2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Pawel Polawski (p.polawski@samsung.com)
20 * @author Jan Olszak (j.olszak@samsung.com)
22 * @brief libprivilege test runer
29 #include <dpl/test/test_runner.h>
30 #include <dpl/test/test_runner_multiprocess.h>
31 #include <dpl/log/log.h>
32 #include <sys/types.h>
35 #include <sys/smack.h>
36 #include <sys/xattr.h>
37 #include <sys/socket.h>
41 #include "tests_common.h"
42 #include <access_provider.h>
44 #define TEST_SUBJECT "test_subject"
45 #define TEST_OBJECT "test_oject"
46 #define TEST_OBJECT_2 "test_oject_2"
48 #define SOCK_PATH "/tmp/test-smack-socket"
50 std::string testDir = "/opt/home/app/";
51 std::vector<std::string> accessesBasic = { "r", "w", "x", "wx", "rx", "rw", "rwx", "rwxat" };
53 int files_compare(int fd1, int fd2)
57 //for getting files sizes
61 void *h1 = MAP_FAILED;
62 void *h2 = MAP_FAILED;
64 //getting files information
65 if (fstat(fd1, &fs1) == -1) {
69 if (fstat(fd2, &fs2) == -1) {
74 if (fs1.st_size != fs2.st_size) //if files are identical size will be the same
77 //mapping files to process memory
78 if ((h1 = mmap(0, fs1.st_size, PROT_READ, MAP_SHARED, fd1, 0 )) == MAP_FAILED) {
82 if ((h2 = mmap(0, fs2.st_size, PROT_READ, MAP_SHARED, fd2, 0 )) == MAP_FAILED) {
87 result = memcmp(h1, h2, fs1.st_size);
89 //cleaning after mmap()
92 munmap(h2, fs2.st_size);
94 munmap(h1, fs1.st_size);
100 RUNNER_TEST_GROUP_INIT(libsmack)
102 * Helper method to reset privileges at the begginning of tests.
106 struct smack_accesses *rules = NULL;
107 int result = smack_accesses_new(&rules);
108 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
111 smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","rwxat");
112 smack_accesses_apply(rules);
113 smack_accesses_free(rules);
116 RUNNER_ASSERT_MSG_BT(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") != 1, "Rule has previous privileges after cleaning up!");
117 RUNNER_ASSERT_MSG_BT(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"w") != 1, "Rule has previous privileges after cleaning up!");
118 RUNNER_ASSERT_MSG_BT(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"x") != 1, "Rule has previous privileges after cleaning up!");
119 RUNNER_ASSERT_MSG_BT(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"a") != 1, "Rule has previous privileges after cleaning up!");
120 RUNNER_ASSERT_MSG_BT(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"t") != 1, "Rule has previous privileges after cleaning up!");
124 * Checking if subject has any access to object
126 bool checkNoAccesses(const char *subject, const char *object)
129 result = smack_have_access(subject, object,"r");
133 result = smack_have_access(subject, object,"w");
137 result = smack_have_access(subject, object,"x");
141 result = smack_have_access(subject, object,"a");
145 result = smack_have_access(subject, object,"t");
152 void removeAccessesAll()
154 struct smack_accesses *rules = NULL;
155 int result = smack_accesses_new(&rules);
156 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
158 result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_01", "", "rxwat");
159 result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_02", "", "rxwat");
160 result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_03", "", "rxwat");
161 result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_01", "", "rxwat");
162 result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_02", "", "rxwat");
163 result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_03", "", "rxwat");
164 result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_01", "", "rxwat");
165 result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_02", "", "rxwat");
166 result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_03", "", "rxwat");
168 smack_accesses_apply(rules);
169 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
170 smack_accesses_free(rules);
175 * Add a new access with smack_accesses_add_modify()
177 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_1){
182 struct smack_accesses *rules = NULL;
183 result = smack_accesses_new(&rules);
186 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"xr","");
187 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add modify by empty rules");
188 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
190 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"xr");
191 RUNNER_ASSERT_MSG_BT(result == 1, "Rule modified (added 'xr'), but no change made.");
195 smack_accesses_free(rules);
200 * Test if rules are applied in the right order, and modification works.
202 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_2){
204 struct smack_accesses *rules = NULL;
205 result = smack_accesses_new(&rules);
206 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
211 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"r","");
212 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
214 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
215 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
217 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
218 RUNNER_ASSERT_MSG_BT(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 0, "Modification didn't work");
222 smack_accesses_free(rules);
227 * Test if rules are applied in the right order, and modification works.
228 * Using different smack_accesses list to add and delete.
230 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_3){
232 struct smack_accesses *rules = NULL;
233 result = smack_accesses_new(&rules);
234 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
240 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"r","");
241 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
242 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
243 RUNNER_ASSERT_MSG_BT(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 1, "Adding privileges didn't work");
244 smack_accesses_free(rules);
246 // Revoke r privilege
247 result = smack_accesses_new(&rules);
248 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
249 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
250 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
251 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
253 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
254 RUNNER_ASSERT_MSG_BT(result == 0, "Modification didn't work, rule has still 'r' privileges.");
258 smack_accesses_free(rules);
262 * Add a list of privileges and then revoke just ONE of them.
264 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_4){
266 struct smack_accesses *rules = NULL;
267 result = smack_accesses_new(&rules);
268 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
273 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwxat","");
274 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
275 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
277 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
278 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
279 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
281 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
282 RUNNER_ASSERT_MSG_BT(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
283 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
284 RUNNER_ASSERT_MSG_BT(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
288 smack_accesses_free(rules);
292 * Add a list of privileges and then revoke just ONE of them.
293 * Without applying privileges in between those actions.
295 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_5){
297 struct smack_accesses *rules = NULL;
298 result = smack_accesses_new(&rules);
299 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
304 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwxat","");
305 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
307 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
308 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
309 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
311 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
312 RUNNER_ASSERT_MSG_BT(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
313 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
314 RUNNER_ASSERT_MSG_BT(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
318 smack_accesses_free(rules);
323 * Add a list of privileges and then revoke just TWO of them.
325 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_6){
327 struct smack_accesses *rules = NULL;
328 result = smack_accesses_new(&rules);
329 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
334 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwt","");
335 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
336 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
338 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"ax","rt");
339 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule.");
340 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
342 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"wax");
343 RUNNER_ASSERT_MSG_BT(result == 1, "Modification didn't work. Rule should have 'wax' privileges.");
344 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
345 RUNNER_ASSERT_MSG_BT(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
349 smack_accesses_free(rules);
353 * Run smack_accesses_add_modify with the same accesses_add and accesses_del.
355 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_7){
359 struct smack_accesses *rules = NULL;
361 for (i = 0; i < accessesBasic.size(); ++i) {
362 result = smack_accesses_new(&rules);
363 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
365 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str(),accessesBasic[i].c_str());
366 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify accesses instance");
367 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
369 RUNNER_ASSERT_MSG_BT(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
370 " Error while checking smack access. Accesses exist.");
374 smack_accesses_free(rules);
379 * Revoke subject with previously added rules and revoke it again.
