X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tests%2Flibprivilege-control-tests%2Ftest_cases.cpp;h=5c341c56c70309d2bcaac682babdc0be242a360d;hb=1f4ae3969f80f4fb96ca81f27d7e1f29f3226562;hp=546a3708c3d031b4b343fb0845087586bcaa67b9;hpb=8135d83ddbfdb4daa84d480816ce5a37f0047b45;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp index 546a370..5c341c5 100644 --- a/tests/libprivilege-control-tests/test_cases.cpp +++ b/tests/libprivilege-control-tests/test_cases.cpp @@ -12,434 +12,79 @@ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - */ +*/ /* * @file test_cases.cpp * @author Jan Olszak (j.olszak@samsung.com) * @author Rafal Krypa (r.krypa@samsung.com) + * @author Lukasz Wojciechowski (l.wojciechow@partner.samsung.com) * @version 1.0 - * @brief libprivilege-control test runer + * @brief libprivilege-control test runner */ #include -#include -#include -#include #include -#include #include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include #include #include -#include - -#define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/" -#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/WRT" -#define SMACK_LOAD2 "/smack/load2" -#define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir" -#define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir" -#define APPID_DIR "test_APP_ID_dir" -#define APPID_SHARED_DIR "test_APP_ID_shared_dir" -#define CANARY_LABEL "tiny_yellow_canary" - -#define APP_ID "test_APP" -#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP" -#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL" - -#define WGT_APP_ID "QwCqJ0ttyS" -#define WGT_PARTNER_APP_ID "7btsV1Y0sX" -#define WGT_PLATFORM_APP_ID "G4DE3U2vmW" -#define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123" -#define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner" -#define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform" -#define OSP_APP_ID "uqNfgEjqc7" -#define OSP_PARTNER_APP_ID "j4RuPsZrNt" -#define OSP_PLATFORM_APP_ID "V5LKqDFBXm" -#define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp" -#define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner" -#define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform" -#define EARLY_RULE_SUBJECT "livebox.web-provider" -#define EARLY_RULE_RIGHTS "rwx--" - -const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL }; -const char *PRIVS2[] = { "test_privilege_control_rules2", NULL }; -const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL }; -const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL }; -const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL }; -const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL }; -const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL }; - -#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list" -#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac" -#define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac" -#define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac" - -#define APP_TEST_APP_1 "test-application1" -#define APP_TEST_APP_2 "test-application_2" -#define APP_TEST_APP_3 "test-app-3" -#define APP_TEST_AV_1 "test-antivirus1" -#define APP_TEST_AV_2 "test-antivirus_2" -#define APP_TEST_AV_3 "test-av-3" - -#define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db" -#define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db" -#define SMACK_PUBLIC_DIRS_DATABASE "/opt/dbspace/.privilege_control_public_dirs.db" -#define SMACK_APPS_SETTINGS_LABELS_DATABASE "/opt/dbspace/.privilege_control_app_setting.db" -#define SMACK_SETTINGS_DIRS_DATABASE "/opt/dbspace/.privilege_control_setting_dir.db" - -#define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1" -#define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2" -#define APP_TEST_AV_ASP1 "test-app-av-asp1" -#define APP_TEST_AV_ASP2 "test-app-av-asp2" - -#define SOCK_PATH "/tmp/test-smack-socket" - -#define APP_GID 5000 -#define APP_UID 5000 -#define APP_USER_NAME "app" -#define APP_HOME_DIR "/opt/home/app" - -#define APP_FRIEND_1 "app_friend_1" -#define APP_FRIEND_2 "app_friend_2" - -// How many open file descriptors should ftw() function use? -#define FTW_MAX_FDS 16 - -// Rules from test_privilege_control_rules.smack -const std::vector< std::vector > rules = { - { APP_ID, "test_book_1", "r" }, - { APP_ID, "test_book_2", "w" }, - { APP_ID, "test_book_3", "x" }, - { APP_ID, "test_book_4", "rw" }, - { APP_ID, "test_book_5", "rx" }, - { APP_ID, "test_book_6", "wx" }, - { APP_ID, "test_book_7", "rwx" }, - { "test_subject_1", APP_ID, "r" }, - { "test_subject_2", APP_ID, "w" }, - { "test_subject_3", APP_ID, "x" }, - { "test_subject_4", APP_ID, "rw" }, - { "test_subject_5", APP_ID, "rx" }, - { "test_subject_6", APP_ID, "wx" }, - { "test_subject_7", APP_ID, "rwx" }, - { APP_ID, APPID_SHARED_DIR, "rwxat"} -}; -// Rules from test_privilege_control_rules2.smack -const std::vector< std::vector > rules2 = { - { APP_ID, "test_book_8", "r" }, - { APP_ID, "test_book_9", "w" }, - { APP_ID, "test_book_10", "x" }, - { APP_ID, "test_book_11", "rw" }, - { APP_ID, "test_book_12", "rx" }, - { APP_ID, "test_book_13", "wx" }, - { APP_ID, "test_book_14", "rwx" }, - { APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", APP_ID, "r" }, - { "test_subject_9", APP_ID, "w" }, - { "test_subject_10", APP_ID, "x" }, - { "test_subject_11", APP_ID, "rw" }, - { "test_subject_12", APP_ID, "rx" }, - { "test_subject_13", APP_ID, "wx" }, - { "test_subject_14", APP_ID, "rwx" }, - { "test_subject_15", APP_ID, "rwxat" } -}; +#include +#include +#include -// Rules from test_privilege_control_rules_no_r.smack -const std::vector< std::vector > rules2_no_r = { - { APP_ID, "test_book_9", "w" }, - { APP_ID, "test_book_10", "x" }, - { APP_ID, "test_book_11", "w" }, - { APP_ID, "test_book_12", "x" }, - { APP_ID, "test_book_13", "wx" }, - { APP_ID, "test_book_14", "wx" }, - { APP_ID, "test_book_15", "wxat" }, - { "test_subject_9", APP_ID, "w" }, - { "test_subject_10", APP_ID, "x" }, - { "test_subject_11", APP_ID, "w" }, - { "test_subject_12", APP_ID, "x" }, - { "test_subject_13", APP_ID, "wx" }, - { "test_subject_14", APP_ID, "wx" }, - { "test_subject_15", APP_ID, "wxat" } -}; +#include +#include -// Rules from test_privilege_control_rules.smack -// minus test_privilege_control_rules_no_r.smack -const std::vector< std::vector > rules2_r = { - { APP_ID, "test_book_8", "r" }, - { APP_ID, "test_book_11", "r" }, - { APP_ID, "test_book_12", "r" }, - { APP_ID, "test_book_14", "r" }, - { APP_ID, "test_book_15", "r" }, - { "test_subject_8", APP_ID, "r" }, - { "test_subject_11", APP_ID, "r" }, - { "test_subject_12", APP_ID, "r" }, - { "test_subject_14", APP_ID, "r" }, - { "test_subject_15", APP_ID, "r" } -}; +#include +#include +#include -// Rules from test_privilege_control_rules_wgt.smack for wgt -const std::vector< std::vector > rules_wgt = { - { WGT_APP_ID, "test_book_8", "r" }, - { WGT_APP_ID, "test_book_9", "w" }, - { WGT_APP_ID, "test_book_10", "x" }, - { WGT_APP_ID, "test_book_11", "rw" }, - { WGT_APP_ID, "test_book_12", "rx" }, - { WGT_APP_ID, "test_book_13", "wx" }, - { WGT_APP_ID, "test_book_14", "rwx" }, - { WGT_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_APP_ID, "r" }, - { "test_subject_9", WGT_APP_ID, "w" }, - { "test_subject_10", WGT_APP_ID, "x" }, - { "test_subject_11", WGT_APP_ID, "rw" }, - { "test_subject_12", WGT_APP_ID, "rx" }, - { "test_subject_13", WGT_APP_ID, "wx" }, - { "test_subject_14", WGT_APP_ID, "rwx" }, - { "test_subject_15", WGT_APP_ID, "rwxat" } -}; +#include +#include +#include +#include +#include +#include +#include +#include +#include "common/db.h" -// Rules from test_privilege_control_rules_wgt.smack for wgt_partner -const std::vector< std::vector > rules_wgt_partner = { - { WGT_PARTNER_APP_ID, "test_book_8", "r" }, - { WGT_PARTNER_APP_ID, "test_book_9", "w" }, - { WGT_PARTNER_APP_ID, "test_book_10", "x" }, - { WGT_PARTNER_APP_ID, "test_book_11", "rw" }, - { WGT_PARTNER_APP_ID, "test_book_12", "rx" }, - { WGT_PARTNER_APP_ID, "test_book_13", "wx" }, - { WGT_PARTNER_APP_ID, "test_book_14", "rwx" }, - { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_PARTNER_APP_ID, "r" }, - { "test_subject_9", WGT_PARTNER_APP_ID, "w" }, - { "test_subject_10", WGT_PARTNER_APP_ID, "x" }, - { "test_subject_11", WGT_PARTNER_APP_ID, "rw" }, - { "test_subject_12", WGT_PARTNER_APP_ID, "rx" }, - { "test_subject_13", WGT_PARTNER_APP_ID, "wx" }, - { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" }, - { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" } -}; +#include -// Rules from test_privilege_control_rules_wgt.smack for wgt_platform -const std::vector< std::vector > rules_wgt_platform = { - { WGT_PLATFORM_APP_ID, "test_book_8", "r" }, - { WGT_PLATFORM_APP_ID, "test_book_9", "w" }, - { WGT_PLATFORM_APP_ID, "test_book_10", "x" }, - { WGT_PLATFORM_APP_ID, "test_book_11", "rw" }, - { WGT_PLATFORM_APP_ID, "test_book_12", "rx" }, - { WGT_PLATFORM_APP_ID, "test_book_13", "wx" }, - { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" }, - { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_PLATFORM_APP_ID, "r" }, - { "test_subject_9", WGT_PLATFORM_APP_ID, "w" }, - { "test_subject_10", WGT_PLATFORM_APP_ID, "x" }, - { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" }, - { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" }, - { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" }, - { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" }, - { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" } -}; +#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules" -// Rules from test_privilege_control_rules_osp.smack for osp -const std::vector< std::vector > rules_osp = { - { OSP_APP_ID, "test_book_8", "r" }, - { OSP_APP_ID, "test_book_9", "w" }, - { OSP_APP_ID, "test_book_10", "x" }, - { OSP_APP_ID, "test_book_11", "rw" }, - { OSP_APP_ID, "test_book_12", "rx" }, - { OSP_APP_ID, "test_book_13", "wx" }, - { OSP_APP_ID, "test_book_14", "rwx" }, - { OSP_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", OSP_APP_ID, "r" }, - { "test_subject_9", OSP_APP_ID, "w" }, - { "test_subject_10", OSP_APP_ID, "x" }, - { "test_subject_11", OSP_APP_ID, "rw" }, - { "test_subject_12", OSP_APP_ID, "rx" }, - { "test_subject_13", OSP_APP_ID, "wx" }, - { "test_subject_14", OSP_APP_ID, "rwx" }, - { "test_subject_15", OSP_APP_ID, "rwxat" } -}; +#define EARLY_RULE_SUBJECT "livebox.web-provider" +#define EARLY_RULE_RIGHTS "rwx---" -// Rules from test_privilege_control_rules_osp.smack for osp_partner -const std::vector< std::vector > rules_osp_partner = { - { OSP_PARTNER_APP_ID, "test_book_8", "r" }, - { OSP_PARTNER_APP_ID, "test_book_9", "w" }, - { OSP_PARTNER_APP_ID, "test_book_10", "x" }, - { OSP_PARTNER_APP_ID, "test_book_11", "rw" }, - { OSP_PARTNER_APP_ID, "test_book_12", "rx" }, - { OSP_PARTNER_APP_ID, "test_book_13", "wx" }, - { OSP_PARTNER_APP_ID, "test_book_14", "rwx" }, - { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", OSP_PARTNER_APP_ID, "r" }, - { "test_subject_9", OSP_PARTNER_APP_ID, "w" }, - { "test_subject_10", OSP_PARTNER_APP_ID, "x" }, - { "test_subject_11", OSP_PARTNER_APP_ID, "rw" }, - { "test_subject_12", OSP_PARTNER_APP_ID, "rx" }, - { "test_subject_13", OSP_PARTNER_APP_ID, "wx" }, - { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" }, - { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" } -}; +#define SMACK_ACC_LEN 6 -// Rules from test_privilege_control_rules_osp.smack for osp_platform -const std::vector< std::vector > rules_osp_platform = { - { OSP_PLATFORM_APP_ID, "test_book_8", "r" }, - { OSP_PLATFORM_APP_ID, "test_book_9", "w" }, - { OSP_PLATFORM_APP_ID, "test_book_10", "x" }, - { OSP_PLATFORM_APP_ID, "test_book_11", "rw" }, - { OSP_PLATFORM_APP_ID, "test_book_12", "rx" }, - { OSP_PLATFORM_APP_ID, "test_book_13", "wx" }, - { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" }, - { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", OSP_PLATFORM_APP_ID, "r" }, - { "test_subject_9", OSP_PLATFORM_APP_ID, "w" }, - { "test_subject_10", OSP_PLATFORM_APP_ID, "x" }, - { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" }, - { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" }, - { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" }, - { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" }, - { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" } +// Error codes for test_libprivilege_strerror +const std::vector error_codes { + PC_OPERATION_SUCCESS, PC_ERR_FILE_OPERATION, PC_ERR_MEM_OPERATION, PC_ERR_NOT_PERMITTED, + PC_ERR_INVALID_PARAM, PC_ERR_INVALID_OPERATION, PC_ERR_DB_OPERATION, PC_ERR_DB_LABEL_TAKEN, + PC_ERR_DB_QUERY_PREP, PC_ERR_DB_QUERY_BIND, PC_ERR_DB_QUERY_STEP, PC_ERR_DB_CONNECTION, + PC_ERR_DB_NO_SUCH_APP, PC_ERR_DB_PERM_FORBIDDEN }; namespace { -typedef std::unique_ptr > SmackUniquePtr; - -const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack"; -const char *WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack"; -const char *OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack"; -const char *OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac"; -const char *WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac"; -const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac"; -const char *BLAHBLAH_FEATURE = "http://feature/blah/blahblah"; -/** - * Check if every rule is true. - * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't - */ -int test_have_all_accesses(const std::vector< std::vector > &rules) +std::vector gen_names(std::string prefix, std::string suffix, size_t size) { - int result; - for (uint i = 0; i < rules.size(); ++i) { - result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str()); - if (result != 1) - return result; + std::vector names; + for(size_t i = 0; i < size; ++i) { + names.push_back(prefix + "_" + std::to_string(i) + suffix); } - return 1; + return names; } -/** - * Check if every rule is true. - * @return 1 if ANY rule in SMACK, 0 if - */ -int test_have_any_accesses(const std::vector< std::vector > &rules) -{ - int result; - for (uint i = 0; i < rules.size(); ++i) { - result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str()); - if (result == 1) - return 1; - } - return 0; -} - -int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS); - smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC); - smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE); - - return 0; -} - -int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS); - smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC); - smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE); - - return 0; -} - -int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - int result; - char *label; - - /* ACCESS */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - result = strcmp(CANARY_LABEL, label); - RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten"); - - /* EXEC */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - result = strcmp(CANARY_LABEL, label); - RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten"); - - /* TRANSMUTE */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); - - return 0; -} - -int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - int result; - char *label; - - /* ACCESS */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set"); - result = strcmp(APPID_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"); - - /* EXEC */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) { - RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); - result = strcmp(APPID_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect"); - } else if (S_ISLNK(sb->st_mode)) { - struct stat buf; - char *target = realpath(fpath, NULL); - RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath); - free(target); - if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) { - RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); - } else { - RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); - result = strcmp(APPID_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect"); - } - } else - RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); - - /* TRANSMUTE */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); - - return 0; -} +const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack"; +const char *WRT_BLAHBLAH ="/usr/share/privilege-control/WGT_blahblah.smack"; +const char *OTHER_BLAHBLAH ="/usr/share/privilege-control/blahblah.smack"; +const std::vector OSP_BLAHBLAH_DAC = gen_names("/usr/share/privilege-control/OSP_feature.blah.blahblah", ".dac", 16); +const char *WRT_BLAHBLAH_DAC ="/usr/share/privilege-control/WGT_blahblah.dac"; +const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac"; +const std::vector BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16); int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb, int /*typeflag*/, struct FTW* /*ftwbuf*/) @@ -454,9 +99,9 @@ int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb, result = strcmp(APPID_SHARED_DIR, label); RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"); - result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat"); + result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl"); RUNNER_ASSERT_MSG(result == 1, - "Error rwxat access was not given shared dir. Subject: " << + "Error rwxatl access was not given shared dir. Subject: " << APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result); /* EXEC */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); @@ -561,48 +206,14 @@ int check_labels_dir(const char *fpath, const struct stat *sb, free(scanf_label_format); RUNNER_ASSERT_MSG(false, "Can not open database for dirs"); } - bool is_dir = false; - while (fscanf(file_db, scanf_label_format, label_temp) == 1) { - if (strcmp(label_gen, label_temp) == 0) { - is_dir = true; - break; - } - } + free(scanf_label_format); free(label_gen); fclose(file_db); - RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db."); - return 0; } -int nftw_check_labels_app_public_dir(const char *fpath, const struct stat *sb, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - return check_labels_dir(fpath, sb, - SMACK_APPS_LABELS_DATABASE, - SMACK_PUBLIC_DIRS_DATABASE, "rx"); -} - -int nftw_check_labels_app_settings_dir(const char *fpath, const struct stat *sb, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - return check_labels_dir(fpath, sb, - SMACK_APPS_SETTINGS_LABELS_DATABASE, - SMACK_SETTINGS_DIRS_DATABASE, "rwx"); -} - -int file_exists(const char *path) -{ - FILE *file = fopen(path, "r"); - if (file) { - fclose(file); - return 0; - } - return -1; -} - void osp_blahblah_check(int line_no, const std::vector &rules) { std::ifstream smack_file(OSP_BLAHBLAH); @@ -621,10 +232,10 @@ void osp_blahblah_check(int line_no, const std::vector &rules) smack_file.close(); } -void osp_blahblah_dac_check(int line_no, const std::vector &gids) +void osp_blahblah_dac_check(int line_no, const std::vector &gids, std::string dac_file_path) { - std::ifstream dac_file(OSP_BLAHBLAH_DAC); - RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC); + std::ifstream dac_file(dac_file_path); + RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << dac_file_path); auto it = gids.begin(); std::string line; @@ -648,121 +259,16 @@ void remove_smack_files() unlink(OSP_BLAHBLAH); unlink(WRT_BLAHBLAH); unlink(OTHER_BLAHBLAH); - unlink(OSP_BLAHBLAH_DAC); unlink(WRT_BLAHBLAH_DAC); unlink(OTHER_BLAHBLAH_DAC); -} - -int cleaning_smack_app_files (void) -{ - unlink(SMACK_RULES_DIR APP_TEST_APP_1); - - unlink(SMACK_RULES_DIR APP_TEST_APP_2); - - unlink(SMACK_RULES_DIR APP_TEST_APP_3); - - unlink(SMACK_RULES_DIR APP_TEST_AV_1); - - unlink(SMACK_RULES_DIR APP_TEST_AV_2); - - unlink(SMACK_RULES_DIR APP_TEST_AV_3); - - return 0; -} - -int cleaning_smack_database_files (void) -{ - int fd = -1; - - //clean app database - unlink(SMACK_APPS_LABELS_DATABASE); - fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); - if (fd == -1) { - return -1; - } - - //clean av database - unlink(SMACK_AVS_LABELS_DATABASE); - fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); - if (fd == -1) { - return -1; - } - - //clean app settings database - unlink(SMACK_APPS_SETTINGS_LABELS_DATABASE); - fd = open(SMACK_APPS_SETTINGS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); - if (fd == -1) { - return -1; - } - - //clean public dirs database - unlink(SMACK_PUBLIC_DIRS_DATABASE); - fd = open(SMACK_PUBLIC_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); - if (fd == -1) { - return -1; - } - //clean settings dirs database - unlink(SMACK_SETTINGS_DIRS_DATABASE); - fd = open(SMACK_SETTINGS_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); - if (fd == -1) { - return -1; - } + for(size_t i=0; i fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) { - fclose(file_db); - RUNNER_ASSERT_MSG(false, "Error writing to database file"); - } - if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) { - fclose(file_db); - RUNNER_ASSERT_MSG(false, "Error writing to database file"); - } - fclose(file_db); - - file_db = fopen(SMACK_APPS_SETTINGS_LABELS_DATABASE, "a"); - RUNNER_ASSERT_MSG(file_db != NULL, "Error database file " - << SMACK_APPS_SETTINGS_LABELS_DATABASE << " can not be opened to apend!"); - if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) { - fclose(file_db); - RUNNER_ASSERT_MSG(false, "Error writing to database file"); - } - if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) { - fclose(file_db); - RUNNER_ASSERT_MSG(false, "Error writing to database file"); - } - fclose(file_db); - - file_db = fopen(SMACK_APPS_LABELS_DATABASE, "a"); - RUNNER_ASSERT_MSG(file_db != NULL, "Error database file " - << SMACK_APPS_LABELS_DATABASE << " can not be opened to apend!"); - if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) { - fclose(file_db); - RUNNER_ASSERT_MSG(false, "Error writing to database file"); - } - if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) { - fclose(file_db); - RUNNER_ASSERT_MSG(false, "Error writing to database file"); - } - if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) { - fclose(file_db); - RUNNER_ASSERT_MSG(false, "Error writing to database file"); - } - if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) { - fclose(file_db); - RUNNER_ASSERT_MSG(false, "Error writing to database file"); - } - fclose(file_db); -} } // namespace RUNNER_TEST_GROUP_INIT(libprivilegecontrol) @@ -780,8 +286,12 @@ RUNNER_TEST(privilege_control02_app_label_dir) result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); - result = app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE); - RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed"); + DB_BEGIN + + result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE); + RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed"); + + DB_END result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir"); @@ -790,12 +300,19 @@ RUNNER_TEST(privilege_control02_app_label_dir) RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); } -RUNNER_TEST(privilege_control03_app_label_shared_dir) +RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir) { int result; - result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID); - RUNNER_ASSERT_MSG(result != 0, "app_setup_path(APP_ID, APP_ID) didn't fail"); + DB_BEGIN + + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID); + RUNNER_ASSERT_MSG(result != 0, "perm_app_setup_path(APP_ID, APP_ID) didn't fail"); + + DB_END result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR); @@ -803,607 +320,214 @@ RUNNER_TEST(privilege_control03_app_label_shared_dir) result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); - result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR); - RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed"); + DB_BEGIN + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR); + RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed"); + + DB_END result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir"); result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); + + DB_BEGIN + + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + + DB_END } /** - * Add permisions from test_privilege_control_rules template + * Simple enabling EFL permissions;. */ -RUNNER_TEST(privilege_control04_add_permissions) +RUNNER_TEST_SMACK(privilege_control04_add_permissions) { - int result = app_add_permissions(APP_ID, PRIVS); + int result = 0; + DB_BEGIN + + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + + result = perm_app_enable_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL, TRUE); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app permissions. Result: " << result); + " perm_app_enable_permissions failed with result: " << result); + + DB_END + + // Check if permission is assigned to app in db + check_app_has_permission(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true); // Check if the accesses are realy applied.. - result = test_have_all_accesses(rules); + result = test_have_all_accesses(rules_efl); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - //// File exists? - FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); + DB_BEGIN - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - int smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length > 0, - "SMACK file empty, but privileges list was not empty.. Errno: " << errno); + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - if (pFile != NULL) - fclose(pFile); + DB_END } /** * Revoke permissions from the list. Should be executed as privileged user. */ -RUNNER_CHILD_TEST(privilege_control06_revoke_permissions) +RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt) { - int result; - int fd; - - // Revoke permissions - result = app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - result = app_revoke_permissions(WGT_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(WGT_PARTNER_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(WGT_PLATFORM_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - result = app_revoke_permissions(OSP_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(OSP_PARTNER_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(OSP_PLATFORM_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - // Are all the permissions revoked? - result = test_have_any_accesses(rules); - RUNNER_ASSERT_MSG(result != 1, "Not all permisions revoked."); - result = test_have_any_accesses(rules_wgt); - RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked."); - result = test_have_any_accesses(rules_wgt_partner); - RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked."); - result = test_have_any_accesses(rules_wgt_platform); - RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked."); - - result = test_have_any_accesses(rules); - RUNNER_ASSERT_MSG(result != 1, "Not all permisions revoked."); - result = test_have_any_accesses(rules_osp); - RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked."); - result = test_have_any_accesses(rules_osp_partner); - RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked."); - result = test_have_any_accesses(rules_osp_platform); - RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked."); - - FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file removed!. Errno: " << errno); - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - int smack_file_length = ftell(pFile); - if (pFile != NULL) - fclose(pFile); - RUNNER_ASSERT_MSG(smack_file_length == 0, - "SMACK file not empty.. Errno: " << errno); - - pFile = fopen(SMACK_RULES_DIR WGT_APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file removed!. Errno: " << errno); - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - if (pFile != NULL) - fclose(pFile); - RUNNER_ASSERT_MSG(smack_file_length == 0, - "SMACK file not empty.. Errno: " << errno); - - pFile = fopen(SMACK_RULES_DIR WGT_PARTNER_APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file removed!. Errno: " << errno); - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - if (pFile != NULL) - fclose(pFile); - RUNNER_ASSERT_MSG(smack_file_length == 0, - "SMACK file not empty.. Errno: " << errno); - - pFile = fopen(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file removed!. Errno: " << errno); - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - if (pFile != NULL) - fclose(pFile); - RUNNER_ASSERT_MSG(smack_file_length == 0, - "SMACK file not empty.. Errno: " << errno); - - pFile = fopen(SMACK_RULES_DIR OSP_APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file removed!. Errno: " << errno); - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - if (pFile != NULL) - fclose(pFile); - RUNNER_ASSERT_MSG(smack_file_length == 0, - "SMACK file not empty.. Errno: " << errno); - - pFile = fopen(SMACK_RULES_DIR OSP_PARTNER_APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file removed!. Errno: " << errno); - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - if (pFile != NULL) - fclose(pFile); - RUNNER_ASSERT_MSG(smack_file_length == 0, - "SMACK file not empty.. Errno: " << errno); - - pFile = fopen(SMACK_RULES_DIR OSP_PLATFORM_APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file removed!. Errno: " << errno); - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - if (pFile != NULL) - fclose(pFile); - RUNNER_ASSERT_MSG(smack_file_length == 0, - "SMACK file not empty.. Errno: " << errno); + test_revoke_permissions(__LINE__, WGT_APP_ID, rules_wgt, true); } -static void read_gids(std::set &set, const char *file_path) +/** + * Revoke permissions from the list. Should be executed as privileged user. + */ +RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_partner) { - FILE *f = fopen(file_path, "r"); - RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path); - unsigned gid; - while (fscanf(f, "%u\n", &gid) == 1) { - set.insert(gid); - } + test_revoke_permissions(__LINE__, WGT_PARTNER_APP_ID, rules_wgt_partner, true); } -RUNNER_TEST(privilege_control05_add_shared_dir_readers) +/** + * Revoke permissions from the list. Should be executed as privileged user. + */ +RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_platform) { -#define TEST_OBJ "TEST_OBJECT" -#define TEST_OBJ_SOME_OTHER "TEST_OBJA" -#define test_string_01 "TEST_raz TEST_OBJECT r-x-- -----" -#define test_string_21 "TEST_trzy TEST_OBJA -wx--\n" -#define test_string_22 "TEST_trzy TEST_OBJECT r-x-- -----\n" - - int result; - int i; - int fd = -1; - char *path; - - const char *app_labels_wrong[] = {"-TEST_raz", NULL}; - const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL}; - const int READ_BUF_SIZE = 1000; - char buf[READ_BUF_SIZE]; - FILE *file = NULL; - struct smack_accesses *rules = NULL; - - //test what happens when the label is not correct SMACK label - result = smack_accesses_new(&rules); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result); - - result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong); - RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here"); - - result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx"); - RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here"); - - smack_accesses_free(rules); - - //ok, now the correct list of apps - result = smack_accesses_new(&rules); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result); - - for (i = 0; i < 3; i++) { - (void)app_uninstall(app_labels[i]); - result = app_install(app_labels[i]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in app_install."); - - RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i])); - fd = open(path, O_WRONLY, 0644); - RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path); - - if (i == 1) { - result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt"); - RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed"); - } - if (i == 2) { - smack_accesses_free(rules); - result = smack_accesses_new(&rules); - result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx"); - RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed"); - } - result = smack_accesses_apply(rules); - RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed"); - - result = smack_accesses_save(rules, fd); - RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed"); - - free(path); - close(fd); - } - - smack_accesses_free(rules); - - // THE TEST - accesses - - result = add_shared_dir_readers(TEST_OBJ,app_labels); - RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed"); - - result = smack_have_access(app_labels[0],TEST_OBJ,"rx"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); - - result = smack_have_access(app_labels[1],TEST_OBJ,"rx"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); - - result = smack_have_access(app_labels[2],TEST_OBJ,"rx"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); - - result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); - - result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx"); - RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); - - - //TEST the operations on empty files - - RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0])); - file = fopen(path, "r"); - - RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno); - - RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file)); - result = strcmp(buf, test_string_01); - RUNNER_ASSERT_MSG( result != 0, "add_shared_dir_readers ERROR, file not formatted" << path ); - - free(path); - fclose(file); - - //TEST the operations on non empty files - RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2])); - file = NULL; - file = fopen(path, "r"); - RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno); - - RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file)); - result = strcmp(buf, test_string_21); - RUNNER_ASSERT_MSG( result == 0, "add_shared_dir_readers ERROR, file not formatted" ); - - RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file)); - result = strcmp(buf, test_string_22); - RUNNER_ASSERT_MSG( result == 0, "add_shared_dir_readers ERROR, file not formatted" ); - - free(path); - fclose(file); + test_revoke_permissions(__LINE__, WGT_PLATFORM_APP_ID, rules_wgt_platform, true); } - /** - * Set APP privileges. + * Revoke permissions from the list. Should be executed as privileged user. */ - -void check_groups(const char *dac_file) +RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp) { - std::set groups_check; - read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST); - read_gids(groups_check, dac_file); - - int groups_cnt = getgroups(0, NULL); - RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt"); - gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t)); - RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed"); - RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list)); - - for (int i = 0; i < groups_cnt; ++i) { - //getgroups() can return multiple number of the same group - //they are returned in sequence, so we will given number when last - //element of this number is reached - if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i])) - continue; - if (groups_check.erase(groups_list[i]) == 0) { - // getgroups() may also return process' main group - if (groups_list[i] != getgid()) - RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")"); - } - } - free(groups_list); - std::string groups_left; - for (std::set::iterator it = groups_check.begin(); it != groups_check.end(); it++) { - groups_left.append(std::to_string(*it)).append(" "); - } - RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left); + test_revoke_permissions(__LINE__, OSP_APP_ID, rules_osp, true); } -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege) +/** + * Revoke permissions from the list. Should be executed as privileged user. + */ +RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_partner) { - int result; - - // Preset exec label - smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC); - smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC); - - /** - * TODO This test should also verify set_app_privilege behavior for OSP and - * WRT apps. To do that we'll have to install real apps on device as a - * precondition. - */ + test_revoke_permissions(__LINE__, OSP_PARTNER_APP_ID, rules_osp_partner, true); +} - // Set APP privileges - result = set_app_privilege(APP_ID, NULL, APP_SET_PRIV_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); +/** + * Revoke permissions from the list. Should be executed as privileged user. + */ +RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_platform) +{ + test_revoke_permissions(__LINE__, OSP_PLATFORM_APP_ID, rules_osp_platform, true); +} - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - // Check if DAC privileges really set - RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID"); - RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID"); +void set_app_privilege(int line_no, + const char* app_id, app_type_t APP_TYPE, + const char** privileges, const char* type, + const char* app_path, const char* dac_file, + const rules_t &rules) { + check_app_installed(line_no, app_path); - result = strcmp(getenv("HOME"), APP_HOME_DIR); - RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR"); + int result; - result = strcmp(getenv("USER"), APP_USER_NAME); - RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME"); + DB_BEGIN - check_groups(LIBPRIVILEGE_TEST_DAC_FILE); -} + result = perm_app_uninstall(app_id); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); -/** - * Set APP privileges. wgt. - */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt) -{ - int result; + result = perm_app_install(app_id); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " perm_app_install returned " << result << ". Errno: " << strerror(errno)); - result = app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + // TEST: + result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << " Error enabling app permissions. Result: " << result); - result = test_have_all_accesses(rules_wgt); + DB_END + + result = test_have_all_accesses(rules); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - result = set_app_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); + result = perm_app_set_privilege(app_id, type, app_path); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_set_privilege. Error: " << result); // Check if SMACK label really set char *label; result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(WGT_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - + RUNNER_ASSERT_MSG(result >= 0, "Line: " << line_no << + " Error getting current process label"); + RUNNER_ASSERT_MSG(label != NULL, "Line: " << line_no << + " Process label is not set"); + result = strcmp(app_id, label); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " Process label " << label << " is incorrect"); + + check_groups(dac_file); +} - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); +/** + * Set APP privileges. wgt. + */ +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt) +{ + set_app_privilege(__LINE__,WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt); } /** * Set APP privileges. wgt_partner. */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner) +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner) { - int result; - - result = app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_wgt_partner); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = set_app_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(WGT_PARTNER_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); + set_app_privilege(__LINE__, WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, + "wgt_partner", WGT_PARTNER_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_partner); } /** * Set APP privileges. wgt_platform. */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform) +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform) { - int result; - - result = app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_wgt_platform); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = set_app_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(WGT_PLATFORM_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); + set_app_privilege(__LINE__, WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, + "wgt_platform", WGT_PLATFORM_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_platform); } /** * Set APP privileges. osp app. */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp) +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp) { - int result; - - result = app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_osp); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = set_app_privilege(OSP_APP_ID, NULL, OSP_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(OSP_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); + set_app_privilege(__LINE__, OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, NULL, OSP_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp); } /** * Set APP privileges. partner osp app. */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_partner) +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner) { - int result; - - result = app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_osp_partner); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = set_app_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(OSP_PARTNER_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); + set_app_privilege(__LINE__, OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, + NULL, OSP_PARTNER_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_partner); } /** * Set APP privileges. platform osp app. */ -RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_platform) -{ - int result; - - result = app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_osp_platform); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = set_app_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(OSP_PLATFORM_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); -} - -RUNNER_TEST(privilege_control08_app_give_access) +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform) { - const char *subject = "lkjq345v34sfa"; - const char *object = "lk9290f92lkjz"; - smack_accesses *tmp = NULL; - - RUNNER_ASSERT(0 == smack_accesses_new(&tmp)); - - SmackUniquePtr smack(tmp, smack_accesses_free); - - RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "r--a-")); - RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); - - app_give_access(subject, object, "wt"); - - RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwat")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "x")); - - app_revoke_access(subject, object); - - RUNNER_ASSERT(1 == smack_have_access(subject, object, "ra")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "w")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "x")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "t")); - - RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-")); - RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); -} - -RUNNER_TEST(privilege_control09_app_give_access) -{ - const char *subject = "ljk132flkjv"; - const char *object = "jjsiqsc32vs"; - smack_accesses *tmp = NULL; - - RUNNER_ASSERT(0 == smack_accesses_new(&tmp)); - - SmackUniquePtr smack(tmp, smack_accesses_free); - - RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "---t-")); - RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); - - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rw")); - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rwx")); - - RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxt")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "a")); - - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_revoke_access(subject, object)); - - RUNNER_ASSERT(1 == smack_have_access(subject, object, "t")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "r")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "w")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "x")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "a")); - - RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----")); - RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); + set_app_privilege(__LINE__, OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, + NULL, OSP_PLATFORM_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform); } /** @@ -1415,273 +539,203 @@ RUNNER_TEST(privilege_control11_add_api_feature) remove_smack_files(); + DB_BEGIN // argument validation - result = add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - - result = add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0); + result = perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0); RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - - // already existing features - result = add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0); + result = perm_add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0); RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging", NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + // Already existing feature: + // TODO: Database will be malformed. (Rules for these features will be removed.) + result = perm_add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging", NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + result = perm_add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OTHER,"http://messaging", NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - result = add_api_feature(APP_TYPE_OTHER,"messaging.read", NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - - // empty features - result = add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - result = add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - result = add_api_feature(APP_TYPE_OTHER,"blahblah", NULL, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - - - // smack files existence - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); - - result = file_exists(WRT_BLAHBLAH); - RUNNER_ASSERT(result == -1); + // empty features + result = perm_add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); - result = file_exists(OTHER_BLAHBLAH); - RUNNER_ASSERT(result == -1); + result = perm_add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); // empty rules - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, { NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); - - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == 0); - remove_smack_files(); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[0].c_str(), { NULL }, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == 0); - remove_smack_files(); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[1].c_str(), (const char*[]) { "", NULL }, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[2].c_str(), (const char*[]) { " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); // malformed rules - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[3].c_str(), (const char*[]) { "malformed", NULL }, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed malformed", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[4].c_str(), (const