#include <string>
#include <vector>
-#include <memory>
#include <fstream>
#include <sstream>
+#include <set>
#include <fcntl.h>
#include <errno.h>
#include <libprivilege-control_test_common.h>
#include "common/duplicates.h"
#include "common/db.h"
-
-#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
-
-#define EARLY_RULE_SUBJECT "livebox.web-provider"
-#define EARLY_RULE_RIGHTS "rwx---"
-
-#define SMACK_ACC_LEN 6
+#include "memory.h"
// Error codes for test_libprivilege_strerror
const std::vector<int> error_codes {
result = strcmp(APPID_SHARED_DIR, label);
RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect");
- result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl");
+ result = smack_have_access(USER_APP_ID, APPID_SHARED_DIR, "rwxatl");
RUNNER_ASSERT_MSG_BT(result == 1,
"Error rwxatl access was not given shared dir. Subject: " <<
- APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
+ USER_APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
return 0;
}
-int check_labels_dir(const char *fpath, const struct stat *sb,
- const char *labels_db_path, const char *dir_db_path,
- const char *access)
-{
- int result;
- char *label;
- char *label_gen;
- char *scanf_label_format;
- char label_temp[SMACK_LABEL_LEN + 1];
- FILE *file_db;
-
- /* ACCESS */
- result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG_BT(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
-
- /* EXEC */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- if (result != 0) {
- free(label_gen);
- RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path");
- }
- if (label != NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "EXEC label on " << fpath << " is set.");
- }
-
- /* TRANSMUTE */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- if (result != 0) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path");
- }
- if (S_ISDIR(sb->st_mode)) {
- if (label == NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is not set");
- }
- result = strcmp("TRUE", label);
- if (result != 0) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
- }
- } else if (label != NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is set");
- }
-
- free(label);
-
- if (0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)) {
- free(label_gen);
- RUNNER_ASSERT_MSG_BT(false, "asprintf failed");
- }
-
- file_db = fopen(labels_db_path, "r");
- if (file_db == NULL) {
- free(label_gen);
- free(scanf_label_format);
- RUNNER_ASSERT_MSG_BT(false, "Can not open database for apps");
- }
- while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
- result = smack_have_access(label_temp, label_gen, access);
- if (result != 1) {
- fclose(file_db);
- free(label_gen);
- free(scanf_label_format);
- RUNNER_ASSERT_MSG_BT(false,
- "Error " << access << " access was not given for subject: "
- << label_temp << ". Result: " << result);
- }
- }
- fclose(file_db);
-
- file_db = fopen(dir_db_path, "r");
- if (file_db == NULL) {
- free(label_gen);
- free(scanf_label_format);
- RUNNER_ASSERT_MSG_BT(false, "Can not open database for dirs");
- }
-
- free(scanf_label_format);
- free(label_gen);
- fclose(file_db);
-
- return 0;
-}
-
-void osp_blahblah_check(int line_no, const std::vector<std::string> &rules)
-{
- std::ifstream smack_file(OSP_BLAHBLAH);
- RUNNER_ASSERT_MSG_BT(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
-
- auto it = rules.begin();
- std::string line;
- while (std::getline(smack_file,line)) {
- RUNNER_ASSERT_MSG_BT(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
- RUNNER_ASSERT_MSG_BT(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
- it++;
- }
-
- RUNNER_ASSERT_MSG_BT(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
-
- smack_file.close();
-}
-
void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids, std::string dac_file_path)
{
std::ifstream dac_file(dac_file_path);
result = perm_app_install(APP_ID);
RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
- RUNNER_ASSERT_MSG_BT(result != 0, "perm_app_setup_path(APP_ID, APP_ID) didn't fail");
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, USER_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result != 0, "perm_app_setup_path(APP_ID, USER_APP_ID) didn't fail");
DB_END
}
/**
- * Simple enabling EFL permissions;.
- */
-RUNNER_TEST_SMACK(privilege_control04_add_permissions)
-{
- int result = 0;
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
-
- result = perm_app_setup_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " perm_app_setup_permissions failed with result: " << result);
-
- DB_END
-
- // Check if permission is assigned to app in db
- check_app_has_permission(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
-
- // Check if the accesses are realy applied..
- result = test_have_all_accesses(rules_efl);
- RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
-
- DB_END
-}
-
-/**
* Revoke permissions from the list. Should be executed as privileged user.