381 RUNNER_TEST_SMACK(smack_revoke_subject_test_1){
385 struct smack_accesses *rules = NULL;
387 for (i = 0; i < accessesBasic.size(); ++i) {
388 // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
389 result = smack_accesses_new(&rules);
390 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
391 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str(),"");
392 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str(),"");
393 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify accesses instance");
394 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
395 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
396 RUNNER_ASSERT_MSG_BT(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
397 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
398 RUNNER_ASSERT_MSG_BT(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
401 result = smack_revoke_subject(TEST_SUBJECT);
402 RUNNER_ASSERT_MSG_BT(result == 0, "Revoking subject didn't work.");
404 RUNNER_ASSERT_MSG_BT(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
405 " Revoke didn't work. Accesses exist.");
406 RUNNER_ASSERT_MSG_BT(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
407 " Revoke didn't work. Accesses exist.");
410 // Revoking subject again
411 result = smack_revoke_subject(TEST_SUBJECT);
412 RUNNER_ASSERT_MSG_BT(result == 0, "Revoking subject didn't work.");
414 RUNNER_ASSERT_MSG_BT(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
415 " Revoke didn't work. Accesses exist.");
416 RUNNER_ASSERT_MSG_BT(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
417 " Revoke didn't work. Accesses exist.");
419 smack_accesses_free(rules);
426 RUNNER_TEST_SMACK(smack_accesses_clear_test_1){
430 struct smack_accesses *rules = NULL;
432 for (i = 0; i < accessesBasic.size(); ++i) {
433 // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
434 result = smack_accesses_new(&rules);
435 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
436 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
437 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify accesses instance");
438 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
439 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify accesses instance");
440 RUNNER_ASSERT_MSG_BT(smack_accesses_apply(rules) == 0, "Unable to apply rules");
442 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
443 RUNNER_ASSERT_MSG_BT(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
444 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
445 RUNNER_ASSERT_MSG_BT(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
447 smack_accesses_free(rules);
449 // Creating and clearing rules with TEST_OBJECT
450 result = smack_accesses_new(&rules);
451 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
452 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
453 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify accesses instance");
454 result = smack_accesses_clear(rules);
455 RUNNER_ASSERT_MSG_BT(result == 0, "Clearing rules didn't work.");
457 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
458 RUNNER_ASSERT_MSG_BT(result == 0, "Clearing rules didn't work. Rule " << accessesBasic[i].c_str() << " does exist.");
459 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
460 RUNNER_ASSERT_MSG_BT(result == 1, "Clearing rules didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
462 smack_accesses_free(rules);
464 // Creating and clearing rules with TEST_OBJECT_2
465 result = smack_accesses_new(&rules);
466 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
468 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
469 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify accesses instance");
470 result = smack_accesses_clear(rules);
471 RUNNER_ASSERT_MSG_BT(result == 0, "Clearing rules didn't work.");
473 smack_accesses_free(rules);
475 RUNNER_ASSERT_MSG_BT(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
476 " Clear didn't work. Accesses exist.");
477 RUNNER_ASSERT_MSG_BT(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
478 " Clear didn't work. Accesses exist.");
482 RUNNER_TEST(smack01_storing_and_restoring_rules)
485 * author: Pawel Polawski
486 * test: smack_accesses_new, smack_accesses_add, smack_accesses_add_modify, smack_accesses_add_from_file,
487 * smack_accesses_free, smack_accesses_save
488 * description: This test case will create structure holding SMACK rules and add new one to it. Next rules will be
489 * stored and restored from file.
490 * expect: Rules created and stored in file should be identical to predefined template.
493 struct smack_accesses *rules = NULL; //rules prepared in this test case
494 struct smack_accesses *import_test = NULL; //rules imported from file
496 int result; //result of each operation to be tested by RUNNER_ASSERT
497 int fd, tmp, sample; //file descripptors for save / restore rules tests
499 //int smack_accesses_new(struct smack_accesses **accesses);
500 result = smack_accesses_new(&rules); //rules struct init
501 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
502 result = smack_accesses_new(&import_test); //rules struct init
503 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
506 fd = open("/tmp/smack01_rules", O_RDWR | O_CREAT | O_TRUNC, 0644); //for export prepared rules
507 RUNNER_ASSERT_MSG_BT(fd >= 0, "Unable to create /tmp/smack01_rules");
508 tmp = open("/tmp/smack01_tmp", O_RDWR | O_CREAT | O_TRUNC, 0644); //for import rules exported before
509 RUNNER_ASSERT_MSG_BT(fd >= 0, "Unable to create /tmp/smack01_tmp");
510 sample = open("/etc/smack/test_smack_rules", O_RDONLY, 0644); //reference preinstalled rules
511 RUNNER_ASSERT_MSG_BT(sample >= 0, "Unable to open /etc/smack/test_smack_rules");
513 //int smack_accesses_add(struct smack_accesses *handle, const char *subject,
514 // const char *object, const char *access_type);
515 result = smack_accesses_add(rules, "writer", "book", "rw");
516 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
517 result = smack_accesses_add(rules, "reader", "book", "wx");
518 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
520 //int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
521 // const char *object, const char *access_add, const char *access_del);
522 result = smack_accesses_add_modify(rules, "reader", "book", "r", "wx");
523 RUNNER_ASSERT_MSG_BT(0 == result, "Unable to modify smack rules");
525 //int smack_accesses_save(struct smack_accesses *handle, int fd);
526 result = smack_accesses_save(rules, fd);
527 RUNNER_ASSERT_MSG_BT(0 == result, "Unable to save smack_accesses instance in file");
529 //int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd);
530 result = lseek(fd, 0, SEEK_SET);
531 RUNNER_ASSERT_MSG_BT(result == 0, "lseek() error");
532 result = smack_accesses_add_from_file(import_test, fd);
533 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to import rules from file");
535 result = smack_accesses_save(import_test, tmp);
536 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to save smack_accesses instance in file");
538 result = files_compare(fd, tmp); //comparing rules saved in file, restored from it and stored one more time
539 RUNNER_ASSERT_MSG_BT(result == 0, "No match in stored and restored rules");
541 result = files_compare(tmp, sample); //comparing rules stored in file with reference preinstalled rules
542 RUNNER_ASSERT_MSG_BT(result == 0, "No match in stored rules and pattern file");
544 //void smack_accesses_free(struct smack_accesses *handle);
545 smack_accesses_free(rules);
546 smack_accesses_free(import_test);
548 //closing file descriptors
554 RUNNER_TEST_SMACK(smack02_aplying_rules_into_kernel)
557 * author: Pawel Polawski
558 * test: smack_accesses_apply, smack_have_access, smack_revoke_subject, smack_accesses_clear, smack_accesses_new,
559 * smack_accesses_add, smack_accesses_free
560 * description: In this test case aplying rules to kernel will be tested. After that function for test
561 * accesses will be used.
562 * expect: In case of correct rules access should be granted.
565 //CAP_MAC_ADMIN needed for process to be able to change rules in kernel (apllying, removing)
567 struct smack_accesses *rules = NULL; //rules prepared in this test case
568 int result; //for storing functions results
570 result = smack_accesses_new(&rules); //rules struct init
571 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
573 //adding test rules to struct
574 result = smack_accesses_add(rules, "writer", "book", "rwx");
575 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
576 result = smack_accesses_add(rules, "reader", "book", "r");
577 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
578 result = smack_accesses_add(rules, "spy", "book", "rwx");
579 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
581 //int smack_accesses_apply(struct smack_accesses *handle);
582 result = smack_accesses_apply(rules); //applying rules to kernel
583 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to apply rules into kernel");
585 //int smack_have_access(const char *subject, const char *object,
586 // const char *access_type);
587 result = smack_have_access("spy", "book", "rwx"); //should have access - rule exist
588 RUNNER_ASSERT_MSG_BT(result == 1, "Error while checking Smack access");
589 result = smack_have_access("reader", "book", "rwx"); //should have no access - wrong rule, should be "r" only
590 RUNNER_ASSERT_MSG_BT(result == 0, "Error while checking Smack access");
591 result = smack_have_access("s02badsubjectlabel", "book", "rwx"); //should fail - rule not exist
592 RUNNER_ASSERT_MSG_BT(result == -1, "Error while checking Smack access");
594 //int smack_revoke_subject(const char *subject);
595 result = smack_revoke_subject("s02nonexistinglabel"); //this subject do not exist in kernel rules
596 RUNNER_ASSERT_MSG_BT(result == 0, "Error in removing not existing subject from kernel");
597 result = smack_revoke_subject("spy"); //this subject exist in kernel rules
598 RUNNER_ASSERT_MSG_BT(result == 0, "Error in removing existing subject from kernel");
600 result = smack_have_access("spy", "book", "rwx"); //testing access after revoke_subject() from kernel
601 RUNNER_ASSERT_MSG_BT(result == 0, "Error in acces aplied to kernel"); //now spy should have no access
603 //for create new rule as a consequence of use accesses_clear() below
604 result = smack_accesses_add(rules, "s02subjectlabel", "book", "rwx");
605 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
607 //int smack_accesses_clear(struct smack_accesses *handle);
608 result = smack_accesses_clear(rules); //"spy" removed before by using smack_revoke_subject()
609 RUNNER_ASSERT_MSG_BT(result == 0, "Error in clearing rules in kernel");
611 result = smack_have_access("writer", "book", "rwx"); //testing acces after acces_clear()
612 RUNNER_ASSERT_MSG_BT(result == 0, "Error in acces aplied to kernel"); //now writer also should have no access
615 smack_accesses_free(rules);
618 //pairs of rules for test with mixed cases, different length and mixed order
619 const char *rules_tab[] = {
620 "reader1", "-", "-----",
621 "reader2", "--------", "-----",
622 "reader3", "RwXaT", "rwxat",
623 "reader4", "RrrXXXXTTT", "r-x-t",
624 "reader5", "-r-w-a-t", "rw-at",
625 "reader6", "", "-----",
626 "reader7", "xa--Rt---W", "rwxat",
627 "reader8", "#Ax[T].!~W@1}", "-wxat"
630 RUNNER_TEST_SMACK(smack03_mixed_rule_string_add)
633 * author: Pawel Polawski
634 * test: smack_have_access, smack_accesses_new, smack_accesses_add, smack_accesses_apply, smack_accesses_free
635 * description: In thist test case rules based on mixed string are added to kernel.
