#include <sys/stat.h>
#include <sys/types.h>
#include <vector>
+#include <grp.h>
+#include <pwd.h>
#include <libprivilege-control_test_common.h>
#include <tests_common.h>
#include "common/duplicates.h"
+#include <memory.h>
#define CANARY_LABEL "tiny_yellow_canary"
-const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
+const char *USER_APP_ID = "User";
+
+const char *PRIVS1[] = { "WRT", "test_privilege_control_rules1", NULL };
const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL };
-const char* PRIV_APPSETTING[] {"org.tizen.privilege.appsetting", NULL};
-
-const char* PRIVS_AV[] = { "org.tizen.privilege.antivirus", NULL };
-
-bool DBBackup::backupfile(const std::string& src, const std::string& dst)
-{
- int fdsrc = TEMP_FAILURE_RETRY(open(src.c_str(), O_RDONLY));
- if (fdsrc == -1)
- return false;
- FDUniquePtr FdPtrSrc(&fdsrc, closeFdPtr);
-
- struct stat stat_source;
- if (fstat(fdsrc, &stat_source) == -1)
- return false;
-
- int fddst = TEMP_FAILURE_RETRY(open(dst.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0644));
- if (fddst == -1)
- return false;
- FDUniquePtr FdPtrDst(&fddst, closeFdPtr);
-
- if (sendfile(fddst, fdsrc, 0, stat_source.st_size) == -1)
- return false;
-
- return true;
-}
-
-bool DBBackup::restorefile(const std::string& src, const std::string& dst)
-{
- if (rename(src.c_str(), dst.c_str()) == -1)
- return false;
-
- return true;
-}
-
-DBBackup::DBBackup()
-{
- RUNNER_ASSERT_MSG_BT(backupfile(RDB_PATH, RDB_PATH_BACKUP),
- "libprivilege DB backup failed. Errno: " << strerror(errno));
-}
-
-DBBackup::~DBBackup()
-{
- if (!restorefile(RDB_PATH_BACKUP, RDB_PATH)) {
-
- std::string fatal_error =
- "\n\n"
- "!!! !!!\n"
- "!!! FATAL ERROR - libprivilege DB restoring failed. !!!\n"
- "!!! libprivilege-control tests are not valid. !!!\n"
- "!!! Reinstall libprivilege-control package. !!!\n"
- "!!! !!!\n";
-
- if (std::uncaught_exception()) // don't throw!
- std::cerr << fatal_error << std::flush;
- else
- RUNNER_ASSERT_MSG_BT(false, fatal_error);
- }
-}
-
+const char *PRIV_APPSETTING[] {"org.tizen.privilege.appsetting", NULL};
+const char *PRIV_APPSETTING_RULES[] = { "~APP~ ~SETTINGS_PATH~ rwx",
+ "~APP~ ~ALL_APPS~ rx",
+ NULL};
/**
* Check if every rule is true.
* @return 1 if ALL rules in SMACK, 0 if ANY rule isn't, -1 on failure
fclose(f);
}
-void check_groups(const char *dac_file)
+void read_user_gids(std::set<unsigned> &set, const uid_t user_id)
{
- std::set<unsigned> groups_check;
- read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
- read_gids(groups_check, dac_file);
+ int ret;
+
+ struct passwd *pw = getpwuid(user_id);
+ RUNNER_ASSERT_MSG_BT(pw != NULL, "getpwuid() failed.");
+
+ int groups_cnt = 0;
+ gid_t *groups_list = NULL;
+ ret = getgrouplist(pw->pw_name, pw->pw_gid, groups_list, &groups_cnt);
+ RUNNER_ASSERT_MSG_BT(ret == -1, "getgrouplist() failed.");
+ if (groups_cnt == 0)
+ return;
+ groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
+ RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed.");
+
+ ret = getgrouplist(pw->pw_name, pw->pw_gid, groups_list, &groups_cnt);
+ if (ret == -1) {
+ free(groups_list);
+ RUNNER_ASSERT_MSG_BT(false, "getgrouplist() failed.");
+ }
+ for (int i = 0; i < groups_cnt; ++i) {
+ set.insert(groups_list[i]);
+ }
+ free(groups_list);
+}
+
+void read_current_gids(std::set<unsigned> &set)
+{
int groups_cnt = getgroups(0, NULL);
- RUNNER_ASSERT_MSG_BT(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
+ RUNNER_ASSERT_MSG_BT(groups_cnt > 0, "Wrong number of supplementary groups.");
gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
- RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed");
- RUNNER_ASSERT_BT(-1 != getgroups(groups_cnt, groups_list));
+ RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed.");
+ if (getgroups(groups_cnt, groups_list) == -1){
+ free(groups_list);
+ RUNNER_ASSERT_MSG_BT(false, "getgroups failed.");
+ }
for (int i = 0; i < groups_cnt; ++i) {
- //getgroups() can return multiple number of the same group
- //they are returned in sequence, so we will given number when last
- //element of this number is reached
- if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i]))
- continue;
- if (groups_check.erase(groups_list[i]) == 0) {
- // getgroups() may also return process' main group
- if (groups_list[i] != getgid())
