namespace {
typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
+void closefdptr(int* fd) { close(*fd); }
+typedef std::unique_ptr<int, std::function<void (int*)> > FDUniquePtr;
+
const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
const char *WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack";
const char *OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack";
RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
}
-RUNNER_TEST_SMACK(privilege_control24a_test_whether_macro_works_smack)
-{
- RUNNER_IGNORED_MSG("STUB: I should be called on SMACK environment only.");
-}
-
-RUNNER_TEST_NOSMACK(privilege_control24b_test_whether_macro_works_nosmack)
-{
- RUNNER_IGNORED_MSG("STUB: I should be called on NOSMACK environment only.");
-}
-
-RUNNER_CHILD_TEST_SMACK(privilege_control24c_test_whether_macro_works_child_smack)
-{
- //Until a fix for RUNNER_IGNORED_MSG comes up to wrt-commons, this must be commented out.
- //RUNNER_IGNORED_MSG("STUB: I should be called on SMACK environment only.");
-}
-RUNNER_CHILD_TEST_NOSMACK(privilege_control24d_test_whether_macro_works_child_nosmack)
-{
- //Until a fix for RUNNER_IGNORED_MSG comes up to wrt-commons, this must be commented out.
- //RUNNER_IGNORED_MSG("STUB: I should be called on NOSMACK environment only.");
-}
//////////////////////////////////////////////////////
//TEST FOR INCORRECT PARAMS CHECK IN LIBPRIVILEGE APIS
//////////////////////////////////////////////////////
RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_INCORRECT, aquired_smack_label) == PC_ERR_INVALID_PARAM, "get_smack_label_from_process didn't check for correct pid.");
}
-RUNNER_TEST(privilege_control21b_incorrect_params_smack_pid_have_access)
+RUNNER_TEST_SMACK(privilege_control21b_incorrect_params_smack_pid_have_access)
{
RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "some_object", NULL) == -1, "smack_pid_have_access didn't check if access_type isn't NULL.");
RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, NULL, "rw") == -1, "smack_pid_have_access didn't check if object isn't NULL.");
RUNNER_ASSERT_MSG(perm_app_disable_permissions(NULL, APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't NULL.");
RUNNER_ASSERT_MSG(perm_app_disable_permissions("", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't empty.");
}
+
+
+/////////////////////////////////////////
+//////NOSMACK ENVIRONMENT TESTS//////////
+/////////////////////////////////////////
+
+/**
+ * NOSMACK version of nftw_check_labels_app_shared_dir function.
+ *
+ * This function used with nftw should expect -1 result from smack_have_access instead of 1.
+ */
+int nftw_check_labels_app_shared_dir_nosmack(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ int result;
+ char* label;
+
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
+ RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
+
+ result = strcmp(APPID_SHARED_DIR, label);
+ RUNNER_ASSERT_MSG(result == 0,
+ "ACCESS label on " << fpath << " is incorrect. Result: " << result);
+
+ //The only exception in nftw_check_labels_app_shared_dir
+ //smack_have_access returns -1 because of no SMACK.
+ result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
+ RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
+
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
+ if (S_ISDIR(sb->st_mode)) {
+ RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
+ result = strcmp("TRUE", label);
+ RUNNER_ASSERT_MSG(result == 0,
+ "TRANSMUTE label on " << fpath << " is not set. Result: " << result);
+ } else
+ RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+
+ return 0;
+}
+
+/**
+ * NOSMACK version of privilege_control03 test.
+ *
+ * Uses nosmack version of nftw_check_labels_app_shared_dir (defined above).
+ */
+RUNNER_TEST_NOSMACK(privilege_control03_app_label_shared_dir_nosmack)
+{
+ int result;
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
+ RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
+ "perm_app_setup_path should fail here. Result: " << result);
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_setup_path() failed. Result: " << result);
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir_nosmack, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Unable to check Smack labels for shared app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Unable to check Smack labels for non-app dir");
+}
+
+/**
+ * NOSMACK version of test_have_accesses functions.
