SM : Cleanup - trusted sharing test cases 92/95792/3
authorZofia Abramowska <z.abramowska@samsung.com>
Fri, 4 Nov 2016 16:11:41 +0000 (17:11 +0100)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Wed, 30 Nov 2016 19:54:05 +0000 (20:54 +0100)
Change-Id: I3114a2e711b2d73d5fcc34a8a86a690098388b00

src/security-manager-tests/test_cases_trusted_sharing.cpp

index 531d9f285888492a2a2cda22c7e27b2938ca0c67..0060fa24ff922d2df9eaead4565ce155db1078b8 100644 (file)
 #include <string>
 #include <sys/smack.h>
 #include <vector>
+#include <unistd.h>
 
 #include <security-manager.h>
 
 #include <app_install_helper.h>
 #include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_child.h>
+#include <scoped_installer.h>
 #include <sm_api.h>
 #include <sm_commons.h>
 #include <sm_db.h>
 #include <sm_request.h>
+#include <temp_test_user.h>
 #include <tests_common.h>
 #include <tzplatform.h>
 
 using namespace SecurityManagerTest;
 
-static const std::string SM_TRUSTED_PATH =
-        TzPlatformConfig::globalAppDir() + "/sm_test_02_pkg_id_full/app_dir_trusted";
-
-static void check_exact_access(const std::string& subject, const std::string& object, const std::string& access)
-{
-    // check access
-    if (!access.empty()) {
-        int result = smack_have_access(subject.c_str(), object.c_str(), access.c_str());
-        RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
-        RUNNER_ASSERT_MSG(result == 1,
-          "No smack access: " << subject << " " << object << " " << access);
-    }
-    // check excessive access
-    auto foundInAccess = [&access](std::string::value_type c) {
-        return access.find(c) != std::string::npos; };
-
-    std::string negative = "rwxatl";
-    auto end = std::remove_if(negative.begin(), negative.end(), foundInAccess);
-    negative.erase(end, negative.end());
-
-    for(const auto& c : negative) {
-        int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
-        RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
-        RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" <<
-            " subject:" << subject <<
-            " object:" << object <<
-            " right:" << std::string(1,c) <<
-            " result:" << result <<
-            " expected:0");
-    }
-}
-
 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
 
 RUNNER_TEST(security_manager_40_set_wrong_author_id)
@@ -88,92 +60,64 @@ RUNNER_TEST(security_manager_41_set_author_id_multiple_times)
     }
 }
 
-RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
+RUNNER_CHILD_TEST(security_manager_43_app_install_with_trusted_path)
 {
-    std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
-    auto &provider  = helper[0];
-    auto &user      = helper[1];
-    auto &untrusted = helper[2];
+    TemporaryTestUser user("sm_test_43_user_name", GUM_USERTYPE_NORMAL);
+    user.create();
 
-    TestSecurityManagerDatabase dbtest;
-    const char *author_id = "custom_author_id_test 41";
+    const std::string authorId = "sm_test_43_author_id";
 
-    const char *const trusted_access = "rwxatl";
-    const char *const system_access = "rwxatl";
+    AppInstallHelper provider("sm_test_43_provider", user.getUid());
+    provider.createTrustedDir();
+    provider.setAuthor(authorId);
 
-    int result;
-
-    // cleanup
-    for (auto &e : helper) {
-        e.revokeRules();
-        e.createTrustedDir();
-    }
+    AppInstallHelper trusted("sm_test_43_user", user.getUid());
+    trusted.setAuthor(authorId);
 
-    result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
-    RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
+    AppInstallHelper untrusted("sm_test_43_untrusted");
 
     // install app with shared/trusted dir
-    InstallRequest trustingApp;
-    trustingApp.setAppId(provider.getAppId());
-    trustingApp.setPkgId(provider.getPkgId());
-    trustingApp.setAuthorId("author id to be overwritten");
-    trustingApp.setAuthorId(author_id);
-    trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
-    Api::install(trustingApp);
-
-    int64_t authorDb = dbtest.get_author_id(author_id);
-    const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
-
-    // check trusted path label
-    check_path(provider.getTrustedDir(), trusted_label);
-
-    // check rules
-    check_exact_access("System", trusted_label, system_access);
-    check_exact_access("User", trusted_label, system_access);
-    check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
-                       trusted_label, trusted_access);
+    InstallRequest providerInstallReq;
+    providerInstallReq.setAppId(provider.getAppId());
+    providerInstallReq.setPkgId(provider.getPkgId());
+    providerInstallReq.setUid(provider.getUID());
+    providerInstallReq.setAuthorId("author id to be overwritten");
+    providerInstallReq.setAuthorId(provider.getAuthor());
+    providerInstallReq.addPath(provider.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
+    Api::install(providerInstallReq);
 
-    // install trusted app
-    InstallRequest trustedApp;
-    trustedApp.setAppId(user.getAppId());
-    trustedApp.setPkgId(user.getPkgId());
-    trustedApp.setAuthorId(author_id);
-    Api::install(trustedApp);
+    std::string trustedPath = provider.getTrustedDir();
 
