From 7a32da179bbd0843900817afc92646ea044f8cd5 Mon Sep 17 00:00:00 2001 From: Zofia Abramowska Date: Fri, 4 Nov 2016 17:11:41 +0100 Subject: [PATCH] SM : Cleanup - trusted sharing test cases Change-Id: I3114a2e711b2d73d5fcc34a8a86a690098388b00 --- .../test_cases_trusted_sharing.cpp | 317 +++++++-------------- 1 file changed, 104 insertions(+), 213 deletions(-) diff --git a/src/security-manager-tests/test_cases_trusted_sharing.cpp b/src/security-manager-tests/test_cases_trusted_sharing.cpp index 531d9f2..0060fa2 100644 --- a/src/security-manager-tests/test_cases_trusted_sharing.cpp +++ b/src/security-manager-tests/test_cases_trusted_sharing.cpp @@ -19,52 +19,24 @@ #include #include #include +#include #include #include #include +#include +#include #include #include #include #include +#include #include #include using namespace SecurityManagerTest; -static const std::string SM_TRUSTED_PATH = - TzPlatformConfig::globalAppDir() + "/sm_test_02_pkg_id_full/app_dir_trusted"; - -static void check_exact_access(const std::string& subject, const std::string& object, const std::string& access) -{ - // check access - if (!access.empty()) { - int result = smack_have_access(subject.c_str(), object.c_str(), access.c_str()); - RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed"); - RUNNER_ASSERT_MSG(result == 1, - "No smack access: " << subject << " " << object << " " << access); - } - // check excessive access - auto foundInAccess = [&access](std::string::value_type c) { - return access.find(c) != std::string::npos; }; - - std::string negative = "rwxatl"; - auto end = std::remove_if(negative.begin(), negative.end(), foundInAccess); - negative.erase(end, negative.end()); - - for(const auto& c : negative) { - int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str()); - RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed"); - RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" << - " subject:" << subject << - " object:" << object << - " right:" << std::string(1,c) << - " result:" << result << - " expected:0"); - } -} - RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING) RUNNER_TEST(security_manager_40_set_wrong_author_id) @@ -88,92 +60,64 @@ RUNNER_TEST(security_manager_41_set_author_id_multiple_times) } } -RUNNER_TEST(security_manager_43_app_install_with_trusted_path) +RUNNER_CHILD_TEST(security_manager_43_app_install_with_trusted_path) { - std::vector helper {{"app43a"}, {"app43b"}, {"app43c"}}; - auto &provider = helper[0]; - auto &user = helper[1]; - auto &untrusted = helper[2]; + TemporaryTestUser user("sm_test_43_user_name", GUM_USERTYPE_NORMAL); + user.create(); - TestSecurityManagerDatabase dbtest; - const char *author_id = "custom_author_id_test 41"; + const std::string authorId = "sm_test_43_author_id"; - const char *const trusted_access = "rwxatl"; - const char *const system_access = "rwxatl"; + AppInstallHelper provider("sm_test_43_provider", user.getUid()); + provider.createTrustedDir(); + provider.setAuthor(authorId); - int result; - - // cleanup - for (auto &e : helper) { - e.revokeRules(); - e.createTrustedDir(); - } + AppInstallHelper trusted("sm_test_43_user", user.getUid()); + trusted.setAuthor(authorId); - result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH); + AppInstallHelper untrusted("sm_test_43_untrusted"); // install app with shared/trusted dir - InstallRequest trustingApp; - trustingApp.setAppId(provider.getAppId()); - trustingApp.setPkgId(provider.getPkgId()); - trustingApp.setAuthorId("author id to be overwritten"); - trustingApp.setAuthorId(author_id); - trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW); - Api::install(trustingApp); - - int64_t authorDb = dbtest.get_author_id(author_id); - const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb); - - // check trusted path label - check_path(provider.getTrustedDir(), trusted_label); - - // check rules - check_exact_access("System", trusted_label, system_access); - check_exact_access("User", trusted_label, system_access); - check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()), - trusted_label, trusted_access); + InstallRequest providerInstallReq; + providerInstallReq.setAppId(provider.getAppId()); + providerInstallReq.setPkgId(provider.getPkgId()); + providerInstallReq.setUid(provider.getUID()); + providerInstallReq.setAuthorId("author id to be overwritten"); + providerInstallReq.setAuthorId(provider.getAuthor()); + providerInstallReq.addPath(provider.