2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Pawel Polawski (p.polawski@samsung.com)
20 * @author Jan Olszak (j.olszak@samsung.com)
22 * @brief libprivilege test runer
28 #include <dpl/test/test_runner.h>
29 #include <dpl/log/log.h>
30 #include <sys/types.h>
33 #include <sys/smack.h>
34 #include <sys/xattr.h>
36 #define TEST_SUBJECT "test_subject"
37 #define TEST_OBJECT "test_oject"
38 #define TEST_OBJECT_2 "test_oject_2"
40 std::vector<std::string> accessesBasic = { "r", "w", "x", "wx", "rx", "rw", "rwx", "rwxat" };
42 int files_compare(int fd1, int fd2)
46 //for getting files sizes
50 void * h1 = MAP_FAILED;
51 void * h2 = MAP_FAILED;
53 //getting files information
54 if(fstat(fd1, &fs1) == -1) {
58 if(fstat(fd2, &fs2) == -1) {
63 if(fs1.st_size != fs2.st_size) //if files are identical size will be the same
66 //mapping files to process memory
67 if((h1 = mmap(0, fs1.st_size, PROT_READ, MAP_SHARED, fd1, 0 )) == MAP_FAILED) {
71 if((h2 = mmap(0, fs2.st_size, PROT_READ, MAP_SHARED, fd2, 0 )) == MAP_FAILED) {
76 result = memcmp(h1, h2, fs1.st_size);
78 //cleaning after mmap()
81 munmap(h2, fs2.st_size);
83 munmap(h1, fs1.st_size);
89 RUNNER_TEST_GROUP_INIT(libsmack)
91 * Helper method to reset privileges at the begginning of tests.
94 struct smack_accesses * rules = NULL;
95 int result = smack_accesses_new(&rules);
96 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
99 smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","rwxat");
100 smack_accesses_apply(rules);
101 smack_accesses_free(rules);
104 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") != 1, "Rule has previous privileges after cleaning up!");
105 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"w") != 1, "Rule has previous privileges after cleaning up!");
106 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"x") != 1, "Rule has previous privileges after cleaning up!");
107 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"a") != 1, "Rule has previous privileges after cleaning up!");
108 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"t") != 1, "Rule has previous privileges after cleaning up!");
112 * Checking if subject has any access to object
114 bool checkNoAccesses(const char *subject, const char *object){
116 result = smack_have_access(subject, object,"r");
120 result = smack_have_access(subject, object,"w");
124 result = smack_have_access(subject, object,"x");
128 result = smack_have_access(subject, object,"a");
132 result = smack_have_access(subject, object,"t");
139 int removeAccessesAll()
141 struct smack_accesses * rules = NULL;
142 int result = smack_accesses_new(&rules);
143 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
145 result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_01", "", "rxwat");
146 result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_02", "", "rxwat");
147 result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_03", "", "rxwat");
148 result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_01", "", "rxwat");
149 result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_02", "", "rxwat");
150 result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_03", "", "rxwat");
151 result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_01", "", "rxwat");
152 result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_02", "", "rxwat");
153 result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_03", "", "rxwat");
155 smack_accesses_apply(rules);
156 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
157 smack_accesses_free(rules);
162 * Add a new access with smack_accesses_add_modify()
164 RUNNER_TEST(smack_accesses_add_modify_test_1){
169 struct smack_accesses * rules = NULL;
170 result = smack_accesses_new(&rules);
173 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"xr","");
174 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify by empty rules");
175 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
177 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"xr");
178 RUNNER_ASSERT_MSG(result == 1, "Rule modified (added 'xr'), but no change made.");
182 smack_accesses_free(rules);
187 * Test if rules are applied in the right order, and modification works.
189 RUNNER_TEST(smack_accesses_add_modify_test_2){
191 struct smack_accesses * rules = NULL;
192 result = smack_accesses_new(&rules);
193 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
198 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"r","");
199 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
201 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
202 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
204 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
205 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 0, "Modification didn't work");
209 smack_accesses_free(rules);
214 * Test if rules are applied in the right order, and modification works.
215 * Using different smack_accesses list to add and delete.
