Add antivirus privilege test cases

[Issue#]        SSDWSSP-491
[Feature]       Add test cases checking if AV has access to every type of folders set by
                perm_app_setup_path - GROUP_RW, SETTINGS_RW, PUBLIC_RO. Both SMACK and NOSMACK
                version of tests was added.
[Cause]         N/A
[Solution]      N/A
[Verification]  Build and run libprivilege-control-test. Test should pass both on SMACK and NOSMACK
                environment.

Change-Id: Ie073095f4ca78e86f9d7a7e1d5ec5e7014229504

diff --git a/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h
index 9973fab..446306b 100644 (file)
--- a/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h
+++ b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h
@@ -57,6 +57,12 @@
 #define APP_TEST_AV_1  "test-antivirus1"
 #define APP_TEST_AV_2  "test-antivirus_2"
 #define APP_TEST_AV_3  "test-av-3"
+#define APP_TEST_APP_1_DIR "/tmp/test-application1/"
+#define APP_TEST_APP_2_DIR "/tmp/test-application2/"
+#define APP_TEST_APP_3_DIR "/tmp/test-application3/"
+#define APP_TEST_APP_1_SHARED_LABEL "test-application1-shared"
+#define APP_TEST_APP_2_SHARED_LABEL "test-application2-shared"
+#define APP_TEST_APP_3_SHARED_LABEL "test-application3-shared"
 
 #define WGT_APP_ID            "QwCqJ0ttyS"
 #define WGT_PARTNER_APP_ID    "7btsV1Y0sX"
@@ -87,6 +93,7 @@ extern const char *PRIVS_WGT[];
 extern const char *PRIVS_OSP[];
 
 extern const char* PRIV_APPSETTING[];
+extern const char* PRIVS_AV[];
 
 // Rules from test_privilege_control_rules.smack
 const std::vector< std::vector<std::string> > rules = {
@@ -320,5 +327,8 @@ int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
 int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
                                   int /*typeflag*/, struct FTW* /*ftwbuf*/);
 
+void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment);
+void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment);
+
 
 #endif /* LIBPRIVILEGE_CONTROL_TEST_COMMON_H_ */

diff --git a/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp
index 180cd92..9e815f7 100644 (file)
--- a/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp
+++ b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp
@@ -36,6 +36,8 @@ const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
 
 const char* PRIV_APPSETTING[] {"org.tizen.privilege.appsetting", NULL};
 
+const char* PRIVS_AV[] = { "org.tizen.privilege.antivirus", NULL };
+
 void cleaning_smack_app_files (void)
 {
     unlink(SMACK_RULES_DIR APP_TEST_APP_1);
@@ -206,3 +208,42 @@ int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
 
     return 0;
 }
+
+void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
+{
+    int result;
+    result = smack_have_access(av_id, app_id, "rwx");
+    RUNNER_ASSERT_MSG(result == 1,
+        "Error while checking " << av_id << " rwx access to "
+        << app_id << " " << comment << " Result: " << result);
+    result = smack_have_access(av_id, app_id, "a");
+    RUNNER_ASSERT_MSG(result == 0,
+        "Error while checking " << av_id << " a access to "
+        << app_id << " " << comment << " Result: " << result);
+    result = smack_have_access(av_id, app_id, "t");
+    RUNNER_ASSERT_MSG(result == 0,
+        "Error while checking " << av_id << " t access to "
+        << app_id << " " << comment << " Result: " << result);
+}
+
+/**
+ * NOSMACK version of checkOnlyAvAccess function.
+ *
+ * Expects error instead of access granted/forbidden from smack_have_access.
+ */
+void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment)
+{
+    int result;
+    result = smack_have_access(av_id, app_id, "rwx");
+    RUNNER_ASSERT_MSG(result == -1,
+            "smack_have_access should return error (SMACK is off). Result: " << result
+            << " when testing " << comment);
+    result = smack_have_access(av_id, app_id, "a");
+    RUNNER_ASSERT_MSG(result == -1,
+            "smack_have_access should return error (SMACK is off). Result: " << result
+            << " when testing " << comment);
+    result = smack_have_access(av_id, app_id, "t");
+    RUNNER_ASSERT_MSG(result == -1,
+            "smack_have_access should return error (SMACK is off). Result: " << result
+            << " when testing " << comment);
+}

diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp
index 8894234..79636b8 100644 (file)
--- a/tests/libprivilege-control-tests/test_cases.cpp
+++ b/tests/libprivilege-control-tests/test_cases.cpp
@@ -734,23 +734,6 @@ RUNNER_TEST(privilege_control07_app_uninstall)
     close(fd);
 }
 
