close(fd);
}
-void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
-{
- int result;
- result = smack_have_access(av_id, app_id, "rwx");
- RUNNER_ASSERT_MSG(result == 1,
- "Error while checking " << av_id << " rwx access to "
- << app_id << " " << comment << " Result: " << result);
- result = smack_have_access(av_id, app_id, "a");
- RUNNER_ASSERT_MSG(result == 0,
- "Error while checking " << av_id << " a access to "
- << app_id << " " << comment << " Result: " << result);
- result = smack_have_access(av_id, app_id, "t");
- RUNNER_ASSERT_MSG(result == 0,
- "Error while checking " << av_id << " t access to "
- << app_id << " " << comment << " Result: " << result);
-}
-
/*
* Check app_register_av function
* Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
}
+
+/**
+ * AV Privilege test cases.
+ *
+ * Each privilege_control24* test case tests antivirus privileges for each app_type_t, except for
+ * deprecated APP_TYPE_OTHER type.
+ */
+
+int nftw_remove_dir(const char* filename, const struct stat* /*statptr*/, int /*fileflags*/,
+ struct FTW* /*pfwt*/)
+{
+ int result = -1;
+
+ struct stat filestat;
+
+ result = stat(filename, &filestat);
+ RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to get file statistics. Result: "
+ << result << ", error: " << strerror(errno) << ", file: " << filename);
+
+ if(S_ISREG(filestat.st_mode)) {
+ result = unlink(filename);
+ RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to unlink file. Result: "
+ << result << ", error: " << strerror(errno) << ", file: " << filename);
+ } else if(S_ISDIR(filestat.st_mode)) {
+ result = rmdir(filename);
+ RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to remove dir. Result: "
+ << result << ", error: " << strerror(errno) << ", file: " << filename);
+ }
+
+ return 0;
+}
+
+void InstallApp(const char* pkg_id, const char* path, app_path_type_t app_path_type,
+ const char* shared_label)
+{
+ int result = -1;
+
+ result = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP);
+ RUNNER_ASSERT_MSG(result == 0, "Can't create dir for tests. Result: " << result <<
+ ", error: " << strerror(errno) << ", app_path_type: " << app_path_type);
+
+ DB_BEGIN
+
+ result = perm_app_revoke_permissions(pkg_id);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
+ << result << ", app_path_type: " << app_path_type);
+ result = perm_app_uninstall(pkg_id);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
+ << result << ", app_path_type: " << app_path_type);
+
+ result = perm_app_install(pkg_id);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
+ << result << ", app_path_type: " << app_path_type);
+ result = perm_app_setup_path(pkg_id, path, app_path_type, shared_label);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_setup_path failed. Result: "
+ << result << ", app_path_type: " << app_path_type);
+
+ DB_END
+}
+
+void InstallAV(const char* av_id, app_type_t av_type)
+{
+ int result = -1;
+
+ DB_BEGIN
+
+ result = perm_app_revoke_permissions(av_id);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
+ << result << ", av_type: " << av_type);
+ result = perm_app_uninstall(av_id);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
+ << result << ", av_type: " << av_type);
+
+ result = perm_app_install(av_id);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
+ << result << ", av_type: " << av_type);
+ result = perm_app_enable_permissions(av_id, av_type, PRIVS_AV, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "enable_permissions failed. Result: "
+ << result << ", av_type: " << av_type);
+
+ DB_END
+}
+
+void CheckAVPrivilege(app_type_t av_type, app_path_type_t app_path_type)
+{
+ int result = -1;
+
+ //clean before test
+ result = nftw(APP_TEST_APP_1_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
+ ", error " << strerror(errno));
+
+ result = nftw(APP_TEST_APP_2_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
+ ", error " << strerror(errno));
+
+ result = nftw(APP_TEST_APP_3_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
+ ", error " << strerror(errno));
+
+ InstallApp(APP_TEST_APP_1, APP_TEST_APP_1_DIR, app_path_type, APP_TEST_APP_1_SHARED_LABEL);