217 RUNNER_TEST(smack_accesses_add_modify_test_3){
219 struct smack_accesses * rules = NULL;
220 result = smack_accesses_new(&rules);
221 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
227 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"r","");
228 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
229 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
230 RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 1, "Adding privileges didn't work");
231 smack_accesses_free(rules);
233 // Revoke r privilege
234 result = smack_accesses_new(&rules);
235 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
236 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
237 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
238 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
240 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
241 RUNNER_ASSERT_MSG(result == 0, "Modification didn't work, rule has still 'r' privileges.");
245 smack_accesses_free(rules);
249 * Add a list of privileges and then revoke just ONE of them.
251 RUNNER_TEST(smack_accesses_add_modify_test_4){
253 struct smack_accesses * rules = NULL;
254 result = smack_accesses_new(&rules);
255 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
260 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwxat","");
261 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
262 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
264 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
265 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
266 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
268 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
269 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
270 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
271 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
275 smack_accesses_free(rules);
279 * Add a list of privileges and then revoke just ONE of them.
280 * Without applying privileges in between those actions.
282 RUNNER_TEST(smack_accesses_add_modify_test_5){
284 struct smack_accesses * rules = NULL;
285 result = smack_accesses_new(&rules);
286 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
291 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwxat","");
292 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
294 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","r");
295 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
296 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
298 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt");
299 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges.");
300 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
301 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
305 smack_accesses_free(rules);
310 * Add a list of privileges and then revoke just TWO of them.
312 RUNNER_TEST(smack_accesses_add_modify_test_6){
314 struct smack_accesses * rules = NULL;
315 result = smack_accesses_new(&rules);
316 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
321 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"rwt","");
322 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
323 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
325 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"ax","rt");
326 RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule.");
327 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
329 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"wax");
330 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'wax' privileges.");
331 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r");
332 RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege.");
336 smack_accesses_free(rules);
340 * Run smack_accesses_add_modify with the same accesses_add and accesses_del.
342 RUNNER_TEST(smack_accesses_add_modify_test_7){
346 struct smack_accesses * rules = NULL;
348 for(i = 0; i<accessesBasic.size(); ++i){
349 result = smack_accesses_new(&rules);
350 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
352 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str(),accessesBasic[i].c_str());
353 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
354 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
356 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
357 " Error while checking smack access. Accesses exist.");
361 smack_accesses_free(rules);
366 * Revoke subject with previously added rules and revoke it again.
368 RUNNER_TEST(smack_revoke_subject_test_1){
372 struct smack_accesses * rules = NULL;
374 for(i = 0; i<accessesBasic.size(); ++i){
376 // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
377 result = smack_accesses_new(&rules);
378 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
379 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str(),"");
380 result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str(),"");
381 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
382 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
383 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
384 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
385 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
386 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
389 result = smack_revoke_subject(TEST_SUBJECT);
390 RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work.");
392 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
393 " Revoke didn't work. Accesses exist.");
394 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
395 " Revoke didn't work. Accesses exist.");
398 // Revoking subject again
399 result = smack_revoke_subject(TEST_SUBJECT);
400 RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work.");
402 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
403 " Revoke didn't work. Accesses exist.");
404 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
405 " Revoke didn't work. Accesses exist.");
407 smack_accesses_free(rules);
414 RUNNER_TEST(smack_accesses_clear_test_1){
418 struct smack_accesses * rules = NULL;
420 for(i = 0; i<accessesBasic.size(); ++i){
422 // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
423 result = smack_accesses_new(&rules);
424 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
425 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
426 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
427 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
428 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
429 RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
431 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
432 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
433 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
434 RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
436 smack_accesses_free(rules);
438 // Creating and clearing rules with TEST_OBJECT
439 result = smack_accesses_new(&rules);
440 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
441 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
442 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
443 result = smack_accesses_clear(rules);
444 RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work.");
446 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
447 RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work. Rule " << accessesBasic[i].c_str() << " does exist.");
448 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
449 RUNNER_ASSERT_MSG(result == 1, "Clearing rules didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
451 smack_accesses_free(rules);
453 // Creating and clearing rules with TEST_OBJECT_2
454 result = smack_accesses_new(&rules);
455 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
457 result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
458 RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
459 result = smack_accesses_clear(rules);
460 RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work.");
462 smack_accesses_free(rules);
464 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
465 " Clear didn't work. Accesses exist.");
466 RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
467 " Clear didn't work. Accesses exist.");
471 RUNNER_TEST(smack01_storing_and_restoring_rules)
474 * author: Pawel Polawski
475 * test: smack_accesses_new, smack_accesses_add, smack_accesses_add_modify, smack_accesses_add_from_file,
476 * smack_accesses_free, smack_accesses_save
477 * description: This test case will create structure holding SMACK rules and add new one to it. Next rules will be
478 * stored and restored from file.