+ *
+ * This will be used in many tests. Checks if for every rule smack_have_access returns error.
+ * If for any of rules smack_have_access will return something different than error, this result
+ * is being returned to caller.
+ */
+int test_have_nosmack_accesses(const std::vector< std::vector<std::string> > &rules)
+{
+ int result;
+ for (uint i = 0; i < rules.size(); ++i) {
+ result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
+ if (result != -1)
+ return result;
+ }
+ return -1;
+}
+
+/**
+ * NOSMACK version of privilege_control04 test.
+ *
+ * Tries to add permisions from test_privilege_control_rules template and checks if
+ * smack_have_access returns -1 on check between every rule.
+ */
+RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack)
+{
+ //Add permissions
+ auto result = app_add_permissions(APP_ID, PRIVS);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error adding app permissions. Result: " << result);
+
+ //Check if smack_have_access always fails on every rule
+ result = test_have_nosmack_accesses(rules);
+ RUNNER_ASSERT_MSG(result == -1,
+ "Despite SMACK being off some accesses were added. Result: " << result);
+
+ //Does file exist?
+ std::fstream fs(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
+ RUNNER_ASSERT_MSG(fs.good(), "SMACK file NOT created!. Errno: " << strerror(errno));
+
+ fs.seekg(0, std::ifstream::end);
+ RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty, but privileges list was not empty.");
+}
+
+/**
+ * NOSMACK version of privilege_control05_add_shared_dir_readers test.
+ *
+ * This test is very similar to it's SMACK version - only difference is different result expected
+ * from smack_have_access.
+ */
+RUNNER_TEST_NOSMACK(privilege_control05_add_shared_dir_readers_nosmack)
+{
+#define TEST_OBJ "TEST_OBJECT"
+#define TEST_OBJ_SOME_OTHER "TEST_OBJA"
+#define test_string_01 "TEST_raz TEST_OBJECT r-x--- ------"
+#define test_string_21 "TEST_trzy TEST_OBJA -wx---"
+#define test_string_22 "TEST_trzy TEST_OBJECT r-x--- ------"
+
+ int result;
+ int i;
+ int fd = -1;
+ char* path_ref;
+
+ const char* app_labels_wrong[] = {"-TEST_raz", NULL};
+ const char* app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
+ const int READ_BUF_SIZE = 1000;
+ char buf[READ_BUF_SIZE];
+ smack_accesses* tmp = NULL;
+
+ //test environment cleaning
+ cleaning_smack_app_files();
+ cleaning_smack_database_files();
+
+ //test what happens when the label is not correct SMACK label
+ result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong);
+ RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM,
+ "add_shared_dir_readers should fail here. Result: " << result);
+
+ result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx");
+ RUNNER_ASSERT_MSG(result != 1,
+ "add_shared_dir_readers should not grant permission here. Result: " << result);
+
+ //install new apps
+ result = smack_accesses_new(&tmp);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in smack_accesses_new. Result: " << result);
+
+ //Wrap rules and fd into unique_ptrs for garbage collection
+ SmackUniquePtr rules(tmp, smack_accesses_free);
+ FDUniquePtr fd_ptr(&fd, closefdptr);
+
+ std::stringstream path;
+ for (i = 0; i < 3; i++) {
+ result = perm_app_revoke_permissions(app_labels[i]);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_revoke_permissions. Result: " << result);
+ result = perm_app_uninstall(app_labels[i]);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_install. Result: " << result);
+ result = perm_app_install(app_labels[i]);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_install. Result: " << result);
+
+ path << SMACK_RULES_DIR << app_labels[i];
+
+ fd = open(path.str().c_str(), O_WRONLY, 0644);
+ RUNNER_ASSERT_MSG(fd != -1, "Error in opening file");
+
+ if (i == 1) {
+ result = smack_accesses_add(rules.get(), app_labels[i], TEST_OBJ, "wt");
+ RUNNER_ASSERT_MSG(result == 0,
+ "smack_accesses_add failed. Result: " << result);
+ }
+
+ if (i == 2) {
+ result = smack_accesses_new(&tmp);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Failed to allocate memory for rules.");
+
+ rules.reset(tmp);
+
+ result = smack_accesses_add(rules.get(), app_labels[i],
+ TEST_OBJ_SOME_OTHER, "wx");
