2 * Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include "app_install_helper_ext.h"
21 #include <sys/smack.h>
25 #include <unordered_set>
28 #include <security-manager-types.h>
31 #include <label_generator.h>
32 #include <cynara_test_client.h>
35 constexpr char SMACK_RULES_PATH[] = "/sys/fs/smackfs/load2";
36 constexpr char ANY_USER_REPRESENTATION[] = "anyuser";/*this may be actually any string*/
38 void assertNoLabelInRule(const AccessRequest &rule, const std::string &label)
40 RUNNER_ASSERT_MSG(rule.object != label && rule.subject != label,
41 "Smack rule left after uninstallation process." <<
42 " Subject: " << rule.subject <<
43 " object: " << rule.object <<
44 " access: " << rule.access);
47 std::string accessOpposite(std::string &access)
49 static const std::map<char, int> accessMapping = {{'r', 0}, {'w', 1}, {'x', 2}, {'a', 3},
51 // May write implies may lock
52 if (access.find('w') != std::string::npos && access.find('l') == std::string::npos) {
55 std::string oppositeAccess = "rwxatl";
56 for (char c : access) {
57 oppositeAccess[accessMapping.at(c)] = '-';
59 auto it = std::remove_if(oppositeAccess.begin(), oppositeAccess.end(), [](char c) {return c == '-';});
60 oppositeAccess.erase(it, oppositeAccess.end());
61 return oppositeAccess;
64 void checkExactSmackAccesses(const std::string &subject, const std::string &object,
65 const std::string &access)
67 std::string access_str(access);
68 auto no_access = accessOpposite(access_str);
69 for (char c : access_str) {
70 int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
71 RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object
72 << ">, <" << c << "> errno=" << strerror(errno));
73 RUNNER_ASSERT_MSG(ret == 1, "Access " << c << " from " << subject << " to "
74 << object << " not given");
77 for (char c : no_access) {
78 int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
79 RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object
80 << ">, <" << c << "> errno=" << strerror(errno));
81 RUNNER_ASSERT_MSG(ret == 0, "Access " << c << " from " << subject << " to "
82 << object << " unnecessarily given");
86 } // namespace anonymous
88 namespace SecurityManagerTest
91 void AppInstallHelperExt::checkPrivileges(const PolicyConfiguration::PrivVector &allowedPrivs,
92 const PolicyConfiguration::PrivVector &deniedPrivs) const
94 /* Privileges should be granted to all users if root installs app */
95 auto user = (m_uidGid == 0 ? ANY_USER_REPRESENTATION : std::to_string(m_uidGid));
97 std::string smackLabel = generateProcessLabel(m_appName, m_pkgName, m_isHybrid);
99 CynaraTestClient::Client ctc;
102 for (auto &priv : allowedPrivs) {
103 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
105 Api::appHasPrivilege(m_appName, priv, m_uidGid, result);
106 RUNNER_ASSERT_MSG(result == 1,
107 "Application " << m_appName << " has no access to " << priv);
110 for (auto &priv : deniedPrivs) {
111 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
113 Api::appHasPrivilege(m_appName, priv, m_uidGid, result);
114 RUNNER_ASSERT_MSG(result == 0,
115 "Application " << m_appName << " has unexpected access to " << priv);
119 void AppInstallHelperExt::checkDeniedPrivileges(const PolicyConfiguration::PrivVector &deniedPrivs) const
121 checkPrivileges({}, deniedPrivs);
124 void AppInstallHelperExt::checkPrivilegeGroups(const PolicyConfiguration::PrivVector &allowedPrivs) const
126 static PolicyConfiguration policy;
127 const auto allowed_groups = policy.privToGroup(allowedPrivs);
128 RUNNER_ASSERT_MSG(allowed_groups.size() == allowedPrivs.size(),
129 "Some privileges given were not found in the policy");
131 std::vector<gid_t> allowed_gids;
132 for (const auto &groupName : allowed_groups) {
