* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- */
+*/
/*
* @file test_cases.cpp
* @author Jan Olszak (j.olszak@samsung.com)
+ * @author Rafal Krypa (r.krypa@samsung.com)
+ * @author Lukasz Wojciechowski (l.wojciechow@partner.samsung.com)
* @version 1.0
- * @brief libprivilege-control test runer
+ * @brief libprivilege-control test runner
*/
#include <string>
-#include <fcntl.h>
-#include <stdio.h>
#include <vector>
-#include <errno.h>
+#include <fstream>
+#include <sstream>
+#include <set>
-
-#include <dpl/test/test_runner.h>
-#include <dpl/log/log.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
-#include <sys/mman.h>
-#include <sys/xattr.h>
+
+#include <sys/socket.h>
+#include <sys/un.h>
#include <sys/smack.h>
#include <privilege-control.h>
+#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_child.h>
+#include <dpl/test/test_runner_multiprocess.h>
+#include <dpl/log/log.h>
+#include <tests_common.h>
+#include <libprivilege-control_test_common.h>
+#include "common/duplicates.h"
+#include "common/db.h"
+#include "memory.h"
+
+// Error codes for test_libprivilege_strerror
+const std::vector<int> error_codes {
+ PC_OPERATION_SUCCESS, PC_ERR_FILE_OPERATION, PC_ERR_MEM_OPERATION, PC_ERR_NOT_PERMITTED,
+ PC_ERR_INVALID_PARAM, PC_ERR_INVALID_OPERATION, PC_ERR_DB_OPERATION, PC_ERR_DB_LABEL_TAKEN,
+ PC_ERR_DB_QUERY_PREP, PC_ERR_DB_QUERY_BIND, PC_ERR_DB_QUERY_STEP, PC_ERR_DB_CONNECTION,
+ PC_ERR_DB_NO_SUCH_APP, PC_ERR_DB_PERM_FORBIDDEN
+};
+namespace {
-#define SMACK_RULES_DIR "/etc/smack/accesses.d/"
-#define TEST_DIR_TREE "/etc/smack/test_privilege_control_DIR"
-#define APPID_ADD "test_APP_ID_add"
-#define APPID_REVOKE "test_APP_ID_revoke"
-#define APPID_DIR "test_APP_ID_dir"
-const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
-
-// Rules from test_privilege_control_rules.smack
-const std::vector< std::vector<std::string> > rulesAdd = {
- { APPID_ADD, "test_book_1", "r" },
- { APPID_ADD, "test_book_2", "w" },
- { APPID_ADD, "test_book_3", "x" },
- { APPID_ADD, "test_book_4", "rw" },
- { APPID_ADD, "test_book_5", "rx" },
- { APPID_ADD, "test_book_6", "wx" },
- { APPID_ADD, "test_book_7", "rwx" },
- { "test_subject_1", APPID_ADD, "r" },
- { "test_subject_2", APPID_ADD, "w" },
- { "test_subject_3", APPID_ADD, "x" },
- { "test_subject_4", APPID_ADD, "rw" },
- { "test_subject_5", APPID_ADD, "rx" },
- { "test_subject_6", APPID_ADD, "wx" },
- { "test_subject_7", APPID_ADD, "rwx" }};
-
-
-// Rules from test_privilege_control_rules.smack
-const std::vector< std::vector<std::string> > rulesRevoke = {
- { APPID_REVOKE, "test_book_1", "r" },
- { APPID_REVOKE, "test_book_2", "w" },
- { APPID_REVOKE, "test_book_3", "x" },
- { APPID_REVOKE, "test_book_4", "rw" },
- { APPID_REVOKE, "test_book_5", "rx" },
- { APPID_REVOKE, "test_book_6", "wx" },
- { APPID_REVOKE, "test_book_7", "rwx" },
- { "test_subject_1", APPID_REVOKE, "r" },
- { "test_subject_2", APPID_REVOKE, "w" },
- { "test_subject_3", APPID_REVOKE, "x" },
- { "test_subject_4", APPID_REVOKE, "rw" },
- { "test_subject_5", APPID_REVOKE, "rx" },
- { "test_subject_6", APPID_REVOKE, "wx" },
- { "test_subject_7", APPID_REVOKE, "rwx" }};
-
-// Files added in spec file
-const std::vector<std::string> paths = {
- "/etc/smack/test_privilege_control_DIR",
- "/etc/smack/test_privilege_control_DIR/test_file",
- "/etc/smack/test_privilege_control_DIR/A",
- "/etc/smack/test_privilege_control_DIR/A/test_file",
- "/etc/smack/test_privilege_control_DIR/A/.test_file",
- "/etc/smack/test_privilege_control_DIR/A/B/test_file" };
+std::vector<std::string> gen_names(std::string prefix, std::string suffix, size_t size)
+{
+ std::vector<std::string> names;
+ for(size_t i = 0; i < size; ++i) {
+ names.push_back(prefix + "_" + std::to_string(i) + suffix);
+ }
+ return names;
