1 #include <dpl/test/test_runner.h>
5 #include <summary_collector.h>
10 #include <linux/xattr.h>
12 #include <libprivilege-control_test_common.h>
13 #include <tests_common.h>
15 #include <security-manager.h>
18 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
20 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
21 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
23 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
24 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
26 static const privileges_t SM_ALLOWED_PRIVILEGES = {
27 "security_manager_test_rules2_r",
28 "security_manager_test_rules2_no_r"
31 static const privileges_t SM_DENIED_PRIVILEGES = {
32 "security_manager_test_rules1",
33 "security_manager_test_rules2"
36 static const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL";
38 static const rules_t SM_ALLOWED_RULES = {
39 { USER_APP_ID, "test_sm_book_8", "r" },
40 { USER_APP_ID, "test_sm_book_9", "w" },
41 { USER_APP_ID, "test_sm_book_10", "x" },
42 { USER_APP_ID, "test_sm_book_11", "rw" },
43 { USER_APP_ID, "test_sm_book_12", "rx" },
44 { USER_APP_ID, "test_sm_book_13", "wx" },
45 { USER_APP_ID, "test_sm_book_14", "rwx" },
46 { USER_APP_ID, "test_sm_book_15", "rwxat" },
47 { "test_sm_subject_8", USER_APP_ID, "r" },
48 { "test_sm_subject_9", USER_APP_ID, "w" },
49 { "test_sm_subject_10", USER_APP_ID, "x" },
50 { "test_sm_subject_11", USER_APP_ID, "rw" },
51 { "test_sm_subject_12", USER_APP_ID, "rx" },
52 { "test_sm_subject_13", USER_APP_ID, "wx" },
53 { "test_sm_subject_14", USER_APP_ID, "rwx" },
54 { "test_sm_subject_15", USER_APP_ID, "rwxat" }
56 static const rules_t SM_DENIED_RULES = {
57 { USER_APP_ID, "test_sm_book_1", "r" },
58 { USER_APP_ID, "test_sm_book_2", "w" },
59 { USER_APP_ID, "test_sm_book_3", "x" },
60 { USER_APP_ID, "test_sm_book_4", "rw" },
61 { USER_APP_ID, "test_sm_book_5", "rx" },
62 { USER_APP_ID, "test_sm_book_6", "wx" },
63 { USER_APP_ID, "test_sm_book_7", "rwx" },
64 { "test_sm_subject_1", USER_APP_ID, "r" },
65 { "test_sm_subject_2", USER_APP_ID, "w" },
66 { "test_sm_subject_3", USER_APP_ID, "x" },
67 { "test_sm_subject_4", USER_APP_ID, "rw" },
68 { "test_sm_subject_5", USER_APP_ID, "rx" },
69 { "test_sm_subject_6", USER_APP_ID, "wx" },
70 { "test_sm_subject_7", USER_APP_ID, "rwx" }
73 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
74 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
75 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
76 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
79 static bool isLinkToExec(const char *fpath, const struct stat *sb)
86 // check if it's a link
87 if ( !S_ISLNK(sb->st_mode))
90 target = realpath(fpath, NULL);
91 RUNNER_ASSERT_MSG_BT(target != 0, "Could not obtain real path from link.");
93 ret = stat(target, &buf);
94 RUNNER_ASSERT_MSG_BT(ret == 0, "Could not obtain real path's stat from link.");
96 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG))
103 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
104 const char* correctLabel, bool transmute_test, bool exec_test)
111 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
112 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
113 labelPtr.reset(label);
114 RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
115 result = strcmp(correctLabel, label);
116 RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect"
117 " (should be '" << correctLabel << "' and is '" << label << "')");
121 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
122 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
123 labelPtr.reset(label);
125 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
126 RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set");
127 result = strcmp(correctLabel, label);
128 RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath);
130 RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
134 if (isLinkToExec(fpath, sb) && exec_test) {
135 char buf[SMACK_LABEL_LEN+1];
136 result = lgetxattr(fpath, XATTR_NAME_TIZENEXEC, buf, sizeof(buf));
137 RUNNER_ASSERT_MSG_BT(result != -1, "Could not get label for the path "
138 << fpath << "("<<strerror(errno)<<")");
140 result = strcmp(correctLabel, buf);
141 RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect TIZEN_EXEC_LABEL attribute"
142 " on link to executable " << fpath);
148 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
149 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
150 labelPtr.reset(label);
152 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
153 RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all");
154 RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0,
155 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
157 RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
164 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
165 int /*typeflag*/, struct FTW* /*ftwbuf*/)
167 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
170 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
171 int /*typeflag*/, struct FTW* /*ftwbuf*/)
174 return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
177 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
178 int /*typeflag*/, struct FTW* /*ftwbuf*/)
181 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
184 static app_inst_req* do_app_inst_req_new()
187 app_inst_req *req = NULL;
189 result = security_manager_app_inst_req_new(&req);
190 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
191 "creation of new request failed. Result: " << result);
192 RUNNER_ASSERT_MSG_BT(req != NULL, "creation of new request did not allocate memory");
196 static void prepare_app_path()
200 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
201 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
203 result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
204 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
206 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
207 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
209 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
210 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
213 static void prepare_app_env()
218 /* TODO: add parameters to this function */
219 static void check_app_path_after_install()
223 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
224 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
226 result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
227 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
229 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
230 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
