From e697be81a37bb03fce1d5dfe7dc5ee52e4ae2b77 Mon Sep 17 00:00:00 2001 From: Lukasz Kostyra Date: Wed, 7 Aug 2013 16:38:35 +0200 Subject: [PATCH] Add libprivilege-control tests for NOSMACK environment. [Issue#] SSDWSSP-417 [Feature] Add new libsprivilege-control tests that test libprivilege-control behaviour on NOSMACK environment. Remove stub test cases used to test macros for different testing environments. [Cause] When previous tests were launched on NOSMACK environment they returned false errors because the system behaved differently with SMACK turned off. [Solution] Creating new tests that would expect different behaviour from libprivilege-control. [Verification] After successful compilation launch libprivilege-control tests on NOSMACK env. Tests that previously failed and were turned off in one of my previous commits should appear with "_nosmack" ending in name. Change-Id: Ib15fcf5b6a7d60b55aef596c17475f170bfe4a1b --- tests/libprivilege-control-tests/test_cases.cpp | 1064 ++++++++++++++++++++++- 1 file changed, 1043 insertions(+), 21 deletions(-) diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp index e53a2a5..0d63ba1 100644 --- a/tests/libprivilege-control-tests/test_cases.cpp +++ b/tests/libprivilege-control-tests/test_cases.cpp @@ -318,6 +318,9 @@ const std::vector< std::vector > rules_osp_platform = { namespace { typedef std::unique_ptr > SmackUniquePtr; +void closefdptr(int* fd) { close(*fd); } +typedef std::unique_ptr > FDUniquePtr; + const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack"; const char *WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack"; const char *OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack"; @@ -2566,27 +2569,7 @@ RUNNER_TEST(privilege_control20_early_rules) RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found"); } -RUNNER_TEST_SMACK(privilege_control24a_test_whether_macro_works_smack) -{ - RUNNER_IGNORED_MSG("STUB: I should be called on SMACK environment only."); -} - -RUNNER_TEST_NOSMACK(privilege_control24b_test_whether_macro_works_nosmack) -{ - RUNNER_IGNORED_MSG("STUB: I should be called on NOSMACK environment only."); -} - -RUNNER_CHILD_TEST_SMACK(privilege_control24c_test_whether_macro_works_child_smack) -{ - //Until a fix for RUNNER_IGNORED_MSG comes up to wrt-commons, this must be commented out. - //RUNNER_IGNORED_MSG("STUB: I should be called on SMACK environment only."); -} -RUNNER_CHILD_TEST_NOSMACK(privilege_control24d_test_whether_macro_works_child_nosmack) -{ - //Until a fix for RUNNER_IGNORED_MSG comes up to wrt-commons, this must be commented out. - //RUNNER_IGNORED_MSG("STUB: I should be called on NOSMACK environment only."); -} ////////////////////////////////////////////////////// //TEST FOR INCORRECT PARAMS CHECK IN LIBPRIVILEGE APIS ////////////////////////////////////////////////////// @@ -2599,7 +2582,7 @@ RUNNER_TEST(privilege_control21a_incorrect_params_get_smack_label_from_process) RUNNER_ASSERT_MSG(get_smack_label_from_process(PID_INCORRECT, aquired_smack_label) == PC_ERR_INVALID_PARAM, "get_smack_label_from_process didn't check for correct pid."); } -RUNNER_TEST(privilege_control21b_incorrect_params_smack_pid_have_access) +RUNNER_TEST_SMACK(privilege_control21b_incorrect_params_smack_pid_have_access) { RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, "some_object", NULL) == -1, "smack_pid_have_access didn't check if access_type isn't NULL."); RUNNER_ASSERT_MSG(smack_pid_have_access(PID_CORRECT, NULL, "rw") == -1, "smack_pid_have_access didn't check if object isn't NULL."); @@ -2676,3 +2659,1042 @@ RUNNER_TEST(privilege_control21l_incorrect_params_ignored_disable_permissions) RUNNER_ASSERT_MSG(perm_app_disable_permissions(NULL, APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't NULL."); RUNNER_ASSERT_MSG(perm_app_disable_permissions("", APP_TYPE_OTHER, PRIVS2) == PC_ERR_INVALID_PARAM, "perm_app_disable_permissions didn't check if pkg_id isn't empty."); } + + +///////////////////////////////////////// +//////NOSMACK ENVIRONMENT TESTS////////// +///////////////////////////////////////// + +/** + * NOSMACK version of nftw_check_labels_app_shared_dir function. + * + * This function used with nftw should expect -1 result from smack_have_access instead of 1. + */ +int nftw_check_labels_app_shared_dir_nosmack(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW* /*ftwbuf*/) +{ + int