* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- */
+*/
/*
* @file test_cases.cpp
* @author Jan Olszak (j.olszak@samsung.com)
* @author Rafal Krypa (r.krypa@samsung.com)
+ * @author Lukasz Wojciechowski (l.wojciechow@partner.samsung.com)
* @version 1.0
- * @brief libprivilege-control test runer
+ * @brief libprivilege-control test runner
*/
#include <string>
-#include <fcntl.h>
-#include <stdio.h>
#include <vector>
+#include <memory>
+#include <fstream>
+#include <sstream>
+
+#include <fcntl.h>
#include <errno.h>
-#include <ftw.h>
-#include <dpl/test/test_runner.h>
-#include <dpl/log/log.h>
+#include <unistd.h>
+
#include <sys/types.h>
#include <sys/stat.h>
-#include <sys/mman.h>
-#include <sys/xattr.h>
+
+#include <sys/socket.h>
+#include <sys/un.h>
#include <sys/smack.h>
+
#include <privilege-control.h>
+#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_child.h>
+#include <dpl/test/test_runner_multiprocess.h>
+#include <dpl/log/log.h>
+#include <tests_common.h>
+#include <libprivilege-control_test_common.h>
+#include "common/duplicates.h"
+#include "common/db.h"
+#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
-#define SMACK_RULES_DIR "/etc/smack/accesses.d/"
-#define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
-#define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
-#define APPID_ADD "test_APP_ID_add"
-#define APPID_REVOKE "test_APP_ID_revoke"
-#define APPID_DIR "test_APP_ID_dir"
-#define APPID_SHARED_DIR "test_APP_ID_shared_dir"
-#define CANARY_LABEL "tiny_yellow_canary"
-
-#define APP_SET_PRIV "test_APP"
-#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
-
-const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
-
-#define APP_GID 5000
-#define APP_UID 5000
-#define APP_USER_NAME "app"
-#define APP_HOME_DIR "/opt/home/app"
-
-// How many open file descriptors should ftw() function use?
-#define FTW_MAX_FDS 16
-
-// Rules from test_privilege_control_rules.smack
-const std::vector< std::vector<std::string> > rulesAdd = {
- { APPID_ADD, "test_book_1", "r" },
- { APPID_ADD, "test_book_2", "w" },
- { APPID_ADD, "test_book_3", "x" },
- { APPID_ADD, "test_book_4", "rw" },
- { APPID_ADD, "test_book_5", "rx" },
- { APPID_ADD, "test_book_6", "wx" },
- { APPID_ADD, "test_book_7", "rwx" },
- { "test_subject_1", APPID_ADD, "r" },
- { "test_subject_2", APPID_ADD, "w" },
- { "test_subject_3", APPID_ADD, "x" },
- { "test_subject_4", APPID_ADD, "rw" },
- { "test_subject_5", APPID_ADD, "rx" },
- { "test_subject_6", APPID_ADD, "wx" },
- { "test_subject_7", APPID_ADD, "rwx" },
- { APPID_ADD, APPID_SHARED_DIR, "rwxat"}};
-
-
-// Rules from test_privilege_control_rules.smack
-const std::vector< std::vector<std::string> > rulesRevoke = {
- { APPID_REVOKE, "test_book_1", "r" },
- { APPID_REVOKE, "test_book_2", "w" },
- { APPID_REVOKE, "test_book_3", "x" },
- { APPID_REVOKE, "test_book_4", "rw" },
- { APPID_REVOKE, "test_book_5", "rx" },
- { APPID_REVOKE, "test_book_6", "wx" },
- { APPID_REVOKE, "test_book_7", "rwx" },
- { "test_subject_1", APPID_REVOKE, "r" },
- { "test_subject_2", APPID_REVOKE, "w" },
- { "test_subject_3", APPID_REVOKE, "x" },
- { "test_subject_4", APPID_REVOKE, "rw" },
- { "test_subject_5", APPID_REVOKE, "rx" },
- { "test_subject_6", APPID_REVOKE, "wx" },
- { "test_subject_7", APPID_REVOKE, "rwx" }};
+#define EARLY_RULE_SUBJECT "livebox.web-provider"
+#define EARLY_RULE_RIGHTS "rwx---"
-/**
- * Check if every rule is true.
- * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
- */
-int test_have_all_accesses(const std::vector< std::vector<std::string> >& rules){
- int result;
- for(uint i =0; i<rules.size();++i ){
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result !=1)
- return result;
- }
- return 1;
-}
+#define SMACK_ACC_LEN 6
-/**
- * Check if every rule is true.
- * @return 1 if ANY rule in SMACK, 0 if
- */
-int test_have_any_accesses(const std::vector< std::vector<std::string> >& rules){
- int result;
- for(uint i =0; i<rules.size();++i ){
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result ==1)
- return 1;
- }
- return 0;
-}
+// Error codes for test_libprivilege_strerror
+const std::vector<int> error_codes {
+ PC_OPERATION_SUCCESS, PC_ERR_FILE_OPERATION, PC_ERR_MEM_OPERATION, PC_ERR_NOT_PERMITTED,
+ PC_ERR_INVALID_PARAM, PC_ERR_INVALID_OPERATION, PC_ERR_DB_OPERATION, PC_ERR_DB_LABEL_TAKEN,
+ PC_ERR_DB_QUERY_PREP, PC_ERR_DB_QUERY_BIND, PC_ERR_DB_QUERY_STEP, PC_ERR_DB_CONNECTION,
+ PC_ERR_DB_NO_SUCH_APP, PC_ERR_DB_PERM_FORBIDDEN
+};
-RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
+namespace {
-static int nftw_remove_labels(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
+std::vector<std::string> gen_names(std::string prefix, std::string suffix, size_t size)
{
- smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
- smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
- smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
-
- return 0;
+ std::vector<std::string> names;
+ for(size_t i = 0; i < size; ++i) {
+ names.push_back(prefix + "_" + std::to_string(i) + suffix);
+ }
+ return names;
}
-static int nftw_set_labels_non_app_dir(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
-{
- smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
- smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
- smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
-
- return 0;
-}
+const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
+const char *WRT_BLAHBLAH ="/usr/share/privilege-control/WGT_blahblah.smack";
+const char *OTHER_BLAHBLAH ="/usr/share/privilege-control/blahblah.smack";
+const std::vector<std::string> OSP_BLAHBLAH_DAC = gen_names("/usr/share/privilege-control/OSP_feature.blah.blahblah", ".dac", 16);
+const char *WRT_BLAHBLAH_DAC ="/usr/share/privilege-control/WGT_blahblah.dac";
+const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
+const std::vector<std::string> BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16);
-static int nftw_check_labels_non_app_dir(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
+int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
int result;
- char* label;
+ char *label;
/* ACCESS */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(CANARY_LABEL, label);
- RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(APPID_SHARED_DIR, label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect");
+ result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl");
+ RUNNER_ASSERT_MSG_BT(result == 1,
+ "Error rwxatl access was not given shared dir. Subject: " <<
+ APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(CANARY_LABEL, label);
- RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
/* TRANSMUTE */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ if (S_ISDIR(sb->st_mode)) {
+ RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
+ result = strcmp("TRUE", label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "TRANSMUTE label on " << fpath << " is not set");
+ } else
+ RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
return 0;
}
