2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Pawel Polawski (p.polawski@samsung.com)
20 * @author Jan Olszak (j.olszak@samsung.com)
22 * @brief libprivilege test runer
28 #include <dpl/test/test_runner.h>
29 #include <dpl/log/log.h>
30 #include <sys/types.h>
33 #include <sys/smack.h>
34 #include <sys/xattr.h>
35 #include <sys/socket.h>
39 #define TEST_SUBJECT "test_subject"
40 #define TEST_OBJECT "test_oject"
41 #define TEST_OBJECT_2 "test_oject_2"
43 #define SOCK_PATH "/tmp/test-smack-socket"
45 std::vector<std::string> accessesBasic = { "r", "w", "x", "wx", "rx", "rw", "rwx", "rwxat" };
50 int files_compare(int fd1, int fd2)
54 //for getting files sizes
58 void * h1 = MAP_FAILED;
59 void * h2 = MAP_FAILED;
61 //getting files information
62 if(fstat(fd1, &fs1) == -1) {
66 if(fstat(fd2, &fs2) == -1) {
71 if(fs1.st_size != fs2.st_size) //if files are identical size will be the same
74 //mapping files to process memory
75 if((h1 = mmap(0, fs1.st_size, PROT_READ, MAP_SHARED, fd1, 0 )) == MAP_FAILED) {
79 if((h2 = mmap(0, fs2.st_size, PROT_READ, MAP_SHARED, fd2, 0 )) == MAP_FAILED) {
84 result = memcmp(h1, h2, fs1.st_size);
86 //cleaning after mmap()
89 munmap(h2, fs2.st_size);
91 munmap(h1, fs1.st_size);
97 RUNNER_TEST_GROUP_INIT(libsmack)
99 * Helper method to reset privileges at the begginning of tests.
102 struct smack_accesses * rules = NULL;
103 int result = smack_accesses_new(&rules);
104 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
107 smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","rwxat");
108 smack_accesses_apply(rules);
109 smack_accesses_free(rules);
112 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") != 1, "Rule has previous privileges after cleaning up!");
113 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"w") != 1, "Rule has previous privileges after cleaning up!");
114 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"x") != 1, "Rule has previous privileges after cleaning up!");
115 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"a") != 1, "Rule has previous privileges after cleaning up!");
116 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"t") != 1, "Rule has previous privileges after cleaning up!");
120 * Checking if subject has any access to object
122 bool checkNoAccesses(const char *subject, const char *object){
124 result = smack_have_access(subject, object,"r");
128 result = smack_have_access(subject, object,"w");
132 result = smack_have_access(subject, object,"x");
136 result = smack_have_access(subject, object,"a");
140 result = smack_have_access(subject, object,"t");
147 int removeAccessesAll()
149 struct smack_accesses * rules = NULL;
150 int result = smack_accesses_new(&rules);
151 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
153 result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_01", "", "rxwat");
154 result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_02", "", "rxwat");
155 result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_03", "", "rxwat");
156 result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_01", "", "rxwat");
157 result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_02", "", "rxwat");
158 result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_03", "", "rxwat");
159 result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_01", "", "rxwat");
160 result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_02", "", "rxwat");
161 result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_03", "", "rxwat");
163 smack_accesses_apply(rules);
164 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
165 smack_accesses_free(rules);
170 * Add a new access with smack_accesses_add_modify()
172 RUNNER_TEST(smack_accesses_add_modify_test_1){
177 struct smack_accesses * rules = NULL;
178 result = smack_accesses_new(&rules);
181 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"xr","");
182 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify by empty rules");
183 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
185 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"xr");
186 RUNNER_ASSERT_MSG(result == 1, "Rule modified (added 'xr'), but no change made.");
190 smack_accesses_free(rules);
195 * Test if rules are applied in the right order, and modification works.
197 RUNNER_TEST(smack_accesses_add_modify_test_2){
199 struct smack_accesses * rules = NULL;
200 result = smack_accesses_new(&rules);
201 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
206 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"r","");
207 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
209 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
210 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
212 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
213 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 0, "Modification didn't work");
217 smack_accesses_free(rules);
222 * Test if rules are applied in the right order, and modification works.
223 * Using different smack_accesses list to add and delete.
225 RUNNER_TEST(smack_accesses_add_modify_test_3){
227 struct smack_accesses * rules = NULL;
228 result = smack_accesses_new(&rules);
229 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
235 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"r","");
236 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
237 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
238 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 1, "Adding privileges didn't work");
239 smack_accesses_free(rules);
241 // Revoke r privilege
242 result = smack_accesses_new(&rules);
243 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
244 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
245 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
246 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
248 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
249 RUNNER_ASSERT_MSG(result == 0, "Modification didn't work, rule has still 'r' privileges.");
253 smack_accesses_free(rules);
257 * Add a list of privileges and then revoke just ONE of them.