+ RUNNER_ASSERT_MSG(result == 0,
+ "smack_accesses_add failed. Result: " << result);
+ }
+
+ result = smack_accesses_apply(rules.get());
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_accesses_apply should fail (SMACK is off). Result: " << result);
+
+ result = smack_accesses_save(rules.get(), fd);
+ RUNNER_ASSERT_MSG(result == 0,
+ "smack_accesses_save failed. Result: " << result);
+
+ //cleanup
+ path.str(std::string());
+ }
+
+ //Use add_shared_dir_readers and check if smack_have_access still fails
+ result = add_shared_dir_readers(TEST_OBJ,app_labels);
+ RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed. Result: " << result);
+
+ result = smack_have_access(app_labels[0],TEST_OBJ,"rx");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+
+ result = smack_have_access(app_labels[1],TEST_OBJ,"rx");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+
+ result = smack_have_access(app_labels[2],TEST_OBJ,"rx");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+
+ result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+
+ result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+
+ //Test if files are properly formatted
+ path << SMACK_RULES_DIR << app_labels[0];
+ RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno));
+
+ std::fstream fs(path.str().c_str(), std::ios_base::in);
+ RUNNER_ASSERT_MSG(fs.good(), "Opening file stream failed. Error: " << strerror(errno));
+
+ fs.get(buf, READ_BUF_SIZE);
+ result = strcmp(buf, test_string_01);
+ RUNNER_ASSERT_MSG(result == 0,
+ "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() <<
+ ". Result: " << result);
+
+ //Clean up before another test
+ path.str(std::string());
+ fs.close();
+
+ path << SMACK_RULES_DIR << app_labels[2];
+ RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno));
+
+ fs.open(path.str().c_str(), std::ios_base::in);
+ RUNNER_ASSERT_MSG(fs.good(), "fopen failed, errno:" << strerror(errno));
+
+ fs.getline(buf, READ_BUF_SIZE);
+ result = strcmp(buf, test_string_21);
+ RUNNER_ASSERT_MSG( result == 0,
+ "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str()
+ << ". Result: " << result);
+
+ fs.getline(buf, READ_BUF_SIZE);
+ result = strcmp(buf, test_string_22);
+ RUNNER_ASSERT_MSG( result == 0,
+ "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str()
+ << ". Result: " << result);
+}
+
+/**
+ * NOSMACK version of privilege_control05_set_app_privilege test.
+ *
+ * Another very similar test to it's SMACK version, this time smack_new_label_from_self is
+ * expected to return different result.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack)
+{
+ int result;
+
+ //Preset exec label
+ smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
+ smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
+
+ //Set app privileges
+ result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_set_privilege. Result: " << result);
+
+ //Even though app privileges are set, no smack label should be extracted.
+ char* label = NULL;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == -1,
+ "new_label_from_self should return error (SMACK is off). Result: " << result);
+ RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
+
+ //Check if DAC privileges really set
+ RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
+ RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
+
+ result = strcmp(getenv("HOME"), APP_HOME_DIR);
+ RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR. Result: " << result);
+
+ result = strcmp(getenv("USER"), APP_USER_NAME);
+ RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME. Result: " << result);
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
+}
+
+/**
+ * NOSMACK version of privilege_control05_set_app_privilege_wgt test.
+ *
+ * Same as the above, plus uses test_have_nosmack_accesses instead of test_have_all_accesses.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_nosmack)
+{
+ int result;
+
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_nosmack_accesses(rules_wgt);
+ RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
+
+ result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_set_privilege. Result: " << result);
+
+ //Even though app privileges are set, no smack label should be extracted.
