/**
* @file libprivilege-control-test.cpp
* @author Jan Olszak (j.olszak@samsung.com)
+ * @author Lukasz Wojciechowski (l.wojciechow@partner.samsung.com)
* @version 1.0
* @brief Main file for libprivilege-control unit tests.
*/
-#include <string>
+#include <fcntl.h>
+#include <fstream>
+#include <iostream>
#include <set>
-#include <libprivilege-control_test_common.h>
+#include <string>
+#include <string.h>
+#include <sys/sendfile.h>
#include <sys/smack.h>
-#include <dpl/test/test_runner.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <vector>
+#include <grp.h>
+#include <pwd.h>
+
+#include <libprivilege-control_test_common.h>
+#include <tests_common.h>
+#include "common/duplicates.h"
#define CANARY_LABEL "tiny_yellow_canary"
-const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
+const char *PRIVS1[] = { "WRT", "test_privilege_control_rules1", NULL };
const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
+const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
+const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
+const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
+const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL };
-const char* PRIV_APPSETTING[] {"org.tizen.privilege.appsetting", NULL};
-
-void cleaning_smack_app_files (void)
+const char *PRIV_APPSETTING[] {"org.tizen.privilege.appsetting", NULL};
+const char *PRIV_APPSETTING_RULES[] = { "~APP~ ~SETTINGS_PATH~ rwx",
+ "~APP~ ~ALL_APPS~ rx",
+ NULL};
+/**
+ * Check if every rule is true.
+ * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't, -1 on failure
+ */
+int test_have_all_accesses(const rules_t &rules)
{
- unlink(SMACK_RULES_DIR APP_TEST_APP_1);
- unlink(SMACK_RULES_DIR APP_TEST_APP_2);
- unlink(SMACK_RULES_DIR APP_TEST_APP_3);
- unlink(SMACK_RULES_DIR APP_TEST_AV_1);
- unlink(SMACK_RULES_DIR APP_TEST_AV_2);
- unlink(SMACK_RULES_DIR APP_TEST_AV_3);
+ int result = 1;
+ for (uint i = 0; i < rules.size(); ++i) {
+ int access = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
+ if (access < 0)
+ return -1;
+ if (access == 0)
+ result = 0;
+ }
+ return result;
}
/**
* Check if every rule is true.
- * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
+ * @return 1 if ANY rule in SMACK, 0 if NO rule in SMACK, -1 on failure
*/
-int test_have_all_accesses(const std::vector< std::vector<std::string> > &rules)
+int test_have_any_accesses(const rules_t &rules)
{
- int result;
+ int result = 0;
for (uint i = 0; i < rules.size(); ++i) {
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result != 1)
- return result;
+ int access = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
+ if (access < 0)
+ return -1;
+ if (access > 0)
+ result = 1;
}
- return 1;
+ return result;
}
/**
- * Check if every rule is true.
- * @return 1 if ANY rule in SMACK, 0 if
+ * NOSMACK version of test_have_accesses functions.
+ *
+ * This will be used in many tests. Checks if for every rule smack_have_access returns error.
+ * If for any of rules smack_have_access will return something different than error, this result
+ * is being returned to caller.
