From 768490c2e701b8fec57fab7ba7fc1ec5651769cb Mon Sep 17 00:00:00 2001 From: Zofia Abramowska Date: Fri, 13 Sep 2013 20:15:29 +0200 Subject: [PATCH] Clean up libprivilege-control test cases [Issue#] N/A [Bug/Feature] N/A [Cause] All test cases were in one file of 4200 lines. [Solution] Divided test cases by functionalities tested : normaln, nosmack, incorrect parameters, stress tests. Put them in different source files, removed unused includes and macros, created commons containing macros/functions used by different tests. Created RUNNER GROUP for every funcionality. [Verification] Build. Run libprivilege-control-test --output=text --runignored - all tests should pass except for 4 ignores. Change-Id: Iaf905e0cdcda043974958d294cc85e60e8d40752 --- tests/libprivilege-control-tests/CMakeLists.txt | 5 + .../common/libprivilege-control_test_common.h | 324 +++ .../libprivilege-control_test_common.cpp | 208 ++ tests/libprivilege-control-tests/test_cases.cpp | 2675 +------------------- .../test_cases_incorrect_params.cpp | 165 ++ .../test_cases_nosmack.cpp | 1074 ++++++++ .../test_cases_stress.cpp | 817 ++++++ 7 files changed, 2700 insertions(+), 2568 deletions(-) create mode 100644 tests/libprivilege-control-tests/common/libprivilege-control_test_common.h create mode 100644 tests/libprivilege-control-tests/libprivilege-control_test_common.cpp create mode 100644 tests/libprivilege-control-tests/test_cases_incorrect_params.cpp create mode 100644 tests/libprivilege-control-tests/test_cases_nosmack.cpp create mode 100644 tests/libprivilege-control-tests/test_cases_stress.cpp diff --git a/tests/libprivilege-control-tests/CMakeLists.txt b/tests/libprivilege-control-tests/CMakeLists.txt index 06458fa..1822c14 100644 --- a/tests/libprivilege-control-tests/CMakeLists.txt +++ b/tests/libprivilege-control-tests/CMakeLists.txt @@ -33,6 +33,10 @@ PKG_CHECK_MODULES(LPC_TARGET_DEP SET(LPC_TARGET_TEST_SOURCES ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/libprivilege-control-test.cpp ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_cases.cpp + ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_cases_nosmack.cpp + ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_cases_incorrect_params.cpp + ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_cases_stress.cpp + ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp ) #header directories @@ -42,6 +46,7 @@ INCLUDE_DIRECTORIES(SYSTEM INCLUDE_DIRECTORIES( ${PROJECT_SOURCE_DIR}/tests/common/ + ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/common/ ) #preprocessor definitions diff --git a/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h new file mode 100644 index 0000000..9973fab --- /dev/null +++ b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h @@ -0,0 +1,324 @@ +/* + * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +*/ + +/* + * @file test_cases.cpp + * @author Zofia Abramowska (z.abramowska@samsung.com) + * @version 1.0 + * @brief libprivilege-control tests commons + */ + +#ifndef LIBPRIVILEGE_CONTROL_TEST_COMMON_H_ +#define LIBPRIVILEGE_CONTROL_TEST_COMMON_H_ + +#include +#include +#include +#include + +// How many open file descriptors should ftw() function use? +#define FTW_MAX_FDS 16 + +#define SOCK_PATH "/tmp/test-smack-socket" + +#define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/" + +#define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir" +#define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir" + +#define APP_ID "test_APP" +#define APPID_DIR "test_APP_ID_dir" +#define APPID_SHARED_DIR "test_APP_ID_shared_dir" + +#define APP_FRIEND_1 "app_friend_1" +#define APP_FRIEND_2 "app_friend_2" + +#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list" +#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac" +#define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac" +#define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac" + +#define APP_TEST_APP_1 "test-application1" +#define APP_TEST_APP_2 "test-application_2" +#define APP_TEST_APP_3 "test-app-3" +#define APP_TEST_AV_1 "test-antivirus1" +#define APP_TEST_AV_2 "test-antivirus_2" +#define APP_TEST_AV_3 "test-av-3" + +#define WGT_APP_ID "QwCqJ0ttyS" +#define WGT_PARTNER_APP_ID "7btsV1Y0sX" +#define WGT_PLATFORM_APP_ID "G4DE3U2vmW" + +#define OSP_APP_ID "uqNfgEjqc7" +#define OSP_PARTNER_APP_ID "j4RuPsZrNt" +#define OSP_PLATFORM_APP_ID "V5LKqDFBXm" + +#define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123" +#define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner" +#define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform" + +#define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp" +#define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner" +#define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform" + +#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP" + +//correct and incorrect PID used in incorrect params test +const pid_t PID_CORRECT = 0; +const pid_t PID_INCORRECT = -1; + +extern const char *PRIVS[]; +extern const char *PRIVS2[]; + +extern const char *PRIVS_WGT[]; +extern const char *PRIVS_OSP[]; + +extern const char* PRIV_APPSETTING[]; + +// Rules from test_privilege_control_rules.smack +const std::vector< std::vector > rules = { + { APP_ID, "test_book_1", "r" }, + { APP_ID, "test_book_2", "w" }, + { APP_ID, "test_book_3", "x" }, + { APP_ID, "test_book_4", "rw" }, + { APP_ID, "test_book_5", "rx" }, + { APP_ID, "test_book_6", "wx" }, + { APP_ID, "test_book_7", "rwx" }, + { "test_subject_1", APP_ID, "r" }, + { "test_subject_2", APP_ID, "w" }, + { "test_subject_3", APP_ID, "x" }, + { "test_subject_4", APP_ID, "rw" }, + { "test_subject_5", APP_ID, "rx" }, + { "test_subject_6", APP_ID, "wx" }, + { "test_subject_7", APP_ID, "rwx" }, + { APP_ID, APPID_SHARED_DIR, "rwxat"} +}; + +// Rules from WRT_test_privilege_control_rules2.smack +const std::vector< std::vector > rules2 = { + { WGT_APP_ID, "test_book_8", "r" }, + { WGT_APP_ID, "test_book_9", "w" }, + { WGT_APP_ID, "test_book_10", "x" }, + { WGT_APP_ID, "test_book_11", "rw" }, + { WGT_APP_ID, "test_book_12", "rx" }, + { WGT_APP_ID, "test_book_13", "wx" }, + { WGT_APP_ID, "test_book_14", "rwx" }, + { WGT_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", WGT_APP_ID, "r" }, + { "test_subject_9", WGT_APP_ID, "w" }, + { "test_subject_10", WGT_APP_ID, "x" }, + { "test_subject_11", WGT_APP_ID, "rw" }, + { "test_subject_12", WGT_APP_ID, "rx" }, + { "test_subject_13", WGT_APP_ID, "wx" }, + { "test_subject_14", WGT_APP_ID, "rwx" }, + { "test_subject_15", WGT_APP_ID, "rwxat" } +}; + +// Rules from WRT_test_privilege_control_rules_no_r.smack +const std::vector< std::vector > rules2_no_r = { + { WGT_APP_ID, "test_book_9", "w" }, + { WGT_APP_ID, "test_book_10", "x" }, + { WGT_APP_ID, "test_book_11", "w" }, + { WGT_APP_ID, "test_book_12", "x" }, + { WGT_APP_ID, "test_book_13", "x" }, + { WGT_APP_ID, "test_book_14", "wx" }, + { WGT_APP_ID, "test_book_15", "wxat" }, + { "test_subject_9", WGT_APP_ID, "w" }, + { "test_subject_10", WGT_APP_ID, "x" }, + { "test_subject_11", WGT_APP_ID, "w" }, + { "test_subject_12", WGT_APP_ID, "x" }, + { "test_subject_13", WGT_APP_ID, "x" }, + { "test_subject_14", WGT_APP_ID, "wx" }, + { "test_subject_15", WGT_APP_ID, "wxat" } +}; + +// Rules from test_privilege_control_rules.smack +// minus WRT_test_privilege_control_rules_no_r.smack +const std::vector< std::vector > rules2_r = { + { WGT_APP_ID, "test_book_8", "r" }, + { WGT_APP_ID, "test_book_11", "r" }, + { WGT_APP_ID, "test_book_12", "r" }, + { WGT_APP_ID, "test_book_14", "r" }, + { WGT_APP_ID, "test_book_15", "r" }, + { "test_subject_8", WGT_APP_ID, "r" }, + { "test_subject_11", WGT_APP_ID, "r" }, + { "test_subject_12", WGT_APP_ID, "r" }, + { "test_subject_14", WGT_APP_ID, "r" }, + { "test_subject_15", WGT_APP_ID, "r" } +}; + +// Rules from EFL_test_privilege_control_rules_osp.smack for osp_platform +const std::vector< std::vector > rules_efl = { + { APP_ID, "test_book_efl", "r" } +}; + +// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt +const std::vector< std::vector > rules_wgt = { + { WGT_APP_ID, "test_book_8", "r" }, + { WGT_APP_ID, "test_book_9", "w" }, + { WGT_APP_ID, "test_book_10", "x" }, + { WGT_APP_ID, "test_book_11", "rw" }, + { WGT_APP_ID, "test_book_12", "rx" }, + { WGT_APP_ID, "test_book_13", "wx" }, + { WGT_APP_ID, "test_book_14", "rwx" }, + { WGT_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", WGT_APP_ID, "r" }, + { "test_subject_9", WGT_APP_ID, "w" }, + { "test_subject_10", WGT_APP_ID, "x" }, + { "test_subject_11", WGT_APP_ID, "rw" }, + { "test_subject_12", WGT_APP_ID, "rx" }, + { "test_subject_13", WGT_APP_ID, "wx" }, + { "test_subject_14", WGT_APP_ID, "rwx" }, + { "test_subject_15", WGT_APP_ID, "rwxat" } +}; + +// Rules from WRT_test_privilege_control_rules.smack for wgt +const std::vector< std::vector > rules_wgt2 = { + { WGT_APP_ID, "test_book_1", "r" }, + { WGT_APP_ID, "test_book_2", "w" }, + { WGT_APP_ID, "test_book_3", "x" }, + { WGT_APP_ID, "test_book_4", "rw" }, + { WGT_APP_ID, "test_book_5", "rx" }, + { WGT_APP_ID, "test_book_6", "wx" }, + { WGT_APP_ID, "test_book_7", "rwx" }, + { "test_subject_1", WGT_APP_ID, "r" }, + { "test_subject_2", WGT_APP_ID, "w" }, + { "test_subject_3", WGT_APP_ID, "x" }, + { "test_subject_4", WGT_APP_ID, "rw" }, + { "test_subject_5", WGT_APP_ID, "rx" }, + { "test_subject_6", WGT_APP_ID, "wx" }, + { "test_subject_7", WGT_APP_ID, "rwx" } +}; + +// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_partner +const std::vector< std::vector > rules_wgt_partner = { + { WGT_PARTNER_APP_ID, "test_book_8", "r" }, + { WGT_PARTNER_APP_ID, "test_book_9", "w" }, + { WGT_PARTNER_APP_ID, "test_book_10", "x" }, + { WGT_PARTNER_APP_ID, "test_book_11", "rw" }, + { WGT_PARTNER_APP_ID, "test_book_12", "rx" }, + { WGT_PARTNER_APP_ID, "test_book_13", "wx" }, + { WGT_PARTNER_APP_ID, "test_book_14", "rwx" }, + { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", WGT_PARTNER_APP_ID, "r" }, + { "test_subject_9", WGT_PARTNER_APP_ID, "w" }, + { "test_subject_10", WGT_PARTNER_APP_ID, "x" }, + { "test_subject_11", WGT_PARTNER_APP_ID, "rw" }, + { "test_subject_12", WGT_PARTNER_APP_ID, "rx" }, + { "test_subject_13", WGT_PARTNER_APP_ID, "wx" }, + { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" }, + { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" } +}; + +// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_platform +const std::vector< std::vector > rules_wgt_platform = { + { WGT_PLATFORM_APP_ID, "test_book_8", "r" }, + { WGT_PLATFORM_APP_ID, "test_book_9", "w" }, + { WGT_PLATFORM_APP_ID, "test_book_10", "x" }, + { WGT_PLATFORM_APP_ID, "test_book_11", "rw" }, + { WGT_PLATFORM_APP_ID, "test_book_12", "rx" }, + { WGT_PLATFORM_APP_ID, "test_book_13", "wx" }, + { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" }, + { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", WGT_PLATFORM_APP_ID, "r" }, + { "test_subject_9", WGT_PLATFORM_APP_ID, "w" }, + { "test_subject_10", WGT_PLATFORM_APP_ID, "x" }, + { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" }, + { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" }, + { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" }, + { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" }, + { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" } +}; + +// Rules from OSP_test_privilege_control_rules_osp.smack for osp +const std::vector< std::vector > rules_osp = { + { OSP_APP_ID, "test_book_8", "r" }, + { OSP_APP_ID, "test_book_9", "w" }, + { OSP_APP_ID, "test_book_10", "x" }, + { OSP_APP_ID, "test_book_11", "rw" }, + { OSP_APP_ID, "test_book_12", "rx" }, + { OSP_APP_ID, "test_book_13", "wx" }, + { OSP_APP_ID, "test_book_14", "rwx" }, + { OSP_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", OSP_APP_ID, "r" }, + { "test_subject_9", OSP_APP_ID, "w" }, + { "test_subject_10", OSP_APP_ID, "x" }, + { "test_subject_11", OSP_APP_ID, "rw" }, + { "test_subject_12", OSP_APP_ID, "rx" }, + { "test_subject_13", OSP_APP_ID, "wx" }, + { "test_subject_14", OSP_APP_ID, "rwx" }, + { "test_subject_15", OSP_APP_ID, "rwxat" } +}; + +// Rules from OSP_test_privilege_control_rules_osp.smack for osp_partner +const std::vector< std::vector > rules_osp_partner = { + { OSP_PARTNER_APP_ID, "test_book_8", "r" }, + { OSP_PARTNER_APP_ID, "test_book_9", "w" }, + { OSP_PARTNER_APP_ID, "test_book_10", "x" }, + { OSP_PARTNER_APP_ID, "test_book_11", "rw" }, + { OSP_PARTNER_APP_ID, "test_book_12", "rx" }, + { OSP_PARTNER_APP_ID, "test_book_13", "wx" }, + { OSP_PARTNER_APP_ID, "test_book_14", "rwx" }, + { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", OSP_PARTNER_APP_ID, "r" }, + { "test_subject_9", OSP_PARTNER_APP_ID, "w" }, + { "test_subject_10", OSP_PARTNER_APP_ID, "x" }, + { "test_subject_11", OSP_PARTNER_APP_ID, "rw" }, + { "test_subject_12", OSP_PARTNER_APP_ID, "rx" }, + { "test_subject_13", OSP_PARTNER_APP_ID, "wx" }, + { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" }, + { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" } +}; + +// Rules from OSP_test_privilege_control_rules_osp.smack for osp_platform +const std::vector< std::vector > rules_osp_platform = { + { OSP_PLATFORM_APP_ID, "test_book_8", "r" }, + { OSP_PLATFORM_APP_ID, "test_book_9", "w" }, + { OSP_PLATFORM_APP_ID, "test_book_10", "x" }, + { OSP_PLATFORM_APP_ID, "test_book_11", "rw" }, + { OSP_PLATFORM_APP_ID, "test_book_12", "rx" }, + { OSP_PLATFORM_APP_ID, "test_book_13", "wx" }, + { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" }, + { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" }, + { "test_subject_8", OSP_PLATFORM_APP_ID, "r" }, + { "test_subject_9", OSP_PLATFORM_APP_ID, "w" }, + { "test_subject_10", OSP_PLATFORM_APP_ID, "x" }, + { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" }, + { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" }, + { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" }, + { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" }, + { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" } +}; + +int test_have_all_accesses(const std::vector< std::vector > &rules); +int test_have_any_accesses(const std::vector< std::vector > &rules); + +void cleaning_smack_app_files (void); + +void read_gids(std::set &set, const char *file_path); +void check_groups(const char *dac_file); + +int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/, + int /*typeflag*/, struct FTW* /*ftwbuf*/); +int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW* /*ftwbuf*/); +int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, + int /*typeflag*/, struct FTW* /*ftwbuf*/); +int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, + int /*typeflag*/, struct FTW* /*ftwbuf*/); + + +#endif /* LIBPRIVILEGE_CONTROL_TEST_COMMON_H_ */ diff --git a/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp new file mode 100644 index 0000000..180cd92 --- /dev/null +++ b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp @@ -0,0 +1,208 @@ +/* + * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file libprivilege-control-test.cpp + * @author Jan Olszak (j.olszak@samsung.com) + * @version 1.0 + * @brief Main file for libprivilege-control unit tests. + */ + +#include +#include +#include +#include +#include + +#define CANARY_LABEL "tiny_yellow_canary" + +const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL }; +const char *PRIVS2[] = { "test_privilege_control_rules2", NULL }; + +const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL }; +const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL }; + +const char* PRIV_APPSETTING[] {"org.tizen.privilege.appsetting", NULL}; + +void cleaning_smack_app_files (void) +{ + unlink(SMACK_RULES_DIR APP_TEST_APP_1); + unlink(SMACK_RULES_DIR APP_TEST_APP_2); + unlink(SMACK_RULES_DIR APP_TEST_APP_3); + unlink(SMACK_RULES_DIR APP_TEST_AV_1); + unlink(SMACK_RULES_DIR APP_TEST_AV_2); + unlink(SMACK_RULES_DIR APP_TEST_AV_3); +} + +/** + * Check if every rule is true. + * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't + */ +int test_have_all_accesses(const std::vector< std::vector > &rules) +{ + int result; + for (uint i = 0; i < rules.size(); ++i) { + result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str()); + if (result != 1) + return result; + } + return 1; +} + +/** + * Check if every rule is true. + * @return 1 if ANY rule in SMACK, 0 if + */ +int test_have_any_accesses(const std::vector< std::vector > &rules) +{ + int result; + for (uint i = 0; i < rules.size(); ++i) { + result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str()); + if (result == 1) + return 1; + } + return 0; +} + +void read_gids(std::set &set, const char *file_path) +{ + FILE *f = fopen(file_path, "r"); + RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path); + unsigned gid; + while (fscanf(f, "%u\n", &gid) == 1) { + set.insert(gid); + } +} + +void check_groups(const char *dac_file) +{ + std::set groups_check; + read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST); + read_gids(groups_check, dac_file); + + int groups_cnt = getgroups(0, NULL); + RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt"); + gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t)); + RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed"); + RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list)); + + for (int i = 0; i < groups_cnt; ++i) { + //getgroups() can return multiple number of the same group + //they are returned in sequence, so we will given number when last + //element of this number is reached + if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i])) + continue; + if (groups_check.erase(groups_list[i]) == 0) { + // getgroups() may also return process' main group + if (groups_list[i] != getgid()) + RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")"); + } + } + free(groups_list); + std::string groups_left; + for (std::set::iterator it = groups_check.begin(); it != groups_check.end(); it++) { + groups_left.append(std::to_string(*it)).append(" "); + } + RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left); +} + +int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/, + int /*typeflag*/, struct FTW* /*ftwbuf*/) +{ + smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS); + smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC); + smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE); + + return 0; +} + +int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW* /*ftwbuf*/) +{ + int result; + char *label; + + /* ACCESS */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set"); + result = strcmp(APPID_DIR, label); + RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"); + + /* EXEC */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); + if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) { + RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); + result = strcmp(APPID_DIR, label); + RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect"); + } else if (S_ISLNK(sb->st_mode)) { + struct stat buf; + char *target = realpath(fpath, NULL); + RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath); + free(target); + if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) { + RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); + } else { + RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); + result = strcmp(APPID_DIR, label); + RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect"); + } + } else + RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); + + /* TRANSMUTE */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); + + return 0; + } + +int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, + int /*typeflag*/, struct FTW* /*ftwbuf*/) +{ + smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS); + smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC); + smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE); + + return 0; +} + +int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, + int /*typeflag*/, struct FTW* /*ftwbuf*/) +{ + int result; + char *label; + + /* ACCESS */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); + result = strcmp(CANARY_LABEL, label); + RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten"); + + /* EXEC */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); + result = strcmp(CANARY_LABEL, label); + RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten"); + + /* TRANSMUTE */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); + + return 0; +} diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp index 4935cd3..0781d11 100644 --- a/tests/libprivilege-control-tests/test_cases.cpp +++ b/tests/libprivilege-control-tests/test_cases.cpp @@ -19,372 +19,59 @@ * @author Jan Olszak (j.olszak@samsung.com) * @author Rafal Krypa (r.krypa@samsung.com) * @version 1.0 - * @brief libprivilege-control test runer + * @brief libprivilege-control test runner */ #include -#include -#include -#include #include -#include #include -#include +#include +#include + +#include +#include #include -#include -#include -#include -#include + #include #include -#include -#include -#include -#include + #include #include +#include + #include -#include -#include -#include +#include +#include +#include +#include #include +#include -#define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/" -#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules" -#define SMACK_LOAD2 "/smack/load2" -#define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir" -#define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir" -#define APPID_DIR "test_APP_ID_dir" -#define APPID_SHARED_DIR "test_APP_ID_shared_dir" -#define CANARY_LABEL "tiny_yellow_canary" +#include -#define APP_ID "test_APP" -#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP" -#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL" +#define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules" #define EFL_APP_ID "EFL_APP_ID" -#define WGT_APP_ID "QwCqJ0ttyS" -#define WGT_PARTNER_APP_ID "7btsV1Y0sX" -#define WGT_PLATFORM_APP_ID "G4DE3U2vmW" -#define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123" -#define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner" -#define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform" -#define OSP_APP_ID "uqNfgEjqc7" -#define OSP_PARTNER_APP_ID "j4RuPsZrNt" -#define OSP_PLATFORM_APP_ID "V5LKqDFBXm" -#define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp" -#define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner" -#define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform" #define EARLY_RULE_SUBJECT "livebox.web-provider" #define EARLY_RULE_RIGHTS "rwx---" -const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL }; -const char *PRIVS2[] = { "test_privilege_control_rules2", NULL }; -const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL }; -const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL }; -const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL }; -const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL }; -const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL }; -const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL }; - - -#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list" -#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac" -#define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac" -#define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac" - -#define APP_TEST_APP_1 "test-application1" -#define APP_TEST_APP_2 "test-application_2" -#define APP_TEST_APP_3 "test-app-3" -#define APP_TEST_AV_1 "test-antivirus1" -#define APP_TEST_AV_2 "test-antivirus_2" -#define APP_TEST_AV_3 "test-av-3" - -#define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1" -#define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2" -#define APP_TEST_AV_ASP1 "test-app-av-asp1" -#define APP_TEST_AV_ASP2 "test-app-av-asp2" - -#define SOCK_PATH "/tmp/test-smack-socket" +#define SMACK_ACC_LEN 6 -#define APP_GID 5000 -#define APP_UID 5000 -#define APP_USER_NAME "app" -#define APP_HOME_DIR "/opt/home/app" +#define APP_1 "app_1" +#define APP_1_DIR "/tmp/app_1" -#define APP_FRIEND_1 "app_friend_1" -#define APP_FRIEND_2 "app_friend_2" +#define APP_2 "app_2" +#define APP_2_DIR "/tmp/app_2" -#define SMACK_ACC_LEN 6 +#define APP_TEST "app_test" -// How many open file descriptors should ftw() function use? -#define FTW_MAX_FDS 16 - -// ---- Macros and arrays used in stress tests ---- -#define TEST_OSP_FEATURE_APP_ID "test-osp-feature-app" -#define TEST_WGT_FEATURE_APP_ID "test-wgt-feature-app" -#define TEST_OSP_FEATURE "OSP_test-feature.osp_rxl" -#define TEST_WGT_FEATURE "WGT_test-feature.wgt_rxl" -// OSP Api Feature Test data - gives rxl access to OSP app and rl access to WGT app also! -const char *FILE_PATH_TEST_OSP_FEATURE = "/usr/share/privilege-control/OSP_test-feature.osp_rxl.smack"; -const char *test_osp_feature_rule_set[] = { "~APP~ " TEST_OSP_FEATURE_APP_ID " rxl", - "~APP~ " TEST_WGT_FEATURE_APP_ID " rl", - NULL }; -const char *TEST_OSP_FEATURE_PRIVS[] = { TEST_OSP_FEATURE, NULL }; -// WGT Api Feature Test data - rwx access only to WGT app -const char *FILE_PATH_TEST_WGT_FEATURE = "/usr/share/privilege-control/WRT_test-feature.wgt_rwx.smack"; -const char *test_wgt_feature_rule_set[] = { "~APP~ " TEST_WGT_FEATURE_APP_ID " rwx", - NULL }; -const char *TEST_WGT_FEATURE_PRIVS[] = { TEST_WGT_FEATURE, NULL }; - -const std::vector< std::vector > rules_to_test_any_access1 = { - { TEST_OSP_FEATURE_APP_ID, APP_ID, "r" }, - { TEST_OSP_FEATURE_APP_ID, APP_ID, "w" }, - { TEST_OSP_FEATURE_APP_ID, APP_ID, "x" }, - { TEST_OSP_FEATURE_APP_ID, APP_ID, "a" }, - { TEST_OSP_FEATURE_APP_ID, APP_ID, "t" }, - { TEST_OSP_FEATURE_APP_ID, APP_ID, "l" } -}; - -const std::vector< std::vector > rules_to_test_any_access2 = { - { APP_ID, TEST_OSP_FEATURE_APP_ID, "r" }, - { APP_ID, TEST_OSP_FEATURE_APP_ID, "x" }, - { APP_ID, TEST_OSP_FEATURE_APP_ID, "l" }, - { APP_ID, TEST_WGT_FEATURE_APP_ID, "r" }, - { APP_ID, TEST_WGT_FEATURE_APP_ID, "w" }, - { APP_ID, TEST_WGT_FEATURE_APP_ID, "x" }, - { APP_ID, TEST_WGT_FEATURE_APP_ID, "l" } -}; - -#define FMT_VECTOR_TO_TEST_ANY_ACCESS(sub,obj) \ - (const std::vector< std::vector >) { \ - { sub, obj, "r" }, \ - { sub, obj, "w" }, \ - { sub, obj, "x" }, \ - { sub, obj, "a" }, \ - { sub, obj, "t" }, \ - { sub, obj, "l" } } - -// Rules from test_privilege_control_rules.smack -const std::vector< std::vector > rules = { - { APP_ID, "test_book_1", "r" }, - { APP_ID, "test_book_2", "w" }, - { APP_ID, "test_book_3", "x" }, - { APP_ID, "test_book_4", "rw" }, - { APP_ID, "test_book_5", "rx" }, - { APP_ID, "test_book_6", "wx" }, - { APP_ID, "test_book_7", "rwx" }, - { "test_subject_1", APP_ID, "r" }, - { "test_subject_2", APP_ID, "w" }, - { "test_subject_3", APP_ID, "x" }, - { "test_subject_4", APP_ID, "rw" }, - { "test_subject_5", APP_ID, "rx" }, - { "test_subject_6", APP_ID, "wx" }, - { "test_subject_7", APP_ID, "rwx" }, - { APP_ID, APPID_SHARED_DIR, "rwxat"} -}; - -// Rules from WRT_test_privilege_control_rules2.smack -const std::vector< std::vector > rules2 = { - { WGT_APP_ID, "test_book_8", "r" }, - { WGT_APP_ID, "test_book_9", "w" }, - { WGT_APP_ID, "test_book_10", "x" }, - { WGT_APP_ID, "test_book_11", "rw" }, - { WGT_APP_ID, "test_book_12", "rx" }, - { WGT_APP_ID, "test_book_13", "wx" }, - { WGT_APP_ID, "test_book_14", "rwx" }, - { WGT_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_APP_ID, "r" }, - { "test_subject_9", WGT_APP_ID, "w" }, - { "test_subject_10", WGT_APP_ID, "x" }, - { "test_subject_11", WGT_APP_ID, "rw" }, - { "test_subject_12", WGT_APP_ID, "rx" }, - { "test_subject_13", WGT_APP_ID, "wx" }, - { "test_subject_14", WGT_APP_ID, "rwx" }, - { "test_subject_15", WGT_APP_ID, "rwxat" } -}; - -// Rules from WRT_test_privilege_control_rules_no_r.smack -const std::vector< std::vector > rules2_no_r = { - { WGT_APP_ID, "test_book_9", "w" }, - { WGT_APP_ID, "test_book_10", "x" }, - { WGT_APP_ID, "test_book_11", "w" }, - { WGT_APP_ID, "test_book_12", "x" }, - { WGT_APP_ID, "test_book_13", "x" }, - { WGT_APP_ID, "test_book_14", "wx" }, - { WGT_APP_ID, "test_book_15", "wxat" }, - { "test_subject_9", WGT_APP_ID, "w" }, - { "test_subject_10", WGT_APP_ID, "x" }, - { "test_subject_11", WGT_APP_ID, "w" }, - { "test_subject_12", WGT_APP_ID, "x" }, - { "test_subject_13", WGT_APP_ID, "x" }, - { "test_subject_14", WGT_APP_ID, "wx" }, - { "test_subject_15", WGT_APP_ID, "wxat" } -}; - -// Rules from test_privilege_control_rules.smack -// minus WRT_test_privilege_control_rules_no_r.smack -const std::vector< std::vector > rules2_r = { - { WGT_APP_ID, "test_book_8", "r" }, - { WGT_APP_ID, "test_book_11", "r" }, - { WGT_APP_ID, "test_book_12", "r" }, - { WGT_APP_ID, "test_book_14", "r" }, - { WGT_APP_ID, "test_book_15", "r" }, - { "test_subject_8", WGT_APP_ID, "r" }, - { "test_subject_11", WGT_APP_ID, "r" }, - { "test_subject_12", WGT_APP_ID, "r" }, - { "test_subject_14", WGT_APP_ID, "r" }, - { "test_subject_15", WGT_APP_ID, "r" } -}; - -// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt -const std::vector< std::vector > rules_wgt = { - { WGT_APP_ID, "test_book_8", "r" }, - { WGT_APP_ID, "test_book_9", "w" }, - { WGT_APP_ID, "test_book_10", "x" }, - { WGT_APP_ID, "test_book_11", "rw" }, - { WGT_APP_ID, "test_book_12", "rx" }, - { WGT_APP_ID, "test_book_13", "wx" }, - { WGT_APP_ID, "test_book_14", "rwx" }, - { WGT_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_APP_ID, "r" }, - { "test_subject_9", WGT_APP_ID, "w" }, - { "test_subject_10", WGT_APP_ID, "x" }, - { "test_subject_11", WGT_APP_ID, "rw" }, - { "test_subject_12", WGT_APP_ID, "rx" }, - { "test_subject_13", WGT_APP_ID, "wx" }, - { "test_subject_14", WGT_APP_ID, "rwx" }, - { "test_subject_15", WGT_APP_ID, "rwxat" } -}; - -// Rules from WRT_test_privilege_control_rules.smack for wgt -const std::vector< std::vector > rules_wgt2 = { - { WGT_APP_ID, "test_book_1", "r" }, - { WGT_APP_ID, "test_book_2", "w" }, - { WGT_APP_ID, "test_book_3", "x" }, - { WGT_APP_ID, "test_book_4", "rw" }, - { WGT_APP_ID, "test_book_5", "rx" }, - { WGT_APP_ID, "test_book_6", "wx" }, - { WGT_APP_ID, "test_book_7", "rwx" }, - { "test_subject_1", WGT_APP_ID, "r" }, - { "test_subject_2", WGT_APP_ID, "w" }, - { "test_subject_3", WGT_APP_ID, "x" }, - { "test_subject_4", WGT_APP_ID, "rw" }, - { "test_subject_5", WGT_APP_ID, "rx" }, - { "test_subject_6", WGT_APP_ID, "wx" }, - { "test_subject_7", WGT_APP_ID, "rwx" } -}; - -// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_partner -const std::vector< std::vector > rules_wgt_partner = { - { WGT_PARTNER_APP_ID, "test_book_8", "r" }, - { WGT_PARTNER_APP_ID, "test_book_9", "w" }, - { WGT_PARTNER_APP_ID, "test_book_10", "x" }, - { WGT_PARTNER_APP_ID, "test_book_11", "rw" }, - { WGT_PARTNER_APP_ID, "test_book_12", "rx" }, - { WGT_PARTNER_APP_ID, "test_book_13", "wx" }, - { WGT_PARTNER_APP_ID, "test_book_14", "rwx" }, - { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_PARTNER_APP_ID, "r" }, - { "test_subject_9", WGT_PARTNER_APP_ID, "w" }, - { "test_subject_10", WGT_PARTNER_APP_ID, "x" }, - { "test_subject_11", WGT_PARTNER_APP_ID, "rw" }, - { "test_subject_12", WGT_PARTNER_APP_ID, "rx" }, - { "test_subject_13", WGT_PARTNER_APP_ID, "wx" }, - { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" }, - { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" } -}; - -// Rules from WRT_test_privilege_control_rules_wgt.smack for wgt_platform -const std::vector< std::vector > rules_wgt_platform = { - { WGT_PLATFORM_APP_ID, "test_book_8", "r" }, - { WGT_PLATFORM_APP_ID, "test_book_9", "w" }, - { WGT_PLATFORM_APP_ID, "test_book_10", "x" }, - { WGT_PLATFORM_APP_ID, "test_book_11", "rw" }, - { WGT_PLATFORM_APP_ID, "test_book_12", "rx" }, - { WGT_PLATFORM_APP_ID, "test_book_13", "wx" }, - { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" }, - { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", WGT_PLATFORM_APP_ID, "r" }, - { "test_subject_9", WGT_PLATFORM_APP_ID, "w" }, - { "test_subject_10", WGT_PLATFORM_APP_ID, "x" }, - { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" }, - { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" }, - { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" }, - { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" }, - { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" } -}; - -// Rules from OSP_test_privilege_control_rules_osp.smack for osp -const std::vector< std::vector > rules_osp = { - { OSP_APP_ID, "test_book_8", "r" }, - { OSP_APP_ID, "test_book_9", "w" }, - { OSP_APP_ID, "test_book_10", "x" }, - { OSP_APP_ID, "test_book_11", "rw" }, - { OSP_APP_ID, "test_book_12", "rx" }, - { OSP_APP_ID, "test_book_13", "wx" }, - { OSP_APP_ID, "test_book_14", "rwx" }, - { OSP_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", OSP_APP_ID, "r" }, - { "test_subject_9", OSP_APP_ID, "w" }, - { "test_subject_10", OSP_APP_ID, "x" }, - { "test_subject_11", OSP_APP_ID, "rw" }, - { "test_subject_12", OSP_APP_ID, "rx" }, - { "test_subject_13", OSP_APP_ID, "wx" }, - { "test_subject_14", OSP_APP_ID, "rwx" }, - { "test_subject_15", OSP_APP_ID, "rwxat" } -}; - -// Rules from OSP_test_privilege_control_rules_osp.smack for osp_partner -const std::vector< std::vector > rules_osp_partner = { - { OSP_PARTNER_APP_ID, "test_book_8", "r" }, - { OSP_PARTNER_APP_ID, "test_book_9", "w" }, - { OSP_PARTNER_APP_ID, "test_book_10", "x" }, - { OSP_PARTNER_APP_ID, "test_book_11", "rw" }, - { OSP_PARTNER_APP_ID, "test_book_12", "rx" }, - { OSP_PARTNER_APP_ID, "test_book_13", "wx" }, - { OSP_PARTNER_APP_ID, "test_book_14", "rwx" }, - { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", OSP_PARTNER_APP_ID, "r" }, - { "test_subject_9", OSP_PARTNER_APP_ID, "w" }, - { "test_subject_10", OSP_PARTNER_APP_ID, "x" }, - { "test_subject_11", OSP_PARTNER_APP_ID, "rw" }, - { "test_subject_12", OSP_PARTNER_APP_ID, "rx" }, - { "test_subject_13", OSP_PARTNER_APP_ID, "wx" }, - { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" }, - { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" } -}; - -// Rules from OSP_test_privilege_control_rules_osp.smack for osp_platform -const std::vector< std::vector > rules_osp_platform = { - { OSP_PLATFORM_APP_ID, "test_book_8", "r" }, - { OSP_PLATFORM_APP_ID, "test_book_9", "w" }, - { OSP_PLATFORM_APP_ID, "test_book_10", "x" }, - { OSP_PLATFORM_APP_ID, "test_book_11", "rw" }, - { OSP_PLATFORM_APP_ID, "test_book_12", "rx" }, - { OSP_PLATFORM_APP_ID, "test_book_13", "wx" }, - { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" }, - { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" }, - { "test_subject_8", OSP_PLATFORM_APP_ID, "r" }, - { "test_subject_9", OSP_PLATFORM_APP_ID, "w" }, - { "test_subject_10", OSP_PLATFORM_APP_ID, "x" }, - { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" }, - { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" }, - { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" }, - { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" }, - { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" } -}; - -// Rules from EFL_test_privilege_control_rules_osp.smack for osp_platform -const std::vector< std::vector > rules_efl = { - { APP_ID, "test_book_efl", "r" } -}; namespace { -typedef std::unique_ptr > SmackUniquePtr; -void closefdptr(int* fd) { close(*fd); } -typedef std::unique_ptr > FDUniquePtr; +const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL }; +const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL }; +const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL }; +const char *PRIVS_EFL[] = { "test_privilege_control_rules_efl", NULL }; std::vector gen_names(std::string prefix, std::string suffix, size_t size) { @@ -403,130 +90,6 @@ const char *WRT_BLAHBLAH_DAC ="/usr/share/privilege-control/WGT_blahblah.dac"; const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac"; const std::vector BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16); - -//correct and incorrect PID used in incorrect params test -const pid_t PID_CORRECT = 0; -const pid_t PID_INCORRECT = -1; - -/** - * Check if every rule is true. - * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't - */ -int test_have_all_accesses(const std::vector< std::vector > &rules) -{ - int result; - for (uint i = 0; i < rules.size(); ++i) { - result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str()); - if (result != 1) - return result; - } - return 1; -} - -/** - * Check if every rule is true. - * @return 1 if ANY rule in SMACK, 0 if - */ -int test_have_any_accesses(const std::vector< std::vector > &rules) -{ - int result; - for (uint i = 0; i < rules.size(); ++i) { - result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str()); - if (result == 1) - return 1; - } - return 0; -} - -int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS); - smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC); - smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE); - - return 0; -} - -int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS); - smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC); - smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE); - - return 0; -} - -int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - int result; - char *label; - - /* ACCESS */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - result = strcmp(CANARY_LABEL, label); - RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten"); - - /* EXEC */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - result = strcmp(CANARY_LABEL, label); - RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten"); - - /* TRANSMUTE */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); - - return 0; -} - -int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - int result; - char *label; - - /* ACCESS */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set"); - result = strcmp(APPID_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"); - - /* EXEC */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) { - RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); - result = strcmp(APPID_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect"); - } else if (S_ISLNK(sb->st_mode)) { - struct stat buf; - char *target = realpath(fpath, NULL); - RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath); - free(target); - if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) { - RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); - } else { - RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set"); - result = strcmp(APPID_DIR, label); - RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect"); - } - } else - RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); - - /* TRANSMUTE */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); - RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); - - return 0; -} - int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb, int /*typeflag*/, struct FTW* /*ftwbuf*/) { @@ -713,30 +276,13 @@ void remove_smack_files() unlink(WRT_BLAHBLAH_DAC); unlink(OTHER_BLAHBLAH_DAC); - for (size_t i = 0; i < OSP_BLAHBLAH_DAC.size(); ++i) + for(size_t i=0; i &set, const char *file_path) -{ - FILE *f = fopen(file_path, "r"); - RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path); - unsigned gid; - while (fscanf(f, "%u\n", &gid) == 1) { - set.insert(gid); - } -} - - -/** - * Set APP privileges. - */ -void check_groups(const char *dac_file) -{ - std::set groups_check; - read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST); - read_gids(groups_check, dac_file); - - int groups_cnt = getgroups(0, NULL); - RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt"); - gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t)); - RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed"); - RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list)); - - for (int i = 0; i < groups_cnt; ++i) { - //getgroups() can return multiple number of the same group - //they are returned in sequence, so we will given number when last - //element of this number is reached - if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i])) - continue; - if (groups_check.erase(groups_list[i]) == 0) { - // getgroups() may also return process' main group - if (groups_list[i] != getgid()) - RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")"); - } - } - free(groups_list); - std::string groups_left; - for (std::set::iterator it = groups_check.begin(); it != groups_check.end(); it++) { - groups_left.append(std::to_string(*it)).append(" "); - } - RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left); -} -/** - * Set APP privileges. wgt. - */ -RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt) -{ - int result = perm_app_uninstall(WGT_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - result = perm_app_install(WGT_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); +void set_app_privilege(int line_no, + const char* app_id, app_type_t APP_TYPE, + const char** privileges, const char* type, + const char* app_path, const char* dac_file, + const std::vector< std::vector > &rules) { + int result = perm_app_uninstall(app_id); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); + result = perm_app_install(app_id); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " perm_app_install returned " << result << ". Errno: " << strerror(errno)); // TEST: - result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << " Error enabling app permissions. Result: " << result); - result = test_have_all_accesses(rules_wgt); + result = test_have_all_accesses(rules); RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result); + result = perm_app_set_privilege(app_id, type, app_path); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_set_privilege. Error: " << result); // Check if SMACK label really set char *label; result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(WGT_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); + RUNNER_ASSERT_MSG(result >= 0, "Line: " << line_no << + " Error getting current process label"); + RUNNER_ASSERT_MSG(label != NULL, "Line: " << line_no << + " Process label is not set"); + result = strcmp(app_id, label); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " Process label " << label << " is incorrect"); + + check_groups(dac_file); +} - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); +/** + * Set APP privileges. wgt. + */ +RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt) +{ + set_app_privilege(__LINE__,WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt); } /** @@ -985,31 +501,9 @@ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt) */ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner) { - int result = perm_app_uninstall(WGT_PARTNER_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - result = perm_app_install(WGT_PARTNER_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - // TEST: - result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_wgt_partner); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(WGT_PARTNER_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); + set_app_privilege(__LINE__, WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, + "wgt_partner", WGT_PARTNER_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_partner); } /** @@ -1017,31 +511,9 @@ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_partner) */ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform) { - int result = perm_app_uninstall(WGT_PLATFORM_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - result = perm_app_install(WGT_PLATFORM_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - // TEST: - result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_wgt_platform); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(WGT_PLATFORM_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); + set_app_privilege(__LINE__, WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, + "wgt_platform", WGT_PLATFORM_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt_platform); } /** @@ -1049,31 +521,8 @@ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt_platform) */ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp) { - int result = perm_app_uninstall(OSP_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - result = perm_app_install(OSP_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - // TEST: - result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_osp); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(OSP_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); + set_app_privilege(__LINE__, OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, NULL, OSP_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp); } /** @@ -1081,31 +530,8 @@ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp) */ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner) { - int result = perm_app_uninstall(OSP_PARTNER_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - result = perm_app_install(OSP_PARTNER_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - // TEST: - result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_osp_partner); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(OSP_PARTNER_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); + set_app_privilege(__LINE__, OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, + NULL, OSP_PARTNER_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_partner); } /** @@ -1113,31 +539,9 @@ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_partner) */ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp_platform) { - int result = perm_app_uninstall(OSP_PLATFORM_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno)); - result = perm_app_install(OSP_PLATFORM_APP_ID); - RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - // TEST: - result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_all_accesses(rules_osp_platform); - RUNNER_ASSERT_MSG(result == 1, "Permissions not added."); - - result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result); - - // Check if SMACK label really set - char *label; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result >= 0, "Error getting current process label"); - RUNNER_ASSERT_MSG(label != NULL, "Process label is not set"); - result = strcmp(OSP_PLATFORM_APP_ID, label); - RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect"); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); + set_app_privilege(__LINE__, OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, + NULL, OSP_PLATFORM_APP_PATH, + LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp_platform); } /** @@ -1778,7 +1182,7 @@ RUNNER_TEST_SMACK(privilege_control14_app_add_friend) perm_app_uninstall(APP_FRIEND_2); /** - * Test - making friends with nonexisting friend + * Test - making friends with nonexistent friend */ // Installing one friend @@ -1786,12 +1190,12 @@ RUNNER_TEST_SMACK(privilege_control14_app_add_friend) RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error installing first app. Errno: " << result); - // Adding imaginairy friend as second + // Adding imaginary friend as second result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error making friends (first) with imaginairy friend failed. Result: " << result); - // Adding imaginairy friend as first + // Adding imaginary friend as first result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, " Error making friends (second) with imaginairy friend failed. Result: " @@ -2053,22 +1457,11 @@ RUNNER_TEST(privilege_control16_app_setup_path){ RUNNER_TEST(privilege_control17_appsettings_privilege) { -#define APP_1 "app_1" -#define APP_1_DIR "/tmp/app_1" - -#define APP_2 "app_2" -#define APP_2_DIR "/tmp/app_2" - -#define APP_TEST "app_test" - -#define PRIV_APPSETTING (const char*[]) {"org.tizen.privilege.appsetting", NULL} - int ret; char *app1_dir_label; char *app2_dir_label; //prepare test - (void)perm_app_uninstall(APP_TEST); (void)perm_app_uninstall(APP_1); (void)perm_app_uninstall(APP_2); @@ -2089,14 +1482,12 @@ RUNNER_TEST(privilege_control17_appsettings_privilege) ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true); - RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, " Error enabling app permissions. Result: " << ret); //check if "app_test" has an RX access to the app "app_1" ret = smack_have_access(APP_TEST, APP_1, "rx"); - RUNNER_ASSERT_MSG(ret,"access denies"); - + RUNNER_ASSERT_MSG(ret,"access denied"); //check if "app_test" has an RWX access to a folder registered by "app_1" ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS ); @@ -2134,57 +1525,47 @@ RUNNER_TEST(privilege_control17_appsettings_privilege) (void)perm_app_uninstall(APP_2); } -RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public) -{ +void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) { int result; result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_uninstall." << result); result = perm_app_install(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install." << result); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_install." << result); result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " Unable to clean up Smack labels in " << TEST_APP_DIR); result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " Unable to clean up Smack labels in " << TEST_NON_APP_DIR); - result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed"); + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " perm_app_setup_path() failed"); result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); + RUNNER_ASSERT_MSG(result == 0, "Line: " << line_no << + " Unable to check Smack labels for non-app dir"); result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Line: " << line_no << + " Error in perm_app_uninstall." << result); } -RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings) +RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public) { - int result; + test_app_setup_path(__LINE__, APP_PATH_PUBLIC_RO); +} - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result); - - result = perm_app_install(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install." << result); - - result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR); - - result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); - - result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW); - RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed"); - - result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir"); - - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_uninstall." << result); -} +RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings) +{ + test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW); +} RUNNER_TEST(privilege_control20_early_rules) { @@ -2197,15 +1578,11 @@ RUNNER_TEST(privilege_control20_early_rules) char *single_line_format = NULL; char *perm = NULL; FILE *file = NULL; - char subject[SMACK_LABEL_LEN + 1]; - char object[SMACK_LABEL_LEN + 1]; - char rule_add[SMACK_ACC_LEN + 1]; - char rule_remove[SMACK_ACC_LEN + 1]; - subject[SMACK_LABEL_LEN] = '\0'; - object[SMACK_LABEL_LEN] = '\0'; - rule_add[SMACK_ACC_LEN] = '\0'; - rule_remove[SMACK_ACC_LEN] = '\0'; + char subject[SMACK_LABEL_LEN + 1] = {0}; + char object[SMACK_LABEL_LEN + 1] = {0}; + char rule_add[SMACK_ACC_LEN + 1] = {0}; + char rule_remove[SMACK_ACC_LEN + 1] = {0}; unlink(SMACK_RULES_DIR APP_ID); @@ -2299,1841 +1676,3 @@ RUNNER_TEST(privilege_control20_early_rules) RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found"); RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found"); } - - -////////////////////////////////////////////////////// -//TEST FOR INCORRECT PARAMS CHECK IN LIBPRIVILEGE APIS -////////////////////////////////////////////////////// - -RUNNER_TEST(privilege_control21a_incorrect_params_get_smack_label_from_process) -{ - RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_CORRECT, NULL) == PC_ERR_INVALID_PARAM, "get_smack_label_from_process didn't check if smack_label isn't NULL."); - - char aquired_smack_label[SMACK_LABEL_LEN+1]; - RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_INCORRECT, aquired_smack_label) == PC_ERR_INVALID_PARAM, "get_smack_label_from_process didn't check for correct pid."); -} - -RUNNER_TEST_SMACK(privilege_control21b_incorrect_params_smack_pid_have_access) -{ - RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "some_object", NULL) == -1, "smack_pid_have_access didn't check if access_type isn't NULL."); - RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, NULL, "rw") == -1, "smack_pid_have_access didn't check if object isn't NULL."); - RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "", "rw") == -1, "smack_pid_have_access didn't check if object isn't empty."); - RUNNER_ASSERT_MSG(smack_pid_have_access(PID_INCORRECT, "some_object", "rw") == -1, "smack_pid_have_access didn't check for correct pid."); -} - -RUNNER_TEST(privilege_control21c_incorrect_params_perm_app_set_privilege) -{ - RUNNER_ASSERT_MSG(perm_app_set_privilege(NULL, NULL, APP_SET_PRIV_PATH) == PC_ERR_INVALID_PARAM, "perm_app_set_privilege didn't check if package name isn't NULL."); -} - -RUNNER_TEST(privilege_control21d_incorrect_params_perm_app_install) -{ - RUNNER_ASSERT_MSG(perm_app_install(NULL) == PC_ERR_INVALID_PARAM, "perm_app_install didn't check if pkg_id isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_install("") == PC_ERR_INVALID_PARAM, "perm_app_install didn't check if pkg_id isn't empty."); -} - -RUNNER_TEST(privilege_control21e_incorrect_params_perm_app_uninstall) -{ - RUNNER_ASSERT_MSG(perm_app_uninstall(NULL) == PC_ERR_INVALID_PARAM, "perm_app_uninstall didn't check if pkg_id isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_uninstall("") == PC_ERR_INVALID_PARAM, "perm_app_uninstall didn't check if pkg_id isn't empty."); -} - -RUNNER_TEST(privilege_control21f_incorrect_params_perm_app_enable_permissions) -{ - RUNNER_ASSERT_MSG(perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, NULL, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if perm_list isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_enable_permissions(NULL, APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if pkg_id isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_enable_permissions("", APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if pkg_id isn't empty."); - RUNNER_ASSERT_MSG(perm_app_enable_permissions("~APP~", APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, "perm_app_enable_permissions didn't check if pkg_id is valid"); -} - -RUNNER_TEST(privilege_control21g_incorrect_params_app_revoke_permissions) -{ - RUNNER_ASSERT_MSG(perm_app_revoke_permissions(NULL) == PC_ERR_INVALID_PARAM, "perm_app_revoke_permissions didn't check if pkg_id isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_revoke_permissions("") == PC_ERR_INVALID_PARAM, "perm_app_revoke_permissions didn't check if pkg_id isn't empty."); - RUNNER_ASSERT_MSG(perm_app_revoke_permissions("~APP~") == PC_ERR_INVALID_PARAM, "perm_app_revoke_permissions didn't check if pkg_id is valid."); -} - -RUNNER_TEST(privilege_control21h_incorrect_params_app_reset_permissions) -{ - RUNNER_ASSERT_MSG(perm_app_reset_permissions(NULL) == PC_ERR_INVALID_PARAM, "perm_app_reset_permissions didn't check if pkg_id isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_reset_permissions("") == PC_ERR_INVALID_PARAM, "perm_app_reset_permissions didn't check if pkg_id isn't empty."); - RUNNER_ASSERT_MSG(perm_app_reset_permissions("~APP~") == PC_ERR_INVALID_PARAM, "perm_app_reset_permissions didn't check if pkg_id is valid."); -} - -RUNNER_TEST(privilege_control21i_incorrect_params_app_setup_path) -{ - RUNNER_ASSERT_MSG(perm_app_setup_path(APPID_DIR, NULL, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if path isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_setup_path(NULL, TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if pkg_id isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_setup_path("", TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if pkg_id isn't empty."); - RUNNER_ASSERT_MSG(perm_app_setup_path("~APP~", TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, "perm_app_setup_path didn't check if pkg_id is valid."); -} - -RUNNER_TEST(privilege_control21j_incorrect_params_app_add_friend) -{ - RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented"); - - RUNNER_ASSERT_MSG(perm_app_add_friend(NULL, APP_FRIEND_2) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id1 isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_add_friend("", APP_FRIEND_2) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id1 isn't empty."); - RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, NULL) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id2 isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, "") == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id2 isn't empty."); - RUNNER_ASSERT_MSG(perm_app_add_friend("~APP~", APP_FRIEND_2) == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id1 is valid."); - RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, "~APP~") == PC_ERR_INVALID_PARAM, "perm_app_add_friend didin't check if pkg_id2 is valid."); -} - -RUNNER_TEST(privilege_control21k_incorrect_params_add_api_feature) -{ - RUNNER_ASSERT_MSG(perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0) == PC_ERR_INVALID_PARAM, "perm_add_api_feature didn't check if api_feature_name isn't NULL."); - RUNNER_ASSERT_MSG(perm_add_api_feature(APP_TYPE_OSP, "", NULL, NULL, 0) == PC_ERR_INVALID_PARAM, "perm_add_api_feature didn't check if api_feature_name isn't empty."); -} - -RUNNER_TEST(privilege_control21l_incorrect_params_ignored_disable_permissions) -{ - RUNNER_ASSERT_MSG(perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, NULL) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if perm_list isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_disable_permissions(NULL, APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't NULL."); - RUNNER_ASSERT_MSG(perm_app_disable_permissions("", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't empty."); - RUNNER_ASSERT_MSG(perm_app_disable_permissions("~APP~", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id is valid."); -} - - -///////////////////////////////////////// -//////NOSMACK ENVIRONMENT TESTS////////// -///////////////////////////////////////// - -/** - * NOSMACK version of nftw_check_labels_app_shared_dir function. - * - * This function used with nftw should expect -1 result from smack_have_access instead of 1. - */ -int nftw_check_labels_app_shared_dir_nosmack(const char *fpath, const struct stat *sb, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - int result; - char* label; - - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); - RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set"); - - result = strcmp(APPID_SHARED_DIR, label); - RUNNER_ASSERT_MSG(result == 0, - "ACCESS label on " << fpath << " is incorrect. Result: " << result); - - //The only exception in nftw_check_labels_app_shared_dir - //smack_have_access returns -1 because of no SMACK. - result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); - RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); - - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); - if (S_ISDIR(sb->st_mode)) { - RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set"); - result = strcmp("TRUE", label); - RUNNER_ASSERT_MSG(result == 0, - "TRANSMUTE label on " << fpath << " is not set. Result: " << result); - } else - RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); - - return 0; -} - -/** - * NOSMACK version of privilege_control03 test. - * - * Uses nosmack version of nftw_check_labels_app_shared_dir (defined above). - */ -RUNNER_TEST_NOSMACK(privilege_control03_app_label_shared_dir_nosmack) -{ - int result; - - result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID); - RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS, - "perm_app_setup_path should fail here. Result: " << result); - - result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Unable to clean up Smack labels in " << TEST_APP_DIR); - - result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); - - result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "perm_app_setup_path() failed. Result: " << result); - - result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir_nosmack, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Unable to check Smack labels for shared app dir"); - - result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Unable to check Smack labels for non-app dir"); -} - -/** - * NOSMACK version of test_have_accesses functions. - * - * This will be used in many tests. Checks if for every rule smack_have_access returns error. - * If for any of rules smack_have_access will return something different than error, this result - * is being returned to caller. - */ -int test_have_nosmack_accesses(const std::vector< std::vector > &rules) -{ - int result; - for (uint i = 0; i < rules.size(); ++i) { - result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str()); - if (result != -1) - return result; - } - return -1; -} - -/** - * NOSMACK version of privilege_control04 test. - * - * Tries to add permisions from test_privilege_control_rules template and checks if - * smack_have_access returns -1 on check between every rule. - */ -RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack) -{ - //Add permissions - auto result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error adding app permissions. Result: " << result); - - //Check if smack_have_access always fails on every rule - result = test_have_nosmack_accesses(rules); - RUNNER_ASSERT_MSG(result == -1, - "Despite SMACK being off some accesses were added. Result: " << result); - - //Does file exist? - std::fstream fs(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary); - RUNNER_ASSERT_MSG(fs.good(), "SMACK file NOT created!. Errno: " << strerror(errno)); - - fs.seekg(0, std::ifstream::end); - RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty, but privileges list was not empty."); -} - -/** - * NOSMACK version of privilege_control05_add_shared_dir_readers test. - * - * This test is very similar to it's SMACK version - only difference is different result expected - * from smack_have_access. - */ -#pragma GCC diagnostic ignored "-Wdeprecated-declarations" -RUNNER_TEST_NOSMACK(privilege_control05_add_shared_dir_readers_nosmack) -{ - const char* test_obj = "TEST_OBJECT"; - const char* test_obj_some_other = "TEST_OBJA"; - const char* test_str_01 = "TEST_raz TEST_OBJECT r-x--- ------"; - const char* test_str_21 = "TEST_trzy TEST_OBJA -wx---"; - const char* test_str_22 = "TEST_trzy TEST_OBJECT r-x--- ------"; - - int result; - int i; - int fd = -1; - - const char* app_labels_wrong[] = {"-TEST_raz", NULL}; - const char* app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL}; - const int READ_BUF_SIZE = 1000; - char buf[READ_BUF_SIZE]; - smack_accesses* tmp = NULL; - - //test environment cleaning - cleaning_smack_app_files(); - - //test what happens when the label is not correct SMACK label - result = add_shared_dir_readers(test_obj,app_labels_wrong); - RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, - "add_shared_dir_readers should fail here. Result: " << result); - result = smack_have_access(app_labels_wrong[0],test_obj,"rx"); - RUNNER_ASSERT_MSG(result != 1, - "add_shared_dir_readers should not grant permission here. Result: " << result); - - //install new apps - result = smack_accesses_new(&tmp); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in smack_accesses_new. Result: " << result); - - //Wrap rules and fd into unique_ptrs for garbage collection - SmackUniquePtr rules(tmp, smack_accesses_free); - FDUniquePtr fd_ptr(&fd, closefdptr); - - std::stringstream path; - for (i = 0; i < 3; i++) { - result = perm_app_revoke_permissions(app_labels[i]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_revoke_permissions. Result: " << result); - result = perm_app_uninstall(app_labels[i]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_install. Result: " << result); - result = perm_app_install(app_labels[i]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_install. Result: " << result); - - path << SMACK_RULES_DIR << app_labels[i]; - - fd = open(path.str().c_str(), O_WRONLY, 0644); - RUNNER_ASSERT_MSG(fd != -1, "Error in opening file"); - - if (i == 1) { - result = smack_accesses_add(rules.get(), app_labels[i], test_obj, "wt"); - RUNNER_ASSERT_MSG(result == 0, - "smack_accesses_add failed. Result: " << result); - } - - if (i == 2) { - result = smack_accesses_new(&tmp); - RUNNER_ASSERT_MSG(result == 0, - "Failed to allocate memory for rules."); - - rules.reset(tmp); - - result = smack_accesses_add(rules.get(), app_labels[i], - test_obj_some_other, "wx"); - RUNNER_ASSERT_MSG(result == 0, - "smack_accesses_add failed. Result: " << result); - } - - result = smack_accesses_apply(rules.get()); - RUNNER_ASSERT_MSG(result == -1, - "smack_accesses_apply should fail (SMACK is off). Result: " << result); - - result = smack_accesses_save(rules.get(), fd); - RUNNER_ASSERT_MSG(result == 0, - "smack_accesses_save failed. Result: " << result); - - //cleanup - path.str(std::string()); - } - - //Use add_shared_dir_readers and check if smack_have_access still fails - result = add_shared_dir_readers(test_obj,app_labels); - RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed. Result: " << result); - - result = smack_have_access(app_labels[0],test_obj,"rx"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - - result = smack_have_access(app_labels[1],test_obj,"rx"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - - result = smack_have_access(app_labels[2],test_obj,"rx"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - - result = smack_have_access(app_labels[1],test_obj,"rwxt"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - - result = smack_have_access(app_labels[2],test_obj_some_other,"wx"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - - //Test