+ InstallAV(APP_TEST_AV_1, av_type);
+ InstallApp(APP_TEST_APP_2, APP_TEST_APP_2_DIR, app_path_type, APP_TEST_APP_2_SHARED_LABEL);
+ InstallAV(APP_TEST_AV_2, av_type);
+ InstallApp(APP_TEST_APP_3, APP_TEST_APP_3_DIR, app_path_type, APP_TEST_APP_3_SHARED_LABEL);
+
+ //test - get ACCESS label and check AV privilege
+
+ char* tmp;
+
+ //get labels
+ result = smack_lgetlabel(APP_TEST_APP_1_DIR, &tmp, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result
+ << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+ std::string label1(tmp);
+ free(tmp);
+
+ result = smack_lgetlabel(APP_TEST_APP_2_DIR, &tmp, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result
+ << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+ std::string label2(tmp);
+ free(tmp);
+
+ result = smack_lgetlabel(APP_TEST_APP_3_DIR, &tmp, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result
+ << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+ std::string label3(tmp);
+ free(tmp);
+
+ if(app_path_type == APP_PATH_GROUP_RW)
+ {
+ result = label1.compare(APP_TEST_APP_1_SHARED_LABEL);
+ RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 <<
+ ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+
+ result = label2.compare(APP_TEST_APP_2_SHARED_LABEL);
+ RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 <<
+ ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+
+ result = label3.compare(APP_TEST_APP_3_SHARED_LABEL);
+ RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 <<
+ ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+ }
+
+ std::stringstream ss;
+
+ //check AV accesses
+ if(smack_check())
+ {
+ ss << "APP_TEST_APP_1, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
+ ss.str(std::string());
+
+ ss << "APP_TEST_APP_2, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
+ ss.str(std::string());
+
+ ss << "APP_TEST_APP_3, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
+
+ ss << "APP_TEST_APP_1, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
+ ss.str(std::string());
+
+ ss << "APP_TEST_APP_2, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
+ ss.str(std::string());
+
+ ss << "APP_TEST_APP_3, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccess(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
+ }
+ else
+ {
+ ss << "APP_TEST_APP_1, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
+
+ ss.str(std::string());
+ ss << "APP_TEST_APP_2, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
+
+ ss.str(std::string());
+ ss << "APP_TEST_APP_3, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
+
+ ss << "APP_TEST_APP_1, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
+
+ ss.str(std::string());
+ ss << "APP_TEST_APP_2, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
+
+ ss.str(std::string());
+ ss << "APP_TEST_APP_3, line " << __LINE__ <<
+ ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+ checkOnlyAvAccessNosmack(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
+ }
+
+ //Clean up
+ perm_app_revoke_permissions(APP_TEST_AV_1);
+ perm_app_revoke_permissions(APP_TEST_AV_2);
+ perm_app_uninstall(APP_TEST_AV_1);
+ perm_app_uninstall(APP_TEST_AV_2);
+ perm_app_uninstall(APP_TEST_APP_1);
+ perm_app_uninstall(APP_TEST_APP_2);
+ perm_app_uninstall(APP_TEST_APP_3);
+}
+
+RUNNER_TEST(privilege_control24a_av_privilege_group_rw)
+{
+ CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_GROUP_RW);
+ CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_GROUP_RW);
+ CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_GROUP_RW);
+}
+
+RUNNER_TEST(privilege_control24b_av_privilege_settings_rw)
+{
+ CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_SETTINGS_RW);
+ CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_SETTINGS_RW);
+ CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_SETTINGS_RW);
+}
+
+RUNNER_TEST(privilege_control24c_av_privilege_public_ro)
+{
+ CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_PUBLIC_RO);
+ CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_PUBLIC_RO);
+ CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_PUBLIC_RO);
+}