// How many open file descriptors should ftw() function use?
#define FTW_MAX_FDS 16
+// ---- Macros and arrays used in stress tests ----
+#define TEST_OSP_FEATURE_APP_ID "test-osp-feature-app"
+#define TEST_WGT_FEATURE_APP_ID "test-wgt-feature-app"
+#define TEST_OSP_FEATURE "http://test-feature/osp_rxl"
+#define TEST_WGT_FEATURE "http://test-feature/wgt_rwx"
+// OSP Api Feature Test data - gives rxl access to OSP app and rl access to WGT app also!
+const char *FILE_PATH_TEST_OSP_FEATURE = "/usr/share/privilege-control/OSP_test-feature.osp_rxl.smack";
+const char *test_osp_feature_rule_set[] = { "~APP~ " TEST_OSP_FEATURE_APP_ID " rxl",
+ "~APP~ " TEST_WGT_FEATURE_APP_ID " rl",
+ NULL };
+const char *TEST_OSP_FEATURE_PRIVS[] = { TEST_OSP_FEATURE, NULL };
+// WGT Api Feature Test data - rwx access only to WGT app
+const char *FILE_PATH_TEST_WGT_FEATURE = "/usr/share/privilege-control/WRT_test-feature.wgt_rwx.smack";
+const char *test_wgt_feature_rule_set[] = { "~APP~ " TEST_WGT_FEATURE_APP_ID " rwx",
+ NULL };
+const char *TEST_WGT_FEATURE_PRIVS[] = { TEST_WGT_FEATURE, NULL };
+
+const std::vector< std::vector<std::string> > rules_to_test_any_access1 = {
+ { TEST_OSP_FEATURE_APP_ID, APP_ID, "r" },
+ { TEST_OSP_FEATURE_APP_ID, APP_ID, "w" },
+ { TEST_OSP_FEATURE_APP_ID, APP_ID, "x" },
+ { TEST_OSP_FEATURE_APP_ID, APP_ID, "a" },
+ { TEST_OSP_FEATURE_APP_ID, APP_ID, "t" },
+ { TEST_OSP_FEATURE_APP_ID, APP_ID, "l" }
+};
+
+const std::vector< std::vector<std::string> > rules_to_test_any_access2 = {
+ { APP_ID, TEST_OSP_FEATURE_APP_ID, "r" },
+ { APP_ID, TEST_OSP_FEATURE_APP_ID, "x" },
+ { APP_ID, TEST_OSP_FEATURE_APP_ID, "l" },
+ { APP_ID, TEST_WGT_FEATURE_APP_ID, "r" },
+ { APP_ID, TEST_WGT_FEATURE_APP_ID, "w" },
+ { APP_ID, TEST_WGT_FEATURE_APP_ID, "x" },
+ { APP_ID, TEST_WGT_FEATURE_APP_ID, "l" }
+};
+
+#define FMT_VECTOR_TO_TEST_ANY_ACCESS(sub,obj) \
+ (const std::vector< std::vector<std::string> >) { \
+ { sub, obj, "r" }, \
+ { sub, obj, "w" }, \
+ { sub, obj, "x" }, \
+ { sub, obj, "a" }, \
+ { sub, obj, "t" }, \
+ { sub, obj, "l" } }
+
// Rules from test_privilege_control_rules.smack
const std::vector< std::vector<std::string> > rules = {
{ APP_ID, "test_book_1", "r" },
RUNNER_ASSERT_MSG(result == 1,
"smack_pid_have_access should return access granted. Result: " << result);
}
+
+/**
+ * Test - Simulation of 100 installations and uninstallations of one application.
+ * Installed application will have various kind of permissions from api
+ * features and shared folders.
