2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Pawel Polawski (p.polawski@samsung.com)
20 * @author Jan Olszak (j.olszak@samsung.com)
21 * @author Zofia Abramowska (z.abramowska@samsung.com)
23 * @brief libsmack test runner
30 #include <dpl/test/test_runner.h>
31 #include <dpl/test/test_runner_multiprocess.h>
32 #include <dpl/log/log.h>
33 #include <sys/types.h>
36 #include <sys/smack.h>
37 #include <sys/xattr.h>
38 #include <sys/socket.h>
42 #include "tests_common.h"
43 #include <access_provider.h>
44 #include <fs_label_manager.h>
47 const char* const TEST_SUBJECT = "test_subject";
48 const char* const TEST_OBJECT = "test_object";
49 const char* const TEST_OBJECT_2 = "test_object_2";
51 const std::string testDir = "/tmp/";
52 const std::vector<std::string> accessesBasic = { "r", "w", "x", "wx", "rx", "rw", "rwx", "rwxat" };
54 //This one define is required for sockaddr_un initialization
55 #define SOCK_PATH "/tmp/test-smack-socket"
57 int files_compare(int fd1, int fd2)
59 //for getting files sizes
63 void *h1 = MAP_FAILED;
64 void *h2 = MAP_FAILED;
66 //getting files information
67 RUNNER_ASSERT_ERRNO_MSG(fstat(fd1, &fs1) == 0, "fstat failed");
68 RUNNER_ASSERT_ERRNO_MSG(fstat(fd2, &fs2) == 0, "fstat failed");
70 if (fs1.st_size != fs2.st_size) //if files are identical size will be the same
73 //mapping files to process memory
74 RUNNER_ASSERT_ERRNO_MSG((h1 = mmap(0, fs1.st_size, PROT_READ, MAP_SHARED, fd1, 0 )) != MAP_FAILED,
75 "mmap failed for fd=" << fd1);
77 if ((h2 = mmap(0, fs2.st_size, PROT_READ, MAP_SHARED, fd2, 0 )) == MAP_FAILED) {
78 munmap(h1, fs1.st_size);
79 RUNNER_ASSERT_MSG(h2 != MAP_FAILED, "mmap failed for fd=" << fd2
80 << ". " << strerror(errno));
83 int result = memcmp(h1, h2, fs1.st_size);
84 munmap(h1, fs1.st_size);
85 munmap(h2, fs2.st_size);
90 RUNNER_TEST_GROUP_INIT(libsmack)
92 * Helper method to reset privileges at the begginning of tests.
96 smack_revoke_subject(TEST_SUBJECT);
100 * Checking if subject has any access to object
102 bool checkNoAccesses(const char *subject, const char *object)
106 for(const auto &perm : std::vector<std::string> {"r", "w", "a","t", "l"}) {
107 result = smack_have_access(subject, object, perm.c_str());
115 void removeAccessesAll()
117 for(int i = 1; i <=3; i++)
118 //smack_revoke_subject will fail, when subject does not exist in kernel
119 //as this function is called at test beginning we cannot check return value
120 smack_revoke_subject(("test_subject_0" + std::to_string(i)).c_str());
124 * Add a new access with smack_accesses_add_modify()
126 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_1){
131 struct smack_accesses *rules = nullptr;
132 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
133 SmackAccessesPtr rules_ptr(rules);
136 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"xr","");
137 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify by empty rules");
138 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
140 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"xr");
141 RUNNER_ASSERT_MSG(result == 1, "Rule modified (added 'xr'), but no change made.");
149 * Test if rules are applied in the right order, and modification works.
151 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_2){
153 struct smack_accesses *rules = nullptr;
154 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
155 SmackAccessesPtr rules_ptr(rules);
160 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"r","");
161 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
163 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"","r");
164 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
166 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
167 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 0,
168 "Modification didn't work");
176 * Test if rules are applied in the right order, and modification works.
177 * Using different smack_accesses list to add and delete.
179 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_3){
181 struct smack_accesses *rules = nullptr;
182 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
183 SmackAccessesPtr rules_ptr(rules);
189 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"r","");
190 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
191 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
192 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 1,
193 "Adding privileges didn't work");
195 // Revoke r privilege
197 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
198 rules_ptr.reset(rules);
199 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"","r");
200 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
201 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
203 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
204 RUNNER_ASSERT_MSG(result == 0, "Modification didn't work, rule has still 'r' privileges.");
211 * Add a list of privileges and then revoke just ONE of them.
213 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_4){
215 struct smack_accesses *rules = nullptr;
216 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
217 SmackAccessesPtr rules_ptr(rules);
222 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"rwxat","");
223 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
224 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
226 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"","r");
227 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
228 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
230 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
231 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
232 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
233 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
240 * Add a list of privileges and then revoke just ONE of them.
241 * Without applying privileges in between those actions.
243 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_5){
245 struct smack_accesses *rules = nullptr;
246 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
247 SmackAccessesPtr rules_ptr(rules);
252 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"rwxat","");
253 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
255 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"","r");
256 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
257 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
259 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
260 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
261 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
262 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
270 * Add a list of privileges and then revoke just TWO of them.
272 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_6){
274 struct smack_accesses *rules = nullptr;
275 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
276 SmackAccessesPtr rules_ptr(rules);
281 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"rwt","");
282 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
283 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
285 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"ax","rt");
286 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
287 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
289 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"wax");
290 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'wax' privileges.");
291 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
292 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
299 * Run smack_accesses_add_modify with the same accesses_add and accesses_del.
301 RUNNER_TEST_SMACK(smack_accesses_add_modify_test_7){
305 struct smack_accesses *rules = nullptr;
307 for (i = 0; i < accessesBasic.size(); ++i) {
308 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
309 SmackAccessesPtr rules_ptr(rules);
311 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,
312 accessesBasic[i].c_str(), accessesBasic[i].c_str());
313 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
314 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
316 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
317 " Error while checking smack access. Accesses exist.");
325 * Revoke subject with previously added rules and revoke it again.