-static int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
+int check_labels_dir(const char *fpath, const struct stat *sb,
+ const char *labels_db_path, const char *dir_db_path,
+ const char *access)
{
int result;
- char* label;
+ char *label;
+ char *label_gen;
+ char *scanf_label_format;
+ char label_temp[SMACK_LABEL_LEN + 1];
+ FILE *file_db;
/* ACCESS */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
+ result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG_BT(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
- RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
- } else
- RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+ if (result != 0) {
+ free(label_gen);
+ RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path");
+ }
+ if (label != NULL) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG_BT(false, "EXEC label on " << fpath << " is set.");
+ }
/* TRANSMUTE */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+ if (result != 0) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path");
+ }
+ if (S_ISDIR(sb->st_mode)) {
+ if (label == NULL) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is not set");
+ }
+ result = strcmp("TRUE", label);
+ if (result != 0) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
+ }
+ } else if (label != NULL) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is set");
+ }
+
+ free(label);
+
+ if (0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)) {
+ free(label_gen);
+ RUNNER_ASSERT_MSG_BT(false, "asprintf failed");
+ }
+
+ file_db = fopen(labels_db_path, "r");
+ if (file_db == NULL) {
+ free(label_gen);
+ free(scanf_label_format);
+ RUNNER_ASSERT_MSG_BT(false, "Can not open database for apps");
+ }
+ while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
+ result = smack_have_access(label_temp, label_gen, access);
+ if (result != 1) {
+ fclose(file_db);
+ free(label_gen);
+ free(scanf_label_format);
+ RUNNER_ASSERT_MSG_BT(false,
+ "Error " << access << " access was not given for subject: "
+ << label_temp << ". Result: " << result);
+ }
+ }
+ fclose(file_db);
+
+ file_db = fopen(dir_db_path, "r");
+ if (file_db == NULL) {
+ free(label_gen);
+ free(scanf_label_format);
+ RUNNER_ASSERT_MSG_BT(false, "Can not open database for dirs");
+ }
+
+ free(scanf_label_format);
+ free(label_gen);
+ fclose(file_db);
return 0;
}
-static int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
+void osp_blahblah_check(int line_no, const std::vector<std::string> &rules)
{
- int result;
- char* label;
+ std::ifstream smack_file(OSP_BLAHBLAH);
+ RUNNER_ASSERT_MSG_BT(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
+
+ auto it = rules.begin();
+ std::string line;
+ while (std::getline(smack_file,line)) {
+ RUNNER_ASSERT_MSG_BT(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
+ RUNNER_ASSERT_MSG_BT(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
+ it++;
+ }
- /* ACCESS */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
- result = strcmp(APPID_SHARED_DIR, label);
- RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
+ RUNNER_ASSERT_MSG_BT(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
- /* EXEC */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+ smack_file.close();
+}
- /* TRANSMUTE */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- if (S_ISDIR(sb->st_mode)) {
- RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
- result = strcmp("TRUE", label);
- RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
- } else
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids, std::string dac_file_path)
+{
+ std::ifstream dac_file(dac_file_path);
+ RUNNER_ASSERT_MSG_BT(dac_file, "Line: " << line_no << " Failed to create " << dac_file_path);
+
+ auto it = gids.begin();
+ std::string line;
+ while (std::getline(dac_file,line)) {
+ std::istringstream is(line);
+ unsigned gid;
+ is >> gid;
+ RUNNER_ASSERT_MSG_BT(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
+ RUNNER_ASSERT_MSG_BT(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
+ it++;
+ }
- return 0;
+ RUNNER_ASSERT_MSG_BT(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
+
+ dac_file.close();
+}
+
+void remove_smack_files()
+{
+ // TODO array
+ unlink(OSP_BLAHBLAH);
+ unlink(WRT_BLAHBLAH);
+ unlink(OTHER_BLAHBLAH);
+ unlink(WRT_BLAHBLAH_DAC);
+ unlink(OTHER_BLAHBLAH_DAC);
+
+ for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
+ unlink(OSP_BLAHBLAH_DAC[i].c_str());
+
+ for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
+ unlink(OSP_BLAHBLAH_DAC[i].c_str());
}
+} // namespace
+
+RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
+
/**
* Test setting labels for all files and folders in given path.
*/
-RUNNER_TEST(privilege_control01_app_label_dir)
+RUNNER_TEST(privilege_control02_app_label_dir)
{
int result;
result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
- result = app_label_dir(APPID_DIR, TEST_APP_DIR);
- RUNNER_ASSERT_MSG(result == 0, "app_label_dir() failed");
+ DB_BEGIN
+
+ result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed");
+
+ DB_END
result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for app dir");
result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for non-app dir");
}
-RUNNER_TEST(privilege_control02_app_label_shared_dir)
+RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir)
{
int result;
+ DB_BEGIN
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
+ RUNNER_ASSERT_MSG_BT(result != 0, "perm_app_setup_path(APP_ID, APP_ID) didn't fail");
+
+ DB_END
+
result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ DB_BEGIN
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed");
- result = app_label_shared_dir(APPID_ADD, APPID_SHARED_DIR, TEST_APP_DIR);
- RUNNER_ASSERT_MSG(result == 0, "app_label_shared_dir() failed");
+ DB_END
result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for shared app dir");
result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
-}
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for non-app dir");
+
+ DB_BEGIN
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+}
/**
- * Add permisions from test_privilege_control_rules template
+ * Simple enabling EFL permissions;.
*/
-RUNNER_TEST(privilege_control03_add_permissions)
+RUNNER_TEST_SMACK(privilege_control04_add_permissions)
{
- char* path;
+ int result = 0;
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+
+ result = perm_app_setup_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " perm_app_setup_permissions failed with result: " << result);
- int result = app_add_permissions(APPID_ADD, PRIVS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app permissions. Errno: " << result);
+ DB_END
+
+ // Check if permission is assigned to app in db
+ check_app_has_permission(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
// Check if the accesses are realy applied..
- result = test_have_all_accesses(rulesAdd);
- RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+ result = test_have_all_accesses(rules_efl);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
- ///Investigate created SMACK rules files..
