X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tests%2Flibprivilege-control-tests%2Ftest_cases.cpp;h=9eaca16d1efc6bd3a84882d1f74a703b18ae2fa9;hb=3d93f730121b94256e9c38a0b731cd031ac84455;hp=e52010e2630c1d64251908a716c023a8f88db624;hpb=8246487cba6ec7fdd9e57e2bf9cc85e082729496;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp index e52010e..9eaca16 100644 --- a/tests/libprivilege-control-tests/test_cases.cpp +++ b/tests/libprivilege-control-tests/test_cases.cpp @@ -23,78 +23,292 @@ */ #include +#include #include #include #include #include +#include #include #include +#include #include #include #include #include #include #include +#include +#include +#include +#include #include +#include +#include +#include - -#define SMACK_RULES_DIR "/etc/smack/accesses.d/" +#define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/" +#define SMACK_LOAD2 "/smack/load2" #define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir" #define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir" -#define APPID_ADD "test_APP_ID_add" -#define APPID_REVOKE "test_APP_ID_revoke" #define APPID_DIR "test_APP_ID_dir" #define APPID_SHARED_DIR "test_APP_ID_shared_dir" #define CANARY_LABEL "tiny_yellow_canary" -#define APP_SET_PRIV "test_APP" +#define APP_ID "test_APP" #define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP" +#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL" + +#define WGT_APP_ID "QwCqJ0ttyS" +#define WGT_PARTNER_APP_ID "7btsV1Y0sX" +#define WGT_PLATFORM_APP_ID "G4DE3U2vmW" +#define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123" +#define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner" +#define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform" +#define OSP_APP_ID "uqNfgEjqc7" +#define OSP_PARTNER_APP_ID "j4RuPsZrNt" +#define OSP_PLATFORM_APP_ID "V5LKqDFBXm" +#define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp" +#define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner" +#define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform" const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL }; +const char *PRIVS2[] = { "test_privilege_control_rules2", NULL }; +const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL }; +const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL }; +const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL }; +const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL }; +const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL }; + +#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list" +#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac" +#define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac" +#define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac" + +#define APP_TEST_APP_1 "test-application1" +#define APP_TEST_APP_2 "test-application_2" +#define APP_TEST_APP_3 "test-app-3" +#define APP_TEST_AV_1 "test-antivirus1" +#define APP_TEST_AV_2 "test-antivirus_2" +#define APP_TEST_AV_3 "test-av-3" + +#define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db" +#define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db" +#define SMACK_PUBLIC_DIRS_DATABASE "/opt/dbspace/.privilege_control_public_dirs.db" +#define SMACK_APPS_SETTINGS_LABELS_DATABASE "/opt/dbspace/.privilege_control_app_setting.db" +#define SMACK_SETTINGS_DIRS_DATABASE "/opt/dbspace/.privilege_control_setting_dir.db" + +#define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1" +#define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2" +#define APP_TEST_AV_ASP1 "test-app-av-asp1" +#define APP_TEST_AV_ASP2 "test-app-av-asp2" + +#define SOCK_PATH "/tmp/test-smack-socket" #define APP_GID 5000 #define APP_UID 5000 #define APP_USER_NAME "app" #define APP_HOME_DIR "/opt/home/app" +#define APP_FRIEND_1 "app_friend_1" +#define APP_FRIEND_2 "app_friend_2" + // How many open file descriptors should ftw() function use? #define FTW_MAX_FDS 16 // Rules from test_privilege_control_rules.smack -const std::vector< std::vector > rulesAdd = { - { APPID_ADD, "test_book_1", "r" }, - { APPID_ADD, "test_book_2", "w" }, - { APPID_ADD, "test_book_3", "x" }, - { APPID_ADD, "test_book_4", "rw" }, - { APPID_ADD, "test_book_5", "rx" }, - { APPID_ADD, "test_book_6", "wx" }, - { APPID_ADD, "test_book_7", "rwx" }, - { "test_subject_1", APPID_ADD, "r" }, - { "test_subject_2", APPID_ADD, "w" }, - { "test_subject_3", APPID_ADD, "x" }, - { "test_subject_4", APPID_ADD, "rw" }, - { "test_subject_5", APPID_ADD, "rx" }, - { "test_subject_6", APPID_ADD, "wx" }, - { "test_subject_7", APPID_ADD, "rwx" }, - { APPID_ADD, APPID_SHARED_DIR, "rwxat"}}; - +const std::vector< std::vector > rules = { + { APP_ID, "test_book_1", "r" }, + { APP_ID, "test_book_2", "w" }, + { APP_ID, "test_book_3", "x" }, + { APP_ID, "test_book_4", "rw" }, + { APP_ID, "test_book_5", "rx" }, + { APP_ID, "test_book_6", "wx" }, + { APP_ID, "test_book_7", "rwx" }, + { "test_subject_1", APP_ID, "r" }, + { "test_subject_2", APP_ID, "w" }, + { "test_subject_3", APP_ID, "x" }, + { "test_subject_4", APP_ID, "rw" }, + { "test_subject_5", APP_ID, "rx" }, + { "test_subject_6", APP_ID, "wx" }, + { "test_subject_7", APP_ID, "rwx" }, + { APP_ID, APPID_SHARED_DIR, "rwxat"}}; + +// Rules from test_privilege_control_rules2.smack +const std::vector< std::vector > rules2 = { + { APP_ID, "test_book_8", "r" }, + { APP_ID, "test_book_9", "w" }, + { APP_ID, "test_book_10", "x" }, + { APP_ID, "test_book_11", "rw" }, + { APP_ID, "test_book_12", "rx" }, + { APP_ID, "test_book_13", "wx" }, + { APP_ID, "test_book_14", "rwx" }, + { APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", APP_ID, "r" }, + { "test_subject_9", APP_ID, "w" }, + { "test_subject_10", APP_ID, "x" }, + { "test_subject_11", APP_ID, "rw" }, + { "test_subject_12", APP_ID, "rx" }, + { "test_subject_13", APP_ID, "wx" }, + { "test_subject_14", APP_ID, "rwx" }, + { "test_subject_15", APP_ID, "rwxat" }}; + +// Rules from test_privilege_control_rules_no_r.smack +const std::vector< std::vector > rules2_no_r = { + { APP_ID, "test_book_9", "w" }, + { APP_ID, "test_book_10", "x" }, + { APP_ID, "test_book_11", "w" }, + { APP_ID, "test_book_12", "x" }, + { APP_ID, "test_book_13", "wx" }, + { APP_ID, "test_book_14", "wx" }, + { APP_ID, "test_book_15", "wxat" }, + { "test_subject_9", APP_ID, "w" }, + { "test_subject_10", APP_ID, "x" }, + { "test_subject_11", APP_ID, "w" }, + { "test_subject_12", APP_ID, "x" }, + { "test_subject_13", APP_ID, "wx" }, + { "test_subject_14", APP_ID, "wx" }, + { "test_subject_15", APP_ID, "wxat" }}; // Rules from test_privilege_control_rules.smack -const std::vector< std::vector > rulesRevoke = { - { APPID_REVOKE, "test_book_1", "r" }, - { APPID_REVOKE, "test_book_2", "w" }, - { APPID_REVOKE, "test_book_3", "x" }, - { APPID_REVOKE, "test_book_4", "rw" }, - { APPID_REVOKE, "test_book_5", "rx" }, - { APPID_REVOKE, "test_book_6", "wx" }, - { APPID_REVOKE, "test_book_7", "rwx" }, - { "test_subject_1", APPID_REVOKE, "r" }, - { "test_subject_2", APPID_REVOKE, "w" }, - { "test_subject_3", APPID_REVOKE, "x" }, - { "test_subject_4", APPID_REVOKE, "rw" }, - { "test_subject_5", APPID_REVOKE, "rx" }, - { "test_subject_6", APPID_REVOKE, "wx" }, - { "test_subject_7", APPID_REVOKE, "rwx" }}; +// minus test_privilege_control_rules_no_r.smack +const std::vector< std::vector > rules2_r = { + { APP_ID, "test_book_8", "r" }, + { APP_ID, "test_book_11", "r" }, + { APP_ID, "test_book_12", "r" }, + { APP_ID, "test_book_14", "r" }, + { APP_ID, "test_book_15", "r" }, + { "test_subject_8", APP_ID, "r" }, + { "test_subject_11", APP_ID, "r" }, + { "test_subject_12", APP_ID, "r" }, + { "test_subject_14", APP_ID, "r" }, + { "test_subject_15", APP_ID, "r" }}; + +// Rules from test_privilege_control_rules_wgt.smack for wgt +const std::vector< std::vector > rules_wgt = { + { WGT_APP_ID, "test_book_8", "r" }, + { WGT_APP_ID, "test_book_9", "w" }, + { WGT_APP_ID, "test_book_10", "x" }, + { WGT_APP_ID, "test_book_11", "rw" }, + { WGT_APP_ID, "test_book_12", "rx" }, + { WGT_APP_ID, "test_book_13", "wx" }, + { WGT_APP_ID, "test_book_14", "rwx" }, + { WGT_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", WGT_APP_ID, "r" }, + { "test_subject_9", WGT_APP_ID, "w" }, + { "test_subject_10", WGT_APP_ID, "x" }, + { "test_subject_11", WGT_APP_ID, "rw" }, + { "test_subject_12", WGT_APP_ID, "rx" }, + { "test_subject_13", WGT_APP_ID, "wx" }, + { "test_subject_14", WGT_APP_ID, "rwx" }, + { "test_subject_15", WGT_APP_ID, "rwxat" }}; + +// Rules from test_privilege_control_rules_wgt.smack for wgt_partner +const std::vector< std::vector > rules_wgt_partner = { + { WGT_PARTNER_APP_ID, "test_book_8", "r" }, + { WGT_PARTNER_APP_ID, "test_book_9", "w" }, + { WGT_PARTNER_APP_ID, "test_book_10", "x" }, + { WGT_PARTNER_APP_ID, "test_book_11", "rw" }, + { WGT_PARTNER_APP_ID, "test_book_12", "rx" }, + { WGT_PARTNER_APP_ID, "test_book_13", "wx" }, + { WGT_PARTNER_APP_ID, "test_book_14", "rwx" }, + { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", WGT_PARTNER_APP_ID, "r" }, + { "test_subject_9", WGT_PARTNER_APP_ID, "w" }, + { "test_subject_10", WGT_PARTNER_APP_ID, "x" }, + { "test_subject_11", WGT_PARTNER_APP_ID, "rw" }, + { "test_subject_12", WGT_PARTNER_APP_ID, "rx" }, + { "test_subject_13", WGT_PARTNER_APP_ID, "wx" }, + { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" }, + { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }}; + +// Rules