*/
#include <string>
+#include <stdio.h>
#include <fcntl.h>
#include <stdio.h>
#include <vector>
#include <errno.h>
+#include <memory>
#include <ftw.h>
#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_child.h>
#include <dpl/log/log.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/xattr.h>
#include <sys/smack.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/wait.h>
#include <privilege-control.h>
+#include <fstream>
+#include <sstream>
+#include <sys/stat.h>
-
-#define SMACK_RULES_DIR "/etc/smack/accesses.d/"
+#define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/"
+#define SMACK_LOAD2 "/smack/load2"
#define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
#define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
-#define APPID_ADD "test_APP_ID_add"
-#define APPID_REVOKE "test_APP_ID_revoke"
#define APPID_DIR "test_APP_ID_dir"
#define APPID_SHARED_DIR "test_APP_ID_shared_dir"
#define CANARY_LABEL "tiny_yellow_canary"
-#define APP_SET_PRIV "test_APP"
+#define APP_ID "test_APP"
#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
+#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
+
+#define WGT_APP_ID "QwCqJ0ttyS"
+#define WGT_PARTNER_APP_ID "7btsV1Y0sX"
+#define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
+#define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
+#define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
+#define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
+#define OSP_APP_ID "uqNfgEjqc7"
+#define OSP_PARTNER_APP_ID "j4RuPsZrNt"
+#define OSP_PLATFORM_APP_ID "V5LKqDFBXm"
+#define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp"
+#define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner"
+#define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform"
const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
+const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
+const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
+const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
+const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
+const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
+const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
+
+#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
+#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
+#define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
+#define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac"
+
+#define APP_TEST_APP_1 "test-application1"
+#define APP_TEST_APP_2 "test-application_2"
+#define APP_TEST_APP_3 "test-app-3"
+#define APP_TEST_AV_1 "test-antivirus1"
+#define APP_TEST_AV_2 "test-antivirus_2"
+#define APP_TEST_AV_3 "test-av-3"
+
+#define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
+#define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
+#define SMACK_PUBLIC_DIRS_DATABASE "/opt/dbspace/.privilege_control_public_dirs.db"
+#define SMACK_APPS_SETTINGS_LABELS_DATABASE "/opt/dbspace/.privilege_control_app_setting.db"
+#define SMACK_SETTINGS_DIRS_DATABASE "/opt/dbspace/.privilege_control_setting_dir.db"
+
+#define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1"
+#define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2"
+#define APP_TEST_AV_ASP1 "test-app-av-asp1"
+#define APP_TEST_AV_ASP2 "test-app-av-asp2"
+
+#define SOCK_PATH "/tmp/test-smack-socket"
#define APP_GID 5000
#define APP_UID 5000
#define APP_USER_NAME "app"
#define APP_HOME_DIR "/opt/home/app"
+#define APP_FRIEND_1 "app_friend_1"
+#define APP_FRIEND_2 "app_friend_2"
+
// How many open file descriptors should ftw() function use?
#define FTW_MAX_FDS 16
// Rules from test_privilege_control_rules.smack
-const std::vector< std::vector<std::string> > rulesAdd = {
- { APPID_ADD, "test_book_1", "r" },
- { APPID_ADD, "test_book_2", "w" },
- { APPID_ADD, "test_book_3", "x" },
- { APPID_ADD, "test_book_4", "rw" },
- { APPID_ADD, "test_book_5", "rx" },
- { APPID_ADD, "test_book_6", "wx" },
- { APPID_ADD, "test_book_7", "rwx" },
- { "test_subject_1", APPID_ADD, "r" },
- { "test_subject_2", APPID_ADD, "w" },
- { "test_subject_3", APPID_ADD, "x" },
- { "test_subject_4", APPID_ADD, "rw" },
- { "test_subject_5", APPID_ADD, "rx" },
- { "test_subject_6", APPID_ADD, "wx" },
- { "test_subject_7", APPID_ADD, "rwx" },
- { APPID_ADD, APPID_SHARED_DIR, "rwxat"}};
-
+const std::vector< std::vector<std::string> > rules = {
+ { APP_ID, "test_book_1", "r" },
+ { APP_ID, "test_book_2", "w" },
+ { APP_ID, "test_book_3", "x" },
+ { APP_ID, "test_book_4", "rw" },
+ { APP_ID, "test_book_5", "rx" },
+ { APP_ID, "test_book_6", "wx" },
+ { APP_ID, "test_book_7", "rwx" },
+ { "test_subject_1", APP_ID, "r" },
+ { "test_subject_2", APP_ID, "w" },
+ { "test_subject_3", APP_ID, "x" },
+ { "test_subject_4", APP_ID, "rw" },
+ { "test_subject_5", APP_ID, "rx" },
+ { "test_subject_6", APP_ID, "wx" },
+ { "test_subject_7", APP_ID, "rwx" },
+ { APP_ID, APPID_SHARED_DIR, "rwxat"}};
+
+// Rules from test_privilege_control_rules2.smack
+const std::vector< std::vector<std::string> > rules2 = {
+ { APP_ID, "test_book_8", "r" },
+ { APP_ID, "test_book_9", "w" },
+ { APP_ID, "test_book_10", "x" },
+ { APP_ID, "test_book_11", "rw" },
+ { APP_ID, "test_book_12", "rx" },
+ { APP_ID, "test_book_13", "wx" },
+ { APP_ID, "test_book_14", "rwx" },
+ { APP_ID, "test_book_15", "rwxat" },
+ { "test_subject_8", APP_ID, "r" },
+ { "test_subject_9", APP_ID, "w" },
+ { "test_subject_10", APP_ID, "x" },
+ { "test_subject_11", APP_ID, "rw" },
+ { "test_subject_12", APP_ID, "rx" },
+ { "test_subject_13", APP_ID, "wx" },
+ { "test_subject_14", APP_ID, "rwx" },
+ { "test_subject_15", APP_ID, "rwxat" }};
+
+// Rules from test_privilege_control_rules_no_r.smack
+const std::vector< std::vector<std::string> > rules2_no_r = {
+ { APP_ID, "test_book_9", "w" },
+ { APP_ID, "test_book_10", "x" },
+ { APP_ID, "test_book_11", "w" },
+ { APP_ID, "test_book_12", "x" },
+ { APP_ID, "test_book_13", "wx" },
+ { APP_ID, "test_book_14", "wx" },
+ { APP_ID, "test_book_15", "wxat" },
+ { "test_subject_9", APP_ID, "w" },
+ { "test_subject_10", APP_ID, "x" },
+ { "test_subject_11", APP_ID, "w" },
+ { "test_subject_12", APP_ID, "x" },
+ { "test_subject_13", APP_ID, "wx" },
+ { "test_subject_14", APP_ID, "wx" },
+ { "test_subject_15", APP_ID, "wxat" }};
// Rules from test_privilege_control_rules.smack
-const std::vector< std::vector<std::string> > rulesRevoke = {
- { APPID_REVOKE, "test_book_1", "r" },
- { APPID_REVOKE, "test_book_2", "w" },
- { APPID_REVOKE, "test_book_3", "x" },
- { APPID_REVOKE, "test_book_4", "rw" },
- { APPID_REVOKE, "test_book_5", "rx" },
- { APPID_REVOKE, "test_book_6", "wx" },
- { APPID_REVOKE, "test_book_7", "rwx" },
- { "test_subject_1", APPID_REVOKE, "r" },
- { "test_subject_2", APPID_REVOKE, "w" },
- { "test_subject_3", APPID_REVOKE, "x" },
- { "test_subject_4", APPID_REVOKE, "rw" },
