projects / platform / core / test / security-tests.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Test labeling links to execs by security-manager
[platform/core/test/security-tests.git] / tests / security-manager-tests / security_manager_tests.cpp
1 #include <dpl/test/test_runner.h>
2 #include <fcntl.h>
3 #include <stdio.h>
4 #include <memory.h>
5 #include <summary_collector.h>
6
7 #include <sys/types.h>
8 #include <sys/stat.h>
9 #include <sys/xattr.h>
10 #include <linux/xattr.h>
11
12 #include <libprivilege-control_test_common.h>
13 #include <tests_common.h>
14
15 #include <security-manager.h>
16
17 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
18
19 static const char* SM_APP_ID = "sm_test_app_id";
20 static const char* SM_PKG_ID = "sm_test_pkg_id";
21
22 static uid_t SM_ALLOWED_UID1 = 6666;
23 static uid_t SM_ALLOWED_UID2 = 7777;
24
25 static const char* SM_ALLOWED_PERMISSION1 = "security_manager_test_rules2_r";
26 static const char* SM_ALLOWED_PERMISSION2 = "security_manager_test_rules2_no_r";
27 static const char *const XATTR_NAME_TIZENEXEC =  XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL";
28
29 static const rules_t SM_ALLOWED_RULES = {
30     { USER_APP_ID, "test_sm_book_8", "r" },
31     { USER_APP_ID, "test_sm_book_9", "w" },
32     { USER_APP_ID, "test_sm_book_10", "x" },
33     { USER_APP_ID, "test_sm_book_11", "rw" },
34     { USER_APP_ID, "test_sm_book_12", "rx" },
35     { USER_APP_ID, "test_sm_book_13", "wx" },
36     { USER_APP_ID, "test_sm_book_14", "rwx" },
37     { USER_APP_ID, "test_sm_book_15", "rwxat" },
38     { "test_sm_subject_8", USER_APP_ID, "r" },
39     { "test_sm_subject_9", USER_APP_ID, "w" },
40     { "test_sm_subject_10", USER_APP_ID, "x" },
41     { "test_sm_subject_11", USER_APP_ID, "rw" },
42     { "test_sm_subject_12", USER_APP_ID, "rx" },
43     { "test_sm_subject_13", USER_APP_ID, "wx" },
44     { "test_sm_subject_14", USER_APP_ID, "rwx" },
45     { "test_sm_subject_15", USER_APP_ID, "rwxat" }
46 };
47 static const rules_t SM_DENIED_RULES = {
48     { USER_APP_ID, "test_sm_book_1", "r" },
49     { USER_APP_ID, "test_sm_book_2", "w" },
50     { USER_APP_ID, "test_sm_book_3", "x" },
51     { USER_APP_ID, "test_sm_book_4", "rw" },
52     { USER_APP_ID, "test_sm_book_5", "rx" },
53     { USER_APP_ID, "test_sm_book_6", "wx" },
54     { USER_APP_ID, "test_sm_book_7", "rwx" },
55     { "test_sm_subject_1", USER_APP_ID, "r" },
56     { "test_sm_subject_2", USER_APP_ID, "w" },
57     { "test_sm_subject_3", USER_APP_ID, "x" },
58     { "test_sm_subject_4", USER_APP_ID, "rw" },
59     { "test_sm_subject_5", USER_APP_ID, "rx" },
60     { "test_sm_subject_6", USER_APP_ID, "wx" },
61     { "test_sm_subject_7", USER_APP_ID, "rwx" }
62 };
63
64 static const char* SM_DENIED_PERMISSION1 = "security_manager_test_rules1";
65 static const char* SM_DENIED_PERMISSION2 = "security_manager_test_rules2";
66
67 static const char* SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
68 static const char* SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
69 static const char* SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
70 static const char* SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
71
72
73 static bool isLinkToExec(const char *fpath, const struct stat *sb)
74 {
75
76     struct stat buf;
77     char *target;
78     int ret;
79
80     // check if it's a link
81     if ( !S_ISLNK(sb->st_mode))
82         return false;
83
84     target = realpath(fpath, NULL);
85     RUNNER_ASSERT_MSG_BT(target != 0, "Could not obtain real path from link.");
86
87     ret = stat(target, &buf);
88     RUNNER_ASSERT_MSG_BT(ret == 0, "Could not obtain real path's stat from link.");
89
90     if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG))
91         return false;
92
93
94     return true;
95 }
96
97 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
98                               const char* correctLabel, bool transmute_test, bool exec_test)
99 {
100     int result;
101     CStringPtr labelPtr;
102     char* label = NULL;
103
104     /* ACCESS */
105     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
106     RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
107     labelPtr.reset(label);
108     RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
109     result = strcmp(correctLabel, label);
110     RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"
111             " (should be '" << correctLabel << "' and is '" << label << "')");
112
113
114     /* EXEC */
115     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
116     RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
117     labelPtr.reset(label);
118
119     if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
120         RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set");
121         result = strcmp(correctLabel, label);
122         RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath);
123     } else
124         RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
125
126
127     /* LINK TO EXEC */
128     if (isLinkToExec(fpath, sb) && exec_test) {
129         char buf[SMACK_LABEL_LEN+1];
130         result = lgetxattr(fpath, XATTR_NAME_TIZENEXEC, buf, sizeof(buf));
131         RUNNER_ASSERT_MSG_BT(result != -1, "Could not get label for the path "
132                 << fpath << "("<<strerror(errno)<<")");
133         buf[result]='\0';
134         result = strcmp(correctLabel, buf);
135         RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect TIZEN_EXEC_LABEL attribute"
136                 " on link to executable " << fpath);
137     }
138
139
140
141     /* TRANSMUTE */
142     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
143     RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
144     labelPtr.reset(label);
145
146     if (S_ISDIR(sb->st_mode) && transmute_test == true) {
147         RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all");
148         RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0,
149                 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
150     } else {
151         RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
152     }
153
154     return 0;
155 }
156
157
158 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
