#ifndef LIBPRIVILEGE_CONTROL_TEST_COMMON_H_
#define LIBPRIVILEGE_CONTROL_TEST_COMMON_H_
+#include <memory>
#include <vector>
#include <string>
#include <set>
#define APPID_DIR "test_APP_ID_dir"
#define APPID_SHARED_DIR "test_APP_ID_shared_dir"
+#define APP_1 "app_1"
+#define APP_1_DIR "/tmp/app_1"
+
+#define APP_2 "app_2"
+#define APP_2_DIR "/tmp/app_2"
+
+#define APP_TEST "app_test"
+
+#define EFL_APP_ID "EFL_APP_ID"
+
#define APP_FRIEND_1 "app_friend_1"
#define APP_FRIEND_2 "app_friend_2"
extern const char *PRIVS[];
extern const char *PRIVS2[];
+extern const char *PRIVS2_NO_R[];
+extern const char *PRIVS2_R[];
+extern const char *PRIVS2_R_AND_NO_R[];
extern const char *PRIVS_WGT[];
extern const char *PRIVS_OSP[];
+extern const char *PRIVS_EFL[];
extern const char* PRIV_APPSETTING[];
extern const char* PRIVS_AV[];
+typedef std::vector< std::vector<std::string> > rules_t;
+
+struct free_deleter {
+ void operator()(void* p) {
+ free(p);
+ }
+};
+typedef std::unique_ptr<char, free_deleter> CStringPtr;
+
// Rules from test_privilege_control_rules.smack
-const std::vector< std::vector<std::string> > rules = {
+const rules_t rules = {
{ APP_ID, "test_book_1", "r" },
{ APP_ID, "test_book_2", "w" },
{ APP_ID, "test_book_3", "x" },
};
// Rules from WRT_test_privilege_control_rules2.smack
-const std::vector< std::vector<std::string> > rules2 = {
+const rules_t rules2 = {
{ WGT_APP_ID, "test_book_8", "r" },
{ WGT_APP_ID, "test_book_9", "w" },
{ WGT_APP_ID, "test_book_10", "x" },
};
// Rules from WRT_test_privilege_control_rules_no_r.smack
-const std::vector< std::vector<std::string> > rules2_no_r = {
+const rules_t rules2_no_r = {
{ WGT_APP_ID, "test_book_9", "w" },
{ WGT_APP_ID, "test_book_10", "x" },
{ WGT_APP_ID, "test_book_11", "w" },
// Rules from test_privilege_control_rules.smack
// minus WRT_test_privilege_control_rules_no_r.smack
-const std::vector< std::vector<std::string> > rules2_r = {
+const rules_t rules2_r = {
{ WGT_APP_ID, "test_book_8", "r" },
{ WGT_APP_ID, "test_book_11", "r" },
{ WGT_APP_ID, "test_book_12", "r" },
};
// Rules from EFL_test_privilege_control_rules_osp.smack for osp_platform
-const std::vector< std::vector<std::string> > rules_efl = {
+const rules_t rules_efl = {
{ APP_ID, "test_book_efl", "r" }
};
// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt
-const std::vector< std::vector<std::string> > rules_wgt = {
+const rules_t rules_wgt = {
{ WGT_APP_ID, "test_book_8", "r" },
{ WGT_APP_ID, "test_book_9", "w" },
{ WGT_APP_ID, "test_book_10", "x" },
};
// Rules from WRT_test_privilege_control_rules.smack for wgt
-const std::vector< std::vector<std::string> > rules_wgt2 = {
+const rules_t rules_wgt2 = {
{ WGT_APP_ID, "test_book_1", "r" },
{ WGT_APP_ID, "test_book_2", "w" },
{ WGT_APP_ID, "test_book_3", "x" },
};
// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_partner
-const std::vector< std::vector<std::string> > rules_wgt_partner = {
+const rules_t rules_wgt_partner = {
{ WGT_PARTNER_APP_ID, "test_book_8", "r" },
{ WGT_PARTNER_APP_ID, "test_book_9", "w" },
{ WGT_PARTNER_APP_ID, "test_book_10", "x" },
};
// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_platform
-const std::vector< std::vector<std::string> > rules_wgt_platform = {
+const rules_t rules_wgt_platform = {
{ WGT_PLATFORM_APP_ID, "test_book_8", "r" },
{ WGT_PLATFORM_APP_ID, "test_book_9", "w" },
{ WGT_PLATFORM_APP_ID, "test_book_10", "x" },
};
// Rules from OSP_test_privilege_control_rules_osp.smack for osp
-const std::vector< std::vector<std::string> > rules_osp = {
+const rules_t rules_osp = {
{ OSP_APP_ID, "test_book_8", "r" },
{ OSP_APP_ID, "test_book_9", "w" },
{ OSP_APP_ID, "test_book_10", "x" },
};
// Rules from OSP_test_privilege_control_rules_osp.smack for osp_partner
-const std::vector< std::vector<std::string> > rules_osp_partner = {
+const rules_t rules_osp_partner = {
{ OSP_PARTNER_APP_ID, "test_book_8", "r" },
{ OSP_PARTNER_APP_ID, "test_book_9", "w" },
{ OSP_PARTNER_APP_ID, "test_book_10", "x" },
};
// Rules from OSP_test_privilege_control_rules_osp.smack for osp_platform
-const std::vector< std::vector<std::string> > rules_osp_platform = {
+const rules_t rules_osp_platform = {
{ OSP_PLATFORM_APP_ID, "test_book_8", "r" },
{ OSP_PLATFORM_APP_ID, "test_book_9", "w" },
{ OSP_PLATFORM_APP_ID, "test_book_10", "x" },
{ "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }
};
-int test_have_all_accesses(const std::vector< std::vector<std::string> > &rules);
-int test_have_any_accesses(const std::vector< std::vector<std::string> > &rules);
+int test_have_all_accesses(const rules_t &rules);
+int test_have_any_accesses(const rules_t &rules);
+int test_have_nosmack_accesses(const rules_t &rules);
void cleaning_smack_app_files (void);
void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment);
void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment);
+void test_revoke_permissions(int line_no, const char* app_id, const rules_t &rules, bool smack);
+void test_app_enable_permissions_efl(bool smack);
+void test_app_disable_permissions_efl(bool smack);
+void test_app_disable_permissions(bool smack);
+void test_appsettings_privilege(bool smack);
#endif /* LIBPRIVILEGE_CONTROL_TEST_COMMON_H_ */
#include <string>
#include <set>
#include <libprivilege-control_test_common.h>
+#include <tests_common.h>
#include <sys/smack.h>
#include <dpl/test/test_runner.h>
const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
+const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
+const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
+const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
+const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL };
const char* PRIV_APPSETTING[] {"org.tizen.privilege.appsetting", NULL};
/**
* Check if every rule is true.
- * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
+ * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't, -1 on failure
*/
-int test_have_all_accesses(const std::vector< std::vector<std::string> > &rules)
+int test_have_all_accesses(const rules_t &rules)
{
- int result;
+ int result = 1;
for (uint i = 0; i < rules.size(); ++i) {
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result != 1)
- return result;
+ int access = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
+ if (access < 0)
+ return -1;
+ if (access == 0)
+ result = 0;
}
- return 1;
+ return result;
}
/**
* Check if every rule is true.
- * @return 1 if ANY rule in SMACK, 0 if
+ * @return 1 if ANY rule in SMACK, 0 if NO rule in SMACK, -1 on failure
+ */
+int test_have_any_accesses(const rules_t &rules)
+{
+ int result = 0;
+ for (uint i = 0; i < rules.size(); ++i) {
+ int access = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
+ if (access < 0)
+ return -1;
+ if (access > 0)
+ result = 1;
+ }
+ return result;
+}
+
+/**
+ * NOSMACK version of test_have_accesses functions.
+ *
+ * This will be used in many tests. Checks if for every rule smack_have_access returns error.
+ * If for any of rules smack_have_access will return something different than error, this result
+ * is being returned to caller.
*/
-int test_have_any_accesses(const std::vector< std::vector<std::string> > &rules)
+int test_have_nosmack_accesses(const rules_t &rules)
{
int result;
for (uint i = 0; i < rules.size(); ++i) {
result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result == 1)
- return 1;
+ if (result != -1)
+ return result;
}
- return 0;
+ return -1;
+}
+
+bool check_all_accesses(bool smack, const rules_t &rules)
+{
+ if (smack)
+ return test_have_all_accesses(rules) == 1;
+ else
+ return test_have_nosmack_accesses(rules) == -1;
+}
+
+bool check_no_accesses(bool smack, const rules_t &rules)
+{
+ if (smack)
+ return test_have_any_accesses(rules) == 0;
+ else
+ return test_have_nosmack_accesses(rules) == -1;
}
void read_gids(std::set<unsigned> &set, const char *file_path)
while (fscanf(f, "%u\n", &gid) == 1) {
set.insert(gid);
}
+ fclose(f);
}
void check_groups(const char *dac_file)
int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
int result;
- char *label;
+ CStringPtr labelPtr;
+ char* label = NULL;
/* ACCESS */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ labelPtr.reset(label);
RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
+ RUNNER_ASSERT_MSG(labelPtr.get() != NULL, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(APPID_DIR, labelPtr.get());
RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ labelPtr.reset(label);
RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
- RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
+ RUNNER_ASSERT_MSG(labelPtr.get() != NULL, "EXEC label on " << fpath << " is not set");
+ result = strcmp(APPID_DIR, labelPtr.get());
RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
} else if (S_ISLNK(sb->st_mode)) {
struct stat buf;
RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
free(target);
if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
- RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+ RUNNER_ASSERT_MSG(labelPtr.get() == NULL, "EXEC label on " << fpath << " is set");
} else {
- RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
- result = strcmp(APPID_DIR, label);
+ RUNNER_ASSERT_MSG(labelPtr.get() != NULL, "EXEC label on " << fpath << " is not set");
+ result = strcmp(APPID_DIR, labelPtr.get());
RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
}
} else
- RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+ RUNNER_ASSERT_MSG(labelPtr.get() == NULL, "EXEC label on " << fpath << " is set");
/* TRANSMUTE */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ labelPtr.reset(label);
RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+ RUNNER_ASSERT_MSG(labelPtr.get() == NULL, "TRANSMUTE label on " << fpath << " is set");
return 0;
}
int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
int result;
- char *label;
+ CStringPtr labelPtr;
+ char* label = NULL;
/* ACCESS */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ labelPtr.reset(label);
RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(CANARY_LABEL, label);
+ result = strcmp(CANARY_LABEL, labelPtr.get());
RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ labelPtr.reset(label);
RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(CANARY_LABEL, label);
+ result = strcmp(CANARY_LABEL, labelPtr.get());
RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
/* TRANSMUTE */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ labelPtr.reset(label);
RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+ RUNNER_ASSERT_MSG(labelPtr.get() == NULL, "TRANSMUTE label on " << fpath << " is set");
return 0;
}
"smack_have_access should return error (SMACK is off). Result: " << result
<< " when testing " << comment);
}
+
+void test_revoke_permissions(int line_no, const char* app_id, const rules_t &rules, bool smack)
+{
+ int result;
+
+ // Cleanup
+ DB_BEGIN
+
+ result = perm_app_uninstall(app_id);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ "perm_app_uninstall returned " << result);
+
+ // Close transaction to commit uninstallation before further actions
+ DB_END
+
+ DB_BEGIN
+
+ // Install test apps
+ result = perm_app_install(app_id);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ "perm_app_install returned " << result);
+
+ // Close transaction to commit installation before further actions
+ DB_END
+
+ DB_BEGIN
+
+ // TEST:
+ // Revoke permissions
+ result = perm_app_revoke_permissions(app_id);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
+ "Error revoking app permissions. Result: " << result);
+
+ DB_END
+
+ // Are all the permissions revoked?