from test_privilege_control_rules_wgt.smack for wgt_platform +const std::vector< std::vector > rules_wgt_platform = { + { WGT_PLATFORM_APP_ID, "test_book_8", "r" }, + { WGT_PLATFORM_APP_ID, "test_book_9", "w" }, + { WGT_PLATFORM_APP_ID, "test_book_10", "x" }, + { WGT_PLATFORM_APP_ID, "test_book_11", "rw" }, + { WGT_PLATFORM_APP_ID, "test_book_12", "rx" }, + { WGT_PLATFORM_APP_ID, "test_book_13", "wx" }, + { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" }, + { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", WGT_PLATFORM_APP_ID, "r" }, + { "test_subject_9", WGT_PLATFORM_APP_ID, "w" }, + { "test_subject_10", WGT_PLATFORM_APP_ID, "x" }, + { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" }, + { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" }, + { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" }, + { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" }, + { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }}; + +// Rules from test_privilege_control_rules_osp.smack for osp +const std::vector< std::vector > rules_osp = { + { OSP_APP_ID, "test_book_8", "r" }, + { OSP_APP_ID, "test_book_9", "w" }, + { OSP_APP_ID, "test_book_10", "x" }, + { OSP_APP_ID, "test_book_11", "rw" }, + { OSP_APP_ID, "test_book_12", "rx" }, + { OSP_APP_ID, "test_book_13", "wx" }, + { OSP_APP_ID, "test_book_14", "rwx" }, + { OSP_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", OSP_APP_ID, "r" }, + { "test_subject_9", OSP_APP_ID, "w" }, + { "test_subject_10", OSP_APP_ID, "x" }, + { "test_subject_11", OSP_APP_ID, "rw" }, + { "test_subject_12", OSP_APP_ID, "rx" }, + { "test_subject_13", OSP_APP_ID, "wx" }, + { "test_subject_14", OSP_APP_ID, "rwx" }, + { "test_subject_15", OSP_APP_ID, "rwxat" }}; + +// Rules from test_privilege_control_rules_osp.smack for osp_partner +const std::vector< std::vector > rules_osp_partner = { + { OSP_PARTNER_APP_ID, "test_book_8", "r" }, + { OSP_PARTNER_APP_ID, "test_book_9", "w" }, + { OSP_PARTNER_APP_ID, "test_book_10", "x" }, + { OSP_PARTNER_APP_ID, "test_book_11", "rw" }, + { OSP_PARTNER_APP_ID, "test_book_12", "rx" }, + { OSP_PARTNER_APP_ID, "test_book_13", "wx" }, + { OSP_PARTNER_APP_ID, "test_book_14", "rwx" }, + { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", OSP_PARTNER_APP_ID, "r" }, + { "test_subject_9", OSP_PARTNER_APP_ID, "w" }, + { "test_subject_10", OSP_PARTNER_APP_ID, "x" }, + { "test_subject_11", OSP_PARTNER_APP_ID, "rw" }, + { "test_subject_12", OSP_PARTNER_APP_ID, "rx" }, + { "test_subject_13", OSP_PARTNER_APP_ID, "wx" }, + { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" }, + { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" }}; + +// Rules from test_privilege_control_rules_osp.smack for osp_platform +const std::vector< std::vector > rules_osp_platform = { + { OSP_PLATFORM_APP_ID, "test_book_8", "r" }, + { OSP_PLATFORM_APP_ID, "test_book_9", "w" }, + { OSP_PLATFORM_APP_ID, "test_book_10", "x" }, + { OSP_PLATFORM_APP_ID, "test_book_11", "rw" }, + { OSP_PLATFORM_APP_ID, "test_book_12", "rx" }, + { OSP_PLATFORM_APP_ID, "test_book_13", "wx" }, + { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" }, + { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", OSP_PLATFORM_APP_ID, "r" }, + { "test_subject_9", OSP_PLATFORM_APP_ID, "w" }, + { "test_subject_10", OSP_PLATFORM_APP_ID, "x" }, + { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" }, + { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" }, + { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" }, + { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" }, + { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }}; + +namespace { + +typedef std::unique_ptr> SmackUniquePtr; + +const char* OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack"; +const char* WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack"; +const char* OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack"; +const char* OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac"; +const char* WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac"; +const char* OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac"; +const char* BLAHBLAH_FEATURE = "http://feature/blah/blahblah"; /** * Check if every rule is true. @@ -124,10 +338,8 @@ int test_have_any_accesses(const std::vector< std::vector >& rules) return 0; } -RUNNER_TEST_GROUP_INIT(libprivilegecontrol) - -static int nftw_remove_labels(const char *fpath, const struct stat *sb, - int typeflag, struct FTW *ftwbuf) +int nftw_remove_labels(const char *fpath, const struct stat * /*sb*/, + int /*typeflag*/, struct FTW * /*ftwbuf*/) { smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS); smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC); @@ -136,8 +348,8 @@ static int nftw_remove_labels(const char *fpath, const struct stat *sb, return 0; } -static int nftw_set_labels_non_app_dir(const char *fpath, const struct stat *sb, - int typeflag, struct FTW *ftwbuf) +int nftw_set_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/, + int /*typeflag*/, struct FTW * /*ftwbuf*/) { smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS); smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC); @@ -146,8 +358,8 @@ static int nftw_set_labels_non_app_dir(const char *fpath, const struct stat *sb, return 0; } -static int nftw_check_labels_non_app_dir(const char *fpath, const struct stat *sb, - int typeflag, struct FTW *ftwbuf) +int nftw_check_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/, + int /*typeflag*/, struct FTW * /*ftwbuf*/) { int result; char* label; @@ -172,8 +384,8 @@ static int nftw_check_labels_non_app_dir(const char *fpath, const struct stat *s return 0; } -static int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb, - int typeflag, struct FTW *ftwbuf) +int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW * /*ftwbuf*/) { int result; char* label; @@ -192,6 +404,18 @@ static int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb, RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); result = strcmp(APPID_DIR, label); RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect"); + } else if(S_ISLNK(sb->st_mode)) { + struct stat buf; + char* target = realpath(fpath, NULL); + RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath); + free(target); + if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) { + RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); + } else { + RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); + result = strcmp(APPID_DIR, label); + RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect"); + } } else RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); @@ -203,8 +427,8 @@ static int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb, return 0; } -static int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb, - int typeflag, struct FTW *ftwbuf) +int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW * /*ftwbuf*/) { int result; char* label; @@ -216,6 +440,10 @@ static int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat result = strcmp(APPID_SHARED_DIR, label); RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"); + result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat"); + RUNNER_ASSERT_MSG(result == 1, + "Error rwxat access was not given shared dir. Subject: " << + APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result); /* EXEC */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); @@ -234,10 +462,301 @@ static int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat return 0; } +int check_labels_dir(const char *fpath, const struct stat *sb, + const char* labels_db_path, const char* dir_db_path, + const char* access) +{ + int result; + char* label; + char* label_gen; + char* scanf_label_format; + char label_temp[SMACK_LABEL_LEN + 1]; + FILE* file_db; + + /* ACCESS */ + result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set"); + + /* EXEC */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); + if(result != 0){ + free(label_gen); + RUNNER_ASSERT_MSG(false, "Could not get label for the path"); + } + if(label != NULL){ + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set."); + } + + /* TRANSMUTE */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); + if(result != 0){ + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "Could not get label for the path"); + } + if (S_ISDIR(sb->st_mode)) { + if(label == NULL){ + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set"); + } + result = strcmp("TRUE", label); + if(result != 0){ + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE"); + } + } else if(label != NULL){ + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set"); + } + + free(label); + + if(0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)){ + free(label_gen); + RUNNER_ASSERT_MSG(false, "asprintf failed"); + } + + file_db = fopen(labels_db_path, "r"); + if(file_db == NULL){ + free(label_gen); + free(scanf_label_format); + RUNNER_ASSERT_MSG(false, "Can not open database for apps"); + } + while(fscanf(file_db, scanf_label_format, label_temp)==1){ + result = smack_have_access(label_temp, label_gen, access); + if(result != 1){ + fclose(file_db); + free(label_gen); + free(scanf_label_format); + RUNNER_ASSERT_MSG(false, + "Error " << access << " access was not given for subject: " + << label_temp << ". Result: " << result); + } + } + fclose(file_db); + + file_db = fopen(dir_db_path, "r"); + if(file_db == NULL){ + free(label_gen); + free(scanf_label_format); + RUNNER_ASSERT_MSG(false, "Can not open database for dirs"); + } + bool is_dir = false; + while(fscanf(file_db, scanf_label_format, label_temp)==1){ + if(strcmp(label_gen, label_temp) == 0){ + is_dir = true; + break; + } + } + free(scanf_label_format); + free(label_gen); + fclose(file_db); + + RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db."); + + return 0; +} + +int nftw_check_labels_app_public_dir(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW * /*ftwbuf*/) +{ + return check_labels_dir(fpath, sb, + SMACK_APPS_LABELS_DATABASE, + SMACK_PUBLIC_DIRS_DATABASE, "rx"); +} + +int nftw_check_labels_app_settings_dir(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW * /*ftwbuf*/) +{ + return check_labels_dir(fpath, sb, + SMACK_APPS_SETTINGS_LABELS_DATABASE, + SMACK_SETTINGS_DIRS_DATABASE, "rwx"); +} + +int file_exists(const char* path) +{ + FILE* file = fopen(path, "r"); + if (file) { + fclose(file); + return 0; + } + return -1; +} + +void osp_blahblah_check(int line_no, const std::vector& rules) +{ + std::ifstream smack_file(OSP_BLAHBLAH); + RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH); + + auto it = rules.begin(); + std::string line; + while(std::getline(smack_file,line)) { + RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line); + RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line); + it++; + } + + RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it); + + smack_file.close(); +} + +void osp_blahblah_dac_check(int line_no, const std::vector& gids) +{ + std::ifstream dac_file(OSP_BLAHBLAH_DAC); + RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC); + + auto it = gids.begin(); + std::string line; + while(std::getline(dac_file,line)) { + std::istringstream is(line); + unsigned gid; + is >> gid; + RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid); + RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid); + it++; + } + + RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it); + + dac_file.close(); +} + +void remove_smack_files() +{ + // TODO array + unlink(OSP_BLAHBLAH); + unlink(WRT_BLAHBLAH); + unlink(OTHER_BLAHBLAH); + unlink(OSP_BLAHBLAH_DAC); + unlink(WRT_BLAHBLAH_DAC); + unlink(OTHER_BLAHBLAH_DAC); +} + +int cleaning_smack_app_files (void) +{ + unlink(SMACK_RULES_DIR APP_TEST_APP_1); + + unlink(SMACK_RULES_DIR APP_TEST_APP_2); + + unlink(SMACK_RULES_DIR APP_TEST_APP_3); + + unlink(SMACK_RULES_DIR APP_TEST_AV_1); + + unlink(SMACK_RULES_DIR APP_TEST_AV_2); + + unlink(SMACK_RULES_DIR APP_TEST_AV_3); + + return 0; +} + +int cleaning_smack_database_files (void) +{ + int fd = -1; + + //clean app database + unlink(SMACK_APPS_LABELS_DATABASE); + fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); + if (fd == -1) { + return -1; + } + + //clean av database + unlink(SMACK_AVS_LABELS_DATABASE); + fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); + if (fd == -1) { + return -1; + } + + //clean app settings database + unlink(SMACK_APPS_SETTINGS_LABELS_DATABASE); + fd = open(SMACK_APPS_SETTINGS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); + if (fd == -1) { + return -1; + } + + //clean public dirs database + unlink(SMACK_PUBLIC_DIRS_DATABASE); + fd = open(SMACK_PUBLIC_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); + if (fd == -1) { + return -1; + } + + //clean settings dirs database + unlink(SMACK_SETTINGS_DIRS_DATABASE); + fd = open(SMACK_SETTINGS_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644); + if (fd == -1) { + return -1; + } + + return 0; +} + +void add_lables_to_db() +{ + FILE* file_db; + + file_db = fopen(SMACK_AVS_LABELS_DATABASE, "a"); + RUNNER_ASSERT_MSG(file_db != NULL, "Error database file " + << SMACK_AVS_LABELS_DATABASE << " can not be opened to apend!"); + if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) { + fclose(file_db); + RUNNER_ASSERT_MSG(false, "Error writing to database file"); + } + if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) { + fclose(file_db); + RUNNER_ASSERT_MSG(false, "Error writing to database file"); + } + fclose(file_db); + + file_db = fopen(SMACK_APPS_SETTINGS_LABELS_DATABASE, "a"); + RUNNER_ASSERT_MSG(file_db != NULL, "Error database file " + << SMACK_APPS_SETTINGS_LABELS_DATABASE << " can not be opened to apend!"); + if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) { + fclose(file_db); + RUNNER_ASSERT_MSG(false, "Error writing to database file"); + } + if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) { + fclose(file_db); + RUNNER_ASSERT_MSG(false, "Error writing to database file"); + } + fclose(file_db); + + file_db = fopen(SMACK_APPS_LABELS_DATABASE, "a"); + RUNNER_ASSERT_MSG(file_db != NULL, "Error database file " + << SMACK_APPS_LABELS_DATABASE << " can not be opened to apend!"); + if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) { + fclose(file_db); + RUNNER_ASSERT_MSG(false, "Error writing to database file"); + } + if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) { + fclose(file_db); + RUNNER_ASSERT_MSG(false, "Error writing to database file"); + } + if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) { + fclose(file_db); + RUNNER_ASSERT_MSG(false, "Error writing to database file"); + } + if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) { + fclose(file_db); + RUNNER_ASSERT_MSG(false, "Error writing to database file"); + } + fclose(file_db); +} +} // namespace + +RUNNER_TEST_GROUP_INIT(libprivilegecontrol) + /** * Test setting labels for all files and folders in given path. */ -RUNNER_TEST(privilege_control01_app_label_dir) +RUNNER_TEST(privilege_control02_app_label_dir) { int result; @@ -247,8 +766,8 @@ RUNNER_TEST(privilege_control01_app_label_dir) result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); - result = app_label_dir(APPID_DIR, TEST_APP_DIR); - RUNNER_ASSERT_MSG(result == 0, "app_label_dir() failed"); + result = app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE); + RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed"); result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir"); @@ -257,18 +776,21 @@ RUNNER_TEST(privilege_control01_app_label_dir) RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); } -RUNNER_TEST(privilege_control02_app_label_shared_dir) +RUNNER_TEST(privilege_control03_app_label_shared_dir) { int result; + result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID); + RUNNER_ASSERT_MSG(result != 0, "app_setup_path(APP_ID, APP_ID) didn't fail"); + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR); result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); - result = app_label_shared_dir(APPID_ADD, APPID_SHARED_DIR, TEST_APP_DIR); - RUNNER_ASSERT_MSG(result == 0, "app_label_shared_dir() failed"); + result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR); + RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed"); result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir"); @@ -277,28 +799,21 @@ RUNNER_TEST(privilege_control02_app_label_shared_dir) RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); } - /** * Add permisions from test_privilege_control_rules template */ -RUNNER_TEST(privilege_control03_add_permissions) +RUNNER_TEST(privilege_control04_add_permissions) { - char* path; - - int result = app_add_permissions(APPID_ADD, PRIVS); + int result = app_add_permissions(APP_ID, PRIVS); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app permissions. Errno: " << result); + " Error adding app permissions. Result: " << result); // Check if the accesses are realy applied.. - result = test_have_all_accesses(rulesAdd); + result = test_have_all_accesses(rules); RUNNER_ASSERT_MSG(result==1, "Permissions not added."); - ///Investigate created SMACK rules files.. - RUNNER_ASSERT_MSG(asprintf(&path, SMACK_RULES_DIR "%s", APPID_ADD) != -1, - "Error in asprintf"); - //// File exists? - FILE *pFile = fopen(path, "rb"); + FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); RUNNER_ASSERT_MSG(pFile != NULL, "SMACK file NOT created!. Errno: " << errno); @@ -308,76 +823,335 @@ RUNNER_TEST(privilege_control03_add_permissions) RUNNER_ASSERT_MSG(smack_file_length>0, "SMACK file empty, but privileges list was not empty.. Errno: " << errno); - // Clean up - result = app_revoke_permissions(APPID_ADD); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Errno: " << result); - if (pFile != NULL) fclose(pFile); } - /** * Revoke permissions from the list. Should be executed as privileged user. */ -RUNNER_TEST(privilege_control04_revoke_permissions) +RUNNER_CHILD_TEST(privilege_control06_revoke_permissions) { int result; + int fd; - // Prepare permissions that we want to revoke - result = app_add_permissions(APPID_REVOKE, PRIVS); + // Revoke permissions + result = app_revoke_permissions(APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app permissions. Errno: " << result); + "Error revoking app permissions. Result: " << result); - // Revoke permissions - result = app_revoke_permissions(APPID_REVOKE); + result = app_revoke_permissions(WGT_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = app_revoke_permissions(WGT_PARTNER_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = app_revoke_permissions(WGT_PLATFORM_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + result = app_revoke_permissions(OSP_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = app_revoke_permissions(OSP_PARTNER_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Errno: " << result); + "Error revoking app permissions. Result: " << result); + result = app_revoke_permissions(OSP_PLATFORM_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); // Are all the permissions revoked? - result = test_have_all_accesses(rulesRevoke); + result = test_have_any_accesses(rules); + RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked."); + result = test_have_any_accesses(rules_wgt); + RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked."); + result = test_have_any_accesses(rules_wgt_partner); + RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked."); + result = test_have_any_accesses(rules_wgt_platform); + RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked."); + + result = test_have_any_accesses(rules); RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked."); + result = test_have_any_accesses(rules_osp); + RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked."); + result = test_have_any_accesses(rules_osp_partner); + RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked."); + result = test_have_any_accesses(rules_osp_platform); + RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked."); + + FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file removed!. Errno: " << errno); + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + int smack_file_length = ftell(pFile); + if (pFile != NULL) + fclose(pFile); + RUNNER_ASSERT_MSG(smack_file_length==0, + "SMACK file not empty.. Errno: " << errno); + + pFile = fopen(SMACK_RULES_DIR WGT_APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file removed!. Errno: " << errno); + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + if (pFile != NULL) + fclose(pFile); + RUNNER_ASSERT_MSG(smack_file_length==0, + "SMACK file not empty.. Errno: " << errno); - // Investigate SMACK rules file - char* path; - RUNNER_ASSERT_MSG(asprintf(&path, SMACK_RULES_DIR "%s", APPID_REVOKE) != -1, - "Error in asprintf"); + pFile = fopen(SMACK_RULES_DIR WGT_PARTNER_APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file removed!. Errno: " << errno); + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + if (pFile != NULL) + fclose(pFile); + RUNNER_ASSERT_MSG(smack_file_length==0, + "SMACK file not empty.. Errno: " << errno); + + pFile = fopen(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file removed!. Errno: " << errno); + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + if (pFile != NULL) + fclose(pFile); + RUNNER_ASSERT_MSG(smack_file_length==0, + "SMACK file not empty.. Errno: " << errno); - //// Is the smack file deleted? - FILE *pFile = fopen(path, "rb"); - RUNNER_ASSERT_MSG(pFile == NULL, - "SMACK file NOT deleted after revoking ALL privileges. Errno: " << errno); + pFile = fopen(SMACK_RULES_DIR OSP_APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file removed!. Errno: " << errno); + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + if (pFile != NULL) + fclose(pFile); + RUNNER_ASSERT_MSG(smack_file_length==0, + "SMACK file not empty.. Errno: " << errno); - RUNNER_ASSERT_MSG(errno == ENOENT, - "SMACK file NOT deleted after revoking ALL privileges. Errno: " << errno); + pFile = fopen(SMACK_RULES_DIR OSP_PARTNER_APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file removed!. Errno: " << errno); + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + if (pFile != NULL) + fclose(pFile); + RUNNER_ASSERT_MSG(smack_file_length==0, + "SMACK file not empty.. Errno: " << errno); + pFile = fopen(SMACK_RULES_DIR OSP_PLATFORM_APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file removed!. Errno: " << errno); + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); if (pFile != NULL) fclose(pFile); + RUNNER_ASSERT_MSG(smack_file_length==0, + "SMACK file not empty.. Errno: " << errno); +} + +static void read_gids(std::set &set, const char* file_path) +{ + FILE *f = fopen(file_path, "r"); + RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path); + unsigned gid; + while (fscanf(f, "%u\n", &gid) == 1) { + set.insert(gid); + } +} + +RUNNER_TEST(privilege_control05_add_shared_dir_readers) +{ + +#define TEST_OBJ "TEST_OBJECT" +#define TEST_OBJ_SOME_OTHER "TEST_OBJA" +#define test_string_01 "TEST_raz TEST_OBJECT r-x-- -----" +#define test_string_21 "TEST_trzy TEST_OBJA -wx--\n" +#define test_string_22 "TEST_trzy TEST_OBJECT r-x-- -----\n" + + int result; + int i; + int fd = -1; + char *path; + + const char *app_labels_wrong[] = {"-TEST_raz", NULL}; + const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL}; + const int READ_BUF_SIZE = 1000; + char buf[READ_BUF_SIZE]; + FILE *file = NULL; + struct smack_accesses * rules = NULL; + + //test what happens when the label is not correct SMACK label + result = smack_accesses_new(&rules); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result); + + result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong); + RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here"); + + result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx"); + RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here"); + + smack_accesses_free(rules); + + //ok, now the correct list of apps + result = smack_accesses_new(&rules); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result); + + for (i = 0; i < 3; i++) { + + (void)app_uninstall(app_labels[i]); + result = app_install(app_labels[i]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in app_install."); + + RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i])); + fd = open(path, O_WRONLY, 0644); + RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path); + + if (i == 1) { + result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt"); + RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed"); + } + if (i == 2) { + smack_accesses_free(rules); + result = smack_accesses_new(&rules); + result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx"); + RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed"); + } + result = smack_accesses_apply(rules); + RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed"); + + result = smack_accesses_save(rules, fd); + RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed"); + + free(path); + close(fd); + + } + + smack_accesses_free(rules); + + // THE TEST - accesses + + result = add_shared_dir_readers(TEST_OBJ,app_labels); + RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed"); + + result = smack_have_access(app_labels[0],TEST_OBJ,"rx"); + RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); + + result = smack_have_access(app_labels[1],TEST_OBJ,"rx"); + RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); + + result = smack_have_access(app_labels[2],TEST_OBJ,"rx"); + RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); + + result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt"); + RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); + + result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx"); + RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR"); + + + //TEST the operations on empty files + + RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0])); + file = fopen(path, "r"); + + RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno); + + RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file)); + result = strcmp(buf, test_string_01); + RUNNER_ASSERT_MSG( result!