327 RUNNER_TEST_SMACK(smack_revoke_subject_test_1){
331 struct smack_accesses *rules = nullptr;
333 for (i = 0; i < accessesBasic.size(); ++i) {
334 // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
335 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
336 SmackAccessesPtr rules_ptr(rules);
338 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,
339 accessesBasic[i].c_str(),"");
340 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT_2,
341 accessesBasic[i].c_str(),"");
342 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
343 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
344 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
345 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. "
346 "Rule " << accessesBasic[i].c_str() << " does not exist.");
347 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
348 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. "
349 "Rule " << accessesBasic[i].c_str() << " does not exist.");
352 result = smack_revoke_subject(TEST_SUBJECT);
353 RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work.");
355 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
356 " Revoke didn't work. Accesses exist.");
357 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
358 " Revoke didn't work. Accesses exist.");
361 // Revoking subject again
362 result = smack_revoke_subject(TEST_SUBJECT);
363 RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work.");
365 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
366 " Revoke didn't work. Accesses exist.");
367 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
368 " Revoke didn't work. Accesses exist.");
376 RUNNER_TEST_SMACK(smack_accesses_clear_test_1){
380 struct smack_accesses *rules = nullptr;
382 for (i = 0; i < accessesBasic.size(); ++i) {
383 // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
384 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
385 SmackAccessesPtr rules_ptr(rules);
386 result = smack_accesses_add(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,
387 accessesBasic[i].c_str());
388 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
389 result = smack_accesses_add(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT_2,
390 accessesBasic[i].c_str());
391 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
392 RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules");
394 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
395 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule "
396 << accessesBasic[i].c_str() << " does not exist.");
397 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
398 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule "
399 << accessesBasic[i].c_str() << " does not exist.");
401 // Creating and clearing rules with TEST_OBJECT
403 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
404 rules_ptr.reset(rules);
405 result = smack_accesses_add(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,
406 accessesBasic[i].c_str());
407 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
408 result = smack_accesses_clear(rules_ptr.get());
409 RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work.");
411 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
412 RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work. Rule "
413 << accessesBasic[i].c_str() << " does exist.");
414 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
415 RUNNER_ASSERT_MSG(result == 1, "Clearing rules didn't work. Rule "
416 << accessesBasic[i].c_str() << " does not exist.");
418 // Creating and clearing rules with TEST_OBJECT
420 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
421 rules_ptr.reset(rules);
423 result = smack_accesses_add(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT_2,
424 accessesBasic[i].c_str());
425 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
426 result = smack_accesses_clear(rules_ptr.get());
427 RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work.");
429 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
430 " Clear didn't work. Accesses exist.");
431 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
432 " Clear didn't work. Accesses exist.");
436 RUNNER_TEST(smack01_storing_and_restoring_rules)
439 * author: Pawel Polawski
440 * test: smack_accesses_new, smack_accesses_add, smack_accesses_add_modify, smack_accesses_add_from_file,
441 * smack_accesses_free, smack_accesses_save
442 * description: This test case will create structure holding SMACK rules and add new one to it. Next rules will be
443 * stored and restored from file.
444 * expect: Rules created and stored in file should be identical to predefined template.
447 struct smack_accesses *rules = nullptr; //rules prepared in this test case
448 struct smack_accesses *import_test = nullptr; //rules imported from file
450 int result; //result of each operation to be tested by RUNNER_ASSERT
451 int fd, tmp, sample; //file descripptors for save / restore rules tests
453 //int smack_accesses_new(struct smack_accesses **accesses);
454 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
455 SmackAccessesPtr rules_ptr(rules);
456 RUNNER_ASSERT(smack_accesses_new(&import_test) == 0);
457 SmackAccessesPtr import_ptr(import_test);
460 fd = open("/tmp/smack01_rules", O_RDWR | O_CREAT | O_TRUNC, 0644); //for export prepared rules
461 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to create /tmp/smack01_rules");
462 FdUniquePtr fd_ptr(&fd);
463 tmp = open("/tmp/smack01_tmp", O_RDWR | O_CREAT | O_TRUNC, 0644); //for import rules exported before
464 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to create /tmp/smack01_tmp");
465 FdUniquePtr tmp_ptr(&tmp);
466 sample = open("/etc/smack/test_smack_rules", O_RDONLY, 0644); //reference preinstalled rules
467 RUNNER_ASSERT_ERRNO_MSG(sample >= 0, "Unable to open /etc/smack/test_smack_rules");
468 FdUniquePtr sample_ptr(&sample);
470 result = smack_accesses_add(rules_ptr.get(), "writer", "book", "rw");
471 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
472 result = smack_accesses_add(rules_ptr.get(), "reader", "book", "wx");
473 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
475 result = smack_accesses_add_modify(rules_ptr.get(), "reader", "book", "r", "wx");
476 RUNNER_ASSERT_MSG(0 == result, "Unable to modify smack rules");
478 result = smack_accesses_save(rules_ptr.get(), fd);
479 RUNNER_ASSERT_MSG(0 == result, "Unable to save smack_accesses instance in file");
481 result = lseek(fd, 0, SEEK_SET);
482 RUNNER_ASSERT_ERRNO_MSG(result == 0, "lseek() error");
483 result = smack_accesses_add_from_file(import_ptr.get(), fd);
484 RUNNER_ASSERT_MSG(result == 0, "Unable to import rules from file");
486 result = smack_accesses_save(import_ptr.get(), tmp);
487 RUNNER_ASSERT_MSG(result == 0, "Unable to save smack_accesses instance in file");
489 //comparing rules saved in file, restored from it and stored one more time
490 result = files_compare(fd, tmp);
491 RUNNER_ASSERT_MSG(result == 0, "No match in stored and restored rules");
493 //comparing rules stored in file with reference preinstalled rules
494 result = files_compare(tmp, sample);
495 RUNNER_ASSERT_MSG(result == 0, "No match in stored rules and pattern file");
498 RUNNER_TEST_SMACK(smack02_aplying_rules_into_kernel)
501 * author: Pawel Polawski
502 * test: smack_accesses_apply, smack_have_access, smack_revoke_subject, smack_accesses_clear, smack_accesses_new,
503 * smack_accesses_add, smack_accesses_free
504 * description: In this test case aplying rules to kernel will be tested. After that function for test
505 * accesses will be used.
506 * expect: In case of correct rules access should be granted.
