From 8be74b0578e5f15e9e8f91ed46d53e421baa69f6 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Fri, 22 May 2015 10:28:38 +0200 Subject: [PATCH] Fix libprivilege-control tests [Problem] Libprivilege-control assigns the same label "User" to all applications. Because of that some of tests make no sense. User id is fixed to 5000 but there's no such user in the system. Wrt-client binary does not exist so getting its smack label fails. [Solution] Meaningless asserts commented. User id retrieved from tzconfig. DAC groups database cleared after every perm_app_set_privilege test. [Verification] Run libprivilege-control-tests --output=text Change-Id: Ib8e1f4deafd7033c7ac892af6afd9d46c724c062 --- packaging/security-tests.manifest | 1 + src/common/tests_common.h | 5 +- src/libprivilege-control-tests/CMakeLists.txt | 14 +++-- src/libprivilege-control-tests/test_cases.cpp | 13 +++-- .../test_cases_stress.cpp | 62 +++++++++++++--------- 5 files changed, 61 insertions(+), 34 deletions(-) diff --git a/packaging/security-tests.manifest b/packaging/security-tests.manifest index 7395a84..e6064d1 100644 --- a/packaging/security-tests.manifest +++ b/packaging/security-tests.manifest @@ -19,6 +19,7 @@ + diff --git a/src/common/tests_common.h b/src/common/tests_common.h index 0cca754..57c8470 100644 --- a/src/common/tests_common.h +++ b/src/common/tests_common.h @@ -35,9 +35,10 @@ #include #include #include +#include -const uid_t APP_UID = 5000; -const gid_t APP_GID = 5000; +const uid_t APP_UID = tzplatform_getuid(TZ_USER_NAME); +const gid_t APP_GID = tzplatform_getgid(TZ_USER_NAME); const uid_t DB_ALARM_UID = 6001; const gid_t DB_ALARM_GID = 6001; const std::string TMP_DIR("/tmp"); diff --git a/src/libprivilege-control-tests/CMakeLists.txt b/src/libprivilege-control-tests/CMakeLists.txt index deaab41..96c9c1d 100644 --- a/src/libprivilege-control-tests/CMakeLists.txt +++ b/src/libprivilege-control-tests/CMakeLists.txt @@ -50,10 +50,16 @@ INSTALL(FILES ${TEST_APP_EFL} WORLD_READ WORLD_EXECUTE) -execute_process(COMMAND ln -s /usr/bin/wrt-client ${CMAKE_CURRENT_BINARY_DIR}/${TEST_APP_WGT} ) - -INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/${TEST_APP_WGT} - DESTINATION /usr/bin) +INSTALL(FILES ${TEST_APP_EFL} + DESTINATION /usr/bin + RENAME ${TEST_APP_WGT} + PERMISSIONS OWNER_READ + OWNER_WRITE + OWNER_EXECUTE + GROUP_READ + GROUP_EXECUTE + WORLD_READ + WORLD_EXECUTE) SET(LPC_TARGET_TEST "libprivilege-control-test") diff --git a/src/libprivilege-control-tests/test_cases.cpp b/src/libprivilege-control-tests/test_cases.cpp index f3a4a70..e1ca540 100644 --- a/src/libprivilege-control-tests/test_cases.cpp +++ b/src/libprivilege-control-tests/test_cases.cpp @@ -198,6 +198,13 @@ void test_set_app_privilege( int result; + /* Remove the group file to make sure other tests do not affect current one. This is because all + apps get the same label "User" */ + const char* db_file = tzplatform_mkpath(TZ_SYS_DB,".privilege_control_app_gids.db"); + RUNNER_ASSERT_MSG(db_file, "Failed to get groups db path"); + result = unlink(db_file); + RUNNER_ASSERT_MSG(result == 0, "Removing group db failed " << strerror(errno)); + DB_BEGIN result = perm_app_uninstall(app_id); @@ -247,7 +254,7 @@ void test_set_app_privilege( */ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt) { - test_set_app_privilege(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH, + test_set_app_privilege(GENERATED_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt); } @@ -256,13 +263,13 @@ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt) */ RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp) { - test_set_app_privilege(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH, + test_set_app_privilege(GENERATED_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp); } RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_efl) { - test_set_app_privilege(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL, + test_set_app_privilege(GENERATED_APP_ID, APP_TYPE_EFL, PRIVS_EFL, "rpm", EFL_APP_PATH, LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl); } diff --git a/src/libprivilege-control-tests/test_cases_stress.cpp b/src/libprivilege-control-tests/test_cases_stress.cpp index fd4242a..31d9162 100644 --- a/src/libprivilege-control-tests/test_cases_stress.cpp +++ b/src/libprivilege-control-tests/test_cases_stress.cpp @@ -230,16 +230,18 @@ void