=0, "add_shared_dir_readers ERROR, file not formatted" << path ); + + free(path); + fclose(file); + + //TEST the operations on non empty files + RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2])); + file = NULL; + file = fopen(path, "r"); + RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno); + + RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file)); + result = strcmp(buf, test_string_21); + RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" ); + + RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file)); + result = strcmp(buf, test_string_22); + RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" ); + + free(path); + fclose(file); } + /** * Set APP privileges. */ -RUNNER_TEST(privilege_control05_set_app_privilege) + +void check_groups(const char* dac_file) { + std::set groups_check; + read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST); + read_gids(groups_check, dac_file); + + int groups_cnt = getgroups(0, NULL); + RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt"); + gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t)); + RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed"); + RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list)); + + for (int i = 0; i < groups_cnt; ++i) { + //getgroups() can return multiple number of the same group + //they are returned in sequence, so we will given number when last + //element of this number is reached + if( (i < groups_cnt - 1) && (groups_list[i+1] == groups_list[i])) + continue; + if (groups_check.erase(groups_list[i]) == 0) { + // getgroups() may also return process' main group + if (groups_list[i] != getgid()) + RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")"); + } + } + free(groups_list); + std::string groups_left; + for (std::set::iterator it = groups_check.begin(); it != groups_check.end(); it++) { + groups_left.append(std::to_string(*it)).append(" "); + } + RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left); +} + +RUNNER_CHILD_TEST(privilege_control05_set_app_privilege) { int result; - char* labelApp = "test_pc_label"; // Preset exec label - smack_setlabel(APP_SET_PRIV_PATH,labelApp, SMACK_LABEL_EXEC); + smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC); + smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC); + + /** + * TODO This test should also verify set_app_privilege behavior for OSP and + * WRT apps. To do that we'll have to install real apps on device as a + * precondition. + */ // Set APP privileges - result = set_app_privilege(APP_SET_PRIV, NULL, APP_SET_PRIV_PATH); + result = set_app_privilege(APP_ID, NULL, APP_SET_PRIV_PATH); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); // Check if SMACK label really set char * label; result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == 0, "Error setting label for exec" << result); - result = strcmp(labelApp, label); - RUNNER_ASSERT_MSG(result == 0, "Label NOT set"); + RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); + RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); + result = strcmp(APP_ID, label); + RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); // Check if DAC privileges really set RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID"); @@ -388,5 +1162,1321 @@ RUNNER_TEST(privilege_control05_set_app_privilege) result = strcmp(getenv("USER"), APP_USER_NAME); RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME"); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE); +} + +/** + * Set APP privileges. wgt. + */ +RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt) +{ + int result; + + result = app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_all_accesses(rules_wgt); + RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + + result = set_app_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); + + // Check if SMACK label really set + char * label; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); + RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); + result = strcmp(WGT_APP_ID, label); + RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); + + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); + + +} + +/** + * Set APP privileges. wgt_partner. + */ +RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner) +{ + int result; + + result = app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_all_accesses(rules_wgt_partner); + RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + + result = set_app_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); + + // Check if SMACK label really set + char * label; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); + RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); + result = strcmp(WGT_PARTNER_APP_ID, label); + RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); } +/** + * Set APP privileges. wgt_platform. + */ +RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform) +{ + int result; + + result = app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_all_accesses(rules_wgt_platform); + RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + + result = set_app_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); + + // Check if SMACK label really set + char * label; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); + RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); + result = strcmp(WGT_PLATFORM_APP_ID, label); + RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); +} + +/** + * Set APP privileges. osp app. + */ +RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp) +{ + int result; + + result = app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_all_accesses(rules_osp); + RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + + result = set_app_privilege(OSP_APP_ID, NULL, OSP_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); + + // Check if SMACK label really set + char * label; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); + RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); + result = strcmp(OSP_APP_ID, label); + RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); +} + +/** + * Set APP privileges. partner osp app. + */ +RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_partner) +{ + int result; + + result = app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_all_accesses(rules_osp_partner); + RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + + result = set_app_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); + + // Check if SMACK label really set + char * label; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); + RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); + result = strcmp(OSP_PARTNER_APP_ID, label); + RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); +} + +/** + * Set APP privileges. platform osp app. + */ +RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_platform) +{ + int result; + + result = app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_all_accesses(rules_osp_platform); + RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + + result = set_app_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result); + + // Check if SMACK label really set + char * label; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == 0, "Error getting current process label"); + RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); + result = strcmp(OSP_PLATFORM_APP_ID, label); + RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); +} + +RUNNER_TEST(privilege_control08_app_give_access) +{ + const char *subject = "lkjq345v34sfa"; + const char *object = "lk9290f92lkjz"; + smack_accesses *tmp = NULL; + + RUNNER_ASSERT(0 == smack_accesses_new(&tmp)); + + SmackUniquePtr smack(tmp, smack_accesses_free); + + RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "r--a-")); + RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); + + app_give_access(subject, object, "wt"); + + RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwat")); + RUNNER_ASSERT(0 == smack_have_access(subject, object, "x")); + + app_revoke_access(subject, object); + + RUNNER_ASSERT(1 == smack_have_access(subject, object, "ra")); + RUNNER_ASSERT(0 == smack_have_access(subject, object, "w")); + RUNNER_ASSERT(0 == smack_have_access(subject, object, "x")); + RUNNER_ASSERT(0 == smack_have_access(subject, object, "t")); + + RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-")); + RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); +} + +RUNNER_TEST(privilege_control09_app_give_access) +{ + const char *subject = "ljk132flkjv"; + const char *object = "jjsiqsc32vs"; + smack_accesses *tmp = NULL; + + RUNNER_ASSERT(0 == smack_accesses_new(&tmp)); + + SmackUniquePtr smack(tmp, smack_accesses_free); + + RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "---t-")); + RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); + + RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rw")); + RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rwx")); + + RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxt")); + RUNNER_ASSERT(0 == smack_have_access(subject, object, "a")); + + RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_revoke_access(subject, object)); + + RUNNER_ASSERT(1 == smack_have_access(subject, object, "t")); + RUNNER_ASSERT(0 == smack_have_access(subject, object, "r")); + RUNNER_ASSERT(0 == smack_have_access(subject, object, "w")); + RUNNER_ASSERT(0 == smack_have_access(subject, object, "x")); + RUNNER_ASSERT(0 == smack_have_access(subject, object, "a")); + + RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----")); + RUNNER_ASSERT(0 == smack_accesses_apply(smack.get())); +} + +/** + * Add new API feature + */ +RUNNER_TEST(privilege_control11_add_api_feature) +{ + int result; + + remove_smack_files(); + + + // argument validation + result = add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0); + RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + + result = add_api_feature(APP_TYPE_OSP,"" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + + + // already existing features + result = add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + + result = add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + + result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + + result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + + result = add_api_feature(APP_TYPE_OTHER,"http://messaging" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + + result = add_api_feature(APP_TYPE_OTHER,"messaging.read" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + + + // empty features + result = add_api_feature(APP_TYPE_OSP,"blahblah" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + + result = add_api_feature(APP_TYPE_WGT,"blahblah" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + + result = add_api_feature(APP_TYPE_OTHER,"blahblah" , NULL, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + + + // smack files existence + result = file_exists(OSP_BLAHBLAH); + RUNNER_ASSERT(result == -1); + + result = file_exists(WRT_BLAHBLAH); + RUNNER_ASSERT(result == -1); + + result = file_exists(OTHER_BLAHBLAH); + RUNNER_ASSERT(result == -1); + + + // empty rules + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , { NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + result = file_exists(OSP_BLAHBLAH); + RUNNER_ASSERT(result == -1); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "", NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + result = file_exists(OSP_BLAHBLAH); + RUNNER_ASSERT(result == 0); + remove_smack_files(); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + result = file_exists(OSP_BLAHBLAH); + RUNNER_ASSERT(result == 0); + remove_smack_files(); + + + // malformed rules + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed", NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + result = file_exists(OSP_BLAHBLAH); + RUNNER_ASSERT(result == -1); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed", NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + result = file_exists(OSP_BLAHBLAH); + RUNNER_ASSERT(result == -1); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "-malformed malformed rwxat", NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + result = file_exists(OSP_BLAHBLAH); + RUNNER_ASSERT(result == -1); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "~/\"\\ malformed rwxat", NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + result = file_exists(OSP_BLAHBLAH); + RUNNER_ASSERT(result == -1); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object rwxat something else", NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM); + result = file_exists(OSP_BLAHBLAH); + RUNNER_ASSERT(result == -1); + + + // correct rules + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed maaaaaalformed", NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + osp_blahblah_check(__LINE__, { "malformed malformed r--a- -----" }); + remove_smack_files(); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object foo", NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + osp_blahblah_check(__LINE__, { "subject object ----- -----" }); + remove_smack_files(); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ + "subject object\t rwxat", + " \t \n", + "subject2\tobject2 txarw", + "", + NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject2 object2 rwxat -----"}); + remove_smack_files(); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ + "Sub::jE,ct object a-RwX", + NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa- -----"}); + remove_smack_files(); + + // TODO For now identical/complementary rules are not merged. + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ + "subject object rwxat", + " \t \n", + "subject object txarw", + "", + NULL }, NULL, 0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + osp_blahblah_check(__LINE__, { "subject object rwxat -----", "subject object rwxat -----"}); + remove_smack_files(); + + + // empty group ids + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},0); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + osp_blahblah_check(__LINE__, { "a a ---a- -----"}); + result = file_exists(OSP_BLAHBLAH_DAC); + RUNNER_ASSERT(result == -1); + remove_smack_files(); + + + // valid group ids + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},3); + printf("%d \n", result); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + osp_blahblah_check(__LINE__, { "a a ---a- -----"}); + osp_blahblah_dac_check(__LINE__, {0,1,2}); + remove_smack_files(); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},1); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + osp_blahblah_check(__LINE__, { "a a ---a- -----"}); + osp_blahblah_dac_check(__LINE__, {0}); + remove_smack_files(); + + result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){1,1,1},3); + RUNNER_ASSERT(result == PC_OPERATION_SUCCESS); + osp_blahblah_check(__LINE__, { "a a ---a- -----"}); + osp_blahblah_dac_check(__LINE__, {1,1,1}); + remove_smack_files(); +} + +/* + * Check app_install function + */ +RUNNER_TEST(privilege_control01_app_install) +{ + int result; + char *path = NULL; + int fd = -1; + + unlink(SMACK_RULES_DIR APP_ID); + + app_uninstall(APP_ID); + + result = app_install(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); + + // checking if file really exists + fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY); + RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << path << " : " << result << ". Errno: " << strerror(errno)); + close(fd); + free(path); + + // try install second time app with the same ID - it should pass. + result = app_install(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); +} + +/* + * Check app_install function + */ +RUNNER_TEST(privilege_control07_app_uninstall) +{ + int result; + char *path = NULL; + int fd = -1; + + result = app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result <<". Errno: " << strerror(errno)); + + // checking if file really exists + fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY); + RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after app_uninstall"); + close(fd); + free(path); +} + +void checkOnlyAvAccess(const char* av_id, const char* app_id, const char* comment){ + int result; + result = smack_have_access(av_id, app_id, "rwx"); + RUNNER_ASSERT_MSG(result == 1, + "Error while checking " << av_id << " rwx access to " + << app_id << " " << comment << " Result: " << result); + result = smack_have_access(av_id, app_id, "a"); + RUNNER_ASSERT_MSG(result == 0, + "Error while checking " << av_id << " a access to " + << app_id << " " << comment << " Result: " << result); + result = smack_have_access(av_id, app_id, "t"); + RUNNER_ASSERT_MSG(result == 0, + "Error while checking " << av_id << " t access to " + << app_id << " " << comment << " Result: " << result); +} + +/* + * Check app_register_av function + * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install) + */ +RUNNER_TEST(privilege_control10_app_register_av) +{ + int result; + + // cleaning + smack_revoke_subject(APP_TEST_AV_1); + smack_revoke_subject(APP_TEST_AV_2); + + cleaning_smack_app_files(); + cleaning_smack_database_files(); + + // Adding two apps before antivir + result = app_install(APP_TEST_APP_1); + RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); + + result = app_install(APP_TEST_APP_2); + RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); + + // Adding antivir + result = app_register_av(APP_TEST_AV_1); + RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno)); + + // Checking added apps accesses + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)"); + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)"); + + // Adding third app + result = app_install(APP_TEST_APP_3); + RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno)); + + // Checking app accesses + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_install(APP_TEST_APP_3)"); + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_install(APP_TEST_APP_3)"); + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_install(APP_TEST_APP_3)"); + + // Adding second antivir + result = app_register_av(APP_TEST_AV_2); + RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno)); + + // Checking app accesses + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); + + // cleaning + smack_revoke_subject(APP_TEST_AV_1); + smack_revoke_subject(APP_TEST_AV_2); + + cleaning_smack_app_files(); + cleaning_smack_database_files(); +} + +/** + * Grant SMACK permissions based on permissions list. + */ +RUNNER_TEST(privilege_control11_app_enable_permissions) +{ + int result; + int smack_file_length; + FILE *pFile; + +/** + * Test - Enabling all permissions with persistant mode enabled + */ + + result = app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + // Check if the accesses are realy applied.. + result = test_have_all_accesses(rules2); + RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + + //// File exists? + pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file NOT created!. Errno: " << errno); + + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + RUNNER_ASSERT_MSG(smack_file_length>0, + "SMACK file empty with persistant mode 1. Errno: " << errno); + + if (pFile != NULL) + fclose(pFile); + + // Clean up + result = app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + +/** + * Test - Enabling all permissions with persistant mode disabled + */ + + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + // Check if the accesses are realy applied.. + result = test_have_all_accesses(rules2); + RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + + //// File exists? + pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file NOT created!. Errno: " << errno); + + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + RUNNER_ASSERT_MSG(smack_file_length==0, + "SMACK file not empty with persistant mode 0. Errno: " << errno); + + if (pFile != NULL) + fclose(pFile); + + // Clean up + result = app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + +/** + * Test - Enabling all permissions in two complementary files + */ + + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + // Check if the accesses are realy applied.. + result = test_have_all_accesses(rules2); + RUNNER_ASSERT_MSG(result==1, "Permissions not added."); + + //// File exists? + pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file NOT created!. Errno: " << errno); + + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + RUNNER_ASSERT_MSG(smack_file_length>0, + "SMACK file empty with persistant mode 1. Errno: " << errno); + + if (pFile != NULL) + fclose(pFile); + + // Clean up + result = app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + +/** + * Test - Enabling some permissions and then enabling complementary permissions + */ + + // Enable permission for rules 2 no r + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions without r. Result: " << result); + + // Check if the accesses are realy applied.. + result = test_have_all_accesses(rules2_no_r); + RUNNER_ASSERT_MSG(result==1, "Permissions without r not added."); + + //// File exists? + pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file NOT created!. Errno: " << errno); + + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + RUNNER_ASSERT_MSG(smack_file_length>0, + "SMACK file empty with persistant mode 1. Errno: " << errno); + + if (pFile != NULL) + fclose(pFile); + + // Enable permission for rules 2 + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app all permissions. Result: " << result); + + // Check if the accesses are realy applied.. + result = test_have_all_accesses(rules2); + RUNNER_ASSERT_MSG(result==1, "Permissions all not added."); + + // Clean up + result = app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + +/** + * Test - Enabling some permissions and then enabling all permissions + */ + + // Enable permission for rules 2 no r + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions without r. Result: " << result); + + // Check if the accesses are realy applied.. + result = test_have_all_accesses(rules2_no_r); + RUNNER_ASSERT_MSG(result==1, "Permissions without r not added."); + + //// File exists? + pFile = fopen(SMACK_RULES_DIR APP_ID, "rb"); + RUNNER_ASSERT_MSG(pFile != NULL, + "SMACK file NOT created!. Errno: " << errno); + + //// Is it empty? + fseek(pFile, 0L, SEEK_END); + smack_file_length = ftell(pFile); + RUNNER_ASSERT_MSG(smack_file_length>0, + "SMACK file empty with persistant mode 1. Errno: " << errno); + + if (pFile != NULL) + fclose(pFile); + + // Enable permission for rules 2 + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions with only r. Result: " << result); + + // Check if the accesses are realy applied.. + result = test_have_all_accesses(rules2); + RUNNER_ASSERT_MSG(result==1, "Permissions with only r not added."); + + // Clean up + result = app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); +} + +/* + * Until app_disable_permissions is not fixed this test should remain + * commented + */ +/** + * Remove previously granted SMACK permissions based on permissions list. + */ +/*RUNNER_TEST(privilege_control12_app_disable_permissions) +{ +*/ +/** + * Test - disable all granted permissions. + */ +/* int result; + + // Prepare permissions that we want to disable + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + // Disable permissions + result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error disabling app permissions. Result: " << result); + + // Are all the permissions disabled? + result = test_have_any_accesses(rules2); + RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled."); +*/ +/** + * Test - disable some granted permissions leaving non complementary and then disabling those too. + */ +/* + // Prepare permissions that will not be disabled + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error adding app first permissions. Result: " << result); + + // Prepare permissions that we want to disable + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error adding app second permissions. Result: " << result); + + // Disable second permissions + result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error disabling app second permissions. Result: " << result); + + // Are all second permissions disabled? + result = test_have_any_accesses(rules2); + RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled."); + + // Are all first permissions not disabled? + result = test_have_all_accesses(rules); + RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled."); + + // Disable first permissions + result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error disabling app first permissions. Result: " << result); + + // Are all second permissions disabled? + result = test_have_any_accesses(rules); + RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled."); +*/ +/** + * Test - disable only no r granted permissions. + */ +/* + // Prepare permissions + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error adding app permissions. Result: " << result); + + // Disable same permissions without r + result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error disabling app no r permissions. Result: " << result); + + // Is any r permissions disabled? + result = test_have_all_accesses(rules2_r); + RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled."); + // Are all no r permissions disabled? + result = test_have_any_accesses(rules2_no_r); + RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled."); + + // Prepare permissions + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error adding app no r permissions. Result: " << result); + + // Disable all permissions + result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error disabling app permissions. Result: " << result); +} +*/ +/** + * Reset SMACK permissions for an application by revoking all previously + * granted rules and enabling them again from a rules file from disk. + */ + +RUNNER_TEST(privilege_control13_app_reset_permissions) +{ + + int result; + +/** + * Test - doing reset and checking if rules exist again. + */ + + // Prepare permissions to reset + result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error adding app permissions. Result: " << result); + + // Reset permissions + result = app_reset_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error reseting app permissions. Result: " << result); + + // Are all second permissions not disabled? + result = test_have_all_accesses(rules2); + RUNNER_ASSERT_MSG(result==1, "Not all permissions added."); + + // Disable permissions + result = app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error disabling app permissions. Result: " << result); + +} + +/** + * Make two applications "friends", by giving them both full permissions on + * each other. + */ +RUNNER_TEST(privilege_control14_app_add_friend) +{ + int result; + +/** + * Test - making friends with no permissions on each other + */ + + result = app_revoke_permissions(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = app_revoke_permissions(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + app_uninstall(APP_FRIEND_1); + app_uninstall(APP_FRIEND_2); + + // Installing friends to be + result = app_install(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error installing first app. Result: " << result); + result = app_install(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error installing second app. Result: " << result); + + // Making friends + result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error making friends. Errno: " << result); + + // Checking if friends were made + result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat"); + RUNNER_ASSERT_MSG(result == 1, + " Error first one sided friednship failed. Result: " << result); + result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat"); + RUNNER_ASSERT_MSG(result == 1, + " Error second one sided friednship failed. Result: " << result); + + // Clean up + result = app_revoke_permissions(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = app_revoke_permissions(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + app_uninstall(APP_FRIEND_1); + app_uninstall(APP_FRIEND_2); + +/** + * Test - making friends with nonexisting friend + */ + + // Installing one friend + result = app_install(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error installing first app. Errno: " << result); + + // Adding imaginairy friend as second + result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error making friends (first) with imaginairy friend failed. Result: " + << result); + // Adding imaginairy friend as first + result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error making friends (second) with imaginairy friend failed. Result: " + << result); + // Clean up + result = app_revoke_permissions(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = app_revoke_permissions(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + app_uninstall(APP_FRIEND_1); + app_uninstall(APP_FRIEND_2); + +/** + * Test - making friends with some permissions already added + */ + unsigned int i; + unsigned int j; + + struct smack_accesses * rulesFriend = NULL; + + std::vector accessesFriend = + { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" }; + + // Installing friends to be + result = app_install(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error installing first app. Result: " << result); + result = app_install(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error installing second app. Result: " << result); + + for(i = 0; i= 0, "Fork failed"); + + smack_set_random_label_based_on_pid_on_self(); + + if (!pid) { /* child process, server */ + int sock, result; + + /* Set the process label before creating a socket */ + sock = socket(AF_UNIX, SOCK_STREAM, 0); + RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno)); + result = bind(sock, + (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un)); + if(result != 0){ + close(sock); + RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno)); + } + result = listen(sock, 1); + if(result != 0){ + close(sock); + RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno)); + } + smack_unix_sock_server(sock); + + /* Change the process label with listening socket */ + smack_unix_sock_server(sock); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "Fork failed"); + /* Now running two concurrent servers. + Test if socket label was unaffected by fork() */ + smack_unix_sock_server(sock); + /* Let's give the two servers different labels */ + smack_unix_sock_server(sock); + close(sock); + waitpid(pid, NULL, 0); + exit(0); + } else { /* parent process, client */ + sleep(1); /* Give server some time to setup listening socket */ + int i; + for (i = 0; i < 4; ++i) { + int sock; + int result; + char smack_label1[SMACK_LABEL_LEN + 1]; + char* smack_label2; + + sock = socket(AF_UNIX, SOCK_STREAM, 0); + RUNNER_ASSERT_MSG(sock >= 0, + "socket failed: " << strerror(errno)); + result = connect(sock, + (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un)); + if(result != 0){ + close(sock); + RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno)); + } + + alarm(2); + result = read(sock, smack_label1, SMACK_LABEL_LEN); + alarm(0); + if(result < 0){ + close(sock); + RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno)); + } + smack_label1[result] = '\0'; + smack_label2 = app_id_from_socket(sock); + if(smack_label2 == NULL){ + close(sock); + RUNNER_ASSERT_MSG(0, "app_id_from_socket failed"); + } + result = strcmp(smack_label1, smack_label2); + if(result != 0){ + close(sock); + RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1 + << "' != '" << smack_label2 << "-" << random() << "'"); + } + close(sock); + } + waitpid(pid, NULL, 0); + } +} + +RUNNER_TEST(privilege_control16_app_setup_path){ + const char *path1 = "/usr/share/privilege-control/app_setup_access_test"; + const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory"; + const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one"; + const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two"; + const char *label1 = "qwert123456za"; + const char *label2 = "trewq654123az"; + + std::unique_ptr> labelPtr(NULL,free); + + mkdir(path1,0); + mkdir(path2,0); + + int fd = creat(path3, S_IRWXU); + if (fd >= 0) + close(fd); + fd = creat(path4, S_IRWXU); + if (fd >= 0) + close(fd); + + char *label = NULL; + + RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1)); + RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS)); + labelPtr.reset(label); + label = NULL; + RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1)); + + RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2)); + RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC)); + labelPtr.reset(label); + label = NULL; + RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2)); + + RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC)); + labelPtr.reset(label); + label = NULL; + RUNNER_ASSERT(labelPtr.get() == NULL); +} + +RUNNER_TEST(privilege_control17_appsettings_privilege) +{ +#define APP_1 "app_1" +#define APP_1_DIR "/tmp/app_1" + +#define APP_2 "app_2" +#define APP_2_DIR "/tmp/app_2" + +#define APP_TEST "app_test" + +#define PRIV_APPSETTING (const char*[]){"http://tizen.org/privilege/appsetting", NULL} + + int ret; + char* app1_dir_label; + char* app2_dir_label; + //prepare test + + + (void)app_uninstall(APP_TEST); + (void)app_uninstall(APP_1); + (void)app_uninstall(APP_2); + + //install some app 1 + ret = app_install(APP_1); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install." << ret); + + mkdir(APP_1_DIR, S_IRWXU|S_IRGRP|S_IXGRP); + + //register settings folder for app 1 + ret = app_setup_path(APP_1, APP_1_DIR , APP_PATH_SETTINGS_RW ); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret); + + //install "app_test" and give it appsettings privilege + ret = app_install(APP_TEST); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install."); + + + ret = app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true); + + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << ret); + + //check if "app_test" has an RX access to the app "app_1" + ret = smack_have_access(APP_TEST, APP_1, "rx"); + RUNNER_ASSERT_MSG(ret,"access denies"); + + + //check if "app_test" has an RWX access to a folder registered by "app_1" + ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS ); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed"); + ret = smack_have_access(APP_TEST, app1_dir_label, "rwx"); + RUNNER_ASSERT_MSG(ret,"access denies"); + + + //intstall another app: "app_2" + ret = app_install(APP_2); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install."); + + mkdir(APP_2_DIR, S_IRWXU|S_IRGRP|S_IXGRP); + //register settings folder for that "app_2" + ret = app_setup_path(APP_2, APP_2_DIR , APP_PATH_SETTINGS_RW ); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret); + + //check if "app_test" has an RX access to the app "app_2" + ret = smack_have_access(APP_TEST, APP_2, "rx"); + RUNNER_ASSERT_MSG(ret,"access denies"); + + //check if "app_test" has an RWX access to a folder registered by "app_2" + ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS ); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed"); + ret = smack_have_access(APP_TEST, app2_dir_label, "rwx"); + RUNNER_ASSERT_MSG(ret,"access denies"); + + free (app1_dir_label); + free (app2_dir_label); + rmdir(APP_1_DIR); + rmdir(APP_2_DIR); + + (void)app_uninstall(APP_TEST); + (void)app_uninstall(APP_1); + (void)app_uninstall(APP_2); + + +} + +RUNNER_TEST(privilege_control18_app_setup_path_public) +{ + int result; + + cleaning_smack_database_files(); + add_lables_to_db(); + + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR); + + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); + + result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO); + RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed"); + + result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir"); + + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); + + cleaning_smack_database_files(); +} + +RUNNER_TEST(privilege_control19_app_setup_path_settings) +{ + int result; + + cleaning_smack_database_files(); + add_lables_to_db(); + + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR); + + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); + + result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW); + RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed"); + + result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir"); + + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); + + cleaning_smack_database_files(); +}