From: Lukasz Kostyra Date: Thu, 12 Sep 2013 08:32:22 +0000 (+0200) Subject: Add antivirus privilege test cases X-Git-Tag: security-manager_5.5_testing~341 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1c3444ae62962d7823c818a5a31630f5ea06f313;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Add antivirus privilege test cases [Issue#] SSDWSSP-491 [Feature] Add test cases checking if AV has access to every type of folders set by perm_app_setup_path - GROUP_RW, SETTINGS_RW, PUBLIC_RO. Both SMACK and NOSMACK version of tests was added. [Cause] N/A [Solution] N/A [Verification] Build and run libprivilege-control-test. Test should pass both on SMACK and NOSMACK environment. Change-Id: Ie073095f4ca78e86f9d7a7e1d5ec5e7014229504 --- diff --git a/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h index 9973fabc..446306b2 100644 --- a/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h +++ b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h @@ -57,6 +57,12 @@ #define APP_TEST_AV_1 "test-antivirus1" #define APP_TEST_AV_2 "test-antivirus_2" #define APP_TEST_AV_3 "test-av-3" +#define APP_TEST_APP_1_DIR "/tmp/test-application1/" +#define APP_TEST_APP_2_DIR "/tmp/test-application2/" +#define APP_TEST_APP_3_DIR "/tmp/test-application3/" +#define APP_TEST_APP_1_SHARED_LABEL "test-application1-shared" +#define APP_TEST_APP_2_SHARED_LABEL "test-application2-shared" +#define APP_TEST_APP_3_SHARED_LABEL "test-application3-shared" #define WGT_APP_ID "QwCqJ0ttyS" #define WGT_PARTNER_APP_ID "7btsV1Y0sX" @@ -87,6 +93,7 @@ extern const char *PRIVS_WGT[]; extern const char *PRIVS_OSP[]; extern const char* PRIV_APPSETTING[]; +extern const char* PRIVS_AV[]; // Rules from test_privilege_control_rules.smack const std::vector< std::vector > rules = { @@ -320,5 +327,8 @@ int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, int /*typeflag*/, struct FTW* /*ftwbuf*/); +void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment); +void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment); + #endif /* LIBPRIVILEGE_CONTROL_TEST_COMMON_H_ */ diff --git a/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp index 180cd92b..9e815f74 100644 --- a/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp +++ b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp @@ -36,6 +36,8 @@ const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL }; const char* PRIV_APPSETTING[] {"org.tizen.privilege.appsetting", NULL}; +const char* PRIVS_AV[] = { "org.tizen.privilege.antivirus", NULL }; + void cleaning_smack_app_files (void) { unlink(SMACK_RULES_DIR APP_TEST_APP_1); @@ -206,3 +208,42 @@ int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, return 0; } + +void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment) +{ + int result; + result = smack_have_access(av_id, app_id, "rwx"); + RUNNER_ASSERT_MSG(result == 1, + "Error while checking " << av_id << " rwx access to " + << app_id << " " << comment << " Result: " << result); + result = smack_have_access(av_id, app_id, "a"); + RUNNER_ASSERT_MSG(result == 0, + "Error while checking " << av_id << " a access to " + << app_id << " " << comment << " Result: " << result); + result = smack_have_access(av_id, app_id, "t"); + RUNNER_ASSERT_MSG(result == 0, + "Error while checking " << av_id << " t access to " + << app_id << " " << comment << " Result: " << result); +} + +/** + * NOSMACK version of checkOnlyAvAccess function. + * + * Expects error instead of access granted/forbidden from smack_have_access. + */ +void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment) +{ + int result; + result = smack_have_access(av_id, app_id, "rwx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result + << " when testing " << comment); + result = smack_have_access(av_id, app_id, "a"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result + << " when testing " << comment); + result = smack_have_access(av_id, app_id, "t"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result + << " when testing " << comment); +} diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp index 88942342..79636b8a 100644 --- a/tests/libprivilege-control-tests/test_cases.cpp +++ b/tests/libprivilege-control-tests/test_cases.cpp @@ -734,23 +734,6 @@ RUNNER_TEST(privilege_control07_app_uninstall) close(fd); } -void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment) -{ - int result; - result = smack_have_access(av_id, app_id, "rwx"); - RUNNER_ASSERT_MSG(result == 1, - "Error while checking " << av_id << " rwx access to " - << app_id << " " << comment << " Result: " << result); - result = smack_have_access(av_id, app_id, "a"); - RUNNER_ASSERT_MSG(result == 0, - "Error while checking " << av_id << " a access to " - << app_id << " " << comment << " Result: " << result); - result = smack_have_access(av_id, app_id, "t"); - RUNNER_ASSERT_MSG(result == 0, - "Error while checking " << av_id << " t access to " - << app_id << " " << comment << " Result: " << result); -} - /* * Check app_register_av function * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install) @@ -1785,3 +1768,244 @@ RUNNER_TEST(privilege_control20_early_rules) RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found"); RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found"); } + +/** + * AV Privilege test cases. + * + * Each privilege_control24* test case tests antivirus privileges for each app_type_t, except for + * deprecated APP_TYPE_OTHER type. + */ + +int nftw_remove_dir(const char* filename, const struct stat* /*statptr*/, int /*fileflags*/, + struct FTW* /*pfwt*/) +{ + int result = -1; + + struct stat filestat; + + result = stat(filename, &filestat); + RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to get file statistics. Result: " + << result << ", error: " << strerror(errno) << ", file: " << filename); + + if(S_ISREG(filestat.st_mode)) { + result = unlink(filename); + RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to unlink file. Result: " + << result << ", error: " << strerror(errno) << ", file: " << filename); + } else if(S_ISDIR(filestat.st_mode)) { + result = rmdir(filename); + RUNNER_ASSERT_MSG(result == 0, "NFTW error: Failed to remove dir. Result: " + << result << ", error: " << strerror(errno) << ", file: " << filename); + } + + return 0; +} + +void InstallApp(const char* pkg_id, const char* path, app_path_type_t app_path_type, + const char* shared_label) +{ + int result = -1; + + result = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP); + RUNNER_ASSERT_MSG(result == 0, "Can't create dir for tests. Result: " << result << + ", error: " << strerror(errno) << ", app_path_type: " << app_path_type); + + DB_BEGIN + + result = perm_app_revoke_permissions(pkg_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: " + << result << ", app_path_type: " << app_path_type); + result = perm_app_uninstall(pkg_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: " + << result << ", app_path_type: " << app_path_type); + + result = perm_app_install(pkg_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: " + << result << ", app_path_type: " << app_path_type); + result = perm_app_setup_path(pkg_id, path, app_path_type, shared_label); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_setup_path failed. Result: " + << result << ", app_path_type: " << app_path_type); + + DB_END +} + +void InstallAV(const char* av_id, app_type_t av_type) +{ + int result = -1; + + DB_BEGIN + + result = perm_app_revoke_permissions(av_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "revoke_permissions failed. Result: " + << result << ", av_type: " << av_type); + result = perm_app_uninstall(av_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_uninstall failed. Result: " + << result << ", av_type: " << av_type); + + result = perm_app_install(av_id); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "perm_app_install failed. Result: " + << result << ", av_type: " << av_type); + result = perm_app_enable_permissions(av_id, av_type, PRIVS_AV, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "enable_permissions failed. Result: " + << result << ", av_type: " << av_type); + + DB_END +} + +void CheckAVPrivilege(app_type_t av_type, app_path_type_t app_path_type) +{ + int result = -1; + + //clean before test + result = nftw(APP_TEST_APP_1_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result << + ", error " << strerror(errno)); + + result = nftw(APP_TEST_APP_2_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result << + ", error " << strerror(errno)); + + result = nftw(APP_TEST_APP_3_DIR, nftw_remove_dir, FTW_MAX_FDS, FTW_DEPTH | FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0 || errno == ENOENT, "Failed to nftw. Result: " << result << + ", error " << strerror(errno)); + + InstallApp(APP_TEST_APP_1, APP_TEST_APP_1_DIR, app_path_type, APP_TEST_APP_1_SHARED_LABEL); + InstallAV(APP_TEST_AV_1, av_type); + InstallApp(APP_TEST_APP_2, APP_TEST_APP_2_DIR, app_path_type, APP_TEST_APP_2_SHARED_LABEL); + InstallAV(APP_TEST_AV_2, av_type); + InstallApp(APP_TEST_APP_3, APP_TEST_APP_3_DIR, app_path_type, APP_TEST_APP_3_SHARED_LABEL); + + //test - get ACCESS label and check AV privilege + + char* tmp; + + //get labels + result = smack_lgetlabel(APP_TEST_APP_1_DIR, &tmp, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result + << ", av_type: " << av_type << ", app_path_type: " << app_path_type); + std::string label1(tmp); + free(tmp); + + result = smack_lgetlabel(APP_TEST_APP_2_DIR, &tmp, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result + << ", av_type: " << av_type << ", app_path_type: " << app_path_type); + std::string label2(tmp); + free(tmp); + + result = smack_lgetlabel(APP_TEST_APP_3_DIR, &tmp, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "smack_lgetlabel failed. Result: " << result + << ", av_type: " << av_type << ", app_path_type: " << app_path_type); + std::string label3(tmp); + free(tmp); + + if(app_path_type == APP_PATH_GROUP_RW) + { + result = label1.compare(APP_TEST_APP_1_SHARED_LABEL); + RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 << + ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result << + ", av_type: " << av_type << ", app_path_type: " << app_path_type); + + result = label2.compare(APP_TEST_APP_2_SHARED_LABEL); + RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 << + ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result << + ", av_type: " << av_type << ", app_path_type: " << app_path_type); + + result = label3.compare(APP_TEST_APP_3_SHARED_LABEL); + RUNNER_ASSERT_MSG(result == 0, "Labels do not equal. Acquired " << label1 << + ", should be " << APP_TEST_APP_1_SHARED_LABEL << ". Result: " << result << + ", av_type: " << av_type << ", app_path_type: " << app_path_type); + } + + std::stringstream ss; + + //check AV accesses + if(smack_check()) + { + ss << "APP_TEST_APP_1, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_1, label1.c_str(), ss.str().c_str()); + ss.str(std::string()); + + ss << "APP_TEST_APP_2, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_1, label2.c_str(), ss.str().c_str()); + ss.str(std::string()); + + ss << "APP_TEST_APP_3, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_1, label3.c_str(), ss.str().c_str()); + + ss << "APP_TEST_APP_1, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_2, label1.c_str(), ss.str().c_str()); + ss.str(std::string()); + + ss << "APP_TEST_APP_2, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_2, label2.c_str(), ss.str().c_str()); + ss.str(std::string()); + + ss << "APP_TEST_APP_3, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccess(APP_TEST_AV_2, label3.c_str(), ss.str().c_str()); + } + else + { + ss << "APP_TEST_APP_1, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_1, label1.c_str(), ss.str().c_str()); + + ss.str(std::string()); + ss << "APP_TEST_APP_2, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_1, label2.c_str(), ss.str().c_str()); + + ss.str(std::string()); + ss << "APP_TEST_APP_3, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_1, label3.c_str(), ss.str().c_str()); + + ss << "APP_TEST_APP_1, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_2, label1.c_str(), ss.str().c_str()); + + ss.str(std::string()); + ss << "APP_TEST_APP_2, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_2, label2.c_str(), ss.str().c_str()); + + ss.str(std::string()); + ss << "APP_TEST_APP_3, line " << __LINE__ << + ", av_type: " << av_type << ", app_path_type: " << app_path_type; + checkOnlyAvAccessNosmack(APP_TEST_AV_2, label3.c_str(), ss.str().c_str()); + } + + //Clean up + perm_app_revoke_permissions(APP_TEST_AV_1); + perm_app_revoke_permissions(APP_TEST_AV_2); + perm_app_uninstall(APP_TEST_AV_1); + perm_app_uninstall(APP_TEST_AV_2); + perm_app_uninstall(APP_TEST_APP_1); + perm_app_uninstall(APP_TEST_APP_2); + perm_app_uninstall(APP_TEST_APP_3); +} + +RUNNER_TEST(privilege_control24a_av_privilege_group_rw) +{ + CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_GROUP_RW); + CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_GROUP_RW); + CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_GROUP_RW); +} + +RUNNER_TEST(privilege_control24b_av_privilege_settings_rw) +{ + CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_SETTINGS_RW); + CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_SETTINGS_RW); + CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_SETTINGS_RW); +} + +RUNNER_TEST(privilege_control24c_av_privilege_public_ro) +{ + CheckAVPrivilege(APP_TYPE_WGT, APP_PATH_PUBLIC_RO); + CheckAVPrivilege(APP_TYPE_OSP, APP_PATH_PUBLIC_RO); + CheckAVPrivilege(APP_TYPE_EFL, APP_PATH_PUBLIC_RO); +} diff --git a/tests/libprivilege-control-tests/test_cases_nosmack.cpp b/tests/libprivilege-control-tests/test_cases_nosmack.cpp index 79e7850f..36df1ba4 100644 --- a/tests/libprivilege-control-tests/test_cases_nosmack.cpp +++ b/tests/libprivilege-control-tests/test_cases_nosmack.cpp @@ -406,28 +406,6 @@ RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nos check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); } -/** - * NOSMACK version of checkOnlyAvAccess function. - * - * Expects error instead of access granted/forbidden from smack_have_access. - */ -void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment) -{ - int result; - result = smack_have_access(av_id, app_id, "rwx"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result - << " when testing " << comment); - result = smack_have_access(av_id, app_id, "a"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result - << " when testing " << comment); - result = smack_have_access(av_id, app_id, "t"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result - << " when testing " << comment); -} - /* * NOSMACK version of privilege_control10_app_register_av test. *