- RUNNER_ASSERT_MSG(asprintf(&path, SMACK_RULES_DIR "%s", APPID_ADD) != -1,
- "Error in asprintf");
+ DB_BEGIN
- //// File exists?
- FILE *pFile = fopen(path, "rb");
- RUNNER_ASSERT_MSG(pFile != NULL,
- "SMACK file NOT created!. Errno: " << errno);
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- //// Is it empty?
- fseek(pFile, 0L, SEEK_END);
- int smack_file_length = ftell(pFile);
- RUNNER_ASSERT_MSG(smack_file_length>0,
- "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
+ DB_END
+}
- // Clean up
- result = app_revoke_permissions(APPID_ADD);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Errno: " << result);
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt)
+{
+ test_revoke_permissions(__LINE__, WGT_APP_ID, rules_wgt, true);
+}
- if (pFile != NULL)
- fclose(pFile);
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_partner)
+{
+ test_revoke_permissions(__LINE__, WGT_PARTNER_APP_ID, rules_wgt_partner, true);
+}
+
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_platform)
+{
+ test_revoke_permissions(__LINE__, WGT_PLATFORM_APP_ID, rules_wgt_platform, true);
+}
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp)
+{
+ test_revoke_permissions(__LINE__, OSP_APP_ID, rules_osp, true);
}
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_partner)
+{
+ test_revoke_permissions(__LINE__, OSP_PARTNER_APP_ID, rules_osp_partner, true);
+}
/**
* Revoke permissions from the list. Should be executed as privileged user.
*/
-RUNNER_TEST(privilege_control04_revoke_permissions)
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_platform)
{
+ test_revoke_permissions(__LINE__, OSP_PLATFORM_APP_ID, rules_osp_platform, true);
+}
+
+
+void set_app_privilege(int line_no,
+ const char* app_id, app_type_t APP_TYPE,
+ const char** privileges, const char* type,
+ const char* app_path, const char* dac_file,
+ const rules_t &rules) {
+ check_app_installed(line_no, app_path);
+
int result;
- // Prepare permissions that we want to revoke
- result = app_add_permissions(APPID_REVOKE, PRIVS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app permissions. Errno: " << result);
+ DB_BEGIN
+
+ result = perm_app_uninstall(app_id);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_install(app_id);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ // TEST:
+ result = perm_app_setup_permissions(app_id, APP_TYPE, privileges);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error registering app permissions. Result: " << result);
+
+ DB_END
+
+ result = test_have_all_accesses(rules);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
+
+ result = perm_app_set_privilege(app_id, type, app_path);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_set_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char *label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG_BT(result >= 0, "Line: " << line_no <<
+ " Error getting current process label");
+ RUNNER_ASSERT_MSG_BT(label != NULL, "Line: " << line_no <<
+ " Process label is not set");
+ result = strcmp(app_id, label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " Process label " << label << " is incorrect");
+
+ check_groups(dac_file);
+}
- // Revoke permissions
- result = app_revoke_permissions(APPID_REVOKE);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Errno: " << result);
+/**
+ * Set APP privileges. wgt.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
+{
+ set_app_privilege(__LINE__,WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt);
+}
- // Are all the permissions revoked?
- result = test_have_all_accesses(rulesRevoke);
- RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
+/**
+ * Set APP privileges. wgt_partner.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner)
+{
+ set_app_privilege(__LINE__, WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT,
+ "wgt_partner", WGT_PARTNER_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_partner);
+}
- // Investigate SMACK rules file
- char* path;
- RUNNER_ASSERT_MSG(asprintf(&path, SMACK_RULES_DIR "%s", APPID_REVOKE) != -1,
- "Error in asprintf");
+/**
+ * Set APP privileges. wgt_platform.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform)
+{
+ set_app_privilege(__LINE__, WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT,
+ "wgt_platform", WGT_PLATFORM_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_platform);
+}
- //// Is the smack file deleted?
- FILE *pFile = fopen(path, "rb");
- RUNNER_ASSERT_MSG(pFile == NULL,
- "SMACK file NOT deleted after revoking ALL privileges. Errno: " << errno);
+/**
+ * Set APP privileges. osp app.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
+{
+ set_app_privilege(__LINE__, OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, NULL, OSP_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
+}
- RUNNER_ASSERT_MSG(errno == ENOENT,
- "SMACK file NOT deleted after revoking ALL privileges. Errno: " << errno);
+/**
+ * Set APP privileges. partner osp app.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner)
+{
+ set_app_privilege(__LINE__, OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP,
+ NULL, OSP_PARTNER_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_partner);
+}
- if (pFile != NULL)
- fclose(pFile);
+/**
+ * Set APP privileges. platform osp app.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform)
+{
+ set_app_privilege(__LINE__, OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP,
+ NULL, OSP_PLATFORM_APP_PATH,
+ LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform);
}
/**
- * Set APP privileges.
+ * Add new API feature
*/
-RUNNER_TEST(privilege_control05_set_app_privilege)
+RUNNER_TEST(privilege_control11_add_api_feature)
{
int result;
- char* labelApp = "test_pc_label";
- // Preset exec label
- smack_setlabel(APP_SET_PRIV_PATH,labelApp, SMACK_LABEL_EXEC);
+ remove_smack_files();
- // Set APP privileges
- result = set_app_privilege(APP_SET_PRIV, NULL, APP_SET_PRIV_PATH);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+ DB_BEGIN
- // Check if SMACK label really set
- char * label;
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == 0, "Error setting label for exec" << result);
- result = strcmp(labelApp, label);
- RUNNER_ASSERT_MSG(result == 0, "Label NOT set");
+ // argument validation
+ result = perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
+ RUNNER_ASSERT_BT(result == PC_ERR_INVALID_PARAM);
+
+ result = perm_add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0);
+ RUNNER_ASSERT_BT(result == PC_ERR_INVALID_PARAM);
+
+
+ // Already existing feature:
+ // TODO: Database will be malformed. (Rules for these features will be removed.)
+ result = perm_add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ result = perm_add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ // empty features
+ result = perm_add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ result = perm_add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ // empty rules
+ const char *test1[] = { NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[0].c_str(), test1, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ const char *test2[] = { "", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[1].c_str(), test2, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ const char *test3[] = { " \t\n", "\t \n", "\n\t ", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[2].c_str(), test3, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ // malformed rules
+ const char *test4[] = { "malformed", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[3].c_str(), test4, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+ const char *test5[] = { "malformed malformed", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[4].c_str(), test5, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+ const char *test6[] = { "-malformed malformed rwxat", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[5].c_str(), test6, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+ const char *test7[] = { "~/\"\\ malformed rwxat", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[6].c_str(), test7, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+ const char *test8[] = { "subject object rwxat something else", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[7].c_str(), test8, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
+
+
+ // correct rules
+ const char *test9[] = {
+ "~APP~ object\t rwxatl",
+ " \t \n",
+ "subject2\t~APP~ ltxarw",
+ "",
+ NULL};
+
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[8].c_str(), test9, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ const char *test10[] = { "Sub::jE,ct ~APP~ a-rwxl", NULL };
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[9].c_str(), test10, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ const char *test11[] = { "Sub::sjE,ct ~APP~ a-RwXL", NULL }; // TODO This fails.