259 RUNNER_TEST(smack_accesses_add_modify_test_4){
261 struct smack_accesses * rules = NULL;
262 result = smack_accesses_new(&rules);
263 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
268 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwxat","");
269 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
270 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
272 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
273 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
274 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
276 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
277 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
278 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
279 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
283 smack_accesses_free(rules);
287 * Add a list of privileges and then revoke just ONE of them.
288 * Without applying privileges in between those actions.
290 RUNNER_TEST(smack_accesses_add_modify_test_5){
292 struct smack_accesses * rules = NULL;
293 result = smack_accesses_new(&rules);
294 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
299 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwxat","");
300 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
302 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
303 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
304 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
306 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
307 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
308 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
309 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
313 smack_accesses_free(rules);
318 * Add a list of privileges and then revoke just TWO of them.
320 RUNNER_TEST(smack_accesses_add_modify_test_6){
322 struct smack_accesses * rules = NULL;
323 result = smack_accesses_new(&rules);
324 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
329 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwt","");
330 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
331 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
333 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"ax","rt");
334 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
335 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
337 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"wax");
338 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'wax' privileges.");
339 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
340 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
344 smack_accesses_free(rules);
348 * Run smack_accesses_add_modify with the same accesses_add and accesses_del.
350 RUNNER_TEST(smack_accesses_add_modify_test_7){
354 struct smack_accesses * rules = NULL;
356 for(i = 0; i<accessesBasic.size(); ++i){
357 result = smack_accesses_new(&rules);
358 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
360 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str(),accessesBasic[i].c_str());
361 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
362 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
364 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
365 " Error while checking smack access. Accesses exist.");
369 smack_accesses_free(rules);
374 * Revoke subject with previously added rules and revoke it again.
376 RUNNER_TEST(smack_revoke_subject_test_1){
380 struct smack_accesses * rules = NULL;
382 for(i = 0; i<accessesBasic.size(); ++i){
384 // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
385 result = smack_accesses_new(&rules);
386 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
387 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str(),"");
388 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str(),"");
389 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
390 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
391 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
392 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
393 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
394 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
397 result = smack_revoke_subject(TEST_SUBJECT);
398 RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work.");
400 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
401 " Revoke didn't work. Accesses exist.");
402 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
403 " Revoke didn't work. Accesses exist.");
406 // Revoking subject again
407 result = smack_revoke_subject(TEST_SUBJECT);
408 RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work.");
410 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
411 " Revoke didn't work. Accesses exist.");
412 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
413 " Revoke didn't work. Accesses exist.");
415 smack_accesses_free(rules);
422 RUNNER_TEST(smack_accesses_clear_test_1){
426 struct smack_accesses * rules = NULL;
428 for(i = 0; i<accessesBasic.size(); ++i){
430 // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
431 result = smack_accesses_new(&rules);
432 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
433 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
434 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
435 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
436 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
437 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
439 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
440 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
441 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
442 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
444 smack_accesses_free(rules);
446 // Creating and clearing rules with TEST_OBJECT
447 result = smack_accesses_new(&rules);
448 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
449 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
450 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
451 result = smack_accesses_clear(rules);
452 RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work.");
454 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
455 RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work. Rule " << accessesBasic[i].c_str() << " does exist.");
456 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
457 RUNNER_ASSERT_MSG(result == 1, "Clearing rules didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
459 smack_accesses_free(rules);
461 // Creating and clearing rules with TEST_OBJECT_2
462 result = smack_accesses_new(&rules);
463 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
465 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
466 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
467 result = smack_accesses_clear(rules);
468 RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work.");
470 smack_accesses_free(rules);
472 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
473 " Clear didn't work. Accesses exist.");
474 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
475 " Clear didn't work. Accesses exist.");
479 RUNNER_TEST(smack01_storing_and_restoring_rules)
482 * author: Pawel Polawski
483 * test: smack_accesses_new, smack_accesses_add, smack_accesses_add_modify, smack_accesses_add_from_file,
484 * smack_accesses_free, smack_accesses_save
485 * description: This test case will create structure holding SMACK rules and add new one to it. Next rules will be
486 * stored and restored from file.
487 * expect: Rules created and stored in file should be identical to predefined template.