+ RUNNER_ASSERT_MSG(check_no_accesses(smack, rules), "Line: " << line_no <<
+ "Not all permisions revoked.");
+
+ DB_BEGIN
+
+ // Cleanup - uninstall test apps
+ result = perm_app_uninstall(app_id);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ "perm_app_uninstall returned " << result);
+
+ DB_END
+}
+
+void test_app_enable_permissions_efl(bool smack)
+{
+ int result;
+
+ DB_BEGIN
+
+ // Prepare
+ result = perm_app_uninstall(EFL_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+ result = perm_app_install(EFL_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_install failed: " << result);
+
+ // Enable a permission:
+ result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, 0);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error enabling app permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
+ "SMACK accesses not granted for EFL_APP");
+
+ DB_BEGIN
+
+ // Cleanup
+ result = perm_app_uninstall(EFL_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+
+ DB_END
+}
+
+void test_app_disable_permissions_efl(bool smack)
+{
+ int result;
+
+ DB_BEGIN
+
+ // Prepare
+ result = perm_app_uninstall(EFL_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+
+ result = perm_app_install(EFL_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_install failed: " << result);
+
+ // Enable a permission
+ result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, 0);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error enabling app permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
+ "SMACK accesses not granted for EFL_APP");
+
+ DB_BEGIN
+
+ // Disable a permission
+ result = perm_app_disable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG(check_no_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
+ "SMACK accesses not disabled for EFL_APP");
+
+ DB_BEGIN
+
+ // Cleanup
+ result = perm_app_uninstall(EFL_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+
+ DB_END
+}
+
+void test_app_disable_permissions(bool smack)
+{
+ int result;
+
+ DB_BEGIN
+
+ // Prepare
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall failed: " << result);
+
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_install failed: " << result);
+/**
+ * Test - disable all granted permissions.
+ */
+
+ // Prepare permissions that we want to disable
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ DB_END
+
+ // Are all the permissions enabled?
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, rules2), "Not all permisions enabled.");
+
+ DB_BEGIN
+
+ // Disable permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ DB_END
+
+ // Are all the permissions disabled?
+ RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2), "Not all permisions disabled.");
+
+/**
+ * Test - disable some granted permissions leaving non complementary and then disabling those too.
+ */
+
+ DB_BEGIN
+
+ // Prepare permissions that will not be disabled
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app first permissions. Result: " << result);
+
+ // Prepare permissions that we want to disable
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app second permissions. Result: " << result);
+
+ // Disable second permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app second permissions. Result: " << result);
+
+ DB_END
+
+ // Are all second permissions disabled?
+ RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2), "Not all first permisions disabled.");
+
+ // Are all first permissions not disabled?
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, rules_wgt2), "Some of second permissions disabled.");
+
+ DB_BEGIN
+
+ // Disable first permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app first permissions. Result: " << result);
+
+ DB_END
+
+ // Are all second permissions disabled?
+ RUNNER_ASSERT_MSG(check_no_accesses(smack, rules_wgt2), "Not all second permisions disabled.");
+
+/**
+ * Test - disable only no r granted permissions.
+ */
+
+ DB_BEGIN
+
+ // Prepare permissions
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app permissions. Result: " << result);
+
+ // Disable same permissions without r
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app no r permissions. Result: " << result);
+
+ DB_END
+
+ // Is any r permissions disabled?
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, rules2_r), "Some of r permissions disabled.");
+ // Are all no r permissions disabled?
+ RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2_no_r), "Not all no r permissions disabled.");
+
+ DB_BEGIN
+
+ // Prepare permissions
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app no r permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, rules2_no_r), "Not all no r permissions enabled.");
+
+ DB_BEGIN
+
+ // Disable all permissions
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ DB_END
+
+ RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2_r), "Not all r permissions disabled.");
+
+ DB_BEGIN
+
+ // Clean up after test:
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
+}
+
+void test_appsettings_privilege(bool smack)
+{
+ int ret;
+ CStringPtr app1DirLabelPtr;
+ CStringPtr app2DirLabelPtr;
+ char* label = NULL;
+
+ DB_BEGIN
+
+ (void)perm_app_uninstall(APP_TEST);
+ (void)perm_app_uninstall(APP_1);
+ (void)perm_app_uninstall(APP_2);
+
+ //install some app 1
+ ret = perm_app_install(APP_1);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install." << ret);
+
+ mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
+
+ //register settings folder for app 1
+ ret = perm_app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW );
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
+
+ //install "app_test" and give it appsettings privilege
+ ret = perm_app_install(APP_TEST);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
+
+
+ ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << ret);
+
+ DB_END
+
+ //check if "app_test" has an RX access to the app "app_1"
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, {{APP_TEST, APP_1, "rx"}}), "access denied");
+
+ //check if "app_test" has an RWX access to a folder registered by "app_1"
+ ret = smack_getlabel(APP_1_DIR, &label, SMACK_LABEL_ACCESS );
+ app1DirLabelPtr.reset(label);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, {{APP_TEST, app1DirLabelPtr.get(), "rwx"}}), "access denied to smack label: " << app1DirLabelPtr.get());
+
+
+ DB_BEGIN
+
+ //intstall another app: "app_2"
+ ret = perm_app_install(APP_2);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
+
+ mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
+ //register settings folder for that "app_2"
+ ret = perm_app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW );
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
+
+ DB_END
+
+ //check if "app_test" has an RX access to the app "app_2"
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, {{APP_TEST, APP_2, "rx"}}), "access denied");
+
+ //check if "app_test" has an RWX access to a folder registered by "app_2"
+ ret = smack_getlabel(APP_2_DIR, &label, SMACK_LABEL_ACCESS );
+ app2DirLabelPtr.reset(label);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
+ RUNNER_ASSERT_MSG(check_all_accesses(smack, {{APP_TEST, app2DirLabelPtr.get(), "rwx"}}), "access denies");
+
+ rmdir(APP_1_DIR);
+ rmdir(APP_2_DIR);
+
+ DB_BEGIN
+
+ (void)perm_app_uninstall(APP_TEST);
+ (void)perm_app_uninstall(APP_1);
+ (void)perm_app_uninstall(APP_2);
+
+ DB_END
+}
#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
-#define EFL_APP_ID "EFL_APP_ID"
-
#define EARLY_RULE_SUBJECT "livebox.web-provider"
#define EARLY_RULE_RIGHTS "rwx---"
#define SMACK_ACC_LEN 6
-#define APP_1 "app_1"
-#define APP_1_DIR "/tmp/app_1"
-
-#define APP_2 "app_2"
-#define APP_2_DIR "/tmp/app_2"
-
-#define APP_TEST "app_test"
-
namespace {
-const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
-const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
-const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
-const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL };
-
std::vector<std::string> gen_names(std::string prefix, std::string suffix, size_t size)
{
std::vector<std::string> names;
result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+ DB_BEGIN
+
result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
+ DB_END
+
result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
RUNNER_ASSERT_MSG(result != 0, "perm_app_setup_path(APP_ID, APP_ID) didn't fail");
+ DB_END
+
result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+ DB_BEGIN
+
result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
+ DB_BEGIN
+
result = perm_app_uninstall(APP_ID);
RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
}
/**
result = test_have_all_accesses(rules_efl);
RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
+ DB_BEGIN
+
result = perm_app_uninstall(APP_ID);
RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
}
/**
* Revoke permissions from the list. Should be executed as privileged user.
*/
-RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt)
{
- int result;
-
- // Cleanup
- DB_BEGIN
-
- result = perm_app_uninstall(WGT_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(WGT_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(WGT_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(OSP_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(OSP_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(OSP_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
-
- // Close transaction to commit uninstallation before further actions
- DB_END
-
- DB_BEGIN
-
- // Install test apps
- result = perm_app_install(WGT_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(WGT_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(WGT_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(OSP_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(OSP_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(OSP_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- // Close transaction to commit installation before further actions
- DB_END
-
- DB_BEGIN
-
- // TEST:
- // Revoke permissions
- result = perm_app_revoke_permissions(WGT_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(WGT_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(WGT_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(OSP_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(OSP_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
- result = perm_app_revoke_permissions(OSP_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Result: " << result);
+ test_revoke_permissions(__LINE__, WGT_APP_ID, rules_wgt, true);
+}
- DB_END
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_partner)
+{
+ test_revoke_permissions(__LINE__, WGT_PARTNER_APP_ID, rules_wgt_partner, true);
+}
- // Are all the permissions revoked?
- result = test_have_any_accesses(rules_wgt);
- RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
- result = test_have_any_accesses(rules_wgt_partner);
- RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
- result = test_have_any_accesses(rules_wgt_platform);
- RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
- result = test_have_any_accesses(rules_osp);
- RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
- result = test_have_any_accesses(rules_osp_partner);
- RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
- result = test_have_any_accesses(rules_osp_platform);
- RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_platform)
+{
+ test_revoke_permissions(__LINE__, WGT_PLATFORM_APP_ID, rules_wgt_platform, true);
+}
- DB_BEGIN
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp)
+{
+ test_revoke_permissions(__LINE__, OSP_APP_ID, rules_osp, true);
+}
- // Cleanup - uninstall test apps
- result = perm_app_uninstall(WGT_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(WGT_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(WGT_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(OSP_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(OSP_PARTNER_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_uninstall(OSP_PLATFORM_APP_ID);
- RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_partner)
+{
+ test_revoke_permissions(__LINE__, OSP_PARTNER_APP_ID, rules_osp_partner, true);
+}
- DB_END
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_platform)
+{
+ test_revoke_permissions(__LINE__, OSP_PLATFORM_APP_ID, rules_osp_platform, true);
}
const char* app_id, app_type_t APP_TYPE,
const char** privileges, const char* type,
const char* app_path, const char* dac_file,
- const std::vector< std::vector<std::string> > &rules) {
+ const rules_t &rules) {
check_app_installed(line_no, app_path);
- int result = perm_app_uninstall(app_id);
- RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
- " perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ int result;
DB_BEGIN
+ result = perm_app_uninstall(app_id);
+ RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
+ " perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
result = perm_app_install(app_id);
RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
" perm_app_install returned " << result << ". Errno: " << strerror(errno));
result = test_have_all_accesses(rules);
RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
+ DB_BEGIN
+
result = perm_app_set_privilege(app_id, type, app_path);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
" Error in perm_app_set_privilege. Error: " << result);
+ DB_END
+
// Check if SMACK label really set
char *label;
result = smack_new_label_from_self(&label);
}, NULL, 0);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
- DB_END
-
// empty group ids
result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[12].c_str(), (const char*[]) {"~APP~ b a",NULL},(const gid_t[]) {0,1,2},0);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
osp_blahblah_dac_check(__LINE__, {1,1,1},OSP_BLAHBLAH_DAC[15]);
remove_smack_files();
+
+ DB_END
}
/*
{
int result;
+ DB_BEGIN
perm_app_uninstall(APP_ID);
// try install second time app with the same ID - it should pass.
