X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tests%2Flibprivilege-control-tests%2Ftest_cases.cpp;h=197aa83beac2b5f631d00565ce2be78b4ed5af8c;hb=554f9de26fc15c3fbde1e4811d44a3ba90a8f7b4;hp=c8ecb56d9386936a0c1f5d58d72186b50be22edf;hpb=24115de696aea481d10bc8b0da1cec5a1e036a02;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp index c8ecb56..197aa83 100644 --- a/tests/libprivilege-control-tests/test_cases.cpp +++ b/tests/libprivilege-control-tests/test_cases.cpp @@ -12,474 +12,144 @@ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - */ +*/ /* * @file test_cases.cpp * @author Jan Olszak (j.olszak@samsung.com) * @author Rafal Krypa (r.krypa@samsung.com) + * @author Lukasz Wojciechowski (l.wojciechow@partner.samsung.com) * @version 1.0 - * @brief libprivilege-control test runer + * @brief libprivilege-control test runner */ #include -#include -#include -#include #include +#include +#include +#include + +#include #include -#include -#include -#include -#include -#include +#include + #include #include -#include -#include -#include -#include + #include #include -#include -#include -#include -#include +#include -#define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/" -#define SMACK_LOAD2 "/smack/load2" -#define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir" -#define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir" -#define APPID_DIR "test_APP_ID_dir" -#define APPID_SHARED_DIR "test_APP_ID_shared_dir" -#define CANARY_LABEL "tiny_yellow_canary" - -#define APP_ID "test_APP" -#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP" -#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL" - -#define WGT_APP_ID "QwCqJ0ttyS" -#define WGT_PARTNER_APP_ID "7btsV1Y0sX" -#define WGT_PLATFORM_APP_ID "G4DE3U2vmW" -#define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123" -#define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner" -#define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform" - -const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL }; -const char *PRIVS2[] = { "test_privilege_control_rules2", NULL }; -const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL }; -const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL }; -const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL }; -const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL }; - -#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list" -#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac" -#define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac" - -#define APP_TEST_APP_1 "test-application1" -#define APP_TEST_APP_2 "test-application_2" -#define APP_TEST_APP_3 "test-app-3" -#define APP_TEST_AV_1 "test-antivirus1" -#define APP_TEST_AV_2 "test-antivirus_2" -#define APP_TEST_AV_3 "test-av-3" -#define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db" -#define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db" - -#define SOCK_PATH "/tmp/test-smack-socket" - -#define APP_GID 5000 -#define APP_UID 5000 -#define APP_USER_NAME "app" -#define APP_HOME_DIR "/opt/home/app" - -#define APP_FRIEND_1 "app_friend_1" -#define APP_FRIEND_2 "app_friend_2" - -// How many open file descriptors should ftw() function use? -#define FTW_MAX_FDS 16 - -// Rules from test_privilege_control_rules.smack -const std::vector< std::vector > rules = { - { APP_ID, "test_book_1", "r" }, - { APP_ID, "test_book_2", "w" }, - { APP_ID, "test_book_3", "x" }, - { APP_ID, "test_book_4", "rw" }, - { APP_ID, "test_book_5", "rx" }, - { APP_ID, "test_book_6", "wx" }, - { APP_ID, "test_book_7", "rwx" }, - { "test_subject_1", APP_ID, "r" }, - { "test_subject_2", APP_ID, "w" }, - { "test_subject_3", APP_ID, "x" }, - { "test_subject_4", APP_ID, "rw" }, - { "test_subject_5", APP_ID, "rx" }, - { "test_subject_6", APP_ID, "wx" }, - { "test_subject_7", APP_ID, "rwx" }, - { APP_ID, APPID_SHARED_DIR, "rwxat"}}; - -// Rules from test_privilege_control_rules2.smack -const std::vector< std::vector > rules2 = { - { APP_ID, "test_book_8", "r" }, - { APP_ID, "test_book_9", "w" }, - { APP_ID, "test_book_10", "x" }, - { APP_ID, "test_book_11", "rw" }, - { APP_ID, "test_book_12", "rx" }, - { APP_ID, "test_book_13", "wx" }, - { APP_ID, "test_book_14", "rwx" }, - { APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", APP_ID, "r" }, - { "test_subject_9", APP_ID, "w" }, - { "test_subject_10", APP_ID, "x" }, - { "test_subject_11", APP_ID, "rw" }, - { "test_subject_12", APP_ID, "rx" }, - { "test_subject_13", APP_ID, "wx" }, - { "test_subject_14", APP_ID, "rwx" }, - { "test_subject_15", APP_ID, "rwxat" }}; - -// Rules from test_privilege_control_rules_no_r.smack -const std::vector< std::vector > rules2_no_r = { - { APP_ID, "test_book_9", "w" }, - { APP_ID, "test_book_10", "x" }, - { APP_ID, "test_book_11", "w" }, - { APP_ID, "test_book_12", "x" }, - { APP_ID, "test_book_13", "wx" }, - { APP_ID, "test_book_14", "wx" }, - { APP_ID, "test_book_15", "wxat" }, - { "test_subject_9", APP_ID, "w" }, - { "test_subject_10", APP_ID, "x" }, - { "test_subject_11", APP_ID, "w" }, - { "test_subject_12", APP_ID, "x" }, - { "test_subject_13", APP_ID, "wx" }, - { "test_subject_14", APP_ID, "wx" }, - { "test_subject_15", APP_ID, "wxat" }}; - -// Rules from test_privilege_control_rules.smack -// minus test_privilege_control_rules_no_r.smack -const std::vector< std::vector > rules2_r = { - { APP_ID, "test_book_8", "r" }, - { APP_ID, "test_book_11", "r" }, - { APP_ID, "test_book_12", "r" }, - { APP_ID, "test_book_14", "r" }, - { APP_ID, "test_book_15", "r" }, - { "test_subject_8", APP_ID, "r" }, - { "test_subject_11", APP_ID, "r" }, - { "test_subject_12", APP_ID, "r" }, - { "test_subject_14", APP_ID, "r" }, - { "test_subject_15", APP_ID, "r" }}; - -// Rules from test_privilege_control_rules_wgt.smack for wgt -const std::vector< std::vector > rules_wgt = { - { WGT_APP_ID, "test_book_8", "r" }, - { WGT_APP_ID, "test_book_9", "w" }, - { WGT_APP_ID, "test_book_10", "x" }, - { WGT_APP_ID, "test_book_11", "rw" }, - { WGT_APP_ID, "test_book_12", "rx" }, - { WGT_APP_ID, "test_book_13", "wx" }, - { WGT_APP_ID, "test_book_14", "rwx" }, - { WGT_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_APP_ID, "r" }, - { "test_subject_9", WGT_APP_ID, "w" }, - { "test_subject_10", WGT_APP_ID, "x" }, - { "test_subject_11", WGT_APP_ID, "rw" }, - { "test_subject_12", WGT_APP_ID, "rx" }, - { "test_subject_13", WGT_APP_ID, "wx" }, - { "test_subject_14", WGT_APP_ID, "rwx" }, - { "test_subject_15", WGT_APP_ID, "rwxat" }}; - -// Rules from test_privilege_control_rules_wgt.smack for wgt_partner -const std::vector< std::vector > rules_wgt_partner = { - { WGT_PARTNER_APP_ID, "test_book_8", "r" }, - { WGT_PARTNER_APP_ID, "test_book_9", "w" }, - { WGT_PARTNER_APP_ID, "test_book_10", "x" }, - { WGT_PARTNER_APP_ID, "test_book_11", "rw" }, - { WGT_PARTNER_APP_ID, "test_book_12", "rx" }, - { WGT_PARTNER_APP_ID, "test_book_13", "wx" }, - { WGT_PARTNER_APP_ID, "test_book_14", "rwx" }, - { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_PARTNER_APP_ID, "r" }, - { "test_subject_9", WGT_PARTNER_APP_ID, "w" }, - { "test_subject_10", WGT_PARTNER_APP_ID, "x" }, - { "test_subject_11", WGT_PARTNER_APP_ID, "rw" }, - { "test_subject_12", WGT_PARTNER_APP_ID, "rx" }, - { "test_subject_13", WGT_PARTNER_APP_ID, "wx" }, - { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" }, - { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }}; - -// Rules from test_privilege_control_rules_wgt.smack for wgt_platform -const std::vector< std::vector > rules_wgt_platform = { - { WGT_PLATFORM_APP_ID, "test_book_8", "r" }, - { WGT_PLATFORM_APP_ID, "test_book_9", "w" }, - { WGT_PLATFORM_APP_ID, "test_book_10", "x" }, - { WGT_PLATFORM_APP_ID, "test_book_11", "rw" }, - { WGT_PLATFORM_APP_ID, "test_book_12", "rx" }, - { WGT_PLATFORM_APP_ID, "test_book_13", "wx" }, - { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" }, - { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_PLATFORM_APP_ID, "r" }, - { "test_subject_9", WGT_PLATFORM_APP_ID, "w" }, - { "test_subject_10", WGT_PLATFORM_APP_ID, "x" }, - { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" }, - { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" }, - { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" }, - { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" }, - { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }}; +#include +#include +#include +#include +#include +#include +#include +#include "common/duplicates.h" +#include "common/db.h" +#include "memory.h" + +// Error codes for test_libprivilege_strerror +const std::vector error_codes { + PC_OPERATION_SUCCESS, PC_ERR_FILE_OPERATION, PC_ERR_MEM_OPERATION, PC_ERR_NOT_PERMITTED, + PC_ERR_INVALID_PARAM, PC_ERR_INVALID_OPERATION, PC_ERR_DB_OPERATION, PC_ERR_DB_LABEL_TAKEN, + PC_ERR_DB_QUERY_PREP, PC_ERR_DB_QUERY_BIND, PC_ERR_DB_QUERY_STEP, PC_ERR_DB_CONNECTION, + PC_ERR_DB_NO_SUCH_APP, PC_ERR_DB_PERM_FORBIDDEN +}; namespace { -typedef std::unique_ptr> SmackUniquePtr; - -const char* OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack"; -const char* WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack"; -const char* OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack"; -const char* OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac"; -const char* WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac"; -const char* OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac"; -const char* BLAHBLAH_FEATURE = "http://feature/blah/blahblah"; - -/** - * Check if every rule is true. - * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't - */ -int test_have_all_accesses(const std::vector< std::vector >& rules){ - int result; - for(uint i =0; i >& rules){ - int result; - for(uint i =0; i gen_names(std::string prefix, std::string suffix, size_t size) { - smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS); - smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC); - smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE); - - return 0; -} - -int nftw_set_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/, - int /*typeflag*/, struct FTW * /*ftwbuf*/) -{ - smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS); - smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC); - smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE); - - return 0; -} - -int nftw_check_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/, - int /*typeflag*/, struct FTW * /*ftwbuf*/) -{ - int result; - char* label; - - /* ACCESS */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - result = strcmp(CANARY_LABEL, label); - RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten"); - - /* EXEC */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - result = strcmp(CANARY_LABEL, label); - RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten"); - - /* TRANSMUTE */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); - - return 0; + std::vector names; + for(size_t i = 0; i < size; ++i) { + names.push_back(prefix + "_" + std::to_string(i) + suffix); + } + return names; } -int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb, - int /*typeflag*/, struct FTW * /*ftwbuf*/) -{ - int result; - char* label; - - /* ACCESS */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set"); - result = strcmp(APPID_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"); - - /* EXEC */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) { - RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); - result = strcmp(APPID_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect"); - } else if(S_ISLNK(sb->st_mode)) { - struct stat buf; - char* target = realpath(fpath, NULL); - RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath); - free(target); - if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) { - RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); - } else { - RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); - result = strcmp(APPID_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect"); - } - } else - RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); - - /* TRANSMUTE */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); - - return 0; -} +const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack"; +const char *WRT_BLAHBLAH ="/usr/share/privilege-control/WGT_blahblah.smack"; +const char *OTHER_BLAHBLAH ="/usr/share/privilege-control/blahblah.smack"; +const std::vector OSP_BLAHBLAH_DAC = gen_names("/usr/share/privilege-control/OSP_feature.blah.blahblah", ".dac", 16); +const char *WRT_BLAHBLAH_DAC ="/usr/share/privilege-control/WGT_blahblah.dac"; +const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac"; +const std::vector BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16); int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb, - int /*typeflag*/, struct FTW * /*ftwbuf*/) + int /*typeflag*/, struct FTW* /*ftwbuf*/) { int result; - char* label; + char *label; /* ACCESS */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set"); + RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set"); result = strcmp(APPID_SHARED_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"); + RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"); + result = smack_have_access(USER_APP_ID, APPID_SHARED_DIR, "rwxatl"); + RUNNER_ASSERT_MSG_BT(result == 1, + "Error rwxatl access was not given shared dir. Subject: " << + USER_APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result); /* EXEC */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); + RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set"); /* TRANSMUTE */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); if (S_ISDIR(sb->st_mode)) { - RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set"); + RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set"); result = strcmp("TRUE", label); - RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set"); + RUNNER_ASSERT_MSG_BT(result == 0, "TRANSMUTE label on " << fpath << " is not set"); } else - RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); + RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set"); return 0; } -int file_exists(const char* path) +void osp_blahblah_dac_check(int line_no, const std::vector &gids, std::string dac_file_path) { - FILE* file = fopen(path, "r"); - if (file) { - fclose(file); - return 0; - } - return -1; -} + std::ifstream dac_file(dac_file_path); + RUNNER_ASSERT_MSG_BT(dac_file, "Line: " << line_no << " Failed to create " << dac_file_path); -void osp_blahblah_check(int line_no, const std::vector& rules) -{ - std::ifstream smack_file(OSP_BLAHBLAH); - RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH); - - auto it = rules.begin(); + auto it = gids.begin(); std::string line; - while(std::getline(smack_file,line)) { - RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line); - RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line); + while (std::getline(dac_file,line)) { + std::istringstream is(line); + unsigned gid; + is >> gid; + RUNNER_ASSERT_MSG_BT(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid); + RUNNER_ASSERT_MSG_BT(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid); it++; } - RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it); - - smack_file.close(); -} + RUNNER_ASSERT_MSG_BT(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it); -void osp_blahblah_dac_check(int line_no, const std::vector& gids) -{ - std::ifstream dac_file(OSP_BLAHBLAH_DAC); - RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC); - - auto it = gids.begin(); - std::string line; - while(std::getline(dac_file,line)) { - std::istringstream is(line); - unsigned gid; - is >> gid; - RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid); - RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid); - it++; - } - - RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it); - - dac_file.close(); + dac_file.close(); } void remove_smack_files() { - // TODO array + // TODO array unlink(OSP_BLAHBLAH); unlink(WRT_BLAHBLAH); unlink(OTHER_BLAHBLAH); - unlink(OSP_BLAHBLAH_DAC); unlink(WRT_BLAHBLAH_DAC); unlink(OTHER_BLAHBLAH_DAC); -} -int cleaning_smack_app_files (void) -{ - unlink(SMACK_RULES_DIR APP_TEST_APP_1); - - unlink(SMACK_RULES_DIR APP_TEST_APP_2); - - unlink(SMACK_RULES_DIR APP_TEST_APP_3); - - unlink(SMACK_RULES_DIR APP_TEST_AV_1); + for(size_t i=0; i0, - "SMACK file empty, but privileges list was not empty.. Errno: " << errno); + DB_BEGIN - if (pFile != NULL) - fclose(pFile); + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + DB_END } /** * Revoke permissions from the list. Should be executed as privileged user. */ -RUNNER_CHILD_TEST(privilege_control06_revoke_permissions) +RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt) { - int result; - int fd; - - // Revoke permissions - result = app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - result = app_revoke_permissions(WGT_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(WGT_PARTNER_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(WGT_PLATFORM_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - // Are all the permissions revoked? - result = test_have_any_accesses(rules); - RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked."); - result = test_have_any_accesses(rules_wgt); - RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked."); - result = test_have_any_accesses(rules_wgt_partner); - RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked."); - result = test_have_any_accesses(rules_wgt_platform); - RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked."); - - //// File exists? - FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - if(pFile!