490 struct smack_accesses * rules = NULL; //rules prepared in this test case
491 struct smack_accesses * import_test = NULL; //rules imported from file
493 int result; //result of each operation to be tested by RUNNER_ASSERT
494 int fd, tmp, sample; //file descripptors for save / restore rules tests
496 //int smack_accesses_new(struct smack_accesses **accesses);
497 result = smack_accesses_new(&rules); //rules struct init
498 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
499 result = smack_accesses_new(&import_test); //rules struct init
500 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
503 fd = open("/tmp/smack01_rules", O_RDWR | O_CREAT | O_TRUNC, 0644); //for export prepared rules
504 RUNNER_ASSERT_MSG(fd >= 0, "Unable to create /tmp/smack01_rules");
505 tmp = open("/tmp/smack01_tmp", O_RDWR | O_CREAT | O_TRUNC, 0644); //for import rules exported before
506 RUNNER_ASSERT_MSG(fd >= 0, "Unable to create /tmp/smack01_tmp");
507 sample = open("/etc/smack/test_smack_rules", O_RDONLY, 0644); //reference preinstalled rules
508 RUNNER_ASSERT_MSG(sample >= 0, "Unable to open /etc/smack/test_smack_rules");
510 //int smack_accesses_add(struct smack_accesses *handle, const char *subject,
511 // const char *object, const char *access_type);
512 result = smack_accesses_add(rules, "writer", "book", "rw");
513 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
514 result = smack_accesses_add(rules, "reader", "book", "wx");
515 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
517 //int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
518 // const char *object, const char *access_add, const char *access_del);
519 result = smack_accesses_add_modify(rules, "reader", "book", "r", "wx");
520 RUNNER_ASSERT_MSG(0 == result, "Unable to modify smack rules");
522 //int smack_accesses_save(struct smack_accesses *handle, int fd);
523 result = smack_accesses_save(rules, fd);
524 RUNNER_ASSERT_MSG(0 == result, "Unable to save smack_accesses instance in file");
526 //int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd);
527 result = lseek(fd, 0, SEEK_SET);
528 RUNNER_ASSERT_MSG(result == 0, "lseek() error");
529 result = smack_accesses_add_from_file(import_test, fd);
530 RUNNER_ASSERT_MSG(result == 0, "Unable to import rules from file");
532 result = smack_accesses_save(import_test, tmp);
533 RUNNER_ASSERT_MSG(result == 0, "Unable to save smack_accesses instance in file");
535 result = files_compare(fd, tmp); //comparing rules saved in file, restored from it and stored one more time
536 RUNNER_ASSERT_MSG(result == 0, "No match in stored and restored rules");
538 result = files_compare(tmp, sample); //comparing rules stored in file with reference preinstalled rules
539 RUNNER_ASSERT_MSG(result == 0, "No match in stored rules and pattern file");
541 //void smack_accesses_free(struct smack_accesses *handle);
542 smack_accesses_free(rules);
543 smack_accesses_free(import_test);
545 //closing file descriptors
551 RUNNER_TEST(smack02_aplying_rules_into_kernel)
554 * author: Pawel Polawski
555 * test: smack_accesses_apply, smack_have_access, smack_revoke_subject, smack_accesses_clear, smack_accesses_new,
556 * smack_accesses_add, smack_accesses_free
557 * description: In this test case aplying rules to kernel will be tested. After that function for test
558 * accesses will be used.
559 * expect: In case of correct rules access should be granted.
562 //CAP_MAC_ADMIN needed for process to be able to change rules in kernel (apllying, removing)
564 struct smack_accesses * rules = NULL; //rules prepared in this test case
565 int result; //for storing functions results
567 result = smack_accesses_new(&rules); //rules struct init
568 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
570 //adding test rules to struct
571 result = smack_accesses_add(rules, "writer", "book", "rwx");
572 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
573 result = smack_accesses_add(rules, "reader", "book", "r");
574 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
575 result = smack_accesses_add(rules, "spy", "book", "rwx");
576 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
578 //int smack_accesses_apply(struct smack_accesses *handle);
579 result = smack_accesses_apply(rules); //applying rules to kernel
580 RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel");
582 //int smack_have_access(const char *subject, const char *object,
583 // const char *access_type);
584 result = smack_have_access("spy", "book", "rwx"); //should have access - rule exist
585 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
586 result = smack_have_access("reader", "book", "rwx"); //should have no access - wrong rule, should be "r" only
587 RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
588 result = smack_have_access("mars", "book", "rwx"); //should have no acces - rule not exist
589 RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
591 //int smack_revoke_subject(const char *subject);
592 result = smack_revoke_subject("snickers"); //this subject do not exist in kernel rules
593 RUNNER_ASSERT_MSG(result == 0, "Error in removing not existing subject from kernel");
594 result = smack_revoke_subject("spy"); //this subject exist in kernel rules
595 RUNNER_ASSERT_MSG(result == 0, "Error in removing existing subject from kernel");
597 result = smack_have_access("spy", "book", "rwx"); //testing access after revoke_subject() from kernel
598 RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); //now spy should have no access
599 result = smack_have_access("spy", "book", "-----"); //and should have "-----" rule
600 RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
602 result = smack_accesses_add(rules, "twix", "book", "rwx"); //for create new rule as a consequence of use accesses_clear() below
603 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
605 //int smack_accesses_clear(struct smack_accesses *handle);
606 result = smack_accesses_clear(rules); //"spy" removed before by using smack_revoke_subject()
607 RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel");
609 result = smack_have_access("writer", "book", "rwx"); //testing acces after acces_clear()
610 RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); //now writer also should have no access
611 result = smack_have_access("writer", "book", "-----"); //and should have "-----" rule
612 RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
613 result = smack_have_access("twix", "book", "-----"); //rule created by calling accesses_clear()
614 RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
617 smack_accesses_free(rules);
620 //pairs of rules for test with mixed cases, different length and mixed order
621 char * rules_tab[] = {
622 "reader1", "-", "-----",
623 "reader2", "--------", "-----",
624 "reader3", "RwXaT", "rwxat",
625 "reader4", "RrrXXXXTTT", "r-x-t",
626 "reader5", "-r-w-a-t", "rw-at",
627 "reader6", "", "-----",
628 "reader7", "xa--Rt---W", "rwxat",
629 "reader8", "#Ax[T].!~W@1}", "-wxat"
632 RUNNER_TEST(smack03_mixed_rule_string_add)
635 * author: Pawel Polawski
636 * test: smack_have_access, smack_accesses_new, smack_accesses_add, smack_accesses_apply, smack_accesses_free
637 * description: In thist test case rules based on mixed string are added to kernel.
