#define APP_TEST "app_test"
-#define APP_NPRUNTIME "app_np_test"
-#define APP_NPRUNTIME_FILE "/etc/smack/test_privilege_control_DIR/app_dir/exec"
-
namespace {
const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW);
}
-RUNNER_TEST(privilege_control20_app_setup_path_npruntime)
+RUNNER_TEST_SMACK(privilege_control20_app_setup_path_npruntime)
{
int result = 0;
std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
label = NULL;
RUNNER_ASSERT(0 == strcmp(labelPtr.get(), nptargetlabel.c_str()));
- // test smack accesses
- result = smack_have_access(APP_NPRUNTIME, nptargetlabel.c_str(), "rw");
- RUNNER_ASSERT_MSG(result == 1,
- "Error: subject: " << APP_NPRUNTIME << " has not rw access to object: "
- << nptargetlabel.c_str() << ". Result: " << result);
-
- result = smack_have_access(nptargetlabel.c_str(), APP_NPRUNTIME, "rxat");
- RUNNER_ASSERT_MSG(result == 1,
- "Error: subject: " << nptargetlabel.c_str() << " has not rxat access to object: "
- << APP_NPRUNTIME << ". Result: " << result);
-
- result = smack_have_access(nptargetlabel.c_str(), "system::homedir", "rxat");
- RUNNER_ASSERT_MSG(result == 1,
- "Error: subject: " << nptargetlabel.c_str() << " has not rxat access to object: "
- << "system::homedir. Result: " << result);
-
- result = smack_have_access(nptargetlabel.c_str(), "xorg", "rw");
- RUNNER_ASSERT_MSG(result == 1,
- "Error: subject: " << nptargetlabel.c_str() << " has not rw access to object: "
- << "xorg. Result: " << result);
+ // Rules to test
+ const std::vector< std::vector<std::string> > np_rules = {
+ { APP_NPRUNTIME, nptargetlabel, "rw" },
+ { nptargetlabel, APP_NPRUNTIME, "rxat" },
+ { nptargetlabel, "system::homedir", "rxat" },
+ { nptargetlabel, "xorg", "rw" },
+ { nptargetlabel, "crash-worker", "rwxa" },
+ { nptargetlabel, "sys-assert::core", "rwxat" },
+ { nptargetlabel, "syslogd", "rw" },
+ };
+
+ // Test smack accesses
+ result = test_have_all_accesses(np_rules);
+ RUNNER_ASSERT_MSG(result == 1, "Not all permissions added.");
result = perm_app_uninstall(APP_NPRUNTIME);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
}
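Review bot: The single assertion on `test_have_all_accesses(np_rules)` fails with only "Not all permissions added.", so the subject, object and access string that the removed per-rule `RUNNER_ASSERT_MSG` calls printed are lost. With seven Smack rules in the table, a failure no longer says which grant is missing. Unless the helper (defined outside this hunk) already logs the failing rule, it should do so, and the assertion should at least report the code: `RUNNER_ASSERT_MSG(result == 1, "Not all permissions added. Result: " << result);`. As far as the visible lines show, the table only asserts that the listed accesses are present; a companion check that the npruntime label did not receive more than the listed access would cover the least-privilege direction. Part of the test body lies outside the visible lines.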
/**
+ * NOSMACK version of privilege_control20 test.
+ *
+ * Uses NOSMACK version of test_have_nosmack_accesses.
+ */
+RUNNER_TEST_NOSMACK(privilege_control20_app_setup_path_npruntime_nosmack)
+{
+ int result = 0;
+ std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
+ std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime";
+ char *label = NULL;
+
+ DB_BEGIN
+
+ result = perm_app_uninstall(APP_NPRUNTIME);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
+
+ result = perm_app_install(APP_NPRUNTIME);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install. " << result);
+
+ result = perm_app_setup_path(APP_NPRUNTIME, APP_NPRUNTIME_FILE, PERM_APP_PATH_NPRUNTIME);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path. " << result);
+
+ DB_END
+
+ RUNNER_ASSERT(0 == smack_lgetlabel(APP_NPRUNTIME_FILE, &label, SMACK_LABEL_EXEC));
+ labelPtr.reset(label);
+ label = NULL;
+ RUNNER_ASSERT(0 == strcmp(labelPtr.get(), nptargetlabel.c_str()));
+
+ // Rules to test
+ const std::vector< std::vector<std::string> > np_rules = {
+ { APP_NPRUNTIME, nptargetlabel, "rw" },
+ { nptargetlabel, APP_NPRUNTIME, "rxat" },
+ { nptargetlabel, "system::homedir", "rxat" },
+ { nptargetlabel, "xorg", "rw" },
+ { nptargetlabel, "crash-worker", "rwxa" },
+ { nptargetlabel, "sys-assert::core", "rwxat" },
+ { nptargetlabel, "syslogd", "rw" },
+ };
+
+ // Check if accesses aren't added
+ result = test_have_nosmack_accesses(np_rules);
+ RUNNER_ASSERT_MSG(result == -1, "Accesses shouldn't be added. Result: " << result);
+
+ // Uninstall app runtime
+ result = perm_app_uninstall(APP_NPRUNTIME);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
+}
+
+/**
* NOSMACK version of privielge_control21b test.
*
* Instead of error caused by incorrect params expect access granted, becuase SMACK is off.
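Review bot: The `np_rules` table in `privilege_control20_app_setup_path_npruntime_nosmack` is a verbatim copy of the one in the SMACK variant, so a rule added to one copy can be missed in the other and the two tests would then check different policy. Building the table in one helper that both tests call keeps them in step, assuming both tests can see a common declaration. The expectation `result == -1` is also unexplained at the call site; a comment such as `// -1: rules are not visible because Smack is disabled` would help, if that is what `test_have_nosmack_accesses` returns (it is defined outside this hunk). The last three lines of the hunk belong to the next test's comment block.
```cpp
// Expected Smack rules for an npruntime path; shared by the SMACK and NOSMACK tests.
std::vector< std::vector<std::string> > np_runtime_rules(const std::string &nptargetlabel)
{
    return {
        // … unchanged: the seven { subject, object, access } rows …
    };
}

// in each test, replacing the inline table:
const std::vector< std::vector<std::string> > np_rules = np_runtime_rules(nptargetlabel);
```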