+ */
+RUNNER_TEST(privilege_control22_app_installation_1x100)
+{
+ int result;
+ std::string shared_dir_auto_label;
+
+ // Clear any previously created apps, files, labels and permissions
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in: " << TEST_APP_DIR
+ << ". Result: " << result);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in: " << TEST_NON_APP_DIR
+ << ". Result: " << result);
+
+ result = perm_app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions. Result: " << result);
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall. Result: " << result);
+
+ // remove api features by deleting files
+ unlink(FILE_PATH_TEST_OSP_FEATURE);
+ unlink(FILE_PATH_TEST_WGT_FEATURE);
+
+ cleaning_smack_database_files();
+
+ // Install setting app and give it app-setting permissions
+ result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions. Result: " << result);
+ result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall. Result: " << result);
+ result = perm_app_install(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_install. Result: " << result);
+ result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1,
+ APP_TYPE_OSP, PRIV_APPSETTING, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error enabling App-Setting permissions. Result: " << result);
+
+ // Install one additional app (used to check perm to shared directories)
+ result = perm_app_revoke_permissions(TEST_OSP_FEATURE_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions. Result: " << result);
+ result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall. Result: " << result);
+ result = perm_app_install(TEST_OSP_FEATURE_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_install. Result: " << result);
+
+ // Register two valid api features
+ result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE,
+ test_osp_feature_rule_set, NULL, 0);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: "
+ << TEST_OSP_FEATURE << ". Result: " << result);
+
+ result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE,
+ test_wgt_feature_rule_set, NULL, 0);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: "
+ << TEST_WGT_FEATURE << ". Result: " << result);
+
+
+ // Check whether api-feature's smack files are created
+// TODO Remove this check when new database is introduced
+ result = file_exists(FILE_PATH_TEST_OSP_FEATURE);
+ RUNNER_ASSERT_MSG(result == 0, "Test OSP Api Feature file is not created.");
+ result = file_exists(FILE_PATH_TEST_WGT_FEATURE);
+ RUNNER_ASSERT_MSG(result == 0, "Test WGT API Feature file is not created.");
+
+ // Install app loop
+ for (int i = 0; i < 100; ++i)
+ {
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_install. Loop index: " << i
+ << ". Result: " << result);
+
+ // add persistent api feature permissions
+ result = perm_app_enable_permissions(APP_ID, APP_TYPE_OSP,
+ TEST_OSP_FEATURE_PRIVS, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_enable_permissions from OSP Feature. Loop index: "
+ << i << ". Result: " << result);
+
+ result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT,
+ TEST_WGT_FEATURE_PRIVS, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_enable_permissions from WGT Feature. Loop index: "
+ << i << ". Result: " << result);
+
+ // add shared dirs
+ switch (i%2) // separate odd and even loop runs
+ {
+ case 0: // Shared dirs: APP_PATH_PRIVATE & APP_PATH_PUBLIC_RO
+ {
+ // Add app shared dir - APP_PATH_PRIVATE
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR,
+ APP_PATH_PRIVATE);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. Loop index: " << i
+ << ". Result: " << result);
+
+ // Add app shared dir - APP_PATH_PUBLIC_RO
+ result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR,
+ APP_PATH_PUBLIC_RO);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. Loop index: " << i
+ << ". Result: " << result);
+
+ // Verify that some previously installed app does not have any acces
+ // to APP_ID private label
+ result = test_have_any_accesses(rules_to_test_any_access1);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Error - other app has access to private label. Loop index: "
+ << i);
+
+ // Get autogenerated Public RO label
+ char *label;
+ result = smack_getlabel(TEST_NON_APP_DIR, &label,
+ SMACK_LABEL_ACCESS );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Cannot get access label from Public RO shared dir. Loop index: "
+ << i << ". Result: " << result);
+ shared_dir_auto_label = label;
+ free(label);
+
+ // Verify that all permissions to public dir have been added
+ // correctly, also to other app
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { APP_ID, shared_dir_auto_label.c_str(), "rwxatl" },
