-#sbs-git:slp/pkgs/w/wrt-security wrt-security 0.0.43
Name: security-tests
Summary: Security repository for holding tests.
Version: 0.0.45
Release: 1
-Group: Development/Libraries
+Group: Security/Testing
License: Apache License, Version 2.0
URL: N/A
Source0: %{name}-%{version}.tar.gz
api_feature_loader --verbose
wrt-installer --install /usr/bin/TestMisiuPysiu123.wgt
-wrt-installer --install /usr/bin/MisiuPysiu123Partner.wgt
-wrt-installer --install /usr/bin/MisiuPysiu123Platform.wgt
osp-installer -i /usr/bin/uqNfgEjqc7-1.0.0-arm.tpk
-osp-installer -i /usr/bin/j4RuPsZrNt-1.0.0-arm.tpk
-osp-installer -i /usr/bin/V5LKqDFBXm-1.0.0-arm.tpk
echo "security-tests postinst done ..."
%postun
wrt-installer --uninstall-name QwCqJ0ttyS
-wrt-installer --uninstall-name 7btsV1Y0sX
-wrt-installer --uninstall-name G4DE3U2vmW
osp-installer -u uqNfgEjqc7
-osp-installer -u j4RuPsZrNt
-osp-installer -u V5LKqDFBXm
%files
%manifest %{name}.manifest
/usr/share/privilege-control/*
/etc/smack/test_privilege_control_DIR/*
/usr/bin/TestMisiuPysiu123.wgt
-/usr/bin/MisiuPysiu123Partner.wgt
-/usr/bin/MisiuPysiu123Platform.wgt
/usr/bin/uqNfgEjqc7-1.0.0-arm.tpk
-/usr/bin/j4RuPsZrNt-1.0.0-arm.tpk
-/usr/bin/V5LKqDFBXm-1.0.0-arm.tpk
/usr/bin/hello-tizen
${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/common/duplicates.cpp
${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/libprivilege-control-test.cpp
${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_cases.cpp
- ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_cases_perm_add_additional_rules.cpp
${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_cases_nosmack.cpp
${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_cases_incorrect_params.cpp
${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_cases_stress.cpp
# Test SMACK rules
INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/WRT_test_privilege_control_rules.smack
+ ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/WRT_test_privilege_control_rules1.smack
DESTINATION /usr/share/privilege-control/
)
)
INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/MisiuPysiu123Partner.wgt
- DESTINATION /usr/bin/
- )
-
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/MisiuPysiu123Platform.wgt
- DESTINATION /usr/bin/
- )
-
-INSTALL(FILES
${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/uqNfgEjqc7-1.0.0-arm.tpk
DESTINATION /usr/bin/
)
INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/j4RuPsZrNt-1.0.0-arm.tpk
- DESTINATION /usr/bin/
- )
-
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/V5LKqDFBXm-1.0.0-arm.tpk
- DESTINATION /usr/bin/
- )
-
-INSTALL(FILES
${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/WRT_test_privilege_control_rules_wgt.smack
DESTINATION /usr/share/privilege-control/
)
}
}
-void TestLibPrivilegeControlDatabase::test_db_after__perm_add_additional_rules(
- const additional_rules& rules)
-{
- if (!m_base.is_open())
- m_base.open();
-
- additional_rules_table_create();
-
- size_t i;
- for (i = 0; i < rules.size(); ++i) {
- additional_rules_check_single_rule(rules[i]);
- }
-
- additional_rules_table_check();
-}
-
-void TestLibPrivilegeControlDatabase::test_db_label(const std::string& label_name)
-{
- if(!m_base.is_open())
- m_base.open();
-
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
-
-
- sql << "SELECT label_id FROM label WHERE name = '" << label_name << "' ;";
- m_base.execute(sql.str(), result);
-
- RUNNER_ASSERT_MSG_BT(result.rows.size() == 1, "querry : <" << sql.str() << "> returned [" <<
- result.rows.size() << "] rows");
-}
-
-void TestLibPrivilegeControlDatabase::test_db_not_label(const std::string& label_name)
-{
- if(!m_base.is_open())
- m_base.open();
-
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
-
- sql << "SELECT label_id FROM label WHERE name = '" << label_name << "' ;";
- m_base.execute(sql.str(), result);
-
- RUNNER_ASSERT_MSG_BT(result.rows.size() == 0, "querry : <" << sql.str() << "> returned [" <<
- result.rows.size() << "] rows");
-}
-
-void TestLibPrivilegeControlDatabase::test_db__perm_app_setup_path(const std::string& app_name,
- const std::string& path)
-{
- if(!m_base.is_open())
- m_base.open();
-
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
-
- sql << "SELECT * FROM app_path "
- "INNER JOIN app USING(app_id) "
- "INNER JOIN label ON label.label_id = app.label_id "
- "WHERE "
- "label.name == '" << app_name << "' "
- "AND app_path.path == '" << path << "' "
- ";";
- m_base.execute(sql.str(), result);
-
- RUNNER_ASSERT_MSG_BT(result.rows.size() == 1, ": querry : <" << sql.str() << "> returned [" <<
- result.rows.size() << "] rows");
-}
-
-void TestLibPrivilegeControlDatabase::test_db__perm_app_remove_path(const std::string& app_name,
- const std::string& path)
-{
- if(!m_base.is_open())
- m_base.open();
-
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
-
- sql << "SELECT * FROM app_path "
- "INNER JOIN app USING(app_id) "
- "INNER JOIN label ON label.label_id = app.label_id "
- "WHERE "
- "label.name == '" << app_name << "' "
- "AND app_path.path == '" << path << "' "
- ";";
- m_base.execute(sql.str(), result);
-
- RUNNER_ASSERT_MSG_BT(result.rows.size() == 0, "querry : <" << sql.str() << "> returned [" <<
- result.rows.size() << "] rows");
-}
-
void TestLibPrivilegeControlDatabase::app_label(const std::string& app_name)
{
Sqlite3DBaseSelectResult result;
RUNNER_ASSERT_MSG_BT(result.rows.size() == 1, "query : <" << sql.str() << "> returned [" <<
result.rows.size() << "] rows");
}
-
-void TestLibPrivilegeControlDatabase::additional_rules_table_create(void)
-{
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
- sql << "CREATE TEMP TABLE IF NOT EXISTS test_additional_rules ("
- "label_name TEXT, "
- "app_path_type_name TEXT, "
- "access INTEGER, "
- "reverse INTEGER) ; ";
- sql << "DELETE FROM test_additional_rules ; ";
- m_base.execute(sql.str(), result);
-}
-
-void TestLibPrivilegeControlDatabase::additional_rules_check_single_rule(
- const additional_rule& rule)
-{
- static const std::set<std::string> allowed_objects = {"~PUBLIC_PATH~",
- "~GROUP_PATH~",
- "~SETTINGS_PATH~",
- "~NPRUNTIME_PATH~"};
- if (allowed_objects.find(rule.object) == allowed_objects.end())
- return;
-
- //remove prefix and postfix ~
- std::string path = rule.object.substr(1, rule.object.size() - 2);
-
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
- sql << "INSERT OR IGNORE INTO test_additional_rules VALUES ('"
- << rule.subject << "', '"
- << path << "', "
- << str_to_access(rule.access) << ", "
- << (rule.reverse ? "1" : "0") << ") ;";
- m_base.execute(sql.str(), result);
-
- label(rule.subject);
- app_path_type(path);
- label_app_path_type_rule(rule, path);
-}
-
-void TestLibPrivilegeControlDatabase::label(const std::string& label)
-{
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
- sql << "SELECT label_id FROM label "
- "WHERE name == '" << label << "' ;";
- m_base.execute(sql.str(), result);
-
- RUNNER_ASSERT_MSG_BT(result.rows.size() == 1,"query : <" << sql.str() << "> returned [" <<
- result.rows.size() << "] rows");
-}
-
-void TestLibPrivilegeControlDatabase::app_path_type(const std::string& path)
-{
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
- sql << "SELECT * FROM app_path_type "
- "WHERE name == '" << path << "' ;";
- m_base.execute(sql.str(), result);
-
- RUNNER_ASSERT_MSG_BT(result.rows.size() == 1, "query : <" << sql.str() << "> returned [" <<
- result.rows.size() << "] rows");
-}
-
-void TestLibPrivilegeControlDatabase::label_app_path_type_rule(const additional_rule& rule,
- const std::string& path)
-{
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
- sql << "SELECT * FROM label_app_path_type_rule "
- "INNER JOIN label USING (label_id) "
- "INNER JOIN app_path_type USING (app_path_type_id) "
- "WHERE "
- "label.name == '" << rule.subject << "' "
- "AND app_path_type.name == '" << path << "' "
- "AND is_reverse == " << (rule.reverse ? "1" : "0") << " "
- "AND access == " << str_to_access(rule.access) << " ;";
- m_base.execute(sql.str(), result);
-
- RUNNER_ASSERT_MSG_BT(result.rows.size() == 1, "query : <" << sql.str() << "> returned [" <<
- result.rows.size() << "] rows");
-}
-
-void TestLibPrivilegeControlDatabase::additional_rules_table_check(void)
-{
- Sqlite3DBaseSelectResult result;
- ostringstream sql;
- sql << "SELECT label.name AS label_name, "
- "app_path_type.name AS app_path_type_name, "
- "access AS access, "
- "is_reverse AS reverse "
- "FROM label_app_path_type_rule "
- "INNER JOIN label USING (label_id) "
- "INNER JOIN app_path_type USING (app_path_type_id) "
- "EXCEPT SELECT * FROM test_additional_rules ;";
- m_base.execute(sql.str(), result);
-
- RUNNER_ASSERT_MSG_BT(result.rows.size() == 0, "query : <" << sql.str() << "> returned [" <<
- result.rows.size() << "] rows");
-}
void test_db_after__perm_app_enable_permissions(const char* name, app_type_t app_type,
const char** perm_list, bool persistent);
-/**
- * @brief Method for testing database after "perm_add_additional_rules" was run.
- *
- * It checks database's table "label_app_path_type_rule" for 100% compatibility with rules.
- * Argument rules for this function should be prepared with "additional_rules_parse()"
- *
- * @param rules set of rules to be checked
- */
- void test_db_after__perm_add_additional_rules(const additional_rules& rules);
-
-/**
- * @brief Check existence of label with given name.
- *
- * @label_name name of the label
- */
- void test_db_label(const std::string& label_name);
-
-/**
- * @brief Check absence of test_db_label with given name.
- *
- * @label_name name of the label
- */
- void test_db_not_label(const std::string& label_name);
-
-/**
- * @brief Check existence of path for given app.
- *
- * @param app_name name of application
- * @param path name of path
- */
- void test_db__perm_app_setup_path(const std::string& app_name, const std::string& path);
-
-/**
- * @brief Check absence of path for given app.
- *
- * @param app_name name of application
- * @param path name of path
- */
- void test_db__perm_app_remove_path(const std::string& app_name, const std::string& path);
-
private:
/**
* @var base
*/
void app_permission(const std::string& app_name, const std::string& permission_name,
const std::string& permission_type_name, int is_volatile, int is_enabled);
-
-/**
- * @brief It prepares temporary database infrastructure needed to test perm_add_additional_rules
- *
- * Temporary database table is used for gathering checked records. After all records are checked
- * table allows to find unchecked ones.
- */
- void additional_rules_table_create(void);
-
-/**
- * @brief It checks single additional record (and marks it in temporary table)
- *
- * @param rule additional rule to be checked
- */
- void additional_rules_check_single_rule(const additional_rule& rule);
-
-/**
- * @brief Checks existence of single record in label table
- *
- * @param label label to be checked
- */
- void label(const std::string& label);
-
-/**
- * @brief Checks existence of single record in app_path_type table
- *
- * @param path path to be checked
- */
- void app_path_type(const std::string& path);
-
-/**
- * @brief Checks existence of single record in label_app_path_type_rule table
- *
- * @param rule rule to be checked (object field is ignored
- * only: subject, isreverse and access fields are used)
- * @param path path to be checked (as object of rule)
- */
- void label_app_path_type_rule(const additional_rule& rule, const std::string& path);
-
-/**
- * @brief It checks temporary database for additional unchecked records
- *
- * It counts the difference between true database table and temporary one.
- * It is an error if any record is found.
- */
- void additional_rules_table_check(void);
};
#endif /* LIBPRIVILEGE_CONTROL_TEST_DB_H_ */
#include <sqlite3.h>
/**
- * @def DB_SQLITE_READWRITE_FLAG
- * @brief Sqlite3 flag set for opening database in RW mode
- */
-#define DB_SQLITE_READWRITE_FLAG SQLITE_OPEN_NOMUTEX | SQLITE_OPEN_PRIVATECACHE \
- | SQLITE_OPEN_READWRITE
-
-/**
* @def DB_SQLITE_READONLY_FLAG
* @brief Sqlite3 flag set for opening database in RO mode
*/
{
switch(app_type)
{
- case PERM_APP_TYPE_WGT:
+ case APP_TYPE_WGT:
return "WRT";
- case PERM_APP_TYPE_OSP:
+ case APP_TYPE_OSP:
return "OSP";
- case PERM_APP_TYPE_WGT_PARTNER:
- return "WRT_partner";
- case PERM_APP_TYPE_WGT_PLATFORM:
- return "WRT_platform";
- case PERM_APP_TYPE_OSP_PARTNER:
- return "OSP_partner";
- case PERM_APP_TYPE_OSP_PLATFORM:
- return "OSP_platform";
- case PERM_APP_TYPE_EFL:
+ case APP_TYPE_EFL:
return "EFL";
default:
return "";
{
switch (app_type)
{
- case PERM_APP_TYPE_WGT:
- case PERM_APP_TYPE_WGT_PARTNER:
- case PERM_APP_TYPE_WGT_PLATFORM:
+ case APP_TYPE_WGT:
return "WRT";
- case PERM_APP_TYPE_OSP:
- case PERM_APP_TYPE_OSP_PARTNER:
- case PERM_APP_TYPE_OSP_PLATFORM:
+ case APP_TYPE_OSP:
return "OSP";
- case PERM_APP_TYPE_EFL:
+ case APP_TYPE_EFL:
return "EFL";
default:
return "";
}
}
+
/*
* This function changes permission URI to basename for file name.
