#include <string>
#include <sys/smack.h>
#include <vector>
+#include <unistd.h>
#include <security-manager.h>
#include <app_install_helper.h>
#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_child.h>
+#include <scoped_installer.h>
#include <sm_api.h>
#include <sm_commons.h>
#include <sm_db.h>
#include <sm_request.h>
+#include <temp_test_user.h>
#include <tests_common.h>
#include <tzplatform.h>
using namespace SecurityManagerTest;
-static const std::string SM_TRUSTED_PATH =
- TzPlatformConfig::globalAppDir() + "/sm_test_02_pkg_id_full/app_dir_trusted";
-
-static void check_exact_access(const std::string& subject, const std::string& object, const std::string& access)
-{
- // check access
- if (!access.empty()) {
- int result = smack_have_access(subject.c_str(), object.c_str(), access.c_str());
- RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
- RUNNER_ASSERT_MSG(result == 1,
- "No smack access: " << subject << " " << object << " " << access);
- }
- // check excessive access
- auto foundInAccess = [&access](std::string::value_type c) {
- return access.find(c) != std::string::npos; };
-
- std::string negative = "rwxatl";
- auto end = std::remove_if(negative.begin(), negative.end(), foundInAccess);
- negative.erase(end, negative.end());
-
- for(const auto& c : negative) {
- int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
- RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
- RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" <<
- " subject:" << subject <<
- " object:" << object <<
- " right:" << std::string(1,c) <<
- " result:" << result <<
- " expected:0");
- }
-}
-
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
RUNNER_TEST(security_manager_40_set_wrong_author_id)
}
}
-RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
+RUNNER_CHILD_TEST(security_manager_43_app_install_with_trusted_path)
{
- std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
- auto &provider = helper[0];
- auto &user = helper[1];
- auto &untrusted = helper[2];
+ TemporaryTestUser user("sm_test_43_user_name", GUM_USERTYPE_NORMAL);
+ user.create();
- TestSecurityManagerDatabase dbtest;
- const char *author_id = "custom_author_id_test 41";
+ const std::string authorId = "sm_test_43_author_id";
- const char *const trusted_access = "rwxatl";
- const char *const system_access = "rwxatl";
+ AppInstallHelper provider("sm_test_43_provider", user.getUid());
+ provider.createTrustedDir();
+ provider.setAuthor(authorId);
- int result;
-
- // cleanup
- for (auto &e : helper) {
- e.revokeRules();
- e.createTrustedDir();
- }
+ AppInstallHelper trusted("sm_test_43_user", user.getUid());
+ trusted.setAuthor(authorId);
- result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
+ AppInstallHelper untrusted("sm_test_43_untrusted");
// install app with shared/trusted dir
- InstallRequest trustingApp;
- trustingApp.setAppId(provider.getAppId());
- trustingApp.setPkgId(provider.getPkgId());
- trustingApp.setAuthorId("author id to be overwritten");
- trustingApp.setAuthorId(author_id);
- trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
- Api::install(trustingApp);
-
- int64_t authorDb = dbtest.get_author_id(author_id);
- const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
-
- // check trusted path label
- check_path(provider.getTrustedDir(), trusted_label);
-
- // check rules
- check_exact_access("System", trusted_label, system_access);
- check_exact_access("User", trusted_label, system_access);
- check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
- trusted_label, trusted_access);
+ InstallRequest providerInstallReq;
+ providerInstallReq.setAppId(provider.getAppId());
+ providerInstallReq.setPkgId(provider.getPkgId());
+ providerInstallReq.setUid(provider.getUID());
+ providerInstallReq.setAuthorId("author id to be overwritten");
+ providerInstallReq.setAuthorId(provider.getAuthor());
+ providerInstallReq.addPath(provider.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
+ Api::install(providerInstallReq);
- // install trusted app
- InstallRequest trustedApp;
- trustedApp.setAppId(user.getAppId());
- trustedApp.setPkgId(user.getPkgId());
- trustedApp.setAuthorId(author_id);
- Api::install(trustedApp);
+ std::string trustedPath = provider.getTrustedDir();
- // check rules
