/*
- * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2016 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <fcntl.h>
#include <stdio.h>
-#include <memory.h>
#include <unistd.h>
-#include <attr/xattr.h>
-#include <linux/xattr.h>
-
#include <sys/inotify.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/un.h>
#include <sys/wait.h>
-#include <sys/smack.h>
#include <ctime>
#include <algorithm>
#include <fstream>
-#include <poll.h>
#include <regex>
#include <string>
#include <unordered_set>
#include <ftw.h>
#include <grp.h>
-#include <pwd.h>
-
-#include <security-manager.h>
+#include <poll.h>
#include <access_provider.h>
+#include <app_install_helper.h>
+#include <cynara_test_admin.h>
+#include <cynara_test_client.h>
#include <dpl/log/log.h>
#include <dpl/test/test_runner.h>
+#include <memory.h>
#include <passwd_access.h>
-#include <tests_common.h>
-#include <scoped_label.h>
+#include <service_manager.h>
#include <sm_api.h>
#include <sm_commons.h>
#include <sm_db.h>
#include <sm_request.h>
-#include <sm_sharing_request.h>
#include <sm_user_request.h>
-#include <app_install_helper.h>
#include <synchronization_pipe.h>
#include <temp_test_user.h>
+#include <tests_common.h>
#include <tzplatform.h>
#include <uds.h>
-#include <cynara_test_client.h>
-#include <cynara_test_admin.h>
-#include <service_manager.h>
-#include <cynara_test_admin.h>
-#include <memory.h>
using namespace SecurityManagerTest;
}
}
-std::string access_opposite(std::string &access) {
- static const std::map<char, int> access_mapping = {{'r', 0}, {'w', 1}, {'x', 2}, {'a', 3},
- {'t', 4}, {'l', 5}};
- //May write implies may lock
- if (access.find('w') != std::string::npos && access.find('l') == std::string::npos) {
- access.append("l");
- }
- std::string access_opposite = "rwxatl";
- for (char c : access) {
- access_opposite[access_mapping.at(c)] = '-';
- }
- auto it = std::remove_if(access_opposite.begin(), access_opposite.end(), [](char c) {return c == '-';});
- access_opposite.erase(it, access_opposite.end());
- return access_opposite;
-}
-
-void check_exact_smack_accesses(const std::string &subject, const std::string &object, const std::string &access) {
- std::string access_str(access);
- auto no_access = access_opposite(access_str);
- for (char c : access_str) {
- int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
- RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object << ">, <" << c << "> errno=" << strerror(errno));
- RUNNER_ASSERT_MSG(ret == 1, "Access " << c << " from " << subject << " to "
- << object << " not given");
- }
-
- for (char c : no_access) {
- int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
- RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object << ">, <" << c << "> errno=" << strerror(errno));
- RUNNER_ASSERT_MSG(ret == 0, "Access " << c << " from " << subject << " to "
- << object << " unnecessarily given");
- }
-}
-
-
-
+RUNNER_TEST_GROUP_INIT(SECRUTIY_MANAGER_POLICY)
RUNNER_TEST(security_manager_18_user_cynara_policy)
{
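Review bot: The group name in the added `RUNNER_TEST_GROUP_INIT(SECRUTIY_MANAGER_POLICY)` line is misspelled; the other groups this commit adds are spelled `SECURITY_MANAGER_CMD` and `SECURITY_MANAGER_GROUPS`, so this one should read `RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)`. If the runner selects or reports tests by group name (not visible here), the policy tests would not be found under the expected name. The body of security_manager_18_user_cynara_policy continues outside the hunk.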
admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
}
-RUNNER_TEST(security_manager_19_security_manager_cmd_install)
-{
- int ret;
- const int SUCCESS = 0;
- const int FAILURE = 256;
- const std::string app_id = "security_manager_10_app";
- const std::string pkg_id = "security_manager_10_pkg";
- const std::string username("sm_test_10_user_name");
- std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
- user.create();
- user.getUidString(uid_string);
- const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
- const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
- const std::string pkgopt = " --pkg=" + pkg_id;
- const std::string appopt = " --app=" + app_id;
- const std::string uidopt = " --uid=" + uid_string;
-
- mktreeSafe(path1.c_str(), 0);
- mktreeSafe(path2.c_str(), 0);
-
- const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
-
- struct operation {
- std::string command;
- int expected_result;
- };
- std::vector<struct operation> operations = {
- {"security-manager-cmd", FAILURE},//no option
- {"security-manager-cmd --blah", FAILURE},//blah option is not known
- {"security-manager-cmd --help", SUCCESS},
- {"security-manager-cmd --install", FAILURE},//no params
- {"security-manager-cmd -i", FAILURE},//no params
- {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
- {installcmd, SUCCESS},
- {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
- {installcmd + " --path " + path1 + " rw", SUCCESS},
- {installcmd + " --path " + path1, FAILURE},//no path type
- {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
- {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
- {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
- };
-
- for (auto &op : operations) {
- ret = system((op.command + " 1>/dev/null 2>&1").c_str());
- RUNNER_ASSERT_MSG(ret == op.expected_result,
- "Unexpected result for command '" << op.command <<"': "
- << ret << " Expected was: "<< op.expected_result);
- }
-}
-
-RUNNER_TEST(security_manager_20_security_manager_cmd_users)
-{
- int ret;
- const int SUCCESS = 0;
- const int FAILURE = 256;
- const std::string username("sm_test_11_user_name");
- std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
- user.create();
- user.getUidString(uid_string);
- const std::string uidopt = " --uid=" + uid_string;
-
- struct operation {
- std::string command;
- int expected_result;
- };
- std::vector<struct operation> operations = {
- {"security-manager-cmd --manage-users=remove", FAILURE},//no params
- {"security-manager-cmd -m", FAILURE},//no params
- {"security-manager-cmd -mr", FAILURE},//no uid
- {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
- {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
- {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
- {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
- {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
- {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
- {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
- {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
- };
-
- for (auto &op : operations) {
- ret = system((op.command + " 1>/dev/null 2>&1").c_str());
- RUNNER_ASSERT_MSG(ret == op.expected_result,
- "Unexpected result for command '" << op.command <<"': "
- << ret << " Expected was: "<< op.expected_result);
- }
-}
-
RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
{
const int BUFFER_SIZE = 128;
}
}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
+
+RUNNER_TEST(security_manager_19_security_manager_cmd_install)
+{
+ int ret;
+ const int SUCCESS = 0;
+ const int FAILURE = 256;
+ const std::string app_id = "security_manager_10_app";
+ const std::string pkg_id = "security_manager_10_pkg";
+ const std::string username("sm_test_10_user_name");
+ std::string uid_string;
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+ user.getUidString(uid_string);
+ const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
+ const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
+ const std::string pkgopt = " --pkg=" + pkg_id;
+ const std::string appopt = " --app=" + app_id;
+ const std::string uidopt = " --uid=" + uid_string;
+
+ mktreeSafe(path1.c_str(), 0);
+ mktreeSafe(path2.c_str(), 0);
+
+ const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
+
+ struct operation {
+ std::string command;
+ int expected_result;
+ };
+ std::vector<struct operation> operations = {
+ {"security-manager-cmd", FAILURE},//no option
+ {"security-manager-cmd --blah", FAILURE},//blah option is not known
+ {"security-manager-cmd --help", SUCCESS},
+ {"security-manager-cmd --install", FAILURE},//no params
+ {"security-manager-cmd -i", FAILURE},//no params
+ {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
+ {installcmd, SUCCESS},
+ {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
+ {installcmd + " --path " + path1 + " rw", SUCCESS},
+ {installcmd + " --path " + path1, FAILURE},//no path type
+ {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
+ {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
+ {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
+ };
+
+ for (auto &op : operations) {
+ ret = system((op.command + " 1>/dev/null 2>&1").c_str());
+ RUNNER_ASSERT_MSG(ret == op.expected_result,
+ "Unexpected result for command '" << op.command <<"': "
+ << ret << " Expected was: "<< op.expected_result);
+ }
+}
+
+RUNNER_TEST(security_manager_20_security_manager_cmd_users)
+{
+ int ret;
+ const int SUCCESS = 0;
+ const int FAILURE = 256;
+ const std::string username("sm_test_11_user_name");
+ std::string uid_string;
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+ user.getUidString(uid_string);
+ const std::string uidopt = " --uid=" + uid_string;
+
+ struct operation {
+ std::string command;
+ int expected_result;
+ };
+ std::vector<struct operation> operations = {
+ {"security-manager-cmd --manage-users=remove", FAILURE},//no params
+ {"security-manager-cmd -m", FAILURE},//no params
+ {"security-manager-cmd -mr", FAILURE},//no uid
+ {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
+ {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
+ {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
+ {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
+ {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
+ {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
+ {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
+ {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
+ };
+
+ for (auto &op : operations) {
+ ret = system((op.command + " 1>/dev/null 2>&1").c_str());
+ RUNNER_ASSERT_MSG(ret == op.expected_result,
+ "Unexpected result for command '" << op.command <<"': "
+ << ret << " Expected was: "<< op.expected_result);
+ }
+}
+
void setupPrivilegeGroups(const privileges_t &privileges, const std::vector<std::string> &groups)
{
TestSecurityManagerDatabase db;
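Review bot: Both added tests (security_manager_19 and security_manager_20) compare the raw return value of `system()` with `FAILURE = 256`, which is the wait-status encoding of exit code 1 rather than an exit code, so the assertion depends on the status layout and its message cannot tell a normal exit from a signal death or a failure to start the shell (`system()` returning -1). Since `<sys/wait.h>` is already included, decode the status instead: `const int FAILURE = 1;` and `RUNNER_ASSERT_MSG(WIFEXITED(ret) && WEXITSTATUS(ret) == op.expected_result, ...)`. The trailing comment on the `--usertype=mal` case still says `//ok, added` although FAILURE is expected; `//unknown user type` would match the expectation. The install test also leaves whatever `security-manager-cmd --install` registered in place; whether removing the TemporaryTestUser cleans that up is not visible here, so an explicit uninstall step or a comment stating that reliance would help.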
return groups;
}
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
+
RUNNER_TEST(security_manager_22_groups_get)
{
setupPrivilegeGroups(SM_ALLOWED_PRIVILEGES, SM_ALLOWED_GROUPS);
};
}
-namespace {
-const char *const owner_access = "rwxat";
-const char *const target_path_access = "rxl";
-const char *const target_dir_access = "x";
-const char *const no_access = "";
-
-void check_system_access(const std::string pathLabel, bool apply = true) {
- check_exact_smack_accesses("User", pathLabel, (apply ? owner_access : no_access));
- check_exact_smack_accesses("System", pathLabel, (apply ? owner_access : no_access));
-}
-
-void check_owner_access(const std::string &ownerLabel, const std::string &pathLabel, bool apply = true) {
- check_exact_smack_accesses(ownerLabel, pathLabel, (apply ? owner_access : no_access));
-}
-
-void check_target_access(const std::string &ownerPkgLabel, const std::string &targetLabel,
- const std::string &pathLabel, bool pathShared = true, bool anyPathShared = true) {
- check_exact_smack_accesses(targetLabel, pathLabel, (pathShared ? target_path_access : no_access));
- check_exact_smack_accesses(targetLabel, ownerPkgLabel, (anyPathShared ? target_dir_access : no_access));
-}
-
-void check_path_label(const std::string &path, const std::string &expectedLabel) {
- char *label = nullptr;
- int ret = smack_new_label_from_path(path.c_str(), XATTR_NAME_SMACK, 0, &label);
- RUNNER_ASSERT_MSG(ret > 0, "smack_new_label_from_path failed for " << path);
- SmackLabelPtr realLabel(label);
- RUNNER_ASSERT_MSG(realLabel.get() == expectedLabel, "Fetched label from " << path << " different"
- " than expected, is : " << realLabel.get() << " should be " << expectedLabel);
-}
-
-void createFile(const std::string &filePath)
-{
- //create temporary file and set label for it
- mode_t systemMask;
-
- unlink(filePath.c_str());
- //allow to create file with 777 rights
- systemMask = umask(0000);
- int fd = open(filePath.c_str(), O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
- //restore system mask
- umask(systemMask);
- RUNNER_ASSERT_ERRNO_MSG(fd > -1, "Unable to create file for tests");
-
- //for descriptor protection
- FdUniquePtr fd_ptr(&fd);
-
- //change owner and group to user APP
- int ret = chown(filePath.c_str(), APP_UID, APP_GID);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Unable to change file owner");
-}
-
-}
-
-RUNNER_TEST_GROUP_INIT(SECURIT_MANAGER_PRIVATE_SHARING)
-
-RUNNER_TEST(security_manager_30a_send_incomplete_req1)
-{
- SharingRequest request;
- Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
- request.setOwnerAppId("someOwner");
- Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
- request.setTargetAppId("someTarget");
- Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
-}
-
-RUNNER_TEST(security_manager_30b_send_incomplete_req2)
-{
- SharingRequest request;
- request.setTargetAppId("someTarget");
- Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
- request.setOwnerAppId("someOwner");
- Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
-}
-
-RUNNER_TEST(security_manager_30c_send_incomplete_req3)
-{
- SharingRequest request;
- const char *somePaths[] = {"path1", "path2"};
- request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
- Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
- request.setOwnerAppId("someOwner");
- Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
-}
-
-RUNNER_TEST(security_manager_30d_unknown_owner)
-{
- // This test depends on order of checks in security-manager service implementation
- SharingRequest request;
- request.setOwnerAppId("ImPrettySureIDontExist");
- request.setTargetAppId("IDontMatter");
- const char *somePaths[] = {"path1", "path2"};
- request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
- Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
-}
-
-struct PathInfo {
- const std::string &path;
- app_install_path_type path_type;
-};
-
-static InstallRequest createInstallReq(const std::string &appName, const std::string &pkgName,
- const std::vector<PathInfo> &paths){
- InstallRequest req;
- req.setAppId(appName);
- req.setPkgId(pkgName);
- for (const auto &pathInfo : paths) {
- req.addPath(pathInfo.path, pathInfo.path_type);
- }
- return req;
-}
-
-static InstallRequest createInstallReq(const AppInstallHelper &info,
- const std::vector<PathInfo> &paths = std::vector<PathInfo>()){
- return createInstallReq(info.getAppId(), info.getPkgId(), paths);
-}
-
-static void clearLabels(const std::string &path) {
- int result = nftw(path.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << path);
-}
-
-
-RUNNER_TEST(security_manager_30e_unknown_target)
-{
- // This test depends on order of checks in security-manager service implementation
- AppInstallHelper owner("installedApp");
- owner.revokeRules();
- owner.createInstallDir();
- InstallRequest ownerInst;
- ownerInst.setAppId(owner.getAppId());
- ownerInst.setPkgId(owner.getPkgId());
- Api::install(ownerInst);
-
- SharingRequest request;
- request.setOwnerAppId(owner.getAppId());
- request.setTargetAppId("NowImPrettySureIDontExist");
- const char *somePaths[] = {"path1", "path2"};
- request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
- Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
-
- Api::uninstall(ownerInst);
-}
-
-RUNNER_TEST(security_manager_30f_bad_paths)
-{
- // This test depends on order of checks in security-manager service implementation
- AppInstallHelper owner("installedApp");
- owner.revokeRules();
- owner.createInstallDir();
- InstallRequest ownerInst = createInstallReq(owner);
- Api::install(ownerInst);
-
- AppInstallHelper target("secondInstalledApp");
- target.revokeRules();
- target.createInstallDir();
- InstallRequest targetInst = createInstallReq(target);
- Api::install(targetInst);
-
- SharingRequest request;
- request.setOwnerAppId(owner.getAppId());
- request.setTargetAppId(target.getAppId());
-
- const char *somePath = "/tmp/somePath";
- createFile(somePath);
- const char *somePaths[] = {somePath};
- request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
- Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER);
-
- Api::uninstall(ownerInst);
- Api::uninstall(targetInst);
-}
-
-RUNNER_TEST(security_manager_31_simple_share)
-{
- std::vector<AppInstallHelper> helper {{"app31a"}, {"app31b"}};
- auto &owner = helper[0];
- auto &target = helper[1];
-
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
-
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1;
- std::string sharedPath = owner.getSharedPath();
- share1.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- Api::applySharing(share1);
-
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- Api::dropSharing(share1);
- check_system_access(pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
- check_path_label(sharedPath, owner.generatePkgLabel());
-
- Api::uninstall(ownerReq);
- Api::uninstall(targetReq);
-}
-
-RUNNER_TEST(security_manager_32_double_share)
-{
- std::vector<AppInstallHelper> helper {{"app32a"}, {"app32b"}};
- auto &owner = helper[0];
- auto &target = helper[1];
-
- // cleanup
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1;
- std::string sharedPath = owner.getSharedPath(0);
- share1.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- Api::applySharing(share1);
-
- TestSecurityManagerDatabase db;
- std::string pathLabel = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::applySharing(share1);
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::dropSharing(share1);
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::dropSharing(share1);
- check_system_access(pathLabel, false);
- check_owner_access(owner.generateAppLabel(), pathLabel, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel, false, false);
- check_path_label(sharedPath, owner.generatePkgLabel());
-
- Api::uninstall(ownerReq);
- Api::uninstall(targetReq);
-}
-RUNNER_TEST(security_manager_33_share_two_with_one)
-{
- std::vector<AppInstallHelper> helper {{"app33a"}, {"app33b"}};
- auto &owner = helper[0];
- auto &target = helper[1];
-
- // cleanup
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
- owner.createPrivateDir();
- owner.createSharedFile(0);
- owner.createSharedFile(1);
- clearLabels(owner.getInstallDir());
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW},
- PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1, share2;
- std::string sharedPath1 = owner.getSharedPath(0);
- std::string sharedPath2 = owner.getSharedPath(1);
- share1.setOwnerAppId(owner.getAppId());
- share2.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- share2.setTargetAppId(target.getAppId());
- const char *path1[] = {sharedPath1.c_str()};
- const char *path2[] = {sharedPath2.c_str()};
- share1.addPaths(path1, 1);
- share2.addPaths(path2, 1);
-
- Api::applySharing(share1);
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath1.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath1, pathLabel1);
-
- Api::applySharing(share2);
- std::string pathLabel2 = db.get_path_label(sharedPath2.c_str());
- RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2);
- RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for private shared paths should be unique!");
-
- check_system_access(pathLabel1);
- check_system_access(pathLabel2);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel2);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2);
- check_path_label(sharedPath1, pathLabel1);
- check_path_label(sharedPath2, pathLabel2);
-
- Api::dropSharing(share1);
- check_system_access(pathLabel1, false);
- check_system_access(pathLabel2);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2);
- check_path_label(sharedPath1, owner.generatePkgLabel());
- check_path_label(sharedPath2, pathLabel2);
-
- Api::dropSharing(share2);
- check_system_access(pathLabel1, false);
- check_system_access(pathLabel2, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel2, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2, false, false);
- check_path_label(sharedPath1, owner.generatePkgLabel());
- check_path_label(sharedPath2, owner.generatePkgLabel());
-
- Api::uninstall(ownerReq);
- Api::uninstall(targetReq);
-}
-
-RUNNER_TEST(security_manager_34_share_one_with_two)
-{
- std::vector<AppInstallHelper> helper {{"app34a"}, {"app34b"}, {"app34c"}};
- auto &owner = helper[0];
- auto &target1 = helper[1];
- auto &target2 = helper[2];
-
- // cleanup
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- for (size_t i = 1; i < helper.size(); i++) {
- InstallRequest targetReq = createInstallReq(helper[i]);
- Api::install(targetReq);
- }
-
- SharingRequest share1, share2;
- std::string sharedPath = owner.getSharedPath(0).c_str();
- share1.setOwnerAppId(owner.getAppId());
- share2.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target1.getAppId());
- share2.setTargetAppId(target2.getAppId());
-
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- share2.addPaths(path, 1);
-
- Api::applySharing(share1);
- TestSecurityManagerDatabase db;
- std::string pathLabel = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::applySharing(share2);
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::dropSharing(share1);
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::dropSharing(share2);
- check_system_access(pathLabel, false);
- check_owner_access(owner.generateAppLabel(), pathLabel, false);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
- check_path_label(sharedPath, owner.generatePkgLabel());
-
- Api::uninstall(ownerReq);
- for (size_t i = 1; i < helper.size(); i++) {
- InstallRequest targetReq = createInstallReq(helper[i]);
- Api::uninstall(targetReq);
- }
-}
-
-RUNNER_TEST(security_manager_35_share_two_with_two)
-{
- std::vector<AppInstallHelper> helper {{"app35a"}, {"app35b"}, {"app35c"}};
- auto &owner = helper[0];
- auto &target1 = helper[1];
- auto &target2 = helper[2];
-
- // cleanup
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
- owner.createPrivateDir();
- owner.createSharedFile(0);
- owner.createSharedFile(1);
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW},
- PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}});
-
- Api::install(ownerReq);
-
- for (size_t i = 1; i < helper.size(); i++) {
- InstallRequest targetReq = createInstallReq(helper[i]);
- Api::install(targetReq);
- }
-
- SharingRequest share1, share2;
- std::string sharedPath1 = owner.getSharedPath(0).c_str();
- std::string sharedPath2 = owner.getSharedPath(1).c_str();
- share1.setOwnerAppId(owner.getAppId());
- share2.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target1.getAppId());
- share2.setTargetAppId(target2.getAppId());
-
- const char *path1[] = {sharedPath1.c_str()};
- const char *path2[] = {sharedPath2.c_str()};
- share1.addPaths(path1, 1);
- share2.addPaths(path2, 1);
-
- Api::applySharing(share1);
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath1.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath1, pathLabel1);
-
- Api::applySharing(share2);
- std::string pathLabel2 = db.get_path_label(sharedPath2.c_str());
- RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2);
- RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for shared files should be unique!");
-
- check_system_access(pathLabel1);
- check_system_access(pathLabel2);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel2);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2);
- check_path_label(sharedPath1, pathLabel1);
- check_path_label(sharedPath2, pathLabel2);
-
- Api::dropSharing(share2);
- check_system_access(pathLabel1);
- check_system_access(pathLabel2, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel2, false);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false);
- check_path_label(sharedPath1, pathLabel1);
- check_path_label(sharedPath2, owner.generatePkgLabel());
-
- Api::dropSharing(share1);
- check_system_access(pathLabel1, false);
- check_system_access(pathLabel2, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel2, false);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1, false, false);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false);
- check_path_label(sharedPath1, owner.generatePkgLabel());
- check_path_label(sharedPath2, owner.generatePkgLabel());
- Api::uninstall(ownerReq);
- for (size_t i = 1; i < helper.size(); i++) {
- InstallRequest targetReq;
- targetReq.setAppId(helper[i].getAppId());
- targetReq.setPkgId(helper[i].getAppId());
- Api::uninstall(targetReq);
- }
-}
-
-RUNNER_TEST(security_manager_35_share_uninstall_target) {
- std::vector<AppInstallHelper> helper {{"app35aa"}, {"app35bb"}};
- auto &owner = helper[0];
- auto &target = helper[1];
-
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
-
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1;
- std::string sharedPath = owner.getSharedPath();
- share1.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- Api::applySharing(share1);
-
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- Api::uninstall(targetReq);
-
- check_system_access(pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
- check_path_label(sharedPath, owner.generatePkgLabel());
-
- Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
- Api::uninstall(ownerReq);
-}
-
-RUNNER_TEST(security_manager_35_share_uninstall_owner) {
- std::vector<AppInstallHelper> helper {{"app35aaa"}, {"app35bbb"}};
- auto &owner = helper[0];
- auto &target = helper[1];
-
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
-
- owner.createPrivateDir();
- owner.createSharedFile();
-
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1;
- std::string sharedPath = owner.getSharedPath();
- share1.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- Api::applySharing(share1);
-
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- owner.removePaths();
- Api::uninstall(ownerReq);
-
- check_system_access(pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
-
- Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
- Api::uninstall(targetReq);
-}
-
-RUNNER_TEST(security_manager_36_share_pkg_owner_uninstall) {
- std::vector<AppInstallHelper> helper {{"app36a", "pkg1"}, {"app36b", "pkg1"}, {"app36c", "pkg2"}};
- auto &owner = helper[0];
- auto &pkgApp = helper[1];
- auto &target = helper[2];
-
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
-
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest pkgAppReq = createInstallReq(pkgApp);
- Api::install(pkgAppReq);
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1;
- std::string sharedPath = owner.getSharedPath();
- share1.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- Api::applySharing(share1);
-
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- owner.removePaths();
- Api::uninstall(ownerReq);
-
- check_system_access(pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
-
- Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
- Api::uninstall(pkgAppReq);
- Api::uninstall(targetReq);
-}
-
-RUNNER_TEST(security_manager_36_share_pkg_owner_drop) {
- std::vector<AppInstallHelper> helper {{"app36aa", "pkg1"}, {"app36bb", "pkg1"}, {"app36cc", "pkg2"}};
- auto &owner = helper[0];
- auto &pkgApp = helper[1];
- auto &target = helper[2];
-
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
-
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest pkgAppReq = createInstallReq(pkgApp);
- Api::install(pkgAppReq);
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1;
- std::string sharedPath = owner.getSharedPath();
- share1.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- Api::applySharing(share1);
-
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- Api::dropSharing(share1);
-
- check_system_access(pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
- check_path_label(sharedPath, owner.generatePkgLabel());
-
- Api::uninstall(ownerReq);
- Api::uninstall(pkgAppReq);
- Api::uninstall(targetReq);
-}
-
-RUNNER_TEST(security_manager_36_share_pkg_target_uninstall) {
- std::vector<AppInstallHelper> helper {{"app36aaa", "pkg1"}, {"app36bbb", "pkg1"}, {"app36ccc", "pkg2"}};
- auto &owner = helper[0];
- auto &pkgApp = helper[1];
- auto &target = helper[2];
-
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
-
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest pkgAppReq = createInstallReq(pkgApp);
- Api::install(pkgAppReq);
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1;
- std::string sharedPath = owner.getSharedPath();
- share1.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- Api::applySharing(share1);
-
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- Api::uninstall(targetReq);
-
- check_system_access(pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
- check_path_label(sharedPath, owner.generatePkgLabel());
-
- Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
-
- Api::uninstall(ownerReq);
- Api::uninstall(pkgAppReq);
-}
-
-RUNNER_TEST(security_manager_37_pkg_double_share_target_uninstall) {
- std::vector<AppInstallHelper> helper {{"app37a", "pkg1"}, {"app37b", "pkg1"}, {"app37c", "pkg2"}};
- auto &owner = helper[0];
- auto &pkgApp = helper[1];
- auto &target = helper[2];
-
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
-
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest pkgAppReq = createInstallReq(pkgApp);
- Api::install(pkgAppReq);
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1;
- std::string sharedPath = owner.getSharedPath();
- share1.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- Api::applySharing(share1);
-
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- Api::applySharing(share1);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- Api::uninstall(targetReq);
-
- check_system_access(pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
- check_path_label(sharedPath, owner.generatePkgLabel());
-
- Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
-
- Api::uninstall(ownerReq);
- Api::uninstall(pkgAppReq);
-}
-
-RUNNER_TEST(security_manager_37_pkg_double_share_owner_uninstall) {
- std::vector<AppInstallHelper> helper {{"app37aa", "pkg1"}, {"app37bb", "pkg1"}, {"app37cc", "pkg2"}};
- auto &owner = helper[0];
- auto &pkgApp = helper[1];
- auto &target = helper[2];
-
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
-
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
- InstallRequest pkgAppReq = createInstallReq(pkgApp);
- Api::install(pkgAppReq);
- InstallRequest targetReq = createInstallReq(target);
- Api::install(targetReq);
-
- SharingRequest share1;
- std::string sharedPath = owner.getSharedPath();
- share1.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target.getAppId());
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- Api::applySharing(share1);
-
- TestSecurityManagerDatabase db;
- std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- Api::applySharing(share1);
-
- check_system_access(pathLabel1);
- check_owner_access(owner.generateAppLabel(), pathLabel1);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
- check_path_label(sharedPath, pathLabel1);
-
- owner.removePaths();
- Api::uninstall(ownerReq);
-
- check_system_access(pathLabel1, false);
- check_owner_access(owner.generateAppLabel(), pathLabel1, false);
- check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
- check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
-
- Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
-
- Api::uninstall(targetReq);
- Api::uninstall(pkgAppReq);
-}
-
-RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_target)
-{
- std::vector<AppInstallHelper> helper {{"app38a"}, {"app38b"}, {"app38c"}};
- auto &owner = helper[0];
- auto &target1 = helper[1];
- auto &target2 = helper[2];
-
- // cleanup
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
-
- InstallRequest targetReq1 = createInstallReq(target1);
- Api::install(targetReq1);
- InstallRequest targetReq2 = createInstallReq(target2);
- Api::install(targetReq2);
-
- SharingRequest share1, share2;
- std::string sharedPath = owner.getSharedPath(0).c_str();
- share1.setOwnerAppId(owner.getAppId());
- share2.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target1.getAppId());
- share2.setTargetAppId(target2.getAppId());
-
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- share2.addPaths(path, 1);
-
- Api::applySharing(share1);
- TestSecurityManagerDatabase db;
- std::string pathLabel = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::applySharing(share2);
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::uninstall(targetReq1);
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::dropSharing(share2);
- check_system_access(pathLabel, false);
- check_owner_access(owner.generateAppLabel(), pathLabel, false);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
- check_path_label(sharedPath, owner.generatePkgLabel());
-
- Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
- Api::uninstall(ownerReq);
- Api::uninstall(targetReq2);
-}
-
-RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_owner)
-{
- std::vector<AppInstallHelper> helper {{"app38aa"}, {"app38bb"}, {"app38cc"}};
- auto &owner = helper[0];
- auto &target1 = helper[1];
- auto &target2 = helper[2];
-
- // cleanup
- for (auto &e : helper) {
- e.revokeRules();
- e.createInstallDir();
- }
- owner.createPrivateDir();
- owner.createSharedFile();
- clearLabels(owner.getInstallDir());
-
- InstallRequest ownerReq = createInstallReq(owner,
- {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
- Api::install(ownerReq);
-
-
- InstallRequest targetReq1 = createInstallReq(target1);
- Api::install(targetReq1);
- InstallRequest targetReq2 = createInstallReq(target2);
- Api::install(targetReq2);
-
- SharingRequest share1, share2;
- std::string sharedPath = owner.getSharedPath(0).c_str();
- share1.setOwnerAppId(owner.getAppId());
- share2.setOwnerAppId(owner.getAppId());
- share1.setTargetAppId(target1.getAppId());
- share2.setTargetAppId(target2.getAppId());
-
- const char *path[] = {sharedPath.c_str()};
- share1.addPaths(path, 1);
- share2.addPaths(path, 1);
-
- Api::applySharing(share1);
- TestSecurityManagerDatabase db;
- std::string pathLabel = db.get_path_label(sharedPath.c_str());
- RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
-
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- Api::applySharing(share2);
- check_system_access(pathLabel);
- check_owner_access(owner.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
- check_path_label(sharedPath, pathLabel);
-
- owner.removePaths();
- Api::uninstall(ownerReq);
- check_system_access(pathLabel, false);
- check_owner_access(owner.generateAppLabel(), pathLabel,false);
- check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
- check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
-
- Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
- Api::dropSharing(share2, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
- Api::uninstall(targetReq1);
- Api::uninstall(targetReq2);
-}
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
return msg;
}
-
-
static void testSetLabelForSelf(const char *app_id, bool expected_success)
{
std::string label = generateAppLabel(app_id);
--- /dev/null
+/*
+ * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This has to be before xattr header, because it uses size_t and ssize_t and does not include this
+// I hate you, xattr
+#include <sys/types.h>
+#include <attr/xattr.h>
+#include <ftw.h>
+#include <string>
+#include <sys/smack.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <vector>
+
+#include <app_install_helper.h>
+#include <dpl/test/test_runner.h>
+#include <memory.h>
+#include <sm_api.h>
+#include <sm_commons.h>
+#include <sm_request.h>
+#include <sm_sharing_request.h>
+#include <tests_common.h>
+
+using namespace SecurityManagerTest;
+namespace {
+const char *const owner_access = "rwxat";
+const char *const target_path_access = "rxl";
+const char *const target_dir_access = "x";
+const char *const no_access = "";
+
+void check_system_access(const std::string pathLabel, bool apply = true) {
+ check_exact_smack_accesses("User", pathLabel, (apply ? owner_access : no_access));
+ check_exact_smack_accesses("System", pathLabel, (apply ? owner_access : no_access));
+}
+
+void check_owner_access(const std::string &ownerLabel, const std::string &pathLabel, bool apply = true) {
+ check_exact_smack_accesses(ownerLabel, pathLabel, (apply ? owner_access : no_access));
+}
+
+void check_target_access(const std::string &ownerPkgLabel, const std::string &targetLabel,
+ const std::string &pathLabel, bool pathShared = true, bool anyPathShared = true) {
+ check_exact_smack_accesses(targetLabel, pathLabel, (pathShared ? target_path_access : no_access));
+ check_exact_smack_accesses(targetLabel, ownerPkgLabel, (anyPathShared ? target_dir_access : no_access));
+}
+
+void check_path_label(const std::string &path, const std::string &expectedLabel) {
+ char *label = nullptr;
+ int ret = smack_new_label_from_path(path.c_str(), XATTR_NAME_SMACK, 0, &label);
+ RUNNER_ASSERT_MSG(ret > 0, "smack_new_label_from_path failed for " << path);
+ SmackLabelPtr realLabel(label);
+ RUNNER_ASSERT_MSG(realLabel.get() == expectedLabel, "Fetched label from " << path << " different"
+ " than expected, is : " << realLabel.get() << " should be " << expectedLabel);
+}
+
+void createFile(const std::string &filePath)
+{
+ //create temporary file and set label for it
+ mode_t systemMask;
+
+ unlink(filePath.c_str());
+ //allow to create file with 777 rights
+ systemMask = umask(0000);
+ int fd = open(filePath.c_str(), O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
+ //restore system mask
+ umask(systemMask);
+ RUNNER_ASSERT_ERRNO_MSG(fd > -1, "Unable to create file for tests");
+
+ //for descriptor protection
+ FdUniquePtr fd_ptr(&fd);
+
+ //change owner and group to user APP
+ int ret = chown(filePath.c_str(), APP_UID, APP_GID);
+ RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Unable to change file owner");
+}
+
+struct PathInfo {
+ const std::string &path;
+ app_install_path_type path_type;
+};
+
+InstallRequest createInstallReq(const std::string &appName, const std::string &pkgName,
+ const std::vector<PathInfo> &paths){
+ InstallRequest req;
+ req.setAppId(appName);
+ req.setPkgId(pkgName);
+ for (const auto &pathInfo : paths) {
+ req.addPath(pathInfo.path, pathInfo.path_type);
+ }
+ return req;
+}
+
+InstallRequest createInstallReq(const AppInstallHelper &info,
+ const std::vector<PathInfo> &paths = std::vector<PathInfo>()){
+ return createInstallReq(info.getAppId(), info.getPkgId(), paths);
+}
+
+void clearLabels(const std::string &path) {
+ int result = nftw(path.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << path);
+}
+
+}
+
+RUNNER_TEST_GROUP_INIT(SECURIT_MANAGER_PRIVATE_SHARING)
+
+RUNNER_TEST(security_manager_30a_send_incomplete_req1)
+{
+ SharingRequest request;
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setOwnerAppId("someOwner");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setTargetAppId("someTarget");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_30b_send_incomplete_req2)
+{
+ SharingRequest request;
+ request.setTargetAppId("someTarget");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setOwnerAppId("someOwner");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_30c_send_incomplete_req3)
+{
+ SharingRequest request;
+ const char *somePaths[] = {"path1", "path2"};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setOwnerAppId("someOwner");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_30d_unknown_owner)
+{
+ // This test depends on order of checks in security-manager service implementation
+ SharingRequest request;
+ request.setOwnerAppId("ImPrettySureIDontExist");
+ request.setTargetAppId("IDontMatter");
+ const char *somePaths[] = {"path1", "path2"};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+}
+
+RUNNER_TEST(security_manager_30e_unknown_target)
+{
+ // This test depends on order of checks in security-manager service implementation
+ AppInstallHelper owner("installedApp");
+ owner.revokeRules();
+ owner.createInstallDir();
+ InstallRequest ownerInst;
+ ownerInst.setAppId(owner.getAppId());
+ ownerInst.setPkgId(owner.getPkgId());
+ Api::install(ownerInst);
+
+ SharingRequest request;
+ request.setOwnerAppId(owner.getAppId());
+ request.setTargetAppId("NowImPrettySureIDontExist");
+ const char *somePaths[] = {"path1", "path2"};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(ownerInst);
+}
+
+RUNNER_TEST(security_manager_30f_bad_paths)
+{
+ // This test depends on order of checks in security-manager service implementation
+ AppInstallHelper owner("installedApp");
+ owner.revokeRules();
+ owner.createInstallDir();
+ InstallRequest ownerInst = createInstallReq(owner);
+ Api::install(ownerInst);
+
+ AppInstallHelper target("secondInstalledApp");
+ target.revokeRules();
+ target.createInstallDir();
+ InstallRequest targetInst = createInstallReq(target);
+ Api::install(targetInst);
+
+ SharingRequest request;
+ request.setOwnerAppId(owner.getAppId());
+ request.setTargetAppId(target.getAppId());
+
+ const char *somePath = "/tmp/somePath";
+ createFile(somePath);
+ const char *somePaths[] = {somePath};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER);
+
+ Api::uninstall(ownerInst);
+ Api::uninstall(targetInst);
+}
+
+RUNNER_TEST(security_manager_31_simple_share)
+{
+ std::vector<AppInstallHelper> helper {{"app31a"}, {"app31b"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_32_double_share)
+{
+ std::vector<AppInstallHelper> helper {{"app32a"}, {"app32b"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath(0);
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq);
+}
+RUNNER_TEST(security_manager_33_share_two_with_one)
+{
+ std::vector<AppInstallHelper> helper {{"app33a"}, {"app33b"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile(0);
+ owner.createSharedFile(1);
+ clearLabels(owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW},
+ PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1, share2;
+ std::string sharedPath1 = owner.getSharedPath(0);
+ std::string sharedPath2 = owner.getSharedPath(1);
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ share2.setTargetAppId(target.getAppId());
+ const char *path1[] = {sharedPath1.c_str()};
+ const char *path2[] = {sharedPath2.c_str()};
+ share1.addPaths(path1, 1);
+ share2.addPaths(path2, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath1.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath1, pathLabel1);
+
+ Api::applySharing(share2);
+ std::string pathLabel2 = db.get_path_label(sharedPath2.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2);
+ RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for private shared paths should be unique!");
+
+ check_system_access(pathLabel1);
+ check_system_access(pathLabel2);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel2);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2);
+ check_path_label(sharedPath1, pathLabel1);
+ check_path_label(sharedPath2, pathLabel2);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel1, false);
+ check_system_access(pathLabel2);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2);
+ check_path_label(sharedPath1, owner.generatePkgLabel());
+ check_path_label(sharedPath2, pathLabel2);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel1, false);
+ check_system_access(pathLabel2, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel2, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2, false, false);
+ check_path_label(sharedPath1, owner.generatePkgLabel());
+ check_path_label(sharedPath2, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_34_share_one_with_two)
+{
+ std::vector<AppInstallHelper> helper {{"app34a"}, {"app34b"}, {"app34c"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ for (size_t i = 1; i < helper.size(); i++) {
+ InstallRequest targetReq = createInstallReq(helper[i]);
+ Api::install(targetReq);
+ }
+
+ SharingRequest share1, share2;
+ std::string sharedPath = owner.getSharedPath(0).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ share2.addPaths(path, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share2);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel, false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ for (size_t i = 1; i < helper.size(); i++) {
+ InstallRequest targetReq = createInstallReq(helper[i]);
+ Api::uninstall(targetReq);
+ }
+}
+
+RUNNER_TEST(security_manager_35_share_two_with_two)
+{
+ std::vector<AppInstallHelper> helper {{"app35a"}, {"app35b"}, {"app35c"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile(0);
+ owner.createSharedFile(1);
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW},
+ PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}});
+
+ Api::install(ownerReq);
+
+ for (size_t i = 1; i < helper.size(); i++) {
+ InstallRequest targetReq = createInstallReq(helper[i]);
+ Api::install(targetReq);
+ }
+
+ SharingRequest share1, share2;
+ std::string sharedPath1 = owner.getSharedPath(0).c_str();
+ std::string sharedPath2 = owner.getSharedPath(1).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path1[] = {sharedPath1.c_str()};
+ const char *path2[] = {sharedPath2.c_str()};
+ share1.addPaths(path1, 1);
+ share2.addPaths(path2, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath1.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath1, pathLabel1);
+
+ Api::applySharing(share2);
+ std::string pathLabel2 = db.get_path_label(sharedPath2.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2);
+ RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for shared files should be unique!");
+
+ check_system_access(pathLabel1);
+ check_system_access(pathLabel2);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel2);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2);
+ check_path_label(sharedPath1, pathLabel1);
+ check_path_label(sharedPath2, pathLabel2);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel1);
+ check_system_access(pathLabel2, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel2, false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false);
+ check_path_label(sharedPath1, pathLabel1);
+ check_path_label(sharedPath2, owner.generatePkgLabel());
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel1, false);
+ check_system_access(pathLabel2, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel2, false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false);
+ check_path_label(sharedPath1, owner.generatePkgLabel());
+ check_path_label(sharedPath2, owner.generatePkgLabel());
+ Api::uninstall(ownerReq);
+ for (size_t i = 1; i < helper.size(); i++) {
+ InstallRequest targetReq;
+ targetReq.setAppId(helper[i].getAppId());
+ targetReq.setPkgId(helper[i].getAppId());
+ Api::uninstall(targetReq);
+ }
+}
+
+RUNNER_TEST(security_manager_35_share_uninstall_target) {
+ std::vector<AppInstallHelper> helper {{"app35aa"}, {"app35bb"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::uninstall(targetReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(ownerReq);
+}
+
+RUNNER_TEST(security_manager_35_share_uninstall_owner) {
+ std::vector<AppInstallHelper> helper {{"app35aaa"}, {"app35bbb"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_36_share_pkg_owner_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app36a", "pkg1"}, {"app36b", "pkg1"}, {"app36c", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(pkgAppReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_36_share_pkg_owner_drop) {
+ std::vector<AppInstallHelper> helper {{"app36aa", "pkg1"}, {"app36bb", "pkg1"}, {"app36cc", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::dropSharing(share1);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(pkgAppReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_36_share_pkg_target_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app36aaa", "pkg1"}, {"app36bbb", "pkg1"}, {"app36ccc", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::uninstall(targetReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(pkgAppReq);
+}
+
+RUNNER_TEST(security_manager_37_pkg_double_share_target_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app37a", "pkg1"}, {"app37b", "pkg1"}, {"app37c", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::applySharing(share1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::uninstall(targetReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(pkgAppReq);
+}
+
+RUNNER_TEST(security_manager_37_pkg_double_share_owner_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app37aa", "pkg1"}, {"app37bb", "pkg1"}, {"app37cc", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::applySharing(share1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(targetReq);
+ Api::uninstall(pkgAppReq);
+}
+
+RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_target)
+{
+ std::vector<AppInstallHelper> helper {{"app38a"}, {"app38b"}, {"app38c"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+
+ InstallRequest targetReq1 = createInstallReq(target1);
+ Api::install(targetReq1);
+ InstallRequest targetReq2 = createInstallReq(target2);
+ Api::install(targetReq2);
+
+ SharingRequest share1, share2;
+ std::string sharedPath = owner.getSharedPath(0).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ share2.addPaths(path, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share2);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::uninstall(targetReq1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel, false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq2);
+}
+
+RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_owner)
+{
+ std::vector<AppInstallHelper> helper {{"app38aa"}, {"app38bb"}, {"app38cc"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+
+ InstallRequest targetReq1 = createInstallReq(target1);
+ Api::install(targetReq1);
+ InstallRequest targetReq2 = createInstallReq(target2);
+ Api::install(targetReq2);
+
+ SharingRequest share1, share2;
+ std::string sharedPath = owner.getSharedPath(0).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ share2.addPaths(path, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share2);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel,false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::dropSharing(share2, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(targetReq1);
+ Api::uninstall(targetReq2);
+}