1 #include <dpl/test/test_runner.h>
5 #include <summary_collector.h>
10 #include <linux/xattr.h>
12 #include <libprivilege-control_test_common.h>
13 #include <tests_common.h>
15 #include <security-manager.h>
18 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
20 static const char *const LABELLED_BINARY_PATH = "/usr/bin/test-app-efl";
22 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
23 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
25 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
26 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
28 static const privileges_t SM_ALLOWED_PRIVILEGES = {
29 "security_manager_test_rules2_r",
30 "security_manager_test_rules2_no_r"
33 static const privileges_t SM_DENIED_PRIVILEGES = {
34 "security_manager_test_rules1",
35 "security_manager_test_rules2"
38 static const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL";
40 static const rules_t SM_ALLOWED_RULES = {
41 { USER_APP_ID, "test_sm_book_8", "r" },
42 { USER_APP_ID, "test_sm_book_9", "w" },
43 { USER_APP_ID, "test_sm_book_10", "x" },
44 { USER_APP_ID, "test_sm_book_11", "rw" },
45 { USER_APP_ID, "test_sm_book_12", "rx" },
46 { USER_APP_ID, "test_sm_book_13", "wx" },
47 { USER_APP_ID, "test_sm_book_14", "rwx" },
48 { USER_APP_ID, "test_sm_book_15", "rwxat" },
49 { "test_sm_subject_8", USER_APP_ID, "r" },
50 { "test_sm_subject_9", USER_APP_ID, "w" },
51 { "test_sm_subject_10", USER_APP_ID, "x" },
52 { "test_sm_subject_11", USER_APP_ID, "rw" },
53 { "test_sm_subject_12", USER_APP_ID, "rx" },
54 { "test_sm_subject_13", USER_APP_ID, "wx" },
55 { "test_sm_subject_14", USER_APP_ID, "rwx" },
56 { "test_sm_subject_15", USER_APP_ID, "rwxat" }
58 static const rules_t SM_DENIED_RULES = {
59 { USER_APP_ID, "test_sm_book_1", "r" },
60 { USER_APP_ID, "test_sm_book_2", "w" },
61 { USER_APP_ID, "test_sm_book_3", "x" },
62 { USER_APP_ID, "test_sm_book_4", "rw" },
63 { USER_APP_ID, "test_sm_book_5", "rx" },
64 { USER_APP_ID, "test_sm_book_6", "wx" },
65 { USER_APP_ID, "test_sm_book_7", "rwx" },
66 { "test_sm_subject_1", USER_APP_ID, "r" },
67 { "test_sm_subject_2", USER_APP_ID, "w" },
68 { "test_sm_subject_3", USER_APP_ID, "x" },
69 { "test_sm_subject_4", USER_APP_ID, "rw" },
70 { "test_sm_subject_5", USER_APP_ID, "rx" },
71 { "test_sm_subject_6", USER_APP_ID, "wx" },
72 { "test_sm_subject_7", USER_APP_ID, "rwx" }
75 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
76 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
77 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
78 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
81 static bool isLinkToExec(const char *fpath, const struct stat *sb)
88 // check if it's a link
89 if ( !S_ISLNK(sb->st_mode))
92 target = realpath(fpath, NULL);
93 RUNNER_ASSERT_MSG_BT(target != 0, "Could not obtain real path from link.");
95 ret = stat(target, &buf);
96 RUNNER_ASSERT_MSG_BT(ret == 0, "Could not obtain real path's stat from link.");
98 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG))
105 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
106 const char* correctLabel, bool transmute_test, bool exec_test)
113 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
114 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
115 labelPtr.reset(label);
116 RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
117 result = strcmp(correctLabel, label);
118 RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"
119 " (should be '" << correctLabel << "' and is '" << label << "')");
123 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
124 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
125 labelPtr.reset(label);
127 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
128 RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set");
129 result = strcmp(correctLabel, label);
130 RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath);
132 RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
136 if (isLinkToExec(fpath, sb) && exec_test) {
137 char buf[SMACK_LABEL_LEN+1];
138 result = lgetxattr(fpath, XATTR_NAME_TIZENEXEC, buf, sizeof(buf));
139 RUNNER_ASSERT_MSG_BT(result != -1, "Could not get label for the path "
140 << fpath << "("<<strerror(errno)<<")");
142 result = strcmp(correctLabel, buf);
143 RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect TIZEN_EXEC_LABEL attribute"
144 " on link to executable " << fpath);
150 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
151 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
152 labelPtr.reset(label);
154 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
155 RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all");
156 RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0,
157 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
159 RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
166 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
167 int /*typeflag*/, struct FTW* /*ftwbuf*/)
169 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
172 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
173 int /*typeflag*/, struct FTW* /*ftwbuf*/)
176 return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
179 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
180 int /*typeflag*/, struct FTW* /*ftwbuf*/)
183 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
186 static app_inst_req* do_app_inst_req_new()
189 app_inst_req *req = NULL;
191 result = security_manager_app_inst_req_new(&req);
192 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
193 "creation of new request failed. Result: " << result);
194 RUNNER_ASSERT_MSG_BT(req != NULL, "creation of new request did not allocate memory");
198 static void prepare_app_path()
202 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