-void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
-{
-    int result;
-    result = smack_have_access(av_id, app_id, "rwx");
-    RUNNER_ASSERT_MSG(result == 1,
-        "Error while checking " << av_id << " rwx access to "
-        << app_id << " " << comment << " Result: " << result);
-    result = smack_have_access(av_id, app_id, "a");
-    RUNNER_ASSERT_MSG(result == 0,
-        "Error while checking " << av_id << " a access to "
-        << app_id << " " << comment << " Result: " << result);
-    result = smack_have_access(av_id, app_id, "t");
-    RUNNER_ASSERT_MSG(result == 0,
-        "Error while checking " << av_id << " t access to "
-        << app_id << " " << comment << " Result: " << result);
-}
-
 /*
  * Check app_register_av function
  * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
@@ -1785,3 +1768,244 @@ RUNNER_TEST(privilege_control20_early_rules)
        RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
        RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
 }
+
+/**
+ * AV Privilege test cases.
+ *
+ * Each privilege_control24* test case tests antivirus privileges for each app_type_t, except for
+ * deprecated APP_TYPE_OTHER type.
+ */
+
+int nftw_remove_dir(const char* filename, const struct stat* /*statptr*/, int /*fileflags*/,
+                    struct FTW* /*pfwt*/)
+{
+    int result = -1;
+
+    struct stat filestat;
+
+    result = stat(filename, &filestat);
+    RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to get file statistics. Result: "
+            << result << ", error: " << strerror(errno) << ", file: " << filename);
+
+    if(S_ISREG(filestat.st_mode)) {
+        result = unlink(filename);
+        RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to unlink file. Result: "
+                << result << ", error: " << strerror(errno) << ", file: " << filename);
+    } else if(S_ISDIR(filestat.st_mode)) {
+        result = rmdir(filename);
+        RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to remove dir. Result: "
+                << result << ", error: " << strerror(errno) << ", file: " << filename);
+    }
+
+    return 0;
+}
+
+void InstallApp(const char* pkg_id, const char* path, app_path_type_t app_path_type,
+                const char* shared_label)
+{
+    int result = -1;
+
+    result = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP);
+    RUNNER_ASSERT_MSG(result == 0, "Can't create dir for tests. Result: " << result <<
+            ", error: " << strerror(errno) << ", app_path_type: " << app_path_type);
+
+    DB_BEGIN
+
+    result = perm_app_revoke_permissions(pkg_id);
+    RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
+            << result << ", app_path_type: " << app_path_type);
+    result = perm_app_uninstall(pkg_id);
+    RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
+            << result << ", app_path_type: " << app_path_type);
+
+    result = perm_app_install(pkg_id);
+    RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
+            << result << ", app_path_type: " << app_path_type);
+    result = perm_app_setup_path(pkg_id, path, app_path_type, shared_label);
+    RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_setup_path failed. Result: "
+            << result << ", app_path_type: " << app_path_type);
+
+    DB_END
+}
+
+void InstallAV(const char* av_id, app_type_t av_type)
+{
+    int result = -1;
+
+    DB_BEGIN
+
+    result = perm_app_revoke_permissions(av_id);
+    RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: "
+            << result << ", av_type: " << av_type);
+    result = perm_app_uninstall(av_id);
+    RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: "
+            << result << ", av_type: " << av_type);
+
+    result = perm_app_install(av_id);
+    RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
+            << result << ", av_type: " << av_type);
+    result = perm_app_enable_permissions(av_id, av_type, PRIVS_AV, 1);
+    RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "enable_permissions failed. Result: "
+            << result << ", av_type: " << av_type);
+
+    DB_END
+}
+
+void CheckAVPrivilege(app_type_t av_type, app_path_type_t app_path_type)
+{
+    int result = -1;
+
+    //clean before test
+    result = nftw(APP_TEST_APP_1_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
+    RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
+            ", error " << strerror(errno));
+
+    result = nftw(APP_TEST_APP_2_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
+    RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
+            ", error " << strerror(errno));
+
+    result = nftw(APP_TEST_APP_3_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS);
+    RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result <<
+            ", error " << strerror(errno));
+
+    InstallApp(APP_TEST_APP_1, APP_TEST_APP_1_DIR, app_path_type, APP_TEST_APP_1_SHARED_LABEL);
+    InstallAV(APP_TEST_AV_1, av_type);
+    InstallApp(APP_TEST_APP_2, APP_TEST_APP_2_DIR, app_path_type, APP_TEST_APP_2_SHARED_LABEL);
+    InstallAV(APP_TEST_AV_2, av_type);
+    InstallApp(APP_TEST_APP_3, APP_TEST_APP_3_DIR, app_path_type, APP_TEST_APP_3_SHARED_LABEL);
+
+    //test - get ACCESS label and check AV privilege
+
+    char* tmp;
+
+    //get labels
+    result = smack_lgetlabel(APP_TEST_APP_1_DIR, &tmp, SMACK_LABEL_ACCESS);
+    RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result
+            << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+    std::string label1(tmp);
+    free(tmp);
+
+    result = smack_lgetlabel(APP_TEST_APP_2_DIR, &tmp, SMACK_LABEL_ACCESS);
+    RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result
+            << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+    std::string label2(tmp);
+    free(tmp);
+
+    result = smack_lgetlabel(APP_TEST_APP_3_DIR, &tmp, SMACK_LABEL_ACCESS);
+    RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result
+            << ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+    std::string label3(tmp);
+    free(tmp);
+
+    if(app_path_type == APP_PATH_GROUP_RW)
+    {
+        result = label1.compare(APP_TEST_APP_1_SHARED_LABEL);
+        RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 <<
+                ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
+                ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+
+        result = label2.compare(APP_TEST_APP_2_SHARED_LABEL);
+        RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 <<
+                ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
+                ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+
+        result = label3.compare(APP_TEST_APP_3_SHARED_LABEL);
+        RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 <<
+                ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result <<
+                ", av_type: " << av_type << ", app_path_type: " << app_path_type);
+    }
+
+    std::stringstream ss;
+
+    //check AV accesses
+    if(smack_check())
+    {
+        ss << "APP_TEST_APP_1, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccess(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
+        ss.str(std::string());
+
+        ss << "APP_TEST_APP_2, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccess(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
+        ss.str(std::string());
+
+        ss << "APP_TEST_APP_3, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccess(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
+
+        ss << "APP_TEST_APP_1, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccess(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
+        ss.str(std::string());
+
+        ss << "APP_TEST_APP_2, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccess(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
+        ss.str(std::string());
+
+        ss << "APP_TEST_APP_3, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccess(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
+    }
+    else
+    {
+        ss << "APP_TEST_APP_1, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccessNosmack(APP_TEST_AV_1, label1.c_str(), ss.str().c_str());
+
+        ss.str(std::string());
+        ss << "APP_TEST_APP_2, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccessNosmack(APP_TEST_AV_1, label2.c_str(), ss.str().c_str());
+
+        ss.str(std::string());
+        ss << "APP_TEST_APP_3, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccessNosmack(APP_TEST_AV_1, label3.c_str(), ss.str().c_str());
+
+        ss << "APP_TEST_APP_1, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccessNosmack(APP_TEST_AV_2, label1.c_str(), ss.str().c_str());
+
+        ss.str(std::string());
+        ss << "APP_TEST_APP_2, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccessNosmack(APP_TEST_AV_2, label2.c_str(), ss.str().c_str());
+
+        ss.str(std::string());
+        ss << "APP_TEST_APP_3, line " << __LINE__ <<
+              ", av_type: " << av_type << ", app_path_type: " << app_path_type;
+        checkOnlyAvAccessNosmack(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
+    }
+
+    //Clean up
+    perm_app_revoke_permissions(APP_TEST_AV_1);
+    perm_app_revoke_permissions(APP_TEST_AV_2);
+    perm_app_uninstall(APP_TEST_AV_1);
+    perm_app_uninstall(APP_TEST_AV_2);
+    perm_app_uninstall(APP_TEST_APP_1);
+    perm_app_uninstall(APP_TEST_APP_2);
+    perm_app_uninstall(APP_TEST_APP_3);
+}
+
+RUNNER_TEST(privilege_control24a_av_privilege_group_rw)
+{
+    CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_GROUP_RW);
+    CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_GROUP_RW);
+    CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_GROUP_RW);
+}
+
+RUNNER_TEST(privilege_control24b_av_privilege_settings_rw)
+{
+    CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_SETTINGS_RW);
+    CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_SETTINGS_RW);
+    CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_SETTINGS_RW);
+}
+
+RUNNER_TEST(privilege_control24c_av_privilege_public_ro)
+{
+    CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_PUBLIC_RO);
+    CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_PUBLIC_RO);
+    CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_PUBLIC_RO);
+}