+ { TEST_OSP_FEATURE_APP_ID, shared_dir_auto_label.c_str(), "rx" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all accesses to Public RO dir are granted. Loop index: "
+ << i);
+
+ break;
+ }
+ case 1: // Shared dirs: APP_PATH_APPSETTING_RW & APP_PATH_GROUP_RW
+ {
+ // Add app shared dir - APP_PATH_SETTINGS_RW
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR,
+ APP_PATH_SETTINGS_RW);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. Loop index: " << i
+ << ". Result: " << result);
+
+ // Add app shared dir - APP_PATH_GROUP_RW
+ result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR,
+ APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. Loop index: " << i
+ << ". Result: " << result);
+
+ // Get autogenerated App-Setting label
+ char *label;
+ result = smack_getlabel(TEST_APP_DIR, &label,
+ SMACK_LABEL_ACCESS );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Cannot get access label from App-Setting shared dir. Loop index: "
+ << i << ". Result: " << result);
+ shared_dir_auto_label = label;
+ free(label);
+
+ // Verify that setting app has rwx permission to app dir
+ // and rx permissions to app
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { APP_ID, shared_dir_auto_label.c_str(), "rwxatl" },
+ { APP_TEST_SETTINGS_ASP1, shared_dir_auto_label.c_str(), "rwx" },
+ { APP_TEST_SETTINGS_ASP1, APP_ID, "rx" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all accesses to App-Setting dir are granted. Loop index: "
+ << i);
+
+ // Verify that all permissions to public dir have been added
+ // correctly, also to other app
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { APP_ID, APPID_SHARED_DIR, "rwxatl" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all accesses to Group RW dir are granted. Loop index: "
+ << i);
+
+ break;
+ }
+ } // END switch
+
+ // check if api-features permissions are added properly
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { APP_ID, TEST_OSP_FEATURE_APP_ID, "rxl" },
+ { APP_ID, TEST_WGT_FEATURE_APP_ID, "rwxl" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all permisions from api features added. Loop index: "
+ << i);
+
+ // revoke permissions
+ result = perm_app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions. Loop index: " << i
+ << ". Result: " << result);
+ result = perm_app_revoke_permissions(TEST_OSP_FEATURE_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions. Loop index: " << i
+ << ". Result: " << result);
+ result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions. Loop index: " << i
+ << ". Result: " << result);
+
+ // check if api-features permissions are removed properly
+ result = test_have_any_accesses(rules_to_test_any_access2);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions revoked. Loop index: " << i);
+
+ // check if shared dir and app-setting permissions are removed properly
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(APP_ID, shared_dir_auto_label.c_str()));
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions to shared dirs revoked. Loop index: " << i);
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(APP_ID, APPID_SHARED_DIR));
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions to shared dirs revoked. Loop index: " << i);
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(TEST_OSP_FEATURE_APP_ID,
+ shared_dir_auto_label.c_str()));
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions to shared dirs revoked. Loop index: " << i);
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(APP_TEST_SETTINGS_ASP1,
+ shared_dir_auto_label.c_str()));
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions to shared dirs revoked. Loop index: " << i);
+
+ // remove labels from app folder
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in " << TEST_APP_DIR
+ << " . Loop index: " << i << ". Result: " << result);
+ // remove labels from shared folder
+ result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels,
+ FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in " << TEST_NON_APP_DIR
+ << " . Loop index: " << i << ". Result: " << result);
+
+ // uninstall app
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall. Loop index: " << i
+ << ". Result: " << result);
+ } // END Install app loop
+
+ // Uninstall setting app and additional app
+ result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall. Result: " << result);
+ result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall. Result: " << result);
+ // Remove api features
+ unlink(FILE_PATH_TEST_OSP_FEATURE);
+ unlink(FILE_PATH_TEST_WGT_FEATURE);
+
+ cleaning_smack_database_files();
+}
+
+/**
+ * Test - Simulation of 10 installations and uninstallations of set of 10 applications.
+ * Installed applications will have various kind of permissions to each other
+ * from api-features and shared folders.