- { "test_subject_5", APPID_REVOKE, "rx" },
- { "test_subject_6", APPID_REVOKE, "wx" },
- { "test_subject_7", APPID_REVOKE, "rwx" }};
+// minus test_privilege_control_rules_no_r.smack
+const std::vector< std::vector<std::string> > rules2_r = {
+ { APP_ID, "test_book_8", "r" },
+ { APP_ID, "test_book_11", "r" },
+ { APP_ID, "test_book_12", "r" },
+ { APP_ID, "test_book_14", "r" },
+ { APP_ID, "test_book_15", "r" },
+ { "test_subject_8", APP_ID, "r" },
+ { "test_subject_11", APP_ID, "r" },
+ { "test_subject_12", APP_ID, "r" },
+ { "test_subject_14", APP_ID, "r" },
+ { "test_subject_15", APP_ID, "r" }};
+
+// Rules from test_privilege_control_rules_wgt.smack for wgt
+const std::vector< std::vector<std::string> > rules_wgt = {
+ { WGT_APP_ID, "test_book_8", "r" },
+ { WGT_APP_ID, "test_book_9", "w" },
+ { WGT_APP_ID, "test_book_10", "x" },
+ { WGT_APP_ID, "test_book_11", "rw" },
+ { WGT_APP_ID, "test_book_12", "rx" },
+ { WGT_APP_ID, "test_book_13", "wx" },
+ { WGT_APP_ID, "test_book_14", "rwx" },
+ { WGT_APP_ID, "test_book_15", "rwxat" },
+ { "test_subject_8", WGT_APP_ID, "r" },
+ { "test_subject_9", WGT_APP_ID, "w" },
+ { "test_subject_10", WGT_APP_ID, "x" },
+ { "test_subject_11", WGT_APP_ID, "rw" },
+ { "test_subject_12", WGT_APP_ID, "rx" },
+ { "test_subject_13", WGT_APP_ID, "wx" },
+ { "test_subject_14", WGT_APP_ID, "rwx" },
+ { "test_subject_15", WGT_APP_ID, "rwxat" }};
+
+// Rules from test_privilege_control_rules_wgt.smack for wgt_partner
+const std::vector< std::vector<std::string> > rules_wgt_partner = {
+ { WGT_PARTNER_APP_ID, "test_book_8", "r" },
+ { WGT_PARTNER_APP_ID, "test_book_9", "w" },
+ { WGT_PARTNER_APP_ID, "test_book_10", "x" },
+ { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
+ { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
+ { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
+ { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
+ { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
+ { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
+ { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
+ { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
+ { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
+ { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
+ { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
+ { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
+ { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }};
+
+// Rules from test_privilege_control_rules_wgt.smack for wgt_platform
+const std::vector< std::vector<std::string> > rules_wgt_platform = {
+ { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
+ { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
+ { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
+ { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
+ { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
+ { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
+ { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
+ { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
+ { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
+ { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
+ { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
+ { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
+ { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
+ { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
+ { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
+ { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }};
+
+// Rules from test_privilege_control_rules_osp.smack for osp
+const std::vector< std::vector<std::string> > rules_osp = {
+ { OSP_APP_ID, "test_book_8", "r" },
+ { OSP_APP_ID, "test_book_9", "w" },
+ { OSP_APP_ID, "test_book_10", "x" },
+ { OSP_APP_ID, "test_book_11", "rw" },
+ { OSP_APP_ID, "test_book_12", "rx" },
+ { OSP_APP_ID, "test_book_13", "wx" },
+ { OSP_APP_ID, "test_book_14", "rwx" },
+ { OSP_APP_ID, "test_book_15", "rwxat" },
+ { "test_subject_8", OSP_APP_ID, "r" },
+ { "test_subject_9", OSP_APP_ID, "w" },
+ { "test_subject_10", OSP_APP_ID, "x" },
+ { "test_subject_11", OSP_APP_ID, "rw" },
+ { "test_subject_12", OSP_APP_ID, "rx" },
+ { "test_subject_13", OSP_APP_ID, "wx" },
+ { "test_subject_14", OSP_APP_ID, "rwx" },
+ { "test_subject_15", OSP_APP_ID, "rwxat" }};
+
+// Rules from test_privilege_control_rules_osp.smack for osp_partner
+const std::vector< std::vector<std::string> > rules_osp_partner = {
+ { OSP_PARTNER_APP_ID, "test_book_8", "r" },
+ { OSP_PARTNER_APP_ID, "test_book_9", "w" },
+ { OSP_PARTNER_APP_ID, "test_book_10", "x" },
+ { OSP_PARTNER_APP_ID, "test_book_11", "rw" },
+ { OSP_PARTNER_APP_ID, "test_book_12", "rx" },
+ { OSP_PARTNER_APP_ID, "test_book_13", "wx" },
+ { OSP_PARTNER_APP_ID, "test_book_14", "rwx" },
+ { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" },
+ { "test_subject_8", OSP_PARTNER_APP_ID, "r" },
+ { "test_subject_9", OSP_PARTNER_APP_ID, "w" },
+ { "test_subject_10", OSP_PARTNER_APP_ID, "x" },
+ { "test_subject_11", OSP_PARTNER_APP_ID, "rw" },
+ { "test_subject_12", OSP_PARTNER_APP_ID, "rx" },
+ { "test_subject_13", OSP_PARTNER_APP_ID, "wx" },
+ { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" },
+ { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" }};
+
+// Rules from test_privilege_control_rules_osp.smack for osp_platform
+const std::vector< std::vector<std::string> > rules_osp_platform = {
+ { OSP_PLATFORM_APP_ID, "test_book_8", "r" },
+ { OSP_PLATFORM_APP_ID, "test_book_9", "w" },
+ { OSP_PLATFORM_APP_ID, "test_book_10", "x" },
+ { OSP_PLATFORM_APP_ID, "test_book_11", "rw" },
+ { OSP_PLATFORM_APP_ID, "test_book_12", "rx" },
+ { OSP_PLATFORM_APP_ID, "test_book_13", "wx" },
+ { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" },
+ { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" },
+ { "test_subject_8", OSP_PLATFORM_APP_ID, "r" },
+ { "test_subject_9", OSP_PLATFORM_APP_ID, "w" },
+ { "test_subject_10", OSP_PLATFORM_APP_ID, "x" },
+ { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" },
+ { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" },
+ { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" },
+ { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" },
+ { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }};
+
+namespace {
+
+typedef std::unique_ptr<smack_accesses,std::function<void(smack_accesses*)>> SmackUniquePtr;
+
+const char* OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
+const char* WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack";
+const char* OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack";
+const char* OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac";
+const char* WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac";
+const char* OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
+const char* BLAHBLAH_FEATURE = "http://feature/blah/blahblah";
/**
* Check if every rule is true.
