}
};
-static void generateAppLabel(const std::string &appId, std::string &label)
+static std::string generateAppLabel(const std::string &appId)
{
- (void) appId;
- label = "User";
+ return "User::App::" + appId;
}
static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
return 0;
}
+// nftw doesn't allow passing user data to functions. Work around by using global variable
+static std::string nftw_expected_label;
+bool nftw_expected_transmute;
+bool nftw_expected_exec;
-static int nftw_check_sm_labels_app_rw_dir(const char *fpath, const struct stat *sb,
+static int nftw_check_sm_labels(const char *fpath, const struct stat *sb,
int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
- return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
-}
-
-static int nftw_check_sm_labels_app_ro_dir(const char *fpath, const struct stat *sb,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
-
- return nftw_check_sm_labels_app_dir(fpath, sb, "User::Home", true, false);
+ return nftw_check_sm_labels_app_dir(fpath, sb,
+ nftw_expected_label.c_str(), nftw_expected_transmute, nftw_expected_exec);
}
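Review bot: `nftw_expected_transmute` and `nftw_expected_exec` are declared without `static`, unlike `nftw_expected_label` directly above them, so they get external linkage and can clash with same-named symbols in other translation units of the test binary. Declare them `static bool nftw_expected_transmute;` and `static bool nftw_expected_exec;`. Since `nftw_check_sm_labels` reads whatever the previous caller left in these globals, extend the comment to say that all three must be assigned before every `nftw()` call and that the callback is not reentrant. The body of `nftw_check_sm_labels_app_dir`, which consumes the values, is outside the hunk.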
static void prepare_app_path()
prepare_app_path();
}
-/* TODO: add parameters to this function */
-static void check_app_path_after_install()
+static void check_app_path_after_install(const char *appId)
{
int result;
- result = nftw(SM_RW_PATH, &nftw_check_sm_labels_app_rw_dir, FTW_MAX_FDS, FTW_PHYS);
+ nftw_expected_label = generateAppLabel(appId);
+ nftw_expected_transmute = false;
+ nftw_expected_exec = true;
+
+ result = nftw(SM_RW_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RW_PATH);
- result = nftw(SM_RO_PATH, &nftw_check_sm_labels_app_ro_dir, FTW_MAX_FDS, FTW_PHYS);
+ nftw_expected_label = "User::Home";
+ nftw_expected_transmute = true;
+ nftw_expected_exec = false;
+
+ result = nftw(SM_RO_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RO_PATH);
result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
const privileges_t &allowed_privs, const privileges_t &denied_privs)
{
(void) pkg_id;
- std::string smackLabel;
- generateAppLabel(app_id, smackLabel);
+ std::string smackLabel = generateAppLabel(app_id);
CynaraTestClient::Client ctc;
SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
/* TODO: add parameters to this function */
- check_app_path_after_install();
+ check_app_path_after_install(sm_app_id);
InstallRequest requestUninst;
requestUninst.setAppId(sm_app_id);
{
const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
- const char *const expected_label = USER_APP_ID;
const char *const socketLabel = "not_expected_label";
+ std::string expected_label = generateAppLabel(app_id);
char *label = nullptr;
CStringPtr labelPtr;
int result;
result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
//Set socket label to something different than expecedLabel
- result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
- strlen(socketLabel), 0);
+ result = smack_set_label_for_file(sock, XATTR_NAME_SMACKIPIN, socketLabel);
RUNNER_ASSERT_ERRNO_MSG(result == 0,
"Can't set socket label. Result: " << result);
- result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
- strlen(socketLabel), 0);
+ result = smack_set_label_for_file(sock, XATTR_NAME_SMACKIPOUT, socketLabel);
RUNNER_ASSERT_ERRNO_MSG(result == 0,
"Can't set socket label. Result: " << result);
Api::setProcessLabel(app_id);
- char value[SMACK_LABEL_LEN + 1];
- ssize_t size;
- size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
- RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
- result = strcmp(expected_label, value);
+ result = smack_new_label_from_file(sock, XATTR_NAME_SMACKIPIN, &label);
+ RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
+ labelPtr.reset(label);
+ result = expected_label.compare(label);
RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- expected_label << " Actual: " << value);
+ expected_label << " Actual: " << label);
- size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
- RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
- result = strcmp(expected_label, value);
+ result = smack_new_label_from_file(sock, XATTR_NAME_SMACKIPOUT, &label);
+ RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
+ labelPtr.reset(label);
+ result = expected_label.compare(label);
RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- expected_label << " Actual: " << value);
+ expected_label << " Actual: " << label);
result = smack_new_label_from_self(&label);
RUNNER_ASSERT_MSG(result >= 0,
" Process label is not set");
labelPtr.reset(label);
- result = strcmp(expected_label, label);
+ result = expected_label.compare(label);
RUNNER_ASSERT_MSG(result == 0,
" Process label is incorrect. Expected: \"" << expected_label <<
"\" Actual: \"" << label << "\"");
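Review bot: Both `smack_new_label_from_file` failure messages stream `label`, which holds no valid result on that path. At the first call it is still `nullptr`, and inserting a null `char*` into a stream is undefined behaviour. At the second call it still points at the previously read IPIN label, so the report would print a stale value (this assumes the library leaves `*label` untouched on error, which the hunk does not show). Drop `<< label` from both messages and name the attribute instead, e.g. `RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed for " << XATTR_NAME_SMACKIPIN);`. The test body starts and ends outside the hunk.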
return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
}
-static const std::string appDirPath(const TemporaryTestUser &user)
+static const std::string appDirPath(const TemporaryTestUser &user,
+ const std::string &appId, const std::string &pkgId)
{
struct tzplatform_context *tzCtxPtr = nullptr;
"tzplatform_context_getenv failed"
<< "for getting sys rw app of user <" << user.getUserName() << ">");
- return appDir;
+ return std::string(appDir) + "/" + pkgId + "/" + appId;
}
static const std::string nonAppDirPath(const TemporaryTestUser &user)
mode_t execFileMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
mode_t normalFileMode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
- mkdirSafe(dir, dirMode);
+ mktreeSafe(dir, dirMode);
creatSafe(dir + "/" + EXEC_FILE, execFileMode);
creatSafe(dir + "/" + NORMAL_FILE, normalFileMode);
symlinkSafe(dir + "/" + EXEC_FILE, dir + "/" + LINK_PREFIX + EXEC_FILE);
dir + "/" + LINK_PREFIX + "non_app_" + NORMAL_FILE);
}
-static void generateAppDir(const TemporaryTestUser &user)
+static void generateAppDir(const TemporaryTestUser &user,
+ const std::string &appId, const std::string &pkgId)
{
- const std::string dir = appDirPath(user);
+ const std::string dir = appDirPath(user, appId, pkgId);
const std::string nonAppDir = nonAppDirPath(user);
createInnerAppDir(dir, nonAppDir);
createTestDir(dir + "/inner_dir");
}
-static void createTestDirs(const TemporaryTestUser &user)
+static void createTestDirs(const TemporaryTestUser &user,
+ const std::string &appId, const std::string &pkgId)
{
- generateAppDir(user);
+ generateAppDir(user, appId, pkgId);
generateNonAppDir(user);
}
-static void removeTestDirs(const TemporaryTestUser &user)
+static void removeTestDirs(const TemporaryTestUser &user,
+ const std::string &appId, const std::string &pkgId)
{
- removeDir(appDirPath(user));
+ removeDir(appDirPath(user, appId, pkgId));
removeDir(nonAppDirPath(user));
}
TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
testUser.create();
- removeTestDirs(testUser);
- createTestDirs(testUser);
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
- const std::string userAppDirPath = appDirPath(testUser);
+ const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
//switch user to non-root
result = drop_root_privileges(testUser.getUid(), testUser.getGid());
TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
testUser.create();
- removeTestDirs(testUser);
- createTestDirs(testUser);
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
- install_and_check(sm_app_id, sm_pkg_id, testUser, appDirPath(testUser), true);
+ install_and_check(sm_app_id, sm_pkg_id, testUser, appDirPath(testUser, sm_app_id, sm_pkg_id), true);
//switch user to non-root - root may not uninstall apps for specified users
result = drop_root_privileges(testUser.getUid(), testUser.getGid());
{
const char *const app_id = "sm_test_06_app_id_install_app_offline";
const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
- ServiceManager serviceManager("security-manager.service");
+ // Uninstall app on-line, off-line mode doesn't support it
uninstall_app(app_id, pkg_id, true);
- serviceManager.maskService();
+
+ ServiceManager("security-manager.service").stopService();
+
+ ServiceManager serviceManager("security-manager.socket");
serviceManager.stopService();
install_app(app_id, pkg_id);
- serviceManager.unmaskService();
serviceManager.startService();
uninstall_app(app_id, pkg_id, true);
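Review bot: After `serviceManager.stopService()`, the socket unit is brought back only by the explicit `serviceManager.startService()` call. If `install_app` fails an assertion in between (the runner's assert macros presumably throw), security-manager stays unreachable for every test that runs afterwards. A scope guard that restarts the socket on all exit paths would keep one failing offline test from cascading into unrelated failures. The same stop/start sequence is repeated in the `security_manager_09_add_user_offline` test further down. It would also help to extend the comment to say why both `security-manager.service` and `security-manager.socket` are stopped, presumably so that socket activation cannot bring the daemon back during the off-line install.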
test_user.create();
test_user.getUidString(uid_string);
- removeTestDirs(test_user);
- createTestDirs(test_user);
+ removeTestDirs(test_user, sm_app_id, sm_pkg_id);
+ createTestDirs(test_user, sm_app_id, sm_pkg_id);
install_app(sm_app_id, sm_pkg_id, test_user.getUid());
test_user.create();
test_user.getUidString(uid_string);
- removeTestDirs(test_user);
- createTestDirs(test_user);
+ removeTestDirs(test_user, sm_app_id, sm_pkg_id);
+ createTestDirs(test_user, sm_app_id, sm_pkg_id);
addUserRequest.setUid(test_user.getUid());
addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
const char *const app_id = "security_manager_09_add_user_offline_app";
const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
const std::string new_user_name("sm_test_09_user_name");
- ServiceManager serviceManager("security-manager.service");
- serviceManager.maskService();
+
+ ServiceManager("security-manager.service").stopService();
+
+ ServiceManager serviceManager("security-manager.socket");
serviceManager.stopService();
TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
test_user.create();
- removeTestDirs(test_user);
- createTestDirs(test_user);
+ removeTestDirs(test_user, app_id, pkg_id);
+ createTestDirs(test_user, app_id, pkg_id);
install_app(app_id, pkg_id, test_user.getUid());
check_app_after_install(app_id, pkg_id);
- serviceManager.unmaskService();
serviceManager.startService();
test_user.remove();
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
- std::string smackLabel;
- generateAppLabel(update_app_id, smackLabel);
-
struct message {
uid_t uid;
gid_t gid;
//wait for child
RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
if(pid == 0)
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
- std::string smackLabel;
- generateAppLabel(update_other_app_id, smackLabel);
-
struct message {
uid_t uid;
gid_t gid;
//wait for child
RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
if(pid == 0)
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
- std::string smackLabel;
- generateAppLabel(update_app_id, smackLabel);
-
struct message {
uid_t uid;
gid_t gid;
//wait for child
RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
if(pid == 0)
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
- std::string smackLabel;
- generateAppLabel(update_app_id, smackLabel);
-
struct message {
uid_t uid;
gid_t gid;
//wait for child
RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
pid = fork();
//wait for child
waitpid(-1, &result, 0);
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
}
if(pid == 0)
TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
user.create();
user.getUidString(uid_string);
- const std::string path1 = "/home/" + username + "/p1";
- const std::string path2 = "/home/" + username + "/p2";
+ const std::string path1 = appDirPath(user, app_id, pkg_id) + "/p1";
+ const std::string path2 = appDirPath(user, app_id, pkg_id) + "/p2";
const std::string pkgopt = " --pkg=" + pkg_id;
const std::string appopt = " --app=" + app_id;
const std::string uidopt = " --uid=" + uid_string;
- mkdir(path1.c_str(), 0);
- mkdir(path2.c_str(), 0);
+ mktreeSafe(path1.c_str(), 0);
+ mktreeSafe(path2.c_str(), 0);
const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
{"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
{installcmd, SUCCESS},
{"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
- {installcmd + " --path " + path1 + " private", SUCCESS},
+ {installcmd + " --path " + path1 + " writable", SUCCESS},
{installcmd + " --path " + path1, FAILURE},//no path type
- {installcmd + " --path " + path1 + " private" + " --path " + path2 + " private", SUCCESS},
- {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " public", FAILURE},//wrong path type
- {installcmd + " --path " + path1 + " private" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
+ {installcmd + " --path " + path1 + " writable" + " --path " + path2 + " readable", SUCCESS},
+ {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " readable", FAILURE},//wrong path type
+ {installcmd + " --path " + path1 + " writable" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
};
for (auto &op : operations) {