638 * Strings are presented above and contains lower / upper case alpha, numbers and special signs.
639 * expect: Rules should be parsed correct and aplied to kernel.
642 //In thist test case mixed string are used as rules applied to kernel, next they are
643 //readed and compared with correct form of rules
645 struct smack_accesses * rules = NULL; //rules prepared in this test case
646 int result; //for storing functions results
649 result = smack_accesses_new(&rules); //rules struct init
650 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
652 //adding test rules with mixed string
653 for(i = 0; i < (3 * 8) ; i += 3) {
654 result = smack_accesses_add(rules, rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
655 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
659 //FIXME: Using clear() here can cover error in accesses_apply() function
660 //result = smack_accesses_clear(rules);
661 //RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel");
663 //applying rules to kernel
664 result = smack_accesses_apply(rules);
665 RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel");
667 //checking accesses using normal rules
668 for(i = 0; i < (3 * 8) ; i += 3) {
669 result = smack_have_access(rules_tab[i], "book", rules_tab[i + 2]); //using normal rules from table
670 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
674 smack_accesses_free(rules);
678 RUNNER_TEST(smack04_mixed_rule_string_have_access)
681 * author: Pawel Polawski
682 * test: smack_have_access
683 * description: In this test case we testing aplied before SMACK rules and comparing them using mixed strings.
684 * expect: Subjects should have accesses to the objects.
687 //In this test case we checking previous aplied rules but for compare mixed strings are used
692 //rules were added in previous RUNNER_TEST section
693 //checking accesses using mixed rules
694 for(i = 0; i < (3 * 8) ; i += 3) {
695 result = smack_have_access(rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
696 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
700 //RUNNER_TEST(smackXX_accesses_add_modify)
703 // - what if we want to apply rule that is already in kernel?
704 // - tests for smack_accesses_add_modify() + smack_have_access() (check if add_modify sets the proper rule)
705 // - smack_accesses_add_modify("subject", "object", "rwx", "rwx") should create empty rule
708 RUNNER_TEST(smack05_self_label)
711 * author: Pawel Polawski
712 * test: smack_set_label_for_self, smack_new_label_from_self
713 * description: In this test case process test it own default label. Next label is changed
714 * and tested one more time if change was successfull.
715 * expect: Proces should have default "-" label and can change it to the oter one.
718 //In this test case process will manipulate it own label
724 const int B_SIZE = 8;
727 char * def_rule = "_";
729 //int smack_new_label_from_self(char **label);
730 result = smack_new_label_from_self(&label);
731 RUNNER_ASSERT_MSG(result == 0, "Error in getting self label");
733 //comparing this label with default one "_"
734 result = strcmp(label, def_rule);
735 RUNNER_ASSERT_MSG(result == 0, "Wrong default process label");
737 //comparing this rule with received from /proc/self/attr/current
738 fd = open("/proc/self/attr/current", O_RDONLY, 0644);
739 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /proc/self/attr/current");
740 result = read(fd, buff, B_SIZE);
741 RUNNER_ASSERT_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
742 result = strncmp(buff, def_rule, result);
743 RUNNER_ASSERT_MSG(result == 0, "Wrong default process rule");
747 //now time for setting labels:
749 //int smack_set_label_for_self(const char *label);
750 result = smack_set_label_for_self("cola");
751 RUNNER_ASSERT_MSG(result == 0, "Error in setting self label");
753 //checking new label using smack function
754 result = smack_new_label_from_self(&label);
755 RUNNER_ASSERT_MSG(result == 0, "Error in getting self label");
756 result = strcmp(label, "cola");
757 RUNNER_ASSERT_MSG(result == 0, "Wrong process label");
759 //checking new label using /proc/self/attr/current
760 result = lseek(fd, 0, SEEK_SET); //going to the file beginning
761 RUNNER_ASSERT_MSG(result == 0, "lseek() error");
762 result = read(fd, buff, B_SIZE);
763 RUNNER_ASSERT_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
764 result = strncmp(buff, "cola", result);
765 RUNNER_ASSERT_MSG(result == 0, "Proces rule in /proc/self/attr/current other than set");
771 //RUNNER_TEST(smackXX_parent_child_label)
773 //In this test case parent process and child labels will be tested
774 //Parent will fork and check child's label. First fork will be with default "_" parent label,
775 //second one witch changed label.
