2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 #include <sys/smack.h>
23 #include <security-manager.h>
25 #include <app_install_helper.h>
26 #include <dpl/test/test_runner.h>
28 #include <sm_commons.h>
30 #include <sm_request.h>
31 #include <tests_common.h>
33 using namespace SecurityManagerTest;
// Fixed path of a trusted directory below the global-apps tree.
// In the visible listing it is used only in the failure message of
// security_manager_43_app_install_with_trusted_path; no test here opens or labels this path directly.
35 static const char *const SM_TRUSTED_PATH = "/opt/usr/globalapps/sm_test_02_pkg_id_full/app_dir_trusted";
// Asserts that Smack subject `subject` holds exactly the rights in `access` on `object`.
// Every right listed in `access` must be granted (queried together in one call), and every
// right of "rwxatl" that is NOT listed must be denied. An empty `access` therefore means
// "no access at all". The deny-side check is what lets the tests below catch rules that are
// broader than intended or that survive an uninstall.
// NOTE(review): the gutter jumps over lines 38-39, 45 and 62-65, so the braces and the end of
// the last assertion message are not visible in this listing.
37 static void check_exact_access(const std::string& subject, const std::string& object, const std::string& access)
// Positive check, skipped when no access is expected.
40 if (!access.empty()) {
41 int result = smack_have_access(subject.c_str(), object.c_str(), access.c_str());
// A negative return is reported as a failed query, separately from "access denied".
42 RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
43 RUNNER_ASSERT_MSG(result == 1,
44 "No smack access: " << subject << " " << object << " " << access);
46 // check excessive access
// Predicate: true for a right that the caller expects to be granted.
47 auto foundInAccess = [&access](std::string::value_type c) {
48 return access.find(c) != std::string::npos; };
// Start from all six rights and erase the expected ones; what remains must be denied.
50 std::string negative = "rwxatl";
51 auto end = std::remove_if(negative.begin(), negative.end(), foundInAccess);
52 negative.erase(end, negative.end());
// Each remaining right is queried on its own so that a stray grant is reported by name.
54 for(const auto& c : negative) {
55 int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
56 RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
57 RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" <<
58 " subject:" << subject <<
59 " object:" << object <<
60 " right:" << std::string(1,c) <<
61 " result:" << result <<
// Names the test group; presumably the RUNNER_TEST cases that follow are filed under it
// (confirm against dpl/test/test_runner.h).
66 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
// Input validation of the author id setter: both a NULL pointer and an empty string must be
// rejected with SECURITY_MANAGER_ERROR_INPUT_PARAM. The raw C API is called on the handle
// from requestInst.get(), so the return code itself can be asserted.
68 RUNNER_TEST(security_manager_40_set_wrong_author_id)
70 InstallRequest requestInst;
// NULL author id.
72 RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
73 security_manager_app_inst_req_set_author_id(requestInst.get(), NULL));
// Empty author id.
75 RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
76 security_manager_app_inst_req_set_author_id(requestInst.get(), ""));
// Sets ten different author ids ("some-author-id0" .. "some-author-id9") through the
// InstallRequest wrapper.
// NOTE(review): requestInst is declared after the for header (gutter 84 follows 81), so each
// iteration appears to use a fresh request rather than overwriting the id on one request;
// overwriting on a single request is exercised at gutter lines 118-119 of test 43.
// Presumably setAuthorId asserts success internally - confirm in sm_request.h.
79 RUNNER_TEST(security_manager_41_set_author_id_multiple_times)
81 for(unsigned int i=0; i<10; ++i) {
82 std::string authorId = "some-author-id" + std::to_string(i);
84 InstallRequest requestInst;
85 requestInst.setAuthorId(authorId);
// End-to-end check of author-based ("trusted") directory sharing.
// Three apps are installed: `provider` owns a SECURITY_MANAGER_PATH_TRUSTED_RW directory and
// declares an author id, `user` declares the same author id, `untrusted` declares none.
// After every install/uninstall step check_exact_access() verifies both the rights that must
// exist on the author label and the rights that must not.
// NOTE(review): the gutter skips several lines in this body (e.g. 101-104, 106, 109-110);
// `result` is presumably declared on one of them.
// NOTE(review): the Api::uninstall() calls sit on the success path only. If RUNNER_ASSERT
// aborts the test case on failure (not visible here), a failing check would skip them and could
// leave the apps and their rules installed for later tests - confirm how cleanup is handled.