* For e.g. from http://tizen.org/privilege/contact.read will be
return PC_OPERATION_SUCCESS;
}
-
-bool is_wildcard(const std::string& label)
-{
- static const std::set<std::string> wildcards = { "~ALL_APPS~",
- "~ALL_APPS_WITH_SAME_PERMISSION~",
- "~PUBLIC_PATH~",
- "~GROUP_PATH~",
- "~SETTINGS_PATH~",
- "~NPRUNTIME_PATH~" };
- return (wildcards.find(label) != wildcards.end());
-}
-
-bool smack_label_is_valid(const std::string& label)
-{
- if (label.empty() ||
- label.size() > SMACK_LABEL_LEN ||
- label[0] == '-' ||
- label.find_first_of("~ /\"\\'") != std::string::npos)
- return false;
- return true;
-}
-
-/**
- * @brief access flags codes used by libprivilege database
- */
-const int RDB_ACCESS_READ = 1;
-const int RDB_ACCESS_WRITE = 2;
-const int RDB_ACCESS_EXEC = 4;
-const int RDB_ACCESS_APPEND = 8;
-const int RDB_ACCESS_TRANSMUTE = 16;
-const int RDB_ACCESS_LOCK = 32;
-
-int str_to_access(const std::string& str)
-{
- int access = 0;
-
- for (auto i = 0U; i < str.size(); ++i) {
- switch (str[i]) {
- case 'R':
- case 'r': access |= RDB_ACCESS_READ; break;
-
- case 'W':
- case 'w': access |= RDB_ACCESS_WRITE; break;
-
- case 'X':
- case 'x': access |= RDB_ACCESS_EXEC; break;
-
- case 'A':
- case 'a': access |= RDB_ACCESS_APPEND; break;
-
- case 'T':
- case 't': access |= RDB_ACCESS_TRANSMUTE; break;
-
- case 'L':
- case 'l': access |= RDB_ACCESS_LOCK; break;
-
- case '-': break;
-
- default: // An unknown permission
- return -1;
- }
- }
- return access;
-}
-
-std::string smack_label_for_path(const std::string& app_id, const std::string& path)
-{
- std::string ret;
-
- /* Prefix $1$ causes crypt() to use MD5 function */
- const std::string salt = "$1$" + app_id;
-
- char* label = crypt(path.c_str(), salt.c_str());
- if (label) {
- ret = label;
- /* crypt() output may contain slash character,
- * which is not legal in Smack labels */
- std::replace(ret.begin(), ret.end(), '/', '%');
- }
-
- return ret;
-}
*/
int base_name_from_perm(const char *perm, std::string& name);
-/**
- * @brief check if string is libprivilege wildcard
- *
- * @ingroup RDB internal functions test duplicate
- *
- * @param label string to be checked
- * @return true if label is a wildcard
- * false otherwise
- */
-bool is_wildcard(const std::string& label);
-
-/**
- * @brief check if smack label is valid
- *
- * @ingroup RDB internal functions test duplicate
- *
- * @param label label to be checked
- * @return true if label is valid
- * false otherwise
- */
-bool smack_label_is_valid(const std::string& label);
-
-/**
- * @brief encodes string defining access to int format used in libprivilege database
- *
- * @ingroup RDB internal functions test duplicate
- *
- * @param str access in string format
- * @return access in int format (ored RDB_ACCESS_* flags)
- */
-int str_to_access(const std::string& str);
-
-/**
- * @brief creates smack label for given path for application with given app_id as MD5
- *
- * @ingroup RDB internal functions test duplicate
- *
- * @param app_id application id
- * @param path path for which label should be created
- * @return smack label for path
- */
-std::string smack_label_for_path(const std::string& app_id, const std::string& path);
-
#endif /* LIBPRIVILEGE_CONTROL_TEST_DUPLICATES_H_ */
#define APP_FRIEND_1 "app_friend_1"
#define APP_FRIEND_2 "app_friend_2"
-#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
#define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
#define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac"
#define APP_TEST_APP_2_SHARED_LABEL "test-application2-shared"
#define APP_TEST_APP_3_SHARED_LABEL "test-application3-shared"
-#define WGT_PARTNER_APP_ID "7btsV1Y0sX"
-#define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
-
#define OSP_APP_ID "uqNfgEjqc7"
-#define OSP_PARTNER_APP_ID "j4RuPsZrNt"
-#define OSP_PLATFORM_APP_ID "V5LKqDFBXm"
#define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
-#define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
-#define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
-
#define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp"
-#define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner"
-#define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform"
-
#define EFL_APP_PATH "/usr/bin/hello-tizen"
#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
-#define APP_NPRUNTIME "app_np_test"
-#define APP_NPRUNTIME_FILE "/etc/smack/test_privilege_control_DIR/app_dir/exec"
-
const std::string RDB_PATH("/opt/dbspace/.rules-db.db3");
const std::string RDB_PATH_BACKUP("/opt/dbspace/.rules-db.db3.backup");
-//correct and incorrect PID used in incorrect params test
-const pid_t PID_CORRECT = 0;
-const pid_t PID_INCORRECT = -1;
-
-extern const char *PRIVS[];
+extern const char *PRIVS1[];
extern const char *PRIVS2[];
extern const char *PRIVS2_NO_R[];
extern const char *PRIVS2_R[];
};
typedef std::unique_ptr<char, free_deleter> CStringPtr;
-template<typename T> struct list_deleter {
- void operator()(void* p) {
- T** list = (T**) p;
-
- for (int i = 0; list[i] != NULL; ++i) {
- free(list[i]);
- }
-
- free(p);
- }
-};
-typedef std::unique_ptr<char*, list_deleter<char> > CStringListPtr;
-
-typedef struct perm_app_status_list {
- perm_app_status_t *status;
- size_t size;
-} perm_app_status_list_t;
-typedef std::unique_ptr<perm_app_status_list_t, void (*)(perm_app_status_list_t*)> ListAppStatusPtr;
-
-class DBBackup {
-private:
- bool backupfile(const std::string& src, const std::string& dst);
- bool restorefile(const std::string& src, const std::string& dst);
-public:
- DBBackup();
- ~DBBackup();
-};
-
-class Directory
-{
-public:
- Directory(std::string path, mode_t mode) : m_errorCode(0), m_path(path)
- {
- if (mkdir(path.c_str(), mode) != 0) {
- m_errorCode = errno;
- }
- }
-
- Directory(const Directory& directory) = delete;
-
- Directory(Directory&& directory)
- : m_errorCode(std::move(directory.m_errorCode)), m_path(std::move(directory.m_path))
- {
- directory.m_path = "";
- }
-
- const Directory& operator=(const Directory& directory) = delete;
-
- const Directory& operator=(Directory&& directory)
- {
- m_errorCode = directory.m_errorCode;
- m_path = std::move(directory.m_path);
- directory.m_path = "";
-
- return *this;
- }
-
- ~Directory()
- {
- if (m_errorCode == 0 && !m_path.empty()) {
- rmdir(m_path.c_str());
- }
- }
-
- bool isCreated() const
- {
- return m_errorCode == 0;
- }
-
- int errorCode() const
- {
- return m_errorCode;
- }
-
- const std::string& path() const
- {
- return m_path;
- }
-
-private:
- int m_errorCode;
-
- std::string m_path;
-};
-
-// Rules from test_privilege_control_rules.smack
-const rules_t rules = {
- { APP_ID, "test_book_1", "r" },
- { APP_ID, "test_book_2", "w" },
- { APP_ID, "test_book_3", "x" },
- { APP_ID, "test_book_4", "rw" },
- { APP_ID, "test_book_5", "rx" },
- { APP_ID, "test_book_6", "wx" },
- { APP_ID, "test_book_7", "rwx" },
- { "test_subject_1", APP_ID, "r" },
- { "test_subject_2", APP_ID, "w" },
- { "test_subject_3", APP_ID, "x" },
- { "test_subject_4", APP_ID, "rw" },
- { "test_subject_5", APP_ID, "rx" },
- { "test_subject_6", APP_ID, "wx" },
- { "test_subject_7", APP_ID, "rwx" },
- { APP_ID, APPID_SHARED_DIR, "rwxat"}
+// Rules from WRT_test_privilege_control_rules1.smack for wgt
+const rules_t rules1 = {
+ { WGT_APP_ID, "test_book_1", "r" },
+ { WGT_APP_ID, "test_book_2", "w" },
+ { WGT_APP_ID, "test_book_3", "x" },
+ { WGT_APP_ID, "test_book_4", "rw" },
+ { WGT_APP_ID, "test_book_5", "rx" },
+ { WGT_APP_ID, "test_book_6", "wx" },
+ { WGT_APP_ID, "test_book_7", "rwx" },
+ { "test_subject_1", WGT_APP_ID, "r" },
+ { "test_subject_2", WGT_APP_ID, "w" },
+ { "test_subject_3", WGT_APP_ID, "x" },
+ { "test_subject_4", WGT_APP_ID, "rw" },
+ { "test_subject_5", WGT_APP_ID, "rx" },
+ { "test_subject_6", WGT_APP_ID, "wx" },
+ { "test_subject_7", WGT_APP_ID, "rwx" }
};
// Rules from WRT_test_privilege_control_rules2.smack
{ "test_subject_15", WGT_APP_ID, "rwxat" }
};
-// Rules from WRT_test_privilege_control_rules.smack for wgt
-const rules_t rules_wgt2 = {
- { WGT_APP_ID, "test_book_1", "r" },
- { WGT_APP_ID, "test_book_2", "w" },
- { WGT_APP_ID, "test_book_3", "x" },
- { WGT_APP_ID, "test_book_4", "rw" },
- { WGT_APP_ID, "test_book_5", "rx" },
- { WGT_APP_ID, "test_book_6", "wx" },
- { WGT_APP_ID, "test_book_7", "rwx" },
- { "test_subject_1", WGT_APP_ID, "r" },
- { "test_subject_2", WGT_APP_ID, "w" },
- { "test_subject_3", WGT_APP_ID, "x" },
- { "test_subject_4", WGT_APP_ID, "rw" },
- { "test_subject_5", WGT_APP_ID, "rx" },
- { "test_subject_6", WGT_APP_ID, "wx" },
- { "test_subject_7", WGT_APP_ID, "rwx" }
-};
-
-// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_partner
-const rules_t rules_wgt_partner = {
- { WGT_PARTNER_APP_ID, "test_book_8", "r" },
- { WGT_PARTNER_APP_ID, "test_book_9", "w" },
- { WGT_PARTNER_APP_ID, "test_book_10", "x" },
- { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
- { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
- { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
- { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
- { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
- { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
- { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
- { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
- { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
- { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
- { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
- { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }
-};
-
-// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_platform
-const rules_t rules_wgt_platform = {
- { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
- { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
- { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
- { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
- { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
- { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
- { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
- { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
- { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
- { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
- { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
- { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
- { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
- { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
- { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }
-};
-
// Rules from OSP_test_privilege_control_rules_osp.smack for osp
const rules_t rules_osp = {
{ OSP_APP_ID, "test_book_8", "r" },
{ "test_subject_15", OSP_APP_ID, "rwxat" }
};
-// Rules from OSP_test_privilege_control_rules_osp.smack for osp_partner
-const rules_t rules_osp_partner = {
- { OSP_PARTNER_APP_ID, "test_book_8", "r" },
- { OSP_PARTNER_APP_ID, "test_book_9", "w" },
- { OSP_PARTNER_APP_ID, "test_book_10", "x" },
- { OSP_PARTNER_APP_ID, "test_book_11", "rw" },
- { OSP_PARTNER_APP_ID, "test_book_12", "rx" },
- { OSP_PARTNER_APP_ID, "test_book_13", "wx" },
- { OSP_PARTNER_APP_ID, "test_book_14", "rwx" },
- { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", OSP_PARTNER_APP_ID, "r" },
- { "test_subject_9", OSP_PARTNER_APP_ID, "w" },
- { "test_subject_10", OSP_PARTNER_APP_ID, "x" },
- { "test_subject_11", OSP_PARTNER_APP_ID, "rw" },
- { "test_subject_12", OSP_PARTNER_APP_ID, "rx" },
- { "test_subject_13", OSP_PARTNER_APP_ID, "wx" },
- { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" },
- { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" }
-};
-
-// Rules from OSP_test_privilege_control_rules_osp.smack for osp_platform
-const rules_t rules_osp_platform = {
- { OSP_PLATFORM_APP_ID, "test_book_8", "r" },
- { OSP_PLATFORM_APP_ID, "test_book_9", "w" },
- { OSP_PLATFORM_APP_ID, "test_book_10", "x" },
- { OSP_PLATFORM_APP_ID, "test_book_11", "rw" },
- { OSP_PLATFORM_APP_ID, "test_book_12", "rx" },
- { OSP_PLATFORM_APP_ID, "test_book_13", "wx" },
- { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" },
- { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" },
- { "test_subject_8", OSP_PLATFORM_APP_ID, "r" },
- { "test_subject_9", OSP_PLATFORM_APP_ID, "w" },
- { "test_subject_10", OSP_PLATFORM_APP_ID, "x" },
- { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" },
- { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" },
- { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" },
- { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" },
- { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }
-};
-
int test_have_all_accesses(const rules_t &rules);
int test_have_any_accesses(const rules_t &rules);
int test_have_nosmack_accesses(const rules_t &rules);
void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment);
void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment);
-void check_app_has_permission(const char* app_id, const app_type_t app_type,
- const char *perm_list[], const int expected_result);
void test_revoke_permissions(int line_no, const char* app_id, const rules_t &rules, bool smack);
void test_app_enable_permissions_efl(bool smack);
void test_app_disable_permissions(bool smack);
void test_appsettings_privilege(bool smack);
-// Parsed form of single libprivilege additional rule.
-struct additional_rule
-{
- std::string subject;
- std::string object;
- std::string access;
- bool reverse;
-};
-
-typedef std::vector<additional_rule> additional_rules;
-
-bool additional_rules_parse(const char** smack_rules, additional_rules& rules);
-
-void restore_original_additional_rules(void);
-
-class RestoreAdditionalRulesGuard
-{
-public:
- ~RestoreAdditionalRulesGuard() {
- restore_original_additional_rules();
- }
-};
-
#endif /* LIBPRIVILEGE_CONTROL_TEST_COMMON_H_ */
#define CANARY_LABEL "tiny_yellow_canary"
-const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
+const char *PRIVS1[] = { "WRT", "test_privilege_control_rules1", NULL };
const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
const char* PRIVS_AV[] = { "org.tizen.privilege.antivirus", NULL };
-bool DBBackup::backupfile(const std::string& src, const std::string& dst)
-{
- int fdsrc = TEMP_FAILURE_RETRY(open(src.c_str(), O_RDONLY));
- if (fdsrc == -1)
- return false;
- FDUniquePtr FdPtrSrc(&fdsrc, closeFdPtr);
-
- struct stat stat_source;
- if (fstat(fdsrc, &stat_source) == -1)
- return false;
-
- int fddst = TEMP_FAILURE_RETRY(open(dst.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0644));
- if (fddst == -1)
- return false;
- FDUniquePtr FdPtrDst(&fddst, closeFdPtr);
-
- if (sendfile(fddst, fdsrc, 0, stat_source.st_size) == -1)
- return false;
-
- return true;
-}
-
-bool DBBackup::restorefile(const std::string& src, const std::string& dst)
-{
- if (rename(src.c_str(), dst.c_str()) == -1)
- return false;
-
- return true;
-}
-
-DBBackup::DBBackup()
-{
- RUNNER_ASSERT_MSG_BT(backupfile(RDB_PATH, RDB_PATH_BACKUP),
- "libprivilege DB backup failed. Errno: " << strerror(errno));
-}
-
-DBBackup::~DBBackup()
-{
- if (!restorefile(RDB_PATH_BACKUP, RDB_PATH)) {
-
- std::string fatal_error =
- "\n\n"
- "!!! !!!\n"
- "!!! FATAL ERROR - libprivilege DB restoring failed. !!!\n"
- "!!! libprivilege-control tests are not valid. !!!\n"
- "!!! Reinstall libprivilege-control package. !!!\n"
- "!!! !!!\n";
-
- if (std::uncaught_exception()) // don't throw!
- std::cerr << fatal_error << std::flush;
- else
- RUNNER_ASSERT_MSG_BT(false, fatal_error);
- }
-}
-
/**
* Check if every rule is true.
* @return 1 if ALL rules in SMACK, 0 if ANY rule isn't, -1 on failure
void check_groups(const char *dac_file)
{
std::set<unsigned> groups_check;
- read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
read_gids(groups_check, dac_file);
int groups_cnt = getgroups(0, NULL);
return 0;
}
-void check_app_has_permission(const char* app_id, const app_type_t app_type,
- const char *perm_list[], const int expected_result)
-{
- int result = PC_OPERATION_SUCCESS;
- bool has_permission = false;
-
- for (int i = 0; perm_list[i] != NULL; i++) {
- result = perm_app_has_permission(app_id, app_type, perm_list[i], &has_permission);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_has_permission failed with result: " << result);
- RUNNER_ASSERT_MSG_BT(has_permission == expected_result,
- "Unexpected result, perm_app_has_permission returned: " << has_permission
- << ", expected: " << expected_result);
- }
-}
void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
{
int result;
"perm_app_install failed: " << result);
// Register a permission:
- result = perm_app_setup_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
+ result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error registering app permissions. Result: " << result);
RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
"SMACK accesses not granted for EFL_APP");
- // Check if permission is assigned to app in db
- check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
-
DB_BEGIN
// Cleanup
"perm_app_uninstall failed: " << result);
DB_END
-
- // Check if permission is disabled in db
- check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false);
}
void test_app_disable_permissions_efl(bool smack)
"perm_app_install failed: " << result);
// Register a permission
- result = perm_app_setup_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
+ result = perm_app_enable_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error registering app permissions. Result: " << result);
RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
"SMACK accesses not granted for EFL_APP");
- // Check if permission is assigned to app in db
- check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
-
DB_BEGIN
// Disable a permission
RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}),
"SMACK accesses not disabled for EFL_APP");
- // Check if permission is disabled in db
- check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false);
-
DB_BEGIN
// Cleanup
*/
// Prepare permissions that we want to disable
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
// Are all the permissions enabled?
RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules2), "Not all permisions enabled.");
- // Check if permissions are enabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
-
DB_BEGIN
// Disable permissions
// Are all the permissions disabled?
RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2), "Not all permisions disabled.");
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
-
/**
* Test - disable some granted permissions leaving non complementary and then disabling those too.
*/
DB_BEGIN
// Prepare permissions that will not be disabled
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS1, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error adding app first permissions. Result: " << result);
// Prepare permissions that we want to disable
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error adding app second permissions. Result: " << result);
RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2), "Not all first permisions disabled.");
// Are all first permissions not disabled?
- RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules_wgt2), "Some of second permissions disabled.");
-
- // Check if second permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
- // Check if first permission is enabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS, true);
+ RUNNER_ASSERT_MSG_BT(check_all_accesses(smack, rules1), "Some of second permissions disabled.");
DB_BEGIN
// Disable first permissions
- result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS);
+ result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS1);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error disabling app first permissions. Result: " << result);
DB_END
// Are all second permissions disabled?
- RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules_wgt2), "Not all second permisions disabled.");
-
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS, false);
+ RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules1), "Not all second permisions disabled.");
/**
* Test - disable only no r granted permissions.
DB_BEGIN
// Prepare permissions
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app r permissions. Result: " << result);
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app no r permissions. Result: " << result);
// Are all no r permissions disabled?
RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2_no_r), "Not all no r permissions disabled.");
- // Check if second permission is enabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, true);
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
-
DB_BEGIN
// Prepare permissions
RUNNER_ASSERT_MSG_BT(check_no_accesses(smack, rules2_r), "Not all r permissions disabled.");
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
-
DB_BEGIN
// Clean up after test:
RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
- ret = perm_app_setup_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING);
+ ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << ret);
DB_END
}
-
-// This function takes libprivilege additional smack_rules in same format as libprivilege,
-// parses them in same way as libprivilege.
-// If functions succeeds in parsing it returns true and fills rules parameter with parsed rules.
-// If smack_rules cannot be parsed false is returned.
-bool additional_rules_parse(const char** smack_rules, additional_rules& rules)
-{
- const size_t ACC_LEN = 6;
- rules.clear();
- for (int i = 0; smack_rules[i] != NULL ; ++i)
- {
- std::string line(smack_rules[i]);
- additional_rule rule;
-
- // Ignore empty lines
- if (line.find_first_not_of(" \t\n") == std::string::npos)
- continue;
-
- // Split
- std::stringstream(line) >> rule.subject >> rule.object >> rule.access;
- // If last element is empty - split failed
- if (rule.access.empty() || rule.object.length() > SMACK_LABEL_LEN ||
- rule.subject.length() > SMACK_LABEL_LEN || rule.access.length() > ACC_LEN)
- return false;
- rule.reverse = false;
-
- // Rearrange
- if (is_wildcard(rule.subject))
- {
- rule.subject.swap(rule.object);
- rule.reverse = true;
- }
-
- // Check validity of subject
- if (!smack_label_is_valid(rule.subject))
- return false;
-
- rules.push_back(rule);
- }
- return true;
-}
-
-void restore_original_additional_rules(void)
-{
- std::ifstream file("/usr/share/privilege-control/ADDITIONAL_RULES.smack");
- std::string line;
- std::vector<const char*> rules;
-
- while(std::getline(file, line))
- rules.push_back(strdupa(line.c_str()));
- rules.push_back(NULL);
-
- perm_add_additional_rules(rules.data());
-}
#include "common/duplicates.h"
#include "common/db.h"
-#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
-
-#define EARLY_RULE_SUBJECT "livebox.web-provider"
-#define EARLY_RULE_RIGHTS "rwx---"
-
-#define SMACK_ACC_LEN 6
-
// Error codes for test_libprivilege_strerror
const std::vector<int> error_codes {
PC_OPERATION_SUCCESS, PC_ERR_FILE_OPERATION, PC_ERR_MEM_OPERATION, PC_ERR_NOT_PERMITTED,
return 0;
}
-int check_labels_dir(const char *fpath, const struct stat *sb,
- const char *labels_db_path, const char *dir_db_path,
- const char *access)
-{
- int result;
- char *label;
- char *label_gen;
- char *scanf_label_format;
- char label_temp[SMACK_LABEL_LEN + 1];
- FILE *file_db;
-
- /* ACCESS */
- result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
- RUNNER_ASSERT_MSG_BT(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
-
- /* EXEC */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- if (result != 0) {
- free(label_gen);
- RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path");
- }
- if (label != NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "EXEC label on " << fpath << " is set.");
- }
-
- /* TRANSMUTE */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- if (result != 0) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path");
- }
- if (S_ISDIR(sb->st_mode)) {
- if (label == NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is not set");
- }
- result = strcmp("TRUE", label);
- if (result != 0) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
- }
- } else if (label != NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is set");
- }
-
- free(label);
-
- if (0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)) {
- free(label_gen);
- RUNNER_ASSERT_MSG_BT(false, "asprintf failed");
- }
-
- file_db = fopen(labels_db_path, "r");
- if (file_db == NULL) {
- free(label_gen);
- free(scanf_label_format);
- RUNNER_ASSERT_MSG_BT(false, "Can not open database for apps");
- }
- while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
- result = smack_have_access(label_temp, label_gen, access);
- if (result != 1) {
- fclose(file_db);
- free(label_gen);
- free(scanf_label_format);
- RUNNER_ASSERT_MSG_BT(false,
- "Error " << access << " access was not given for subject: "
- << label_temp << ". Result: " << result);
- }
- }
- fclose(file_db);
-
- file_db = fopen(dir_db_path, "r");
- if (file_db == NULL) {
- free(label_gen);
- free(scanf_label_format);
- RUNNER_ASSERT_MSG_BT(false, "Can not open database for dirs");
- }
-
- free(scanf_label_format);
- free(label_gen);
- fclose(file_db);
-
- return 0;
-}
-
-void osp_blahblah_check(int line_no, const std::vector<std::string> &rules)
-{
- std::ifstream smack_file(OSP_BLAHBLAH);
- RUNNER_ASSERT_MSG_BT(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
-
- auto it = rules.begin();
- std::string line;
- while (std::getline(smack_file,line)) {
- RUNNER_ASSERT_MSG_BT(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
- RUNNER_ASSERT_MSG_BT(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
- it++;
- }
-
- RUNNER_ASSERT_MSG_BT(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
-
- smack_file.close();
-}
-
void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids, std::string dac_file_path)
{
std::ifstream dac_file(dac_file_path);
}
/**
- * Simple enabling EFL permissions;.