778 //bellow function is from libsmack.c witch changed name
779 char * xattr(enum smack_label_type type)
782 case SMACK_LABEL_ACCESS:
783 return "security.SMACK64";
784 case SMACK_LABEL_EXEC:
785 return "security.SMACK64EXEC";
786 case SMACK_LABEL_MMAP:
787 return "security.SMACK64MMAP";
788 case SMACK_LABEL_TRANSMUTE:
789 return "security.SMACK64TRANSMUTE";
790 case SMACK_LABEL_IPIN:
791 return "security.SMACK64IPIN";
792 case SMACK_LABEL_IPOUT:
793 return "security.SMACK64IPOUT";
795 /* Should not reach this point */
800 //TODO: In bellow RUNNER_TEST add lget / lset functions to be testet the same way as normal get / set
801 RUNNER_TEST(smack06_get_set_label)
804 * author: Pawel Polawski
805 * test: smack_getlabel, smack_setlabel
806 * description: In this test case file label is tested using SMACK API functions and system xattr functions.
807 * Functions tested here is used for normal files.
808 * expect: Function should return default label, and the new one after change it.
811 //In this test case will be tested setting and getting file label
812 //If file is symbolic link functions should follow it
814 //SMACK xattr from libsmack.c:
816 //case SMACK_LABEL_ACCESS:
817 // return "security.SMACK64";
818 //case SMACK_LABEL_EXEC:
819 // return "security.SMACK64EXEC";
820 //case SMACK_LABEL_MMAP:
821 // return "security.SMACK64MMAP";
822 //case SMACK_LABEL_TRANSMUTE:
823 // return "security.SMACK64TRANSMUTE";
824 //case SMACK_LABEL_IPIN:
825 // return "security.SMACK64IPIN";
826 //case SMACK_LABEL_IPOUT:
827 // return "security.SMACK64IPOUT";
832 const int B_SIZE = 8;
835 char * file_path = "/etc/smack/test_smack_rules";
838 //preparing environment by restoring default "_" label
839 result = smack_setlabel(file_path, "_", SMACK_LABEL_ACCESS);
840 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
843 //int smack_getlabel(const char *path, char** label,
844 // enum smack_label_type type);
845 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
846 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
847 //get label, should be default "_"
848 result = strcmp(label, "_");
849 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
851 //get label using xattr function
852 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
853 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
854 //check label, should match the one readed by smack function
855 result = strncmp(buff, "_", result);
856 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
859 //int smack_setlabel(const char *path, const char* label,
860 // enum smack_label_type type);
861 result = smack_setlabel(file_path, "fanta", SMACK_LABEL_ACCESS);
862 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
865 //get label using smack function
866 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
867 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
868 //get label, should be default "fanta"
869 result = strcmp(label, "fanta");
870 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
872 //get label using xattr function
873 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
874 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
875 //check label, should match the one readed by smack function
876 result = strncmp(buff, "fanta", result);
877 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
880 //RUNNER_TEST(smackXX_get_label_exec)
882 //In this test case EXEC label will be tested
883 //by setting this type of label, reading it and testing executed binary exit status
886 RUNNER_TEST(smack07_l_get_set_label)
889 * author: Pawel Polawski
890 * test: smack_lgetlabel, smack_lsetlabel, smack_getlabel
891 * description: Functions tested here are similar to one from previous test case. The difference
892 * is that in case of symbolic link they follows it and operates on file pointed by it.
893 * expect: All label manipulations should affect file pointed by symbolic link.
899 const int B_SIZE = 8;
902 char * file_path = "/etc/smack/test_smack_rules_lnk";
905 //preparing environment by restoring default "_" label
906 result = smack_lsetlabel(file_path, "_", SMACK_LABEL_ACCESS);
907 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
908 result = smack_setlabel(file_path, "_", SMACK_LABEL_ACCESS);
909 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
912 //int smack_lgetlabel(const char *path, char** label,
913 // enum smack_label_type type);
914 result = smack_lgetlabel(file_path, &label, SMACK_LABEL_ACCESS);
915 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
916 //get label of symbolic link, should be default "_"
917 result = strcmp(label, "_");
918 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
920 //get label using xattr function
921 result = lgetxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
922 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
923 //check label, should match the one readed by smack function
924 result = strncmp(buff, "_", result);
925 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
928 //int smack_lsetlabel(const char *path, const char* label,
929 // enum smack_label_type type);
930 result = smack_lsetlabel(file_path, "7up", SMACK_LABEL_ACCESS);
931 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
932 //and set label for file pointed by link
933 result = smack_setlabel(file_path, "mirinda", SMACK_LABEL_ACCESS);
934 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
937 //get label using smack function
938 result = smack_lgetlabel(file_path, &label, SMACK_LABEL_ACCESS);
939 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
940 //check label, should be "7up"
941 result = strcmp(label, "7up");
942 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
944 //get label using xattr function
945 result = lgetxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
946 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
947 //check label, should match the one readed by smack function
948 result = strncmp(buff, "7up", result);
949 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
952 //now similar to above, but folowing symbolic link set before to "mirinda"
953 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
954 RUNNER_ASSERT_MSG(result == 0, "Error gettin label of file pointed by symbolic link");
955 //now label should be "mirinda" for file instead of "7up" set for link
956 result = strcmp(label, "mirinda");
957 RUNNER_ASSERT_MSG(result == 0, "Wrong label of file pointed by symbolic link");
959 //get label using xattr function
960 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
961 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
962 //check label, should match the one readed by smack function
963 result = strncmp(buff, "mirinda", result);
964 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
967 RUNNER_TEST(smack08_f_get_set_label)
970 * author: Pawel Polawski
971 * test: smack_fgetlabel, smack_fsetlabel
972 * description: This test case is similar to test case smack06 above. The difference
973 * is that argument is file descriptor instead of file path.