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[10].c_str(), test11, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+
+ // TODO For now identical/complementary rules are not merged.
+ const char *test12[] = {
+ "subject1 ~APP~ rwxatl",
+ " \t \n",
+ "subject2 ~APP~ ltxarw",
+ "",
+ NULL};
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[11].c_str(), test12, NULL, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+
+ // empty group ids
+ const char *test13[] = { "~APP~ b a", NULL};
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[12].c_str(), test13,(const gid_t[]) {0,1,2},0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+ result = file_exists(OSP_BLAHBLAH_DAC[12].c_str());
+ RUNNER_ASSERT_BT(result == -1);
+ remove_smack_files();
+
+
+ // valid group ids
+ result = perm_add_api_feature(APP_TYPE_OSP,BLAHBLAH_FEATURE[13].c_str(), test13,(const gid_t[]) {0,1,2},3);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+ osp_blahblah_dac_check(__LINE__, {0,1,2}, OSP_BLAHBLAH_DAC[13]);
+ remove_smack_files();
+
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[14].c_str(), test13,(const gid_t[]) {0,1,2},1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+ osp_blahblah_dac_check(__LINE__, {0}, OSP_BLAHBLAH_DAC[14]);
+ remove_smack_files();
+
+ result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[15].c_str(), test13,(const gid_t[]) {1,1,1},3);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
+ osp_blahblah_dac_check(__LINE__, {1,1,1},OSP_BLAHBLAH_DAC[15]);
+ remove_smack_files();
+
+ DB_END
+}
+
+/*
+ * Check perm_app_install function
+ */
+RUNNER_TEST(privilege_control01_app_install)
+{
+ int result;
+
+ DB_BEGIN
+
+ perm_app_uninstall(APP_ID);
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ // try install second time app with the same ID - it should pass.
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+}
+
+/*
+ * Check perm_app_uninstall function
+ */
+RUNNER_TEST(privilege_control07_app_uninstall)
+{
+ int result;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+
+ TestLibPrivilegeControlDatabase db_test;
+ db_test.test_db_after__perm_app_uninstall(APP_ID);
+}
+
+/*
+ * Check app_register_av function
+ * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
+ */
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+RUNNER_TEST_SMACK(privilege_control10_app_register_av)
+{
+ RUNNER_IGNORED_MSG("app_register_av is not implemented");
+ int result;
+
+ // cleaning
+ smack_revoke_subject(APP_TEST_AV_1);
+ smack_revoke_subject(APP_TEST_AV_2);
+
+ DB_BEGIN
- // Check if DAC privileges really set
- RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
- RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
+ // Adding two apps before antivir
+ result = perm_app_install(APP_TEST_APP_1);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = strcmp(getenv("HOME"), APP_HOME_DIR);
- RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR");
+ result = perm_app_install(APP_TEST_APP_2);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = strcmp(getenv("USER"), APP_USER_NAME);
- RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME");
+ // Adding antivir
+ result = app_register_av(APP_TEST_AV_1);
+ RUNNER_ASSERT_MSG_BT(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+
+ // Checking added apps accesses
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
+
+ DB_BEGIN
+
+ // Adding third app
+ result = perm_app_install(APP_TEST_APP_3);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+
+ // Checking app accesses
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
+
+ // Adding second antivir
+ result = app_register_av(APP_TEST_AV_2);
+ RUNNER_ASSERT_MSG_BT(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
+
+ // Checking app accesses
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
+
+ // cleaning
+ smack_revoke_subject(APP_TEST_AV_1);
+ smack_revoke_subject(APP_TEST_AV_2);
}
+#pragma GCC diagnostic warning "-Wdeprecated-declarations"
+
+/**
+ * Grant SMACK permissions based on permissions list.
+ */
+RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions)
+{
+ int result;
+
+ // Clean up after test:
+ DB_BEGIN
+
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+/**
+ * Test - Enabling all permissions with persistant mode enabled
+ */
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
+
+ // Check if permission is assigned to app in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ DB_END
+
+ // Check if permission is disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+
+/**
+ * Test - Enabling all permissions with persistant mode disabled
+ */
+
+ DB_BEGIN
+ result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
+
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 0);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
+
+ // Check if permission is assigned to app in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ DB_END
+
+ // Check if permission is disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+
+/**
+ * Test - Registering new permissions in two complementary files
+ */
+
+ DB_BEGIN
+
+ result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
+
+ // Check if permissions are assigned to app in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, true);
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ DB_END
+
+ // Check if permissions are disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false);
+
+/**
+ * Test - Enabling some permissions and then enabling complementary permissions
+ */
+
+ DB_BEGIN
+
+ // Register permission for rules 2 no r
+ result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions without r. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions without r not added.");
+
+ DB_BEGIN
+
+ // Register permission for rules 2
+ result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app all permissions. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions all not added.");
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling some permissions and then enabling all permissions
+ */
+
+ // Enable permission for rules 2 no r
+ result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions without r. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions without r not added.");
+
+ DB_BEGIN
+
+ // Enable permission for rules 2
+ result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions with only r. Result: " << result);
+
+ DB_END
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_r);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Permissions with only r not added.");
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+
+
+ // Clean up after test:
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+}
+
+RUNNER_CHILD_TEST_SMACK(privilege_control11_app_enable_permissions_efl)
+{
+ test_app_enable_permissions_efl(true);
+}
+
+/*
+ * Check perm_app_install function
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control12_app_disable_permissions_efl)
+{
+ test_app_disable_permissions_efl(true);
+}
+
+
+/**
+ * Remove previously granted SMACK permissions based on permissions list.
+ */
+RUNNER_TEST_SMACK(privilege_control12_app_disable_permissions)
+{
+ test_app_disable_permissions(true);
+}
+
+/**
+ * Reset SMACK permissions for an application by revoking all previously
+ * granted rules and enabling them again from a rules file from disk.
+ */
+// TODO: This test is incomplete.
+RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions)
+{
+ int result;
+
+/**
+ * Test - doing reset and checking if rules exist again.
+ */
+
+ DB_BEGIN
+
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ // Prepare permissions to reset
+ result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error registering app permissions. Result: " << result);
+
+ // Reset permissions
+ result = perm_app_reset_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error reseting app permissions. Result: " << result);
+
+ DB_END
+
+ // Are all second permissions not disabled?