*/
RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt)
{
- test_revoke_permissions(__LINE__, WGT_APP_ID, rules_wgt, true);
-}
-
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_partner)
-{
- test_revoke_permissions(__LINE__, WGT_PARTNER_APP_ID, rules_wgt_partner, true);
-}
-
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_platform)
-{
- test_revoke_permissions(__LINE__, WGT_PLATFORM_APP_ID, rules_wgt_platform, true);
+ test_revoke_permissions(__LINE__, WGT_APP_ID);
}
/**
*/
RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp)
{
- test_revoke_permissions(__LINE__, OSP_APP_ID, rules_osp, true);
+ test_revoke_permissions(__LINE__, OSP_APP_ID);
}
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_partner)
-{
- test_revoke_permissions(__LINE__, OSP_PARTNER_APP_ID, rules_osp_partner, true);
-}
-
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_platform)
-{
- test_revoke_permissions(__LINE__, OSP_PLATFORM_APP_ID, rules_osp_platform, true);
-}
-
-
-void set_app_privilege(int line_no,
+void test_set_app_privilege(
const char* app_id, app_type_t APP_TYPE,
const char** privileges, const char* type,
const char* app_path, const char* dac_file,
const rules_t &rules) {
- check_app_installed(line_no, app_path);
+ check_app_installed(app_path);
int result;
DB_BEGIN
result = perm_app_uninstall(app_id);
- RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
- " perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ RUNNER_ASSERT_MSG_BT(result == 0,
+ " perm_app_uninstall returned " << result << ". "
+ "Errno: " << strerror(errno));
result = perm_app_install(app_id);
- RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
- " perm_app_install returned " << result << ". Errno: " << strerror(errno));
+ RUNNER_ASSERT_MSG_BT(result == 0,
+ " perm_app_install returned " << result << ". "
+ "Errno: " << strerror(errno));
// TEST:
- result = perm_app_setup_permissions(app_id, APP_TYPE, privileges);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
DB_END
result = test_have_all_accesses(rules);
RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
+ std::set<unsigned> groups_before;
+ read_user_gids(groups_before, APP_UID);
+
result = perm_app_set_privilege(app_id, type, app_path);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error in perm_app_set_privilege. Error: " << result);
// Check if SMACK label really set
char *label;
result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG_BT(result >= 0, "Line: " << line_no <<
+ RUNNER_ASSERT_MSG_BT(result >= 0,
" Error getting current process label");
- RUNNER_ASSERT_MSG_BT(label != NULL, "Line: " << line_no <<
+ RUNNER_ASSERT_MSG_BT(label != NULL,
" Process label is not set");
- result = strcmp(app_id, label);
- RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+
+ result = strcmp(USER_APP_ID, label);
+ RUNNER_ASSERT_MSG_BT(result == 0,
" Process label " << label << " is incorrect");
- check_groups(dac_file);
+ check_groups(groups_before, dac_file);
}
/**
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
{
- set_app_privilege(__LINE__,WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
+ test_set_app_privilege(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt);
}
/**
- * Set APP privileges. wgt_partner.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner)
-{
- set_app_privilege(__LINE__, WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT,
- "wgt_partner", WGT_PARTNER_APP_PATH,
- LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_partner);
-}
-
-/**
- * Set APP privileges. wgt_platform.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform)
-{
- set_app_privilege(__LINE__, WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT,
- "wgt_platform", WGT_PLATFORM_APP_PATH,
- LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_platform);
-}
-
-/**
* Set APP privileges. osp app.