*/
-int test_have_any_accesses(const std::vector< std::vector<std::string> > &rules)
+int test_have_nosmack_accesses(const rules_t &rules)
{
int result;
for (uint i = 0; i < rules.size(); ++i) {
result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result == 1)
- return 1;
+ if (result != -1)
+ return result;
}
- return 0;
+ return -1;
+}
+
+bool check_all_accesses(bool smack, const rules_t &rules)
+{
+ if (smack)
+ return test_have_all_accesses(rules) == 1;
+ else
+ return test_have_nosmack_accesses(rules) == -1;
+}
+
+bool check_no_accesses(bool smack, const rules_t &rules)
+{
+ if (smack)
+ return test_have_any_accesses(rules) == 0;
+ else
+ return test_have_nosmack_accesses(rules) == -1;
}
void read_gids(std::set<unsigned> &set, const char *file_path)
{
FILE *f = fopen(file_path, "r");
- RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
+ RUNNER_ASSERT_MSG_BT(f != NULL, "Unable to open file " << file_path);
unsigned gid;
while (fscanf(f, "%u\n", &gid) == 1) {
set.insert(gid);
}
+ fclose(f);
}
-void check_groups(const char *dac_file)
+void read_user_gids(std::set<unsigned> &set, const uid_t user_id)
{
- std::set<unsigned> groups_check;
- read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
- read_gids(groups_check, dac_file);
+ int ret;
+
+ struct passwd *pw = getpwuid(user_id);
+ RUNNER_ASSERT_MSG_BT(pw != NULL, "getpwuid() failed.");
+
+ int groups_cnt = 0;
+ gid_t *groups_list = NULL;
+ ret = getgrouplist(pw->pw_name, pw->pw_gid, groups_list, &groups_cnt);
+ RUNNER_ASSERT_MSG_BT(ret == -1, "getgrouplist() failed.");
+ if (groups_cnt == 0)
+ return;
+ groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
+ RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed.");
+
+ ret = getgrouplist(pw->pw_name, pw->pw_gid, groups_list, &groups_cnt);
+ if (ret == -1) {
+ free(groups_list);
+ RUNNER_ASSERT_MSG_BT(false, "getgrouplist() failed.");
+ }
+
+ for (int i = 0; i < groups_cnt; ++i) {
+ set.insert(groups_list[i]);
+ }
+ free(groups_list);
+}
+void read_current_gids(std::set<unsigned> &set)
+{
int groups_cnt = getgroups(0, NULL);
- RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
+ RUNNER_ASSERT_MSG_BT(groups_cnt > 0, "Wrong number of supplementary groups.");
gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
- RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
- RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
+ RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed.");
+ if (getgroups(groups_cnt, groups_list) == -1){
+ free(groups_list);
+ RUNNER_ASSERT_MSG_BT(false, "getgroups failed.");
+ }
for (int i = 0; i < groups_cnt; ++i) {
- //getgroups() can return multiple number of the same group
- //they are returned in sequence, so we will given number when last
- //element of this number is reached
- if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i]))
- continue;
- if (groups_check.erase(groups_list[i]) == 0) {
- // getgroups() may also return process' main group
- if (groups_list[i] != getgid())
- RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
- }
+ set.insert(groups_list[i]);
}
free(groups_list);
+}
+
+void check_groups(const std::set<unsigned> &groups_prev, const char *dac_file)
+{
+ std::set<unsigned> groups_check;
+ std::set<unsigned> groups_current;
+ if(dac_file != NULL)
+ read_gids(groups_check, dac_file);
+ read_current_gids(groups_current);
+
std::string groups_left;
- for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
+ for (auto it = groups_prev.begin(); it != groups_prev.end(); ++it)
+ {
+ (void)groups_check.erase(*it);
+ if(groups_current.erase(*it) == 0)
+ groups_left.append(std::to_string(*it)).append(" ");
+ }
+ RUNNER_ASSERT_MSG_BT(groups_left.empty(),
+ "Application lost some groups: " << groups_left);
+
+ for (auto it = groups_check.begin(); it != groups_check.end(); ++it)
+ {
+ if(groups_current.erase(*it) == 0)
+ groups_left.append(std::to_string(*it)).append(" ");
+ }
+ RUNNER_ASSERT_MSG_BT(groups_left.empty(),
+ "Application doesn't belong to some required groups: " << groups_left);
+
+ for (auto it = groups_current.begin(); it != groups_current.end(); ++it)
+ {
groups_left.append(std::to_string(*it)).append(" ");
}
- RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
+ RUNNER_ASSERT_MSG_BT(groups_left.empty(),
+ "Application belongs to groups it should't belong to: " << groups_left);
+}
+
+int file_exists(const char *path)
+{
+ FILE *file = fopen(path, "r");
+ if (file) {
+ fclose(file);
+ return 0;
+ }
+ return -1;
+}
+
+void check_app_installed(const char *app_path)
+{
+ RUNNER_ASSERT_MSG_BT(file_exists(app_path) == 0,
+ " App not installed: " << app_path);
}
int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
int result;
- char *label;
+ CStringPtr labelPtr;
+ char* label = NULL;
/* ACCESS */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG_BT(labelPtr.get() != NULL, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(APPID_DIR, labelPtr.get());
+ RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect");
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
- RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
