int DB::Transaction::db_result = PC_OPERATION_SUCCESS;
+const char *WGT_APP_ID = "QwCqJ0ttyS";
+
int smack_runtime_check(void)
{
static int smack_present = -1;
RUNNER_ASSERT_MSG(PC_OPERATION_SUCCESS == DB::Transaction::db_result, \
"perm_end returned: " << DB::Transaction::db_result);
+// Common typedefs
+typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
+
+// Common macros and labels used in tests
+extern const char *WGT_APP_ID;
#endif
#include <string>
#include <set>
#include <ftw.h>
+#include <tests_common.h>
// How many open file descriptors should ftw() function use?
#define FTW_MAX_FDS 16
#define APP_TEST_APP_2_SHARED_LABEL "test-application2-shared"
#define APP_TEST_APP_3_SHARED_LABEL "test-application3-shared"
-#define WGT_APP_ID "QwCqJ0ttyS"
#define WGT_PARTNER_APP_ID "7btsV1Y0sX"
#define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment);
void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment);
+void check_app_has_permission(const char* app_id, const app_type_t app_type,
+ const char *perm_list[], const int expected_result);
void test_revoke_permissions(int line_no, const char* app_id, const rules_t &rules, bool smack);
void test_app_enable_permissions_efl(bool smack);
return 0;
}
+void check_app_has_permission(const char* app_id, const app_type_t app_type,
+ const char *perm_list[], const int expected_result)
+{
+ int result = PC_OPERATION_SUCCESS;
+ bool has_permission = false;
+
+ for (int i = 0; perm_list[i] != NULL; i++) {
+ result = perm_app_has_permission(app_id, app_type, perm_list[i], &has_permission);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "perm_app_has_permission failed with result: " << result);
+ RUNNER_ASSERT_MSG(has_permission == expected_result,
+ "Unexpected result, perm_app_has_permission returned: " << has_permission
+ << ", expected: " << expected_result);
+ }
+}
void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
{
int result;
RUNNER_ASSERT_MSG(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
"SMACK accesses not granted for EFL_APP");
+ // Check if permission is assigned to app in db
+ check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
+
DB_BEGIN
// Cleanup
"perm_app_uninstall failed: " << result);
DB_END
+
+ // Check if permission is disabled in db
+ check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false);
}
void test_app_disable_permissions_efl(bool smack)
RUNNER_ASSERT_MSG(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
"SMACK accesses not granted for EFL_APP");
+ // Check if permission is assigned to app in db
+ check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
+
DB_BEGIN
// Disable a permission
RUNNER_ASSERT_MSG(check_no_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
"SMACK accesses not disabled for EFL_APP");
+ // Check if permission is disabled in db
+ check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false);
+
DB_BEGIN
// Cleanup
// Are all the permissions enabled?
RUNNER_ASSERT_MSG(check_all_accesses(smack, rules2), "Not all permisions enabled.");
+ // Check if permissions are enabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
+
DB_BEGIN
// Disable permissions
// Are all the permissions disabled?
RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2), "Not all permisions disabled.");
+ // Check if permission is disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+
/**
* Test - disable some granted permissions leaving non complementary and then disabling those too.
*/
// Are all first permissions not disabled?
RUNNER_ASSERT_MSG(check_all_accesses(smack, rules_wgt2), "Some of second permissions disabled.");
+ // Check if second permission is disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+ // Check if first permission is enabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS, true);
+
DB_BEGIN
// Disable first permissions
// Are all second permissions disabled?
RUNNER_ASSERT_MSG(check_no_accesses(smack, rules_wgt2), "Not all second permisions disabled.");
+ // Check if permission is disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS, false);
+
/**
* Test - disable only no r granted permissions.
*/
// Are all no r permissions disabled?
RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2_no_r), "Not all no r permissions disabled.");
+ // Check if second permission is enabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, true);
+ // Check if permission is disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
+
DB_BEGIN
// Prepare permissions
RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2_r), "Not all r permissions disabled.");
+ // Check if permission is disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
+
DB_BEGIN
// Clean up after test:
DB_END
+ // Check if permission is assigned to app in db
+ check_app_has_permission(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
+
// Check if the accesses are realy applied..