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
{
- set_app_privilege(__LINE__, OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, NULL, OSP_APP_PATH,
+ test_set_app_privilege(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH,
LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
}
-/**
- * Set APP privileges. partner osp app.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner)
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_efl)
{
- set_app_privilege(__LINE__, OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP,
- NULL, OSP_PARTNER_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_partner);
-}
-
-/**
- * Set APP privileges. platform osp app.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform)
-{
- set_app_privilege(__LINE__, OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP,
- NULL, OSP_PLATFORM_APP_PATH,
- LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform);
+ test_set_app_privilege(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL,
+ "rpm", EFL_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl);
}
/**
RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned: " << perm_strerror(result));
DB_END
-
- TestLibPrivilegeControlDatabase db_test;
- db_test.test_db_after__perm_app_uninstall(pkg_id);
}
RUNNER_TEST(privilege_control07_app_uninstall)
DB_END
TestLibPrivilegeControlDatabase db_test;
- db_test.test_db_after__perm_app_install(pkg_id);
+ db_test.test_db_after__perm_app_install(USER_APP_ID);
}
RUNNER_TEST(privilege_control01_app_install)
RUNNER_ASSERT_MSG_BT(result == 0, "perm_rollback returned: " << perm_strerror(result));
DB_END
-
- TestLibPrivilegeControlDatabase db_test;
- db_test.test_db_after__perm_app_uninstall(APP_ID);
-
}
RUNNER_TEST(privilege_control07_app_rollback_2)
DB_END
TestLibPrivilegeControlDatabase db_test;
- db_test.test_db_after__perm_app_install(APP_ID);
-}
-/*
- * Check app_register_av function
- * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
- */
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-RUNNER_TEST_SMACK(privilege_control10_app_register_av)
-{
- RUNNER_IGNORED_MSG("app_register_av is not implemented");
- int result;
-
- // cleaning
- smack_revoke_subject(APP_TEST_AV_1);
- smack_revoke_subject(APP_TEST_AV_2);
-
- DB_BEGIN
-
- // Adding two apps before antivir
- result = perm_app_install(APP_TEST_APP_1);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- result = perm_app_install(APP_TEST_APP_2);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- // Adding antivir
- result = app_register_av(APP_TEST_AV_1);
- RUNNER_ASSERT_MSG_BT(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
-
- DB_END
-
- // Checking added apps accesses
- checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
- checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
-
- DB_BEGIN
-
- // Adding third app
- result = perm_app_install(APP_TEST_APP_3);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- DB_END
-
- // Checking app accesses
- checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
- checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
- checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
-
- // Adding second antivir
- result = app_register_av(APP_TEST_AV_2);
- RUNNER_ASSERT_MSG_BT(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
-
- // Checking app accesses
- checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
- checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
-
- // cleaning
- smack_revoke_subject(APP_TEST_AV_1);
- smack_revoke_subject(APP_TEST_AV_2);
+ db_test.test_db_after__perm_app_install(USER_APP_ID);
}
-#pragma GCC diagnostic warning "-Wdeprecated-declarations"
/**
* Grant SMACK permissions based on permissions list.
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error revoking app permissions. Result: " << result);
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
result = test_have_all_accesses(rules2);
RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
- // Check if permission is assigned to app in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
-
DB_BEGIN
// Clean up
DB_END
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
-
/**
* Test - Enabling all permissions with persistant mode disabled
*/
DB_BEGIN
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
- result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 0);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error enabling app permissions. Result: " << result);
result = test_have_all_accesses(rules2);
RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
- // Check if permission is assigned to app in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
-
DB_BEGIN
// Clean up
DB_END
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
-
/**
* Test - Registering new permissions in two complementary files
*/
DB_BEGIN
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
result = test_have_all_accesses(rules2_no_r);
RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
- // Check if permissions are assigned to app in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, true);
-
DB_BEGIN
// Clean up
DB_END
- // Check if permissions are disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false);
-
/**
* Test - Enabling some permissions and then enabling complementary permissions
*/
DB_BEGIN
// Register permission for rules 2 no r
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions without r. Result: " << result);
DB_BEGIN
// Register permission for rules 2
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app all permissions. Result: " << result);
*/
// Enable permission for rules 2 no r
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions without r. Result: " << result);
DB_BEGIN
// Enable permission for rules 2
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions with only r. Result: " << result);
result = perm_app_install(WGT_APP_ID);
RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+ // Disable permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
// Prepare permissions to reset
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
DB_BEGIN
// Disable permissions
- result = perm_app_revoke_permissions(WGT_APP_ID);
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error disabling app permissions. Result: " << result);
DB_END
}
-/**
- * Make two applications "friends", by giving them both full permissions on
- * each other.