result; + char* label; + + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); + RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set"); + + result = strcmp(APPID_SHARED_DIR, label); + RUNNER_ASSERT_MSG(result == 0, + "ACCESS label on " << fpath << " is incorrect. Result: " << result); + + //The only exception in nftw_check_labels_app_shared_dir + //smack_have_access returns -1 because of no SMACK. + result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set"); + + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); + if (S_ISDIR(sb->st_mode)) { + RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set"); + result = strcmp("TRUE", label); + RUNNER_ASSERT_MSG(result == 0, + "TRANSMUTE label on " << fpath << " is not set. Result: " << result); + } else + RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set"); + + return 0; +} + +/** + * NOSMACK version of privilege_control03 test. + * + * Uses nosmack version of nftw_check_labels_app_shared_dir (defined above). + */ +RUNNER_TEST_NOSMACK(privilege_control03_app_label_shared_dir_nosmack) +{ + int result; + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID); + RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS, + "perm_app_setup_path should fail here. Result: " << result); + + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Unable to clean up Smack labels in " << TEST_APP_DIR); + + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Unable to clean up Smack labels in " << TEST_NON_APP_DIR); + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "perm_app_setup_path() failed. Result: " << result); + + result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir_nosmack, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Unable to check Smack labels for shared app dir"); + + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Unable to check Smack labels for non-app dir"); +} + +/** + * NOSMACK version of test_have_accesses functions. + * + * This will be used in many tests. Checks if for every rule smack_have_access returns error. + * If for any of rules smack_have_access will return something different than error, this result + * is being returned to caller. + */ +int test_have_nosmack_accesses(const std::vector< std::vector > &rules) +{ + int result; + for (uint i = 0; i < rules.size(); ++i) { + result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str()); + if (result != -1) + return result; + } + return -1; +} + +/** + * NOSMACK version of privilege_control04 test. + * + * Tries to add permisions from test_privilege_control_rules template and checks if + * smack_have_access returns -1 on check between every rule. + */ +RUNNER_TEST_NOSMACK(privilege_control04_add_permissions_nosmack) +{ + //Add permissions + auto result = app_add_permissions(APP_ID, PRIVS); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error adding app permissions. Result: " << result); + + //Check if smack_have_access always fails on every rule + result = test_have_nosmack_accesses(rules); + RUNNER_ASSERT_MSG(result == -1, + "Despite SMACK being off some accesses were added. Result: " << result); + + //Does file exist? + std::fstream fs(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary); + RUNNER_ASSERT_MSG(fs.good(), "SMACK file NOT created!. Errno: " << strerror(errno)); + + fs.seekg(0, std::ifstream::end); + RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty, but privileges list was not empty."); +} + +/** + * NOSMACK version of privilege_control05_add_shared_dir_readers test. + * + * This test is very similar to it's SMACK version - only difference is different result expected + * from smack_have_access. + */ +RUNNER_TEST_NOSMACK(privilege_control05_add_shared_dir_readers_nosmack) +{ +#define TEST_OBJ "TEST_OBJECT" +#define TEST_OBJ_SOME_OTHER "TEST_OBJA" +#define test_string_01 "TEST_raz TEST_OBJECT r-x--- ------" +#define test_string_21 "TEST_trzy TEST_OBJA -wx---" +#define test_string_22 "TEST_trzy TEST_OBJECT r-x--- ------" + + int result; + int i; + int fd = -1; + char* path_ref; + + const char* app_labels_wrong[] = {"-TEST_raz", NULL}; + const char* app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL}; + const int READ_BUF_SIZE = 1000; + char buf[READ_BUF_SIZE]; + smack_accesses* tmp = NULL; + + //test environment cleaning + cleaning_smack_app_files(); + cleaning_smack_database_files(); + + //test what happens when the label is not correct SMACK label + result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong); + RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, + "add_shared_dir_readers