the application.
 *
 * app_id         not used in the lines visible in this listing
 * pkg_id         package id handed to generateAppLabel to obtain the label used in the checks
 * user           user string of the Cynara query
 * allowed_privs  privileges that must yield CYNARA_API_SUCCESS
 * denied_privs   privileges that must yield CYNARA_API_ACCESS_DENIED
 *
 * The second argument of every check is an empty string.
 * Checking both lists matters: the denied list catches a policy that grants more than was
 * requested, which the allowed list alone would not reveal.
 */
174 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
175 const privileges_t &allowed_privs, const privileges_t &denied_privs)
178 std::string smackLabel;
179 generateAppLabel(pkg_id, smackLabel);
181 CynaraTestClient ctc;
183 for (auto &priv : allowed_privs) {
184 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_SUCCESS);
187 for (auto &priv : denied_privs) {
188 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
// Post-install verification for an application installed with privileges: the
// security-manager database must list the application with allowed_privs, must not list
// denied_privs, and the Cynara checks must agree for ANY_USER_REPRESENTATION.
192 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
193 const privileges_t &allowed_privs,
194 const privileges_t &denied_privs)
196 TestSecurityManagerDatabase dbtest;
197 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
198 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
200 /*Privileges should be granted to all users if root installs app*/
201 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
// Post-install verification for an application installed without privileges: only the
// security-manager database record is checked; no Cynara query is made.
204 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
206 TestSecurityManagerDatabase dbtest;
207 dbtest.test_db_after__app_install(app_id, pkg_id);
// Post-uninstall verification for an application that had privileges: the database check
// receives the former privileges and the expected package state (is_pkg_removed), then Cynara
// is queried with an empty allow-list and the former privileges as the deny-list, so a
// privilege that survives the uninstall fails the test.
210 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
211 const privileges_t &privileges, const bool is_pkg_removed)
213 TestSecurityManagerDatabase dbtest;
214 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
217 /*Privileges should not be granted anymore to any user*/
218 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
// Post-uninstall verification for an application installed without privileges: only the
// security-manager database is checked, with the expected package state (is_pkg_removed).
221 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
222 const bool is_pkg_removed)
224 TestSecurityManagerDatabase dbtest;
225 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
// Installs an application that has no privileges and no paths: builds a request with app_id
// and pkg_id, calls security_manager_app_install and then checks the database record.
// Every step must return SECURITY_MANAGER_SUCCESS or the running test fails.
228 static void install_app(const char *app_id, const char *pkg_id)
// The request is owned by the smart pointer for the rest of the function.
231 AppInstReqUniquePtr request;
232 request.reset(do_app_inst_req_new());
234 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
235 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
236 "setting app id failed. Result: " << result);
238 result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
239 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
240 "setting pkg id failed. Result: " << result);
242 result = security_manager_app_install(request.get());
243 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
244 "installing app failed. Result: " << result);
246 check_app_after_install(app_id, pkg_id);
/*
 * Uninstalls an application and checks the database afterwards.
 *
 * app_id              application to uninstall; the only id placed in the request
 * pkg_id              used only by the database check after the uninstall
 * expect_installed    true: the uninstall must return SECURITY_MANAGER_SUCCESS.
 *                     false: the return code is not checked at all, which suits best-effort
 *                     cleanup but also hides an uninstall that failed for an unrelated reason
 * expect_pkg_removed  package state passed to check_app_after_uninstall
 */
250 static void uninstall_app(const char *app_id, const char *pkg_id,
251 bool expect_installed, bool expect_pkg_removed)
254 AppInstReqUniquePtr request;
255 request.reset(do_app_inst_req_new());
257 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
258 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
259 "setting app id failed. Result: " << result);
261 result = security_manager_app_uninstall(request.get());
262 RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
263 "uninstalling app failed. Result: " << result);
// The database check runs in both modes.
265 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
// Declares the SECURITY_MANAGER test group. Presumably the RUNNER_* tests after this line are
// reported under it; confirm against the test runner.
269 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
// Test 01: installing the same application twice and uninstalling it twice must succeed each
// time. The repeated call has to return SECURITY_MANAGER_SUCCESS as well, and the database
// must show the application after the installs and the package as REMOVED after the uninstalls.
272 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
275 AppInstReqUniquePtr request;
277 request.reset(do_app_inst_req_new());
279 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
280 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
281 "setting app id failed. Result: " << result);
283 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
284 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
285 "setting pkg id failed. Result: " << result);
287 result = security_manager_app_install(request.get());
288 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
289 "installing app failed. Result: " << result);
// Second install with the same request.
291 result = security_manager_app_install(request.get());
292 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
293 "installing already installed app failed. Result: " << result);
295 /* Check records in the security-manager database */
296 check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
// A fresh request for the uninstall; only the app id is set on it.
298 request.reset(do_app_inst_req_new());
300 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
301 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
302 "setting app id failed. Result: " << result);
304 result = security_manager_app_uninstall(request.get());
305 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
306 "uninstalling app failed. Result: " << result);
// Second uninstall of an application that is already gone.