char*[]) { "malformed malformed", NULL }, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "-malformed malformed rwxat", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[5].c_str(), (const char*[]) { "-malformed malformed rwxat", NULL }, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "~/\"\\ malformed rwxat", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[6].c_str(), (const char*[]) { "~/\"\\ malformed rwxat", NULL }, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "subject object rwxat something else", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); - result = file_exists(OSP_BLAHBLAH); - RUNNER_ASSERT(result == -1); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[7].c_str(), (const char*[]) { "subject object rwxat something else", NULL }, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result); // correct rules - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed malformed maaaaaalformed", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "malformed malformed r--a- -----" }); - remove_smack_files(); - - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "subject object foo", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "subject object ----- -----" }); - remove_smack_files(); - - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { - "subject object\t rwxat", + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[8].c_str(), (const char*[]) { + "~APP~ object\t rwxatl", " \t \n", - "subject2\tobject2 txarw", + "subject2\t~APP~ ltxarw", "", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject2 object2 rwxat -----"}); - remove_smack_files(); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { - "Sub::jE,ct object a-RwX", + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[9].c_str(), (const char*[]) { + "Sub::jE,ct ~APP~ a-rwxl", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa- -----"}); - remove_smack_files(); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[10].c_str(), (const char*[]) { + "Sub::sjE,ct ~APP~ a-RwXL", // TODO This fails. + NULL + }, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + // TODO For now identical/complementary rules are not merged. - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { - "subject object rwxat", + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[11].c_str(), (const char*[]) { + "subject1 ~APP~ rwxatl", " \t \n", - "subject object txarw", + "subject2 ~APP~ ltxarw", "", NULL }, NULL, 0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject object rwxat -----"}); - remove_smack_files(); - + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); // empty group ids - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},0); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "a a ---a- -----"}); - result = file_exists(OSP_BLAHBLAH_DAC); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[12].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + result = file_exists(OSP_BLAHBLAH_DAC[12].c_str()); RUNNER_ASSERT(result == -1); remove_smack_files(); // valid group ids - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},3); - printf("%d \n", result); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "a a ---a- -----"}); - osp_blahblah_dac_check(__LINE__, {0,1,2}); + result = perm_add_api_feature(APP_TYPE_OSP,BLAHBLAH_FEATURE[13].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},3); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + osp_blahblah_dac_check(__LINE__, {0,1,2}, OSP_BLAHBLAH_DAC[13]); remove_smack_files(); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},1); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "a a ---a- -----"}); - osp_blahblah_dac_check(__LINE__, {0}); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[14].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + osp_blahblah_dac_check(__LINE__, {0}, OSP_BLAHBLAH_DAC[14]); remove_smack_files(); - result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {1,1,1},3); - RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); - osp_blahblah_check(__LINE__, { "a a ---a- -----"}); - osp_blahblah_dac_check(__LINE__, {1,1,1}); + result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[15].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {1,1,1},3); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result); + osp_blahblah_dac_check(__LINE__, {1,1,1},OSP_BLAHBLAH_DAC[15]); remove_smack_files(); + + DB_END } /* - * Check app_install function + * Check perm_app_install function */ RUNNER_TEST(privilege_control01_app_install) { int result; - int fd = -1; - - unlink(SMACK_RULES_DIR APP_ID); - app_uninstall(APP_ID); + DB_BEGIN - result = app_install(APP_ID); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno)); + perm_app_uninstall(APP_ID); - // checking if file really exists - fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY); - RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno)); - close(fd); + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); // try install second time app with the same ID - it should pass. - result = app_install(APP_ID); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno)); + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + DB_END } /* - * Check app_install function + * Check perm_app_uninstall function */ RUNNER_TEST(privilege_control07_app_uninstall) { int result; - int fd = -1; - result = app_uninstall(APP_ID); - RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result << ". Errno: " << strerror(errno)); + DB_BEGIN - // checking if file really exists - fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY); - RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after app_uninstall"); - close(fd); -} + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); -void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment) -{ - int result; - result = smack_have_access(av_id, app_id, "rwx"); - RUNNER_ASSERT_MSG(result == 1, - "Error while checking " << av_id << " rwx access to " - << app_id << " " << comment << " Result: " << result); - result = smack_have_access(av_id, app_id, "a"); - RUNNER_ASSERT_MSG(result == 0, - "Error while checking " << av_id << " a access to " - << app_id << " " << comment << " Result: " << result); - result = smack_have_access(av_id, app_id, "t"); - RUNNER_ASSERT_MSG(result == 0, - "Error while checking " << av_id << " t access to " - << app_id << " " << comment << " Result: " << result); + DB_END + + TestLibPrivilegeControlDatabase db_test; + db_test.test_db_after__perm_app_uninstall(TRACE_FROM_HERE, APP_ID); } /* * Check app_register_av function * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install) */ -RUNNER_TEST(privilege_control10_app_register_av) +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +RUNNER_TEST_SMACK(privilege_control10_app_register_av) { + RUNNER_IGNORED_MSG("app_register_av is not implemented"); int result; // cleaning smack_revoke_subject(APP_TEST_AV_1); smack_revoke_subject(APP_TEST_AV_2); - cleaning_smack_app_files(); - cleaning_smack_database_files(); + DB_BEGIN // Adding two apps before antivir - result = app_install(APP_TEST_APP_1); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno)); + result = perm_app_install(APP_TEST_APP_1); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - result = app_install(APP_TEST_APP_2); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno)); + result = perm_app_install(APP_TEST_APP_2); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); // Adding antivir result = app_register_av(APP_TEST_AV_1); RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno)); + DB_END + // Checking added apps accesses checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)"); checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)"); + DB_BEGIN + // Adding third app - result = app_install(APP_TEST_APP_3); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno)); + result = perm_app_install(APP_TEST_APP_3); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + DB_END // Checking app accesses - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_install(APP_TEST_APP_3)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_install(APP_TEST_APP_3)"); - checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_install(APP_TEST_APP_3)"); + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)"); + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)"); + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)"); // Adding second antivir result = app_register_av(APP_TEST_AV_2); @@ -1698,155 +752,152 @@ RUNNER_TEST(privilege_control10_app_register_av) // cleaning smack_revoke_subject(APP_TEST_AV_1); smack_revoke_subject(APP_TEST_AV_2); - - cleaning_smack_app_files(); - cleaning_smack_database_files(); } +#pragma GCC diagnostic warning "-Wdeprecated-declarations" /** * Grant SMACK permissions based on permissions list. */ -RUNNER_TEST(privilege_control11_app_enable_permissions) +RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) { int result; - int smack_file_length; - FILE *pFile; + + // Clean up after test: + DB_BEGIN + + result = perm_app_uninstall(WGT_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + result = perm_app_install(WGT_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); /** * Test - Enabling all permissions with persistant mode enabled */ - - result = app_revoke_permissions(APP_ID); + result = perm_app_revoke_permissions(WGT_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error enabling app permissions. Result: " << result); + DB_END + // Check if the accesses are realy applied.. result = test_have_all_accesses(rules2); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); + // Check if permission is assigned to app in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true); - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length > 0, - "SMACK file empty with persistant mode 1. Errno: " << errno); - - if (pFile != NULL) - fclose(pFile); + DB_BEGIN // Clean up - result = app_revoke_permissions(APP_ID); + result = perm_app_revoke_permissions(WGT_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); + DB_END + + // Check if permission is disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + /** * Test - Enabling all permissions with persistant mode disabled */ - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0); + DB_BEGIN + + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 0); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error enabling app permissions. Result: " << result); + DB_END + // Check if the accesses are realy applied.. result = test_have_all_accesses(rules2); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); - - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length == 0, - "SMACK file not empty with persistant mode 0. Errno: " << errno); + // Check if permission is assigned to app in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true); - if (pFile != NULL) - fclose(pFile); + DB_BEGIN // Clean up - result = app_revoke_permissions(APP_ID); + result = perm_app_revoke_permissions(WGT_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); + DB_END + + // Check if permission is disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + /** * Test - Enabling all permissions in two complementary files */ - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1); + DB_BEGIN + + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, 1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error enabling app permissions. Result: " << result); + DB_END + // Check if the accesses are realy applied.. - result = test_have_all_accesses(rules2); + result = test_have_all_accesses(rules2_no_r); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); + // Check if permissions are assigned to app