- */
-RUNNER_TEST_SMACK(privilege_control04_add_permissions)
-{
- int result = 0;
- DB_BEGIN
-
- result = perm_app_uninstall(EFL_APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
-
- result = perm_app_install(EFL_APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
-
- result = perm_app_setup_permissions(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- " perm_app_setup_permissions failed with result: " << result);
-
- DB_END
-
- // Check if permission is assigned to app in db
- check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
-
- // Check if the accesses are realy applied..
- result = test_have_all_accesses(rules_efl);
- RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
-
- DB_BEGIN
-
- result = perm_app_uninstall(EFL_APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
-
- DB_END
-}
-
-/**
* Revoke permissions from the list. Should be executed as privileged user.
*/
RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt)
/**
* Revoke permissions from the list. Should be executed as privileged user.
*/
-RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_partner)
-{
- test_revoke_permissions(__LINE__, WGT_PARTNER_APP_ID, rules_wgt_partner, true);
-}
-
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt_platform)
-{
- test_revoke_permissions(__LINE__, WGT_PLATFORM_APP_ID, rules_wgt_platform, true);
-}
-
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp)
{
test_revoke_permissions(__LINE__, OSP_APP_ID, rules_osp, true);
}
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_partner)
-{
- test_revoke_permissions(__LINE__, OSP_PARTNER_APP_ID, rules_osp_partner, true);
-}
-
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp_platform)
-{
- test_revoke_permissions(__LINE__, OSP_PLATFORM_APP_ID, rules_osp_platform, true);
-}
-
void test_set_app_privilege(
const char* app_id, app_type_t APP_TYPE,
const char** privileges, const char* type,
"Errno: " << strerror(errno));
// TEST:
- result = perm_app_setup_permissions(app_id, APP_TYPE, privileges);
+ result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
}
/**
- * Set APP privileges. wgt_partner.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner)
-{
- test_set_app_privilege(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT,
- "wgt_partner", WGT_PARTNER_APP_PATH,
- LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_partner);
-}
-
-/**
- * Set APP privileges. wgt_platform.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform)
-{
- test_set_app_privilege(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT,
- "wgt_platform", WGT_PLATFORM_APP_PATH,
- LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_platform);
-}
-
-/**
* Set APP privileges. osp app.
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
}
-/**
- * Set APP privileges. partner osp app.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner)
-{
- test_set_app_privilege(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP,
- "tpk", OSP_PARTNER_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_partner);
-}
-
-/**
- * Set APP privileges. platform osp app.
- */
-RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform)
-{
- test_set_app_privilege(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP,
- "tpk", OSP_PLATFORM_APP_PATH,
- LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform);
-}
-
-
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_efl)
{
- test_set_app_privilege(EFL_APP_ID, PERM_APP_TYPE_EFL, PRIVS_EFL,
+ test_set_app_privilege(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL,
"rpm", EFL_APP_PATH,
LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl);
}
/**
- * Check perm_get_permissions()
- */
-bool is_permission_on_the_list(char **permissions, const char *const test_permission_name)
-{
- if(permissions != NULL) {
- for(size_t i = 0; permissions[i] != NULL; ++i) {
- if(strcmp(permissions[i], test_permission_name) == 0)
- return true;
- }
- }
- return false;
-}
-
-RUNNER_TEST(privilege_control05_perm_get_permissions)
-{
- DBBackup dbbackup;
-
- char **permissions_1 = NULL;
- char **permissions_2 = NULL;
-
- const char *test_permission_name = "perm_get_permissions_test_2";
- const char *test_permission[] = {
- "~APP~ object\t rwxatl",
- " \t \n",
- "subject2\t~APP~ ltxarw",
- "",
- NULL
- };
-
- bool permission_found_1;
- bool permission_found_2;
- int result;
-
- result = perm_get_permissions(&permissions_1, APP_TYPE_OSP);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_get_permissions returned " << perm_strerror(result));
- CStringListPtr listPtr_1(permissions_1);
-
- permission_found_1 = is_permission_on_the_list(permissions_1, test_permission_name);
- RUNNER_ASSERT_MSG_BT(permission_found_1 == false, "permission_found_1 = " << permission_found_1);
-
- DB_BEGIN
-
- result = perm_add_api_feature(APP_TYPE_OSP, test_permission_name, test_permission, NULL, 0);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " <<
- perm_strerror(result));
-
- DB_END
-
- result = perm_get_permissions(&permissions_2, APP_TYPE_OSP);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_get_permissions returned " << perm_strerror(result));
- CStringListPtr listPtr_2(permissions_2);
-
- permission_found_2 = is_permission_on_the_list(permissions_2, test_permission_name);
- RUNNER_ASSERT_MSG_BT(permission_found_2 == true, "permission_found_2 = " << permission_found_2);
-}
-
-/**
- * Check perm_get_apps_with_permission()
- */
-int get_app_index(perm_app_status_t *apps, const char *pkg_id, size_t apps_count)
-{
- size_t i = 0;
- if(apps_count > 0) {
- for(i = 0; i < apps_count; ++i) {
- if(strcmp(pkg_id, apps[i].app_id) == 0)
- return i;
- }
- }
- return -1;
-}
-
-void wrapper_perm_free_apps_list(perm_app_status_list_t *list) {
- perm_free_apps_list(list->status, list->size);
-}
-
-RUNNER_TEST(privilege_control05_perm_get_apps_with_permission_default)
-{
- perm_app_status_t *apps_1 = NULL;
- perm_app_status_t *apps_2 = NULL;
- size_t apps_count_1 = 0;
- size_t apps_count_2 = 0;
- int app_index_2 = 0;
- int result = 0;
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall (1) returned " << perm_strerror(result));
-
- DB_END
-
- result = perm_get_apps_with_permission(&apps_1, &apps_count_1, APP_TYPE_OSP, PRIVS_OSP[0]);
-
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_get_apps_with_permission (1) returned " <<
- perm_strerror(result));
-
- perm_app_status_list_t app_list_1;
- app_list_1.status = apps_1;
- app_list_1.size = apps_count_1;
- ListAppStatusPtr listAppStatusPtr_1(&app_list_1, wrapper_perm_free_apps_list);
-
- DB_BEGIN
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << perm_strerror(result));
-
- result = perm_app_enable_permissions(APP_ID, APP_TYPE_OSP, PRIVS_OSP, true);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "error enabling app permissions. Result: " << perm_strerror(result));
- DB_END
-
- result = perm_get_apps_with_permission(&apps_2, &apps_count_2, APP_TYPE_OSP, PRIVS_OSP[0]);
-
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_get_apps_with_permission (2) returned " <<
- perm_strerror(result));
-
- perm_app_status_list_t app_list_2;
- app_list_2.status = apps_2;
- app_list_2.size = apps_count_2;
- ListAppStatusPtr listAppStatusPtr_2(&app_list_2, wrapper_perm_free_apps_list);
-
- RUNNER_ASSERT_MSG_BT(apps_count_2 > apps_count_1, "no new app added " << perm_strerror(result));
-
- DB_BEGIN
-
- // check default is_permanent (true), is_enabled (true)
- app_index_2 = get_app_index(apps_2, APP_ID, apps_count_2);
-
- RUNNER_ASSERT_MSG_BT(app_index_2 >= 0, "index not found (2): " << app_index_2);
-
- RUNNER_ASSERT_MSG_BT(apps_2[app_index_2].is_permanent,
- "incorrect is_permanent value: " << apps_2[app_index_2].is_permanent);
-
- RUNNER_ASSERT_MSG_BT(apps_2[app_index_2].is_enabled,
- "incorrect is_enabled value: " << apps_2[app_index_2].is_enabled);
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall (2) returned " << perm_strerror(result));
-
- DB_END
-}
-
-RUNNER_TEST(privilege_control05_perm_get_apps_with_permission_is_permanent)
-{
- perm_app_status_t *apps = NULL;
- size_t apps_count = 0;
- int app_index = 0;
- int result = 0;
-
- DB_BEGIN
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << perm_strerror(result));
-
- // change is_permanent to false using perm_app_enable_permissions
-
- bool is_permanent = false;
- result = perm_app_enable_permissions(APP_ID, APP_TYPE_OSP, PRIVS_OSP, is_permanent);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_enable_permissions returned " <<
- perm_strerror(result));
-
- DB_END
-
- result = perm_get_apps_with_permission(&apps, &apps_count, APP_TYPE_OSP, PRIVS_OSP[0]);
-
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_get_apps_with_permission returned " <<
- perm_strerror(result));
-
- perm_app_status_list_t app_list;
- app_list.status = apps;
- app_list.size = apps_count;
- ListAppStatusPtr listAppStatusPtr(&app_list, wrapper_perm_free_apps_list);
-
- DB_BEGIN
-
- app_index = get_app_index(apps, APP_ID, apps_count);
-
- RUNNER_ASSERT_MSG_BT(app_index >= 0, "index not found: " << app_index);
-
- RUNNER_ASSERT_MSG_BT(apps[app_index].is_permanent == false,
- "incorrect is_permanent value: " << apps[app_index].is_permanent);
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall (2) returned " << perm_strerror(result));
-
- DB_END
-}
-
-RUNNER_TEST(privilege_control05_perm_get_apps_with_permission_is_enabled)
-{
- perm_app_status_t *apps = NULL;
- size_t apps_count = 0;
- int app_index = 0;
- int result = 0;
-
- DB_BEGIN
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << perm_strerror(result));
-
- // enable (i.e. register) permission for installed app
-
- result = perm_app_enable_permissions(APP_ID, APP_TYPE_OSP, PRIVS_OSP, false);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_enable_permissions returned " <<
- perm_strerror(result));
-
- // change is_enabled to false
- result = perm_app_disable_permissions(APP_ID, APP_TYPE_OSP, PRIVS_OSP);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_disable_permissions returned " <<
- perm_strerror(result));
-
- DB_END
-
- result = perm_get_apps_with_permission(&apps, &apps_count, APP_TYPE_OSP, PRIVS_OSP[0]);
-
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_get_apps_with_permission returned " <<
- perm_strerror(result));
-
- perm_app_status_list_t app_list;
- app_list.status = apps;
- app_list.size = apps_count;
- ListAppStatusPtr listAppStatusPtr(&app_list, wrapper_perm_free_apps_list);
-
- DB_BEGIN
-
- app_index = get_app_index(apps, APP_ID, apps_count);
-
- RUNNER_ASSERT_MSG_BT(app_index >= 0, "index not found: " << app_index);
-
- RUNNER_ASSERT_MSG_BT(apps[app_index].is_enabled == false,
- "incorrect is_enabled value: " << apps[app_index].is_enabled);
-
- result = perm_app_uninstall(APP_ID);
-
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << perm_strerror(result));
-
- DB_END
-}
-
-/**
* Add new API feature
*/
RUNNER_TEST(privilege_control11_add_api_feature)
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
RUNNER_TEST_SMACK(privilege_control10_app_register_av)
{
- RUNNER_IGNORED_MSG("app_register_av is not implemented");
+ RUNNER_IGNORED_MSG("app_register_av is deprecated");
int result;
// cleaning
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error revoking app permissions. Result: " << result);
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
result = test_have_all_accesses(rules2);
RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
- // Check if permission is assigned to app in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
-
DB_BEGIN
// Clean up
DB_END
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
-
/**
* Test - Enabling all permissions with persistant mode disabled
*/
DB_BEGIN
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
result = test_have_all_accesses(rules2);
RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
- // Check if permission is assigned to app in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
-
DB_BEGIN
// Clean up
DB_END
- // Check if permission is disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
-
/**
* Test - Registering new permissions in two complementary files
*/
DB_BEGIN
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
result = test_have_all_accesses(rules2_no_r);
RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
- // Check if permissions are assigned to app in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, true);
-
DB_BEGIN
// Clean up
DB_END
- // Check if permissions are disabled in db
- check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false);
-
/**
* Test - Enabling some permissions and then enabling complementary permissions
*/
DB_BEGIN
// Register permission for rules 2 no r
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions without r. Result: " << result);
DB_BEGIN
// Register permission for rules 2
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app all permissions. Result: " << result);
*/
// Enable permission for rules 2 no r
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions without r. Result: " << result);
DB_BEGIN
// Enable permission for rules 2
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions with only r. Result: " << result);
RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
// Prepare permissions to reset
- result = perm_app_setup_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
+ result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
" Error registering app permissions. Result: " << result);
test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW);
}
-RUNNER_TEST_SMACK(privilege_control20_app_setup_path_npruntime)
-{
- int result = 0;
- CStringPtr labelPtr;
- std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime";
- char *label = NULL;
-
- restore_original_additional_rules();
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
-
- result = perm_app_install(APP_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_install. " << result);
-
- result = perm_app_setup_path(APP_NPRUNTIME, APP_NPRUNTIME_FILE, PERM_APP_PATH_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path. " << result);
-
- DB_END
-
- RUNNER_ASSERT_BT(0 == smack_lgetlabel(APP_NPRUNTIME_FILE, &label, SMACK_LABEL_EXEC));
- labelPtr.reset(label);
- label = NULL;
- RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), nptargetlabel.c_str()));
-
- // Rules to test
- const std::vector< std::vector<std::string> > np_rules = {
- { APP_NPRUNTIME, nptargetlabel, "rw" },
- { nptargetlabel, APP_NPRUNTIME, "rxat" },
- { nptargetlabel, "system::homedir", "rxat" },
- { nptargetlabel, "xorg", "rw" },
- { nptargetlabel, "crash-worker", "rwxa" },
- { nptargetlabel, "sys-assert::core", "rwxat" },
- { nptargetlabel, "syslogd", "rw" },
- };
-
- // Test smack accesses
- result = test_have_all_accesses(np_rules);
- RUNNER_ASSERT_MSG_BT(result == 1, "Not all permissions added.");
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
-
- DB_END
-}
-
-RUNNER_TEST(privilege_control21_early_rules)
-{
- RUNNER_IGNORED_MSG("early rules are not implemented");
-
- int result;
- int pass_1 = 0;
- int pass_2 = 0;
- char *single_line_format = NULL;
- char *perm = NULL;
- FILE *file = NULL;
-
- char subject[SMACK_LABEL_LEN + 1] = {0};
- char object[SMACK_LABEL_LEN + 1] = {0};
- char rule_add[SMACK_ACC_LEN + 1] = {0};
- char rule_remove[SMACK_ACC_LEN + 1] = {0};
-
- DB_BEGIN
-
- perm_app_uninstall(APP_ID);
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
- result = perm_app_install(APP_TEST_APP_1);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
-
- DB_END
-
- TestLibPrivilegeControlDatabase db_test;
- db_test.test_db_after__perm_app_install(APP_ID);
- db_test.test_db_after__perm_app_install(APP_TEST_APP_1);
-
- DB_BEGIN
-
- result = perm_app_setup_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm);
- RUNNER_ASSERT_MSG_BT(result == 0, "app_register_permissions failed: " << result);
- result = perm_app_setup_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm);
- RUNNER_ASSERT_MSG_BT(result == 0, "app_register_permissions failed: " << result);
-
- DB_END
-
- file = fopen(SMACK_STARTUP_RULES_FILE, "r");
- RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
-
- result = asprintf(&single_line_format, "%%%ds %%%ds %%%ds %%%ds\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN, SMACK_ACC_LEN, SMACK_ACC_LEN);
-
- while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
- pass_1 = 1; // Found rule for APP_ID
- continue;
- }
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
- pass_2 = 1; // Found rule for APP_TEST_APP_1
- continue;
- }
- }
- fclose(file);
- file = NULL;
-
- RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " not found");
- RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
-
- // Checking if "early rule" for APP_ID was really removed
- // We also should make sure that "early rules" for other apps wasn't removed
- DB_BEGIN
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- DB_END
- pass_1 = 1;
- pass_2 = 0;
-
- file = fopen(SMACK_STARTUP_RULES_FILE, "r");
- RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
-
- while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
- pass_1 = 0; // Found rule for APP_ID - it should NOT be here
- continue;
- }
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
- pass_2 = 1; // Found rule for APP_TEST_APP_1
- continue;
- }
- }
- fclose(file);
- file = NULL;
-
- RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
- RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
-
- // Removing and checking "early rule" for APP_TEST_APP_1
- DB_BEGIN
- result = perm_app_uninstall(APP_TEST_APP_1);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
- DB_END
- pass_1 = 1;
- pass_2 = 1;
-
- file = fopen(SMACK_STARTUP_RULES_FILE, "r");
- RUNNER_ASSERT_MSG_BT(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
-
- while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
- pass_1 = 0; // Found rule for APP_ID - it should NOT be here
- continue;
- }
- if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
- pass_2 = 0; // Found rule for APP_TEST_APP_1 - it should NOT be here
- continue;
- }
- }
- free(single_line_format);
- fclose(file);
-
- RUNNER_ASSERT_MSG_BT(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
- RUNNER_ASSERT_MSG_BT(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
-}
-
/**
* AV Privilege test cases.
