2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 #include <sys/smack.h>
23 #include <security-manager.h>
25 #include <app_install_helper.h>
26 #include <dpl/test/test_runner.h>
28 #include <sm_commons.h>
30 #include <sm_request.h>
31 #include <tests_common.h>
32 #include <tzplatform.h>
34 using namespace SecurityManagerTest;
36 static const std::string SM_TRUSTED_PATH =
37 TzPlatformConfig::globalAppDir() + "/sm_test_02_pkg_id_full/app_dir_trusted";
39 static void check_exact_access(const std::string& subject, const std::string& object, const std::string& access)
42 if (!access.empty()) {
43 int result = smack_have_access(subject.c_str(), object.c_str(), access.c_str());
44 RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
45 RUNNER_ASSERT_MSG(result == 1,
46 "No smack access: " << subject << " " << object << " " << access);
48 // check excessive access
49 auto foundInAccess = [&access](std::string::value_type c) {
50 return access.find(c) != std::string::npos; };
52 std::string negative = "rwxatl";
53 auto end = std::remove_if(negative.begin(), negative.end(), foundInAccess);
54 negative.erase(end, negative.end());
56 for(const auto& c : negative) {
57 int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
58 RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
59 RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" <<
60 " subject:" << subject <<
61 " object:" << object <<
62 " right:" << std::string(1,c) <<
63 " result:" << result <<
68 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
70 RUNNER_TEST(security_manager_40_set_wrong_author_id)
72 InstallRequest requestInst;
74 RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
75 security_manager_app_inst_req_set_author_id(requestInst.get(), NULL));
77 RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
78 security_manager_app_inst_req_set_author_id(requestInst.get(), ""));
81 RUNNER_TEST(security_manager_41_set_author_id_multiple_times)
83 for(unsigned int i=0; i<10; ++i) {
84 std::string authorId = "some-author-id" + std::to_string(i);
86 InstallRequest requestInst;
87 requestInst.setAuthorId(authorId);
91 RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
93 std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
94 auto &provider = helper[0];
95 auto &user = helper[1];
96 auto &untrusted = helper[2];
98 TestSecurityManagerDatabase dbtest;
99 const char *author_id = "custom_author_id_test 41";
101 const char *const trusted_access = "rwxatl";
102 const char *const system_access = "rwxatl";
107 for (auto &e : helper) {
109 e.createInstallDir();
110 e.createTrustedDir();
113 result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
114 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
116 // install app with shared/trusted dir
117 InstallRequest trustingApp;
118 trustingApp.setAppId(provider.getAppId());
119 trustingApp.setPkgId(provider.getPkgId());
120 trustingApp.setAuthorId("author id to be overwritten");
121 trustingApp.setAuthorId(author_id);
122 trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
123 Api::install(trustingApp);
125 int64_t authorDb = dbtest.get_author_id(author_id);
126 const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
128 // check trusted path label
129 check_path(provider.getTrustedDir(), trusted_label);
132 check_exact_access("System", trusted_label, system_access);
133 check_exact_access("User", trusted_label, system_access);
134 check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, trusted_access);
135 check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
137 // install trusted app
138 InstallRequest trustedApp;
139 trustedApp.setAppId(user.getAppId());
140 trustedApp.setPkgId(user.getPkgId());
141 trustedApp.setAuthorId(author_id);
142 Api::install(trustedApp);
145 check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
146 check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
148 // install untrusted app
149 InstallRequest untrustedApp;
150 untrustedApp.setAppId(untrusted.getAppId());
151 untrustedApp.setPkgId(untrusted.getPkgId());
152 Api::install(untrustedApp);
155 check_exact_access(generateAppLabel(untrusted.getAppId()), trusted_label, "");
156 check_exact_access(generatePkgLabel(untrusted.getPkgId()), trusted_label, "");
158 // uninstall trusting app
159 Api::uninstall(trustingApp);
161 // there's still one app with author id, rules should be kept
162 check_exact_access("System", trusted_label, system_access);
