using namespace SecurityManagerTest;
#define CONF_DIR "/usr/share/security-manager/policy/"
+#define SMACK_RULES_PATH "/sys/fs/smackfs/load2"
// Common DB/nftw checks
}
}
+static void assert_no_label_in_rule(const AccessRequest &rule, const std::string &label)
+{
+ RUNNER_ASSERT_MSG(rule.object != label && rule.subject != label,
+ "Smack rule left after uninstallation process." <<
+ " Subject: " << rule.subject <<
+ " object: " << rule.object <<
+ " access: " << rule.access);
+}
+
+static void check_pkg_smack_rules_after_uninstall(const std::string &appId, const std::string &pkgId)
+{
+ const std::vector<AccessRequest> rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH)));
+ const std::string labels[] = {generatePathRWLabel(pkgId),
+ generatePathROLabel(pkgId),
+ generatePathSharedROLabel(pkgId),
+ generateProcessLabel(appId, pkgId, true),
+ generateProcessLabel(appId, pkgId)};
+ for (const auto &rule : rules) {
+ for (const auto &label : labels) {
+ assert_no_label_in_rule(rule, label);
+ }
+ }
+}
+
+static void check_hybrid_app_smack_rules_after_uninstall(const std::string &appId, const std::string &pkgId)
+{
+ const std::vector<AccessRequest> rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH)));
+ const std::string appLabel = generateProcessLabel(appId, pkgId, true);
+ for (const auto &rule : rules) {
+ assert_no_label_in_rule(rule, appLabel);
+ }
+}
+
static void check_app(const std::string &appId, const std::string &pkgId,
- bool shouldBeInstalled, bool isHybrid)
+ bool shouldBeInstalled, bool isHybrid, bool removePkg)
{
char *retPkgId;
int ret = security_manager_get_app_pkgid(&retPkgId, appId.c_str());
check_app_smack_accesses(appId, pkgId, isHybrid);
} else {
RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "The given appId is installed.");
+
+ if (removePkg) {
+ check_pkg_smack_rules_after_uninstall(appId, pkgId);
+ } else if (isHybrid) {
+ check_hybrid_app_smack_rules_after_uninstall(appId, pkgId);
+ }
}
}
void check_app_after_install(const std::string &app_id, const std::string &pkg_id, bool isHybrid)
{
- check_app(app_id, pkg_id, true, isHybrid);
+ check_app(app_id, pkg_id, true, isHybrid, false);
}
static void check_app_gids(const std::string &app_id, const std::vector<gid_t> &allowed_gids)
const privileges_t &denied_privs,
bool isHybrid)
{
- check_app(app_id, pkg_id, true, isHybrid);
+ check_app(app_id, pkg_id, true, isHybrid, false);
/* Privileges should be granted to all users if root installs app */
check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs, isHybrid);
}
void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
- bool isHybrid)
+ bool isHybrid, bool removePkg)
{
- check_app(app_id, pkg_id, false, isHybrid);
+ check_app(app_id, pkg_id, false, isHybrid, removePkg);
}
void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
- const privileges_t &privileges, bool isHybrid)
+ const privileges_t &privileges, bool isHybrid,
+ bool removePkg)
{
- check_app(app_id, pkg_id, false, isHybrid);
+ check_app(app_id, pkg_id, false, isHybrid, removePkg);
/* Privileges should not be granted anymore to any user */
check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, {}, privileges, isHybrid);
void check_path(const std::string &path, const std::string &label,
bool transmute = true, bool execute = false);
void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
- bool isHybrid = false);
+ bool isHybrid = false, bool removePkg = false);
void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
- const privileges_t &privileges, bool isHybrid = false);
-
+ const privileges_t &privileges, bool isHybrid = false,
+ bool removePkg = false);
std::string access_opposite(std::string &access);
void check_exact_smack_accesses(const std::string &subject,
const std::string &object,
check_app_after_install(appIds[1], pkgId, true);
// Package became hybrid properly,
// so app not included in updated version of package was uninstalled.
- check_app_after_uninstall(appIds[2], pkgId, false);
+ check_app_after_uninstall(appIds[2], pkgId);
}
for (const auto &appId : appIds) {
- check_app_after_uninstall(appId, pkgId, true);
+ check_app_after_uninstall(appId, pkgId, true, true);
+ }
+}
+
+RUNNER_TEST(security_manager_09d_uninstall_app_from_hybrid_package)
+{
+ const std::vector<std::string> appIds = {"sm_test_09d_app_id_0", "sm_test_09d_app_id_1", "sm_test_09d_app_id_2"};
+ const std::string pkgId = "sm_test_09d_pkg_id_0";
+ {
+ ScopedInstaller appsInstall(appIds, pkgId);
+
+ InstallRequest updateRequest;
+ updateRequest.setPkgId(pkgId);
+ for (unsigned int i = 0; i < appIds.size(); i++) {
+ if (i > 0) {
+ updateRequest.nextApp();
+ }
+ updateRequest.setAppId(appIds[i]);
+ }
+ updateRequest.setHybrid();
+ Api::update(updateRequest);
+
+ InstallRequest uninstRequest;
+ uninstRequest.setPkgId(pkgId);
+ uninstRequest.setAppId(appIds[0]);
+ Api::uninstall(uninstRequest);
+
+ check_app_after_uninstall(appIds[0], pkgId, true);
}
}