*
result = perm_app_install(av_id);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: "
<< result << ", av_type: " << av_type);
- result = perm_app_setup_permissions(av_id, av_type, PRIVS_AV);
+ result = perm_app_enable_permissions(av_id, av_type, PRIVS_AV, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "register_permissions failed. Result: "
<< result << ", av_type: " << av_type);
RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0,
"Bad message returned for invalid error code: \"" << result << "\"");
}
-
-RUNNER_TEST(privilege_control27_perm_app_get_privileges_empty)
-{
- char** pp_privileges = NULL;
- int result;
- CStringListPtr privileges;
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << perm_strerror(result));
-
- result = perm_app_install(APP_ID);
-
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_install failed: " << perm_strerror(result));
-
- DB_END
-
- result = perm_app_get_permissions(APP_ID, PERM_APP_TYPE_WGT, &pp_privileges);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_get_permissions failed: " << perm_strerror(result));
- privileges.reset(pp_privileges);
-
- RUNNER_ASSERT_MSG_BT(pp_privileges != NULL,
- "perm_app_get_permissions failed to set pointer to cstring array");
- RUNNER_ASSERT_MSG_BT(*pp_privileges == NULL,
- "perm_app_get_permissions found permissions when not supposed to");
-}
-
-RUNNER_TEST(privilege_control27_perm_app_get_privileges)
-{
- char** pp_privileges = NULL;
- int result;
- size_t i;
- CStringListPtr privileges;
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
-
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << perm_strerror(result));
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_install failed: " << perm_strerror(result));
-
- result = perm_app_setup_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_register_permissions failed: " << perm_strerror(result));
-
- result = perm_app_setup_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_register_permissions failed: " << perm_strerror(result));
-
- result = perm_app_disable_permissions(APP_ID, PERM_APP_TYPE_WGT, PRIVS2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_disable_permissions failed: " << perm_strerror(result));
- DB_END
-
- result = perm_app_get_permissions(APP_ID, PERM_APP_TYPE_WGT, &pp_privileges);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_get_permissions returned " << result << ": " << perm_strerror(result));
- privileges.reset(pp_privileges);
-
- for(i = 0; pp_privileges[i] != NULL; ++i) {
- RUNNER_ASSERT_MSG_BT(PRIVS[i] != NULL,
- "perm_app_get_permissions returned too many permissions");
- RUNNER_ASSERT_MSG_BT(strcmp(pp_privileges[i], PRIVS[i]) == 0,
- "perm_app_get_permissions returned wrong permission, " << pp_privileges[i] <<
- " != " << PRIVS[i]);
- }
- RUNNER_ASSERT_MSG_BT(PRIVS[i] == NULL,
- "perm_app_get_permissions returned too few enabled permissions");
-}
-
-RUNNER_TEST(privilege_control28_perm_app_get_paths_empty)
-{
- char **pp_paths = NULL;
- int result;
- CStringListPtr paths;
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_app_uninstall failed: " << perm_strerror(result));
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " <<
- perm_strerror(result));
-
- DB_END
-
- result = perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC, &pp_paths);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_get_paths failed: " <<
- perm_strerror(result));
- paths.reset(pp_paths);
-
- RUNNER_ASSERT_MSG_BT(pp_paths != NULL,
- "perm_app_get_paths failed to set pointer to cstring array");
- RUNNER_ASSERT_MSG_BT(*pp_paths == NULL, "perm_app_get_paths found paths when not supposed to");
-}
-
-RUNNER_TEST(privilege_control28_perm_app_get_paths)
-{
- char **pp_paths = NULL;
- int result;
- size_t i;
- size_t DIR_NUM = 3;
- CStringListPtr paths;
- std::vector<Directory> test_paths;
-
- for (i = 0; i < DIR_NUM; ++i) {
- test_paths.push_back(Directory("/tmp/dir" + std::to_string(i), 0));
- RUNNER_ASSERT_MSG_BT(test_paths[i].isCreated(), "failed to create a directory " <<
- test_paths[i].path() << ": " << strerror(test_paths[i].errorCode()));
- }
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " <<
- perm_strerror(result));
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " <<
- perm_strerror(result));
-
- for (auto itr = test_paths.begin(); itr != test_paths.end(); ++itr) {
- result = perm_app_setup_path(APP_ID, itr->path().c_str(), PERM_APP_PATH_PUBLIC);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path failed: " << perm_strerror(result));
- }
-
- DB_END
-
- result = perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC, &pp_paths);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_get_paths failed: " <<
- perm_strerror(result));
- paths.reset(pp_paths);
-
- for(i = 0; pp_paths[i] != NULL; ++i) {
- RUNNER_ASSERT_MSG_BT(i < test_paths.size(), "perm_app_get_paths returned too many paths");
- RUNNER_ASSERT_MSG_BT(test_paths[i].path() == pp_paths[i],
- "perm_app_get_paths returned unexpected path, " << pp_paths[i] << " != " <<
- test_paths[i].path());
- }
- RUNNER_ASSERT_MSG_BT(i == test_paths.size(), "perm_app_get_paths returned too few paths");
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " <<
- perm_strerror(result));
-
- DB_END
-}
-
-RUNNER_TEST(privilege_control29_perm_app_remove_path)
-{
- char** pp_paths;
- int result;
- size_t i;
- const size_t i_num_paths_to_remove = 4;
- const size_t i_num_paths = 7;
- CStringListPtr paths;
- std::vector<Directory> test_paths;
-
- for (i = 0; i < i_num_paths; ++i) {
- test_paths.push_back(Directory("/tmp/dir" + std::to_string(i), 0));
- RUNNER_ASSERT_MSG_BT(test_paths[i].isCreated(), "failed to create a directory " <<
- test_paths[i].path() << ": " << strerror(test_paths[i].errorCode()));
- }
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_ID);
-
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " <<
- perm_strerror(result));
-
- result = perm_app_install(APP_ID);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " <<
- perm_strerror(result));
-
- for (i = 0; i < i_num_paths; ++i) {
- result = perm_app_setup_path(APP_ID, test_paths[i].path().c_str(), PERM_APP_PATH_PUBLIC);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path failed: " << perm_strerror(result));
- }
-
- for (i = 0; i < i_num_paths_to_remove; ++i) {
- result = perm_app_remove_path(APP_ID, test_paths[i].path().c_str());
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_remove_path failed: " << perm_strerror(result));
- }
-
- result = perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC, &pp_paths);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_get_paths failed: " <<
- perm_strerror(result));
- paths.reset(pp_paths);
-
- DB_END
-
- for (i = 0; pp_paths[i] != NULL; ++i) {
- RUNNER_ASSERT_MSG_BT(i < i_num_paths - i_num_paths_to_remove,
- "perm_app_remove_path removed too few paths");
- RUNNER_ASSERT_MSG_BT(test_paths[i + i_num_paths_to_remove].path() == pp_paths[i],
- "unexpected path encountered - " << pp_paths[i] << " instead of " <<
- test_paths[i + i_num_paths].path() <<
- " - perm_app_remove_path removed wrong path?");
- }
- RUNNER_ASSERT_MSG_BT(i == i_num_paths - i_num_paths_to_remove,
- "perm_app_remove_path removed too many paths");
-
- for (i = i_num_paths_to_remove; i < i_num_paths; ++i) {
- RUNNER_ASSERT_MSG_BT(mkdir(test_paths[i].path().c_str(), 0) == -1 && errno == EEXIST,
- "unexpected error " << strerror(errno) <<
- "- perm_app_remove_path removed data from file system?");
- }
-}
-
-RUNNER_TEST(privilege_control29_perm_app_remove_path_group)
-{
- const char* label = "perm.app.remove.path.group";
- int result;
- Directory directory("/tmp/perm_app_remove_path_dir1", 0);
- TestLibPrivilegeControlDatabase db_test;
-
- RUNNER_ASSERT_MSG_BT(directory.isCreated(), "failed to create the directory " <<
- directory.path() << ": " << strerror(directory.errorCode()));
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " <<
- perm_strerror(result));
-
- result = perm_app_uninstall(APP_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed: " <<
- perm_strerror(result));
-
- result = perm_app_install(APP_1);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " <<
- perm_strerror(result));
-
- result = perm_app_install(APP_2);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install failed: " <<
- perm_strerror(result));
-
- result = perm_app_setup_path(APP_1, directory.path().c_str(), PERM_APP_PATH_GROUP, label);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path failed: " << perm_strerror(result));
-
- result = perm_app_setup_path(APP_2, directory.path().c_str(), PERM_APP_PATH_GROUP, label);
- RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path failed: " << perm_strerror(result));
-
- result = perm_app_remove_path(APP_1, directory.path().c_str());
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_remove_path failed: " <<
- perm_strerror(result));
-
- DB_END
-
- db_test.test_db_label(label);
- db_test.test_db__perm_app_remove_path(APP_1, directory.path());
- db_test.test_db__perm_app_setup_path(APP_2, directory.path());
-
- DB_BEGIN
-
- result = perm_app_remove_path(APP_2, directory.path().c_str());
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_remove_path failed: " <<
- perm_strerror(result));
-
- DB_END
-
- db_test.test_db__perm_app_remove_path(APP_2, directory.path());
- db_test.test_db_not_label(label);
-
- RUNNER_ASSERT_MSG_BT(mkdir(directory.path().c_str(), 0) == -1 && errno == EEXIST,
- "unexpected error " << strerror(errno) <<
- "- perm_app_remove_path removed data from file system?");
-}
RUNNER_TEST_GROUP_INIT(libprivilegecontrol_incorrect_params)
-RUNNER_TEST(privilege_control21a_incorrect_params_get_smack_label_from_process)
-{
- RUNNER_ASSERT_MSG_BT(get_smack_label_from_process(PID_CORRECT, NULL) == PC_ERR_INVALID_PARAM,
- "get_smack_label_from_process didn't check if smack_label isn't NULL.");
-
- char aquired_smack_label[SMACK_LABEL_LEN+1];
- RUNNER_ASSERT_MSG_BT(get_smack_label_from_process(PID_INCORRECT, aquired_smack_label) == PC_ERR_INVALID_PARAM,
- "get_smack_label_from_process didn't check for correct pid.");
-}
-
-RUNNER_TEST_SMACK(privilege_control21b_incorrect_params_smack_pid_have_access)
-{
- RUNNER_ASSERT_MSG_BT(smack_pid_have_access(PID_CORRECT, "some_object", NULL) == -1,
- "smack_pid_have_access didn't check if access_type isn't NULL.");
- RUNNER_ASSERT_MSG_BT(smack_pid_have_access(PID_CORRECT, NULL, "rw") == -1,
- "smack_pid_have_access didn't check if object isn't NULL.");
- RUNNER_ASSERT_MSG_BT(smack_pid_have_access(PID_CORRECT, "", "rw") == -1,
- "smack_pid_have_access didn't check if object isn't empty.");
- RUNNER_ASSERT_MSG_BT(smack_pid_have_access(PID_INCORRECT, "some_object", "rw") == -1,
- "smack_pid_have_access didn't check for correct pid.");
-}
-
RUNNER_TEST(privilege_control21c_incorrect_params_perm_app_set_privilege)
{
RUNNER_ASSERT_MSG_BT(perm_app_set_privilege(NULL, NULL, APP_SET_PRIV_PATH) == PC_ERR_INVALID_PARAM,
RUNNER_ASSERT_MSG_BT(perm_app_disable_permissions("~APP~", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM,
"perm_app_disable_permissions didn't check if pkg_id is valid.");
}
-
-RUNNER_TEST(privilege_control21m_incorrect_params_perm_app_has_permission)
-{
- bool has_permission;
-
- RUNNER_ASSERT_MSG_BT(perm_app_has_permission(NULL, APP_TYPE_WGT,
- PRIVS2[0], &has_permission) == PC_ERR_INVALID_PARAM,
- "perm_app_has_permission didn't check if pkg_id isn't NULL.");
- RUNNER_ASSERT_MSG_BT(perm_app_has_permission(APP_ID, APP_TYPE_OTHER,
- PRIVS2[0], &has_permission) == PC_ERR_INVALID_PARAM,
- "perm_app_has_permission should not accept app_type = OTHER.");
- RUNNER_ASSERT_MSG_BT(perm_app_has_permission(APP_ID, APP_TYPE_WGT,
- NULL, &has_permission) == PC_ERR_INVALID_PARAM,
- "perm_app_has_permission didn't check if permission_name isn't NULL.");
- RUNNER_ASSERT_MSG_BT(perm_app_has_permission(APP_ID, APP_TYPE_WGT,
- PRIVS2[0], NULL) == PC_ERR_INVALID_PARAM,
- "perm_app_has_permission didn't check if has_permission isn't NULL.");
-}
-
-RUNNER_TEST(privilege_control21n_incorrect_params_perm_app_setup_permissions)
-{
- RUNNER_ASSERT_MSG_BT(perm_app_setup_permissions(APP_ID, APP_TYPE_OTHER,
- NULL) == PC_ERR_INVALID_PARAM,
- "perm_app_setup_permissions didn't check if perm_list isn't NULL");
- RUNNER_ASSERT_MSG_BT(perm_app_setup_permissions(NULL, APP_TYPE_OTHER,
- PRIVS2) == PC_ERR_INVALID_PARAM,
- "perm_app_setup_permissions didn't check if pkg_id isn't NULL.");
- RUNNER_ASSERT_MSG_BT(perm_app_setup_permissions("", APP_TYPE_OTHER,
- PRIVS2) == PC_ERR_INVALID_PARAM,
- "perm_app_setup_permissions didn't check if pkg_id isn't empty.");
- RUNNER_ASSERT_MSG_BT(perm_app_setup_permissions(APP_ID, (app_type_t)-1,
- PRIVS2) == PC_ERR_INVALID_PARAM,
- "perm_app_setup_permissions didn't check if app type is valid.");
- RUNNER_ASSERT_MSG_BT(perm_app_setup_permissions("~APP~", APP_TYPE_OTHER,
- PRIVS2) == PC_ERR_INVALID_PARAM,
- "perm_app_setup_permissions didn't check if pkg_id is valid");
-}
-
-RUNNER_TEST(privilege_control22n_incorrect_params_perm_app_get_paths)
-{
- char **pp_paths;
-
- RUNNER_ASSERT_MSG_BT(perm_app_get_paths(NULL, PERM_APP_PATH_PUBLIC,
- &pp_paths) == PC_ERR_INVALID_PARAM,
- "perm_app_get_paths didn't check if pkg_id isn't NULL.");
-
- RUNNER_ASSERT_MSG_BT(perm_app_get_paths(APP_ID, PERM_APP_PATH_PUBLIC,
- NULL) == PC_ERR_INVALID_PARAM,
- "perm_app_get_paths didn't check if ppp_paths isn't NULL.");
-
- RUNNER_ASSERT_MSG_BT(perm_app_get_paths(APP_ID, PERM_APP_PATH_PRIVATE,
- &pp_paths) == PC_ERR_INVALID_PARAM,
- "perm_app_get_paths shouldn't accept paths of type PERM_APP_PATH_PRIVATE");
- RUNNER_ASSERT_MSG_BT(perm_app_get_paths(APP_ID, PERM_APP_PATH_ANY_LABEL,
- &pp_paths) == PC_ERR_INVALID_PARAM,
- "perm_app_get_paths should not accept paths of type PERM_APP_PATH_ANY_LABEL");
-}
-
-RUNNER_TEST(privilege_control21p_incorrect_params_perm_app_remove_path)
-{
- RUNNER_ASSERT_MSG_BT(perm_app_remove_path(NULL, "path") == PC_ERR_INVALID_PARAM,
- "perm_app_remove_path didn't check if pkg_id isn't NULL.");
-}
RUNNER_ASSERT_MSG_BT(result == -1,
"Despite SMACK being off some accesses were added. Result: " << result);
- // Check if permission is assigned to app in db
- check_app_has_permission(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
-
TestLibPrivilegeControlDatabase db_test;
db_test.test_db_after__perm_app_install(APP_ID);
db_test.test_db_after__perm_app_enable_permissions(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true);
}
/**
- * NOSMACK version of privilege_control05_set_app_privilege_wgt_partner test.
- *
- * Same as the above.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_partner_nosmack)
-{
- test_set_app_privilege_nosmack(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT,
- "wgt_partner", WGT_PARTNER_APP_PATH,
- LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_partner);
-}
-
-/**
- * NOSMACK version of privilege_control05_set_app_privilege_wgt_platform test.
- *
- * Same as the above.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_platform_nosmack)
-{
- test_set_app_privilege_nosmack(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT,
- "wgt_platform", WGT_PLATFORM_APP_PATH,
- LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_platform);
-}
-
-/**
* NOSMACK version of privilege_control05_set_app_privilege_osp test.
*
* Same as the above.
LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
}
-/**
- * NOSMACK version of privilege_control05_set_app_privilege_osp_partner test.
- *
- * Same as the above.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_partner_nosmack)
-{
- test_set_app_privilege_nosmack(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP,
- "tpk", OSP_PARTNER_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_partner);
-}
-
-/**
- * NOSMACK version of privilege_control05_set_app_privilege_osp_platform test.
- *
- * Same as the above.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nosmack)
-{
- test_set_app_privilege_nosmack(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP,
- "tpk", OSP_PLATFORM_APP_PATH,
- LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform);
-}
-
RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_efl_nosmack)
{
- test_set_app_privilege_nosmack(EFL_APP_ID, PERM_APP_TYPE_EFL, PRIVS_EFL,
+ test_set_app_privilege_nosmack(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL,
"rpm", EFL_APP_PATH,
LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl);
}
/**
* Revoke permissions from the list. Should be executed as privileged user.
*/
-RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_wgt_partner_nosmack)
-{
- test_revoke_permissions(__LINE__, WGT_PARTNER_APP_ID, rules_wgt_partner, false);
-}
-
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_wgt_platform_nosmack)
-{
- test_revoke_permissions(__LINE__, WGT_PLATFORM_APP_ID, rules_wgt_platform, false);
-}
-
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_osp_nosmack)
{
test_revoke_permissions(__LINE__, OSP_APP_ID, rules_osp, false);
}
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_osp_partner_nosmack)
-{
- test_revoke_permissions(__LINE__, OSP_PARTNER_APP_ID, rules_osp_partner, false);
-}
-
-/**
- * Revoke permissions from the list. Should be executed as privileged user.
- */
-RUNNER_CHILD_TEST_NOSMACK(privilege_control06_revoke_permissions_osp_platform_nosmack)
-{
- test_revoke_permissions(__LINE__, OSP_PLATFORM_APP_ID, rules_osp_platform, false);
-}
-
/*
* NOSMACK version of privilege_control10_app_register_av test.
*
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
RUNNER_TEST_NOSMACK(privilege_control10_app_register_av_nosmack)
{
- RUNNER_IGNORED_MSG("app_register_av is not implemented");
+ RUNNER_IGNORED_MSG("app_register_av is deprecated");
int result;
// cleaning
}
}
-/**
- * Next three functions are defined only because of NOSMACK environment.
- *
- * Inside check_labels_dir_nosmack, smack_have_access should expect error, not access granted.
- */
-int check_labels_dir_nosmack(const char *fpath, const struct stat *sb,
- const char *labels_db_path, const char *dir_db_path,
- const char *access)
-{
- int result;
- char* label;
- char* label_gen;
- char label_temp[SMACK_LABEL_LEN + 1];
- std::fstream fs_db;
-
- /* ACCESS */
- result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path. Result: " << result);
- RUNNER_ASSERT_MSG_BT(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
-
- /* EXEC */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
- if (result != 0) {
- free(label_gen);
- RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path. Result: " << result);
- }
- if (label != NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "EXEC label on " << fpath << " is set.");
- }
-
- /* TRANSMUTE */
- result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
- if (result != 0) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "Could not get label for the path. Result: " << result);
- }
- if (S_ISDIR(sb->st_mode)) {
- if (label == NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is not set");
- }
- result = strcmp("TRUE", label);
- if (result != 0) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false,
- "TRANSMUTE label on " << fpath << " is not set to TRUE Result: " << result);
- }
- } else if (label != NULL) {
- free(label_gen);
- free(label);
- RUNNER_ASSERT_MSG_BT(false, "TRANSMUTE label on " << fpath << " is set");
- }
-
- free(label);
-
- fs_db.open(labels_db_path, std::ios_base::in);
- if (!(fs_db.good())) {
- free(label_gen);
- RUNNER_ASSERT_MSG_BT(false, "Can not open database for apps");
- }
-
- while(!fs_db.eof()) {
- fs_db.getline(label_temp, 255);
- result = smack_have_access(label_temp, label_gen, access);
- if (result != -1) { //expect error, not access granted
- free(label_gen);
- RUNNER_ASSERT_MSG_BT(false, "smack_have_access should fail. Result: " << result);
- }
- }
-
- fs_db.close();
-
- fs_db.open(dir_db_path, std::ios_base::in);
- if (!fs_db.good()) {
- free(label_gen);
- RUNNER_ASSERT_MSG_BT(false, "Can not open database for dirs");
- }
-
- bool is_dir = false;
- while(!fs_db.eof()) {
- fs_db.getline(label_temp, 255);
- if (strcmp(label_gen, label_temp) == 0) {
- is_dir = true;
- break;
- }
- }
-
- free(label_gen);
-
- RUNNER_ASSERT_MSG_BT(is_dir, "Error autogenerated label is not in dirs db.");
-
- return 0;
-}
-
RUNNER_TEST_NOSMACK(privilege_control17_appsettings_privilege_nosmack)
{
test_appsettings_privilege(false);
"Unable to check Smack labels for non-app dir. Result: " << result);
}
-
-/**
- * NOSMACK version of privilege_control20 test.
