From 44f879f761cda1f54e03787e70e6843359f9f8ee Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz
Date: Fri, 24 Apr 2020 14:08:22 +0200
Subject: [PATCH] Smack privilege tests with different configurations
Change-Id: I93138c69683dc910df44515d216b42f0b5855ff5
---
.../priv-rules-default-template.smack | 2 +
.../malformed/privilege-smack.list | 3 +
.../privilege-mapping/flawed-camera-template.smack | 3 +
.../priv-rules-default-template.smack | 2 +
.../multiple-privs/privilege-smack.list | 2 +
.../test_cases_smack_privileges.cpp | 154 ++++++++++++++++++++-
6 files changed, 162 insertions(+), 4 deletions(-)
create mode 100644 src/security-manager-tests/smack-privileges/malformed/privilege-mapping/priv-rules-default-template.smack
create mode 100644 src/security-manager-tests/smack-privileges/malformed/privilege-smack.list
create mode 100644 src/security-manager-tests/smack-privileges/multiple-privs/privilege-mapping/flawed-camera-template.smack
create mode 100644 src/security-manager-tests/smack-privileges/multiple-privs/privilege-mapping/priv-rules-default-template.smack
create mode 100644 src/security-manager-tests/smack-privileges/multiple-privs/privilege-smack.list
diff --git a/src/security-manager-tests/smack-privileges/malformed/privilege-mapping/priv-rules-default-template.smack b/src/security-manager-tests/smack-privileges/malformed/privilege-mapping/priv-rules-default-template.smack
new file mode 100644
index 0000000..09c5be6
--- /dev/null
+++ b/src/security-manager-tests/smack-privileges/malformed/privilege-mapping/priv-rules-default-template.smack
@@ -0,0 +1,2 @@
+~PROCESS~ ~PRIVILEGE~ w
+~PRIVILEGE~ ~PROCESS~ w
diff --git a/src/security-manager-tests/smack-privileges/malformed/privilege-smack.list b/src/security-manager-tests/smack-privileges/malformed/privilege-smack.list
new file mode 100644
index 0000000..04ab381
--- /dev/null
+++ b/src/security-manager-tests/smack-privileges/malformed/privilege-smack.list
@@ -0,0 +1,3 @@
+http://tizen.org/privilege/internet System::Privilege::Internet default
+http://tizen.org/privilege/camera System::Privilege::Camera the-fault
+http://tizen.org/privilege/camera System::Privilege::Camera
diff --git a/src/security-manager-tests/smack-privileges/multiple-privs/privilege-mapping/flawed-camera-template.smack b/src/security-manager-tests/smack-privileges/multiple-privs/privilege-mapping/flawed-camera-template.smack
new file mode 100644
index 0000000..fb35c52
--- /dev/null
+++ b/src/security-manager-tests/smack-privileges/multiple-privs/privilege-mapping/flawed-camera-template.smack
@@ -0,0 +1,3 @@
+~PROCESS~ System::TEF r
+~PROCESS~ ~PRIVILEGE~ w
+~PRIVILEGE~ ~PROCESS~ w
diff --git a/src/security-manager-tests/smack-privileges/multiple-privs/privilege-mapping/priv-rules-default-template.smack b/src/security-manager-tests/smack-privileges/multiple-privs/privilege-mapping/priv-rules-default-template.smack
new file mode 100644
index 0000000..09c5be6
--- /dev/null
+++ b/src/security-manager-tests/smack-privileges/multiple-privs/privilege-mapping/priv-rules-default-template.smack
@@ -0,0 +1,2 @@
+~PROCESS~ ~PRIVILEGE~ w
+~PRIVILEGE~ ~PROCESS~ w
diff --git a/src/security-manager-tests/smack-privileges/multiple-privs/privilege-smack.list b/src/security-manager-tests/smack-privileges/multiple-privs/privilege-smack.list
new file mode 100644
index 0000000..8a0bc4f
--- /dev/null
+++ b/src/security-manager-tests/smack-privileges/multiple-privs/privilege-smack.list
@@ -0,0 +1,2 @@
+http://tizen.org/privilege/internet System::Privilege::Internet default
+http://tizen.org/privilege/camera System::Privilege::Camera flawed-camera-template.smack
diff --git a/src/security-manager-tests/test_cases_smack_privileges.cpp b/src/security-manager-tests/test_cases_smack_privileges.cpp
index 2878da3..0aba4f7 100644
--- a/src/security-manager-tests/test_cases_smack_privileges.cpp
+++ b/src/security-manager-tests/test_cases_smack_privileges.cpp
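Review bot: The malformed/privilege-smack.list fixture packs several distinct defects into one file, so the test cannot tell which of them is being rejected. Its second line names a template (`the-fault`) that is not among the files this commit adds, its third line appears to lack the template column, and the camera privilege is listed twice. smack_privileges_400_malformed only asserts that no privilege rules are applied, so it keeps passing as long as any one of these is refused; a parser regression that starts accepting, for example, the two-column line would go unnoticed. Consider one fixture directory per defect, each holding the valid internet entry plus a single bad line such as `http://tizen.org/privilege/camera System::Privilege::Camera`, so every rejection path is pinned separately.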
@@ -58,11 +58,24 @@ void changePolicy(const AppInstallHelper& app, const std::string& priv, const st Api::sendPolicy(policyRequest); } +const std::vector INTERNET_RULES = { + {"~PROCESS~", "System::Privilege::Internet", "w"}, + {"System::Privilege::Internet", "~PROCESS~", "w"} +}; +const std::vector CAMERA_RULES = { + {"~PROCESS~", "System::Privilege::Camera", "w"}, + {"System::Privilege::Camera", "~PROCESS~", "w"} +}; +const std::vector CAMERA_IGNORED_RULES = { + {"~PROCESS~", "System::TEF", "r"} +}; + enum class SmackPrivSetup { ORIGINAL, EMPTY, INTERNET_ONLY, - // TODO test other configurations + MULTIPLE_PRIVS, + MALFORMED }; // This is to ensure that original security-manager policy is restored after the group is finished @@ -74,7 +87,9 @@ private: m_currentSetup(SmackPrivSetup::ORIGINAL), m_serviceManager("security-manager.service"), m_setupMap({{ SmackPrivSetup::EMPTY, "empty" }, - { SmackPrivSetup::INTERNET_ONLY, "internet-only" }}) + { SmackPrivSetup::INTERNET_ONLY, "internet-only" }, + { SmackPrivSetup::MULTIPLE_PRIVS, "multiple-privs" }, + { SmackPrivSetup::MALFORMED, "malformed" }}) { } SmackPrivSetupMgr(const SmackPrivSetupMgr&) = delete; @@ -173,7 +188,10 @@ public: void finish() {} }; +typedef TestSetup EmptySetup; typedef TestSetup InternetOnlySetup; +typedef TestSetup MultiplePrivsSetup; +typedef TestSetup MalformedSetup; } // namespace anonymous @@ -187,9 +205,11 @@ RUNNER_CHILD_TEST(smack_privileges_10_no_privileges, InternetOnlySetup) app.checkAfterInstall(); app.checkDeniedPrivileges({PRIV_INTERNET}); app.checkSmackPrivileges({}, {PRIV_INTERNET}); + app.checkSmackAccesses(CAMERA_RULES, false); { ScopedAppLauncher appLaunch(app); app.checkSmackPrivileges({}, {PRIV_INTERNET}); + app.checkSmackAccesses(CAMERA_RULES, false); } } app.checkAfterUninstall(); 
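Review bot: `CAMERA_IGNORED_RULES` has no comment saying why this rule is expected to be ignored, and the name alone does not explain it. It mirrors the first line of flawed-camera-template.smack (`~PROCESS~ System::TEF r`), and the new 300–320 tests assert it is never applied, presumably because a privilege template may only relate `~PROCESS~` and `~PRIVILEGE~` and must not grant access to an unrelated label. A comment above the definition such as `// Rule from flawed-camera-template.smack that targets a label other than ~PRIVILEGE~; it must never be loaded` would make that intent explicit. The three rule constants also restate what the fixture templates contain, so a short note that they must stay in sync with the .smack files would help the next maintainer.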
@@ -198,16 +218,18 @@ RUNNER_CHILD_TEST(smack_privileges_10_no_privileges, InternetOnlySetup) RUNNER_CHILD_TEST(smack_privileges_20_internet_privilege, InternetOnlySetup) { AppInstallHelperExt app("sm_test_sp_20_app"); - app.addPrivileges({PRIV_INTERNET}); + app.addPrivileges({PRIV_INTERNET, PRIV_CAMERA}); { ScopedInstaller appInstall(app); app.checkAfterInstall(); // rules absent before app is launched app.checkSmackPrivileges({}, {PRIV_INTERNET}); + app.checkSmackAccesses(CAMERA_RULES, false); { ScopedAppLauncher appLaunch(app); app.checkSmackPrivileges({PRIV_INTERNET}, {}); + app.checkSmackAccesses(CAMERA_RULES, false); } // rules present after app is terminated app.checkSmackPrivileges({PRIV_INTERNET}, {}); 
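Review bot: The added `app.checkSmackAccesses(CAMERA_RULES, false);` assertions in smack_privileges_20_internet_privilege stop at the running-app block; the post-termination check visible at the end of the hunk (under `// rules present after app is terminated`) still verifies only the internet privilege. The app now requests PRIV_CAMERA under a setup that presumably has no camera mapping, so repeating `app.checkSmackAccesses(CAMERA_RULES, false);` after that check would pin the absence of camera rules across the whole lifecycle. The test body continues past the hunk, so an equivalent check may already exist after uninstall; worth confirming.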
@@ -812,4 +834,128 @@ RUNNER_CHILD_TEST(smack_privileges_180_hybrid_package_both_apps_privileged, Inte app2.checkSmackPrivileges({}, {PRIV_INTERNET}); } -// TODO custom smack privileges +RUNNER_CHILD_TEST(smack_privileges_200_empty_policy, EmptySetup) +{ + AppInstallHelperExt app("sm_test_sp_200_app"); + app.addPrivileges({PRIV_INTERNET, PRIV_CAMERA}); + { + ScopedInstaller appInstall(app); + + app.checkAfterInstall(); + + app.checkSmackAccesses(INTERNET_RULES, false); + app.checkSmackAccesses(CAMERA_RULES, false); + { + ScopedAppLauncher appLaunch(app); + + // no config -> no access + app.checkSmackAccesses(INTERNET_RULES, false); + app.checkSmackAccesses(CAMERA_RULES, false); + } + } + app.checkAfterUninstall(); + app.checkSmackAccesses(INTERNET_RULES, false); + app.checkSmackAccesses(CAMERA_RULES, false); +} + +RUNNER_CHILD_TEST(smack_privileges_300_multi_policy_no_privs, MultiplePrivsSetup) +{ + AppInstallHelperExt app("sm_test_sp_300_app"); + { + ScopedInstaller appInstall(app); + + app.checkAfterInstall(); + app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA}); + app.checkSmackAccesses(CAMERA_IGNORED_RULES, false); + { + ScopedAppLauncher appLaunch(app); + + app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA}); + app.checkSmackAccesses(CAMERA_IGNORED_RULES, false); + } + } + app.checkAfterUninstall(); + app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA}); +} + +RUNNER_CHILD_TEST(smack_privileges_310_multi_policy_single_priv, MultiplePrivsSetup) +{ + AppInstallHelperExt app("sm_test_sp_310_app"); + app.addPrivilege(PRIV_CAMERA); + { + ScopedInstaller appInstall(app); + + app.checkAfterInstall(); + app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA}); + app.checkSmackAccesses(CAMERA_IGNORED_RULES, false); + { + ScopedAppLauncher appLaunch(app); + + app.checkSmackPrivileges({PRIV_CAMERA}, {PRIV_INTERNET}); + app.checkSmackAccesses(CAMERA_IGNORED_RULES, false); + } + } + app.checkAfterUninstall(); + app.checkSmackPrivileges({}, 
{PRIV_INTERNET, PRIV_CAMERA}); +} + +RUNNER_CHILD_TEST(smack_privileges_320_multi_policy_all_privs, MultiplePrivsSetup) +{ + TemporaryTestUser testUser("sm_test_320_user_name", GUM_USERTYPE_NORMAL, true); + testUser.create(); + + AppInstallHelperExt app("sm_test_sp_320_app", testUser.getUid()); + app.addPrivileges({PRIV_CAMERA, PRIV_INTERNET}); + { + ScopedInstaller appInstall(app); + + app.checkAfterInstall(); + app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA}); + app.checkSmackAccesses(CAMERA_IGNORED_RULES, false); + { + ScopedAppLauncher appLaunch(app); + + app.checkSmackPrivileges({PRIV_CAMERA, PRIV_INTERNET}, {}); + app.checkSmackAccesses(CAMERA_IGNORED_RULES, false); + + // change policy + changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_DENY); + + app.checkSmackPrivileges({PRIV_CAMERA}, {PRIV_INTERNET}); + app.checkSmackAccesses(CAMERA_IGNORED_RULES, false); + + // change policy + changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW); + changePolicy(app, PRIV_CAMERA, PolicyEntry::LEVEL_DENY); + + app.checkSmackPrivileges({PRIV_INTERNET}, {PRIV_CAMERA}); + app.checkSmackAccesses(CAMERA_IGNORED_RULES, false); + } + } + app.checkAfterUninstall(); + app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA}); +} + +RUNNER_CHILD_TEST(smack_privileges_400_malformed, MalformedSetup) +{ + AppInstallHelperExt app("sm_test_sp_400_app"); + app.addPrivileges({PRIV_INTERNET, PRIV_CAMERA}); + { + ScopedInstaller appInstall(app); + + app.checkAfterInstall(); + + app.checkSmackAccesses(INTERNET_RULES, false); + app.checkSmackAccesses(CAMERA_RULES, false); + { + ScopedAppLauncher appLaunch(app); + + // malformed config -> no access + app.checkSmackAccesses(INTERNET_RULES, false); + app.checkSmackAccesses(CAMERA_RULES, false); + } + } + app.checkAfterUninstall(); + app.checkSmackAccesses(INTERNET_RULES, false); + app.checkSmackAccesses(CAMERA_RULES, false); +} -- 2.7.4
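Review bot: smack_privileges_200_empty_policy and smack_privileges_400_malformed have the same body apart from the app name and one comment, so the intended contract, that a malformed policy fails closed exactly like an empty one, is only implicit. Pulling the shared sequence into a file-local helper that both tests call states that contract once and keeps the two from drifting apart when one is later extended. The helper below assumes `AppInstallHelperExt` accepts a `std::string` name, which the hunk does not show.

```cpp
// Installs and launches an app that requests both privileges and expects
// that no privilege-related Smack rule exists at any point of its lifecycle.
static void checkNoPrivilegeRules(const std::string& appName)
{
    AppInstallHelperExt app(appName);
    app.addPrivileges({PRIV_INTERNET, PRIV_CAMERA});

    auto expectNoRules = [&app] {
        app.checkSmackAccesses(INTERNET_RULES, false);
        app.checkSmackAccesses(CAMERA_RULES, false);
    };

    {
        ScopedInstaller appInstall(app);

        app.checkAfterInstall();
        expectNoRules();
        {
            ScopedAppLauncher appLaunch(app);
            expectNoRules();
        }
    }
    app.checkAfterUninstall();
    expectNoRules();
}

RUNNER_CHILD_TEST(smack_privileges_200_empty_policy, EmptySetup)
{
    // no config -> no access
    checkNoPrivilegeRules("sm_test_sp_200_app");
}

// … unchanged: smack_privileges_300 / 310 / 320 …

RUNNER_CHILD_TEST(smack_privileges_400_malformed, MalformedSetup)
{
    // malformed config -> no access
    checkNoPrivilegeRules("sm_test_sp_400_app");
}
```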