=NULL){ - fclose(pFile); - RUNNER_ASSERT_MSG(false, - "SMACK file exists after revoke!"); - } - - fd = open(SMACK_RULES_DIR WGT_APP_ID, O_RDONLY); - RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions"); - RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions"); - close(fd); - - fd = open(SMACK_RULES_DIR WGT_PARTNER_APP_ID, O_RDONLY); - RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions"); - RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions"); - close(fd); - - fd = open(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, O_RDONLY); - RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions"); - RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions"); - close(fd); - + test_revoke_permissions(__LINE__, WGT_APP_ID); } -static void read_gids(std::set &set, const char* file_path) +/** + * Revoke permissions from the list. Should be executed as privileged user. + */ +RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp) { - FILE *f = fopen(file_path, "r"); - RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path); - unsigned gid; - while (fscanf(f, "%u\n", &gid) == 1) { - set.insert(gid); - } + test_revoke_permissions(__LINE__, OSP_APP_ID); } -RUNNER_TEST(privilege_control05_add_shared_dir_readers) -{ - -#define TEST_OBJ "TEST_OBJECT" -#define TEST_OBJ_SOME_OTHER "TEST_OBJA" -#define test_string_01 "TEST_raz TEST_OBJECT r-x-- -----" -#define test_string_21 "TEST_trzy TEST_OBJA -wx--\n" -#define test_string_22 "TEST_trzy TEST_OBJECT r-x-- -----\n" +void test_set_app_privilege( + const char* app_id, app_type_t APP_TYPE, + const char** privileges, const char* type, + const char* app_path, const char* dac_file, + const rules_t &rules) { + check_app_installed(app_path); int result; - int i; - int fd = -1; - char *path; - - const char *app_labels_wrong[] = {"-TEST_raz", NULL}; - const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL}; - const int READ_BUF_SIZE = 1000; - char buf[READ_BUF_SIZE]; - FILE *file = NULL; - struct smack_accesses * rules = NULL; - - //test what happens when the label is not correct SMACK label - result = smack_accesses_new(&rules); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result); - - result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong); - RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here"); - - result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx"); - RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here"); - - smack_accesses_free(rules); - - //ok, now the correct list of apps - result = smack_accesses_new(&rules); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result); - for (i = 0; i < 3; i++) { + DB_BEGIN - (void)app_uninstall(app_labels[i]); - result = app_install(app_labels[i]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in app_install."); + result = perm_app_uninstall(app_id); + RUNNER_ASSERT_MSG_BT(result == 0, + " perm_app_uninstall returned " << result << ". " + "Errno: " << strerror(errno)); - RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i])); - fd = open(path, O_WRONLY, 0644); - RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path); + result = perm_app_install(app_id); + RUNNER_ASSERT_MSG_BT(result == 0, + " perm_app_install returned " << result << ". " + "Errno: " << strerror(errno)); - if (i == 1) { - result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt"); - RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed"); - } - if (i == 2) { - smack_accesses_free(rules); - result = smack_accesses_new(&rules); - result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx"); - RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed"); - } - result = smack_accesses_apply(rules); - RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed"); - - result = smack_accesses_save(rules, fd); - RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed"); - - free(path); - close(fd); - - } - - smack_accesses_free(rules); - - // THE TEST - accesses - - result = add_shared_dir_readers(TEST_OBJ,app_labels); - RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed"); - - result = smack_have_access(app_labels[0],TEST_OBJ,"rx"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); - - result = smack_have_access(app_labels[1],TEST_OBJ,"rx"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); - - result = smack_have_access(app_labels[2],TEST_OBJ,"rx"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); - - result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); + // TEST: + result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error registering app permissions. Result: " << result); - result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); + DB_END + result = test_have_all_accesses(rules); + RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); - //TEST the operations on empty files - - RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0])); - file = fopen(path, "r"); - - RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno); - - RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file)); - result = strcmp(buf, test_string_01); - RUNNER_ASSERT_MSG( result!=0, "add_shared_dir_readers ERROR, file not formatted" << path ); - - free(path); - fclose(file); - - //TEST the operations on non empty files - RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2])); - file = NULL; - file = fopen(path, "r"); - RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno); - - RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file)); - result = strcmp(buf, test_string_21); - RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" ); - - RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file)); - result = strcmp(buf, test_string_22); - RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" ); - - free(path); - fclose(file); -} - - -/** - * Set APP privileges. - */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege) -{ - int result; - - // Preset exec label - smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC); - smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC); - - /** - * TODO This test should also verify set_app_privilege behavior for OSP and - * WRT apps. To do that we'll have to install real apps on device as a - * precondition. - */ + std::set groups_before; + read_user_gids(groups_before, APP_UID); - // Set APP privileges - result = set_app_privilege(APP_ID, NULL, APP_SET_PRIV_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); + result = perm_app_set_privilege(app_id, type, app_path); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error in perm_app_set_privilege. Error: " << result); // Check if SMACK label really set - char * label; + char *label; result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - // Check if DAC privileges really set - RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID"); - RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID"); - - result = strcmp(getenv("HOME"), APP_HOME_DIR); - RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR"); - - result = strcmp(getenv("USER"), APP_USER_NAME); - RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME"); - - std::set groups_check; - read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST); - read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE); - - int groups_cnt = getgroups(0, NULL); - RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt"); - gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t)); - RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed"); - RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list)); - - for (int i = 0; i < groups_cnt; ++i) { - if (groups_check.erase(groups_list[i]) == 0) { - // getgroups() may also return process' main group - if (groups_list[i] != getgid()) - RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")"); - } - } - std::string groups_left; - for (std::set::iterator it = groups_check.begin(); it != groups_check.end(); it++) { - groups_left.append(std::to_string(*it)).append(" "); - } - RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left); -} + RUNNER_ASSERT_MSG_BT(result >= 0, + " Error getting current process label"); + RUNNER_ASSERT_MSG_BT(label != NULL, + " Process label is not set"); -/** - * Set APP privileges. wgt. - */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt) -{ - int result; + result = strcmp(USER_APP_ID, label); + RUNNER_ASSERT_MSG_BT(result == 0, + " Process label " << label << " is incorrect"); - result = app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_wgt); - RUNNER_ASSERT_MSG(result==1, "Permissions not added."); - - result = set_app_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); - - // Check if SMACK label really set - char * label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(WGT_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - std::set groups_check; - read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST); - read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT); - - int groups_cnt = getgroups(0, NULL); - RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt"); - gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t)); - RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed"); - getgroups(groups_cnt, groups_list); - - for (int i = 0; i < groups_cnt; ++i) { - if (groups_check.erase(groups_list[i]) == 0) { - // getgroups() may also return process' main group - if (groups_list[i] != getgid()) - RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")"); - } - } - std::string groups_left; - for (std::set::iterator it = groups_check.begin(); it != groups_check.end(); it++) { - groups_left.append(std::to_string(*it)).append(" "); - } - RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left); + check_groups(groups_before, dac_file); } /** - * Set APP privileges. wgt_partner. + * Set APP privileges. wgt. */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner) +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt) { - int result; - - result = app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_wgt_partner); - RUNNER_ASSERT_MSG(result==1, "Permissions not added."); - - result = set_app_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); - - // Check if SMACK label really set - char * label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(WGT_PARTNER_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - std::set groups_check; - read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST); - read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT); - - int groups_cnt = getgroups(0, NULL); - RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt"); - gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t)); - RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed"); - getgroups(groups_cnt, groups_list); - - for (int i = 0; i < groups_cnt; ++i) { - if (groups_check.erase(groups_list[i]) == 0) { - // getgroups() may also return process' main group - if (groups_list[i] != getgid()) - RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")"); - } - } - std::string groups_left; - for (std::set::iterator it = groups_check.begin(); it != groups_check.end(); it++) { - groups_left.append(std::to_string(*it)).append(" "); - } - RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left); + test_set_app_privilege(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt); } /** - * Set APP privileges. wgt_platform. + * Set APP privileges. osp app. */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform) +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp) { - int result; - - result = app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_wgt_platform); - RUNNER_ASSERT_MSG(result==1, "Permissions not added."); - - result = set_app_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); - - // Check if SMACK label really set - char * label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(WGT_PLATFORM_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - std::set groups_check; - read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST); - read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT); - - int groups_cnt = getgroups(0, NULL); - RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt"); - gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t)); - RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed"); - getgroups(groups_cnt, groups_list); - - for (int i = 0; i < groups_cnt; ++i) { - if (groups_check.erase(groups_list[i]) == 0) { - // getgroups() may also return process' main group - if (groups_list[i] != getgid()) - RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")"); - } - } - std::string groups_left; - for (std::set::iterator it = groups_check.begin(); it != groups_check.end(); it++) { - groups_left.append(std::to_string(*it)).append(" "); - } - RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left); + test_set_app_privilege(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp); } -RUNNER_TEST(privilege_control08_app_give_access) +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_efl) { - const char *subject = "lkjq345v34sfa"; - const char *object = "lk9290f92lkjz"; - smack_accesses *tmp = NULL; - - RUNNER_ASSERT(0 == smack_accesses_new(&tmp)); - - SmackUniquePtr smack(tmp, smack_accesses_free); - - RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "r--a-")); - RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); - - app_give_access(subject, object, "wt"); - - RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwat")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "x")); - - app_revoke_access(subject, object); - - RUNNER_ASSERT(1 == smack_have_access(subject, object, "ra")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "w")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "x")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "t")); - - RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-")); - RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); -} - -RUNNER_TEST(privilege_control09_app_give_access) -{ - const char *subject = "ljk132flkjv"; - const char *object = "jjsiqsc32vs"; - smack_accesses *tmp = NULL; - - RUNNER_ASSERT(0 == smack_accesses_new(&tmp)); - - SmackUniquePtr smack(tmp, smack_accesses_free); - - RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "---t-")); - RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); - - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rw")); - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rwx")); - - RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxt")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "a")); - - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_revoke_access(subject, object)); - - RUNNER_ASSERT(1 == smack_have_access(subject, object, "t")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "r")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "w")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "x")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "a")); - - RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----")); - RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); + test_set_app_privilege(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, + "rpm", EFL_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl); } /** @@ -1031,774 +325,463 @@ RUNNER_TEST(privilege_control11_add_api_feature) remove_smack_files(); + DB_BEGIN // argument validation - result = add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - - result = add_api_feature(APP_TYPE_OSP,"" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - + result = perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0); + RUNNER_ASSERT_BT(result == PC_ERR_INVALID_PARAM); - // already existing features - result = add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + result = perm_add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0); + RUNNER_ASSERT_BT(result == PC_ERR_INVALID_PARAM); - result = add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - result = add_api_feature(APP_TYPE_OTHER,"http://messaging" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - result = add_api_feature(APP_TYPE_OTHER,"messaging.read" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + // Already existing feature: + // TODO: Database will be malformed. (Rules for these features will be removed.) + result = perm_add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + result = perm_add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); // empty features - result = add_api_feature(APP_TYPE_OSP,"blahblah" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - result = add_api_feature(APP_TYPE_WGT,"blahblah" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - result = add_api_feature(APP_TYPE_OTHER,"blahblah" , NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - - // smack files existence - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); - - result = file_exists(WRT_BLAHBLAH); - RUNNER_ASSERT(result == -1); - - result = file_exists(OTHER_BLAHBLAH); - RUNNER_ASSERT(result == -1); + result = perm_add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + result = perm_add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); // empty rules - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , { NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); - - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == 0); - remove_smack_files(); + const char *test1[] = { NULL }; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[0].c_str(), test1, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == 0); - remove_smack_files(); + const char *test2[] = { "", NULL }; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[1].c_str(), test2, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + const char *test3[] = { " \t\n", "\t \n", "\n\t ", NULL }; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[2].c_str(), test3, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); // malformed rules - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + const char *test4[] = { "malformed", NULL }; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[3].c_str(), test4, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + const char *test5[] = { "malformed malformed", NULL }; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[4].c_str(), test5, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "-malformed malformed rwxat", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + const char *test6[] = { "-malformed malformed rwxat", NULL }; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[5].c_str(), test6, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "~/\"\\ malformed rwxat", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + const char *test7[] = { "~/\"\\ malformed rwxat", NULL }; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[6].c_str(), test7, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object rwxat something else", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + const char *test8[] = { "subject object rwxat something else", NULL }; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[7].c_str(), test8, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); // correct rules - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed maaaaaalformed", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "malformed malformed r--a-" }); - remove_smack_files(); + const char *test9[] = { + "~APP~ object\t rwxatl", + " \t \n", + "subject2\t~APP~ ltxarw", + "", + NULL}; - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object foo", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "subject object -----" }); - remove_smack_files(); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[8].c_str(), test9, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ - "subject object\t rwxat", - " \t \n", - "subject2\tobject2 txarw", - "", - NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "subject object rwxat", "subject2 object2 rwxat"}); - remove_smack_files(); + const char *test10[] = { "Sub::jE,ct ~APP~ a-rwxl", NULL }; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[9].c_str(), test10, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ - "Sub::jE,ct object a-RwX", - NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa-"}); - remove_smack_files(); + const char *test11[] = { "Sub::sjE,ct ~APP~ a-RwXL", NULL }; // TODO This fails. + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[10].c_str(), test11, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); - // TODO For now identical/complementary rules are not merged. - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ - "subject object rwxat", - " \t \n", - "subject object txarw", - "", - NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "subject object rwxat", "subject object rwxat"}); - remove_smack_files(); + // TODO For now identical/complementary rules are not merged. + const char *test12[] = { + "subject1 ~APP~ rwxatl", + " \t \n", + "subject2 ~APP~ ltxarw", + "", + NULL}; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[11].c_str(), test12, NULL, 0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); // empty group ids - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "a a ---a-"}); - result = file_exists(OSP_BLAHBLAH_DAC); - RUNNER_ASSERT(result == -1); + const char *test13[] = { "~APP~ b a", NULL}; + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[12].c_str(), test13,(const gid_t[]) {0,1,2},0); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + result = file_exists(OSP_BLAHBLAH_DAC[12].c_str()); + RUNNER_ASSERT_BT(result == -1); remove_smack_files(); // valid group ids - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},3); - printf("%d \n", result); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "a a ---a-"}); - osp_blahblah_dac_check(__LINE__, {0,1,2}); + result = perm_add_api_feature(APP_TYPE_OSP,BLAHBLAH_FEATURE[13].c_str(), test13,(const gid_t[]) {0,1,2},3); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + osp_blahblah_dac_check(__LINE__, {0,1,2}, OSP_BLAHBLAH_DAC[13]); remove_smack_files(); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},1); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "a a ---a-"}); - osp_blahblah_dac_check(__LINE__, {0}); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[14].c_str(), test13,(const gid_t[]) {0,1,2},1); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + osp_blahblah_dac_check(__LINE__, {0}, OSP_BLAHBLAH_DAC[14]); remove_smack_files(); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){1,1,1},3); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "a a ---a-"}); - osp_blahblah_dac_check(__LINE__, {1,1,1}); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[15].c_str(), test13,(const gid_t[]) {1,1,1},3); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + osp_blahblah_dac_check(__LINE__, {1,1,1},OSP_BLAHBLAH_DAC[15]); remove_smack_files(); + + DB_END } /* - * Check app_install function + * Check perm_app_uninstall function */ -RUNNER_TEST(privilege_control01_app_install) +void check_perm_app_uninstall(const char* pkg_id) { int result; - char *path = NULL; - int fd = -1; - unlink(SMACK_RULES_DIR APP_ID); + DB_BEGIN - app_uninstall(APP_ID); + result = perm_app_uninstall(pkg_id); + RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned: " << perm_strerror(result)); - result = app_install(APP_ID); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); - - // checking if file really exists - fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY); - RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << path << " : " << result << ". Errno: " << strerror(errno)); - close(fd); - free(path); + DB_END +} - // try install second time app with the same ID - it should pass. - result = app_install(APP_ID); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); +RUNNER_TEST(privilege_control07_app_uninstall) +{ + check_perm_app_uninstall(APP_ID); } /* - * Check app_install function + * Check perm_app_install function */ -RUNNER_TEST(privilege_control07_app_uninstall) +void check_perm_app_install(const char* pkg_id) { int result; - char *path = NULL; - int fd = -1; - result = app_uninstall(APP_ID); - RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result <<". Errno: " << strerror(errno)); + DB_BEGIN - // checking if file really exists - fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY); - RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after app_uninstall"); - close(fd); - free(path); + result = perm_app_install(pkg_id); + RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result)); + + DB_END + + TestLibPrivilegeControlDatabase