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Not all permissions added.");
+
+ DB_BEGIN
+
+ // Disable permissions
+ result = perm_app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+}
+
+/**
+ * Make two applications "friends", by giving them both full permissions on
+ * each other.
+ */
+RUNNER_TEST_SMACK(privilege_control14_app_add_friend)
+{
+ RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented");
+
+ int result;
+
+/**
+ * Test - making friends with no permissions on each other
+ */
+
+ DB_BEGIN
+
+ result = perm_app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = perm_app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ perm_app_uninstall(APP_FRIEND_1);
+ perm_app_uninstall(APP_FRIEND_2);
+
+ // Installing friends to be
+ result = perm_app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error installing first app. Result: " << result);
+ result = perm_app_install(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error installing second app. Result: " << result);
+
+ // Making friends
+ result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error making friends. Errno: " << result);
+
+ DB_END
+
+ // Checking if friends were made
+ result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
+ RUNNER_ASSERT_MSG_BT(result == 1,
+ " Error first one sided friednship failed. Result: " << result);
+ result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
+ RUNNER_ASSERT_MSG_BT(result == 1,
+ " Error second one sided friednship failed. Result: " << result);
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = perm_app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ perm_app_uninstall(APP_FRIEND_1);
+ perm_app_uninstall(APP_FRIEND_2);
+
+ DB_END
+
+/**
+ * Test - making friends with nonexistent friend
+ */
+
+ DB_BEGIN
+
+ // Installing one friend
+ result = perm_app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error installing first app. Errno: " << result);
+
+ // Adding imaginary friend as second
+ result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error making friends (first) with imaginairy friend failed. Result: "
+ << result);
+ // Adding imaginary friend as first
+ result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error making friends (second) with imaginairy friend failed. Result: "
+ << result);
+ // Clean up
+ result = perm_app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = perm_app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ perm_app_uninstall(APP_FRIEND_1);
+ perm_app_uninstall(APP_FRIEND_2);
+
+ DB_END
+
+/**
+ * Test - making friends with some permissions already added
+ */
+ unsigned int i;
+ unsigned int j;
+
+ struct smack_accesses *rulesFriend = NULL;
+
+ std::vector<std::string> accessesFriend =
+ { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
+
+ DB_BEGIN
+
+ // Installing friends to be
+ result = perm_app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error installing first app. Result: " << result);
+ result = perm_app_install(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error installing second app. Result: " << result);
+
+ DB_END
+
+ for (i = 0; i < accessesFriend.size(); ++i)
+ {
+ for (j = 0; j < accessesFriend.size(); ++j)
+ {
+ // Adding rules before making friends
+ result = smack_accesses_new(&rulesFriend);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error in smack_accesses_new. Result: " << result);
+
+ result = smack_accesses_add(rulesFriend,
+ APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
+ RUNNER_ASSERT_MSG_BT(result == 0,
+ "Unable to add modify rulesFirend (first). Result: " << result);
+ result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
+ APP_FRIEND_1, accessesFriend[j].c_str());
+ RUNNER_ASSERT_MSG_BT(result == 0,
+ "Unable to add modify rulesFirend (second). Result: " << result);
+
+ result = smack_accesses_apply(rulesFriend);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error in smack_accesses_apply. Result: " << result);
+
+ DB_BEGIN
+
+ // Adding friends
+ result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ " Error making friends. Result: " << result);
+
+ DB_END
+
+ // Checking if friends were made
+ result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
+ RUNNER_ASSERT_MSG_BT(result == 1,
+ " Error first one sided friednship failed. Result: " << result);
+ result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
+ RUNNER_ASSERT_MSG_BT(result == 1,
+ " Error second one sided friednship failed. Result: " << result);
+
+ // Deleting all rules between friends
+ smack_accesses_add_modify(rulesFriend,
+ APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
+ smack_accesses_add_modify(rulesFriend,
+ APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
+
+ result = smack_accesses_apply(rulesFriend);
+
+ smack_accesses_free(rulesFriend);
+ rulesFriend = NULL;
+ }
+ }
+
+ DB_BEGIN
+
+ // Clean up
+ result = perm_app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = perm_app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ perm_app_uninstall(APP_FRIEND_1);
+ perm_app_uninstall(APP_FRIEND_2);
+
+ DB_END
+}
+
+static void smack_set_random_label_based_on_pid_on_self(void)
+{
+ int result;
+ std::stringstream ss;
+
+ ss << "s-" << getpid() << "-" << getppid();
+ result = smack_set_label_for_self(ss.str().c_str());
+ RUNNER_ASSERT_MSG_BT(result == 0, "smack_set_label_for_self("
+ << ss.str().c_str() << ") failed");
+}
+
+static void smack_unix_sock_server(int sock)
+{
+ int fd, result;
+ char *smack_label;
+
+ alarm(2);
+ fd = accept(sock, NULL, NULL);
+ alarm(0);
+ if (fd < 0)
+ return;
+ result = smack_new_label_from_self(&smack_label);
+ if (result < 0) {
+ close(fd);
+ close(sock);
+ free(smack_label);
+ RUNNER_ASSERT_MSG_BT(0, "smack_new_label_from_self() failed");
+ }
+ result = write(fd, smack_label, strlen(smack_label));
+ if (result != (int)strlen(smack_label)) {
+ close(fd);
+ close(sock);
+ free(smack_label);
+ RUNNER_ASSERT_MSG_BT(0, "write() failed: " << strerror(errno));
+ }
+ close(fd);
+ free(smack_label);
+}
+
+RUNNER_MULTIPROCESS_TEST_SMACK(privilege_control15_app_id_from_socket)
+{
+ int pid;
+ struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+
+ unlink(SOCK_PATH);
+ pid = fork();
+ RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
+
+ smack_set_random_label_based_on_pid_on_self();
+
+ if (!pid) { /* child process, server */
+ int sock, result;
+
+ /* Set the process label before creating a socket */
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno));
+ result = bind(sock,
+ (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "bind failed: " << strerror(errno));
+ }
+ result = listen(sock, 1);
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "listen failed: " << strerror(errno));
+ }
+ smack_unix_sock_server(sock);
+
+ /* Change the process label with listening socket */
+ smack_unix_sock_server(sock);
+
+ pid = fork();
+ RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
+ /* Now running two concurrent servers.