- *
- * Uses NOSMACK version of test_have_nosmack_accesses.
- */
-RUNNER_TEST_NOSMACK(privilege_control20_app_setup_path_npruntime_nosmack)
-{
- int result = 0;
- CStringPtr labelPtr;
- std::string nptargetlabel = std::string(APP_NPRUNTIME) + ".npruntime";
- char *label = NULL;
-
- DB_BEGIN
-
- result = perm_app_uninstall(APP_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
-
- result = perm_app_install(APP_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_install. " << result);
-
- result = perm_app_setup_path(APP_NPRUNTIME, APP_NPRUNTIME_FILE, PERM_APP_PATH_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path. " << result);
-
- DB_END
-
- RUNNER_ASSERT_BT(0 == smack_lgetlabel(APP_NPRUNTIME_FILE, &label, SMACK_LABEL_EXEC));
- labelPtr.reset(label);
- label = NULL;
- RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), nptargetlabel.c_str()));
-
- // Rules to test
- const std::vector< std::vector<std::string> > np_rules = {
- { APP_NPRUNTIME, nptargetlabel, "rw" },
- { nptargetlabel, APP_NPRUNTIME, "rxat" },
- { nptargetlabel, "system::homedir", "rxat" },
- { nptargetlabel, "xorg", "rw" },
- { nptargetlabel, "crash-worker", "rwxa" },
- { nptargetlabel, "sys-assert::core", "rwxat" },
- { nptargetlabel, "syslogd", "rw" },
- };
-
- // Check if accesses aren't added
- result = test_have_nosmack_accesses(np_rules);
- RUNNER_ASSERT_MSG_BT(result == -1, "Accesses shouldn't be added. Result: " << result);
-
- DB_BEGIN
-
- // Uninstall app runtime
- result = perm_app_uninstall(APP_NPRUNTIME);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall. " << result);
-
- DB_END
-}
-
-/**
- * NOSMACK version of privielge_control21b test.
- *
- * Instead of error caused by incorrect params expect access granted, becuase SMACK is off.
- */
-RUNNER_TEST_NOSMACK(privilege_control21b_incorrect_params_smack_pid_have_access_nosmack)
-{
- int result = smack_pid_have_access(PID_CORRECT, "some_object", NULL);
- RUNNER_ASSERT_MSG_BT(result == 1,
- "smack_pid_have_access should return access granted. Result: " << result);
-
- result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
- RUNNER_ASSERT_MSG_BT(result == 1,
- "smack_pid_have_access should return access granted. Result: " << result);
-
- result = smack_pid_have_access(PID_CORRECT, NULL, "rw");
- RUNNER_ASSERT_MSG_BT(result == 1,
- "smack_pid_have_access should return access granted. Result: " << result);
-
- result = smack_pid_have_access(PID_INCORRECT, "some_object", "rw");
- RUNNER_ASSERT_MSG_BT(result == 1,
- "smack_pid_have_access should return access granted. Result: " << result);
-}
-
-
+++ /dev/null
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
-*/
-
-/*
- * @file test_cases_perm_add_additional_rules.cpp
- * @author Lukasz Wojciechowski (l.wojciechow@partner.samsung.com)
- * @version 1.0
- * @brief libprivilege-control test_cases_perm_add_additional_rules tests
- */
-
-#include <string>
-#include <vector>
-#include <functional>
-#include <memory>
-#include <sys/smack.h>
-
-#include <privilege-control.h>
-#include <dpl/test/test_runner.h>
-#include <tests_common.h>
-#include <libprivilege-control_test_common.h>
-#include "common/duplicates.h"
-#include "common/db.h"
-
-const char* additional_rules_empty[] = {
- NULL };
-
-const char* additional_rules_rollback[] = {
- "app1 ~PUBLIC_PATH~ rw",
- "~PUBLIC_PATH~ app2 rw",
- "app3 ~GROUP_PATH~ rw",
- "~GROUP_PATH~ app4 rw",
- "app5 ~SETTINGS_PATH~ rw",
- "~SETTINGS_PATH~ app6 rw",
- "app7 ~NPRUNTIME_PATH~ rw",
- "~NPRUNTIME_PATH~ app8 rw",
- NULL };
-
-
-const char* additional_rules_test_case_bad_01[] = {
- "AAA BBB",
- NULL };
-
-const char* additional_rules_test_case_bad_02[] = {
- "AAA BBB 1234567890123456789012345678901234567890123456789012345678901234567890",
- NULL };
-
-const char* additional_rules_test_case_bad_03[] = {
- "~PUBLIC_PATH~ ~PUBLIC_PATH~ rw",
- NULL };
-
-const char* additional_rules_test_case_bad_04[] = {
- "~ALL_APPS~ ~ALL_APPS~ wax",
- NULL };
-
-const char* additional_rules_test_case_bad_05[] = {
- "~ALL_APPS~ ~costam r",
- NULL };
-
-const char* additional_rules_test_case_bad_06[] = {
- "~AAA ~BBB tlw",
- NULL };
-
-const char* additional_rules_test_case_good_01[] = {
- "AAA BBB CCC",
- NULL };
-
-const char* additional_rules_test_case_good_02[] = {
- "qazapp1 ~PUBLIC_PATH~ r",
- "~PUBLIC_PATH~ wsxapp2 w",
- "qazapp3 ~GROUP_PATH~ x",
- "~GROUP_PATH~ wsxapp4 t",
- "qazapp5 ~SETTINGS_PATH~ a",
- "~SETTINGS_PATH~ wsxapp6 l",
- "qazapp7 ~NPRUNTIME_PATH~ rwxatl",
- "~NPRUNTIME_PATH~ wsxapp8 ------",
- "qazapp9 ~ALL_APPS~ rwx",
- "~ALL_APPS~ wsxapp10 rwx",
- "qazapp11 ~ALL_APPS_WITH_SAME_PERMISSION~ rwxt",
- "~ALL_APPS_WITH_SAME_PERMISSION~ wsxapp12 rwxt",
- NULL };
-
-const char* additional_rules_test_case_good_03[] = {
- "~ALL_APPS~ costam wata",
- NULL };
-
-void test_one_additional_rules_set(const char** rules)
-{
- int result = -1;
- additional_rules parsed_rules;
-
-// Parse rules and check if they are valid
- bool correct_rules = additional_rules_parse(rules, parsed_rules);
-
-// Apply known set of additional rules and close db transaction to apply them to smack
- DB_BEGIN
- result = perm_add_additional_rules(additional_rules_rollback);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Failed on applying rollback additional rules with result = " << result);
- DB_END
-
-// Try setting test set
- DB_BEGIN
- result = perm_add_additional_rules(rules);
- DB_END
-
- if (correct_rules) {
-// If rules are correct test set should be applied succesfully
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "perm_add_additional_rules failed. result = " << result);
-
- //testing database
- TestLibPrivilegeControlDatabase db_test;
- db_test.test_db_after__perm_add_additional_rules(parsed_rules);
- } else {
-// If rules are not valid test set should not be applied and db should rollback to known set
- RUNNER_ASSERT_MSG_BT(result != PC_OPERATION_SUCCESS,
- "perm_add_additional_rules succeeded, but shouldn't.");
-
- //testing rollback
- additional_rules parsed_rollback_rules;
- additional_rules_parse(additional_rules_rollback, parsed_rollback_rules);
- TestLibPrivilegeControlDatabase db_test;
- db_test.test_db_after__perm_add_additional_rules(parsed_rollback_rules);
- }
-}
-
-RUNNER_TEST(privilege_control26_perm_add_additional_rules_database)
-{
- UNUSED RestoreAdditionalRulesGuard guard;
- test_one_additional_rules_set(additional_rules_empty);
- test_one_additional_rules_set(additional_rules_rollback);
-
- test_one_additional_rules_set(additional_rules_test_case_bad_01);
- test_one_additional_rules_set(additional_rules_test_case_bad_02);
- test_one_additional_rules_set(additional_rules_test_case_bad_03);
- test_one_additional_rules_set(additional_rules_test_case_bad_04);
- test_one_additional_rules_set(additional_rules_test_case_bad_05);
- test_one_additional_rules_set(additional_rules_test_case_bad_06);
-
- test_one_additional_rules_set(additional_rules_test_case_good_01);
- test_one_additional_rules_set(additional_rules_test_case_good_02);
- test_one_additional_rules_set(additional_rules_test_case_good_03);
-}
-
-/**************************************************************************************************/
-
-struct smack_rule
-{
- std::string subject;
- std::string object;
- std::string access;
-};
-
-typedef std::vector<smack_rule> smack_rules_vector;
-
-void test_one_smack_rule(const smack_rule& rule)
-{
- int result;
- bool pass;
- const std::vector<std::string> access = {"r", "w", "x" ,"a", "t", "l"};
- for (auto a = access.begin(); a != access.end(); ++a) {
- result = smack_have_access(rule.subject.c_str(), rule.object.c_str(), a->c_str());
-
- if (rule.access.find(*a) != std::string::npos)
- pass = (result == 1);
- else
- pass = (result <= 0);
-
- RUNNER_ASSERT_MSG_BT(pass, "rule = {" << rule.subject << "; " << rule.object << "; " <<
- rule.access << "}" << std::endl <<
- "access = " << *a << std::endl <<
- "result = " << result << std::endl);
- }
-}
-
-void test_smack_rules_vector(const smack_rules_vector& rules)
-{
- for (auto rule = rules.begin(); rule != rules.end(); ++rule)
- test_one_smack_rule(*rule);
-}
-
-const std::string APP27_A = "APP27_A";
-const std::string APP27_B = "APP27_B";
-const std::string APP27_C = "APP27_C";
-const std::string APP27_D = "APP27_D";
-const std::string APP27_E = "APP27_E";
-const std::string APP27_F = "APP27_F";
-
-const std::string APP27_A_PUB = "/etc/smack/test_privilege_control_DIR/A_PUBLIC";
-const std::string APP27_D_PUB = "/etc/smack/test_privilege_control_DIR/D_PUBLIC";
-const std::string APP27_E_PUB = "/etc/smack/test_privilege_control_DIR/E_PUBLIC";
-
-const std::string APP27_A_PUB_ID = smack_label_for_path(APP27_A, APP27_A_PUB);
-const std::string APP27_D_PUB_ID = smack_label_for_path(APP27_D, APP27_D_PUB);
-const std::string APP27_E_PUB_ID = smack_label_for_path(APP27_E, APP27_E_PUB);
-
-const std::string APP27_B_SET = "/etc/smack/test_privilege_control_DIR/B_SETTINGS";
-const std::string APP27_C_SET = "/etc/smack/test_privilege_control_DIR/C_SETTINGS";
-const std::string APP27_E_SET = "/etc/smack/test_privilege_control_DIR/E_SETTINGS";
-
-const std::string APP27_B_SET_ID = smack_label_for_path(APP27_B, APP27_B_SET);
-const std::string APP27_C_SET_ID = smack_label_for_path(APP27_C, APP27_C_SET);
-const std::string APP27_E_SET_ID = smack_label_for_path(APP27_E, APP27_E_SET);
-
-const std::string APP27_A_GRP = "/etc/smack/test_privilege_control_DIR/A_GROUP";
-const std::string APP27_B_GRP = "/etc/smack/test_privilege_control_DIR/B_GROUP";
-const std::string APP27_F_GRP = "/etc/smack/test_privilege_control_DIR/F_GROUP";
-
-const std::string APP27_A_GRP_ID = "A";
-const std::string APP27_B_GRP_ID = "B";
-const std::string APP27_F_GRP_ID = "F";
-
-const smack_rules_vector initial_state = {
- { APP27_A, APP27_A_PUB_ID, "rwxatl" },
- { APP27_B, APP27_A_PUB_ID, "rx" },
- { APP27_C, APP27_A_PUB_ID, "rx" },
- { APP27_D, APP27_A_PUB_ID, "rx" },
- { APP27_E, APP27_A_PUB_ID, "rx" },
- { APP27_F, APP27_A_PUB_ID, "" },
-
- { APP27_A, APP27_D_PUB_ID, "rx" },
- { APP27_B, APP27_D_PUB_ID, "rx" },
- { APP27_C, APP27_D_PUB_ID, "rx" },
- { APP27_D, APP27_D_PUB_ID, "rwxatl" },
- { APP27_E, APP27_D_PUB_ID, "rx" },
- { APP27_F, APP27_D_PUB_ID, "" },
-
- { APP27_A, APP27_E_PUB_ID, "" },
- { APP27_B, APP27_E_PUB_ID, "" },
- { APP27_C, APP27_E_PUB_ID, "" },
- { APP27_D, APP27_E_PUB_ID, "" },
- { APP27_E, APP27_E_PUB_ID, "" },
- { APP27_F, APP27_E_PUB_ID, "" },
-
- { APP27_A, APP27_A_GRP_ID, "rwxatl" },
- { APP27_B, APP27_A_GRP_ID, "rwxatl" },
- { APP27_C, APP27_A_GRP_ID, "" },
- { APP27_D, APP27_A_GRP_ID, "" },
- { APP27_E, APP27_A_GRP_ID, "" },
- { APP27_F, APP27_A_GRP_ID, "" },
-
- { APP27_A, APP27_B_GRP_ID, "" },
- { APP27_B, APP27_B_GRP_ID, "rwxatl" },
- { APP27_C, APP27_B_GRP_ID, "rwxatl" },
- { APP27_D, APP27_B_GRP_ID, "" },
- { APP27_E, APP27_B_GRP_ID, "" },
- { APP27_F, APP27_B_GRP_ID, "" },
-
- { APP27_A, APP27_F_GRP_ID, "" },
- { APP27_B, APP27_F_GRP_ID, "" },
- { APP27_C, APP27_F_GRP_ID, "" },
- { APP27_D, APP27_F_GRP_ID, "" },
- { APP27_E, APP27_F_GRP_ID, "" },
- { APP27_F, APP27_F_GRP_ID, "" },
-
- { APP27_A, APP27_B_SET_ID, "" },
- { APP27_B, APP27_B_SET_ID, "rwxatl" },
- { APP27_C, APP27_B_SET_ID, "" },
- { APP27_D, APP27_B_SET_ID, "" },
- { APP27_E, APP27_B_SET_ID, "" },
- { APP27_F, APP27_B_SET_ID, "" },
-
- { APP27_A, APP27_C_SET_ID, "" },
- { APP27_B, APP27_C_SET_ID, "" },
- { APP27_C, APP27_C_SET_ID, "" },
- { APP27_D, APP27_C_SET_ID, "" },
- { APP27_E, APP27_C_SET_ID, "" },
- { APP27_F, APP27_C_SET_ID, "" },
-
- { APP27_A, APP27_E_SET_ID, "" },
- { APP27_B, APP27_E_SET_ID, "" },
- { APP27_C, APP27_E_SET_ID, "" },
- { APP27_D, APP27_E_SET_ID, "" },
- { APP27_E, APP27_E_SET_ID, "rwxatl" },
- { APP27_F, APP27_E_SET_ID, "" }
-};
-
-const smack_rules_vector rules_1_state = {
- { APP27_A, APP27_A_PUB_ID, "rwxatl" },
- { APP27_B, APP27_A_PUB_ID, "rx" },
- { APP27_C, APP27_A_PUB_ID, "rx" },
- { APP27_D, APP27_A_PUB_ID, "rxl" },
- { APP27_E, APP27_A_PUB_ID, "rwxatl" },
- { APP27_F, APP27_A_PUB_ID, "rwxatl" },
-
- { APP27_A, APP27_D_PUB_ID, "rx" },
- { APP27_B, APP27_D_PUB_ID, "rx" },
- { APP27_C, APP27_D_PUB_ID, "rx" },
- { APP27_D, APP27_D_PUB_ID, "rwxatl" },
- { APP27_E, APP27_D_PUB_ID, "rwxatl" },
- { APP27_F, APP27_D_PUB_ID, "rwxatl" },
-
- { APP27_A, APP27_E_PUB_ID, "" },
- { APP27_B, APP27_E_PUB_ID, "" },
- { APP27_C, APP27_E_PUB_ID, "" },
- { APP27_D, APP27_E_PUB_ID, "" },
- { APP27_E, APP27_E_PUB_ID, "" },
- { APP27_F, APP27_E_PUB_ID, "" },
-
- { APP27_A, APP27_A_GRP_ID, "rwxatl" },
- { APP27_B, APP27_A_GRP_ID, "rwxatl" },
- { APP27_C, APP27_A_GRP_ID, "" },
- { APP27_D, APP27_A_GRP_ID, "ra" },
- { APP27_E, APP27_A_GRP_ID, "" },
- { APP27_F, APP27_A_GRP_ID, "" },
-
- { APP27_A, APP27_B_GRP_ID, "" },
- { APP27_B, APP27_B_GRP_ID, "rwxatl" },
- { APP27_C, APP27_B_GRP_ID, "rwxatl" },
- { APP27_D, APP27_B_GRP_ID, "ra" },
- { APP27_E, APP27_B_GRP_ID, "" },
- { APP27_F, APP27_B_GRP_ID, "" },
-
- { APP27_A, APP27_F_GRP_ID, "" },
- { APP27_B, APP27_F_GRP_ID, "" },
- { APP27_C, APP27_F_GRP_ID, "" },
- { APP27_D, APP27_F_GRP_ID, "" },
- { APP27_E, APP27_F_GRP_ID, "" },
- { APP27_F, APP27_F_GRP_ID, "" },
-
- { APP27_A, APP27_B_SET_ID, "ra" },
- { APP27_B, APP27_B_SET_ID, "rwxatl" },
- { APP27_C, APP27_B_SET_ID, "" },
- { APP27_D, APP27_B_SET_ID, "" },
- { APP27_E, APP27_B_SET_ID, "xl" },
- { APP27_F, APP27_B_SET_ID, "" },
-
- { APP27_A, APP27_C_SET_ID, "" },
- { APP27_B, APP27_C_SET_ID, "" },
- { APP27_C, APP27_C_SET_ID, "" },
- { APP27_D, APP27_C_SET_ID, "" },
- { APP27_E, APP27_C_SET_ID, "" },
- { APP27_F, APP27_C_SET_ID, "" },
-
- { APP27_A, APP27_E_SET_ID, "ra" },
- { APP27_B, APP27_E_SET_ID, "" },
- { APP27_C, APP27_E_SET_ID, "" },
- { APP27_D, APP27_E_SET_ID, "" },
- { APP27_E, APP27_E_SET_ID, "rwxatl" },
- { APP27_F, APP27_E_SET_ID, "" }
-};
-
-const smack_rules_vector add_app_state = {
- { APP27_A, APP27_A_PUB_ID, "rwxatl" },
- { APP27_B, APP27_A_PUB_ID, "rx" },
- { APP27_C, APP27_A_PUB_ID, "rx" },
- { APP27_D, APP27_A_PUB_ID, "rxl" },
- { APP27_E, APP27_A_PUB_ID, "rwxatl" },
- { APP27_F, APP27_A_PUB_ID, "rwxatl" },
-
- { APP27_A, APP27_D_PUB_ID, "rx" },
- { APP27_B, APP27_D_PUB_ID, "rx" },
- { APP27_C, APP27_D_PUB_ID, "rx" },
- { APP27_D, APP27_D_PUB_ID, "rwxatl" },
- { APP27_E, APP27_D_PUB_ID, "rwxatl" },
- { APP27_F, APP27_D_PUB_ID, "rwxatl" },
-
- { APP27_A, APP27_E_PUB_ID, "" },
- { APP27_B, APP27_E_PUB_ID, "" },
- { APP27_C, APP27_E_PUB_ID, "" },
- { APP27_D, APP27_E_PUB_ID, "" },
- { APP27_E, APP27_E_PUB_ID, "" },
- { APP27_F, APP27_E_PUB_ID, "" },
-
- { APP27_A, APP27_A_GRP_ID, "rwxatl" },
- { APP27_B, APP27_A_GRP_ID, "rwxatl" },
- { APP27_C, APP27_A_GRP_ID, "" },
- { APP27_D, APP27_A_GRP_ID, "ra" },
- { APP27_E, APP27_A_GRP_ID, "" },
- { APP27_F, APP27_A_GRP_ID, "" },
-
- { APP27_A, APP27_B_GRP_ID, "" },
- { APP27_B, APP27_B_GRP_ID, "rwxatl" },
- { APP27_C, APP27_B_GRP_ID, "rwxatl" },
- { APP27_D, APP27_B_GRP_ID, "ra" },
- { APP27_E, APP27_B_GRP_ID, "" },
- { APP27_F, APP27_B_GRP_ID, "" },
-
- { APP27_A, APP27_F_GRP_ID, "rwxatl" },
- { APP27_B, APP27_F_GRP_ID, "" },
- { APP27_C, APP27_F_GRP_ID, "" },
- { APP27_D, APP27_F_GRP_ID, "ra" },
- { APP27_E, APP27_F_GRP_ID, "" },
- { APP27_F, APP27_F_GRP_ID, "rwxatl" },
-
- { APP27_A, APP27_B_SET_ID, "ra" },
- { APP27_B, APP27_B_SET_ID, "rwxatl" },
- { APP27_C, APP27_B_SET_ID, "" },
- { APP27_D, APP27_B_SET_ID, "" },
- { APP27_E, APP27_B_SET_ID, "xl" },
- { APP27_F, APP27_B_SET_ID, "" },
-
- { APP27_A, APP27_C_SET_ID, "" },
- { APP27_B, APP27_C_SET_ID, "" },
- { APP27_C, APP27_C_SET_ID, "" },
- { APP27_D, APP27_C_SET_ID, "" },
- { APP27_E, APP27_C_SET_ID, "" },
- { APP27_F, APP27_C_SET_ID, "" },
-
- { APP27_A, APP27_E_SET_ID, "ra" },
- { APP27_B, APP27_E_SET_ID, "" },
- { APP27_C, APP27_E_SET_ID, "" },
- { APP27_D, APP27_E_SET_ID, "" },
- { APP27_E, APP27_E_SET_ID, "rwxatl" },
- { APP27_F, APP27_E_SET_ID, "" }
-};
-
-const smack_rules_vector add_dir_state = {
- { APP27_A, APP27_A_PUB_ID, "rwxatl" },
- { APP27_B, APP27_A_PUB_ID, "rx" },
- { APP27_C, APP27_A_PUB_ID, "rx" },
- { APP27_D, APP27_A_PUB_ID, "rxl" },
- { APP27_E, APP27_A_PUB_ID, "rwxatl" },
- { APP27_F, APP27_A_PUB_ID, "rwxatl" },
-
- { APP27_A, APP27_D_PUB_ID, "rx" },
- { APP27_B, APP27_D_PUB_ID, "rx" },
- { APP27_C, APP27_D_PUB_ID, "rx" },
- { APP27_D, APP27_D_PUB_ID, "rwxatl" },
- { APP27_E, APP27_D_PUB_ID, "rwxatl" },
- { APP27_F, APP27_D_PUB_ID, "rwxatl" },
-
- { APP27_A, APP27_E_PUB_ID, "rx" },
- { APP27_B, APP27_E_PUB_ID, "rx" },
- { APP27_C, APP27_E_PUB_ID, "rx" },
- { APP27_D, APP27_E_PUB_ID, "rxl" },
- { APP27_E, APP27_E_PUB_ID, "rwxatl" },
- { APP27_F, APP27_E_PUB_ID, "rwxatl" },