+}
+
+const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
+const char *WRT_BLAHBLAH ="/usr/share/privilege-control/WGT_blahblah.smack";
+const char *OTHER_BLAHBLAH ="/usr/share/privilege-control/blahblah.smack";
+const std::vector<std::string> OSP_BLAHBLAH_DAC = gen_names("/usr/share/privilege-control/OSP_feature.blah.blahblah", ".dac", 16);
+const char *WRT_BLAHBLAH_DAC ="/usr/share/privilege-control/WGT_blahblah.dac";
+const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
+const std::vector<std::string> BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16);
+
+int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ int result;
+ char *label;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(APPID_SHARED_DIR, label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect");
+
+ result = smack_have_access(USER_APP_ID, APPID_SHARED_DIR, "rwxatl");
+ RUNNER_ASSERT_MSG_BT(result == 1,
+ "Error rwxatl access was not given shared dir. Subject: " <<
+ USER_APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ if (S_ISDIR(sb->st_mode)) {
+ RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
+ result = strcmp("TRUE", label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "TRANSMUTE label on " << fpath << " is not set");
+ } else
+ RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+
+ return 0;
+}
+
+void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids, std::string dac_file_path)
+{
+ std::ifstream dac_file(dac_file_path);
+ RUNNER_ASSERT_MSG_BT(dac_file, "Line: " << line_no << " Failed to create " << dac_file_path);
+
+ auto it = gids.begin();
+ std::string line;
+ while (std::getline(dac_file,line)) {
+ std::istringstream is(line);
+ unsigned gid;
+ is >> gid;
+ RUNNER_ASSERT_MSG_BT(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
+ RUNNER_ASSERT_MSG_BT(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
+ it++;
+ }
+
+ RUNNER_ASSERT_MSG_BT(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
+
+ dac_file.close();
+}
+
+void remove_smack_files()
+{
+ // TODO array
+ unlink(OSP_BLAHBLAH);
+ unlink(WRT_BLAHBLAH);
+ unlink(OTHER_BLAHBLAH);
+ unlink(WRT_BLAHBLAH_DAC);
+ unlink(OTHER_BLAHBLAH_DAC);
+
+ for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
+ unlink(OSP_BLAHBLAH_DAC[i].c_str());
+
+ for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
+ unlink(OSP_BLAHBLAH_DAC[i].c_str());
+}
+
+} // namespace
+
+RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
/**
- * Check if every rule is true.
- * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
+ * Test setting labels for all files and folders in given path.
*/
-int test_have_all_accesses(const std::vector< std::vector<std::string> >& rules){
+RUNNER_TEST(privilege_control02_app_label_dir)
+{
int result;
- for(uint i =0; i<rules.size();++i ){
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result !=1)
- return result;
- }
- return 1;
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ DB_BEGIN
+
+ result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed");
+
+ DB_END
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for non-app dir");
+}
+
+RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir)
+{
+ int result;
+
+ DB_BEGIN
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, USER_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result != 0, "perm_app_setup_path(APP_ID, USER_APP_ID) didn't fail");
+
+ DB_END
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ DB_BEGIN
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed");
+
+ DB_END
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for shared app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for non-app dir");
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
}
/**
- * Check if every rule is true.