-    // check rules
-    check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
-                       trusted_label, trusted_access);
+    // Second installation only for scoped uninstall
+    ScopedInstaller providerInstall(provider);
 
-    // install untrusted app
-    InstallRequest untrustedApp;
-    untrustedApp.setAppId(untrusted.getAppId());
-    untrustedApp.setPkgId(untrusted.getPkgId());
-    Api::install(untrustedApp);
+    runAccessTest(provider, trustedPath, R_OK|W_OK|X_OK);
+    runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK);
 
-    // check rules
-    check_exact_access(generateProcessLabel(untrusted.getAppId(), untrusted.getPkgId()),
-                       trusted_label, "");
+    // install trusted app
+    ScopedInstaller userInstall(trusted);
+    runAccessTest(trusted, provider.getTrustedDir(), R_OK|W_OK|X_OK);
 
-    // uninstall trusting app
-    Api::uninstall(trustingApp);
+    // install untrusted app
+    ScopedInstaller untrustedInstall(untrusted);
+    runAccessTest(untrusted, trustedPath, 0);
+
+    providerInstall.uninstallApp();
 
     // there's still one app with author id, rules should be kept
-    check_exact_access("System", trusted_label, system_access);
-    check_exact_access("User", trusted_label, system_access);
-    check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
-                       trusted_label, "");
-    check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
-                       trusted_label, trusted_access);
+    runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK);
+    runAccessTest(trusted, provider.getTrustedDir(), R_OK|W_OK|X_OK);
+    runAccessTest(untrusted, trustedPath, 0);
 
-    Api::uninstall(trustedApp);
+    //Second install of provider, but without authorid, to check if there is no access
+    AppInstallHelper provider2("sm_test_43_provider");
+    ScopedInstaller providerInstall2(provider2);
+    runAccessTest(provider2, trustedPath, 0);
 
-    // no more apps with author id
-    check_exact_access("System", trusted_label, "");
-    check_exact_access("User", trusted_label, "");
-    check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
-                       trusted_label, "");
+    userInstall.uninstallApp();
 
-    Api::uninstall(untrustedApp);
+    // no more apps with author id
+    runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, 0);
 }
 
 
@@ -190,139 +134,86 @@ RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id)
     Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
 }
 
-RUNNER_TEST(security_manager_45_test_authorId_identificator_creation)
+RUNNER_CHILD_TEST(security_manager_45_test_authorId_identificator_creation)
 {
-    std::vector<AppInstallHelper> helper {{"a45"}, {"b45"}};
-    auto &trusted1 = helper[0];
-    auto &trusted2 = helper[1];
-
-    TestSecurityManagerDatabase dbtest;
-    const char *authorId1 = "custom_author_id_test a45";
-    const char *authorId2 = "custom_author_id_test b45";
-
-    // cleanup
-    for (auto &e : helper) {
-        e.revokeRules();
-        e.createTrustedDir();
-    }
 
-    // install app with shared/trusted dir
-    InstallRequest trustingApp;
-    trustingApp.setAppId(trusted1.getAppId());
-    trustingApp.setPkgId(trusted1.getPkgId());
-    trustingApp.setAuthorId(authorId1);
-    trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
-    Api::install(trustingApp);
+    AppInstallHelper trusted1("sm_test_45_1");
+    trusted1.setAuthor("sm_test_45_1_author_id");
+    trusted1.createTrustedDir();
 
-    int64_t authorDb1 = dbtest.get_author_id(authorId1);
+    AppInstallHelper trusted2("sm_test_45_2");
+    trusted2.setAuthor("sm_test_45_2_author_id");
+    trusted2.createTrustedDir();
 
-    // install trusted app
-    InstallRequest trustedApp;
-    trustedApp.setAppId(trusted2.getAppId());
-    trustedApp.setPkgId(trusted2.getPkgId());
-    trustedApp.setAuthorId(authorId2);
-    Api::install(trustedApp);
+    ScopedInstaller trustedInstall1(trusted1);
+    ScopedInstaller trustedInstall2(trusted2);
 
-    int64_t authorDb2 = dbtest.get_author_id(authorId2);
+    std::string trustedPath1 = trusted1.getTrustedDir();
+    std::string trustedPath2 = trusted2.getTrustedDir();
 
-    Api::uninstall(trustingApp);
-    Api::uninstall(trustedApp);
+    runAccessTest(trusted1, trustedPath1, R_OK|W_OK|X_OK);
+    runAccessTest(trusted2, trustedPath1, 0);
+    runSystemAccessTest(geteuid(), getegid(), trustedPath1, R_OK | W_OK | X_OK);
 