return 0;
}
-RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
-
-static int nftw_remove_labels(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
+int nftw_remove_labels(const char *fpath, const struct stat * /*sb*/,
+ int /*typeflag*/, struct FTW * /*ftwbuf*/)
{
smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
return 0;
}
-static int nftw_set_labels_non_app_dir(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
+int nftw_set_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/,
+ int /*typeflag*/, struct FTW * /*ftwbuf*/)
{
smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
return 0;
}
-static int nftw_check_labels_non_app_dir(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
+int nftw_check_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/,
+ int /*typeflag*/, struct FTW * /*ftwbuf*/)
{
int result;
char* label;
return 0;
}
-static int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
+int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW * /*ftwbuf*/)
{
int result;
char* label;
RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
result = strcmp(APPID_DIR, label);
RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
+ } else if(S_ISLNK(sb->st_mode)) {
+ struct stat buf;
+ char* target = realpath(fpath, NULL);
+ RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
+ free(target);
+ if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
+ RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+ } else {
+ RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
+ result = strcmp(APPID_DIR, label);
+ RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
+ }
} else
RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
return 0;
}
-static int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
- int typeflag, struct FTW *ftwbuf)
+int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW * /*ftwbuf*/)
{
int result;
char* label;
result = strcmp(APPID_SHARED_DIR, label);
RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
+ result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ "Error rwxat access was not given shared dir. Subject: " <<
+ APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
return 0;
}
+int check_labels_dir(const char *fpath, const struct stat *sb,
+ const char* labels_db_path, const char* dir_db_path,
+ const char* access)
+{
+ int result;
+ char* label;
+ char* label_gen;
+ char* scanf_label_format;
+ char label_temp[SMACK_LABEL_LEN + 1];
+ FILE* file_db;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ if(result != 0){
+ free(label_gen);
+ RUNNER_ASSERT_MSG(false, "Could not get label for the path");
+ }
+ if(label != NULL){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
+ }
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ if(result != 0){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "Could not get label for the path");
+ }
+ if (S_ISDIR(sb->st_mode)) {
+ if(label == NULL){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
+ }
+ result = strcmp("TRUE", label);
+ if(result != 0){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
+ }
+ } else if(label != NULL){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
+ }
+
+ free(label);
+
+ if(0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)){
+ free(label_gen);
+ RUNNER_ASSERT_MSG(false, "asprintf failed");
+ }
+
+ file_db = fopen(labels_db_path, "r");
+ if(file_db == NULL){
+ free(label_gen);
+ free(scanf_label_format);
+ RUNNER_ASSERT_MSG(false, "Can not open database for apps");
+ }
+ while(fscanf(file_db, scanf_label_format, label_temp)==1){
+ result = smack_have_access(label_temp, label_gen, access);
+ if(result != 1){
+ fclose(file_db);
+ free(label_gen);
+ free(scanf_label_format);
+ RUNNER_ASSERT_MSG(false,
+ "Error " << access << " access was not given for subject: "
+ << label_temp << ". Result: " << result);
+ }
+ }
+ fclose(file_db);
+
+ file_db = fopen(dir_db_path, "r");
+ if(file_db == NULL){
+ free(label_gen);
+ free(scanf_label_format);
+ RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
+ }
+ bool is_dir = false;
+ while(fscanf(file_db, scanf_label_format, label_temp)==1){
+ if(strcmp(label_gen, label_temp) == 0){
+ is_dir = true;
+ break;
+ }
+ }
+ free(scanf_label_format);
+ free(label_gen);
+ fclose(file_db);
+
+ RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
+
+ return 0;
+}
+
+int nftw_check_labels_app_public_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW * /*ftwbuf*/)
+{
+ return check_labels_dir(fpath, sb,
+ SMACK_APPS_LABELS_DATABASE,
+ SMACK_PUBLIC_DIRS_DATABASE, "rx");
+}
+
+int nftw_check_labels_app_settings_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW * /*ftwbuf*/)
+{
+ return check_labels_dir(fpath, sb,
+ SMACK_APPS_SETTINGS_LABELS_DATABASE,
+ SMACK_SETTINGS_DIRS_DATABASE, "rwx");
+}
+
+int file_exists(const char* path)
+{
+ FILE* file = fopen(path, "r");
+ if (file) {
+ fclose(file);
+ return 0;
+ }
+ return -1;
+}
+
+void osp_blahblah_check(int line_no, const std::vector<std::string>& rules)
+{
+ std::ifstream smack_file(OSP_BLAHBLAH);
+ RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
+
+ auto it = rules.begin();
+ std::string line;
+ while(std::getline(smack_file,line)) {
+ RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
+ RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
+ it++;
+ }
+
+ RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
+
+ smack_file.close();
+}
+
+void osp_blahblah_dac_check(int line_no, const std::vector<unsigned>& gids)
+{
+ std::ifstream dac_file(OSP_BLAHBLAH_DAC);
+ RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC);
+
+ auto it = gids.begin();
+ std::string line;
+ while(std::getline(dac_file,line)) {
+ std::istringstream is(line);
+ unsigned gid;
+ is >> gid;
+ RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
+ RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
+ it++;
+ }
+
+ RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
+
+ dac_file.close();
+}
+
+void remove_smack_files()
+{
+ // TODO array
+ unlink(OSP_BLAHBLAH);
+ unlink(WRT_BLAHBLAH);
+ unlink(OTHER_BLAHBLAH);
+ unlink(OSP_BLAHBLAH_DAC);
+ unlink(WRT_BLAHBLAH_DAC);
+ unlink(OTHER_BLAHBLAH_DAC);
+}
+
+int cleaning_smack_app_files (void)
+{
+ unlink(SMACK_RULES_DIR APP_TEST_APP_1);
+
+ unlink(SMACK_RULES_DIR APP_TEST_APP_2);
+
+ unlink(SMACK_RULES_DIR APP_TEST_APP_3);
+
+ unlink(SMACK_RULES_DIR APP_TEST_AV_1);
+
+ unlink(SMACK_RULES_DIR APP_TEST_AV_2);
+
+ unlink(SMACK_RULES_DIR APP_TEST_AV_3);
+
+ return 0;
+}
+
+int cleaning_smack_database_files (void)
+{
+ int fd = -1;
+
+ //clean app database
+ unlink(SMACK_APPS_LABELS_DATABASE);
+ fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
+ if (fd == -1) {
+ return -1;
+ }
+
+ //clean av database
+ unlink(SMACK_AVS_LABELS_DATABASE);
+ fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
+ if (fd == -1) {
+ return -1;
+ }
+
+ //clean app settings database
+ unlink(SMACK_APPS_SETTINGS_LABELS_DATABASE);
+ fd = open(SMACK_APPS_SETTINGS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
+ if (fd == -1) {
+ return -1;
+ }
+
+ //clean public dirs database
+ unlink(SMACK_PUBLIC_DIRS_DATABASE);
+ fd = open(SMACK_PUBLIC_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
+ if (fd == -1) {
+ return -1;
+ }
+
+ //clean settings dirs database
+ unlink(SMACK_SETTINGS_DIRS_DATABASE);
+ fd = open(SMACK_SETTINGS_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
+ if (fd == -1) {
+ return -1;
+ }
+
+ return 0;
+}
+
+void add_lables_to_db()
+{
+ FILE* file_db;
+
+ file_db = fopen(SMACK_AVS_LABELS_DATABASE, "a");
+ RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
+ << SMACK_AVS_LABELS_DATABASE << " can not be opened to apend!");
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ fclose(file_db);
+
+ file_db = fopen(SMACK_APPS_SETTINGS_LABELS_DATABASE, "a");
+ RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
+ << SMACK_APPS_SETTINGS_LABELS_DATABASE << " can not be opened to apend!");
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ fclose(file_db);
+
+ file_db = fopen(SMACK_APPS_LABELS_DATABASE, "a");
+ RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
+ << SMACK_APPS_LABELS_DATABASE << " can not be opened to apend!");
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ fclose(file_db);
+}
+} // namespace
+
+RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
+
/**
* Test setting labels for all files and folders in given path.
