1 #include <dpl/test/test_runner.h>
5 #include <summary_collector.h>
11 #include <libprivilege-control_test_common.h>
12 #include <tests_common.h>
14 #include <security-manager.h>
16 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
18 static const char* SM_APP_ID = "sm_test_app_id";
19 static const char* SM_PKG_ID = "sm_test_pkg_id";
21 static uid_t SM_ALLOWED_UID1 = 6666;
22 static uid_t SM_ALLOWED_UID2 = 7777;
24 static const char* SM_ALLOWED_PERMISSION1 = "security_manager_test_rules2_r";
25 static const char* SM_ALLOWED_PERMISSION2 = "security_manager_test_rules2_no_r";
27 static const rules_t SM_ALLOWED_RULES = {
28 { USER_APP_ID, "test_sm_book_8", "r" },
29 { USER_APP_ID, "test_sm_book_9", "w" },
30 { USER_APP_ID, "test_sm_book_10", "x" },
31 { USER_APP_ID, "test_sm_book_11", "rw" },
32 { USER_APP_ID, "test_sm_book_12", "rx" },
33 { USER_APP_ID, "test_sm_book_13", "wx" },
34 { USER_APP_ID, "test_sm_book_14", "rwx" },
35 { USER_APP_ID, "test_sm_book_15", "rwxat" },
36 { "test_sm_subject_8", USER_APP_ID, "r" },
37 { "test_sm_subject_9", USER_APP_ID, "w" },
38 { "test_sm_subject_10", USER_APP_ID, "x" },
39 { "test_sm_subject_11", USER_APP_ID, "rw" },
40 { "test_sm_subject_12", USER_APP_ID, "rx" },
41 { "test_sm_subject_13", USER_APP_ID, "wx" },
42 { "test_sm_subject_14", USER_APP_ID, "rwx" },
43 { "test_sm_subject_15", USER_APP_ID, "rwxat" }
45 static const rules_t SM_DENIED_RULES = {
46 { USER_APP_ID, "test_sm_book_1", "r" },
47 { USER_APP_ID, "test_sm_book_2", "w" },
48 { USER_APP_ID, "test_sm_book_3", "x" },
49 { USER_APP_ID, "test_sm_book_4", "rw" },
50 { USER_APP_ID, "test_sm_book_5", "rx" },
51 { USER_APP_ID, "test_sm_book_6", "wx" },
52 { USER_APP_ID, "test_sm_book_7", "rwx" },
53 { "test_sm_subject_1", USER_APP_ID, "r" },
54 { "test_sm_subject_2", USER_APP_ID, "w" },
55 { "test_sm_subject_3", USER_APP_ID, "x" },
56 { "test_sm_subject_4", USER_APP_ID, "rw" },
57 { "test_sm_subject_5", USER_APP_ID, "rx" },
58 { "test_sm_subject_6", USER_APP_ID, "wx" },
59 { "test_sm_subject_7", USER_APP_ID, "rwx" }
62 static const char* SM_DENIED_PERMISSION1 = "security_manager_test_rules1";
63 static const char* SM_DENIED_PERMISSION2 = "security_manager_test_rules2";
65 static const char* SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
66 static const char* SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
67 static const char* SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
68 static const char* SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
71 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
72 const char* correctLabel, bool transmute_test, bool exec_test)
79 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
80 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
81 labelPtr.reset(label);
82 RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
83 result = strcmp(correctLabel, label);
84 RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"
85 " (should be '" << correctLabel << "' and is '" << label << "')");
89 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
90 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
91 labelPtr.reset(label);
93 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
94 RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set");
95 result = strcmp(correctLabel, label);
96 RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath);
98 RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
102 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
103 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
104 labelPtr.reset(label);
106 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
107 RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all");
108 RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0,
109 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
111 RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
118 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
119 int /*typeflag*/, struct FTW* /*ftwbuf*/)
121 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
124 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
125 int /*typeflag*/, struct FTW* /*ftwbuf*/)
128 return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
131 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
132 int /*typeflag*/, struct FTW* /*ftwbuf*/)
135 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
139 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
141 static app_inst_req* do_app_inst_req_new()
144 app_inst_req *req = NULL;
146 result = security_manager_app_inst_req_new(&req);
147 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
148 "creation of new request failed. Result: " << result);
149 RUNNER_ASSERT_MSG_BT(req != NULL, "creation of new request did not allocate memory");
153 static void prepare_app_path()
157 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
158 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
160 result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
161 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
163 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
164 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
166 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
167 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
170 static void check_app_path_after_install()
174 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
175 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
177 result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
178 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
180 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
181 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
183 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
184 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
187 static void check_app_permission_after_install()
191 result = check_all_accesses(smack_check(), SM_ALLOWED_RULES);
192 RUNNER_ASSERT_MSG_BT(result, "Permissions not added.");
193 result = check_no_accesses(smack_check(), SM_DENIED_RULES);
194 RUNNER_ASSERT_MSG_BT(result, "Permissions added.");
196 check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION1, true);
197 check_perm_app_has_permission(USER_APP_ID, SM_ALLOWED_PERMISSION2, true);
198 check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION1, false);
199 check_perm_app_has_permission(USER_APP_ID, SM_DENIED_PERMISSION2, false);
202 static void prepare_app_env()
207 static void check_app_env_after_install()
209 check_app_path_after_install();
210 check_app_permission_after_install();
213 RUNNER_TEST(security_manager_01_app_install_unsinstall)
216 AppInstReqUniquePtr request;
220 request.reset(do_app_inst_req_new());
222 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID);
223 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
224 "setting app id failed. Result: " << result);
226 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID);
227 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
228 "setting pkg id failed. Result: " << result);
230 result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID1);
231 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
232 "setting allowed user failed. Result: " << result);
233 result = security_manager_app_inst_req_add_allowed_user(request.get(), SM_ALLOWED_UID2);
234 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
235 "setting allowed user failed. Result: " << result);
237 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION1);
238 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
239 "setting allowed permission failed. Result: " << result);
240 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PERMISSION2);
241 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
242 "setting allowed permission failed. Result: " << result);
244 result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
245 SECURITY_MANAGER_PATH_PRIVATE);
246 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
247 "setting allowed path failed. Result: " << result);
249 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
250 SECURITY_MANAGER_PATH_PUBLIC);
251 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
252 "setting allowed path failed. Result: " << result);
254 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
255 SECURITY_MANAGER_PATH_PUBLIC_RO);
256 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
257 "setting allowed path failed. Result: " << result);
259 result = security_manager_app_install(request.get());
260 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
261 "installing app failed. Result: " << result);
263 check_app_env_after_install();
265 request.reset(do_app_inst_req_new());
267 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID);
268 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
269 "setting app id failed. Result: " << result);
271 result = security_manager_app_uninstall(request.get());
272 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
273 "uninstalling app failed. Result: " << result);
277 int main(int argc, char *argv[])
279 SummaryCollector::Register();
280 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);