- check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
- trusted_label, trusted_access);
+ // Second installation only for scoped uninstall
+ ScopedInstaller providerInstall(provider);
- // install untrusted app
- InstallRequest untrustedApp;
- untrustedApp.setAppId(untrusted.getAppId());
- untrustedApp.setPkgId(untrusted.getPkgId());
- Api::install(untrustedApp);
+ runAccessTest(provider, trustedPath, R_OK|W_OK|X_OK);
+ runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK);
- // check rules
- check_exact_access(generateProcessLabel(untrusted.getAppId(), untrusted.getPkgId()),
- trusted_label, "");
+ // install trusted app
+ ScopedInstaller userInstall(trusted);
+ runAccessTest(trusted, provider.getTrustedDir(), R_OK|W_OK|X_OK);
- // uninstall trusting app
- Api::uninstall(trustingApp);
+ // install untrusted app
+ ScopedInstaller untrustedInstall(untrusted);
+ runAccessTest(untrusted, trustedPath, 0);
+
+ providerInstall.uninstallApp();
// there's still one app with author id, rules should be kept
- check_exact_access("System", trusted_label, system_access);
- check_exact_access("User", trusted_label, system_access);
- check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
- trusted_label, "");
- check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
- trusted_label, trusted_access);
+ runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK);
+ runAccessTest(trusted, provider.getTrustedDir(), R_OK|W_OK|X_OK);
+ runAccessTest(untrusted, trustedPath, 0);
- Api::uninstall(trustedApp);
+ //Second install of provider, but without authorid, to check if there is no access
+ AppInstallHelper provider2("sm_test_43_provider");
+ ScopedInstaller providerInstall2(provider2);
+ runAccessTest(provider2, trustedPath, 0);
- // no more apps with author id
- check_exact_access("System", trusted_label, "");
- check_exact_access("User", trusted_label, "");
- check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
- trusted_label, "");
+ userInstall.uninstallApp();
- Api::uninstall(untrustedApp);
+ // no more apps with author id
+ runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, 0);
}
Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
}
-RUNNER_TEST(security_manager_45_test_authorId_identificator_creation)
+RUNNER_CHILD_TEST(security_manager_45_test_authorId_identificator_creation)
{
- std::vector<AppInstallHelper> helper {{"a45"}, {"b45"}};
- auto &trusted1 = helper[0];
- auto &trusted2 = helper[1];
-
- TestSecurityManagerDatabase dbtest;
- const char *authorId1 = "custom_author_id_test a45";
- const char *authorId2 = "custom_author_id_test b45";
-
- // cleanup
- for (auto &e : helper) {
- e.revokeRules();
- e.createTrustedDir();
- }
- // install app with shared/trusted dir
- InstallRequest trustingApp;
- trustingApp.setAppId(trusted1.getAppId());
- trustingApp.setPkgId(trusted1.getPkgId());
- trustingApp.setAuthorId(authorId1);
- trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
- Api::install(trustingApp);
+ AppInstallHelper trusted1("sm_test_45_1");
+ trusted1.setAuthor("sm_test_45_1_author_id");
+ trusted1.createTrustedDir();
- int64_t authorDb1 = dbtest.get_author_id(authorId1);
+ AppInstallHelper trusted2("sm_test_45_2");
+ trusted2.setAuthor("sm_test_45_2_author_id");
+ trusted2.createTrustedDir();
- // install trusted app
- InstallRequest trustedApp;
- trustedApp.setAppId(trusted2.getAppId());
- trustedApp.setPkgId(trusted2.getPkgId());
- trustedApp.setAuthorId(authorId2);
- Api::install(trustedApp);
+ ScopedInstaller trustedInstall1(trusted1);
+ ScopedInstaller trustedInstall2(trusted2);
- int64_t authorDb2 = dbtest.get_author_id(authorId2);
+ std::string trustedPath1 = trusted1.getTrustedDir();
+ std::string trustedPath2 = trusted2.getTrustedDir();
- Api::uninstall(trustingApp);
- Api::uninstall(trustedApp);
+ runAccessTest(trusted1, trustedPath1, R_OK|W_OK|X_OK);
+ runAccessTest(trusted2, trustedPath1, 0);
+ runSystemAccessTest(geteuid(), getegid(), trustedPath1, R_OK | W_OK | X_OK);
- RUNNER_ASSERT(authorDb1 != authorDb2);
+ runAccessTest(trusted2, trustedPath2, R_OK|W_OK|X_OK);
+ runAccessTest(trusted1, trustedPath2, 0);
+ runSystemAccessTest(geteuid(), getegid(), trustedPath2, R_OK | W_OK | X_OK);
}
/* Description:
* Lets assume that app1 and app2 are part of pkg1.