479 * expect: Rules created and stored in file should be identical to predefined template.
482 struct smack_accesses * rules = NULL; //rules prepared in this test case
483 struct smack_accesses * import_test = NULL; //rules imported from file
485 int result; //result of each operation to be tested by RUNNER_ASSERT
486 int fd, tmp, sample; //file descripptors for save / restore rules tests
488 //int smack_accesses_new(struct smack_accesses **accesses);
489 result = smack_accesses_new(&rules); //rules struct init
490 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
491 result = smack_accesses_new(&import_test); //rules struct init
492 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
495 fd = open("/tmp/smack01_rules", O_RDWR | O_CREAT | O_TRUNC, 0644); //for export prepared rules
496 RUNNER_ASSERT_MSG(fd >= 0, "Unable to create /tmp/smack01_rules");
497 tmp = open("/tmp/smack01_tmp", O_RDWR | O_CREAT | O_TRUNC, 0644); //for import rules exported before
498 RUNNER_ASSERT_MSG(fd >= 0, "Unable to create /tmp/smack01_tmp");
499 sample = open("/etc/smack/test_smack_rules", O_RDONLY, 0644); //reference preinstalled rules
500 RUNNER_ASSERT_MSG(sample >= 0, "Unable to open /etc/smack/test_smack_rules");
502 //int smack_accesses_add(struct smack_accesses *handle, const char *subject,
503 // const char *object, const char *access_type);
504 result = smack_accesses_add(rules, "writer", "book", "rw");
505 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
506 result = smack_accesses_add(rules, "reader", "book", "wx");
507 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
509 //int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
510 // const char *object, const char *access_add, const char *access_del);
511 result = smack_accesses_add_modify(rules, "reader", "book", "r", "wx");
512 RUNNER_ASSERT_MSG(0 == result, "Unable to modify smack rules");
514 //int smack_accesses_save(struct smack_accesses *handle, int fd);
515 result = smack_accesses_save(rules, fd);
516 RUNNER_ASSERT_MSG(0 == result, "Unable to save smack_accesses instance in file");
518 //int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd);
519 result = lseek(fd, 0, SEEK_SET);
520 RUNNER_ASSERT_MSG(result == 0, "lseek() error");
521 result = smack_accesses_add_from_file(import_test, fd);
522 RUNNER_ASSERT_MSG(result == 0, "Unable to import rules from file");
524 result = smack_accesses_save(import_test, tmp);
525 RUNNER_ASSERT_MSG(result == 0, "Unable to save smack_accesses instance in file");
527 result = files_compare(fd, tmp); //comparing rules saved in file, restored from it and stored one more time
528 RUNNER_ASSERT_MSG(result == 0, "No match in stored and restored rules");
530 result = files_compare(tmp, sample); //comparing rules stored in file with reference preinstalled rules
531 RUNNER_ASSERT_MSG(result == 0, "No match in stored rules and pattern file");
533 //void smack_accesses_free(struct smack_accesses *handle);
534 smack_accesses_free(rules);
535 smack_accesses_free(import_test);
537 //closing file descriptors
543 RUNNER_TEST(smack02_aplying_rules_into_kernel)
546 * author: Pawel Polawski
547 * test: smack_accesses_apply, smack_have_access, smack_revoke_subject, smack_accesses_clear, smack_accesses_new,
548 * smack_accesses_add, smack_accesses_free
549 * description: In this test case aplying rules to kernel will be tested. After that function for test
550 * accesses will be used.
