[Problem] Libprivilege-control assigns the same label "User" to all
applications. Because of that some of tests make no sense. User id is fixed to
5000 but there's no such user in the system. Wrt-client binary does not exist
so getting its smack label fails.
[Solution] Meaningless asserts commented. User id retrieved from tzconfig. DAC
groups database cleared after every perm_app_set_privilege test.
[Verification] Run libprivilege-control-tests --output=text
Change-Id: Ib8e1f4deafd7033c7ac892af6afd9d46c724c062
<filesystem path="/usr/bin/cynara-tests" exec_label="_" />
<filesystem path="/usr/bin/ckm-tests" exec_label="_" />
<filesystem path="/usr/bin/cynara-tests" exec_label="_" />
<filesystem path="/usr/bin/ckm-tests" exec_label="_" />
+ <filesystem path="/usr/bin/test-app-wgt" exec_label="User" />
<filesystem path="/usr/bin/test-app-efl" exec_label="User" />
<filesystem path="/usr/bin/test-app-osp" exec_label="User" />
</assign>
<filesystem path="/usr/bin/test-app-efl" exec_label="User" />
<filesystem path="/usr/bin/test-app-osp" exec_label="User" />
</assign>
#include <tuple>
#include <errno.h>
#include <string.h>
#include <tuple>
#include <errno.h>
#include <string.h>
+#include <tzplatform_config.h>
-const uid_t APP_UID = 5000;
-const gid_t APP_GID = 5000;
+const uid_t APP_UID = tzplatform_getuid(TZ_USER_NAME);
+const gid_t APP_GID = tzplatform_getgid(TZ_USER_NAME);
const uid_t DB_ALARM_UID = 6001;
const gid_t DB_ALARM_GID = 6001;
const std::string TMP_DIR("/tmp");
const uid_t DB_ALARM_UID = 6001;
const gid_t DB_ALARM_GID = 6001;
const std::string TMP_DIR("/tmp");
WORLD_READ
WORLD_EXECUTE)
WORLD_READ
WORLD_EXECUTE)
-execute_process(COMMAND ln -s /usr/bin/wrt-client ${CMAKE_CURRENT_BINARY_DIR}/${TEST_APP_WGT} )
-
-INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/${TEST_APP_WGT}
- DESTINATION /usr/bin)
+INSTALL(FILES ${TEST_APP_EFL}
+ DESTINATION /usr/bin
+ RENAME ${TEST_APP_WGT}
+ PERMISSIONS OWNER_READ
+ OWNER_WRITE
+ OWNER_EXECUTE
+ GROUP_READ
+ GROUP_EXECUTE
+ WORLD_READ
+ WORLD_EXECUTE)
SET(LPC_TARGET_TEST "libprivilege-control-test")
SET(LPC_TARGET_TEST "libprivilege-control-test")
+ /* Remove the group file to make sure other tests do not affect current one. This is because all
+ apps get the same label "User" */
+ const char* db_file = tzplatform_mkpath(TZ_SYS_DB,".privilege_control_app_gids.db");
+ RUNNER_ASSERT_MSG(db_file, "Failed to get groups db path");
+ result = unlink(db_file);
+ RUNNER_ASSERT_MSG(result == 0, "Removing group db failed " << strerror(errno));
+
DB_BEGIN
result = perm_app_uninstall(app_id);
DB_BEGIN
result = perm_app_uninstall(app_id);
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
{
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
{
- test_set_app_privilege(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
+ test_set_app_privilege(GENERATED_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt);
}
LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt);
}
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
{
*/
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
{
- test_set_app_privilege(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH,
+ test_set_app_privilege(GENERATED_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH,
LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
}
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_efl)
{
LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
}
RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_efl)
{
- test_set_app_privilege(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL,
+ test_set_app_privilege(GENERATED_APP_ID, APP_TYPE_EFL, PRIVS_EFL,
"rpm", EFL_APP_PATH,
LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl);
}
"rpm", EFL_APP_PATH,
LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl);
}
// Verify that all permissions to public dir have been added
// correctly, also to other app
// Verify that all permissions to public dir have been added
// correctly, also to other app
- result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl");
+ result = smack_have_access(GENERATED_APP_ID, shared_dir_auto_label.c_str(), "rwxatl");
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to Public RO dir are granted. Loop index: "
<< i);
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to Public RO dir are granted. Loop index: "
<< i);
- result = smack_have_access(TEST_OSP_FEATURE_APP_ID, shared_dir_auto_label.c_str(), "rx" );
+ /* all apps are getting the label "User" at the moment. Calling smack_have_access with
+ "User" as an argument is no different from previous call */
+ /*result = smack_have_access(TEST_OSP_FEATURE_APP_ID, shared_dir_auto_label.c_str(), "rx" );
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to Public RO dir are granted. Loop index: "
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to Public RO dir are granted. Loop index: "
// Verify that setting app has rwx permission to app dir
// and rx permissions to app
// Verify that setting app has rwx permission to app dir
// and rx permissions to app
- result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl");
+ result = smack_have_access(GENERATED_APP_ID, shared_dir_auto_label.c_str(), "rwxatl");
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted. "
<< APP_ID << " "<< shared_dir_auto_label << " rwxatl "
<< "Loop index: " << i);
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted. "
<< APP_ID << " "<< shared_dir_auto_label << " rwxatl "
<< "Loop index: " << i);
- result = smack_have_access(APP_TEST_SETTINGS_ASP1, shared_dir_auto_label.c_str(), "rwx");
+ /* all apps are getting the label "User" at the moment. Calling smack_have_access with
+ "User" as an argument is no different from previous call */
+ /*result = smack_have_access(APP_TEST_SETTINGS_ASP1, shared_dir_auto_label.c_str(), "rwx");
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted. "
<< APP_TEST_SETTINGS_ASP1 << " " << shared_dir_auto_label << " rwx. "
<< "Loop index: " << i);
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted. "
<< APP_TEST_SETTINGS_ASP1 << " " << shared_dir_auto_label << " rwx. "
<< "Loop index: " << i);
- result = smack_have_access(APP_TEST_SETTINGS_ASP1, APP_ID, "rx");
+ result = smack_have_access(APP_TEST_SETTINGS_ASP1, GENERATED_APP_ID, "rx");
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted. "
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted. "
- << APP_TEST_SETTINGS_ASP1 << " " << APP_ID << " rx"
- << "Loop index: " << i);
+ << APP_TEST_SETTINGS_ASP1 << " " << GENERATED_APP_ID << " rx"
+ << "Loop index: " << i);*/
// Verify that all permissions to public dir have been added
// correctly, also to other app
// Verify that all permissions to public dir have been added
// correctly, also to other app
- result = smack_have_access(APP_ID, LABEL_FOR_PUBLIC_SHARED_DIRS, "rwxatl");
+ result = smack_have_access(GENERATED_APP_ID, LABEL_FOR_PUBLIC_SHARED_DIRS, "rwxatl");
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to Group RW dir are granted. Loop index: "
<< i);
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to Group RW dir are granted. Loop index: "
<< i);
// check if api-features permissions are added properly
result = check_all_accesses(smack,
(const rules_t) {
// check if api-features permissions are added properly
result = check_all_accesses(smack,
(const rules_t) {
- { APP_ID, TEST_OSP_FEATURE_APP_ID, "rxl" },
- { APP_ID, TEST_WGT_FEATURE_APP_ID, "rwxl" } } );
+ { GENERATED_APP_ID, TEST_OSP_FEATURE_APP_ID, "rxl" },
+ { GENERATED_APP_ID, TEST_WGT_FEATURE_APP_ID, "rwxl" } } );
RUNNER_ASSERT_MSG(result == 1,
"Not all permisions from api features added. Loop index: "
<< i);
// revoke permissions
RUNNER_ASSERT_MSG(result == 1,
"Not all permisions from api features added. Loop index: "
<< i);
// revoke permissions
- result = perm_app_revoke_permissions(APP_ID);
+ result = perm_app_revoke_permissions(GENERATED_APP_ID);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error in perm_app_revoke_permissions. Loop index: " << i
<< ". Result: " << result);
RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
"Error in perm_app_revoke_permissions. Loop index: " << i
<< ". Result: " << result);
// generate app ids: test_APP0, test_APP1, test_APP2 etc.:
for (int i = 0; i < app_count; ++i)
{
// generate app ids: test_APP0, test_APP1, test_APP2 etc.:
for (int i = 0; i < app_count; ++i)
{
- result = sprintf(app_ids[i], APP_ID "%d", i);
+ /* Libprivilege-control assigns "User" label to all apps. Replace it when individual labels
+ are supported. */
+ result = sprintf(app_ids[i], GENERATED_APP_ID);
RUNNER_ASSERT_MSG(result > 0, "Cannot generate name for app nr: " << i);
}
RUNNER_ASSERT_MSG(result > 0, "Cannot generate name for app nr: " << i);
}
+ // All apps have the same label "User" so this check makes no sense.