result = perm_app_install(APP_ID);
RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ DB_END
}
/*
int result;
int fd = -1;
+ DB_BEGIN
+
result = perm_app_uninstall(APP_ID);
RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ DB_END
+
// checking if file really exists
fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after perm_app_uninstall");
checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
+ DB_BEGIN
+
// Adding third app
result = perm_app_install(APP_TEST_APP_3);
RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+ DB_END
+
// Checking app accesses
checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
result = test_have_all_accesses(rules2_no_r);
RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
+ DB_BEGIN
+
// Enable permission for rules 2
result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error enabling app all permissions. Result: " << result);
+ DB_END
+
// Check if the accesses are realy applied..
result = test_have_all_accesses(rules2);
RUNNER_ASSERT_MSG(result == 1, "Permissions all not added.");
result = test_have_all_accesses(rules2_no_r);
RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
+ DB_BEGIN
+
// Enable permission for rules 2
result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, 1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error enabling app permissions with only r. Result: " << result);
+ DB_END
+
// Check if the accesses are realy applied..
result = test_have_all_accesses(rules2_r);
RUNNER_ASSERT_MSG(result == 1, "Permissions with only r not added.");
DB_END
}
-RUNNER_CHILD_TEST(privilege_control11_app_enable_permissions_efl)
+RUNNER_CHILD_TEST_SMACK(privilege_control11_app_enable_permissions_efl)
{
- int result;
-
- DB_BEGIN
-
- // Prepare
- result = perm_app_uninstall(EFL_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << result);
- result = perm_app_install(EFL_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "perm_app_install failed: " << result);
-
- // Enable a permission:
- result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, 0);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error enabling app permissions. Result: " << result);
-
- DB_END
-
- RUNNER_ASSERT_MSG(smack_have_access(EFL_APP_ID,"test_book_efl", "r"),
- "SMACK accesses not granted for EFL_APP");
-
- // Cleanup
- result = perm_app_uninstall(EFL_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << result);
+ test_app_enable_permissions_efl(true);
}
/*
* Check perm_app_install function
*/
-RUNNER_CHILD_TEST(privilege_control12_app_disable_permissions_efl)
+RUNNER_CHILD_TEST_SMACK(privilege_control12_app_disable_permissions_efl)
{
- int result;
-
- DB_BEGIN
-
- // Prepare
- result = perm_app_uninstall(EFL_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << result);
-
- result = perm_app_install(EFL_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "perm_app_install failed: " << result);
-
- // Enable a permission
- result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, 0);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error enabling app permissions. Result: " << result);
-
- DB_END
-
- RUNNER_ASSERT_MSG(smack_have_access(EFL_APP_ID,"test_book_efl", "r"),
- "SMACK accesses not granted for EFL_APP");
-
- // Disable a permission
- result = perm_app_disable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app permissions. Result: " << result);
-
- RUNNER_ASSERT_MSG(!smack_have_access(EFL_APP_ID,"test_book_efl", "r"),
- "SMACK accesses not granted for EFL_APP");
-
- // Cleanup
- result = perm_app_uninstall(EFL_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << result);
+ test_app_disable_permissions_efl(true);
}
/**
* Remove previously granted SMACK permissions based on permissions list.
*/
-RUNNER_TEST(privilege_control12_app_disable_permissions)
+RUNNER_TEST_SMACK(privilege_control12_app_disable_permissions)
{
- int result;
-
- DB_BEGIN
-
- // Prepare
- result = perm_app_uninstall(WGT_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << result);
-
- result = perm_app_install(WGT_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "perm_app_install failed: " << result);
-/**
- * Test - disable all granted permissions.
- */
-
- // Prepare permissions that we want to disable
- result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << result);
-
- DB_END
-
- // Are all the permissions enabled?
- result = test_have_any_accesses(rules2);
- RUNNER_ASSERT_MSG(result==1, "Not all permisions enabled.");
-
- // Disable permissions
- result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app permissions. Result: " << result);
-
- // Are all the permissions disabled?
- result = test_have_any_accesses(rules2);
- RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
-
-/**
- * Test - disable some granted permissions leaving non complementary and then disabling those too.
- */
-
- DB_BEGIN
-
- // Prepare permissions that will not be disabled
- result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app first permissions. Result: " << result);
-
- // Prepare permissions that we want to disable
- result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app second permissions. Result: " << result);
-
- // Disable second permissions
- result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app second permissions. Result: " << result);
-
- DB_END
-
- // Are all second permissions disabled?
- result = test_have_any_accesses(rules2);
- RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
-
- // Are all first permissions not disabled?
- result = test_have_all_accesses(rules_wgt2);
- RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
-
- // Disable first permissions
- result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app first permissions. Result: " << result);
-
- // Are all second permissions disabled?