db_test; + db_test.test_db_after__perm_app_install(USER_APP_ID); } -void checkOnlyAvAccess(const char* av_id, const char* app_id, const char* comment){ - int result; - result = smack_have_access(av_id, app_id, "rwx"); - RUNNER_ASSERT_MSG(result == 1, - "Error while checking " << av_id << " rwx access to " - << app_id << " " << comment << " Result: " << result); - result = smack_have_access(av_id, app_id, "a"); - RUNNER_ASSERT_MSG(result == 0, - "Error while checking " << av_id << " a access to " - << app_id << " " << comment << " Result: " << result); - result = smack_have_access(av_id, app_id, "t"); - RUNNER_ASSERT_MSG(result == 0, - "Error while checking " << av_id << " t access to " - << app_id << " " << comment << " Result: " << result); +RUNNER_TEST(privilege_control01_app_install) +{ + check_perm_app_uninstall(APP_ID); + check_perm_app_install(APP_ID); + // try install second time app with the same ID - it should pass. + check_perm_app_install(APP_ID); } /* - * Check app_register_av function - * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install) + * Check perm_rollback function */ -RUNNER_TEST(privilege_control10_app_register_av) +RUNNER_TEST(privilege_control07_app_rollback) { + check_perm_app_uninstall(APP_ID); + int result; - // cleaning - smack_revoke_subject(APP_TEST_AV_1); - smack_revoke_subject(APP_TEST_AV_2); + DB_BEGIN - cleaning_smack_app_files(); - cleaning_smack_database_files(); + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result)); - // Adding two apps before antivir - result = app_install(APP_TEST_APP_1); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); + // transaction rollback + result = perm_rollback(); + RUNNER_ASSERT_MSG_BT(result == 0, "perm_rollback returned: " << perm_strerror(result)); - result = app_install(APP_TEST_APP_2); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); + DB_END +} - // Adding antivir - result = app_register_av(APP_TEST_AV_1); - RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno)); +RUNNER_TEST(privilege_control07_app_rollback_2) +{ + check_perm_app_uninstall(APP_ID); - // Checking added apps accesses - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)"); + int result; - // Adding third app - result = app_install(APP_TEST_APP_3); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); + DB_BEGIN - // Checking app accesses - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_install(APP_TEST_APP_3)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_install(APP_TEST_APP_3)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_install(APP_TEST_APP_3)"); + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result)); - // Adding second antivir - result = app_register_av(APP_TEST_AV_2); - RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno)); + // transaction rollback + result = perm_rollback(); + RUNNER_ASSERT_MSG_BT(result == 0, "perm_rollback returned: " << perm_strerror(result)); - // Checking app accesses - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); + // install once again after the rollback + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result)); - // cleaning - smack_revoke_subject(APP_TEST_AV_1); - smack_revoke_subject(APP_TEST_AV_2); + DB_END - cleaning_smack_app_files(); - cleaning_smack_database_files(); + TestLibPrivilegeControlDatabase db_test; + db_test.test_db_after__perm_app_install(USER_APP_ID); } /** * Grant SMACK permissions based on permissions list. */ -RUNNER_TEST(privilege_control11_app_enable_permissions) +RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) { int result; - int smack_file_length; - FILE *pFile; + + // Clean up after test: + DB_BEGIN + + result = perm_app_uninstall(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + result = perm_app_install(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); /** * Test - Enabling all permissions with persistant mode enabled */ + result = perm_app_revoke_permissions(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error registering app permissions. Result: " << result); - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); + DB_END // Check if the accesses are realy applied.. result = test_have_all_accesses(rules2); - RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); - - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length>0, - "SMACK file empty with persistant mode 1. Errno: " << errno); - - if (pFile != NULL) - fclose(pFile); + DB_BEGIN // Clean up - result = app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + DB_END /** * Test - Enabling all permissions with persistant mode disabled */ - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); + DB_BEGIN + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error registering app permissions. Result: " << result); - // Check if the accesses are realy applied.. - result = test_have_all_accesses(rules2); - RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); + DB_END - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length==0, - "SMACK file not empty with persistant mode 0. Errno: " << errno); + // Check if the accesses are realy applied.. + result = test_have_all_accesses(rules2); + RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); - if (pFile != NULL) - fclose(pFile); + DB_BEGIN // Clean up - result = app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + DB_END /** - * Test - Enabling all permissions in two complementary files + * Test - Registering new permissions in two complementary files */ - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); + DB_BEGIN - // Check if the accesses are realy applied.. - result = test_have_all_accesses(rules2); - RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error registering app permissions. Result: " << result); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); + DB_END - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length>0, - "SMACK file empty with persistant mode 1. Errno: " << errno); + // Check if the accesses are realy applied.. + result = test_have_all_accesses(rules2_no_r); + RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); - if (pFile != NULL) - fclose(pFile); + DB_BEGIN // Clean up - result = app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + DB_END /** * Test - Enabling some permissions and then enabling complementary permissions */ - // Enable permission for rules 2 no r - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions without r. Result: " << result); + DB_BEGIN + + // Register permission for rules 2 no r + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error registering app permissions without r. Result: " << result); + + DB_END // Check if the accesses are realy applied.. result = test_have_all_accesses(rules2_no_r); - RUNNER_ASSERT_MSG(result==1, "Permissions without r not added."); + RUNNER_ASSERT_MSG_BT(result == 1, "Permissions without r not added."); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); + DB_BEGIN - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length>0, - "SMACK file empty with persistant mode 1. Errno: " << errno); + // Register permission for rules 2 + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error registering app all permissions. Result: " << result); - if (pFile != NULL) - fclose(pFile); - - // Enable permission for rules 2 - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app all permissions. Result: " << result); + DB_END // Check if the accesses are realy applied.. result = test_have_all_accesses(rules2); - RUNNER_ASSERT_MSG(result==1, "Permissions all not added."); + RUNNER_ASSERT_MSG_BT(result == 1, "Permissions all not added."); + + DB_BEGIN // Clean up - result = app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); /** * Test - Enabling some permissions and then enabling all permissions */ // Enable permission for rules 2 no r - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions without r. Result: " << result); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error registering app permissions without r. Result: " << result); + + DB_END // Check if the accesses are realy applied.. result = test_have_all_accesses(rules2_no_r); - RUNNER_ASSERT_MSG(result==1, "Permissions without r not added."); + RUNNER_ASSERT_MSG_BT(result == 1, "Permissions without r not added."); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); - - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length>0, - "SMACK file empty with persistant mode 1. Errno: " << errno); - - if (pFile != NULL) - fclose(pFile); + DB_BEGIN // Enable permission for rules 2 - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions with only r. Result: " << result); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error registering app permissions with only r. Result: " << result); + + DB_END // Check if the accesses are realy applied.. - result = test_have_all_accesses(rules2); - RUNNER_ASSERT_MSG(result==1, "Permissions with only r not added."); + result = test_have_all_accesses(rules2_r); + RUNNER_ASSERT_MSG_BT(result == 1, "Permissions with only r not added."); + + DB_BEGIN // Clean up - result = app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); -} + result = perm_app_revoke_permissions(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); -/** - * Remove previously granted SMACK permissions based on permissions list. - */ -RUNNER_TEST(privilege_control12_app_disable_permissions) -{ -/** - * Test - disable all granted permissions. - */ - int result; - // Prepare permissions that we want to disable - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); + // Clean up after test: + result = perm_app_uninstall(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - // Disable permissions - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app permissions. Result: " << result); + DB_END +} - // Are all the permissions disabled? - result = test_have_any_accesses(rules2); - RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled."); +RUNNER_CHILD_TEST_SMACK(privilege_control11_app_enable_permissions_efl) +{ + test_app_enable_permissions_efl(true); +} -/** - * Test - disable some granted permissions leaving non complementary and then disabling those too. +/* + * Check perm_app_install function */ +RUNNER_CHILD_TEST_SMACK(privilege_control12_app_disable_permissions_efl) +{ + test_app_disable_permissions_efl(true); +} - // Prepare permissions that will not be disabled - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app first permissions. Result: " << result); - - // Prepare permissions that we want to disable - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app second permissions. Result: " << result); - - // Disable second permissions - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app second permissions. Result: " << result); - - // Are all second permissions disabled? - result = test_have_any_accesses(rules2); - RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled."); - - // Are all first permissions not disabled? - result = test_have_all_accesses(rules); - RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled."); - - // Disable first permissions - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app first permissions. Result: " << result); - - // Are all second permissions disabled? - result = test_have_any_accesses(rules); - RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled."); /** - * Test - disable only no r granted permissions. + * Remove previously granted SMACK permissions based on permissions list. */ - - // Prepare permissions - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app permissions. Result: " << result); - - // Disable same permissions without r - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app no r permissions. Result: " << result); - - // Is any r permissions disabled? - result = test_have_all_accesses(rules2_r); - RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled."); - // Are all no r permissions disabled? - result = test_have_any_accesses(rules2_no_r); - RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled."); - - // Prepare permissions - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app no r permissions. Result: " << result); - - // Disable all permissions - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app permissions. Result: " << result); +RUNNER_TEST_SMACK(privilege_control12_app_disable_permissions) +{ + test_app_disable_permissions(true); } /** * Reset SMACK permissions for an application by revoking all previously * granted rules and enabling them again from a rules file from disk. */ - -RUNNER_TEST(privilege_control13_app_reset_permissions) +// TODO: This test is incomplete. +RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions) { - int result; /** * Test - doing reset and checking if rules exist again. */ - // Prepare permissions to reset - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app permissions. Result: " << result); - - // Reset permissions - result = app_reset_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error reseting app permissions. Result: " << result); + DB_BEGIN - // Are all second permissions not disabled? - result = test_have_all_accesses(rules2); - RUNNER_ASSERT_MSG(result==1, "Not all permissions added."); + result = perm_app_install(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); // Disable permissions - result = app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app permissions. Result: " << result); + result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error disabling app permissions. Result: " << result); -} - -/** - * Make two applications "friends", by giving them both full permissions on - * each other. - */ -RUNNER_TEST(privilege_control14_app_add_friend) -{ - int result; - -/** - * Test - making friends with no permissions on each other - */ - - result = app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - app_uninstall(APP_FRIEND_1); - app_uninstall(APP_FRIEND_2); - - // Installing friends to be - result = app_install(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error installing first app. Result: " << result); - result = app_install(APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error installing second app. Result: " << result); - - // Making friends - result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error making friends. Errno: " << result); - - // Checking if friends were made - result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat"); - RUNNER_ASSERT_MSG(result == 1, - " Error first one sided friednship failed. Result: " << result); - result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat"); - RUNNER_ASSERT_MSG(result == 1, - " Error second one sided friednship failed. Result: " << result); - - // Clean up - result = app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); + // Prepare permissions to reset + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + " Error registering app permissions. Result: " << result); - app_uninstall(APP_FRIEND_1); - app_uninstall(APP_FRIEND_2); + // Reset permissions + result = perm_app_reset_permissions(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error reseting app permissions. Result: " << result); -/** - * Test - making friends with nonexisting friend - */ + DB_END - // Installing one friend - result = app_install(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error installing first app. Errno: " << result); - - // Adding imaginairy friend as second - result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error making friends (first) with imaginairy friend failed. Result: " - << result); - // Adding imaginairy friend as first - result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error making friends (second) with imaginairy friend failed. Result: " - << result); - // Clean up - result = app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); + // Are all second permissions not disabled? + result = test_have_all_accesses(rules2); + RUNNER_ASSERT_MSG_BT(result == 1, "Not all permissions added."); - app_uninstall(APP_FRIEND_1); - app_uninstall(APP_FRIEND_2); + DB_BEGIN -/** - * Test - making friends with some permissions already added - */ - unsigned int i; - unsigned int j; - - struct smack_accesses * rulesFriend = NULL; - - std::vector accessesFriend = - { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" }; - - // Installing friends to be - result = app_install(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error installing first app. Result: " << result); - result = app_install(APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error installing second app. Result: " << result); - - for(i = 0; i= 0, "Fork failed"); + RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed"); smack_set_random_label_based_on_pid_on_self(); @@ -1856,17 +839,17 @@ RUNNER_TEST(privilege_control15_app_id_from_socket) /* Set the process label before creating a socket */ sock = socket(AF_UNIX, SOCK_STREAM, 0); - RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno)); + RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno)); result = bind(sock, - (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un)); - if(result != 0){ + (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); + if (result != 0) { close(sock); - RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno)); + RUNNER_ASSERT_MSG_BT(0, "bind failed: " << strerror(errno)); } result = listen(sock, 1); - if(result != 0){ + if (result != 0) { close(sock); - RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno)); + RUNNER_ASSERT_MSG_BT(0, "listen failed: " << strerror(errno)); } smack_unix_sock_server(sock); @@ -1874,14 +857,14 @@ RUNNER_TEST(privilege_control15_app_id_from_socket) smack_unix_sock_server(sock); pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "Fork failed"); + RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed"); /* Now running two concurrent servers. Test if socket label was unaffected by fork() */ smack_unix_sock_server(sock); /* Let's give the two servers different labels */ smack_unix_sock_server(sock); close(sock); - waitpid(pid, NULL, 0); + exit(0); } else { /* parent process, client */ sleep(1); /* Give server some time to setup listening socket */ @@ -1890,40 +873,39 @@ RUNNER_TEST(privilege_control15_app_id_from_socket) int sock; int result; char smack_label1[SMACK_LABEL_LEN + 1]; - char* smack_label2; + char *smack_label2; sock = socket(AF_UNIX, SOCK_STREAM, 0); - RUNNER_ASSERT_MSG(sock >= 0, + RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno)); result = connect(sock, - (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un)); - if(result != 0){ + (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); + if (result != 0) { close(sock); - RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno)); + RUNNER_ASSERT_MSG_BT(0, "connect failed: " << strerror(errno)); } alarm(2); result = read(sock, smack_label1, SMACK_LABEL_LEN); alarm(0); - if(result < 0){ + if (result < 0) { close(sock); - RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno)); + RUNNER_ASSERT_MSG_BT(0, "read failed: " << strerror(errno)); } smack_label1[result] = '\0'; - smack_label2 = app_id_from_socket(sock); - if(smack_label2 == NULL){ + smack_label2 = perm_app_id_from_socket(sock); + if (smack_label2 == NULL) { close(sock); - RUNNER_ASSERT_MSG(0, "app_id_from_socket failed"); + RUNNER_ASSERT_MSG_BT(0, "perm_app_id_from_socket failed"); } result = strcmp(smack_label1, smack_label2); - if(result != 0){ + if (result != 0) { close(sock); - RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1 + RUNNER_ASSERT_MSG_BT(0, "smack labels differ: '" << smack_label1 << "' != '" << smack_label2 << "-" << random() << "'"); } close(sock); } - waitpid(pid, NULL, 0); } } @@ -1935,7 +917,7 @@ RUNNER_TEST(privilege_control16_app_setup_path){ const char *label1 = "qwert123456za"; const char *label2 = "trewq654123az"; - std::unique_ptr> labelPtr(NULL,free); + CStringPtr labelPtr; mkdir(path1,0); mkdir(path2,0); @@ -1949,21 +931,200 @@ RUNNER_TEST(privilege_control16_app_setup_path){ char *label = NULL; - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1)); - RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS)); + DB_BEGIN + + RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1)); + + DB_END + + RUNNER_ASSERT_BT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS)); labelPtr.reset(label); label = NULL; - RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1)); + RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label1)); + + DB_BEGIN + + RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2)); - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2)); - RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC)); + DB_END + + RUNNER_ASSERT_BT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC)); labelPtr.reset(label); label = NULL; - RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2)); + RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label2)); - RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC)); + RUNNER_ASSERT_BT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC)); labelPtr.reset(label); label = NULL; - RUNNER_ASSERT(labelPtr.get() == NULL); + RUNNER_ASSERT_BT(labelPtr.get() == NULL); +} + +RUNNER_TEST_SMACK(privilege_control17_appsettings_privilege) +{ + test_appsettings_privilege(true); } +void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) { + int result; + + DB_BEGIN + + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_uninstall." << result); + + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_install." << result); + + DB_END + + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no << + " Unable to clean up Smack labels in " << TEST_APP_DIR); + + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no << + " Unable to clean up Smack labels in " << TEST_NON_APP_DIR); + + DB_BEGIN + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE); + RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no << + " perm_app_setup_path() failed"); + + DB_END + + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no << + " Unable to check Smack labels for non-app dir"); + + DB_BEGIN + + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_uninstall." << result); + + DB_END +} + +RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public) +{ + test_app_setup_path(__LINE__, APP_PATH_PUBLIC_RO); +} + +RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings) +{ + test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW); +} + +void check_perm_app_has_permission(const char* app_label, const char* permission, bool is_enabled_expected) +{ + int result; + bool is_enabled; + + result = perm_app_has_permission(app_label, APP_TYPE_WGT, permission, &is_enabled); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error calling perm_app_has_permission. Result: " << result); + + RUNNER_ASSERT_MSG_BT(is_enabled == is_enabled_expected, + "Result of perm_app_has_permission should be: " << is_enabled_expected); +} + +RUNNER_TEST(privilege_control20_perm_app_has_permission) +{ + int result; + const char *other_app_label = "test_other_app_label"; + + DB_BEGIN + + result = perm_app_uninstall(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error uninstalling app. Result" << result); + + result = perm_app_install(WGT_APP_ID); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error installing app. Result" << result); + + result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error disabling app r and no r permissions. Result: " << result); + + DB_END + + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); + + DB_BEGIN + + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error registering app r permissions. Result: " << result); + + DB_END + + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); + + DB_BEGIN + + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error registering app r permissions. Result: " << result); + + DB_END + + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); + + DB_BEGIN + + result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error disabling app r and no r permissions. Result: " << result); + + DB_END + + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); + + DB_BEGIN + + result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R); + RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, + "Error disabling app r and no r permissions. Result: " << result); + + DB_END + + check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false); + check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false); + check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false); +} + +RUNNER_TEST(privilege_control25_test_libprivilege_strerror) { + int POSITIVE_ERROR_CODE = 1; + int NONEXISTING_ERROR_CODE = -239042; + const char *result; + + for (auto itr = error_codes.begin(); itr != error_codes.end(); ++itr) { + RUNNER_ASSERT_MSG_BT(strcmp(perm_strerror(*itr), "Unknown error") != 0, + "Returned invalid error code description."); + } + + result = perm_strerror(POSITIVE_ERROR_CODE); + RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0, + "Bad message returned for invalid error code: \"" << result << "\""); + + result = perm_strerror(NONEXISTING_ERROR_CODE); + RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0, + "Bad message returned for invalid error code: \"" << result << "\""); +}