- * @return 1 if ANY rule in SMACK, 0 if
+ * Revoke permissions from the list. Should be executed as privileged user.
*/
-int test_have_any_accesses(const std::vector< std::vector<std::string> >& rules){
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt)
+{
+ test_revoke_permissions(__LINE__, WGT_APP_ID);
+}
+
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp)
+{
+ test_revoke_permissions(__LINE__, OSP_APP_ID);
+}
+
+void test_set_app_privilege(
+ const char* app_id, app_type_t APP_TYPE,
+ const char** privileges, const char* type,
+ const char* app_path, const char* dac_file,
+ const rules_t &rules) {
+ check_app_installed(app_path);
+
int result;
- for(uint i =0; i<rules.size();++i ){
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result ==1)
- return 1;
- }
- return 0;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(app_id);
+ RUNNER_ASSERT_MSG_BT(result == 0,
+ " perm_app_uninstall returned " << result << ". "
+ "Errno: " << strerror(errno));
+
+ result = perm_app_install(app_id);
+ RUNNER_ASSERT_MSG_BT(result == 0,
+ " perm_app_install returned " << result << ". "
+ "Errno: " << strerror(errno));
+
+ // TEST:
+ result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
+
+ DB_END
+
+ result = test_have_all_accesses(rules);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
+
+ std::set<unsigned> groups_before;
+ read_user_gids(groups_before, APP_UID);
+
+ result = perm_app_set_privilege(app_id, type, app_path);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error in perm_app_set_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char *label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG_BT(result >= 0,
+ " Error getting current process label");
+ RUNNER_ASSERT_MSG_BT(label != NULL,
+ " Process label is not set");
+
+ result = strcmp(USER_APP_ID, label);
+ RUNNER_ASSERT_MSG_BT(result == 0,
+ " Process label " << label << " is incorrect");
+
+ check_groups(groups_before, dac_file);
}
-RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
+/**
+ * Set APP privileges. wgt.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
+{
+ test_set_app_privilege(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt);
+}
+
+/**
+ * Set APP privileges. osp app.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
+{
+ test_set_app_privilege(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
+}
+
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_efl)
+{
+ test_set_app_privilege(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL,
+ "rpm", EFL_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl);
+}
/**
- * Add permisions from test_privilege_control_rules template
+ * Add new API feature
*/
-RUNNER_TEST(privilege_control_add_permissions)
+RUNNER_TEST(privilege_control11_add_api_feature)
{
- char* path;
+ int result;
+
+ remove_smack_files();
+
+ DB_BEGIN
+
+ // argument validation
+ result = perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
+ RUNNER_ASSERT_BT(result == PC_ERR_INVALID_PARAM);
+
+ result = perm_add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0);
+ RUNNER_ASSERT_BT(result == PC_ERR_INVALID_PARAM);
+
+
+ // Already existing feature:
+ // TODO: Database will be malformed. (Rules for these features will be removed.)
+ result = perm_add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ result = perm_add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ // empty features
+ result = perm_add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ result = perm_add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ // empty rules
+ const char *test1[] = { NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[0].c_str(), test1, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ const char *test2[] = { "", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[1].c_str(), test2, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ const char *test3[] = { " \t\n", "\t \n", "\n\t ", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[2].c_str(), test3, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
- int result = app_add_permissions(APPID_ADD, PRIVS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app permissions. Errno: " << result);
+ // malformed rules
+ const char *test4[] = { "malformed", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[3].c_str(), test4, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+ const char *test5[] = { "malformed malformed", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[4].c_str(), test5, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+ const char *test6[] = { "-malformed malformed rwxat", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[5].c_str(), test6, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+ const char *test7[] = { "~/\"\\ malformed rwxat", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[6].c_str(), test7, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+ const char *test8[] = { "subject object rwxat something else", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[7].c_str(), test8, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+
+ // correct rules
+ const char *test9[] = {
+ "~APP~ object\t rwxatl",
+ " \t \n",
+ "subject2\t~APP~ ltxarw",
+ "",
+ NULL};
+
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[8].c_str(), test9, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ const char *test10[] = { "Sub::jE,ct ~APP~ a-rwxl", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[9].c_str(), test10, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ const char *test11[] = { "Sub::sjE,ct ~APP~ a-RwXL", NULL }; // TODO This fails.