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW); + Api::install(providerInstallReq); - // install trusted app - InstallRequest trustedApp; - trustedApp.setAppId(user.getAppId()); - trustedApp.setPkgId(user.getPkgId()); - trustedApp.setAuthorId(author_id); - Api::install(trustedApp); + std::string trustedPath = provider.getTrustedDir(); - // check rules - check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()), - trusted_label, trusted_access); + // Second installation only for scoped uninstall + ScopedInstaller providerInstall(provider); - // install untrusted app - InstallRequest untrustedApp; - untrustedApp.setAppId(untrusted.getAppId()); - untrustedApp.setPkgId(untrusted.getPkgId()); - Api::install(untrustedApp); + runAccessTest(provider, trustedPath, R_OK|W_OK|X_OK); + runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK); - // check rules - check_exact_access(generateProcessLabel(untrusted.getAppId(), untrusted.getPkgId()), - trusted_label, ""); + // install trusted app + ScopedInstaller userInstall(trusted); + runAccessTest(trusted, provider.getTrustedDir(), R_OK|W_OK|X_OK); - // uninstall trusting app - Api::uninstall(trustingApp); + // install untrusted app + ScopedInstaller untrustedInstall(untrusted); + runAccessTest(untrusted, trustedPath, 0); + + providerInstall.uninstallApp(); // there's still one app with author id, rules should be kept - check_exact_access("System", trusted_label, system_access); - check_exact_access("User", trusted_label, system_access); - check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()), - trusted_label, ""); - check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()), - trusted_label, trusted_access); + runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK); + runAccessTest(trusted, provider.getTrustedDir(), R_OK|W_OK|X_OK); + runAccessTest(untrusted, trustedPath, 0); - Api::uninstall(trustedApp); + //Second install of provider, but without authorid, to check if there is no access + AppInstallHelper provider2("sm_test_43_provider"); + ScopedInstaller providerInstall2(provider2); + runAccessTest(provider2, trustedPath, 0); - // no more apps with author id - check_exact_access("System", trusted_label, ""); - check_exact_access("User", trusted_label, ""); - check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()), - trusted_label, ""); + userInstall.uninstallApp(); - Api::uninstall(untrustedApp); + // no more apps with author id + runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, 0); } @@ -190,139 +134,86 @@ RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id) Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM); } -RUNNER_TEST(security_manager_45_test_authorId_identificator_creation) +RUNNER_CHILD_TEST(security_manager_45_test_authorId_identificator_creation) { - std::vector helper {{"a45"}, {"b45"}}; - auto &trusted1 = helper[0]; - auto &trusted2 = helper[1]; - - TestSecurityManagerDatabase dbtest; - const char *authorId1 = "custom_author_id_test a45"; - const char *authorId2 = "custom_author_id_test b45"; - - // cleanup - for (auto &e : helper) { - e.revokeRules(); - e.createTrustedDir(); - } - // install app with shared/trusted dir - InstallRequest trustingApp; - trustingApp.setAppId(trusted1.getAppId()); - trustingApp.setPkgId(trusted1.getPkgId()); - trustingApp.setAuthorId(authorId1); - trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW); - Api::install(trustingApp); + AppInstallHelper trusted1("sm_test_45_1"); + trusted1.setAuthor("sm_test_45_1_author_id"); + trusted1.createTrustedDir(); - int64_t authorDb1 = dbtest.get_author_id(authorId1); + AppInstallHelper trusted2("sm_test_45_2"); + trusted2.setAuthor("sm_test_45_2_author_id"); + trusted2.createTrustedDir(); - // install trusted app - InstallRequest trustedApp; - trustedApp.setAppId(trusted2.getAppId()); - trustedApp.setPkgId(trusted2.getPkgId()); - trustedApp.setAuthorId(authorId2); - Api::install(trustedApp); + ScopedInstaller trustedInstall1(trusted1); + ScopedInstaller trustedInstall2(trusted2); - int64_t authorDb2 = dbtest.get_author_id(authorId2); + std::string trustedPath1 = trusted1.getTrustedDir(); + std::string trustedPath2 = trusted2.getTrustedDir(); - Api::uninstall(trustingApp); - Api::uninstall(trustedApp); + runAccessTest(trusted1, trustedPath1, R_OK|W_OK|X_OK); + runAccessTest(trusted2, trustedPath1, 0); + runSystemAccessTest(geteuid(), getegid(), trustedPath1, R_OK | W_OK | X_OK); - RUNNER_ASSERT(authorDb1 != authorDb2); + runAccessTest(trusted2, trustedPath2, R_OK|W_OK|X_OK); + runAccessTest(trusted1, trustedPath2, 0); + runSystemAccessTest(geteuid(), getegid(), trustedPath2, R_OK | W_OK | X_OK); } /* Description: * Lets assume that app1 and app2 are part of pkg1. - * Deinstalation of app1 mustnot remove rules: - * System PKG1Label rwxatl - * User PKGLabel rwxatl + * Deinstalation of app1 must not remove access from system processes to trusted paths */ -void test_46_pkgId_deinstallation(bool isHybrid) { - std::vector helper {{"a46", "a46"}, {"b46", "a46"}}; - auto &trusted1 = helper[0]; - auto &trusted2 = helper[1]; +void test_46_pkgId_deinstallation(bool isFirstOneHybrid, bool isSecondOneHybrid) { + TemporaryTestUser user("sm_test_46_user_name", GUM_USERTYPE_NORMAL); + user.create(); - std::string authorId1 = "author46XYZ"; + const std::string authorId = "sm_test_46_author_id"; - for (auto &e : helper) { - e.revokeRules(); - e.createTrustedDir(); - } + AppInstallHelper provider("sm_test_46_1", user.getUid()); + provider.createTrustedDir(); + provider.setAuthor(authorId); + if (isFirstOneHybrid) + provider.setHybrid(); + ScopedInstaller providerInstaller(provider); - InstallRequest trustingApp; - trustingApp.setAppId(trusted1.getAppId()); - trustingApp.setPkgId(trusted1.getPkgId()); - trustingApp.setAuthorId(authorId1); - if (isHybrid) - trustingApp.setHybrid(); - trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW); - Api::install(trustingApp); - - InstallRequest trustingApp2; - trustingApp2.setAppId(trusted2.getAppId()); - trustingApp2.setPkgId(trusted2.getPkgId()); - trustingApp2.setAuthorId(authorId1); - if (isHybrid) - trustingApp2.setHybrid(); - Api::install(trustingApp2); - - - check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl"); - check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl"); - if (isHybrid) { - // Nonhybrid apps have the same label for process and private files - check_exact_access("System", - generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid), - "rwxatl"); - check_exact_access("User", - generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid), - "rwxatl"); - check_exact_access("System", - generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid), - "rwxatl"); - check_exact_access("User", - generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid), - "rwxatl"); - } + AppInstallHelper trusted("sm_test_46_2", user.getUid()); + trusted.setAuthor(authorId); + if (isSecondOneHybrid) + trusted.setHybrid(); + ScopedInstaller trustedInstaller(trusted); - Api::uninstall(trustingApp2); - - check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl"); - check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl"); - - if (isHybrid) { - // Nonhybrid apps from the same package share process label - check_exact_access("System", - generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid), - "rwxatl"); - check_exact_access("User", - generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid), - "rwxatl"); - check_exact_access("System", - generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid), - ""); - check_exact_access("User", - generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId(), isHybrid), - ""); - } + const std::string trustedPath = provider.getTrustedDir(); + + runAccessTest(provider, trustedPath, R_OK | W_OK | X_OK); + runAccessTest(trusted, trustedPath, R_OK | W_OK | X_OK); + runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK); + + trustedInstaller.uninstallApp(); - Api::uninstall(trustingApp); + runAccessTest(provider, trustedPath, R_OK | W_OK | X_OK); + runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, R_OK | W_OK | X_OK); - check_exact_access("System", - generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid), - ""); - check_exact_access("User", - generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId(), isHybrid), - ""); - check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), ""); - check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), ""); + providerInstaller.uninstallApp(); + + runSystemAccessTest(user.getUid(), user.getGid(), trustedPath, 0); +} + +RUNNER_CHILD_TEST(security_manager_46a_pkgId_deinstalation_test_hybrid) +{ + test_46_pkgId_deinstallation(true, true); +} + +RUNNER_CHILD_TEST(security_manager_46b_pkgId_deinstalation_test_nonhybrid) +{ + test_46_pkgId_deinstallation(false, false); } -RUNNER_TEST(security_manager_46_pkgId_deinstalation_test_hybrid) +RUNNER_CHILD_TEST(security_manager_46c_pkgId_deinstalation_test_hybrid_only_provider) { - test_46_pkgId_deinstallation(true); + test_46_pkgId_deinstallation(true, false); } -RUNNER_TEST(security_manager_46_pkgId_deinstalation_test_nonhybrid) +RUNNER_CHILD_TEST(security_manager_46d_pkgId_deinstalation_test_hybrid_only_trusted) { - test_46_pkgId_deinstallation(false); + test_46_pkgId_deinstallation(false, true); } -- 2.7.4