+ *
+ * APP_TEST_SETTINGS_ASP1 ("test-app-settings-asp1") - registered as setting app
+ *
+ * Permissions:
+ * test_APP0-4 - receive test_osp_feature_rule_set2
+ * test_APP5-9 - receive test_wgt_feature_rule_set2
+ *
+ * During this test there is one directory created for each app for each loop run,
+ * dir name syntax is: /tmp/<app_name>_<i-loop_run>
+ *
+ * test_APP0 & test_APP5 register their directories as APP_PATH_PRIVATE
+ * test_APP1, test_APP2 & test_APP6 register their directories as
+ * APP_PATH_GROUP_RW using the same label
+ * APPID_SHARED_DIR = "test_APP_ID_shared_dir"
+ * test_APP3, test_APP7 & test_APP8 register their directories as
+ * APP_PATH_PUBLIC_RO
+ * test_APP4 & test_APP9 register their directories as
+ * APP_PATH_SETTINGS_RW
+ */
+RUNNER_TEST(privilege_control23_app_installation2_10x10)
+{
+ int result;
+ const int app_count = 10;
+ std::string shared_dir3_auto_label;
+ std::string shared_dir7_auto_label;
+ std::string shared_dir8_auto_label;
+ std::string setting_dir4_auto_label;
+ std::string setting_dir9_auto_label;
+ char app_ids[app_count][strlen(APP_ID) + 3];
+ char app_dirs[app_count][strlen(APP_ID) + 12];
+ const char *test_osp_feature_rule_set2[] = { "~APP~ " APP_ID "6 r",
+ "~APP~ " APP_ID "7 rxl",
+ "~APP~ " APP_ID "8 rwxal",
+ "~APP~ " APP_ID "9 rwxatl",
+ NULL };
+ const char *test_wgt_feature_rule_set2[] = { "~APP~ " APP_ID "1 r",
+ "~APP~ " APP_ID "2 rxl",
+ "~APP~ " APP_ID "3 rwxal",
+ "~APP~ " APP_ID "4 rwxatl",
+ NULL };
+
+
+ // generate app ids: test_APP0, test_APP1, test_APP2 etc
+ for (int i = 0; i < app_count; ++i)
+ {
+ result = sprintf(app_ids[i], APP_ID "%d", i);
+ RUNNER_ASSERT_MSG(result > 0, "Cannot generate name for app nr: " << i);
+ }
+
+ // Clear any previously created apps, files, labels and permissions
+ for (int i = 0; i < app_count; ++i)
+ {
+ result = perm_app_revoke_permissions(app_ids[i]);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions for app: "
+ << app_ids[i] << ". Result: " << result);
+
+ result = perm_app_uninstall(app_ids[i]);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall for app: "
+ << app_ids[i] << ". Result: " << result);
+ }
+
+ // remove api feature by deleting the file
+ unlink(FILE_PATH_TEST_OSP_FEATURE);
+ unlink(FILE_PATH_TEST_WGT_FEATURE);
+
+ cleaning_smack_database_files();
+
+ // Install setting app and give it app-setting permissions
+ result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions."
+ << " Result: " << result);
+ result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall."
+ << " Result: " << result);
+ result = perm_app_install(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_install."
+ << " Result: " << result);
+ result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1,
+ APP_TYPE_OSP, PRIV_APPSETTING, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error enabling App-Setting permissions."
+ << " Result: " << result);
+
+ // Register two valid api features
+ result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE,
+ test_osp_feature_rule_set2, NULL, 0);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: "
+ << TEST_OSP_FEATURE << ". Result: " << result);
+
+ result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE,
+ test_wgt_feature_rule_set2, NULL, 0);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: "
+ << TEST_WGT_FEATURE << ". Result: " << result);
+
+
+ // Check whether api-feature's smack files are created
+// TODO Remove this check when new database is introduced
+ result = file_exists(FILE_PATH_TEST_OSP_FEATURE);
+ RUNNER_ASSERT_MSG(result == 0, "Test OSP Api Feature file is not created.");
+ result = file_exists(FILE_PATH_TEST_WGT_FEATURE);
+ RUNNER_ASSERT_MSG(result == 0, "Test WGT API Feature file is not created.");
+
+ // Install apps loop
+ for (int i = 0; i < 10; ++i)
+ {
+ // Install 10 apps
+ for (int j = 0; j < app_count; ++j)
+ {
+ result = perm_app_install(app_ids[j]);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_install. App id: "
+ << app_ids[j]
+ << " Loop index: " << i
+ << ". Result: " << result);
+
+ // Create 10 directories
+ result = sprintf(app_dirs[j],"/tmp/" APP_ID "%d_%d", j, i);
+ RUNNER_ASSERT_MSG(result > 0,
+ "Cannot generate directory name for app nr: " << j
+ << " Loop index: " << i);
+ result = mkdir(app_dirs[j], S_IRWXU | S_IRGRP | S_IXGRP);
