From: Marcin Lis Date: Thu, 3 Oct 2013 14:20:27 +0000 (+0200) Subject: Add new Libprivilege and Security-Server API tests. X-Git-Tag: security-manager_5.5_testing~331 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f20ac8226cdc4e28a1263ad05f1db9af19ae8acf;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Add new Libprivilege and Security-Server API tests. [Issue#] SSDWSSP-527 [Feature] N/A [Cause] New API for checking app permission assignment created. [Solution] Use new API functions in libprivilege-tests and security-server-tests-server. Also tc09 and tc10 in ssts are now corrected. [Verification] Build, install & run tests. Change-Id: I4fe8b9f3699f60f7a63d92332ba5fa910ca2400d --- diff --git a/tests/common/tests_common.cpp b/tests/common/tests_common.cpp index 7f974b05..d27c22f8 100644 --- a/tests/common/tests_common.cpp +++ b/tests/common/tests_common.cpp @@ -25,6 +25,8 @@ int DB::Transaction::db_result = PC_OPERATION_SUCCESS; +const char *WGT_APP_ID = "QwCqJ0ttyS"; + int smack_runtime_check(void) { static int smack_present = -1; diff --git a/tests/common/tests_common.h b/tests/common/tests_common.h index bca0da28..18ad08c6 100644 --- a/tests/common/tests_common.h +++ b/tests/common/tests_common.h @@ -156,5 +156,10 @@ namespace DB { RUNNER_ASSERT_MSG(PC_OPERATION_SUCCESS == DB::Transaction::db_result, \ "perm_end returned: " << DB::Transaction::db_result); +// Common typedefs +typedef std::unique_ptr > SmackUniquePtr; + +// Common macros and labels used in tests +extern const char *WGT_APP_ID; #endif diff --git a/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h index 103c7926..301ac92c 100644 --- a/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h +++ b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h @@ -29,6 +29,7 @@ #include #include #include +#include // How many open file descriptors should ftw() function use? #define FTW_MAX_FDS 16 @@ -75,7 +76,6 @@ #define APP_TEST_APP_2_SHARED_LABEL "test-application2-shared" #define APP_TEST_APP_3_SHARED_LABEL "test-application3-shared" -#define WGT_APP_ID "QwCqJ0ttyS" #define WGT_PARTNER_APP_ID "7btsV1Y0sX" #define WGT_PLATFORM_APP_ID "G4DE3U2vmW" @@ -360,6 +360,8 @@ int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment); void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment); +void check_app_has_permission(const char* app_id, const app_type_t app_type, + const char *perm_list[], const int expected_result); void test_revoke_permissions(int line_no, const char* app_id, const rules_t &rules, bool smack); void test_app_enable_permissions_efl(bool smack); diff --git a/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp index 09b53abb..5d6a529e 100644 --- a/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp +++ b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp @@ -277,6 +277,21 @@ int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, return 0; } +void check_app_has_permission(const char* app_id, const app_type_t app_type, + const char *perm_list[], const int expected_result) +{ + int result = PC_OPERATION_SUCCESS; + bool has_permission = false; + + for (int i = 0; perm_list[i] != NULL; i++) { + result = perm_app_has_permission(app_id, app_type, perm_list[i], &has_permission); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "perm_app_has_permission failed with result: " << result); + RUNNER_ASSERT_MSG(has_permission == expected_result, + "Unexpected result, perm_app_has_permission returned: " << has_permission + << ", expected: " << expected_result); + } +} void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment) { int result; @@ -388,6 +403,9 @@ void test_app_enable_permissions_efl(bool smack) RUNNER_ASSERT_MSG(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}), "SMACK accesses not granted for EFL_APP"); + // Check if permission is assigned to app in db + check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true); + DB_BEGIN // Cleanup @@ -396,6 +414,9 @@ void test_app_enable_permissions_efl(bool smack) "perm_app_uninstall failed: " << result); DB_END + + // Check if permission is disabled in db + check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false); } void test_app_disable_permissions_efl(bool smack) @@ -423,6 +444,9 @@ void test_app_disable_permissions_efl(bool smack) RUNNER_ASSERT_MSG(check_all_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}), "SMACK accesses not granted for EFL_APP"); + // Check if permission is assigned to app in db + check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, true); + DB_BEGIN // Disable a permission @@ -435,6 +459,9 @@ void test_app_disable_permissions_efl(bool smack) RUNNER_ASSERT_MSG(check_no_accesses(smack, {{EFL_APP_ID,"test_book_efl", "r"}}), "SMACK accesses not disabled for EFL_APP"); + // Check if permission is disabled in db + check_app_has_permission(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, false); + DB_BEGIN // Cleanup @@ -473,6 +500,9 @@ void test_app_disable_permissions(bool smack) // Are all the permissions enabled? RUNNER_ASSERT_MSG(check_all_accesses(smack, rules2), "Not all permisions enabled."); + // Check if permissions are enabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true); + DB_BEGIN // Disable permissions @@ -485,6 +515,9 @@ void test_app_disable_permissions(bool smack) // Are all the permissions disabled? RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2), "Not all permisions disabled."); + // Check if permission is disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + /** * Test - disable some granted permissions leaving non complementary and then disabling those too. */ @@ -514,6 +547,11 @@ void test_app_disable_permissions(bool smack) // Are all first permissions not disabled? RUNNER_ASSERT_MSG(check_all_accesses(smack, rules_wgt2), "Some of second permissions disabled."); + // Check if second permission is disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + // Check if first permission is enabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS, true); + DB_BEGIN // Disable first permissions @@ -526,6 +564,9 @@ void test_app_disable_permissions(bool smack) // Are all second permissions disabled? RUNNER_ASSERT_MSG(check_no_accesses(smack, rules_wgt2), "Not all second permisions disabled."); + // Check if permission is disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS, false); + /** * Test - disable only no r granted permissions. */ @@ -549,6 +590,11 @@ void test_app_disable_permissions(bool smack) // Are all no r permissions disabled? RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2_no_r), "Not all no r permissions disabled."); + // Check if second permission is enabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, true); + // Check if permission is disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false); + DB_BEGIN // Prepare permissions @@ -571,6 +617,9 @@ void test_app_disable_permissions(bool smack) RUNNER_ASSERT_MSG(check_no_accesses(smack, rules2_r), "Not all r permissions disabled."); + // Check if permission is disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false); + DB_BEGIN // Clean up after test: diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp index 1ed8e0d0..f784166e 100644 --- a/tests/libprivilege-control-tests/test_cases.cpp +++ b/tests/libprivilege-control-tests/test_cases.cpp @@ -351,6 +351,9 @@ RUNNER_TEST_SMACK(privilege_control04_add_permissions) DB_END + // Check if permission is assigned to app in db + check_app_has_permission(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true); + // Check if the accesses are realy applied.. result = test_have_all_accesses(rules_efl); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); @@ -780,6 +783,9 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) result = test_have_all_accesses(rules2); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); + // Check if permission is assigned to app in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true); + DB_BEGIN // Clean up @@ -787,10 +793,17 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); + DB_END + + // Check if permission is disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + /** * Test - Enabling all permissions with persistant mode disabled */ + DB_BEGIN + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, 0); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error enabling app permissions. Result: " << result); @@ -801,6 +814,9 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) result = test_have_all_accesses(rules2); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); + // Check if permission is assigned to app in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true); + DB_BEGIN // Clean up @@ -808,10 +824,17 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); + DB_END + + // Check if permission is disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false); + /** * Test - Enabling all permissions in two complementary files */ + DB_BEGIN + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, 1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error enabling app permissions. Result: " << result); @@ -822,6 +845,9 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) result = test_have_all_accesses(rules2_no_r); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); + // Check if permissions are assigned to app in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, true); + DB_BEGIN // Clean up @@ -829,10 +855,17 @@ RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions) RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error revoking app permissions. Result: " << result); + DB_END + + // Check if permissions are disabled in db + check_app_has_permission(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false); + /** * Test - Enabling some permissions and then enabling complementary permissions */ + DB_BEGIN + // Enable permission for rules 2 no r result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, 1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, diff --git a/tests/libprivilege-control-tests/test_cases_incorrect_params.cpp b/tests/libprivilege-control-tests/test_cases_incorrect_params.cpp index a101580c..5cdfc35b 100644 --- a/tests/libprivilege-control-tests/test_cases_incorrect_params.cpp +++ b/tests/libprivilege-control-tests/test_cases_incorrect_params.cpp @@ -162,4 +162,20 @@ RUNNER_TEST(privilege_control21l_incorrect_params_ignored_disable_permissions) "perm_app_disable_permissions didn't check if pkg_id is valid."); } - +RUNNER_TEST(privilege_control21m_incorrect_params_perm_app_has_permission) +{ + bool has_permission; + + RUNNER_ASSERT_MSG(perm_app_has_permission(NULL, APP_TYPE_WGT, + PRIVS2[0], &has_permission) == PC_ERR_INVALID_PARAM, + "perm_app_has_permission didn't check if pkg_id isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_has_permission(APP_ID, APP_TYPE_OTHER, + PRIVS2[0], &has_permission) == PC_ERR_INVALID_PARAM, + "perm_app_has_permission should not accept app_type = OTHER."); + RUNNER_ASSERT_MSG(perm_app_has_permission(APP_ID, APP_TYPE_WGT, + NULL, &has_permission) == PC_ERR_INVALID_PARAM, + "perm_app_has_permission didn't check if permission_name isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_has_permission(APP_ID, APP_TYPE_WGT, + PRIVS2[0], NULL) == PC_ERR_INVALID_PARAM, + "perm_app_has_permission didn't check if has_permission isn't NULL."); +} diff --git a/tests/libprivilege-control-tests/test_cases_nosmack.cpp b/tests/libprivilege-control-tests/test_cases_nosmack.cpp index 75cb01fa..005c7f21 100644 --- a/tests/libprivilege-control-tests/test_cases_nosmack.cpp +++ b/tests/libprivilege-control-tests/test_cases_nosmack.cpp @@ -48,11 +48,9 @@ #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL" namespace { -typedef std::unique_ptr > SmackUniquePtr; - void closefdptr(int* fd) { close(*fd); } typedef std::unique_ptr > FDUniquePtr; -} +} //namespace ///////////////////////////////////////// //////NOSMACK ENVIRONMENT TESTS////////// @@ -176,7 +174,8 @@ RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack) RUNNER_ASSERT_MSG(result == -1, "Despite SMACK being off some accesses were added. Result: " << result); - // TODO check entry in database + // Check if permission is assigned to app in db + check_app_has_permission(APP_ID, APP_TYPE_EFL, PRIVS_EFL, true); } void set_app_privilege_nosmack(int line_no, diff --git a/tests/security-server-tests/CMakeLists.txt b/tests/security-server-tests/CMakeLists.txt index 1bae78de..44d395db 100644 --- a/tests/security-server-tests/CMakeLists.txt +++ b/tests/security-server-tests/CMakeLists.txt @@ -24,6 +24,7 @@ INCLUDE(FindPkgConfig) # Dependencies PKG_CHECK_MODULES(SEC_SRV_TESTS_DEP libsmack + libprivilege-control security-server dpl-test-efl dlog @@ -51,6 +52,7 @@ SET(SEC_SRV_CLIENT_SMACK_SOURCES SET(SEC_SRV_TC_SERVER_SOURCES ${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_tests_server.cpp ${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_tests_weird_arguments.cpp + ${PROJECT_SOURCE_DIR}/tests/security-server-tests/common/security_server_tests_common.cpp ) SET(SEC_SRV_PWD_SOURCES @@ -76,6 +78,7 @@ INCLUDE_DIRECTORIES(SYSTEM INCLUDE_DIRECTORIES( ${PROJECT_SOURCE_DIR}/tests/common/ + ${PROJECT_SOURCE_DIR}/tests/security-server-tests/common/ ) ADD_DEFINITIONS("-I/usr/include/dbus-1.0/dbus") diff --git a/tests/security-server-tests/common/security_server_tests_common.cpp b/tests/security-server-tests/common/security_server_tests_common.cpp new file mode 100644 index 00000000..1a349f5e --- /dev/null +++ b/tests/security-server-tests/common/security_server_tests_common.cpp @@ -0,0 +1,85 @@ +/* + * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +*/ + +/* + * @file security_server_tests_common.cpp + * @author Marcin Lis (m.lis@samsung.com) + * @version 1.0 + * @brief security-server tests commons + */ + +#include "security_server_tests_common.h" + +void check_app_has_privilege(const char *app_id, const app_type_t app_type, + const char *perm_list[], const int expected_result) +{ + int has_privilege = false; + int result = SECURITY_SERVER_API_SUCCESS; + + for (int i = 0; perm_list[i] != NULL; i++) { + result = security_server_app_has_privilege(app_id, app_type, perm_list[i], &has_privilege); + RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_SUCCESS, + "security_server_app_has_privilege failed with result: " << result); + RUNNER_ASSERT_MSG(has_privilege == expected_result, + "Unexpected result, has_privilege returned: " << has_privilege + << ", expected: " << expected_result); + } +} + +void check_app_caller_has_privilege(const app_type_t app_type, const char *perm_list[], + const int expected_result) +{ + int has_privilege = false; + int result = SECURITY_SERVER_API_SUCCESS; + + for (int i = 0; perm_list[i] != NULL; i++) { + result = security_server_app_caller_has_privilege(app_type, perm_list[i], &has_privilege); + RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_SUCCESS, + "security_server_app_caller_has_privilege failed with result: " << result); + RUNNER_ASSERT_MSG(has_privilege == expected_result, + "Unexpected result, caller_has_privilege returned: " << has_privilege + << ", expected: " << expected_result); + } +} + +void check_app_has_privilege_denied(const char *app_id, const app_type_t app_type, + const char *perm_list[]) +{ + int has_privilege = false; + int result = SECURITY_SERVER_API_SUCCESS; + + for (int i = 0; perm_list[i] != NULL; i++) { + // call api function - should return access denied error + result = security_server_app_has_privilege(app_id, app_type, perm_list[i], &has_privilege); + RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, + "security_server_app_has_privilege returned unexpected value, " + "result: " << result); + } +} + +void check_app_caller_has_privilege_denied(const app_type_t app_type, const char *perm_list[]) +{ + int has_privilege = false; + int result = SECURITY_SERVER_API_SUCCESS; + + for (int i = 0; perm_list[i] != NULL; i++) { + // call api function - should return access denied error + result = security_server_app_caller_has_privilege(app_type, perm_list[i], &has_privilege); + RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, + "security_server_app_caller_has_privilege returned unexpected value, " + "result: " << result); + } +} diff --git a/tests/security-server-tests/common/security_server_tests_common.h b/tests/security-server-tests/common/security_server_tests_common.h new file mode 100644 index 00000000..e2e774bb --- /dev/null +++ b/tests/security-server-tests/common/security_server_tests_common.h @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +*/ + +/* + * @file security_server_tests_common.h + * @author Marcin Lis (m.lis@samsung.com) + * @version 1.0 + * @brief security-server tests commons + */ + +#include +#include +#include "tests_common.h" + +#ifndef SECURITY_SERVER_TESTS_COMMON_H_ +#define SECURITY_SERVER_TESTS_COMMON_H_ + +void check_app_has_privilege(const char *app_id, const app_type_t app_type, + const char *perm_list[], const int expected_result); + +void check_app_caller_has_privilege(const app_type_t app_type, const char *perm_list[], + const int expected_result); + +void check_app_has_privilege_denied(const char *app_id, const app_type_t app_type, + const char *perm_list[]); + +void check_app_caller_has_privilege_denied(const app_type_t app_type, const char *perm_list[]); + +#endif /* SECURITY_SERVER_TESTS_COMMON_H_ */ diff --git a/tests/security-server-tests/security_server_tests_server.cpp b/tests/security-server-tests/security_server_tests_server.cpp index ff1e6345..49b79815 100644 --- a/tests/security-server-tests/security_server_tests_server.cpp +++ b/tests/security-server-tests/security_server_tests_server.cpp @@ -28,6 +28,7 @@ #include #include #include +#include "security_server_tests_common.h" #include "tests_common.h" #include "test.h" @@ -37,6 +38,10 @@ #define TEST06_SUBJECT "subject_1d414140" #define TEST07_SUBJECT "subject_cd738844" #define TEST08_SUBJECT "subject_fd84ba7f" +const char *TEST09_SUBJECT = "subject_sstest09"; +const char *TEST10_SUBJECT = "subject_sstest10"; +const char *TEST11_SUBJECT = "subject_sstest11"; +const char *TEST12_SUBJECT = "subject_sstest12"; #define SECURITY_SERVER_SOCK_PATH "/tmp/.security_server.sock" #define COOKIE_SIZE 20 @@ -47,10 +52,11 @@ /* from security-server-common.h */ #define SECURITY_SERVER_MAX_OBJ_NAME 30 -#define API_PASSWD_SET "security-server::api-password-set" -#define API_PASSWD_CHECK "security-server::api-password-check" -#define API_DATA_SHARE "security-server::api-data-share" -#define API_MIDDLEWARE "security-server::api-middleware" +#define API_PASSWD_SET "security-server::api-password-set" +#define API_PASSWD_CHECK "security-server::api-password-check" +#define API_DATA_SHARE "security-server::api-data-share" +#define API_MIDDLEWARE "security-server::api-middleware" +#define API_PRIVILEGE_BY_NAME "security-server::api-app-privilege-by-name" #define API_FREE_ACCESS "*" #define API_RULE_REQUIRED "w" @@ -819,24 +825,169 @@ RUNNER_CHILD_TEST_SMACK(tc08_check_API_data_share_denied) RUNNER_CHILD_TEST(tc09_check_API_app_enable_permissions) { int ret; - const char *app_id = "test_app"; - app_type_t app_type = APP_TYPE_WGT; - const char *perm_list[] = {"aaa", "bbb", "ccc", NULL}; + const char *perm_list[] = {"org.tizen.privilege.contact.read", + "org.tizen.privilege.contact.write", + NULL}; int persistent = 1; - ret = security_server_app_enable_permissions(app_id, app_type, perm_list, persistent); + // need to install WGT once again, in case it was removed before + DB_BEGIN + ret = perm_app_uninstall(WGT_APP_ID); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret); + ret = perm_app_install(WGT_APP_ID); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret); + DB_END + + // enable permission + ret = security_server_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list, persistent); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + /* allow subject TEST09_SUBJECT to socket label security-server::api-privilege-by-name */ + struct smack_accesses *handle = NULL; + ret = smack_accesses_new(&handle); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + SmackUniquePtr smackAccPtr(handle, smack_accesses_free); + handle = NULL; // it is better to reset standard pointer after that + + ret = smack_accesses_add(smackAccPtr.get(), TEST09_SUBJECT, API_PRIVILEGE_BY_NAME, API_RULE_REQUIRED); RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + ret = smack_accesses_apply(smackAccPtr.get()); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + ret = smack_set_label_for_self(TEST09_SUBJECT); + RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret); + + // drop root privileges + RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); + + // Check if permissions are given + check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, true); } RUNNER_CHILD_TEST(tc10_check_API_app_disable_permissions) { int ret; - const char *app_id = "test_app"; - app_type_t app_type = APP_TYPE_WGT; - const char *perm_list[] = {"aaa", "bbb", "ccc", NULL}; + const char *perm_list[] = {"org.tizen.privilege.contact.read", + "org.tizen.privilege.contact.write", + NULL}; + + // need to install WGT once again, in case it was removed before + DB_BEGIN + ret = perm_app_uninstall(WGT_APP_ID); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret); + ret = perm_app_install(WGT_APP_ID); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret); + DB_END + + // disable permission + ret = security_server_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + /* allow subject TEST10_SUBJECT to socket label security-server::api-privilege-by-name */ + struct smack_accesses *handle = NULL; + ret = smack_accesses_new(&handle); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + SmackUniquePtr smackAccPtr(handle, smack_accesses_free); + handle = NULL; // it is better to reset standard pointer after that + + ret = smack_accesses_add(smackAccPtr.get(), TEST10_SUBJECT, API_PRIVILEGE_BY_NAME, API_RULE_REQUIRED); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); - ret = security_server_app_disable_permissions(app_id, app_type, perm_list); + ret = smack_accesses_apply(smackAccPtr.get()); RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + ret = smack_set_label_for_self(TEST10_SUBJECT); + RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret); + + // drop root privileges + RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); + + // Check if permissions are disabled + check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, false); +} + +RUNNER_CHILD_TEST(tc11_check_API_app_has_privilege_allow) +{ + int ret; + const char *perm_list_pers[] = {"org.tizen.privilege.contact.read", + "org.tizen.privilege.contact.write", + NULL}; + const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read", + "org.tizen.privilege.calendar.write", + NULL}; + const char *perm_list_disabled[] = {"org.tizen.privilege.alarm", + NULL}; + + // simulate app installation - add TEST11_SUBJECT to databse + ret = perm_app_uninstall(TEST11_SUBJECT); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret); + + DB_BEGIN + ret = perm_app_uninstall(TEST11_SUBJECT); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret); + ret = perm_app_install(TEST11_SUBJECT); + RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret); + DB_END + + // enable permission + ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + // allow subject TEST11_SUBJECT to sockets (label privilege-by-name) + struct smack_accesses *handle = NULL; + ret = smack_accesses_new(&handle); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + SmackUniquePtr smackAccPtr(handle, smack_accesses_free); + handle = NULL; // it is better to reset standard pointer after that + + ret = smack_accesses_add(smackAccPtr.get(), TEST11_SUBJECT, API_PRIVILEGE_BY_NAME, API_RULE_REQUIRED); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + ret = smack_accesses_apply(smackAccPtr.get()); + RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); + + ret = smack_set_label_for_self(TEST11_SUBJECT); + RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret); + + // drop root privileges + RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); + + // Check if permissions are given using "caller" API + check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_pers, true); + check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_temp, true); + check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_disabled, false); + + // Check if permissions are given using API with app_label parameter + check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, true); + check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, true); + check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_disabled, false); +} + +RUNNER_CHILD_TEST(tc12_check_API_app_has_privilege_denied) +{ + int ret; + const char *perm_list[] = {"org.tizen.privilege.contact.read", + "org.tizen.privilege.contact.write", + NULL}; + + // set smack label without previously assigned permissions to api socket + ret = smack_set_label_for_self(TEST12_SUBJECT); + RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret); + + // drop root privileges + RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); + + // call common function to perform the check + check_app_caller_has_privilege_denied(APP_TYPE_WGT, perm_list); + + // call also second common function + check_app_has_privilege_denied(TEST12_SUBJECT, APP_TYPE_WGT, perm_list); } //////////////////////////////////////////