159                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
160 {
161     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
162 }
163
164 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
165                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
166 {
167
168     return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
169 }
170
171 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
172                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
173 {
174
175     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
176 }
177
178
179 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
180
181 static app_inst_req* do_app_inst_req_new()
182 {
183     int result;
184     app_inst_req *req = NULL;
185
186     result = security_manager_app_inst_req_new(&req);
187     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
188             "creation of new request failed. Result: " << result);
189     RUNNER_ASSERT_MSG_BT(req != NULL, "creation of new request did not allocate memory");
190     return req;
191 }
192
193 static void prepare_app_path()
194 {
195     int result;
196
197     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
198     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
199
200     result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
201     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
202
203     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
204     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
205
206     result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
207     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
208 }
209
210 static void check_app_path_after_install()
211 {
212     int result;
213
214     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
215     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
216
217     result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
218     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
219
220     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
221     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
222
223     result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
224     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
225 }
226
227 static void check_app_permission_after_install()
228 {
229     bool result;
230
231     result = check_all_accesses(smack_check(), SM_ALLOWED_RULES);
232     RUNNER_ASSERT_MSG_BT(result, "Permissions not added.");
233     result = check_no_accesses(smack_check(), SM_DENIED_RULES);
234     RUNNER_ASSERT_MSG_BT(result, "Permissions added.");
235
236     check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION1, true);
237     check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION2, true);
238     check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION1, false);
239     check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION2, false);
240 }
241
242 static void prepare_app_env()
243 {
244     prepare_app_path();
245 }
246
247 static void check_app_env_after_install()
248 {
249     check_app_path_after_install();
250     check_app_permission_after_install();
251 }
252
253 RUNNER_TEST(security_manager_01_app_install_unsinstall)
254 {
255     int result;
256     AppInstReqUniquePtr request;
257
258     prepare_app_env();
259
260     request.reset(do_app_inst_req_new());
261
262     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID);
263     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
264             "setting app id failed. Result: " << result);
265
266     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID);
267     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
268             "setting pkg id failed. Result: " << result);
269
270     result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID1);
271     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
272             "setting allowed user failed. Result: " << result);
273     result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID2);
274     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
275             "setting allowed user failed. Result: " << result);
276
277     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION1);
278     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
279             "setting allowed permission failed. Result: " << result);
280     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION2);
281     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
282             "setting allowed permission failed. Result: " << result);
283
284     result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
285                                                     SECURITY_MANAGER_PATH_PRIVATE);
286     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
287             "setting allowed path failed. Result: " << result);
288
289     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
290                                                     SECURITY_MANAGER_PATH_PUBLIC);
291     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
292             "setting allowed path failed. Result: " << result);
293
294     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
295                                                     SECURITY_MANAGER_PATH_PUBLIC_RO);
296     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
297             "setting allowed path failed. Result: " << result);
298
299     result = security_manager_app_install(request.get());
300     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
301             "installing app failed. Result: " << result);
302
303     check_app_env_after_install();
304
305     request.reset(do_app_inst_req_new());
306
307     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID);
308     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
309             "setting app id failed. Result: " << result);
310
311     result = security_manager_app_uninstall(request.get());
312     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
313             "uninstalling app failed. Result: " << result);
314
315 }
316
317 int main(int argc, char *argv[])
318 {
319     SummaryCollector::Register();
320     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
321 }
Domain: Security / Uncategorized;