* @author Jan Olszak (j.olszak@samsung.com)
* @author Rafal Krypa (r.krypa@samsung.com)
* @version 1.0
- * @brief libprivilege-control test runer
+ * @brief libprivilege-control test runner
*/
#include <string>
-#include <stdio.h>
-#include <fcntl.h>
-#include <stdio.h>
#include <vector>
-#include <errno.h>
#include <memory>
-#include <ftw.h>
+#include <fstream>
+#include <sstream>
+
+#include <fcntl.h>
+#include <errno.h>
#include <unistd.h>
-#include <dpl/test/test_runner.h>
-#include <dpl/test/test_runner_child.h>
-#include <dpl/test/test_runner_multiprocess.h>
-#include <dpl/log/log.h>
+
#include <sys/types.h>
#include <sys/stat.h>
-#include <sys/mman.h>
-#include <sys/xattr.h>
-#include <sys/smack.h>
-#include <sys/types.h>
+
#include <sys/socket.h>
#include <sys/un.h>
+#include <sys/smack.h>
+
#include <privilege-control.h>
-#include <fstream>
-#include <sstream>
-#include <sys/stat.h>
+#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_child.h>
+#include <dpl/test/test_runner_multiprocess.h>
+#include <dpl/log/log.h>
#include <tests_common.h>
+#include <libprivilege-control_test_common.h>
-#define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/"
-#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
-#define SMACK_LOAD2 "/smack/load2"
-#define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
-#define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
-#define APPID_DIR "test_APP_ID_dir"
-#define APPID_SHARED_DIR "test_APP_ID_shared_dir"
-#define CANARY_LABEL "tiny_yellow_canary"
+#include <iostream>
-#define APP_ID "test_APP"
-#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
-#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
+#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
#define EFL_APP_ID "EFL_APP_ID"
-#define WGT_APP_ID "QwCqJ0ttyS"
-#define WGT_PARTNER_APP_ID "7btsV1Y0sX"
-#define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
-#define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
-#define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
-#define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
-#define OSP_APP_ID "uqNfgEjqc7"
-#define OSP_PARTNER_APP_ID "j4RuPsZrNt"
-#define OSP_PLATFORM_APP_ID "V5LKqDFBXm"
-#define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp"
-#define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner"
-#define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform"
#define EARLY_RULE_SUBJECT "livebox.web-provider"
#define EARLY_RULE_RIGHTS "rwx---"
-const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
-const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
-const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
-const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
-const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
-const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
-const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
-const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL };
-
-
-#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
-#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
-#define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
-#define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac"
-
-#define APP_TEST_APP_1 "test-application1"
-#define APP_TEST_APP_2 "test-application_2"
-#define APP_TEST_APP_3 "test-app-3"
-#define APP_TEST_AV_1 "test-antivirus1"
-#define APP_TEST_AV_2 "test-antivirus_2"
-#define APP_TEST_AV_3 "test-av-3"
-
-#define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1"
-#define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2"
-#define APP_TEST_AV_ASP1 "test-app-av-asp1"
-#define APP_TEST_AV_ASP2 "test-app-av-asp2"
-
-#define SOCK_PATH "/tmp/test-smack-socket"
+#define SMACK_ACC_LEN 6
-#define APP_GID 5000
-#define APP_UID 5000
-#define APP_USER_NAME "app"
-#define APP_HOME_DIR "/opt/home/app"
+#define APP_1 "app_1"
+#define APP_1_DIR "/tmp/app_1"
-#define APP_FRIEND_1 "app_friend_1"
-#define APP_FRIEND_2 "app_friend_2"
+#define APP_2 "app_2"
+#define APP_2_DIR "/tmp/app_2"
-#define SMACK_ACC_LEN 6
+#define APP_TEST "app_test"
-// How many open file descriptors should ftw() function use?
-#define FTW_MAX_FDS 16
-
-// ---- Macros and arrays used in stress tests ----
-#define TEST_OSP_FEATURE_APP_ID "test-osp-feature-app"
-#define TEST_WGT_FEATURE_APP_ID "test-wgt-feature-app"
-#define TEST_OSP_FEATURE "OSP_test-feature.osp_rxl"
-#define TEST_WGT_FEATURE "WGT_test-feature.wgt_rxl"
-// OSP Api Feature Test data - gives rxl access to OSP app and rl access to WGT app also!
-const char *FILE_PATH_TEST_OSP_FEATURE = "/usr/share/privilege-control/OSP_test-feature.osp_rxl.smack";
-const char *test_osp_feature_rule_set[] = { "~APP~ " TEST_OSP_FEATURE_APP_ID " rxl",
- "~APP~ " TEST_WGT_FEATURE_APP_ID " rl",
- NULL };
-const char *TEST_OSP_FEATURE_PRIVS[] = { TEST_OSP_FEATURE, NULL };
-// WGT Api Feature Test data - rwx access only to WGT app
-const char *FILE_PATH_TEST_WGT_FEATURE = "/usr/share/privilege-control/WRT_test-feature.wgt_rwx.smack";
-const char *test_wgt_feature_rule_set[] = { "~APP~ " TEST_WGT_FEATURE_APP_ID " rwx",
- NULL };
-const char *TEST_WGT_FEATURE_PRIVS[] = { TEST_WGT_FEATURE, NULL };
-
-const std::vector< std::vector<std::string> > rules_to_test_any_access1 = {
- { TEST_OSP_FEATURE_APP_ID, APP_ID, "r" },
- { TEST_OSP_FEATURE_APP_ID, APP_ID, "w" },
- { TEST_OSP_FEATURE_APP_ID, APP_ID, "x" },
- { TEST_OSP_FEATURE_APP_ID, APP_ID, "a" },
- { TEST_OSP_FEATURE_APP_ID, APP_ID, "t" },
- { TEST_OSP_FEATURE_APP_ID, APP_ID, "l" }
-};
-
-const std::vector< std::vector<std::string> > rules_to_test_any_access2 = {
- { APP_ID, TEST_OSP_FEATURE_APP_ID, "r" },
- { APP_ID, TEST_OSP_FEATURE_APP_ID, "x" },
- { APP_ID, TEST_OSP_FEATURE_APP_ID, "l" },
- { APP_ID, TEST_WGT_FEATURE_APP_ID, "r" },
- { APP_ID, TEST_WGT_FEATURE_APP_ID, "w" },
- { APP_ID, TEST_WGT_FEATURE_APP_ID, "x" },
- { APP_ID, TEST_WGT_FEATURE_APP_ID, "l" }
-};
-
-#define FMT_VECTOR_TO_TEST_ANY_ACCESS(sub,obj) \
- (const std::vector< std::vector<std::string> >) { \
- { sub, obj, "r" }, \
- { sub, obj, "w" }, \
- { sub, obj, "x" }, \
- { sub, obj, "a" }, \
- { sub, obj, "t" }, \
- { sub, obj, "l" } }
-
-// Rules from test_privilege_control_rules.smack
-const std::vector< std::vector<std::string> > rules = {
- { APP_ID, "test_book_1", "r" },
- { APP_ID, "test_book_2", "w" },
- { APP_ID, "test_book_3", "x" },
- { APP_ID, "test_book_4", "rw" },
- { APP_ID, "test_book_5", "rx" },
- { APP_ID, "test_book_6", "wx" },
- { APP_ID, "test_book_7", "rwx" },
- { "test_subject_1", APP_ID, "r" },
- { "test_subject_2", APP_ID, "w" },
- { "test_subject_3", APP_ID, "x" },
- { "test_subject_4", APP_ID, "rw" },
- { "test_subject_5", APP_ID, "rx" },
- { "test_subject_6", APP_ID, "wx" },
- { "test_subject_7", APP_ID, "rwx" },
- { APP_ID, APPID_SHARED_DIR, "rwxat"}
-};
-
-// Rules from WRT_test_privilege_control_rules2.smack
-const std::vector< std::vector<std::string> > rules2 = {
- { WGT_APP_ID, "test_book_8", "r" },
- { WGT_APP_ID, "test_book_9", "w" },
- { WGT_APP_ID, "test_book_10", "x" },
- { WGT_APP_ID, "test_book_11", "rw" },
- { WGT_APP_ID, "test_book_12", "rx" },
- { WGT_APP_ID, "test_book_13", "wx" },
- { WGT_APP_ID, "test_book_14", "rwx" },
- { WGT_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", WGT_APP_ID, "r" },
- { "test_subject_9", WGT_APP_ID, "w" },
- { "test_subject_10", WGT_APP_ID, "x" },
- { "test_subject_11", WGT_APP_ID, "rw" },
- { "test_subject_12", WGT_APP_ID, "rx" },
- { "test_subject_13", WGT_APP_ID, "wx" },
- { "test_subject_14", WGT_APP_ID, "rwx" },
- { "test_subject_15", WGT_APP_ID, "rwxat" }
-};
-
-// Rules from WRT_test_privilege_control_rules_no_r.smack
-const std::vector< std::vector<std::string> > rules2_no_r = {
- { WGT_APP_ID, "test_book_9", "w" },
- { WGT_APP_ID, "test_book_10", "x" },
- { WGT_APP_ID, "test_book_11", "w" },
- { WGT_APP_ID, "test_book_12", "x" },
- { WGT_APP_ID, "test_book_13", "x" },
- { WGT_APP_ID, "test_book_14", "wx" },
- { WGT_APP_ID, "test_book_15", "wxat" },
- { "test_subject_9", WGT_APP_ID, "w" },
- { "test_subject_10", WGT_APP_ID, "x" },
- { "test_subject_11", WGT_APP_ID, "w" },
- { "test_subject_12", WGT_APP_ID, "x" },
- { "test_subject_13", WGT_APP_ID, "x" },
- { "test_subject_14", WGT_APP_ID, "wx" },
- { "test_subject_15", WGT_APP_ID, "wxat" }
-};
-
-// Rules from test_privilege_control_rules.smack
-// minus WRT_test_privilege_control_rules_no_r.smack
-const std::vector< std::vector<std::string> > rules2_r = {
- { WGT_APP_ID, "test_book_8", "r" },
- { WGT_APP_ID, "test_book_11", "r" },
- { WGT_APP_ID, "test_book_12", "r" },
- { WGT_APP_ID, "test_book_14", "r" },
- { WGT_APP_ID, "test_book_15", "r" },
- { "test_subject_8", WGT_APP_ID, "r" },
- { "test_subject_11", WGT_APP_ID, "r" },
- { "test_subject_12", WGT_APP_ID, "r" },
- { "test_subject_14", WGT_APP_ID, "r" },
- { "test_subject_15", WGT_APP_ID, "r" }
-};
-
-// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt
-const std::vector< std::vector<std::string> > rules_wgt = {
- { WGT_APP_ID, "test_book_8", "r" },
- { WGT_APP_ID, "test_book_9", "w" },
- { WGT_APP_ID, "test_book_10", "x" },
- { WGT_APP_ID, "test_book_11", "rw" },
- { WGT_APP_ID, "test_book_12", "rx" },
- { WGT_APP_ID, "test_book_13", "wx" },
- { WGT_APP_ID, "test_book_14", "rwx" },
- { WGT_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", WGT_APP_ID, "r" },
- { "test_subject_9", WGT_APP_ID, "w" },
- { "test_subject_10", WGT_APP_ID, "x" },
- { "test_subject_11", WGT_APP_ID, "rw" },
- { "test_subject_12", WGT_APP_ID, "rx" },
- { "test_subject_13", WGT_APP_ID, "wx" },
- { "test_subject_14", WGT_APP_ID, "rwx" },
- { "test_subject_15", WGT_APP_ID, "rwxat" }
-};
-
-// Rules from WRT_test_privilege_control_rules.smack for wgt
-const std::vector< std::vector<std::string> > rules_wgt2 = {
- { WGT_APP_ID, "test_book_1", "r" },
- { WGT_APP_ID, "test_book_2", "w" },
- { WGT_APP_ID, "test_book_3", "x" },
- { WGT_APP_ID, "test_book_4", "rw" },
- { WGT_APP_ID, "test_book_5", "rx" },
- { WGT_APP_ID, "test_book_6", "wx" },
- { WGT_APP_ID, "test_book_7", "rwx" },
- { "test_subject_1", WGT_APP_ID, "r" },
- { "test_subject_2", WGT_APP_ID, "w" },
- { "test_subject_3", WGT_APP_ID, "x" },
- { "test_subject_4", WGT_APP_ID, "rw" },
- { "test_subject_5", WGT_APP_ID, "rx" },
- { "test_subject_6", WGT_APP_ID, "wx" },
- { "test_subject_7", WGT_APP_ID, "rwx" }
-};
-
-// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_partner
-const std::vector< std::vector<std::string> > rules_wgt_partner = {
- { WGT_PARTNER_APP_ID, "test_book_8", "r" },
- { WGT_PARTNER_APP_ID, "test_book_9", "w" },
- { WGT_PARTNER_APP_ID, "test_book_10", "x" },
- { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
- { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
- { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
- { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
- { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
- { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
- { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
- { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
- { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
- { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
- { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
- { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }
-};
-
-// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_platform
-const std::vector< std::vector<std::string> > rules_wgt_platform = {
- { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
- { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
- { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
- { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
- { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
- { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
- { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
- { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
- { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
- { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
- { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
- { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
- { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
- { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
- { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }
-};
-
-// Rules from OSP_test_privilege_control_rules_osp.smack for osp
-const std::vector< std::vector<std::string> > rules_osp = {
- { OSP_APP_ID, "test_book_8", "r" },
- { OSP_APP_ID, "test_book_9", "w" },
- { OSP_APP_ID, "test_book_10", "x" },
- { OSP_APP_ID, "test_book_11", "rw" },
- { OSP_APP_ID, "test_book_12", "rx" },
- { OSP_APP_ID, "test_book_13", "wx" },
- { OSP_APP_ID, "test_book_14", "rwx" },
- { OSP_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", OSP_APP_ID, "r" },
- { "test_subject_9", OSP_APP_ID, "w" },
- { "test_subject_10", OSP_APP_ID, "x" },
- { "test_subject_11", OSP_APP_ID, "rw" },
- { "test_subject_12", OSP_APP_ID, "rx" },
- { "test_subject_13", OSP_APP_ID, "wx" },
- { "test_subject_14", OSP_APP_ID, "rwx" },
- { "test_subject_15", OSP_APP_ID, "rwxat" }
-};
-
-// Rules from OSP_test_privilege_control_rules_osp.smack for osp_partner
-const std::vector< std::vector<std::string> > rules_osp_partner = {
- { OSP_PARTNER_APP_ID, "test_book_8", "r" },
- { OSP_PARTNER_APP_ID, "test_book_9", "w" },
- { OSP_PARTNER_APP_ID, "test_book_10", "x" },
- { OSP_PARTNER_APP_ID, "test_book_11", "rw" },
- { OSP_PARTNER_APP_ID, "test_book_12", "rx" },
- { OSP_PARTNER_APP_ID, "test_book_13", "wx" },
- { OSP_PARTNER_APP_ID, "test_book_14", "rwx" },
- { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", OSP_PARTNER_APP_ID, "r" },
- { "test_subject_9", OSP_PARTNER_APP_ID, "w" },
- { "test_subject_10", OSP_PARTNER_APP_ID, "x" },
- { "test_subject_11", OSP_PARTNER_APP_ID, "rw" },
- { "test_subject_12", OSP_PARTNER_APP_ID, "rx" },
- { "test_subject_13", OSP_PARTNER_APP_ID, "wx" },
- { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" },
- { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" }
-};
-
-// Rules from OSP_test_privilege_control_rules_osp.smack for osp_platform
-const std::vector< std::vector<std::string> > rules_osp_platform = {
- { OSP_PLATFORM_APP_ID, "test_book_8", "r" },
- { OSP_PLATFORM_APP_ID, "test_book_9", "w" },
- { OSP_PLATFORM_APP_ID, "test_book_10", "x" },
- { OSP_PLATFORM_APP_ID, "test_book_11", "rw" },
- { OSP_PLATFORM_APP_ID, "test_book_12", "rx" },
- { OSP_PLATFORM_APP_ID, "test_book_13", "wx" },
- { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" },
- { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", OSP_PLATFORM_APP_ID, "r" },
- { "test_subject_9", OSP_PLATFORM_APP_ID, "w" },
- { "test_subject_10", OSP_PLATFORM_APP_ID, "x" },
- { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" },
- { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" },
- { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" },
- { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" },
- { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }
-};
-
-// Rules from EFL_test_privilege_control_rules_osp.smack for osp_platform
-const std::vector< std::vector<std::string> > rules_efl = {
- { APP_ID, "test_book_efl", "r" }
-};
namespace {
-typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
-void closefdptr(int* fd) { close(*fd); }
-typedef std::unique_ptr<int, std::function<void (int*)> > FDUniquePtr;
+const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
+const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
+const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
+const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL };
std::vector<std::string> gen_names(std::string prefix, std::string suffix, size_t size)
{
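Review bot: `#include <ftw.h>` is dropped from the include list, but the file still defines `nftw_check_labels_app_shared_dir` with a `struct FTW*` parameter (unchanged context further down), so it now compiles only if another header pulls `<ftw.h>` in. Presumably the newly added `libprivilege-control_test_common.h` does that, but the file should include what it uses: keep `#include <ftw.h>` in the block with `<fcntl.h>` and `<errno.h>`. The same goes for `strcmp` and `strerror`, which the test bodies call although no `<cstring>` is visible in this list.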
const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
const std::vector<std::string> BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16);
-
-//correct and incorrect PID used in incorrect params test
-const pid_t PID_CORRECT = 0;
-const pid_t PID_INCORRECT = -1;
-
-/**
- * Check if every rule is true.
- * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
- */
-int test_have_all_accesses(const std::vector< std::vector<std::string> > &rules)
-{
- int result;
- for (uint i = 0; i < rules.size(); ++i) {
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result != 1)
- return result;
- }
- return 1;
-}
-
-/**
- * Check if every rule is true.
- * @return 1 if ANY rule in SMACK, 0 if
- */
-int test_have_any_accesses(const std::vector< std::vector<std::string> > &rules)
-{
- int result;
- for (uint i = 0; i < rules.size(); ++i) {
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result == 1)
- return 1;
- }
- return 0;
-}
-
-int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
- smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
- smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
- smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
-
- return 0;
-}
-
-int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
- smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
- smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
- smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
-
- return 0;
-}
-
-int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
- int result;
- char *label;
-
- /* ACCESS */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(CANARY_LABEL, label);
- RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
-
- /* EXEC */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(CANARY_LABEL, label);
- RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
-
- /* TRANSMUTE */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
-
- return 0;
-}
-
-int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
- int result;
- char *label;
-
- /* ACCESS */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
-
- /* EXEC */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
- RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
- } else if (S_ISLNK(sb->st_mode)) {
- struct stat buf;
- char *target = realpath(fpath, NULL);
- RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
- free(target);
- if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
- RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
- } else {
- RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
- }
- } else
- RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
-
- /* TRANSMUTE */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
-
- return 0;
-}
-
int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
unlink(WRT_BLAHBLAH_DAC);
unlink(OTHER_BLAHBLAH_DAC);
- for (size_t i = 0; i < OSP_BLAHBLAH_DAC.size(); ++i)
+ for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
unlink(OSP_BLAHBLAH_DAC[i].c_str());
- for (size_t i = 0; i < OSP_BLAHBLAH_DAC.size(); ++i)
+ for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
unlink(OSP_BLAHBLAH_DAC[i].c_str());
}
-int cleaning_smack_app_files (void)
-{
- unlink(SMACK_RULES_DIR APP_TEST_APP_1);
-
- unlink(SMACK_RULES_DIR APP_TEST_APP_2);
-
- unlink(SMACK_RULES_DIR APP_TEST_APP_3);
-
- unlink(SMACK_RULES_DIR APP_TEST_AV_1);
-
- unlink(SMACK_RULES_DIR APP_TEST_AV_2);
-
- unlink(SMACK_RULES_DIR APP_TEST_AV_3);
-
- return 0;
-}
-
} // namespace
RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
}
-static void read_gids(std::set<unsigned> &set, const char *file_path)
-{
- FILE *f = fopen(file_path, "r");
- RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
- unsigned gid;
- while (fscanf(f, "%u\n", &gid) == 1) {
- set.insert(gid);
- }
-}
-
-
-/**
- * Set APP privileges.
- */
-void check_groups(const char *dac_file)
-{
- std::set<unsigned> groups_check;
- read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
- read_gids(groups_check, dac_file);
-
- int groups_cnt = getgroups(0, NULL);
- RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
- gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
- RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
- RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
-
- for (int i = 0; i < groups_cnt; ++i) {
- //getgroups() can return multiple number of the same group
- //they are returned in sequence, so we will given number when last
- //element of this number is reached
- if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i]))
- continue;
- if (groups_check.erase(groups_list[i]) == 0) {
- // getgroups() may also return process' main group
- if (groups_list[i] != getgid())
- RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
- }
- }
- free(groups_list);
- std::string groups_left;
- for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
- groups_left.append(std::to_string(*it)).append(" ");
- }
- RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
-}
-/**
- * Set APP privileges. wgt.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
-{
- int result = perm_app_uninstall(WGT_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(WGT_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+void set_app_privilege(int line_no,
+ const char* app_id, app_type_t APP_TYPE,
+ const char** privileges, const char* type,
+ const char* app_path, const char* dac_file,
+ const std::vector< std::vector<std::string> > &rules) {
+ int result = perm_app_uninstall(app_id);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ " perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ result = perm_app_install(app_id);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ " perm_app_install returned " << result << ". Errno: " << strerror(errno));
// TEST:
- result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
" Error enabling app permissions. Result: " << result);
- result = test_have_all_accesses(rules_wgt);
+ result = test_have_all_accesses(rules);
RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
- result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
+ result = perm_app_set_privilege(app_id, type, app_path);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_set_privilege. Error: " << result);
// Check if SMACK label really set
char *label;
result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
- RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
- result = strcmp(WGT_APP_ID, label);
- RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+ RUNNER_ASSERT_MSG(result >= 0, "Line: " << line_no <<
+ " Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Line: " << line_no <<
+ " Process label is not set");
+ result = strcmp(app_id, label);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ " Process label " << label << " is incorrect");
+
+ check_groups(dac_file);
+}
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+/**
+ * Set APP privileges. wgt.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
+{
+ set_app_privilege(__LINE__,WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt);
}
/**
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner)
{
- int result = perm_app_uninstall(WGT_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(WGT_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- // TEST:
- result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- result = test_have_all_accesses(rules_wgt_partner);
- RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
-
- result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
-
- // Check if SMACK label really set
- char *label;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
- RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
- result = strcmp(WGT_PARTNER_APP_ID, label);
- RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+ set_app_privilege(__LINE__, WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT,
+ "wgt_partner", WGT_PARTNER_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_partner);
}
/**
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform)
{
- int result = perm_app_uninstall(WGT_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(WGT_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- // TEST:
- result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- result = test_have_all_accesses(rules_wgt_platform);
- RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
-
- result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
-
- // Check if SMACK label really set
- char *label;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
- RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
- result = strcmp(WGT_PLATFORM_APP_ID, label);
- RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+ set_app_privilege(__LINE__, WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT,
+ "wgt_platform", WGT_PLATFORM_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_platform);
}
/**
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
{
- int result = perm_app_uninstall(OSP_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(OSP_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- // TEST:
- result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- result = test_have_all_accesses(rules_osp);
- RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
-
- result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
-
- // Check if SMACK label really set
- char *label;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
- RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
- result = strcmp(OSP_APP_ID, label);
- RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
+ set_app_privilege(__LINE__, OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, NULL, OSP_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
}
/**
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner)
{
- int result = perm_app_uninstall(OSP_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(OSP_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- // TEST:
- result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error enabling app permissions. Result: " << result);
-
- result = test_have_all_accesses(rules_osp_partner);
- RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
-
- result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
-
- // Check if SMACK label really set
- char *label;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
- RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
- result = strcmp(OSP_PARTNER_APP_ID, label);
- RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
+ set_app_privilege(__LINE__, OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP,
+ NULL, OSP_PARTNER_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_partner);
}
/**
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform)
{
- int result = perm_app_uninstall(OSP_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(OSP_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- // TEST:
- result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- result = test_have_all_accesses(rules_osp_platform);
- RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
-
- result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
-
- // Check if SMACK label really set
- char *label;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label");
- RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
- result = strcmp(OSP_PLATFORM_APP_ID, label);
- RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
+ set_app_privilege(__LINE__, OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP,
+ NULL, OSP_PLATFORM_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform);
}
/**
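Review bot: In the new `set_app_privilege` helper the string returned by `smack_new_label_from_self(&label)` is never freed, and `label` is uninitialised if that call fails. Declare it as `char *label = NULL;` and, after the `result >= 0` assertion, hand it to a guard such as `std::unique_ptr<char, decltype(&free)> label_guard(label, free);`. `<memory>` is already included, and the guard also covers the paths where `RUNNER_ASSERT_MSG` presumably leaves the function early. The `"Permissions not added."` assertion is the only one in the helper without the `"Line: " << line_no` prefix, so a failure there cannot be traced back to the calling test. The helper also calls `check_groups`, whose definition is removed from this file in the same section, so it relies on a declaration from elsewhere, presumably the new common header.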
perm_app_uninstall(APP_FRIEND_2);
/**
- * Test - making friends with nonexisting friend
+ * Test - making friends with nonexistent friend
*/
// Installing one friend
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error installing first app. Errno: " << result);
- // Adding imaginairy friend as second
+ // Adding imaginary friend as second
result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error making friends (first) with imaginairy friend failed. Result: "
<< result);
- // Adding imaginairy friend as first
+ // Adding imaginary friend as first
result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error making friends (second) with imaginairy friend failed. Result: "
RUNNER_TEST(privilege_control17_appsettings_privilege)
{
-#define APP_1 "app_1"
-#define APP_1_DIR "/tmp/app_1"
-
-#define APP_2 "app_2"
-#define APP_2_DIR "/tmp/app_2"
-
-#define APP_TEST "app_test"
-
-#define PRIV_APPSETTING (const char*[]) {"org.tizen.privilege.appsetting", NULL}
-
int ret;
char *app1_dir_label;
char *app2_dir_label;
//prepare test
-
(void)perm_app_uninstall(APP_TEST);
(void)perm_app_uninstall(APP_1);
(void)perm_app_uninstall(APP_2);
ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
-
RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
" Error enabling app permissions. Result: " << ret);
//check if "app_test" has an RX access to the app "app_1"
ret = smack_have_access(APP_TEST, APP_1, "rx");
- RUNNER_ASSERT_MSG(ret,"access denies");
-
+ RUNNER_ASSERT_MSG(ret,"access denied");
//check if "app_test" has an RWX access to a folder registered by "app_1"
ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
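Review bot: The assertion `RUNNER_ASSERT_MSG(ret,"access denied")` treats any non-zero `ret` as success, so an error return from `smack_have_access` passes the check. The NOSMACK tests elsewhere on this page expect that call to return -1 when SMACK is off and 1 when access is granted, and this test is declared with plain `RUNNER_TEST`, so it is presumably not restricted to SMACK-enabled runs. Since the line is being touched anyway, compare explicitly: `RUNNER_ASSERT_MSG(ret == 1, "access denied");`. The body of privilege_control17_appsettings_privilege continues outside the hunk, so any later `smack_have_access` checks written the same way need the same change.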
(void)perm_app_uninstall(APP_2);
}
-RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
-{
+void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) {
int result;
result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_uninstall." << result);
result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install." << result);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_install." << result);
result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ " Unable to clean up Smack labels in " << TEST_APP_DIR);
result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ " Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ " perm_app_setup_path() failed");
result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ " Unable to check Smack labels for non-app dir");
result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_uninstall." << result);
}
-RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings)
+RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
{
- int result;
+ test_app_setup_path(__LINE__, APP_PATH_PUBLIC_RO);
+}
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result);
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install." << result);
-
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
-
- result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result);
-}
+RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings)
+{
+ test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW);
+}
RUNNER_TEST(privilege_control20_early_rules)
{
char *single_line_format = NULL;
char *perm = NULL;
FILE *file = NULL;
- char subject[SMACK_LABEL_LEN + 1];
- char object[SMACK_LABEL_LEN + 1];
- char rule_add[SMACK_ACC_LEN + 1];
- char rule_remove[SMACK_ACC_LEN + 1];
- subject[SMACK_LABEL_LEN] = '\0';
- object[SMACK_LABEL_LEN] = '\0';
- rule_add[SMACK_ACC_LEN] = '\0';
- rule_remove[SMACK_ACC_LEN] = '\0';
+ char subject[SMACK_LABEL_LEN + 1] = {0};
+ char object[SMACK_LABEL_LEN + 1] = {0};
+ char rule_add[SMACK_ACC_LEN + 1] = {0};
+ char rule_remove[SMACK_ACC_LEN + 1] = {0};
unlink(SMACK_RULES_DIR APP_ID);
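Review bot: `test_app_setup_path` never inspects TEST_APP_DIR after `perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE)`; the only label walk that follows is `nftw_check_labels_non_app_dir` over TEST_NON_APP_DIR. As written, privilege_control18 and privilege_control19 both pass whenever the call returns 0 and leaves the non-app tree alone, so a regression that applies the wrong label for APP_PATH_PUBLIC_RO or APP_PATH_SETTINGS_RW would go unnoticed. Now that the body is shared, let the helper take the per-type label checker as a third argument and add `result = nftw(TEST_APP_DIR, check_app_dir, FTW_MAX_FDS, FTW_PHYS);` with its own assert after the setup call, where `check_app_dir` stands for the new parameter (the expected labels for each path type are not visible here). The helper would also read better as `static` with a lower-case parameter name, since `PATH_TYPE` looks like one of the file's macros.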
RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
}
-
-
-//////////////////////////////////////////////////////
-//TEST FOR INCORRECT PARAMS CHECK IN LIBPRIVILEGE APIS
-//////////////////////////////////////////////////////
-
-RUNNER_TEST(privilege_control21a_incorrect_params_get_smack_label_from_process)
-{
- RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_CORRECT, NULL) == PC_ERR_INVALID_PARAM, "get_smack_label_from_process didn't check if smack_label isn't NULL.");
-
- char aquired_smack_label[SMACK_LABEL_LEN+1];
- RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_INCORRECT, aquired_smack_label) == PC_ERR_INVALID_PARAM, "get_smack_label_from_process didn't check for correct pid.");
-}
-
-RUNNER_TEST_SMACK(privilege_control21b_incorrect_params_smack_pid_have_access)
-{
- RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "some_object", NULL) == -1, "smack_pid_have_access didn't check if access_type isn't NULL.");
- RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, NULL, "rw") == -1, "smack_pid_have_access didn't check if object isn't NULL.");
- RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "", "rw") == -1, "smack_pid_have_access didn't check if object isn't empty.");
- RUNNER_ASSERT_MSG(smack_pid_have_access(PID_INCORRECT, "some_object", "rw") == -1, "smack_pid_have_access didn't check for correct pid.");
-}
-
-RUNNER_TEST(privilege_control21c_incorrect_params_perm_app_set_privilege)
-{
- RUNNER_ASSERT_MSG(perm_app_set_privilege(NULL, NULL, APP_SET_PRIV_PATH) == PC_ERR_INVALID_PARAM, "perm_app_set_privilege didn't check if package name isn't NULL.");
-}
-
-RUNNER_TEST(privilege_control21d_incorrect_params_perm_app_install)
-{
- RUNNER_ASSERT_MSG(perm_app_install(NULL) == PC_ERR_INVALID_PARAM, "perm_app_install didn't check if pkg_id isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_install("") == PC_ERR_INVALID_PARAM, "perm_app_install didn't check if pkg_id isn't empty.");
-}
-
-RUNNER_TEST(privilege_control21e_incorrect_params_perm_app_uninstall)
-{
- RUNNER_ASSERT_MSG(perm_app_uninstall(NULL) == PC_ERR_INVALID_PARAM, "perm_app_uninstall didn't check if pkg_id isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_uninstall("") == PC_ERR_INVALID_PARAM, "perm_app_uninstall didn't check if pkg_id isn't empty.");
-}
-
-RUNNER_TEST(privilege_control21f_incorrect_params_perm_app_enable_permissions)
-{
- RUNNER_ASSERT_MSG(perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, NULL, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if perm_list isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_enable_permissions(NULL, APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if pkg_id isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_enable_permissions("", APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if pkg_id isn't empty.");
- RUNNER_ASSERT_MSG(perm_app_enable_permissions("~APP~", APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if pkg_id is valid");
-}
-
-RUNNER_TEST(privilege_control21g_incorrect_params_app_revoke_permissions)
-{
- RUNNER_ASSERT_MSG(perm_app_revoke_permissions(NULL) == PC_ERR_INVALID_PARAM, "perm_app_revoke_permissions didn't check if pkg_id isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_revoke_permissions("") == PC_ERR_INVALID_PARAM, "perm_app_revoke_permissions didn't check if pkg_id isn't empty.");
- RUNNER_ASSERT_MSG(perm_app_revoke_permissions("~APP~") == PC_ERR_INVALID_PARAM, "perm_app_revoke_permissions didn't check if pkg_id is valid.");
-}
-
-RUNNER_TEST(privilege_control21h_incorrect_params_app_reset_permissions)
-{
- RUNNER_ASSERT_MSG(perm_app_reset_permissions(NULL) == PC_ERR_INVALID_PARAM, "perm_app_reset_permissions didn't check if pkg_id isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_reset_permissions("") == PC_ERR_INVALID_PARAM, "perm_app_reset_permissions didn't check if pkg_id isn't empty.");
- RUNNER_ASSERT_MSG(perm_app_reset_permissions("~APP~") == PC_ERR_INVALID_PARAM, "perm_app_reset_permissions didn't check if pkg_id is valid.");
-}
-
-RUNNER_TEST(privilege_control21i_incorrect_params_app_setup_path)
-{
- RUNNER_ASSERT_MSG(perm_app_setup_path(APPID_DIR, NULL, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if path isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_setup_path(NULL, TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if pkg_id isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_setup_path("", TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if pkg_id isn't empty.");
- RUNNER_ASSERT_MSG(perm_app_setup_path("~APP~", TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if pkg_id is valid.");
-}
-
-RUNNER_TEST(privilege_control21j_incorrect_params_app_add_friend)
-{
- RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented");
-
- RUNNER_ASSERT_MSG(perm_app_add_friend(NULL, APP_FRIEND_2) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id1 isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_add_friend("", APP_FRIEND_2) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id1 isn't empty.");
- RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, NULL) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id2 isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, "") == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id2 isn't empty.");
- RUNNER_ASSERT_MSG(perm_app_add_friend("~APP~", APP_FRIEND_2) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id1 is valid.");
- RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, "~APP~") == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id2 is valid.");
-}
-
-RUNNER_TEST(privilege_control21k_incorrect_params_add_api_feature)
-{
- RUNNER_ASSERT_MSG(perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0) == PC_ERR_INVALID_PARAM, "perm_add_api_feature didn't check if api_feature_name isn't NULL.");
- RUNNER_ASSERT_MSG(perm_add_api_feature(APP_TYPE_OSP, "", NULL, NULL, 0) == PC_ERR_INVALID_PARAM, "perm_add_api_feature didn't check if api_feature_name isn't empty.");
-}
-
-RUNNER_TEST(privilege_control21l_incorrect_params_ignored_disable_permissions)
-{
- RUNNER_ASSERT_MSG(perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, NULL) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if perm_list isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_disable_permissions(NULL, APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't NULL.");
- RUNNER_ASSERT_MSG(perm_app_disable_permissions("", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't empty.");
- RUNNER_ASSERT_MSG(perm_app_disable_permissions("~APP~", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id is valid.");
-}
-
-
-/////////////////////////////////////////
-//////NOSMACK ENVIRONMENT TESTS//////////
-/////////////////////////////////////////
-
-/**
- * NOSMACK version of nftw_check_labels_app_shared_dir function.
- *
- * This function used with nftw should expect -1 result from smack_have_access instead of 1.
- */
-int nftw_check_labels_app_shared_dir_nosmack(const char *fpath, const struct stat *sb,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
- int result;
- char* label;
-
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
- RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
-
- result = strcmp(APPID_SHARED_DIR, label);
- RUNNER_ASSERT_MSG(result == 0,
- "ACCESS label on " << fpath << " is incorrect. Result: " << result);
-
- //The only exception in nftw_check_labels_app_shared_dir
- //smack_have_access returns -1 because of no SMACK.
- result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
-
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
- RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
-
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
- if (S_ISDIR(sb->st_mode)) {
- RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
- result = strcmp("TRUE", label);
- RUNNER_ASSERT_MSG(result == 0,
- "TRANSMUTE label on " << fpath << " is not set. Result: " << result);
- } else
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
-
- return 0;
-}
-
-/**
- * NOSMACK version of privilege_control03 test.
- *
- * Uses nosmack version of nftw_check_labels_app_shared_dir (defined above).
- */
-RUNNER_TEST_NOSMACK(privilege_control03_app_label_shared_dir_nosmack)
-{
- int result;
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
- RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
- "perm_app_setup_path should fail here. Result: " << result);
-
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Unable to clean up Smack labels in " << TEST_APP_DIR);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "perm_app_setup_path() failed. Result: " << result);
-
- result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir_nosmack, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Unable to check Smack labels for shared app dir");
-
- result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Unable to check Smack labels for non-app dir");
-}
-
-/**
- * NOSMACK version of test_have_accesses functions.
- *
- * This will be used in many tests. Checks if for every rule smack_have_access returns error.
- * If for any of rules smack_have_access will return something different than error, this result
- * is being returned to caller.
- */
-int test_have_nosmack_accesses(const std::vector< std::vector<std::string> > &rules)
-{
- int result;
- for (uint i = 0; i < rules.size(); ++i) {
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result != -1)
- return result;
- }
- return -1;
-}
-
-/**
- * NOSMACK version of privilege_control04 test.
- *
- * Tries to add permisions from test_privilege_control_rules template and checks if
- * smack_have_access returns -1 on check between every rule.
- */
-RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack)
-{
- //Add permissions
- auto result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error adding app permissions. Result: " << result);
-
- //Check if smack_have_access always fails on every rule
- result = test_have_nosmack_accesses(rules);
- RUNNER_ASSERT_MSG(result == -1,
- "Despite SMACK being off some accesses were added. Result: " << result);
-
- //Does file exist?
- std::fstream fs(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
- RUNNER_ASSERT_MSG(fs.good(), "SMACK file NOT created!. Errno: " << strerror(errno));
-
- fs.seekg(0, std::ifstream::end);
- RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty, but privileges list was not empty.");
-}
-
-/**
- * NOSMACK version of privilege_control05_add_shared_dir_readers test.
- *
- * This test is very similar to it's SMACK version - only difference is different result expected
- * from smack_have_access.
- */
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-RUNNER_TEST_NOSMACK(privilege_control05_add_shared_dir_readers_nosmack)
-{
- const char* test_obj = "TEST_OBJECT";
- const char* test_obj_some_other = "TEST_OBJA";
- const char* test_str_01 = "TEST_raz TEST_OBJECT r-x--- ------";
- const char* test_str_21 = "TEST_trzy TEST_OBJA -wx---";
- const char* test_str_22 = "TEST_trzy TEST_OBJECT r-x--- ------";
-
- int result;
- int i;
- int fd = -1;
-
- const char* app_labels_wrong[] = {"-TEST_raz", NULL};
- const char* app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
- const int READ_BUF_SIZE = 1000;
- char buf[READ_BUF_SIZE];
- smack_accesses* tmp = NULL;
-
- //test environment cleaning
- cleaning_smack_app_files();
-
- //test what happens when the label is not correct SMACK label
- result = add_shared_dir_readers(test_obj,app_labels_wrong);
- RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM,
- "add_shared_dir_readers should fail here. Result: " << result);
- result = smack_have_access(app_labels_wrong[0],test_obj,"rx");
- RUNNER_ASSERT_MSG(result != 1,
- "add_shared_dir_readers should not grant permission here. Result: " << result);
-
- //install new apps
- result = smack_accesses_new(&tmp);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in smack_accesses_new. Result: " << result);
-
- //Wrap rules and fd into unique_ptrs for garbage collection
- SmackUniquePtr rules(tmp, smack_accesses_free);
- FDUniquePtr fd_ptr(&fd, closefdptr);
-
- std::stringstream path;
- for (i = 0; i < 3; i++) {
- result = perm_app_revoke_permissions(app_labels[i]);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_revoke_permissions. Result: " << result);
- result = perm_app_uninstall(app_labels[i]);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_install. Result: " << result);
- result = perm_app_install(app_labels[i]);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_install. Result: " << result);
-
- path << SMACK_RULES_DIR << app_labels[i];
-
- fd = open(path.str().c_str(), O_WRONLY, 0644);
- RUNNER_ASSERT_MSG(fd != -1, "Error in opening file");
-
- if (i == 1) {
- result = smack_accesses_add(rules.get(), app_labels[i], test_obj, "wt");
- RUNNER_ASSERT_MSG(result == 0,
- "smack_accesses_add failed. Result: " << result);
- }
-
- if (i == 2) {
- result = smack_accesses_new(&tmp);
- RUNNER_ASSERT_MSG(result == 0,
- "Failed to allocate memory for rules.");
-
- rules.reset(tmp);
-
- result = smack_accesses_add(rules.get(), app_labels[i],
- test_obj_some_other, "wx");
- RUNNER_ASSERT_MSG(result == 0,
- "smack_accesses_add failed. Result: " << result);
- }
-
- result = smack_accesses_apply(rules.get());
- RUNNER_ASSERT_MSG(result == -1,
- "smack_accesses_apply should fail (SMACK is off). Result: " << result);
-
- result = smack_accesses_save(rules.get(), fd);
- RUNNER_ASSERT_MSG(result == 0,
- "smack_accesses_save failed. Result: " << result);
-
- //cleanup
- path.str(std::string());
- }
-
- //Use add_shared_dir_readers and check if smack_have_access still fails
- result = add_shared_dir_readers(test_obj,app_labels);
- RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed. Result: " << result);
-
- result = smack_have_access(app_labels[0],test_obj,"rx");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
-
- result = smack_have_access(app_labels[1],test_obj,"rx");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
-
- result = smack_have_access(app_labels[2],test_obj,"rx");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
-
- result = smack_have_access(app_labels[1],test_obj,"rwxt");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
-
- result = smack_have_access(app_labels[2],test_obj_some_other,"wx");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
-
- //Test if files are properly formatted
- path << SMACK_RULES_DIR << app_labels[0];
- RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno));
-
- std::fstream fs(path.str().c_str(), std::ios_base::in);
- RUNNER_ASSERT_MSG(fs.good(), "Opening file stream failed. Error: " << strerror(errno));
-
- fs.get(buf, READ_BUF_SIZE);
- result = strcmp(buf, test_str_01);
- RUNNER_ASSERT_MSG(result == 0,
- "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() <<
- ". Result: " << result);
-
- //Clean up before another test
- path.str(std::string());
- fs.close();
-
- path << SMACK_RULES_DIR << app_labels[2];
- RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno));
-
- fs.open(path.str().c_str(), std::ios_base::in);
- RUNNER_ASSERT_MSG(fs.good(), "fopen failed, errno:" << strerror(errno));
-
- fs.getline(buf, READ_BUF_SIZE);
- result = strcmp(buf, test_str_21);
- RUNNER_ASSERT_MSG( result == 0,
- "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str()
- << ". Result: " << result);
-
- fs.getline(buf, READ_BUF_SIZE);
- result = strcmp(buf, test_str_22);
- RUNNER_ASSERT_MSG( result == 0,
- "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str()
- << ". Result: " << result);
-}
-#pragma GCC diagnostic warning "-Wdeprecated-declarations"
-
-
-/**
- * NOSMACK version of privilege_control05_set_app_privilege test.
- *
- * Another very similar test to it's SMACK version, this time smack_new_label_from_self is
- * expected to return different result.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack)
-{
- int result;
-
- //Preset exec label
- smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
- smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
-
- //Set app privileges
- result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_set_privilege. Result: " << result);
-
- //Even though app privileges are set, no smack label should be extracted.
- char* label = NULL;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == -1,
- "new_label_from_self should return error (SMACK is off). Result: " << result);
- RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
-
- //Check if DAC privileges really set
- RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
- RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
-
- result = strcmp(getenv("HOME"), APP_HOME_DIR);
- RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR. Result: " << result);
-
- result = strcmp(getenv("USER"), APP_USER_NAME);
- RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME. Result: " << result);
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
-}
-
-/**
- * NOSMACK version of privilege_control05_set_app_privilege_wgt test.
- *
- * Same as the above, plus uses test_have_nosmack_accesses instead of test_have_all_accesses.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_nosmack)
-{
- int result;
-
- result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- result = test_have_nosmack_accesses(rules_wgt);
- RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
-
- result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_set_privilege. Result: " << result);
-
- //Even though app privileges are set, no smack label should be extracted.
- char* label = NULL;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == -1,
- "new_label_from_self should return error (SMACK is off). Result: " << result);
- RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
-}
-
-/**
- * NOSMACK version of privilege_control05_set_app_privilege_wgt_partner test.
- *
- * Same as the above.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_partner_nosmack)
-{
- int result;
-
- result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- result = test_have_nosmack_accesses(rules_wgt_partner);
- RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
-
- result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_set_privilege. Result: " << result);
-
- //Even though app privileges are set, no smack label should be extracted.
- char* label = NULL;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == -1,
- "new_label_from_self should return error (SMACK is off). Result: " << result);
- RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
-}
-
-/**
- * NOSMACK version of privilege_control05_set_app_privilege_wgt_platform test.
- *
- * Same as the above.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_platform_nosmack)
-{
- int result;
-
- result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- result = test_have_nosmack_accesses(rules_wgt_platform);
- RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
-
- result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_set_privilege. Result: " << result);
-
- //Even though app privileges are set, no smack label should be extracted.
- char* label = NULL;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == -1,
- "new_label_from_self should return error (SMACK is off). Result: " << result);
- RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
-}
-
-/**
- * NOSMACK version of privilege_control05_set_app_privilege_osp test.
- *
- * Same as the above.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_nosmack)
-{
- int result;
-
- result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- result = test_have_nosmack_accesses(rules_osp);
- RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
-
- result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_set_privilege. Result: " << result);
-
- //Even though app privileges are set, no smack label should be extracted.
- char* label = NULL;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == -1,
- "new_label_from_self should return error (SMACK is off). Result: " << result);
- RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
-}
-
-/**
- * NOSMACK version of privilege_control05_set_app_privilege_osp_partner test.
- *
- * Same as the above.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_partner_nosmack)
-{
- int result;
-
- result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error enabling app permissions. Result: " << result);
-
- result = test_have_nosmack_accesses(rules_osp_partner);
- RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added.");
-
- result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_set_privilege. Result: " << result);
-
- //Even though app privileges are set, no smack label should be extracted.
- char* label = NULL;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == -1,
- "new_label_from_self should return error (SMACK is off). Result: " << result);
- RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
-}
-
-/**
- * NOSMACK version of privilege_control05_set_app_privilege_osp_platform test.
- *
- * Same as the above.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nosmack)
-{
- int result;
-
- result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- result = test_have_nosmack_accesses(rules_osp_platform);
- RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
-
- result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_set_privilege. Result: " << result);
-
- //Even though app privileges are set, no smack label should be extracted.
- char* label = NULL;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == -1,
- "new_label_from_self should return error (SMACK is off). Result: " << result);
- RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
-
- check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
-}
-
-/**
- * NOSMACK version of checkOnlyAvAccess function.
- *
- * Expects error instead of access granted/forbidden from smack_have_access.
- */
-void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment)
-{
- int result;
- result = smack_have_access(av_id, app_id, "rwx");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result
- << " when testing " << comment);
- result = smack_have_access(av_id, app_id, "a");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result
- << " when testing " << comment);
- result = smack_have_access(av_id, app_id, "t");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result
- << " when testing " << comment);
-}
-
-/*
- * NOSMACK version of privilege_control10_app_register_av test.
- *
- * Uses NOSMACK version of checkOnlyAvAccess (mentioned above), rest of the test is identical to
- * it's SMACK version.
- */
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-RUNNER_TEST_NOSMACK(privilege_control10_app_register_av_nosmack)
-{
- RUNNER_IGNORED_MSG("app_register_av is not implemented");
- int result;
-
- // cleaning
- smack_revoke_subject(APP_TEST_AV_1);
- smack_revoke_subject(APP_TEST_AV_2);
-
- cleaning_smack_app_files();
-
- // Adding two apps before antivir
- result = perm_app_install(APP_TEST_APP_1);
- RUNNER_ASSERT_MSG(result == 0,
- "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- result = perm_app_install(APP_TEST_APP_2);
- RUNNER_ASSERT_MSG(result == 0,
- "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- // Adding antivir
- result = app_register_av(APP_TEST_AV_1);
- RUNNER_ASSERT_MSG(result == 0,
- "app_register_av returned " << result << ". Errno: " << strerror(errno));
-
- // Checking added apps accesses
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
-
- // Adding third app
- result = perm_app_install(APP_TEST_APP_3);
- RUNNER_ASSERT_MSG(result == 0,
- "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- // Checking app accesses
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
-
- // Adding second antivir
- result = app_register_av(APP_TEST_AV_2);
- RUNNER_ASSERT_MSG(result == 0,
- "app_register_av returned " << result << ". Errno: " << strerror(errno));
-
- // Checking app accesses
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
-
- // cleaning
- smack_revoke_subject(APP_TEST_AV_1);
- smack_revoke_subject(APP_TEST_AV_2);
-
- cleaning_smack_app_files();
-
-}
-#pragma GCC diagnostic warning "-Wdeprecated-declarations"
-
-/**
- * NOSMACK version of privilege_control11_app_enable_permissions test.
- *
- * Since the original test did the same thing around five times, there is no need to redo the
- * same test for perm_app_enable_permissions. perm_app_enable_permissions will be called once,
- * test_have_nosmack_accesses will check if smack_have_access still returns error and then
- * we will check if SMACK file was correctly created.
- */
-RUNNER_TEST_NOSMACK(privilege_control11_app_enable_permissions_nosmack)
-{
- int result;
- std::fstream fs;
-
- result = perm_app_revoke_permissions(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
-
- result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error enabling app permissions. Result: " << result);
-
- //Check if accesses aren't added
- result = test_have_nosmack_accesses(rules2);
- RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
-
- //File exists?
- fs.open(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
- RUNNER_ASSERT_MSG(fs.good(), "Couldn't open SMACK file.");
-
- //Is it empty?
- fs.seekg(0, std::ifstream::end);
- RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty with persistant mode 1.");
-
- //Clean up
- result = perm_app_revoke_permissions(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
-}
-
-/**
- * NOSMACK version of privilege_control13 test.
- *
- * Uses perm_app_reset_permissions and checks with test_have_nosmack_accesses if nothing has
- * changed.
- */
-RUNNER_TEST_NOSMACK(privilege_control13_app_reset_permissions_nosmack)
-{
- int result;
-
- // Prepare permissions to reset
- result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app permissions. Result: " << result);
-
- // Reset permissions
- result = perm_app_reset_permissions(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error reseting app permissions. Result: " << result);
-
- result = test_have_nosmack_accesses(rules2);
- RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be changed. Result: " << result);
-
- // Disable permissions
- result = perm_app_revoke_permissions(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app permissions. Result: " << result);
-}
-
-/**
- * NOSMACK version of privilege_control14 test.
- *
- * Similarily as app_enable_permissions test. This time perm_app_add_friend is called twice, once
- * when both friends exist, and then when one of them doesn't exist. Other tests are not required -
- * results would be the same as earlier.
- */
-RUNNER_TEST_NOSMACK(privilege_control14_app_add_friend_nosmack)
-{
- RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented");
-
- int result;
-
- result = perm_app_revoke_permissions(APP_FRIEND_1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(APP_FRIEND_2);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
-
- perm_app_uninstall(APP_FRIEND_1);
- perm_app_uninstall(APP_FRIEND_2);
-
- //Regular test.
-
- //Installing friends to be
- result = perm_app_install(APP_FRIEND_1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error installing first app. Result: " << result);
- result = perm_app_install(APP_FRIEND_2);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error installing second app. Result: " << result);
-
- //Making friends
- result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error during friend making. Result: " << result);
-
- //Same as previous tests, smack_have_access should error.
- result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
- result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
-
- //Clean up
- result = perm_app_revoke_permissions(APP_FRIEND_1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(APP_FRIEND_2);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
-
- perm_app_uninstall(APP_FRIEND_1);
- perm_app_uninstall(APP_FRIEND_2);
-
-
- //Befriending with imaginary friend.
-
- //Installing one friend
- result = perm_app_install(APP_FRIEND_1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error installing first app. Result: " << result);
-
- //Adding imaginairy friend as second
- result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error making friends (first) with imaginairy friend failed. Result: " << result);
- //Adding imaginairy friend as first
- result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error making friends (second) with imaginairy friend failed. Result: " << result);
-
- //Same as previous tests, smack_have_access should error.
- result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
- result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
-
- //Clean up
- result = perm_app_revoke_permissions(APP_FRIEND_1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(APP_FRIEND_2);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
-
- perm_app_uninstall(APP_FRIEND_1);
- perm_app_uninstall(APP_FRIEND_2);
-}
-
-/**
- * NOSMACK version of privilege_control15_app_id_from_socket.
- *
- * SMACK version of this test case utilised smack_new_label_from_self and smack_set_label_for_self.
- * Those functions rely on /proc/self/attr/current file, which is unreadable and has no contents on
- * NOSMACK environment. Functions mentioned above were tested during libsmack tests, so they are
- * assumed to react correctly and are not tested in this test case.
- *
- * This test works similarily to libsmack test smack09_new_label_from_socket. At first server and
- * client are created then sockets are set up and perm_app_id_from_socket is used. On NOSMACK env
- * correct behaviour for perm_app_id_from_socket would be returning NULL label.
- */
-RUNNER_MULTIPROCESS_TEST_NOSMACK(privilege_control15_app_id_from_socket_nosmack)
-{
- int pid;
- struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
-
- //Clean up before creating socket
- unlink(SOCK_PATH);
-
- //Create our server and client with fork
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
-
- if (!pid) { //child (server)
- int sock, result, fd;
-
- //Create a socket
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
-
- //Bind socket to address
- result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
- if (result != 0) {
- close(sock);
- RUNNER_ASSERT_MSG(false, "bind failed: " << strerror(errno));
- }
-
- //Prepare for listening
- result = listen(sock, 1);
- if (result != 0) {
- close(sock);
- RUNNER_ASSERT_MSG(false, "listen failed: " << strerror(errno));
- }
-
- //Accept connection
- alarm(2);
- fd = accept(sock, NULL, NULL);
- alarm(0);
- RUNNER_ASSERT_MSG(fd >= 0, "accept failed: " << strerror(errno));
-
- //Wait a little bit for client to use perm_app_id_from_socket
- usleep(200);
-
- //cleanup
- close(sock);
- exit(0);
- } else { //parent (client)
- // Give server some time to setup listening socket
- sleep(1);
- int sock, result;
- char* smack_label = NULL;
-
- //Create socket
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
-
- //Try connecting to address
- result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
- if (result != 0) {
- close(sock);
- RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
- }
-
- //Use perm_app_id_from_socket. Should fail and return NULL smack_label.
- smack_label = perm_app_id_from_socket(sock);
- close(sock);
- RUNNER_ASSERT_MSG(smack_label == NULL, "perm_app_id_from_socket should fail.");
- }
-}
-
-/**
- * Next three functions are defined only because of NOSMACK environment.
- *
- * Inside check_labels_dir_nosmack, smack_have_access should expect error, not access granted.
- */
-int check_labels_dir_nosmack(const char *fpath, const struct stat *sb,
- const char *labels_db_path, const char *dir_db_path,
- const char *access)
-{
- int result;
- char* label;
- char* label_gen;
- char label_temp[SMACK_LABEL_LEN + 1];
- std::fstream fs_db;
-
- /* ACCESS */
- result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
- RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
-
- /* EXEC */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- if (result != 0) {
- free(label_gen);
- RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result);
- }
- if (label != NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
- }
-
- /* TRANSMUTE */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- if (result != 0) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result);
- }
- if (S_ISDIR(sb->st_mode)) {
- if (label == NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
- }
- result = strcmp("TRUE", label);
- if (result != 0) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG(false,
- "TRANSMUTE label on " << fpath << " is not set to TRUE Result: " << result);
- }
- } else if (label != NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
- }
-
- free(label);
-
- fs_db.open(labels_db_path, std::ios_base::in);
- if (!(fs_db.good())) {
- free(label_gen);
- RUNNER_ASSERT_MSG(false, "Can not open database for apps");
- }
-
- while(!fs_db.eof()) {
- fs_db.getline(label_temp, 255);
- result = smack_have_access(label_temp, label_gen, access);
- if (result != -1) { //expect error, not access granted
- free(label_gen);
- RUNNER_ASSERT_MSG(false, "smack_have_access should fail. Result: " << result);
- }
- }
-
- fs_db.close();
-
- fs_db.open(dir_db_path, std::ios_base::in);
- if (!fs_db.good()) {
- free(label_gen);
- RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
- }
-
- bool is_dir = false;
- while(!fs_db.eof()) {
- fs_db.getline(label_temp, 255);
- if (strcmp(label_gen, label_temp) == 0) {
- is_dir = true;
- break;
- }
- }
-
- free(label_gen);
-
- RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
-
- return 0;
-}
-
-/**
- * NOSMACK version of privilege_control18 test.
- *
- * Uses NOSMACK version of nftw_check_labels_app_public_dir.
- */
-RUNNER_TEST_NOSMACK(privilege_control18_app_setup_path_public_nosmack)
-{
- int result;
-
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to check Smack labels for non-app dir. Result: " << result);
-
-}
-
-/**
- * NOSMACK version of privilege_control19 test.
- *
- * Uses NOSMACK version of nftw_check_labels_app_settings_dir.
- */
-RUNNER_TEST_NOSMACK(privilege_control19_app_setup_path_settings_nosmack)
-{
- int result;
-
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to check Smack labels for non-app dir. Result: " << result);
-
-}
-
-/**
- * NOSMACK version of privielge_control21b test.
- *
- * Instead of error caused by incorrect params expect access granted, becuase SMACK is off.
- */
-RUNNER_TEST_NOSMACK(privilege_control21b_incorrect_params_smack_pid_have_access_nosmack)
-{
- int result = smack_pid_have_access(PID_CORRECT, "some_object", NULL);
- RUNNER_ASSERT_MSG(result == 1,
- "smack_pid_have_access should return access granted. Result: " << result);
-
- result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
- RUNNER_ASSERT_MSG(result == 1,
- "smack_pid_have_access should return access granted. Result: " << result);
-
- result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
- RUNNER_ASSERT_MSG(result == 1,
- "smack_pid_have_access should return access granted. Result: " << result);
-
- result = smack_pid_have_access(PID_INCORRECT, "some_object", "rw");
- RUNNER_ASSERT_MSG(result == 1,
- "smack_pid_have_access should return access granted. Result: " << result);
-}
-
-/**
- * Test - Simulation of 100 installations and uninstallations of one application.
- * Installed application will have various kind of permissions from api
- * features and shared folders.
- */
-RUNNER_TEST(privilege_control22_app_installation_1x100)
-{
- int result;
- std::string shared_dir_auto_label;
-
- // Clear any previously created apps, files, labels and permissions
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in: " << TEST_APP_DIR
- << ". Result: " << result);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in: " << TEST_NON_APP_DIR
- << ". Result: " << result);
-
- result = perm_app_revoke_permissions(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_revoke_permissions. Result: " << result);
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall. Result: " << result);
-
- // remove api features by deleting files
- // TODO: Rewrite deleting features
- unlink(FILE_PATH_TEST_OSP_FEATURE);
- unlink(FILE_PATH_TEST_WGT_FEATURE);
-
- // Install setting app and give it app-setting permissions
- result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_revoke_permissions. Result: " << result);
- result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall. Result: " << result);
- result = perm_app_install(APP_TEST_SETTINGS_ASP1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_install. Result: " << result);
- result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1,
- APP_TYPE_OSP, PRIV_APPSETTING, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error enabling App-Setting permissions. Result: " << result);
-
- // Install one additional app (used to check perm to shared directories)
- result = perm_app_revoke_permissions(TEST_OSP_FEATURE_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_revoke_permissions. Result: " << result);
- result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall. Result: " << result);
- result = perm_app_install(TEST_OSP_FEATURE_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_install. Result: " << result);
- result = perm_app_enable_permissions(TEST_OSP_FEATURE_APP_ID,
- APP_TYPE_OSP,(const char*[]) {NULL}, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error enabling permissions. Result: " << result);
-
- // Register two valid api features
- result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE,
- test_osp_feature_rule_set, NULL, 0);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: "
- << TEST_OSP_FEATURE << ". Result: " << result);
-
- result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE,
- test_wgt_feature_rule_set, NULL, 0);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: "
- << TEST_WGT_FEATURE << ". Result: " << result);
-
-
- // Install app loop
- for (int i = 0; i < 100; ++i)
- {
- // Add application
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_install. Loop index: " << i
- << ". Result: " << result);
-
- // Add persistent permissions
- result = perm_app_enable_permissions(APP_ID, APP_TYPE_OSP,
- TEST_OSP_FEATURE_PRIVS, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_enable_permissions from OSP Feature. Loop index: "
- << i << ". Result: " << result);
-
- result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT,
- TEST_WGT_FEATURE_PRIVS, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_enable_permissions from WGT Feature. Loop index: "
- << i << ". Result: " << result);
-
- // add shared dirs
- switch (i%2) // separate odd and even loop runs
- {
- case 0: // Shared dirs: APP_PATH_PRIVATE & APP_PATH_PUBLIC_RO
- {
- // Add app shared dir - APP_PATH_PRIVATE
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR,
- APP_PATH_PRIVATE);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. Loop index: " << i
- << ". Result: " << result);
-
- // Add app shared dir - APP_PATH_PUBLIC_RO
- result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR,
- APP_PATH_PUBLIC_RO);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. Loop index: " << i
- << ". Result: " << result);
-
- // Verify that some previously installed app does not have any access
- // to APP_ID private label
- result = test_have_any_accesses(rules_to_test_any_access1);
- RUNNER_ASSERT_MSG(result == 0,
- "Error - other app has access to private label. Loop index: "
- << i);
-
- // Get autogenerated Public RO label
- char *label;
- result = smack_getlabel(TEST_NON_APP_DIR, &label,
- SMACK_LABEL_ACCESS );
- RUNNER_ASSERT_MSG(result == 0,
- "Cannot get access label from Public RO shared dir. Loop index: "
- << i << ". Result: " << result);
- shared_dir_auto_label = label;
- free(label);
-
- // Verify that all permissions to public dir have been added
- // correctly, also to other app
- result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to Public RO dir are granted. Loop index: "
- << i);
-
- result = smack_have_access(TEST_OSP_FEATURE_APP_ID, shared_dir_auto_label.c_str(), "rx" );
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to Public RO dir are granted. Loop index: "
- << i);
-
- break;
- }
- case 1: // Shared dirs: APP_PATH_APPSETTING_RW & APP_PATH_GROUP_RW
- {
- // Add app shared dir - APP_PATH_SETTINGS_RW
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR,
- APP_PATH_SETTINGS_RW);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. Loop index: " << i
- << ". Result: " << result);
-
- // Add app shared dir - APP_PATH_GROUP_RW
- result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR,
- APP_PATH_GROUP_RW, APPID_SHARED_DIR);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. Loop index: " << i
- << ". Result: " << result);
-
- // Get autogenerated App-Setting label
- char *label;
- result = smack_getlabel(TEST_APP_DIR, &label,
- SMACK_LABEL_ACCESS );
- RUNNER_ASSERT_MSG(result == 0,
- "Cannot get access label from App-Setting shared dir. Loop index: "
- << i << ". Result: " << result);
- shared_dir_auto_label = label;
- free(label);
-
- // Verify that setting app has rwx permission to app dir
- // and rx permissions to app
- result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to App-Setting dir are granted. "
- << APP_ID << " "<< shared_dir_auto_label << " rwxatl "
- << "Loop index: " << i);
-
- result = smack_have_access(APP_TEST_SETTINGS_ASP1, shared_dir_auto_label.c_str(), "rwx");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to App-Setting dir are granted. "
- << APP_TEST_SETTINGS_ASP1 << " " << shared_dir_auto_label << " rwx. "
- << "Loop index: " << i);
-
- result = smack_have_access(APP_TEST_SETTINGS_ASP1, APP_ID, "rx");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to App-Setting dir are granted. "
- << APP_TEST_SETTINGS_ASP1 << " " << APP_ID << " rx"
- << "Loop index: " << i);
-
- // Verify that all permissions to public dir have been added
- // correctly, also to other app
- result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to Group RW dir are granted. Loop index: "
- << i);
-
- break;
- }
- } // END switch
-
- // check if api-features permissions are added properly
- result = test_have_all_accesses(
- (const std::vector< std::vector<std::string> >) {
- { APP_ID, TEST_OSP_FEATURE_APP_ID, "rxl" },
- { APP_ID, TEST_WGT_FEATURE_APP_ID, "rwxl" } } );
- RUNNER_ASSERT_MSG(result == 1,
- "Not all permisions from api features added. Loop index: "
- << i);
-
- // revoke permissions
- result = perm_app_revoke_permissions(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_revoke_permissions. Loop index: " << i
- << ". Result: " << result);
-
- // check if api-features permissions are removed properly
- result = test_have_any_accesses(rules_to_test_any_access2);
- RUNNER_ASSERT_MSG(result == 0,
- "Not all permisions revoked. Loop index: " << i);
-
- // remove labels from app folder
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in " << TEST_APP_DIR
- << " . Loop index: " << i << ". Result: " << result);
- // remove labels from shared folder
- result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels,
- FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in " << TEST_NON_APP_DIR
- << " . Loop index: " << i << ". Result: " << result);
-
- // uninstall app
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall. Loop index: " << i
- << ". Result: " << result);
- } // END Install app loop
-
- // Uninstall setting app and additional app
- result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall. Result: " << result);
- result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall. Result: " << result);
-
- // Remove api features
- // TODO: Rewrite removing features
- unlink(FILE_PATH_TEST_OSP_FEATURE);
- unlink(FILE_PATH_TEST_WGT_FEATURE);
-
-}
-
-/**
- * Test - Simulation of 10 installations and uninstallations of set of 10 applications.
- * Installed applications will have various kind of permissions to each other
- * from api-features and shared folders.
- *
- * APP_TEST_SETTINGS_ASP1 ("test-app-settings-asp1") - registered as setting app
- *
- * Permissions:
- * test_APP0-4 - receive test_osp_feature_rule_set2
- * test_APP5-9 - receive test_wgt_feature_rule_set2
- *
- * During this test there is one directory created for each app for each loop run,
- * dir name syntax is: /tmp/<app_name>_<i-loop_run>
- *
- * test_APP0 & test_APP5 register their directories as APP_PATH_PRIVATE
- * test_APP1, test_APP2 & test_APP6 register their directories as
- * APP_PATH_GROUP_RW using the same label
- * APPID_SHARED_DIR = "test_APP_ID_shared_dir"
- * test_APP3, test_APP7 & test_APP8 register their directories as
- * APP_PATH_PUBLIC_RO
- * test_APP4 & test_APP9 register their directories as
- * APP_PATH_SETTINGS_RW
- */
-RUNNER_TEST(privilege_control23_app_installation2_10x10)
-{
- int result;
- const int app_count = 10;
- std::string shared_dir3_auto_label;
- std::string shared_dir7_auto_label;
- std::string shared_dir8_auto_label;
- std::string setting_dir4_auto_label;
- std::string setting_dir9_auto_label;
- char app_ids[app_count][strlen(APP_ID) + 3];
- char app_dirs[app_count][strlen(APP_ID) + 12];
- const char *test_osp_feature_rule_set2[] = { "~APP~ " APP_ID "6 r",
- "~APP~ " APP_ID "7 rxl",
- "~APP~ " APP_ID "8 rwxal",
- "~APP~ " APP_ID "9 rwxatl",
- NULL };
- const char *test_wgt_feature_rule_set2[] = { "~APP~ " APP_ID "1 r",
- "~APP~ " APP_ID "2 rxl",
- "~APP~ " APP_ID "3 rwxal",
- "~APP~ " APP_ID "4 rwxatl",
- NULL };
-
-
- // generate app ids: test_APP0, test_APP1, test_APP2 etc.:
- for (int i = 0; i < app_count; ++i)
- {
- result = sprintf(app_ids[i], APP_ID "%d", i);
- RUNNER_ASSERT_MSG(result > 0, "Cannot generate name for app nr: " << i);
- }
-
- // Clear any previously created apps, files, labels and permissions
- for (int i = 0; i < app_count; ++i)
- {
- result = perm_app_revoke_permissions(app_ids[i]);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_revoke_permissions for app: "
- << app_ids[i] << ". Result: " << result);
-
- result = perm_app_uninstall(app_ids[i]);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall for app: "
- << app_ids[i] << ". Result: " << result);
- }
-
- // Install setting app and give it app-setting permissions
- result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_revoke_permissions."
- << " Result: " << result);
- result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall."
- << " Result: " << result);
- result = perm_app_install(APP_TEST_SETTINGS_ASP1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_install."
- << " Result: " << result);
- result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1,
- APP_TYPE_OSP, PRIV_APPSETTING, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error enabling App-Setting permissions."
- << " Result: " << result);
-
- // Register two valid api features
- result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE,
- test_osp_feature_rule_set2, NULL, 0);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: "
- << TEST_OSP_FEATURE << ". Result: " << result);
-
- result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE,
- test_wgt_feature_rule_set2, NULL, 0);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: "
- << TEST_WGT_FEATURE << ". Result: " << result);
-
-
- // Install apps loop
- for (int i = 0; i < 10; ++i)
- {
- // Install 10 apps
- for (int j = 0; j < app_count; ++j)
- {
- result = perm_app_install(app_ids[j]);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_install. App id: "
- << app_ids[j]
- << " Loop index: " << i
- << ". Result: " << result);
-
- // Create 10 directories
- result = sprintf(app_dirs[j],"/tmp/" APP_ID "%d_%d", j, i);
- RUNNER_ASSERT_MSG(result > 0,
- "Cannot generate directory name for app nr: " << j
- << " Loop index: " << i);
- result = mkdir(app_dirs[j], S_IRWXU | S_IRGRP | S_IXGRP);
- RUNNER_ASSERT_MSG(result == 0 || errno == EEXIST,
- "Cannot create directory: " << app_dirs[j]);
- result = nftw(app_dirs[j], &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in: " << app_dirs[j]
- << ". Result: " << result);
- }
-
- // Give permissions from api-features
- for (int j = 0; j < (app_count/2); ++j)
- {
- // add persistent api feature permissions
- result = perm_app_enable_permissions(app_ids[j], APP_TYPE_OSP,
- TEST_OSP_FEATURE_PRIVS, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_enable_permissions from OSP Feature. App id: "
- << app_ids[j] << " Loop index: " << i << ". Result: " << result);
-
- result = perm_app_enable_permissions(app_ids[j+5], APP_TYPE_WGT,
- TEST_WGT_FEATURE_PRIVS, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_enable_permissions from WGT Feature. App id: "
- << app_ids[j+5] << " Loop index: " << i << ". Result: " << result);
- }
-
- // Add app shared dirs - APP_PATH_PRIVATE (apps 0, 5)
- result = perm_app_setup_path(app_ids[0], app_dirs[0], APP_PATH_PRIVATE);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[0]
- << " Loop index: " << i << ". Result: " << result);
- result = perm_app_setup_path(app_ids[5], app_dirs[5], APP_PATH_PRIVATE);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[5]
- << " Loop index: " << i << ". Result: " << result);
-
- // Add app shared dir - APP_PATH_GROUP_RW (apps 1, 2, 6)
- result = perm_app_setup_path(app_ids[1], app_dirs[1],
- APP_PATH_GROUP_RW, APPID_SHARED_DIR);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[1]
- << " Loop index: " << i << ". Result: " << result);
- result = perm_app_setup_path(app_ids[2], app_dirs[2],
- APP_PATH_GROUP_RW, APPID_SHARED_DIR);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[2]
- << " Loop index: " << i << ". Result: " << result);
- result = perm_app_setup_path(app_ids[6], app_dirs[6],
- APP_PATH_GROUP_RW, APPID_SHARED_DIR);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[6]
- << " Loop index: " << i << ". Result: " << result);
-
- // Add app shared dir - APP_PATH_PUBLIC_RO (apps 3, 7, 8)
- result = perm_app_setup_path(app_ids[3], app_dirs[3],
- APP_PATH_PUBLIC_RO);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[1]
- << " Loop index: " << i << ". Result: " << result);
- result = perm_app_setup_path(app_ids[7], app_dirs[7],
- APP_PATH_PUBLIC_RO);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[7]
- << " Loop index: " << i << ". Result: " << result);
- result = perm_app_setup_path(app_ids[8], app_dirs[8],
- APP_PATH_PUBLIC_RO);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[8]
- << " Loop index: " << i << ". Result: " << result);
-
- // Add app shared dir - APP_PATH_SETTINGS_RW (apps ,4, 9)
- result = perm_app_setup_path(app_ids[4], app_dirs[4],
- APP_PATH_SETTINGS_RW);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[4]
- << " Loop index: " << i << ". Result: " << result);
- result = perm_app_setup_path(app_ids[9], app_dirs[9],
- APP_PATH_SETTINGS_RW);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_path. App id: " << app_ids[9]
- << " Loop index: " << i << ". Result: " << result);
-
- // Verify that some previously installed app does not have
- // any acces to app 0 and app 5 PRIVATE folders
- for (int j = 0; j < app_count; ++j)
- {
- // Apps 1-9 should not have any access to app 0
- if (j != 0)
- {
- result = test_have_any_accesses(
- FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[0])
- );
- RUNNER_ASSERT_MSG(result == 0,
- "Other app (app id: " << app_ids[j] <<
- ") has access to private label of: " << app_ids[0] <<
- ". It may not be shared. Loop index: " << i << ".");
- }
-
- // Apps 0-4 and 6-9 should not have any access to app 5
- if (j != 5)
- {
- result = test_have_any_accesses(
- FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[5])
- );
- RUNNER_ASSERT_MSG(result == 0,
- "Other app (app id: " << app_ids[j] <<
- ") has access to private label of: " << app_ids[5] <<
- ". It may not be shared. Loop index: " << i << ".");
- }
- } // End for Verify PRIVATE
-
- // Verify that apps 1, 2 and 6 have all accesses to GROUP_RW folders
- result = test_have_all_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[1], APPID_SHARED_DIR, "rwxatl" },
- { app_ids[2], APPID_SHARED_DIR, "rwxatl" },
- { app_ids[6], APPID_SHARED_DIR, "rwxatl" } } );
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to Group RW dir are granted. Loop index: "
- << i);
-
- // Get autogenerated Public_RO labels
- char *label;
- result = smack_getlabel(app_dirs[3], &label,
- SMACK_LABEL_ACCESS );
- RUNNER_ASSERT_MSG(result == 0,
- "Cannot get access label from Public RO shared dir: " << app_dirs[3]
- << " . Loop index: " << i << ". Result: " << result);
- shared_dir3_auto_label = label;
- free(label);
-
- result = smack_getlabel(app_dirs[7], &label,
- SMACK_LABEL_ACCESS );
- RUNNER_ASSERT_MSG(result == 0,
- "Cannot get access label from Public RO shared dir: " << app_dirs[7]
- << " . Loop index: " << i << ". Result: " << result);
- shared_dir7_auto_label = label;
- free(label);
-
- result = smack_getlabel(app_dirs[8], &label,
- SMACK_LABEL_ACCESS );
- RUNNER_ASSERT_MSG(result == 0,
- "Cannot get access label from Public RO shared dir: " << app_dirs[8]
- << " . Loop index: " << i << ". Result: " << result);
- shared_dir8_auto_label = label;
- free(label);
-
- // Verify that all apps have ro permissions to public folders of apps 3, 7 and 8
- // Also apps 3, 7 and 8 should have all permisisons to their own PUBLIC_RO dirs
- for (int j = 0; j < app_count; ++j)
- {
- if (j == 3)
- {
- result = test_have_all_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[j], shared_dir3_auto_label.c_str(), "rwxatl" } } );
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to owned Public RO dir are granted. App id: "
- << app_ids[j] << " Loop index: " << i);
- // Verify that there are no extra permissions to public dirs
- result = test_have_any_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[j], shared_dir7_auto_label.c_str(), "w" },
- { app_ids[j], shared_dir7_auto_label.c_str(), "t" },
- { app_ids[j], shared_dir8_auto_label.c_str(), "w" },
- { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
- RUNNER_ASSERT_MSG(result == 0,
- "Unexpected extra permissions added for app:" << app_ids[j]
- << ". Loop index: " << i);
- }
- if (j == 7)
- {
- result = test_have_all_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[j], shared_dir7_auto_label.c_str(), "rwxatl" } } );
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to owned Public RO dir are granted. App id: "
- << app_ids[j] << " Loop index: " << i);
- // Verify that there are no extra permissions to public dirs
- result = test_have_any_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[j], shared_dir3_auto_label.c_str(), "w" },
- { app_ids[j], shared_dir3_auto_label.c_str(), "t" },
- { app_ids[j], shared_dir8_auto_label.c_str(), "w" },
- { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
- RUNNER_ASSERT_MSG(result == 0,
- "Unexpected extra permissions added for app:" << app_ids[j]
- << ". Loop index: " << i);
- }
- if (j == 8)
- {
- result = test_have_all_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[j], shared_dir8_auto_label.c_str(), "rwxatl" } } );
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to owned Public RO dir are granted. App id: "
- << app_ids[j] << " Loop index: " << i);
- // Verify that there are no extra permissions to other public dirs
- result = test_have_any_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[j], shared_dir3_auto_label.c_str(), "w" },
- { app_ids[j], shared_dir3_auto_label.c_str(), "t" },
- { app_ids[j], shared_dir7_auto_label.c_str(), "w" },
- { app_ids[j], shared_dir7_auto_label.c_str(), "t" } } );
- RUNNER_ASSERT_MSG(result == 0,
- "Unexpected extra permissions added for app:" << app_ids[j]
- << ". Loop index: " << i);
- }
-
- result = test_have_all_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[j], shared_dir3_auto_label.c_str(), "rx" },
- { app_ids[j], shared_dir7_auto_label.c_str(), "rx" },
- { app_ids[j], shared_dir8_auto_label.c_str(), "rx" } } );
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to Public RO dirs are granted. App id: "
- << app_ids[j] << ". Loop index: " << i);
- } // End for Verify PUBLIC_RO
-
- // Get autogenerated SETTING_RW labels
- result = smack_getlabel(app_dirs[4], &label,
- SMACK_LABEL_ACCESS );
- RUNNER_ASSERT_MSG(result == 0,
- "Cannot get access label from App-Setting shared dir: "
- << app_dirs[4] << " . Loop index: " << i
- << ". Result: " << result);
- setting_dir4_auto_label = label;
- free(label);
-
- result = smack_getlabel(app_dirs[9], &label,
- SMACK_LABEL_ACCESS );
- RUNNER_ASSERT_MSG(result == 0,
- "Cannot get access label from App-Setting shared dir: "
- << app_dirs[9] << " . Loop index: " << i
- << ". Result: " << result);
- setting_dir9_auto_label = label;
- free(label);
-
- // Verify that setting app has rwx permission to app-settings dirs and rx to apps
- result = smack_have_access(app_ids[4], setting_dir4_auto_label.c_str(), "rwxatl");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to App-Setting dir are granted."
- << app_ids[4] << " " << setting_dir4_auto_label
- << " Loop index: " << i);
- result = smack_have_access(app_ids[9], setting_dir9_auto_label.c_str(), "rwxatl");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to App-Setting dir are granted."
- << app_ids[9] << " " << setting_dir9_auto_label
- << " Loop index: " << i);
- result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[4], "rx");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to App-Setting dir are granted."
- << APP_TEST_SETTINGS_ASP1 << " " << app_ids[4]
- << " Loop index: " << i);
- result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[9], "rx");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to App-Setting dir are granted."
- << APP_TEST_SETTINGS_ASP1 << " " << app_ids[9]
- << " Loop index: " << i);
- result = smack_have_access(APP_TEST_SETTINGS_ASP1, setting_dir4_auto_label.c_str(), "rwx");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to App-Setting dir are granted."
- << APP_TEST_SETTINGS_ASP1 << " " << setting_dir4_auto_label
- << " Loop index: " << i);
- result = smack_have_access(APP_TEST_SETTINGS_ASP1, setting_dir9_auto_label.c_str(), "rwx");
- RUNNER_ASSERT_MSG(result == 1,
- "Not all accesses to App-Setting dir are granted."
- << APP_TEST_SETTINGS_ASP1 << " " << setting_dir9_auto_label
- << " Loop index: " << i);
-
-
-
- // Check if api-features permissions are added properly
- for (int j = 0; j < 5; ++j)
- {
- result = test_have_all_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[j], app_ids[6], "r" },
- { app_ids[j], app_ids[7], "rxl" },
- { app_ids[j], app_ids[8], "rwxal" },
- { app_ids[j], app_ids[9], "rwxatl" } } );
- RUNNER_ASSERT_MSG(result == 1,
- "Not all permisions from api features added for app id: "
- << app_ids[j] << ". Loop index: " << i);
- }
-
- for (int j = 5; j < app_count; ++j)
- {
- result = test_have_all_accesses(
- (const std::vector< std::vector<std::string> >) {
- { app_ids[j], app_ids[1], "r" },
- { app_ids[j], app_ids[2], "rxl" },
- { app_ids[j], app_ids[3], "rwxal" },
- { app_ids[j], app_ids[4], "rwxatl" } } );
- RUNNER_ASSERT_MSG(result == 1,
- "Not all permisions from api features added for app id: "
- << app_ids[j] << ". Loop index: " << i);
- }
-
- // Revoke permissions
- for (int j = 0; j < app_count; ++j)
- {
- result = perm_app_revoke_permissions(app_ids[j]);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_revoke_permissions. App id: "
- << app_ids[j] << " Loop index: " << i
- << ". Result: " << result);
- }
-
- // Check if permissions are removed properly
- for (int j = 0; j < app_count; ++j)
- {
- // To all other apps
- for (int k = 0; k < app_count; ++k)
- if (j != k)
- {
- result = test_have_any_accesses(
- FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[k])
- );
- RUNNER_ASSERT_MSG(result == 0,
- "Not all permisions revoked. Subject: " << app_ids[j]
- << " Object: " << app_ids[k] << " Loop index: " << i);
- }
- }
-
- // Remove labels from folders and uninstall all apps
- for (int j = 0; j < app_count; ++j)
- {
- result = nftw(app_dirs[j], &nftw_remove_labels,
- FTW_MAX_FDS, FTW_PHYS); // rm labels from app folder
- RUNNER_ASSERT_MSG(result == 0,
- "Unable to clean up Smack labels in: "
- << app_dirs[j] << " . Loop index: " << i
- << ". Result: " << result);
-
- result = perm_app_uninstall(app_ids[j]);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall for app: "
- << app_ids[j] << " . Loop index: " << i
- << ". Result: " << result);
- }
-
- // Remove created dirs
- for (int j = 0; j < app_count; ++j)
- {
- result = rmdir(app_dirs[j]);
- RUNNER_ASSERT_MSG(result == 0,
- "Cannot remove directory: " << app_dirs[j]);
- }
- } // END Install app loop
-
- // Uninstall setting app
- result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_uninstall. Result: " << result);
-
-}