+ char* label = NULL;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == -1,
+ "new_label_from_self should return error (SMACK is off). Result: " << result);
+ RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+}
+
+/**
+ * NOSMACK version of privilege_control05_set_app_privilege_wgt_partner test.
+ *
+ * Same as the above.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_partner_nosmack)
+{
+ int result;
+
+ result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_nosmack_accesses(rules_wgt_partner);
+ RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
+
+ result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_set_privilege. Result: " << result);
+
+ //Even though app privileges are set, no smack label should be extracted.
+ char* label = NULL;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == -1,
+ "new_label_from_self should return error (SMACK is off). Result: " << result);
+ RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+}
+
+/**
+ * NOSMACK version of privilege_control05_set_app_privilege_wgt_platform test.
+ *
+ * Same as the above.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_platform_nosmack)
+{
+ int result;
+
+ result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_nosmack_accesses(rules_wgt_platform);
+ RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
+
+ result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_set_privilege. Result: " << result);
+
+ //Even though app privileges are set, no smack label should be extracted.
+ char* label = NULL;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == -1,
+ "new_label_from_self should return error (SMACK is off). Result: " << result);
+ RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+}
+
+/**
+ * NOSMACK version of privilege_control05_set_app_privilege_osp test.
+ *
+ * Same as the above.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_nosmack)
+{
+ int result;
+
+ result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_nosmack_accesses(rules_osp);
+ RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
+
+ result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_set_privilege. Result: " << result);
+
+ //Even though app privileges are set, no smack label should be extracted.
+ char* label = NULL;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == -1,
+ "new_label_from_self should return error (SMACK is off). Result: " << result);
+ RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
+}
+
+/**
+ * NOSMACK version of privilege_control05_set_app_privilege_osp_partner test.
+ *
+ * Same as the above.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_partner_nosmack)
+{
+ int result;
+
+ result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error enabling app permissions. Result: " << result);
+
+ result = test_have_nosmack_accesses(rules_osp_partner);
+ RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added.");
+
+ result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_set_privilege. Result: " << result);
+
+ //Even though app privileges are set, no smack label should be extracted.
+ char* label = NULL;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == -1,
+ "new_label_from_self should return error (SMACK is off). Result: " << result);
+ RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
+}
+
+/**
+ * NOSMACK version of privilege_control05_set_app_privilege_osp_platform test.
+ *
+ * Same as the above.
+ */
+RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nosmack)
+{
+ int result;
+
+ result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_nosmack_accesses(rules_osp_platform);
+ RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
+
+ result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error in perm_app_set_privilege. Result: " << result);
+
+ //Even though app privileges are set, no smack label should be extracted.
+ char* label = NULL;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == -1,
+ "new_label_from_self should return error (SMACK is off). Result: " << result);
+ RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label.");
+
+ check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
+}
+
+/**
+ * NOSMACK version of checkOnlyAvAccess function.
+ *
+ * Expects error instead of access granted/forbidden from smack_have_access.
+ */
+void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment)
+{
+ int result;
+ result = smack_have_access(av_id, app_id, "rwx");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+ result = smack_have_access(av_id, app_id, "a");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+ result = smack_have_access(av_id, app_id, "t");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+}
+
+/*
+ * NOSMACK version of privilege_control10_app_register_av test.
+ *
+ * Uses NOSMACK version of checkOnlyAvAccess (mentioned above), rest of the test is identical to
+ * it's SMACK version.