// Verify that some previously installed app does not have
// any acces to app 0 and app 5 PRIVATE folders
// Verify that some previously installed app does not have
// any acces to app 0 and app 5 PRIVATE folders
- for (int j = 0; j < app_count; ++j)
+ /*for (int j = 0; j < app_count; ++j)
{
// Apps 1-9 should not have any access to app 0
if (j != 0)
{
// Apps 1-9 should not have any access to app 0
if (j != 0)
") has access to private label of: " << app_ids[5] <<
". It may not be shared. Loop index: " << i << ".");
}
") has access to private label of: " << app_ids[5] <<
". It may not be shared. Loop index: " << i << ".");
}
- } // End for Verify PRIVATE
+ }*/ // End for Verify PRIVATE
// Verify that apps 1, 2 and 6 have all accesses to GROUP_RW folders
result = check_all_accesses(smack,
// Verify that apps 1, 2 and 6 have all accesses to GROUP_RW folders
result = check_all_accesses(smack,
RUNNER_ASSERT_MSG(result == 1,
"Not all accesses to owned Public RO dir are granted. App id: "
<< app_ids[j] << " Loop index: " << i);
RUNNER_ASSERT_MSG(result == 1,
"Not all accesses to owned Public RO dir are granted. App id: "
<< app_ids[j] << " Loop index: " << i);
+ // All apps have the same label "User" so this check makes no sense.
// Verify that there are no extra permissions to public dirs
// Verify that there are no extra permissions to public dirs
- result = check_no_accesses(smack,
+ /*result = check_no_accesses(smack,
(const rules_t) {
{ app_ids[j], shared_dir7_auto_label.c_str(), "w" },
{ app_ids[j], shared_dir7_auto_label.c_str(), "t" },
(const rules_t) {
{ app_ids[j], shared_dir7_auto_label.c_str(), "w" },
{ app_ids[j], shared_dir7_auto_label.c_str(), "t" },
{ app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
RUNNER_ASSERT_MSG(result == 1,
"Unexpected extra permissions added for app:" << app_ids[j]
{ app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
RUNNER_ASSERT_MSG(result == 1,
"Unexpected extra permissions added for app:" << app_ids[j]
- << ". Loop index: " << i);
+ << ". Loop index: " << i);*/
RUNNER_ASSERT_MSG(result == 1,
"Not all accesses to owned Public RO dir are granted. App id: "
<< app_ids[j] << " Loop index: " << i);
RUNNER_ASSERT_MSG(result == 1,
"Not all accesses to owned Public RO dir are granted. App id: "
<< app_ids[j] << " Loop index: " << i);
+ // All apps have the same label "User" so this check makes no sense.