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[10].c_str(), test11, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+
+ // TODO For now identical/complementary rules are not merged.
+ const char *test12[] = {
+ "subject1 ~APP~ rwxatl",
+ " \t \n",
+ "subject2 ~APP~ ltxarw",
+ "",
+ NULL};
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[11].c_str(), test12, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ // empty group ids
+ const char *test13[] = { "~APP~ b a", NULL};
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[12].c_str(), test13,(const gid_t[]) {0,1,2},0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+ result = file_exists(OSP_BLAHBLAH_DAC[12].c_str());
+ RUNNER_ASSERT_BT(result == -1);
+ remove_smack_files();
+
+
+ // valid group ids
+ result = perm_add_api_feature(APP_TYPE_OSP,BLAHBLAH_FEATURE[13].c_str(), test13,(const gid_t[]) {0,1,2},3);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+ osp_blahblah_dac_check(__LINE__, {0,1,2}, OSP_BLAHBLAH_DAC[13]);
+ remove_smack_files();
+
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[14].c_str(), test13,(const gid_t[]) {0,1,2},1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+ osp_blahblah_dac_check(__LINE__, {0}, OSP_BLAHBLAH_DAC[14]);
+ remove_smack_files();
+
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[15].c_str(), test13,(const gid_t[]) {1,1,1},3);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+ osp_blahblah_dac_check(__LINE__, {1,1,1},OSP_BLAHBLAH_DAC[15]);
+ remove_smack_files();
+
+ DB_END
+}
+
+/*
+ * Check perm_app_uninstall function
+ */
+void check_perm_app_uninstall(const char* pkg_id)
+{
+ int result;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(pkg_id);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned: " << perm_strerror(result));
+
+ DB_END
+}
+
+RUNNER_TEST(privilege_control07_app_uninstall)
+{
+ check_perm_app_uninstall(APP_ID);
+}
+
+/*
+ * Check perm_app_install function
+ */
+void check_perm_app_install(const char* pkg_id)
+{
+ int result;
+
+ DB_BEGIN
+
+ result = perm_app_install(pkg_id);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result));
+
+ DB_END
+
+ TestLibPrivilegeControlDatabase db_test;
+ db_test.test_db_after__perm_app_install(USER_APP_ID);
+}
+
+RUNNER_TEST(privilege_control01_app_install)
+{
+ check_perm_app_uninstall(APP_ID);
+ check_perm_app_install(APP_ID);
+ // try install second time app with the same ID - it should pass.
+ check_perm_app_install(APP_ID);
+}
+
+/*
+ * Check perm_rollback function
+ */
+RUNNER_TEST(privilege_control07_app_rollback)
+{
+ check_perm_app_uninstall(APP_ID);
+
+ int result;
+
+ DB_BEGIN
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result));
+
+ // transaction rollback
+ result = perm_rollback();
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_rollback returned: " << perm_strerror(result));
+
+ DB_END
+}
+
+RUNNER_TEST(privilege_control07_app_rollback_2)
+{
+ check_perm_app_uninstall(APP_ID);
+
+ int result;
+
+ DB_BEGIN
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result));
+
+ // transaction rollback
+ result = perm_rollback();
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_rollback returned: " << perm_strerror(result));
+
+ // install once again after the rollback
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result));
+
+ DB_END
+
+ TestLibPrivilegeControlDatabase db_test;
+ db_test.test_db_after__perm_app_install(USER_APP_ID);
+}
+
+/**
+ * Grant SMACK permissions based on permissions list.