163 check_exact_access("User", trusted_label, system_access);
164 check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, "");
165 check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
166 check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
167 check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
169 Api::uninstall(trustedApp);
171 // no more apps with author id
172 check_exact_access("System", trusted_label, "");
173 check_exact_access("User", trusted_label, "");
174 check_exact_access(generateAppLabel(user.getAppId()), trusted_label, "");
175 check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
177 Api::uninstall(untrustedApp);
181 RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id)
183 AppInstallHelper help("app44");
184 help.createInstallDir();
185 help.createTrustedDir();
187 // install app with shared/trusted dir but without authors id
189 app.setAppId(help.getAppId());
190 app.setPkgId(help.getPkgId());
191 app.addPath(help.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
192 Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
195 RUNNER_TEST(security_manager_45_test_authorId_identificator_creation)
197 std::vector<AppInstallHelper> helper {{"a45"}, {"b45"}};
198 auto &trusted1 = helper[0];
199 auto &trusted2 = helper[1];
201 TestSecurityManagerDatabase dbtest;
202 const char *authorId1 = "custom_author_id_test a45";
203 const char *authorId2 = "custom_author_id_test b45";
206 for (auto &e : helper) {
208 e.createInstallDir();
209 e.createTrustedDir();
212 // install app with shared/trusted dir
213 InstallRequest trustingApp;
214 trustingApp.setAppId(trusted1.getAppId());
215 trustingApp.setPkgId(trusted1.getPkgId());
216 trustingApp.setAuthorId(authorId1);
217 trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
218 Api::install(trustingApp);
220 int64_t authorDb1 = dbtest.get_author_id(authorId1);
222 // install trusted app
223 InstallRequest trustedApp;
224 trustedApp.setAppId(trusted2.getAppId());
225 trustedApp.setPkgId(trusted2.getPkgId());
226 trustedApp.setAuthorId(authorId2);
227 Api::install(trustedApp);
229 int64_t authorDb2 = dbtest.get_author_id(authorId2);
231 Api::uninstall(trustingApp);
232 Api::uninstall(trustedApp);
234 RUNNER_ASSERT(authorDb1 != authorDb2);
237 RUNNER_TEST(security_manager_46_pkgId_deinstalation_test)
240 * Lets assume that app1 and app2 are part of pkg1.
241 * Deinstalation of app1 mustnot remove rules:
242 * System PKG1Label rwxatl
243 * User PKGLabel rwxatl
246 std::vector<AppInstallHelper> helper {{"a46"}, {"b46"}};
247 auto &trusted1 = helper[0];
248 auto &trusted2 = helper[1];
250 std::string authorId1 = "author46XYZ";
252 for (auto &e : helper) {
254 e.createInstallDir();
255 e.createTrustedDir();
258 InstallRequest trustingApp;
259 trustingApp.setAppId(trusted1.getAppId());
260 trustingApp.setPkgId(trusted1.getPkgId());
261 trustingApp.setAuthorId(authorId1);
262 trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
263 Api::install(trustingApp);
265 InstallRequest trustingApp2;
266 trustingApp2.setAppId(trusted2.getAppId());
267 trustingApp2.setPkgId(trusted1.getPkgId()); // both apps will be part of same pkgId
268 trustingApp2.setAuthorId(authorId1);
269 Api::install(trustingApp2);
271 check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
272 check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
273 check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
274 check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
275 check_exact_access("System", generateAppLabel(trusted2.getAppId()), "rwxl");
276 check_exact_access("User", generateAppLabel(trusted2.getAppId()), "rwxl");
278 Api::uninstall(trustingApp2);
280 check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
281 check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
282 check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
283 check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
284 check_exact_access("System", generateAppLabel(trusted2.getAppId()), "");
285 check_exact_access("User", generateAppLabel(trusted2.getAppId()), "");
287 Api::uninstall(trustingApp);
289 check_exact_access("System", generateAppLabel(trusted1.getAppId()), "");
290 check_exact_access("User", generateAppLabel(trusted1.getAppId()), "");
291 check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "");
292 check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "");