2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Pawel Polawski (p.polawski@samsung.com)
20 * @author Jan Olszak (j.olszak@samsung.com)
22 * @brief libprivilege test runer
27 #include <dpl/test/test_runner.h>
28 #include <dpl/log/log.h>
29 #include <sys/types.h>
32 #include <sys/smack.h>
33 #include <sys/xattr.h>
35 #define TEST_SUBJECT "test_subject"
36 #define TEST_OBJECT "test_oject"
39 int files_compare(int fd1, int fd2)
43 //for getting files sizes
47 void * h1 = MAP_FAILED;
48 void * h2 = MAP_FAILED;
50 //getting files information
51 if(fstat(fd1, &fs1) == -1) {
55 if(fstat(fd2, &fs2) == -1) {
60 if(fs1.st_size != fs2.st_size) //if files are identical size will be the same
63 //mapping files to process memory
64 if((h1 = mmap(0, fs1.st_size, PROT_READ, MAP_SHARED, fd1, 0 )) == MAP_FAILED) {
68 if((h2 = mmap(0, fs2.st_size, PROT_READ, MAP_SHARED, fd2, 0 )) == MAP_FAILED) {
73 result = memcmp(h1, h2, fs1.st_size);
75 //cleaning after mmap()
78 munmap(h2, fs2.st_size);
80 munmap(h1, fs1.st_size);
86 RUNNER_TEST_GROUP_INIT(libsmack)
88 * Helper method to reset privileges at the begginning of tests.
91 struct smack_accesses * rules = NULL;
92 int result = smack_accesses_new(&rules);
93 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
96 smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","rwxat");
97 smack_accesses_apply(rules);
98 smack_accesses_free(rules);
101 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") != 1, "Rule has previous privileges after cleaning up!");
102 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"w") != 1, "Rule has previous privileges after cleaning up!");
103 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"x") != 1, "Rule has previous privileges after cleaning up!");
104 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"a") != 1, "Rule has previous privileges after cleaning up!");
105 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"t") != 1, "Rule has previous privileges after cleaning up!");
109 * Add a new access with smack_accesses_add_modify()
111 RUNNER_TEST(smack_accesses_add_modify_test_1){
116 struct smack_accesses * rules = NULL;
117 result = smack_accesses_new(&rules);
120 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"xr","");
121 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify by empty rules");
122 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
124 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"xr");
125 RUNNER_ASSERT_MSG(result == 1, "Rule modified (added 'xr'), but no change made.");
129 smack_accesses_free(rules);
134 * Test if rules are applied in the right order, and modification works.
136 RUNNER_TEST(smack_accesses_add_modify_test_2){
138 struct smack_accesses * rules = NULL;
139 result = smack_accesses_new(&rules);
140 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
145 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"r","");
146 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
148 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
149 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
151 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
152 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 0, "Modification didn't work");
156 smack_accesses_free(rules);
161 * Test if rules are applied in the right order, and modification works.
162 * Using different smack_accesses list to add and delete.
164 RUNNER_TEST(smack_accesses_add_modify_test_3){
166 struct smack_accesses * rules = NULL;
167 result = smack_accesses_new(&rules);
168 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
174 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"r","");
175 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
176 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
177 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 1, "Adding privileges didn't work");
178 smack_accesses_free(rules);
180 // Revoke r privilege
181 result = smack_accesses_new(&rules);
182 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
183 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
184 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
185 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
187 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
188 RUNNER_ASSERT_MSG(result == 0, "Modification didn't work, rule has still 'r' privileges.");
192 smack_accesses_free(rules);
196 * Add a list of privileges and then revoke just ONE of them.
198 RUNNER_TEST(smack_accesses_add_modify_test_4){
200 struct smack_accesses * rules = NULL;
201 result = smack_accesses_new(&rules);
202 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
207 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwxat","");
208 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
209 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
211 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
212 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
213 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
215 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
216 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
217 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
218 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
222 smack_accesses_free(rules);
226 * Add a list of privileges and then revoke just ONE of them.