+ Test if socket label was unaffected by fork() */
+ smack_unix_sock_server(sock);
+ /* Let's give the two servers different labels */
+ smack_unix_sock_server(sock);
+ close(sock);
+
+ exit(0);
+ } else { /* parent process, client */
+ sleep(1); /* Give server some time to setup listening socket */
+ int i;
+ for (i = 0; i < 4; ++i) {
+ int sock;
+ int result;
+ char smack_label1[SMACK_LABEL_LEN + 1];
+ char *smack_label2;
+
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG_BT(sock >= 0,
+ "socket failed: " << strerror(errno));
+ result = connect(sock,
+ (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "connect failed: " << strerror(errno));
+ }
+
+ alarm(2);
+ result = read(sock, smack_label1, SMACK_LABEL_LEN);
+ alarm(0);
+ if (result < 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "read failed: " << strerror(errno));
+ }
+ smack_label1[result] = '\0';
+ smack_label2 = perm_app_id_from_socket(sock);
+ if (smack_label2 == NULL) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "perm_app_id_from_socket failed");
+ }
+ result = strcmp(smack_label1, smack_label2);
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG_BT(0, "smack labels differ: '" << smack_label1
+ << "' != '" << smack_label2 << "-" << random() << "'");
+ }
+ close(sock);
+ }
+ }
+}
+
+RUNNER_TEST(privilege_control16_app_setup_path){
+ const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
+ const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
+ const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
+ const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
+ const char *label1 = "qwert123456za";
+ const char *label2 = "trewq654123az";
+
+ CStringPtr labelPtr;
+
+ mkdir(path1,0);
+ mkdir(path2,0);
+
+ int fd = creat(path3, S_IRWXU);
+ if (fd >= 0)
+ close(fd);
+ fd = creat(path4, S_IRWXU);
+ if (fd >= 0)
+ close(fd);
+
+ char *label = NULL;
+
+ DB_BEGIN
+
+ RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
+
+ DB_END
+
+ RUNNER_ASSERT_BT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label1));
+
+ DB_BEGIN
+
+ RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
+
+ DB_END
+
+ RUNNER_ASSERT_BT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label2));
+
+ RUNNER_ASSERT_BT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT_BT(labelPtr.get() == NULL);
+}
+
+RUNNER_TEST_SMACK(privilege_control17_appsettings_privilege)
+{
+ test_appsettings_privilege(true);
+}
+
+void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) {
+ int result;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_uninstall." << result);
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_install." << result);
+
+ DB_END
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ DB_BEGIN
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " perm_app_setup_path() failed");
+
+ DB_END
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
+ " Unable to check Smack labels for non-app dir");
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ " Error in perm_app_uninstall." << result);
+
+ DB_END
+}
+
+RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
+{
+ test_app_setup_path(__LINE__, APP_PATH_PUBLIC_RO);
+}
+
+RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings)
+{
+ test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW);
+}
+
+RUNNER_TEST_SMACK(privilege_control20_app_setup_path_npruntime)
+{
+ int result = 0;
+ CStringPtr labelPtr;
+ std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime";
+ char *label = NULL;
+
+ restore_original_additional_rules();
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_NPRUNTIME);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
+
+ result = perm_app_install(APP_NPRUNTIME);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_install. " << result);
+
+ result = perm_app_setup_path(APP_NPRUNTIME, APP_NPRUNTIME_FILE, PERM_APP_PATH_NPRUNTIME);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path. " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_BT(0 == smack_lgetlabel(APP_NPRUNTIME_FILE, &label, SMACK_LABEL_EXEC));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), nptargetlabel.c_str()));
+
+ // Rules to test
+ const std::vector< std::vector<std::string> > np_rules = {
+ { APP_NPRUNTIME, nptargetlabel, "rw" },
+ { nptargetlabel, APP_NPRUNTIME, "rxat" },
+ { nptargetlabel, "system::homedir", "rxat" },
+ { nptargetlabel, "xorg", "rw" },
+ { nptargetlabel, "crash-worker", "rwxa" },
+ { nptargetlabel, "sys-assert::core", "rwxat" },
+ { nptargetlabel, "syslogd", "rw" },
+ };
+
+ // Test smack accesses
+ result = test_have_all_accesses(np_rules);
+ RUNNER_ASSERT_MSG_BT(result == 1, "Not all permissions added.");
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_NPRUNTIME);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
+
+ DB_END
+}
+
+RUNNER_TEST(privilege_control21_early_rules)
+{
+ RUNNER_IGNORED_MSG("early rules are not implemented");
+
+ int result;
+ int pass_1 = 0;
+ int pass_2 = 0;
+ char *single_line_format = NULL;
+ char *perm = NULL;
+ FILE *file = NULL;
+
+ char subject[SMACK_LABEL_LEN + 1] = {0};
+ char object[SMACK_LABEL_LEN + 1] = {0};
+ char rule_add[SMACK_ACC_LEN + 1] = {0};
+ char rule_remove[SMACK_ACC_LEN + 1] = {0};
+
+ DB_BEGIN
+
+ perm_app_uninstall(APP_ID);
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+ result = perm_app_install(APP_TEST_APP_1);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+
+ TestLibPrivilegeControlDatabase db_test;
+ db_test.test_db_after__perm_app_install(APP_ID);
+ db_test.test_db_after__perm_app_install(APP_TEST_APP_1);
+
+ DB_BEGIN
+
+ result = perm_app_setup_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm);
+ RUNNER_ASSERT_MSG_BT(result == 0, "app_register_permissions failed: " << result);
+ result = perm_app_setup_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm);
+ RUNNER_ASSERT_MSG_BT(result == 0, "app_register_permissions failed: " << result);
+
+ DB_END
+
+ file = fopen(SMACK_STARTUP_RULES_FILE, "r");
+ RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
+
+ result = asprintf(&single_line_format, "%%%ds %%%ds %%%ds %%%ds\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN, SMACK_ACC_LEN, SMACK_ACC_LEN);
+
+ while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
+ if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
+ pass_1 = 1; // Found rule for APP_ID
+ continue;
+ }
+ if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
+ pass_2 = 1; // Found rule for APP_TEST_APP_1
+ continue;
+ }
+ }
+ fclose(file);
+ file = NULL;
+
+ RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " not found");
+ RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
+
+ // Checking if "early rule" for APP_ID was really removed
+ // We also should make sure that "early rules" for other apps wasn't removed
+ DB_BEGIN
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ DB_END
+ pass_1 = 1;
+ pass_2 = 0;
+
+ file = fopen(SMACK_STARTUP_RULES_FILE, "r");
+ RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
+
+ while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
+ if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
+ pass_1 = 0; // Found rule for APP_ID - it should NOT be here
+ continue;
+ }
+ if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
+ pass_2 = 1; // Found rule for APP_TEST_APP_1
+ continue;
+ }
+ }
+ fclose(file);
+ file = NULL;
+
+ RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
+ RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
+
+ // Removing and checking "early rule" for APP_TEST_APP_1
+ DB_BEGIN
+ result = perm_app_uninstall(APP_TEST_APP_1);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ DB_END
+ pass_1 = 1;
+ pass_2 = 1;
+
+ file = fopen(SMACK_STARTUP_RULES_FILE, "r");
+ RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
+
+ while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
+ if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
+ pass_1 = 0; // Found rule for APP_ID - it should NOT be here
+ continue;
+ }
+ if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
+ pass_2 = 0; // Found rule for APP_TEST_APP_1 - it should NOT be here
+ continue;
+ }
+ }
+ free(single_line_format);
+ fclose(file);
+
+ RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
+ RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
+}
+
+/**
+ * AV Privilege test cases.
