From d99e3fec86832fa71267b67e2eb9ab8b88da0d43 Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Thu, 5 Jun 2014 15:00:42 +0200 Subject: [PATCH] Add tests for security manager's installer service Add more specific tests for security manager's security_manager_app_inst_req_add_path: Tests for SM_PUBLIC_PATH and SM_PUBLIC_RO_PATH added. Change-Id: I505fca28ef992676f967fa6cf29bc2d6343388c1 Signed-off-by: Jan Cybulski --- packaging/security-tests.spec | 2 + tests/security-manager-tests/CMakeLists.txt | 5 + .../security_manager_tests.cpp | 111 +++++++++++++++++++-- .../test_DIR/app_dir/.level_1/.level_2/exec | 0 .../test_DIR/app_dir/.level_1/.level_2/normal | 0 .../test_DIR/app_dir/.level_1/exec | 0 .../test_DIR/app_dir/.level_1/level_2/exec | 0 .../test_DIR/app_dir/.level_1/level_2/normal | 0 .../test_DIR/app_dir/.level_1/link_to_non_app_exec | 1 + .../app_dir/.level_1/link_to_non_app_normal | 1 + .../test_DIR/app_dir/.level_1/normal | 0 tests/security-manager-tests/test_DIR/app_dir/exec | 0 .../test_DIR/app_dir/level_1/.level_2/exec | 0 .../test_DIR/app_dir/level_1/.level_2/normal | 0 .../test_DIR/app_dir/level_1/exec | 0 .../test_DIR/app_dir/level_1/level_2/exec | 0 .../test_DIR/app_dir/level_1/level_2/link_to_exec | 1 + .../app_dir/level_1/level_2/link_to_non_exec | 1 + .../test_DIR/app_dir/level_1/level_2/normal | 0 .../test_DIR/app_dir/level_1/link_to_exec | 1 + .../test_DIR/app_dir/level_1/link_to_non_exec | 1 + .../test_DIR/app_dir/level_1/normal | 0 .../test_DIR/app_dir/link_to_exec | 1 + .../test_DIR/app_dir/link_to_non_app_dir | 1 + .../test_DIR/app_dir/link_to_non_app_exec | 1 + .../test_DIR/app_dir/link_to_non_app_normal | 1 + .../test_DIR/app_dir/link_to_non_exec | 1 + .../security-manager-tests/test_DIR/app_dir/normal | 0 .../test_DIR/app_dir_public/.level_1/.level_2/exec | 0 .../app_dir_public/.level_1/.level_2/normal | 0 .../test_DIR/app_dir_public/.level_1/exec | 0 .../test_DIR/app_dir_public/.level_1/level_2/exec | 0 .../app_dir_public/.level_1/level_2/normal | 0 .../test_DIR/app_dir_public/.level_1/normal | 0 .../test_DIR/app_dir_public/exec | 0 .../test_DIR/app_dir_public/level_1/.level_2/exec | 0 .../app_dir_public/level_1/.level_2/normal | 0 .../test_DIR/app_dir_public/level_1/exec | 0 .../test_DIR/app_dir_public/level_1/level_2/exec | 0 .../app_dir_public/level_1/level_2/link_to_exec | 1 + .../level_1/level_2/link_to_non_exec | 1 + .../test_DIR/app_dir_public/level_1/level_2/normal | 0 .../test_DIR/app_dir_public/level_1/link_to_exec | 1 + .../app_dir_public/level_1/link_to_non_exec | 1 + .../test_DIR/app_dir_public/level_1/normal | 0 .../test_DIR/app_dir_public/link_to_exec | 1 + .../test_DIR/app_dir_public/link_to_non_app_dir | 1 + .../test_DIR/app_dir_public/link_to_non_app_exec | 1 + .../test_DIR/app_dir_public/link_to_non_app_normal | 1 + .../test_DIR/app_dir_public/link_to_non_exec | 1 + .../test_DIR/app_dir_public/normal | 0 .../app_dir_public_ro/.level_1/.level_2/exec | 0 .../app_dir_public_ro/.level_1/.level_2/normal | 0 .../test_DIR/app_dir_public_ro/.level_1/exec | 0 .../app_dir_public_ro/.level_1/level_2/exec | 0 .../app_dir_public_ro/.level_1/level_2/normal | 0 .../test_DIR/app_dir_public_ro/.level_1/normal | 0 .../test_DIR/app_dir_public_ro/exec | 0 .../app_dir_public_ro/level_1/.level_2/exec | 0 .../app_dir_public_ro/level_1/.level_2/normal | 0 .../test_DIR/app_dir_public_ro/level_1/exec | 0 .../app_dir_public_ro/level_1/level_2/exec | 0 .../app_dir_public_ro/level_1/level_2/link_to_exec | 1 + .../level_1/level_2/link_to_non_exec | 1 + .../app_dir_public_ro/level_1/level_2/normal | 0 .../app_dir_public_ro/level_1/link_to_exec | 1 + .../app_dir_public_ro/level_1/link_to_non_exec | 1 + .../test_DIR/app_dir_public_ro/level_1/normal | 0 .../test_DIR/app_dir_public_ro/link_to_exec | 1 + .../test_DIR/app_dir_public_ro/link_to_non_app_dir | 1 + .../app_dir_public_ro/link_to_non_app_exec | 1 + .../app_dir_public_ro/link_to_non_app_normal | 1 + .../test_DIR/app_dir_public_ro/link_to_non_exec | 1 + .../test_DIR/app_dir_public_ro/normal | 0 .../test_DIR/non_app_dir/.level_1/.level_2/exec | 0 .../test_DIR/non_app_dir/.level_1/.level_2/normal | 0 .../test_DIR/non_app_dir/.level_1/exec | 0 .../test_DIR/non_app_dir/.level_1/level_2/exec | 0 .../test_DIR/non_app_dir/.level_1/level_2/normal | 0 .../test_DIR/non_app_dir/.level_1/normal | 0 .../test_DIR/non_app_dir/exec | 0 .../test_DIR/non_app_dir/level_1/.level_2/exec | 0 .../test_DIR/non_app_dir/level_1/.level_2/normal | 0 .../test_DIR/non_app_dir/level_1/exec | 0 .../test_DIR/non_app_dir/level_1/level_2/exec | 0 .../non_app_dir/level_1/level_2/link_to_exec | 1 + .../non_app_dir/level_1/level_2/link_to_non_exec | 1 + .../test_DIR/non_app_dir/level_1/level_2/normal | 0 .../test_DIR/non_app_dir/level_1/link_to_exec | 1 + .../test_DIR/non_app_dir/level_1/link_to_non_exec | 1 + .../test_DIR/non_app_dir/level_1/normal | 0 .../test_DIR/non_app_dir/link_to_exec | 1 + .../test_DIR/non_app_dir/link_to_non_exec | 1 + .../test_DIR/non_app_dir/normal | 0 94 files changed, 