tests/security-manager-tests/security_manager_tests.cpp

   1 #include <dpl/test/test_runner.h>
   2 #include <fcntl.h>
   3 #include <stdio.h>
   4 #include <memory.h>
   5 #include <summary_collector.h>
   6
   7 #include <sys/types.h>
   8 #include <sys/stat.h>
   9 #include <sys/xattr.h>
  10
  11 #include <libprivilege-control_test_common.h>
  12 #include <tests_common.h>
  13
  14 #include <security-manager.h>
  15
  16 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
  17
  18 static const char* SM_APP_ID = "sm_test_app_id";
  19 static const char* SM_PKG_ID = "sm_test_pkg_id";
  20
  21 static uid_t SM_ALLOWED_UID1 = 6666;
  22 static uid_t SM_ALLOWED_UID2 = 7777;
  23
  24 static const char* SM_ALLOWED_PERMISSION1 = "security_manager_test_rules2_r";
  25 static const char* SM_ALLOWED_PERMISSION2 = "security_manager_test_rules2_no_r";
  26
  27 static const rules_t SM_ALLOWED_RULES = {
  28     { USER_APP_ID, "test_sm_book_8", "r" },
  29     { USER_APP_ID, "test_sm_book_9", "w" },
  30     { USER_APP_ID, "test_sm_book_10", "x" },
  31     { USER_APP_ID, "test_sm_book_11", "rw" },
  32     { USER_APP_ID, "test_sm_book_12", "rx" },
  33     { USER_APP_ID, "test_sm_book_13", "wx" },
  34     { USER_APP_ID, "test_sm_book_14", "rwx" },
  35     { USER_APP_ID, "test_sm_book_15", "rwxat" },
  36     { "test_sm_subject_8", USER_APP_ID, "r" },
  37     { "test_sm_subject_9", USER_APP_ID, "w" },
  38     { "test_sm_subject_10", USER_APP_ID, "x" },
  39     { "test_sm_subject_11", USER_APP_ID, "rw" },
  40     { "test_sm_subject_12", USER_APP_ID, "rx" },
  41     { "test_sm_subject_13", USER_APP_ID, "wx" },
  42     { "test_sm_subject_14", USER_APP_ID, "rwx" },
  43     { "test_sm_subject_15", USER_APP_ID, "rwxat" }
  44 };
  45 static const rules_t SM_DENIED_RULES = {
  46     { USER_APP_ID, "test_sm_book_1", "r" },
  47     { USER_APP_ID, "test_sm_book_2", "w" },
  48     { USER_APP_ID, "test_sm_book_3", "x" },
  49     { USER_APP_ID, "test_sm_book_4", "rw" },
  50     { USER_APP_ID, "test_sm_book_5", "rx" },
  51     { USER_APP_ID, "test_sm_book_6", "wx" },
  52     { USER_APP_ID, "test_sm_book_7", "rwx" },
  53     { "test_sm_subject_1", USER_APP_ID, "r" },
  54     { "test_sm_subject_2", USER_APP_ID, "w" },
  55     { "test_sm_subject_3", USER_APP_ID, "x" },
  56     { "test_sm_subject_4", USER_APP_ID, "rw" },
  57     { "test_sm_subject_5", USER_APP_ID, "rx" },
  58     { "test_sm_subject_6", USER_APP_ID, "wx" },
  59     { "test_sm_subject_7", USER_APP_ID, "rwx" }
  60 };
  61
  62 static const char* SM_DENIED_PERMISSION1 = "security_manager_test_rules1";
  63 static const char* SM_DENIED_PERMISSION2 = "security_manager_test_rules2";
  64
  65 static const char* SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
  66 static const char* SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
  67 static const char* SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
  68 static const char* SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
  69
  70
  71 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
  72                               const char* correctLabel, bool transmute_test, bool exec_test)
  73 {
  74     int result;
  75     CStringPtr labelPtr;
  76     char* label = NULL;
  77
  78     /* ACCESS */
  79     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
  80     RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
  81     labelPtr.reset(label);
  82     RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
  83     result = strcmp(correctLabel, label);
  84     RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"
  85             " (should be '" << correctLabel << "' and is '" << label << "')");
  86
  87
  88     /* EXEC */
  89     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
  90     RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
  91     labelPtr.reset(label);
  92
  93     if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
  94         RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set");
  95         result = strcmp(correctLabel, label);
  96         RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath);
  97     } else
  98         RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
  99
 100
 101     /* TRANSMUTE */
 102     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
 103     RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
 104     labelPtr.reset(label);
 105
 106     if (S_ISDIR(sb->st_mode) && transmute_test == true) {
 107         RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all");
 108         RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0,
 109                 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
 110     } else {
 111         RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
 112     }
 113
 114     return 0;
 115 }
 116
 117
 118 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
 119                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 120 {
 121     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
 122 }
 123
 124 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
 125                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 126 {
 127
 128     return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
 129 }
 130
 131 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
 132                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 133 {
 134
 135     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
 136 }
 137
 138
 139 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
 140
 141 static app_inst_req* do_app_inst_req_new()
 142 {
 143     int result;