636 * Strings are presented above and contains lower / upper case alpha, numbers and special signs.
637 * expect: Rules should be parsed correct and aplied to kernel.
640 //In thist test case mixed string are used as rules applied to kernel, next they are
641 //readed and compared with correct form of rules
643 struct smack_accesses *rules = NULL; //rules prepared in this test case
644 int result; //for storing functions results
648 result = smack_accesses_new(&rules); //rules struct init
649 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
651 //adding test rules with mixed string
652 for (i = 0; i < (3 * 8); i += 3) {
653 result = smack_accesses_add(rules, rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
654 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
658 //FIXME: Using clear() here can cover error in accesses_apply() function
659 //result = smack_accesses_clear(rules);
660 //RUNNER_ASSERT_MSG_BT(result == 0, "Error in clearing rules in kernel");
662 //applying rules to kernel
663 result = smack_accesses_apply(rules);
664 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to apply rules into kernel");
666 //checking accesses using normal rules
667 for (i = 0; i < (3 * 8); i += 3) {
668 if (!strcmp(rules_tab[i + 2], "-----"))
672 result = smack_have_access(rules_tab[i], "book", rules_tab[i + 2]); //using normal rules from table
673 RUNNER_ASSERT_MSG_BT(result == expected, "Error while checking Smack access");
677 smack_accesses_free(rules);
680 RUNNER_TEST_SMACK(smack04_mixed_rule_string_have_access)
683 * author: Pawel Polawski
684 * test: smack_have_access
685 * description: In this test case we testing aplied before SMACK rules and comparing them using mixed strings.
686 * expect: Subjects should have accesses to the objects.
689 //In this test case we checking previous aplied rules but for compare mixed strings are used
695 //rules were added in previous RUNNER_TEST section
696 //checking accesses using mixed rules
697 for (i = 0; i < (3 * 8); i += 3) {
698 if (!strcmp(rules_tab[i + 2], "-----"))
702 result = smack_have_access(rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
703 RUNNER_ASSERT_MSG_BT(result == expected, "Error while checking Smack access");
707 //RUNNER_TEST(smackXX_accesses_add_modify)
710 // - what if we want to apply rule that is already in kernel?
711 // - tests for smack_accesses_add_modify() + smack_have_access() (check if add_modify sets the proper rule)
712 // - smack_accesses_add_modify("subject", "object", "rwx", "rwx") should create empty rule
715 RUNNER_TEST_SMACK(smack05_self_label)
718 * author: Pawel Polawski
719 * test: smack_set_label_for_self, smack_new_label_from_self
720 * description: In this test case process test it own default label. Next label is changed
721 * and tested one more time if change was successfull.
722 * expect: Proces should have default "-" label and can change it to the oter one.
725 //In this test case process will manipulate it own label
731 const int B_SIZE = 8;
734 const char *def_rule = "_";
736 //int smack_new_label_from_self(char **label);
737 result = smack_new_label_from_self(&label);
738 RUNNER_ASSERT_MSG_BT(result >= 0, "Error in getting self label");
740 //comparing this label with default one "_"
741 result = strcmp(label, def_rule);
742 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong default process label");
744 //comparing this rule with received from /proc/self/attr/current
745 fd = open("/proc/self/attr/current", O_RDONLY, 0644);
746 RUNNER_ASSERT_MSG_BT(fd >= 0, "Unable to open /proc/self/attr/current");
747 result = read(fd, buff, B_SIZE);
748 RUNNER_ASSERT_MSG_BT(result >= 0, "Error in reading from file /proc/self/attr/current");
749 result = strncmp(buff, def_rule, result);
750 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong default process rule");
754 //now time for setting labels:
756 //int smack_set_label_for_self(const char *label);
757 result = smack_set_label_for_self("cola");
758 RUNNER_ASSERT_MSG_BT(result == 0, "Error in setting self label");
760 //checking new label using smack function
761 result = smack_new_label_from_self(&label);
762 RUNNER_ASSERT_MSG_BT(result >= 0, "Error in getting self label");
763 result = strcmp(label, "cola");
764 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong process label");
766 //checking new label using /proc/self/attr/current
767 result = lseek(fd, 0, SEEK_SET); //going to the file beginning
768 RUNNER_ASSERT_MSG_BT(result == 0, "lseek() error");
769 result = read(fd, buff, B_SIZE);
770 RUNNER_ASSERT_MSG_BT(result >= 0, "Error in reading from file /proc/self/attr/current");
771 result = strncmp(buff, "cola", result);
772 RUNNER_ASSERT_MSG_BT(result == 0, "Proces rule in /proc/self/attr/current other than set");
778 //RUNNER_TEST(smackXX_parent_child_label)
780 //In this test case parent process and child labels will be tested
781 //Parent will fork and check child's label. First fork will be with default "_" parent label,
782 //second one witch changed label.
785 //bellow function is from libsmack.c witch changed name
786 const char *xattr(enum smack_label_type type)
789 case SMACK_LABEL_ACCESS:
790 return "security.SMACK64";
791 case SMACK_LABEL_EXEC:
792 return "security.SMACK64EXEC";
793 case SMACK_LABEL_MMAP:
794 return "security.SMACK64MMAP";
795 case SMACK_LABEL_TRANSMUTE:
796 return "security.SMACK64TRANSMUTE";
797 case SMACK_LABEL_IPIN:
798 return "security.SMACK64IPIN";
799 case SMACK_LABEL_IPOUT:
800 return "security.SMACK64IPOUT";
802 /* Should not reach this point */
807 //TODO: In bellow RUNNER_TEST add lget / lset functions to be testet the same way as normal get / set
808 RUNNER_TEST(smack06_get_set_label)
811 * author: Pawel Polawski
812 * test: smack_getlabel, smack_setlabel
813 * description: In this test case file label is tested using SMACK API functions and system xattr functions.
814 * Functions tested here is used for normal files.
815 * expect: Function should return default label, and the new one after change it.
818 //In this test case will be tested setting and getting file label
819 //If file is symbolic link functions should follow it
821 //SMACK xattr from libsmack.c:
823 //case SMACK_LABEL_ACCESS:
824 // return "security.SMACK64";
825 //case SMACK_LABEL_EXEC:
826 // return "security.SMACK64EXEC";
827 //case SMACK_LABEL_MMAP:
828 // return "security.SMACK64MMAP";
829 //case SMACK_LABEL_TRANSMUTE:
830 // return "security.SMACK64TRANSMUTE";
831 //case SMACK_LABEL_IPIN:
832 // return "security.SMACK64IPIN";
833 //case SMACK_LABEL_IPOUT:
834 // return "security.SMACK64IPOUT";
839 char buff[SMACK_LABEL_LEN+1];
840 const char* s06testlabel = "s06testlabel";
842 const char *file_path = "/etc/smack/test_smack_rules";
845 //preparing environment by restoring default "_" label
846 result = smack_setlabel(file_path, "_", SMACK_LABEL_ACCESS);
847 RUNNER_ASSERT_MSG_BT(result == 0, "Error in setting ACCESS label for file");
850 //int smack_getlabel(const char *path, char** label,
851 // enum smack_label_type type);
852 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
853 RUNNER_ASSERT_MSG_BT(result == 0, "Error in getting smack ACCESS label from file");
854 //get label, should be default "_"
855 result = strcmp(label, "_");
856 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file default label");
858 //get label using xattr function
859 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, SMACK_LABEL_LEN);
860 RUNNER_ASSERT_MSG_BT(result > 0, "Error in getting xattr from file");
861 //check label, should match the one readed by smack function
862 result = strncmp(buff, "_", result);
863 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file default label");
866 //int smack_setlabel(const char *path, const char* label,
867 // enum smack_label_type type);
868 result = smack_setlabel(file_path, s06testlabel, SMACK_LABEL_ACCESS);
869 RUNNER_ASSERT_MSG_BT(result == 0, "Error in setting ACCESS label for file");
872 //get label using smack function
873 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
874 RUNNER_ASSERT_MSG_BT(result == 0, "Error in getting smack ACCESS label from file");
875 //get label, should be default s06testlabel
876 result = strcmp(label, s06testlabel);
877 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file label");
879 //get label using xattr function
880 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, SMACK_LABEL_LEN);
881 RUNNER_ASSERT_MSG_BT(result > 0, "Error in getting xattr from file");
882 //check label, should match the one readed by smack function
883 result = strncmp(buff, s06testlabel, result);
884 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file label");
887 //RUNNER_TEST(smackXX_get_label_exec)
889 //In this test case EXEC label will be tested
890 //by setting this type of label, reading it and testing executed binary exit status
893 RUNNER_TEST(smack07_l_get_set_label)
896 * author: Pawel Polawski
897 * test: smack_lgetlabel, smack_lsetlabel, smack_getlabel
898 * description: Functions tested here are similar to one from previous test case. The difference
899 * is that in case of symbolic link they follows it and operates on file pointed by it.