974 * Function not follow symbolic link and operates directly on it.
975 * expect: All label manipulations should affect symbolic link itself.
981 const int B_SIZE = 8;
985 char * file_path = "/etc/smack/test_smack_rules";
987 fd = open(file_path, O_RDWR, 0644); //reference preinstalled rules
988 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules");
990 //preparing environment by restoring default "_" label
991 result = smack_fsetlabel(fd, "_", SMACK_LABEL_ACCESS);
992 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
995 //int smack_fgetlabel(int fd, char** label,
996 // enum smack_label_type type);
997 result = smack_fgetlabel(fd, &label, SMACK_LABEL_ACCESS);
998 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
999 //check label, should be "_"
1000 result = strcmp(label, "_");
1001 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
1003 //get label using xattr function
1004 result = fgetxattr(fd, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
1005 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
1006 //check label, should match the one readed by smack function
1007 result = strncmp(buff, "_", result);
1008 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
1011 //int smack_fsetlabel(int fd, const char* label,
1012 // enum smack_label_type type);
1013 result = smack_fsetlabel(fd, "sprite", SMACK_LABEL_ACCESS);
1014 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
1017 //get label using smack function
1018 result = smack_fgetlabel(fd, &label, SMACK_LABEL_ACCESS);
1019 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
1020 //check label, should be "sprite"
1021 result = strcmp(label, "sprite");
1022 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
1024 //get label using xattr function
1025 result = fgetxattr(fd, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
1026 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
1027 //check label, should match the one readed by smack function
1028 result = strncmp(buff, "sprite", result);
1029 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
1035 RUNNER_TEST(smack10_adding_removing_rules)
1040 struct smack_accesses * rulesBasic = NULL;
1042 for(i = 0; i<accessesBasic.size(); ++i)
1045 result = smack_accesses_new(&rulesBasic);
1046 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1049 result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1050 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1053 result = smack_accesses_apply(rulesBasic);
1054 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1056 // Checking if accesses were created
1057 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1058 RUNNER_ASSERT_MSG(result == 1,
1059 " Error while checking smack access. Result: " << result);
1061 smack_accesses_free(rulesBasic);
1064 // Deleting all rules
1068 for(i = 0; i<3; ++i)
1070 // --- Creating rules (r or w or x)
1071 result = smack_accesses_new(&rulesBasic);
1072 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1075 result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1076 RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
1079 result = smack_accesses_apply(rulesBasic);
1080 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1081 // Checking if accesses were created
1082 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1083 RUNNER_ASSERT_MSG(result == 1,
1084 " Error while checking smack access. Result: " << result);
1086 // Checking if wrong accesses were not created
1087 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i+3].c_str());
1088 RUNNER_ASSERT_MSG(result == 0,
1089 " Error while checking smack access. Result: " << result);
1091 // --- Modifying accesses (r for wx or w for rx or x for rw)
1092 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i+3].c_str(),accessesBasic[i].c_str());
1093 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1096 result = smack_accesses_apply(rulesBasic);
1097 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1099 // Checking if accesses were created
1100 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i+3].c_str());
1101 RUNNER_ASSERT_MSG(result == 1,
1102 " Error while checking smack access. Result: " << result);
1104 // Checking if wrong accesses were not created
1105 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1106 RUNNER_ASSERT_MSG(result == 0,
1107 " Error while checking smack access. Result: " << result);
1109 smack_accesses_free(rulesBasic);
1112 // --- Creating complementary rules (r or w or x)
1113 result = smack_accesses_new(&rulesBasic);
1114 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1117 result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1118 RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
1120 // Checking if accesses were created
1121 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i+3].c_str());
1122 RUNNER_ASSERT_MSG(result == 1,
1123 " Error while checking smack access. Result: " << result);
1126 result = smack_accesses_apply(rulesBasic);
1127 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1129 // Checking if accesses were created
1130 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1131 RUNNER_ASSERT_MSG(result == 1,
1132 " Error while checking smack access. Result: " << result);
1134 // --- Modifying accesses (adding rwx and removing r or w or x)
1135 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,"rwx",accessesBasic[i].c_str());
1136 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1139 result = smack_accesses_apply(rulesBasic);