*/
-RUNNER_TEST(privilege_control01_app_label_dir)
+RUNNER_TEST(privilege_control02_app_label_dir)
{
int result;
result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
- result = app_label_dir(APPID_DIR, TEST_APP_DIR);
- RUNNER_ASSERT_MSG(result == 0, "app_label_dir() failed");
+ result = app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
+ RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
}
-RUNNER_TEST(privilege_control02_app_label_shared_dir)
+RUNNER_TEST(privilege_control03_app_label_shared_dir)
{
int result;
+ result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
+ RUNNER_ASSERT_MSG(result != 0, "app_setup_path(APP_ID, APP_ID) didn't fail");
+
result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
- result = app_label_shared_dir(APPID_ADD, APPID_SHARED_DIR, TEST_APP_DIR);
- RUNNER_ASSERT_MSG(result == 0, "app_label_shared_dir() failed");
+ result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
}
-
/**
* Add permisions from test_privilege_control_rules template
*/
-RUNNER_TEST(privilege_control03_add_permissions)
+RUNNER_TEST(privilege_control04_add_permissions)
{
- char* path;
-
- int result = app_add_permissions(APPID_ADD, PRIVS);
+ int result = app_add_permissions(APP_ID, PRIVS);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app permissions. Errno: " << result);
+ " Error adding app permissions. Result: " << result);
// Check if the accesses are realy applied..
- result = test_have_all_accesses(rulesAdd);
+ result = test_have_all_accesses(rules);
RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
- ///Investigate created SMACK rules files..
- RUNNER_ASSERT_MSG(asprintf(&path, SMACK_RULES_DIR "%s", APPID_ADD) != -1,
- "Error in asprintf");
-
//// File exists?
- FILE *pFile = fopen(path, "rb");
+ FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
RUNNER_ASSERT_MSG(pFile != NULL,
"SMACK file NOT created!. Errno: " << errno);
RUNNER_ASSERT_MSG(smack_file_length>0,
"SMACK file empty, but privileges list was not empty.. Errno: " << errno);
- // Clean up
- result = app_revoke_permissions(APPID_ADD);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Errno: " << result);
-
if (pFile != NULL)
fclose(pFile);
}
-
/**
* Revoke permissions from the list. Should be executed as privileged user.
*/
-RUNNER_TEST(privilege_control04_revoke_permissions)
+RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
{
int result;
+ int fd;
- // Prepare permissions that we want to revoke
- result = app_add_permissions(APPID_REVOKE, PRIVS);
+ // Revoke permissions
+ result = app_revoke_permissions(APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app permissions. Errno: " << result);
+ "Error revoking app permissions. Result: " << result);
- // Revoke permissions
- result = app_revoke_permissions(APPID_REVOKE);
+ result = app_revoke_permissions(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(WGT_PARTNER_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(WGT_PLATFORM_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ result = app_revoke_permissions(OSP_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(OSP_PARTNER_APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Errno: " << result);
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(OSP_PLATFORM_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
// Are all the permissions revoked?
- result = test_have_all_accesses(rulesRevoke);
+ result = test_have_any_accesses(rules);
+ RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
+ result = test_have_any_accesses(rules_wgt);
+ RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
+ result = test_have_any_accesses(rules_wgt_partner);
+ RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
+ result = test_have_any_accesses(rules_wgt_platform);
+ RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
+
+ result = test_have_any_accesses(rules);
RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
+ result = test_have_any_accesses(rules_osp);
+ RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
+ result = test_have_any_accesses(rules_osp_partner);
+ RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
+ result = test_have_any_accesses(rules_osp_platform);
+ RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
+
+ FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file removed!. Errno: " << errno);
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ int smack_file_length = ftell(pFile);
+ if (pFile != NULL)
+ fclose(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length==0,
+ "SMACK file not empty.. Errno: " << errno);
+
+ pFile = fopen(SMACK_RULES_DIR WGT_APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file removed!. Errno: " << errno);
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ if (pFile != NULL)
+ fclose(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length==0,
+ "SMACK file not empty.. Errno: " << errno);
- // Investigate SMACK rules file
- char* path;
- RUNNER_ASSERT_MSG(asprintf(&path, SMACK_RULES_DIR "%s", APPID_REVOKE) != -1,
- "Error in asprintf");
+ pFile = fopen(SMACK_RULES_DIR WGT_PARTNER_APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file removed!. Errno: " << errno);
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ if (pFile != NULL)
+ fclose(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length==0,
+ "SMACK file not empty.. Errno: " << errno);
+
+ pFile = fopen(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file removed!. Errno: " << errno);
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ if (pFile != NULL)
+ fclose(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length==0,
+ "SMACK file not empty.. Errno: " << errno);
- //// Is the smack file deleted?