 144     app_inst_req *req = NULL;
 145
 146     result = security_manager_app_inst_req_new(&req);
 147     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 148             "creation of new request failed. Result: " << result);
 149     RUNNER_ASSERT_MSG_BT(req != NULL, "creation of new request did not allocate memory");
 150     return req;
 151 }
 152
 153 static void prepare_app_path()
 154 {
 155     int result;
 156
 157     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 158     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
 159
 160     result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 161     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
 162
 163     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 164     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
 165
 166     result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
 167     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
 168 }
 169
 170 static void check_app_path_after_install()
 171 {
 172     int result;
 173
 174     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
 175     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
 176
 177     result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
 178     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
 179
 180     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
 181     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
 182
 183     result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
 184     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
 185 }
 186
 187 static void check_app_permission_after_install()
 188 {
 189     bool result;
 190
 191     result = check_all_accesses(smack_check(), SM_ALLOWED_RULES);
 192     RUNNER_ASSERT_MSG_BT(result, "Permissions not added.");
 193     result = check_no_accesses(smack_check(), SM_DENIED_RULES);
 194     RUNNER_ASSERT_MSG_BT(result, "Permissions added.");
 195
 196     check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION1, true);
 197     check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION2, true);
 198     check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION1, false);
 199     check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION2, false);
 200 }
 201
 202 static void prepare_app_env()
 203 {
 204     prepare_app_path();
 205 }
 206
 207 static void check_app_env_after_install()
 208 {
 209     check_app_path_after_install();
 210     check_app_permission_after_install();
 211 }
 212
 213 RUNNER_TEST(security_manager_01_app_install_unsinstall)
 214 {
 215     int result;
 216     AppInstReqUniquePtr request;
 217
 218     prepare_app_env();
 219
 220     request.reset(do_app_inst_req_new());
 221
 222     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID);
 223     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 224             "setting app id failed. Result: " << result);
 225
 226     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID);
 227     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 228             "setting pkg id failed. Result: " << result);
 229
 230     result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID1);
 231     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 232             "setting allowed user failed. Result: " << result);
 233     result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID2);
 234     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 235             "setting allowed user failed. Result: " << result);
 236
 237     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION1);
 238     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 239             "setting allowed permission failed. Result: " << result);
 240     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION2);
 241     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 242             "setting allowed permission failed. Result: " << result);
 243
 244     result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
 245                                                     SECURITY_MANAGER_PATH_PRIVATE);
 246     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 247             "setting allowed path failed. Result: " << result);
 248
 249     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
 250                                                     SECURITY_MANAGER_PATH_PUBLIC);
 251     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 252             "setting allowed path failed. Result: " << result);
 253
 254     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
 255                                                     SECURITY_MANAGER_PATH_PUBLIC_RO);
 256     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 257             "setting allowed path failed. Result: " << result);
 258
 259     result = security_manager_app_install(request.get());
 260     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 261             "installing app failed. Result: " << result);
 262
 263     check_app_env_after_install();
 264
 265     request.reset(do_app_inst_req_new());
 266
 267     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID);
 268     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 269             "setting app id failed. Result: " << result);
 270
 271     result = security_manager_app_uninstall(request.get());
 272     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 273             "uninstalling app failed. Result: " << result);
 274
 275 }
 276
 277 int main(int argc, char *argv[])
 278 {
 279     SummaryCollector::Register();
 280     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 281 }