134 struct group* grp = getgrnam(groupName.c_str());
135 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
136 allowed_gids.push_back(grp->gr_gid);
139 checkGids(allowed_gids);
142 void AppInstallHelperExt::checkAfterInstall() const
144 static const std::vector<AccessRequest> staticRules[] =
145 {parseSmackRulesFile(PolicyConfiguration::getPkgRulesFilePath()),
146 parseSmackRulesFile(PolicyConfiguration::getAppRulesFilePath())};
148 checkAppIdExistence(true);
150 checkSmackAccesses(staticRules[m_isHybrid]);
152 checkPrivileges(getPrivilegesNames(), {});
155 void AppInstallHelperExt::checkAfterUninstall(bool removePkg) const
157 checkAppIdExistence(false);
160 checkPkgSmackRulesAfterUninstall();
162 // there should be no hybrid rules regardless of the app type
163 checkHybridAppSmackRulesAterUninstall();
165 checkDeniedPrivileges(getPrivilegesNames());
168 void AppInstallHelperExt::checkSmackAccesses(std::vector<AccessRequest> rules, bool hasAccess) const
170 const std::pair<std::string, std::string> switchAliases[] = {
171 {"~PATH_RW~", generatePathRWLabel(m_pkgName)},
172 {"~PATH_RO~", generatePathROLabel(m_pkgName)},
173 {"~PROCESS~", generateProcessLabel(m_appName, m_pkgName, m_isHybrid)}
176 for (auto& rule : rules) {
177 if (rule.object == "~PATH_TRUSTED~") {
181 for (const auto &alias : switchAliases) {
182 if (rule.subject == alias.first) {
183 rule.subject = alias.second;
185 if (rule.object == alias.first) {
186 rule.object = alias.second;
193 // Special label that may occur in the template. Other special labels will not be used.
194 if (rule.object == "_") {
195 rule.access = "rx" + rule.access;
198 checkExactSmackAccesses(rule.subject, rule.object, rule.access);
202 void AppInstallHelperExt::checkPkgSmackRulesAfterUninstall() const
204 const std::vector<AccessRequest> rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH)));
205 const std::string labels[] = {generatePathRWLabel(m_pkgName),
206 generatePathROLabel(m_pkgName),
207 generateProcessLabel(m_appName, m_pkgName, true),
208 generateProcessLabel(m_appName, m_pkgName)};
210 for (const auto &rule : rules) {
211 for (const auto &label : labels) {
212 assertNoLabelInRule(rule, label);
217 void AppInstallHelperExt::checkHybridAppSmackRulesAterUninstall() const
219 const std::vector<AccessRequest> rules(parseSmackRulesFile(SMACK_RULES_PATH));
220 const std::string appLabel = generateProcessLabel(m_appName, m_pkgName, true);
222 for (const auto &rule : rules) {
223 assertNoLabelInRule(rule, appLabel);
227 void AppInstallHelperExt::checkAppIdExistence(bool expected) const
229 lib_retcode ret = expected ? SECURITY_MANAGER_SUCCESS : SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
230 std::string retPkgId = Api::getPkgId(m_appName, ret);
233 RUNNER_ASSERT_MSG(m_pkgName == retPkgId,
234 "The given appId does not belong to the given pkgId.");
238 void AppInstallHelperExt::checkGids(const std::vector<gid_t> &allowedGids) const
241 std::unordered_set<gid_t> referenceGids(allowedGids.begin(), allowedGids.end());
243 // Reset supplementary groups
244 ret = setgroups(0, NULL);
245 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
247 Api::setProcessGroups(m_appName);
249 ret = getgroups(0, nullptr);
250 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
252 std::vector<gid_t> actualGids(ret);
253 ret = getgroups(ret, actualGids.data());
254 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
256 for (const auto &gid : actualGids) {
257 RUNNER_ASSERT_MSG(referenceGids.count(gid) > 0,
258 "Application shouldn't get access to group " << gid);
259 referenceGids.erase(gid);
262 RUNNER_ASSERT_MSG(referenceGids.empty(), "Application didn't get access to some groups");
265 } // namespace SecurityManagerTest