+ */
+RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions)
+{
+ int result;
+
+ // Clean up after test:
+ DB_BEGIN
+
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+/**
+ * Test - Enabling all permissions with persistant mode enabled
+ */
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
+
+ DB_END
// Check if the accesses are realy applied..
- result = test_have_all_accesses(rulesAdd);
- RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ DB_END
- ///Investigate created SMACK rules files..
- RUNNER_ASSERT_MSG(asprintf(&path, SMACK_RULES_DIR "%s", APPID_ADD) != -1,
- "Error in asprintf");
+/**
+ * Test - Enabling all permissions with persistant mode disabled
+ */
+
+ DB_BEGIN
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
- //// File exists?
- FILE *pFile = fopen(path, "rb");
- RUNNER_ASSERT_MSG(pFile != NULL,
- "SMACK file NOT created!. Errno: " << errno);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
- //// Is it empty?
- fseek(pFile, 0L, SEEK_END);
- int smack_file_length = ftell(pFile);
- RUNNER_ASSERT_MSG(smack_file_length>0,
- "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
+ DB_BEGIN
// Clean up
- result = app_revoke_permissions(APPID_ADD);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Errno: " << result);
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
- if (pFile != NULL)
- fclose(pFile);
+ DB_END
-}
+/**
+ * Test - Registering new permissions in two complementary files
+ */
+
+ DB_BEGIN
+
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ DB_END
/**
- * Test setting labels for all files and folders in given path.
+ * Test - Enabling some permissions and then enabling complementary permissions
+ */
+
+ DB_BEGIN
+
+ // Register permission for rules 2 no r
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions without r. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions without r not added.");
+
+ DB_BEGIN
+
+ // Register permission for rules 2
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app all permissions. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions all not added.");
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling some permissions and then enabling all permissions
*/
-RUNNER_TEST(privilege_control_dir_add)
+
+ // Enable permission for rules 2 no r
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions without r. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions without r not added.");
+
+ DB_BEGIN
+
+ // Enable permission for rules 2
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions with only r. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_r);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions with only r not added.");
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+
+
+ // Clean up after test:
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+}
+
+RUNNER_CHILD_TEST_SMACK(privilege_control11_app_enable_permissions_efl)
{
- int result = app_label_dir(APPID_DIR, TEST_DIR_TREE);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Setting privileges for /etc/smack/test_privilege_control_DIR. Errno: " << result);
+ test_app_enable_permissions_efl(true);
+}
- // Check if labels are realy set.
- for(int i=0; i<paths.size(); ++i){
- char* label;
- result = smack_getlabel(paths[i].c_str(), &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Label NOT set");
- free(label);
- }
+/*
+ * Check perm_app_install function
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control12_app_disable_permissions_efl)
+{
+ test_app_disable_permissions_efl(true);
}
+
/**
- * Revoke permissions from the list. Should be executed as privileged user.
+ * Remove previously granted SMACK permissions based on permissions list.
+ */
+RUNNER_TEST_SMACK(privilege_control12_app_disable_permissions)
+{
+ test_app_disable_permissions(true);
+}
+
+/**
+ * Reset SMACK permissions for an application by revoking all previously
+ * granted rules and enabling them again from a rules file from disk.
+ */
+// TODO: This test is incomplete.
+RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions)
+{
+ int result;
+
+/**
+ * Test - doing reset and checking if rules exist again.
*/
-RUNNER_TEST(privilege_control_revoke_permissions)
+
+ DB_BEGIN
+
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ // Disable permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ // Prepare permissions to reset
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
+
+ // Reset permissions
+ result = perm_app_reset_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error reseting app permissions. Result: " << result);
+
+ DB_END
+
+ // Are all second permissions not disabled?