result = test_have_all_accesses(rules_efl);
RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
result = test_have_all_accesses(rules2);
RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
+ // Check if permission is assigned to app in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
+
DB_BEGIN
// Clean up
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error revoking app permissions. Result: " << result);
+ DB_END
+
+ // Check if permission is disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+
/**
* Test - Enabling all permissions with persistant mode disabled
*/
+ DB_BEGIN
+
result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 0);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error enabling app permissions. Result: " << result);
result = test_have_all_accesses(rules2);
RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
+ // Check if permission is assigned to app in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
+
DB_BEGIN
// Clean up
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error revoking app permissions. Result: " << result);
+ DB_END
+
+ // Check if permission is disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
+
/**
* Test - Enabling all permissions in two complementary files
*/
+ DB_BEGIN
+
result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, 1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
" Error enabling app permissions. Result: " << result);
result = test_have_all_accesses(rules2_no_r);
RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
+ // Check if permissions are assigned to app in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, true);
+
DB_BEGIN
// Clean up
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error revoking app permissions. Result: " << result);
+ DB_END
+
+ // Check if permissions are disabled in db
+ check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false);
+
/**
* Test - Enabling some permissions and then enabling complementary permissions
*/
+ DB_BEGIN
+
// Enable permission for rules 2 no r
result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"perm_app_disable_permissions didn't check if pkg_id is valid.");
}
-
+RUNNER_TEST(privilege_control21m_incorrect_params_perm_app_has_permission)
+{
+ bool has_permission;
+
+ RUNNER_ASSERT_MSG(perm_app_has_permission(NULL, APP_TYPE_WGT,
+ PRIVS2[0], &has_permission) == PC_ERR_INVALID_PARAM,
+ "perm_app_has_permission didn't check if pkg_id isn't NULL.");
+ RUNNER_ASSERT_MSG(perm_app_has_permission(APP_ID, APP_TYPE_OTHER,
+ PRIVS2[0], &has_permission) == PC_ERR_INVALID_PARAM,
+ "perm_app_has_permission should not accept app_type = OTHER.");
+ RUNNER_ASSERT_MSG(perm_app_has_permission(APP_ID, APP_TYPE_WGT,
+ NULL, &has_permission) == PC_ERR_INVALID_PARAM,
+ "perm_app_has_permission didn't check if permission_name isn't NULL.");
+ RUNNER_ASSERT_MSG(perm_app_has_permission(APP_ID, APP_TYPE_WGT,
+ PRIVS2[0], NULL) == PC_ERR_INVALID_PARAM,
+ "perm_app_has_permission didn't check if has_permission isn't NULL.");
+}
#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
namespace {
-typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
-
void closefdptr(int* fd) { close(*fd); }
typedef std::unique_ptr<int, std::function<void (int*)> > FDUniquePtr;
-}
+} //namespace
/////////////////////////////////////////
//////NOSMACK ENVIRONMENT TESTS//////////
RUNNER_ASSERT_MSG(result == -1,
"Despite SMACK being off some accesses were added. Result: " << result);
- // TODO check entry in database
+ // Check if permission is assigned to app in db
+ check_app_has_permission(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
}
void set_app_privilege_nosmack(int line_no,
# Dependencies
PKG_CHECK_MODULES(SEC_SRV_TESTS_DEP
libsmack
+ libprivilege-control
security-server
dpl-test-efl
dlog
SET(SEC_SRV_TC_SERVER_SOURCES
${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_tests_server.cpp
${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_tests_weird_arguments.cpp
+ ${PROJECT_SOURCE_DIR}/tests/security-server-tests/common/security_server_tests_common.cpp
)
SET(SEC_SRV_PWD_SOURCES
INCLUDE_DIRECTORIES(
${PROJECT_SOURCE_DIR}/tests/common/
+ ${PROJECT_SOURCE_DIR}/tests/security-server-tests/common/
)
ADD_DEFINITIONS("-I/usr/include/dbus-1.0/dbus")
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+
+/*
+ * @file security_server_tests_common.cpp
+ * @author Marcin Lis (m.lis@samsung.com)
+ * @version 1.0
+ * @brief security-server tests commons
+ */
+
+#include "security_server_tests_common.h"
+
+void check_app_has_privilege(const char *app_id, const app_type_t app_type,
+ const char *perm_list[], const int expected_result)
+{
+ int has_privilege = false;
+ int result = SECURITY_SERVER_API_SUCCESS;
+
+ for (int i = 0; perm_list[i] != NULL; i++) {
+ result = security_server_app_has_privilege(app_id, app_type, perm_list[i], &has_privilege);
+ RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_SUCCESS,
+ "security_server_app_has_privilege failed with result: " << result);