- FILE *pFile = fopen(path, "rb");
- RUNNER_ASSERT_MSG(pFile == NULL,
- "SMACK file NOT deleted after revoking ALL privileges. Errno: " << errno);
+ pFile = fopen(SMACK_RULES_DIR OSP_APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file removed!. Errno: " << errno);
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ if (pFile != NULL)
+ fclose(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length==0,
+ "SMACK file not empty.. Errno: " << errno);
- RUNNER_ASSERT_MSG(errno == ENOENT,
- "SMACK file NOT deleted after revoking ALL privileges. Errno: " << errno);
+ pFile = fopen(SMACK_RULES_DIR OSP_PARTNER_APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file removed!. Errno: " << errno);
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ if (pFile != NULL)
+ fclose(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length==0,
+ "SMACK file not empty.. Errno: " << errno);
+ pFile = fopen(SMACK_RULES_DIR OSP_PLATFORM_APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file removed!. Errno: " << errno);
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
if (pFile != NULL)
fclose(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length==0,
+ "SMACK file not empty.. Errno: " << errno);
+}
+
+static void read_gids(std::set<unsigned> &set, const char* file_path)
+{
+ FILE *f = fopen(file_path, "r");
+ RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
+ unsigned gid;
+ while (fscanf(f, "%u\n", &gid) == 1) {
+ set.insert(gid);
+ }
+}
+
+RUNNER_TEST(privilege_control05_add_shared_dir_readers)
+{
+
+#define TEST_OBJ "TEST_OBJECT"
+#define TEST_OBJ_SOME_OTHER "TEST_OBJA"
+#define test_string_01 "TEST_raz TEST_OBJECT r-x-- -----"
+#define test_string_21 "TEST_trzy TEST_OBJA -wx--\n"
+#define test_string_22 "TEST_trzy TEST_OBJECT r-x-- -----\n"
+
+ int result;
+ int i;
+ int fd = -1;
+ char *path;
+
+ const char *app_labels_wrong[] = {"-TEST_raz", NULL};
+ const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
+ const int READ_BUF_SIZE = 1000;
+ char buf[READ_BUF_SIZE];
+ FILE *file = NULL;
+ struct smack_accesses * rules = NULL;
+
+ //test what happens when the label is not correct SMACK label
+ result = smack_accesses_new(&rules);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
+
+ result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong);
+ RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here");
+
+ result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx");
+ RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here");
+
+ smack_accesses_free(rules);
+
+ //ok, now the correct list of apps
+ result = smack_accesses_new(&rules);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
+
+ for (i = 0; i < 3; i++) {
+
+ (void)app_uninstall(app_labels[i]);
+ result = app_install(app_labels[i]);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in app_install.");
+
+ RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i]));
+ fd = open(path, O_WRONLY, 0644);
+ RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path);
+
+ if (i == 1) {
+ result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
+ RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
+ }
+ if (i == 2) {
+ smack_accesses_free(rules);
+ result = smack_accesses_new(&rules);
+ result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
+ RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
+ }
+ result = smack_accesses_apply(rules);
+ RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
+
+ result = smack_accesses_save(rules, fd);
+ RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
+
+ free(path);
+ close(fd);
+
+ }
+
+ smack_accesses_free(rules);
+
+ // THE TEST - accesses
+
+ result = add_shared_dir_readers(TEST_OBJ,app_labels);
+ RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed");
+
+ result = smack_have_access(app_labels[0],TEST_OBJ,"rx");
+ RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
+
+ result = smack_have_access(app_labels[1],TEST_OBJ,"rx");
+ RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
+
+ result = smack_have_access(app_labels[2],TEST_OBJ,"rx");
+ RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
+
+ result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt");
+ RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
+
+ result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx");
+ RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
+
+
+ //TEST the operations on empty files
+
+ RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0]));
+ file = fopen(path, "r");
+
+ RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
+
+ RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
+ result = strcmp(buf, test_string_01);
+ RUNNER_ASSERT_MSG( result!=0, "add_shared_dir_readers ERROR, file not formatted" << path );
+
+ free(path);
+ fclose(file);
+
+ //TEST the operations on non empty files
+ RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2]));
+ file = NULL;
+ file = fopen(path, "r");
+ RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
+
+ RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
+ result = strcmp(buf, test_string_21);
+ RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
+
+ RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
+ result = strcmp(buf, test_string_22);
+ RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
+
+ free(path);
+ fclose(file);
}
+
/**
* Set APP privileges.
*/
-RUNNER_TEST(privilege_control05_set_app_privilege)
+
+void check_groups(const char* dac_file) {
+ std::set<unsigned> groups_check;
+ read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
+ read_gids(groups_check, dac_file);
+
+ int groups_cnt = getgroups(0, NULL);
+ RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
+ gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
+ RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
+ RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
+
+ for (int i = 0; i < groups_cnt; ++i) {
+ //getgroups() can return multiple number of the same group
+ //they are returned in sequence, so we will given number when last
+ //element of this number is reached
+ if( (i < groups_cnt - 1) && (groups_list[i+1] == groups_list[i]))
+ continue;
+ if (groups_check.erase(groups_list[i]) == 0) {
+ // getgroups() may also return process' main group
+ if (groups_list[i] != getgid())
+ RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
+ }
+ }
+ free(groups_list);
+ std::string groups_left;
+ for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
+ groups_left.append(std::to_string(*it)).append(" ");
+ }
+ RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
+}
+
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege)
{
int result;
- char* labelApp = "test_pc_label";
// Preset exec label
- smack_setlabel(APP_SET_PRIV_PATH,labelApp, SMACK_LABEL_EXEC);
+ smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
+ smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
+
+ /**
+ * TODO This test should also verify set_app_privilege behavior for OSP and
+ * WRT apps. To do that we'll have to install real apps on device as a
+ * precondition.
+ */
// Set APP privileges
- result = set_app_privilege(APP_SET_PRIV, NULL, APP_SET_PRIV_PATH);
+ result = set_app_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
// Check if SMACK label really set
char * label;
result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == 0, "Error setting label for exec" << result);
- result = strcmp(labelApp, label);
- RUNNER_ASSERT_MSG(result == 0, "Label NOT set");
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(APP_ID, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
// Check if DAC privileges really set
RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
result = strcmp(getenv("USER"), APP_USER_NAME);
RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
+}
+
+/**
+ * Set APP privileges. wgt.
+ */
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt)
+{
+ int result;
+
+ result = app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_all_accesses(rules_wgt);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ result = set_app_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char * label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(WGT_APP_ID, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+
+
+}
+
+/**
+ * Set APP privileges. wgt_partner.
+ */
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner)
+{
+ int result;
+
+ result = app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_all_accesses(rules_wgt_partner);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ result = set_app_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char * label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(WGT_PARTNER_APP_ID, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
}
+/**
+ * Set APP privileges. wgt_platform.
+ */
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform)
+{
+ int result;
+
+ result = app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_all_accesses(rules_wgt_platform);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ result = set_app_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char * label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(WGT_PLATFORM_APP_ID, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+}
+
+/**
+ * Set APP privileges. osp app.
+ */
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp)
+{
+ int result;
+
+ result = app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_all_accesses(rules_osp);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ result = set_app_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char * label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(OSP_APP_ID, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
+}
+
+/**
+ * Set APP privileges. partner osp app.
+ */
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_partner)
+{
+ int result;
+
+ result = app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_all_accesses(rules_osp_partner);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ result = set_app_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char * label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(OSP_PARTNER_APP_ID, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
+}
+
+/**
+ * Set APP privileges. platform osp app.