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Not all permissions added.");
+
+ DB_BEGIN
+
+ // Disable permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+}
+
+static void smack_set_random_label_based_on_pid_on_self(void)
{
int result;
+ std::stringstream ss;
+
+ ss << "s-" << getpid() << "-" << getppid();
+ result = smack_set_label_for_self(ss.str().c_str());
+ RUNNER_ASSERT_MSG_BT(result == 0, "smack_set_label_for_self("
+ << ss.str().c_str() << ") failed");
+}
+
+static void smack_unix_sock_server(int sock)
+{
+ int fd, result;
+ char *smack_label;
+
+ alarm(2);
+ fd = accept(sock, NULL, NULL);
+ alarm(0);
+ if (fd < 0)
+ return;
+ result = smack_new_label_from_self(&smack_label);
+ if (result < 0) {
+ close(fd);
+ close(sock);
+ free(smack_label);
+ RUNNER_ASSERT_MSG_BT(0, "smack_new_label_from_self() failed");
+ }
+ result = write(fd, smack_label, strlen(smack_label));
+ if (result != (int)strlen(smack_label)) {
+ close(fd);
+ close(sock);
+ free(smack_label);
+ RUNNER_ASSERT_MSG_BT(0, "write() failed: " << strerror(errno));
+ }
+ close(fd);
+ free(smack_label);
+}
+
+RUNNER_MULTIPROCESS_TEST_SMACK(privilege_control15_app_id_from_socket)
+{
+ int pid;
+ struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+
+ unlink(SOCK_PATH);
+ pid = fork();
+ RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
+
+ smack_set_random_label_based_on_pid_on_self();
+
+ if (!pid) { /* child process, server */
+ int sock, result;
+
+ /* Set the process label before creating a socket */
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno));
+ result = bind(sock,
+ (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "bind failed: " << strerror(errno));
+ }
+ result = listen(sock, 1);
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "listen failed: " << strerror(errno));
+ }
+ smack_unix_sock_server(sock);
+
+ /* Change the process label with listening socket */
+ smack_unix_sock_server(sock);
+
+ pid = fork();
+ RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
+ /* Now running two concurrent servers.
+ Test if socket label was unaffected by fork() */
+ smack_unix_sock_server(sock);
+ /* Let's give the two servers different labels */
+ smack_unix_sock_server(sock);
+ close(sock);
+
+ exit(0);
+ } else { /* parent process, client */
+ sleep(1); /* Give server some time to setup listening socket */
+ int i;
+ for (i = 0; i < 4; ++i) {
+ int sock;
+ int result;
+ char smack_label1[SMACK_LABEL_LEN + 1];
+ char *smack_label2;
+
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG_BT(sock >= 0,
+ "socket failed: " << strerror(errno));
+ result = connect(sock,
+ (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "connect failed: " << strerror(errno));
+ }
+
+ alarm(2);
+ result = read(sock, smack_label1, SMACK_LABEL_LEN);
+ alarm(0);
+ if (result < 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "read failed: " << strerror(errno));
+ }
+ smack_label1[result] = '\0';
+ smack_label2 = perm_app_id_from_socket(sock);
+ if (smack_label2 == NULL) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "perm_app_id_from_socket failed");
+ }
+ result = strcmp(smack_label1, smack_label2);
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "smack labels differ: '" << smack_label1
+ << "' != '" << smack_label2 << "-" << random() << "'");
+ }
+ close(sock);
+ }
+ }
+}
+
+RUNNER_TEST(privilege_control16_app_setup_path){
+ const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
+ const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
+ const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
+ const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
+ const char *label1 = "qwert123456za";
+ const char *label2 = "trewq654123az";
+
+ CStringPtr labelPtr;
+
+ mkdir(path1,0);
+ mkdir(path2,0);
+
+ int fd = creat(path3, S_IRWXU);
+ if (fd >= 0)
+ close(fd);
+ fd = creat(path4, S_IRWXU);
+ if (fd >= 0)
+ close(fd);
+
+ char *label = NULL;
+
+ DB_BEGIN
+
+ RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
+
+ DB_END
+
+ RUNNER_ASSERT_BT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label1));
+
+ DB_BEGIN
+
+ RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
+
+ DB_END
+
+ RUNNER_ASSERT_BT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label2));
+
+ RUNNER_ASSERT_BT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT_BT(labelPtr.get() == NULL);
+}
+
+RUNNER_TEST_SMACK(privilege_control17_appsettings_privilege)
+{
+ test_appsettings_privilege(true);
+}
+
+void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) {
+ int result;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_uninstall." << result);
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_install." << result);
+
+ DB_END
- // Prepare permissions that we want to revoke
- result = app_add_permissions(APPID_REVOKE, PRIVS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app permissions. Errno: " << result);
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " Unable to clean up Smack labels in " << TEST_APP_DIR);
- // Revoke permissions
- result = app_revoke_permissions(APPID_REVOKE);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Errno: " << result);
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
- // Are all the permissions revoked?