89 RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
91 std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
92 auto &provider = helper[0];
93 auto &user = helper[1];
94 auto &untrusted = helper[2];
96 TestSecurityManagerDatabase dbtest;
// The literal says "41" although this is test 43; the value is only used as an opaque id.
97 const char *author_id = "custom_author_id_test 41";
// Expected rights on the author label for same-author apps and for the System/User labels.
99 const char *const trusted_access = "rwxatl";
100 const char *const system_access = "rwxatl";
// Create the on-disk directories for all three apps.
105 for (auto &e : helper) {
107 e.createInstallDir();
108 e.createTrustedDir();
// Walk the provider's install dir with nftw_remove_labels (defined elsewhere; by its name it
// strips existing Smack labels). FTW_PHYS makes nftw() not follow symbolic links.
// NOTE(review): the failure message names SM_TRUSTED_PATH, but the directory walked is
// provider.getInstallDir(); the diagnostic may point at the wrong path.
111 result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
112 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
114 // install app with shared/trusted dir
115 InstallRequest trustingApp;
116 trustingApp.setAppId(provider.getAppId());
117 trustingApp.setPkgId(provider.getPkgId());
// The author id is set twice on the same request; the lookups below use author_id, so the
// second value is the one expected to take effect.
118 trustingApp.setAuthorId("author id to be overwritten");
119 trustingApp.setAuthorId(author_id);
120 trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
121 Api::install(trustingApp);
// The expected label is "User::Author::" followed by the numeric id the database holds for
// this author.
123 int64_t authorDb = dbtest.get_author_id(author_id);
124 const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
126 // check trusted path label
127 check_path(provider.getTrustedDir(), trusted_label);
// System, User and the provider's app label get full access to the author label.
// The package label must get none: access is keyed on the author, not on the package.
130 check_exact_access("System", trusted_label, system_access);
131 check_exact_access("User", trusted_label, system_access);
132 check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, trusted_access);
133 check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
135 // install trusted app
136 InstallRequest trustedApp;
137 trustedApp.setAppId(user.getAppId());
138 trustedApp.setPkgId(user.getPkgId());
139 trustedApp.setAuthorId(author_id);
140 Api::install(trustedApp);
// The second app registers no trusted path itself; sharing the author id is enough to gain
// access to the author label. Its package label still gets nothing.
143 check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
144 check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
146 // install untrusted app
147 InstallRequest untrustedApp;
148 untrustedApp.setAppId(untrusted.getAppId());
149 untrustedApp.setPkgId(untrusted.getPkgId());
150 Api::install(untrustedApp);
// Isolation check: an app installed without an author id has no right on the author label.
153 check_exact_access(generateAppLabel(untrusted.getAppId()), trusted_label, "");
154 check_exact_access(generatePkgLabel(untrusted.getPkgId()), trusted_label, "");
156 // uninstall trusting app
157 Api::uninstall(trustingApp);
159 // there's still one app with author id, rules should be kept
// The uninstalled provider's own app label must have lost its access, while the remaining
// same-author app keeps it.
160 check_exact_access("System", trusted_label, system_access);
161 check_exact_access("User", trusted_label, system_access);
162 check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, "");
163 check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
164 check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
165 check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
167 Api::uninstall(trustedApp);
169 // no more apps with author id
// With the last app of this author gone, even the System/User rules on the author label must
// be removed, i.e. no stale rules are left behind.
170 check_exact_access("System", trusted_label, "");
171 check_exact_access("User", trusted_label, "");
172 check_exact_access(generateAppLabel(user.getAppId()), trusted_label, "");
173 check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
175 Api::uninstall(untrustedApp);
// Negative test: registering a SECURITY_MANAGER_PATH_TRUSTED_RW path without an author id
// must make the install fail with SECURITY_MANAGER_ERROR_INPUT_PARAM.
// NOTE(review): gutter line 186 is missing from this listing; `app` is presumably declared
// there as an InstallRequest.
179 RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id)
181 AppInstallHelper help("app44");
182 help.createInstallDir();
183 help.createTrustedDir();
185 // install app with shared/trusted dir but without authors id
187 app.setAppId(help.getAppId());
188 app.setPkgId(help.getPkgId());
189 app.addPath(help.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
// The second argument is presumably the result code Api::install is expected to observe -
// confirm in the Api helper.
190 Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
// Two apps installed with different author id strings must be given different author ids in
// the database. Test 43 in this file builds the trusted-path label from that id
// ("User::Author::<id>"), so a shared id would mean a shared label between different authors.