- */
-RUNNER_TEST_SMACK(privilege_control14_app_add_friend)
-{
- RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented");
-
- int result;
-
-/**
- * Test - making friends with no permissions on each other
- */
-
- DB_BEGIN
-
- result = perm_app_revoke_permissions(APP_FRIEND_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(APP_FRIEND_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
-
- perm_app_uninstall(APP_FRIEND_1);
- perm_app_uninstall(APP_FRIEND_2);
-
- // Installing friends to be
- result = perm_app_install(APP_FRIEND_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " Error installing first app. Result: " << result);
- result = perm_app_install(APP_FRIEND_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " Error installing second app. Result: " << result);
-
- // Making friends
- result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " Error making friends. Errno: " << result);
-
- DB_END
-
- // Checking if friends were made
- result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
- RUNNER_ASSERT_MSG_BT(result == 1,
- " Error first one sided friednship failed. Result: " << result);
- result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
- RUNNER_ASSERT_MSG_BT(result == 1,
- " Error second one sided friednship failed. Result: " << result);
-
- DB_BEGIN
-
- // Clean up
- result = perm_app_revoke_permissions(APP_FRIEND_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(APP_FRIEND_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
-
- perm_app_uninstall(APP_FRIEND_1);
- perm_app_uninstall(APP_FRIEND_2);
-
- DB_END
-
-/**
- * Test - making friends with nonexistent friend
- */
-
- DB_BEGIN
-
- // Installing one friend
- result = perm_app_install(APP_FRIEND_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " Error installing first app. Errno: " << result);
-
- // Adding imaginary friend as second
- result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " Error making friends (first) with imaginairy friend failed. Result: "
- << result);
- // Adding imaginary friend as first
- result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " Error making friends (second) with imaginairy friend failed. Result: "
- << result);
- // Clean up
- result = perm_app_revoke_permissions(APP_FRIEND_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(APP_FRIEND_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
-
- perm_app_uninstall(APP_FRIEND_1);
- perm_app_uninstall(APP_FRIEND_2);
-
- DB_END
-
-/**
- * Test - making friends with some permissions already added
- */
- unsigned int i;
- unsigned int j;
-
- struct smack_accesses *rulesFriend = NULL;
-
- std::vector<std::string> accessesFriend =
- { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
-
- DB_BEGIN
-
- // Installing friends to be
- result = perm_app_install(APP_FRIEND_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " Error installing first app. Result: " << result);
- result = perm_app_install(APP_FRIEND_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " Error installing second app. Result: " << result);
-
- DB_END
-
- for (i = 0; i < accessesFriend.size(); ++i)
- {
- for (j = 0; j < accessesFriend.size(); ++j)
- {
- // Adding rules before making friends
- result = smack_accesses_new(&rulesFriend);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error in smack_accesses_new. Result: " << result);
-
- result = smack_accesses_add(rulesFriend,
- APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Unable to add modify rulesFirend (first). Result: " << result);
- result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
- APP_FRIEND_1, accessesFriend[j].c_str());
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Unable to add modify rulesFirend (second). Result: " << result);
-
- result = smack_accesses_apply(rulesFriend);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error in smack_accesses_apply. Result: " << result);
-
- DB_BEGIN
-
- // Adding friends
- result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " Error making friends. Result: " << result);
-
- DB_END
-
- // Checking if friends were made
- result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
- RUNNER_ASSERT_MSG_BT(result == 1,
- " Error first one sided friednship failed. Result: " << result);
- result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
- RUNNER_ASSERT_MSG_BT(result == 1,
- " Error second one sided friednship failed. Result: " << result);
-
- // Deleting all rules between friends
- smack_accesses_add_modify(rulesFriend,
- APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
- smack_accesses_add_modify(rulesFriend,
- APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
-
- result = smack_accesses_apply(rulesFriend);
-
- smack_accesses_free(rulesFriend);
- rulesFriend = NULL;
- }
- }
-
- DB_BEGIN
-
- // Clean up
- result = perm_app_revoke_permissions(APP_FRIEND_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(APP_FRIEND_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
-
- perm_app_uninstall(APP_FRIEND_1);
- perm_app_uninstall(APP_FRIEND_2);
-
- DB_END
-}
-
static void smack_set_random_label_based_on_pid_on_self(void)
{
int result;
test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW);
}
-RUNNER_TEST_SMACK(privilege_control20_app_setup_path_npruntime)
+void check_perm_app_has_permission(const char* app_label, const char* permission, bool is_enabled_expected)
{
- int result = 0;
- CStringPtr labelPtr;
- std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime";
- char *label = NULL;
-
- restore_original_additional_rules();
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
-
- result = perm_app_install(APP_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_install. " << result);
-
- result = perm_app_setup_path(APP_NPRUNTIME, APP_NPRUNTIME_FILE, PERM_APP_PATH_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path. " << result);
-
- DB_END
-
- RUNNER_ASSERT_BT(0 == smack_lgetlabel(APP_NPRUNTIME_FILE, &label, SMACK_LABEL_EXEC));
- labelPtr.reset(label);
- label = NULL;
- RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), nptargetlabel.c_str()));
-
- // Rules to test
- const std::vector< std::vector<std::string> > np_rules = {
- { APP_NPRUNTIME, nptargetlabel, "rw" },
- { nptargetlabel, APP_NPRUNTIME, "rxat" },
- { nptargetlabel, "system::homedir", "rxat" },
- { nptargetlabel, "xorg", "rw" },
- { nptargetlabel, "crash-worker", "rwxa" },
- { nptargetlabel, "sys-assert::core", "rwxat" },
- { nptargetlabel, "syslogd", "rw" },
- };
-
- // Test smack accesses
- result = test_have_all_accesses(np_rules);
- RUNNER_ASSERT_MSG_BT(result == 1, "Not all permissions added.");
-
- DB_BEGIN
+ int result;
+ bool is_enabled;
- result = perm_app_uninstall(APP_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
+ result = perm_app_has_permission(app_label, APP_TYPE_WGT, permission, &is_enabled);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error calling perm_app_has_permission. Result: " << result);
- DB_END
+ RUNNER_ASSERT_MSG_BT(is_enabled == is_enabled_expected,
+ "Result of perm_app_has_permission should be: " << is_enabled_expected);
}
-RUNNER_TEST(privilege_control21_early_rules)
+RUNNER_TEST(privilege_control20_perm_app_has_permission)
{
- RUNNER_IGNORED_MSG("early rules are not implemented");
-
int result;
- int pass_1 = 0;
- int pass_2 = 0;
- char *single_line_format = NULL;
- char *perm = NULL;
- FILE *file = NULL;
-
- char subject[SMACK_LABEL_LEN + 1] = {0};
- char object[SMACK_LABEL_LEN + 1] = {0};
- char rule_add[SMACK_ACC_LEN + 1] = {0};
- char rule_remove[SMACK_ACC_LEN + 1] = {0};
+ const char *other_app_label = "test_other_app_label";
DB_BEGIN
- perm_app_uninstall(APP_ID);
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(APP_TEST_APP_1);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- DB_END
-
- TestLibPrivilegeControlDatabase db_test;
- db_test.test_db_after__perm_app_install(APP_ID);
- db_test.test_db_after__perm_app_install(APP_TEST_APP_1);
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error uninstalling app. Result" << result);
- DB_BEGIN
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error installing app. Result" << result);
- result = perm_app_setup_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm);
- RUNNER_ASSERT_MSG_BT(result == 0, "app_register_permissions failed: " << result);
- result = perm_app_setup_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm);
- RUNNER_ASSERT_MSG_BT(result == 0, "app_register_permissions failed: " << result);
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app r and no r permissions. Result: " << result);
DB_END
- file = fopen(SMACK_STARTUP_RULES_FILE, "r");
- RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
-
- result = asprintf(&single_line_format, "%%%ds %%%ds %%%ds %%%ds\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN, SMACK_ACC_LEN, SMACK_ACC_LEN);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
- while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
- pass_1 = 1; // Found rule for APP_ID
- continue;
- }
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
- pass_2 = 1; // Found rule for APP_TEST_APP_1
- continue;
- }
- }
- fclose(file);
- file = NULL;
-
- RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " not found");
- RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
-
- // Checking if "early rule" for APP_ID was really removed
- // We also should make sure that "early rules" for other apps wasn't removed
DB_BEGIN
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- DB_END
- pass_1 = 1;
- pass_2 = 0;
-
- file = fopen(SMACK_STARTUP_RULES_FILE, "r");
- RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
-
- while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
- pass_1 = 0; // Found rule for APP_ID - it should NOT be here
- continue;
- }
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
- pass_2 = 1; // Found rule for APP_TEST_APP_1
- continue;
- }
- }
- fclose(file);
- file = NULL;
-
- RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
- RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
-
- // Removing and checking "early rule" for APP_TEST_APP_1
- DB_BEGIN
- result = perm_app_uninstall(APP_TEST_APP_1);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- DB_END
- pass_1 = 1;
- pass_2 = 1;
-
- file = fopen(SMACK_STARTUP_RULES_FILE, "r");
- RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
-
- while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
- pass_1 = 0; // Found rule for APP_ID - it should NOT be here
- continue;
- }
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
- pass_2 = 0; // Found rule for APP_TEST_APP_1 - it should NOT be here
- continue;
- }
- }
- free(single_line_format);
- fclose(file);
-
- RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
- RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
-}
-/**
- * AV Privilege test cases.
- *
- * Each privilege_control24* test case tests antivirus privileges for each app_type_t, except for
- * deprecated APP_TYPE_OTHER type.
- */
-
-int nftw_remove_dir(const char* filename, const struct stat* /*statptr*/, int /*fileflags*/,
- struct FTW* /*pfwt*/)
-{
- int result = -1;
-
- struct stat filestat;
-
- result = stat(filename, &filestat);
- RUNNER_ASSERT_MSG_BT(result == 0, "NFTW error: Failed to get file statistics. Result: "
- << result << ", error: " << strerror(errno) << ", file: " << filename);
-
- if(S_ISREG(filestat.st_mode)) {
- result = unlink(filename);
- RUNNER_ASSERT_MSG_BT(result == 0, "NFTW error: Failed to unlink file. Result: "
- << result << ", error: " << strerror(errno) << ", file: " << filename);
- } else if(S_ISDIR(filestat.st_mode)) {
- result = rmdir(filename);
- RUNNER_ASSERT_MSG_BT(result == 0, "NFTW error: Failed to remove dir. Result: "
- << result << ", error: " << strerror(errno) << ", file: " << filename);
- }
-
- return 0;
-}
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error registering app r permissions. Result: " << result);
-void InstallApp(const char* pkg_id, const char* path, app_path_type_t app_path_type,
- const char* shared_label)
-{
- int result = -1;
+ DB_END
- result = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP);
- RUNNER_ASSERT_MSG_BT(result == 0, "Can't create dir for tests. Result: " << result <<
- ", error: " << strerror(errno) << ", app_path_type: " << app_path_type);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
DB_BEGIN
- result = perm_app_revoke_permissions(pkg_id);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
- << result << ", app_path_type: " << app_path_type);
- result = perm_app_uninstall(pkg_id);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
- << result << ", app_path_type: " << app_path_type);
-
- result = perm_app_install(pkg_id);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
- << result << ", app_path_type: " << app_path_type);
- result = perm_app_setup_path(pkg_id, path, app_path_type, shared_label);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_setup_path failed. Result: "
- << result << ", app_path_type: " << app_path_type);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error registering app r permissions. Result: " << result);
DB_END
-}
-void InstallAV(const char* av_id, app_type_t av_type)
-{
- int result = -1;
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
DB_BEGIN
- result = perm_app_revoke_permissions(av_id);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
- << result << ", av_type: " << av_type);
- result = perm_app_uninstall(av_id);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
- << result << ", av_type: " << av_type);
-
- result = perm_app_install(av_id);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
- << result << ", av_type: " << av_type);
- result = perm_app_setup_permissions(av_id, av_type, PRIVS_AV);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "register_permissions failed. Result: "
- << result << ", av_type: " << av_type);
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app r and no r permissions. Result: " << result);
DB_END
-}
-void CheckAVPrivilege(app_type_t av_type, app_path_type_t app_path_type)
-{
- int result = -1;
-
- //clean before test
- result = nftw(APP_TEST_APP_1_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
- ", error " << strerror(errno));
-
- result = nftw(APP_TEST_APP_2_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
- ", error " << strerror(errno));
-
- result = nftw(APP_TEST_APP_3_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
- ", error " << strerror(errno));
-
- InstallApp(APP_TEST_APP_1, APP_TEST_APP_1_DIR, app_path_type, APP_TEST_APP_1_SHARED_LABEL);
- InstallAV(APP_TEST_AV_1, av_type);
- InstallApp(APP_TEST_APP_2, APP_TEST_APP_2_DIR, app_path_type, APP_TEST_APP_2_SHARED_LABEL);
- InstallAV(APP_TEST_AV_2, av_type);
- InstallApp(APP_TEST_APP_3, APP_TEST_APP_3_DIR, app_path_type, APP_TEST_APP_3_SHARED_LABEL);
-
- //test - get ACCESS label and check AV privilege
-
- char* tmp;
-
- //get labels
- result = smack_lgetlabel(APP_TEST_APP_1_DIR, &tmp, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG_BT(result == 0, "smack_lgetlabel failed. Result: " << result
- << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
- std::string label1(tmp);
- free(tmp);
-
- result = smack_lgetlabel(APP_TEST_APP_2_DIR, &tmp, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG_BT(result == 0, "smack_lgetlabel failed. Result: " << result
- << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