+ RUNNER_ASSERT_MSG(result == 0 || errno == EEXIST,
+ "Cannot create directory: " << app_dirs[j]);
+ result = nftw(app_dirs[j], &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in: " << app_dirs[j]
+ << ". Result: " << result);
+ }
+
+ // Give permissions from api-features
+ for (int j = 0; j < (app_count/2); ++j)
+ {
+ // add persistent api feature permissions
+ result = perm_app_enable_permissions(app_ids[j], APP_TYPE_OSP,
+ TEST_OSP_FEATURE_PRIVS, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_enable_permissions from OSP Feature. App id: "
+ << app_ids[j] << " Loop index: " << i << ". Result: " << result);
+
+ result = perm_app_enable_permissions(app_ids[j+5], APP_TYPE_WGT,
+ TEST_WGT_FEATURE_PRIVS, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_enable_permissions from WGT Feature. App id: "
+ << app_ids[j] << " Loop index: " << i << ". Result: " << result);
+ }
+
+ // Add app shared dirs - APP_PATH_PRIVATE (apps 0, 5)
+ result = perm_app_setup_path(app_ids[0], app_dirs[0], APP_PATH_PRIVATE);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[0]
+ << " Loop index: " << i << ". Result: " << result);
+ result = perm_app_setup_path(app_ids[5], app_dirs[5], APP_PATH_PRIVATE);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[5]
+ << " Loop index: " << i << ". Result: " << result);
+
+ // Add app shared dir - APP_PATH_GROUP_RW (apps 1, 2, 6)
+ result = perm_app_setup_path(app_ids[1], app_dirs[1],
+ APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[1]
+ << " Loop index: " << i << ". Result: " << result);
+ result = perm_app_setup_path(app_ids[2], app_dirs[2],
+ APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[2]
+ << " Loop index: " << i << ". Result: " << result);
+ result = perm_app_setup_path(app_ids[6], app_dirs[6],
+ APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[6]
+ << " Loop index: " << i << ". Result: " << result);
+
+ // Add app shared dir - APP_PATH_PUBLIC_RO (apps 3, 7, 8)
+ result = perm_app_setup_path(app_ids[3], app_dirs[3],
+ APP_PATH_PUBLIC_RO);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[1]
+ << " Loop index: " << i << ". Result: " << result);
+ result = perm_app_setup_path(app_ids[7], app_dirs[7],
+ APP_PATH_PUBLIC_RO);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[7]
+ << " Loop index: " << i << ". Result: " << result);
+ result = perm_app_setup_path(app_ids[8], app_dirs[8],
+ APP_PATH_PUBLIC_RO);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[8]
+ << " Loop index: " << i << ". Result: " << result);
+
+ // Add app shared dir - APP_PATH_SETTINGS_RW (apps ,4, 9)
+ result = perm_app_setup_path(app_ids[4], app_dirs[4],
+ APP_PATH_SETTINGS_RW);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[4]
+ << " Loop index: " << i << ". Result: " << result);
+ result = perm_app_setup_path(app_ids[9], app_dirs[9],
+ APP_PATH_SETTINGS_RW);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_setup_path. App id: " << app_ids[9]
+ << " Loop index: " << i << ". Result: " << result);
+
+ // Verify that some previously installed app does not have
+ // any acces to app 0 and app 5 PRIVATE folders
+ for (int j = 0; j < app_count; ++j)
+ {
+ // Apps 1-9 should not have any access to app 0
+ if (j != 0)
+ {
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[0])
+ );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Other app (app id: " << app_ids[j] <<
+ ") has access to private label of: " << app_ids[0] <<
+ ". It may not be shared. Loop index: " << i << ".");
+ }
+
+ // Apps 0-4 and 6-9 should not have any access to app 5
+ if (j != 5)
+ {
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[5])
+ );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Other app (app id: " << app_ids[j] <<
+ ") has access to private label of: " << app_ids[5] <<
+ ". It may not be shared. Loop index: " << i << ".");
+ }
+ } // End for Verify PRIVATE
+
+ // Verify that apps 1, 2 and 6 have all accesses to GROUP_RW folders
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[1], APPID_SHARED_DIR, "rwxatl" },
+ { app_ids[2], APPID_SHARED_DIR, "rwxatl" },
+ { app_ids[6], APPID_SHARED_DIR, "rwxatl" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all accesses to Group RW dir are granted. Loop index: "
+ << i);
+
+ // Get autogenerated Public_RO labels
+ char *label;
+ result = smack_getlabel(app_dirs[3], &label,