+ RUNNER_ASSERT_MSG_BT(labelPtr.get() != NULL, "EXEC label on " << fpath << " is not set");
+ result = strcmp(APPID_DIR, labelPtr.get());
+ RUNNER_ASSERT_MSG_BT(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
} else if (S_ISLNK(sb->st_mode)) {
struct stat buf;
char *target = realpath(fpath, NULL);
- RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
+ RUNNER_ASSERT_MSG_BT(0 == stat(target, &buf),"Stat failed for " << fpath);
free(target);
if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
- RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+ RUNNER_ASSERT_MSG_BT(labelPtr.get() == NULL, "EXEC label on " << fpath << " is set");
} else {
- RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
+ RUNNER_ASSERT_MSG_BT(labelPtr.get() != NULL, "EXEC label on " << fpath << " is not set");
+ result = strcmp(APPID_DIR, labelPtr.get());
+ RUNNER_ASSERT_MSG_BT(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
}
} else
- RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+ RUNNER_ASSERT_MSG_BT(labelPtr.get() == NULL, "EXEC label on " << fpath << " is set");
/* TRANSMUTE */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG_BT(labelPtr.get() == NULL, "TRANSMUTE label on " << fpath << " is set");
return 0;
}
int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
int result;
- char *label;
+ CStringPtr labelPtr;
+ char* label = NULL;
/* ACCESS */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(CANARY_LABEL, label);
- RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ result = strcmp(CANARY_LABEL, labelPtr.get());
+ RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is overwritten");
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(CANARY_LABEL, label);
- RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ result = strcmp(CANARY_LABEL, labelPtr.get());
+ RUNNER_ASSERT_MSG_BT(result == 0, "EXEC label on " << fpath << " is overwritten");
/* TRANSMUTE */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG_BT(labelPtr.get() == NULL, "TRANSMUTE label on " << fpath << " is set");
return 0;
}
+
+void test_revoke_permissions(int line_no, const char* app_id, const rules_t &rules, bool smack)
+{
+ int result;
+
+ // Cleanup
+ DB_BEGIN
+
+ result = perm_app_uninstall(app_id);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ "perm_app_uninstall returned " << result);
+
+ // Close transaction to commit uninstallation before further actions
+ DB_END
+
+ DB_BEGIN
+
+ // Install test apps
+ result = perm_app_install(app_id);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ "perm_app_install returned " << result);
+
+ // Close transaction to commit installation before further actions
+ DB_END
+
+ DB_BEGIN
+
+ // TEST:
+ // Revoke permissions
+ result = perm_app_revoke_permissions(app_id);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ "Error revoking app permissions. Result: " << result);
+
+ DB_END
+
+ // Are all the permissions revoked?
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules), "Line: " << line_no <<
+ "Not all permisions revoked.");
+
+ DB_BEGIN
+
+ // Cleanup - uninstall test apps
+ result = perm_app_uninstall(app_id);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ "perm_app_uninstall returned " << result);
+
+ DB_END
+}
+
+void test_app_enable_permissions_efl(bool smack)
+{
+ int result;
+
+ DB_BEGIN
+
+ // Prepare
+ result = perm_app_uninstall(EFL_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+ result = perm_app_install(EFL_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_install failed: " << result);
+
+ // Register a permission:
+ result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error registering app permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
+ "SMACK accesses not granted for EFL_APP");
+
+ DB_BEGIN
+
+ // Cleanup
+ result = perm_app_uninstall(EFL_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+
+ DB_END
+}
+
+void test_app_disable_permissions_efl(bool smack)
+{
+ int result;
+
+ DB_BEGIN
+
+ // Prepare
+ result = perm_app_uninstall(EFL_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+
+ result = perm_app_install(EFL_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_install failed: " << result);
+
+ // Register a permission
+ result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error registering app permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
+ "SMACK accesses not granted for EFL_APP");
+
+ DB_BEGIN
+
+ // Disable a permission
+ result = perm_app_disable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
+ "SMACK accesses not disabled for EFL_APP");
+
+ DB_BEGIN
+
+ // Cleanup
+ result = perm_app_uninstall(EFL_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+
+ DB_END
+}
+
+void test_app_disable_permissions(bool smack)
+{
+ int result;
+
+ DB_BEGIN
+
+ // Prepare
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_install failed: " << result);
+/**
+ * Test - disable all granted permissions.
+ */
+
+ // Prepare permissions that we want to disable
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
+
+ DB_END
+
+ // Are all the permissions enabled?