308 result = security_manager_app_uninstall(request.get());
309 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
310 "uninstalling already uninstalled app failed. Result: " << result);
312 /* Check records in the security-manager database */
313 check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
// Test 02: full install with two privileges and three paths (private, public, public
// read-only), followed by an uninstall. After the install the database and Cynara must show
// exactly the requested privileges (SM_DENIED_PRIVILEGES stay denied) and the directories
// must carry the labels of their path type. After the uninstall the formerly allowed
// privileges must be denied.
// NOTE(review): source lines 320-322 are not shown in this listing; the label checks depend on
// the directory state that prepare_app_path sets up, so the setup call presumably sits there.
// Confirm against the full file.
316 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
319 AppInstReqUniquePtr request;
323 request.reset(do_app_inst_req_new());
325 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
326 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
327 "setting app id failed. Result: " << result);
329 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
330 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
331 "setting pkg id failed. Result: " << result);
// Request both entries of SM_ALLOWED_PRIVILEGES.
333 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
334 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
335 "setting allowed permission failed. Result: " << result);
336 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
337 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
338 "setting allowed permission failed. Result: " << result);
// Register one directory per path type.
340 result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
341 SECURITY_MANAGER_PATH_PRIVATE);
342 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
343 "setting allowed path failed. Result: " << result);
345 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
346 SECURITY_MANAGER_PATH_PUBLIC);
347 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
348 "setting allowed path failed. Result: " << result);
350 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
351 SECURITY_MANAGER_PATH_PUBLIC_RO);
352 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
353 "setting allowed path failed. Result: " << result);
355 result = security_manager_app_install(request.get());
356 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
357 "installing app failed. Result: " << result);
359 /* Check records in the security-manager database */
360 check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
361 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
363 /* TODO: add parameters to this function */
364 check_app_path_after_install();
// A fresh request for the uninstall; only the app id is set on it.
366 request.reset(do_app_inst_req_new());
368 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
369 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
370 "setting app id failed. Result: " << result);
372 result = security_manager_app_uninstall(request.get());
373 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
374 "uninstalling app failed. Result: " << result);
376 /* Check records in the security-manager database,
377 * all previously allowed privileges should be removed */
378 check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
379 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
// Test 03 (Smack variant): security_manager_set_process_label_from_binary must succeed for
// LABELLED_BINARY_PATH, and the label of the calling process, read back with
// smack_new_label_from_self, must then equal USER_APP_ID.
// The test changes the label of the process it runs in. RUNNER_CHILD_TEST_SMACK presumably
// runs the body in a separate child process and only when Smack is enabled, which would keep
// the change away from the other tests; confirm against the test runner.
// NOTE(review): the declarations of `result` and `labelPtr` and the end of the last assertion
// (after `Actual: \"`) are not shown in this listing.
382 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_binary)
384 const char *const testBinaryPath = LABELLED_BINARY_PATH;
385 const char *const expectedLabel = USER_APP_ID;
387 char *label = nullptr;
390 result = security_manager_set_process_label_from_binary(testBinaryPath);
391 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
392 "security_manager_set_process_label_from_binary(" <<
393 testBinaryPath << ") failed. Result: " << result);
// Read the label actually in effect instead of trusting the return code alone.
395 result = smack_new_label_from_self(&label);
396 RUNNER_ASSERT_MSG(result >= 0,
397 " Error getting current process label");
398 RUNNER_ASSERT_MSG(label != nullptr,
399 " Process label is not set");
// labelPtr presumably takes ownership of the string so that it is released; confirm.
400 labelPtr.reset(label);
402 result = strcmp(expectedLabel, label);
403 RUNNER_ASSERT_MSG(result == 0,
404 " Process label is incorrect. Expected: \"" << expectedLabel << "\" Actual: \""
// Test 03 (no-Smack variant): only the return code of
// security_manager_set_process_label_from_binary is checked; the process label is not read
// back. RUNNER_CHILD_TEST_NOSMACK presumably selects this body when Smack is disabled; confirm
// against the test runner.
408 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_binary_nosmack)
410 const char *const testBinaryPath = LABELLED_BINARY_PATH;
413 result = security_manager_set_process_label_from_binary(testBinaryPath);
414 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
415 "security_manager_set_process_label_from_binary(" <<
416 testBinaryPath << ") failed. Result: " << result);
// Test 04 (Smack variant): after installing a test application,
// security_manager_set_process_label_from_appid must succeed and the label of the calling
// process must equal USER_APP_ID. The application is uninstalled at the end.
// The test changes the label of the process it runs in. RUNNER_CHILD_TEST_SMACK presumably
// runs the body in a separate child process; confirm against the test runner.
// NOTE(review): the declarations of `result` and `labelPtr` are not shown in this listing.
419 RUNNER_CHILD_TEST_SMACK(security_manager_04_set_label_from_appid)
421 const char *const app_id = "sm_test_app_id_set_label_from_appid";
422 const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
423 const char *const expected_label = USER_APP_ID;
424 char *label = nullptr;
// Cleanup of a possible leftover from an earlier run: expect_installed is false, so the
// return code of this uninstall is not checked.