227 * Without applying privileges in between those actions.
229 RUNNER_TEST(smack_accesses_add_modify_test_5){
231 struct smack_accesses * rules = NULL;
232 result = smack_accesses_new(&rules);
233 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
238 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwxat","");
239 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
241 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
242 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
243 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
245 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
246 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
247 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
248 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
252 smack_accesses_free(rules);
257 * Add a list of privileges and then revoke just TWO of them.
259 RUNNER_TEST(smack_accesses_add_modify_test_6){
261 struct smack_accesses * rules = NULL;
262 result = smack_accesses_new(&rules);
263 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
268 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwt","");
269 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
270 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
272 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"ax","rt");
273 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
274 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
276 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"wax");
277 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'wax' privileges.");
278 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
279 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
283 smack_accesses_free(rules);
286 RUNNER_TEST(smack01_storing_and_restoring_rules)
289 * author: Pawel Polawski
290 * test: smack_accesses_new, smack_accesses_add, smack_accesses_add_modify, smack_accesses_add_from_file,
291 * smack_accesses_free, smack_accesses_save
292 * description: This test case will create structure holding SMACK rules and add new one to it. Next rules will be
293 * stored and restored from file.
294 * expect: Rules created and stored in file should be identical to predefined template.
297 struct smack_accesses * rules = NULL; //rules prepared in this test case
298 struct smack_accesses * import_test = NULL; //rules imported from file
300 int result; //result of each operation to be tested by RUNNER_ASSERT
301 int fd, tmp, sample; //file descripptors for save / restore rules tests
303 //int smack_accesses_new(struct smack_accesses **accesses);
304 result = smack_accesses_new(&rules); //rules struct init
305 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
306 result = smack_accesses_new(&import_test); //rules struct init
307 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
310 fd = open("/tmp/smack01_rules", O_RDWR | O_CREAT | O_TRUNC, 0644); //for export prepared rules
311 RUNNER_ASSERT_MSG(fd >= 0, "Unable to create /tmp/smack01_rules");
312 tmp = open("/tmp/smack01_tmp", O_RDWR | O_CREAT | O_TRUNC, 0644); //for import rules exported before
313 RUNNER_ASSERT_MSG(fd >= 0, "Unable to create /tmp/smack01_tmp");
314 sample = open("/etc/smack/test_smack_rules", O_RDONLY, 0644); //reference preinstalled rules
315 RUNNER_ASSERT_MSG(sample >= 0, "Unable to open /etc/smack/test_smack_rules");
317 //int smack_accesses_add(struct smack_accesses *handle, const char *subject,
318 // const char *object, const char *access_type);
319 result = smack_accesses_add(rules, "writer", "book", "rw");
320 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
321 result = smack_accesses_add(rules, "reader", "book", "wx");
322 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
324 //int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
325 // const char *object, const char *access_add, const char *access_del);
326 result = smack_accesses_add_modify(rules, "reader", "book", "r", "wx");
327 RUNNER_ASSERT_MSG(0 == result, "Unable to modify smack rules");
329 //int smack_accesses_save(struct smack_accesses *handle, int fd);
330 result = smack_accesses_save(rules, fd);
331 RUNNER_ASSERT_MSG(0 == result, "Unable to save smack_accesses instance in file");
333 //int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd);
334 result = lseek(fd, 0, SEEK_SET);
335 RUNNER_ASSERT_MSG(result == 0, "lseek() error");
336 result = smack_accesses_add_from_file(import_test, fd);
337 RUNNER_ASSERT_MSG(result == 0, "Unable to import rules from file");
339 result = smack_accesses_save(import_test, tmp);
340 RUNNER_ASSERT_MSG(result == 0, "Unable to save smack_accesses instance in file");
342 result = files_compare(fd, tmp); //comparing rules saved in file, restored from it and stored one more time
343 RUNNER_ASSERT_MSG(result == 0, "No match in stored and restored rules");
345 result = files_compare(tmp, sample); //comparing rules stored in file with reference preinstalled rules
346 RUNNER_ASSERT_MSG(result == 0, "No match in stored rules and pattern file");
348 //void smack_accesses_free(struct smack_accesses *handle);
349 smack_accesses_free(rules);
350 smack_accesses_free(import_test);
352 //closing file descriptors
358 RUNNER_TEST(smack02_aplying_rules_into_kernel)
361 * author: Pawel Polawski
362 * test: smack_accesses_apply, smack_have_access, smack_revoke_subject, smack_accesses_clear, smack_accesses_new,
363 * smack_accesses_add, smack_accesses_free
364 * description: In this test case aplying rules to kernel will be tested. After that function for test
365 * accesses will be used.
