From 33c5c2c48df8a05022fa35dadba3ab33baeb3802 Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Tue, 12 Aug 2014 12:54:57 +0200 Subject: [PATCH] Adjust security-manager tests Security-manager is no longer using libprivilege-control Tests should now use cynara to check if privileges were granted during application installation. Change-Id: I4a0fea8edfad31cb9265c89b9498d6fd27d47676 --- tests/security-manager-tests/CMakeLists.txt | 27 ++---- .../WRT_security_manager_test_rules1.smack | 14 ---- .../WRT_security_manager_test_rules2.smack | 16 ---- .../WRT_security_manager_test_rules2_no_r.smack | 14 ---- .../WRT_security_manager_test_rules2_r.smack | 10 --- .../security_manager_tests.cpp | 97 +++++++++------------- 6 files changed, 45 insertions(+), 133 deletions(-) delete mode 100644 tests/security-manager-tests/WRT_security_manager_test_rules1.smack delete mode 100644 tests/security-manager-tests/WRT_security_manager_test_rules2.smack delete mode 100644 tests/security-manager-tests/WRT_security_manager_test_rules2_no_r.smack delete mode 100644 tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack diff --git a/tests/security-manager-tests/CMakeLists.txt b/tests/security-manager-tests/CMakeLists.txt index ae894b5..b4fdf6b 100644 --- a/tests/security-manager-tests/CMakeLists.txt +++ b/tests/security-manager-tests/CMakeLists.txt @@ -25,6 +25,7 @@ PKG_CHECK_MODULES(SEC_MGR_TESTS_DEP REQUIRED libsmack libprivilege-control + cynara-client security-manager libtzplatform-config sqlite3) @@ -35,6 +36,7 @@ SET(TARGET_SEC_MGR_TESTS "security-manager-tests") SET(SEC_MGR_SOURCES ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/security_manager_tests.cpp ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/common/sm_db.cpp + ${PROJECT_SOURCE_DIR}/tests/cynara-tests/common/cynara_test_client.cpp ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp ) @@ -42,9 +44,14 @@ INCLUDE_DIRECTORIES(SYSTEM ${SEC_MGR_TESTS_DEP_INCLUDE_DIRS} ) +INCLUDE_DIRECTORIES(SYSTEM + ${CYNARA_TARGET_DEP_INCLUDE_DIRS} + ) + INCLUDE_DIRECTORIES( ${PROJECT_SOURCE_DIR}/tests/common/ ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/common/ + ${PROJECT_SOURCE_DIR}/tests/cynara-tests/common/ ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/common/ ) @@ -58,26 +65,6 @@ TARGET_LINK_LIBRARIES(${TARGET_SEC_MGR_TESTS} INSTALL(TARGETS ${TARGET_SEC_MGR_TESTS} DESTINATION /usr/bin) -INSTALL(FILES - ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/WRT_security_manager_test_rules1.smack - DESTINATION /usr/share/privilege-control/ - ) - -INSTALL(FILES - ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/WRT_security_manager_test_rules2.smack - DESTINATION /usr/share/privilege-control/ - ) - -INSTALL(FILES - ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/WRT_security_manager_test_rules2_no_r.smack - DESTINATION /usr/share/privilege-control/ - ) - -INSTALL(FILES - ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack - DESTINATION /usr/share/privilege-control/ - ) - INSTALL(DIRECTORY ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/test_DIR DESTINATION /etc/smack/ diff --git a/tests/security-manager-tests/WRT_security_manager_test_rules1.smack b/tests/security-manager-tests/WRT_security_manager_test_rules1.smack deleted file mode 100644 index 0dfa560..0000000 --- a/tests/security-manager-tests/WRT_security_manager_test_rules1.smack +++ /dev/null @@ -1,14 +0,0 @@ -~APP~ test_sm_book_1 r -~APP~ test_sm_book_2 w -~APP~ test_sm_book_3 x -~APP~ test_sm_book_4 rw -~APP~ test_sm_book_5 rx -~APP~ test_sm_book_6 wx -~APP~ test_sm_book_7 rwx -test_sm_subject_1 ~APP~ r -test_sm_subject_2 ~APP~ w -test_sm_subject_3 ~APP~ x -test_sm_subject_4 ~APP~ rw -test_sm_subject_5 ~APP~ rx -test_sm_subject_6 ~APP~ wx -test_sm_subject_7 ~APP~ rwx diff --git a/tests/security-manager-tests/WRT_security_manager_test_rules2.smack b/tests/security-manager-tests/WRT_security_manager_test_rules2.smack deleted file mode 100644 index da67f85..0000000 --- a/tests/security-manager-tests/WRT_security_manager_test_rules2.smack +++ /dev/null @@ -1,16 +0,0 @@ -~APP~ test_sm_book_8 r -~APP~ test_sm_book_9 w -~APP~ test_sm_book_10 x -~APP~ test_sm_book_11 rw -~APP~ test_sm_book_12 rx -~APP~ test_sm_book_13 wx -~APP~ test_sm_book_14 