551 * expect: In case of correct rules access should be granted.
554 //CAP_MAC_ADMIN needed for process to be able to change rules in kernel (apllying, removing)
556 struct smack_accesses * rules = NULL; //rules prepared in this test case
557 int result; //for storing functions results
559 result = smack_accesses_new(&rules); //rules struct init
560 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
562 //adding test rules to struct
563 result = smack_accesses_add(rules, "writer", "book", "rwx");
564 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
565 result = smack_accesses_add(rules, "reader", "book", "r");
566 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
567 result = smack_accesses_add(rules, "spy", "book", "rwx");
568 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
570 //int smack_accesses_apply(struct smack_accesses *handle);
571 result = smack_accesses_apply(rules); //applying rules to kernel
572 RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel");
574 //int smack_have_access(const char *subject, const char *object,
575 // const char *access_type);
576 result = smack_have_access("spy", "book", "rwx"); //should have access - rule exist
577 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
578 result = smack_have_access("reader", "book", "rwx"); //should have no access - wrong rule, should be "r" only
579 RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
580 result = smack_have_access("mars", "book", "rwx"); //should have no acces - rule not exist
581 RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
583 //int smack_revoke_subject(const char *subject);
584 result = smack_revoke_subject("snickers"); //this subject do not exist in kernel rules
585 RUNNER_ASSERT_MSG(result == 0, "Error in removing not existing subject from kernel");
586 result = smack_revoke_subject("spy"); //this subject exist in kernel rules
587 RUNNER_ASSERT_MSG(result == 0, "Error in removing existing subject from kernel");
589 result = smack_have_access("spy", "book", "rwx"); //testing access after revoke_subject() from kernel
590 RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); //now spy should have no access
591 result = smack_have_access("spy", "book", "-----"); //and should have "-----" rule
592 RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
594 result = smack_accesses_add(rules, "twix", "book", "rwx"); //for create new rule as a consequence of use accesses_clear() below
595 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
597 //int smack_accesses_clear(struct smack_accesses *handle);
598 result = smack_accesses_clear(rules); //"spy" removed before by using smack_revoke_subject()
599 RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel");
601 result = smack_have_access("writer", "book", "rwx"); //testing acces after acces_clear()
602 RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); //now writer also should have no access
603 result = smack_have_access("writer", "book", "-----"); //and should have "-----" rule
604 RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
605 result = smack_have_access("twix", "book", "-----"); //rule created by calling accesses_clear()
606 RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
609 smack_accesses_free(rules);
612 //pairs of rules for test with mixed cases, different length and mixed order
613 char * rules_tab[] = {
614 "reader1", "-", "-----",
615 "reader2", "--------", "-----",
616 "reader3", "RwXaT", "rwxat",
617 "reader4", "RrrXXXXTTT", "r-x-t",
618 "reader5", "-r-w-a-t", "rw-at",
619 "reader6", "", "-----",
620 "reader7", "xa--Rt---W", "rwxat",
621 "reader8", "#Ax[T].!~W@1}", "-wxat"
624 RUNNER_TEST(smack03_mixed_rule_string_add)
627 * author: Pawel Polawski
628 * test: smack_have_access, smack_accesses_new, smack_accesses_add, smack_accesses_apply, smack_accesses_free
629 * description: In thist test case rules based on mixed string are added to kernel.
630 * Strings are presented above and contains lower / upper case alpha, numbers and special signs.
631 * expect: Rules should be parsed correct and aplied to kernel.
634 //In thist test case mixed string are used as rules applied to kernel, next they are
635 //readed and compared with correct form of rules
637 struct smack_accesses * rules = NULL; //rules prepared in this test case
638 int result; //for storing functions results
641 result = smack_accesses_new(&rules); //rules struct init
642 RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
644 //adding test rules with mixed string
645 for(i = 0; i < (3 * 8) ; i += 3) {
646 result = smack_accesses_add(rules, rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
647 RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
651 //FIXME: Using clear() here can cover error in accesses_apply() function
652 //result = smack_accesses_clear(rules);
653 //RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel");
655 //applying rules to kernel
656 result = smack_accesses_apply(rules);
657 RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel");
659 //checking accesses using normal rules
660 for(i = 0; i < (3 * 8) ; i += 3) {
661 result = smack_have_access(rules_tab[i], "book", rules_tab[i + 2]); //using normal rules from table
662 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
666 smack_accesses_free(rules);
670 RUNNER_TEST(smack04_mixed_rule_string_have_access)
673 * author: Pawel Polawski
674 * test: smack_have_access
675 * description: In this test case we testing aplied before SMACK rules and comparing them using mixed strings.