366 * expect: In case of correct rules access should be granted.
369 //CAP_MAC_ADMIN needed for process to be able to change rules in kernel (apllying, removing)
371 struct smack_accesses * rules = NULL; //rules prepared in this test case
372 int result; //for storing functions results
374 result = smack_accesses_new(&rules); //rules struct init
375 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
377 //adding test rules to struct
378 result = smack_accesses_add(rules, "writer", "book", "rwx");
379 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
380 result = smack_accesses_add(rules, "reader", "book", "r");
381 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
382 result = smack_accesses_add(rules, "spy", "book", "rwx");
383 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
385 //int smack_accesses_apply(struct smack_accesses *handle);
386 result = smack_accesses_apply(rules); //applying rules to kernel
387 RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel");
389 //int smack_have_access(const char *subject, const char *object,
390 // const char *access_type);
391 result = smack_have_access("spy", "book", "rwx"); //should have access - rule exist
392 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
393 result = smack_have_access("reader", "book", "rwx"); //should have no access - wrong rule, should be "r" only
394 RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
395 result = smack_have_access("mars", "book", "rwx"); //should have no acces - rule not exist
396 RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
398 //int smack_revoke_subject(const char *subject);
399 result = smack_revoke_subject("snickers"); //this subject do not exist in kernel rules
400 RUNNER_ASSERT_MSG(result == 0, "Error in removing not existing subject from kernel");
401 result = smack_revoke_subject("spy"); //this subject exist in kernel rules
402 RUNNER_ASSERT_MSG(result == 0, "Error in removing existing subject from kernel");
404 result = smack_have_access("spy", "book", "rwx"); //testing access after revoke_subject() from kernel
405 RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); //now spy should have no access
406 result = smack_have_access("spy", "book", "-----"); //and should have "-----" rule
407 RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
409 result = smack_accesses_add(rules, "twix", "book", "rwx"); //for create new rule as a consequence of use accesses_clear() below
410 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
412 //int smack_accesses_clear(struct smack_accesses *handle);
413 result = smack_accesses_clear(rules); //"spy" removed before by using smack_revoke_subject()
414 RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel");
416 result = smack_have_access("writer", "book", "rwx"); //testing acces after acces_clear()
417 RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); //now writer also should have no access
418 result = smack_have_access("writer", "book", "-----"); //and should have "-----" rule
419 RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
420 result = smack_have_access("twix", "book", "-----"); //rule created by calling accesses_clear()
421 RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
424 smack_accesses_free(rules);
427 //pairs of rules for test with mixed cases, different length and mixed order
428 char * rules_tab[] = {
429 "reader1", "-", "-----",
430 "reader2", "--------", "-----",
431 "reader3", "RwXaT", "rwxat",
432 "reader4", "RrrXXXXTTT", "r-x-t",
433 "reader5", "-r-w-a-t", "rw-at",
434 "reader6", "", "-----",
435 "reader7", "xa--Rt---W", "rwxat",
436 "reader8", "#Ax[T].!~W@1}", "-wxat"
439 RUNNER_TEST(smack03_mixed_rule_string_add)
442 * author: Pawel Polawski
443 * test: smack_have_access, smack_accesses_new, smack_accesses_add, smack_accesses_apply, smack_accesses_free
444 * description: In thist test case rules based on mixed string are added to kernel.