900 * expect: All label manipulations should affect file pointed by symbolic link.
906 char buff[SMACK_LABEL_LEN+1];
907 const char* s07testlabel1 = "s07testlabel1";
908 const char* s07testlabel2 = "s07testlabel2";
910 const char *file_path = "/etc/smack/test_smack_rules_lnk";
913 //preparing environment by restoring default "_" label
914 result = smack_lsetlabel(file_path, "_", SMACK_LABEL_ACCESS);
915 RUNNER_ASSERT_MSG_BT(result == 0, "Error in setting ACCESS label for file");
916 result = smack_setlabel(file_path, "_", SMACK_LABEL_ACCESS);
917 RUNNER_ASSERT_MSG_BT(result == 0, "Error in setting ACCESS label for file");
920 //int smack_lgetlabel(const char *path, char** label,
921 // enum smack_label_type type);
922 result = smack_lgetlabel(file_path, &label, SMACK_LABEL_ACCESS);
923 RUNNER_ASSERT_MSG_BT(result == 0, "Error in getting smack ACCESS label from file");
924 //get label of symbolic link, should be default "_"
925 result = strcmp(label, "_");
926 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file default label");
928 //get label using xattr function
929 result = lgetxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, SMACK_LABEL_LEN);
930 RUNNER_ASSERT_MSG_BT(result > 0, "Error in getting xattr from file");
931 //check label, should match the one readed by smack function
932 result = strncmp(buff, "_", result);
933 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file default label");
936 //int smack_lsetlabel(const char *path, const char* label,
937 // enum smack_label_type type);
938 result = smack_lsetlabel(file_path, s07testlabel1, SMACK_LABEL_ACCESS);
939 RUNNER_ASSERT_MSG_BT(result == 0, "Error in setting ACCESS label for file");
940 //and set label for file pointed by link
941 result = smack_setlabel(file_path, s07testlabel2, SMACK_LABEL_ACCESS);
942 RUNNER_ASSERT_MSG_BT(result == 0, "Error in setting ACCESS label for file");
945 //get label using smack function
946 result = smack_lgetlabel(file_path, &label, SMACK_LABEL_ACCESS);
947 RUNNER_ASSERT_MSG_BT(result == 0, "Error in getting smack ACCESS label from file");
948 //check label, should be s07testlabel1
949 result = strcmp(label, s07testlabel1);
950 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file label");
952 //get label using xattr function
953 result = lgetxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, SMACK_LABEL_LEN);
954 RUNNER_ASSERT_MSG_BT(result > 0, "Error in getting xattr from file");
955 //check label, should match the one readed by smack function
956 result = strncmp(buff, s07testlabel1, result);
957 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file label");
960 //now similar to above, but folowing symbolic link set before to s07testlabel2
961 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
962 RUNNER_ASSERT_MSG_BT(result == 0, "Error gettin label of file pointed by symbolic link");
963 //now label should be s07testlabel2 for file instead of s07testlabel1 set for link
964 result = strcmp(label, s07testlabel2);
965 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong label of file pointed by symbolic link");
967 //get label using xattr function
968 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, SMACK_LABEL_LEN);
969 RUNNER_ASSERT_MSG_BT(result > 0, "Error in getting xattr from file");
970 //check label, should match the one readed by smack function
971 result = strncmp(buff, s07testlabel2, result);
972 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file label");
975 RUNNER_TEST(smack08_f_get_set_label)
978 * author: Pawel Polawski
979 * test: smack_fgetlabel, smack_fsetlabel
980 * description: This test case is similar to test case smack06 above. The difference
981 * is that argument is file descriptor instead of file path.
982 * Function not follow symbolic link and operates directly on it.
983 * expect: All label manipulations should affect symbolic link itself.
989 char buff[SMACK_LABEL_LEN+1];
990 const char* s08testlabel = "s08testlabel";
993 const char *file_path = "/etc/smack/test_smack_rules";
995 fd = open(file_path, O_RDWR, 0644); //reference preinstalled rules
996 RUNNER_ASSERT_MSG_BT(fd >= 0, "Unable to open /etc/smack/test_smack_rules");
998 //preparing environment by restoring default "_" label
999 result = smack_fsetlabel(fd, "_", SMACK_LABEL_ACCESS);
1000 RUNNER_ASSERT_MSG_BT(result == 0, "Error in setting ACCESS label for file");
1003 //int smack_fgetlabel(int fd, char** label,
1004 // enum smack_label_type type);
1005 result = smack_fgetlabel(fd, &label, SMACK_LABEL_ACCESS);
1006 RUNNER_ASSERT_MSG_BT(result == 0, "Error in getting smack ACCESS label from file");
1007 //check label, should be "_"
1008 result = strcmp(label, "_");
1009 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file default label");
1011 //get label using xattr function
1012 result = fgetxattr(fd, xattr(SMACK_LABEL_ACCESS), buff, SMACK_LABEL_LEN);
1013 RUNNER_ASSERT_MSG_BT(result > 0, "Error in getting xattr from file");
1014 //check label, should match the one readed by smack function
1015 result = strncmp(buff, "_", result);
1016 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file default label");
1019 //int smack_fsetlabel(int fd, const char* label,
1020 // enum smack_label_type type);
1021 result = smack_fsetlabel(fd, s08testlabel, SMACK_LABEL_ACCESS);
1022 RUNNER_ASSERT_MSG_BT(result == 0, "Error in setting ACCESS label for file");
1025 //get label using smack function
1026 result = smack_fgetlabel(fd, &label, SMACK_LABEL_ACCESS);
1027 RUNNER_ASSERT_MSG_BT(result == 0, "Error in getting smack ACCESS label from file");
1028 //check label, should be s08testlabel
1029 result = strcmp(label, s08testlabel);
1030 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file label");
1032 //get label using xattr function
1033 result = fgetxattr(fd, xattr(SMACK_LABEL_ACCESS), buff, SMACK_LABEL_LEN);
1034 RUNNER_ASSERT_MSG_BT(result > 0, "Error in getting xattr from file");
1035 //check label, should match the one readed by smack function
1036 result = strncmp(buff, s08testlabel, result);
1037 RUNNER_ASSERT_MSG_BT(result == 0, "Wrong file label");
1043 RUNNER_TEST_SMACK(smack10_adding_removing_rules)
1048 struct smack_accesses *rulesBasic = NULL;
1050 for (i = 0; i < accessesBasic.size(); ++i)
1053 result = smack_accesses_new(&rulesBasic);
1054 RUNNER_ASSERT_MSG_BT(result == 0, "Error while creating new accesses. Result: " << result);
1057 result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1058 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1061 result = smack_accesses_apply(rulesBasic);
1062 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1064 // Checking if accesses were created
1065 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1066 RUNNER_ASSERT_MSG_BT(result == 1,
1067 " Error while checking smack access. Result: " << result);
1069 smack_accesses_free(rulesBasic);
1072 // Deleting all rules
1076 for (i = 0; i < 3; ++i)
1078 // --- Creating rules (r or w or x)
1079 result = smack_accesses_new(&rulesBasic);
1080 RUNNER_ASSERT_MSG_BT(result == 0, "Error while creating new accesses. Result: " << result);
1083 result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1084 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add rulesBasic. Result: " << result);
1087 result = smack_accesses_apply(rulesBasic);
1088 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1089 // Checking if accesses were created
1090 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1091 RUNNER_ASSERT_MSG_BT(result == 1,
1092 " Error while checking smack access. Result: " << result);
1094 // Checking if wrong accesses were not created
1095 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
1096 RUNNER_ASSERT_MSG_BT(result == 0,
1097 " Error while checking smack access. Result: " << result);
1099 // --- Modifying accesses (r for wx or w for rx or x for rw)