509 //CAP_MAC_ADMIN needed for process to be able to change rules in kernel (apllying, removing)
511 struct smack_accesses *rules = nullptr; //rules prepared in this test case
512 int result; //for storing functions results
514 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
515 SmackAccessesPtr rules_ptr(rules);
517 //adding test rules to struct
518 result = smack_accesses_add(rules_ptr.get(), "writer", "book", "rwx");
519 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
520 result = smack_accesses_add(rules_ptr.get(), "reader", "book", "r");
521 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
522 result = smack_accesses_add(rules_ptr.get(), "spy", "book", "rwx");
523 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
525 result = smack_accesses_apply(rules_ptr.get()); //applying rules to kernel
526 RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel");
528 //should have access - rule exist
529 result = smack_have_access("spy", "book", "rwx");
530 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
531 //should have no access - wrong rule, should be "r" only
532 result = smack_have_access("reader", "book", "rwx");
533 RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
534 //should have no access - rule not exist
535 result = smack_have_access("s02badsubjectlabel", "book", "rwx");
536 RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
538 //this subject do not exist in kernel rules
539 result = smack_revoke_subject("s02nonexistinglabel");
540 RUNNER_ASSERT_MSG(result == 0, "Error in removing not existing subject from kernel");
541 result = smack_revoke_subject("spy"); //this subject exist in kernel rules
542 RUNNER_ASSERT_MSG(result == 0, "Error in removing existing subject from kernel");
544 //testing access after revoke_subject() from kernel
545 result = smack_have_access("spy", "book", "rwx");
546 //now spy should have no access
547 RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel");
549 //for create new rule as a consequence of use accesses_clear() below
550 result = smack_accesses_add(rules_ptr.get(), "s02subjectlabel", "book", "rwx");
551 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
553 //"spy" removed before by using smack_revoke_subject()
554 result = smack_accesses_clear(rules_ptr.get());
555 RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel");
557 //testing acces after acces_clear()
558 result = smack_have_access("writer", "book", "rwx");
559 //now writer also should have no access
560 RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel");
564 //pairs of rules for test with mixed cases, different length and mixed order
565 std::vector< std::vector<std::string> > correct_rules = {
566 { "reader1", "-", "------" },
567 { "reader2", "--------", "------" },
568 { "reader3", "RwXaTl", "rwxatl" },
569 { "reader4", "RrrXXXXTTT", "r-x-t-" },
570 { "reader5", "-r-w-a-t-", "rw-at-" },
571 { "reader6", "", "------" },
572 { "reader7", "xa--Rt---W--L", "rwxatl" },
575 RUNNER_TEST_SMACK(smack03_mixed_rule_string_add)
578 * author: Pawel Polawski
579 * test: smack_have_access, smack_accesses_new, smack_accesses_add, smack_accesses_apply, smack_accesses_free
580 * description: In thist test case rules based on mixed string are added to kernel.
581 * Strings are presented above and contains lower / upper case alpha, numbers and special signs.
582 * expect: Rules should be parsed correct and aplied to kernel.
585 //In thist test case mixed string are used as rules applied to kernel, next they are
586 //readed and compared with correct form of rules
588 struct smack_accesses *rules = nullptr; //rules prepared in this test case
589 int result; //for storing functions results
592 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
593 SmackAccessesPtr rules_ptr(rules);
595 //adding test rules with mixed string
596 for (auto rule=correct_rules.begin(); rule != correct_rules.end(); ++rule) {
597 //using mixed rules from table
598 result = smack_accesses_add(rules_ptr.get(),
602 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
606 //FIXME: Using clear() here can cover error in accesses_apply() function
607 //result = smack_accesses_clear(rules);
608 //RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel");
610 //applying rules to kernel
611 result = smack_accesses_apply(rules_ptr.get());
612 RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel");
614 //checking accesses using normal rules
615 for (auto rule=correct_rules.begin(); rule != correct_rules.end(); ++rule) {
616 if ((*rule)[2] == "------")
620 //using normal rules from table
621 result = smack_have_access((*rule)[0].c_str(),
624 RUNNER_ASSERT_MSG(result == expected, "Error while checking Smack access");
628 RUNNER_TEST_SMACK(smack04_mixed_rule_string_have_access)
631 * author: Pawel Polawski
632 * test: smack_have_access
633 * description: In this test case we testing aplied before SMACK rules and comparing them using mixed strings.
634 * expect: Subjects should have accesses to the objects.
637 //In this test case we checking previous aplied rules but for compare mixed strings are used
642 //rules were added in previous RUNNER_TEST section
643 //checking accesses using mixed rules
644 for (auto rule=correct_rules.begin(); rule != correct_rules.end(); ++rule) {
645 if ((*rule)[2] == "------")
649 //using mixed rules from table
650 result = smack_have_access((*rule)[0].c_str(),
653 RUNNER_ASSERT_MSG(result == expected, "Error while checking Smack access");
657 //RUNNER_TEST(smackXX_accesses_add_modify)
660 // - what if we want to apply rule that is already in kernel?
661 // - tests for smack_accesses_add_modify() + smack_have_access() (check if add_modify sets the proper rule)
662 // - smack_accesses_add_modify("subject", "object", "rwx", "rwx") should create empty rule
665 RUNNER_TEST_SMACK(smack05_self_label)
668 * author: Pawel Polawski
669 * test: smack_set_label_for_self, smack_new_label_from_self
670 * description: In this test case process test it own default label. Next label is changed
671 * and tested one more time if change was successfull.
672 * expect: Proces should have default "-" label and can change it to the oter one.
675 //In this test case process will manipulate it own label
677 char *label = nullptr;
681 const int B_SIZE = 8;
684 const char *def_rule = "_";
686 result = smack_new_label_from_self(&label);
687 RUNNER_ASSERT_MSG(result >= 0, "Error in getting self label");
688 //comparing this label with default one "_"
689 result = strcmp(label, def_rule);
691 RUNNER_ASSERT_MSG(result == 0, "Wrong default process label");
693 //comparing this rule with received from /proc/self/attr/current
694 fd = open("/proc/self/attr/current", O_RDONLY, 0644);
695 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /proc/self/attr/current");
696 FdUniquePtr fd_ptr(&fd);
697 result = read(fd, buff, B_SIZE);
698 RUNNER_ASSERT_ERRNO_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
699 result = strncmp(buff, def_rule, result);
700 RUNNER_ASSERT_MSG(result == 0, "Wrong default process rule");
702 //now time for setting labels:
704 result = smack_set_label_for_self("cola");
705 RUNNER_ASSERT_MSG(result == 0, "Error in setting self label");
707 //checking new label using smack function
708 result = smack_new_label_from_self(&label);
709 RUNNER_ASSERT_MSG(result >= 0, "Error in getting self label");
710 result = strcmp(label, "cola");
712 RUNNER_ASSERT_MSG(result == 0, "Wrong process label");
714 //checking new label using /proc/self/attr/current
715 result = lseek(fd, 0, SEEK_SET); //going to the file beginning
716 RUNNER_ASSERT_ERRNO_MSG(result == 0, "lseek() error");
717 result = read(fd, buff, B_SIZE);