+ */
+RUNNER_TEST_NOSMACK(privilege_control10_app_register_av_nosmack)
+{
+ int result;
+
+ // cleaning
+ smack_revoke_subject(APP_TEST_AV_1);
+ smack_revoke_subject(APP_TEST_AV_2);
+
+ cleaning_smack_app_files();
+ cleaning_smack_database_files();
+
+ // Adding two apps before antivir
+ result = perm_app_install(APP_TEST_APP_1);
+ RUNNER_ASSERT_MSG(result == 0,
+ "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ result = perm_app_install(APP_TEST_APP_2);
+ RUNNER_ASSERT_MSG(result == 0,
+ "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ // Adding antivir
+ result = app_register_av(APP_TEST_AV_1);
+ RUNNER_ASSERT_MSG(result == 0,
+ "app_register_av returned " << result << ". Errno: " << strerror(errno));
+
+ // Checking added apps accesses
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
+
+ // Adding third app
+ result = perm_app_install(APP_TEST_APP_3);
+ RUNNER_ASSERT_MSG(result == 0,
+ "perm_app_install returned " << result << ". Errno: " << strerror(errno));
+
+ // Checking app accesses
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
+
+ // Adding second antivir
+ result = app_register_av(APP_TEST_AV_2);
+ RUNNER_ASSERT_MSG(result == 0,
+ "app_register_av returned " << result << ". Errno: " << strerror(errno));
+
+ // Checking app accesses
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
+ checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
+
+ // cleaning
+ smack_revoke_subject(APP_TEST_AV_1);
+ smack_revoke_subject(APP_TEST_AV_2);
+
+ cleaning_smack_app_files();
+ cleaning_smack_database_files();
+}
+
+/**
+ * NOSMACK version of privilege_control11_app_enable_permissions test.
+ *
+ * Since the original test did the same thing around five times, there is no need to redo the
+ * same test for perm_app_enable_permissions. perm_app_enable_permissions will be called once,
+ * test_have_nosmack_accesses will check if smack_have_access still returns error and then
+ * we will check if SMACK file was correctly created.
+ */
+RUNNER_TEST_NOSMACK(privilege_control11_app_enable_permissions_nosmack)
+{
+ int result;
+ int smack_file_length;
+ std::fstream fs;
+
+ result = perm_app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error enabling app permissions. Result: " << result);
+
+ //Check if accesses aren't added
+ result = test_have_nosmack_accesses(rules2);
+ RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result);
+
+ //File exists?
+ fs.open(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary);
+ RUNNER_ASSERT_MSG(fs.good(), "Couldn't open SMACK file.");
+
+ //Is it empty?
+ fs.seekg(0, std::ifstream::end);
+ RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty with persistant mode 1.");
+
+ //Clean up
+ result = perm_app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+}
+
+/**
+ * NOSMACK version of privilege_control13 test.
+ *
+ * Uses perm_app_reset_permissions and checks with test_have_nosmack_accesses if nothing has
+ * changed.
+ */
+RUNNER_TEST_NOSMACK(privilege_control13_app_reset_permissions_nosmack)
+{
+ int result;
+
+ // Prepare permissions to reset
+ result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error adding app permissions. Result: " << result);
+
+ // Reset permissions
+ result = perm_app_reset_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error reseting app permissions. Result: " << result);
+
+ result = test_have_nosmack_accesses(rules2);
+ RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be changed. Result: " << result);
+
+ // Disable permissions
+ result = perm_app_revoke_permissions(APP_ID);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error disabling app permissions. Result: " << result);
+}
+
+/**
+ * NOSMACK version of privilege_control14 test.
+ *
+ * Similarily as app_enable_permissions test. This time perm_app_add_friend is called twice, once
+ * when both friends exist, and then when one of them doesn't exist. Other tests are not required -
+ * results would be the same as earlier.
+ */
+RUNNER_TEST_NOSMACK(privilege_control14_app_add_friend_nosmack)
+{
+ int result;
+
+ result = perm_app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = perm_app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ perm_app_uninstall(APP_FRIEND_1);
+ perm_app_uninstall(APP_FRIEND_2);
+
+ //Regular test.
+
+ //Installing friends to be
+ result = perm_app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error installing first app. Result: " << result);
+ result = perm_app_install(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error installing second app. Result: " << result);
+
+ //Making friends
+ result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error during friend making. Result: " << result);
+
+ //Same as previous tests, smack_have_access should error.
+ result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+ result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+
+ //Clean up
+ result = perm_app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = perm_app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ perm_app_uninstall(APP_FRIEND_1);
+ perm_app_uninstall(APP_FRIEND_2);
+
+
+ //Befriending with imaginary friend.