should fail here. Result: " << result); + + result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx"); + RUNNER_ASSERT_MSG(result != 1, + "add_shared_dir_readers should not grant permission here. Result: " << result); + + //install new apps + result = smack_accesses_new(&tmp); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in smack_accesses_new. Result: " << result); + + //Wrap rules and fd into unique_ptrs for garbage collection + SmackUniquePtr rules(tmp, smack_accesses_free); + FDUniquePtr fd_ptr(&fd, closefdptr); + + std::stringstream path; + for (i = 0; i < 3; i++) { + result = perm_app_revoke_permissions(app_labels[i]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_revoke_permissions. Result: " << result); + result = perm_app_uninstall(app_labels[i]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_install. Result: " << result); + result = perm_app_install(app_labels[i]); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_install. Result: " << result); + + path << SMACK_RULES_DIR << app_labels[i]; + + fd = open(path.str().c_str(), O_WRONLY, 0644); + RUNNER_ASSERT_MSG(fd != -1, "Error in opening file"); + + if (i == 1) { + result = smack_accesses_add(rules.get(), app_labels[i], TEST_OBJ, "wt"); + RUNNER_ASSERT_MSG(result == 0, + "smack_accesses_add failed. Result: " << result); + } + + if (i == 2) { + result = smack_accesses_new(&tmp); + RUNNER_ASSERT_MSG(result == 0, + "Failed to allocate memory for rules."); + + rules.reset(tmp); + + result = smack_accesses_add(rules.get(), app_labels[i], + TEST_OBJ_SOME_OTHER, "wx"); + RUNNER_ASSERT_MSG(result == 0, + "smack_accesses_add failed. Result: " << result); + } + + result = smack_accesses_apply(rules.get()); + RUNNER_ASSERT_MSG(result == -1, + "smack_accesses_apply should fail (SMACK is off). Result: " << result); + + result = smack_accesses_save(rules.get(), fd); + RUNNER_ASSERT_MSG(result == 0, + "smack_accesses_save failed. Result: " << result); + + //cleanup + path.str(std::string()); + } + + //Use add_shared_dir_readers and check if smack_have_access still fails + result = add_shared_dir_readers(TEST_OBJ,app_labels); + RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed. Result: " << result); + + result = smack_have_access(app_labels[0],TEST_OBJ,"rx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_have_access(app_labels[1],TEST_OBJ,"rx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_have_access(app_labels[2],TEST_OBJ,"rx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + //Test if files are properly formatted + path << SMACK_RULES_DIR << app_labels[0]; + RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno)); + + std::fstream fs(path.str().c_str(), std::ios_base::in); + RUNNER_ASSERT_MSG(fs.good(), "Opening file stream failed. Error: " << strerror(errno)); + + fs.get(buf, READ_BUF_SIZE); + result = strcmp(buf, test_string_01); + RUNNER_ASSERT_MSG(result == 0, + "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() << + ". Result: " << result); + + //Clean up before another test + path.str(std::string()); + fs.close(); + + path << SMACK_RULES_DIR << app_labels[2]; + RUNNER_ASSERT_MSG(path.good(), "Failed to create file path. Error: " << strerror(errno)); + + fs.open(path.str().c_str(), std::ios_base::in); + RUNNER_ASSERT_MSG(fs.good(), "fopen failed, errno:" << strerror(errno)); + + fs.getline(buf, READ_BUF_SIZE); + result = strcmp(buf, test_string_21); + RUNNER_ASSERT_MSG( result == 0, + "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() + << ". Result: " << result); + + fs.getline(buf, READ_BUF_SIZE); + result = strcmp(buf, test_string_22); + RUNNER_ASSERT_MSG( result == 0, + "add_shared_dir_readers ERROR, file not formatted " << path.str().c_str() + << ". Result: " << result); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege test. + * + * Another very similar test to it's SMACK version, this time smack_new_label_from_self is + * expected to return different result. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack) +{ + int result; + + //Preset exec label + smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC); + smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC); + + //Set app privileges + result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + //Check if DAC privileges really set + RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID"); + RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID"); + + result = strcmp(getenv("HOME"), APP_HOME_DIR); + RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR. Result: " << result); + + result = strcmp(getenv("USER"), APP_USER_NAME); + RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME. Result: " << result); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_wgt test. + * + * Same as the above, plus uses test_have_nosmack_accesses instead of test_have_all_accesses. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_nosmack) +{ + int result; + + result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_wgt); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_wgt_partner test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_partner_nosmack) +{ + int result; + + result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_wgt_partner); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_wgt_platform test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_wgt_platform_nosmack) +{ + int result; + + result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_wgt_platform); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_osp test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_nosmack) +{ + int result; + + result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_osp); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_osp_partner test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_partner_nosmack) +{ + int result; + + result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_osp_partner); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added."); + + result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); +} + +/** + * NOSMACK version of privilege_control05_set_app_privilege_osp_platform test. + * + * Same as the above. + */ +RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_osp_platform_nosmack) +{ + int result; + + result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error enabling app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules_osp_platform); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error in perm_app_set_privilege. Result: " << result); + + //Even though app privileges are set, no smack label should be extracted. + char* label = NULL; + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result == -1, + "new_label_from_self should return error (SMACK is off). Result: " << result); + RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory for label."); + + check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP); +} + +/** + * NOSMACK version of checkOnlyAvAccess function. + * + * Expects error instead of access granted/forbidden from smack_have_access. + */ +void checkOnlyAvAccessNosmack(const char *av_id, const char *app_id, const char *comment) +{ + int result; + result = smack_have_access(av_id, app_id, "rwx"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + result = smack_have_access(av_id, app_id, "a"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + result = smack_have_access(av_id, app_id, "t"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); +} + +/* + * NOSMACK version of privilege_control10_app_register_av test. + * + * Uses NOSMACK version of checkOnlyAvAccess (mentioned above), rest of the test is identical to + * it's SMACK version. + */ +RUNNER_TEST_NOSMACK(privilege_control10_app_register_av_nosmack) +{ + int result; + + // cleaning + smack_revoke_subject(APP_TEST_AV_1); + smack_revoke_subject(APP_TEST_AV_2); + + cleaning_smack_app_files(); + cleaning_smack_database_files(); + + // Adding two apps before antivir + result = perm_app_install(APP_TEST_APP_1); + RUNNER_ASSERT_MSG(result == 0, + "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + result = perm_app_install(APP_TEST_APP_2); + RUNNER_ASSERT_MSG(result == 0, + "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + // Adding antivir + result = app_register_av(APP_TEST_AV_1); + RUNNER_ASSERT_MSG(result == 0, + "app_register_av returned " << result << ". Errno: " << strerror(errno)); + + // Checking added apps accesses + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)"); + + // Adding third app + result = perm_app_install(APP_TEST_APP_3); + RUNNER_ASSERT_MSG(result == 0, + "perm_app_install returned " << result << ". Errno: " << strerror(errno)); + + // Checking app accesses + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)"); + + // Adding second antivir + result = app_register_av(APP_TEST_AV_2); + RUNNER_ASSERT_MSG(result == 0, + "app_register_av returned " << result << ". Errno: " << strerror(errno)); + + // Checking app accesses + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)"); + checkOnlyAvAccessNosmack(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)"); + + // cleaning + smack_revoke_subject(APP_TEST_AV_1); + smack_revoke_subject(APP_TEST_AV_2); + + cleaning_smack_app_files(); + cleaning_smack_database_files(); +} + +/** + * NOSMACK version of privilege_control11_app_enable_permissions test. + * + * Since the original test did the same thing around five times, there is no need to redo the + * same test for perm_app_enable_permissions. perm_app_enable_permissions will be called once, + * test_have_nosmack_accesses will check if smack_have_access still returns error and then + * we will check if SMACK file was correctly created. + */ +RUNNER_TEST_NOSMACK(privilege_control11_app_enable_permissions_nosmack) +{ + int result; + int smack_file_length; + std::fstream fs; + + result = perm_app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error enabling app permissions. Result: " << result); + + //Check if accesses aren't added + result = test_have_nosmack_accesses(rules2); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be added. Result: " << result); + + //File exists? + fs.open(SMACK_RULES_DIR APP_ID, std::ios_base::in | std::ios_base::binary); + RUNNER_ASSERT_MSG(fs.good(), "Couldn't open SMACK file."); + + //Is it empty? + fs.seekg(0, std::ifstream::end); + RUNNER_ASSERT_MSG(fs.tellg() > 0, "SMACK file empty with persistant mode 1."); + + //Clean up + result = perm_app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); +} + +/** + * NOSMACK version of privilege_control13 test. + * + * Uses perm_app_reset_permissions and checks with test_have_nosmack_accesses if nothing has + * changed. + */ +RUNNER_TEST_NOSMACK(privilege_control13_app_reset_permissions_nosmack) +{ + int result; + + // Prepare permissions to reset + result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + " Error adding app permissions. Result: " << result); + + // Reset permissions + result = perm_app_reset_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error reseting app permissions. Result: " << result); + + result = test_have_nosmack_accesses(rules2); + RUNNER_ASSERT_MSG(result == -1, "Permissions shouldn't be changed. Result: " << result); + + // Disable permissions + result = perm_app_revoke_permissions(APP_ID); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error disabling app permissions. Result: " << result); +} + +/** + * NOSMACK version of privilege_control14 test. + * + * Similarily as app_enable_permissions test. This time perm_app_add_friend is called twice, once + * when both friends exist, and then when one of them doesn't exist. Other tests are not required - + * results would be the same as earlier. + */ +RUNNER_TEST_NOSMACK(privilege_control14_app_add_friend_nosmack) +{ + int result; + + result = perm_app_revoke_permissions(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); + + //Regular test. + + //Installing friends to be + result = perm_app_install(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error installing first app. Result: " << result); + result = perm_app_install(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error installing second app. Result: " << result); + + //Making friends + result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error during friend making. Result: " << result); + + //Same as previous tests, smack_have_access should error. + result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + //Clean up + result = perm_app_revoke_permissions(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); + + + //Befriending with imaginary friend. + + //Installing one friend + result = perm_app_install(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error installing first app. Result: " << result); + + //Adding imaginairy friend as second + result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error making friends (first) with imaginairy friend failed. Result: " << result); + //Adding imaginairy friend as first + result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error making friends (second) with imaginairy friend failed. Result: " << result); + + //Same as previous tests, smack_have_access should error. + result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "rwxat"); + RUNNER_ASSERT_MSG(result == -1, + "smack_have_access should return error (SMACK is off). Result: " << result); + + //Clean up + result = perm_app_revoke_permissions(APP_FRIEND_1); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + result = perm_app_revoke_permissions(APP_FRIEND_2); + RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, + "Error revoking app permissions. Result: " << result); + + perm_app_uninstall(APP_FRIEND_1); + perm_app_uninstall(APP_FRIEND_2); +} + +/** + * NOSMACK version of privilege_control15_app_id_from_socket. + * + * SMACK version of this test case utilised smack_new_label_from_self and smack_set_label_for_self. + * Those functions rely on /proc/self/attr/current file, which is unreadable and has no contents on + * NOSMACK environment. Functions mentioned above were tested during libsmack tests, so they are + * assumed to react correctly and are not tested in this test case. + * + * This test works similarily to libsmack test smack09_new_label_from_socket. At first server and + * client are created then sockets are set up and perm_app_id_from_socket is used. On NOSMACK env + * correct behaviour for perm_app_id_from_socket would be returning NULL label. + */ +RUNNER_TEST_NOSMACK(privilege_control15_app_id_from_socket_nosmack) +{ + int pid; + struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH}; + + //Clean up before creating socket + unlink(SOCK_PATH); + + //Create our server and client with fork + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "Fork failed"); + + if (!pid) { //child (server) + int sock, result, fd; + + //Create a socket + sock = socket(AF_UNIX, SOCK_STREAM, 0); + RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno)); + + //Bind socket to address + result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); + if (result != 0) { + close(sock); + RUNNER_ASSERT_MSG(false, "bind failed: " << strerror(errno)); + } + + //Prepare for listening + result = listen(sock, 1); + if (result != 0) { + close(sock); + RUNNER_ASSERT_MSG(false, "listen failed: " << strerror(errno)); + } + + //Accept connection + alarm(2); + fd = accept(sock, NULL, NULL); + alarm(0); + RUNNER_ASSERT_MSG(fd >= 0, "accept failed: " << strerror(errno)); + + //Wait a little bit for client to use perm_app_id_from_socket + usleep(200); + + //cleanup + close(sock); + exit(0); + } else { //parent (client) + // Give server some time to setup listening socket + sleep(1); + int sock, result; + char* smack_label = NULL; + + //Create socket + sock = socket(AF_UNIX, SOCK_STREAM, 0); + RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno)); + + //Try connecting to address + result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); + if (result != 0) { + close(sock); + RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno)); + } + + //Use perm_app_id_from_socket. Should fail and return NULL smack_label. + smack_label = perm_app_id_from_socket(sock); + if (smack_label != NULL) { + close(sock); + RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket should fail."); + } + + //cleanup + close(sock); + waitpid(pid, NULL, 0); + } +} + +/** + * Next three functions are defined only because of NOSMACK environment. + * + * Inside check_labels_dir_nosmack, smack_have_access should expect error, not access granted. + */ +int check_labels_dir_nosmack(const char *fpath, const struct stat *sb, + const char *labels_db_path, const char *dir_db_path, + const char *access) +{ + int result; + char* label; + char* label_gen; + char label_temp[SMACK_LABEL_LEN + 1]; + std::fstream fs_db; + + /* ACCESS */ + result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path. Result: " << result); + RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set"); + + /* EXEC */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); + if (result != 0) { + free(label_gen); + RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result); + } + if (label != NULL) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set."); + } + + /* TRANSMUTE */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); + if (result != 0) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "Could not get label for the path. Result: " << result); + } + if (S_ISDIR(sb->st_mode)) { + if (label == NULL) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set"); + } + result = strcmp("TRUE", label); + if (result != 0) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, + "TRANSMUTE label on " << fpath << " is not set to TRUE Result: " << result); + } + } else if (label != NULL) { + free(label_gen); + free(label); + RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set"); + } + + free(label); + + fs_db.open(labels_db_path, std::ios_base::in); + if (!