2 * Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include "app_install_helper_ext.h"
21 #include <sys/smack.h>
25 #include <unordered_set>
28 #include <security-manager-types.h>
31 #include <label_generator.h>
32 #include <cynara_test_client.h>
33 #include <policy_configuration.h>
36 constexpr char SMACK_RULES_PATH[] = "/sys/fs/smackfs/load2";
37 constexpr char ANY_USER_REPRESENTATION[] = "anyuser";/*this may be actually any string*/
39 void assertNoLabelInRule(const AccessRequest &rule, const std::string &label)
41 RUNNER_ASSERT_MSG(rule.object != label && rule.subject != label,
42 "Smack rule left after uninstallation process." <<
43 " Subject: " << rule.subject <<
44 " object: " << rule.object <<
45 " access: " << rule.access);
48 std::string accessOpposite(std::string &access)
50 static const std::map<char, int> accessMapping = {{'r', 0}, {'w', 1}, {'x', 2}, {'a', 3},
52 // May write implies may lock
53 if (access.find('w') != std::string::npos && access.find('l') == std::string::npos) {
56 std::string oppositeAccess = "rwxatl";
57 for (char c : access) {
58 oppositeAccess[accessMapping.at(c)] = '-';
60 auto it = std::remove_if(oppositeAccess.begin(), oppositeAccess.end(), [](char c) {return c == '-';});
61 oppositeAccess.erase(it, oppositeAccess.end());
62 return oppositeAccess;
65 void checkExactSmackAccesses(const std::string &subject, const std::string &object,
66 const std::string &access)
68 std::string access_str(access);
69 auto no_access = accessOpposite(access_str);
70 for (char c : access_str) {
71 int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
72 RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object
73 << ">, <" << c << "> errno=" << strerror(errno));
74 RUNNER_ASSERT_MSG(ret == 1, "Access " << c << " from " << subject << " to "
75 << object << " not given");
78 for (char c : no_access) {
79 int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
80 RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object
81 << ">, <" << c << "> errno=" << strerror(errno));
82 RUNNER_ASSERT_MSG(ret == 0, "Access " << c << " from " << subject << " to "
83 << object << " unnecessarily given");
87 } // namespace anonymous
89 namespace SecurityManagerTest
92 void AppInstallHelperExt::checkPrivileges(const PrivilegeVector &allowedPrivs,
93 const PrivilegeVector &deniedPrivs) const
95 /* Privileges should be granted to all users if root installs app */
96 auto user = (m_uidGid == 0 ? ANY_USER_REPRESENTATION : std::to_string(m_uidGid));
98 std::string smackLabel = generateProcessLabel(m_appName, m_pkgName, m_isHybrid);
100 CynaraTestClient::Client ctc;
103 for (auto &priv : allowedPrivs) {
104 ctc.check(smackLabel.c_str(), "", user, priv.getName().c_str(), CYNARA_API_ACCESS_ALLOWED);
106 Api::appHasPrivilege(m_appName, priv, m_uidGid, result);
107 RUNNER_ASSERT_MSG(result == 1,
108 "Application " << m_appName << " has no access to " << priv);
111 for (auto &priv : deniedPrivs) {
112 ctc.check(smackLabel.c_str(), "", user, priv.getName().c_str(), CYNARA_API_ACCESS_DENIED);
114 Api::appHasPrivilege(m_appName, priv, m_uidGid, result);
115 RUNNER_ASSERT_MSG(result == 0,
116 "Application " << m_appName << " has unexpected access to " << priv);
120 void AppInstallHelperExt::checkDeniedPrivileges(const PrivilegeVector &deniedPrivs) const
122 checkPrivileges({}, deniedPrivs);
125 void AppInstallHelperExt::checkPrivilegeGroups(const PrivilegeVector &allowedPrivs) const
127 static PolicyConfiguration policy;
128 const auto allowed_groups = policy.privToGroup(allowedPrivs);
129 RUNNER_ASSERT_MSG(allowed_groups.size() == allowedPrivs.size(),
130 "Some privileges given were not found in the policy");
132 std::vector<gid_t> allowed_gids;
133 for (const auto &groupName : allowed_groups) {
135 struct group* grp = getgrnam(groupName.c_str());
136 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
137 allowed_gids.push_back(grp->gr_gid);
140 checkGids(allowed_gids);
143 void AppInstallHelperExt:: checkSmackPrivileges(const PrivilegeVector &allowedPrivs,
144 const PrivilegeVector &deniedPrivs) const