- RUNNER_ASSERT_MSG_BT(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
- }
+ set.insert(groups_list[i]);
}
free(groups_list);
+}
+
+void check_groups(const std::set<unsigned> &groups_prev, const char *dac_file)
+{
+ std::set<unsigned> groups_check;
+ std::set<unsigned> groups_current;
+ if(dac_file != NULL)
+ read_gids(groups_check, dac_file);
+ read_current_gids(groups_current);
+
std::string groups_left;
- for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
+ for (auto it = groups_prev.begin(); it != groups_prev.end(); ++it)
+ {
+ (void)groups_check.erase(*it);
+ if(groups_current.erase(*it) == 0)
+ groups_left.append(std::to_string(*it)).append(" ");
+ }
+ RUNNER_ASSERT_MSG_BT(groups_left.empty(),
+ "Application lost some groups: " << groups_left);
+
+ for (auto it = groups_check.begin(); it != groups_check.end(); ++it)
+ {
+ if(groups_current.erase(*it) == 0)
+ groups_left.append(std::to_string(*it)).append(" ");
+ }
+ RUNNER_ASSERT_MSG_BT(groups_left.empty(),
+ "Application doesn't belong to some required groups: " << groups_left);
+
+ for (auto it = groups_current.begin(); it != groups_current.end(); ++it)
+ {
groups_left.append(std::to_string(*it)).append(" ");
}
- RUNNER_ASSERT_MSG_BT(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
+ RUNNER_ASSERT_MSG_BT(groups_left.empty(),
+ "Application belongs to groups it should't belong to: " << groups_left);
}
int file_exists(const char *path)
return -1;
}
-void check_app_installed(int line_no, const char *app_path)
+void check_app_installed(const char *app_path)
{
- RUNNER_ASSERT_MSG_BT(file_exists(app_path) == 0, "Line: " << line_no <<
+ RUNNER_ASSERT_MSG_BT(file_exists(app_path) == 0,
" App not installed: " << app_path);
}
labelPtr.reset(label);
RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
RUNNER_ASSERT_MSG_BT(labelPtr.get() != NULL, "ACCESS label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, labelPtr.get());
+ result = strcmp(USER_APP_ID, labelPtr.get());
RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect");
/* EXEC */
RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
RUNNER_ASSERT_MSG_BT(labelPtr.get() != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, labelPtr.get());
+ result = strcmp(USER_APP_ID, labelPtr.get());
RUNNER_ASSERT_MSG_BT(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
- } else if (S_ISLNK(sb->st_mode)) {
- struct stat buf;
- char *target = realpath(fpath, NULL);
- RUNNER_ASSERT_MSG_BT(0 == stat(target, &buf),"Stat failed for " << fpath);
- free(target);
- if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
- RUNNER_ASSERT_MSG_BT(labelPtr.get() == NULL, "EXEC label on " << fpath << " is set");
- } else {
- RUNNER_ASSERT_MSG_BT(labelPtr.get() != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, labelPtr.get());
- RUNNER_ASSERT_MSG_BT(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
- }
} else
RUNNER_ASSERT_MSG_BT(labelPtr.get() == NULL, "EXEC label on " << fpath << " is set");
return 0;
}
-void check_app_has_permission(const char* app_id, const app_type_t app_type,
- const char *perm_list[], const int expected_result)
-{
- int result = PC_OPERATION_SUCCESS;
- bool has_permission = false;
-
- for (int i = 0; perm_list[i] != NULL; i++) {
- result = perm_app_has_permission(app_id, app_type, perm_list[i], &has_permission);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_has_permission failed with result: " << result);
- RUNNER_ASSERT_MSG_BT(has_permission == expected_result,
- "Unexpected result, perm_app_has_permission returned: " << has_permission
- << ", expected: " << expected_result);
- }
-}
-void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
-{
- int result;
- result = smack_have_access(av_id, app_id, "rwx");
- RUNNER_ASSERT_MSG_BT(result == 1,
- "Error while checking " << av_id << " rwx access to "
- << app_id << " " << comment << " Result: " << result);
- result = smack_have_access(av_id, app_id, "a");
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Error while checking " << av_id << " a access to "
- << app_id << " " << comment << " Result: " << result);
- result = smack_have_access(av_id, app_id, "t");
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Error while checking " << av_id << " t access to "
- << app_id << " " << comment << " Result: " << result);
-}
-
-/**
- * NOSMACK version of checkOnlyAvAccess function.