+ */
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_platform)
+{
+ int result;
+
+ result = app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_all_accesses(rules_osp_platform);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ result = set_app_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char * label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(OSP_PLATFORM_APP_ID, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
+}
+
+RUNNER_TEST(privilege_control08_app_give_access)
+{
+ const char *subject = "lkjq345v34sfa";
+ const char *object = "lk9290f92lkjz";
+ smack_accesses *tmp = NULL;
+
+ RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
+
+ SmackUniquePtr smack(tmp, smack_accesses_free);
+
+ RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "r--a-"));
+ RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
+
+ app_give_access(subject, object, "wt");
+
+ RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwat"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
+
+ app_revoke_access(subject, object);
+
+ RUNNER_ASSERT(1 == smack_have_access(subject, object, "ra"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "t"));
+
+ RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-"));
+ RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
+}
+
+RUNNER_TEST(privilege_control09_app_give_access)
+{
+ const char *subject = "ljk132flkjv";
+ const char *object = "jjsiqsc32vs";
+ smack_accesses *tmp = NULL;
+
+ RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
+
+ SmackUniquePtr smack(tmp, smack_accesses_free);
+
+ RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "---t-"));
+ RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
+
+ RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rw"));
+ RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rwx"));
+
+ RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxt"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
+
+ RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_revoke_access(subject, object));
+
+ RUNNER_ASSERT(1 == smack_have_access(subject, object, "t"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "r"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
+
+ RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----"));
+ RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
+}
+
+/**
+ * Add new API feature
+ */
+RUNNER_TEST(privilege_control11_add_api_feature)
+{
+ int result;
+
+ remove_smack_files();
+
+
+ // argument validation
+ result = add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
+
+ result = add_api_feature(APP_TYPE_OSP,"" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
+
+
+ // already existing features
+ result = add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
+
+ result = add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
+
+ result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+
+ result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+
+ result = add_api_feature(APP_TYPE_OTHER,"http://messaging" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+
+ result = add_api_feature(APP_TYPE_OTHER,"messaging.read" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+
+
+ // empty features
+ result = add_api_feature(APP_TYPE_OSP,"blahblah" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+
+ result = add_api_feature(APP_TYPE_WGT,"blahblah" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+
+ result = add_api_feature(APP_TYPE_OTHER,"blahblah" , NULL, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+
+
+ // smack files existence
+ result = file_exists(OSP_BLAHBLAH);
+ RUNNER_ASSERT(result == -1);
+
+ result = file_exists(WRT_BLAHBLAH);
+ RUNNER_ASSERT(result == -1);
+
+ result = file_exists(OTHER_BLAHBLAH);
+ RUNNER_ASSERT(result == -1);
+
+
+ // empty rules
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , { NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ result = file_exists(OSP_BLAHBLAH);
+ RUNNER_ASSERT(result == -1);
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "", NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ result = file_exists(OSP_BLAHBLAH);
+ RUNNER_ASSERT(result == 0);
+ remove_smack_files();
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ result = file_exists(OSP_BLAHBLAH);
+ RUNNER_ASSERT(result == 0);
+ remove_smack_files();
+
+
+ // malformed rules
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed", NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
+ result = file_exists(OSP_BLAHBLAH);
+ RUNNER_ASSERT(result == -1);
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed", NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
+ result = file_exists(OSP_BLAHBLAH);
+ RUNNER_ASSERT(result == -1);
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "-malformed malformed rwxat", NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
+ result = file_exists(OSP_BLAHBLAH);
+ RUNNER_ASSERT(result == -1);
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "~/\"\\ malformed rwxat", NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
+ result = file_exists(OSP_BLAHBLAH);
+ RUNNER_ASSERT(result == -1);
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object rwxat something else", NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
+ result = file_exists(OSP_BLAHBLAH);
+ RUNNER_ASSERT(result == -1);
+
+
+ // correct rules
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed maaaaaalformed", NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ osp_blahblah_check(__LINE__, { "malformed malformed r--a- -----" });
+ remove_smack_files();
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object foo", NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ osp_blahblah_check(__LINE__, { "subject object ----- -----" });
+ remove_smack_files();
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
+ "subject object\t rwxat",
+ " \t \n",
+ "subject2\tobject2 txarw",
+ "",
+ NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject2 object2 rwxat -----"});
+ remove_smack_files();
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
+ "Sub::jE,ct object a-RwX",
+ NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa- -----"});
+ remove_smack_files();
+
+ // TODO For now identical/complementary rules are not merged.
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
+ "subject object rwxat",
+ " \t \n",
+ "subject object txarw",
+ "",
+ NULL }, NULL, 0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject object rwxat -----"});
+ remove_smack_files();
+
+
+ // empty group ids
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},0);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ osp_blahblah_check(__LINE__, { "a a ---a- -----"});
+ result = file_exists(OSP_BLAHBLAH_DAC);
+ RUNNER_ASSERT(result == -1);
+ remove_smack_files();
+
+
+ // valid group ids
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},3);
+ printf("%d \n", result);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ osp_blahblah_check(__LINE__, { "a a ---a- -----"});
+ osp_blahblah_dac_check(__LINE__, {0,1,2});
+ remove_smack_files();
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},1);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ osp_blahblah_check(__LINE__, { "a a ---a- -----"});
+ osp_blahblah_dac_check(__LINE__, {0});
+ remove_smack_files();
+
+ result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){1,1,1},3);
+ RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
+ osp_blahblah_check(__LINE__, { "a a ---a- -----"});
+ osp_blahblah_dac_check(__LINE__, {1,1,1});
+ remove_smack_files();
+}
+
+/*
+ * Check app_install function
+ */
+RUNNER_TEST(privilege_control01_app_install)
+{
+ int result;
+ char *path = NULL;
+ int fd = -1;
+
+ unlink(SMACK_RULES_DIR APP_ID);
+
+ app_uninstall(APP_ID);
+
+ result = app_install(APP_ID);
+ RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
+
+ // checking if file really exists
+ fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
+ RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << path << " : " << result << ". Errno: " << strerror(errno));
+ close(fd);
+ free(path);
+
+ // try install second time app with the same ID - it should pass.
+ result = app_install(APP_ID);
+ RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
+}
+
+/*
+ * Check app_install function
+ */
+RUNNER_TEST(privilege_control07_app_uninstall)
+{
+ int result;
+ char *path = NULL;
+ int fd = -1;
+
+ result = app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result <<". Errno: " << strerror(errno));
+
+ // checking if file really exists
+ fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
+ RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after app_uninstall");
+ close(fd);
+ free(path);
+}
+
+void checkOnlyAvAccess(const char* av_id, const char* app_id, const char* comment){
+ int result;
+ result = smack_have_access(av_id, app_id, "rwx");
+ RUNNER_ASSERT_MSG(result == 1,
+ "Error while checking " << av_id << " rwx access to "
+ << app_id << " " << comment << " Result: " << result);
+ result = smack_have_access(av_id, app_id, "a");
+ RUNNER_ASSERT_MSG(result == 0,
+ "Error while checking " << av_id << " a access to "
+ << app_id << " " << comment << " Result: " << result);
+ result = smack_have_access(av_id, app_id, "t");
+ RUNNER_ASSERT_MSG(result == 0,
+ "Error while checking " << av_id << " t access to "
+ << app_id << " " << comment << " Result: " << result);
+}
+
+/*
+ * Check app_register_av function
+ * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
+ */
+RUNNER_TEST(privilege_control10_app_register_av)
+{
+ int result;
+
+ // cleaning
+ smack_revoke_subject(APP_TEST_AV_1);
+ smack_revoke_subject(APP_TEST_AV_2);
+
+ cleaning_smack_app_files();
+ cleaning_smack_database_files();
+
+ // Adding two apps before antivir
+ result = app_install(APP_TEST_APP_1);
+ RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
+
+ result = app_install(APP_TEST_APP_2);
+ RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
+
+ // Adding antivir
+ result = app_register_av(APP_TEST_AV_1);
+ RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
+
+ // Checking added apps accesses
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
+
+ // Adding third app
+ result = app_install(APP_TEST_APP_3);
+ RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
+
+ // Checking app accesses
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_install(APP_TEST_APP_3)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_install(APP_TEST_APP_3)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_install(APP_TEST_APP_3)");
+
+ // Adding second antivir
+ result = app_register_av(APP_TEST_AV_2);
+ RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
+
+ // Checking app accesses
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
+
+ // cleaning
+ smack_revoke_subject(APP_TEST_AV_1);
+ smack_revoke_subject(APP_TEST_AV_2);
+
+ cleaning_smack_app_files();
+ cleaning_smack_database_files();
+}
+
+/**
+ * Grant SMACK permissions based on permissions list.