718 RUNNER_ASSERT_ERRNO_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
719 result = strncmp(buff, "cola", result);
720 RUNNER_ASSERT_MSG(result == 0, "Proces rule in /proc/self/attr/current other than set");
723 RUNNER_TEST_SMACK(smack06_setlabel_getlabel_test_0)
725 RUNNER_IGNORED_MSG("Upstream does not support label removal yet");
726 const std::string fsLabel = "smack06_setlabel_getlabel_test_0";
727 const std::string fsPath = std::string("/tmp/") + fsLabel;
729 const std::string filePath = "file";
731 FsLabelManager fs(fsPath, fsLabel);
732 fs.createFile(filePath);
734 // reset labels first time
735 fs.testSmackClearLabels(filePath);
737 // reset labels second time
738 fs.testSmackClearLabels(filePath);
741 RUNNER_TEST_SMACK(smack06_setlabel_getlabel_test_1)
743 const std::string fsLabel = "smack06_setlabel_getlabel_test_1";
744 const std::string fsPath = std::string("/tmp/") + fsLabel;
746 const char* testLabelAccess = "access";
747 const char* testLabelExec = "exec";
748 const std::string filePath = "file";
750 FsLabelManager fs(fsPath, fsLabel);
751 fs.createFile(filePath);
753 // set and get labels first time
754 fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
755 fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
756 fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
757 fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
759 fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
760 fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
761 fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
762 fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
764 // set and get same labels second time
765 fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
766 fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
767 fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
768 fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
770 fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
771 fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
772 fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
773 fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
776 RUNNER_TEST_SMACK(smack06_setlabel_getlabel_test_2)
778 RUNNER_IGNORED_MSG("Upstream does not support label removal yet");
779 const std::string fsLabel = "smack06_setlabel_getlabel_test_2";
780 const std::string fsPath = std::string("/tmp/") + fsLabel;
782 const char* testLabelAccess = "access";
783 const char* testLabelExec = "exec";
784 const std::string filePath = "file";
785 const std::string linkPath = "link";
787 FsLabelManager fs(fsPath, fsLabel);
788 fs.createFile(filePath);
789 fs.createLink(linkPath, filePath);
791 // set and get labels for file to which link points
792 fs.testSmackSetLabel(linkPath, testLabelAccess, SMACK_LABEL_ACCESS);
793 fs.testSmackSetLabel(linkPath, testLabelExec, SMACK_LABEL_EXEC);
794 fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
795 fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
796 fs.testSmackGetLabel(linkPath, testLabelAccess, SMACK_LABEL_ACCESS);
797 fs.testSmackGetLabel(linkPath, testLabelExec, SMACK_LABEL_EXEC);
799 // link labels should not be changed
800 fs.testSmackLGetLabel(linkPath, nullptr, SMACK_LABEL_ACCESS);
801 fs.testSmackLGetLabel(linkPath, nullptr, SMACK_LABEL_EXEC);
804 RUNNER_TEST_SMACK(smack06_lsetlabel_lgetlabel_test_1)
806 const std::string fsLabel = "smack06_lsetlabel_lgetlabel_test_1";
807 const std::string fsPath = std::string("/tmp/") + fsLabel;
809 const char* testLabelAccess = "fileAccess";
810 const char* testLabelExec = "fileExec";
811 const char* testLinkLabelAccess = "linkAccess";
812 const char* testLinkLabelExec = "linkExec";
813 const std::string filePath = "file";
814 const std::string linkPath = "link";
816 FsLabelManager fs(fsPath, fsLabel);
817 fs.createFile(filePath);
818 fs.createLink(linkPath, filePath);
820 // set different labels for link and file
821 fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
822 fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
823 fs.testSmackLSetLabel(linkPath, testLinkLabelAccess, SMACK_LABEL_ACCESS);
824 fs.testSmackLSetLabel(linkPath, testLinkLabelExec, SMACK_LABEL_EXEC);
827 fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
828 fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
829 fs.testSmackLGetLabel(linkPath, testLinkLabelAccess, SMACK_LABEL_ACCESS);
830 fs.testSmackLGetLabel(linkPath, testLinkLabelExec, SMACK_LABEL_EXEC);
833 RUNNER_TEST_SMACK(smack06_fsetlabel_fgetlabel_test_1)
835 const std::string fsLabel = "smack06_fsetlabel_fgetlabel_test_1";
836 const std::string fsPath = std::string("/tmp/") + fsLabel;
838 const char* testLabelAccess = "access";
839 const char* testLabelExec = "exec";
840 const std::string filePath = "file";
842 FsLabelManager fs(fsPath, fsLabel);
843 fs.createFile(filePath);
845 // set and get labels for fd
846 fs.testSmackFSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
847 fs.testSmackFSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
848 fs.testSmackFGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
849 fs.testSmackFGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
852 RUNNER_TEST_SMACK(smack10_adding_removing_rules)
857 struct smack_accesses *rules = nullptr;
859 for (i = 0; i < accessesBasic.size(); ++i)
862 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
863 SmackAccessesPtr rules_ptr(rules);
866 result = smack_accesses_add(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
867 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
870 result = smack_accesses_apply(rules_ptr.get());
871 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
873 // Checking if accesses were created
874 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
875 RUNNER_ASSERT_MSG(result == 1,
876 " Error while checking smack access. Result: " << result);
878 // Deleting all rules
882 for (i = 0; i < 3; ++i)
884 // --- Creating rules (r or w or x)
885 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
886 SmackAccessesPtr rules_ptr(rules);
889 result = smack_accesses_add(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
890 RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
893 result = smack_accesses_apply(rules_ptr.get());
894 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
895 // Checking if accesses were created
896 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
897 RUNNER_ASSERT_MSG(result == 1,
898 " Error while checking smack access. Result: " << result);
900 // Checking if wrong accesses were not created
901 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
902 RUNNER_ASSERT_MSG(result == 0,
903 " Error while checking smack access. Result: " << result);
905 // --- Modifying accesses (r for wx or w for rx or x for rw)
906 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,
907 accessesBasic[i + 3].c_str(),accessesBasic[i].c_str());
908 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
911 result = smack_accesses_apply(rules_ptr.get());
912 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
914 // Checking if accesses were created
915 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
916 RUNNER_ASSERT_MSG(result == 1,
917 " Error while checking smack access. Result: " << result);
919 // Checking if wrong accesses were not created
920 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
921 RUNNER_ASSERT_MSG(result == 0,
922 " Error while checking smack access. Result: " << result);
925 // --- Creating complementary rules (r or w or x)
926 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
927 rules_ptr.reset(rules);
930 result = smack_accesses_add(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT,