+ SMACK_LABEL_ACCESS );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Cannot get access label from Public RO shared dir: " << app_dirs[3]
+ << " . Loop index: " << i << ". Result: " << result);
+ shared_dir3_auto_label = label;
+ free(label);
+
+ result = smack_getlabel(app_dirs[7], &label,
+ SMACK_LABEL_ACCESS );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Cannot get access label from Public RO shared dir: " << app_dirs[7]
+ << " . Loop index: " << i << ". Result: " << result);
+ shared_dir7_auto_label = label;
+ free(label);
+
+ result = smack_getlabel(app_dirs[8], &label,
+ SMACK_LABEL_ACCESS );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Cannot get access label from Public RO shared dir: " << app_dirs[8]
+ << " . Loop index: " << i << ". Result: " << result);
+ shared_dir8_auto_label = label;
+ free(label);
+
+ // Verify that all apps have ro permissions to public folders of apps 3, 7 and 8
+ // Also apps 3, 7 and 8 should have all permisisons to their own PUBLIC_RO dirs
+ for (int j = 0; j < app_count; ++j)
+ {
+ if (j == 3)
+ {
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[j], shared_dir3_auto_label.c_str(), "rwxatl" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all accesses to owned Public RO dir are granted. App id: "
+ << app_ids[j] << " Loop index: " << i);
+ // Verify that there are no extra permissions to public dirs
+ result = test_have_any_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[j], shared_dir7_auto_label.c_str(), "w" },
+ { app_ids[j], shared_dir7_auto_label.c_str(), "t" },
+ { app_ids[j], shared_dir8_auto_label.c_str(), "w" },
+ { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unexpected extra permissions added for app:" << app_ids[j]
+ << ". Loop index: " << i);
+ }
+ if (j == 7)
+ {
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[j], shared_dir7_auto_label.c_str(), "rwxatl" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all accesses to owned Public RO dir are granted. App id: "
+ << app_ids[j] << " Loop index: " << i);
+ // Verify that there are no extra permissions to public dirs
+ result = test_have_any_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[j], shared_dir3_auto_label.c_str(), "w" },
+ { app_ids[j], shared_dir3_auto_label.c_str(), "t" },
+ { app_ids[j], shared_dir8_auto_label.c_str(), "w" },
+ { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unexpected extra permissions added for app:" << app_ids[j]
+ << ". Loop index: " << i);
+ }
+ if (j == 8)
+ {
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[j], shared_dir8_auto_label.c_str(), "rwxatl" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all accesses to owned Public RO dir are granted. App id: "
+ << app_ids[j] << " Loop index: " << i);
+ // Verify that there are no extra permissions to other public dirs
+ result = test_have_any_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[j], shared_dir3_auto_label.c_str(), "w" },
+ { app_ids[j], shared_dir3_auto_label.c_str(), "t" },
+ { app_ids[j], shared_dir7_auto_label.c_str(), "w" },
+ { app_ids[j], shared_dir7_auto_label.c_str(), "t" } } );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unexpected extra permissions added for app:" << app_ids[j]
+ << ". Loop index: " << i);
+ }
+
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[j], shared_dir3_auto_label.c_str(), "rx" },
+ { app_ids[j], shared_dir7_auto_label.c_str(), "rx" },
+ { app_ids[j], shared_dir8_auto_label.c_str(), "rx" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all accesses to Public RO dirs are granted. App id: "
+ << app_ids[j] << ". Loop index: " << i);
+ } // End for Verify PUBLIC_RO
+
+ // Get autogenerated SETTING_RW labels
+ result = smack_getlabel(app_dirs[4], &label,
+ SMACK_LABEL_ACCESS );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Cannot get access label from App-Setting shared dir: "
+ << app_dirs[4] << " . Loop index: " << i
+ << ". Result: " << result);
+ setting_dir4_auto_label = label;
+ free(label);
+
+ result = smack_getlabel(app_dirs[9], &label,
+ SMACK_LABEL_ACCESS );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Cannot get access label from App-Setting shared dir: "
+ << app_dirs[9] << " . Loop index: " << i
+ << ". Result: " << result);
+ setting_dir9_auto_label = label;
+ free(label);
+