rwx -~APP~ test_sm_book_15 rwxat -test_sm_subject_8 ~APP~ r -test_sm_subject_9 ~APP~ w -test_sm_subject_10 ~APP~ x -test_sm_subject_11 ~APP~ rw -test_sm_subject_12 ~APP~ rx -test_sm_subject_13 ~APP~ wx -test_sm_subject_14 ~APP~ rwx -test_sm_subject_15 ~APP~ rwxat diff --git a/tests/security-manager-tests/WRT_security_manager_test_rules2_no_r.smack b/tests/security-manager-tests/WRT_security_manager_test_rules2_no_r.smack deleted file mode 100644 index 693a26a..0000000 --- a/tests/security-manager-tests/WRT_security_manager_test_rules2_no_r.smack +++ /dev/null @@ -1,14 +0,0 @@ -~APP~ test_sm_book_9 w -~APP~ test_sm_book_10 x -~APP~ test_sm_book_11 w -~APP~ test_sm_book_12 x -~APP~ test_sm_book_13 wx -~APP~ test_sm_book_14 wx -~APP~ test_sm_book_15 wxat -test_sm_subject_9 ~APP~ w -test_sm_subject_10 ~APP~ x -test_sm_subject_11 ~APP~ w -test_sm_subject_12 ~APP~ x -test_sm_subject_13 ~APP~ wx -test_sm_subject_14 ~APP~ wx -test_sm_subject_15 ~APP~ wxat diff --git a/tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack b/tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack deleted file mode 100644 index 8d2d49b..0000000 --- a/tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack +++ /dev/null @@ -1,10 +0,0 @@ -~APP~ test_sm_book_8 r -~APP~ test_sm_book_11 r -~APP~ test_sm_book_12 r -~APP~ test_sm_book_14 r -~APP~ test_sm_book_15 r -test_sm_subject_8 ~APP~ r -test_sm_subject_11 ~APP~ r -test_sm_subject_12 ~APP~ r -test_sm_subject_14 ~APP~ r -test_sm_subject_15 ~APP~ r diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp index 0e505af..ea9a430 100644 --- a/tests/security-manager-tests/security_manager_tests.cpp +++ b/tests/security-manager-tests/security_manager_tests.cpp @@ -3,6 +3,7 @@ #include #include #include +#include #include #include @@ -14,6 +15,7 @@ #include #include +#include DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr); @@ -38,48 +40,18 @@ static const privileges_t SM_DENIED_PRIVILEGES = { "security_manager_test_rules2" }; -static const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL"; - -static const rules_t SM_ALLOWED_RULES = { - { USER_APP_ID, "test_sm_book_8", "r" }, - { USER_APP_ID, "test_sm_book_9", "w" }, - { USER_APP_ID, "test_sm_book_10", "x" }, - { USER_APP_ID, "test_sm_book_11", "rw" }, - { USER_APP_ID, "test_sm_book_12", "rx" }, - { USER_APP_ID, "test_sm_book_13", "wx" }, - { USER_APP_ID, "test_sm_book_14", "rwx" }, - { USER_APP_ID, "test_sm_book_15", "rwxat" }, - { "test_sm_subject_8", USER_APP_ID, "r" }, - { "test_sm_subject_9", USER_APP_ID, "w" }, - { "test_sm_subject_10", USER_APP_ID, "x" }, - { "test_sm_subject_11", USER_APP_ID, "rw" }, - { "test_sm_subject_12", USER_APP_ID, "rx" }, - { "test_sm_subject_13", USER_APP_ID, "wx" }, - { "test_sm_subject_14", USER_APP_ID, "rwx" }, - { "test_sm_subject_15", USER_APP_ID, "rwxat" } -}; -static const rules_t SM_DENIED_RULES = { - { USER_APP_ID, "test_sm_book_1", "r" }, - { USER_APP_ID, "test_sm_book_2", "w" }, - { USER_APP_ID, "test_sm_book_3", "x" }, - { USER_APP_ID, "test_sm_book_4", "rw" }, - { USER_APP_ID, "test_sm_book_5", "rx" }, - { USER_APP_ID, "test_sm_book_6", "wx" }, - { USER_APP_ID, "test_sm_book_7", "rwx" }, - { "test_sm_subject_1", USER_APP_ID, "r" }, - { "test_sm_subject_2", USER_APP_ID, "w" }, - { "test_sm_subject_3", USER_APP_ID, "x" }, - { "test_sm_subject_4", USER_APP_ID, "rw" }, - { "test_sm_subject_5", USER_APP_ID, "rx" }, - { "test_sm_subject_6", USER_APP_ID, "wx" }, - { "test_sm_subject_7", USER_APP_ID, "rwx" } +static const privileges_t SM_NO_PRIVILEGES = { }; +static const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL"; + static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir"; static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public"; static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro"; static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir"; static const char *const SM_PRIVATE_PATH_FOR_USER_5000 = "/home/app/securitytests/test_DIR"; +static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/ + static bool isLinkToExec(const char *fpath, const struct stat *sb) @@ -239,40 +211,33 @@ static void check_app_path_after_install() RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH); } -static void check_app_permissions(const