+ */
+RUNNER_TEST(privilege_control11_app_enable_permissions)
+{
+ int result;
+ int smack_file_length;
+ FILE *pFile;
+
+/**
+ * Test - Enabling all permissions with persistant mode enabled
+ */
+
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file NOT created!. Errno: " << errno);
+
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length>0,
+ "SMACK file empty with persistant mode 1. Errno: " << errno);
+
+ if (pFile != NULL)
+ fclose(pFile);
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling all permissions with persistant mode disabled
+ */
+
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file NOT created!. Errno: " << errno);
+
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length==0,
+ "SMACK file not empty with persistant mode 0. Errno: " << errno);
+
+ if (pFile != NULL)
+ fclose(pFile);
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling all permissions in two complementary files
+ */
+
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file NOT created!. Errno: " << errno);
+
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length>0,
+ "SMACK file empty with persistant mode 1. Errno: " << errno);
+
+ if (pFile != NULL)
+ fclose(pFile);
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling some permissions and then enabling complementary permissions
+ */
+
+ // Enable permission for rules 2 no r
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions without r. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file NOT created!. Errno: " << errno);
+
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length>0,
+ "SMACK file empty with persistant mode 1. Errno: " << errno);
+
+ if (pFile != NULL)
+ fclose(pFile);
+
+ // Enable permission for rules 2
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app all permissions. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions all not added.");
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling some permissions and then enabling all permissions
+ */
+
+ // Enable permission for rules 2 no r
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions without r. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file NOT created!. Errno: " << errno);
+
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length>0,
+ "SMACK file empty with persistant mode 1. Errno: " << errno);
+
+ if (pFile != NULL)
+ fclose(pFile);
+
+ // Enable permission for rules 2
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions with only r. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions with only r not added.");
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+}
+
+/*
+ * Until app_disable_permissions is not fixed this test should remain
+ * commented
+ */
+/**
+ * Remove previously granted SMACK permissions based on permissions list.
+ */
+/*RUNNER_TEST(privilege_control12_app_disable_permissions)
+{
+*/
+/**
+ * Test - disable all granted permissions.
+ */
+/* int result;
+
+ // Prepare permissions that we want to disable
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ // Disable permissions
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ // Are all the permissions disabled?
+ result = test_have_any_accesses(rules2);
+ RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
+*/
+/**
+ * Test - disable some granted permissions leaving non complementary and then disabling those too.
+ */
+/*
+ // Prepare permissions that will not be disabled
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app first permissions. Result: " << result);
+
+ // Prepare permissions that we want to disable
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app second permissions. Result: " << result);
+
+ // Disable second permissions
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app second permissions. Result: " << result);
+
+ // Are all second permissions disabled?
+ result = test_have_any_accesses(rules2);
+ RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
+
+ // Are all first permissions not disabled?
+ result = test_have_all_accesses(rules);
+ RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
+
+ // Disable first permissions
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app first permissions. Result: " << result);
+
+ // Are all second permissions disabled?
+ result = test_have_any_accesses(rules);
+ RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
+*/
+/**
+ * Test - disable only no r granted permissions.
+ */
+/*
+ // Prepare permissions
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app permissions. Result: " << result);
+
+ // Disable same permissions without r
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app no r permissions. Result: " << result);
+
+ // Is any r permissions disabled?
+ result = test_have_all_accesses(rules2_r);
+ RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
+ // Are all no r permissions disabled?
+ result = test_have_any_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
+
+ // Prepare permissions
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app no r permissions. Result: " << result);
+
+ // Disable all permissions
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+}
+*/
+/**
+ * Reset SMACK permissions for an application by revoking all previously
+ * granted rules and enabling them again from a rules file from disk.
+ */
+
+RUNNER_TEST(privilege_control13_app_reset_permissions)
+{
+
+ int result;
+
+/**
+ * Test - doing reset and checking if rules exist again.
+ */
+
+ // Prepare permissions to reset
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app permissions. Result: " << result);
+
+ // Reset permissions
+ result = app_reset_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error reseting app permissions. Result: " << result);
+
+ // Are all second permissions not disabled?
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Not all permissions added.");
+
+ // Disable permissions
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+}
+
+/**
+ * Make two applications "friends", by giving them both full permissions on
+ * each other.
+ */
+RUNNER_TEST(privilege_control14_app_add_friend)
+{
+ int result;
+
+/**
+ * Test - making friends with no permissions on each other
+ */
+
+ result = app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ app_uninstall(APP_FRIEND_1);
+ app_uninstall(APP_FRIEND_2);
+
+ // Installing friends to be
+ result = app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing first app. Result: " << result);
+ result = app_install(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing second app. Result: " << result);
+
+ // Making friends
+ result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error making friends. Errno: " << result);
+
+ // Checking if friends were made
+ result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error first one sided friednship failed. Result: " << result);
+ result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error second one sided friednship failed. Result: " << result);
+
+ // Clean up
+ result = app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ app_uninstall(APP_FRIEND_1);
+ app_uninstall(APP_FRIEND_2);
+
+/**
+ * Test - making friends with nonexisting friend
+ */
+
+ // Installing one friend
+ result = app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing first app. Errno: " << result);
+
+ // Adding imaginairy friend as second
+ result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error making friends (first) with imaginairy friend failed. Result: "
+ << result);
+ // Adding imaginairy friend as first
+ result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error making friends (second) with imaginairy friend failed. Result: "
+ << result);
+ // Clean up
+ result = app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ app_uninstall(APP_FRIEND_1);
+ app_uninstall(APP_FRIEND_2);
+
+/**
+ * Test - making friends with some permissions already added
+ */
+ unsigned int i;
+ unsigned int j;
+
+ struct smack_accesses * rulesFriend = NULL;
+
+ std::vector<std::string> accessesFriend =
+ { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
+
+ // Installing friends to be
+ result = app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing first app. Result: " << result);
+ result = app_install(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing second app. Result: " << result);
+
+ for(i = 0; i<accessesFriend.size(); ++i)
+ {
+ for(j = 0; j<accessesFriend.size(); ++j)
+ {
+
+ // Adding rules before making friends
+ result = smack_accesses_new(&rulesFriend);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in smack_accesses_new. Result: " << result);
+
+ result = smack_accesses_add(rulesFriend,
+ APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to add modify rulesFirend (first). Result: " << result);
+ result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
+ APP_FRIEND_1, accessesFriend[j].c_str());
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to add modify rulesFirend (second). Result: " << result);
+
+ result = smack_accesses_apply(rulesFriend);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in smack_accesses_apply. Result: " << result);
+
+ // Adding friends
+ result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error making friends. Result: " << result);
+
+ // Checking if friends were made
+ result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error first one sided friednship failed. Result: " << result);
+ result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error second one sided friednship failed. Result: " << result);
+
+ // Deleting all rules between friends
+ smack_accesses_add_modify(rulesFriend,
+ APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
+ smack_accesses_add_modify(rulesFriend,
+ APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
+
+ result = smack_accesses_apply(rulesFriend);
+
+ smack_accesses_free(rulesFriend);
+ rulesFriend = NULL;
+ }
+
+ }
+
+ // Clean up
+ result = app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ app_uninstall(APP_FRIEND_1);
+ app_uninstall(APP_FRIEND_2);
+}
+
+static void smack_set_random_label_based_on_pid_on_self(void)
+{
+ int result;
+ std::stringstream ss;
+
+ ss << "s-" << getpid() << "-" << getppid();
+ result = smack_set_label_for_self(ss.str().c_str());
+ RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
+ << ss.str().c_str() << ") failed");
+}
+
+static void smack_unix_sock_server(int sock)
+{
+ int fd, result;
+ char* smack_label;
+
+ alarm(2);
+ fd = accept(sock, NULL, NULL);
+ alarm(0);
+ if (fd < 0)
+ return;
+ result = smack_new_label_from_self(&smack_label);
+ if(result != 0){
+ close(fd);
+ close(sock);
+ free(smack_label);
+ RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
+ }
+ result = write(fd, smack_label, strlen(smack_label));
+ if(result != (int)strlen(smack_label)){
+ close(fd);
+ close(sock);
+ free(smack_label);
+ RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
+ }
+ close(fd);
+ free(smack_label);
+}
+
+RUNNER_TEST(privilege_control15_app_id_from_socket)
+{
+ int pid;
+ struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+
+ unlink(SOCK_PATH);
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
+
+ smack_set_random_label_based_on_pid_on_self();
+
+ if (!pid) { /* child process, server */
+ int sock, result;
+
+ /* Set the process label before creating a socket */
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
+ result = bind(sock,
+ (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
+ if(result != 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
+ }
+ result = listen(sock, 1);
+ if(result != 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
+ }
+ smack_unix_sock_server(sock);
+
+ /* Change the process label with listening socket */
+ smack_unix_sock_server(sock);
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
+ /* Now running two concurrent servers.
