#include <stdio.h>
#include <memory.h>
#include <summary_collector.h>
+#include <string>
#include <sys/types.h>
#include <sys/stat.h>
#include <security-manager.h>
#include <sm_db.h>
+#include <cynara_test_client.h>
DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
"security_manager_test_rules2"
};
-static const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL";
-
-static const rules_t SM_ALLOWED_RULES = {
- { USER_APP_ID, "test_sm_book_8", "r" },
- { USER_APP_ID, "test_sm_book_9", "w" },
- { USER_APP_ID, "test_sm_book_10", "x" },
- { USER_APP_ID, "test_sm_book_11", "rw" },
- { USER_APP_ID, "test_sm_book_12", "rx" },
- { USER_APP_ID, "test_sm_book_13", "wx" },
- { USER_APP_ID, "test_sm_book_14", "rwx" },
- { USER_APP_ID, "test_sm_book_15", "rwxat" },
- { "test_sm_subject_8", USER_APP_ID, "r" },
- { "test_sm_subject_9", USER_APP_ID, "w" },
- { "test_sm_subject_10", USER_APP_ID, "x" },
- { "test_sm_subject_11", USER_APP_ID, "rw" },
- { "test_sm_subject_12", USER_APP_ID, "rx" },
- { "test_sm_subject_13", USER_APP_ID, "wx" },
- { "test_sm_subject_14", USER_APP_ID, "rwx" },
- { "test_sm_subject_15", USER_APP_ID, "rwxat" }
-};
-static const rules_t SM_DENIED_RULES = {
- { USER_APP_ID, "test_sm_book_1", "r" },
- { USER_APP_ID, "test_sm_book_2", "w" },
- { USER_APP_ID, "test_sm_book_3", "x" },
- { USER_APP_ID, "test_sm_book_4", "rw" },
- { USER_APP_ID, "test_sm_book_5", "rx" },
- { USER_APP_ID, "test_sm_book_6", "wx" },
- { USER_APP_ID, "test_sm_book_7", "rwx" },
- { "test_sm_subject_1", USER_APP_ID, "r" },
- { "test_sm_subject_2", USER_APP_ID, "w" },
- { "test_sm_subject_3", USER_APP_ID, "x" },
- { "test_sm_subject_4", USER_APP_ID, "rw" },
- { "test_sm_subject_5", USER_APP_ID, "rx" },
- { "test_sm_subject_6", USER_APP_ID, "wx" },
- { "test_sm_subject_7", USER_APP_ID, "rwx" }
+static const privileges_t SM_NO_PRIVILEGES = {
};
+static const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL";
+
static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
static const char *const SM_PRIVATE_PATH_FOR_USER_5000 = "/home/app/securitytests/test_DIR";
+static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
+
static bool isLinkToExec(const char *fpath, const struct stat *sb)
RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
}
-static void check_app_permissions(const char *const app_id, const char *const pkg_id,
- const privileges_t &allowed_privs, const privileges_t &denied_privs,
- const rules_t &allowed_rules, const rules_t &denied_rules)
-{
- bool result;
- result = check_all_accesses(smack_check(), allowed_rules);
- RUNNER_ASSERT_MSG_BT(result, "Permissions not added.");
- result = check_no_accesses(smack_check(), denied_rules);
- RUNNER_ASSERT_MSG_BT(result, "Permissions added.");
+static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
+ const privileges_t &allowed_privs, const privileges_t &denied_privs)
+{
+ (void) app_id;
- /* TODO: USER_APP_ID is hardcoded in the following checks, because libprivilege always generate
- * label "User" for all installed apps. Adjust it when libprivilege is upgraded. */
- (void)app_id; // unused parameter
- (void)pkg_id; // unused parameter
+ CynaraTestClient ctc;
- for (auto it = allowed_privs.begin(); it != allowed_privs.end(); ++it)
- check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), true);
+ for (auto &priv : allowed_privs) {
+ ctc.check(pkg_id, "", user, priv.c_str(), CYNARA_API_SUCCESS);
+ }
- for (auto it = denied_privs.begin(); it != denied_privs.end(); ++it)
- check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), false);
+ for (auto &priv : denied_privs) {
+ ctc.check(pkg_id, "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
+ }
}
static void check_app_after_install(const char *const app_id, const char *const pkg_id,
- const privileges_t &allowed_privs, const privileges_t &denied_privs,
- const rules_t &allowed_rules, const rules_t &denied_rules)
+ const privileges_t &allowed_privs,
+ const privileges_t &denied_privs)
{
TestSecurityManagerDatabase dbtest;
dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
- check_app_permissions(app_id, pkg_id,
- allowed_privs, denied_privs,
- allowed_rules, denied_rules);
+ /*Privileges should be granted to all users if root installs app*/
+ check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
}
static void check_app_after_install(const char *const app_id, const char *const pkg_id)
{
TestSecurityManagerDatabase dbtest;
dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
+
+
+ /*Privileges should not be granted anymore to any user*/
+ check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
}
static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
/* Check records in the security-manager database */
check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
- SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES,
- SM_ALLOWED_RULES, SM_DENIED_RULES);
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
/* TODO: add parameters to this function */
check_app_path_after_install();
{
int result;
AppInstReqUniquePtr request;
+ const std::string user = std::to_string(static_cast<unsigned int>(APP_UID));
//switch user to non-root
//should succeed - this time i register folder inside user's home dir
prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER_5000);
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
+ result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
+ RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
+ "setting allowed permission failed. Result: " << result);
+ }
+
result = security_manager_app_install(request.get());
RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
"installing app failed. Result: " << result);
+ check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+
//uninstall app as non-root user
request.reset(do_app_inst_req_new());
result = security_manager_app_uninstall(request.get());
RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
"uninstalling app failed. Result: " << result);
+
+ check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
}