931 accessesBasic[i].c_str());
932 RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
934 // Checking if accesses were created
935 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
936 RUNNER_ASSERT_MSG(result == 1,
937 " Error while checking smack access. Result: " << result);
940 result = smack_accesses_apply(rules_ptr.get());
941 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
943 // Checking if accesses were created
944 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
945 RUNNER_ASSERT_MSG(result == 1,
946 " Error while checking smack access. Result: " << result);
948 // --- Modifying accesses (adding rwx and removing r or w or x)
949 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"rwx",
950 accessesBasic[i].c_str());
951 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
954 result = smack_accesses_apply(rules_ptr.get());
955 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
957 // Checking if accesses were created
958 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
959 RUNNER_ASSERT_MSG(result == 1,
960 " Error while checking smack access. Result: " << result);
962 // Checking if wrong accesses were not created
963 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
964 RUNNER_ASSERT_MSG(result == 0,
965 " Error while checking smack access. Result: " << result);
967 // --- Adding crossing accesses (rx or rw or wx)
968 result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,
969 accessesBasic[3 + ((i + 1) % 3)].c_str(),"");
970 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
973 result = smack_accesses_apply(rules_ptr.get());
974 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
976 // Checking if accesses were created
977 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,
978 accessesBasic[3 + ((i + 1) % 3)].c_str());
979 RUNNER_ASSERT_MSG(result == 1,
980 " Error while checking smack access. Result: " << result);
982 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx");
983 RUNNER_ASSERT_MSG(result == 1,
984 " Error while checking smack access. Result: " << result);
986 // Deleting all rules
987 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","rwx");
988 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
990 result = smack_accesses_apply(rules_ptr.get());
991 RUNNER_ASSERT_MSG(result == 0, "Error while checking smack access. Result: " << result);
993 // Deleting all rules
998 RUNNER_TEST_SMACK(smack11_saving_loading_rules)
1003 struct smack_accesses *rules = nullptr;
1006 removeAccessesAll();
1008 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
1009 SmackAccessesPtr rules_ptr(rules);
1011 // Loading file with rwxat rules - test_smack_rules_full
1012 fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
1013 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules_full");
1015 // Adding rules from file
1016 result = smack_accesses_add_from_file(rules_ptr.get(), fd);
1018 RUNNER_ASSERT_MSG(result == 0, "Error importing accesses from file");
1021 result = smack_accesses_apply(rules_ptr.get());
1022 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1025 result = smack_have_access("test_subject_01", "test_object_02", "rwxat");
1026 RUNNER_ASSERT_MSG(result == 1,
1027 " Error while checking smack accesses.");
1028 result = smack_have_access("test_subject_01", "test_object_03", "rwxat");
1029 RUNNER_ASSERT_MSG(result == 1,
1030 " Error while checking smack accesses.");
1031 result = smack_have_access("test_subject_02", "test_object_01", "rwxat");
1032 RUNNER_ASSERT_MSG(result == 1,
1033 " Error while checking smack accesses.");
1034 result = smack_have_access("test_subject_02", "test_object_02", "rwxat");
1035 RUNNER_ASSERT_MSG(result == 1,
1036 " Error while checking smack accesses.");
1037 result = smack_have_access("test_subject_02", "test_object_03", "rwxat");
1038 RUNNER_ASSERT_MSG(result == 1,
1039 " Error while checking smack accesses.");
1040 result = smack_have_access("test_subject_03", "test_object_01", "rwxat");
1041 RUNNER_ASSERT_MSG(result == 1,
1042 " Error while checking smack accesses.");
1043 result = smack_have_access("test_subject_03", "test_object_02", "rwxat");
1044 RUNNER_ASSERT_MSG(result == 1,
1045 " Error while checking smack accesses.");
1046 result = smack_have_access("test_subject_03", "test_object_03", "rwxat");
1047 RUNNER_ASSERT_MSG(result == 1,
1048 " Error while checking smack accesses.");
1051 removeAccessesAll();
1054 rules_ptr.release();
1055 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
1056 rules_ptr.reset(rules);
1058 // Loading file with partial wrong rules - test_smack_rules2
1059 fd = open("/etc/smack/test_smack_rules2", O_RDONLY, 0644);
1060 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules2");
1062 // Adding rules from file
1063 result = smack_accesses_add_from_file(rules_ptr.get(), fd);
1065 RUNNER_ASSERT_MSG(result == 0, "Error importing accesses from file");
1068 result = smack_accesses_apply(rules_ptr.get());
1069 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1072 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_01"),
1073 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
1074 result = smack_have_access("test_subject_01", "test_object_02", "rwatl");
1075 RUNNER_ASSERT_MSG(result == 1,
1076 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1077 result = smack_have_access("test_subject_01", "test_object_03", "wat");
1078 RUNNER_ASSERT_MSG(result == 1,
1079 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1080 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_02", "test_object_01"),
1081 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
1082 result = smack_have_access("test_subject_02", "test_object_02", "wa-lt");
1083 RUNNER_ASSERT_MSG(result == 1,
1084 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1085 result = smack_have_access("test_subject_02", "test_object_03", "wr");
1086 RUNNER_ASSERT_MSG(result == 1,
1087 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1088 result = smack_have_access("test_subject_03", "test_object_01", "a");
1089 RUNNER_ASSERT_MSG(result == 1,
1090 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1091 result = smack_have_access("test_subject_03", "test_object_02", "rwat");
1092 RUNNER_ASSERT_MSG(result == 1,
1093 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1094 result = smack_have_access("test_subject_03", "test_object_03", "w---l-");
1095 RUNNER_ASSERT_MSG(result == 1,
1096 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1099 removeAccessesAll();
1102 rules_ptr.release();
1103 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
1104 rules_ptr.reset(rules);
1106 // Loading file with partial wrong rules - test_smack_rules3
1107 fd = open("/etc/smack/test_smack_rules3", O_RDONLY, 0644);
1108 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules3");
1110 // Adding rules from file
1111 result = smack_accesses_add_from_file(rules_ptr.get(), fd);
1113 RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
1116 removeAccessesAll();
1119 rules_ptr.release();
1120 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
1121 rules_ptr.reset(rules);
1123 // Loading file with partial wrong rules - test_smack_rules4
1124 fd = open("/etc/smack/test_smack_rules4", O_RDONLY, 0644);
1125 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules4");
1127 // Adding rules from file
1128 result = smack_accesses_add_from_file(rules_ptr.get(), fd);
1130 RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
1133 removeAccessesAll();
1136 //int smack_new_label_from_socket(int fd, char **label);
1139 static void smack_set_another_label_for_self(void)
1141 static int number = time(nullptr);
