X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tests%2Flibprivilege-control-tests%2Ftest_cases.cpp;h=197aa83beac2b5f631d00565ce2be78b4ed5af8c;hb=554f9de26fc15c3fbde1e4811d44a3ba90a8f7b4;hp=0cb300ca19a4fe974180d3e7b86d6c34c9df7d03;hpb=df839433a7c8d20d877097a1ade0f3d0ca46851e;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp index 0cb300c..197aa83 100644 --- a/tests/libprivilege-control-tests/test_cases.cpp +++ b/tests/libprivilege-control-tests/test_cases.cpp @@ -25,9 +25,9 @@ #include #include -#include #include #include +#include #include #include @@ -49,13 +49,7 @@ #include #include "common/duplicates.h" #include "common/db.h" - -#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules" - -#define EARLY_RULE_SUBJECT "livebox.web-provider" -#define EARLY_RULE_RIGHTS "rwx---" - -#define SMACK_ACC_LEN 6 +#include "memory.h" // Error codes for test_libprivilege_strerror const std::vector error_codes { @@ -97,10 +91,10 @@ int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb, result = strcmp(APPID_SHARED_DIR, label); RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"); - result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl"); + result = smack_have_access(USER_APP_ID, APPID_SHARED_DIR, "rwxatl"); RUNNER_ASSERT_MSG_BT(result == 1, "Error rwxatl access was not given shared dir. Subject: " << - APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result); + USER_APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result); /* EXEC */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); @@ -119,117 +113,6 @@ int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb, return 0; } -int check_labels_dir(const char *fpath, const struct stat *sb, - const char *labels_db_path, const char *dir_db_path, - const char *access) -{ - int result; - char *label; - char *label_gen; - char *scanf_label_format; - char label_temp[SMACK_LABEL_LEN + 1]; - FILE *file_db; - - /* ACCESS */ - result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG_BT(label_gen != NULL, "ACCESS label on " << fpath << " is not set"); - - /* EXEC */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - if (result != 0) { - free(label_gen); - RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path"); - } - if (label != NULL) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG_BT(false, "EXEC label on " << fpath << " is set."); - } - - /* TRANSMUTE */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - if (result != 0) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path"); - } - if (S_ISDIR(sb->st_mode)) { - if (label == NULL) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is not set"); - } - result = strcmp("TRUE", label); - if (result != 0) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is not set to TRUE"); - } - } else if (label != NULL) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is set"); - } - - free(label); - - if (0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)) { - free(label_gen); - RUNNER_ASSERT_MSG_BT(false, "asprintf failed"); - } - - file_db = fopen(labels_db_path, "r"); - if (file_db == NULL) { - free(label_gen); - free(scanf_label_format); - RUNNER_ASSERT_MSG_BT(false, "Can not open database for apps"); - } - while (fscanf(file_db, scanf_label_format, label_temp) == 1) { - result = smack_have_access(label_temp, label_gen, access); - if (result != 1) { - fclose(file_db); - free(label_gen); - free(scanf_label_format); - RUNNER_ASSERT_MSG_BT(false, - "Error " << access << " access was not given for subject: " - << label_temp << ". Result: " << result); - } - } - fclose(file_db); - - file_db = fopen(dir_db_path, "r"); - if (file_db == NULL) { - free(label_gen); - free(scanf_label_format); - RUNNER_ASSERT_MSG_BT(false, "Can not open database for dirs"); - } - - free(scanf_label_format); - free(label_gen); - fclose(file_db); - - return 0; -} - -void osp_blahblah_check(int line_no, const std::vector &rules) -{ - std::ifstream smack_file(OSP_BLAHBLAH); - RUNNER_ASSERT_MSG_BT(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH); - - auto it = rules.begin(); - std::string line; - while (std::getline(smack_file,line)) { - RUNNER_ASSERT_MSG_BT(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line); - RUNNER_ASSERT_MSG_BT(*it == line, "Line: " << line_no << " " << *it << "!=" << line); - it++; - } - - RUNNER_ASSERT_MSG_BT(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it); - - smack_file.close(); -} - void osp_blahblah_dac_check(int line_no, const std::vector &gids, std::string dac_file_path) { std::ifstream dac_file(dac_file_path); @@ -307,8 +190,8 @@ RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir) result = perm_app_install(APP_ID); RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID); - RUNNER_ASSERT_MSG_BT(result != 0, "perm_app_setup_path(APP_ID, APP_ID) didn't fail"); + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, USER_APP_ID); + RUNNER_ASSERT_MSG_BT(result != 0, "perm_app_setup_path(APP_ID, USER_APP_ID) didn't fail"); DB_END @@ -340,63 +223,11 @@ RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir) } /** - * Simple enabling EFL permissions;. - */ -RUNNER_TEST_SMACK(privilege_control04_add_permissions) -{ - int result = 0; - DB_BEGIN - - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - - result = perm_app_install(APP_ID); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - - result = perm_app_setup_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " perm_app_setup_permissions failed with result: " << result); - - DB_END - - // Check if permission is assigned to app in db - check_app_has_permission(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true); - - // Check if the accesses are realy applied.. - result = test_have_all_accesses(rules_efl); - RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); - - DB_BEGIN - - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - - DB_END -} - -/** * Revoke permissions from the list. Should be executed as privileged user. */ RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt) { - test_revoke_permissions(__LINE__, WGT_APP_ID, rules_wgt, true); -} - -/** - * Revoke permissions from the list. Should be executed as privileged user. - */ -RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_partner) -{ - test_revoke_permissions(__LINE__, WGT_PARTNER_APP_ID, rules_wgt_partner, true); -} - -/** - * Revoke permissions from the list. Should be executed as privileged user. - */ -RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_platform) -{ - test_revoke_permissions(__LINE__, WGT_PLATFORM_APP_ID, rules_wgt_platform, true); + test_revoke_permissions(__LINE__, WGT_APP_ID); } /** @@ -404,48 +235,33 @@ RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_platform) */ RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp) { - test_revoke_permissions(__LINE__, OSP_APP_ID, rules_osp, true); + test_revoke_permissions(__LINE__, OSP_APP_ID); } -/** - * Revoke permissions from the list. Should be executed as privileged user. - */ -RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_partner) -{ - test_revoke_permissions(__LINE__, OSP_PARTNER_APP_ID, rules_osp_partner, true); -} - -/** - * Revoke permissions from the list. Should be executed as privileged user. - */ -RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_platform) -{ - test_revoke_permissions(__LINE__, OSP_PLATFORM_APP_ID, rules_osp_platform, true); -} - - -void set_app_privilege(int line_no, +void test_set_app_privilege( const char* app_id, app_type_t APP_TYPE, const char** privileges, const char* type, const char* app_path, const char* dac_file, const rules_t &rules) { - check_app_installed(line_no, app_path); + check_app_installed(app_path); int result; DB_BEGIN result = perm_app_uninstall(app_id); - RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no << - " perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + RUNNER_ASSERT_MSG_BT(result == 0, + " perm_app_uninstall returned " << result << ". " + "Errno: " << strerror(errno)); result = perm_app_install(app_id); - RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no << - " perm_app_install returned " << result << ". Errno: " << strerror(errno)); + RUNNER_ASSERT_MSG_BT(result == 0, + " perm_app_install returned " << result << ". " + "Errno: " << strerror(errno)); // TEST: - result = perm_app_setup_permissions(app_id, APP_TYPE, privileges); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error registering app permissions. Result: " << result); DB_END @@ -453,22 +269,26 @@ void set_app_privilege(int line_no, result = test_have_all_accesses(rules); RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); + std::set groups_before; + read_user_gids(groups_before, APP_UID); + result = perm_app_set_privilege(app_id, type, app_path); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error in perm_app_set_privilege. Error: " << result); // Check if SMACK label really set char *label; result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG_BT(result >= 0, "Line: " << line_no << + RUNNER_ASSERT_MSG_BT(result >= 0, " Error getting current process label"); - RUNNER_ASSERT_MSG_BT(label != NULL, "Line: " << line_no << + RUNNER_ASSERT_MSG_BT(label != NULL, " Process label is not set"); - result = strcmp(app_id, label); - RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no << + + result = strcmp(USER_APP_ID, label); + RUNNER_ASSERT_MSG_BT(result == 0, " Process label " << label << " is incorrect"); - check_groups(dac_file); + check_groups(groups_before, dac_file); } /** @@ -476,56 +296,24 @@ void set_app_privilege(int line_no, */ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt) { - set_app_privilege(__LINE__,WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH, + test_set_app_privilege(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt); } /** - * Set APP privileges. wgt_partner. - */ -RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner) -{ - set_app_privilege(__LINE__, WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, - "wgt_partner", WGT_PARTNER_APP_PATH, - LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_partner); -} - -/** - * Set APP privileges. wgt_platform. - */ -RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform) -{ - set_app_privilege(__LINE__, WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, - "wgt_platform", WGT_PLATFORM_APP_PATH, - LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_platform); -} - -/** * Set APP privileges. osp app. */ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp) { - set_app_privilege(__LINE__, OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, NULL, OSP_APP_PATH, + test_set_app_privilege(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp); } -/** - * Set APP privileges. partner osp app. - */ -RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner) +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_efl) { - set_app_privilege(__LINE__, OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, - NULL, OSP_PARTNER_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_partner); -} - -/** - * Set APP privileges. platform osp app. - */ -RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform) -{ - set_app_privilege(__LINE__, OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, - NULL, OSP_PLATFORM_APP_PATH, - LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform); + test_set_app_privilege(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, + "rpm", EFL_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl); } /** @@ -668,9 +456,6 @@ void check_perm_app_uninstall(const char* pkg_id) RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned: " << perm_strerror(result)); DB_END - - TestLibPrivilegeControlDatabase db_test; - db_test.test_db_after__perm_app_uninstall(pkg_id); } RUNNER_TEST(privilege_control07_app_uninstall) @@ -693,7 +478,7 @@ void check_perm_app_install(const char* pkg_id) DB_END TestLibPrivilegeControlDatabase db_test; - db_test.test_db_after__perm_app_install(pkg_id); + db_test.test_db_after__perm_app_install(USER_APP_ID); } RUNNER_TEST(privilege_control01_app_install) @@ -723,10 +508,6 @@ RUNNER_TEST(privilege_control07_app_rollback) RUNNER_ASSERT_MSG_BT(result == 0, "perm_rollback returned: " << perm_strerror(result)); DB_END - - TestLibPrivilegeControlDatabase db_test; - db_test.test_db_after__perm_app_uninstall(APP_ID); - } RUNNER_TEST(privilege_control07_app_rollback_2) @@ -751,71 +532,8 @@ RUNNER_TEST(privilege_control07_app_rollback_2) DB_END TestLibPrivilegeControlDatabase db_test; - db_test.test_db_after__perm_app_install(APP_ID); -} -/* - * Check app_register_av function - * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install) - */ -#pragma GCC diagnostic ignored "-Wdeprecated-declarations" -RUNNER_TEST_SMACK(privilege_control10_app_register_av) -{ - RUNNER_IGNORED_MSG("app_register_av is not implemented"); - int result; - - // cleaning - smack_revoke_subject(APP_TEST_AV_1); - smack_revoke_subject(APP_TEST_AV_2); - - DB_BEGIN - - // Adding two apps before antivir - result = perm_app_install(APP_TEST_APP_1); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - result = perm_app_install(APP_TEST_APP_2); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - // Adding antivir - result = app_register_av(APP_TEST_AV_1); - RUNNER_ASSERT_MSG_BT(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno)); - - DB_END - - // Checking added apps accesses - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)"); - - DB_BEGIN - - // Adding third app - result = perm_app_install(APP_TEST_APP_3); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - DB_END - - // Checking app accesses - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)"); - - // Adding second antivir - result = app_register_av(APP_TEST_AV_2); - RUNNER_ASSERT_MSG_BT(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno)); - - // Checking app accesses - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); - - // cleaning - smack_revoke_subject(APP_TEST_AV_1); - smack_revoke_subject(APP_TEST_AV_2); + db_test.test_db_after__perm_app_install(USER_APP_ID); } -#pragma GCC diagnostic warning "-Wdeprecated-declarations" /** * Grant SMACK permissions based on permissions list. @@ -839,7 +557,7 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error registering app permissions. Result: " << result); @@ -849,9 +567,6 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) result = test_have_all_accesses(rules2); RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); - // Check if permission is assigned to app in db - check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true); - DB_BEGIN // Clean up @@ -861,19 +576,16 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) DB_END - // Check if permission is disabled in db - check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); - /** * Test - Enabling all permissions with persistant mode disabled */ DB_BEGIN - result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error registering app permissions. Result: " << result); - result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 0); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error enabling app permissions. Result: " << result); @@ -883,9 +595,6 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) result = test_have_all_accesses(rules2); RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); - // Check if permission is assigned to app in db - check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true); - DB_BEGIN // Clean up @@ -895,16 +604,13 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) DB_END - // Check if permission is disabled in db - check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); - /** * Test - Registering new permissions in two complementary files */ DB_BEGIN - result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error registering app permissions. Result: " << result); @@ -914,9 +620,6 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) result = test_have_all_accesses(rules2_no_r); RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); - // Check if permissions are assigned to app in db - check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, true); - DB_BEGIN // Clean up @@ -926,9 +629,6 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) DB_END - // Check if permissions are disabled in db - check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false); - /** * Test - Enabling some permissions and then enabling complementary permissions */ @@ -936,7 +636,7 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) DB_BEGIN // Register permission for rules 2 no r - result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error registering app permissions without r. Result: " << result); @@ -949,7 +649,7 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) DB_BEGIN // Register permission for rules 2 - result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error registering app all permissions. Result: " << result); @@ -971,7 +671,7 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) */ // Enable permission for rules 2 no r - result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error registering app permissions without r. Result: " << result); @@ -984,7 +684,7 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) DB_BEGIN // Enable permission for rules 2 - result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error registering app permissions with only r. Result: " << result); @@ -1050,8 +750,13 @@ RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions) result = perm_app_install(WGT_APP_ID); RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + // Disable permissions + result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error disabling app permissions. Result: " << result); + // Prepare permissions to reset - result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error registering app permissions. Result: " << result); @@ -1069,7 +774,7 @@ RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions) DB_BEGIN // Disable permissions - result = perm_app_revoke_permissions(WGT_APP_ID); + result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error disabling app permissions. Result: " << result); @@ -1079,195 +784,6 @@ RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions) DB_END } -/** - * Make two applications "friends", by giving them both full permissions on - * each other. - */ -RUNNER_TEST_SMACK(privilege_control14_app_add_friend) -{ - RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented"); - - int result; - -/** - * Test - making friends with no permissions on each other - */ - - DB_BEGIN - - result = perm_app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = perm_app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - perm_app_uninstall(APP_FRIEND_1); - perm_app_uninstall(APP_FRIEND_2); - - // Installing friends to be - result = perm_app_install(APP_FRIEND_1); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " Error installing first app. Result: " << result); - result = perm_app_install(APP_FRIEND_2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " Error installing second app. Result: " << result); - - // Making friends - result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " Error making friends. Errno: " << result); - - DB_END - - // Checking if friends were made - result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat"); - RUNNER_ASSERT_MSG_BT(result == 1, - " Error first one sided friednship failed. Result: " << result); - result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat"); - RUNNER_ASSERT_MSG_BT(result == 1, - " Error second one sided friednship failed. Result: " << result); - - DB_BEGIN - - // Clean up - result = perm_app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = perm_app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - perm_app_uninstall(APP_FRIEND_1); - perm_app_uninstall(APP_FRIEND_2); - - DB_END - -/** - * Test - making friends with nonexistent friend - */ - - DB_BEGIN - - // Installing one friend - result = perm_app_install(APP_FRIEND_1); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " Error installing first app. Errno: " << result); - - // Adding imaginary friend as second - result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " Error making friends (first) with imaginairy friend failed. Result: " - << result); - // Adding imaginary friend as first - result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " Error making friends (second) with imaginairy friend failed. Result: " - << result); - // Clean up - result = perm_app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = perm_app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - perm_app_uninstall(APP_FRIEND_1); - perm_app_uninstall(APP_FRIEND_2); - - DB_END - -/** - * Test - making friends with some permissions already added - */ - unsigned int i; - unsigned int j; - - struct smack_accesses *rulesFriend = NULL; - - std::vector accessesFriend = - { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" }; - - DB_BEGIN - - // Installing friends to be - result = perm_app_install(APP_FRIEND_1); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " Error installing first app. Result: " << result); - result = perm_app_install(APP_FRIEND_2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " Error installing second app. Result: " << result); - - DB_END - - for (i = 0; i < accessesFriend.size(); ++i) - { - for (j = 0; j < accessesFriend.size(); ++j) - { - // Adding rules before making friends - result = smack_accesses_new(&rulesFriend); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error in smack_accesses_new. Result: " << result); - - result = smack_accesses_add(rulesFriend, - APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str()); - RUNNER_ASSERT_MSG_BT(result == 0, - "Unable to add modify rulesFirend (first). Result: " << result); - result = smack_accesses_add(rulesFriend, APP_FRIEND_2, - APP_FRIEND_1, accessesFriend[j].c_str()); - RUNNER_ASSERT_MSG_BT(result == 0, - "Unable to add modify rulesFirend (second). Result: " << result); - - result = smack_accesses_apply(rulesFriend); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error in smack_accesses_apply. Result: " << result); - - DB_BEGIN - - // Adding friends - result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - " Error making friends. Result: " << result); - - DB_END - - // Checking if friends were made - result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat"); - RUNNER_ASSERT_MSG_BT(result == 1, - " Error first one sided friednship failed. Result: " << result); - result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat"); - RUNNER_ASSERT_MSG_BT(result == 1, - " Error second one sided friednship failed. Result: " << result); - - // Deleting all rules between friends - smack_accesses_add_modify(rulesFriend, - APP_FRIEND_1, APP_FRIEND_2,"","rwxat"); - smack_accesses_add_modify(rulesFriend, - APP_FRIEND_2, APP_FRIEND_1,"","rwxat"); - - result = smack_accesses_apply(rulesFriend); - - smack_accesses_free(rulesFriend); - rulesFriend = NULL; - } - } - - DB_BEGIN - - // Clean up - result = perm_app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = perm_app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - perm_app_uninstall(APP_FRIEND_1); - perm_app_uninstall(APP_FRIEND_2); - - DB_END -} - static void smack_set_random_label_based_on_pid_on_self(void) { int result; @@ -1502,416 +1018,96 @@ RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings) test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW); } -RUNNER_TEST_SMACK(privilege_control20_app_setup_path_npruntime) +void check_perm_app_has_permission(const char* app_label, const char* permission, bool is_enabled_expected) { - int result = 0; - CStringPtr labelPtr; - std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime"; - char *label = NULL; - - restore_original_additional_rules(); - - DB_BEGIN - - result = perm_app_uninstall(APP_NPRUNTIME); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result); - - result = perm_app_install(APP_NPRUNTIME); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_install. " << result); - - result = perm_app_setup_path(APP_NPRUNTIME, APP_NPRUNTIME_FILE, PERM_APP_PATH_NPRUNTIME); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path. " << result); - - DB_END - - RUNNER_ASSERT_BT(0 == smack_lgetlabel(APP_NPRUNTIME_FILE, &label, SMACK_LABEL_EXEC)); - labelPtr.reset(label); - label = NULL; - RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), nptargetlabel.c_str())); - - // Rules to test - const std::vector< std::vector > np_rules = { - { APP_NPRUNTIME, nptargetlabel, "rw" }, - { nptargetlabel, APP_NPRUNTIME, "rxat" }, - { nptargetlabel, "system::homedir", "rxat" }, - { nptargetlabel, "xorg", "rw" }, - { nptargetlabel, "crash-worker", "rwxa" }, - { nptargetlabel, "sys-assert::core", "rwxat" }, - { nptargetlabel, "syslogd", "rw" }, - }; - - // Test smack accesses - result = test_have_all_accesses(np_rules); - RUNNER_ASSERT_MSG_BT(result == 1, "Not all permissions added."); - - DB_BEGIN + int result; + bool is_enabled; - result = perm_app_uninstall(APP_NPRUNTIME); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result); + result = perm_app_has_permission(app_label, APP_TYPE_WGT, permission, &is_enabled); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error calling perm_app_has_permission. Result: " << result); - DB_END + RUNNER_ASSERT_MSG_BT(is_enabled == is_enabled_expected, + "Result of perm_app_has_permission should be: " << is_enabled_expected); } -RUNNER_TEST(privilege_control21_early_rules) +RUNNER_TEST(privilege_control20_perm_app_has_permission) { - RUNNER_IGNORED_MSG("early rules are not implemented"); - int result; - int pass_1 = 0; - int pass_2 = 0; - char *single_line_format = NULL; - char *perm = NULL; - FILE *file = NULL; - - char subject[SMACK_LABEL_LEN + 1] = {0}; - char object[SMACK_LABEL_LEN + 1] = {0}; - char rule_add[SMACK_ACC_LEN + 1] = {0}; - char rule_remove[SMACK_ACC_LEN + 1] = {0}; + const char *other_app_label = "test_other_app_label"; DB_BEGIN - perm_app_uninstall(APP_ID); - - result = perm_app_install(APP_ID); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - result = perm_app_install(APP_TEST_APP_1); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - DB_END - - TestLibPrivilegeControlDatabase db_test; - db_test.test_db_after__perm_app_install(APP_ID); - db_test.test_db_after__perm_app_install(APP_TEST_APP_1); + result = perm_app_uninstall(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error uninstalling app. Result" << result); - DB_BEGIN + result = perm_app_install(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error installing app. Result" << result); - result = perm_app_setup_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm); - RUNNER_ASSERT_MSG_BT(result == 0, "app_register_permissions failed: " << result); - result = perm_app_setup_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm); - RUNNER_ASSERT_MSG_BT(result == 0, "app_register_permissions failed: " << result); + result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error disabling app r and no r permissions. Result: " << result); DB_END - file = fopen(SMACK_STARTUP_RULES_FILE, "r"); - RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno)); - - result = asprintf(&single_line_format, "%%%ds %%%ds %%%ds %%%ds\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN, SMACK_ACC_LEN, SMACK_ACC_LEN); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); - while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) { - if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) { - pass_1 = 1; // Found rule for APP_ID - continue; - } - if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) { - pass_2 = 1; // Found