232 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
233 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
236 static void check_app_permissions(const char *const app_id, const char *const pkg_id,
237 const privileges_t &allowed_privs, const privileges_t &denied_privs,
238 const rules_t &allowed_rules, const rules_t &denied_rules)
242 result = check_all_accesses(smack_check(), allowed_rules);
243 RUNNER_ASSERT_MSG_BT(result, "Permissions not added.");
244 result = check_no_accesses(smack_check(), denied_rules);
245 RUNNER_ASSERT_MSG_BT(result, "Permissions added.");
247 /* TODO: USER_APP_ID is hardcoded in the following checks, because libprivilege always generate
248 * label "User" for all installed apps. Adjust it when libprivilege is upgraded. */
249 (void)app_id; // unused parameter
250 (void)pkg_id; // unused parameter
252 for (auto it = allowed_privs.begin(); it != allowed_privs.end(); ++it)
253 check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), true);
255 for (auto it = denied_privs.begin(); it != denied_privs.end(); ++it)
256 check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), false);
259 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
260 const privileges_t &allowed_privs, const privileges_t &denied_privs,
261 const rules_t &allowed_rules, const rules_t &denied_rules)
263 TestSecurityManagerDatabase dbtest;
264 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
265 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
267 check_app_permissions(app_id, pkg_id,
268 allowed_privs, denied_privs,
269 allowed_rules, denied_rules);
272 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
274 TestSecurityManagerDatabase dbtest;
275 dbtest.test_db_after__app_install(app_id, pkg_id);
278 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
279 const privileges_t &privileges, const bool is_pkg_removed)
281 TestSecurityManagerDatabase dbtest;
282 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
285 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
286 const bool is_pkg_removed)
288 TestSecurityManagerDatabase dbtest;
289 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
293 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
296 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
299 AppInstReqUniquePtr request;
301 request.reset(do_app_inst_req_new());
303 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
304 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
305 "setting app id failed. Result: " << result);
307 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
308 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
309 "setting pkg id failed. Result: " << result);
311 result = security_manager_app_install(request.get());
312 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
313 "installing app failed. Result: " << result);
315 result = security_manager_app_install(request.get());
316 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
317 "installing already installed app failed. Result: " << result);
319 /* Check records in the security-manager database */
320 check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
322 request.reset(do_app_inst_req_new());
324 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
325 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
326 "setting app id failed. Result: " << result);
328 result = security_manager_app_uninstall(request.get());
329 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
330 "uninstalling app failed. Result: " << result);
332 result = security_manager_app_uninstall(request.get());
333 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
334 "uninstalling already uninstalled app failed. Result: " << result);
336 /* Check records in the security-manager database */
337 check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
340 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
343 AppInstReqUniquePtr request;
347 request.reset(do_app_inst_req_new());
349 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
350 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
351 "setting app id failed. Result: " << result);
353 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
354 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
355 "setting pkg id failed. Result: " << result);
357 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
358 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
359 "setting allowed permission failed. Result: " << result);
360 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
361 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
362 "setting allowed permission failed. Result: " << result);
364 result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
365 SECURITY_MANAGER_PATH_PRIVATE);
366 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
367 "setting allowed path failed. Result: " << result);
369 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
370 SECURITY_MANAGER_PATH_PUBLIC);
371 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
372 "setting allowed path failed. Result: " << result);
374 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
375 SECURITY_MANAGER_PATH_PUBLIC_RO);
376 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
377 "setting allowed path failed. Result: " << result);
379 result = security_manager_app_install(request.get());
380 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
381 "installing app failed. Result: " << result);
383 /* Check records in the security-manager database */
384 check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
385 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES,
386 SM_ALLOWED_RULES, SM_DENIED_RULES);
388 /* TODO: add parameters to this function */
389 check_app_path_after_install();
391 request.reset(do_app_inst_req_new());
393 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
394 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
395 "setting app id failed. Result: " << result);
397 result = security_manager_app_uninstall(request.get());
398 RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
399 "uninstalling app failed. Result: " << result);
401 /* Check records in the security-manager database,
402 * all previously allowed privileges should be removed */
403 check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
404 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
407 int main(int argc, char *argv[])
409 SummaryCollector::Register();
410 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);