From 7acca19616508ceec46b2646e76c04e55263490b Mon Sep 17 00:00:00 2001 From: Alicja Kluczek Date: Thu, 4 Jul 2019 12:57:32 +0200 Subject: [PATCH] Add SM test covering hybridity upgrade Add functionality checking if there aren't any rules related to app in Smack rules file (both for hybrid and non-hybrid package). Apply above functionality every time when checking if whole package has been uninstalled properly. Add a test checking if Smack rules were properly deleted after uninstall. Change-Id: Ia638f478dc007a4ef42fe32e01a282dd960d50d7 --- src/security-manager-tests/common/sm_commons.cpp | 55 +++++++++++++++++++++--- src/security-manager-tests/common/sm_commons.h | 6 +-- src/security-manager-tests/test_cases.cpp | 31 ++++++++++++- 3 files changed, 80 insertions(+), 12 deletions(-) diff --git a/src/security-manager-tests/common/sm_commons.cpp b/src/security-manager-tests/common/sm_commons.cpp index f70a825..e777272 100644 --- a/src/security-manager-tests/common/sm_commons.cpp +++ b/src/security-manager-tests/common/sm_commons.cpp @@ -54,6 +54,7 @@ using namespace SecurityManagerTest; #define CONF_DIR "/usr/share/security-manager/policy/" +#define SMACK_RULES_PATH "/sys/fs/smackfs/load2" // Common DB/nftw checks @@ -221,8 +222,41 @@ static void check_app_smack_accesses(const std::string &appId, const std::string } } +static void assert_no_label_in_rule(const AccessRequest &rule, const std::string &label) +{ + RUNNER_ASSERT_MSG(rule.object != label && rule.subject != label, + "Smack rule left after uninstallation process." << + " Subject: " << rule.subject << + " object: " << rule.object << + " access: " << rule.access); +} + +static void check_pkg_smack_rules_after_uninstall(const std::string &appId, const std::string &pkgId) +{ + const std::vector rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH))); + const std::string labels[] = {generatePathRWLabel(pkgId), + generatePathROLabel(pkgId), + generatePathSharedROLabel(pkgId), + generateProcessLabel(appId, pkgId, true), + generateProcessLabel(appId, pkgId)}; + for (const auto &rule : rules) { + for (const auto &label : labels) { + assert_no_label_in_rule(rule, label); + } + } +} + +static void check_hybrid_app_smack_rules_after_uninstall(const std::string &appId, const std::string &pkgId) +{ + const std::vector rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH))); + const std::string appLabel = generateProcessLabel(appId, pkgId, true); + for (const auto &rule : rules) { + assert_no_label_in_rule(rule, appLabel); + } +} + static void check_app(const std::string &appId, const std::string &pkgId, - bool shouldBeInstalled, bool isHybrid) + bool shouldBeInstalled, bool isHybrid, bool removePkg) { char *retPkgId; int ret = security_manager_get_app_pkgid(&retPkgId, appId.c_str()); @@ -238,12 +272,18 @@ static void check_app(const std::string &appId, const std::string &pkgId, check_app_smack_accesses(appId, pkgId, isHybrid); } else { RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "The given appId is installed."); + + if (removePkg) { + check_pkg_smack_rules_after_uninstall(appId, pkgId); + } else if (isHybrid) { + check_hybrid_app_smack_rules_after_uninstall(appId, pkgId); + } } } void check_app_after_install(const std::string &app_id, const std::string &pkg_id, bool isHybrid) { - check_app(app_id, pkg_id, true, isHybrid); + check_app(app_id, pkg_id, true, isHybrid, false); } static void check_app_gids(const std::string &app_id, const std::vector &allowed_gids) @@ -281,7 +321,7 @@ void check_app_after_install(const std::string &app_id, const std::string &pkg_i const privileges_t &denied_privs, bool isHybrid) { - check_app(app_id, pkg_id, true, isHybrid); + check_app(app_id, pkg_id, true, isHybrid, false); /* Privileges should be granted to all users if root installs app */ check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs, isHybrid); @@ -312,15 +352,16 @@ void check_path(const std::string &path, const std::string &label, bool transmut } void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id, - bool isHybrid) + bool isHybrid, bool removePkg) { - check_app(app_id, pkg_id, false, isHybrid); + check_app(app_id, pkg_id, false, isHybrid, removePkg); } void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id, - const privileges_t &privileges, bool isHybrid) + const privileges_t &privileges, bool isHybrid, + bool removePkg) { - check_app(app_id, pkg_id, false, isHybrid); + check_app(app_id, pkg_id, false, isHybrid, removePkg); /* Privileges should not be granted anymore to any user */ check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, {}, privileges, isHybrid); diff --git a/src/security-manager-tests/common/sm_commons.h b/src/security-manager-tests/common/sm_commons.h index 8cd7538..3160e10 100644 --- a/src/security-manager-tests/common/sm_commons.h +++ b/src/security-manager-tests/common/sm_commons.h @@ -54,10 +54,10 @@ void check_app_after_install(const std::string &app_id, const std::string &pkg_i void check_path(const std::string &path, const std::string &label, bool transmute = true, bool execute = false); void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id, - bool isHybrid = false); + bool isHybrid = false, bool removePkg = false); void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id, - const privileges_t &privileges, bool isHybrid = false); - + const privileges_t &privileges, bool isHybrid = false, + bool removePkg = false); std::string access_opposite(std::string &access); void check_exact_smack_accesses(const std::string &subject, const std::string &object, diff --git a/src/security-manager-tests/test_cases.cpp b/src/security-manager-tests/test_cases.cpp index 3195de3..fcd798e 100644 --- a/src/security-manager-tests/test_cases.cpp +++ b/src/security-manager-tests/test_cases.cpp @@ -565,11 +565,38 @@ RUNNER_TEST(security_manager_09c_update_many_apps_in_single_request_hybrid_packa check_app_after_install(appIds[1], pkgId, true); // Package became hybrid properly, // so app not included in updated version of package was uninstalled. - check_app_after_uninstall(appIds[2], pkgId, false); + check_app_after_uninstall(appIds[2], pkgId); } for (const auto &appId : appIds) { - check_app_after_uninstall(appId, pkgId, true); + check_app_after_uninstall(appId, pkgId, true, true); + } +} + +RUNNER_TEST(security_manager_09d_uninstall_app_from_hybrid_package) +{ + const std::vector appIds = {"sm_test_09d_app_id_0", "sm_test_09d_app_id_1", "sm_test_09d_app_id_2"}; + const std::string pkgId = "sm_test_09d_pkg_id_0"; + { + ScopedInstaller appsInstall(appIds, pkgId); + + InstallRequest updateRequest; + updateRequest.setPkgId(pkgId); + for (unsigned int i = 0; i < appIds.size(); i++) { + if (i > 0) { + updateRequest.nextApp(); + } + updateRequest.setAppId(appIds[i]); + } + updateRequest.setHybrid(); + Api::update(updateRequest); + + InstallRequest uninstRequest; + uninstRequest.setPkgId(pkgId); + uninstRequest.setAppId(appIds[0]); + Api::uninstall(uninstRequest); + + check_app_after_uninstall(appIds[0], pkgId, true); } } -- 2.7.4