1100 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i + 3].c_str(),accessesBasic[i].c_str());
1101 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1104 result = smack_accesses_apply(rulesBasic);
1105 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1107 // Checking if accesses were created
1108 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
1109 RUNNER_ASSERT_MSG_BT(result == 1,
1110 " Error while checking smack access. Result: " << result);
1112 // Checking if wrong accesses were not created
1113 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1114 RUNNER_ASSERT_MSG_BT(result == 0,
1115 " Error while checking smack access. Result: " << result);
1117 smack_accesses_free(rulesBasic);
1120 // --- Creating complementary rules (r or w or x)
1121 result = smack_accesses_new(&rulesBasic);
1122 RUNNER_ASSERT_MSG_BT(result == 0, "Error while creating new accesses. Result: " << result);
1125 result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1126 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add rulesBasic. Result: " << result);
1128 // Checking if accesses were created
1129 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
1130 RUNNER_ASSERT_MSG_BT(result == 1,
1131 " Error while checking smack access. Result: " << result);
1134 result = smack_accesses_apply(rulesBasic);
1135 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1137 // Checking if accesses were created
1138 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1139 RUNNER_ASSERT_MSG_BT(result == 1,
1140 " Error while checking smack access. Result: " << result);
1142 // --- Modifying accesses (adding rwx and removing r or w or x)
1143 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,"rwx",accessesBasic[i].c_str());
1144 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1147 result = smack_accesses_apply(rulesBasic);
1148 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1150 // Checking if accesses were created
1151 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
1152 RUNNER_ASSERT_MSG_BT(result == 1,
1153 " Error while checking smack access. Result: " << result);
1155 // Checking if wrong accesses were not created
1156 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1157 RUNNER_ASSERT_MSG_BT(result == 0,
1158 " Error while checking smack access. Result: " << result);
1160 // --- Adding crossing accesses (rx or rw or wx)
1161 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,accessesBasic[3 + ((i + 1) % 3)].c_str(),"");
1162 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1165 result = smack_accesses_apply(rulesBasic);
1166 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1168 // Checking if accesses were created
1169 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[3 + ((i + 1) % 3)].c_str());
1170 RUNNER_ASSERT_MSG_BT(result == 1,
1171 " Error while checking smack access. Result: " << result);
1173 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx");
1174 RUNNER_ASSERT_MSG_BT(result == 1,
1175 " Error while checking smack access. Result: " << result);
1177 // Deleting all rules
1178 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,"","rwx");
1179 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1181 result = smack_accesses_apply(rulesBasic);
1182 RUNNER_ASSERT_MSG_BT(result == 0, "Error while checking smack access. Result: " << result);
1184 smack_accesses_free(rulesBasic);
1187 // Deleting all rules
1192 RUNNER_TEST_SMACK(smack11_saving_loading_rules)
1197 struct smack_accesses *rulesBasic = NULL;
1200 removeAccessesAll();
1203 result = smack_accesses_new(&rulesBasic);
1204 RUNNER_ASSERT_MSG_BT(result == 0, "Error while creating new accesses. Result: " << result);
1206 // Loading file with rwxat rules - test_smack_rules_full
1207 fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
1208 RUNNER_ASSERT_MSG_BT(fd >= 0, "Unable to open /etc/smack/test_smack_rules_full");
1210 // Adding rules from file
1211 result = smack_accesses_add_from_file(rulesBasic, fd);
1213 RUNNER_ASSERT_MSG_BT(result == 0, "Error importing accesses from file");
1216 result = smack_accesses_apply(rulesBasic);
1217 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1220 result = smack_have_access("test_subject_01", "test_object_01", "rwxat");
1221 RUNNER_ASSERT_MSG_BT(result == 1,
1222 " Error while checking smack accesses.");
1223 result = smack_have_access("test_subject_01", "test_object_02", "rwxat");
1224 RUNNER_ASSERT_MSG_BT(result == 1,
1225 " Error while checking smack accesses.");
1226 result = smack_have_access("test_subject_01", "test_object_03", "rwxat");
1227 RUNNER_ASSERT_MSG_BT(result == 1,
1228 " Error while checking smack accesses.");
1229 result = smack_have_access("test_subject_02", "test_object_01", "rwxat");
1230 RUNNER_ASSERT_MSG_BT(result == 1,
1231 " Error while checking smack accesses.");
1232 result = smack_have_access("test_subject_02", "test_object_02", "rwxat");
1233 RUNNER_ASSERT_MSG_BT(result == 1,
1234 " Error while checking smack accesses.");
1235 result = smack_have_access("test_subject_02", "test_object_03", "rwxat");
1236 RUNNER_ASSERT_MSG_BT(result == 1,
1237 " Error while checking smack accesses.");
1238 result = smack_have_access("test_subject_03", "test_object_01", "rwxat");
1239 RUNNER_ASSERT_MSG_BT(result == 1,
1240 " Error while checking smack accesses.");
1241 result = smack_have_access("test_subject_03", "test_object_02", "rwxat");
1242 RUNNER_ASSERT_MSG_BT(result == 1,
1243 " Error while checking smack accesses.");
1244 result = smack_have_access("test_subject_03", "test_object_03", "rwxat");
1245 RUNNER_ASSERT_MSG_BT(result == 1,
1246 " Error while checking smack accesses.");
1249 removeAccessesAll();
1251 smack_accesses_free(rulesBasic);
1254 result = smack_accesses_new(&rulesBasic);
1255 RUNNER_ASSERT_MSG_BT(result == 0, "Error while creating new accesses. Result: " << result);
1257 // Loading file with partial wrong rules - test_smack_rules2
1258 fd = open("/etc/smack/test_smack_rules2", O_RDONLY, 0644);
1259 RUNNER_ASSERT_MSG_BT(fd >= 0, "Unable to open /etc/smack/test_smack_rules2");
1261 // Adding rules from file
1262 result = smack_accesses_add_from_file(rulesBasic, fd);
1264 RUNNER_ASSERT_MSG_BT(result == 0, "Accesses were loaded from file");
1267 result = smack_accesses_apply(rulesBasic);
1268 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1271 RUNNER_ASSERT_MSG_BT(checkNoAccesses("test_subject_01", "test_object_01"),
1272 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
1273 result = smack_have_access("test_subject_01", "test_object_02", "rwat");
1274 RUNNER_ASSERT_MSG_BT(result == 1,
1275 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1276 result = smack_have_access("test_subject_01", "test_object_03", "wat");
1277 RUNNER_ASSERT_MSG_BT(result == 1,
1278 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1279 RUNNER_ASSERT_MSG_BT(checkNoAccesses("test_subject_02", "test_object_01"),
1280 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
1281 result = smack_have_access("test_subject_02", "test_object_02", "wa-ft");
1282 RUNNER_ASSERT_MSG_BT(result == 1,
1283 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1284 result = smack_have_access("test_subject_02", "test_object_03", "wr");
1285 RUNNER_ASSERT_MSG_BT(result == 1,
1286 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1287 result = smack_have_access("test_subject_03", "test_object_01", "a");
1288 RUNNER_ASSERT_MSG_BT(result == 1,
1289 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1290 result = smack_have_access("test_subject_03", "test_object_02", "rwat");
1291 RUNNER_ASSERT_MSG_BT(result == 1,
1292 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1293 result = smack_have_access("test_subject_03", "test_object_03", "w");
1294 RUNNER_ASSERT_MSG_BT(result == 1,
1295 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1298 removeAccessesAll();
1300 smack_accesses_free(rulesBasic);