- *
- * Expects error instead of access granted/forbidden from smack_have_access.
- */
-void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment)
-{
- int result;
- result = smack_have_access(av_id, app_id, "rwx");
- RUNNER_ASSERT_MSG_BT(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result
- << " when testing " << comment);
- result = smack_have_access(av_id, app_id, "a");
- RUNNER_ASSERT_MSG_BT(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result
- << " when testing " << comment);
- result = smack_have_access(av_id, app_id, "t");
- RUNNER_ASSERT_MSG_BT(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result
- << " when testing " << comment);
-}
-
-void test_revoke_permissions(int line_no, const char* app_id, const rules_t &rules, bool smack)
+void test_revoke_permissions(int line_no, const char* app_id)
{
int result;
DB_END
- // Are all the permissions revoked?
- RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules), "Line: " << line_no <<
- "Not all permisions revoked.");
-
DB_BEGIN
// Cleanup - uninstall test apps
"perm_app_install failed: " << result);
// Register a permission:
- result = perm_app_setup_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
+ result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error registering app permissions. Result: " << result);
DB_END
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{USER_APP_ID,"test_book_efl", "r"}}),
"SMACK accesses not granted for EFL_APP");
- // Check if permission is assigned to app in db
- check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
-
DB_BEGIN
// Cleanup
"perm_app_uninstall failed: " << result);
DB_END
-
- // Check if permission is disabled in db
- check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false);
}
void test_app_disable_permissions_efl(bool smack)
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"perm_app_install failed: " << result);
+ result = perm_app_disable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, {{USER_APP_ID,"test_book_efl", "r"}}),
+ "SMACK accesses not disabled for EFL_APP");
+
+ DB_BEGIN
+
// Register a permission
- result = perm_app_setup_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
+ result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error registering app permissions. Result: " << result);
DB_END
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{USER_APP_ID,"test_book_efl", "r"}}),
"SMACK accesses not granted for EFL_APP");
- // Check if permission is assigned to app in db
- check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
-
DB_BEGIN
// Disable a permission
DB_END
- RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, {{USER_APP_ID,"test_book_efl", "r"}}),
"SMACK accesses not disabled for EFL_APP");
- // Check if permission is disabled in db
- check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false);
-
DB_BEGIN
// Cleanup
result = perm_app_install(WGT_APP_ID);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"perm_app_install failed: " << result);
+
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app first permissions. Result: " << result);
+
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app no r permissions. Result: " << result);
+
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app r permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2),
+ "SMACK accesses not disabled.");
+
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules1),
+ "SMACK accesses not disabled.");
+
+ DB_BEGIN
+
/**
* Test - disable all granted permissions.
*/
// Prepare permissions that we want to disable
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
// Are all the permissions enabled?
RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules2), "Not all permisions enabled.");
- // Check if permissions are enabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
-
DB_BEGIN
// Disable permissions
// Are all the permissions disabled?
RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2), "Not all permisions disabled.");
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
-
/**
* Test - disable some granted permissions leaving non complementary and then disabling those too.
*/
DB_BEGIN
// Prepare permissions that will not be disabled
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS1, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error adding app first permissions. Result: " << result);
// Prepare permissions that we want to disable
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error adding app second permissions. Result: " << result);
RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2), "Not all first permisions disabled.");
// Are all first permissions not disabled?