+ RUNNER_ASSERT_MSG(has_privilege == expected_result,
+ "Unexpected result, has_privilege returned: " << has_privilege
+ << ", expected: " << expected_result);
+ }
+}
+
+void check_app_caller_has_privilege(const app_type_t app_type, const char *perm_list[],
+ const int expected_result)
+{
+ int has_privilege = false;
+ int result = SECURITY_SERVER_API_SUCCESS;
+
+ for (int i = 0; perm_list[i] != NULL; i++) {
+ result = security_server_app_caller_has_privilege(app_type, perm_list[i], &has_privilege);
+ RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_SUCCESS,
+ "security_server_app_caller_has_privilege failed with result: " << result);
+ RUNNER_ASSERT_MSG(has_privilege == expected_result,
+ "Unexpected result, caller_has_privilege returned: " << has_privilege
+ << ", expected: " << expected_result);
+ }
+}
+
+void check_app_has_privilege_denied(const char *app_id, const app_type_t app_type,
+ const char *perm_list[])
+{
+ int has_privilege = false;
+ int result = SECURITY_SERVER_API_SUCCESS;
+
+ for (int i = 0; perm_list[i] != NULL; i++) {
+ // call api function - should return access denied error
+ result = security_server_app_has_privilege(app_id, app_type, perm_list[i], &has_privilege);
+ RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_app_has_privilege returned unexpected value, "
+ "result: " << result);
+ }
+}
+
+void check_app_caller_has_privilege_denied(const app_type_t app_type, const char *perm_list[])
+{
+ int has_privilege = false;
+ int result = SECURITY_SERVER_API_SUCCESS;
+
+ for (int i = 0; perm_list[i] != NULL; i++) {
+ // call api function - should return access denied error
+ result = security_server_app_caller_has_privilege(app_type, perm_list[i], &has_privilege);
+ RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_app_caller_has_privilege returned unexpected value, "
+ "result: " << result);
+ }
+}
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+
+/*
+ * @file security_server_tests_common.h
+ * @author Marcin Lis (m.lis@samsung.com)
+ * @version 1.0
+ * @brief security-server tests commons
+ */
+
+#include <security-server.h>
+#include <privilege-control.h>
+#include "tests_common.h"
+
+#ifndef SECURITY_SERVER_TESTS_COMMON_H_
+#define SECURITY_SERVER_TESTS_COMMON_H_
+
+void check_app_has_privilege(const char *app_id, const app_type_t app_type,
+ const char *perm_list[], const int expected_result);
+
+void check_app_caller_has_privilege(const app_type_t app_type, const char *perm_list[],
+ const int expected_result);
+
+void check_app_has_privilege_denied(const char *app_id, const app_type_t app_type,
+ const char *perm_list[]);
+
+void check_app_caller_has_privilege_denied(const app_type_t app_type, const char *perm_list[]);
+
+#endif /* SECURITY_SERVER_TESTS_COMMON_H_ */
#include <dlog.h>
#include <privilege-control.h>
#include <ftw.h>
+#include "security_server_tests_common.h"
#include "tests_common.h"
#include "test.h"
#define TEST06_SUBJECT "subject_1d414140"
#define TEST07_SUBJECT "subject_cd738844"
#define TEST08_SUBJECT "subject_fd84ba7f"
+const char *TEST09_SUBJECT = "subject_sstest09";
+const char *TEST10_SUBJECT = "subject_sstest10";
+const char *TEST11_SUBJECT = "subject_sstest11";
+const char *TEST12_SUBJECT = "subject_sstest12";
#define SECURITY_SERVER_SOCK_PATH "/tmp/.security_server.sock"
#define COOKIE_SIZE 20
/* from security-server-common.h */
#define SECURITY_SERVER_MAX_OBJ_NAME 30
-#define API_PASSWD_SET "security-server::api-password-set"
-#define API_PASSWD_CHECK "security-server::api-password-check"
-#define API_DATA_SHARE "security-server::api-data-share"
-#define API_MIDDLEWARE "security-server::api-middleware"
+#define API_PASSWD_SET "security-server::api-password-set"
+#define API_PASSWD_CHECK "security-server::api-password-check"
+#define API_DATA_SHARE "security-server::api-data-share"
+#define API_MIDDLEWARE "security-server::api-middleware"
+#define API_PRIVILEGE_BY_NAME "security-server::api-app-privilege-by-name"
#define API_FREE_ACCESS "*"
#define API_RULE_REQUIRED "w"
RUNNER_CHILD_TEST(tc09_check_API_app_enable_permissions)
{
int ret;
- const char *app_id = "test_app";
- app_type_t app_type = APP_TYPE_WGT;
- const char *perm_list[] = {"aaa", "bbb", "ccc", NULL};
+ const char *perm_list[] = {"org.tizen.privilege.contact.read",
+ "org.tizen.privilege.contact.write",
+ NULL};
int persistent = 1;
- ret = security_server_app_enable_permissions(app_id, app_type, perm_list, persistent);
+ // need to install WGT once again, in case it was removed before
+ DB_BEGIN
+ ret = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
+ ret = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
+ DB_END
+
+ // enable permission
+ ret = security_server_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list, persistent);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ /* allow subject TEST09_SUBJECT to socket label security-server::api-privilege-by-name */
+ struct smack_accesses *handle = NULL;
+ ret = smack_accesses_new(&handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ SmackUniquePtr smackAccPtr(handle, smack_accesses_free);