// Verify that there are no extra permissions to public dirs
// Verify that there are no extra permissions to public dirs
- result = check_no_accesses(smack,
+ /*result = check_no_accesses(smack,
(const rules_t) {
{ app_ids[j], shared_dir3_auto_label.c_str(), "w" },
{ app_ids[j], shared_dir3_auto_label.c_str(), "t" },
(const rules_t) {
{ app_ids[j], shared_dir3_auto_label.c_str(), "w" },
{ app_ids[j], shared_dir3_auto_label.c_str(), "t" },
{ app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
RUNNER_ASSERT_MSG(result == 1,
"Unexpected extra permissions added for app:" << app_ids[j]
{ app_ids[j], shared_dir8_auto_label.c_str(), "t" } } );
RUNNER_ASSERT_MSG(result == 1,
"Unexpected extra permissions added for app:" << app_ids[j]
- << ". Loop index: " << i);
+ << ". Loop index: " << i);*/
RUNNER_ASSERT_MSG(result == 1,
"Not all accesses to owned Public RO dir are granted. App id: "
<< app_ids[j] << " Loop index: " << i);
RUNNER_ASSERT_MSG(result == 1,
"Not all accesses to owned Public RO dir are granted. App id: "
<< app_ids[j] << " Loop index: " << i);
+ // All apps have the same label "User" so this check makes no sense.
// Verify that there are no extra permissions to other public dirs
// Verify that there are no extra permissions to other public dirs
- result = check_no_accesses(smack,
+ /*result = check_no_accesses(smack,
(const rules_t) {
{ app_ids[j], shared_dir3_auto_label.c_str(), "w" },
{ app_ids[j], shared_dir3_auto_label.c_str(), "t" },
(const rules_t) {
{ app_ids[j], shared_dir3_auto_label.c_str(), "w" },
{ app_ids[j], shared_dir3_auto_label.c_str(), "t" },
{ app_ids[j], shared_dir7_auto_label.c_str(), "t" } } );
RUNNER_ASSERT_MSG(result == 1,
"Unexpected extra permissions added for app:" << app_ids[j]
{ app_ids[j], shared_dir7_auto_label.c_str(), "t" } } );
RUNNER_ASSERT_MSG(result == 1,
"Unexpected extra permissions added for app:" << app_ids[j]
- << ". Loop index: " << i);
+ << ". Loop index: " << i);*/
}
result = check_all_accesses(smack,
}
result = check_all_accesses(smack,
"Not all accesses to App-Setting dir are granted."
<< app_ids[9] << " " << setting_dir9_auto_label
<< " Loop index: " << i);
"Not all accesses to App-Setting dir are granted."
<< app_ids[9] << " " << setting_dir9_auto_label
<< " Loop index: " << i);
- result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[4], "rx");
+ // All apps have the same label "User" so this check makes no sense.
+ /*result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[4], "rx");
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted."
<< APP_TEST_SETTINGS_ASP1 << " " << app_ids[4]
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted."
<< APP_TEST_SETTINGS_ASP1 << " " << app_ids[4]
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted."
<< APP_TEST_SETTINGS_ASP1 << " " << setting_dir9_auto_label
RUNNER_ASSERT_MSG(result == expected_smack_result,
"Not all accesses to App-Setting dir are granted."
<< APP_TEST_SETTINGS_ASP1 << " " << setting_dir9_auto_label
- << " Loop index: " << i);
+ << " Loop index: " << i);*/
+ // All apps have the same label "User" so this check makes no sense.
// Check if permissions are removed properly
// Check if permissions are removed properly
- for (int j = 0; j < app_count; ++j)
+ /*for (int j = 0; j < app_count; ++j)
{
// To all other apps
for (int k = 0; k < app_count; ++k)
{
// To all other apps
for (int k = 0; k < app_count; ++k)
"Not all permisions revoked. Subject: " << app_ids[j]
<< " Object: " << app_ids[k] << " Loop index: " << i);
}
"Not all permisions revoked. Subject: " << app_ids[j]
<< " Object: " << app_ids[k] << " Loop index: " << i);
}