- std::string label2(tmp);
- free(tmp);
-
- result = smack_lgetlabel(APP_TEST_APP_3_DIR, &tmp, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG_BT(result == 0, "smack_lgetlabel failed. Result: " << result
- << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
- std::string label3(tmp);
- free(tmp);
-
- if(app_path_type == APP_PATH_GROUP_RW)
- {
- result = label1.compare(APP_TEST_APP_1_SHARED_LABEL);
- RUNNER_ASSERT_MSG_BT(result == 0, "Labels do not equal. Acquired " << label1 <<
- ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type);
-
- result = label2.compare(APP_TEST_APP_2_SHARED_LABEL);
- RUNNER_ASSERT_MSG_BT(result == 0, "Labels do not equal. Acquired " << label1 <<
- ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type);
-
- result = label3.compare(APP_TEST_APP_3_SHARED_LABEL);
- RUNNER_ASSERT_MSG_BT(result == 0, "Labels do not equal. Acquired " << label1 <<
- ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type);
- }
-
- std::stringstream ss;
-
- //check AV accesses
- if(smack_check())
- {
- ss << "APP_TEST_APP_1, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccess(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
- ss.str(std::string());
-
- ss << "APP_TEST_APP_2, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccess(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
- ss.str(std::string());
-
- ss << "APP_TEST_APP_3, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccess(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
-
- ss << "APP_TEST_APP_1, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccess(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
- ss.str(std::string());
-
- ss << "APP_TEST_APP_2, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccess(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
- ss.str(std::string());
-
- ss << "APP_TEST_APP_3, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccess(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
- }
- else
- {
- ss << "APP_TEST_APP_1, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
-
- ss.str(std::string());
- ss << "APP_TEST_APP_2, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
-
- ss.str(std::string());
- ss << "APP_TEST_APP_3, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccessNosmack(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
-
- ss << "APP_TEST_APP_1, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccessNosmack(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
-
- ss.str(std::string());
- ss << "APP_TEST_APP_2, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccessNosmack(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
-
- ss.str(std::string());
- ss << "APP_TEST_APP_3, line " << __LINE__ <<
- ", av_type: " << av_type << ", app_path_type: " << app_path_type;
- checkOnlyAvAccessNosmack(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
- }
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
DB_BEGIN
- //Clean up
- perm_app_revoke_permissions(APP_TEST_AV_1);
- perm_app_revoke_permissions(APP_TEST_AV_2);
- perm_app_uninstall(APP_TEST_AV_1);
- perm_app_uninstall(APP_TEST_AV_2);
- perm_app_uninstall(APP_TEST_APP_1);
- perm_app_uninstall(APP_TEST_APP_2);
- perm_app_uninstall(APP_TEST_APP_3);
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app r and no r permissions. Result: " << result);
DB_END
-}
-RUNNER_TEST(privilege_control24a_av_privilege_group_rw)
-{
- CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_GROUP_RW);
- CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_GROUP_RW);
- CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_GROUP_RW);
-}
-
-RUNNER_TEST(privilege_control24b_av_privilege_settings_rw)
-{
- CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_SETTINGS_RW);
- CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_SETTINGS_RW);
- CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_SETTINGS_RW);
-}
-
-RUNNER_TEST(privilege_control24c_av_privilege_public_ro)
-{
- CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_PUBLIC_RO);
- CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_PUBLIC_RO);
- CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_PUBLIC_RO);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
}
RUNNER_TEST(privilege_control25_test_libprivilege_strerror) {
RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0,
"Bad message returned for invalid error code: \"" << result << "\"");
}
-
-RUNNER_TEST(privilege_control27_perm_app_get_privileges_empty)
-{
- char** pp_privileges = NULL;
- int result;
- CStringListPtr privileges;