-    RUNNER_ASSERT(authorDb1 != authorDb2);
+    runAccessTest(trusted2, trustedPath2, R_OK|W_OK|X_OK);
+    runAccessTest(trusted1, trustedPath2, 0);
+    runSystemAccessTest(geteuid(), getegid(), trustedPath2, R_OK | W_OK | X_OK);
 }
 /* Description:
  * Lets assume that app1 and app2 are part of pkg1.
- * Deinstalation of app1 mustnot remove rules:
- * System PKG1Label rwxatl
- * User PKGLabel rwxatl
+ * Deinstalation of app1 must not remove access from system processes to trusted paths
  */
-void test_46_pkgId_deinstallation(bool isHybrid) {
-    std::vector<AppInstallHelper> helper {{"a46", "a46"}, {"b46", "a46"}};
-    auto &trusted1 = helper[0];
-    auto &trusted2 = helper[1];
+void test_46_pkgId_deinstallation(bool isFirstOneHybrid, bool isSecondOneHybrid) {
+    TemporaryTestUser user("sm_test_46_user_name", GUM_USERTYPE_NORMAL);
+    user.create();
 
-    std::string authorId1 = "author46XYZ";
+    const std::string authorId = "sm_test_46_author_id";
 
-    for (auto &e : helper) {
-        e.revokeRules();
-        e.createTrustedDir();
-    }
+    AppInstallHelper provider("sm_test_46_1", user.getUid());
+    provider.createTrustedDir();
+    provider.setAuthor(authorId);
+    if (isFirstOneHybrid)
+        provider.setHybrid();
+    ScopedInstaller providerInstaller(provider);
 
-    InstallRequest trustingApp;
-    trustingApp.setAppId(trusted1.getAppId());
-    trustingApp.setPkgId(trusted1.getPkgId());
-    trustingApp.setAuthorId(authorId1);
-    if (isHybrid)
-        trustingApp.setHybrid();
-    trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
-    Api::install(trustingApp);
-
-    InstallRequest trustingApp2;
-    trustingApp2.setAppId(trusted2.getAppId());
-    trustingApp2.setPkgId(trusted2.getPkgId());
-    trustingApp2.setAuthorId(authorId1);
-    if (isHybrid)
-        trustingApp2.setHybrid();
-    Api::install(trustingApp2);
-
-
-    check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
-    check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
-    if (isHybrid) {
-        // Nonhybrid apps have the same label for process and private files
-        check_exact_access("System",
-                           generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
-                           "rwxatl");
-        check_exact_access("User",
-                           generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
-                            "rwxatl");
-        check_exact_access("System",
-                           generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid),
-                           "rwxatl");
-        check_exact_access("User",
-                           generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid),
-                           "rwxatl");
-    }
+    AppInstallHelper trusted("sm_test_46_2", user.getUid());
+    trusted.setAuthor(authorId);
+    if (isSecondOneHybrid)
+        trusted.setHybrid();
+    ScopedInstaller trustedInstaller(trusted);
 
-    Api::uninstall(trustingApp2);
-
-    check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
-    check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
-
-    if (isHybrid) {
-        // Nonhybrid apps from the same package share process label
-        check_exact_access("System",
-                           generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
-                           "rwxatl");
-        check_exact_access("User",
-                           generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
-                           "rwxatl");
-        check_exact_access("System",
-                           generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid),
-                           "");
-        check_exact_access("User",
-                           generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid),
-                           "");
-    }
+    const std::string trustedPath = provider.getTrustedDir();
+
+    runAccessTest(provider, trustedPath, R_OK | W_OK | X_OK);
+    runAccessTest(trusted, trustedPath, R_OK | W_OK | X_OK);
+    runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK);
+
+    trustedInstaller.uninstallApp();
 
-    Api::uninstall(trustingApp);
+    runAccessTest(provider, trustedPath, R_OK | W_OK | X_OK);
+    runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK);
 
-    check_exact_access("System",
-                       generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
-                       "");
-    check_exact_access("User",
-                       generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
-                       "");
-    check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "");
-    check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "");
+    providerInstaller.uninstallApp();
+
+    runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, 0);
+}
+
+RUNNER_CHILD_TEST(security_manager_46a_pkgId_deinstalation_test_hybrid)
+{
+    test_46_pkgId_deinstallation(true, true);
+}
+
+RUNNER_CHILD_TEST(security_manager_46b_pkgId_deinstalation_test_nonhybrid)
+{
+    test_46_pkgId_deinstallation(false, false);
 }
 
-RUNNER_TEST(security_manager_46_pkgId_deinstalation_test_hybrid)
+RUNNER_CHILD_TEST(security_manager_46c_pkgId_deinstalation_test_hybrid_only_provider)
 {
-    test_46_pkgId_deinstallation(true);
+    test_46_pkgId_deinstallation(true, false);
 }
 
-RUNNER_TEST(security_manager_46_pkgId_deinstalation_test_nonhybrid)
+RUNNER_CHILD_TEST(security_manager_46d_pkgId_deinstalation_test_hybrid_only_trusted)
 {
-    test_46_pkgId_deinstallation(false);
+    test_46_pkgId_deinstallation(false, true);
 }