src/security-manager-tests/test_cases_trusted_sharing.cpp

   1 /*
   2  * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
   3  *
   4  *    Licensed under the Apache License, Version 2.0 (the "License");
   5  *    you may not use this file except in compliance with the License.
   6  *    You may obtain a copy of the License at
   7  *
   8  *        http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *    Unless required by applicable law or agreed to in writing, software
  11  *    distributed under the License is distributed on an "AS IS" BASIS,
  12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *    See the License for the specific language governing permissions and
  14  *    limitations under the License.
  15  */
  16
  17 #include <algorithm>
  18 #include <ftw.h>
  19 #include <string>
  20 #include <sys/smack.h>
  21 #include <vector>
  22
  23 #include <security-manager.h>
  24
  25 #include <app_install_helper.h>
  26 #include <dpl/test/test_runner.h>
  27 #include <sm_api.h>
  28 #include <sm_commons.h>
  29 #include <sm_db.h>
  30 #include <sm_request.h>
  31 #include <tests_common.h>
  32
  33 using namespace SecurityManagerTest;
  34
  35 static const char *const SM_TRUSTED_PATH = "/opt/usr/globalapps/sm_test_02_pkg_id_full/app_dir_trusted";
  36
  37 static void check_exact_access(const std::string& subject, const std::string& object, const std::string& access)
  38 {
  39     // check access
  40     if (!access.empty()) {
  41         int result = smack_have_access(subject.c_str(), object.c_str(), access.c_str());
  42         RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
  43         RUNNER_ASSERT_MSG(result == 1,
  44           "No smack access: " << subject << " " << object << " " << access);
  45     }
  46     // check excessive access
  47     auto foundInAccess = [&access](std::string::value_type c) {
  48         return access.find(c) != std::string::npos; };
  49
  50     std::string negative = "rwxatl";
  51     auto end = std::remove_if(negative.begin(), negative.end(), foundInAccess);
  52     negative.erase(end, negative.end());
  53
  54     for(const auto& c : negative) {
  55         int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
  56         RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
  57         RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" <<
  58             " subject:" << subject <<
  59             " object:" << object <<
  60             " right:" << std::string(1,c) <<
  61             " result:" << result <<
  62             " expected:0");
  63     }
  64 }
  65
  66 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
  67
  68 RUNNER_TEST(security_manager_40_set_wrong_author_id)
  69 {
  70     InstallRequest requestInst;
  71
  72     RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
  73         security_manager_app_inst_req_set_author_id(requestInst.get(), NULL));
  74
  75     RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
  76         security_manager_app_inst_req_set_author_id(requestInst.get(), ""));
  77 }
  78
  79 RUNNER_TEST(security_manager_41_set_author_id_multiple_times)
  80 {
  81     for(unsigned int i=0; i<10; ++i) {
  82         std::string authorId = "some-author-id" + std::to_string(i);
  83
  84         InstallRequest requestInst;
  85         requestInst.setAuthorId(authorId);
  86     }
  87 }
  88
  89 RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
  90 {
  91     std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
  92     auto &provider  = helper[0];
  93     auto &user      = helper[1];
  94     auto &untrusted = helper[2];
  95
  96     TestSecurityManagerDatabase dbtest;
  97     const char *author_id = "custom_author_id_test 41";
  98
  99     const char *const trusted_access = "rwxatl";
 100     const char *const system_access = "rwxatl";
 101
 102     int result;
 103
 104     // cleanup
 105     for (auto &e : helper) {
 106         e.revokeRules();
 107         e.createInstallDir();
 108         e.createTrustedDir();
 109     }
 110
 111     result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 112     RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
 113
 114     // install app with shared/trusted dir
 115     InstallRequest trustingApp;
 116     trustingApp.setAppId(provider.getAppId());
 117     trustingApp.setPkgId(provider.getPkgId());
 118     trustingApp.setAuthorId("author id to be overwritten");
 119     trustingApp.setAuthorId(author_id);
 120     trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
 121     Api::install(trustingApp);
 122
 123     int64_t authorDb = dbtest.get_author_id(author_id);
 124     const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
 125
 126     // check trusted path label
 127     check_path(provider.getTrustedDir(), trusted_label);
 128
 129     // check rules
 130     check_exact_access("System", trusted_label, system_access);
 131     check_exact_access("User", trusted_label, system_access);
 132     check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, trusted_access);
 133     check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
 134
 135     // install trusted app
 136     InstallRequest trustedApp;
 137     trustedApp.setAppId(user.getAppId());
 138     trustedApp.setPkgId(user.getPkgId());
 139     trustedApp.setAuthorId(author_id);
 140     Api::install(trustedApp);
 141
 142     // check rules
 143     check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
 144     check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
 145
 146     // install untrusted app
 147     InstallRequest untrustedApp;
 148     untrustedApp.setAppId(untrusted.getAppId());