146 insertions(+), 7 deletions(-) create mode 100755 tests/security-manager-tests/test_DIR/app_dir/.level_1/.level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir/.level_1/.level_2/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir/.level_1/exec create mode 100755 tests/security-manager-tests/test_DIR/app_dir/.level_1/level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir/.level_1/level_2/normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir/.level_1/link_to_non_app_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir/.level_1/link_to_non_app_normal create mode 100644 tests/security-manager-tests/test_DIR/app_dir/.level_1/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir/exec create mode 100755 tests/security-manager-tests/test_DIR/app_dir/level_1/.level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir/level_1/.level_2/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir/level_1/exec create mode 100755 tests/security-manager-tests/test_DIR/app_dir/level_1/level_2/exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir/level_1/level_2/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir/level_1/level_2/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir/level_1/level_2/normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir/level_1/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir/level_1/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir/level_1/normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir/link_to_non_app_dir create mode 120000 tests/security-manager-tests/test_DIR/app_dir/link_to_non_app_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir/link_to_non_app_normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public/.level_1/.level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public/.level_1/.level_2/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public/.level_1/exec create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public/.level_1/level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public/.level_1/level_2/normal create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public/.level_1/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public/exec create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public/level_1/.level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public/level_1/.level_2/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public/level_1/exec create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public/level_1/level_2/exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public/level_1/level_2/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public/level_1/level_2/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public/level_1/level_2/normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public/level_1/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public/level_1/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public/level_1/normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public/link_to_non_app_dir create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public/link_to_non_app_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public/link_to_non_app_normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public_ro/.level_1/.level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public_ro/.level_1/.level_2/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public_ro/.level_1/exec create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public_ro/.level_1/level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public_ro/.level_1/level_2/normal create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public_ro/.level_1/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public_ro/exec create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/.level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/.level_2/normal create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/exec create mode 100755 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/level_2/exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/level_2/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/level_2/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/level_2/normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public_ro/level_1/normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public_ro/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public_ro/link_to_non_app_dir create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public_ro/link_to_non_app_exec create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public_ro/link_to_non_app_normal create mode 120000 tests/security-manager-tests/test_DIR/app_dir_public_ro/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/app_dir_public_ro/normal create mode 100755 tests/security-manager-tests/test_DIR/non_app_dir/.level_1/.level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/non_app_dir/.level_1/.level_2/normal create mode 100755 tests/security-manager-tests/test_DIR/non_app_dir/.level_1/exec