428 uninstall_app(app_id, pkg_id, false, true);
429 install_app(app_id, pkg_id);
431 result = security_manager_set_process_label_from_appid(app_id);
432 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
433 "security_manager_set_process_label_from_appid(" <<
434 app_id << ") failed. Result: " << result);
// Read the label actually in effect instead of trusting the return code alone.
436 result = smack_new_label_from_self(&label);
437 RUNNER_ASSERT_MSG(result >= 0,
438 " Error getting current process label");
439 RUNNER_ASSERT_MSG(label != nullptr,
440 " Process label is not set");
441 labelPtr.reset(label);
443 result = strcmp(expected_label, label);
444 RUNNER_ASSERT_MSG(result == 0,
445 " Process label is incorrect. Expected: \"" << expected_label <<
446 "\" Actual: \"" << label << "\"");
// Not reached when an assertion above fails; the cleanup call at the top of the test covers
// that case on the next run.
448 uninstall_app(app_id, pkg_id, true, true);
// Test 04 (no-Smack variant): same install / set-label / uninstall sequence, but only the
// return code of security_manager_set_process_label_from_appid is checked; the process label
// is not read back.
451 RUNNER_CHILD_TEST_NOSMACK(security_manager_04_set_label_from_appid_nosmack)
453 const char *const app_id = "sm_test_app_id_set_label_from_appid";
454 const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
// Cleanup of a possible leftover; the return code of this uninstall is not checked.
457 uninstall_app(app_id, pkg_id, false, true);
458 install_app(app_id, pkg_id);
460 result = security_manager_set_process_label_from_appid(app_id);
461 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
462 "security_manager_set_process_label_from_appid(" <<
463 app_id << ") failed. Result: " << result);
465 uninstall_app(app_id, pkg_id, true, true);
/*
 * Replaces `request` with a new installation request holding one application, one package
 * and one path.
 *
 * request   smart pointer that receives the new request; a request it held before is dropped
 *           by reset
 * app_id    application id to set
 * pkg_id    package id to set
 * pathType  path type under which `path` is registered
 * path      directory to register
 *
 * Each setter must return SECURITY_MANAGER_SUCCESS or the running test fails. The install
 * itself is left to the caller, so this helper never tests whether the path is permitted.
 */
470 static void prepare_request(AppInstReqUniquePtr &request,
471 const char *const app_id,
472 const char *const pkg_id,
473 app_install_path_type pathType,
474 const char *const path)
477 request.reset(do_app_inst_req_new());
479 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
480 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
481 "setting app id failed. Result: " << result);
483 result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
484 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
485 "setting pkg id failed. Result: " << result);
487 result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
488 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
489 "setting allowed path failed. Result: " << result);
// Test 05: install and uninstall performed by a non-root user.
// After dropping root privileges the test checks two refusals and one success:
//   1. a directory inside the user's home registered as a PUBLIC path is refused,
//   2. a PRIVATE path outside the user's home is refused,
//   3. a PRIVATE path inside the user's home is accepted.
// Both refusals must return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED. The Cynara checks
// use the uid string of APP_UID rather than ANY_USER_REPRESENTATION, so they test the policy
// for that user only.
// The privilege drop is not undone inside the test. RUNNER_CHILD_TEST presumably runs the body
// in a separate child process, which would keep the drop away from the other tests; confirm
// against the test runner.
494 RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000)
497 AppInstReqUniquePtr request;
498 const std::string user = std::to_string(static_cast<unsigned int>(APP_UID));
501 //switch user to non-root
502 result = drop_root_privileges();
503 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
505 //install app as non-root user and try to register public path (should fail)
506 prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER_5000);
508 result = security_manager_app_install(request.get());
509 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
510 "installing app not failed. Result: " << result);
512 //install app as non-root user
513 //should fail (non-root users may only register folders inside their home)
514 prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
516 result = security_manager_app_install(request.get());
517 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
518 "installing app not failed. Result: " << result);
520 //install app as non-root user
521 //should succeed - this time the registered folder is inside the user's home dir
522 prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER_5000);
524 for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
525 result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
526 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
527 "setting allowed permission failed. Result: " << result);
530 result = security_manager_app_install(request.get());
531 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
532 "installing app failed. Result: " << result);
// Requested privileges must be allowed for this user; the unrequested ones must be denied.
534 check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
536 //uninstall app as non-root user
537 request.reset(do_app_inst_req_new());
539 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
540 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
541 "setting app id failed. Result: " << result);
543 result = security_manager_app_uninstall(request.get());
544 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
545 "uninstalling app failed. Result: " << result);
// After the uninstall the formerly allowed privileges must be denied for this user.
547 check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
// Entry point: calls SummaryCollector::Register() and then runs the DPL test runner with the
// command-line arguments, returning the runner's result as the exit status.
551 int main(int argc, char *argv[])
553 SummaryCollector::Register();
554 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);