/*
* @file test_cases.cpp
* @author Jan Olszak (j.olszak@samsung.com)
+ * @author Rafal Krypa (r.krypa@samsung.com)
* @version 1.0
* @brief libprivilege-control test runer
*/
#include <stdio.h>
#include <vector>
#include <errno.h>
+#include <ftw.h>
#include <dpl/test/test_runner.h>
#include <dpl/log/log.h>
#include <sys/types.h>
#define SMACK_RULES_DIR "/etc/smack/accesses.d/"
-#define TEST_DIR_TREE "/etc/smack/test_privilege_control_DIR"
+#define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
+#define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
#define APPID_ADD "test_APP_ID_add"
#define APPID_REVOKE "test_APP_ID_revoke"
#define APPID_DIR "test_APP_ID_dir"
+#define APPID_SHARED_DIR "test_APP_ID_shared_dir"
+#define CANARY_LABEL "tiny_yellow_canary"
#define APP_SET_PRIV "test_APP"
#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
#define APP_USER_NAME "app"
#define APP_HOME_DIR "/opt/home/app"
+// How many open file descriptors should ftw() function use?
+#define FTW_MAX_FDS 16
// Rules from test_privilege_control_rules.smack
const std::vector< std::vector<std::string> > rulesAdd = {
{ "test_subject_4", APPID_ADD, "rw" },
{ "test_subject_5", APPID_ADD, "rx" },
{ "test_subject_6", APPID_ADD, "wx" },
- { "test_subject_7", APPID_ADD, "rwx" }};
+ { "test_subject_7", APPID_ADD, "rwx" },
+ { APPID_ADD, APPID_SHARED_DIR, "rwxat"}};
// Rules from test_privilege_control_rules.smack
{ "test_subject_6", APPID_REVOKE, "wx" },
{ "test_subject_7", APPID_REVOKE, "rwx" }};
-// Files added in spec file
-const std::vector<std::string> paths = {
- "/etc/smack/test_privilege_control_DIR",
- "/etc/smack/test_privilege_control_DIR/test_file",
- "/etc/smack/test_privilege_control_DIR/A",
- "/etc/smack/test_privilege_control_DIR/A/test_file",
- "/etc/smack/test_privilege_control_DIR/A/.test_file",
- "/etc/smack/test_privilege_control_DIR/A/B/test_file" };
-
/**
* Check if every rule is true.
* @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
+static int nftw_remove_labels(const char *fpath, const struct stat *sb,
+ int typeflag, struct FTW *ftwbuf)
+{
+ smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
+ smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
+ smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
+
+ return 0;
+}
+
+static int nftw_set_labels_non_app_dir(const char *fpath, const struct stat *sb,
+ int typeflag, struct FTW *ftwbuf)
+{
+ smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
+ smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
+ smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
+
+ return 0;
+}
+
+static int nftw_check_labels_non_app_dir(const char *fpath, const struct stat *sb,
+ int typeflag, struct FTW *ftwbuf)
+{
+ int result;
+ char* label;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ result = strcmp(CANARY_LABEL, label);
+ RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ result = strcmp(CANARY_LABEL, label);
+ RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+
+ return 0;
+}
+
+static int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
+ int typeflag, struct FTW *ftwbuf)
+{
+ int result;
+ char* label;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(APPID_DIR, label);
+ RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
+ RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
+ result = strcmp(APPID_DIR, label);
+ RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
+ } else
+ RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+
+ return 0;
+}
+
+static int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
+ int typeflag, struct FTW *ftwbuf)
+{
+ int result;
+ char* label;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(APPID_SHARED_DIR, label);
+ RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ if (S_ISDIR(sb->st_mode)) {
+ RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
+ result = strcmp("TRUE", label);
+ RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
+ } else
+ RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+
+ return 0;
+}
+
+/**
+ * Test setting labels for all files and folders in given path.
+ */
+RUNNER_TEST(privilege_control01_app_label_dir)
+{
+ int result;
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ result = app_label_dir(APPID_DIR, TEST_APP_DIR);
+ RUNNER_ASSERT_MSG(result == 0, "app_label_dir() failed");
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
+}
+
+RUNNER_TEST(privilege_control02_app_label_shared_dir)
+{
+ int result;
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ result = app_label_shared_dir(APPID_ADD, APPID_SHARED_DIR, TEST_APP_DIR);
+ RUNNER_ASSERT_MSG(result == 0, "app_label_shared_dir() failed");
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
+}
+
+
/**
* Add permisions from test_privilege_control_rules template
*/
-RUNNER_TEST(privilege_control_add_permissions)
+RUNNER_TEST(privilege_control03_add_permissions)
{
char* path;
}
-/**
- * Test setting labels for all files and folders in given path.
- */
-RUNNER_TEST(privilege_control_dir_add)
-{
- int result = app_label_dir(APPID_DIR, TEST_DIR_TREE);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Setting privileges for /etc/smack/test_privilege_control_DIR. Errno: " << result);
-
- // Check if labels are realy set.
- for(int i=0; i<paths.size(); ++i){
- char* label;
- result = smack_getlabel(paths[i].c_str(), &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
- result = strcmp(APPID_DIR, label);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Label NOT set");
- free(label);
- }
-}
/**
* Revoke permissions from the list. Should be executed as privileged user.
*/
-RUNNER_TEST(privilege_control_revoke_permissions)
+RUNNER_TEST(privilege_control04_revoke_permissions)
{
int result;
/**
* Set APP privileges.
*/
-RUNNER_TEST(privilege_control_set_app_privilege)
+RUNNER_TEST(privilege_control05_set_app_privilege)
{
int result;
char* labelApp = "test_pc_label";
projects / platform / core / test / security-tests.git / commitdiff