-
- { APP27_A, APP27_A_GRP_ID, "rwxatl" },
- { APP27_B, APP27_A_GRP_ID, "rwxatl" },
- { APP27_C, APP27_A_GRP_ID, "" },
- { APP27_D, APP27_A_GRP_ID, "rwxatl" },
- { APP27_E, APP27_A_GRP_ID, "" },
- { APP27_F, APP27_A_GRP_ID, "" },
-
- { APP27_A, APP27_B_GRP_ID, "rwxatl" },
- { APP27_B, APP27_B_GRP_ID, "rwxatl" },
- { APP27_C, APP27_B_GRP_ID, "rwxatl" },
- { APP27_D, APP27_B_GRP_ID, "ra" },
- { APP27_E, APP27_B_GRP_ID, "" },
- { APP27_F, APP27_B_GRP_ID, "" },
-
- { APP27_A, APP27_F_GRP_ID, "" },
- { APP27_B, APP27_F_GRP_ID, "" },
- { APP27_C, APP27_F_GRP_ID, "rwxatl" },
- { APP27_D, APP27_F_GRP_ID, "ra" },
- { APP27_E, APP27_F_GRP_ID, "" },
- { APP27_F, APP27_F_GRP_ID, "" },
-
- { APP27_A, APP27_B_SET_ID, "ra" },
- { APP27_B, APP27_B_SET_ID, "rwxatl" },
- { APP27_C, APP27_B_SET_ID, "" },
- { APP27_D, APP27_B_SET_ID, "" },
- { APP27_E, APP27_B_SET_ID, "xl" },
- { APP27_F, APP27_B_SET_ID, "" },
-
- { APP27_A, APP27_C_SET_ID, "ra" },
- { APP27_B, APP27_C_SET_ID, "" },
- { APP27_C, APP27_C_SET_ID, "rwxatl" },
- { APP27_D, APP27_C_SET_ID, "" },
- { APP27_E, APP27_C_SET_ID, "xl" },
- { APP27_F, APP27_C_SET_ID, "" },
-
- { APP27_A, APP27_E_SET_ID, "ra" },
- { APP27_B, APP27_E_SET_ID, "" },
- { APP27_C, APP27_E_SET_ID, "" },
- { APP27_D, APP27_E_SET_ID, "" },
- { APP27_E, APP27_E_SET_ID, "rwxatl" },
- { APP27_F, APP27_E_SET_ID, "" }
-};
-
-const smack_rules_vector rules_2_state = {
- { APP27_A, APP27_A_PUB_ID, "rwxatl" },
- { APP27_B, APP27_A_PUB_ID, "rx" },
- { APP27_C, APP27_A_PUB_ID, "rxlt" },
- { APP27_D, APP27_A_PUB_ID, "rxa" },
- { APP27_E, APP27_A_PUB_ID, "rwxl" },
- { APP27_F, APP27_A_PUB_ID, "" },
-
- { APP27_A, APP27_D_PUB_ID, "rx" },
- { APP27_B, APP27_D_PUB_ID, "rx" },
- { APP27_C, APP27_D_PUB_ID, "rxlt" },
- { APP27_D, APP27_D_PUB_ID, "rwxatl" },
- { APP27_E, APP27_D_PUB_ID, "rwxl" },
- { APP27_F, APP27_D_PUB_ID, "" },
-
- { APP27_A, APP27_E_PUB_ID, "" },
- { APP27_B, APP27_E_PUB_ID, "" },
- { APP27_C, APP27_E_PUB_ID, "" },
- { APP27_D, APP27_E_PUB_ID, "" },
- { APP27_E, APP27_E_PUB_ID, "" },
- { APP27_F, APP27_E_PUB_ID, "" },
-
- { APP27_A, APP27_A_GRP_ID, "rwxatl" },
- { APP27_B, APP27_A_GRP_ID, "rwxatl" },
- { APP27_C, APP27_A_GRP_ID, "" },
- { APP27_D, APP27_A_GRP_ID, "" },
- { APP27_E, APP27_A_GRP_ID, "" },
- { APP27_F, APP27_A_GRP_ID, "" },
-
- { APP27_A, APP27_B_GRP_ID, "" },
- { APP27_B, APP27_B_GRP_ID, "rwxatl" },
- { APP27_C, APP27_B_GRP_ID, "rwxatl" },
- { APP27_D, APP27_B_GRP_ID, "" },
- { APP27_E, APP27_B_GRP_ID, "" },
- { APP27_F, APP27_B_GRP_ID, "" },
-
- { APP27_A, APP27_F_GRP_ID, "" },
- { APP27_B, APP27_F_GRP_ID, "" },
- { APP27_C, APP27_F_GRP_ID, "" },
- { APP27_D, APP27_F_GRP_ID, "" },
- { APP27_E, APP27_F_GRP_ID, "" },
- { APP27_F, APP27_F_GRP_ID, "" },
-
- { APP27_A, APP27_B_SET_ID, "" },
- { APP27_B, APP27_B_SET_ID, "rwxatl" },
- { APP27_C, APP27_B_SET_ID, "" },
- { APP27_D, APP27_B_SET_ID, "" },
- { APP27_E, APP27_B_SET_ID, "" },
- { APP27_F, APP27_B_SET_ID, "" },
-
- { APP27_A, APP27_C_SET_ID, "" },
- { APP27_B, APP27_C_SET_ID, "" },
- { APP27_C, APP27_C_SET_ID, "" },
- { APP27_D, APP27_C_SET_ID, "" },
- { APP27_E, APP27_C_SET_ID, "" },
- { APP27_F, APP27_C_SET_ID, "" },
-
- { APP27_A, APP27_E_SET_ID, "" },
- { APP27_B, APP27_E_SET_ID, "" },
- { APP27_C, APP27_E_SET_ID, "" },
- { APP27_D, APP27_E_SET_ID, "" },
- { APP27_E, APP27_E_SET_ID, "rwxatl" },
- { APP27_F, APP27_E_SET_ID, "" }
-};
-
-const smack_rules_vector rules_3_state = {
- { APP27_A, APP27_A_PUB_ID, "rwxatl" },
- { APP27_B, APP27_A_PUB_ID, "rx" },
- { APP27_C, APP27_A_PUB_ID, "rx" },
- { APP27_D, APP27_A_PUB_ID, "rx" },
- { APP27_E, APP27_A_PUB_ID, "rx" },
- { APP27_F, APP27_A_PUB_ID, "" },
-
- { APP27_A, APP27_D_PUB_ID, "rx" },
- { APP27_B, APP27_D_PUB_ID, "rx" },
- { APP27_C, APP27_D_PUB_ID, "rx" },
- { APP27_D, APP27_D_PUB_ID, "rwxatl" },
- { APP27_E, APP27_D_PUB_ID, "rx" },
- { APP27_F, APP27_D_PUB_ID, "" },
-
- { APP27_A, APP27_E_PUB_ID, "" },
- { APP27_B, APP27_E_PUB_ID, "" },
- { APP27_C, APP27_E_PUB_ID, "" },
- { APP27_D, APP27_E_PUB_ID, "" },
- { APP27_E, APP27_E_PUB_ID, "" },
- { APP27_F, APP27_E_PUB_ID, "" },
-
- { APP27_A, APP27_A_GRP_ID, "rwxatl" },
- { APP27_B, APP27_A_GRP_ID, "rwxatl" },
- { APP27_C, APP27_A_GRP_ID, "xlt" },
- { APP27_D, APP27_A_GRP_ID, "" },
- { APP27_E, APP27_A_GRP_ID, "rwl" },
- { APP27_F, APP27_A_GRP_ID, "" },
-
- { APP27_A, APP27_B_GRP_ID, "" },
- { APP27_B, APP27_B_GRP_ID, "rwxatl" },
- { APP27_C, APP27_B_GRP_ID, "rwxatl" },
- { APP27_D, APP27_B_GRP_ID, "" },
- { APP27_E, APP27_B_GRP_ID, "rwl" },
- { APP27_F, APP27_B_GRP_ID, "" },
-
- { APP27_A, APP27_F_GRP_ID, "" },
- { APP27_B, APP27_F_GRP_ID, "" },
- { APP27_C, APP27_F_GRP_ID, "" },
- { APP27_D, APP27_F_GRP_ID, "" },
- { APP27_E, APP27_F_GRP_ID, "" },
- { APP27_F, APP27_F_GRP_ID, "" },
-
- { APP27_A, APP27_B_SET_ID, "" },
- { APP27_B, APP27_B_SET_ID, "rwxatl" },
- { APP27_C, APP27_B_SET_ID, "" },
- { APP27_D, APP27_B_SET_ID, "" },
- { APP27_E, APP27_B_SET_ID, "" },
- { APP27_F, APP27_B_SET_ID, "" },
-
- { APP27_A, APP27_C_SET_ID, "" },
- { APP27_B, APP27_C_SET_ID, "" },
- { APP27_C, APP27_C_SET_ID, "" },
- { APP27_D, APP27_C_SET_ID, "" },
- { APP27_E, APP27_C_SET_ID, "" },
- { APP27_F, APP27_C_SET_ID, "" },
-
- { APP27_A, APP27_E_SET_ID, "" },
- { APP27_B, APP27_E_SET_ID, "" },
- { APP27_C, APP27_E_SET_ID, "" },
- { APP27_D, APP27_E_SET_ID, "" },
- { APP27_E, APP27_E_SET_ID, "rwxatl" },
- { APP27_F, APP27_E_SET_ID, "" }
-};
-
-const smack_rules_vector rules_4_state = {
- { APP27_A, APP27_A_PUB_ID, "rwxatl" },
- { APP27_B, APP27_A_PUB_ID, "rx" },
- { APP27_C, APP27_A_PUB_ID, "rx" },
- { APP27_D, APP27_A_PUB_ID, "rx" },
- { APP27_E, APP27_A_PUB_ID, "rx" },
- { APP27_F, APP27_A_PUB_ID, "" },
-
- { APP27_A, APP27_D_PUB_ID, "rx" },
- { APP27_B, APP27_D_PUB_ID, "rx" },
- { APP27_C, APP27_D_PUB_ID, "rx" },
- { APP27_D, APP27_D_PUB_ID, "rwxatl" },
- { APP27_E, APP27_D_PUB_ID, "rx" },
- { APP27_F, APP27_D_PUB_ID, "" },
-
- { APP27_A, APP27_E_PUB_ID, "" },
- { APP27_B, APP27_E_PUB_ID, "" },
- { APP27_C, APP27_E_PUB_ID, "" },
- { APP27_D, APP27_E_PUB_ID, "" },
- { APP27_E, APP27_E_PUB_ID, "" },
- { APP27_F, APP27_E_PUB_ID, "" },
-
- { APP27_A, APP27_A_GRP_ID, "rwxatl" },
- { APP27_B, APP27_A_GRP_ID, "rwxatl" },
- { APP27_C, APP27_A_GRP_ID, "" },
- { APP27_D, APP27_A_GRP_ID, "" },
- { APP27_E, APP27_A_GRP_ID, "" },
- { APP27_F, APP27_A_GRP_ID, "" },
-
- { APP27_A, APP27_B_GRP_ID, "" },
- { APP27_B, APP27_B_GRP_ID, "rwxatl" },
- { APP27_C, APP27_B_GRP_ID, "rwxatl" },
- { APP27_D, APP27_B_GRP_ID, "" },
- { APP27_E, APP27_B_GRP_ID, "" },
- { APP27_F, APP27_B_GRP_ID, "" },
-
- { APP27_A, APP27_F_GRP_ID, "" },
- { APP27_B, APP27_F_GRP_ID, "" },
- { APP27_C, APP27_F_GRP_ID, "" },
- { APP27_D, APP27_F_GRP_ID, "" },
- { APP27_E, APP27_F_GRP_ID, "" },
- { APP27_F, APP27_F_GRP_ID, "" },
-
- { APP27_A, APP27_B_SET_ID, "" },
- { APP27_B, APP27_B_SET_ID, "rwxatl" },
- { APP27_C, APP27_B_SET_ID, "xlt" },
- { APP27_D, APP27_B_SET_ID, "" },
- { APP27_E, APP27_B_SET_ID, "rwl" },
- { APP27_F, APP27_B_SET_ID, "" },
-
- { APP27_A, APP27_C_SET_ID, "" },
- { APP27_B, APP27_C_SET_ID, "" },
- { APP27_C, APP27_C_SET_ID, "" },
- { APP27_D, APP27_C_SET_ID, "" },
- { APP27_E, APP27_C_SET_ID, "" },
- { APP27_F, APP27_C_SET_ID, "" },
-
- { APP27_A, APP27_E_SET_ID, "" },
- { APP27_B, APP27_E_SET_ID, "ra" },
- { APP27_C, APP27_E_SET_ID, "xlt" },
- { APP27_D, APP27_E_SET_ID, "" },
- { APP27_E, APP27_E_SET_ID, "rwxatl" },
- { APP27_F, APP27_E_SET_ID, "" }
-};
-
-const std::vector<std::string> directories_27 = { APP27_A_PUB, APP27_D_PUB, APP27_E_PUB,
- APP27_B_SET, APP27_C_SET, APP27_E_SET,
- APP27_A_GRP, APP27_B_GRP, APP27_F_GRP};
-
-void additional_rules_prepare_directories(void)
-{
- for (auto dir = directories_27.begin(); dir != directories_27.end(); ++dir) {
- int result = mkdir(dir->c_str(), 0);
- RUNNER_ASSERT_MSG_BT(result == 0 || (result == -1 && errno == EEXIST), "directory = " <<
- dir->c_str() << "; result = " << result << "; errno = " << errno <<
- "; error = " << strerror(errno));
- }
-}
-
-void additional_rules_set_initial_state(void)
-{
- int result;
-
- DB_BEGIN
- result = perm_app_install(APP27_A.c_str());
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_A.c_str(), APP27_A_PUB.c_str(), PERM_APP_PATH_PUBLIC);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_A.c_str(), APP27_A_GRP.c_str(), PERM_APP_PATH_GROUP, "A");
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-
- result = perm_app_install(APP27_B.c_str());
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_B.c_str(), APP27_A_GRP.c_str(), PERM_APP_PATH_GROUP, "A");
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_B.c_str(), APP27_B_GRP.c_str(), PERM_APP_PATH_GROUP, "B");
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_B.c_str(), APP27_B_SET.c_str(), PERM_APP_PATH_SETTINGS);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-
- result = perm_app_install(APP27_C.c_str());
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_C.c_str(), APP27_B_GRP.c_str(), PERM_APP_PATH_GROUP, "B");
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-
- result = perm_app_install(APP27_D.c_str());
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_D.c_str(), APP27_D_PUB.c_str(), PERM_APP_PATH_PUBLIC);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-
- result = perm_app_install(APP27_E.c_str());
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_E.c_str(), APP27_E_SET.c_str(), PERM_APP_PATH_SETTINGS);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-
- DB_END
-}
-
-void additional_rules_set_add_app_state(void)
-{
- int result;
-
- DB_BEGIN
- result = perm_app_setup_path(APP27_A.c_str(), APP27_F_GRP.c_str(), PERM_APP_PATH_GROUP, "F");
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-
- result = perm_app_install(APP27_F.c_str());
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_F.c_str(), APP27_F_GRP.c_str(), PERM_APP_PATH_GROUP, "F");
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- DB_END
-}
-
-void additional_rules_set_add_dir_state(void)
-{
- int result;
-
- DB_BEGIN
- result = perm_app_setup_path(APP27_E.c_str(), APP27_E_PUB.c_str(), PERM_APP_PATH_PUBLIC);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-
- result = perm_app_setup_path(APP27_A.c_str(), APP27_B_GRP.c_str(), PERM_APP_PATH_GROUP, "B");
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_C.c_str(), APP27_F_GRP.c_str(), PERM_APP_PATH_GROUP, "F");
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- result = perm_app_setup_path(APP27_D.c_str(), APP27_A_GRP.c_str(), PERM_APP_PATH_GROUP, "A");
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-
- result = perm_app_setup_path(APP27_C.c_str(), APP27_C_SET.c_str(), PERM_APP_PATH_SETTINGS);
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
- DB_END
-}
-
-void free_null_term_tab(char** tab)
-{
- int i = 0;
- while(tab[i])
- free(tab[i++]);
-}
-
-void set_rules_1_state(void)
-{
- int result, i = 0;
- const int count = 9;
- char* rules[count] = {};
- std::unique_ptr<char*, std::function<void(char**)> > rules_pointer(rules, free_null_term_tab);
-
- result = asprintf(&rules[i++], "%s %s %s", APP27_B.c_str(), APP27_A_PUB_ID.c_str(), "rwx");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_C.c_str(), APP27_D_PUB_ID.c_str(), "rwxa");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_D.c_str(), "~PUBLIC_PATH~", "rxl");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_E.c_str(), "~PUBLIC_PATH~", "rwxat");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_F.c_str(), "~PUBLIC_PATH~", "rwxatl");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_D.c_str(), "~GROUP_PATH~", "ra");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_A.c_str(), "~SETTINGS_PATH~", "ra");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_E.c_str(), "~SETTINGS_PATH~", "xl");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- rules[i] = NULL;
-
- DB_BEGIN
- result = perm_add_additional_rules((const char**)rules);
- DB_END
-
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-}
-
-void set_rules_2_state(void)
-{
- int result, i = 0;
- const int count = 5;
- char* rules[count] = {};
- std::unique_ptr<char*, std::function<void(char**)> > rules_pointer(rules, free_null_term_tab);
-
- result = asprintf(&rules[i++], "%s %s %s", APP27_B.c_str(), "~PUBLIC_PATH~", "r");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_C.c_str(), "~PUBLIC_PATH~", "lt");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_D.c_str(), "~PUBLIC_PATH~", "xa");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_E.c_str(), "~PUBLIC_PATH~", "w");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- rules[i] = NULL;
-
- DB_BEGIN
- result = perm_add_additional_rules((const char**) rules);
- DB_END
-
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-}
-
-void set_rules_3_state(void)
-{
- int result, i = 0;
- const int count = 4;
- char* rules[count] = {};
- std::unique_ptr<char*, std::function<void(char**)> > rules_pointer(rules, free_null_term_tab);
-
- result = asprintf(&rules[i++], "%s %s %s", APP27_B.c_str(), "~GROUP_PATH~", "ra");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_C.c_str(), "~GROUP_PATH~", "xlt");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_E.c_str(), "~GROUP_PATH~", "rw");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- rules[i] = NULL;
-
- DB_BEGIN
- result = perm_add_additional_rules((const char**) rules);
- DB_END
-
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-}
-
-void set_rules_4_state(void)
-{
- int result, i = 0;
- const int count = 4;
- char* rules[count] = {};
- std::unique_ptr<char*, std::function<void(char**)> > rules_pointer(rules, free_null_term_tab);
-
- result = asprintf(&rules[i++], "%s %s %s", APP27_B.c_str(), "~SETTINGS_PATH~", "ra");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_C.c_str(), "~SETTINGS_PATH~", "xlt");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- result = asprintf(&rules[i++], "%s %s %s", APP27_E.c_str(), "~SETTINGS_PATH~", "rw");
- RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
- rules[i] = NULL;
-
- DB_BEGIN
- result = perm_add_additional_rules((const char**) rules);
- DB_END
-
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-}
-
-void cleanup_additional_rules_apps(void)
-{
- int result;
- const std::vector<std::string> apps = { APP27_A, APP27_B, APP27_C, APP27_D, APP27_E, APP27_F };
-
- DB_BEGIN
- for (auto a = apps.begin(); a != apps.end(); ++a) {
- result = perm_app_uninstall(a->c_str());
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "app = " << a->c_str() <<
- "; result = " << result);
- }
- DB_END
-}
-
-void cleanup_additional_rules_rules(void)
-{
- int result;
- const char* empty[] = { NULL };
- DB_BEGIN
- result = perm_add_additional_rules(empty);
- DB_END
- RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "result = " << result);
-}
-
-void cleanup_additional_rules_directories(void)
-{
- for (auto dir = directories_27.begin(); dir != directories_27.end(); ++dir) {
- int result = rmdir(dir->c_str());
- RUNNER_ASSERT_MSG_BT(result == 0 || (result == -1 && errno == ENOENT),
- "directory = " << dir->c_str() << "; result = " << result <<
- "; errno = " << errno << "; error = " << strerror(errno));
- }
-}
-
-void cleanup_additional_rules_all(void)
-{
- cleanup_additional_rules_apps();
- cleanup_additional_rules_rules();
- additional_rules_prepare_directories();
-}
-
-RUNNER_TEST_SMACK(privilege_control27_perm_add_additional_rules_smack_access_1_rollback)
-{
- UNUSED RestoreAdditionalRulesGuard guard;
- cleanup_additional_rules_all();
-
- //initial state
- additional_rules_set_initial_state();
- test_smack_rules_vector(initial_state);
-
- //set state with some public additional rules
- set_rules_1_state();
- test_smack_rules_vector(rules_1_state);
-
- //rollback to initial state
- cleanup_additional_rules_rules();
- test_smack_rules_vector(initial_state);
-
- //cleanup
- cleanup_additional_rules_all();
-}
-
-RUNNER_TEST_SMACK(privilege_control27_perm_add_additional_rules_smack_access_2_add_app)
-{
- UNUSED RestoreAdditionalRulesGuard guard;
- cleanup_additional_rules_all();
-
- //initial state
- additional_rules_set_initial_state();
- test_smack_rules_vector(initial_state);
-
- //set state with some public additional rules
- set_rules_1_state();
- test_smack_rules_vector(rules_1_state);
-
- //add app F
- additional_rules_set_add_app_state();
- test_smack_rules_vector(add_app_state);
-
- //cleanup
- cleanup_additional_rules_all();
-}
-
-RUNNER_TEST_SMACK(privilege_control27_perm_add_additional_rules_smack_access_3_add_dir)
-{
- UNUSED RestoreAdditionalRulesGuard guard;
- cleanup_additional_rules_all();
-
- //initial state