- * Deinstalation of app1 mustnot remove rules:
- * System PKG1Label rwxatl
- * User PKGLabel rwxatl
+ * Deinstalation of app1 must not remove access from system processes to trusted paths
*/
-void test_46_pkgId_deinstallation(bool isHybrid) {
- std::vector<AppInstallHelper> helper {{"a46", "a46"}, {"b46", "a46"}};
- auto &trusted1 = helper[0];
- auto &trusted2 = helper[1];
+void test_46_pkgId_deinstallation(bool isFirstOneHybrid, bool isSecondOneHybrid) {
+ TemporaryTestUser user("sm_test_46_user_name", GUM_USERTYPE_NORMAL);
+ user.create();
- std::string authorId1 = "author46XYZ";
+ const std::string authorId = "sm_test_46_author_id";
- for (auto &e : helper) {
- e.revokeRules();
- e.createTrustedDir();
- }
+ AppInstallHelper provider("sm_test_46_1", user.getUid());
+ provider.createTrustedDir();
+ provider.setAuthor(authorId);
+ if (isFirstOneHybrid)
+ provider.setHybrid();
+ ScopedInstaller providerInstaller(provider);
- InstallRequest trustingApp;
- trustingApp.setAppId(trusted1.getAppId());
- trustingApp.setPkgId(trusted1.getPkgId());
- trustingApp.setAuthorId(authorId1);
- if (isHybrid)
- trustingApp.setHybrid();
- trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
- Api::install(trustingApp);
-
- InstallRequest trustingApp2;
- trustingApp2.setAppId(trusted2.getAppId());
- trustingApp2.setPkgId(trusted2.getPkgId());
- trustingApp2.setAuthorId(authorId1);
- if (isHybrid)
- trustingApp2.setHybrid();
- Api::install(trustingApp2);
-
-
- check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
- check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
- if (isHybrid) {
- // Nonhybrid apps have the same label for process and private files
- check_exact_access("System",
- generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
- "rwxatl");
- check_exact_access("User",
- generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
- "rwxatl");
- check_exact_access("System",
- generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid),
- "rwxatl");
- check_exact_access("User",
- generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid),
- "rwxatl");
- }
+ AppInstallHelper trusted("sm_test_46_2", user.getUid());
+ trusted.setAuthor(authorId);
+ if (isSecondOneHybrid)
+ trusted.setHybrid();
+ ScopedInstaller trustedInstaller(trusted);
- Api::uninstall(trustingApp2);
-
- check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
- check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
-
- if (isHybrid) {
- // Nonhybrid apps from the same package share process label
- check_exact_access("System",
- generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
- "rwxatl");
- check_exact_access("User",
- generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
- "rwxatl");
- check_exact_access("System",
- generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid),
- "");
- check_exact_access("User",
- generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid),
- "");
- }
+ const std::string trustedPath = provider.getTrustedDir();
+
+ runAccessTest(provider, trustedPath, R_OK | W_OK | X_OK);
+ runAccessTest(trusted, trustedPath, R_OK | W_OK | X_OK);
+ runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK);
+
+ trustedInstaller.uninstallApp();
- Api::uninstall(trustingApp);
+ runAccessTest(provider, trustedPath, R_OK | W_OK | X_OK);
+ runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK);
- check_exact_access("System",
- generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
- "");
- check_exact_access("User",
- generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid),
- "");
- check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "");
- check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "");
+ providerInstaller.uninstallApp();
+
+ runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, 0);
+}
+
+RUNNER_CHILD_TEST(security_manager_46a_pkgId_deinstalation_test_hybrid)
+{
+ test_46_pkgId_deinstallation(true, true);
+}
+
+RUNNER_CHILD_TEST(security_manager_46b_pkgId_deinstalation_test_nonhybrid)
+{
+ test_46_pkgId_deinstallation(false, false);
}
-RUNNER_TEST(security_manager_46_pkgId_deinstalation_test_hybrid)
+RUNNER_CHILD_TEST(security_manager_46c_pkgId_deinstalation_test_hybrid_only_provider)
{
- test_46_pkgId_deinstallation(true);
+ test_46_pkgId_deinstallation(true, false);
}
-RUNNER_TEST(security_manager_46_pkgId_deinstalation_test_nonhybrid)
+RUNNER_CHILD_TEST(security_manager_46d_pkgId_deinstalation_test_hybrid_only_trusted)
{
- test_46_pkgId_deinstallation(false);
+ test_46_pkgId_deinstallation(false, true);
}