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << perm_strerror(result));
-
- result = perm_app_install(APP_ID);
-
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_install failed: " << perm_strerror(result));
-
- DB_END
-
- result = perm_app_get_permissions(APP_ID, PERM_APP_TYPE_WGT, &pp_privileges);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_get_permissions failed: " << perm_strerror(result));
- privileges.reset(pp_privileges);
-
- RUNNER_ASSERT_MSG_BT(pp_privileges != NULL,
- "perm_app_get_permissions failed to set pointer to cstring array");
- RUNNER_ASSERT_MSG_BT(*pp_privileges == NULL,
- "perm_app_get_permissions found permissions when not supposed to");
-}
-
-RUNNER_TEST(privilege_control27_perm_app_get_privileges)
-{
- char** pp_privileges = NULL;
- int result;
- size_t i;
- CStringListPtr privileges;
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
-
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << perm_strerror(result));
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_install failed: " << perm_strerror(result));
-
- result = perm_app_setup_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_register_permissions failed: " << perm_strerror(result));
-
- result = perm_app_setup_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_register_permissions failed: " << perm_strerror(result));
-
- result = perm_app_disable_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_disable_permissions failed: " << perm_strerror(result));
- DB_END
-
- result = perm_app_get_permissions(APP_ID, PERM_APP_TYPE_WGT, &pp_privileges);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_get_permissions returned " << result << ": " << perm_strerror(result));
- privileges.reset(pp_privileges);
-
- for(i = 0; pp_privileges[i] != NULL; ++i) {
- RUNNER_ASSERT_MSG_BT(PRIVS[i] != NULL,
- "perm_app_get_permissions returned too many permissions");
- RUNNER_ASSERT_MSG_BT(strcmp(pp_privileges[i], PRIVS[i]) == 0,
- "perm_app_get_permissions returned wrong permission, " << pp_privileges[i] <<
- " != " << PRIVS[i]);
- }
- RUNNER_ASSERT_MSG_BT(PRIVS[i] == NULL,
- "perm_app_get_permissions returned too few enabled permissions");
-}
-
-RUNNER_TEST(privilege_control28_perm_app_get_paths_empty)
-{
- char **pp_paths = NULL;
- int result;
- CStringListPtr paths;
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << perm_strerror(result));
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " <<
- perm_strerror(result));
-
- DB_END
-
- result = perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC, &pp_paths);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_get_paths failed: " <<
- perm_strerror(result));
- paths.reset(pp_paths);
-
- RUNNER_ASSERT_MSG_BT(pp_paths != NULL,
- "perm_app_get_paths failed to set pointer to cstring array");
- RUNNER_ASSERT_MSG_BT(*pp_paths == NULL, "perm_app_get_paths found paths when not supposed to");
-}
-
-RUNNER_TEST(privilege_control28_perm_app_get_paths)
-{
- char **pp_paths = NULL;
- int result;
- size_t i;
- size_t DIR_NUM = 3;
- CStringListPtr paths;
- std::vector<Directory> test_paths;
-
- for (i = 0; i < DIR_NUM; ++i) {
- test_paths.push_back(Directory("/tmp/dir" + std::to_string(i), 0));
- RUNNER_ASSERT_MSG_BT(test_paths[i].isCreated(), "failed to create a directory " <<
- test_paths[i].path() << ": " << strerror(test_paths[i].errorCode()));
- }
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " <<
- perm_strerror(result));
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " <<
- perm_strerror(result));
-
- for (auto itr = test_paths.begin(); itr != test_paths.end(); ++itr) {
- result = perm_app_setup_path(APP_ID, itr->path().c_str(), PERM_APP_PATH_PUBLIC);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path failed: " << perm_strerror(result));
- }
-
- DB_END
-
- result = perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC, &pp_paths);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_get_paths failed: " <<
- perm_strerror(result));
- paths.reset(pp_paths);
-
- for(i = 0; pp_paths[i] != NULL; ++i) {
- RUNNER_ASSERT_MSG_BT(i < test_paths.size(), "perm_app_get_paths returned too many paths");
- RUNNER_ASSERT_MSG_BT(test_paths[i].path() == pp_paths[i],
- "perm_app_get_paths returned unexpected path, " << pp_paths[i] << " != " <<
- test_paths[i].path());
- }
- RUNNER_ASSERT_MSG_BT(i == test_paths.size(), "perm_app_get_paths returned too few paths");
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " <<
- perm_strerror(result));
-
- DB_END
-}
projects / platform / core / test / security-tests.git / blobdiff