diff --git a/tests/libprivilege-control-tests/test_cases_nosmack.cpp b/tests/libprivilege-control-tests/test_cases_nosmack.cpp
index 79e7850..36df1ba 100644 (file)
--- a/tests/libprivilege-control-tests/test_cases_nosmack.cpp
+++ b/tests/libprivilege-control-tests/test_cases_nosmack.cpp
@@ -406,28 +406,6 @@ RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nos
     check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
 }
 
-/**
- * NOSMACK version of checkOnlyAvAccess function.
- *
- * Expects error instead of access granted/forbidden from smack_have_access.
- */
-void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment)
-{
-    int result;
-    result = smack_have_access(av_id, app_id, "rwx");
-    RUNNER_ASSERT_MSG(result == -1,
-            "smack_have_access should return error (SMACK is off). Result: " << result
-            << " when testing " << comment);
-    result = smack_have_access(av_id, app_id, "a");
-    RUNNER_ASSERT_MSG(result == -1,
-            "smack_have_access should return error (SMACK is off). Result: " << result
-            << " when testing " << comment);
-    result = smack_have_access(av_id, app_id, "t");
-    RUNNER_ASSERT_MSG(result == -1,
-            "smack_have_access should return error (SMACK is off). Result: " << result
-            << " when testing " << comment);
-}
-
 /*
  * NOSMACK version of privilege_control10_app_register_av test.
  *