// NOTE(review): the gutter skips lines 202-203, 205 and 208-209 in this body.
193 RUNNER_TEST(security_manager_45_test_authorId_identificator_creation)
195 std::vector<AppInstallHelper> helper {{"a45"}, {"b45"}};
196 auto &trusted1 = helper[0];
197 auto &trusted2 = helper[1];
199 TestSecurityManagerDatabase dbtest;
200 const char *authorId1 = "custom_author_id_test a45";
201 const char *authorId2 = "custom_author_id_test b45";
204 for (auto &e : helper) {
206 e.createInstallDir();
207 e.createTrustedDir();
210 // install app with shared/trusted dir
211 InstallRequest trustingApp;
212 trustingApp.setAppId(trusted1.getAppId());
213 trustingApp.setPkgId(trusted1.getPkgId());
214 trustingApp.setAuthorId(authorId1);
215 trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
216 Api::install(trustingApp);
// Read the database id while the app is still installed.
218 int64_t authorDb1 = dbtest.get_author_id(authorId1);
220 // install trusted app
221 InstallRequest trustedApp;
222 trustedApp.setAppId(trusted2.getAppId());
223 trustedApp.setPkgId(trusted2.getPkgId());
224 trustedApp.setAuthorId(authorId2);
225 Api::install(trustedApp);
227 int64_t authorDb2 = dbtest.get_author_id(authorId2);
// Both apps are uninstalled before the comparison, so a failing assertion does not leave
// them installed.
229 Api::uninstall(trustingApp);
230 Api::uninstall(trustedApp);
232 RUNNER_ASSERT(authorDb1 != authorDb2);
// Two apps are installed into the same package with the same author id. Uninstalling one of
// them must leave the package-level rules and the other app's rules intact; only after the
// last app of the package is uninstalled may all of the rules disappear.
// NOTE(review): the block comment's delimiters (gutter 237 and 241-243) and the closing brace
// after gutter 290 are missing from this listing. The comment speaks of uninstalling app1,
// while the code uninstalls the second app (trustingApp2) first.
235 RUNNER_TEST(security_manager_46_pkgId_deinstalation_test)
238 * Lets assume that app1 and app2 are part of pkg1.
239 * Deinstalation of app1 mustnot remove rules:
240 * System PKG1Label rwxatl
241 * User PKGLabel rwxatl
244 std::vector<AppInstallHelper> helper {{"a46"}, {"b46"}};
245 auto &trusted1 = helper[0];
246 auto &trusted2 = helper[1];
248 std::string authorId1 = "author46XYZ";
250 for (auto &e : helper) {
252 e.createInstallDir();
253 e.createTrustedDir();
// First app: own package id, trusted path, author id.
256 InstallRequest trustingApp;
257 trustingApp.setAppId(trusted1.getAppId());
258 trustingApp.setPkgId(trusted1.getPkgId());
259 trustingApp.setAuthorId(authorId1);
260 trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
261 Api::install(trustingApp);
// Second app: its own app id, but the FIRST app's package id.
263 InstallRequest trustingApp2;
264 trustingApp2.setAppId(trusted2.getAppId());
265 trustingApp2.setPkgId(trusted1.getPkgId()); // both apps will be part of same pkgId
266 trustingApp2.setAuthorId(authorId1);
267 Api::install(trustingApp2);
// Baseline with both apps installed: System/User hold "rwxl" on each app label and "rwxatl"
// on the shared package label. check_exact_access also verifies that no other right is granted.
269 check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
270 check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
271 check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
272 check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
273 check_exact_access("System", generateAppLabel(trusted2.getAppId()), "rwxl");
274 check_exact_access("User", generateAppLabel(trusted2.getAppId()), "rwxl");
276 Api::uninstall(trustingApp2);
// The second app is gone: its app-label rules must vanish, while the first app's rules and
// the package rules must be unchanged.
278 check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
279 check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
280 check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
281 check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
282 check_exact_access("System", generateAppLabel(trusted2.getAppId()), "");
283 check_exact_access("User", generateAppLabel(trusted2.getAppId()), "");
285 Api::uninstall(trustingApp);
// The last app of the package is gone: neither app-level nor package-level rules may remain.
287 check_exact_access("System", generateAppLabel(trusted1.getAppId()), "");
288 check_exact_access("User", generateAppLabel(trusted1.getAppId()), "");
289 check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "");
290 check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "");