#define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
#define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
+#define WGT_APP_LABEL "wgt_QwCqJ0ttyS"
+#define WGT_PARTNER_APP_LABEL "wgt_partner_7btsV1Y0sX"
+#define WGT_PLATFORM_APP_LABEL "wgt_platform_G4DE3U2vmW"
+#define WGT_APP_ID "QwCqJ0ttyS"
+#define WGT_PARTNER_APP_ID "7btsV1Y0sX"
+#define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
+#define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
+#define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
+#define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
+
const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
-
+const char *PRIVS_WGT[] = { "WRT", "test_privilege_control_rules_wgt", NULL };
+const char *PRIVS_WGT_PARTNER[] = { "WRT_partner", "test_privilege_control_rules_wgt", NULL };
+const char *PRIVS_WGT_PLATFORM[] = { "WRT_platform", "test_privilege_control_rules_wgt", NULL };
#define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
+#define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
+
#define APP_TEST_APP_1 "test-application1"
#define APP_TEST_APP_2 "test-application_2"
#define APP_TEST_APP_3 "test-app-3"
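Review bot: Each `WGT_*_APP_LABEL` and `WGT_*_APP_PATH` repeats the application id as a separate literal, so a typo in one of them would make the tests compare against a Smack label or path that no longer matches the id passed to the library. Building them from the id macro keeps them tied together, e.g. `#define WGT_APP_LABEL "wgt_" WGT_APP_ID` and `#define WGT_APP_PATH "/opt/usr/apps/" WGT_APP_ID "/bin/" WGT_APP_ID ".TestMisiuPysiu123"`; the partner and platform sets would follow the same pattern. The uses visible on this page (the rule initializer lists, `strcmp`, `SMACK_RULES_DIR WGT_APP_ID`) all accept concatenated string literals.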
{ "test_subject_14", APP_ID, "r" },
{ "test_subject_15", APP_ID, "r" }};
+// Rules from test_privilege_control_rules_wgt.smack for wgt
+const std::vector< std::vector<std::string> > rules_wgt = {
+ { WGT_APP_LABEL, "test_book_8", "r" },
+ { WGT_APP_LABEL, "test_book_9", "w" },
+ { WGT_APP_LABEL, "test_book_10", "x" },
+ { WGT_APP_LABEL, "test_book_11", "rw" },
+ { WGT_APP_LABEL, "test_book_12", "rx" },
+ { WGT_APP_LABEL, "test_book_13", "wx" },
+ { WGT_APP_LABEL, "test_book_14", "rwx" },
+ { WGT_APP_LABEL, "test_book_15", "rwxat" },
+ { "test_subject_8", WGT_APP_LABEL, "r" },
+ { "test_subject_9", WGT_APP_LABEL, "w" },
+ { "test_subject_10", WGT_APP_LABEL, "x" },
+ { "test_subject_11", WGT_APP_LABEL, "rw" },
+ { "test_subject_12", WGT_APP_LABEL, "rx" },
+ { "test_subject_13", WGT_APP_LABEL, "wx" },
+ { "test_subject_14", WGT_APP_LABEL, "rwx" },
+ { "test_subject_15", WGT_APP_LABEL, "rwxat" }};
+
+// Rules from test_privilege_control_rules_wgt.smack for wgt_partner
+const std::vector< std::vector<std::string> > rules_wgt_partner = {
+ { WGT_PARTNER_APP_LABEL, "test_book_8", "r" },
+ { WGT_PARTNER_APP_LABEL, "test_book_9", "w" },
+ { WGT_PARTNER_APP_LABEL, "test_book_10", "x" },
+ { WGT_PARTNER_APP_LABEL, "test_book_11", "rw" },
+ { WGT_PARTNER_APP_LABEL, "test_book_12", "rx" },
+ { WGT_PARTNER_APP_LABEL, "test_book_13", "wx" },
+ { WGT_PARTNER_APP_LABEL, "test_book_14", "rwx" },
+ { WGT_PARTNER_APP_LABEL, "test_book_15", "rwxat" },
+ { "test_subject_8", WGT_PARTNER_APP_LABEL, "r" },
+ { "test_subject_9", WGT_PARTNER_APP_LABEL, "w" },
+ { "test_subject_10", WGT_PARTNER_APP_LABEL, "x" },
+ { "test_subject_11", WGT_PARTNER_APP_LABEL, "rw" },
+ { "test_subject_12", WGT_PARTNER_APP_LABEL, "rx" },
+ { "test_subject_13", WGT_PARTNER_APP_LABEL, "wx" },
+ { "test_subject_14", WGT_PARTNER_APP_LABEL, "rwx" },
+ { "test_subject_15", WGT_PARTNER_APP_LABEL, "rwxat" }};
+
+// Rules from test_privilege_control_rules_wgt.smack for wgt_platform
+const std::vector< std::vector<std::string> > rules_wgt_platform = {
+ { WGT_PLATFORM_APP_LABEL, "test_book_8", "r" },
+ { WGT_PLATFORM_APP_LABEL, "test_book_9", "w" },
+ { WGT_PLATFORM_APP_LABEL, "test_book_10", "x" },
+ { WGT_PLATFORM_APP_LABEL, "test_book_11", "rw" },
+ { WGT_PLATFORM_APP_LABEL, "test_book_12", "rx" },
+ { WGT_PLATFORM_APP_LABEL, "test_book_13", "wx" },
+ { WGT_PLATFORM_APP_LABEL, "test_book_14", "rwx" },
+ { WGT_PLATFORM_APP_LABEL, "test_book_15", "rwxat" },
+ { "test_subject_8", WGT_PLATFORM_APP_LABEL, "r" },
+ { "test_subject_9", WGT_PLATFORM_APP_LABEL, "w" },
+ { "test_subject_10", WGT_PLATFORM_APP_LABEL, "x" },
+ { "test_subject_11", WGT_PLATFORM_APP_LABEL, "rw" },
+ { "test_subject_12", WGT_PLATFORM_APP_LABEL, "rx" },
+ { "test_subject_13", WGT_PLATFORM_APP_LABEL, "wx" },
+ { "test_subject_14", WGT_PLATFORM_APP_LABEL, "rwx" },
+ { "test_subject_15", WGT_PLATFORM_APP_LABEL, "rwxat" }};
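Review bot: The comments above `rules_wgt`, `rules_wgt_partner` and `rules_wgt_platform` name the source `.smack` file but do not say what the three columns are or that the tables are hand copies that must track that file. Because the three tables differ only in the label macro, a rule edited in one copy can silently diverge from the others and from the file the library actually loads. A comment such as `// { subject, object, access } - keep in sync with test_privilege_control_rules_wgt.smack` above each table would make that contract explicit. The column order is inferred from the `test_subject_N` rows and should be confirmed.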
namespace {
RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
{
int result;
+ int fd;
// Revoke permissions
result = app_revoke_permissions(APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(WGT_APP_LABEL);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(WGT_PARTNER_APP_LABEL);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+ result = app_revoke_permissions(WGT_PLATFORM_APP_LABEL);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ "Error revoking app permissions. Result: " << result);
+
// Are all the permissions revoked?
result = test_have_any_accesses(rules);
RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
+ result = test_have_any_accesses(rules_wgt);
+ RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
+ result = test_have_any_accesses(rules_wgt_partner);
+ RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
+ result = test_have_any_accesses(rules_wgt_platform);
+ RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
//// File exists?
FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
RUNNER_ASSERT_MSG(false,
"SMACK file exists after revoke!");
}
+
+ fd = open(SMACK_RULES_DIR WGT_APP_ID, O_RDONLY);
+ RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions");
+ RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions");
+ close(fd);
+
+ fd = open(SMACK_RULES_DIR WGT_PARTNER_APP_ID, O_RDONLY);
+ RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions");
+ RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions");
+ close(fd);
+
+ fd = open(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, O_RDONLY);
+ RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions");
+ RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions");
+ close(fd);
+
}
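Review bot: The added revoke calls pass `WGT_APP_LABEL`, `WGT_PARTNER_APP_LABEL` and `WGT_PLATFORM_APP_LABEL`, while the rules-file checks at the end of the test open `SMACK_RULES_DIR WGT_APP_ID` (and the partner/platform ids) and the existing call uses `APP_ID`. If `app_revoke_permissions` expects the application id, as the existing call suggests, the calls should read `result = app_revoke_permissions(WGT_APP_ID);` and likewise for the other two; if the label is intended, a comment saying why would keep the mismatch from being "corrected" later. Separately, `lseek(fd, 0, SEEK_END) == 0` reports an lseek failure (-1) as "SMACK file not empty", and the descriptor is not closed when that assertion fires; a `stat()` on the path with a check of `st_size == 0` would separate the two cases without holding a descriptor. The block around the existing `fopen` check is only partly visible here.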
static void read_gids(std::set<unsigned> &set, const char* file_path)
RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
}
+/**
+ * Set APP privileges. wgt.
+ */
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt)
+{
+ int result;
+
+ result = set_app_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char * label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(WGT_APP_LABEL, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+
+ std::set<unsigned> groups_check;
+ read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
+ read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+
+ int groups_cnt = getgroups(0, NULL);
+ RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
+ gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
+ RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
+ getgroups(groups_cnt, groups_list);
+
+ for (int i = 0; i < groups_cnt; ++i) {
+ if (groups_check.erase(groups_list[i]) == 0) {
+ // getgroups() may also return process' main group
+ if (groups_list[i] != getgid())
+ RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
+ }
+ }
+ std::string groups_left;
+ for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
+ groups_left.append(std::to_string(*it)).append(" ");
+ }
+ RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
+
+
+ result = app_enable_permissions(APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
+ RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_any_accesses(rules_wgt);
+ RUNNER_ASSERT_MSG(result==0, "Permissions exist.");
+
+ result = app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_all_accesses(rules_wgt);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+}
+
+/**
+ * Set APP privileges. wgt_partner.
+ */
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner)
+{
+ int result;
+
+ result = set_app_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char * label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(WGT_PARTNER_APP_LABEL, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+
+ std::set<unsigned> groups_check;
+ read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
+ read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+
+ int groups_cnt = getgroups(0, NULL);
+ RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
+ gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
+ RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
+ getgroups(groups_cnt, groups_list);
+
+ for (int i = 0; i < groups_cnt; ++i) {
+ if (groups_check.erase(groups_list[i]) == 0) {
+ // getgroups() may also return process' main group
+ if (groups_list[i] != getgid())
+ RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
+ }
+ }
+ std::string groups_left;
+ for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
+ groups_left.append(std::to_string(*it)).append(" ");
+ }
+ RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
+
+ result = app_enable_permissions(APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT_PARTNER, 1);
+ RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_any_accesses(rules_wgt_partner);
+ RUNNER_ASSERT_MSG(result==0, "Permissions exist.");
+
+ result = app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT_PARTNER, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_all_accesses(rules_wgt_partner);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+}
+
+/**
+ * Set APP privileges. wgt_platform.
+ */
+RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform)
+{
+ int result;
+
+ result = set_app_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
+
+ // Check if SMACK label really set
+ char * label;
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
+ RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
+ result = strcmp(WGT_PLATFORM_APP_LABEL, label);
+ RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
+
+ std::set<unsigned> groups_check;
+ read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
+ read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT);
+
+ int groups_cnt = getgroups(0, NULL);
+ RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
+ gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
+ RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
+ getgroups(groups_cnt, groups_list);
+
+ for (int i = 0; i < groups_cnt; ++i) {
+ if (groups_check.erase(groups_list[i]) == 0) {
+ // getgroups() may also return process' main group
+ if (groups_list[i] != getgid())
+ RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
+ }
+ }
+ std::string groups_left;
+ for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
+ groups_left.append(std::to_string(*it)).append(" ");
+ }
+ RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
+
+
+ result = app_enable_permissions(APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT_PLATFORM, 1);
+ RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_any_accesses(rules_wgt_platform);
+ RUNNER_ASSERT_MSG(result==0, "Permissions exist.");
+
+ result = app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT_PLATFORM, 1);
+ RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
+ " Error enabling app permissions. Result: " << result);
+
+ result = test_have_all_accesses(rules_wgt_platform);
+ RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
+}
+
RUNNER_TEST(privilege_control08_app_give_access)
{
const char *subject = "lkjq345v34sfa";
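Review bot: The three added tests repeat the same group-membership check, and in each copy `groups_list` (from `calloc`) and `label` (allocated by `smack_new_label_from_self`) are never freed and the return value of the second `getgroups()` call is ignored. Moving the check into one helper that holds the buffer in a `std::vector<gid_t>` and asserts on the second `getgroups()` result removes both the duplication and the leak; `label` additionally needs a `free(label);` after the assertion that prints it. Separately, the `result != PC_OPERATION_SUCCESS` check after enabling with `APP_ID` is satisfied by any failure, and its message " Error enabling app permissions" reads as the opposite case; comparing against the specific error code expected for a mismatched app id would stop an unrelated failure from passing this negative test. The trailing context of this hunk (`privilege_control08_app_give_access`) continues outside the visible lines.

```cpp
// Checks that the process belongs to the groups listed in
// LIBPRIVILEGE_APP_GROUP_LIST and dac_file (plus, possibly, its main group).
static void check_app_groups(const char *dac_file)
{
    std::set<unsigned> groups_check;
    read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
    read_gids(groups_check, dac_file);

    int groups_cnt = getgroups(0, NULL);
    RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
    std::vector<gid_t> groups_list(groups_cnt);
    groups_cnt = getgroups(groups_cnt, groups_list.data());
    RUNNER_ASSERT_MSG(groups_cnt > 0, "getgroups() failed");

    // … unchanged: membership loop over groups_list and the groups_left report …
}

// In each of the three tests, in place of the copied block:
check_app_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
```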