privilege_control22_app_installation_1x100(bool smack) // Verify that all permissions to public dir have been added // correctly, also to other app - result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl"); + result = smack_have_access(GENERATED_APP_ID, shared_dir_auto_label.c_str(), "rwxatl"); RUNNER_ASSERT_MSG(result == expected_smack_result, "Not all accesses to Public RO dir are granted. Loop index: " << i); - result = smack_have_access(TEST_OSP_FEATURE_APP_ID, shared_dir_auto_label.c_str(), "rx" ); + /* all apps are getting the label "User" at the moment. Calling smack_have_access with + "User" as an argument is no different from previous call */ + /*result = smack_have_access(TEST_OSP_FEATURE_APP_ID, shared_dir_auto_label.c_str(), "rx" ); RUNNER_ASSERT_MSG(result == expected_smack_result, "Not all accesses to Public RO dir are granted. Loop index: " - << i); + << i);*/ break; } @@ -275,27 +277,29 @@ void privilege_control22_app_installation_1x100(bool smack) // Verify that setting app has rwx permission to app dir // and rx permissions to app - result = smack_have_access(APP_ID, shared_dir_auto_label.c_str(), "rwxatl"); + result = smack_have_access(GENERATED_APP_ID, shared_dir_auto_label.c_str(), "rwxatl"); RUNNER_ASSERT_MSG(result == expected_smack_result, "Not all accesses to App-Setting dir are granted. " << APP_ID << " "<< shared_dir_auto_label << " rwxatl " << "Loop index: " << i); - result = smack_have_access(APP_TEST_SETTINGS_ASP1, shared_dir_auto_label.c_str(), "rwx"); + /* all apps are getting the label "User" at the moment. Calling smack_have_access with + "User" as an argument is no different from previous call */ + /*result = smack_have_access(APP_TEST_SETTINGS_ASP1, shared_dir_auto_label.c_str(), "rwx"); RUNNER_ASSERT_MSG(result == expected_smack_result, "Not all accesses to App-Setting dir are granted. " << APP_TEST_SETTINGS_ASP1 << " " << shared_dir_auto_label << " rwx. " << "Loop index: " << i); - result = smack_have_access(APP_TEST_SETTINGS_ASP1, APP_ID, "rx"); + result = smack_have_access(APP_TEST_SETTINGS_ASP1, GENERATED_APP_ID, "rx"); RUNNER_ASSERT_MSG(result == expected_smack_result, "Not all accesses to App-Setting dir are granted. " - << APP_TEST_SETTINGS_ASP1 << " " << APP_ID << " rx" - << "Loop index: " << i); + << APP_TEST_SETTINGS_ASP1 << " " << GENERATED_APP_ID << " rx" + << "Loop index: " << i);*/ // Verify that all permissions to public dir have been added // correctly, also to other app - result = smack_have_access(APP_ID, LABEL_FOR_PUBLIC_SHARED_DIRS, "rwxatl"); + result = smack_have_access(GENERATED_APP_ID, LABEL_FOR_PUBLIC_SHARED_DIRS, "rwxatl"); RUNNER_ASSERT_MSG(result == expected_smack_result, "Not all accesses to Group RW dir are granted. Loop index: " << i); @@ -307,14 +311,14 @@ void privilege_control22_app_installation_1x100(bool smack) // check if api-features permissions are added properly result = check_all_accesses(smack, (const rules_t) { - { APP_ID, TEST_OSP_FEATURE_APP_ID, "rxl" }, - { APP_ID, TEST_WGT_FEATURE_APP_ID, "rwxl" } } ); + { GENERATED_APP_ID, TEST_OSP_FEATURE_APP_ID, "rxl" }, + { GENERATED_APP_ID, TEST_WGT_FEATURE_APP_ID, "rwxl" } } ); RUNNER_ASSERT_MSG(result == 1, "Not all permisions from api features added. Loop index: " << i); // revoke permissions - result = perm_app_revoke_permissions(APP_ID); + result = perm_app_revoke_permissions(GENERATED_APP_ID); RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_revoke_permissions. Loop index: " << i << ". Result: " << result); @@ -406,7 +410,9 @@ void privilege_control23_app_installation2_10x10(bool smack) // generate app ids: test_APP0, test_APP1, test_APP2 etc.: for (int i = 0; i < app_count; ++i) { - result = sprintf(app_ids[i], APP_ID "%d", i); + /* Libprivilege-control assigns "User" label to all apps. Replace it when individual labels + are supported. */ + result = sprintf(app_ids[i], GENERATED_APP_ID); RUNNER_ASSERT_MSG(result > 0, "Cannot generate name for app nr: " << i); } @@ -571,9 +577,10 @@ void privilege_control23_app_installation2_10x10(bool smack) DB_END + // All apps have the same label "User" so this check makes no sense. // Verify that some previously installed app does not have // any acces to app 0 and app 5 PRIVATE folders - for (int j = 0; j < app_count; ++j) + /*for (int j = 0; j < app_count; ++j) { // Apps 1-9 should not have any access to app 0 if (j != 0) @@ -598,7 +605,7 @@ void privilege_control23_app_installation2_10x10(bool smack) ") has access to private label of: " << app_ids[5] << ". It may not be shared. Loop index: " << i << "."); } - } // End for Verify PRIVATE + }*/ // End for Verify PRIVATE // Verify that apps 1, 2 and 6 have all accesses to GROUP_RW folders result = check_all_accesses(smack, @@ -648,8 +655,9 @@ void privilege_control23_app_installation2_10x10(bool smack) RUNNER_ASSERT_MSG(result == 1, "Not all accesses to owned Public RO dir are granted. App id: " << app_ids[j] << " Loop index: " << i); + // All apps have the same label "User" so this check makes no sense. // Verify that there are no extra permissions to public dirs - result = check_no_accesses(smack, + /*result = check_no_accesses(smack, (const rules_t) { { app_ids[j], shared_dir7_auto_label.c_str(), "w" }, { app_ids[j], shared_dir7_auto_label.c_str(), "t" }, @@ -657,7 +665,7 @@ void privilege_control23_app_installation2_10x10(bool smack) { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } ); RUNNER_ASSERT_MSG(result == 1, "Unexpected extra permissions added for app:" << app_ids[j] - << ". Loop index: " << i); + << ". Loop index: " << i);*/ } if (j == 7) { @@ -667,8 +675,9 @@ void privilege_control23_app_installation2_10x10(bool smack) RUNNER_ASSERT_MSG(result == 1, "Not all accesses to owned Public RO dir are granted. App id: " << app_ids[j] << " Loop index: " << i); + // All apps have the same label "User" so this check makes no sense. // Verify that there are no extra permissions to public dirs - result = check_no_accesses(smack, + /*result = check_no_accesses(smack, (const rules_t) { { app_ids[j], shared_dir3_auto_label.c_str(), "w" }, { app_ids[j], shared_dir3_auto_label.c_str(), "t" }, @@ -676,7 +685,7 @@ void privilege_control23_app_installation2_10x10(bool smack) { app_ids[j], shared_dir8_auto_label.c_str(), "t" } } ); RUNNER_ASSERT_MSG(result == 1, "Unexpected extra permissions added for app:" << app_ids[j] - << ". Loop index: " << i); + << ". Loop index: " << i);*/ } if (j == 8) { @@ -686,8 +695,9 @@ void privilege_control23_app_installation2_10x10(bool smack) RUNNER_ASSERT_MSG(result == 1, "Not all accesses to owned Public RO dir are granted. App id: " << app_ids[j] << " Loop index: " << i); + // All apps have the same label "User" so this check makes no sense. // Verify that there are no extra permissions to other public dirs - result = check_no_accesses(smack, + /*result = check_no_accesses(smack, (const rules_t) { { app_ids[j], shared_dir3_auto_label.c_str(), "w" }, { app_ids[j], shared_dir3_auto_label.c_str(), "t" }, @@ -695,7 +705,7 @@ void privilege_control23_app_installation2_10x10(bool smack) { app_ids[j], shared_dir7_auto_label.c_str(), "t" } } ); RUNNER_ASSERT_MSG(result == 1, "Unexpected extra permissions added for app:" << app_ids[j] - << ". Loop index: " << i); + << ". Loop index: " << i);*/ } result = check_all_accesses(smack, @@ -738,7 +748,8 @@ void privilege_control23_app_installation2_10x10(bool smack) "Not all accesses to App-Setting dir are granted." << app_ids[9] << " " << setting_dir9_auto_label << " Loop index: " << i); - result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[4], "rx"); + // All apps have the same label "User" so this check makes no sense. + /*result = smack_have_access(APP_TEST_SETTINGS_ASP1, app_ids[4], "rx"); RUNNER_ASSERT_MSG(result == expected_smack_result, "Not all accesses to App-Setting dir are granted." << APP_TEST_SETTINGS_ASP1 << " " << app_ids[4] @@ -757,7 +768,7 @@ void privilege_control23_app_installation2_10x10(bool smack) RUNNER_ASSERT_MSG(result == expected_smack_result, "Not all accesses to App-Setting dir are granted." << APP_TEST_SETTINGS_ASP1 << " " << setting_dir9_auto_label - << " Loop index: " << i); + << " Loop index: " << i);*/ @@ -802,8 +813,9 @@ void privilege_control23_app_installation2_10x10(bool smack) DB_END + // All apps have the same label "User" so this check makes no sense. // Check if permissions are removed properly - for (int j = 0; j < app_count; ++j) + /*for (int j = 0; j < app_count; ++j) { // To all other apps for (int k = 0; k < app_count; ++k) @@ -816,7 +828,7 @@ void privilege_control23_app_installation2_10x10(bool smack) "Not all permisions revoked. Subject: " << app_ids[j] << " Object: " << app_ids[k] << " Loop index: " << i); } - } + }*/ DB_BEGIN -- 2.7.4