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules2), "Not all permisions enabled.");
+
+ DB_BEGIN
+
+ // Disable permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ DB_END
+
+ // Are all the permissions disabled?
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2), "Not all permisions disabled.");
+
+/**
+ * Test - disable some granted permissions leaving non complementary and then disabling those too.
+ */
+
+ DB_BEGIN
+
+ // Prepare permissions that will not be disabled
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS1, true);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error adding app first permissions. Result: " << result);
+
+ // Prepare permissions that we want to disable
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error adding app second permissions. Result: " << result);
+
+ // Disable second permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app second permissions. Result: " << result);
+
+ DB_END
+
+ // Are all second permissions disabled?
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2), "Not all first permisions disabled.");
+
+ // Are all first permissions not disabled?
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules1), "Some of second permissions disabled.");
+
+ DB_BEGIN
+
+ // Disable first permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app first permissions. Result: " << result);
+
+ DB_END
+
+ // Are all second permissions disabled?
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules1), "Not all second permisions disabled.");
+
+/**
+ * Test - disable only no r granted permissions.
+ */
+
+ DB_BEGIN
+
+ // Prepare permissions
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, true);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app r permissions. Result: " << result);
+
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, true);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app no r permissions. Result: " << result);
+
+ // Disable same permissions without r
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app no r permissions. Result: " << result);
+
+ DB_END
+
+ // Is any r permissions disabled?
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules2_r), "Some of r permissions disabled.");
+ // Are all no r permissions disabled?
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2_no_r), "Not all no r permissions disabled.");
+
+ DB_BEGIN
+
+ // Prepare permissions
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error adding app no r permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules2_no_r), "Not all no r permissions enabled.");
+
+ DB_BEGIN
+
+ // Disable all permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2_r), "Not all r permissions disabled.");
+
+ DB_BEGIN
+
+ // Clean up after test:
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+}
+
+void test_appsettings_privilege(bool smack)
+{
+ int ret;
+ CStringPtr app1DirLabelPtr;
+ CStringPtr app2DirLabelPtr;
+ char* label = NULL;
+
+ DB_BEGIN
+
+ (void)perm_app_uninstall(APP_TEST);
+ (void)perm_app_uninstall(APP_1);
+ (void)perm_app_uninstall(APP_2);
+
+ //install some app 1
+ ret = perm_app_install(APP_1);
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install." << ret);
+
+ mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
+
+ //register settings folder for app 1
+ ret = perm_app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW );
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
+
+ //install "app_test" and give it appsettings privilege
+ ret = perm_app_install(APP_TEST);
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
+
+ //register appsettings feature
+ ret = perm_add_api_feature(APP_TYPE_OSP, PRIV_APPSETTING[0], PRIV_APPSETTING_RULES, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
+ " Error registering api feature. Result: " << ret);
+
+ ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << ret);
+
+ DB_END
+
+ //check if "app_test" has an RX access to the app "app_1"
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{APP_TEST, APP_1, "rx"}}), "access denied");
+
+ //check if "app_test" has an RWX access to a folder registered by "app_1"
+ ret = smack_getlabel(APP_1_DIR, &label, SMACK_LABEL_ACCESS );
+ app1DirLabelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{APP_TEST, app1DirLabelPtr.get(), "rwx"}}), "access denied to smack label: " << app1DirLabelPtr.get());
+
+
+ DB_BEGIN
+
+ //intstall another app: "app_2"
+ ret = perm_app_install(APP_2);
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
+
+ mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
+ //register settings folder for that "app_2"
+ ret = perm_app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW );
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
+
+ DB_END
+
+ //check if "app_test" has an RX access to the app "app_2"
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{APP_TEST, APP_2, "rx"}}), "access denied");
+
+ //check if "app_test" has an RWX access to a folder registered by "app_2"
+ ret = smack_getlabel(APP_2_DIR, &label, SMACK_LABEL_ACCESS );
+ app2DirLabelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{APP_TEST, app2DirLabelPtr.get(), "rwx"}}), "access denies");
+
+ rmdir(APP_1_DIR);
+ rmdir(APP_2_DIR);
+
+ DB_BEGIN
+
+ (void)perm_app_uninstall(APP_TEST);
+ (void)perm_app_uninstall(APP_1);
+ (void)perm_app_uninstall(APP_2);
+
+ DB_END
+}
projects / platform / core / test / security-tests.git / blobdiff