+
+ //Installing one friend
+ result = perm_app_install(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error installing first app. Result: " << result);
+
+ //Adding imaginairy friend as second
+ result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error making friends (first) with imaginairy friend failed. Result: " << result);
+ //Adding imaginairy friend as first
+ result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error making friends (second) with imaginairy friend failed. Result: " << result);
+
+ //Same as previous tests, smack_have_access should error.
+ result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+ result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+
+ //Clean up
+ result = perm_app_revoke_permissions(APP_FRIEND_1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = perm_app_revoke_permissions(APP_FRIEND_2);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
+ perm_app_uninstall(APP_FRIEND_1);
+ perm_app_uninstall(APP_FRIEND_2);
+}
+
+/**
+ * NOSMACK version of privilege_control15_app_id_from_socket.
+ *
+ * SMACK version of this test case utilised smack_new_label_from_self and smack_set_label_for_self.
+ * Those functions rely on /proc/self/attr/current file, which is unreadable and has no contents on
+ * NOSMACK environment. Functions mentioned above were tested during libsmack tests, so they are
+ * assumed to react correctly and are not tested in this test case.
+ *
+ * This test works similarily to libsmack test smack09_new_label_from_socket. At first server and
+ * client are created then sockets are set up and perm_app_id_from_socket is used. On NOSMACK env
+ * correct behaviour for perm_app_id_from_socket would be returning NULL label.
+ */
+RUNNER_TEST_NOSMACK(privilege_control15_app_id_from_socket_nosmack)
+{
+ int pid;
+ struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+
+ //Clean up before creating socket
+ unlink(SOCK_PATH);
+
+ //Create our server and client with fork
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
+
+ if (!pid) { //child (server)
+ int sock, result, fd;
+
+ //Create a socket
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
+
+ //Bind socket to address
+ result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG(false, "bind failed: " << strerror(errno));
+ }
+
+ //Prepare for listening
+ result = listen(sock, 1);
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG(false, "listen failed: " << strerror(errno));
+ }
+
+ //Accept connection
+ alarm(2);
+ fd = accept(sock, NULL, NULL);
+ alarm(0);
+ RUNNER_ASSERT_MSG(fd >= 0, "accept failed: " << strerror(errno));
+
+ //Wait a little bit for client to use perm_app_id_from_socket
+ usleep(200);
+
+ //cleanup
+ close(sock);
+ exit(0);
+ } else { //parent (client)
+ // Give server some time to setup listening socket
+ sleep(1);
+ int sock, result;
+ char* smack_label = NULL;
+
+ //Create socket
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
+
+ //Try connecting to address
+ result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
+ }
+
+ //Use perm_app_id_from_socket. Should fail and return NULL smack_label.
+ smack_label = perm_app_id_from_socket(sock);
+ if (smack_label != NULL) {
+ close(sock);
+ RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket should fail.");
+ }
+
+ //cleanup
+ close(sock);
+ waitpid(pid, NULL, 0);
+ }
+}
+
+/**
+ * Next three functions are defined only because of NOSMACK environment.
+ *
+ * Inside check_labels_dir_nosmack, smack_have_access should expect error, not access granted.