1303 result = smack_accesses_new(&rulesBasic);
1304 RUNNER_ASSERT_MSG_BT(result == 0, "Error while creating new accesses. Result: " << result);
1306 // Loading file with partial wrong rules - test_smack_rules3
1307 fd = open("/etc/smack/test_smack_rules3", O_RDONLY, 0644);
1308 RUNNER_ASSERT_MSG_BT(fd >= 0, "Unable to open /etc/smack/test_smack_rules3");
1310 // Adding rules from file
1311 result = smack_accesses_add_from_file(rulesBasic, fd);
1313 RUNNER_ASSERT_MSG_BT(result != 0, "Accesses were loaded from file");
1316 result = smack_accesses_apply(rulesBasic);
1317 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1320 result = smack_have_access("test_subject_01", "test_object_01", "rwat");
1321 RUNNER_ASSERT_MSG_BT(result == 1,
1322 " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Result: " << result );
1323 RUNNER_ASSERT_MSG_BT(checkNoAccesses("test_subject_01", "test_object_02"),
1324 " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Accesses exist.");
1325 result = smack_have_access("test_subject_01", "test_object_03", "x");
1326 RUNNER_ASSERT_MSG_BT(result == 0,
1327 " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Result: " << result );
1330 removeAccessesAll();
1332 smack_accesses_free(rulesBasic);
1335 result = smack_accesses_new(&rulesBasic);
1336 RUNNER_ASSERT_MSG_BT(result == 0, "Error while creating new accesses. Result: " << result);
1338 // Loading file with partial wrong rules - test_smack_rules4
1339 fd = open("/etc/smack/test_smack_rules4", O_RDONLY, 0644);
1340 RUNNER_ASSERT_MSG_BT(fd >= 0, "Unable to open /etc/smack/test_smack_rules4");
1342 // Adding rules from file
1343 result = smack_accesses_add_from_file(rulesBasic, fd);
1345 RUNNER_ASSERT_MSG_BT(result != 0, "Accesses were loaded from file");
1348 result = smack_accesses_apply(rulesBasic);
1349 RUNNER_ASSERT_MSG_BT(result == 0, "Error while applying accesses. Result: " << result);
1352 result = smack_have_access("test_subject_01", "test_object_01", "rxwat");
1353 RUNNER_ASSERT_MSG_BT(result == 1,
1354 " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Result: " << result );
1355 RUNNER_ASSERT_MSG_BT(checkNoAccesses("test_subject_01", "test_object_02"),
1356 " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Accesses exist.");
1357 result = smack_have_access("test_subject_01", "test_object_03", "a");
1358 RUNNER_ASSERT_MSG_BT(result == 0,
1359 " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Result: " << result );
1362 removeAccessesAll();
1364 smack_accesses_free(rulesBasic);
1367 //int smack_new_label_from_socket(int fd, char **label);
1370 static void smack_set_another_label_for_self(void)
1372 static int number = time(NULL);
1377 result = asprintf(&smack_label, "s%d", number);
1378 RUNNER_ASSERT_MSG_BT(result > 0, "asprintf failed");
1379 result = smack_set_label_for_self(smack_label);
1380 RUNNER_ASSERT_MSG_BT(result == 0, "smack_set_label_for_self(" << smack_label << ") failed");
1384 static void smack_unix_sock_server(int sock)
1390 fd = accept(sock, NULL, NULL);
1394 result = smack_new_label_from_self(&smack_label);
1395 RUNNER_ASSERT_MSG_BT(result >= 0, "smack_new_label_from_self() failed");
1396 result = write(fd, smack_label, strlen(smack_label));
1397 RUNNER_ASSERT_MSG_BT(result == (int)strlen(smack_label), "write() failed");
1402 RUNNER_MULTIPROCESS_TEST_SMACK(smack09_new_label_from_socket)
1405 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
1407 smack_set_another_label_for_self();
1409 RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
1410 if (!pid) { /* child process, server */
1414 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1415 RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno));
1416 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1417 RUNNER_ASSERT_MSG_BT(result == 0, "bind failed: " << strerror(errno));
1418 result = listen(sock, 1);
1419 RUNNER_ASSERT_MSG_BT(result == 0, "listen failed: " << strerror(errno));
1420 smack_unix_sock_server(sock);
1423 RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
1424 /* Test if socket label was unaffected by fork() */
1425 smack_unix_sock_server(sock);
1428 smack_set_another_label_for_self();
1429 smack_unix_sock_server(sock);
1434 } else { /* parent process, client */
1435 sleep(1); /* Give server some time to setup listening socket */
1436 for (int i = 0; i < 4; ++i) {
1438 char smack_label1[SMACK_LABEL_LEN + 1];
1441 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1442 RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno));
1443 result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1444 RUNNER_ASSERT_MSG_BT(result == 0, "connect failed: " << strerror(errno));
1446 result = read(sock, smack_label1, SMACK_LABEL_LEN);
1447 RUNNER_ASSERT_MSG_BT(result >= 0, "read failed: " << strerror(errno));
1449 smack_label1[result] = '\0';
1450 result = smack_new_label_from_socket(sock, &smack_label2);
1451 RUNNER_ASSERT_MSG_BT(result >= 0, "smack_label_from_socket failed");
1452 result = strcmp(smack_label1, smack_label2);
1454 RUNNER_ASSERT_MSG_BT(result == 0, "smack labels differ: '" << smack_label1 << "' != '" << smack_label2 << "' i == " << i);
1456 RUNNER_ASSERT_MSG_BT(result != 0, "smack labels do not differ: '" << smack_label1 << "' != '" << smack_label2 << "' i == " << i);
1462 void createFileWithLabel(const std::string &filePath, const std::string &fileLabel)
1464 //create temporary file and set label for it
1467 unlink(filePath.c_str());
1468 //allow to create file with 777 rights
1469 systemMask = umask(0000);
1470 int fd = open(filePath.c_str(), O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
1471 //restore system mask
1473 RUNNER_ASSERT_MSG_BT(fd > -1, "Unable to create file for tests: " << strerror(errno));
1475 //for descriptor protection
1476 FDUniquePtr fp(&fd, closeFdPtr);
1478 //change owner and group to user APP
1479 int ret = chown(filePath.c_str(), APP_UID, APP_GID);
1480 RUNNER_ASSERT_MSG_BT(ret == 0, "Unable to change file owner: " << strerror(errno));
1482 //set smack label on file
1483 ret = smack_setlabel(filePath.c_str(), fileLabel.c_str(), SMACK_LABEL_ACCESS);
1484 RUNNER_ASSERT_MSG_BT(ret == 0, "Unable to set label for file: " << ret);
1487 ret = smack_getlabel(filePath.c_str(), &label, SMACK_LABEL_ACCESS);
1488 RUNNER_ASSERT_MSG_BT(ret == 0, "Unable to get label from file");
1489 std::string label_str(label ? label : "");
1491 RUNNER_ASSERT_MSG_BT(label_str == fileLabel, "File label not match set label");
1494 void prepareEnvironment(const std::string &subject, const std::string &object, const std::string &access)
1496 const std::string ruleAll = "x";
1498 SecurityServer::AccessProvider provider(subject);
1499 provider.allowAPI("system::homedir", ruleAll);
1500 provider.allowAPI(object, access);
1501 provider.applyAndSwithToUser(APP_UID, APP_GID);
1504 //- Add "l" rule to system
1506 //Should be able to add "l" rule to system
1507 RUNNER_CHILD_TEST_SMACK(smack13_0_checking_laccess_mode_enabled_on_device)
1509 std::string selfLabel = "smack13_0";
1510 std::string filename = "smack13_0_file";
1512 //function inside checks if rule exist after add it
1513 SecurityServer::AccessProvider provider(selfLabel);
1514 provider.allowAPI(filename, "l");
1517 int ret = smack_have_access(selfLabel.c_str(), filename.c_str(), "l");
1518 RUNNER_ASSERT_MSG_BT(ret == 1, "Error in adding laccess rule - l");
1522 //- Set label for file and self
1525 //Should have no access due to missing SMACK rule
1526 RUNNER_CHILD_TEST_SMACK(smack13_1_checking_laccess_mode)
1528 std::string selfLabel = "smack13_1";
1529 std::string filename = "smack13_1_file";
1530 std::string filePath = testDir + filename;
1532 createFileWithLabel(filePath, filename);
1533 int fd = open(filePath.c_str(), O_RDWR, 0);
1534 FDUniquePtr fp(&fd, closeFdPtr);
1536 SecurityServer::AccessProvider provider(selfLabel);
1537 provider.applyAndSwithToUser(APP_UID, APP_GID);