create mode 100755 tests/security-manager-tests/test_DIR/non_app_dir/.level_1/level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/non_app_dir/.level_1/level_2/normal create mode 100644 tests/security-manager-tests/test_DIR/non_app_dir/.level_1/normal create mode 100755 tests/security-manager-tests/test_DIR/non_app_dir/exec create mode 100755 tests/security-manager-tests/test_DIR/non_app_dir/level_1/.level_2/exec create mode 100644 tests/security-manager-tests/test_DIR/non_app_dir/level_1/.level_2/normal create mode 100755 tests/security-manager-tests/test_DIR/non_app_dir/level_1/exec create mode 100755 tests/security-manager-tests/test_DIR/non_app_dir/level_1/level_2/exec create mode 120000 tests/security-manager-tests/test_DIR/non_app_dir/level_1/level_2/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/non_app_dir/level_1/level_2/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/non_app_dir/level_1/level_2/normal create mode 120000 tests/security-manager-tests/test_DIR/non_app_dir/level_1/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/non_app_dir/level_1/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/non_app_dir/level_1/normal create mode 120000 tests/security-manager-tests/test_DIR/non_app_dir/link_to_exec create mode 120000 tests/security-manager-tests/test_DIR/non_app_dir/link_to_non_exec create mode 100644 tests/security-manager-tests/test_DIR/non_app_dir/normal diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec index 55cf105..47cf9d3 100644 --- a/packaging/security-tests.spec +++ b/packaging/security-tests.spec @@ -45,6 +45,7 @@ ln -sf /etc/smack/test_smack_rules %{buildroot}/etc/smack/test_smack_rules_lnk %post find /etc/smack/test_privilege_control_DIR/ -type f -name exec -exec chmod 0755 {} + +find /etc/smack/test_DIR/ -type f -name exec -exec chmod 0755 {} + # Load permissions templates api_feature_loader --verbose @@ -81,6 +82,7 @@ echo "security-tests postinst done ..." /etc/smack/test_smack_rules_lnk /usr/share/privilege-control/* /etc/smack/test_privilege_control_DIR/* +/etc/smack/test_DIR/* /usr/bin/test-app-efl /usr/bin/test-app-osp /usr/bin/test-app-wgt diff --git a/tests/security-manager-tests/CMakeLists.txt b/tests/security-manager-tests/CMakeLists.txt index 59af8af..0ade860 100644 --- a/tests/security-manager-tests/CMakeLists.txt +++ b/tests/security-manager-tests/CMakeLists.txt @@ -72,3 +72,8 @@ INSTALL(FILES ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack DESTINATION /usr/share/privilege-control/ ) + +INSTALL(DIRECTORY + ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/test_DIR + DESTINATION /etc/smack/ +) diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp index d1d26a7..2421796 100644 --- a/tests/security-manager-tests/security_manager_tests.cpp +++ b/tests/security-manager-tests/security_manager_tests.cpp @@ -4,6 +4,10 @@ #include #include +#include +#include +#include + #include #include @@ -58,8 +62,79 @@ static const rules_t SM_DENIED_RULES = { static const char* SM_DENIED_PERMISSION1 = "security_manager_test_rules1"; static const char* SM_DENIED_PERMISSION2 = "security_manager_test_rules2"; -static const char* SM_ALLOWED_PATH = TEST_APP_DIR; -static const char* SM_DENIED_PATH = TEST_NON_APP_DIR; +static const char* SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir"; +static const char* SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public"; +static const char* SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro"; +static const char* SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir"; + + +static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb, + const char* correctLabel, bool transmute_test, bool exec_test) +{ + int result; + CStringPtr labelPtr; + char* label = NULL; + + /* ACCESS */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); + RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); + labelPtr.reset(label); + RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set"); + result = strcmp(correctLabel, label); + RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect" + " (should be '" << correctLabel << "' and is '" << label << "')"); + + + /* EXEC */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); + RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); + labelPtr.reset(label); + + if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) { + RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set"); + result = strcmp(correctLabel, label); + RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath); + } else + RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set"); + + + /* TRANSMUTE */ + result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE); + RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); + labelPtr.reset(label); + + if (S_ISDIR(sb->st_mode) && transmute_test == true) { + RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all"); + RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0, + "TRANSMUTE label on " << fpath << " is not set properly: '"<