676 * expect: Subjects should have accesses to the objects.
679 //In this test case we checking previous aplied rules but for compare mixed strings are used
684 //rules were added in previous RUNNER_TEST section
685 //checking accesses using mixed rules
686 for(i = 0; i < (3 * 8) ; i += 3) {
687 result = smack_have_access(rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
688 RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
692 //RUNNER_TEST(smackXX_accesses_add_modify)
695 // - what if we want to apply rule that is already in kernel?
696 // - tests for smack_accesses_add_modify() + smack_have_access() (check if add_modify sets the proper rule)
697 // - smack_accesses_add_modify("subject", "object", "rwx", "rwx") should create empty rule
700 RUNNER_TEST(smack05_self_label)
703 * author: Pawel Polawski
704 * test: smack_set_label_for_self, smack_new_label_from_self
705 * description: In this test case process test it own default label. Next label is changed
706 * and tested one more time if change was successfull.
707 * expect: Proces should have default "-" label and can change it to the oter one.
710 //In this test case process will manipulate it own label
716 const int B_SIZE = 8;
719 char * def_rule = "_";
721 //int smack_new_label_from_self(char **label);
722 result = smack_new_label_from_self(&label);
723 RUNNER_ASSERT_MSG(result == 0, "Error in getting self label");
725 //comparing this label with default one "_"
726 result = strcmp(label, def_rule);
727 RUNNER_ASSERT_MSG(result == 0, "Wrong default process label");
729 //comparing this rule with received from /proc/self/attr/current
730 fd = open("/proc/self/attr/current", O_RDONLY, 0644);
731 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /proc/self/attr/current");
732 result = read(fd, buff, B_SIZE);
733 RUNNER_ASSERT_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
734 result = strncmp(buff, def_rule, result);
735 RUNNER_ASSERT_MSG(result == 0, "Wrong default process rule");
739 //now time for setting labels:
741 //int smack_set_label_for_self(const char *label);
742 result = smack_set_label_for_self("cola");
743 RUNNER_ASSERT_MSG(result == 0, "Error in setting self label");
745 //checking new label using smack function
746 result = smack_new_label_from_self(&label);
747 RUNNER_ASSERT_MSG(result == 0, "Error in getting self label");
748 result = strcmp(label, "cola");
749 RUNNER_ASSERT_MSG(result == 0, "Wrong process label");
751 //checking new label using /proc/self/attr/current
752 result = lseek(fd, 0, SEEK_SET); //going to the file beginning
753 RUNNER_ASSERT_MSG(result == 0, "lseek() error");
754 result = read(fd, buff, B_SIZE);
755 RUNNER_ASSERT_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
756 result = strncmp(buff, "cola", result);
757 RUNNER_ASSERT_MSG(result == 0, "Proces rule in /proc/self/attr/current other than set");
763 //RUNNER_TEST(smackXX_parent_child_label)
765 //In this test case parent process and child labels will be tested
766 //Parent will fork and check child's label. First fork will be with default "_" parent label,
767 //second one witch changed label.
770 //bellow function is from libsmack.c witch changed name
771 char * xattr(enum smack_label_type type)
774 case SMACK_LABEL_ACCESS:
775 return "security.SMACK64";
776 case SMACK_LABEL_EXEC:
777 return "security.SMACK64EXEC";
778 case SMACK_LABEL_MMAP:
779 return "security.SMACK64MMAP";
780 case SMACK_LABEL_TRANSMUTE:
781 return "security.SMACK64TRANSMUTE";
782 case SMACK_LABEL_IPIN:
783 return "security.SMACK64IPIN";
784 case SMACK_LABEL_IPOUT:
785 return "security.SMACK64IPOUT";
787 /* Should not reach this point */
792 //TODO: In bellow RUNNER_TEST add lget / lset functions to be testet the same way as normal get / set
793 RUNNER_TEST(smack06_get_set_label)
796 * author: Pawel Polawski
797 * test: smack_getlabel, smack_setlabel
798 * description: In this test case file label is tested using SMACK API functions and system xattr functions.