+ handle = NULL; // it is better to reset standard pointer after that
+
+ ret = smack_accesses_add(smackAccPtr.get(), TEST09_SUBJECT, API_PRIVILEGE_BY_NAME, API_RULE_REQUIRED);
RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_accesses_apply(smackAccPtr.get());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_set_label_for_self(TEST09_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ // drop root privileges
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ // Check if permissions are given
+ check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, true);
}
RUNNER_CHILD_TEST(tc10_check_API_app_disable_permissions)
{
int ret;
- const char *app_id = "test_app";
- app_type_t app_type = APP_TYPE_WGT;
- const char *perm_list[] = {"aaa", "bbb", "ccc", NULL};
+ const char *perm_list[] = {"org.tizen.privilege.contact.read",
+ "org.tizen.privilege.contact.write",
+ NULL};
+
+ // need to install WGT once again, in case it was removed before
+ DB_BEGIN
+ ret = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
+ ret = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
+ DB_END
+
+ // disable permission
+ ret = security_server_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ /* allow subject TEST10_SUBJECT to socket label security-server::api-privilege-by-name */
+ struct smack_accesses *handle = NULL;
+ ret = smack_accesses_new(&handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ SmackUniquePtr smackAccPtr(handle, smack_accesses_free);
+ handle = NULL; // it is better to reset standard pointer after that
+
+ ret = smack_accesses_add(smackAccPtr.get(), TEST10_SUBJECT, API_PRIVILEGE_BY_NAME, API_RULE_REQUIRED);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- ret = security_server_app_disable_permissions(app_id, app_type, perm_list);
+ ret = smack_accesses_apply(smackAccPtr.get());
RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_set_label_for_self(TEST10_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ // drop root privileges
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ // Check if permissions are disabled
+ check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, false);
+}
+
+RUNNER_CHILD_TEST(tc11_check_API_app_has_privilege_allow)
+{
+ int ret;
+ const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
+ "org.tizen.privilege.contact.write",
+ NULL};
+ const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
+ "org.tizen.privilege.calendar.write",
+ NULL};
+ const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
+ NULL};
+
+ // simulate app installation - add TEST11_SUBJECT to databse
+ ret = perm_app_uninstall(TEST11_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
+
+ DB_BEGIN
+ ret = perm_app_uninstall(TEST11_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
+ ret = perm_app_install(TEST11_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
+ DB_END
+
+ // enable permission
+ ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+ ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ // allow subject TEST11_SUBJECT to sockets (label privilege-by-name)
+ struct smack_accesses *handle = NULL;
+ ret = smack_accesses_new(&handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ SmackUniquePtr smackAccPtr(handle, smack_accesses_free);
+ handle = NULL; // it is better to reset standard pointer after that
+
+ ret = smack_accesses_add(smackAccPtr.get(), TEST11_SUBJECT, API_PRIVILEGE_BY_NAME, API_RULE_REQUIRED);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_accesses_apply(smackAccPtr.get());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_set_label_for_self(TEST11_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ // drop root privileges
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ // Check if permissions are given using "caller" API
+ check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_pers, true);
+ check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_temp, true);
+ check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_disabled, false);
+
+ // Check if permissions are given using API with app_label parameter
+ check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, true);
+ check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, true);
+ check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_disabled, false);
+}
+
+RUNNER_CHILD_TEST(tc12_check_API_app_has_privilege_denied)
+{
+ int ret;
+ const char *perm_list[] = {"org.tizen.privilege.contact.read",
+ "org.tizen.privilege.contact.write",
+ NULL};
+
+ // set smack label without previously assigned permissions to api socket
+ ret = smack_set_label_for_self(TEST12_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ // drop root privileges
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ // call common function to perform the check
+ check_app_caller_has_privilege_denied(APP_TYPE_WGT, perm_list);
+
+ // call also second common function
+ check_app_has_privilege_denied(TEST12_SUBJECT, APP_TYPE_WGT, perm_list);
}
//////////////////////////////////////////