2 * Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include "app_install_helper_ext.h"
21 #include <sys/smack.h>
25 #include <unordered_set>
28 #include <security-manager-types.h>
31 #include <label_generator.h>
32 #include <cynara_test_client.h>
33 #include <policy_configuration.h>
36 constexpr char SMACK_RULES_PATH[] = "/sys/fs/smackfs/load2";
37 constexpr char ANY_USER_REPRESENTATION[] = "anyuser";/*this may be actually any string*/
39 void assertNoLabelInRule(const AccessRequest &rule, const std::string &label)
41 RUNNER_ASSERT_MSG(rule.object != label && rule.subject != label,
42 "Smack rule left after uninstallation process." <<
43 " Subject: " << rule.subject <<
44 " object: " << rule.object <<
45 " access: " << rule.access);
48 std::string accessOpposite(std::string &access)
50 static const std::map<char, int> accessMapping = {{'r', 0}, {'w', 1}, {'x', 2}, {'a', 3},
52 // May write implies may lock
53 if (access.find('w') != std::string::npos && access.find('l') == std::string::npos) {
56 std::string oppositeAccess = "rwxatl";
57 for (char c : access) {
58 oppositeAccess[accessMapping.at(c)] = '-';
60 auto it = std::remove_if(oppositeAccess.begin(), oppositeAccess.end(), [](char c) {return c == '-';});
61 oppositeAccess.erase(it, oppositeAccess.end());
62 return oppositeAccess;
65 void checkExactSmackAccesses(const std::string &subject, const std::string &object,
66 const std::string &access)
68 std::string access_str(access);
69 auto no_access = accessOpposite(access_str);
70 for (char c : access_str) {
71 int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
72 RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object
73 << ">, <" << c << "> errno=" << strerror(errno));
74 RUNNER_ASSERT_MSG(ret == 1, "Access " << c << " from " << subject << " to "
75 << object << " not given");
78 for (char c : no_access) {
79 int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
80 RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object
81 << ">, <" << c << "> errno=" << strerror(errno));
82 RUNNER_ASSERT_MSG(ret == 0, "Access " << c << " from " << subject << " to "
83 << object << " unnecessarily given");
87 } // namespace anonymous
89 namespace SecurityManagerTest
92 void AppInstallHelperExt::checkPrivileges(const PrivilegeVector &allowedPrivs,
93 const PrivilegeVector &deniedPrivs) const
95 /* Privileges should be granted to all users if root installs app */
96 auto user = (m_uidGid == 0 ? ANY_USER_REPRESENTATION : std::to_string(m_uidGid));
98 std::string smackLabel = generateProcessLabel(m_appName, m_pkgName, m_isHybrid);
100 CynaraTestClient::Client ctc;
103 for (auto &priv : allowedPrivs) {
104 ctc.check(smackLabel.c_str(), "", user, priv.getName().c_str(), CYNARA_API_ACCESS_ALLOWED);
106 Api::appHasPrivilege(m_appName, priv, m_uidGid, result);
107 RUNNER_ASSERT_MSG(result == 1,
108 "Application " << m_appName << " has no access to " << priv);
111 for (auto &priv : deniedPrivs) {
112 ctc.check(smackLabel.c_str(), "", user, priv.getName().c_str(), CYNARA_API_ACCESS_DENIED);
114 Api::appHasPrivilege(m_appName, priv, m_uidGid, result);
115 RUNNER_ASSERT_MSG(result == 0,
116 "Application " << m_appName << " has unexpected access to " << priv);
120 void AppInstallHelperExt::checkDeniedPrivileges(const PrivilegeVector &deniedPrivs) const
122 checkPrivileges({}, deniedPrivs);
125 void AppInstallHelperExt::checkPrivilegeGroups(const PrivilegeVector &allowedPrivs) const
127 static PolicyConfiguration policy;
128 const auto allowed_groups = policy.privToGroup(allowedPrivs);
129 RUNNER_ASSERT_MSG(allowed_groups.size() == allowedPrivs.size(),
130 "Some privileges given were not found in the policy");
132 std::vector<gid_t> allowed_gids;
133 for (const auto &groupName : allowed_groups) {