1144 std::string smack_label("s" + std::to_string(number));
1146 int result = smack_set_label_for_self(smack_label.c_str());
1147 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self(" << smack_label << ") failed");
1150 static void smack_unix_sock_server(int sock)
1156 fd = accept(sock, nullptr, nullptr);
1158 RUNNER_ASSERT_ERRNO(fd >= 0);
1159 FdUniquePtr fd_ptr(&fd);
1161 result = smack_new_label_from_self(&label);
1162 RUNNER_ASSERT_MSG(result >= 0, "smack_new_label_from_self() failed");
1163 CStringPtr label_ptr(label);
1164 result = write(fd, label, strlen(label));
1165 RUNNER_ASSERT_ERRNO_MSG(result == (int)strlen(label), "write() failed");
1169 RUNNER_MULTIPROCESS_TEST_SMACK(smack09_new_label_from_socket)
1172 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
1174 smack_set_another_label_for_self();
1176 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
1177 if (!pid) { /* child process, server */
1181 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1182 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
1183 SockUniquePtr sock_ptr(&sock);
1184 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1185 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
1186 result = listen(sock, 1);
1187 RUNNER_ASSERT_ERRNO_MSG(result == 0, "listen failed");
1188 smack_unix_sock_server(sock);
1191 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
1192 /* Test if socket label was unaffected by fork() */
1193 smack_unix_sock_server(sock);
1196 smack_set_another_label_for_self();
1197 smack_unix_sock_server(sock);
1201 } else { /* parent process, client */
1202 sleep(1); /* Give server some time to setup listening socket */
1203 for (int i = 0; i < 4; ++i) {
1205 char smack_label1[SMACK_LABEL_LEN + 1];
1208 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1209 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
1210 SockUniquePtr sock_ptr(&sock);
1211 result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1212 RUNNER_ASSERT_ERRNO_MSG(result == 0, "connect failed");
1214 result = read(sock, smack_label1, SMACK_LABEL_LEN);
1216 RUNNER_ASSERT_ERRNO_MSG(result >= 0, "read failed");
1217 smack_label1[result] = '\0';
1218 result = smack_new_label_from_socket(sock, &smack_label2);
1219 SmackLabelPtr label2_ptr(smack_label2);
1220 RUNNER_ASSERT_MSG(result >= 0, "smack_label_from_socket failed");
1221 result = strcmp(smack_label1, label2_ptr.get());
1223 RUNNER_ASSERT_MSG(result == 0, "smack labels differ: '" << smack_label1
1224 << "' != '" << smack_label2 << "' i == " << i);
1226 RUNNER_ASSERT_MSG(result != 0, "smack labels do not differ: '" << smack_label1
1227 << "' != '" << smack_label2 << "' i == " << i);
1232 void createFileWithLabel(const std::string &filePath, const std::string &fileLabel)
1234 //create temporary file and set label for it
1237 unlink(filePath.c_str());
1238 //allow to create file with 777 rights
1239 systemMask = umask(0000);
1240 int fd = open(filePath.c_str(), O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
1241 //restore system mask
1243 RUNNER_ASSERT_ERRNO_MSG(fd > -1, "Unable to create file for tests");
1245 //for descriptor protection
1246 FdUniquePtr fd_ptr(&fd);
1248 //change owner and group to user APP
1249 int ret = chown(filePath.c_str(), APP_UID, APP_GID);
1250 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Unable to change file owner");
1252 //set smack label on file
1253 ret = smack_setlabel(filePath.c_str(), fileLabel.c_str(), SMACK_LABEL_ACCESS);
1254 RUNNER_ASSERT_MSG(ret == 0, "Unable to set label for file: " << ret);
1256 char *label = nullptr;
1257 ret = smack_getlabel(filePath.c_str(), &label, SMACK_LABEL_ACCESS);
1258 RUNNER_ASSERT_MSG(ret == 0, "Unable to get label from file");
1259 std::string label_str(label ? label : "");
1261 RUNNER_ASSERT_MSG(label_str == fileLabel, "File label not match set label");
1264 void prepareEnvironment(const std::string &subject, const std::string &object, const std::string &access)
1266 const std::string ruleAll = "x";
1268 SecurityServer::AccessProvider provider(subject);
1269 provider.addObjectRule("User", ruleAll);
1270 provider.addObjectRule(object, access);
1271 provider.applyAndSwithToUser(APP_UID, APP_GID);
1274 //- Add "l" rule to system
1276 //Should be able to add "l" rule to system
1277 RUNNER_CHILD_TEST_SMACK(smack13_0_checking_laccess_mode_enabled_on_device)
1279 std::string selfLabel = "smack13_0";
1280 std::string filename = "smack13_0_file";
1282 //function inside checks if rule exist after add it
1283 SecurityServer::AccessProvider provider(selfLabel);
1284 provider.addObjectRule(filename, "l");
1287 int ret = smack_have_access(selfLabel.c_str(), filename.c_str(), "l");
1288 RUNNER_ASSERT_MSG(ret == 1, "Error in adding laccess rule - l");
1292 //- Set label for file and self
1295 //Should have no access due to missing SMACK rule
1296 RUNNER_CHILD_TEST_SMACK(smack13_1_checking_laccess_mode)
1298 std::string selfLabel = "smack13_1";
1299 std::string filename = "smack13_1_file";
1300 std::string filePath = testDir + filename;
1302 createFileWithLabel(filePath, filename);
1303 int fd = open(filePath.c_str(), O_RDWR, 0);
1304 FdUniquePtr fd_ptr(&fd);
1306 SecurityServer::AccessProvider provider(selfLabel);
1307 provider.applyAndSwithToUser(APP_UID, APP_GID);
1309 int ret = flock(fd, LOCK_EX | LOCK_NB);
1310 RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file");
1311 ret = flock(fd, LOCK_UN | LOCK_NB);
1312 RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file");
1313 ret = flock(fd, LOCK_SH | LOCK_NB);
1314 RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file");
1318 //- Set label for file and self
1319 //- Add SMACK rule "l"
1322 //Should be able to lock file even without "w" rule
1323 RUNNER_CHILD_TEST_SMACK(smack13_2_checking_laccess_mode_with_l_rule)
1325 std::string selfLabel = "smack13_2";
1326 std::string filename = "smack13_2_file";
1327 std::string filePath = testDir + filename;
1329 createFileWithLabel(filePath, filename);
1330 int fd = open(filePath.c_str(), O_RDWR, 0);
1331 FdUniquePtr fd_ptr(&fd);
1333 prepareEnvironment(selfLabel, filename, "l");
1335 int ret = flock(fd, LOCK_EX | LOCK_NB);
1336 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to exclusive lock file");
1337 ret = flock(fd, LOCK_UN | LOCK_NB);
1338 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to unlock file");
1339 ret = flock(fd, LOCK_SH | LOCK_NB);
1340 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to shared lock file");
1344 //- Set label for file and self
1345 //- Add SMACK rule "w"
1348 //Should be able to lock file even without "l" rule
1349 RUNNER_CHILD_TEST_SMACK(smack13_3_checking_laccess_mode_with_w_rule)
1351 std::string selfLabel = "smack13_3";
1352 std::string filename = "smack13_3_file";
1353 std::string filePath = testDir + filename;
1355 createFileWithLabel(filePath, filename);
1356 int fd = open(filePath.c_str(), O_RDWR, 0);
1357 FdUniquePtr fd_ptr(&fd);
1359 prepareEnvironment(selfLabel, filename, "w");
1361 int ret = flock(fd, LOCK_EX | LOCK_NB);
1362 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to exclusive lock file");
1363 ret = flock(fd, LOCK_UN | LOCK_NB);
1364 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to unlock file");
1365 ret = flock(fd, LOCK_SH | LOCK_NB);
1366 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to shared lock file");
1370 //- Set label for file and self
1371 //- Add SMACK rule "rw"
1373 //- Lock file (shared lock)
1374 //- Spawn child process
1375 //- Child tries to lock file (shared)
1377 //Child should be able to lock file due to shared lock
1378 RUNNER_MULTIPROCESS_TEST_SMACK(smack13_4_0_checking_laccess_mode_w_rule_child)
