#include <sys/mman.h>
#include <sys/xattr.h>
#include <sys/smack.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/wait.h>
#include <privilege-control.h>
#include <fstream>
-
+#include <sstream>
#define SMACK_RULES_DIR "/etc/smack/accesses.d/"
#define SMACK_LOAD2 "/smack/load2"
#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
+const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
+const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
+const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
+const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
+
#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
-
#define APP_TEST_APP_1 "test-application1"
#define APP_TEST_APP_2 "test-application_2"
#define APP_TEST_APP_3 "test-app-3"
#define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
#define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
+#define SOCK_PATH "/tmp/test-smack-socket"
+
#define APP_GID 5000
#define APP_UID 5000
#define APP_USER_NAME "app"
#define APP_HOME_DIR "/opt/home/app"
+#define APP_FRIEND_1 "app_friend_1"
+#define APP_FRIEND_2 "app_friend_2"
+
// How many open file descriptors should ftw() function use?
#define FTW_MAX_FDS 16
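Review bot: `SOCK_PATH` is a fixed name in world-writable `/tmp`, and the socket test added later in this patch unlinks it, binds to it in one process and connects to it from another. Another local process can create or replace that path between those steps, so the bind may fail or the client may end up talking to a socket the test did not create. Since the test changes its own Smack label it presumably runs with elevated privileges, which makes the predictable path more of a concern. Prefer a socket inside a directory created for the run with `mkdtemp()` (mode 0700) and removed afterwards.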
{ "test_subject_7", APP_ID, "rwx" },
{ APP_ID, APPID_SHARED_DIR, "rwxat"}};
+// Rules from test_privilege_control_rules2.smack
+const std::vector< std::vector<std::string> > rules2 = {
+ { APP_ID, "test_book_8", "r" },
+ { APP_ID, "test_book_9", "w" },
+ { APP_ID, "test_book_10", "x" },
+ { APP_ID, "test_book_11", "rw" },
+ { APP_ID, "test_book_12", "rx" },
+ { APP_ID, "test_book_13", "wx" },
+ { APP_ID, "test_book_14", "rwx" },
+ { APP_ID, "test_book_15", "rwxat" },
+ { "test_subject_8", APP_ID, "r" },
+ { "test_subject_9", APP_ID, "w" },
+ { "test_subject_10", APP_ID, "x" },
+ { "test_subject_11", APP_ID, "rw" },
+ { "test_subject_12", APP_ID, "rx" },
+ { "test_subject_13", APP_ID, "wx" },
+ { "test_subject_14", APP_ID, "rwx" },
+ { "test_subject_15", APP_ID, "rwxat" }};
+
+// Rules from test_privilege_control_rules_no_r.smack
+const std::vector< std::vector<std::string> > rules2_no_r = {
+ { APP_ID, "test_book_9", "w" },
+ { APP_ID, "test_book_10", "x" },
+ { APP_ID, "test_book_11", "w" },
+ { APP_ID, "test_book_12", "x" },
+ { APP_ID, "test_book_13", "wx" },
+ { APP_ID, "test_book_14", "wx" },
+ { APP_ID, "test_book_15", "wxat" },
+ { "test_subject_9", APP_ID, "w" },
+ { "test_subject_10", APP_ID, "x" },
+ { "test_subject_11", APP_ID, "w" },
+ { "test_subject_12", APP_ID, "x" },
+ { "test_subject_13", APP_ID, "wx" },
+ { "test_subject_14", APP_ID, "wx" },
+ { "test_subject_15", APP_ID, "wxat" }};
+
+// Rules from test_privilege_control_rules.smack
+// minus test_privilege_control_rules_no_r.smack
+const std::vector< std::vector<std::string> > rules2_r = {
+ { APP_ID, "test_book_8", "r" },
+ { APP_ID, "test_book_11", "r" },
+ { APP_ID, "test_book_12", "r" },
+ { APP_ID, "test_book_14", "r" },
+ { APP_ID, "test_book_15", "r" },
+ { "test_subject_8", APP_ID, "r" },
+ { "test_subject_11", APP_ID, "r" },
+ { "test_subject_12", APP_ID, "r" },
+ { "test_subject_14", APP_ID, "r" },
+ { "test_subject_15", APP_ID, "r" }};
+
namespace {
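Review bot: The comments above `rules2_no_r` and `rules2_r` name `test_privilege_control_rules_no_r.smack` and `test_privilege_control_rules.smack`, while the permission lists added alongside them use `test_privilege_control_rules2_no_r` and `test_privilege_control_rules2`, so the comments appear to point at the wrong rule files (the `.smack` files themselves are not visible here). I would write `// Rules from test_privilege_control_rules2_no_r.smack` and, for `rules2_r`, `// rules2 minus rules2_no_r (the read accesses that remain)`. A one-line comment saying that these tables must be kept in step with the installed rule files would also help, since the tests compare loaded rules against them.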
{
int result = app_add_permissions(APP_ID, PRIVS);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- " Error adding app permissions. Errno: " << result);
+ " Error adding app permissions. Result: " << result);
// Check if the accesses are realy applied..
result = test_have_all_accesses(rules);
RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
{
int result;
- char* path = NULL;
- int fd;
// Revoke permissions
result = app_revoke_permissions(APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error revoking app permissions. Errno: " << result);
+ "Error revoking app permissions. Result: " << result);
// Are all the permissions revoked?
- result = test_have_all_accesses(rules);
+ result = test_have_any_accesses(rules);
RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
- fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
- RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions");
- RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions");
- free(path);
- close(fd);
+ //// File exists?
+ FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ if(pFile!=NULL){
+ fclose(pFile);
+ RUNNER_ASSERT_MSG(false,
+ "SMACK file exists after revoke!");
+ }
}
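Review bot: The new existence check `fopen(SMACK_RULES_DIR APP_ID, "rb")` in privilege_control06_revoke_permissions treats any open failure as proof that the rules file is gone, so a file that is still present but cannot be opened would let the test pass. Assert on the reason instead, for example `RUNNER_ASSERT_MSG(access(SMACK_RULES_DIR APP_ID, F_OK) == -1 && errno == ENOENT, "SMACK file exists after revoke!");`. The `pFile==NULL` check in the non-persistent part of privilege_control11_app_enable_permissions has the same weakness, and it never closes the stream when the file does exist.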
static void read_gids(std::set<unsigned> &set, const char* file_path)
RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path);
if (i == 1) {
- result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
- RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
+ result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
+ RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
}
if (i == 2) {
- smack_accesses_free(rules);
- result = smack_accesses_new(&rules);
- result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
- RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
+ smack_accesses_free(rules);
+ result = smack_accesses_new(&rules);
+ result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
+ RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
}
result = smack_accesses_apply(rules);
RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
cleaning_smack_database_files();
}
+/**
+ * Grant SMACK permissions based on permissions list.
+ */
+RUNNER_TEST(privilege_control11_app_enable_permissions)
+{
+ int result;
+ int smack_file_length;
+ FILE *pFile;
+
+/**
+ * Test - Enabling all permissions with persistant mode enabled
+ */
+
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file NOT created!. Errno: " << errno);
+
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length>0,
+ "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
+
+ if (pFile != NULL)
+ fclose(pFile);
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling all permissions with persistant mode disabled
+ */
+
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile==NULL,
+ "SMACK file created!.");
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling all permissions in two complementary files
+ */
+
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file NOT created!. Errno: " << errno);
+
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length>0,
+ "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
+
+ if (pFile != NULL)
+ fclose(pFile);
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling some permissions and then enabling complementary permissions
+ */
+
+ // Enable permission for rules 2 no r
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions without r. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file NOT created!. Errno: " << errno);
+
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length>0,
+ "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
+
+ if (pFile != NULL)
+ fclose(pFile);
+
+ // Enable permission for rules 2
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app all permissions. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions all not added.");
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+/**
+ * Test - Enabling some permissions and then enabling all permissions
+ */
+
+ // Enable permission for rules 2 no r
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions without r. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
+
+ //// File exists?
+ pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
+ RUNNER_ASSERT_MSG(pFile != NULL,
+ "SMACK file NOT created!. Errno: " << errno);
+
+ //// Is it empty?
+ fseek(pFile, 0L, SEEK_END);
+ smack_file_length = ftell(pFile);
+ RUNNER_ASSERT_MSG(smack_file_length>0,
+ "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
+
+ if (pFile != NULL)
+ fclose(pFile);
+
+ // Enable permission for rules 2
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions with only r. Result: " << result);
+
+ // Check if the accesses are realy applied..
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Permissions with only r not added.");
+
+ // Clean up
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+}
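Review bot: The "file exists / is it empty" sequence, repeated four times in this test, keeps `pFile` open across `RUNNER_ASSERT_MSG(smack_file_length>0, ...)`, so the stream is leaked if that assertion leaves the test, and the `if (pFile != NULL)` that follows can never be false after the preceding assertion. The `fseek`/`ftell` results are unchecked, `ftell`'s `long` is narrowed to `int`, and the `errno` printed in the "file empty" message is not set by anything on that path. A small helper that opens, measures and closes before any assertion removes both the duplication and the leak; the sketch below shows it with one call site.

```cpp
// Size of the rules file in bytes, or -1 if it cannot be opened or measured.
static long smack_rules_file_size(const char *path)
{
    FILE *file = fopen(path, "rb");
    if (file == NULL)
        return -1;
    long length = -1;
    if (fseek(file, 0L, SEEK_END) == 0)
        length = ftell(file);
    fclose(file); // closed before the caller asserts on the result
    return length;
}

// … unchanged: revoke, app_enable_permissions(..., PRIVS2, 1), test_have_all_accesses(rules2) …
    long rules_size = smack_rules_file_size(SMACK_RULES_DIR APP_ID);
    RUNNER_ASSERT_MSG(rules_size >= 0,
            "SMACK file NOT created!");
    RUNNER_ASSERT_MSG(rules_size > 0,
            "SMACK file empty, but privileges list was not empty.");
```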
+
+/**
+ * Remove previously granted SMACK permissions based on permissions list.
+ */
+RUNNER_TEST(privilege_control12_app_disable_permissions)
+{
+
+/**
+ * Test - disable all granted permissions.
+ */
+ int result;
+
+ // Prepare permissions that we want to disable
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ // Disable permissions
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+ // Are all the permissions disabled?
+ result = test_have_any_accesses(rules2);
+ RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
+
+/**
+ * Test - disable some granted permissions leaving non complementary and then disabling those too.
+ */
+
+ // Prepare permissions that will not be disabled
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app first permissions. Result: " << result);
+
+ // Prepare permissions that we want to disable
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app second permissions. Result: " << result);
+
+ // Disable second permissions
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app second permissions. Result: " << result);
+
+ // Are all second permissions disabled?
+ result = test_have_any_accesses(rules2);
+ RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
+
+ // Are all first permissions not disabled?
+ result = test_have_all_accesses(rules);
+ RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
+
+ // Disable first permissions
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app first permissions. Result: " << result);
+
+ // Are all second permissions disabled?
+ result = test_have_any_accesses(rules);
+ RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
+
+/**
+ * Test - disable only no r granted permissions.
+ */
+
+ // Prepare permissions
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app permissions. Result: " << result);
+
+ // Disable same permissions without r
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app no r permissions. Result: " << result);
+
+ // Is any r permissions disabled?
+ result = test_have_all_accesses(rules2_r);
+ RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
+ // Are all no r permissions disabled?
+ result = test_have_any_accesses(rules2_no_r);
+ RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
+
+ // Prepare permissions
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app no r permissions. Result: " << result);
+
+ // Disable all permissions
+ result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+}
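Review bot: Several assertion messages and comments in the second scenario name the opposite permission set from the one being checked: the check on `rules2` (the second set) reports "Not all first permisions disabled.", the check on `rules` (the first set) reports "Some of second permissions disabled.", and the final check on `rules` is commented and reported as "second". A failure would send the reader to the wrong privilege; swap the wording, e.g. `RUNNER_ASSERT_MSG(result!=1, "Not all second permissions disabled.");` after `test_have_any_accesses(rules2)` and `"Some of first permissions disabled."` after `test_have_all_accesses(rules)`. The last scenario also ends at `app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2)` without checking the resulting accesses, so it verifies only the return code.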
+
+/**
+ * Reset SMACK permissions for an application by revoking all previously
+ * granted rules and enabling them again from a rules file from disk.
+ */
+
+RUNNER_TEST(privilege_control13_app_reset_permissions)
+{
+
+ int result;
+
+/**
+ * Test - doing reset and checking if rules exist again.
+ */
+
+ // Prepare permissions to reset
+ result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app permissions. Result: " << result);
+
+ // Reset permissions
+ result = app_reset_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error reseting app permissions. Result: " << result);
+
+ // Are all second permissions not disabled?
+ result = test_have_all_accesses(rules2);
+ RUNNER_ASSERT_MSG(result==1, "Not all permissions added.");
+
+ // Disable permissions
+ result = app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+
+}
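Review bot: This test cannot distinguish a working `app_reset_permissions` from a no-op, because the rules in `rules2` are enabled immediately before the reset and the only check afterwards is that they are still present. To exercise the "revoke and enable again from disk" behaviour described in the header comment, the loaded rules should be changed between the enable and the reset (some removed, or extra ones added), and the test should then assert that the reset restored exactly the persisted set. The comment `// Are all second permissions not disabled?` is left over from another test; something like `// Are all persisted permissions back in place?` matches what is checked.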
+
+/**
+ * Make two applications "friends", by giving them both full permissions on
+ * each other.
+ */
+RUNNER_TEST(privilege_control14_app_add_friend)
+{
+ int result;
+
+/**
+ * Test - making friends with no permissions on each other
+ */
+
+ result = app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ app_uninstall(APP_FRIEND_1);
+ app_uninstall(APP_FRIEND_2);
+
+ // Installing friends to be
+ result = app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing first app. Result: " << result);
+ result = app_install(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing second app. Result: " << result);
+
+ // Making friends
+ result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error making friends. Errno: " << result);
+
+ // Checking if friends were made
+ result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error first one sided friednship failed. Result: " << result);
+ result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error second one sided friednship failed. Result: " << result);
+
+ // Clean up
+ result = app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ app_uninstall(APP_FRIEND_1);
+ app_uninstall(APP_FRIEND_2);
+
+/**
+ * Test - making friends with nonexisting friend
+ */
+
+ // Installing one friend
+ result = app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing first app. Errno: " << result);
+
+ // Adding imaginairy friend as second
+ result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
+ " Error making friends (first) with imaginairy friend succeeded. Result: "
+ << result);
+ // Adding imaginairy friend as first
+ result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
+ " Error making friends (second) with imaginairy friend succeeded. Result: "
+ << result);
+ // Clean up
+ result = app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ app_uninstall(APP_FRIEND_1);
+ app_uninstall(APP_FRIEND_2);
+
+/**
+ * Test - making friends with some permissions already added
+ */
+ unsigned int i;
+ unsigned int j;
+
+ struct smack_accesses * rulesFriend = NULL;
+
+ std::vector<std::string> accessesFriend =
+ { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
+
+ // Installing friends to be
+ result = app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing first app. Result: " << result);
+ result = app_install(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error installing second app. Result: " << result);
+
+ for(i = 0; i<accessesFriend.size(); ++i)
+ {
+ for(j = 0; j<accessesFriend.size(); ++j)
+ {
+
+ // Adding rules before making friends
+ result = smack_accesses_new(&rulesFriend);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in smack_accesses_new. Result: " << result);
+
+ result = smack_accesses_add(rulesFriend,
+ APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to add modify rulesFirend (first). Result: " << result);
+ result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
+ APP_FRIEND_1, accessesFriend[j].c_str());
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to add modify rulesFirend (second). Result: " << result);
+
+ result = smack_accesses_apply(rulesFriend);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in smack_accesses_apply. Result: " << result);
+
+ // Adding friends
+ result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error making friends. Result: " << result);
+
+ // Checking if friends were made
+ result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error first one sided friednship failed. Result: " << result);
+ result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error second one sided friednship failed. Result: " << result);
+
+ // Deleting all rules between friends
+ smack_accesses_add_modify(rulesFriend,
+ APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
+ smack_accesses_add_modify(rulesFriend,
+ APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
+
+ result = smack_accesses_apply(rulesFriend);
+
+ smack_accesses_free(rulesFriend);
+ rulesFriend = NULL;
+ }
+
+ }
+
+ // Clean up
+ result = app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ app_uninstall(APP_FRIEND_1);
+ app_uninstall(APP_FRIEND_2);
+}
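Review bot: In the nested loop of the third scenario the clean-up between iterations is unchecked: both `smack_accesses_add_modify` calls and the following `smack_accesses_apply` ignore their results, so if the removal fails the full-access rules from one iteration are still loaded in the next and the `smack_have_access(..., "wrxat")` checks pass without `app_add_friend` having done anything. Assert on them, e.g. `RUNNER_ASSERT_MSG(result == 0, "Error removing rules between friends. Result: " << result);` after the apply. The libsmack calls `smack_accesses_new` and `smack_accesses_apply` are also compared with `PC_OPERATION_SUCCESS`, which the rest of the file uses for libprivilege-control results, while the neighbouring `smack_accesses_add` checks compare with `0`; using `0` throughout avoids relying on the two values coinciding. `rulesFriend` is not freed if an assertion inside the loop leaves the test.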
+
+static void smack_set_random_label_based_on_pid_on_self(void)
+{
+ int result;
+ std::stringstream ss;
+
+ ss << "s-" << getpid() << "-" << getppid();
+ result = smack_set_label_for_self(ss.str().c_str());
+ RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
+ << ss.str().c_str() << ") failed");
+}
+
+static void smack_unix_sock_server(int sock)
+{
+ int fd, result;
+ char* smack_label;
+
+ alarm(2);
+ fd = accept(sock, NULL, NULL);
+ alarm(0);
+ if (fd < 0)
+ return;
+ result = smack_new_label_from_self(&smack_label);
+ if(result != 0){
+ close(fd);
+ close(sock);
+ free(smack_label);
+ RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
+ }
+ result = write(fd, smack_label, strlen(smack_label));
+ if(result != strlen(smack_label)){
+ close(fd);
+ close(sock);
+ free(smack_label);
+ RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
+ }
+ close(fd);
+ free(smack_label);
+}
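Review bot: `smack_label` is declared without an initializer, and the failure branch after `smack_new_label_from_self(&smack_label)` calls `free(smack_label)`; unless that function always stores to the pointer on failure, this frees an indeterminate pointer. Declare it as `char* smack_label = NULL;`. The comparison `result != strlen(smack_label)` mixes `int` with `size_t` and stores `write()`'s `ssize_t` in an `int`; `ssize_t written = write(fd, smack_label, strlen(smack_label));` with an explicit cast in the comparison is cleaner. An `accept()` failure returns silently, so a timed-out or failed accept is never reported from the server side.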
+
+RUNNER_TEST(privilege_control15_app_id_from_socket)
+{
+ int pid;
+ struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+
+ unlink(SOCK_PATH);
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
+
+ smack_set_random_label_based_on_pid_on_self();
+
+ if (!pid) { /* child process, server */
+ int sock, result;
+
+ /* Set the process label before creating a socket */
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
+ result = bind(sock,
+ (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
+ if(result != 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
+ }
+ result = listen(sock, 1);
+ if(result != 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
+ }
+ smack_unix_sock_server(sock);
+
+ /* Change the process label with listening socket */
+ smack_unix_sock_server(sock);
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
+ /* Now running two concurrent servers.
+ Test if socket label was unaffected by fork() */
+ smack_unix_sock_server(sock);
+ /* Let's give the two servers different labels */
+ smack_unix_sock_server(sock);
+ close(sock);
+ waitpid(pid, NULL, 0);
+ exit(0);
+ } else { /* parent process, client */
+ sleep(1); /* Give server some time to setup listening socket */
+ int i;
+ for (i = 0; i < 4; ++i) {
+ int sock;
+ int result;
+ char smack_label1[SMACK_LABEL_LEN + 1];
+ char* smack_label2;
+
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0,
+ "socket failed: " << strerror(errno));
+ result = connect(sock,
+ (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
+ if(result != 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
+ }
+
+ alarm(2);
+ result = read(sock, smack_label1, SMACK_LABEL_LEN);
+ alarm(0);
+ if(result < 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
+ }
+ smack_label1[result] = '\0';
+ smack_label2 = app_id_from_socket(sock);
+ if(smack_label2 == NULL){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "app_id_from_socket failed");
+ }
+ result = strcmp(smack_label1, smack_label2);
+ if(result != 0){
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
+ << "' != '" << smack_label2 << "-" << random() << "'");
+ }
+ close(sock);
+ }
+ waitpid(pid, NULL, 0);
+ }
+}
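Review bot: The server branch does not do what its comments say: between the four `smack_unix_sock_server(sock)` calls there is no label change, although the comments announce "Change the process label with listening socket" and "Let's give the two servers different labels", so every client iteration compares the same label and the relabel cases go untested. After the second `fork()` both processes call the server function twice, giving six `accept()` calls for the client's four connections; the surplus ones rely on `alarm(2)`, and no SIGALRM handler is visible here, so those processes would presumably be terminated by the signal rather than reach `exit(0)`. In the client, the string returned by `app_id_from_socket(sock)` is never freed (to be confirmed that the caller owns it), and the mismatch message appends `random()` to the second label, which makes the report misleading. Either add the relabel steps or drop the comments, and match the number of accepts to the number of connections.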