1140 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1142 // Checking if accesses were created
1143 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i+3].c_str());
1144 RUNNER_ASSERT_MSG(result == 1,
1145 " Error while checking smack access. Result: " << result);
1147 // Checking if wrong accesses were not created
1148 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1149 RUNNER_ASSERT_MSG(result == 0,
1150 " Error while checking smack access. Result: " << result);
1152 // --- Adding crossing accesses (rx or rw or wx)
1153 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,accessesBasic[3+((i+1)%3)].c_str(),"");
1154 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1157 result = smack_accesses_apply(rulesBasic);
1158 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1160 // Checking if accesses were created
1161 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[3+((i+1)%3)].c_str());
1162 RUNNER_ASSERT_MSG(result == 1,
1163 " Error while checking smack access. Result: " << result);
1165 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx");
1166 RUNNER_ASSERT_MSG(result == 1,
1167 " Error while checking smack access. Result: " << result);
1169 // Deleting all rules
1170 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,"","rwx");
1171 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1173 result = smack_accesses_apply(rulesBasic);
1174 RUNNER_ASSERT_MSG(result == 0, "Error while checking smack access. Result: " << result);
1176 smack_accesses_free(rulesBasic);
1179 // Deleting all rules
1184 RUNNER_TEST(smack11_saving_loading_rules)
1189 struct smack_accesses * rulesBasic = NULL;
1192 removeAccessesAll();
1195 result = smack_accesses_new(&rulesBasic);
1196 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1198 // Loading file with rwxat rules - test_smack_rules_full
1199 fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
1200 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules_full");
1202 // Adding rules from file
1203 result = smack_accesses_add_from_file(rulesBasic, fd);
1205 RUNNER_ASSERT_MSG(result == 0, "Error importing accesses from file");
1208 result = smack_accesses_apply(rulesBasic);
1209 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1212 result = smack_have_access("test_subject_01", "test_object_01", "rwxat");
1213 RUNNER_ASSERT_MSG(result == 1,
1214 " Error while checking smack accesses.");
1215 result = smack_have_access("test_subject_01", "test_object_02", "rwxat");
1216 RUNNER_ASSERT_MSG(result == 1,
1217 " Error while checking smack accesses.");
1218 result = smack_have_access("test_subject_01", "test_object_03", "rwxat");
1219 RUNNER_ASSERT_MSG(result == 1,
1220 " Error while checking smack accesses.");
1221 result = smack_have_access("test_subject_02", "test_object_01", "rwxat");
1222 RUNNER_ASSERT_MSG(result == 1,
1223 " Error while checking smack accesses.");
1224 result = smack_have_access("test_subject_02", "test_object_02", "rwxat");
1225 RUNNER_ASSERT_MSG(result == 1,
1226 " Error while checking smack accesses.");
1227 result = smack_have_access("test_subject_02", "test_object_03", "rwxat");
1228 RUNNER_ASSERT_MSG(result == 1,
1229 " Error while checking smack accesses.");
1230 result = smack_have_access("test_subject_03", "test_object_01", "rwxat");
1231 RUNNER_ASSERT_MSG(result == 1,
1232 " Error while checking smack accesses.");
1233 result = smack_have_access("test_subject_03", "test_object_02", "rwxat");
1234 RUNNER_ASSERT_MSG(result == 1,
1235 " Error while checking smack accesses.");
1236 result = smack_have_access("test_subject_03", "test_object_03", "rwxat");
1237 RUNNER_ASSERT_MSG(result == 1,
1238 " Error while checking smack accesses.");
1241 removeAccessesAll();
1243 smack_accesses_free(rulesBasic);
1246 result = smack_accesses_new(&rulesBasic);
1247 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1249 // Loading file with partial wrong rules - test_smack_rules2
1250 fd = open("/etc/smack/test_smack_rules2", O_RDONLY, 0644);
1251 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules2");
1253 // Adding rules from file
1254 result = smack_accesses_add_from_file(rulesBasic, fd);
1256 RUNNER_ASSERT_MSG(result == 0, "Accesses were loaded from file");
1259 result = smack_accesses_apply(rulesBasic);
1260 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1263 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_01"),
1264 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
1265 result = smack_have_access("test_subject_01", "test_object_02", "rwat");
1266 RUNNER_ASSERT_MSG(result == 1,
1267 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1268 result = smack_have_access("test_subject_01", "test_object_03", "wat");
1269 RUNNER_ASSERT_MSG(result == 1,
1270 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1271 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_02", "test_object_01"),
1272 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
1273 result = smack_have_access("test_subject_02", "test_object_02", "wa-ft");
1274 RUNNER_ASSERT_MSG(result == 1,
1275 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1276 result = smack_have_access("test_subject_02", "test_object_03", "wr");
1277 RUNNER_ASSERT_MSG(result == 1,
1278 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1279 result = smack_have_access("test_subject_03", "test_object_01", "a");
1280 RUNNER_ASSERT_MSG(result == 1,
1281 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1282 result = smack_have_access("test_subject_03", "test_object_02", "rwat");