1539 int ret = flock(fd, LOCK_EX | LOCK_NB);
1540 RUNNER_ASSERT_MSG_BT(ret < 0, "Error, able to lock file: " << strerror(errno));
1541 ret = flock(fd, LOCK_UN | LOCK_NB);
1542 RUNNER_ASSERT_MSG_BT(ret < 0, "Error, able to lock file: " << strerror(errno));
1543 ret = flock(fd, LOCK_SH | LOCK_NB);
1544 RUNNER_ASSERT_MSG_BT(ret < 0, "Error, able to lock file: " << strerror(errno));
1548 //- Set label for file and self
1549 //- Add SMACK rule "l"
1552 //Should be able to lock file even without "w" rule
1553 RUNNER_CHILD_TEST_SMACK(smack13_2_checking_laccess_mode_with_l_rule)
1555 std::string selfLabel = "smack13_2";
1556 std::string filename = "smack13_2_file";
1557 std::string filePath = testDir + filename;
1559 createFileWithLabel(filePath, filename);
1560 int fd = open(filePath.c_str(), O_RDWR, 0);
1561 FDUniquePtr fp(&fd, closeFdPtr);
1563 prepareEnvironment(selfLabel, filename, "l");
1565 int ret = flock(fd, LOCK_EX | LOCK_NB);
1566 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to exclusive lock file: " << strerror(errno));
1567 ret = flock(fd, LOCK_UN | LOCK_NB);
1568 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to unlock file: " << strerror(errno));
1569 ret = flock(fd, LOCK_SH | LOCK_NB);
1570 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to shared lock file: " << strerror(errno));
1574 //- Set label for file and self
1575 //- Add SMACK rule "w"
1578 //Should be able to lock file even without "l" rule
1579 RUNNER_CHILD_TEST_SMACK(smack13_3_checking_laccess_mode_with_w_rule)
1581 std::string selfLabel = "smack13_3";
1582 std::string filename = "smack13_3_file";
1583 std::string filePath = testDir + filename;
1585 createFileWithLabel(filePath, filename);
1586 int fd = open(filePath.c_str(), O_RDWR, 0);
1587 FDUniquePtr fp(&fd, closeFdPtr);
1589 prepareEnvironment(selfLabel, filename, "w");
1591 int ret = flock(fd, LOCK_EX | LOCK_NB);
1592 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to exclusive lock file: " << strerror(errno));
1593 ret = flock(fd, LOCK_UN | LOCK_NB);
1594 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to unlock file: " << strerror(errno));
1595 ret = flock(fd, LOCK_SH | LOCK_NB);
1596 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to shared lock file: " << strerror(errno));
1600 //- Set label for file and self
1601 //- Add SMACK rule "rw"
1603 //- Lock file (shared lock)
1604 //- Spawn child process
1605 //- Child tries to lock file (shared)
1607 //Child should be able to lock file due to shared lock
1608 RUNNER_MULTIPROCESS_TEST_SMACK(smack13_4_0_checking_laccess_mode_w_rule_child)
1610 std::string selfLabel = "smack13_4_0";
1611 std::string filename = "smack13_4_0_file";
1612 std::string filePath = testDir + filename;
1614 createFileWithLabel(filePath, filename);
1615 int fd = open(filePath.c_str(), O_RDWR);
1616 FDUniquePtr fp(&fd, closeFdPtr);
1617 int ret = flock(fd, LOCK_SH | LOCK_NB);
1618 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to shared lock file: " << strerror(errno));
1623 prepareEnvironment(selfLabel, filename, "rw");
1625 int child_fd = open(filePath.c_str(), O_RDWR);
1626 RUNNER_ASSERT_MSG_BT(child_fd > -1, "Unable to open created file: " << strerror(errno));
1628 //for descriptor protection
1629 FDUniquePtr fp(&child_fd, closeFdPtr);
1631 ret = flock(child_fd, LOCK_SH | LOCK_NB);
1632 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to lock file with shared lock: "
1633 << strerror(errno));
1638 //- Set label for file and self
1639 //- Add SMACK rule "l"
1641 //- Lock file (shared lock)
1642 //- Spawn child process
1643 //- Child tries to lock file (shared)
1645 //Child should be able to lock file due to shared lock
1646 RUNNER_MULTIPROCESS_TEST_SMACK(smack13_4_1_checking_laccess_mode_l_rule_child)
1648 std::string selfLabel = "smack13_4_1";
1649 std::string filename = "smack13_4_1_file";
1650 std::string filePath = testDir + filename;
1652 createFileWithLabel(filePath, filename);
1653 int fd = open(filePath.c_str(), O_RDWR);
1654 FDUniquePtr fp(&fd, closeFdPtr);
1655 int ret = flock(fd, LOCK_SH | LOCK_NB);
1656 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to shared lock file: " << strerror(errno));
1661 //"r" is only for open in O_RDONLY mode
1662 prepareEnvironment(selfLabel, filename, "rl");
1664 int child_fd = open(filePath.c_str(), O_RDONLY, 0);
1665 RUNNER_ASSERT_MSG_BT(child_fd > -1, "Unable to open created file: " << strerror(errno));
1667 //for descriptor protection
1668 FDUniquePtr fp(&child_fd, closeFdPtr);
1670 ret = flock(child_fd, LOCK_SH | LOCK_NB);
1671 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to lock file with shared lock: "
1672 << strerror(errno));
1677 //- Set label for file and self
1678 //- Add SMACK rule "rw"
1680 //- Lock file (exclusive lock)
1681 //- Spawn child process
1682 //- Child tries to lock file (exclusive / shared)
1684 //Child should not be able to lock file due to exclusive lock
1685 RUNNER_MULTIPROCESS_TEST_SMACK(smack13_4_2_checking_laccess_mode_w_rule_child)
1687 std::string selfLabel = "smack13_4_2";
1688 std::string filename = "smack13_4_2_file";
1689 std::string filePath = testDir + filename;
1691 createFileWithLabel(filePath, filename);
1692 int fd = open(filePath.c_str(), O_RDWR);
1693 FDUniquePtr fp(&fd, closeFdPtr);
1694 int ret = flock(fd, LOCK_EX | LOCK_NB);
1695 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to exclusive lock file: " << strerror(errno));
1700 prepareEnvironment(selfLabel, filename, "rw");
1702 int child_fd = open(filePath.c_str(), O_RDWR, 0);
1703 RUNNER_ASSERT_MSG_BT(child_fd > -1, "Unable to open created file: " << strerror(errno));
1705 //for descriptor protection
1706 FDUniquePtr fp(&child_fd, closeFdPtr);
1708 ret = flock(child_fd, LOCK_EX | LOCK_NB);
1709 RUNNER_ASSERT_MSG_BT(ret < 0, "Error, able to lock file with exclusive lock");
1714 //- Set label for file and self
1715 //- Add SMACK rule "l"
1717 //- Lock file (exclusive lock)
1718 //- Spawn child process
1719 //- Child tries to lock file (exclusive / shared)
1721 //Child should not be able to lock file due to exclusive lock
1722 RUNNER_MULTIPROCESS_TEST_SMACK(smack13_4_3_checking_laccess_mode_l_rule_child)
1724 std::string selfLabel = "smack13_4_3";
1725 std::string filename = "smack13_4_3_file";
1726 std::string filePath = testDir + filename;
1728 createFileWithLabel(filePath, filename);
1729 int fd = open(filePath.c_str(), O_RDWR, 0);
1730 FDUniquePtr fp(&fd, closeFdPtr);
1731 int ret = flock(fd, LOCK_EX | LOCK_NB);
1732 RUNNER_ASSERT_MSG_BT(ret == 0, "Error, unable to exclusive lock file: " << strerror(errno));
1737 //"r" is only for open in O_RDONLY mode
1738 prepareEnvironment(selfLabel, filename, "rl");
1740 int child_fd = open(filePath.c_str(), O_RDONLY, 0);
1741 RUNNER_ASSERT_MSG_BT(child_fd > -1, "Unable to open created file: " << strerror(errno));
1743 //for descriptor protection
1744 FDUniquePtr fp(&child_fd, closeFdPtr);
1746 ret = flock(child_fd, LOCK_EX | LOCK_NB);
1747 RUNNER_ASSERT_MSG_BT(ret < 0, "Error, able to lock file with eclusive lock");
1752 /////////////////////////////////////////
1753 //////NOSMACK ENVIRONMENT TESTS//////////
1754 /////////////////////////////////////////
1757 * NOSMACK version of smack02 test. Functions, that should return error instead of success:
1758 * - smack_accesses_apply
1759 * - smack_have_access
1760 * - smack_revoke_subject
1761 * - smack_acceesses_clear
1763 * Tests smack03, smack04, smack10, smack_accesses_clear, smack_revoke_subject all use functions
1764 * tested in smack02 test. Results from those functions (smack_have_access, smack_accesses_apply,
1765 * smack_accesses_clear, smack_revoke_subject) would be the same as in this test. Tests mentioned
1766 * above doesn't make much sense on NOSMACK environment when test smack02 exists and passes
1767 * correctly, thus those tests are are not implemented.