203 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
205 result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
206 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
208 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
209 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
211 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
212 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
215 static void prepare_app_env()
220 /* TODO: add parameters to this function */
221 static void check_app_path_after_install()
225 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
226 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
228 result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
229 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
231 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
232 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
234 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
235 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
238 static void check_app_permissions(const char *const app_id, const char *const pkg_id,
239 const privileges_t &allowed_privs, const privileges_t &denied_privs,
240 const rules_t &allowed_rules, const rules_t &denied_rules)
244 result = check_all_accesses(smack_check(), allowed_rules);
245 RUNNER_ASSERT_MSG_BT(result, "Permissions not added.");
246 result = check_no_accesses(smack_check(), denied_rules);
247 RUNNER_ASSERT_MSG_BT(result, "Permissions added.");
249 /* TODO: USER_APP_ID is hardcoded in the following checks, because libprivilege always generate
250 * label "User" for all installed apps. Adjust it when libprivilege is upgraded. */
251 (void)app_id; // unused parameter
252 (void)pkg_id; // unused parameter
254 for (auto it = allowed_privs.begin(); it != allowed_privs.end(); ++it)
255 check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), true);
257 for (auto it = denied_privs.begin(); it != denied_privs.end(); ++it)
258 check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), false);
261 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
262 const privileges_t &allowed_privs, const privileges_t &denied_privs,
263 const rules_t &allowed_rules, const rules_t &denied_rules)
265 TestSecurityManagerDatabase dbtest;
266 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
267 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
269 check_app_permissions(app_id, pkg_id,
270 allowed_privs, denied_privs,
271 allowed_rules, denied_rules);
274 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
276 TestSecurityManagerDatabase dbtest;
277 dbtest.test_db_after__app_install(app_id, pkg_id);
280 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
281 const privileges_t &privileges, const bool is_pkg_removed)
283 TestSecurityManagerDatabase dbtest;
284 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
287 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
288 const bool is_pkg_removed)
290 TestSecurityManagerDatabase dbtest;
291 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
294 static void install_app(const char *app_id, const char *pkg_id)
297 AppInstReqUniquePtr request;
298 request.reset(do_app_inst_req_new());
300 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
301 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
302 "setting app id failed. Result: " << result);
304 result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
305 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
306 "setting pkg id failed. Result: " << result);
308 result = security_manager_app_install(request.get());
309 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
310 "installing app failed. Result: " << result);
312 check_app_after_install(app_id, pkg_id);
316 static void uninstall_app(const char *app_id, const char *pkg_id,
317 bool expect_installed, bool expect_pkg_removed)
320 AppInstReqUniquePtr request;
321 request.reset(do_app_inst_req_new());
323 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
324 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
325 "setting app id failed. Result: " << result);
327 result = security_manager_app_uninstall(request.get());
328 RUNNER_ASSERT_MSG_BT(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
329 "uninstalling app failed. Result: " << result);
331 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
335 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
338 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
341 AppInstReqUniquePtr request;
343 request.reset(do_app_inst_req_new());
345 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
346 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
347 "setting app id failed. Result: " << result);
349 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
350 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
351 "setting pkg id failed. Result: " << result);
353 result = security_manager_app_install(request.get());
354 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
355 "installing app failed. Result: " << result);
357 result = security_manager_app_install(request.get());
358 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
359 "installing already installed app failed. Result: " << result);
361 /* Check records in the security-manager database */
362 check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
364 request.reset(do_app_inst_req_new());
366 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
367 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
368 "setting app id failed. Result: " << result);
370 result = security_manager_app_uninstall(request.get());
371 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
372 "uninstalling app failed. Result: " << result);
374 result = security_manager_app_uninstall(request.get());