if files are properly formatted - path << SMACK_RULES_DIR << app_labels[0]; - RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno)); - - std::fstream fs(path.str().c_str(), std::ios_base::in); - RUNNER_ASSERT_MSG(fs.good(), "Opening file stream failed. Error: " << strerror(errno)); - - fs.get(buf, READ_BUF_SIZE); - result = strcmp(buf, test_str_01); - RUNNER_ASSERT_MSG(result == 0, - "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() << - ". Result: " << result); - - //Clean up before another test - path.str(std::string()); - fs.close(); - - path << SMACK_RULES_DIR << app_labels[2]; - RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno)); - - fs.open(path.str().c_str(), std::ios_base::in); - RUNNER_ASSERT_MSG(fs.good(), "fopen failed, errno:" << strerror(errno)); - - fs.getline(buf, READ_BUF_SIZE); - result = strcmp(buf, test_str_21); - RUNNER_ASSERT_MSG( result == 0, - "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() - << ". Result: " << result); - - fs.getline(buf, READ_BUF_SIZE); - result = strcmp(buf, test_str_22); - RUNNER_ASSERT_MSG( result == 0, - "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() - << ". Result: " << result); -} -#pragma GCC diagnostic warning "-Wdeprecated-declarations" - - -/** - * NOSMACK version of privilege_control05_set_app_privilege test. - * - * Another very similar test to it's SMACK version, this time smack_new_label_from_self is - * expected to return different result. - */ -RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack) -{ - int result; - - //Preset exec label - smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC); - smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC); - - //Set app privileges - result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_set_privilege. Result: " << result); - - //Even though app privileges are set, no smack label should be extracted. - char* label = NULL; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == -1, - "new_label_from_self should return error (SMACK is off). Result: " << result); - RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); - - //Check if DAC privileges really set - RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID"); - RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID"); - - result = strcmp(getenv("HOME"), APP_HOME_DIR); - RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR. Result: " << result); - - result = strcmp(getenv("USER"), APP_USER_NAME); - RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME. Result: " << result); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE); -} - -/** - * NOSMACK version of privilege_control05_set_app_privilege_wgt test. - * - * Same as the above, plus uses test_have_nosmack_accesses instead of test_have_all_accesses. - */ -RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_nosmack) -{ - int result; - - result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_nosmack_accesses(rules_wgt); - RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); - - result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_set_privilege. Result: " << result); - - //Even though app privileges are set, no smack label should be extracted. - char* label = NULL; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == -1, - "new_label_from_self should return error (SMACK is off). Result: " << result); - RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); -} - -/** - * NOSMACK version of privilege_control05_set_app_privilege_wgt_partner test. - * - * Same as the above. - */ -RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_partner_nosmack) -{ - int result; - - result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_nosmack_accesses(rules_wgt_partner); - RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); - - result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_set_privilege. Result: " << result); - - //Even though app privileges are set, no smack label should be extracted. - char* label = NULL; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == -1, - "new_label_from_self should return error (SMACK is off). Result: " << result); - RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); -} - -/** - * NOSMACK version of privilege_control05_set_app_privilege_wgt_platform test. - * - * Same as the above. - */ -RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_platform_nosmack) -{ - int result; - - result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_nosmack_accesses(rules_wgt_platform); - RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); - - result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_set_privilege. Result: " << result); - - //Even though app privileges are set, no smack label should be extracted. - char* label = NULL; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == -1, - "new_label_from_self should return error (SMACK is off). Result: " << result); - RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); -} - -/** - * NOSMACK version of privilege_control05_set_app_privilege_osp test. - * - * Same as the above. - */ -RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_nosmack) -{ - int result; - - result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_nosmack_accesses(rules_osp); - RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); - - result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_set_privilege. Result: " << result); - - //Even though app privileges are set, no smack label should be extracted. - char* label = NULL; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == -1, - "new_label_from_self should return error (SMACK is off). Result: " << result); - RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); -} - -/** - * NOSMACK version of privilege_control05_set_app_privilege_osp_partner test. - * - * Same as the above. - */ -RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_partner_nosmack) -{ - int result; - - result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error enabling app permissions. Result: " << result); - - result = test_have_nosmack_accesses(rules_osp_partner); - RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added."); - - result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_set_privilege. Result: " << result); - - //Even though app privileges are set, no smack label should be extracted. - char* label = NULL; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == -1, - "new_label_from_self should return error (SMACK is off). Result: " << result); - RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); -} - -/** - * NOSMACK version of privilege_control05_set_app_privilege_osp_platform test. - * - * Same as the above. - */ -RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nosmack) -{ - int result; - - result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error enabling app permissions. Result: " << result); - - result = test_have_nosmack_accesses(rules_osp_platform); - RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); - - result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_set_privilege. Result: " << result); - - //Even though app privileges are set, no smack label should be extracted. - char* label = NULL; - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == -1, - "new_label_from_self should return error (SMACK is off). Result: " << result); - RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); - - check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); -} - -/** - * NOSMACK version of checkOnlyAvAccess function. - * - * Expects error instead of access granted/forbidden from smack_have_access. - */ -void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment) -{ - int result; - result = smack_have_access(av_id, app_id, "rwx"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result - << " when testing " << comment); - result = smack_have_access(av_id, app_id, "a"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result - << " when testing " << comment); - result = smack_have_access(av_id, app_id, "t"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result - << " when testing " << comment); -} - -/* - * NOSMACK version of privilege_control10_app_register_av test. - * - * Uses NOSMACK version of checkOnlyAvAccess (mentioned above), rest of the test is identical to - * it's SMACK version. - */ -#pragma GCC diagnostic ignored "-Wdeprecated-declarations" -RUNNER_TEST_NOSMACK(privilege_control10_app_register_av_nosmack) -{ - RUNNER_IGNORED_MSG("app_register_av is not implemented"); - int result; - - // cleaning - smack_revoke_subject(APP_TEST_AV_1); - smack_revoke_subject(APP_TEST_AV_2); - - cleaning_smack_app_files(); - - // Adding two apps before antivir - result = perm_app_install(APP_TEST_APP_1); - RUNNER_ASSERT_MSG(result == 0, - "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - result = perm_app_install(APP_TEST_APP_2); - RUNNER_ASSERT_MSG(result == 0, - "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - // Adding antivir - result = app_register_av(APP_TEST_AV_1); - RUNNER_ASSERT_MSG(result == 0, - "app_register_av returned " << result << ". Errno: " << strerror(errno)); - - // Checking added apps accesses - checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)"); - checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)"); - - // Adding third app - result = perm_app_install(APP_TEST_APP_3); - RUNNER_ASSERT_MSG(result == 0, - "perm_app_install returned " << result << ". Errno: " << strerror(errno)); - - // Checking app accesses - checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)"); - checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)"); - checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)"); - - // Adding second antivir - result = app_register_av(APP_TEST_AV_2); - RUNNER_ASSERT_MSG(result == 0, - "app_register_av returned " << result << ". Errno: " << strerror(errno)); - - // Checking app accesses - checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); - checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); - - // cleaning - smack_revoke_subject(APP_TEST_AV_1); - smack_revoke_subject(APP_TEST_AV_2); - - cleaning_smack_app_files(); - -} -#pragma GCC diagnostic warning "-Wdeprecated-declarations" - -/** - * NOSMACK version of privilege_control11_app_enable_permissions test. - * - * Since the original test did the same thing around five times, there is no need to redo the - * same test for perm_app_enable_permissions. perm_app_enable_permissions will be called once, - * test_have_nosmack_accesses will check if smack_have_access still returns error and then - * we will check if SMACK file was correctly created. - */ -RUNNER_TEST_NOSMACK(privilege_control11_app_enable_permissions_nosmack) -{ - int result; - std::fstream fs; - - result = perm_app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error enabling app permissions. Result: " << result); - - //Check if accesses aren't added - result = test_have_nosmack_accesses(rules2); - RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); - - //File exists? - fs.open(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary); - RUNNER_ASSERT_MSG(fs.good(), "Couldn't open SMACK file."); - - //Is it empty? - fs.seekg(0, std::ifstream::end); - RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty with persistant mode 1."); - - //Clean up - result = perm_app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); -} - -/** - * NOSMACK version of privilege_control13 test. - * - * Uses perm_app_reset_permissions and checks with test_have_nosmack_accesses if nothing has - * changed. - */ -RUNNER_TEST_NOSMACK(privilege_control13_app_reset_permissions_nosmack) -{ - int result; - - // Prepare permissions to reset - result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - " Error adding app permissions. Result: " << result); - - // Reset permissions - result = perm_app_reset_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error reseting app permissions. Result: " << result); - - result = test_have_nosmack_accesses(rules2); - RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be changed. Result: " << result); - - // Disable permissions - result = perm_app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error disabling app permissions. Result: " << result); -} - -/** - * NOSMACK version of privilege_control14 test. - * - * Similarily as app_enable_permissions test. This time perm_app_add_friend is called twice, once - * when both friends exist, and then when one of them doesn't exist. Other tests are not required - - * results would be the same as earlier. - */ -RUNNER_TEST_NOSMACK(privilege_control14_app_add_friend_nosmack) -{ - RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented"); - - int result; - - result = perm_app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = perm_app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - perm_app_uninstall(APP_FRIEND_1); - perm_app_uninstall(APP_FRIEND_2); - - //Regular test. - - //Installing friends to be - result = perm_app_install(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error installing first app. Result: " << result); - result = perm_app_install(APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error installing second app. Result: " << result); - - //Making friends - result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error during friend making. Result: " << result); - - //Same as previous tests, smack_have_access should error. - result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - - //Clean up - result = perm_app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = perm_app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - perm_app_uninstall(APP_FRIEND_1); - perm_app_uninstall(APP_FRIEND_2); - - - //Befriending with imaginary friend. - - //Installing one friend - result = perm_app_install(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error installing first app. Result: " << result); - - //Adding imaginairy friend as second - result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error making friends (first) with imaginairy friend failed. Result: " << result); - //Adding imaginairy friend as first - result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error making friends (second) with imaginairy friend failed. Result: " << result); - - //Same as previous tests, smack_have_access should error. - result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error (SMACK is off). Result: " << result); - - //Clean up - result = perm_app_revoke_permissions(APP_FRIEND_1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - result = perm_app_revoke_permissions(APP_FRIEND_2); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error revoking app permissions. Result: " << result); - - perm_app_uninstall(APP_FRIEND_1); - perm_app_uninstall(APP_FRIEND_2); -} - -/** - * NOSMACK version of privilege_control15_app_id_from_socket. - * - * SMACK version of this test case utilised smack_new_label_from_self and smack_set_label_for_self. - * Those functions rely on /proc/self/attr/current file, which is unreadable and has no contents on - * NOSMACK environment. Functions mentioned above were tested during libsmack tests, so they are - * assumed to react correctly and are not tested in this test case. - * - * This test works similarily to libsmack test smack09_new_label_from_socket. At first server and - * client are created then sockets are set up and perm_app_id_from_socket is used. On NOSMACK env - * correct behaviour for perm_app_id_from_socket would be returning NULL label. - */ -RUNNER_MULTIPROCESS_TEST_NOSMACK(privilege_control15_app_id_from_socket_nosmack) -{ - int pid; - struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH}; - - //Clean up before creating socket - unlink(SOCK_PATH); - - //Create our server and client with fork - pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "Fork failed"); - - if (!pid) { //child (server) - int sock, result, fd; - - //Create a socket - sock = socket(AF_UNIX, SOCK_STREAM, 0); - RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno)); - - //Bind socket to address - result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); - if (result != 0) { - close(sock); - RUNNER_ASSERT_MSG(false, "bind failed: " << strerror(errno)); - } - - //Prepare for listening - result = listen(sock, 1); - if (result != 0) { - close(sock); - RUNNER_ASSERT_MSG(false, "listen failed: " << strerror(errno)); - } - - //Accept connection - alarm(2); - fd = accept(sock, NULL, NULL); - alarm(0); - RUNNER_ASSERT_MSG(fd >= 0, "accept failed: " << strerror(errno)); - - //Wait a little bit for client to use perm_app_id_from_socket - usleep(200); - - //cleanup - close(sock); - exit(0); - } else { //parent (client) - // Give server some time to setup listening socket - sleep(1); - int sock, result; - char* smack_label = NULL; - - //Create socket - sock = socket(AF_UNIX, SOCK_STREAM, 0); - RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno)); - - //Try connecting to address - result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); - if (result != 0) { - close(sock); - RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno)); - } - - //Use perm_app_id_from_socket. Should fail and return NULL smack_label. - smack_label = perm_app_id_from_socket(sock); - close(sock); - RUNNER_ASSERT_MSG(smack_label == NULL, "perm_app_id_from_socket should fail."); - } -} - -/** - * Next three functions are defined only because of NOSMACK environment. - * - * Inside check_labels_dir_nosmack, smack_have_access should expect error, not access granted. - */ -int check_labels_dir_nosmack(const char *fpath, const struct stat *sb, - const char *labels_db_path, const char *dir_db_path, - const char *access) -{ - int result; - char* label; - char* label_gen; - char label_temp[SMACK_LABEL_LEN + 1]; - std::fstream fs_db; - - /* ACCESS */ - result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); - RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set"); - - /* EXEC */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - if (result != 0) { - free(label_gen); - RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result); - } - if (label != NULL) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set."); - } - - /* TRANSMUTE */ - result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); - if (result != 0) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result); - } - if (S_ISDIR(sb->st_mode)) { - if (label == NULL) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set"); - } - result = strcmp("TRUE", label); - if (result != 0) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG(false, - "TRANSMUTE label on " << fpath << " is not set to TRUE Result: " << result); - } - } else if (label != NULL) { - free(label_gen); - free(label); - RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set"); - } - - free(label); - - fs_db.open(labels_db_path, std::ios_base::in); - if (!(fs_db.good())) { - free(label_gen); - RUNNER_ASSERT_MSG(false, "Can not open database for apps"); - } - - while(!fs_db.eof()) { - fs_db.getline(label_temp, 255); - result = smack_have_access(label_temp, label_gen, access); - if (result != -1) { //expect error, not access granted - free(label_gen); - RUNNER_ASSERT_MSG(false, "smack_have_access should fail. Result: " << result); - } - } - - fs_db.close(); - - fs_db.open(dir_db_path, std::ios_base::in); - if (!fs_db.good()) { - free(label_gen); - RUNNER_ASSERT_MSG(false, "Can not open database for dirs"); - } - - bool is_dir = false; - while(!fs_db.eof()) { - fs_db.getline(label_temp, 255); - if (strcmp(label_gen, label_temp) == 0) { - is_dir = true; - break; - } - } - - free(label_gen); - - RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db."); - - return 0; -} - -/** - * NOSMACK version of privilege_control18 test. - * - * Uses NOSMACK version of nftw_check_labels_app_public_dir. - */ -RUNNER_TEST_NOSMACK(privilege_control18_app_setup_path_public_nosmack) -{ - int result; - - result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result); - - result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result); - - result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result); - - result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to check Smack labels for non-app dir. Result: " << result); - -} - -/** - * NOSMACK version of privilege_control19 test. - * - * Uses NOSMACK version of nftw_check_labels_app_settings_dir. - */ -RUNNER_TEST_NOSMACK(privilege_control19_app_setup_path_settings_nosmack) -{ - int result; - - result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result); - - result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result); - - result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW); - RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result); - - result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to check Smack labels for non-app dir. Result: " << result); - -} - -/** - * NOSMACK version of privielge_control21b test. - * - * Instead of error caused by incorrect params expect access granted, becuase SMACK is off. - */ -RUNNER_TEST_NOSMACK(privilege_control21b_incorrect_params_smack_pid_have_access_nosmack) -{ - int result = smack_pid_have_access(PID_CORRECT, "some_object", NULL); - RUNNER_ASSERT_MSG(result == 1, - "smack_pid_have_access should return access granted. Result: " << result); - - result = smack_pid_have_access(PID_CORRECT, NULL, "rw"); - RUNNER_ASSERT_MSG(result == 1, - "smack_pid_have_access should return access granted. Result: " << result); - - result = smack_pid_have_access(PID_CORRECT, NULL, "rw"); - RUNNER_ASSERT_MSG(result == 1, - "smack_pid_have_access should return access granted. Result: " << result); - - result = smack_pid_have_access(PID_INCORRECT, "some_object", "rw"); - RUNNER_ASSERT_MSG(result == 1, - "smack_pid_have_access should return access granted. Result: " << result); -} - -/** - * Test - Simulation of 100 installations and uninstallations of one application. - * Installed application will have various kind of permissions from api - * features and shared folders. - */ -RUNNER_TEST(privilege_control22_app_installation_1x100) -{ - int result; - std::string shared_dir_auto_label; - - // Clear any previously created apps, files, labels and permissions - result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in: " << TEST_APP_DIR - << ". Result: " << result); - - result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in: " << TEST_NON_APP_DIR - << ". Result: " << result); - - result = perm_app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_revoke_permissions. Result: " << result); - - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall. Result: " << result); - - // remove api features by deleting files - // TODO: Rewrite deleting features - unlink(FILE_PATH_TEST_OSP_FEATURE); - unlink(FILE_PATH_TEST_WGT_FEATURE); - - // Install setting app and give it app-setting permissions - result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_revoke_permissions. Result: " << result); - result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall. Result: " << result); - result = perm_app_install(APP_TEST_SETTINGS_ASP1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_install. Result: " << result); - result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1, - APP_TYPE_OSP, PRIV_APPSETTING, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error enabling App-Setting permissions. Result: " << result); - - // Install one additional app (used to check perm to shared directories) - result = perm_app_revoke_permissions(TEST_OSP_FEATURE_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_revoke_permissions. Result: " << result); - result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall. Result: " << result); - result = perm_app_install(TEST_OSP_FEATURE_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_install. Result: " << result); - result = perm_app_enable_permissions(TEST_OSP_FEATURE_APP_ID, - APP_TYPE_OSP,(const char*[]) {NULL}, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error enabling permissions. Result: " << result); - - // Register two valid api features - result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE, - test_osp_feature_rule_set, NULL, 0); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: " - << TEST_OSP_FEATURE << ". Result: " << result); - - result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE, - test_wgt_feature_rule_set, NULL, 0); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: " - << TEST_WGT_FEATURE << ". Result: " << result); - - - // Install app loop - for (int i = 0; i < 100; ++i) - { - // Add application - result = perm_app_install(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_install. Loop index: " << i - << ". Result: " << result); - - // Add persistent permissions - result = perm_app_enable_permissions(APP_ID, APP_TYPE_OSP, - TEST_OSP_FEATURE_PRIVS, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_enable_permissions from OSP Feature. Loop index: " - << i << ". Result: " << result); - - result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT, - TEST_WGT_FEATURE_PRIVS, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_enable_permissions from WGT Feature. Loop index: " - << i << ". Result: " << result); - - // add shared dirs - switch (i%2) // separate odd and even loop runs - { - case 0: // Shared dirs: APP_PATH_PRIVATE & APP_PATH_PUBLIC_RO - { - // Add app shared dir - APP_PATH_PRIVATE - result = perm_app_setup_path(APP_ID, TEST_APP_DIR, - APP_PATH_PRIVATE); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. Loop index: " << i - << ". Result: " << result); - - // Add app shared dir - APP_PATH_PUBLIC_RO - result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR, - APP_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. Loop index: " << i - << ". Result: " << result); - - // Verify that some previously installed app does not have any access - // to APP_ID private label - result = test_have_any_accesses(rules_to_test_any_access1); - RUNNER_ASSERT_MSG(result == 0, - "Error - other app has access to private label. Loop index: " - << i); - - // Get autogenerated Public RO label - char *label; - result = smack_getlabel(TEST_NON_APP_DIR, &label, - SMACK_LABEL_ACCESS ); - RUNNER_ASSERT_MSG(result == 0, - "Cannot get access label from Public RO shared dir. Loop index: " - << i << ". Result: " << result); - shared_dir_auto_label = label; - free(label); - - // Verify that all permissions to public dir have been added - // correctly, also to other app - result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to Public RO dir are granted. Loop index: " - << i); - - result = smack_have_access(TEST_OSP_FEATURE_APP_ID, shared_dir_auto_label.c_str(), "rx" ); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to Public RO dir are granted. Loop index: " - << i); - - break; - } - case 1: // Shared dirs: APP_PATH_APPSETTING_RW & APP_PATH_GROUP_RW - { - // Add app shared dir - APP_PATH_SETTINGS_RW - result = perm_app_setup_path(APP_ID, TEST_APP_DIR, - APP_PATH_SETTINGS_RW); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. Loop index: " << i - << ". Result: " << result); - - // Add app shared dir - APP_PATH_GROUP_RW - result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR, - APP_PATH_GROUP_RW, APPID_SHARED_DIR); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. Loop index: " << i - << ". Result: " << result); - - // Get autogenerated App-Setting label - char *label; - result = smack_getlabel(TEST_APP_DIR, &label, - SMACK_LABEL_ACCESS ); - RUNNER_ASSERT_MSG(result == 0, - "Cannot get access label from App-Setting shared dir. Loop index: " - << i << ". Result: " << result); - shared_dir_auto_label = label; - free(label); - - // Verify that setting app has rwx permission to app dir - // and rx permissions to app - result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to App-Setting dir are granted. " - << APP_ID << " "<< shared_dir_auto_label << " rwxatl " - << "Loop index: " << i); - - result = smack_have_access(APP_TEST_SETTINGS_ASP1, shared_dir_auto_label.c_str(), "rwx"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to App-Setting dir are granted. " - << APP_TEST_SETTINGS_ASP1 << " " << shared_dir_auto_label << " rwx. " - << "Loop index: " << i); - - result = smack_have_access(APP_TEST_SETTINGS_ASP1, APP_ID, "rx"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to App-Setting dir are granted. " - << APP_TEST_SETTINGS_ASP1 << " " << APP_ID << " rx" - << "Loop index: " << i); - - // Verify that all permissions to public dir have been added - // correctly, also to other app - result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to Group RW dir are granted. Loop index: " - << i); - - break; - } - } // END switch - - // check if api-features permissions are added properly - result = test_have_all_accesses( - (const std::vector< std::vector >) { - { APP_ID, TEST_OSP_FEATURE_APP_ID, "rxl" }, - { APP_ID, TEST_WGT_FEATURE_APP_ID, "rwxl" } } ); - RUNNER_ASSERT_MSG(result == 1, - "Not all permisions from api features added. Loop index: " - << i); - - // revoke permissions - result = perm_app_revoke_permissions(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_revoke_permissions. Loop index: " << i - << ". Result: " << result); - - // check if api-features permissions are removed properly - result = test_have_any_accesses(rules_to_test_any_access2); - RUNNER_ASSERT_MSG(result == 0, - "Not all permisions revoked. Loop index: " << i); - - // remove labels from app folder - result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in " << TEST_APP_DIR - << " . Loop index: " << i << ". Result: " << result); - // remove labels from shared folder - result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels, - FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in " << TEST_NON_APP_DIR - << " . Loop index: " << i << ". Result: " << result); - - // uninstall app - result = perm_app_uninstall(APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall. Loop index: " << i - << ". Result: " << result); - } // END Install app loop - - // Uninstall setting app and additional app - result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall. Result: " << result); - result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall. Result: " << result); - - // Remove api features - // TODO: Rewrite removing features - unlink(FILE_PATH_TEST_OSP_FEATURE); - unlink(FILE_PATH_TEST_WGT_FEATURE); - -} - -/** - * Test - Simulation of 10 installations and uninstallations of set of 10 applications. - * Installed applications will have various kind of permissions to each other - * from api-features and shared folders. - * - * APP_TEST_SETTINGS_ASP1 ("test-app-settings-asp1") - registered as setting app - * - * Permissions: - * test_APP0-4 - receive test_osp_feature_rule_set2 - * test_APP5-9 - receive test_wgt_feature_rule_set2 - * - * During this test there is one directory created for each app for each loop run, - * dir name syntax is: /tmp/_ - * - * test_APP0 & test_APP5 register their directories as APP_PATH_PRIVATE - * test_APP1, test_APP2 & test_APP6 register their directories as - * APP_PATH_GROUP_RW using the same label - * APPID_SHARED_DIR = "test_APP_ID_shared_dir" - * test_APP3, test_APP7 & test_APP8 register their directories as - * APP_PATH_PUBLIC_RO - * test_APP4 & test_APP9 register their directories as - * APP_PATH_SETTINGS_RW - */ -RUNNER_TEST(privilege_control23_app_installation2_10x10) -{ - int result; - const int app_count = 10; - std::string shared_dir3_auto_label; - std::string shared_dir7_auto_label; - std::string shared_dir8_auto_label; - std::string setting_dir4_auto_label; - std::string setting_dir9_auto_label; - char app_ids[app_count][strlen(APP_ID) + 3]; - char app_dirs[app_count][strlen(APP_ID) + 12]; - const char *test_osp_feature_rule_set2[] = { "~APP~ " APP_ID "6 r", - "~APP~ " APP_ID "7 rxl", - "~APP~ " APP_ID "8 rwxal", - "~APP~ " APP_ID "9 rwxatl", - NULL }; - const char *test_wgt_feature_rule_set2[] = { "~APP~ " APP_ID "1 r", - "~APP~ " APP_ID "2 rxl", - "~APP~ " APP_ID "3 rwxal", - "~APP~ " APP_ID "4 rwxatl", - NULL }; - - - // generate app ids: test_APP0, test_APP1, test_APP2 etc.: - for (int i = 0; i < app_count; ++i) - { - result = sprintf(app_ids[i], APP_ID "%d", i); - RUNNER_ASSERT_MSG(result > 0, "Cannot generate name for app nr: " << i); - } - - // Clear any previously created apps, files, labels and permissions - for (int i = 0; i < app_count; ++i) - { - result = perm_app_revoke_permissions(app_ids[i]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_revoke_permissions for app: " - << app_ids[i] << ". Result: " << result); - - result = perm_app_uninstall(app_ids[i]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall for app: " - << app_ids[i] << ". Result: " << result); - } - - // Install setting app and give it app-setting permissions - result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_revoke_permissions." - << " Result: " << result); - result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall." - << " Result: " << result); - result = perm_app_install(APP_TEST_SETTINGS_ASP1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_install." - << " Result: " << result); - result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1, - APP_TYPE_OSP, PRIV_APPSETTING, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error enabling App-Setting permissions." - << " Result: " << result); - - // Register two valid api features - result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE, - test_osp_feature_rule_set2, NULL, 0); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: " - << TEST_OSP_FEATURE << ". Result: " << result); - - result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE, - test_wgt_feature_rule_set2, NULL, 0); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: " - << TEST_WGT_FEATURE << ". Result: " << result); - - - // Install apps loop - for (int i = 0; i < 10; ++i) - { - // Install 10 apps - for (int j = 0; j < app_count; ++j) - { - result = perm_app_install(app_ids[j]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_install. App id: " - << app_ids[j] - << " Loop index: " << i - << ". Result: " << result); - - // Create 10 directories - result = sprintf(app_dirs[j],"/tmp/" APP_ID "%d_%d", j, i); - RUNNER_ASSERT_MSG(result > 0, - "Cannot generate directory name for app nr: " << j - << " Loop index: " << i); - result = mkdir(app_dirs[j], S_IRWXU | S_IRGRP | S_IXGRP); - RUNNER_ASSERT_MSG(result == 0 || errno == EEXIST, - "Cannot create directory: " << app_dirs[j]); - result = nftw(app_dirs[j], &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in: " << app_dirs[j] - << ". Result: " << result); - } - - // Give permissions from api-features - for (int j = 0; j < (app_count/2); ++j) - { - // add persistent api feature permissions - result = perm_app_enable_permissions(app_ids[j], APP_TYPE_OSP, - TEST_OSP_FEATURE_PRIVS, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_enable_permissions from OSP Feature. App id: " - << app_ids[j] << " Loop index: " << i << ". Result: " << result); - - result = perm_app_enable_permissions(app_ids[j+5], APP_TYPE_WGT, - TEST_WGT_FEATURE_PRIVS, 1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_enable_permissions from WGT Feature. App id: " - << app_ids[j+5] << " Loop index: " << i << ". Result: " << result); - } - - // Add app shared dirs - APP_PATH_PRIVATE (apps 0, 5) - result = perm_app_setup_path(app_ids[0], app_dirs[0], APP_PATH_PRIVATE); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[0] - << " Loop index: " << i << ". Result: " << result); - result = perm_app_setup_path(app_ids[5], app_dirs[5], APP_PATH_PRIVATE); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[5] - << " Loop index: " << i << ". Result: " << result); - - // Add app shared dir - APP_PATH_GROUP_RW (apps 1, 2, 6) - result = perm_app_setup_path(app_ids[1], app_dirs[1], - APP_PATH_GROUP_RW, APPID_SHARED_DIR); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[1] - << " Loop index: " << i << ". Result: " << result); - result = perm_app_setup_path(app_ids[2], app_dirs[2], - APP_PATH_GROUP_RW, APPID_SHARED_DIR); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[2] - << " Loop index: " << i << ". Result: " << result); - result = perm_app_setup_path(app_ids[6], app_dirs[6], - APP_PATH_GROUP_RW, APPID_SHARED_DIR); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[6] - << " Loop index: " << i << ". Result: " << result); - - // Add app shared dir - APP_PATH_PUBLIC_RO (apps 3, 7, 8) - result = perm_app_setup_path(app_ids[3], app_dirs[3], - APP_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[1] - << " Loop index: " << i << ". Result: " << result); - result = perm_app_setup_path(app_ids[7], app_dirs[7], - APP_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[7] - << " Loop index: " << i << ". Result: " << result); - result = perm_app_setup_path(app_ids[8], app_dirs[8], - APP_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[8] - << " Loop index: " << i << ". Result: " << result); - - // Add app shared dir - APP_PATH_SETTINGS_RW (apps ,4, 9) - result = perm_app_setup_path(app_ids[4], app_dirs[4], - APP_PATH_SETTINGS_RW); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[4] - << " Loop index: " << i << ". Result: " << result); - result = perm_app_setup_path(app_ids[9], app_dirs[9], - APP_PATH_SETTINGS_RW); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_setup_path. App id: " << app_ids[9] - << " Loop index: " << i << ". Result: " << result); - - // Verify that some previously installed app does not have - // any acces to app 0 and app 5 PRIVATE folders - for (int j = 0; j < app_count; ++j) - { - // Apps 1-9 should not have any access to app 0 - if (j != 0) - { - result = test_have_any_accesses( - FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[0]) - ); - RUNNER_ASSERT_MSG(result == 0, - "Other app (app id: " << app_ids[j] << - ") has access to private label of: " << app_ids[0] << - ". It may not be shared. Loop index: " << i << "."); - } - - // Apps 0-4 and 6-9 should not have any access to app 5 - if (j != 5) - { - result = test_have_any_accesses( - FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[5]) - ); - RUNNER_ASSERT_MSG(result == 0, - "Other app (app id: " << app_ids[j] << - ") has access to private label of: " << app_ids[5] << - ". It may not be shared. Loop index: " << i << "."); - } - } // End for Verify PRIVATE - - // Verify that apps 1, 2 and 6 have all accesses to GROUP_RW folders - result = test_have_all_accesses( - (const std::vector< std::vector >) { - { app_ids[1], APPID_SHARED_DIR, "rwxatl" }, - { app_ids[2], APPID_SHARED_DIR, "rwxatl" }, - { app_ids[6], APPID_SHARED_DIR, "rwxatl" } } ); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to Group RW dir are granted. Loop index: " - << i); - - // Get autogenerated Public_RO labels - char *label; - result = smack_getlabel(app_dirs[3], &label, - SMACK_LABEL_ACCESS ); - RUNNER_ASSERT_MSG(result == 0, - "Cannot get access label from Public RO shared dir: " << app_dirs[3] - << " . Loop index: " << i << ". Result: " << result); - shared_dir3_auto_label = label; - free(label); - - result = smack_getlabel(app_dirs[7], &label, - SMACK_LABEL_ACCESS ); - RUNNER_ASSERT_MSG(result == 0, - "Cannot get access label from Public RO shared dir: " << app_dirs[7] - << " . Loop index: " << i << ". Result: " << result); - shared_dir7_auto_label = label; - free(label); - - result = smack_getlabel(app_dirs[8], &label, - SMACK_LABEL_ACCESS ); - RUNNER_ASSERT_MSG(result == 0, - "Cannot get access label from Public RO shared dir: " << app_dirs[8] - << " . Loop index: " << i << ". Result: " << result); - shared_dir8_auto_label = label; - free(label); - - // Verify that all apps have ro permissions to public folders of apps 3, 7 and 8 - // Also apps 3, 7 and 8 should have all permisisons to their own PUBLIC_RO dirs - for (int j = 0; j < app_count; ++j) - { - if (j == 3) - { - result = test_have_all_accesses( - (const std::vector< std::vector >) { - { app_ids[j], shared_dir3_auto_label.c_str(), "rwxatl" } } ); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to owned Public RO dir are granted. App id: " - << app_ids[j] << " Loop index: " << i); - // Verify that there are no extra permissions to public dirs - result = test_have_any_accesses( - (const std::vector< std::vector >) { - { app_ids[j], shared_dir7_auto_label.c_str(), "w" }, - { app_ids[j], shared_dir7_auto_label.c_str(), "t" }, - { app_ids[j], shared_dir8_auto_label.c_str(), "w" }, - { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } ); - RUNNER_ASSERT_MSG(result == 0, - "Unexpected extra permissions added for app:" << app_ids[j] - << ". Loop index: " << i); - } - if (j == 7) - { - result = test_have_all_accesses( - (const std::vector< std::vector >) { - { app_ids[j], shared_dir7_auto_label.c_str(), "rwxatl" } } ); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to owned Public RO dir are granted. App id: " - << app_ids[j] << " Loop index: " << i); - // Verify that there are no extra permissions to public dirs - result = test_have_any_accesses( - (const std::vector< std::vector >) { - { app_ids[j], shared_dir3_auto_label.c_str(), "w" }, - { app_ids[j], shared_dir3_auto_label.c_str(), "t" }, - { app_ids[j], shared_dir8_auto_label.c_str(), "w" }, - { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } ); - RUNNER_ASSERT_MSG(result == 0, - "Unexpected extra permissions added for app:" << app_ids[j] - << ". Loop index: " << i); - } - if (j == 8) - { - result = test_have_all_accesses( - (const std::vector< std::vector >) { - { app_ids[j], shared_dir8_auto_label.c_str(), "rwxatl" } } ); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to owned Public RO dir are granted. App id: " - << app_ids[j] << " Loop index: " << i); - // Verify that there are no extra permissions to other public dirs - result = test_have_any_accesses( - (const std::vector< std::vector >) { - { app_ids[j], shared_dir3_auto_label.c_str(), "w" }, - { app_ids[j], shared_dir3_auto_label.c_str(), "t" }, - { app_ids[j], shared_dir7_auto_label.c_str(), "w" }, - { app_ids[j], shared_dir7_auto_label.c_str(), "t" } } ); - RUNNER_ASSERT_MSG(result == 0, - "Unexpected extra permissions added for app:" << app_ids[j] - << ". Loop index: " << i); - } - - result = test_have_all_accesses( - (const std::vector< std::vector >) { - { app_ids[j], shared_dir3_auto_label.c_str(), "rx" }, - { app_ids[j], shared_dir7_auto_label.c_str(), "rx" }, - { app_ids[j], shared_dir8_auto_label.c_str(), "rx" } } ); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to Public RO dirs are granted. App id: " - << app_ids[j] << ". Loop index: " << i); - } // End for Verify PUBLIC_RO - - // Get autogenerated SETTING_RW labels - result = smack_getlabel(app_dirs[4], &label, - SMACK_LABEL_ACCESS ); - RUNNER_ASSERT_MSG(result == 0, - "Cannot get access label from App-Setting shared dir: " - << app_dirs[4] << " . Loop index: " << i - << ". Result: " << result); - setting_dir4_auto_label = label; - free(label); - - result = smack_getlabel(app_dirs[9], &label, - SMACK_LABEL_ACCESS ); - RUNNER_ASSERT_MSG(result == 0, - "Cannot get access label from App-Setting shared dir: " - << app_dirs[9] << " . Loop index: " << i - << ". Result: " << result); - setting_dir9_auto_label = label; - free(label); - - // Verify that setting app has rwx permission to app-settings dirs and rx to apps - result = smack_have_access(app_ids[4], setting_dir4_auto_label.c_str(), "rwxatl"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to App-Setting dir are granted." - << app_ids[4] << " " << setting_dir4_auto_label - << " Loop index: " << i); - result = smack_have_access(app_ids[9], setting_dir9_auto_label.c_str(), "rwxatl"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to App-Setting