445 * Strings are presented above and contains lower / upper case alpha, numbers and special signs.
446 * expect: Rules should be parsed correct and aplied to kernel.
449 //In thist test case mixed string are used as rules applied to kernel, next they are
450 //readed and compared with correct form of rules
452 struct smack_accesses * rules = NULL; //rules prepared in this test case
453 int result; //for storing functions results
456 result = smack_accesses_new(&rules); //rules struct init
457 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
459 //adding test rules with mixed string
460 for(i = 0; i < (3 * 8) ; i += 3) {
461 result = smack_accesses_add(rules, rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
462 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
466 //FIXME: Using clear() here can cover error in accesses_apply() function
467 //result = smack_accesses_clear(rules);
468 //RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel");
470 //applying rules to kernel
471 result = smack_accesses_apply(rules);
472 RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel");
474 //checking accesses using normal rules
475 for(i = 0; i < (3 * 8) ; i += 3) {
476 result = smack_have_access(rules_tab[i], "book", rules_tab[i + 2]); //using normal rules from table
477 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
481 smack_accesses_free(rules);
485 RUNNER_TEST(smack04_mixed_rule_string_have_access)
488 * author: Pawel Polawski
489 * test: smack_have_access
490 * description: In this test case we testing aplied before SMACK rules and comparing them using mixed strings.
491 * expect: Subjects should have accesses to the objects.
494 //In this test case we checking previous aplied rules but for compare mixed strings are used
499 //rules were added in previous RUNNER_TEST section
500 //checking accesses using mixed rules
501 for(i = 0; i < (3 * 8) ; i += 3) {
502 result = smack_have_access(rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
503 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
507 //RUNNER_TEST(smackXX_accesses_add_modify)
510 // - what if we want to apply rule that is already in kernel?
511 // - tests for smack_accesses_add_modify() + smack_have_access() (check if add_modify sets the proper rule)
512 // - smack_accesses_add_modify("subject", "object", "rwx", "rwx") should create empty rule
515 RUNNER_TEST(smack05_self_label)
518 * author: Pawel Polawski
519 * test: smack_set_label_for_self, smack_new_label_from_self
520 * description: In this test case process test it own default label. Next label is changed
521 * and tested one more time if change was successfull.
522 * expect: Proces should have default "-" label and can change it to the oter one.
525 //In this test case process will manipulate it own label
531 const int B_SIZE = 8;
534 char * def_rule = "_";
536 //int smack_new_label_from_self(char **label);
537 result = smack_new_label_from_self(&label);
538 RUNNER_ASSERT_MSG(result == 0, "Error in getting self label");
540 //comparing this label with default one "_"
541 result = strcmp(label, def_rule);
542 RUNNER_ASSERT_MSG(result == 0, "Wrong default process label");
544 //comparing this rule with received from /proc/self/attr/current
545 fd = open("/proc/self/attr/current", O_RDONLY, 0644);
546 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /proc/self/attr/current");
547 result = read(fd, buff, B_SIZE);
548 RUNNER_ASSERT_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
549 result = strncmp(buff, def_rule, result);
550 RUNNER_ASSERT_MSG(result == 0, "Wrong default process rule");
554 //now time for setting labels:
556 //int smack_set_label_for_self(const char *label);
557 result = smack_set_label_for_self("cola");
558 RUNNER_ASSERT_MSG(result == 0, "Error in setting self label");
560 //checking new label using smack function
561 result = smack_new_label_from_self(&label);
562 RUNNER_ASSERT_MSG(result == 0, "Error in getting self label");
563 result = strcmp(label, "cola");
564 RUNNER_ASSERT_MSG(result == 0, "Wrong process label");
566 //checking new label using /proc/self/attr/current
567 result = lseek(fd, 0, SEEK_SET); //going to the file beginning
568 RUNNER_ASSERT_MSG(result == 0, "lseek() error");
569 result = read(fd, buff, B_SIZE);
570 RUNNER_ASSERT_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
571 result = strncmp(buff, "cola", result);
572 RUNNER_ASSERT_MSG(result == 0, "Proces rule in /proc/self/attr/current other than set");
578 //RUNNER_TEST(smackXX_parent_child_label)
580 //In this test case parent process and child labels will be tested
581 //Parent will fork and check child's label. First fork will be with default "_" parent label,
582 //second one witch changed label.