rule for APP_TEST_APP_1 - continue; - } - } - fclose(file); - file = NULL; - - RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " not found"); - RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found"); - - // Checking if "early rule" for APP_ID was really removed - // We also should make sure that "early rules" for other apps wasn't removed DB_BEGIN - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - DB_END - pass_1 = 1; - pass_2 = 0; - - file = fopen(SMACK_STARTUP_RULES_FILE, "r"); - RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno)); - - while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) { - if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) { - pass_1 = 0; // Found rule for APP_ID - it should NOT be here - continue; - } - if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) { - pass_2 = 1; // Found rule for APP_TEST_APP_1 - continue; - } - } - fclose(file); - file = NULL; - - RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found"); - RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found"); - - // Removing and checking "early rule" for APP_TEST_APP_1 - DB_BEGIN - result = perm_app_uninstall(APP_TEST_APP_1); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - DB_END - pass_1 = 1; - pass_2 = 1; - - file = fopen(SMACK_STARTUP_RULES_FILE, "r"); - RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno)); - - while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) { - if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) { - pass_1 = 0; // Found rule for APP_ID - it should NOT be here - continue; - } - if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) { - pass_2 = 0; // Found rule for APP_TEST_APP_1 - it should NOT be here - continue; - } - } - free(single_line_format); - fclose(file); - - RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found"); - RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found"); -} -/** - * AV Privilege test cases. - * - * Each privilege_control24* test case tests antivirus privileges for each app_type_t, except for - * deprecated APP_TYPE_OTHER type. - */ - -int nftw_remove_dir(const char* filename, const struct stat* /*statptr*/, int /*fileflags*/, - struct FTW* /*pfwt*/) -{ - int result = -1; - - struct stat filestat; - - result = stat(filename, &filestat); - RUNNER_ASSERT_MSG_BT(result == 0, "NFTW error: Failed to get file statistics. Result: " - << result << ", error: " << strerror(errno) << ", file: " << filename); - - if(S_ISREG(filestat.st_mode)) { - result = unlink(filename); - RUNNER_ASSERT_MSG_BT(result == 0, "NFTW error: Failed to unlink file. Result: " - << result << ", error: " << strerror(errno) << ", file: " << filename); - } else if(S_ISDIR(filestat.st_mode)) { - result = rmdir(filename); - RUNNER_ASSERT_MSG_BT(result == 0, "NFTW error: Failed to remove dir. Result: " - << result << ", error: " << strerror(errno) << ", file: " << filename); - } - - return 0; -} + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error registering app r permissions. Result: " << result); -void InstallApp(const char* pkg_id, const char* path, app_path_type_t app_path_type, - const char* shared_label) -{ - int result = -1; + DB_END - result = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP); - RUNNER_ASSERT_MSG_BT(result == 0, "Can't create dir for tests. Result: " << result << - ", error: " << strerror(errno) << ", app_path_type: " << app_path_type); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); DB_BEGIN - result = perm_app_revoke_permissions(pkg_id); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: " - << result << ", app_path_type: " << app_path_type); - result = perm_app_uninstall(pkg_id); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: " - << result << ", app_path_type: " << app_path_type); - - result = perm_app_install(pkg_id); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: " - << result << ", app_path_type: " << app_path_type); - result = perm_app_setup_path(pkg_id, path, app_path_type, shared_label); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_setup_path failed. Result: " - << result << ", app_path_type: " << app_path_type); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error registering app r permissions. Result: " << result); DB_END -} -void InstallAV(const char* av_id, app_type_t av_type) -{ - int result = -1; + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); DB_BEGIN - result = perm_app_revoke_permissions(av_id); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: " - << result << ", av_type: " << av_type); - result = perm_app_uninstall(av_id); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: " - << result << ", av_type: " << av_type); - - result = perm_app_install(av_id); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: " - << result << ", av_type: " << av_type); - result = perm_app_setup_permissions(av_id, av_type, PRIVS_AV); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "register_permissions failed. Result: " - << result << ", av_type: " << av_type); + result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error disabling app r and no r permissions. Result: " << result); DB_END -} -void CheckAVPrivilege(app_type_t av_type, app_path_type_t app_path_type) -{ - int result = -1; - - //clean before test - result = nftw(APP_TEST_APP_1_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS); - RUNNER_ASSERT_MSG_BT(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result << - ", error " << strerror(errno)); - - result = nftw(APP_TEST_APP_2_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS); - RUNNER_ASSERT_MSG_BT(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result << - ", error " << strerror(errno)); - - result = nftw(APP_TEST_APP_3_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS); - RUNNER_ASSERT_MSG_BT(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result << - ", error " << strerror(errno)); - - InstallApp(APP_TEST_APP_1, APP_TEST_APP_1_DIR, app_path_type, APP_TEST_APP_1_SHARED_LABEL); - InstallAV(APP_TEST_AV_1, av_type); - InstallApp(APP_TEST_APP_2, APP_TEST_APP_2_DIR, app_path_type, APP_TEST_APP_2_SHARED_LABEL); - InstallAV(APP_TEST_AV_2, av_type); - InstallApp(APP_TEST_APP_3, APP_TEST_APP_3_DIR, app_path_type, APP_TEST_APP_3_SHARED_LABEL); - - //test - get ACCESS label and check AV privilege - - char* tmp; - - //get labels - result = smack_lgetlabel(APP_TEST_APP_1_DIR, &tmp, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG_BT(result == 0, "smack_lgetlabel failed. Result: " << result - << ", av_type: " << av_type << ", app_path_type: " << app_path_type); - std::string label1(tmp); - free(tmp); - - result = smack_lgetlabel(APP_TEST_APP_2_DIR, &tmp, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG_BT(result == 0, "smack_lgetlabel failed. Result: " << result - << ", av_type: " << av_type << ", app_path_type: " << app_path_type); - std::string label2(tmp); - free(tmp); - - result = smack_lgetlabel(APP_TEST_APP_3_DIR, &tmp, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG_BT(result == 0, "smack_lgetlabel failed. Result: " << result - << ", av_type: " << av_type << ", app_path_type: " << app_path_type); - std::string label3(tmp); - free(tmp); - - if(app_path_type == APP_PATH_GROUP_RW) - { - result = label1.compare(APP_TEST_APP_1_SHARED_LABEL); - RUNNER_ASSERT_MSG_BT(result == 0, "Labels do not equal. Acquired " << label1 << - ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result << - ", av_type: " << av_type << ", app_path_type: " << app_path_type); - - result = label2.compare(APP_TEST_APP_2_SHARED_LABEL); - RUNNER_ASSERT_MSG_BT(result == 0, "Labels do not equal. Acquired " << label1 << - ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result << - ", av_type: " << av_type << ", app_path_type: " << app_path_type); - - result = label3.compare(APP_TEST_APP_3_SHARED_LABEL); - RUNNER_ASSERT_MSG_BT(result == 0, "Labels do not equal. Acquired " << label1 << - ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result << - ", av_type: " << av_type << ", app_path_type: " << app_path_type); - } - - std::stringstream ss; - - //check AV accesses - if(smack_check()) - { - ss << "APP_TEST_APP_1, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccess(APP_TEST_AV_1, label1.c_str(), ss.str().c_str()); - ss.str(std::string()); - - ss << "APP_TEST_APP_2, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccess(APP_TEST_AV_1, label2.c_str(), ss.str().c_str()); - ss.str(std::string()); - - ss << "APP_TEST_APP_3, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccess(APP_TEST_AV_1, label3.c_str(), ss.str().c_str()); - - ss << "APP_TEST_APP_1, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccess(APP_TEST_AV_2, label1.c_str(), ss.str().c_str()); - ss.str(std::string()); - - ss << "APP_TEST_APP_2, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccess(APP_TEST_AV_2, label2.c_str(), ss.str().c_str()); - ss.str(std::string()); - - ss << "APP_TEST_APP_3, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccess(APP_TEST_AV_2, label3.c_str(), ss.str().c_str()); - } - else - { - ss << "APP_TEST_APP_1, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccessNosmack(APP_TEST_AV_1, label1.c_str(), ss.str().c_str()); - - ss.str(std::string()); - ss << "APP_TEST_APP_2, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccessNosmack(APP_TEST_AV_1, label2.c_str(), ss.str().c_str()); - - ss.str(std::string()); - ss << "APP_TEST_APP_3, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccessNosmack(APP_TEST_AV_1, label3.c_str(), ss.str().c_str()); - - ss << "APP_TEST_APP_1, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccessNosmack(APP_TEST_AV_2, label1.c_str(), ss.str().c_str()); - - ss.str(std::string()); - ss << "APP_TEST_APP_2, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccessNosmack(APP_TEST_AV_2, label2.c_str(), ss.str().c_str()); - - ss.str(std::string()); - ss << "APP_TEST_APP_3, line " << __LINE__ << - ", av_type: " << av_type << ", app_path_type: " << app_path_type; - checkOnlyAvAccessNosmack(APP_TEST_AV_2, label3.c_str(), ss.str().c_str()); - } + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); DB_BEGIN - //Clean up - perm_app_revoke_permissions(APP_TEST_AV_1); - perm_app_revoke_permissions(APP_TEST_AV_2); - perm_app_uninstall(APP_TEST_AV_1); - perm_app_uninstall(APP_TEST_AV_2); - perm_app_uninstall(APP_TEST_APP_1); - perm_app_uninstall(APP_TEST_APP_2); - perm_app_uninstall(APP_TEST_APP_3); + result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error disabling app r and no r permissions. Result: " << result); DB_END -} -RUNNER_TEST(privilege_control24a_av_privilege_group_rw) -{ - CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_GROUP_RW); - CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_GROUP_RW); - CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_GROUP_RW); -} - -RUNNER_TEST(privilege_control24b_av_privilege_settings_rw) -{ - CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_SETTINGS_RW); - CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_SETTINGS_RW); - CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_SETTINGS_RW); -} - -RUNNER_TEST(privilege_control24c_av_privilege_public_ro) -{ - CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_PUBLIC_RO); - CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_PUBLIC_RO); - CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_PUBLIC_RO); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); } RUNNER_TEST(privilege_control25_test_libprivilege_strerror) { @@ -1932,162 +1128,3 @@ RUNNER_TEST(privilege_control25_test_libprivilege_strerror) { RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0, "Bad message returned for invalid error code: \"" << result << "\""); } - -RUNNER_TEST(privilege_control27_perm_app_get_privileges_empty) -{ - char** pp_privileges = NULL; - int result; - CStringListPtr privileges; - - DB_BEGIN - - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_uninstall failed: " << perm_strerror(result)); - - result = perm_app_install(APP_ID); - - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_install failed: " << perm_strerror(result)); - - DB_END - - result = perm_app_get_permissions(APP_ID, PERM_APP_TYPE_WGT, &pp_privileges); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_get_permissions failed: " << perm_strerror(result)); - privileges.reset(pp_privileges); - - RUNNER_ASSERT_MSG_BT(pp_privileges != NULL, - "perm_app_get_permissions failed to set pointer to cstring array"); - RUNNER_ASSERT_MSG_BT(*pp_privileges == NULL, - "perm_app_get_permissions found permissions when not supposed to"); -} - -RUNNER_TEST(privilege_control27_perm_app_get_privileges) -{ - char** pp_privileges = NULL; - int result; - size_t i; - CStringListPtr privileges; - - DB_BEGIN - - result = perm_app_uninstall(APP_ID); - - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_uninstall failed: " << perm_strerror(result)); - - result = perm_app_install(APP_ID); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_install failed: " << perm_strerror(result)); - - result = perm_app_setup_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_register_permissions failed: " << perm_strerror(result)); - - result = perm_app_setup_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_register_permissions failed: " << perm_strerror(result)); - - result = perm_app_disable_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS2); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_disable_permissions failed: " << perm_strerror(result)); - DB_END - - result = perm_app_get_permissions(APP_ID, PERM_APP_TYPE_WGT, &pp_privileges); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_get_permissions returned " << result << ": " << perm_strerror(result)); - privileges.reset(pp_privileges); - - for(i = 0; pp_privileges[i] != NULL; ++i) { - RUNNER_ASSERT_MSG_BT(PRIVS[i] != NULL, - "perm_app_get_permissions returned too many permissions"); - RUNNER_ASSERT_MSG_BT(strcmp(pp_privileges[i], PRIVS[i]) == 0, - "perm_app_get_permissions returned wrong permission, " << pp_privileges[i] << - " != " << PRIVS[i]); - } - RUNNER_ASSERT_MSG_BT(PRIVS[i] == NULL, - "perm_app_get_permissions returned too few enabled permissions"); -} - -RUNNER_TEST(privilege_control28_perm_app_get_paths_empty) -{ - char **pp_paths = NULL; - int result; - CStringListPtr paths; - - DB_BEGIN - - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, - "perm_app_uninstall failed: " << perm_strerror(result)); - - result = perm_app_install(APP_ID); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " << - perm_strerror(result)); - - DB_END - - result = perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC, &pp_paths); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_get_paths failed: " << - perm_strerror(result)); - paths.reset(pp_paths); - - RUNNER_ASSERT_MSG_BT(pp_paths != NULL, - "perm_app_get_paths failed to set pointer to cstring array"); - RUNNER_ASSERT_MSG_BT(*pp_paths == NULL, "perm_app_get_paths found paths when not supposed to"); -} - -RUNNER_TEST(privilege_control28_perm_app_get_paths) -{ - char **pp_paths = NULL; - int result; - size_t i; - size_t DIR_NUM = 3; - CStringListPtr paths; - std::vector test_paths; - - for (i = 0; i < DIR_NUM; ++i) { - test_paths.push_back(Directory("/tmp/dir" + std::to_string(i), 0)); - RUNNER_ASSERT_MSG_BT(test_paths[i].isCreated(), "failed to create a directory " << - test_paths[i].path() << ": " << strerror(test_paths[i].errorCode())); - } - - DB_BEGIN - - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " << - perm_strerror(result)); - - result = perm_app_install(APP_ID); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " << - perm_strerror(result)); - - for (auto itr = test_paths.begin(); itr != test_paths.end(); ++itr) { - result = perm_app_setup_path(APP_ID, itr->path().c_str(), PERM_APP_PATH_PUBLIC); - RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path failed: " << perm_strerror(result)); - } - - DB_END - - result = perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC, &pp_paths); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_get_paths failed: " << - perm_strerror(result)); - paths.reset(pp_paths); - - for(i = 0; pp_paths[i] != NULL; ++i) { - RUNNER_ASSERT_MSG_BT(i < test_paths.size(), "perm_app_get_paths returned too many paths"); - RUNNER_ASSERT_MSG_BT(test_paths[i].path() == pp_paths[i], - "perm_app_get_paths returned unexpected path, " << pp_paths[i] << " != " << - test_paths[i].path()); - } - RUNNER_ASSERT_MSG_BT(i == test_paths.size(), "perm_app_get_paths returned too few paths"); - - DB_BEGIN - - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " << - perm_strerror(result)); - - DB_END -}