- result = test_have_any_accesses(rules_wgt2);
- RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
-
-/**
- * Test - disable only no r granted permissions.
- */
-
- DB_BEGIN
-
- // Prepare permissions
- result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app permissions. Result: " << result);
-
- // Disable same permissions without r
- result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app no r permissions. Result: " << result);
-
- DB_END
-
- // Is any r permissions disabled?
- result = test_have_all_accesses(rules2_r);
- RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
- // Are all no r permissions disabled?
- result = test_have_any_accesses(rules2_no_r);
- RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
-
- // Prepare permissions
- result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app no r permissions. Result: " << result);
- result = test_have_any_accesses(rules2_no_r);
- RUNNER_ASSERT_MSG(result=1, "Not all no r permissions enabled.");
-
- // Disable all permissions
- result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app permissions. Result: " << result);
- result = test_have_any_accesses(rules2_r);
- RUNNER_ASSERT_MSG(result!=1, "Not all r permissions disabled.");
-
-
-
- // Clean up after test:
- result = perm_app_uninstall(WGT_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ test_app_disable_permissions(true);
}
/**
* Test - making friends with no permissions on each other
*/
+ DB_BEGIN
+
result = perm_app_revoke_permissions(APP_FRIEND_1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error revoking app permissions. Result: " << result);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error making friends. Errno: " << result);
+ DB_END
+
// Checking if friends were made
result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
RUNNER_ASSERT_MSG(result == 1,
RUNNER_ASSERT_MSG(result == 1,
" Error second one sided friednship failed. Result: " << result);
+ DB_BEGIN
+
// Clean up
result = perm_app_revoke_permissions(APP_FRIEND_1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
perm_app_uninstall(APP_FRIEND_1);
perm_app_uninstall(APP_FRIEND_2);
+ DB_END
+
/**
* Test - making friends with nonexistent friend
*/
+ DB_BEGIN
+
// Installing one friend
result = perm_app_install(APP_FRIEND_1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
perm_app_uninstall(APP_FRIEND_1);
perm_app_uninstall(APP_FRIEND_2);
+ DB_END
+
/**
* Test - making friends with some permissions already added
*/
std::vector<std::string> accessesFriend =
{ "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
+ DB_BEGIN
+
// Installing friends to be
result = perm_app_install(APP_FRIEND_1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error installing second app. Result: " << result);
+ DB_END
+
for (i = 0; i < accessesFriend.size(); ++i)
{
for (j = 0; j < accessesFriend.size(); ++j)
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error in smack_accesses_apply. Result: " << result);
+ DB_BEGIN
+
// Adding friends
result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error making friends. Result: " << result);
+ DB_END
+
// Checking if friends were made
result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
RUNNER_ASSERT_MSG(result == 1,
}
}
+ DB_BEGIN
+
// Clean up
result = perm_app_revoke_permissions(APP_FRIEND_1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
perm_app_uninstall(APP_FRIEND_1);
perm_app_uninstall(APP_FRIEND_2);
+
+ DB_END
}
static void smack_set_random_label_based_on_pid_on_self(void)
const char *label1 = "qwert123456za";
const char *label2 = "trewq654123az";
- std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
+ CStringPtr labelPtr;
mkdir(path1,0);
mkdir(path2,0);
char *label = NULL;
+ DB_BEGIN
+
RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
+
+ DB_END
+
RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
labelPtr.reset(label);
label = NULL;
RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
+ DB_BEGIN
+
RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
+
+ DB_END
+
RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
labelPtr.reset(label);
label = NULL;
RUNNER_ASSERT(labelPtr.get() == NULL);
}
-RUNNER_TEST(privilege_control17_appsettings_privilege)
+RUNNER_TEST_SMACK(privilege_control17_appsettings_privilege)
{
- int ret;
- char *app1_dir_label;
- char *app2_dir_label;
- //prepare test
-
- (void)perm_app_uninstall(APP_TEST);
- (void)perm_app_uninstall(APP_1);
- (void)perm_app_uninstall(APP_2);
-
- DB_BEGIN
-
- //install some app 1
- ret = perm_app_install(APP_1);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install." << ret);
-
- mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
-
- //register settings folder for app 1
- ret = perm_app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW );
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
-
- //install "app_test" and give it appsettings privilege
- ret = perm_app_install(APP_TEST);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
-
-
- ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
- " Error enabling app permissions. Result: " << ret);
-
- DB_END
-
- //check if "app_test" has an RX access to the app "app_1"
- ret = smack_have_access(APP_TEST, APP_1, "rx");
- RUNNER_ASSERT_MSG(ret,"access denied");
-
- //check if "app_test" has an RWX access to a folder registered by "app_1"
- ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
- ret = smack_have_access(APP_TEST, app1_dir_label, "rwx");
- RUNNER_ASSERT_MSG(ret,"access denied to smack label: " << app1_dir_label);
-
-
- DB_BEGIN
-
- //intstall another app: "app_2"
- ret = perm_app_install(APP_2);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
-
- mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
- //register settings folder for that "app_2"
- ret = perm_app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW );
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
-
- DB_END
-
- //check if "app_test" has an RX access to the app "app_2"
- ret = smack_have_access(APP_TEST, APP_2, "rx");
- RUNNER_ASSERT_MSG(ret,"access denies");
-
- //check if "app_test" has an RWX access to a folder registered by "app_2"
- ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS );
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
- ret = smack_have_access(APP_TEST, app2_dir_label, "rwx");
- RUNNER_ASSERT_MSG(ret,"access denies");
-
- free (app1_dir_label);
- free (app2_dir_label);
- rmdir(APP_1_DIR);
- rmdir(APP_2_DIR);