375 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
376 "uninstalling already uninstalled app failed. Result: " << result);
378 /* Check records in the security-manager database */
379 check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
382 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
385 AppInstReqUniquePtr request;
389 request.reset(do_app_inst_req_new());
391 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
392 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
393 "setting app id failed. Result: " << result);
395 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
396 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
397 "setting pkg id failed. Result: " << result);
399 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
400 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
401 "setting allowed permission failed. Result: " << result);
402 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
403 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
404 "setting allowed permission failed. Result: " << result);
406 result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
407 SECURITY_MANAGER_PATH_PRIVATE);
408 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
409 "setting allowed path failed. Result: " << result);
411 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
412 SECURITY_MANAGER_PATH_PUBLIC);
413 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
414 "setting allowed path failed. Result: " << result);
416 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
417 SECURITY_MANAGER_PATH_PUBLIC_RO);
418 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
419 "setting allowed path failed. Result: " << result);
421 result = security_manager_app_install(request.get());
422 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
423 "installing app failed. Result: " << result);
425 /* Check records in the security-manager database */
426 check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
427 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES,
428 SM_ALLOWED_RULES, SM_DENIED_RULES);
430 /* TODO: add parameters to this function */
431 check_app_path_after_install();
433 request.reset(do_app_inst_req_new());
435 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
436 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
437 "setting app id failed. Result: " << result);
439 result = security_manager_app_uninstall(request.get());
440 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
441 "uninstalling app failed. Result: " << result);
443 /* Check records in the security-manager database,
444 * all previously allowed privileges should be removed */
445 check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
446 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
449 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_binary)
451 const char *const testBinaryPath = LABELLED_BINARY_PATH;
452 const char *const expectedLabel = USER_APP_ID;
457 result = security_manager_set_process_label_from_binary(testBinaryPath);
458 RUNNER_ASSERT_MSG_BT(result == SECURITY_MANAGER_SUCCESS,
459 "security_manager_set_process_label_from_binary(" <<
460 testBinaryPath << ") failed. Result: " << result);
462 result = smack_new_label_from_self(&label);
463 RUNNER_ASSERT_MSG_BT(result >= 0,
464 " Error getting current process label");
465 RUNNER_ASSERT_MSG_BT(label != NULL,
466 " Process label is not set");
467 labelPtr.reset(label);
469 result = strcmp(expectedLabel, label);
470 RUNNER_ASSERT_MSG_BT(result == 0,
471 " Process label is incorrect. Expected: \"" << expectedLabel << "\" Actual: \""
475 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_binary_nosmack)
477 const char *const testBinaryPath = LABELLED_BINARY_PATH;
480 result = security_manager_set_process_label_from_binary(testBinaryPath);
481 RUNNER_ASSERT_MSG_BT(result == SECURITY_MANAGER_SUCCESS,
482 "security_manager_set_process_label_from_binary(" <<
483 testBinaryPath << ") failed. Result: " << result);
486 RUNNER_CHILD_TEST_SMACK(security_manager_04_set_label_from_appid)
488 const char *const app_id = "sm_test_app_id_set_label_from_appid";
489 const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
490 const char *const expected_label = USER_APP_ID;
495 uninstall_app(app_id, pkg_id, false, true);
496 install_app(app_id, pkg_id);
498 result = security_manager_set_process_label_from_appid(app_id);
499 RUNNER_ASSERT_MSG_BT(result == SECURITY_MANAGER_SUCCESS,
500 "security_manager_set_process_label_from_appid(" <<
501 app_id << ") failed. Result: " << result);
503 result = smack_new_label_from_self(&label);
504 RUNNER_ASSERT_MSG_BT(result >= 0,
505 " Error getting current process label");
506 RUNNER_ASSERT_MSG_BT(label != NULL,
507 " Process label is not set");
508 labelPtr.reset(label);
510 result = strcmp(expected_label, label);
511 RUNNER_ASSERT_MSG_BT(result == 0,
512 " Process label is incorrect. Expected: \"" << expected_label <<
513 "\" Actual: \"" << label << "\"");
515 uninstall_app(app_id, pkg_id, true, true);
518 RUNNER_CHILD_TEST_NOSMACK(security_manager_04_set_label_from_appid_nosmack)
520 const char *const app_id = "sm_test_app_id_set_label_from_appid";
521 const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
524 uninstall_app(app_id, pkg_id, false, true);
525 install_app(app_id, pkg_id);
527 result = security_manager_set_process_label_from_appid(app_id);
528 RUNNER_ASSERT_MSG_BT(result == SECURITY_MANAGER_SUCCESS,
529 "security_manager_set_process_label_from_appid(" <<
530 app_id << ") failed. Result: " << result);
532 uninstall_app(app_id, pkg_id, true, true);
535 int main(int argc, char *argv[])
537 SummaryCollector::Register();
538 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);