- result = test_have_all_accesses(rulesRevoke);
- RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
+ DB_BEGIN
- // Investigate SMACK rules file
- char* path;
- RUNNER_ASSERT_MSG(asprintf(&path, SMACK_RULES_DIR "%s", APPID_REVOKE) != -1,
- "Error in asprintf");
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " perm_app_setup_path() failed");
- //// Is the smack file deleted?
- FILE *pFile = fopen(path, "rb");
- RUNNER_ASSERT_MSG(pFile == NULL,
- "SMACK file NOT deleted after revoking ALL privileges. Errno: " << errno);
+ DB_END
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " Unable to check Smack labels for non-app dir");
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_uninstall." << result);
+
+ DB_END
+}
+
+RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
+{
+ test_app_setup_path(__LINE__, APP_PATH_PUBLIC_RO);
+}
+
+RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings)
+{
+ test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW);
+}
+
+void check_perm_app_has_permission(const char* app_label, const char* permission, bool is_enabled_expected)
+{
+ int result;
+ bool is_enabled;
+
+ result = perm_app_has_permission(app_label, APP_TYPE_WGT, permission, &is_enabled);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error calling perm_app_has_permission. Result: " << result);
+
+ RUNNER_ASSERT_MSG_BT(is_enabled == is_enabled_expected,
+ "Result of perm_app_has_permission should be: " << is_enabled_expected);
+}
+
+RUNNER_TEST(privilege_control20_perm_app_has_permission)
+{
+ int result;
+ const char *other_app_label = "test_other_app_label";
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error uninstalling app. Result" << result);
+
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error installing app. Result" << result);
+
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app r and no r permissions. Result: " << result);
+
+ DB_END
+
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
+
+ DB_BEGIN
+
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error registering app r permissions. Result: " << result);
+
+ DB_END
+
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
+
+ DB_BEGIN
+
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error registering app r permissions. Result: " << result);
+
+ DB_END
+
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
+
+ DB_BEGIN
+
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app r and no r permissions. Result: " << result);
+
+ DB_END
+
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
+
+ DB_BEGIN
+
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app r and no r permissions. Result: " << result);
+
+ DB_END
+
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false);
+ check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
+ check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
+}
+
+RUNNER_TEST(privilege_control25_test_libprivilege_strerror) {
+ int POSITIVE_ERROR_CODE = 1;
+ int NONEXISTING_ERROR_CODE = -239042;
+ const char *result;
+
+ for (auto itr = error_codes.begin(); itr != error_codes.end(); ++itr) {
+ RUNNER_ASSERT_MSG_BT(strcmp(perm_strerror(*itr), "Unknown error") != 0,
+ "Returned invalid error code description.");
+ }
- RUNNER_ASSERT_MSG(errno == ENOENT,
- "SMACK file NOT deleted after revoking ALL privileges. Errno: " << errno);
+ result = perm_strerror(POSITIVE_ERROR_CODE);
+ RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0,
+ "Bad message returned for invalid error code: \"" << result << "\"");
- if (pFile != NULL)
- fclose(pFile);
+ result = perm_strerror(NONEXISTING_ERROR_CODE);
+ RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0,
+ "Bad message returned for invalid error code: \"" << result << "\"");
}
projects / platform / core / test / security-tests.git / blobdiff