-
- DB_BEGIN
-
- (void)perm_app_uninstall(APP_TEST);
- (void)perm_app_uninstall(APP_1);
- (void)perm_app_uninstall(APP_2);
-
- DB_END
+ test_appsettings_privilege(true);
}
void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) {
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
" Error in perm_app_install." << result);
+ DB_END
+
result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
" Unable to clean up Smack labels in " << TEST_APP_DIR);
RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
" Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+ DB_BEGIN
+
result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE);
RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
" perm_app_setup_path() failed");
RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no <<
" Unable to check Smack labels for non-app dir");
+ DB_BEGIN
+
result = perm_app_uninstall(APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
" Error in perm_app_uninstall." << result);
+
+ DB_END
}
RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
RUNNER_TEST_SMACK(privilege_control20_app_setup_path_npruntime)
{
int result = 0;
- std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
+ CStringPtr labelPtr;
std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime";
char *label = NULL;
result = test_have_all_accesses(np_rules);
RUNNER_ASSERT_MSG(result == 1, "Not all permissions added.");
+ DB_BEGIN
+
result = perm_app_uninstall(APP_NPRUNTIME);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
+
+ DB_END
}
RUNNER_TEST(privilege_control21_early_rules)
result = perm_app_install(APP_TEST_APP_1);
RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+ DB_END
+
// checking if file really exists
fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
close(fd);
RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno));
fd = -1;
+ DB_BEGIN
+
result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm, 1);
RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
result = perm_app_enable_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm, 1);
// Checking if "early rule" for APP_ID was really removed
// We also should make sure that "early rules" for other apps wasn't removed
+ DB_BEGIN
result = perm_app_uninstall(APP_ID);
RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ DB_END
pass_1 = 1;
pass_2 = 0;
RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
// Removing and checking "early rule" for APP_TEST_APP_1
+ DB_BEGIN
result = perm_app_uninstall(APP_TEST_APP_1);
RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+ DB_END
pass_1 = 1;
pass_2 = 1;
checkOnlyAvAccessNosmack(APP_TEST_AV_2, label3.c_str(), ss.str().c_str());
}
+ DB_BEGIN
+
//Clean up
perm_app_revoke_permissions(APP_TEST_AV_1);
perm_app_revoke_permissions(APP_TEST_AV_2);
perm_app_uninstall(APP_TEST_APP_1);
perm_app_uninstall(APP_TEST_APP_2);
perm_app_uninstall(APP_TEST_APP_3);
+
+ DB_END
}
RUNNER_TEST(privilege_control24a_av_privilege_group_rw)
RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
"perm_app_setup_path should fail here. Result: " << result);
+ DB_END
+
result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Unable to clean up Smack labels in " << TEST_APP_DIR);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+ DB_BEGIN
+
result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"perm_app_setup_path() failed. Result: " << result);
}
/**
- * NOSMACK version of test_have_accesses functions.
- *
- * This will be used in many tests. Checks if for every rule smack_have_access returns error.
- * If for any of rules smack_have_access will return something different than error, this result
- * is being returned to caller.
- */
-int test_have_nosmack_accesses(const std::vector< std::vector<std::string> > &rules)
-{
- int result;
- for (uint i = 0; i < rules.size(); ++i) {
- result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
- if (result != -1)
- return result;
- }
- return -1;
-}
-
-/**
* NOSMACK version of privilege_control04 test.
*
* Tries to add permisions from test_privilege_control_rules template and checks if
*/
RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack)
{
+ int result;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_ID);
+ RUNNER_ASSERT_MSG(result == 0,
+ "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_install(APP_ID);
+ RUNNER_ASSERT_MSG(result == 0,
+ "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
//Add permissions
- auto result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
+ result = perm_app_enable_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL, TRUE);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error adding app permissions. Result: " << result);
+ DB_END
+
//Check if smack_have_access always fails on every rule
- result = test_have_nosmack_accesses(rules);
+ result = test_have_nosmack_accesses(rules_efl);
RUNNER_ASSERT_MSG(result == -1,
"Despite SMACK being off some accesses were added. Result: " << result);
- //Does file exist?
- std::fstream fs(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
- RUNNER_ASSERT_MSG(fs.good(), "SMACK file NOT created!. Errno: " << strerror(errno));
-
- fs.seekg(0, std::ifstream::end);
- RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty, but privileges list was not empty.");
+ // TODO check entry in database
}
void set_app_privilege_nosmack(int line_no,
const char* app_id, app_type_t app_type,
const char** privileges, const char* type,
const char* app_path, const char* dac_file,
- const std::vector< std::vector<std::string> > &rules)
+ const rules_t &rules)
{
check_app_installed(line_no, app_path);
int result;
+ DB_BEGIN
+
+ result = perm_app_uninstall(app_id);
+ RUNNER_ASSERT_MSG(result == 0,
+ "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_install(app_id);
+ RUNNER_ASSERT_MSG(result == 0,
+ "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
result = perm_app_enable_permissions(app_id, app_type, privileges, 1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
" Error enabling app permissions. Result: " << result);
+ DB_END
+
result = test_have_nosmack_accesses(rules);
RUNNER_ASSERT_MSG(result == -1, "Line: " << line_no <<
" Permissions shouldn't be added. Result: " << result);
+ DB_BEGIN
+
result = perm_app_set_privilege(app_id, type, app_path);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
" Error in perm_app_set_privilege. Error: " << result);
+ DB_END
+
//Even though app privileges are set, no smack label should be extracted.