585 //bellow function is from libsmack.c witch changed name
586 char * xattr(enum smack_label_type type)
589 case SMACK_LABEL_ACCESS:
590 return "security.SMACK64";
591 case SMACK_LABEL_EXEC:
592 return "security.SMACK64EXEC";
593 case SMACK_LABEL_MMAP:
594 return "security.SMACK64MMAP";
595 case SMACK_LABEL_TRANSMUTE:
596 return "security.SMACK64TRANSMUTE";
597 case SMACK_LABEL_IPIN:
598 return "security.SMACK64IPIN";
599 case SMACK_LABEL_IPOUT:
600 return "security.SMACK64IPOUT";
602 /* Should not reach this point */
607 //TODO: In bellow RUNNER_TEST add lget / lset functions to be testet the same way as normal get / set
608 RUNNER_TEST(smack06_get_set_label)
611 * author: Pawel Polawski
612 * test: smack_getlabel, smack_setlabel
613 * description: In this test case file label is tested using SMACK API functions and system xattr functions.
614 * Functions tested here is used for normal files.
615 * expect: Function should return default label, and the new one after change it.
618 //In this test case will be tested setting and getting file label
619 //If file is symbolic link functions should follow it
621 //SMACK xattr from libsmack.c:
623 //case SMACK_LABEL_ACCESS:
624 // return "security.SMACK64";
625 //case SMACK_LABEL_EXEC:
626 // return "security.SMACK64EXEC";
627 //case SMACK_LABEL_MMAP:
628 // return "security.SMACK64MMAP";
629 //case SMACK_LABEL_TRANSMUTE:
630 // return "security.SMACK64TRANSMUTE";
631 //case SMACK_LABEL_IPIN:
632 // return "security.SMACK64IPIN";
633 //case SMACK_LABEL_IPOUT:
634 // return "security.SMACK64IPOUT";
639 const int B_SIZE = 8;
642 char * file_path = "/etc/smack/test_smack_rules";
645 //preparing environment by restoring default "_" label
646 result = smack_setlabel(file_path, "_", SMACK_LABEL_ACCESS);
647 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
650 //int smack_getlabel(const char *path, char** label,
651 // enum smack_label_type type);
652 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
653 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
654 //get label, should be default "_"
655 result = strcmp(label, "_");
656 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
658 //get label using xattr function
659 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
660 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
661 //check label, should match the one readed by smack function
662 result = strncmp(buff, "_", result);
663 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
666 //int smack_setlabel(const char *path, const char* label,
667 // enum smack_label_type type);
668 result = smack_setlabel(file_path, "fanta", SMACK_LABEL_ACCESS);
669 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
672 //get label using smack function
673 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
674 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
675 //get label, should be default "fanta"
676 result = strcmp(label, "fanta");
677 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
679 //get label using xattr function
680 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
681 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
682 //check label, should match the one readed by smack function
683 result = strncmp(buff, "fanta", result);
684 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
687 //RUNNER_TEST(smackXX_get_label_exec)
689 //In this test case EXEC label will be tested
690 //by setting this type of label, reading it and testing executed binary exit status
693 RUNNER_TEST(smack07_l_get_set_label)
696 * author: Pawel Polawski
697 * test: smack_lgetlabel, smack_lsetlabel, smack_getlabel
698 * description: Functions tested here are similar to one from previous test case. The difference
699 * is that in case of symbolic link they follows it and operates on file pointed by it.
700 * expect: All label manipulations should affect file pointed by symbolic link.