 149     untrustedApp.setPkgId(untrusted.getPkgId());
 150     Api::install(untrustedApp);
 151
 152     // check rules
 153     check_exact_access(generateAppLabel(untrusted.getAppId()), trusted_label, "");
 154     check_exact_access(generatePkgLabel(untrusted.getPkgId()), trusted_label, "");
 155
 156     // uninstall trusting app
 157     Api::uninstall(trustingApp);
 158
 159     // there's still one app with author id, rules should be kept
 160     check_exact_access("System", trusted_label, system_access);
 161     check_exact_access("User", trusted_label, system_access);
 162     check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, "");
 163     check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
 164     check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
 165     check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
 166
 167     Api::uninstall(trustedApp);
 168
 169     // no more apps with author id
 170     check_exact_access("System", trusted_label, "");
 171     check_exact_access("User", trusted_label, "");
 172     check_exact_access(generateAppLabel(user.getAppId()), trusted_label, "");
 173     check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
 174
 175     Api::uninstall(untrustedApp);
 176 }
 177
 178
 179 RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id)
 180 {
 181     AppInstallHelper help("app44");
 182     help.createInstallDir();
 183     help.createTrustedDir();
 184
 185     // install app with shared/trusted dir but without authors id
 186     InstallRequest app;
 187     app.setAppId(help.getAppId());
 188     app.setPkgId(help.getPkgId());
 189     app.addPath(help.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
 190     Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
 191 }
 192
 193 RUNNER_TEST(security_manager_45_test_authorId_identificator_creation)
 194 {
 195     std::vector<AppInstallHelper> helper {{"a45"}, {"b45"}};
 196     auto &trusted1 = helper[0];
 197     auto &trusted2 = helper[1];
 198
 199     TestSecurityManagerDatabase dbtest;
 200     const char *authorId1 = "custom_author_id_test a45";
 201     const char *authorId2 = "custom_author_id_test b45";
 202
 203     // cleanup
 204     for (auto &e : helper) {
 205         e.revokeRules();
 206         e.createInstallDir();
 207         e.createTrustedDir();
 208     }
 209
 210     // install app with shared/trusted dir
 211     InstallRequest trustingApp;
 212     trustingApp.setAppId(trusted1.getAppId());
 213     trustingApp.setPkgId(trusted1.getPkgId());
 214     trustingApp.setAuthorId(authorId1);
 215     trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
 216     Api::install(trustingApp);
 217
 218     int64_t authorDb1 = dbtest.get_author_id(authorId1);
 219
 220     // install trusted app
 221     InstallRequest trustedApp;
 222     trustedApp.setAppId(trusted2.getAppId());
 223     trustedApp.setPkgId(trusted2.getPkgId());
 224     trustedApp.setAuthorId(authorId2);
 225     Api::install(trustedApp);
 226
 227     int64_t authorDb2 = dbtest.get_author_id(authorId2);
 228
 229     Api::uninstall(trustingApp);
 230     Api::uninstall(trustedApp);
 231
 232     RUNNER_ASSERT(authorDb1 != authorDb2);
 233 }
 234
 235 RUNNER_TEST(security_manager_46_pkgId_deinstalation_test)
 236 {
 237     /* Description:
 238      * Lets assume that app1 and app2 are part of pkg1.
 239      * Deinstalation of app1 mustnot remove rules:
 240      * System PKG1Label rwxatl
 241      * User PKGLabel rwxatl
 242      */
 243
 244     std::vector<AppInstallHelper> helper {{"a46"}, {"b46"}};
 245     auto &trusted1 = helper[0];
 246     auto &trusted2 = helper[1];
 247
 248     std::string authorId1 = "author46XYZ";
 249
 250     for (auto &e : helper) {
 251         e.revokeRules();
 252         e.createInstallDir();
 253         e.createTrustedDir();
 254     }
 255
 256     InstallRequest trustingApp;
 257     trustingApp.setAppId(trusted1.getAppId());
 258     trustingApp.setPkgId(trusted1.getPkgId());
 259     trustingApp.setAuthorId(authorId1);
 260     trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
 261     Api::install(trustingApp);
 262
 263     InstallRequest trustingApp2;
 264     trustingApp2.setAppId(trusted2.getAppId());
 265     trustingApp2.setPkgId(trusted1.getPkgId()); // both apps will be part of same pkgId
 266     trustingApp2.setAuthorId(authorId1);
 267     Api::install(trustingApp2);
 268
 269     check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
 270     check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
 271     check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
 272     check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
 273     check_exact_access("System", generateAppLabel(trusted2.getAppId()), "rwxl");
 274     check_exact_access("User", generateAppLabel(trusted2.getAppId()), "rwxl");
 275
 276     Api::uninstall(trustingApp2);
 277
 278     check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
 279     check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
 280     check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
 281     check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
 282     check_exact_access("System", generateAppLabel(trusted2.getAppId()), "");
 283     check_exact_access("User", generateAppLabel(trusted2.getAppId()), "");
 284
 285     Api::uninstall(trustingApp);
 286
 287     check_exact_access("System", generateAppLabel(trusted1.getAppId()), "");
 288     check_exact_access("User", generateAppLabel(trusted1.getAppId()), "");
 289     check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "");
 290     check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "");
 291 }