dir are granted." - << app_ids[9] << " " << setting_dir9_auto_label - << " Loop index: " << i); - result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[4], "rx"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to App-Setting dir are granted." - << APP_TEST_SETTINGS_ASP1 << " " << app_ids[4] - << " Loop index: " << i); - result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[9], "rx"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to App-Setting dir are granted." - << APP_TEST_SETTINGS_ASP1 << " " << app_ids[9] - << " Loop index: " << i); - result = smack_have_access(APP_TEST_SETTINGS_ASP1, setting_dir4_auto_label.c_str(), "rwx"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to App-Setting dir are granted." - << APP_TEST_SETTINGS_ASP1 << " " << setting_dir4_auto_label - << " Loop index: " << i); - result = smack_have_access(APP_TEST_SETTINGS_ASP1, setting_dir9_auto_label.c_str(), "rwx"); - RUNNER_ASSERT_MSG(result == 1, - "Not all accesses to App-Setting dir are granted." - << APP_TEST_SETTINGS_ASP1 << " " << setting_dir9_auto_label - << " Loop index: " << i); - - - - // Check if api-features permissions are added properly - for (int j = 0; j < 5; ++j) - { - result = test_have_all_accesses( - (const std::vector< std::vector >) { - { app_ids[j], app_ids[6], "r" }, - { app_ids[j], app_ids[7], "rxl" }, - { app_ids[j], app_ids[8], "rwxal" }, - { app_ids[j], app_ids[9], "rwxatl" } } ); - RUNNER_ASSERT_MSG(result == 1, - "Not all permisions from api features added for app id: " - << app_ids[j] << ". Loop index: " << i); - } - - for (int j = 5; j < app_count; ++j) - { - result = test_have_all_accesses( - (const std::vector< std::vector >) { - { app_ids[j], app_ids[1], "r" }, - { app_ids[j], app_ids[2], "rxl" }, - { app_ids[j], app_ids[3], "rwxal" }, - { app_ids[j], app_ids[4], "rwxatl" } } ); - RUNNER_ASSERT_MSG(result == 1, - "Not all permisions from api features added for app id: " - << app_ids[j] << ". Loop index: " << i); - } - - // Revoke permissions - for (int j = 0; j < app_count; ++j) - { - result = perm_app_revoke_permissions(app_ids[j]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_revoke_permissions. App id: " - << app_ids[j] << " Loop index: " << i - << ". Result: " << result); - } - - // Check if permissions are removed properly - for (int j = 0; j < app_count; ++j) - { - // To all other apps - for (int k = 0; k < app_count; ++k) - if (j != k) - { - result = test_have_any_accesses( - FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[k]) - ); - RUNNER_ASSERT_MSG(result == 0, - "Not all permisions revoked. Subject: " << app_ids[j] - << " Object: " << app_ids[k] << " Loop index: " << i); - } - } - - // Remove labels from folders and uninstall all apps - for (int j = 0; j < app_count; ++j) - { - result = nftw(app_dirs[j], &nftw_remove_labels, - FTW_MAX_FDS, FTW_PHYS); // rm labels from app folder - RUNNER_ASSERT_MSG(result == 0, - "Unable to clean up Smack labels in: " - << app_dirs[j] << " . Loop index: " << i - << ". Result: " << result); - - result = perm_app_uninstall(app_ids[j]); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall for app: " - << app_ids[j] << " . Loop index: " << i - << ". Result: " << result); - } - - // Remove created dirs - for (int j = 0; j < app_count; ++j) - { - result = rmdir(app_dirs[j]); - RUNNER_ASSERT_MSG(result == 0, - "Cannot remove directory: " << app_dirs[j]); - } - } // END Install app loop - - // Uninstall setting app - result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1); - RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, - "Error in perm_app_uninstall. Result: " << result); - -} diff --git a/tests/libprivilege-control-tests/test_cases_incorrect_params.cpp b/tests/libprivilege-control-tests/test_cases_incorrect_params.cpp new file mode 100644 index 0000000..a101580 --- /dev/null +++ b/tests/libprivilege-control-tests/test_cases_incorrect_params.cpp @@ -0,0 +1,165 @@ +/* + * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +*/ + +/* + * @file test_cases.cpp + * @author Jan Olszak (j.olszak@samsung.com) + * @author Rafal Krypa (r.krypa@samsung.com) + * @version 1.0 + * @brief libprivilege-control test runner + */ + +#include +#include +#include +#include +#include + + + +////////////////////////////////////////////////////// +//TEST FOR INCORRECT PARAMS CHECK IN LIBPRIVILEGE APIS +////////////////////////////////////////////////////// + +RUNNER_TEST_GROUP_INIT(libprivilegecontrol_incorrect_params) + +RUNNER_TEST(privilege_control21a_incorrect_params_get_smack_label_from_process) +{ + RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_CORRECT, NULL) == PC_ERR_INVALID_PARAM, + "get_smack_label_from_process didn't check if smack_label isn't NULL."); + + char aquired_smack_label[SMACK_LABEL_LEN+1]; + RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_INCORRECT, aquired_smack_label) == PC_ERR_INVALID_PARAM, + "get_smack_label_from_process didn't check for correct pid."); +} + +RUNNER_TEST_SMACK(privilege_control21b_incorrect_params_smack_pid_have_access) +{ + RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "some_object", NULL) == -1, + "smack_pid_have_access didn't check if access_type isn't NULL."); + RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, NULL, "rw") == -1, + "smack_pid_have_access didn't check if object isn't NULL."); + RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "", "rw") == -1, + "smack_pid_have_access didn't check if object isn't empty."); + RUNNER_ASSERT_MSG(smack_pid_have_access(PID_INCORRECT, "some_object", "rw") == -1, + "smack_pid_have_access didn't check for correct pid."); +} + +RUNNER_TEST(privilege_control21c_incorrect_params_perm_app_set_privilege) +{ + RUNNER_ASSERT_MSG(perm_app_set_privilege(NULL, NULL, APP_SET_PRIV_PATH) == PC_ERR_INVALID_PARAM, + "perm_app_set_privilege didn't check if package name isn't NULL."); +} + +RUNNER_TEST(privilege_control21d_incorrect_params_perm_app_install) +{ + RUNNER_ASSERT_MSG(perm_app_install(NULL) == PC_ERR_INVALID_PARAM, + "perm_app_install didn't check if pkg_id isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_install("") == PC_ERR_INVALID_PARAM, + "perm_app_install didn't check if pkg_id isn't empty."); +} + +RUNNER_TEST(privilege_control21e_incorrect_params_perm_app_uninstall) +{ + RUNNER_ASSERT_MSG(perm_app_uninstall(NULL) == PC_ERR_INVALID_PARAM, + "perm_app_uninstall didn't check if pkg_id isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_uninstall("") == PC_ERR_INVALID_PARAM, + "perm_app_uninstall didn't check if pkg_id isn't empty."); +} + +RUNNER_TEST(privilege_control21f_incorrect_params_perm_app_enable_permissions) +{ + RUNNER_ASSERT_MSG(perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, NULL, 1) == PC_ERR_INVALID_PARAM, + "perm_app_enable_permissions didn't check if perm_list isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_enable_permissions(NULL, APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, + "perm_app_enable_permissions didn't check if pkg_id isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_enable_permissions("", APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, + "perm_app_enable_permissions didn't check if pkg_id isn't empty."); + RUNNER_ASSERT_MSG(perm_app_enable_permissions("~APP~", APP_TYPE_OTHER, PRIVS2, 1) == PC_ERR_INVALID_PARAM, + "perm_app_enable_permissions didn't check if pkg_id is valid"); +} + +RUNNER_TEST(privilege_control21g_incorrect_params_app_revoke_permissions) +{ + RUNNER_ASSERT_MSG(perm_app_revoke_permissions(NULL) == PC_ERR_INVALID_PARAM, + "perm_app_revoke_permissions didn't check if pkg_id isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_revoke_permissions("") == PC_ERR_INVALID_PARAM, + "perm_app_revoke_permissions didn't check if pkg_id isn't empty."); + RUNNER_ASSERT_MSG(perm_app_revoke_permissions("~APP~") == PC_ERR_INVALID_PARAM, + "perm_app_revoke_permissions didn't check if pkg_id is valid."); +} + +RUNNER_TEST(privilege_control21h_incorrect_params_app_reset_permissions) +{ + RUNNER_ASSERT_MSG(perm_app_reset_permissions(NULL) == PC_ERR_INVALID_PARAM, + "perm_app_reset_permissions didn't check if pkg_id isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_reset_permissions("") == PC_ERR_INVALID_PARAM, + "perm_app_reset_permissions didn't check if pkg_id isn't empty."); + RUNNER_ASSERT_MSG(perm_app_reset_permissions("~APP~") == PC_ERR_INVALID_PARAM, + "perm_app_reset_permissions didn't check if pkg_id is valid."); +} + +RUNNER_TEST(privilege_control21i_incorrect_params_app_setup_path) +{ + RUNNER_ASSERT_MSG(perm_app_setup_path(APPID_DIR, NULL, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, + "perm_app_setup_path didn't check if path isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_setup_path(NULL, TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, + "perm_app_setup_path didn't check if pkg_id isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_setup_path("", TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, + "perm_app_setup_path didn't check if pkg_id isn't empty."); + RUNNER_ASSERT_MSG(perm_app_setup_path("~APP~", TEST_APP_DIR, APP_PATH_PRIVATE) == PC_ERR_INVALID_PARAM, + "perm_app_setup_path didn't check if pkg_id is valid."); +} + +RUNNER_TEST(privilege_control21j_incorrect_params_app_add_friend) +{ + RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented"); + + RUNNER_ASSERT_MSG(perm_app_add_friend(NULL, APP_FRIEND_2) == PC_ERR_INVALID_PARAM, + "perm_app_add_friend didin't check if pkg_id1 isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_add_friend("", APP_FRIEND_2) == PC_ERR_INVALID_PARAM, + "perm_app_add_friend didin't check if pkg_id1 isn't empty."); + RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, NULL) == PC_ERR_INVALID_PARAM, + "perm_app_add_friend didin't check if pkg_id2 isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, "") == PC_ERR_INVALID_PARAM, + "perm_app_add_friend didin't check if pkg_id2 isn't empty."); + RUNNER_ASSERT_MSG(perm_app_add_friend("~APP~", APP_FRIEND_2) == PC_ERR_INVALID_PARAM, + "perm_app_add_friend didin't check if pkg_id1 is valid."); + RUNNER_ASSERT_MSG(perm_app_add_friend(APP_FRIEND_1, "~APP~") == PC_ERR_INVALID_PARAM, + "perm_app_add_friend didin't check if pkg_id2 is valid."); +} + +RUNNER_TEST(privilege_control21k_incorrect_params_add_api_feature) +{ + RUNNER_ASSERT_MSG(perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0) == PC_ERR_INVALID_PARAM, + "perm_add_api_feature didn't check if api_feature_name isn't NULL."); + RUNNER_ASSERT_MSG(perm_add_api_feature(APP_TYPE_OSP, "", NULL, NULL, 0) == PC_ERR_INVALID_PARAM, + "perm_add_api_feature didn't check if api_feature_name isn't empty."); +} + +RUNNER_TEST(privilege_control21l_incorrect_params_ignored_disable_permissions) +{ + RUNNER_ASSERT_MSG(perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, NULL) == PC_ERR_INVALID_PARAM, + "perm_app_disable_permissions didn't check if perm_list isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_disable_permissions(NULL, APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, + "perm_app_disable_permissions didn't check if pkg_id isn't NULL."); + RUNNER_ASSERT_MSG(perm_app_disable_permissions("", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, + "perm_app_disable_permissions didn't check if pkg_id isn't empty."); + RUNNER_ASSERT_MSG(perm_app_disable_permissions("~APP~", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, + "perm_app_disable_permissions didn't check if pkg_id is valid."); +} + + diff --git a/tests/libprivilege-control-tests/test_cases_nosmack.cpp b/tests/libprivilege-control-tests/test_cases_nosmack.cpp new file mode 100644 index 0000000..01570e4 --- /dev/null +++ b/tests/libprivilege-control-tests/test_cases_nosmack.cpp @@ -0,0 +1,1074 @@ +/* + * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +*/ + +/* + * @file test_cases.cpp + * @author Jan Olszak (j.olszak@samsung.com) + * @author Rafal Krypa (r.krypa@samsung.com) + * @version 1.0 + * @brief libprivilege-control test runner + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#define APP_GID 5000 +#define APP_UID 5000 + +#define APP_USER_NAME "app" +#define APP_HOME_DIR "/opt/home/app" + + +#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL" + +namespace { +typedef std::unique_ptr > SmackUniquePtr; + +void closefdptr(int* fd) { close(*fd); } +typedef std::unique_ptr > FDUniquePtr; +} + +///////////////////////////////////////// +//////NOSMACK ENVIRONMENT TESTS////////// +///////////////////////////////////////// + +/** + * NOSMACK version of nftw_check_labels_app_shared_dir function. + * + * This function used with nftw should expect -1 result from smack_have_access instead of 1. + */ +int nftw_check_labels_app_shared_dir_nosmack(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW* /*ftwbuf*/) +{ + int result; + char* label; + + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); + RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set"); + + result = strcmp(APPID_SHARED_DIR, label); + RUNNER_ASSERT_MSG(result == 0, + "ACCESS label on " << fpath << " is incorrect. Result: " << result); + + //The only exception in nftw_check_labels_app_shared_dir + //smack_have_access returns -1 because of no SMACK. + result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); + + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); + if (S_ISDIR(sb->st_mode)) { + RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set"); + result = strcmp("TRUE", label); + RUNNER_ASSERT_MSG(result == 0, + "TRANSMUTE label on " << fpath << " is not set. Result: " << result); + } else + RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); + + return 0; +} + +RUNNER_TEST_GROUP_INIT(libprivilegecontrol_nosmack) + +/** + * NOSMACK version of privilege_control03 test. + * + * Uses nosmack version of nftw_check_labels_app_shared_dir (defined above). + */ +RUNNER_TEST_NOSMACK(privilege_control03_app_label_shared_dir_nosmack) +{ + int result; + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID); + RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS, + "perm_app_setup_path should fail here. Result: " << result); + + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Unable to clean up Smack labels in " << TEST_APP_DIR); + + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "perm_app_setup_path() failed. Result: " << result); + + result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir_nosmack, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Unable to check Smack labels for shared app dir"); + + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Unable to check Smack labels for non-app dir"); +} + +/** + * NOSMACK version of test_have_accesses functions. + * + * This will be used in many tests. Checks if for every rule smack_have_access returns error. + * If for any of rules smack_have_access will return something different than error, this result + * is being returned to caller. + */ +int test_have_nosmack_accesses(const std::vector< std::vector > &rules) +{ + int result; + for (uint i = 0; i < rules.size(); ++i) { + result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str()); + if (result != -1) + return result; + } + return -1; +} + +/** + * NOSMACK version of privilege_control04 test. + * + * Tries to add permisions from test_privilege_control_rules template and checks if + * smack_have_access returns -1 on check between every rule. + */ +RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack) +{ + //Add permissions + auto result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error adding app permissions. Result: " << result); + + //Check if smack_have_access always fails on every rule + result = test_have_nosmack_accesses(rules); + RUNNER_ASSERT_MSG(result == -1, + "Despite SMACK being off some accesses were added. Result: " << result); + + //Does file exist? + std::fstream fs(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary); + RUNNER_ASSERT_MSG(fs.good(), "SMACK file NOT created!. Errno: " << strerror(errno)); + + fs.seekg(0, std::ifstream::end); + RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty, but privileges list was not empty."); +} + +/** + * NOSMACK version of privilege_control05_add_shared_dir_readers test. + * + * This test is very similar to it's SMACK version - only difference is different result expected + * from smack_have_access. + */ +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +RUNNER_TEST_NOSMACK(privilege_control05_add_shared_dir_readers_nosmack) +{ + const char* test_obj = "TEST_OBJECT"; + const char* test_obj_some_other = "TEST_OBJA"; + const char* test_str_01 = "TEST_raz TEST_OBJECT r-x--- ------"; + const char* test_str_21 = "TEST_trzy TEST_OBJA -wx---"; + const char* test_str_22 = "TEST_trzy TEST_OBJECT r-x--- ------"; + + int result; + int i; + int fd = -1; + + const char* app_labels_wrong[] = {"-TEST_raz", NULL}; + const char* app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL}; + const int READ_BUF_SIZE = 1000; + char buf[READ_BUF_SIZE]; + smack_accesses* tmp = NULL; + + //test environment cleaning + cleaning_smack_app_files(); + + //test what happens when the label is not correct SMACK label + result = add_shared_dir_readers(test_obj,app_labels_wrong); + RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, + "add_shared_dir_readers should fail here. Result: " << result); + result = smack_have_access(app_labels_wrong[0],test_obj,"rx"); + RUNNER_ASSERT_MSG(result != 1, + "add_shared_dir_readers should not grant permission here. Result: " << result); + + //install new apps + result = smack_accesses_new(&tmp); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in smack_accesses_new. Result: " << result); + + //Wrap rules and fd into unique_ptrs for garbage collection + SmackUniquePtr rules(tmp, smack_accesses_free); + FDUniquePtr fd_ptr(&fd, closefdptr); + + std::stringstream path; + for (i = 0; i < 3; i++) { + result = perm_app_revoke_permissions(app_labels[i]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_revoke_permissions. Result: " << result); + result = perm_app_uninstall(app_labels[i]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_install. Result: " << result); + result = perm_app_install(app_labels[i]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_install. Result: " << result); + + path << SMACK_RULES_DIR << app_labels[i]; + + fd = open(path.str().c_str(), O_WRONLY, 0644); + RUNNER_ASSERT_MSG(fd != -1, "Error in opening file"); + + if (i == 1) { + result = smack_accesses_add(rules.get(), app_labels[i], test_obj, "wt"); + RUNNER_ASSERT_MSG(result == 0, + "smack_accesses_add failed. Result: " << result); + } + + if (i == 2) { + result = smack_accesses_new(&tmp); + RUNNER_ASSERT_MSG(result == 0, + "Failed to allocate memory for rules."); + + rules.reset(tmp); + + result = smack_accesses_add(rules.get(), app_labels[i], + test_obj_some_other, "wx"); + RUNNER_ASSERT_MSG(result == 0, + "smack_accesses_add failed. Result: " << result); + } + + result = smack_accesses_apply(rules.get()); + RUNNER_ASSERT_MSG(result == -1, + "smack_accesses_apply should fail (SMACK is off). Result: " << result); + + result = smack_accesses_save(rules.get(), fd); + RUNNER_ASSERT_MSG(result == 0, + "smack_accesses_save failed. Result: " << result); + + //cleanup + path.str(std::string()); + } + + //Use add_shared_dir_readers and check if smack_have_access still fails + result = add_shared_dir_readers(test_obj,app_labels); + RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed. Result: " << result); + + result = smack_have_access(app_labels[0],test_obj,"rx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_have_access(app_labels[1],test_obj,"rx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_have_access(app_labels[2],test_obj,"rx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_have_access(app_labels[1],test_obj,"rwxt"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_have_access(app_labels[2],test_obj_some_other,"wx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + //Test if files are properly formatted + path << SMACK_RULES_DIR << app_labels[0]; + RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno)); + + std::fstream fs(path.str().c_str(), std::ios_base::in); + RUNNER_ASSERT_MSG(fs.good(), "Opening file stream failed. Error: " << strerror(errno)); + + fs.get(buf, READ_BUF_SIZE); + result = strcmp(buf, test_str_01); + RUNNER_ASSERT_MSG(result == 0, + "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() << + ". Result: " << result); + + //Clean up before another test + path.str(std::string()); + fs.close(); + + path << SMACK_RULES_DIR << app_labels[2]; + RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno)); + + fs.open(path.str().c_str(), std::ios_base::in); + RUNNER_ASSERT_MSG(fs.good(), "fopen failed, errno:" << strerror(errno)); + + fs.getline(buf, READ_BUF_SIZE); + result = strcmp(buf, test_str_21); + RUNNER_ASSERT_MSG( result == 0, + "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() + << ". Result: " << result); + + fs.getline(buf, READ_BUF_SIZE); + result = strcmp(buf, test_str_22); + RUNNER_ASSERT_MSG( result == 0, + "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() + << ". Result: " << result); +} +#pragma GCC diagnostic warning "-Wdeprecated-declarations" + + +/** + * NOSMACK version of privilege_control05_set_app_privilege test. + * + * Another very similar test to it's SMACK version, this time smack_new_label_from_self is + * expected to return different result. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack) +{ + int result; + + //Preset exec label + smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC); + smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC); + + //Set app privileges + result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + //Check if DAC privileges really set + RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID"); + RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID"); + + result = strcmp(getenv("HOME"), APP_HOME_DIR); + RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR. Result: " << result); + + result = strcmp(getenv("USER"), APP_USER_NAME); + RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME. Result: " << result); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_wgt test. + * + * Same as the above, plus uses test_have_nosmack_accesses instead of test_have_all_accesses. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_nosmack) +{ + int result; + + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_wgt); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_wgt_partner test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_partner_nosmack) +{ + int result; + + result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_wgt_partner); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_wgt_platform test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_platform_nosmack) +{ + int result; + + result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_wgt_platform); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_osp test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_nosmack) +{ + int result; + + result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_osp); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_osp_partner test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_partner_nosmack) +{ + int result; + + result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_osp_partner); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added."); + + result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_osp_platform test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nosmack) +{ + int result; + + result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_osp_platform); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); +} + +/** + * NOSMACK version of checkOnlyAvAccess function. + * + * Expects error instead of access granted/forbidden from smack_have_access. + */ +void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment) +{ + int result; + result = smack_have_access(av_id, app_id, "rwx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result + << " when testing " << comment); + result = smack_have_access(av_id, app_id, "a"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result + << " when testing " << comment); + result = smack_have_access(av_id, app_id, "t"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result + << " when testing " << comment); +} + +/* + * NOSMACK version of privilege_control10_app_register_av test. + * + * Uses NOSMACK version of checkOnlyAvAccess (mentioned above), rest of the test is identical to + * it's SMACK version. + */ +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +RUNNER_TEST_NOSMACK(privilege_control10_app_register_av_nosmack) +{ + RUNNER_IGNORED_MSG("app_register_av is not implemented"); + int result; + + // cleaning + smack_revoke_subject(APP_TEST_AV_1); + smack_revoke_subject(APP_TEST_AV_2); + + cleaning_smack_app_files(); + + // Adding two apps before antivir + result = perm_app_install(APP_TEST_APP_1); + RUNNER_ASSERT_MSG(result == 0, + "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + result = perm_app_install(APP_TEST_APP_2); + RUNNER_ASSERT_MSG(result == 0, + "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + // Adding antivir + result = app_register_av(APP_TEST_AV_1); + RUNNER_ASSERT_MSG(result == 0, + "app_register_av returned " << result << ". Errno: " << strerror(errno)); + + // Checking added apps accesses + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)"); + + // Adding third app + result = perm_app_install(APP_TEST_APP_3); + RUNNER_ASSERT_MSG(result == 0, + "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + // Checking app accesses + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)"); + + // Adding second antivir + result = app_register_av(APP_TEST_AV_2); + RUNNER_ASSERT_MSG(result == 0, + "app_register_av returned " << result << ". Errno: " << strerror(errno)); + + // Checking app accesses + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); + + // cleaning + smack_revoke_subject(APP_TEST_AV_1); + smack_revoke_subject(APP_TEST_AV_2); + + cleaning_smack_app_files(); + +} +#pragma GCC diagnostic warning "-Wdeprecated-declarations" + +/** + * NOSMACK version of privilege_control11_app_enable_permissions test. + * + * Since the original test did the same thing around five times, there is no need to redo the + * same test for perm_app_enable_permissions. perm_app_enable_permissions will be called once, + * test_have_nosmack_accesses will check if smack_have_access still returns error and then + * we will check if SMACK file was correctly created. + */ +RUNNER_TEST_NOSMACK(privilege_control11_app_enable_permissions_nosmack) +{ + int result; + std::fstream fs; + + result = perm_app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error enabling app permissions. Result: " << result); + + //Check if accesses aren't added + result = test_have_nosmack_accesses(rules2); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + //File exists? + fs.open(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary); + RUNNER_ASSERT_MSG(fs.good(), "Couldn't open SMACK file."); + + //Is it empty? + fs.seekg(0, std::ifstream::end); + RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty with persistant mode 1."); + + //Clean up + result = perm_app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); +} + +/** + * NOSMACK version of privilege_control13 test. + * + * Uses perm_app_reset_permissions and checks with test_have_nosmack_accesses if nothing has + * changed. + */ +RUNNER_TEST_NOSMACK(privilege_control13_app_reset_permissions_nosmack) +{ + int result; + + // Prepare permissions to reset + result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error adding app permissions. Result: " << result); + + // Reset permissions + result = perm_app_reset_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error reseting app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules2); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be changed. Result: " << result); + + // Disable permissions + result = perm_app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error disabling app permissions. Result: " << result); +} + +/** + * NOSMACK version of privilege_control14 test. + * + * Similarily as app_enable_permissions test. This time perm_app_add_friend is called twice, once + * when both friends exist, and then when one of them doesn't exist. Other tests are not required - + * results would be the same as earlier. + */ +RUNNER_TEST_NOSMACK(privilege_control14_app_add_friend_nosmack) +{ + RUNNER_IGNORED_MSG("perm_app_add_friend is not implemented"); + + int result; + + result = perm_app_revoke_permissions(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); + + //Regular test. + + //Installing friends to be + result = perm_app_install(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error installing first app. Result: " << result); + result = perm_app_install(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error installing second app. Result: " << result); + + //Making friends + result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error during friend making. Result: " << result); + + //Same as previous tests, smack_have_access should error. + result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + //Clean up + result = perm_app_revoke_permissions(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); + + + //Befriending with imaginary friend. + + //Installing one friend + result = perm_app_install(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error installing first app. Result: " << result); + + //Adding imaginairy friend as second + result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error making friends (first) with imaginairy friend failed. Result: " << result); + //Adding imaginairy friend as first + result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error making friends (second) with imaginairy friend failed. Result: " << result); + + //Same as previous tests, smack_have_access should error. + result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + //Clean up + result = perm_app_revoke_permissions(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); +} + +/** + * NOSMACK version of privilege_control15_app_id_from_socket. + * + * SMACK version of this test case utilized smack_new_label_from_self and smack_set_label_for_self. + * Those functions rely on /proc/self/attr/current file, which is unreadable and has no contents on + * NOSMACK environment. Functions mentioned above were tested during libsmack tests, so they are + * assumed to react correctly and are not tested in this test case. + * + * This test works similarly to libsmack test smack09_new_label_from_socket. At first server and + * client are created then sockets are set up and perm_app_id_from_socket is used. On NOSMACK env + * correct behavior for perm_app_id_from_socket would be returning NULL label. + */ +RUNNER_MULTIPROCESS_TEST_NOSMACK(privilege_control15_app_id_from_socket_nosmack) +{ + int pid; + struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH}; + + //Clean up before creating socket + unlink(SOCK_PATH); + + //Create our server and client with fork + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "Fork failed"); + + if (!pid) { //child (server) + int sock, result, fd; + + //Create a socket + sock = socket(AF_UNIX, SOCK_STREAM, 0); + RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno)); + + //Bind socket to address + result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); + if (result != 0) { + close(sock); + RUNNER_ASSERT_MSG(false, "bind failed: " << strerror(errno)); + } + + //Prepare for listening + result = listen(sock, 1); + if (result != 0) { + close(sock); + RUNNER_ASSERT_MSG(false, "listen failed: " << strerror(errno)); + } + + //Accept connection + alarm(2); + fd = accept(sock, NULL, NULL); + alarm(0); + RUNNER_ASSERT_MSG(fd >= 0, "accept failed: " << strerror(errno)); + + //Wait a little bit for client to use perm_app_id_from_socket + usleep(200); + + //cleanup + close(sock); + exit(0); + } else { //parent (client) + // Give server some time to setup listening socket + sleep(1); + int sock, result; + char* smack_label = NULL; + + //Create socket + sock = socket(AF_UNIX, SOCK_STREAM, 0); + RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno)); + + //Try connecting to address + result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); + if (result != 0) { + close(sock); + RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno)); + } + + //Use perm_app_id_from_socket. Should fail and return NULL smack_label. + smack_label = perm_app_id_from_socket(sock); + if (smack_label != NULL) { + close(sock); + RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket should fail."); + } + + //cleanup + close(sock); + RUNNER_ASSERT_MSG(smack_label == NULL, "perm_app_id_from_socket should fail."); + } +} + +/** + * Next three functions are defined only because of NOSMACK environment. + * + * Inside check_labels_dir_nosmack, smack_have_access should expect error, not access granted. + */ +int check_labels_dir_nosmack(const char *fpath, const struct stat *sb, + const char *labels_db_path, const char *dir_db_path, + const char *access) +{ + int result; + char* label; + char* label_gen; + char label_temp[SMACK_LABEL_LEN + 1]; + std::fstream fs_db; + + /* ACCESS */ + result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); + RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set"); + + /* EXEC */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); + if (result != 0) { + free(label_gen); + RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result); + } + if (label != NULL) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set."); + } + + /* TRANSMUTE */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); + if (result != 0) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result); + } + if (S_ISDIR(sb->st_mode)) { + if (label == NULL) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set"); + } + result = strcmp("TRUE", label); + if (result != 0) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, + "TRANSMUTE label on " << fpath << " is not set to TRUE Result: " << result); + } + } else if (label != NULL) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set"); + } + + free(label); + + fs_db.open(labels_db_path, std::ios_base::in); + if (!(fs_db.good())) { + free(label_gen); + RUNNER_ASSERT_MSG(false, "Can not open database for apps"); + } + + while(!fs_db.eof()) { + fs_db.getline(label_temp, 255); + result = smack_have_access(label_temp, label_gen, access); + if (result != -1) { //expect error, not access granted + free(label_gen); + RUNNER_ASSERT_MSG(false, "smack_have_access should fail. Result: " << result); + } + } + + fs_db.close(); + + fs_db.open(dir_db_path, std::ios_base::in); + if (!fs_db.good()) { + free(label_gen); + RUNNER_ASSERT_MSG(false, "Can not open database for dirs"); + } + + bool is_dir = false; + while(!fs_db.eof()) { + fs_db.getline(label_temp, 255); + if (strcmp(label_gen, label_temp) == 0) { + is_dir = true; + break; + } + } + + free(label_gen); + + RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db."); + + return 0; +} + +/** + * NOSMACK version of privilege_control18 test. + * + * Uses NOSMACK version of nftw_check_labels_app_public_dir. + */ +RUNNER_TEST_NOSMACK(privilege_control18_app_setup_path_public_nosmack) +{ + int result; + + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result); + + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result); + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO); + RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result); + + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to check Smack labels for non-app dir. Result: " << result); + +} + +/** + * NOSMACK version of privilege_control19 test. + * + * Uses NOSMACK version of nftw_check_labels_app_settings_dir. + */ +RUNNER_TEST_NOSMACK(privilege_control19_app_setup_path_settings_nosmack) +{ + int result; + + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result); + + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result); + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW); + RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result); + + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to check Smack labels for non-app dir. Result: " << result); + +} + +/** + * NOSMACK version of privielge_control21b test. + * + * Instead of error caused by incorrect params expect access granted, becuase SMACK is off. + */ +RUNNER_TEST_NOSMACK(privilege_control21b_incorrect_params_smack_pid_have_access_nosmack) +{ + int result = smack_pid_have_access(PID_CORRECT, "some_object", NULL); + RUNNER_ASSERT_MSG(result == 1, + "smack_pid_have_access should return access granted. Result: " << result); + + result = smack_pid_have_access(PID_CORRECT, NULL, "rw"); + RUNNER_ASSERT_MSG(result == 1, + "smack_pid_have_access should return access granted. Result: " << result); + + result = smack_pid_have_access(PID_CORRECT, NULL, "rw"); + RUNNER_ASSERT_MSG(result == 1, + "smack_pid_have_access should return access granted. Result: " << result); + + result = smack_pid_have_access(PID_INCORRECT, "some_object", "rw"); + RUNNER_ASSERT_MSG(result == 1, + "smack_pid_have_access should return access granted. Result: " << result); +} + + diff --git a/tests/libprivilege-control-tests/test_cases_stress.cpp b/tests/libprivilege-control-tests/test_cases_stress.cpp new file mode 100644 index 0000000..b936b32 --- /dev/null +++ b/tests/libprivilege-control-tests/test_cases_stress.cpp @@ -0,0 +1,817 @@ +/* + * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +*/ + +/* + * @file test_cases.cpp + * @author Jan Olszak (j.olszak@samsung.com) + * @author Rafal Krypa (r.krypa@samsung.com) + * @version 1.0 + * @brief libprivilege-control test runner + */ + +#include +#include +#include +#include +#include +#include + +// ---- Macros and arrays used in stress tests ---- +#define TEST_OSP_FEATURE_APP_ID "test-osp-feature-app" +#define TEST_WGT_FEATURE_APP_ID "test-wgt-feature-app" +#define TEST_OSP_FEATURE "OSP_test-feature.osp_rxl" +#define TEST_WGT_FEATURE "WGT_test-feature.wgt_rxl" + +#define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1" +// OSP Api Feature Test data - gives rxl access to OSP app and rl access to WGT app also! +const char *FILE_PATH_TEST_OSP_FEATURE = "/usr/share/privilege-control/OSP_test-feature.osp_rxl.smack"; +const char *test_osp_feature_rule_set[] = { "~APP~ " TEST_OSP_FEATURE_APP_ID " rxl", + "~APP~ " TEST_WGT_FEATURE_APP_ID " rl", + NULL }; +const char *TEST_OSP_FEATURE_PRIVS[] = { TEST_OSP_FEATURE, NULL }; +// WGT Api Feature Test data - rwx access only to WGT app +const char *FILE_PATH_TEST_WGT_FEATURE = "/usr/share/privilege-control/WRT_test-feature.wgt_rwx.smack"; +const char *test_wgt_feature_rule_set[] = { "~APP~ " TEST_WGT_FEATURE_APP_ID " rwx", + NULL }; +const char *TEST_WGT_FEATURE_PRIVS[] = { TEST_WGT_FEATURE, NULL }; + +const std::vector< std::vector > rules_to_test_any_access1 = { + { TEST_OSP_FEATURE_APP_ID, APP_ID, "r" }, + { TEST_OSP_FEATURE_APP_ID, APP_ID, "w" }, + { TEST_OSP_FEATURE_APP_ID, APP_ID, "x" }, + { TEST_OSP_FEATURE_APP_ID, APP_ID, "a" }, + { TEST_OSP_FEATURE_APP_ID, APP_ID, "t" }, + { TEST_OSP_FEATURE_APP_ID, APP_ID, "l" } +}; + +const std::vector< std::vector > rules_to_test_any_access2 = { + { APP_ID, TEST_OSP_FEATURE_APP_ID, "r" }, + { APP_ID, TEST_OSP_FEATURE_APP_ID, "x" }, + { APP_ID, TEST_OSP_FEATURE_APP_ID, "l" }, + { APP_ID, TEST_WGT_FEATURE_APP_ID, "r" }, + { APP_ID, TEST_WGT_FEATURE_APP_ID, "w" }, + { APP_ID, TEST_WGT_FEATURE_APP_ID, "x" }, + { APP_ID, TEST_WGT_FEATURE_APP_ID, "l" } +}; + +#define FMT_VECTOR_TO_TEST_ANY_ACCESS(sub,obj) \ + (const std::vector< std::vector >) { \ + { sub, obj, "r" }, \ + { sub, obj, "w" }, \ + { sub, obj, "x" }, \ + { sub, obj, "a" }, \ + { sub, obj, "t" }, \ + { sub, obj, "l" } } + +/** + * Test - Simulation of 100 installations and uninstallations of one application. + * Installed application will have various kind of permissions from api + * features and shared folders. + */ + +RUNNER_TEST_GROUP_INIT(libprivilegecontrol_stress) + +RUNNER_TEST(privilege_control22_app_installation_1x100) +{ + int result; + std::string shared_dir_auto_label; + + // Clear any previously created apps, files, labels and permissions + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in: " << TEST_APP_DIR + << ". Result: " << result); + + result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in: " << TEST_NON_APP_DIR + << ". Result: " << result); + + result = perm_app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_revoke_permissions. Result: " << result); + + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall. Result: " << result); + + // remove api features by deleting files + // TODO: Rewrite deleting features + unlink(FILE_PATH_TEST_OSP_FEATURE); + unlink(FILE_PATH_TEST_WGT_FEATURE); + + // Install setting app and give it app-setting permissions + result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_revoke_permissions. Result: " << result); + result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall. Result: " << result); + result = perm_app_install(APP_TEST_SETTINGS_ASP1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_install. Result: " << result); + result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1, + APP_TYPE_OSP, PRIV_APPSETTING, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error enabling App-Setting permissions. Result: " << result); + + // Install one additional app (used to check perm to shared directories) + result = perm_app_revoke_permissions(TEST_OSP_FEATURE_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_revoke_permissions. Result: " << result); + result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall. Result: " << result); + result = perm_app_install(TEST_OSP_FEATURE_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_install. Result: " << result); + result = perm_app_enable_permissions(TEST_OSP_FEATURE_APP_ID, + APP_TYPE_OSP,(const char*[]) {NULL}, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error enabling permissions. Result: " << result); + + // Register two valid api features + result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE, + test_osp_feature_rule_set, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: " + << TEST_OSP_FEATURE << ". Result: " << result); + + result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE, + test_wgt_feature_rule_set, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: " + << TEST_WGT_FEATURE << ". Result: " << result); + + + // Install app loop + for (int i = 0; i < 100; ++i) + { + // Add application + result = perm_app_install(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_install. Loop index: " << i + << ". Result: " << result); + + // Add persistent permissions + result = perm_app_enable_permissions(APP_ID, APP_TYPE_OSP, + TEST_OSP_FEATURE_PRIVS, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_enable_permissions from OSP Feature. Loop index: " + << i << ". Result: " << result); + + result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT, + TEST_WGT_FEATURE_PRIVS, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_enable_permissions from WGT Feature. Loop index: " + << i << ". Result: " << result); + + // add shared dirs + switch (i%2) // separate odd and even loop runs + { + case 0: // Shared dirs: APP_PATH_PRIVATE & APP_PATH_PUBLIC_RO + { + // Add app shared dir - APP_PATH_PRIVATE + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, + APP_PATH_PRIVATE); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. Loop index: " << i + << ". Result: " << result); + + // Add app shared dir - APP_PATH_PUBLIC_RO + result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR, + APP_PATH_PUBLIC_RO); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. Loop index: " << i + << ". Result: " << result); + + // Verify that some previously installed app does not have any access + // to APP_ID private label + result = test_have_any_accesses(rules_to_test_any_access1); + RUNNER_ASSERT_MSG(result == 0, + "Error - other app has access to private label. Loop index: " + << i); + + // Get autogenerated Public RO label + char *label; + result = smack_getlabel(TEST_NON_APP_DIR, &label, + SMACK_LABEL_ACCESS ); + RUNNER_ASSERT_MSG(result == 0, + "Cannot get access label from Public RO shared dir. Loop index: " + << i << ". Result: " << result); + shared_dir_auto_label = label; + free(label); + + // Verify that all permissions to public dir have been added + // correctly, also to other app + result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to Public RO dir are granted. Loop index: " + << i); + + result = smack_have_access(TEST_OSP_FEATURE_APP_ID, shared_dir_auto_label.c_str(), "rx" ); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to Public RO dir are granted. Loop index: " + << i); + + break; + } + case 1: // Shared dirs: APP_PATH_APPSETTING_RW & APP_PATH_GROUP_RW + { + // Add app shared dir - APP_PATH_SETTINGS_RW + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, + APP_PATH_SETTINGS_RW); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. Loop index: " << i + << ". Result: " << result); + + // Add app shared dir - APP_PATH_GROUP_RW + result = perm_app_setup_path(APP_ID, TEST_NON_APP_DIR, + APP_PATH_GROUP_RW, APPID_SHARED_DIR); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. Loop index: " << i + << ". Result: " << result); + + // Get autogenerated App-Setting label + char *label; + result = smack_getlabel(TEST_APP_DIR, &label, + SMACK_LABEL_ACCESS ); + RUNNER_ASSERT_MSG(result == 0, + "Cannot get access label from App-Setting shared dir. Loop index: " + << i << ". Result: " << result); + shared_dir_auto_label = label; + free(label); + + // Verify that setting app has rwx permission to app dir + // and rx permissions to app + result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to App-Setting dir are granted. " + << APP_ID << " "<< shared_dir_auto_label << " rwxatl " + << "Loop index: " << i); + + result = smack_have_access(APP_TEST_SETTINGS_ASP1, shared_dir_auto_label.c_str(), "rwx"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to App-Setting dir are granted. " + << APP_TEST_SETTINGS_ASP1 << " " << shared_dir_auto_label << " rwx. " + << "Loop index: " << i); + + result = smack_have_access(APP_TEST_SETTINGS_ASP1, APP_ID, "rx"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to App-Setting dir are granted. " + << APP_TEST_SETTINGS_ASP1 << " " << APP_ID << " rx" + << "Loop index: " << i); + + // Verify that all permissions to public dir have been added + // correctly, also to other app + result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxatl"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to Group RW dir are granted. Loop index: " + << i); + + break; + } + } // END switch + + // check if api-features permissions are added properly + result = test_have_all_accesses( + (const std::vector< std::vector >) { + { APP_ID, TEST_OSP_FEATURE_APP_ID, "rxl" }, + { APP_ID, TEST_WGT_FEATURE_APP_ID, "rwxl" } } ); + RUNNER_ASSERT_MSG(result == 1, + "Not all permisions from api features added. Loop index: " + << i); + + // revoke permissions + result = perm_app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_revoke_permissions. Loop index: " << i + << ". Result: " << result); + + // check if api-features permissions are removed properly + result = test_have_any_accesses(rules_to_test_any_access2); + RUNNER_ASSERT_MSG(result == 0, + "Not all permisions revoked. Loop index: " << i); + + // remove labels from app folder + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_APP_DIR + << " . Loop index: " << i << ". Result: " << result); + // remove labels from shared folder + result = nftw(TEST_NON_APP_DIR, &nftw_remove_labels, + FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_NON_APP_DIR + << " . Loop index: " << i << ". Result: " << result); + + // uninstall app + result = perm_app_uninstall(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall. Loop index: " << i + << ". Result: " << result); + } // END Install app loop + + // Uninstall setting app and additional app + result = perm_app_uninstall(TEST_OSP_FEATURE_APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall. Result: " << result); + result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall. Result: " << result); + + // Remove api features + // TODO: Rewrite removing features + unlink(FILE_PATH_TEST_OSP_FEATURE); + unlink(FILE_PATH_TEST_WGT_FEATURE); + +} + +/** + * Test - Simulation of 10 installations and uninstallations of set of 10 applications. + * Installed applications will have various kind of permissions to each other + * from api-features and shared folders. + * + * APP_TEST_SETTINGS_ASP1 ("test-app-settings-asp1") - registered as setting app + * + * Permissions: + * test_APP0-4 - receive test_osp_feature_rule_set2 + * test_APP5-9 - receive test_wgt_feature_rule_set2 + * + * During this test there is one directory created for each app for each loop run, + * dir name syntax is: /tmp/_ + * + * test_APP0 & test_APP5 register their directories as APP_PATH_PRIVATE + * test_APP1, test_APP2 & test_APP6 register their directories as + * APP_PATH_GROUP_RW using the same label + * APPID_SHARED_DIR = "test_APP_ID_shared_dir" + * test_APP3, test_APP7 & test_APP8 register their directories as + * APP_PATH_PUBLIC_RO + * test_APP4 & test_APP9 register their directories as + * APP_PATH_SETTINGS_RW + */ +RUNNER_TEST(privilege_control23_app_installation2_10x10) +{ + int result; + const int app_count = 10; + std::string shared_dir3_auto_label; + std::string shared_dir7_auto_label; + std::string shared_dir8_auto_label; + std::string setting_dir4_auto_label; + std::string setting_dir9_auto_label; + char app_ids[app_count][strlen(APP_ID) + 3]; + char app_dirs[app_count][strlen(APP_ID) + 12]; + const char *test_osp_feature_rule_set2[] = { "~APP~ " APP_ID "6 r", + "~APP~ " APP_ID "7 rxl", + "~APP~ " APP_ID "8 rwxal", + "~APP~ " APP_ID "9 rwxatl", + NULL }; + const char *test_wgt_feature_rule_set2[] = { "~APP~ " APP_ID "1 r", + "~APP~ " APP_ID "2 rxl", + "~APP~ " APP_ID "3 rwxal", + "~APP~ " APP_ID "4 rwxatl", + NULL }; + + + // generate app ids: test_APP0, test_APP1, test_APP2 etc.: + for (int i = 0; i < app_count; ++i) + { + result = sprintf(app_ids[i], APP_ID "%d", i); + RUNNER_ASSERT_MSG(result > 0, "Cannot generate name for app nr: " << i); + } + + // Clear any previously created apps, files, labels and permissions + for (int i = 0; i < app_count; ++i) + { + result = perm_app_revoke_permissions(app_ids[i]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_revoke_permissions for app: " + << app_ids[i] << ". Result: " << result); + + result = perm_app_uninstall(app_ids[i]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall for app: " + << app_ids[i] << ". Result: " << result); + } + + // Install setting app and give it app-setting permissions + result = perm_app_revoke_permissions(APP_TEST_SETTINGS_ASP1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_revoke_permissions." + << " Result: " << result); + result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall." + << " Result: " << result); + result = perm_app_install(APP_TEST_SETTINGS_ASP1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_install." + << " Result: " << result); + result = perm_app_enable_permissions(APP_TEST_SETTINGS_ASP1, + APP_TYPE_OSP, PRIV_APPSETTING, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error enabling App-Setting permissions." + << " Result: " << result); + + // Register two valid api features + result = perm_add_api_feature(APP_TYPE_OSP, TEST_OSP_FEATURE, + test_osp_feature_rule_set2, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_add_api_feature. Cannot add TEST_OSP_FEATURE: " + << TEST_OSP_FEATURE << ". Result: " << result); + + result = perm_add_api_feature(APP_TYPE_WGT, TEST_WGT_FEATURE, + test_wgt_feature_rule_set2, NULL, 0); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_add_api_feature. Cannot add TEST_WGT_FEATURE: " + << TEST_WGT_FEATURE << ". Result: " << result); + + + // Install apps loop + for (int i = 0; i < 10; ++i) + { + // Install 10 apps + for (int j = 0; j < app_count; ++j) + { + result = perm_app_install(app_ids[j]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_install. App id: " + << app_ids[j] + << " Loop index: " << i + << ". Result: " << result); + + // Create 10 directories + result = sprintf(app_dirs[j],"/tmp/" APP_ID "%d_%d", j, i); + RUNNER_ASSERT_MSG(result > 0, + "Cannot generate directory name for app nr: " << j + << " Loop index: " << i); + result = mkdir(app_dirs[j], S_IRWXU | S_IRGRP | S_IXGRP); + RUNNER_ASSERT_MSG(result == 0 || errno == EEXIST, + "Cannot create directory: " << app_dirs[j]); + result = nftw(app_dirs[j], &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in: " << app_dirs[j] + << ". Result: " << result); + } + + // Give permissions from api-features + for (int j = 0; j < (app_count/2); ++j) + { + // add persistent api feature permissions + result = perm_app_enable_permissions(app_ids[j], APP_TYPE_OSP, + TEST_OSP_FEATURE_PRIVS, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_enable_permissions from OSP Feature. App id: " + << app_ids[j] << " Loop index: " << i << ". Result: " << result); + + result = perm_app_enable_permissions(app_ids[j+5], APP_TYPE_WGT, + TEST_WGT_FEATURE_PRIVS, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_enable_permissions from WGT Feature. App id: " + << app_ids[j+5] << " Loop index: " << i << ". Result: " << result); + } + + // Add app shared dirs - APP_PATH_PRIVATE (apps 0, 5) + result = perm_app_setup_path(app_ids[0], app_dirs[0], APP_PATH_PRIVATE); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[0] + << " Loop index: " << i << ". Result: " << result); + result = perm_app_setup_path(app_ids[5], app_dirs[5], APP_PATH_PRIVATE); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[5] + << " Loop index: " << i << ". Result: " << result); + + // Add app shared dir - APP_PATH_GROUP_RW (apps 1, 2, 6) + result = perm_app_setup_path(app_ids[1], app_dirs[1], + APP_PATH_GROUP_RW, APPID_SHARED_DIR); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[1] + << " Loop index: " << i << ". Result: " << result); + result = perm_app_setup_path(app_ids[2], app_dirs[2], + APP_PATH_GROUP_RW, APPID_SHARED_DIR); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[2] + << " Loop index: " << i << ". Result: " << result); + result = perm_app_setup_path(app_ids[6], app_dirs[6], + APP_PATH_GROUP_RW, APPID_SHARED_DIR); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[6] + << " Loop index: " << i << ". Result: " << result); + + // Add app shared dir - APP_PATH_PUBLIC_RO (apps 3, 7, 8) + result = perm_app_setup_path(app_ids[3], app_dirs[3], + APP_PATH_PUBLIC_RO); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[1] + << " Loop index: " << i << ". Result: " << result); + result = perm_app_setup_path(app_ids[7], app_dirs[7], + APP_PATH_PUBLIC_RO); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[7] + << " Loop index: " << i << ". Result: " << result); + result = perm_app_setup_path(app_ids[8], app_dirs[8], + APP_PATH_PUBLIC_RO); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[8] + << " Loop index: " << i << ". Result: " << result); + + // Add app shared dir - APP_PATH_SETTINGS_RW (apps ,4, 9) + result = perm_app_setup_path(app_ids[4], app_dirs[4], + APP_PATH_SETTINGS_RW); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[4] + << " Loop index: " << i << ". Result: " << result); + result = perm_app_setup_path(app_ids[9], app_dirs[9], + APP_PATH_SETTINGS_RW); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_setup_path. App id: " << app_ids[9] + << " Loop index: " << i << ". Result: " << result); + + // Verify that some previously installed app does not have + // any acces to app 0 and app 5 PRIVATE folders + for (int j = 0; j < app_count; ++j) + { + // Apps 1-9 should not have any access to app 0 + if (j != 0) + { + result = test_have_any_accesses( + FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[0]) + ); + RUNNER_ASSERT_MSG(result == 0, + "Other app (app id: " << app_ids[j] << + ") has access to private label of: " << app_ids[0] << + ". It may not be shared. Loop index: " << i << "."); + } + + // Apps 0-4 and 6-9 should not have any access to app 5 + if (j != 5) + { + result = test_have_any_accesses( + FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[5]) + ); + RUNNER_ASSERT_MSG(result == 0, + "Other app (app id: " << app_ids[j] << + ") has access to private label of: " << app_ids[5] << + ". It may not be shared. Loop index: " << i << "."); + } + } // End for Verify PRIVATE + + // Verify that apps 1, 2 and 6 have all accesses to GROUP_RW folders + result = test_have_all_accesses( + (const std::vector< std::vector >) { + { app_ids[1], APPID_SHARED_DIR, "rwxatl" }, + { app_ids[2], APPID_SHARED_DIR, "rwxatl" }, + { app_ids[6], APPID_SHARED_DIR, "rwxatl" } } ); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to Group RW dir are granted. Loop index: " + << i); + + // Get autogenerated Public_RO labels + char *label; + result = smack_getlabel(app_dirs[3], &label, + SMACK_LABEL_ACCESS ); + RUNNER_ASSERT_MSG(result == 0, + "Cannot get access label from Public RO shared dir: " << app_dirs[3] + << " . Loop index: " << i << ". Result: " << result); + shared_dir3_auto_label = label; + free(label); + + result = smack_getlabel(app_dirs[7], &label, + SMACK_LABEL_ACCESS ); + RUNNER_ASSERT_MSG(result == 0, + "Cannot get access label from Public RO shared dir: " << app_dirs[7] + << " . Loop index: " << i << ". Result: " << result); + shared_dir7_auto_label = label; + free(label); + + result = smack_getlabel(app_dirs[8], &label, + SMACK_LABEL_ACCESS ); + RUNNER_ASSERT_MSG(result == 0, + "Cannot get access label from Public RO shared dir: " << app_dirs[8] + << " . Loop index: " << i << ". Result: " << result); + shared_dir8_auto_label = label; + free(label); + + // Verify that all apps have ro permissions to public folders of apps 3, 7 and 8 + // Also apps 3, 7 and 8 should have all permisisons to their own PUBLIC_RO dirs + for (int j = 0; j < app_count; ++j) + { + if (j == 3) + { + result = test_have_all_accesses( + (const std::vector< std::vector >) { + { app_ids[j], shared_dir3_auto_label.c_str(), "rwxatl" } } ); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to owned Public RO dir are granted. App id: " + << app_ids[j] << " Loop index: " << i); + // Verify that there are no extra permissions to public dirs + result = test_have_any_accesses( + (const std::vector< std::vector >) { + { app_ids[j], shared_dir7_auto_label.c_str(), "w" }, + { app_ids[j], shared_dir7_auto_label.c_str(), "t" }, + { app_ids[j], shared_dir8_auto_label.c_str(), "w" }, + { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } ); + RUNNER_ASSERT_MSG(result == 0, + "Unexpected extra permissions added for app:" << app_ids[j] + << ". Loop index: " << i); + } + if (j == 7) + { + result = test_have_all_accesses( + (const std::vector< std::vector >) { + { app_ids[j], shared_dir7_auto_label.c_str(), "rwxatl" } } ); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to owned Public RO dir are granted. App id: " + << app_ids[j] << " Loop index: " << i); + // Verify that there are no extra permissions to public dirs + result = test_have_any_accesses( + (const std::vector< std::vector >) { + { app_ids[j], shared_dir3_auto_label.c_str(), "w" }, + { app_ids[j], shared_dir3_auto_label.c_str(), "t" }, + { app_ids[j], shared_dir8_auto_label.c_str(), "w" }, + { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } ); + RUNNER_ASSERT_MSG(result == 0, + "Unexpected extra permissions added for app:" << app_ids[j] + << ". Loop index: " << i); + } + if (j == 8) + { + result = test_have_all_accesses( + (const std::vector< std::vector >) { + { app_ids[j], shared_dir8_auto_label.c_str(), "rwxatl" } } ); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to owned Public RO dir are granted. App id: " + << app_ids[j] << " Loop index: " << i); + // Verify that there are no extra permissions to other public dirs + result = test_have_any_accesses( + (const std::vector< std::vector >) { + { app_ids[j], shared_dir3_auto_label.c_str(), "w" }, + { app_ids[j], shared_dir3_auto_label.c_str(), "t" }, + { app_ids[j], shared_dir7_auto_label.c_str(), "w" }, + { app_ids[j], shared_dir7_auto_label.c_str(), "t" } } ); + RUNNER_ASSERT_MSG(result == 0, + "Unexpected extra permissions added for app:" << app_ids[j] + << ". Loop index: " << i); + } + + result = test_have_all_accesses( + (const std::vector< std::vector >) { + { app_ids[j], shared_dir3_auto_label.c_str(), "rx" }, + { app_ids[j], shared_dir7_auto_label.c_str(), "rx" }, + { app_ids[j], shared_dir8_auto_label.c_str(), "rx" } } ); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to Public RO dirs are granted. App id: " + << app_ids[j] << ". Loop index: " << i); + } // End for Verify PUBLIC_RO + + // Get autogenerated SETTING_RW labels + result = smack_getlabel(app_dirs[4], &label, + SMACK_LABEL_ACCESS ); + RUNNER_ASSERT_MSG(result == 0, + "Cannot get access label from App-Setting shared dir: " + << app_dirs[4] << " . Loop index: " << i + << ". Result: " << result); + setting_dir4_auto_label = label; + free(label); + + result = smack_getlabel(app_dirs[9], &label, + SMACK_LABEL_ACCESS ); + RUNNER_ASSERT_MSG(result == 0, + "Cannot get access label from App-Setting shared dir: " + << app_dirs[9] << " . Loop index: " << i + << ". Result: " << result); + setting_dir9_auto_label = label; + free(label); + + // Verify that setting app has rwx permission to app-settings dirs and rx to apps + result = smack_have_access(app_ids[4], setting_dir4_auto_label.c_str(), "rwxatl"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to App-Setting dir are granted." + << app_ids[4] << " " << setting_dir4_auto_label + << " Loop index: " << i); + result = smack_have_access(app_ids[9], setting_dir9_auto_label.c_str(), "rwxatl"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to App-Setting dir are granted." + << app_ids[9] << " " << setting_dir9_auto_label + << " Loop index: " << i); + result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[4], "rx"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to App-Setting dir are granted." + << APP_TEST_SETTINGS_ASP1 << " " << app_ids[4] + << " Loop index: " << i); + result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[9], "rx"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to App-Setting dir are granted." + << APP_TEST_SETTINGS_ASP1 << " " << app_ids[9] + << " Loop index: " << i); + result = smack_have_access(APP_TEST_SETTINGS_ASP1, setting_dir4_auto_label.c_str(), "rwx"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to App-Setting dir are granted." + << APP_TEST_SETTINGS_ASP1 << " " << setting_dir4_auto_label + << " Loop index: " << i); + result = smack_have_access(APP_TEST_SETTINGS_ASP1, setting_dir9_auto_label.c_str(), "rwx"); + RUNNER_ASSERT_MSG(result == 1, + "Not all accesses to App-Setting dir are granted." + << APP_TEST_SETTINGS_ASP1 << " " << setting_dir9_auto_label + << " Loop index: " << i); + + + + // Check if api-features permissions are added properly + for (int j = 0; j < 5; ++j) + { + result = test_have_all_accesses( + (const std::vector< std::vector >) { + { app_ids[j], app_ids[6], "r" }, + { app_ids[j], app_ids[7], "rxl" }, + { app_ids[j], app_ids[8], "rwxal" }, + { app_ids[j], app_ids[9], "rwxatl" } } ); + RUNNER_ASSERT_MSG(result == 1, + "Not all permisions from api features added for app id: " + << app_ids[j] << ". Loop index: " << i); + } + + for (int j = 5; j < app_count; ++j) + { + result = test_have_all_accesses( + (const std::vector< std::vector >) { + { app_ids[j], app_ids[1], "r" }, + { app_ids[j], app_ids[2], "rxl" }, + { app_ids[j], app_ids[3], "rwxal" }, + { app_ids[j], app_ids[4], "rwxatl" } } ); + RUNNER_ASSERT_MSG(result == 1, + "Not all permisions from api features added for app id: " + << app_ids[j] << ". Loop index: " << i); + } + + // Revoke permissions + for (int j = 0; j < app_count; ++j) + { + result = perm_app_revoke_permissions(app_ids[j]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_revoke_permissions. App id: " + << app_ids[j] << " Loop index: " << i + << ". Result: " << result); + } + + // Check if permissions are removed properly + for (int j = 0; j < app_count; ++j) + { + // To all other apps + for (int k = 0; k < app_count; ++k) + if (j != k) + { + result = test_have_any_accesses( + FMT_VECTOR_TO_TEST_ANY_ACCESS(app_ids[j], app_ids[k]) + ); + RUNNER_ASSERT_MSG(result == 0, + "Not all permisions revoked. Subject: " << app_ids[j] + << " Object: " << app_ids[k] << " Loop index: " << i); + } + } + + // Remove labels from folders and uninstall all apps + for (int j = 0; j < app_count; ++j) + { + result = nftw(app_dirs[j], &nftw_remove_labels, + FTW_MAX_FDS, FTW_PHYS); // rm labels from app folder + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in: " + << app_dirs[j] << " . Loop index: " << i + << ". Result: " << result); + + result = perm_app_uninstall(app_ids[j]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall for app: " + << app_ids[j] << " . Loop index: " << i + << ". Result: " << result); + } + + // Remove created dirs + for (int j = 0; j < app_count; ++j) + { + result = rmdir(app_dirs[j]); + RUNNER_ASSERT_MSG(result == 0, + "Cannot remove directory: " << app_dirs[j]); + } + } // END Install app loop + + // Uninstall setting app + result = perm_app_uninstall(APP_TEST_SETTINGS_ASP1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_uninstall. Result: " << result); + +} -- 2.7.4