+ Test if socket label was unaffected by fork() */
+ smack_unix_sock_server(sock);
+ /* Let's give the two servers different labels */
+ smack_unix_sock_server(sock);
+ close(sock);
+ waitpid(pid, NULL, 0);
+ exit(0);
+ } else { /* parent process, client */
+ sleep(1); /* Give server some time to setup listening socket */
+ int i;
+ for (i = 0; i < 4; ++i) {
+ int sock;
+ int result;
+ char smack_label1[SMACK_LABEL_LEN + 1];
+ char* smack_label2;
+
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0,
+ "socket failed: " << strerror(errno));
+ result = connect(sock,
+ (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
+ if(result != 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
+ }
+
+ alarm(2);
+ result = read(sock, smack_label1, SMACK_LABEL_LEN);
+ alarm(0);
+ if(result < 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
+ }
+ smack_label1[result] = '\0';
+ smack_label2 = app_id_from_socket(sock);
+ if(smack_label2 == NULL){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "app_id_from_socket failed");
+ }
+ result = strcmp(smack_label1, smack_label2);
+ if(result != 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
+ << "' != '" << smack_label2 << "-" << random() << "'");
+ }
+ close(sock);
+ }
+ waitpid(pid, NULL, 0);
+ }
+}
+
+RUNNER_TEST(privilege_control16_app_setup_path){
+ const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
+ const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
+ const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
+ const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
+ const char *label1 = "qwert123456za";
+ const char *label2 = "trewq654123az";
+
+ std::unique_ptr<char, std::function<void(void*)>> labelPtr(NULL,free);
+
+ mkdir(path1,0);
+ mkdir(path2,0);
+
+ int fd = creat(path3, S_IRWXU);
+ if (fd >= 0)
+ close(fd);
+ fd = creat(path4, S_IRWXU);
+ if (fd >= 0)
+ close(fd);
+
+ char *label = NULL;
+
+ RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
+ RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
+
+ RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
+ RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2));
+
+ RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT(labelPtr.get() == NULL);
+}
+
+RUNNER_TEST(privilege_control17_appsettings_privilege)
+{
+#define APP_1 "app_1"
+#define APP_1_DIR "/tmp/app_1"
+
+#define APP_2 "app_2"
+#define APP_2_DIR "/tmp/app_2"
+
+#define APP_TEST "app_test"
+
+#define PRIV_APPSETTING (const char*[]){"http://tizen.org/privilege/appsetting", NULL}
+
+ int ret;
+ char* app1_dir_label;
+ char* app2_dir_label;
+ //prepare test
+
+
+ (void)app_uninstall(APP_TEST);
+ (void)app_uninstall(APP_1);
+ (void)app_uninstall(APP_2);
+
+ //install some app 1
+ ret = app_install(APP_1);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install." << ret);
+
+ mkdir(APP_1_DIR, S_IRWXU|S_IRGRP|S_IXGRP);
+
+ //register settings folder for app 1
+ ret = app_setup_path(APP_1, APP_1_DIR , APP_PATH_SETTINGS_RW );
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret);
+
+ //install "app_test" and give it appsettings privilege
+ ret = app_install(APP_TEST);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install.");
+
+
+ ret = app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
+
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << ret);
+
+ //check if "app_test" has an RX access to the app "app_1"
+ ret = smack_have_access(APP_TEST, APP_1, "rx");
+ RUNNER_ASSERT_MSG(ret,"access denies");
+
+
+ //check if "app_test" has an RWX access to a folder registered by "app_1"
+ ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
+ ret = smack_have_access(APP_TEST, app1_dir_label, "rwx");
+ RUNNER_ASSERT_MSG(ret,"access denies");
+
+
+ //intstall another app: "app_2"
+ ret = app_install(APP_2);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install.");
+
+ mkdir(APP_2_DIR, S_IRWXU|S_IRGRP|S_IXGRP);
+ //register settings folder for that "app_2"
+ ret = app_setup_path(APP_2, APP_2_DIR , APP_PATH_SETTINGS_RW );
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret);
+
+ //check if "app_test" has an RX access to the app "app_2"
+ ret = smack_have_access(APP_TEST, APP_2, "rx");
+ RUNNER_ASSERT_MSG(ret,"access denies");
+
+ //check if "app_test" has an RWX access to a folder registered by "app_2"
+ ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS );
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
+ ret = smack_have_access(APP_TEST, app2_dir_label, "rwx");
+ RUNNER_ASSERT_MSG(ret,"access denies");
+
+ free (app1_dir_label);
+ free (app2_dir_label);
+ rmdir(APP_1_DIR);
+ rmdir(APP_2_DIR);
+
+ (void)app_uninstall(APP_TEST);
+ (void)app_uninstall(APP_1);
+ (void)app_uninstall(APP_2);
+
+
+}
+
+RUNNER_TEST(privilege_control18_app_setup_path_public)
+{
+ int result;
+
+ cleaning_smack_database_files();
+ add_lables_to_db();
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
+ RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
+
+ cleaning_smack_database_files();
+}
+
+RUNNER_TEST(privilege_control19_app_setup_path_settings)
+{
+ int result;
+
+ cleaning_smack_database_files();
+ add_lables_to_db();
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
+ RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
+
+ cleaning_smack_database_files();
+}
projects / platform / core / test / security-tests.git / blobdiff