135 struct group* grp = getgrnam(groupName.c_str());
136 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
137 allowed_gids.push_back(grp->gr_gid);
140 checkGids(allowed_gids);
143 void AppInstallHelperExt::checkAfterInstall() const
145 static const std::vector<AccessRequest> staticRules[] =
146 {parseSmackRulesFile(PolicyConfiguration::getPkgRulesFilePath()),
147 parseSmackRulesFile(PolicyConfiguration::getAppRulesFilePath())};
149 checkAppIdExistence(true);
151 checkSmackAccesses(staticRules[m_isHybrid]);
153 checkPrivileges(m_privileges, {});
156 void AppInstallHelperExt::checkAfterUninstall(bool removePkg) const
158 checkAppIdExistence(false);
161 checkPkgSmackRulesAfterUninstall();
163 // there should be no hybrid rules regardless of the app type
164 checkHybridAppSmackRulesAterUninstall();
166 checkDeniedPrivileges(m_privileges);
169 void AppInstallHelperExt::checkSmackAccesses(std::vector<AccessRequest> rules, bool hasAccess) const
171 const std::pair<std::string, std::string> switchAliases[] = {
172 {"~PATH_RW~", generatePathRWLabel(m_pkgName)},
173 {"~PATH_RO~", generatePathROLabel(m_pkgName)},
174 {"~PROCESS~", generateProcessLabel(m_appName, m_pkgName, m_isHybrid)}
177 for (auto& rule : rules) {
178 if (rule.object == "~PATH_TRUSTED~") {
182 for (const auto &alias : switchAliases) {
183 if (rule.subject == alias.first) {
184 rule.subject = alias.second;
186 if (rule.object == alias.first) {
187 rule.object = alias.second;
194 // Special label that may occur in the template. Other special labels will not be used.
195 if (rule.object == "_") {
196 rule.access = "rx" + rule.access;
199 checkExactSmackAccesses(rule.subject, rule.object, rule.access);
203 void AppInstallHelperExt::checkPkgSmackRulesAfterUninstall() const
205 const std::vector<AccessRequest> rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH)));
206 const std::string labels[] = {generatePathRWLabel(m_pkgName),
207 generatePathROLabel(m_pkgName),
208 generateProcessLabel(m_appName, m_pkgName, true),
209 generateProcessLabel(m_appName, m_pkgName)};
211 for (const auto &rule : rules) {
212 for (const auto &label : labels) {
213 assertNoLabelInRule(rule, label);
218 void AppInstallHelperExt::checkHybridAppSmackRulesAterUninstall() const
220 const std::vector<AccessRequest> rules(parseSmackRulesFile(SMACK_RULES_PATH));
221 const std::string appLabel = generateProcessLabel(m_appName, m_pkgName, true);
223 for (const auto &rule : rules) {
224 assertNoLabelInRule(rule, appLabel);
228 void AppInstallHelperExt::checkAppIdExistence(bool expected) const
230 lib_retcode ret = expected ? SECURITY_MANAGER_SUCCESS : SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
231 std::string retPkgId = Api::getPkgId(m_appName, ret);
234 RUNNER_ASSERT_MSG(m_pkgName == retPkgId,
235 "The given appId does not belong to the given pkgId.");
239 void AppInstallHelperExt::checkGids(const std::vector<gid_t> &allowedGids) const
242 std::unordered_set<gid_t> referenceGids(allowedGids.begin(), allowedGids.end());
244 // Reset supplementary groups
245 ret = setgroups(0, NULL);
246 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
248 Api::setProcessGroups(m_appName);
250 ret = getgroups(0, nullptr);
251 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
253 std::vector<gid_t> actualGids(ret);
254 ret = getgroups(ret, actualGids.data());
255 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
257 for (const auto &gid : actualGids) {
258 RUNNER_ASSERT_MSG(referenceGids.count(gid) > 0,
259 "Application shouldn't get access to group " << gid);
260 referenceGids.erase(gid);
263 RUNNER_ASSERT_MSG(referenceGids.empty(), "Application didn't get access to some groups");
266 } // namespace SecurityManagerTest