- additional_rules_set_initial_state();
- test_smack_rules_vector(initial_state);
-
- //set state with some public additional rules
- set_rules_1_state();
- test_smack_rules_vector(rules_1_state);
-
- //add public dir E
- additional_rules_set_add_dir_state();
- test_smack_rules_vector(add_dir_state);
-
- //cleanup
- cleanup_additional_rules_all();
-}
-
-RUNNER_TEST_SMACK(privilege_control27_perm_add_additional_rules_smack_access_4_update_rules)
-{
- UNUSED RestoreAdditionalRulesGuard guard;
- cleanup_additional_rules_all();
-
- //initial state
- additional_rules_set_initial_state();
- test_smack_rules_vector(initial_state);
-
- //set state with some additional rules
- set_rules_1_state();
- test_smack_rules_vector(rules_1_state);
-
- //set state with some public additional rules
- set_rules_2_state();
- test_smack_rules_vector(rules_2_state);
-
- //set state with some group additional rules
- set_rules_3_state();
- test_smack_rules_vector(rules_3_state);
-
- //set state with some settings additional rules
- set_rules_4_state();
- test_smack_rules_vector(rules_4_state);
-
- //cleanup
- cleanup_additional_rules_all();
-}
result = perm_app_install(APP_TEST_SETTINGS_ASP1);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error in perm_app_install. Result: " << result);
- result = perm_app_setup_permissions(APP_TEST_SETTINGS_ASP1,
- APP_TYPE_OSP, PRIV_APPSETTING);
+ result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1,
+ APP_TYPE_OSP, PRIV_APPSETTING, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error enabling App-Setting permissions. Result: " << result);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error in perm_app_install. Result: " << result);
const char *test1[] = { NULL };
- result = perm_app_setup_permissions(TEST_OSP_FEATURE_APP_ID,
- APP_TYPE_OSP, test1);
+ result = perm_app_enable_permissions(TEST_OSP_FEATURE_APP_ID,
+ APP_TYPE_OSP, test1, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error enabling permissions. Result: " << result);
<< ". Result: " << result);
// Add persistent permissions
- result = perm_app_setup_permissions(APP_ID, APP_TYPE_OSP,
- TEST_OSP_FEATURE_PRIVS);
+ result = perm_app_enable_permissions(APP_ID, APP_TYPE_OSP,
+ TEST_OSP_FEATURE_PRIVS, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_permissions from OSP Feature. Loop index: "
+ "Error in perm_app_enable_permissions from OSP Feature. Loop index: "
<< i << ". Result: " << result);
- result = perm_app_setup_permissions(APP_ID, APP_TYPE_WGT,
- TEST_WGT_FEATURE_PRIVS);
+ result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT,
+ TEST_WGT_FEATURE_PRIVS, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_permissions from WGT Feature. Loop index: "
+ "Error in perm_app_enable_permissions from WGT Feature. Loop index: "
<< i << ". Result: " << result);
DB_END
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error in perm_app_install."
<< " Result: " << result);
- result = perm_app_setup_permissions(APP_TEST_SETTINGS_ASP1,
- APP_TYPE_OSP, PRIV_APPSETTING);
+ result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1,
+ APP_TYPE_OSP, PRIV_APPSETTING, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
"Error registering App-Setting permissions."
<< " Result: " << result);
for (int j = 0; j < (app_count/2); ++j)
{
// add persistent api feature permissions
- result = perm_app_setup_permissions(app_ids[j], APP_TYPE_OSP,
- TEST_OSP_FEATURE_PRIVS);
+ result = perm_app_enable_permissions(app_ids[j], APP_TYPE_OSP,
+ TEST_OSP_FEATURE_PRIVS, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_permissions from OSP Feature. App id: "
+ "Error in perm_app__permissions from OSP Feature. App id: "
<< app_ids[j] << " Loop index: " << i << ". Result: " << result);
- result = perm_app_setup_permissions(app_ids[j+5], APP_TYPE_WGT,
- TEST_WGT_FEATURE_PRIVS);
+ result = perm_app_enable_permissions(app_ids[j+5], APP_TYPE_WGT,
+ TEST_WGT_FEATURE_PRIVS, true);
RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
- "Error in perm_app_setup_permissions from WGT Feature. App id: "
+ "Error in perm_app_enable_permissions from WGT Feature. App id: "
<< app_ids[j+5] << " Loop index: " << i << ". Result: " << result);
}
SET(SEC_SRV_TC_SERVER_SOURCES
${PROJECT_SOURCE_DIR}/tests/security-server-tests/server.cpp
- ${PROJECT_SOURCE_DIR}/tests/security-server-tests/open_for.cpp
${PROJECT_SOURCE_DIR}/tests/security-server-tests/cookie_api.cpp
${PROJECT_SOURCE_DIR}/tests/security-server-tests/weird_arguments.cpp
${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_clean_env.cpp
#include "security_server_tests_common.h"
const unsigned int PASSWORD_RETRY_TIMEOUT_US = 500000;
-
-void check_app_has_privilege(const char *app_id, const app_type_t app_type,
- const char *perm_list[], const int expected_result)
-{
- int has_privilege = false;
- int result = SECURITY_SERVER_API_SUCCESS;
-
- for (int i = 0; perm_list[i] != NULL; i++) {
- result = security_server_app_has_privilege(app_id, app_type, perm_list[i], &has_privilege);
- RUNNER_ASSERT_MSG_BT(result == SECURITY_SERVER_API_SUCCESS,
- "security_server_app_has_privilege failed with result: " << result);
- RUNNER_ASSERT_MSG_BT(has_privilege == expected_result,
- "Unexpected result, has_privilege returned: " << has_privilege
- << ", expected: " << expected_result);
- }
-}
-
-void check_app_caller_has_privilege(const app_type_t app_type, const char *perm_list[],
- const int expected_result)
-{
- int has_privilege = false;
- int result = SECURITY_SERVER_API_SUCCESS;
-
- for (int i = 0; perm_list[i] != NULL; i++) {
- result = security_server_app_caller_has_privilege(app_type, perm_list[i], &has_privilege);
- RUNNER_ASSERT_MSG_BT(result == SECURITY_SERVER_API_SUCCESS,
- "security_server_app_caller_has_privilege failed with result: " << result);
- RUNNER_ASSERT_MSG_BT(has_privilege == expected_result,
- "Unexpected result, caller_has_privilege returned: " << has_privilege
- << ", expected: " << expected_result);
- }
-}
-
-void check_app_has_privilege_denied(const char *app_id, const app_type_t app_type,
- const char *perm_list[])
-{
- int has_privilege = false;
- int result = SECURITY_SERVER_API_SUCCESS;
-
- for (int i = 0; perm_list[i] != NULL; i++) {
- // call api function - should return access denied error
- result = security_server_app_has_privilege(app_id, app_type, perm_list[i], &has_privilege);
- RUNNER_ASSERT_MSG_BT(result == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "security_server_app_has_privilege returned unexpected value, "
- "result: " << result);
- }
-}
-
-void check_app_caller_has_privilege_denied(const app_type_t app_type, const char *perm_list[])
-{
- int has_privilege = false;
- int result = SECURITY_SERVER_API_SUCCESS;
-
- for (int i = 0; perm_list[i] != NULL; i++) {
- // call api function - should return access denied error
- result = security_server_app_caller_has_privilege(app_type, perm_list[i], &has_privilege);
- RUNNER_ASSERT_MSG_BT(result == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "security_server_app_caller_has_privilege returned unexpected value, "
- "result: " << result);
- }
-}
extern const unsigned int PASSWORD_RETRY_TIMEOUT_US;
-void check_app_has_privilege(const char *app_id, const app_type_t app_type,
- const char *perm_list[], const int expected_result);
-
-void check_app_caller_has_privilege(const app_type_t app_type, const char *perm_list[],
- const int expected_result);
-
-void check_app_has_privilege_denied(const char *app_id, const app_type_t app_type,
- const char *perm_list[]);
-
-void check_app_caller_has_privilege_denied(const app_type_t app_type, const char *perm_list[]);
-
#endif /* SECURITY_SERVER_TESTS_COMMON_H_ */
"Error in security_server_get_smacklabel_cookie() argument checking");
}
-//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_06_01_security_server_get_uid_by_cookie)
-{
- uid_t uid;
- int ret = security_server_get_uid_by_cookie(NULL, &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
-}
-
-//passing NULL as an uid pointer
-RUNNER_CHILD_TEST(tc_arguments_06_02_security_server_get_uid_by_cookie)
-{
- Cookie cookie = getCookieFromSS();
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
-}
-
-//---------------------------------------------------------------------------
-//passing NULL as an cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_07_01_security_server_get_gid_by_cookie)
-{
- gid_t gid;
- int ret = security_server_get_gid_by_cookie(NULL, &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
-}
-
-//passing NULL as an gid pointer
-RUNNER_CHILD_TEST(tc_arguments_07_02_security_server_get_gid_by_cookie)
-{
- Cookie cookie = getCookieFromSS();
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
-}
-
/*
}
//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_07_01_security_server_get_uid_by_cookie)
-{
- Cookie cookie = getCookieFromSS();
-
- uid_t uid;
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_02_security_server_get_uid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_07_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie(KNOWN_COOKIE_SIZE);
- uid_t uid;
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_uid_by_cookie(): " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_03_security_server_get_uid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_07_02");
- provider.allowFunction("security_server_get_uid_by_cookie");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie = getCookieFromSS();
- uid_t uid;
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_08_01_security_server_get_gid_by_cookie)
-{
- Cookie cookie = getCookieFromSS();
-
- gid_t gid;
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_02_security_server_get_gid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_08_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie(KNOWN_COOKIE_SIZE);
- gid_t gid;
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_gid_by_cookie(): " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_03_security_server_get_gid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_08_03");
- provider.allowFunction("security_server_get_gid_by_cookie");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie = getCookieFromSS();
- gid_t gid;
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
-}
-
-//---------------------------------------------------------------------------
// apply smack labels and drop privileges
RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_cookie_API_access_allow)
{
+++ /dev/null
-/*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
- */
-/*
- * @file security_server_tests_open-for.cpp
- * @author Zbigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief Test cases for security server open-for API
- */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <string>
-#include <vector>
-
-#include <tests_common.h>
-#include <dpl/test/test_runner.h>
-#include <dpl/log/log.h>
-
-#pragma GCC diagnostic warning "-Wdeprecated-declarations"
-#include <access_provider.h>
-#include <security-server.h>
-
-const std::string SENDER = "open-for-sender";
-const std::string AUTHORIZED_RECEIVER = "open-for-client";
-const std::string UNAUTHORIZED_RECEIVER = "open-for-bad-client";
-
-const std::string file = "file";
-const std::string dir = "/var/run/security-server/";
-const std::string path = dir + file;
-const std::string write_buf1 = "ala ma kota";
-const std::string write_buf2 = "kot ma ale";
-
-void clearSecureDir(void) {
- if (unlink(path.c_str()))
- RUNNER_ASSERT_MSG_BT((ENOENT == errno), "unlink error: " << strerror(errno));
-}
-
-RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_OPEN_FOR_API);
-
-RUNNER_CHILD_TEST_SMACK(tc01_shared_file_open_new_file)
-{
- ScopedClose fd;
-
- // clear secure dir
- clearSecureDir();
-
- SecurityServer::AccessProvider provider(SENDER);
- provider.allowFunction("security_server_open_for");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_shared_file_open(file.c_str(), AUTHORIZED_RECEIVER.c_str(),
- fd.Ptr());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = write(fd.Get(), write_buf1.c_str(), write_buf1.size());
- RUNNER_ASSERT_MSG_BT(ret == static_cast<int>(write_buf1.size()), "error in write: " << ret);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc02_shared_file_open_existing_file)
-{
- // clear secure dir
- clearSecureDir();
-
- // prepare file for tests before dropping privs
- ScopedClose fd(open(path.c_str(), O_RDWR | O_CREAT));
- RUNNER_ASSERT_MSG_BT(-1 != fd.Get(), "open error: " << strerror(errno));
- fd.Reset();
-
- SecurityServer::AccessProvider provider(SENDER);
- provider.allowFunction("security_server_open_for");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_shared_file_open(file.c_str(), AUTHORIZED_RECEIVER.c_str(), fd.Ptr());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_FILE_EXIST, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc03_shared_file_reopen_auth_existing_file_for_read)
-{
- clearSecureDir();
-
- ScopedClose fd(open(path.c_str(), O_RDWR | O_CREAT));
- int ret = write(fd.Get(), write_buf1.c_str(), write_buf1.size());
- RUNNER_ASSERT_MSG_BT(ret == static_cast<int>(write_buf1.size()), "error in write: " << ret);
- RUNNER_ASSERT_MSG_BT(0 >= smack_setlabel(path.c_str(), AUTHORIZED_RECEIVER.c_str(),
- SMACK_LABEL_ACCESS), "smack_setlabel error");
- fd.Reset();
-
- SecurityServer::AccessProvider provider(AUTHORIZED_RECEIVER);
- provider.allowFunction("security_server_open_for");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- ret = security_server_shared_file_reopen(file.c_str(), fd.Ptr());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- std::vector<char> read_buf1(write_buf1.size());
- ret = read(fd.Get(), read_buf1.data(), write_buf1.size());
- RUNNER_ASSERT_MSG_BT(ret == static_cast<int>(write_buf1.size()), "error in read: " << strerror(errno));
- RUNNER_ASSERT_MSG_BT(std::string(read_buf1.data(), ret) == write_buf1, "string mismatch");
-}
-
-RUNNER_CHILD_TEST_SMACK(tc04_shared_file_reopen_auth_existing_file_for_write)
-{
- clearSecureDir();
-
- ScopedClose fd(open(path.c_str(), O_RDWR | O_CREAT));
- RUNNER_ASSERT_MSG_BT(-1 != fd.Get(), "open error: " << strerror(errno));
- int ret = write(fd.Get(), write_buf1.c_str(), write_buf1.size());
- RUNNER_ASSERT_MSG_BT(ret == static_cast<int>(write_buf1.size()), "error in write: " << ret);
- fd.Reset();
- RUNNER_ASSERT_MSG_BT(0 >= smack_setlabel(path.c_str(), AUTHORIZED_RECEIVER.c_str(),
- SMACK_LABEL_ACCESS), "smack_setlabel error");
-
- SecurityServer::AccessProvider provider(AUTHORIZED_RECEIVER);
- provider.allowFunction("security_server_open_for");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- ret = security_server_shared_file_reopen(file.c_str(), fd.Ptr());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- RUNNER_ASSERT_MSG_BT(-1 != ftruncate(fd.Get(), 0), "error in ftruncate: " << strerror(errno));
- std::vector<char> read_buf2(write_buf2.size());
- ret = write(fd.Get(), write_buf2.c_str(), write_buf2.size());
-
- RUNNER_ASSERT_MSG_BT(-1 != lseek(fd.Get(), 0L, 0), "error in lseek: " << strerror(errno));
- ret = read(fd.Get(), read_buf2.data(), write_buf2.size());
- RUNNER_ASSERT_MSG_BT(std::string(read_buf2.data(), ret) == write_buf2, "string mismatch");
-}
-
-RUNNER_CHILD_TEST_SMACK(tc05_shared_file_reopen_unauth_existing_file_for_read)
-{
- clearSecureDir();
-
- ScopedClose fd(open(path.c_str(), O_RDWR | O_CREAT));
- RUNNER_ASSERT_MSG_BT(-1 != fd.Get(), "open error: " << strerror(errno));
- fd.Reset();
- RUNNER_ASSERT_MSG_BT(0 >= smack_setlabel(path.c_str(), AUTHORIZED_RECEIVER.c_str(),
- SMACK_LABEL_ACCESS), "smack_setlabel error");
-
- SecurityServer::AccessProvider provider(UNAUTHORIZED_RECEIVER);
- provider.allowFunction("security_server_open_for");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_shared_file_reopen(file.c_str(), fd.Ptr());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc06_shared_file_delete_unauth_existing_file)
-{
- clearSecureDir();
-
- ScopedClose fd(open(path.c_str(), O_RDWR | O_CREAT));
- RUNNER_ASSERT_MSG_BT(-1 != fd.Get(), "open error: " << strerror(errno));
- fd.Reset();
- RUNNER_ASSERT_MSG_BT(0 >= smack_setlabel(path.c_str(), AUTHORIZED_RECEIVER.c_str(),
- SMACK_LABEL_ACCESS), "smack_setlabel error");
-
- SecurityServer::AccessProvider provider(UNAUTHORIZED_RECEIVER);
- provider.allowFunction("security_server_open_for");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_shared_file_delete(file.c_str());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc07_shared_file_delete_auth_existing_file)
-{
- clearSecureDir();
-
- ScopedClose fd(open(path.c_str(), O_RDWR | O_CREAT));