1769 RUNNER_TEST_NOSMACK(smack02_aplying_rules_into_kernel_nosmack)
1772 smack_accesses *tmp = NULL;
1776 result = smack_accesses_new(&tmp);
1777 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to create smack_accesses instance");
1779 //pass rules to unique_ptr
1780 AccessesUniquePtr rules(tmp, smack_accesses_free);
1782 //adding test rules to struct (same as SMACK version of smack02 test)
1783 result = smack_accesses_add(rules.get(), "writer", "book", "rwx");
1784 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
1785 result = smack_accesses_add(rules.get(), "reader", "book", "r");
1786 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
1787 result = smack_accesses_add(rules.get(), "spy", "book", "rwx");
1788 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
1790 //applying rules to kernel (should fail)
1791 result = smack_accesses_apply(rules.get());
1792 RUNNER_ASSERT_MSG_BT(result == -1, "Unable to apply rules into kernel");
1794 //calls from SMACK version of this test - all should fail because of SMACK being turned off
1795 result = smack_have_access("spy", "book", "rwx");
1796 RUNNER_ASSERT_MSG_BT(result == -1, "smack_have_access should return error (SMACK is off)");
1797 result = smack_have_access("reader", "book", "rwx");
1798 RUNNER_ASSERT_MSG_BT(result == -1, "smack_have_access should return error (SMACK is off)");
1799 result = smack_have_access("s02badsubjectlabel", "book", "rwx");
1800 RUNNER_ASSERT_MSG_BT(result == -1, "smack_have_access should return error (SMACK is off)");
1802 //testing subject revoking - should return error (no accesses applied = no subjects to revoke)
1803 result = smack_revoke_subject("s02nonexistinglabel");
1804 RUNNER_ASSERT_MSG_BT(result == -1, "smack_revoke_subject error - subject doesn't exist.");
1805 result = smack_revoke_subject("spy");
1806 RUNNER_ASSERT_MSG_BT(result == -1, "smack_revoke_subject error - subject doesn't exist.");
1808 //after revoking smack_have_access still should return error
1809 result = smack_have_access("spy", "book", "rwx");
1810 RUNNER_ASSERT_MSG_BT(result == -1, "smack_have_access should return error (SMACK is off).");
1812 result = smack_accesses_add(rules.get(), "s02subjectlabel", "book", "rwx");
1813 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to add smack rules");
1815 //smack_accesses_clear should return error aswell
1816 result = smack_accesses_clear(rules.get());
1817 RUNNER_ASSERT_MSG_BT(result == -1, "Clearing rules should return error - no SMACK on system.");
1819 result = smack_have_access("writer", "book", "rwx");
1820 RUNNER_ASSERT_MSG_BT(result == -1, "smack_have_access should return error (SMACK is off).");
1824 * NOSMACK version of smack11 test. Tests functions:
1825 * - smack_accesses_add_from_file
1827 * Since other SMACK functions were tested in smack02 test, the only function needed to be checked
1828 * is applying rules loaded from file.
1830 RUNNER_TEST_NOSMACK(smack03_saving_loading_rules_nosmack)
1835 smack_accesses* tmp = NULL;
1837 result = smack_accesses_new(&tmp);
1838 RUNNER_ASSERT_MSG_BT(result == 0, "Error during rules creation.");
1840 AccessesUniquePtr rules(tmp, smack_accesses_free);
1842 //open file with rules
1843 fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
1844 RUNNER_ASSERT_MSG_BT(fd >= 0,
1845 "Unable to open /etc/smack/test_smack_rules_full. Errno: " << strerror(errno));
1847 //load accesses from file
1848 result = smack_accesses_add_from_file(rules.get(), fd);
1850 RUNNER_ASSERT_MSG_BT(result == 0, "Error while importing accesses from file. Result: " << result);
1854 * NOSMACK version of smack05 test. Tests if functions getting, or
1855 * setting self label work correctly (that is, return error).
1857 RUNNER_TEST_NOSMACK(smack04_self_label_nosmack)
1863 char buff[SMACK_LABEL_LEN+1];
1865 //smack_new_label_from_self should fail
1866 result = smack_new_label_from_self(&label);
1867 RUNNER_ASSERT_MSG_BT(result == -1, "new_label_from_self should return error (SMACK is off).");
1868 RUNNER_ASSERT_MSG_BT(label == NULL, "new_label_from_self shouldn't allocate memory to label.");
1870 //We don't need to remember about freeing label - smack_new_label_from_self must return NULL
1871 //label if it's working properly.
1873 // /proc/self/attr/current shouldn't keep any rules inside
1874 fd = open("/proc/self/attr/current", O_RDONLY, 0644); //file exists, so it should open
1875 RUNNER_ASSERT_MSG_BT(fd >= 0, "/proc/self/attr/current failed to open.");
1877 result = read(fd, buff, SMACK_LABEL_LEN); //however reading it should return error
1880 RUNNER_ASSERT_MSG_BT(false, "Reading /proc/self/attr/current should return error.");
1883 //setting label for self should fail
1884 result = smack_set_label_for_self("s04testlabel");
1887 RUNNER_ASSERT_MSG_BT(false, "set_label_for_self should return error (SMACK is off).");
1890 //getting previously set label should also fail
1891 result = smack_new_label_from_self(&label);
1894 RUNNER_ASSERT_MSG_BT(false, "new_label_from_self should return error (SMACK is off).");
1898 RUNNER_ASSERT_MSG_BT(false, "new_label_from_self shouldn't allocate memory to label.");
1901 // /proc/self/attr/current still shouldn't keep any rules inside
1902 result = lseek(fd, 0, SEEK_SET); //going to the file beginning
1905 RUNNER_ASSERT_MSG_BT(false, "lseek() error.");
1908 result = read(fd, buff, SMACK_LABEL_LEN); //however it should return error
1911 RUNNER_ASSERT_MSG_BT(false, "Reading /proc/self/attr/current should return error.");
1918 * NOSMACK version of smack_accesses_add_modify_x tests.
1920 * Because all smack_accesses_add_modify tests are basically the same (all use smack_accesses_apply
1921 * and smack_have_access, which return -1 when SMACK is turned off), it makes much more sense to
1922 * write one test which will create rules using smack_accesses_add_modify and then check if
1923 * smack_accesses_apply and smack_have_access indeed return -1 when SMACK is turned off.
1925 RUNNER_TEST_NOSMACK(smack05_accesses_add_modify_nosmack)
1928 smack_accesses* tmp = NULL;
1930 result = smack_accesses_new(&tmp);
1931 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to allocate memory for rules. Result: " << result);
1933 AccessesUniquePtr rules(tmp, smack_accesses_free);
1935 //Not doing clean_up() every RUNNER_ASSERT_MSG - what clean_up does is just a creation of new
1936 //rule struct and removal of currenctly added and applied rules. clean_up() must be done only
1937 //after smack_accesses_apply().
1938 result = smack_accesses_add_modify(rules.get(), TEST_SUBJECT, TEST_OBJECT, "rwx", "");
1939 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule. Result: " << result);
1941 result = smack_accesses_add_modify(rules.get(), TEST_SUBJECT, TEST_OBJECT, "rwx", "");
1942 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to modify rule. Result: " << result);
1944 result = smack_accesses_apply(rules.get());
1945 RUNNER_ASSERT_MSG_BT(result == -1,
1946 "smack_accesses_apply should return error (SMACK is off). Result: " << result);
1948 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx");
1951 RUNNER_ASSERT_MSG_BT(false,
1952 "smack_have_access should return error (SMACK is off). Result: " << result);
1959 * NOSMACK version of smack09 test.
1961 * This test checks if smack_new_label_from_socket reacts correctly. Since label should be
1962 * acquired from getsockopt, and it should fail, we must only set up socket and call
1963 * smack_new_label_from_socket. It should return error.
1965 RUNNER_MULTIPROCESS_TEST_NOSMACK(smack09_new_label_from_socket_nosmack)
1968 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
1973 RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
1974 if (!pid) { //child (server)
1979 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1980 RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno));
1982 //Bind it to sockaddr
1983 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1986 RUNNER_ASSERT_MSG_BT(false, "bind failed: " << strerror(errno));
1989 //Prepare for listening
1990 result = listen(sock, 1);
1993 RUNNER_ASSERT_MSG_BT(false, "listen failed: " << strerror(errno));
1998 fd = accept(sock, NULL, NULL);
2002 RUNNER_ASSERT_MSG_BT(false, "Failed when accepting connection from client.");
2005 //wait for smack_new_label_from_socket execution
2008 //Close socket and server
2012 else { //parent (client)
2013 //Wait a little bit until server is set up
2018 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2019 RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno));
2021 //Connect to sockaddr
2022 result = connect(sock, (struct sockaddr*) &sockaddr,
2023 sizeof(struct sockaddr_un));
2026 RUNNER_ASSERT_MSG_BT(false, "connect failed: " << strerror(errno));
2029 //Try getting label, should fail beacuse getsockopt won't get anything
2030 result = smack_new_label_from_socket(sock, &smack_label);
2032 RUNNER_ASSERT_MSG_BT(result == -1, "smack_new_label_from_socket should fail.");
projects / platform / core / test / security-tests.git / blob