(fs_db.good())) { + free(label_gen); + RUNNER_ASSERT_MSG(false, "Can not open database for apps"); + } + + while(!fs_db.eof()) { + fs_db.getline(label_temp, 255); + result = smack_have_access(label_temp, label_gen, access); + if (result != -1) { //expect error, not access granted + free(label_gen); + RUNNER_ASSERT_MSG(false, "smack_have_access should fail. Result: " << result); + } + } + + fs_db.close(); + + fs_db.open(dir_db_path, std::ios_base::in); + if (!fs_db.good()) { + free(label_gen); + RUNNER_ASSERT_MSG(false, "Can not open database for dirs"); + } + + bool is_dir = false; + while(!fs_db.eof()) { + fs_db.getline(label_temp, 255); + if (strcmp(label_gen, label_temp) == 0) { + is_dir = true; + break; + } + } + + free(label_gen); + + RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db."); + + return 0; +} + +int nftw_check_labels_app_public_dir_nosmack(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW* /*ftwbuf*/) +{ + return check_labels_dir_nosmack(fpath, sb, + SMACK_APPS_LABELS_DATABASE, + SMACK_PUBLIC_DIRS_DATABASE, "rx"); +} + +int nftw_check_labels_app_settings_dir_nosmack(const char *fpath, const struct stat *sb, + int /*typeflag*/, struct FTW* /*ftwbuf*/) +{ + return check_labels_dir_nosmack(fpath, sb, + SMACK_APPS_SETTINGS_LABELS_DATABASE, + SMACK_SETTINGS_DIRS_DATABASE, "rwx"); +} + +/** + * NOSMACK version of privilege_control18 test. + * + * Uses NOSMACK version of nftw_check_labels_app_public_dir. + */ +RUNNER_TEST_NOSMACK(privilege_control18_app_setup_path_public_nosmack) +{ + int result; + + cleaning_smack_database_files(); + add_lables_to_db(); + + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result); + + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result); + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO); + RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result); + + result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir_nosmack, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to check Smack labels for shared app dir. Result: " << result); + + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to check Smack labels for non-app dir. Result: " << result); + + cleaning_smack_database_files(); +} + +/** + * NOSMACK version of privilege_control19 test. + * + * Uses NOSMACK version of nftw_check_labels_app_settings_dir. + */ +RUNNER_TEST_NOSMACK(privilege_control19_app_setup_path_settings_nosmack) +{ + int result; + + cleaning_smack_database_files(); + add_lables_to_db(); + + result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_APP_DIR << ". Result: " << result); + + result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to clean up Smack labels in " << TEST_NON_APP_DIR << ". Result: " << result); + + result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW); + RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed. Result: " << result); + + result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir_nosmack, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to check Smack labels for shared app dir. Result: " << result); + + result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, + "Unable to check Smack labels for non-app dir. Result: " << result); + + cleaning_smack_database_files(); +} + +/** + * NOSMACK version of privielge_control21b test. + * + * Instead of error caused by incorrect params expect access granted, becuase SMACK is off. + */ +RUNNER_TEST_NOSMACK(privilege_control21b_incorrect_params_smack_pid_have_access_nosmack) +{ + int result = smack_pid_have_access(PID_CORRECT, "some_object", NULL); + RUNNER_ASSERT_MSG(result == 1, + "smack_pid_have_access should return access granted. Result: " << result); + + result = smack_pid_have_access(PID_CORRECT, NULL, "rw"); + RUNNER_ASSERT_MSG(result == 1, + "smack_pid_have_access should return access granted. Result: " << result); + + result = smack_pid_have_access(PID_CORRECT, NULL, "rw"); + RUNNER_ASSERT_MSG(result == 1, + "smack_pid_have_access should return access granted. Result: " << result); + + result = smack_pid_have_access(PID_INCORRECT, "some_object", "rw"); + RUNNER_ASSERT_MSG(result == 1, + "smack_pid_have_access should return access granted. Result: " << result); +} -- 2.7.4