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules_wgt2), "Some of second permissions disabled.");
-
- // Check if second permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
- // Check if first permission is enabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS, true);
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules1), "Some of second permissions disabled.");
DB_BEGIN
// Disable first permissions
- result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS);
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS1);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error disabling app first permissions. Result: " << result);
DB_END
// Are all second permissions disabled?
- RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules_wgt2), "Not all second permisions disabled.");
-
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS, false);
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules1), "Not all second permisions disabled.");
/**
* Test - disable only no r granted permissions.
DB_BEGIN
// Prepare permissions
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app r permissions. Result: " << result);
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app no r permissions. Result: " << result);
// Are all no r permissions disabled?
RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2_no_r), "Not all no r permissions disabled.");
- // Check if second permission is enabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, true);
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
-
DB_BEGIN
// Prepare permissions
- result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error adding app no r permissions. Result: " << result);
RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2_r), "Not all r permissions disabled.");
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
-
DB_BEGIN
// Clean up after test:
ret = perm_app_install(APP_TEST);
RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
+ //register appsettings feature
+ ret = perm_add_api_feature(APP_TYPE_OSP, PRIV_APPSETTING[0], PRIV_APPSETTING_RULES, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
+ " Error registering api feature. Result: " << ret);
- ret = perm_app_setup_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING);
+ ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, false);
RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << ret);
DB_END
- //check if "app_test" has an RX access to the app "app_1"
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{APP_TEST, APP_1, "rx"}}), "access denied");
-
//check if "app_test" has an RWX access to a folder registered by "app_1"
ret = smack_getlabel(APP_1_DIR, &label, SMACK_LABEL_ACCESS );
app1DirLabelPtr.reset(label);
RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{APP_TEST, app1DirLabelPtr.get(), "rwx"}}), "access denied to smack label: " << app1DirLabelPtr.get());
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{USER_APP_ID, app1DirLabelPtr.get(), "rwx"}}), "access denied to smack label: " << app1DirLabelPtr.get());
DB_BEGIN
DB_END
- //check if "app_test" has an RX access to the app "app_2"
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{APP_TEST, APP_2, "rx"}}), "access denied");
-
//check if "app_test" has an RWX access to a folder registered by "app_2"
ret = smack_getlabel(APP_2_DIR, &label, SMACK_LABEL_ACCESS );
app2DirLabelPtr.reset(label);
RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{APP_TEST, app2DirLabelPtr.get(), "rwx"}}), "access denies");
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{USER_APP_ID, app2DirLabelPtr.get(), "rwx"}}), "access denies");
rmdir(APP_1_DIR);
rmdir(APP_2_DIR);
DB_END
}
-
-// This function takes libprivilege additional smack_rules in same format as libprivilege,
-// parses them in same way as libprivilege.
-// If functions succeeds in parsing it returns true and fills rules parameter with parsed rules.
-// If smack_rules cannot be parsed false is returned.
-bool additional_rules_parse(const char** smack_rules, additional_rules& rules)
-{
- const size_t ACC_LEN = 6;
- rules.clear();
- for (int i = 0; smack_rules[i] != NULL ; ++i)
- {
- std::string line(smack_rules[i]);
- additional_rule rule;
-
- // Ignore empty lines
- if (line.find_first_not_of(" \t\n") == std::string::npos)
- continue;
-
- // Split
- std::stringstream(line) >> rule.subject >> rule.object >> rule.access;
- // If last element is empty - split failed
- if (rule.access.empty() || rule.object.length() > SMACK_LABEL_LEN ||
- rule.subject.length() > SMACK_LABEL_LEN || rule.access.length() > ACC_LEN)
- return false;
- rule.reverse = false;
-
- // Rearrange
- if (is_wildcard(rule.subject))
- {
- rule.subject.swap(rule.object);
- rule.reverse = true;
- }
-
- // Check validity of subject
- if (!smack_label_is_valid(rule.subject))
- return false;
-
- rules.push_back(rule);
- }
- return true;
-}
-
-void restore_original_additional_rules(void)
-{
- std::ifstream file("/usr/share/privilege-control/ADDITIONAL_RULES.smack");
- std::string line;
- std::vector<const char*> rules;
-
- while(std::getline(file, line))
- rules.push_back(strdupa(line.c_str()));
- rules.push_back(NULL);
-
- perm_add_additional_rules(rules.data());
-}