706 const int B_SIZE = 8;
709 char * file_path = "/etc/smack/test_smack_rules_lnk";
712 //preparing environment by restoring default "_" label
713 result = smack_lsetlabel(file_path, "_", SMACK_LABEL_ACCESS);
714 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
715 result = smack_setlabel(file_path, "_", SMACK_LABEL_ACCESS);
716 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
719 //int smack_lgetlabel(const char *path, char** label,
720 // enum smack_label_type type);
721 result = smack_lgetlabel(file_path, &label, SMACK_LABEL_ACCESS);
722 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
723 //get label of symbolic link, should be default "_"
724 result = strcmp(label, "_");
725 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
727 //get label using xattr function
728 result = lgetxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
729 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
730 //check label, should match the one readed by smack function
731 result = strncmp(buff, "_", result);
732 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
735 //int smack_lsetlabel(const char *path, const char* label,
736 // enum smack_label_type type);
737 result = smack_lsetlabel(file_path, "7up", SMACK_LABEL_ACCESS);
738 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
739 //and set label for file pointed by link
740 result = smack_setlabel(file_path, "mirinda", SMACK_LABEL_ACCESS);
741 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
744 //get label using smack function
745 result = smack_lgetlabel(file_path, &label, SMACK_LABEL_ACCESS);
746 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
747 //check label, should be "7up"
748 result = strcmp(label, "7up");
749 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
751 //get label using xattr function
752 result = lgetxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
753 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
754 //check label, should match the one readed by smack function
755 result = strncmp(buff, "7up", result);
756 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
759 //now similar to above, but folowing symbolic link set before to "mirinda"
760 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
761 RUNNER_ASSERT_MSG(result == 0, "Error gettin label of file pointed by symbolic link");
762 //now label should be "mirinda" for file instead of "7up" set for link
763 result = strcmp(label, "mirinda");
764 RUNNER_ASSERT_MSG(result == 0, "Wrong label of file pointed by symbolic link");
766 //get label using xattr function
767 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
768 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
769 //check label, should match the one readed by smack function
770 result = strncmp(buff, "mirinda", result);
771 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
774 RUNNER_TEST(smack08_f_get_set_label)
777 * author: Pawel Polawski
778 * test: smack_fgetlabel, smack_fsetlabel
779 * description: This test case is similar to test case smack06 above. The difference
780 * is that argument is file descriptor instead of file path.
781 * Function not follow symbolic link and operates directly on it.
782 * expect: All label manipulations should affect symbolic link itself.
788 const int B_SIZE = 8;
792 char * file_path = "/etc/smack/test_smack_rules";
794 fd = open(file_path, O_RDWR, 0644); //reference preinstalled rules
795 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules");
797 //preparing environment by restoring default "_" label
798 result = smack_fsetlabel(fd, "_", SMACK_LABEL_ACCESS);
799 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
802 //int smack_fgetlabel(int fd, char** label,
803 // enum smack_label_type type);
804 result = smack_fgetlabel(fd, &label, SMACK_LABEL_ACCESS);
805 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
806 //check label, should be "_"
807 result = strcmp(label, "_");
808 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
810 //get label using xattr function
811 result = fgetxattr(fd, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
812 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
813 //check label, should match the one readed by smack function
814 result = strncmp(buff, "_", result);
815 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
818 //int smack_fsetlabel(int fd, const char* label,
819 // enum smack_label_type type);
820 result = smack_fsetlabel(fd, "sprite", SMACK_LABEL_ACCESS);
821 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
824 //get label using smack function
825 result = smack_fgetlabel(fd, &label, SMACK_LABEL_ACCESS);
826 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
827 //check label, should be "sprite"
828 result = strcmp(label, "sprite");
829 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
831 //get label using xattr function
832 result = fgetxattr(fd, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
833 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
834 //check label, should match the one readed by smack function
835 result = strncmp(buff, "sprite", result);
836 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
842 //int smack_new_label_from_socket(int fd, char **label);