The new design provides only three ways of labelling a path in libprivilege-control.
See:
-> 'Added APP_PATH_PUBLIC and APP_PATH_FLOOR types to perm_app_setup_path function.'
Verification:
-> libprivilege-control-test --output=text --runignored
(following tests should pass:
-> privilege_control02_perm_app_setup_path_01_PRIVATE
-> privilege_control02_perm_app_setup_path_02_FLOOR
-> privilege_control02_perm_app_setup_path_03_PUBLIC_RO
-> privilege_control02_perm_app_setup_path_03_PUBLIC_RO_nosmack)
Change-Id: I90ffeaf1eac585bf0c999705940544263ac3214c
#define APP_ID "test_APP"
#define APPID_DIR "test_APP_ID_dir"
-#define APPID_SHARED_DIR "test_APP_ID_shared_dir"
#define APP_1 "app_1"
#define APP_1_DIR "/tmp/app_1"
int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
int /*typeflag*/, struct FTW* /*ftwbuf*/);
-int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
- int /*typeflag*/, struct FTW* /*ftwbuf*/);
+int nftw_check_labels_app_private_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/);
+int nftw_check_labels_app_floor_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/);
int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
int /*typeflag*/, struct FTW* /*ftwbuf*/);
int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
int /*typeflag*/, struct FTW* /*ftwbuf*/);
+void test_perm_app_setup_path_PUBLIC_RO(bool smack);
void test_revoke_permissions(int line_no, const char* app_id);
void test_app_enable_permissions_efl(bool smack);
void test_app_disable_permissions_efl(bool smack);
void test_app_disable_permissions(bool smack);
-void test_appsettings_privilege(bool smack);
bool check_all_accesses(bool smack, const rules_t &rules);
bool check_no_accesses(bool smack, const rules_t &rules);
}
int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
+ const char* correctLabel)
{
int result;
CStringPtr labelPtr;
/* ACCESS */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- labelPtr.reset(label);
RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG_BT(labelPtr.get() != NULL, "ACCESS label on " << fpath << " is not set");
- result = strcmp(USER_APP_ID, labelPtr.get());
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(correctLabel, label);
RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect");
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- labelPtr.reset(label);
RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
- RUNNER_ASSERT_MSG_BT(labelPtr.get() != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(USER_APP_ID, labelPtr.get());
+ RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set");
+ result = strcmp(correctLabel, label);
RUNNER_ASSERT_MSG_BT(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
} else
- RUNNER_ASSERT_MSG_BT(labelPtr.get() == NULL, "EXEC label on " << fpath << " is set");
+ RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
/* TRANSMUTE */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+
+ return 0;
+}
+
+
+int nftw_check_labels_app_private_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ return nftw_check_labels_app_dir(fpath, sb, USER_APP_ID);
+}
+
+int nftw_check_labels_app_floor_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ return nftw_check_labels_app_dir(fpath, sb, "_");
+}
+
+int nftw_check_labels_app_public_ro_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ int result;
+ CStringPtr labelPtr;
+ char *label;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG_BT(labelPtr.get() == NULL, "TRANSMUTE label on " << fpath << " is set");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(LABEL_FOR_PUBLIC_SHARED_DIRS, label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect");
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
+ if (S_ISDIR(sb->st_mode)) {
+ RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
+ result = strcmp("TRUE", label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "TRANSMUTE label on " << fpath << " is not set");
+ } else
+ RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
return 0;
- }
+}
int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
int /*typeflag*/, struct FTW* /*ftwbuf*/)
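Review bot: `nftw_check_labels_app_dir` now takes `const char* correctLabel` as its third parameter, so it can no longer be passed to nftw(), yet it keeps the `nftw_` prefix and (unless it already sits in an unnamed namespace) external linkage, while its old prototype is dropped earlier in this commit. Marking it `static` and adding a comment such as `/* shared checker: ACCESS on every entry and EXEC on executable files must equal correctLabel; EXEC elsewhere and TRANSMUTE must be unset */` would make the contract explicit. In `nftw_check_labels_app_public_ro_dir` the assertion after `strcmp("TRUE", label)` reuses the text "is not set", so a wrong TRANSMUTE value is reported as a missing one; `"TRANSMUTE label on " << fpath << " is not TRUE"` would separate the two failures. The `"_"` literal passed by the floor wrapper would read better as a named constant for the Smack floor label.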
return 0;
}
+void test_perm_app_setup_path_PUBLIC_RO(bool smack)
+{
+ int result;
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << TEST_NON_APP_DIR);
+
+ DB_BEGIN
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed");
+
+ DB_END
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_ro_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for non-app dir");
+
+ RUNNER_ASSERT_BT(check_all_accesses(smack, {{ USER_APP_ID, LABEL_FOR_PUBLIC_SHARED_DIRS, "r"}}));
+}
+
void test_revoke_permissions(int line_no, const char* app_id)
{
int result;
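Review bot: The only access assertion in `test_perm_app_setup_path_PUBLIC_RO` is positive, `check_all_accesses(smack, {{ USER_APP_ID, LABEL_FOR_PUBLIC_SHARED_DIRS, "r"}})`, so a regression that also grants `w` on the public label to that subject would still pass a test named read-only. If USER_APP_ID is meant to be a non-owner reader, add the negative counterpart using the helper declared next to it, `RUNNER_ASSERT_BT(check_no_accesses(smack, {{ USER_APP_ID, LABEL_FOR_PUBLIC_SHARED_DIRS, "w"}}));`. The function also registers the path for APP_ID with no preceding perm_app_install() and no cleanup afterwards, unlike the removed test_app_setup_path(); a short comment saying this is deliberate would help the next reader.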
DB_END
}
-
-void test_appsettings_privilege(bool smack)
-{
- int ret;
- CStringPtr app1DirLabelPtr;
- CStringPtr app2DirLabelPtr;
- char* label = NULL;
-
- DB_BEGIN
-
- (void)perm_app_uninstall(APP_TEST);
- (void)perm_app_uninstall(APP_1);
- (void)perm_app_uninstall(APP_2);
-
- //install some app 1
- ret = perm_app_install(APP_1);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install." << ret);
-
- mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
-
- //register settings folder for app 1
- ret = perm_app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW );
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
-
- //install "app_test" and give it appsettings privilege
- ret = perm_app_install(APP_TEST);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
-
- //register appsettings feature
- ret = perm_add_api_feature(APP_TYPE_OSP, PRIV_APPSETTING[0], PRIV_APPSETTING_RULES, NULL, 0);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- " Error registering api feature. Result: " << ret);
-
- ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, false);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- " Error registering app permissions. Result: " << ret);
-
- DB_END
-
- //check if "app_test" has an RWX access to a folder registered by "app_1"
- ret = smack_getlabel(APP_1_DIR, &label, SMACK_LABEL_ACCESS );
- app1DirLabelPtr.reset(label);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{USER_APP_ID, app1DirLabelPtr.get(), "rwx"}}), "access denied to smack label: " << app1DirLabelPtr.get());
-
-
- DB_BEGIN
-
- //intstall another app: "app_2"
- ret = perm_app_install(APP_2);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
-
- mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
- //register settings folder for that "app_2"
- ret = perm_app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW );
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
-
- DB_END
-
- //check if "app_test" has an RWX access to a folder registered by "app_2"
- ret = smack_getlabel(APP_2_DIR, &label, SMACK_LABEL_ACCESS );
- app2DirLabelPtr.reset(label);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{USER_APP_ID, app2DirLabelPtr.get(), "rwx"}}), "access denies");
-
- rmdir(APP_1_DIR);
- rmdir(APP_2_DIR);
-
- DB_BEGIN
-
- (void)perm_app_uninstall(APP_TEST);
- (void)perm_app_uninstall(APP_1);
- (void)perm_app_uninstall(APP_2);
-
- DB_END
-}
const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
const std::vector<std::string> BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16);
-int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
- int result;
- char *label;
-
- /* ACCESS */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
- result = strcmp(APPID_SHARED_DIR, label);
- RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect");
-
- result = smack_have_access(USER_APP_ID, APPID_SHARED_DIR, "rwxatl");
- RUNNER_ASSERT_MSG_BT(result == 1,
- "Error rwxatl access was not given shared dir. Subject: " <<
- USER_APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
- /* EXEC */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
-
- /* TRANSMUTE */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
- if (S_ISDIR(sb->st_mode)) {
- RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
- result = strcmp("TRUE", label);
- RUNNER_ASSERT_MSG_BT(result == 0, "TRANSMUTE label on " << fpath << " is not set");
- } else
- RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
-
- return 0;
-}
-
void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids, std::string dac_file_path)
{
std::ifstream dac_file(dac_file_path);
RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
-/**
- * Test setting labels for all files and folders in given path.
- */
-RUNNER_TEST(privilege_control02_app_label_dir)
+RUNNER_TEST(privilege_control02_perm_app_setup_path_01_PRIVATE)
{
int result;
result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << TEST_APP_DIR);
result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << TEST_NON_APP_DIR);
DB_BEGIN
result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed");
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() for APP_PATH_PRIVATE failed");
DB_END
- result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for app dir");
result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for non-app dir");
}
-RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir)
+RUNNER_TEST(privilege_control02_perm_app_setup_path_02_FLOOR)
{
int result;
- DB_BEGIN
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, USER_APP_ID);
- RUNNER_ASSERT_MSG_BT(result != 0, "perm_app_setup_path(APP_ID, USER_APP_ID) didn't fail");
-
- DB_END
-
result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << TEST_APP_DIR);
result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << TEST_NON_APP_DIR);
DB_BEGIN
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed");
+ result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_FLOOR);
+ RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() for APP_PATH_FLOOR type failed");
DB_END
- result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for shared app dir");
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for app dir");
result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for non-app dir");
+}
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- DB_END
+RUNNER_TEST_SMACK(privilege_control02_perm_app_setup_path_03_PUBLIC_RO)
+{
+ test_perm_app_setup_path_PUBLIC_RO(true);
}
/**
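Review bot: The doc comment that stood above privilege_control02 is deleted here and nothing replaces it, so the PRIVATE, FLOOR and PUBLIC_RO cases carry no statement of the label layout each path type must produce. A one-line comment per test would do, for example `/* APP_PATH_PRIVATE: ACCESS, and EXEC on executable files, equal USER_APP_ID; TRANSMUTE unset */` and `/* APP_PATH_FLOOR: same layout with the floor label "_" */`. The added FLOOR call passes APPID_DIR as the application id while the PUBLIC_RO helper passes APP_ID; if that difference is not intended, use one constant in both places.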
}
}
-RUNNER_TEST(privilege_control16_app_setup_path){
- const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
- const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
- const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
- const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
- const char *label1 = "qwert123456za";
- const char *label2 = "trewq654123az";
-
- CStringPtr labelPtr;
-
- mkdir(path1,0);
- mkdir(path2,0);
-
- int fd = creat(path3, S_IRWXU);
- if (fd >= 0)
- close(fd);
- fd = creat(path4, S_IRWXU);
- if (fd >= 0)
- close(fd);
-
- char *label = NULL;
-
- DB_BEGIN
-
- RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
-
- DB_END
-
- RUNNER_ASSERT_BT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
- labelPtr.reset(label);
- label = NULL;
- RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label1));
-
- DB_BEGIN
-
- RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
-
- DB_END
-
- RUNNER_ASSERT_BT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
- labelPtr.reset(label);
- label = NULL;
- RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label2));
-
- RUNNER_ASSERT_BT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
- labelPtr.reset(label);
- label = NULL;
- RUNNER_ASSERT_BT(labelPtr.get() == NULL);
-}
-
-RUNNER_TEST_SMACK(privilege_control17_appsettings_privilege)
-{
- test_appsettings_privilege(true);
-}
-
-void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) {
- int result;
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
- " Error in perm_app_uninstall." << result);
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
- " Error in perm_app_install." << result);
-
- DB_END
-
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
- " Unable to clean up Smack labels in " << TEST_APP_DIR);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
- " Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
-
- DB_BEGIN
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE);
- RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
- " perm_app_setup_path() failed");
-
- DB_END
-
- result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
- " Unable to check Smack labels for non-app dir");
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
- " Error in perm_app_uninstall." << result);
-
- DB_END
-}
-
-RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
-{
- test_app_setup_path(__LINE__, APP_PATH_PUBLIC_RO);
-}
-
-RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings)
-{
- test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW);
-}
-
void check_perm_app_has_permission(const char* app_label, const char* permission, bool is_enabled_expected)
{
int result;
//////NOSMACK ENVIRONMENT TESTS//////////
/////////////////////////////////////////
-/**
- * NOSMACK version of nftw_check_labels_app_shared_dir function.
- *
- * This function used with nftw should expect -1 result from smack_have_access instead of 1.
- */
-int nftw_check_labels_app_shared_dir_nosmack(const char *fpath, const struct stat *sb,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
- int result;
- char* label;
-
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path. Result: " << result);
- RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
-
- result = strcmp(APPID_SHARED_DIR, label);
- RUNNER_ASSERT_MSG_BT(result == 0,
- "ACCESS label on " << fpath << " is incorrect. Result: " << result);
-
- //The only exception in nftw_check_labels_app_shared_dir
- //smack_have_access returns -1 because of no SMACK.
- result = smack_have_access(USER_APP_ID, APPID_SHARED_DIR, "rwxat");
- RUNNER_ASSERT_MSG_BT(result == -1,
- "smack_have_access should return error (SMACK is off). Result: " << result);
-
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path. Result: " << result);
- RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
-
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path. Result: " << result);
- if (S_ISDIR(sb->st_mode)) {
- RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
- result = strcmp("TRUE", label);
- RUNNER_ASSERT_MSG_BT(result == 0,
- "TRANSMUTE label on " << fpath << " is not set. Result: " << result);
- } else
- RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
-
- return 0;
-}
-
RUNNER_TEST_GROUP_INIT(libprivilegecontrol_nosmack)
-/**
- * NOSMACK version of privilege_control03 test.
- *
- * Uses nosmack version of nftw_check_labels_app_shared_dir (defined above).
- */
-RUNNER_TEST_NOSMACK(privilege_control03_app_label_shared_dir_nosmack)
+RUNNER_TEST_NOSMACK(privilege_control02_perm_app_setup_path_03_PUBLIC_RO_nosmack)
{
- int result;
-
- DB_BEGIN
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, USER_APP_ID);
- RUNNER_ASSERT_MSG_BT(result != PC_OPERATION_SUCCESS,
- "perm_app_setup_path should fail here. Result: " << result);
-
- DB_END
-
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Unable to clean up Smack labels in " << TEST_APP_DIR);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
-
- DB_BEGIN
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_setup_path() failed. Result: " << result);
-
- DB_END
-
- result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir_nosmack, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Unable to check Smack labels for shared app dir");
-
- result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Unable to check Smack labels for non-app dir");
+ test_perm_app_setup_path_PUBLIC_RO(false);
}
/**
RUNNER_ASSERT_MSG_BT(smack_label == NULL, "perm_app_id_from_socket should fail.");
}
}
-
-RUNNER_TEST_NOSMACK(privilege_control17_appsettings_privilege_nosmack)
-{
- test_appsettings_privilege(false);
-}
-
-/**
- * NOSMACK version of privilege_control18 test.
- *
- * Uses NOSMACK version of nftw_check_labels_app_public_dir.
- */
-RUNNER_TEST_NOSMACK(privilege_control18_app_setup_path_public_nosmack)
-{
- int result;
-
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
-
- DB_BEGIN
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed. Result: " << result);
-
- DB_END
-
- result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Unable to check Smack labels for non-app dir. Result: " << result);
-
-}
-
-/**
- * NOSMACK version of privilege_control19 test.
- *
- * Uses NOSMACK version of nftw_check_labels_app_settings_dir.
- */
-RUNNER_TEST_NOSMACK(privilege_control19_app_setup_path_settings_nosmack)
-{
- int result;
-
- result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
-
- result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
-
- DB_BEGIN
-
- result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed. Result: " << result);
-
- DB_END
-
- result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0,
- "Unable to check Smack labels for non-app dir. Result: " << result);
-
-}
// Add app shared dir - APP_PATH_GROUP_RW
result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR,
- APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ APP_PATH_GROUP_RW);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error in perm_app_setup_path. Loop index: " << i
<< ". Result: " << result);
// Verify that all permissions to public dir have been added
// correctly, also to other app
- result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl");
+ result = smack_have_access(APP_ID, LABEL_FOR_PUBLIC_SHARED_DIRS, "rwxatl");
RUNNER_ASSERT_MSG_BT(result == expected_smack_result,
"Not all accesses to Group RW dir are granted. Loop index: "
<< i);
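Review bot: The changed assertion expects `rwxatl` on LABEL_FOR_PUBLIC_SHARED_DIRS for an app that registered an APP_PATH_GROUP_RW path, while test_perm_app_setup_path_PUBLIC_RO expects that same label as the ACCESS label of read-only public directories. If both path types really map to one label, every GROUP_RW registrant would hold write access to all PUBLIC_RO trees and these tests would encode that as correct, so this looks worth confirming against the library before merging. The same expectation recurs in the later hunks for app_ids[1], app_ids[2] and app_ids[6]. At minimum a comment such as `// GROUP_RW paths carry LABEL_FOR_PUBLIC_SHARED_DIRS in the new design; rwxatl for the registrant is intended` should record the intent, and the commit message's "only three ways" should say where APP_PATH_GROUP_RW stands. The enclosing test function starts and ends outside this hunk.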
* test_APP0 & test_APP5 register their directories as APP_PATH_PRIVATE
* test_APP1, test_APP2 & test_APP6 register their directories as
* APP_PATH_GROUP_RW using the same label
- * APPID_SHARED_DIR = "test_APP_ID_shared_dir"
+ * LABEL_FOR_PUBLIC_SHARED_DIRS
* test_APP3, test_APP7 & test_APP8 register their directories as
* APP_PATH_PUBLIC_RO
* test_APP4 & test_APP9 register their directories as
// Add app shared dir - APP_PATH_GROUP_RW (apps 1, 2, 6)
result = perm_app_setup_path(app_ids[1], app_dirs[1],
- APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ APP_PATH_GROUP_RW);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error in perm_app_setup_path. App id: " << app_ids[1]
<< " Loop index: " << i << ". Result: " << result);
result = perm_app_setup_path(app_ids[2], app_dirs[2],
- APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ APP_PATH_GROUP_RW);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error in perm_app_setup_path. App id: " << app_ids[2]
<< " Loop index: " << i << ". Result: " << result);
result = perm_app_setup_path(app_ids[6], app_dirs[6],
- APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ APP_PATH_GROUP_RW);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error in perm_app_setup_path. App id: " << app_ids[6]
<< " Loop index: " << i << ". Result: " << result);
// Verify that apps 1, 2 and 6 have all accesses to GROUP_RW folders
result = check_all_accesses(smack,
(const rules_t) {
- { app_ids[1], APPID_SHARED_DIR, "rwxatl" },
- { app_ids[2], APPID_SHARED_DIR, "rwxatl" },
- { app_ids[6], APPID_SHARED_DIR, "rwxatl" } } );
+ { app_ids[1], LABEL_FOR_PUBLIC_SHARED_DIRS, "rwxatl" },
+ { app_ids[2], LABEL_FOR_PUBLIC_SHARED_DIRS, "rwxatl" },
+ { app_ids[6], LABEL_FOR_PUBLIC_SHARED_DIRS, "rwxatl" } } );
RUNNER_ASSERT_MSG_BT(result == 1,
"Not all accesses to Group RW dir are granted. Loop index: "
<< i);