1380 std::string selfLabel = "smack13_4_0";
1381 std::string filename = "smack13_4_0_file";
1382 std::string filePath = testDir + filename;
1384 createFileWithLabel(filePath, filename);
1385 int fd = open(filePath.c_str(), O_RDWR);
1386 FdUniquePtr fd_ptr(&fd);
1387 int ret = flock(fd, LOCK_SH | LOCK_NB);
1388 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to shared lock file");
1393 prepareEnvironment(selfLabel, filename, "rw");
1395 int child_fd = open(filePath.c_str(), O_RDWR);
1396 RUNNER_ASSERT_ERRNO_MSG(child_fd > -1, "Unable to open created file");
1397 //for descriptor protection
1398 FdUniquePtr child_fd_ptr(&child_fd);
1400 ret = flock(child_fd, LOCK_SH | LOCK_NB);
1401 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to lock file with shared lock");
1406 //- Set label for file and self
1407 //- Add SMACK rule "l"
1409 //- Lock file (shared lock)
1410 //- Spawn child process
1411 //- Child tries to lock file (shared)
1413 //Child should be able to lock file due to shared lock
1414 RUNNER_MULTIPROCESS_TEST_SMACK(smack13_4_1_checking_laccess_mode_l_rule_child)
1416 std::string selfLabel = "smack13_4_1";
1417 std::string filename = "smack13_4_1_file";
1418 std::string filePath = testDir + filename;
1420 createFileWithLabel(filePath, filename);
1421 int fd = open(filePath.c_str(), O_RDWR);
1422 FdUniquePtr fd_str(&fd);
1423 int ret = flock(fd, LOCK_SH | LOCK_NB);
1424 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to shared lock file");
1429 //"r" is only for open in O_RDONLY mode
1430 prepareEnvironment(selfLabel, filename, "rl");
1432 int child_fd = open(filePath.c_str(), O_RDONLY, 0);
1433 RUNNER_ASSERT_ERRNO_MSG(child_fd > -1, "Unable to open created file");
1434 //for descriptor protection
1435 FdUniquePtr child_fd_ptr(&child_fd);
1437 ret = flock(child_fd, LOCK_SH | LOCK_NB);
1438 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to lock file with shared lock");
1443 //- Set label for file and self
1444 //- Add SMACK rule "rw"
1446 //- Lock file (exclusive lock)
1447 //- Spawn child process
1448 //- Child tries to lock file (exclusive / shared)
1450 //Child should not be able to lock file due to exclusive lock
1451 RUNNER_MULTIPROCESS_TEST_SMACK(smack13_4_2_checking_laccess_mode_w_rule_child)
1453 std::string selfLabel = "smack13_4_2";
1454 std::string filename = "smack13_4_2_file";
1455 std::string filePath = testDir + filename;
1457 createFileWithLabel(filePath, filename);
1458 int fd = open(filePath.c_str(), O_RDWR);
1459 FdUniquePtr fd_ptr(&fd);
1460 int ret = flock(fd, LOCK_EX | LOCK_NB);
1461 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to exclusive lock file");
1466 prepareEnvironment(selfLabel, filename, "rw");
1468 int child_fd = open(filePath.c_str(), O_RDWR, 0);
1469 RUNNER_ASSERT_ERRNO_MSG(child_fd > -1, "Unable to open created file");
1470 //for descriptor protection
1471 FdUniquePtr child_fd_ptr(&child_fd);
1473 ret = flock(child_fd, LOCK_EX | LOCK_NB);
1474 RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file with exclusive lock");
1479 //- Set label for file and self
1480 //- Add SMACK rule "l"
1482 //- Lock file (exclusive lock)
1483 //- Spawn child process
1484 //- Child tries to lock file (exclusive / shared)
1486 //Child should not be able to lock file due to exclusive lock
1487 RUNNER_MULTIPROCESS_TEST_SMACK(smack13_4_3_checking_laccess_mode_l_rule_child)
1489 std::string selfLabel = "smack13_4_3";
1490 std::string filename = "smack13_4_3_file";
1491 std::string filePath = testDir + filename;
1493 createFileWithLabel(filePath, filename);
1494 int fd = open(filePath.c_str(), O_RDWR, 0);
1495 FdUniquePtr fd_ptr(&fd);
1496 int ret = flock(fd, LOCK_EX | LOCK_NB);
1497 RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to exclusive lock file");
1502 //"r" is only for open in O_RDONLY mode
1503 prepareEnvironment(selfLabel, filename, "rl");
1505 int child_fd = open(filePath.c_str(), O_RDONLY, 0);
1506 RUNNER_ASSERT_ERRNO_MSG(child_fd > -1, "Unable to open created file");
1507 //for descriptor protection
1508 FdUniquePtr child_fd_ptr(&child_fd);
1510 ret = flock(child_fd, LOCK_EX | LOCK_NB);
1511 RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file with eclusive lock");
1516 /////////////////////////////////////////
1517 //////NOSMACK ENVIRONMENT TESTS//////////
1518 /////////////////////////////////////////
1521 * NOSMACK version of smack02 test. Functions, that should return error instead of success:
1522 * - smack_accesses_apply
1523 * - smack_have_access
1524 * - smack_revoke_subject
1525 * - smack_acceesses_clear
1527 * Tests smack03, smack04, smack10, smack_accesses_clear, smack_revoke_subject all use functions
1528 * tested in smack02 test. Results from those functions (smack_have_access, smack_accesses_apply,
1529 * smack_accesses_clear, smack_revoke_subject) would be the same as in this test. Tests mentioned
1530 * above doesn't make much sense on NOSMACK environment when test smack02 exists and passes
1531 * correctly, thus those tests are are not implemented.
1533 RUNNER_TEST_NOSMACK(smack02_aplying_rules_into_kernel_nosmack)
1536 smack_accesses *rules = nullptr;
1540 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
1541 //pass rules to unique_ptr
1542 SmackAccessesPtr rules_ptr(rules);
1544 //adding test rules to struct (same as SMACK version of smack02 test)
1545 result = smack_accesses_add(rules_ptr.get(), "writer", "book", "rwx");
1546 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
1547 result = smack_accesses_add(rules_ptr.get(), "reader", "book", "r");
1548 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
1549 result = smack_accesses_add(rules_ptr.get(), "spy", "book", "rwx");
1550 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
1552 //applying rules to kernel (should fail)
1553 result = smack_accesses_apply(rules_ptr.get());
1554 RUNNER_ASSERT_MSG(result == -1, "Unable to apply rules into kernel");
1556 //calls from SMACK version of this test - all should fail because of SMACK being turned off
1557 result = smack_have_access("spy", "book", "rwx");
1558 RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off)");
1559 result = smack_have_access("reader", "book", "rwx");
1560 RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off)");
1561 result = smack_have_access("s02badsubjectlabel", "book", "rwx");
1562 RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off)");
1564 //testing subject revoking - should return error (no accesses applied = no subjects to revoke)
1565 result = smack_revoke_subject("s02nonexistinglabel");
1566 RUNNER_ASSERT_MSG(result == -1, "smack_revoke_subject error - subject doesn't exist.");
1567 result = smack_revoke_subject("spy");
1568 RUNNER_ASSERT_MSG(result == -1, "smack_revoke_subject error - subject doesn't exist.");
1570 //after revoking smack_have_access still should return error
1571 result = smack_have_access("spy", "book", "rwx");
1572 RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off).");
1574 result = smack_accesses_add(rules_ptr.get(), "s02subjectlabel", "book", "rwx");
1575 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
1577 //smack_accesses_clear should return error aswell
1578 result = smack_accesses_clear(rules_ptr.get());
1579 RUNNER_ASSERT_MSG(result == -1, "Clearing rules should return error - no SMACK on system.");
1581 result = smack_have_access("writer", "book", "rwx");
1582 RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off).");
1586 * NOSMACK version of smack11 test. Tests functions:
1587 * - smack_accesses_add_from_file
1589 * Since other SMACK functions were tested in smack02 test, the only function needed to be checked
1590 * is applying rules loaded from file.