146 auto& smackPrivilegeRules = PolicyConfiguration::getSmackPrivRulesMap();
148 auto getPrivilegeRules = [&](const PrivilegeVector &privs) {
149 std::vector<AccessRequest> rules;
151 for (auto &priv : privs) {
152 auto it = smackPrivilegeRules.find(priv);
153 RUNNER_ASSERT_MSG(it != smackPrivilegeRules.end(), priv << " is not a smack privilege");
155 rules.insert(rules.end(), it->second.begin(), it->second.end());
160 checkSmackAccesses(getPrivilegeRules(allowedPrivs));
161 checkSmackAccesses(getPrivilegeRules(deniedPrivs), false);
164 void AppInstallHelperExt::checkAfterInstall() const
166 static const std::vector<AccessRequest> staticRules[] =
167 {parseSmackRulesFile(PolicyConfiguration::getPkgRulesFilePath()),
168 parseSmackRulesFile(PolicyConfiguration::getAppRulesFilePath())};
170 checkAppIdExistence(true);
172 checkSmackAccesses(staticRules[m_isHybrid]);
174 checkPrivileges(m_privileges, {});
177 void AppInstallHelperExt::checkAfterUninstall(bool removePkg) const
179 checkAppIdExistence(false);
182 checkPkgSmackRulesAfterUninstall();
184 // there should be no hybrid rules regardless of the app type
185 checkHybridAppSmackRulesAterUninstall();
187 checkDeniedPrivileges(m_privileges);
190 void AppInstallHelperExt::checkSmackAccesses(std::vector<AccessRequest> rules, bool hasAccess) const
192 const std::pair<std::string, std::string> switchAliases[] = {
193 {"~PATH_RW~", generatePathRWLabel(m_pkgName)},
194 {"~PATH_RO~", generatePathROLabel(m_pkgName)},
195 {"~PROCESS~", generateProcessLabel(m_appName, m_pkgName, m_isHybrid)}
198 for (auto& rule : rules) {
199 if (rule.object == "~PATH_TRUSTED~") {
203 for (const auto &alias : switchAliases) {
204 if (rule.subject == alias.first) {
205 rule.subject = alias.second;
207 if (rule.object == alias.first) {
208 rule.object = alias.second;
215 // Special label that may occur in the template. Other special labels will not be used.
216 if (rule.object == "_") {
217 rule.access = "rx" + rule.access;
220 checkExactSmackAccesses(rule.subject, rule.object, rule.access);
224 void AppInstallHelperExt::checkPkgSmackRulesAfterUninstall() const
226 const std::vector<AccessRequest> rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH)));
227 const std::string labels[] = {generatePathRWLabel(m_pkgName),
228 generatePathROLabel(m_pkgName),
229 generateProcessLabel(m_appName, m_pkgName, true),
230 generateProcessLabel(m_appName, m_pkgName)};
232 for (const auto &rule : rules) {
233 for (const auto &label : labels) {
234 assertNoLabelInRule(rule, label);
239 void AppInstallHelperExt::checkHybridAppSmackRulesAterUninstall() const
241 const std::vector<AccessRequest> rules(parseSmackRulesFile(SMACK_RULES_PATH));
242 const std::string appLabel = generateProcessLabel(m_appName, m_pkgName, true);
244 for (const auto &rule : rules) {
245 assertNoLabelInRule(rule, appLabel);
249 void AppInstallHelperExt::checkAppIdExistence(bool expected) const
251 lib_retcode ret = expected ? SECURITY_MANAGER_SUCCESS : SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
252 std::string retPkgId = Api::getPkgId(m_appName, ret);
255 RUNNER_ASSERT_MSG(m_pkgName == retPkgId,
256 "The given appId does not belong to the given pkgId.");
260 void AppInstallHelperExt::checkGids(const std::vector<gid_t> &allowedGids) const
263 std::unordered_set<gid_t> referenceGids(allowedGids.begin(), allowedGids.end());
265 // Reset supplementary groups
266 ret = setgroups(0, NULL);
267 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
269 Api::setProcessGroups(m_appName);
271 ret = getgroups(0, nullptr);
272 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
274 std::vector<gid_t> actualGids(ret);
275 ret = getgroups(ret, actualGids.data());
276 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
278 for (const auto &gid : actualGids) {
279 RUNNER_ASSERT_MSG(referenceGids.count(gid) > 0,
280 "Application shouldn't get access to group " << gid);
281 referenceGids.erase(gid);
284 RUNNER_ASSERT_MSG(referenceGids.empty(), "Application didn't get access to some groups");
287 } // namespace SecurityManagerTest