in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, true); - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length > 0, - "SMACK file empty with persistant mode 1. Errno: " << errno); - - if (pFile != NULL) - fclose(pFile); + DB_BEGIN // Clean up - result = app_revoke_permissions(APP_ID); + result = perm_app_revoke_permissions(WGT_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); + DB_END + + // Check if permissions are disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false); + /** * Test - Enabling some permissions and then enabling complementary permissions */ + DB_BEGIN + // Enable permission for rules 2 no r - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error enabling app permissions without r. Result: " << result); + DB_END + // Check if the accesses are realy applied.. result = test_have_all_accesses(rules2_no_r); RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added."); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); - - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length > 0, - "SMACK file empty with persistant mode 1. Errno: " << errno); - - if (pFile != NULL) - fclose(pFile); + DB_BEGIN // Enable permission for rules 2 - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error enabling app all permissions. Result: " << result); + DB_END + // Check if the accesses are realy applied.. result = test_have_all_accesses(rules2); RUNNER_ASSERT_MSG(result == 1, "Permissions all not added."); + DB_BEGIN + // Clean up - result = app_revoke_permissions(APP_ID); + result = perm_app_revoke_permissions(WGT_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); @@ -1855,146 +906,73 @@ RUNNER_TEST(privilege_control11_app_enable_permissions) */ // Enable permission for rules 2 no r - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error enabling app permissions without r. Result: " << result); + DB_END + // Check if the accesses are realy applied.. result = test_have_all_accesses(rules2_no_r); RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added."); - //// File exists? - pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); - RUNNER_ASSERT_MSG(pFile != NULL, - "SMACK file NOT created!. Errno: " << errno); - - //// Is it empty? - fseek(pFile, 0L, SEEK_END); - smack_file_length = ftell(pFile); - RUNNER_ASSERT_MSG(smack_file_length > 0, - "SMACK file empty with persistant mode 1. Errno: " << errno); - - if (pFile != NULL) - fclose(pFile); + DB_BEGIN // Enable permission for rules 2 - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, 1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error enabling app permissions with only r. Result: " << result); + DB_END + // Check if the accesses are realy applied.. - result = test_have_all_accesses(rules2); + result = test_have_all_accesses(rules2_r); RUNNER_ASSERT_MSG(result == 1, "Permissions with only r not added."); + DB_BEGIN + // Clean up - result = app_revoke_permissions(APP_ID); + result = perm_app_revoke_permissions(WGT_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); -} - -/* - * Until app_disable_permissions is not fixed this test should remain - * commented - */ -/** - * Remove previously granted SMACK permissions based on permissions list. - */ -/*RUNNER_TEST(privilege_control12_app_disable_permissions) -{ -*/ -/** - * Test - disable all granted permissions. - */ -/* int result; - - // Prepare permissions that we want to disable - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - // Disable permissions - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app permissions. Result: " << result); - // Are all the permissions disabled? - result = test_have_any_accesses(rules2); - RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled."); -*/ -/** - * Test - disable some granted permissions leaving non complementary and then disabling those too. - */ -/* - // Prepare permissions that will not be disabled - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app first permissions. Result: " << result); - // Prepare permissions that we want to disable - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app second permissions. Result: " << result); + // Clean up after test: + result = perm_app_uninstall(WGT_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - // Disable second permissions - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app second permissions. Result: " << result); + DB_END +} - // Are all second permissions disabled? - result = test_have_any_accesses(rules2); - RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled."); +RUNNER_CHILD_TEST_SMACK(privilege_control11_app_enable_permissions_efl) +{ + test_app_enable_permissions_efl(true); +} - // Are all first permissions not disabled? - result = test_have_all_accesses(rules); - RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled."); +/* + * Check perm_app_install function + */ +RUNNER_CHILD_TEST_SMACK(privilege_control12_app_disable_permissions_efl) +{ + test_app_disable_permissions_efl(true); +} - // Disable first permissions - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app first permissions. Result: " << result); - // Are all second permissions disabled? - result = test_have_any_accesses(rules); - RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled."); -*/ /** - * Test - disable only no r granted permissions. + * Remove previously granted SMACK permissions based on permissions list. */ -/* - // Prepare permissions - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app permissions. Result: " << result); - - // Disable same permissions without r - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app no r permissions. Result: " << result); - - // Is any r permissions disabled? - result = test_have_all_accesses(rules2_r); - RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled."); - // Are all no r permissions disabled? - result = test_have_any_accesses(rules2_no_r); - RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled."); - - // Prepare permissions - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app no r permissions. Result: " << result); - - // Disable all permissions - result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app permissions. Result: " << result); +RUNNER_TEST_SMACK(privilege_control12_app_disable_permissions) +{ + test_app_disable_permissions(true); } -*/ + /** * Reset SMACK permissions for an application by revoking all previously * granted rules and enabling them again from a rules file from disk. */ - -RUNNER_TEST(privilege_control13_app_reset_permissions) +// TODO: This test is incomplete. +RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions) { int result; @@ -2002,61 +980,81 @@ RUNNER_TEST(privilege_control13_app_reset_permissions) * Test - doing reset and checking if rules exist again. */ + DB_BEGIN + + result = perm_app_install(WGT_APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + // Prepare permissions to reset - result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error adding app permissions. Result: " << result); // Reset permissions - result = app_reset_permissions(APP_ID); + result = perm_app_reset_permissions(WGT_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error reseting app permissions. Result: " << result); + DB_END + // Are all second permissions not disabled? result = test_have_all_accesses(rules2); RUNNER_ASSERT_MSG(result == 1, "Not all permissions added."); + DB_BEGIN + // Disable permissions - result = app_revoke_permissions(APP_ID); + result = perm_app_revoke_permissions(WGT_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error disabling app permissions. Result: " << result); + + result = perm_app_uninstall(WGT_APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + + DB_END } /** * Make two applications "friends", by giving them both full permissions on * each other. */ -RUNNER_TEST(privilege_control14_app_add_friend) +RUNNER_TEST_SMACK(privilege_control14_app_add_friend) { + RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented"); + int result; /** * Test - making friends with no permissions on each other */ - result = app_revoke_permissions(APP_FRIEND_1); + DB_BEGIN + + result = perm_app_revoke_permissions(APP_FRIEND_1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(APP_FRIEND_2); + result = perm_app_revoke_permissions(APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - app_uninstall(APP_FRIEND_1); - app_uninstall(APP_FRIEND_2); + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); // Installing friends to be - result = app_install(APP_FRIEND_1); + result = perm_app_install(APP_FRIEND_1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error installing first app. Result: " << result); - result = app_install(APP_FRIEND_2); + result = perm_app_install(APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error installing second app. Result: " << result); // Making friends - result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2); + result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error making friends. Errno: " << result); + DB_END + // Checking if friends were made result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat"); RUNNER_ASSERT_MSG(result == 1, @@ -2065,46 +1063,54 @@ RUNNER_TEST(privilege_control14_app_add_friend) RUNNER_ASSERT_MSG(result == 1, " Error second one sided friednship failed. Result: " << result); + DB_BEGIN + // Clean up - result = app_revoke_permissions(APP_FRIEND_1); + result = perm_app_revoke_permissions(APP_FRIEND_1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(APP_FRIEND_2); + result = perm_app_revoke_permissions(APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - app_uninstall(APP_FRIEND_1); - app_uninstall(APP_FRIEND_2); + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); + + DB_END /** - * Test - making friends with nonexisting friend + * Test - making friends with nonexistent friend */ + DB_BEGIN + // Installing one friend - result = app_install(APP_FRIEND_1); + result = perm_app_install(APP_FRIEND_1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error installing first app. Errno: " << result); - // Adding imaginairy friend as second - result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2); + // Adding imaginary friend as second + result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error making friends (first) with imaginairy friend failed. Result: " << result); - // Adding imaginairy friend as first - result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1); + // Adding imaginary friend as first + result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error making friends (second) with imaginairy friend failed. Result: " << result); // Clean up - result = app_revoke_permissions(APP_FRIEND_1); + result = perm_app_revoke_permissions(APP_FRIEND_1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(APP_FRIEND_2); + result = perm_app_revoke_permissions(APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - app_uninstall(APP_FRIEND_1); - app_uninstall(APP_FRIEND_2); + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); + + DB_END /** * Test - making friends with some permissions already added @@ -2117,14 +1123,18 @@ RUNNER_TEST(privilege_control14_app_add_friend) std::vector accessesFriend = { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" }; + DB_BEGIN + // Installing friends to be - result = app_install(APP_FRIEND_1); + result = perm_app_install(APP_FRIEND_1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error installing first app. Result: " << result); - result = app_install(APP_FRIEND_2); + result = perm_app_install(APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error installing second app. Result: " << result); + DB_END + for (i = 0; i < accessesFriend.size(); ++i) { for (j = 0; j < accessesFriend.size(); ++j) @@ -2147,11 +1157,15 @@ RUNNER_TEST(privilege_control14_app_add_friend) RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_apply. Result: " << result); + DB_BEGIN + // Adding friends - result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2); + result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error making friends. Result: " << result); + DB_END + // Checking if friends were made result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat"); RUNNER_ASSERT_MSG(result == 1, @@ -2173,16 +1187,20 @@ RUNNER_TEST(privilege_control14_app_add_friend) } } + DB_BEGIN + // Clean up - result = app_revoke_permissions(APP_FRIEND_1); + result = perm_app_revoke_permissions(APP_FRIEND_1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - result = app_revoke_permissions(APP_FRIEND_2); + result = perm_app_revoke_permissions(APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); - app_uninstall(APP_FRIEND_1); - app_uninstall(APP_FRIEND_2); + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); + + DB_END } static void smack_set_random_label_based_on_pid_on_self(void) @@ -2207,7 +1225,7 @@ static void smack_unix_sock_server(int sock) if (fd < 0) return; result = smack_new_label_from_self(&smack_label); - if (result != 0) { + if (result < 0) { close(fd); close(sock); free(smack_label); @@ -2224,7 +1242,7 @@ static void smack_unix_sock_server(int sock) free(smack_label); } -RUNNER_TEST(privilege_control15_app_id_from_socket) +RUNNER_MULTIPROCESS_TEST_SMACK(privilege_control15_app_id_from_socket) { int pid; struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH}; @@ -2265,7 +1283,7 @@ RUNNER_TEST(privilege_control15_app_id_from_socket) /* Let's give the two servers different labels */ smack_unix_sock_server(sock); close(sock); - waitpid(pid, NULL, 0); + exit(0); } else { /* parent process, client */ sleep(1); /* Give server some time to setup listening socket */ @@ -2294,10 +1312,10 @@ RUNNER_TEST(privilege_control15_app_id_from_socket) RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno)); } smack_label1[result] = '\0'; - smack_label2 = app_id_from_socket(sock); + smack_label2 = perm_app_id_from_socket(sock); if (smack_label2 == NULL) { close(sock); - RUNNER_ASSERT_MSG(0, "app_id_from_socket failed"); + RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket failed"); } result = strcmp(smack_label1, smack_label2); if (result != 0) { @@ -2307,7 +1325,6 @@ RUNNER_TEST(privilege_control15_app_id_from_socket) } close(sock); } - waitpid(pid, NULL, 0); } } @@ -2319,7 +1336,7 @@ RUNNER_TEST(privilege_control16_app_setup_path){ const char *label1 = "qwert123456za"; const char *label2 = "trewq654123az"; - std::unique_ptr > labelPtr(NULL,free); + CStringPtr labelPtr; mkdir(path1,0); mkdir(path2,0); @@ -2333,13 +1350,23 @@ RUNNER_TEST(privilege_control16_app_setup_path){ char *label = NULL; - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1)); + DB_BEGIN + + RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1)); + + DB_END + RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS)); labelPtr.reset(label); label = NULL; RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1)); - RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2)); + DB_BEGIN + + RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2)); + + DB_END + RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC)); labelPtr.reset(label); label = NULL; @@ -2351,182 +1378,157 @@ RUNNER_TEST(privilege_control16_app_setup_path){ RUNNER_ASSERT(labelPtr.get() == NULL); } -RUNNER_TEST(privilege_control17_appsettings_privilege) +RUNNER_TEST_SMACK(privilege_control17_appsettings_privilege) { -#define APP_1 "app_1" -#define APP_1_DIR "/tmp/app_1" - -#define APP_2 "app_2" -#define APP_2_DIR "/tmp/app_2" - -#define APP_TEST "app_test" - -#define PRIV_APPSETTING (const char*[]) {"http://tizen.org/privilege/appsetting", NULL} - - int ret; - char *app1_dir_label; - char *app2_dir_label; - //prepare test - - - (void)app_uninstall(APP_TEST); - (void)app_uninstall(APP_1); - (void)app_uninstall(APP_2); - - //install some app 1 - ret = app_install(APP_1); - RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install." << ret); - - mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP); - - //register settings folder for app 1 - ret = app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW ); - RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret); + test_appsettings_privilege(true); +} - //install "app_test" and give it appsettings privilege - ret = app_install(APP_TEST); - RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install."); +void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) { + int result; + DB_BEGIN - ret = app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true); + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_uninstall." << result); - RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << ret); + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_install." << result); - //check if "app_test" has an RX access to the app "app_1" - ret = smack_have_access(APP_TEST, APP_1, "rx"); - RUNNER_ASSERT_MSG(ret,"access denies"); + DB_END + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " Unable to clean up Smack labels in " << TEST_APP_DIR); - //check if "app_test" has an RWX access to a folder registered by "app_1" - ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS ); - RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed"); - ret = smack_have_access(APP_TEST, app1_dir_label, "rwx"); - RUNNER_ASSERT_MSG(ret,"access denies"); + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " Unable to clean up Smack labels in " << TEST_NON_APP_DIR); + DB_BEGIN - //intstall another app: "app_2" - ret = app_install(APP_2); - RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install."); + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " perm_app_setup_path() failed"); - mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP); - //register settings folder for that "app_2" - ret = app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW ); - RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret); + DB_END - //check if "app_test" has an RX access to the app "app_2" - ret = smack_have_access(APP_TEST, APP_2, "rx"); - RUNNER_ASSERT_MSG(ret,"access denies"); + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " Unable to check Smack labels for non-app dir"); - //check if "app_test" has an RWX access to a folder registered by "app_2" - ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS ); - RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed"); - ret = smack_have_access(APP_TEST, app2_dir_label, "rwx"); - RUNNER_ASSERT_MSG(ret,"access denies"); + DB_BEGIN - free (app1_dir_label); - free (app2_dir_label); - rmdir(APP_1_DIR); - rmdir(APP_2_DIR); + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_uninstall." << result); - (void)app_uninstall(APP_TEST); - (void)app_uninstall(APP_1); - (void)app_uninstall(APP_2); + DB_END } -RUNNER_TEST(privilege_control18_app_setup_path_public) +RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public) { - int result; - - cleaning_smack_database_files(); - add_lables_to_db(); - - result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR); - - result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); - - result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed"); - - result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir"); - - result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); + test_app_setup_path(__LINE__, APP_PATH_PUBLIC_RO); +} - cleaning_smack_database_files(); +RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings) +{ + test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW); } -RUNNER_TEST(privilege_control19_app_setup_path_settings) +RUNNER_TEST_SMACK(privilege_control20_app_setup_path_npruntime) { - int result; + int result = 0; + CStringPtr labelPtr; + std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime"; + char *label = NULL; - cleaning_smack_database_files(); - add_lables_to_db(); + DB_BEGIN - result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR); + result = perm_app_uninstall(APP_NPRUNTIME); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result); - result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); + result = perm_app_install(APP_NPRUNTIME); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install. " << result); - result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW); - RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed"); + result = perm_app_setup_path(APP_NPRUNTIME, APP_NPRUNTIME_FILE, PERM_APP_PATH_NPRUNTIME); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path. " << result); - result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir"); + DB_END - result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); + RUNNER_ASSERT(0 == smack_lgetlabel(APP_NPRUNTIME_FILE, &label, SMACK_LABEL_EXEC)); + labelPtr.reset(label); + label = NULL; + RUNNER_ASSERT(0 == strcmp(labelPtr.get(), nptargetlabel.c_str())); + + // Rules to test + const std::vector< std::vector > np_rules = { + { APP_NPRUNTIME, nptargetlabel, "rw" }, + { nptargetlabel, APP_NPRUNTIME, "rxat" }, + { nptargetlabel, "system::homedir", "rxat" }, + { nptargetlabel, "xorg", "rw" }, + { nptargetlabel, "crash-worker", "rwxa" }, + { nptargetlabel, "sys-assert::core", "rwxat" }, + { nptargetlabel, "syslogd", "rw" }, + }; + + // Test smack accesses + result = test_have_all_accesses(np_rules); + RUNNER_ASSERT_MSG(result == 1, "Not all permissions added."); + + DB_BEGIN + + result = perm_app_uninstall(APP_NPRUNTIME); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result); - cleaning_smack_database_files(); + DB_END } -RUNNER_TEST(privilege_control20_early_rules) +RUNNER_TEST(privilege_control21_early_rules) { + RUNNER_IGNORED_MSG("early rules are not implemented"); + int result; - int fd = -1; int pass_1 = 0; int pass_2 = 0; char *single_line_format = NULL; char *perm = NULL; FILE *file = NULL; - char subject[SMACK_LABEL_LEN + 1]; - char object[SMACK_LABEL_LEN + 1]; - char rule_add[6]; // "rwxat" + '\0' - char rule_remove[6]; // "rwxat" + '\0' - subject[SMACK_LABEL_LEN] = '\0'; - object[SMACK_LABEL_LEN] = '\0'; - rule_add[5] = '\0'; - rule_remove[5] = '\0'; + char subject[SMACK_LABEL_LEN + 1] = {0}; + char object[SMACK_LABEL_LEN + 1] = {0}; + char rule_add[SMACK_ACC_LEN + 1] = {0}; + char rule_remove[SMACK_ACC_LEN + 1] = {0}; - unlink(SMACK_RULES_DIR APP_ID); + DB_BEGIN - app_uninstall(APP_ID); + perm_app_uninstall(APP_ID); - result = app_install(APP_ID); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno)); - result = app_install(APP_TEST_APP_1); - RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result << ". Errno: " << strerror(errno)); + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + result = perm_app_install(APP_TEST_APP_1); + RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - // checking if file really exists - fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY); - close(fd); - RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno)); - fd = -1; + DB_END + + TestLibPrivilegeControlDatabase db_test; + db_test.test_db_after__perm_app_install(TRACE_FROM_HERE, APP_ID); + db_test.test_db_after__perm_app_install(TRACE_FROM_HERE, APP_TEST_APP_1); + + DB_BEGIN - result = app_enable_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm, 1); + result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm, 1); RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result); - result = app_enable_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm, 1); + result = perm_app_enable_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm, 1); RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result); + DB_END + file = fopen(SMACK_STARTUP_RULES_FILE, "r"); RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno)); - result = asprintf(&single_line_format, "%%%ds %%%ds %%5s %%5s\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN); + result = asprintf(&single_line_format, "%%%ds %%%ds %%%ds %%%ds\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN, SMACK_ACC_LEN, SMACK_ACC_LEN); while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) { if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) { @@ -2538,8 +1540,6 @@ RUNNER_TEST(privilege_control20_early_rules) continue; } } - free(single_line_format); - single_line_format = NULL; fclose(file); file = NULL; @@ -2548,16 +1548,16 @@ RUNNER_TEST(privilege_control20_early_rules) // Checking if "early rule" for APP_ID was really removed // We also should make sure that "early rules" for other apps wasn't removed - result = app_uninstall(APP_ID); - RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result << ". Errno: " << strerror(errno)); + DB_BEGIN + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + DB_END pass_1 = 1; pass_2 = 0; file = fopen(SMACK_STARTUP_RULES_FILE, "r"); RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno)); - result = asprintf(&single_line_format, "%%%ds %%%ds %%5s %%5s\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN); - while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) { if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) { pass_1 = 0; // Found rule for APP_ID - it should NOT be here @@ -2568,8 +1568,6 @@ RUNNER_TEST(privilege_control20_early_rules) continue; } } - free(single_line_format); - single_line_format = NULL; fclose(file); file = NULL; @@ -2577,16 +1575,16 @@ RUNNER_TEST(privilege_control20_early_rules) RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found"); // Removing and checking "early rule" for APP_TEST_APP_1 - result = app_uninstall(APP_TEST_APP_1); - RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result << ". Errno: " << strerror(errno)); + DB_BEGIN + result = perm_app_uninstall(APP_TEST_APP_1); + RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + DB_END pass_1 = 1; pass_2 = 1; file = fopen(SMACK_STARTUP_RULES_FILE, "r"); RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno)); - result = asprintf(&single_line_format, "%%%ds %%%ds %%5s %%5s\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN); - while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) { if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) { pass_1 = 0; // Found rule for APP_ID - it should NOT be here @@ -2598,10 +1596,272 @@ RUNNER_TEST(privilege_control20_early_rules) } } free(single_line_format); - single_line_format = NULL; fclose(file); - file = NULL; RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found"); RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found"); } + +/** + * AV Privilege test cases. + * + * Each privilege_control24* test case tests antivirus privileges for each app_type_t, except for + * deprecated APP_TYPE_OTHER type. + */ + +int nftw_remove_dir(const char* filename, const struct stat* /*statptr*/, int /*fileflags*/, + struct FTW* /*pfwt*/) +{ + int result = -1; + + struct stat filestat; + + result = stat(filename, &filestat); + RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to get file statistics. Result: " + << result << ", error: " << strerror(errno) << ", file: " << filename); + + if(S_ISREG(filestat.st_mode)) { + result = unlink(filename); + RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to unlink file. Result: " + << result << ", error: " << strerror(errno) << ", file: " << filename); + } else if(S_ISDIR(filestat.st_mode)) { + result = rmdir(filename); + RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to remove dir. Result: " + << result << ", error: " << strerror(errno) << ", file: " << filename); + } + + return 0; +} + +void InstallApp(const char* pkg_id, const char* path, app_path_type_t app_path_type, + const char* shared_label) +{ + int result = -1; + + result = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP); + RUNNER_ASSERT_MSG(result == 0, "Can't create dir for tests. Result: " << result << + ", error: " << strerror(errno) << ", app_path_type: " << app_path_type); + + DB_BEGIN + + result = perm_app_revoke_permissions(pkg_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: " + << result << ", app_path_type: " << app_path_type); + result = perm_app_uninstall(pkg_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: " + << result << ", app_path_type: " << app_path_type); + + result = perm_app_install(pkg_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: " + << result << ", app_path_type: " << app_path_type); + result = perm_app_setup_path(pkg_id, path, app_path_type, shared_label); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_setup_path failed. Result: " + << result << ", app_path_type: " << app_path_type); + + DB_END +} + +void InstallAV(const char* av_id, app_type_t av_type) +{ + int result = -1; + + DB_BEGIN + + result = perm_app_revoke_permissions(av_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: " + << result << ", av_type: " << av_type); + result = perm_app_uninstall(av_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: " + << result << ", av_type: " << av_type); + + result = perm_app_install(av_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: " + << result << ", av_type: " << av_type); + result = perm_app_enable_permissions(av_id, av_type, PRIVS_AV, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "enable_permissions failed. Result: " + << result << ", av_type: " << av_type); + + DB_END +} + +void CheckAVPrivilege(app_type_t av_type, app_path_type_t app_path_type) +{ + int result = -1; + + //clean before test + result = nftw(APP_TEST_APP_1_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result << + ", error " << strerror(errno)); + + result = nftw(APP_TEST_APP_2_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result << + ", error " << strerror(errno)); + + result = nftw(APP_TEST_APP_3_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result << + ", error " << strerror(errno)); + + InstallApp(APP_TEST_APP_1, APP_TEST_APP_1_DIR, app_path_type, APP_TEST_APP_1_SHARED_LABEL); + InstallAV(APP_TEST_AV_1, av_type); + InstallApp(APP_TEST_APP_2, APP_TEST_APP_2_DIR, app_path_type, APP_TEST_APP_2_SHARED_LABEL); + InstallAV(APP_TEST_AV_2, av_type); + InstallApp(APP_TEST_APP_3, APP_TEST_APP_3_DIR, app_path_type, APP_TEST_APP_3_SHARED_LABEL); + + //test - get ACCESS label and check AV privilege + + char* tmp; + + //get labels + result = smack_lgetlabel(APP_TEST_APP_1_DIR, &tmp, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result + << ", av_type: " << av_type << ", app_path_type: " << app_path_type); + std::string label1(tmp); + free(tmp); + + result = smack_lgetlabel(APP_TEST_APP_2_DIR, &tmp, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result + << ", av_type: " << av_type << ", app_path_type: " << app_path_type); + std::string label2(tmp); + free(tmp); + + result = smack_lgetlabel(APP_TEST_APP_3_DIR, &tmp, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result + << ", av_type: " << av_type << ", app_path_type: " << app_path_type); + std::string label3(tmp); + free(tmp); + + if(app_path_type == APP_PATH_GROUP_RW) + { + result = label1.compare(APP_TEST_APP_1_SHARED_LABEL); + RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 << + ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result << + ", av_type: " << av_type << ", app_path_type: " << app_path_type); + + result = label2.compare(APP_TEST_APP_2_SHARED_LABEL); + RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 << + ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result << + ", av_type: " << av_type << ", app_path_type: " << app_path_type); + + result = label3.compare(APP_TEST_APP_3_SHARED_LABEL); + RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 << + ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result << + ", av_type: " << av_type << ", app_path_type: " << app_path_type); + } + + std::stringstream ss; + + //check AV accesses + if(smack_check()) + { + ss << "APP_TEST_APP_1, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_1, label1.c_str(), ss.str().c_str()); + ss.str(std::string()); + + ss << "APP_TEST_APP_2, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_1, label2.c_str(), ss.str().c_str()); + ss.str(std::string()); + + ss << "APP_TEST_APP_3, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_1, label3.c_str(), ss.str().c_str()); + + ss << "APP_TEST_APP_1, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_2, label1.c_str(), ss.str().c_str()); + ss.str(std::string()); + + ss << "APP_TEST_APP_2, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_2, label2.c_str(), ss.str().c_str()); + ss.str(std::string()); + + ss << "APP_TEST_APP_3, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_2, label3.c_str(), ss.str().c_str()); + } + else + { + ss << "APP_TEST_APP_1, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_1, label1.c_str(), ss.str().c_str()); + + ss.str(std::string()); + ss << "APP_TEST_APP_2, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_1, label2.c_str(), ss.str().c_str()); + + ss.str(std::string()); + ss << "APP_TEST_APP_3, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_1, label3.c_str(), ss.str().c_str()); + + ss << "APP_TEST_APP_1, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_2, label1.c_str(), ss.str().c_str()); + + ss.str(std::string()); + ss << "APP_TEST_APP_2, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_2, label2.c_str(), ss.str().c_str()); + + ss.str(std::string()); + ss << "APP_TEST_APP_3, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_2, label3.c_str(), ss.str().c_str()); + } + + DB_BEGIN + + //Clean up + perm_app_revoke_permissions(APP_TEST_AV_1); + perm_app_revoke_permissions(APP_TEST_AV_2); + perm_app_uninstall(APP_TEST_AV_1); + perm_app_uninstall(APP_TEST_AV_2); + perm_app_uninstall(APP_TEST_APP_1); + perm_app_uninstall(APP_TEST_APP_2); + perm_app_uninstall(APP_TEST_APP_3); + + DB_END +} + +RUNNER_TEST(privilege_control24a_av_privilege_group_rw) +{ + CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_GROUP_RW); + CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_GROUP_RW); + CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_GROUP_RW); +} + +RUNNER_TEST(privilege_control24b_av_privilege_settings_rw) +{ + CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_SETTINGS_RW); + CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_SETTINGS_RW); + CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_SETTINGS_RW); +} + +RUNNER_TEST(privilege_control24c_av_privilege_public_ro) +{ + CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_PUBLIC_RO); + CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_PUBLIC_RO); + CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_PUBLIC_RO); +} + +RUNNER_TEST(privilege_control25_test_libprivilege_strerror) { + int POSITIVE_ERROR_CODE = 1; + int NONEXISTING_ERROR_CODE = -239042; + const char *result; + + for (auto itr = error_codes.begin(); itr != error_codes.end(); ++itr) { + RUNNER_ASSERT_MSG(strcmp(perm_strerror(*itr), "Unknown error") != 0, + "Returned invalid error code description."); + } + + result = perm_strerror(POSITIVE_ERROR_CODE); + RUNNER_ASSERT_MSG(strcmp(result, "Unknown error") == 0, + "Bad message returned for invalid error code: \"" << result << "\""); + + result = perm_strerror(NONEXISTING_ERROR_CODE); + RUNNER_ASSERT_MSG(strcmp(result, "Unknown error") == 0, + "Bad message returned for invalid error code: \"" << result << "\""); +}