char *const app_id, const char *const pkg_id, - const privileges_t &allowed_privs, const privileges_t &denied_privs, - const rules_t &allowed_rules, const rules_t &denied_rules) -{ - bool result; - result = check_all_accesses(smack_check(), allowed_rules); - RUNNER_ASSERT_MSG_BT(result, "Permissions not added."); - result = check_no_accesses(smack_check(), denied_rules); - RUNNER_ASSERT_MSG_BT(result, "Permissions added."); +static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user, + const privileges_t &allowed_privs, const privileges_t &denied_privs) +{ + (void) app_id; - /* TODO: USER_APP_ID is hardcoded in the following checks, because libprivilege always generate - * label "User" for all installed apps. Adjust it when libprivilege is upgraded. */ - (void)app_id; // unused parameter - (void)pkg_id; // unused parameter + CynaraTestClient ctc; - for (auto it = allowed_privs.begin(); it != allowed_privs.end(); ++it) - check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), true); + for (auto &priv : allowed_privs) { + ctc.check(pkg_id, "", user, priv.c_str(), CYNARA_API_SUCCESS); + } - for (auto it = denied_privs.begin(); it != denied_privs.end(); ++it) - check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), false); + for (auto &priv : denied_privs) { + ctc.check(pkg_id, "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED); + } } static void check_app_after_install(const char *const app_id, const char *const pkg_id, - const privileges_t &allowed_privs, const privileges_t &denied_privs, - const rules_t &allowed_rules, const rules_t &denied_rules) + const privileges_t &allowed_privs, + const privileges_t &denied_privs) { TestSecurityManagerDatabase dbtest; dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs); dbtest.check_privileges_removed(app_id, pkg_id, denied_privs); - check_app_permissions(app_id, pkg_id, - allowed_privs, denied_privs, - allowed_rules, denied_rules); + /*Privileges should be granted to all users if root installs app*/ + check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs); } static void check_app_after_install(const char *const app_id, const char *const pkg_id) @@ -286,6 +251,10 @@ static void check_app_after_uninstall(const char *const app_id, const char *cons { TestSecurityManagerDatabase dbtest; dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed); + + + /*Privileges should not be granted anymore to any user*/ + check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges); } static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id, @@ -428,8 +397,7 @@ RUNNER_TEST(security_manager_02_app_install_uninstall_full) /* Check records in the security-manager database */ check_app_after_install(SM_APP_ID2, SM_PKG_ID2, - SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, - SM_ALLOWED_RULES, SM_DENIED_RULES); + SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES); /* TODO: add parameters to this function */ check_app_path_after_install(); @@ -566,6 +534,7 @@ RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000) { int result; AppInstReqUniquePtr request; + const std::string user = std::to_string(static_cast(APP_UID)); //switch user to non-root @@ -591,10 +560,18 @@ RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000) //should succeed - this time i register folder inside user's home dir prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER_5000); + for (auto &privilege : SM_ALLOWED_PRIVILEGES) { + result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str()); + RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, + "setting allowed permission failed. Result: " << result); + } + result = security_manager_app_install(request.get()); RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, "installing app failed. Result: " << result); + check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES); + //uninstall app as non-root user request.reset(do_app_inst_req_new()); @@ -605,6 +582,8 @@ RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000) result = security_manager_app_uninstall(request.get()); RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, "uninstalling app failed. Result: " << result); + + check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); } -- 2.7.4