1283 RUNNER_ASSERT_MSG(result == 1,
1284 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1285 result = smack_have_access("test_subject_03", "test_object_03", "w");
1286 RUNNER_ASSERT_MSG(result == 1,
1287 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1290 removeAccessesAll();
1292 smack_accesses_free(rulesBasic);
1295 result = smack_accesses_new(&rulesBasic);
1296 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1298 // Loading file with partial wrong rules - test_smack_rules3
1299 fd = open("/etc/smack/test_smack_rules3", O_RDONLY, 0644);
1300 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules3");
1302 // Adding rules from file
1303 result = smack_accesses_add_from_file(rulesBasic, fd);
1305 RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
1308 result = smack_accesses_apply(rulesBasic);
1309 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1312 result = smack_have_access("test_subject_01", "test_object_01", "rwat");
1313 RUNNER_ASSERT_MSG(result == 1,
1314 " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Result: " << result );
1315 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_02"),
1316 " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Accesses exist.");
1317 result = smack_have_access("test_subject_01", "test_object_03", "x");
1318 RUNNER_ASSERT_MSG(result == 0,
1319 " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Result: " << result );
1322 removeAccessesAll();
1324 smack_accesses_free(rulesBasic);
1327 result = smack_accesses_new(&rulesBasic);
1328 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1330 // Loading file with partial wrong rules - test_smack_rules4
1331 fd = open("/etc/smack/test_smack_rules4", O_RDONLY, 0644);
1332 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules4");
1334 // Adding rules from file
1335 result = smack_accesses_add_from_file(rulesBasic, fd);
1337 RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
1340 result = smack_accesses_apply(rulesBasic);
1341 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1344 result = smack_have_access("test_subject_01", "test_object_01", "rxwat");
1345 RUNNER_ASSERT_MSG(result == 1,
1346 " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Result: " << result );
1347 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_02"),
1348 " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Accesses exist.");
1349 result = smack_have_access("test_subject_01", "test_object_03", "a");
1350 RUNNER_ASSERT_MSG(result == 0,
1351 " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Result: " << result );
1354 removeAccessesAll();
1356 smack_accesses_free(rulesBasic);
1360 //int smack_new_label_from_socket(int fd, char **label);
1363 static void smack_set_another_label_for_self(void)
1365 static int number = time(NULL);
1370 result = asprintf(&smack_label, "s%ld", number);
1371 RUNNER_ASSERT_MSG(result > 0, "asprintf failed");
1372 result = smack_set_label_for_self(smack_label);
1373 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self(" << smack_label << ") failed");
1377 static void smack_unix_sock_server(int sock)
1383 fd = accept(sock, NULL, NULL);
1387 result = smack_new_label_from_self(&smack_label);
1388 RUNNER_ASSERT_MSG(result == 0, "smack_new_label_from_self() failed");
1389 result = write(fd, smack_label, strlen(smack_label));
1390 RUNNER_ASSERT_MSG(result == strlen(smack_label), "write() failed");
1395 RUNNER_TEST(smack09_new_label_from_socket)
1399 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
1401 smack_set_another_label_for_self();
1403 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1404 if (!pid) { /* child process, server */
1408 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1409 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
1410 result = bind(sock, (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
1411 RUNNER_ASSERT_MSG(result == 0, "bind failed: " << strerror(errno));
1412 result = listen(sock, 1);
1413 RUNNER_ASSERT_MSG(result == 0, "listen failed: " << strerror(errno));
1414 smack_unix_sock_server(sock);
1417 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1418 /* Test if socket label was unaffected by fork() */
1419 smack_unix_sock_server(sock);
1422 smack_set_another_label_for_self();
1423 smack_unix_sock_server(sock);
1427 waitpid(pid, NULL, 0);
1429 } else { /* parent process, client */
1430 sleep(1); /* Give server some time to setup listening socket */
1431 for (int i = 0; i < 4; ++i) {
1434 char smack_label1[SMACK_LABEL_LEN + 1];
1437 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1438 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
1439 result = connect(sock, (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
1440 RUNNER_ASSERT_MSG(result == 0, "connect failed: " << strerror(errno));
1442 result = read(sock, smack_label1, SMACK_LABEL_LEN);
1443 RUNNER_ASSERT_MSG(result >= 0, "read failed: " << strerror(errno));
1445 smack_label1[result] = '\0';
1446 result = smack_new_label_from_socket(sock, &smack_label2);
1447 RUNNER_ASSERT_MSG(result == 0, "smack_label_from_socket failed");
1448 result = strcmp(smack_label1, smack_label2);
1450 RUNNER_ASSERT_MSG(result == 0, "smack labels differ: '" << smack_label1 << "' != '" << smack_label2 << "' i == " << i);
1452 RUNNER_ASSERT_MSG(result != 0, "smack labels do not differ: '" << smack_label1 << "' != '" << smack_label2 << "' i == " << i);
1455 waitpid(pid, NULL, 0);
projects / platform / core / test / security-tests.git / blob