#include <memory.h>
#include <summary_collector.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/xattr.h>
+
#include <libprivilege-control_test_common.h>
#include <tests_common.h>
static const char* SM_DENIED_PERMISSION1 = "security_manager_test_rules1";
static const char* SM_DENIED_PERMISSION2 = "security_manager_test_rules2";
-static const char* SM_ALLOWED_PATH = TEST_APP_DIR;
-static const char* SM_DENIED_PATH = TEST_NON_APP_DIR;
+static const char* SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
+static const char* SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
+static const char* SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
+static const char* SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
+
+
+static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
+ const char* correctLabel, bool transmute_test, bool exec_test)
+{
+ int result;
+ CStringPtr labelPtr;
+ char* label = NULL;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(correctLabel, label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"
+ " (should be '" << correctLabel << "' and is '" << label << "')");
+
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
+
+ if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
+ RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set");
+ result = strcmp(correctLabel, label);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath);
+ } else
+ RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
+
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
+
+ if (S_ISDIR(sb->st_mode) && transmute_test == true) {
+ RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all");
+ RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0,
+ "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
+ } else {
+ RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
+ }
+
+ return 0;
+}
+
+
+static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
+}
+
+static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+
+ return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
+}
+
+static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+
+ return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
+}
+
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
{
int result;
- result = nftw(SM_ALLOWED_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_ALLOWED_PATH);
+ result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
+
+ result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
+
+ result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
{
int result;
- result = nftw(SM_ALLOWED_PATH, &nftw_check_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_ALLOWED_PATH);
+ result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
+
+ result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
+
+ result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
"setting allowed permission failed. Result: " << result);
- result = security_manager_app_inst_req_add_path(request.get(), SM_ALLOWED_PATH,
+ result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
SECURITY_MANAGER_PATH_PRIVATE);
RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
"setting allowed path failed. Result: " << result);
+ result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
+ SECURITY_MANAGER_PATH_PUBLIC);
+ RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
+ "setting allowed path failed. Result: " << result);
+
+ result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
+ SECURITY_MANAGER_PATH_PUBLIC_RO);
+ RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
+ "setting allowed path failed. Result: " << result);
+
result = security_manager_app_install(request.get());
RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
"installing app failed. Result: " << result);