+ */
+int check_labels_dir_nosmack(const char *fpath, const struct stat *sb,
+ const char *labels_db_path, const char *dir_db_path,
+ const char *access)
+{
+ int result;
+ char* label;
+ char* label_gen;
+ char label_temp[SMACK_LABEL_LEN + 1];
+ std::fstream fs_db;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result);
+ RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ if (result != 0) {
+ free(label_gen);
+ RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result);
+ }
+ if (label != NULL) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
+ }
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ if (result != 0) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result);
+ }
+ if (S_ISDIR(sb->st_mode)) {
+ if (label == NULL) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
+ }
+ result = strcmp("TRUE", label);
+ if (result != 0) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false,
+ "TRANSMUTE label on " << fpath << " is not set to TRUE Result: " << result);
+ }
+ } else if (label != NULL) {
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
+ }
+
+ free(label);
+
+ fs_db.open(labels_db_path, std::ios_base::in);
+ if (!(fs_db.good())) {
+ free(label_gen);
+ RUNNER_ASSERT_MSG(false, "Can not open database for apps");
+ }
+
+ while(!fs_db.eof()) {
+ fs_db.getline(label_temp, 255);
+ result = smack_have_access(label_temp, label_gen, access);
+ if (result != -1) { //expect error, not access granted
+ free(label_gen);
+ RUNNER_ASSERT_MSG(false, "smack_have_access should fail. Result: " << result);
+ }
+ }
+
+ fs_db.close();
+
+ fs_db.open(dir_db_path, std::ios_base::in);
+ if (!fs_db.good()) {
+ free(label_gen);
+ RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
+ }
+
+ bool is_dir = false;
+ while(!fs_db.eof()) {
+ fs_db.getline(label_temp, 255);
+ if (strcmp(label_gen, label_temp) == 0) {
+ is_dir = true;
+ break;
+ }
+ }
+
+ free(label_gen);
+
+ RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
+
+ return 0;
+}
+
+int nftw_check_labels_app_public_dir_nosmack(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ return check_labels_dir_nosmack(fpath, sb,
+ SMACK_APPS_LABELS_DATABASE,
+ SMACK_PUBLIC_DIRS_DATABASE, "rx");
+}
+
+int nftw_check_labels_app_settings_dir_nosmack(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ return check_labels_dir_nosmack(fpath, sb,
+ SMACK_APPS_SETTINGS_LABELS_DATABASE,
+ SMACK_SETTINGS_DIRS_DATABASE, "rwx");
+}
+
+/**
+ * NOSMACK version of privilege_control18 test.
+ *
+ * Uses NOSMACK version of nftw_check_labels_app_public_dir.
+ */
+RUNNER_TEST_NOSMACK(privilege_control18_app_setup_path_public_nosmack)
+{
+ int result;
+
+ cleaning_smack_database_files();
+ add_lables_to_db();
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
+ RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir_nosmack, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to check Smack labels for shared app dir. Result: " << result);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to check Smack labels for non-app dir. Result: " << result);
+
+ cleaning_smack_database_files();
+}
+
+/**
+ * NOSMACK version of privilege_control19 test.
+ *
+ * Uses NOSMACK version of nftw_check_labels_app_settings_dir.
+ */
+RUNNER_TEST_NOSMACK(privilege_control19_app_setup_path_settings_nosmack)
+{
+ int result;
+
+ cleaning_smack_database_files();
+ add_lables_to_db();
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result);
+
+ result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
+ RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result);
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir_nosmack, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to check Smack labels for shared app dir. Result: " << result);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0,
+ "Unable to check Smack labels for non-app dir. Result: " << result);
+
+ cleaning_smack_database_files();
+}
+
+/**
+ * NOSMACK version of privielge_control21b test.
+ *
+ * Instead of error caused by incorrect params expect access granted, becuase SMACK is off.
+ */
+RUNNER_TEST_NOSMACK(privilege_control21b_incorrect_params_smack_pid_have_access_nosmack)
+{
+ int result = smack_pid_have_access(PID_CORRECT, "some_object", NULL);
+ RUNNER_ASSERT_MSG(result == 1,
+ "smack_pid_have_access should return access granted. Result: " << result);
+
+ result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
+ RUNNER_ASSERT_MSG(result == 1,
+ "smack_pid_have_access should return access granted. Result: " << result);
+
+ result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
+ RUNNER_ASSERT_MSG(result == 1,
+ "smack_pid_have_access should return access granted. Result: " << result);
+
+ result = smack_pid_have_access(PID_INCORRECT, "some_object", "rw");
+ RUNNER_ASSERT_MSG(result == 1,
+ "smack_pid_have_access should return access granted. Result: " << result);
+}