+ *
+ * Each privilege_control24* test case tests antivirus privileges for each app_type_t, except for
+ * deprecated APP_TYPE_OTHER type.
+ */
+
+int nftw_remove_dir(const char* filename, const struct stat* /*statptr*/, int /*fileflags*/,
+ struct FTW* /*pfwt*/)
+{
+ int result = -1;
+
+ struct stat filestat;
+
+ result = stat(filename, &filestat);
+ RUNNER_ASSERT_MSG_BT(result == 0, "NFTW error: Failed to get file statistics. Result: "
+ << result << ", error: " << strerror(errno) << ", file: " << filename);
+
+ if(S_ISREG(filestat.st_mode)) {
+ result = unlink(filename);
+ RUNNER_ASSERT_MSG_BT(result == 0, "NFTW error: Failed to unlink file. Result: "
+ << result << ", error: " << strerror(errno) << ", file: " << filename);
+ } else if(S_ISDIR(filestat.st_mode)) {
+ result = rmdir(filename);
+ RUNNER_ASSERT_MSG_BT(result == 0, "NFTW error: Failed to remove dir. Result: "
+ << result << ", error: " << strerror(errno) << ", file: " << filename);
+ }
+
+ return 0;
+}
+
+void InstallApp(const char* pkg_id, const char* path, app_path_type_t app_path_type,
+ const char* shared_label)
+{
+ int result = -1;
+
+ result = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Can't create dir for tests. Result: " << result <<
+ ", error: " << strerror(errno) << ", app_path_type: " << app_path_type);
+
+ DB_BEGIN
+
+ result = perm_app_revoke_permissions(pkg_id);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
+ << result << ", app_path_type: " << app_path_type);
+ result = perm_app_uninstall(pkg_id);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
+ << result << ", app_path_type: " << app_path_type);
+
+ result = perm_app_install(pkg_id);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
+ << result << ", app_path_type: " << app_path_type);
+ result = perm_app_setup_path(pkg_id, path, app_path_type, shared_label);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_setup_path failed. Result: "
+ << result << ", app_path_type: " << app_path_type);
+
+ DB_END
+}
+
+void InstallAV(const char* av_id, app_type_t av_type)
+{
+ int result = -1;
+
+ DB_BEGIN
+
+ result = perm_app_revoke_permissions(av_id);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
+ << result << ", av_type: " << av_type);
+ result = perm_app_uninstall(av_id);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
+ << result << ", av_type: " << av_type);
+
+ result = perm_app_install(av_id);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
+ << result << ", av_type: " << av_type);
+ result = perm_app_setup_permissions(av_id, av_type, PRIVS_AV);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "register_permissions failed. Result: "
+ << result << ", av_type: " << av_type);
+
+ DB_END
+}
+
+void CheckAVPrivilege(app_type_t av_type, app_path_type_t app_path_type)
+{
+ int result = -1;
+
+ //clean before test
+ result = nftw(APP_TEST_APP_1_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
+ ", error " << strerror(errno));
+
+ result = nftw(APP_TEST_APP_2_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
+ ", error " << strerror(errno));
+
+ result = nftw(APP_TEST_APP_3_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
+ ", error " << strerror(errno));
+
+ InstallApp(APP_TEST_APP_1, APP_TEST_APP_1_DIR, app_path_type, APP_TEST_APP_1_SHARED_LABEL);
+ InstallAV(APP_TEST_AV_1, av_type);
+ InstallApp(APP_TEST_APP_2, APP_TEST_APP_2_DIR, app_path_type, APP_TEST_APP_2_SHARED_LABEL);
+ InstallAV(APP_TEST_AV_2, av_type);
+ InstallApp(APP_TEST_APP_3, APP_TEST_APP_3_DIR, app_path_type, APP_TEST_APP_3_SHARED_LABEL);
+
+ //test - get ACCESS label and check AV privilege
+
+ char* tmp;
+
+ //get labels
+ result = smack_lgetlabel(APP_TEST_APP_1_DIR, &tmp, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "smack_lgetlabel failed. Result: " << result
+ << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+ std::string label1(tmp);
+ free(tmp);
+
+ result = smack_lgetlabel(APP_TEST_APP_2_DIR, &tmp, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "smack_lgetlabel failed. Result: " << result
+ << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+ std::string label2(tmp);
+ free(tmp);
+
+ result = smack_lgetlabel(APP_TEST_APP_3_DIR, &tmp, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "smack_lgetlabel failed. Result: " << result
+ << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+ std::string label3(tmp);
+ free(tmp);
+
+ if(app_path_type == APP_PATH_GROUP_RW)
+ {
+ result = label1.compare(APP_TEST_APP_1_SHARED_LABEL);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Labels do not equal. Acquired " << label1 <<
+ ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+
+ result = label2.compare(APP_TEST_APP_2_SHARED_LABEL);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Labels do not equal. Acquired " << label1 <<
+ ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+
+ result = label3.compare(APP_TEST_APP_3_SHARED_LABEL);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Labels do not equal. Acquired " << label1 <<
+ ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+ }
+
+ std::stringstream ss;
+
+ //check AV accesses
+ if(smack_check())
+ {
+ ss << "APP_TEST_APP_1, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
+ ss.str(std::string());
+
+ ss << "APP_TEST_APP_2, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
+ ss.str(std::string());
+
+ ss << "APP_TEST_APP_3, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
+
+ ss << "APP_TEST_APP_1, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
+ ss.str(std::string());
+
+ ss << "APP_TEST_APP_2, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
+ ss.str(std::string());
+
+ ss << "APP_TEST_APP_3, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
+ }
+ else
+ {
+ ss << "APP_TEST_APP_1, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
+
+ ss.str(std::string());
+ ss << "APP_TEST_APP_2, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
+
+ ss.str(std::string());
+ ss << "APP_TEST_APP_3, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
+
+ ss << "APP_TEST_APP_1, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
+
+ ss.str(std::string());
+ ss << "APP_TEST_APP_2, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
+
+ ss.str(std::string());
+ ss << "APP_TEST_APP_3, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
+ }
+
+ DB_BEGIN
+
+ //Clean up
+ perm_app_revoke_permissions(APP_TEST_AV_1);
+ perm_app_revoke_permissions(APP_TEST_AV_2);