+ // Verify that setting app has rwx permission to app-settings dirs and rx to apps
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[4], setting_dir4_auto_label.c_str(), "rwxatl" },
+ { app_ids[9], setting_dir9_auto_label.c_str(), "rwxatl" },
+ { APP_TEST_SETTINGS_ASP1, app_ids[4], "rx" },
+ { APP_TEST_SETTINGS_ASP1, app_ids[9], "rx" },
+ { APP_TEST_SETTINGS_ASP1, setting_dir4_auto_label.c_str(), "rwx" },
+ { APP_TEST_SETTINGS_ASP1, setting_dir9_auto_label.c_str(), "rwx" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all accesses to App-Setting dir are granted. Loop index: "
+ << i);
+
+
+
+ // Check if api-features permissions are added properly
+ for (int j = 0; j < 5; ++j)
+ {
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[j], app_ids[6], "r" },
+ { app_ids[j], app_ids[7], "rxl" },
+ { app_ids[j], app_ids[8], "rwxal" },
+ { app_ids[j], app_ids[9], "rwxatl" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all permisions from api features added for app id: "
+ << app_ids[j] << ". Loop index: " << i);
+ }
+
+ for (int j = 5; j < app_count; ++j)
+ {
+ result = test_have_all_accesses(
+ (const std::vector< std::vector<std::string> >) {
+ { app_ids[j], app_ids[1], "r" },
+ { app_ids[j], app_ids[2], "rxl" },
+ { app_ids[j], app_ids[3], "rwxal" },
+ { app_ids[j], app_ids[4], "rwxatl" } } );
+ RUNNER_ASSERT_MSG(result == 1,
+ "Not all permisions from api features added for app id: "
+ << app_ids[j] << ". Loop index: " << i);
+ }
+
+ // Revoke permissions
+ for (int j = 0; j < app_count; ++j)
+ {
+ result = perm_app_revoke_permissions(app_ids[j]);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions. App id: "
+ << app_ids[j] << " Loop index: " << i
+ << ". Result: " << result);
+ }
+ result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions for setting app. Loop index: "
+ << i << ". Result: " << result);
+
+ // Check if permissions are removed properly
+ for (int j = 0; j < app_count; ++j)
+ {
+ // To all other apps
+ for (int k = 0; k < app_count; ++k)
+ if (j != k)
+ {
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[k])
+ );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions revoked. Subject: " << app_ids[j]
+ << " Object: " << app_ids[k] << " Loop index: " << i);
+ }
+
+ // Check if permissions to shared dirs are removed properly
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j],
+ shared_dir3_auto_label.c_str())
+ );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions to shared dirs revoked. App id: "
+ << app_ids[j] << " Loop index: " << i);
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j],
+ shared_dir7_auto_label.c_str())
+ );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions to shared dirs revoked. App id: "
+ << app_ids[j] << " Loop index: " << i);
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j],
+ shared_dir8_auto_label.c_str())
+ );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions to shared dirs revoked. App id: "
+ << app_ids[j] << " Loop index: " << i);
+ result = test_have_any_accesses(
+ FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j],
+ APPID_SHARED_DIR)
+ );
+ RUNNER_ASSERT_MSG(result == 0,
+ "Not all permisions to shared dirs revoked. App id: "
+ << app_ids[j] << " Loop index: " << i);
+ }
+
+ // Remove labels from folders and uninstall all apps
+ for (int j = 0; j < app_count; ++j)
+ {
+ result = nftw(app_dirs[j], &nftw_remove_labels,
+ FTW_MAX_FDS, FTW_PHYS); // rm labels from app folder
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in: "
+ << app_dirs[j] << " . Loop index: " << i
+ << ". Result: " << result);
+
+ result = perm_app_uninstall(app_ids[j]);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall for app: "
+ << app_ids[j] << " . Loop index: " << i
+ << ". Result: " << result);
+ }
+
+ // Remove created dirs
+ for (int j = 0; j < app_count; ++j)
+ {
+ result = rmdir(app_dirs[j]);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Cannot remove directory: " << app_dirs[j]);
+ }
+ } // END Install app loop
+
+ // Uninstall setting app
+ result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_uninstall. Result: " << result);
+ // Remove api features
+ unlink(FILE_PATH_TEST_OSP_FEATURE);
+ unlink(FILE_PATH_TEST_WGT_FEATURE);
+
+ cleaning_smack_database_files();
+}
projects / platform / core / test / security-tests.git / commitdiff