}
std::string generateAppLabel() const {
- return generateProcessLabel(getAppId());
+ return generateProcessLabel(getAppId(), getPkgId());
}
std::string generatePkgLabel() const {
// Common implementation details
-std::string generateProcessLabel(const std::string &appId)
+std::string generateProcessLabel(const std::string &appId, const std::string &pkgId, bool isHybrid)
{
+ (void) pkgId;
+ (void) isHybrid;
return "User::App::" + appId;
}
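Review bot: The new `pkgId` and `isHybrid` parameters are discarded with `(void)` casts and nothing explains why, so a reader cannot tell whether the label is meant to stay `User::App::<appId>` or whether a package-scoped or hybrid format is still to be implemented. Because the result depends on `appId` only, none of the package ids added at the call sites in this commit is exercised: a wrong or empty package id yields the same label and the Smack and Cynara checks still pass. If the parameters are placeholders, I would say so above the definition, for example `// pkgId and isHybrid are accepted for API compatibility and ignored for now; the label depends on appId only`. The `isHybrid = false` default lives only on the declaration, so the comment belongs there too.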
const privileges_t &denied_privs)
{
(void) pkg_id;
- std::string smackLabel = generateProcessLabel(app_id);
+ std::string smackLabel = generateProcessLabel(app_id, pkg_id);
CynaraTestClient::Client ctc;
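Review bot: `(void) pkg_id;` at the top of this body is now stale, because `pkg_id` is passed to `generateProcessLabel(app_id, pkg_id)` on the next changed line. The leftover cast tells a reader the parameter is unused and would keep suppressing the unused-parameter warning if the call were ever reverted, so I would delete that line. The function's signature and the rest of its body lie outside the hunk.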
const std::string uidToStr(const uid_t uid);
-std::string generateProcessLabel(const std::string &appId);
+std::string generateProcessLabel(const std::string &appId, const std::string &pkgId, bool isHybrid = false);
std::string generatePathRWLabel(const std::string &pkgId);
std::string genRWPath(int app_num);
std::string genROPath(int app_num);
const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
const char *const socketLabel = "not_expected_label";
- std::string expected_label = generateProcessLabel(app_id);
+ std::string expected_label = generateProcessLabel(app_id, pkg_id);
std::string expected_socket_label = socketLabel;
char *label = nullptr;
CStringPtr labelPtr;
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int sock, pid_t) {
std::string rcvPkgId, rcvAppId;
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int sock, pid_t) {
std::string rcvPkgId, rcvAppId;
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int sock, pid_t) {
std::string rcvPkgId;
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int sock, pid_t) {
std::string rcvAppId;
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int sock, pid_t) {
Api::getPkgIdBySocket(sock, nullptr, nullptr, SECURITY_MANAGER_ERROR_INPUT_PARAM);
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int, pid_t pid) {
std::string rcvPkgId, rcvAppId;
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int, pid_t pid) {
std::string rcvPkgId, rcvAppId;
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int, pid_t pid) {
std::string rcvPkgId;
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int, pid_t pid) {
std::string rcvAppId;
Api::install(requestInst);
- std::string smackLabel = generateProcessLabel(sm_app_id);
+ std::string smackLabel = generateProcessLabel(sm_app_id, sm_pkg_id);
clientTestTemplate([&] (int sock, pid_t) {
Api::getPkgIdByPid(sock, nullptr, nullptr, SECURITY_MANAGER_ERROR_INPUT_PARAM);
return msg;
}
-static void testSetLabelForSelf(const char *app_id, bool expected_success)
+static void testSetLabelForSelf(const std::string &appName, const std::string &pkgName,
+ bool expected_success)
{
- std::string label = generateProcessLabel(app_id);
+ std::string label = generateProcessLabel(appName, pkgName);
int result = smack_set_label_for_self(label.c_str());
if (expected_success)
RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self(" << label <<
Api::labelsProcess(monitor);
Api::labelsMonitorFinish(monitor);
setCaps("cap_mac_admin-eip");
- testSetLabelForSelf(sm_app_id_a, false); // local installation by another user
- testSetLabelForSelf(sm_app_id_b, true); // global installation by another user
+ testSetLabelForSelf(sm_app_id_a, sm_pkg_id_a, false); // local installation by another user
+ testSetLabelForSelf(sm_app_id_b, sm_pkg_id_b, true); // global installation by another user
s_pipe.post(); //C
}
}
Api::labelsProcess(monitor);
Api::labelsMonitorFinish(monitor);
setCaps("cap_mac_admin-eip");
- testSetLabelForSelf(sm_app_id_a, true); // global installation (OK)
- testSetLabelForSelf(sm_app_id_b, false); //second change
- testSetLabelForSelf(sm_app_id_c, false); //second change
+ testSetLabelForSelf(sm_app_id_a, sm_pkg_id_a, true); // global installation (OK)
+ testSetLabelForSelf(sm_app_id_b, sm_pkg_id_b, false); //second change
+ testSetLabelForSelf(sm_app_id_c, sm_pkg_id_c, false); //second change
s_pipe.post(); //B
}
}
Api::labelsProcess(monitor);
Api::labelsMonitorFinish(monitor);
setCaps("cap_mac_admin-eip");
- testSetLabelForSelf(bad_seed, false); //not premitted
- testSetLabelForSelf(sm_app_id_a, false); //uninstalled
- testSetLabelForSelf(sm_app_id_b, true); //installed
- testSetLabelForSelf(sm_app_id_c, false); //second change
+ testSetLabelForSelf(bad_seed, "", false); //not premitted
+ testSetLabelForSelf(sm_app_id_a, sm_pkg_id_a, false); //uninstalled
+ testSetLabelForSelf(sm_app_id_b, sm_pkg_id_b, true); //installed
+ testSetLabelForSelf(sm_app_id_c, sm_pkg_id_c, false); //second change
s_pipe.post(); //B
}
}
waitPid(pid);
- admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id).c_str(),
+ admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id, "").c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
if(pid == 0)
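Review bot: Passing `""` as the package id in `generateProcessLabel(update_app_id, "")` only works because the helper currently ignores `pkgId`. Once the label includes the package, this `adminCheck` would query for a client label that no installed application carries, and the check could then pass or fail for the wrong reason. The same literal is used in the later `adminCheck` calls for `update_other_app_id` and `update_app_id`. I would pass a named package-id constant declared next to `update_app_id` (none is visible in this hunk) so the expected label stays tied to what the security manager assigns. The enclosing test body starts and ends outside the hunk.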
result = drop_root_privileges(msg.uid, msg.gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ // FIXME - Application has to be installed for it to have policy set in SM
PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
entry.setMaxLevel("Allow");
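Review bot: The added FIXME states a precondition, `Application has to be installed for it to have policy set in SM`, but not what has to change, and the test still builds a `PolicyEntry` for `update_app_id` right after it. If the test is known to send policy for an application that is not installed, the comment should say that and name the intended fix, for example `// FIXME: install update_app_id in test setup first; SM only stores policy for installed apps`. The same comment is added before three more `PolicyEntry` constructions later in this commit. The surrounding test body is outside the hunk.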
waitPid(pid);
- admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_other_app_id).c_str(),
+ admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_other_app_id, "").c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
if(pid == 0)
waitPid(pid);
- admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id).c_str(),
+ admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id, "").c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
if(pid == 0)
result = drop_root_privileges(msg.uid, msg.gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ // FIXME - Application has to be installed for it to have policy set in SM
PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
entry.setLevel("Allow");
waitPid(pid[0]);
- admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id).c_str(),
+ admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id, "").c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
pid[1] = fork();
waitPid(pid[1]);
- admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id).c_str(),
+ admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id, "").c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
}
if(pid[1] == 0)
// delete this entry
PolicyRequest deletePolicyRequest;
+ // FIXME - Application has to be installed for it to have policy set in SM
PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
result = drop_root_privileges(msg.uid, msg.gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ // FIXME - Application has to be installed for it to have policy set in SM
PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
entry.setLevel("Allow");
RUNNER_ASSERT_ERRNO_MSG(0 == setuid(uid), "Error in setuid.");
}
-void test_success_worker(const std::string &appName, int test_num)
+void test_success_worker(const std::string &appName, const std::string &pkgName, int test_num)
{
std::string SM_OWNER_RW_OTHERS_RO_PATH = genOwnerRWOthersROPath(test_num);
- changeSecurityContext(generateProcessLabel(appName), APP_UID, APP_GID);
+ changeSecurityContext(generateProcessLabel(appName, pkgName), APP_UID, APP_GID);
RUNNER_ASSERT_ERRNO_MSG(::access(SM_OWNER_RW_OTHERS_RO_PATH.c_str(), R_OK|X_OK) != -1,
"access (" << SM_OWNER_RW_OTHERS_RO_PATH << ") from " << appName << " failed " << " to " << SM_OWNER_RW_OTHERS_RO_PATH );
}
-void test_fail_worker(const std::string &appName, int test_num)
+void test_fail_worker(const std::string &appName, const std::string &pkgName, int test_num)
{
std::string SM_OWNER_RW_OTHERS_RO_PATH = genOwnerRWOthersROPath(test_num);
- changeSecurityContext(generateProcessLabel(appName), APP_UID, APP_GID);
+ changeSecurityContext(generateProcessLabel(appName, pkgName), APP_UID, APP_GID);
RUNNER_ASSERT_MSG(::access(SM_OWNER_RW_OTHERS_RO_PATH.c_str(), R_OK|X_OK) == -1,
"access (" << SM_OWNER_RW_OTHERS_RO_PATH << ") from " << appName
RUNNER_CHILD_TEST(security_manager_27b_owner_1_have_access)
{
- test_success_worker(sm_app_shared_id, sm_app_shared_test_id);
+ test_success_worker(sm_app_shared_id, sm_pkg_shared_id, sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27c_owner_2_have_access)
{
- test_success_worker(sm_app_shared_another_in_package_id, sm_app_shared_test_id);
+ test_success_worker(sm_app_shared_another_in_package_id, sm_pkg_shared_id, sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27d_API2X_apps_have_access_app_1)
{
- test_success_worker("security_manager_10_app_1", sm_app_shared_test_id);
+ test_success_worker("security_manager_10_app_1", "security_manager_10_pkg_1", sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27e_API2X_apps_dont_have_access_app_2)
{
- test_fail_worker("security_manager_10_app_2", sm_app_shared_test_id);
+ test_fail_worker("security_manager_10_app_2", "security_manager_10_pkg_2", sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27f_API2X_apps_have_access_app_3)
{
- test_success_worker("security_manager_10_app_3", sm_app_shared_test_id);
+ test_success_worker("security_manager_10_app_3", "security_manager_10_pkg_3", sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27g_API2X_apps_dont_have_access_app_4)
{
- test_fail_worker("security_manager_10_app_4", sm_app_shared_test_id);
+ test_fail_worker("security_manager_10_app_4", "security_manager_10_pkg_4", sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27h_API2X_apps_have_access_app_5)
{
- test_success_worker("security_manager_10_app_5", sm_app_shared_test_id);
+ test_success_worker("security_manager_10_app_5", "security_manager_10_pkg_5", sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27k_API30_apps_dont_have_access_app_1)
{
- test_fail_worker("security_manager_10_app_1", sm_app_shared_test_id);
+ test_fail_worker("security_manager_10_app_1", "security_manager_10_pkg_1", sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27l_API30_apps_dont_have_access_app_2)
{
- test_fail_worker("security_manager_10_app_2", sm_app_shared_test_id);
+ test_fail_worker("security_manager_10_app_2", "security_manager_10_pkg_2", sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27m_API30_apps_dont_have_access_app_3)
{
- test_fail_worker("security_manager_10_app_3", sm_app_shared_test_id);
+ test_fail_worker("security_manager_10_app_3", "security_manager_10_pkg_3", sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27n_API30_apps_dont_have_access_app_4)
{
- test_fail_worker("security_manager_10_app_4", sm_app_shared_test_id);
+ test_fail_worker("security_manager_10_app_4", "security_manager_10_pkg_4", sm_app_shared_test_id);
}
RUNNER_CHILD_TEST(security_manager_27o_API30_apps_dont_have_access_app_5)
{
- test_fail_worker("security_manager_10_app_5", sm_app_shared_test_id);
+ test_fail_worker("security_manager_10_app_5", "security_manager_10_pkg_5", sm_app_shared_test_id);
}
RUNNER_TEST(security_manager_27p_API30_app_uninstall)
// check rules
check_exact_access("System", trusted_label, system_access);
check_exact_access("User", trusted_label, system_access);
- check_exact_access(generateProcessLabel(provider.getAppId()), trusted_label, trusted_access);
+ check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
+ trusted_label, trusted_access);
check_exact_access(generatePathRWLabel(provider.getPkgId()), trusted_label, "");
// install trusted app
Api::install(trustedApp);
// check rules
- check_exact_access(generateProcessLabel(user.getAppId()), trusted_label, trusted_access);
+ check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
+ trusted_label, trusted_access);
check_exact_access(generatePathRWLabel(user.getPkgId()), trusted_label, "");
// install untrusted app
Api::install(untrustedApp);
// check rules
- check_exact_access(generateProcessLabel(untrusted.getAppId()), trusted_label, "");
+ check_exact_access(generateProcessLabel(untrusted.getAppId(), untrusted.getPkgId()),
+ trusted_label, "");
check_exact_access(generatePathRWLabel(untrusted.getPkgId()), trusted_label, "");
// uninstall trusting app
// there's still one app with author id, rules should be kept
check_exact_access("System", trusted_label, system_access);
check_exact_access("User", trusted_label, system_access);
- check_exact_access(generateProcessLabel(provider.getAppId()), trusted_label, "");
+ check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
+ trusted_label, "");
check_exact_access(generatePathRWLabel(provider.getPkgId()), trusted_label, "");
- check_exact_access(generateProcessLabel(user.getAppId()), trusted_label, trusted_access);
+ check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
+ trusted_label, trusted_access);
check_exact_access(generatePathRWLabel(user.getPkgId()), trusted_label, "");
Api::uninstall(trustedApp);
// no more apps with author id
check_exact_access("System", trusted_label, "");
check_exact_access("User", trusted_label, "");
- check_exact_access(generateProcessLabel(user.getAppId()), trusted_label, "");
+ check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
+ trusted_label, "");
check_exact_access(generatePathRWLabel(user.getPkgId()), trusted_label, "");
Api::uninstall(untrustedApp);
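Review bot: Each `generateProcessLabel(x.getAppId(), x.getPkgId())` pair in these checks repeats what `generateAppLabel()` does after this commit (`return generateProcessLabel(getAppId(), getPkgId());`). If `provider`, `user` and `untrusted` are instances of the helper class that owns `generateAppLabel()`, which the hunk does not show, calling it would keep the app/package pairing in one place, e.g. `check_exact_access(provider.generateAppLabel(), trusted_label, trusted_access);`. That matters for the rule checks because a mismatched pair would verify Smack access for a label no process is given. The same applies to the `trusted1`/`trusted2` checks further down, and the test body begins outside the hunk.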
trustingApp2.setAuthorId(authorId1);
Api::install(trustingApp2);
- check_exact_access("System", generateProcessLabel(trusted1.getAppId()), "rwxl");
- check_exact_access("User", generateProcessLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("System", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
+ "rwxl");
+ check_exact_access("User", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
+ "rwxl");
check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
- check_exact_access("System", generateProcessLabel(trusted2.getAppId()), "rwxl");
- check_exact_access("User", generateProcessLabel(trusted2.getAppId()), "rwxl");
+ check_exact_access("System", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()),
+ "rwxl");
+ check_exact_access("User", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()),
+ "rwxl");
Api::uninstall(trustingApp2);
- check_exact_access("System", generateProcessLabel(trusted1.getAppId()), "rwxl");
- check_exact_access("User", generateProcessLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("System", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
+ "rwxl");
+ check_exact_access("User", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
+ "rwxl");
check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
- check_exact_access("System", generateProcessLabel(trusted2.getAppId()), "");
- check_exact_access("User", generateProcessLabel(trusted2.getAppId()), "");
+ check_exact_access("System", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()), "");
+ check_exact_access("User", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()), "");
Api::uninstall(trustingApp);
- check_exact_access("System", generateProcessLabel(trusted1.getAppId()), "");
- check_exact_access("User", generateProcessLabel(trusted1.getAppId()), "");
+ check_exact_access("System", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()), "");
+ check_exact_access("User", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()), "");
check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "");
check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "");
}