+ perm_app_uninstall(APP_TEST_AV_1);
+ perm_app_uninstall(APP_TEST_AV_2);
+ perm_app_uninstall(APP_TEST_APP_1);
+ perm_app_uninstall(APP_TEST_APP_2);
+ perm_app_uninstall(APP_TEST_APP_3);
+
+ DB_END
+}
+
+RUNNER_TEST(privilege_control24a_av_privilege_group_rw)
+{
+ CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_GROUP_RW);
+ CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_GROUP_RW);
+ CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_GROUP_RW);
+}
+
+RUNNER_TEST(privilege_control24b_av_privilege_settings_rw)
+{
+ CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_SETTINGS_RW);
+ CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_SETTINGS_RW);
+ CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_SETTINGS_RW);
+}
+
+RUNNER_TEST(privilege_control24c_av_privilege_public_ro)
+{
+ CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_PUBLIC_RO);
+ CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_PUBLIC_RO);
+ CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_PUBLIC_RO);
+}
+
+RUNNER_TEST(privilege_control25_test_libprivilege_strerror) {
+ int POSITIVE_ERROR_CODE = 1;
+ int NONEXISTING_ERROR_CODE = -239042;
+ const char *result;
+
+ for (auto itr = error_codes.begin(); itr != error_codes.end(); ++itr) {
+ RUNNER_ASSERT_MSG_BT(strcmp(perm_strerror(*itr), "Unknown error") != 0,
+ "Returned invalid error code description.");
+ }
+
+ result = perm_strerror(POSITIVE_ERROR_CODE);
+ RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0,
+ "Bad message returned for invalid error code: \"" << result << "\"");
+
+ result = perm_strerror(NONEXISTING_ERROR_CODE);
+ RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0,
+ "Bad message returned for invalid error code: \"" << result << "\"");
+}
+
+RUNNER_TEST(privilege_control27_perm_app_get_privileges_empty)
+{
+ char** pp_privileges = NULL;
+ int result;
+ CStringListPtr privileges;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << perm_strerror(result));
+
+ result = perm_app_install(APP_ID);
+
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_install failed: " << perm_strerror(result));
+
+ DB_END
+
+ result = perm_app_get_permissions(APP_ID, PERM_APP_TYPE_WGT, &pp_privileges);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_get_permissions failed: " << perm_strerror(result));
+ privileges.reset(pp_privileges);
+
+ RUNNER_ASSERT_MSG_BT(pp_privileges != NULL,
+ "perm_app_get_permissions failed to set pointer to cstring array");
+ RUNNER_ASSERT_MSG_BT(*pp_privileges == NULL,
+ "perm_app_get_permissions found permissions when not supposed to");
+}
+
+RUNNER_TEST(privilege_control27_perm_app_get_privileges)
+{
+ char** pp_privileges = NULL;
+ int result;
+ size_t i;
+ CStringListPtr privileges;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << perm_strerror(result));
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_install failed: " << perm_strerror(result));
+
+ result = perm_app_setup_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_register_permissions failed: " << perm_strerror(result));
+
+ result = perm_app_setup_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_register_permissions failed: " << perm_strerror(result));
+
+ result = perm_app_disable_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_disable_permissions failed: " << perm_strerror(result));
+ DB_END
+
+ result = perm_app_get_permissions(APP_ID, PERM_APP_TYPE_WGT, &pp_privileges);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_get_permissions returned " << result << ": " << perm_strerror(result));
+ privileges.reset(pp_privileges);
+
+ for(i = 0; pp_privileges[i] != NULL; ++i) {
+ RUNNER_ASSERT_MSG_BT(PRIVS[i] != NULL,
+ "perm_app_get_permissions returned too many permissions");
+ RUNNER_ASSERT_MSG_BT(strcmp(pp_privileges[i], PRIVS[i]) == 0,
+ "perm_app_get_permissions returned wrong permission, " << pp_privileges[i] <<
+ " != " << PRIVS[i]);
+ }
+ RUNNER_ASSERT_MSG_BT(PRIVS[i] == NULL,
+ "perm_app_get_permissions returned too few enabled permissions");
+}
+
+RUNNER_TEST(privilege_control28_perm_app_get_paths_empty)
+{
+ char **pp_paths = NULL;
+ int result;
+ CStringListPtr paths;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << perm_strerror(result));
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " <<
+ perm_strerror(result));
+
+ DB_END
+
+ result = perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC, &pp_paths);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_get_paths failed: " <<
+ perm_strerror(result));
+ paths.reset(pp_paths);
+
+ RUNNER_ASSERT_MSG_BT(pp_paths != NULL,
+ "perm_app_get_paths failed to set pointer to cstring array");
+ RUNNER_ASSERT_MSG_BT(*pp_paths == NULL, "perm_app_get_paths found paths when not supposed to");
+}
+
+RUNNER_TEST(privilege_control28_perm_app_get_paths)
+{
+ char **pp_paths = NULL;
+ int result;
+ size_t i;
+ size_t DIR_NUM = 3;
+ CStringListPtr paths;
+ std::vector<Directory> test_paths;
+
+ for (i = 0; i < DIR_NUM; ++i) {
+ test_paths.push_back(Directory("/tmp/dir" + std::to_string(i), 0));
+ RUNNER_ASSERT_MSG_BT(test_paths[i].isCreated(), "failed to create a directory " <<
+ test_paths[i].path() << ": " << strerror(test_paths[i].errorCode()));
+ }
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " <<
+ perm_strerror(result));
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " <<
+ perm_strerror(result));
+
+ for (auto itr = test_paths.begin(); itr != test_paths.end(); ++itr) {
+ result = perm_app_setup_path(APP_ID, itr->path().c_str(), PERM_APP_PATH_PUBLIC);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path failed: " << perm_strerror(result));
+ }
+
+ DB_END
+
+ result = perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC, &pp_paths);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_get_paths failed: " <<
+ perm_strerror(result));
+ paths.reset(pp_paths);
+
+ for(i = 0; pp_paths[i] != NULL; ++i) {
+ RUNNER_ASSERT_MSG_BT(i < test_paths.size(), "perm_app_get_paths returned too many paths");
+ RUNNER_ASSERT_MSG_BT(test_paths[i].path() == pp_paths[i],
+ "perm_app_get_paths returned unexpected path, " << pp_paths[i] << " != " <<
+ test_paths[i].path());
+ }
+ RUNNER_ASSERT_MSG_BT(i == test_paths.size(), "perm_app_get_paths returned too few paths");
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " <<
+ perm_strerror(result));
+
+ DB_END
+}
projects / platform / core / test / security-tests.git / blobdiff