- RUNNER_ASSERT_MSG_BT(-1 != fd.Get(), "open error: " << strerror(errno));
- fd.Reset();
- RUNNER_ASSERT_MSG_BT(0 >= smack_setlabel(path.c_str(), AUTHORIZED_RECEIVER.c_str(),
- SMACK_LABEL_ACCESS), "smack_setlabel error");
-
- SecurityServer::AccessProvider provider(AUTHORIZED_RECEIVER);
- provider.allowFunction("security_server_open_for");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_shared_file_delete(file.c_str());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc08_shared_file_delete_missing_file)
-{
- SecurityServer::AccessProvider provider(AUTHORIZED_RECEIVER);
- provider.allowFunction("security_server_open_for");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_shared_file_delete(file.c_str());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc09_shared_file_open_bad_file_name)
-{
- SecurityServer::AccessProvider provider(SENDER);
- provider.allowFunction("security_server_open_for");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- std::vector<std::string> badFile = { "/plik","-plik",".plik","..plik","..",".","../plik",
- "../../plik" };
-
- for (auto iter = badFile.begin(); iter != badFile.end(); ++iter) {
- ScopedClose fd;
- int ret = security_server_shared_file_open((*iter).c_str(), AUTHORIZED_RECEIVER.c_str(),
- fd.Ptr());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
- }
-}
/*Number of calls in a single test*/
#define NUMBER_OF_CALLS (5)
#define MICROSECS_PER_SEC (1000000)
-/*the constant is defined in security-server-common.h, not accessable to the outside world*/
-#define SECURITY_SERVER_MAX_OBJ_NAME (30)
/* number of miliseconds, process will be suspended for multiplications of this quantum */
#define QUANTUM (10000)
/*Strings used in tests*/
@return -1 if the function result code indicated network error, 0 otherwise
*/
int communication_succeeded(int result_code) {
- if ((result_code == SECURITY_SERVER_API_ERROR_SOCKET) ||
- (result_code == SECURITY_SERVER_API_ERROR_SEND_FAILED) ||
- (result_code == SECURITY_SERVER_API_ERROR_RECV_FAILED))
+ switch(result_code)
+ {
+ case SECURITY_SERVER_API_ERROR_SOCKET:
+ case SECURITY_SERVER_API_ERROR_BAD_REQUEST:
+ case SECURITY_SERVER_API_ERROR_BAD_RESPONSE:
return -1;
- else
+ default:
return 0;
+ }
}
/** Returns current system time (wrapper for standard system function)
return result;
}
-double timeval_to_secs(timeval t) {
- return ((double)t.tv_sec) + (t.tv_usec / (double)MICROSECS_PER_SEC);
-}
-
double timeval_to_microsecs(timeval t) {
return ((double)t.tv_sec * (double)MICROSECS_PER_SEC) + ((double)t.tv_usec);
}
-timeval secs_to_timeval(double s) {
- timeval t;
- t.tv_sec = (time_t)s;
- t.tv_usec = (__suseconds_t) ((s - (double)t.tv_sec) * MICROSECS_PER_SEC);
- return t;
-}
-
/** Initialize statistics at the beginning of a TEST_CASE
@param stats [in/out] statistics to be initialized
*/
}
}
-int apply_smack_rule(const char *subject, const char *object, const char *rule)
-{
- struct smack_accesses *ruleHandler = NULL;
- if (smack_accesses_new(&ruleHandler) != 0)
- goto error;
- if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
- goto error;
- if (smack_accesses_apply(ruleHandler) != 0)
- goto error;
-
- smack_accesses_free(ruleHandler);
- return 0;
-
-error:
- smack_accesses_free(ruleHandler);
- return -1;
-}
-
-RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //checking function
- uid_t cookieUid, realUid;
- realUid = getuid();
- retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
- RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
-
- //checking for input parameters
- retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
- retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
-}
-
-RUNNER_CHILD_TEST_SMACK(tc11_security_server_get_uid_by_cookie_smack)
-{
- const char* tc11testlabel = "tc11testlabel";
-
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //preapare SMACK environment
- RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc11testlabel) == 0,
- "Unable to set label for self");
- RUNNER_ASSERT_MSG_BT(smack_revoke_subject(tc11testlabel) == 0,
- "Error in smack_revoke_subject");
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- //checking function
- uid_t cookieUid;
- retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
-}
-
-RUNNER_CHILD_TEST_SMACK(tc12_security_server_get_uid_by_cookie_smack)
-{
- const char* tc12testlabel = "tc12testlabel";
-
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- uid_t realUid = getuid();
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //preapare SMACK environment
- RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc12testlabel) == 0,
- "Unable to set label for self");
- RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc12testlabel,
- "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- //checking function
- uid_t cookieUid;
- retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
- RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
-}
-
-RUNNER_CHILD_TEST_NOSMACK(tc12_security_server_get_uid_by_cookie_nosmack)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- uid_t realUid = getuid();
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- //checking function
- uid_t cookieUid;
- retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
- RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
-}
-
-RUNNER_CHILD_TEST_SMACK(tc13_security_server_get_uid_by_cookie_smack)
-{
- const char* tc13testlabel = "tc13testlabel";
-
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- //preapare SMACK environment
- RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc13testlabel) == 0,
- "Unable to set label for self");
- RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc13testlabel,
- "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
- RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc13testlabel,
- "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //checking function
- uid_t cookieUid, realUid = getuid();
- retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
- RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
-}
-
-RUNNER_CHILD_TEST_NOSMACK(tc13_security_server_get_uid_by_cookie_nosmack)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //checking function
- uid_t cookieUid, realUid = getuid();
- retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
- RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
-}
-
-RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //checking function
- gid_t cookieGid, realGid;
- realGid = getgid();
- retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
- RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID");
-
- //checking for input parameters
- retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
- retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
-
-}
-
-RUNNER_CHILD_TEST_SMACK(tc15_security_server_get_gid_by_cookie_smack)
-{
- const char* tc15testlabel = "tc15testlabel";
-
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //preapare SMACK environment
- RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc15testlabel) == 0,
- "Unable to set label for self");
- RUNNER_ASSERT_MSG_BT(smack_revoke_subject(tc15testlabel) == 0,
- "Error in smack_revoke_subject");
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- //checking function
- gid_t cookieGid;
- retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
-}
-
-RUNNER_CHILD_TEST_SMACK(tc16_security_server_get_gid_by_cookie_smack)
-{
- const char* tc16testlabel = "tc16testlabel";
-
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- std::vector<char> cookie(cookieSize);
-
- gid_t realGid = getgid();
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //preapare SMACK environment
- RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc16testlabel) == 0,
- "Unable to set label for self");
- RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc16testlabel,
- "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- //checking function
- gid_t cookieGid;
- retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
- RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
-}
-
-RUNNER_CHILD_TEST_NOSMACK(tc16_security_server_get_gid_by_cookie_nosmack)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- std::vector<char> cookie(cookieSize);
-
- gid_t realGid = getgid();
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- //checking function
- gid_t cookieGid;
- retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
- RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc17_security_server_get_gid_by_cookie_smack)
-{
- const char* tc17testlabel = "tc17testlabel";
-
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- //preapare SMACK environment
- RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc17testlabel) == 0,
- "Unable to set label for self");
- RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc17testlabel,
- "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
- RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc17testlabel,
- "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //checking function
- gid_t cookieGid, realGid = getgid();
- retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
- RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
-}
-
-RUNNER_CHILD_TEST_NOSMACK(tc17_security_server_get_gid_by_cookie_nosmack)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
-
- //drop privileges
- RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
- RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
-
- std::vector<char> cookie(cookieSize);
- int retval = security_server_request_cookie(&cookie[0], cookieSize);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
-
- //checking function
- gid_t cookieGid, realGid = getgid();
- retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
- RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
- RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
-}
-
RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) {
int res;
#define API_FREE_ACCESS "------"
#define DBUS_SERVER_NAME "test.method.server"
-#define DBUS_SERVER_OBJECT "/test/method/server/Object"
-#define DBUS_SERVER_INTERFACE DBUS_SERVER_NAME ".Type"
-#define DBUS_SERVER_METHOD "Method"
#define DBUS_CALLER_NAME "test.method.caller"
#define DBUS_SMACK_NAME "org.freedesktop.DBus"
const char *access_rights);
int security_server_get_cookie_pid(const char *cookie);
char *security_server_get_smacklabel_cookie(const char *cookie);
- int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
- int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
*/
int ret;
size_t COOKIE_SIZE;
- uid_t uid;
- gid_t gid;
//security_server_get_cookie_size()
COOKIE_SIZE = security_server_get_cookie_size();
}
}
- //security_server_get_uid_by_cookie()
- ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- if (ret < 0) {
- appendError("Error in security_server_get_uid_by_cookie(): " + std::to_string(ret));
- return;
- }
- uid_t trueUid = getuid();
- if (trueUid != uid) {
- appendError("Error in UID match");
- return;
- }
-
- //security_server_get_gid_by_cookie()
- ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- if (ret < 0) {
- appendError("Error in security_server_get_gid_by_cookie(): " + std::to_string(ret));
- return;
- }
- gid_t trueGid = getgid();
- if (trueGid != gid) {
- appendError("Error in GID match");
- return;
- }
-
std::lock_guard<std::mutex> lock(g_mutex);
++g_successes;
}
const char *TEST04_SUBJECT = "subject_57dfbfc5";
const char *TEST07_SUBJECT = "subject_cd738844";
const char *TEST08_SUBJECT = "subject_fd84ba7f";
-const char *TEST09_SUBJECT = "subject_sstest09";
-const char *TEST10_SUBJECT = "subject_sstest10";
-const char *TEST11_SUBJECT = "subject_sstest11";
-const char *TEST12_SUBJECT = "subject_sstest12";
const char *API_PASSWD_SET = "security-server::api-password-set";
const char *API_PASSWD_CHECK = "security-server::api-password-check";
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
}
-RUNNER_CHILD_TEST(tc09_check_API_app_enable_permissions)
-{
- int ret;
- const char *perm_list[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
- int persistent = 1;
-
- // need to install WGT once again, in case it was removed before
- DB_BEGIN
- ret = perm_app_uninstall(WGT_APP_ID);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
- ret = perm_app_install(WGT_APP_ID);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
- DB_END
-
- // enable permission
- ret = security_server_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list, persistent);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- SecurityServer::AccessProvider provider(TEST09_SUBJECT);
- provider.allowFunction("security_server_app_has_privilege");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- // Check if permissions are given
- check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, true);
-}
-
-RUNNER_CHILD_TEST(tc10_check_API_app_disable_permissions)
-{
- int ret;
- const char *perm_list[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
-
- // need to install WGT once again, in case it was removed before
- DB_BEGIN
- ret = perm_app_uninstall(WGT_APP_ID);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
- ret = perm_app_install(WGT_APP_ID);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
- DB_END
-
- // disable permission
- ret = security_server_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- SecurityServer::AccessProvider provider(TEST10_SUBJECT);
- provider.allowFunction("security_server_app_has_privilege");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- // Check if permissions are disabled
- check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, false);
-}
-
-RUNNER_TEST(tc11_security_server_app_has_privilege)
-{
- int ret;
- const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
- const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
- "org.tizen.privilege.calendar.write",
- NULL};
- const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
- NULL};
- DB_BEGIN
- ret = perm_app_uninstall(TEST11_SUBJECT);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
- ret = perm_app_install(TEST11_SUBJECT);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
- DB_END
-
- // enable permission
- ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- // Check if permissions are given using API with app_label parameter
- check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, true);
- check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, true);
- check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_disabled, false);
-}
-
-RUNNER_CHILD_TEST(tc12_security_server_app_caller_has_privilege)
-{
- int ret;
- const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
- const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
- "org.tizen.privilege.calendar.write",
- NULL};
- const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
- NULL};
-
- DB_BEGIN
- ret = perm_app_uninstall(TEST11_SUBJECT);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
- ret = perm_app_install(TEST11_SUBJECT);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
- DB_END
-
- // enable permission
- ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- SecurityServer::AccessProvider provider(TEST11_SUBJECT);
- provider.allowFunction("security_server_app_caller_has_privilege");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- // Check if permissions are given using "caller" API
- check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_pers, true);
- check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_temp, true);
- check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_disabled, false);
-}
-
-RUNNER_CHILD_TEST(tc13_check_API_app_has_privilege_denied)
-{
- int ret;
- const char *perm_list[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
-
- // set smack label without previously assigned permissions to api socket
- ret = smack_set_label_for_self(TEST12_SUBJECT);
- RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
-
- // call common function to perform the check
- check_app_caller_has_privilege_denied(APP_TYPE_WGT, perm_list);
-
- // call also second common function
- check_app_has_privilege_denied(TEST12_SUBJECT, APP_TYPE_WGT, perm_list);
-}
-
//////////////////////////////////////////
/////////NOSMACK ENV TESTS////////////////
//////////////////////////////////////////
#include <dpl/test/test_runner.h>
#include <dpl/log/log.h>
-#define SECURITY_SERVER_MAX_OBJ_NAME 30
-
RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_WEIRD_ARGUMENTS);
RUNNER_TEST(tc01_security_server_get_gid_weird_input_case)
projects / platform / core / test / security-tests.git / commitdiff