char* label = NULL;
result = smack_new_label_from_self(&label);
smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
+ DB_BEGIN
+
//Set app privileges
result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error in perm_app_set_privilege. Error: " << result);
+ DB_END
+
//Even though app privileges are set, no smack label should be extracted.
char* label = NULL;
result = smack_new_label_from_self(&label);
LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform);
}
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_wgt_nosmack)
+{
+ test_revoke_permissions(__LINE__, WGT_APP_ID, rules_wgt, false);
+}
+
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_wgt_partner_nosmack)
+{
+ test_revoke_permissions(__LINE__, WGT_PARTNER_APP_ID, rules_wgt_partner, false);
+}
+
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_wgt_platform_nosmack)
+{
+ test_revoke_permissions(__LINE__, WGT_PLATFORM_APP_ID, rules_wgt_platform, false);
+}
+
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_osp_nosmack)
+{
+ test_revoke_permissions(__LINE__, OSP_APP_ID, rules_osp, false);
+}
+
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_osp_partner_nosmack)
+{
+ test_revoke_permissions(__LINE__, OSP_PARTNER_APP_ID, rules_osp_partner, false);
+}
+
+/**
+ * Revoke permissions from the list. Should be executed as privileged user.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_osp_platform_nosmack)
+{
+ test_revoke_permissions(__LINE__, OSP_PLATFORM_APP_ID, rules_osp_platform, false);
+}
+
/*
* NOSMACK version of privilege_control10_app_register_av test.
*
RUNNER_ASSERT_MSG(result == 0,
"perm_app_install returned " << result << ". Errno: " << strerror(errno));
+ DB_END
+
// Adding antivir
result = app_register_av(APP_TEST_AV_1);
RUNNER_ASSERT_MSG(result == 0,
"app_register_av returned " << result << ". Errno: " << strerror(errno));
- DB_END
-
// Checking added apps accesses
checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
+ DB_BEGIN
+
// Adding third app
result = perm_app_install(APP_TEST_APP_3);
RUNNER_ASSERT_MSG(result == 0,
"perm_app_install returned " << result << ". Errno: " << strerror(errno));
+ DB_END
+
// Checking app accesses
checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
RUNNER_TEST_NOSMACK(privilege_control11_app_enable_permissions_nosmack)
{
int result;
- std::fstream fs;
DB_BEGIN
- result = perm_app_revoke_permissions(APP_ID);
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_revoke_permissions(WGT_APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error revoking app permissions. Result: " << result);
- result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error enabling app permissions. Result: " << result);
result = test_have_nosmack_accesses(rules2);
RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
- //File exists?
- fs.open(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
- RUNNER_ASSERT_MSG(fs.good(), "Couldn't open SMACK file.");
+ // TODO check entry in database
- //Is it empty?
- fs.seekg(0, std::ifstream::end);
- RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty with persistant mode 1.");
+ DB_BEGIN
//Clean up
- result = perm_app_revoke_permissions(APP_ID);
+ result = perm_app_revoke_permissions(WGT_APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error revoking app permissions. Result: " << result);
+
+ DB_END
+}
+
+RUNNER_CHILD_TEST_NOSMACK(privilege_control11_app_enable_permissions_efl_nosmack)
+{
+ test_app_enable_permissions_efl(false);
+}
+
+/*
+ * Check perm_app_install function
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control12_app_disable_permissions_efl_nosmack)
+{
+ test_app_disable_permissions_efl(false);
+}
+
+/**
+ * Remove previously granted SMACK permissions based on permissions list.
+ */
+RUNNER_TEST_NOSMACK(privilege_control12_app_disable_permissions_nosmack)
+{
+ test_app_disable_permissions(false);
}
/**
DB_BEGIN
+ result = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
// Prepare permissions to reset
- result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error adding app permissions. Result: " << result);
// Reset permissions
- result = perm_app_reset_permissions(APP_ID);
+ result = perm_app_reset_permissions(WGT_APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error reseting app permissions. Result: " << result);
result = test_have_nosmack_accesses(rules2);
RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be changed. Result: " << result);
+ DB_BEGIN
+
// Disable permissions
- result = perm_app_revoke_permissions(APP_ID);
+ result = perm_app_revoke_permissions(WGT_APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error disabling app permissions. Result: " << result);
+
+ DB_END
}
/**
return 0;
}
+RUNNER_TEST_NOSMACK(privilege_control17_appsettings_privilege_nosmack)
+{
+ test_appsettings_privilege(false);
+}
+
/**
* NOSMACK version of privilege_control18 test.
*
RUNNER_ASSERT_MSG(result == 0,
"Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
+ DB_BEGIN
+
result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
+ DB_END
+
result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0,
"Unable to check Smack labels for non-app dir. Result: " << result);
RUNNER_ASSERT_MSG(result == 0,
"Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
+ DB_BEGIN
+
result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
+ DB_END
+
result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0,
"Unable to check Smack labels for non-app dir. Result: " << result);
RUNNER_TEST_NOSMACK(privilege_control20_app_setup_path_npruntime_nosmack)
{
int result = 0;
- std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
+ CStringPtr labelPtr;
std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime";
char *label = NULL;
result = test_have_nosmack_accesses(np_rules);
RUNNER_ASSERT_MSG(result == -1, "Accesses shouldn't be added. Result: " << result);
+ DB_BEGIN
+
// Uninstall app runtime
result = perm_app_uninstall(APP_NPRUNTIME);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
+
+ DB_END
}
/**
projects / platform / core / test / security-tests.git / commitdiff