1592 RUNNER_TEST_NOSMACK(smack03_saving_loading_rules_nosmack)
1597 smack_accesses* tmp = nullptr;
1599 RUNNER_ASSERT(smack_accesses_new(&tmp) == 0);
1600 SmackAccessesPtr rules(tmp);
1602 //open file with rules
1603 fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
1604 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules_full");
1606 //load accesses from file
1607 result = smack_accesses_add_from_file(rules.get(), fd);
1609 RUNNER_ASSERT_MSG(result == 0, "Error while importing accesses from file. Result: " << result);
1613 * NOSMACK version of smack05 test. Tests if functions getting, or
1614 * setting self label work correctly (that is, return error).
1616 RUNNER_TEST_NOSMACK(smack04_self_label_nosmack)
1618 char* label = nullptr;
1622 char buff[SMACK_LABEL_LEN+1];
1624 //smack_new_label_from_self should fail
1625 result = smack_new_label_from_self(&label);
1626 RUNNER_ASSERT_MSG(result == -1, "new_label_from_self should return error (SMACK is off).");
1627 RUNNER_ASSERT_MSG(label == nullptr, "new_label_from_self shouldn't allocate memory to label.");
1628 //We don't need to remember about freeing label - smack_new_label_from_self must return nullptr
1629 //label if it's working properly.
1631 // /proc/self/attr/current shouldn't keep any rules inside
1632 fd = open("/proc/self/attr/current", O_RDONLY, 0644); //file exists, so it should open
1633 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "/proc/self/attr/current failed to open");
1634 FdUniquePtr fd_ptr(&fd);
1636 result = read(fd, buff, SMACK_LABEL_LEN); //however reading it should return error
1637 RUNNER_ASSERT_ERRNO_MSG(result < 0, "Reading /proc/self/attr/current should return error");
1639 //setting label for self should fail
1640 result = smack_set_label_for_self("s04testlabel");
1641 RUNNER_ASSERT_MSG(result == -1, "set_label_for_self should return error (SMACK is off).");
1643 //getting previously set label should also fail
1644 result = smack_new_label_from_self(&label);
1645 RUNNER_ASSERT_MSG(result == -1, "new_label_from_self should return error (SMACK is off).");
1646 RUNNER_ASSERT_MSG(label == nullptr, "new_label_from_self shouldn't allocate memory to label.");
1648 // /proc/self/attr/current still shouldn't keep any rules inside
1649 result = lseek(fd, 0, SEEK_SET); //going to the file beginning
1650 RUNNER_ASSERT_ERRNO_MSG(result == 0, "lseek() error");
1652 result = read(fd, buff, SMACK_LABEL_LEN); //however it should return error
1653 RUNNER_ASSERT_ERRNO_MSG(result < 0, "Reading /proc/self/attr/current should return error");
1657 * NOSMACK version of smack_accesses_add_modify_x tests.
1659 * Because all smack_accesses_add_modify tests are basically the same (all use smack_accesses_apply
1660 * and smack_have_access, which return -1 when SMACK is turned off), it makes much more sense to
1661 * write one test which will create rules using smack_accesses_add_modify and then check if
1662 * smack_accesses_apply and smack_have_access indeed return -1 when SMACK is turned off.
1664 RUNNER_TEST_NOSMACK(smack05_accesses_add_modify_nosmack)
1667 smack_accesses* rules = nullptr;
1669 RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
1671 SmackAccessesPtr rules_ptr(rules);
1673 //Not doing clean_up() every RUNNER_ASSERT_MSG - what clean_up does is just a creation of new
1674 //rule struct and removal of currenctly added and applied rules. clean_up() must be done only
1675 //after smack_accesses_apply().
1676 result = smack_accesses_add_modify(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT, "rwx", "");
1677 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule. Result: " << result);
1679 result = smack_accesses_add_modify(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT, "rwx", "");
1680 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule. Result: " << result);
1682 result = smack_accesses_apply(rules_ptr.get());
1683 RUNNER_ASSERT_MSG(result == -1,
1684 "smack_accesses_apply should return error (SMACK is off). Result: " << result);
1686 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx");
1689 RUNNER_FAIL_MSG("smack_have_access should return error (SMACK is off). Result: "
1697 * NOSMACK version of smack09 test.
1699 * This test checks if smack_new_label_from_socket reacts correctly. Since label should be
1700 * acquired from getsockopt, and it should fail, we must only set up socket and call
1701 * smack_new_label_from_socket. It should return error.
1703 RUNNER_MULTIPROCESS_TEST_NOSMACK(smack09_new_label_from_socket_nosmack)
1706 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
1711 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
1712 if (!pid) { //child (server)
1717 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1718 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
1719 SockUniquePtr sock_ptr(&sock);
1721 //Bind it to sockaddr
1722 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
1723 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
1725 //Prepare for listening
1726 result = listen(sock, 1);
1727 RUNNER_ASSERT_ERRNO_MSG(result == 0, "listen failed");
1731 fd = accept(sock, nullptr, nullptr);
1733 RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Failed when accepting connection from client");
1734 FdUniquePtr fd_ptr(&fd);
1736 //wait for smack_new_label_from_socket execution
1742 else { //parent (client)
1743 //Wait a little bit until server is set up
1748 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1749 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
1750 SockUniquePtr sock_ptr(&sock);
1752 //Connect to sockaddr
1753 result = connect(sock, (struct sockaddr*) &sockaddr,
1754 sizeof(struct sockaddr_un));
1755 RUNNER_ASSERT_ERRNO_MSG(result == 0, "connect failed");
1757 //Try getting label, should fail beacuse getsockopt won't get anything
1758 result = smack_new_label_from_socket(sock, &smack_label);
1759 RUNNER_ASSERT_MSG(result == -1, "smack_new_label_from_socket should fail.");