799 * Functions tested here is used for normal files.
800 * expect: Function should return default label, and the new one after change it.
803 //In this test case will be tested setting and getting file label
804 //If file is symbolic link functions should follow it
806 //SMACK xattr from libsmack.c:
808 //case SMACK_LABEL_ACCESS:
809 // return "security.SMACK64";
810 //case SMACK_LABEL_EXEC:
811 // return "security.SMACK64EXEC";
812 //case SMACK_LABEL_MMAP:
813 // return "security.SMACK64MMAP";
814 //case SMACK_LABEL_TRANSMUTE:
815 // return "security.SMACK64TRANSMUTE";
816 //case SMACK_LABEL_IPIN:
817 // return "security.SMACK64IPIN";
818 //case SMACK_LABEL_IPOUT:
819 // return "security.SMACK64IPOUT";
824 const int B_SIZE = 8;
827 char * file_path = "/etc/smack/test_smack_rules";
830 //preparing environment by restoring default "_" label
831 result = smack_setlabel(file_path, "_", SMACK_LABEL_ACCESS);
832 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
835 //int smack_getlabel(const char *path, char** label,
836 // enum smack_label_type type);
837 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
838 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
839 //get label, should be default "_"
840 result = strcmp(label, "_");
841 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
843 //get label using xattr function
844 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
845 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
846 //check label, should match the one readed by smack function
847 result = strncmp(buff, "_", result);
848 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
851 //int smack_setlabel(const char *path, const char* label,
852 // enum smack_label_type type);
853 result = smack_setlabel(file_path, "fanta", SMACK_LABEL_ACCESS);
854 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
857 //get label using smack function
858 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
859 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
860 //get label, should be default "fanta"
861 result = strcmp(label, "fanta");
862 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
864 //get label using xattr function
865 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
866 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
867 //check label, should match the one readed by smack function
868 result = strncmp(buff, "fanta", result);
869 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
872 //RUNNER_TEST(smackXX_get_label_exec)
874 //In this test case EXEC label will be tested
875 //by setting this type of label, reading it and testing executed binary exit status
878 RUNNER_TEST(smack07_l_get_set_label)
881 * author: Pawel Polawski
882 * test: smack_lgetlabel, smack_lsetlabel, smack_getlabel
883 * description: Functions tested here are similar to one from previous test case. The difference
884 * is that in case of symbolic link they follows it and operates on file pointed by it.
885 * expect: All label manipulations should affect file pointed by symbolic link.
891 const int B_SIZE = 8;
894 char * file_path = "/etc/smack/test_smack_rules_lnk";
897 //preparing environment by restoring default "_" label
898 result = smack_lsetlabel(file_path, "_", SMACK_LABEL_ACCESS);
899 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
900 result = smack_setlabel(file_path, "_", SMACK_LABEL_ACCESS);
901 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
904 //int smack_lgetlabel(const char *path, char** label,
905 // enum smack_label_type type);
906 result = smack_lgetlabel(file_path, &label, SMACK_LABEL_ACCESS);
907 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
908 //get label of symbolic link, should be default "_"
909 result = strcmp(label, "_");
910 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
912 //get label using xattr function
913 result = lgetxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
914 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
915 //check label, should match the one readed by smack function
916 result = strncmp(buff, "_", result);
917 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
920 //int smack_lsetlabel(const char *path, const char* label,
921 // enum smack_label_type type);
922 result = smack_lsetlabel(file_path, "7up", SMACK_LABEL_ACCESS);
923 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
924 //and set label for file pointed by link
925 result = smack_setlabel(file_path, "mirinda", SMACK_LABEL_ACCESS);
926 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
929 //get label using smack function
930 result = smack_lgetlabel(file_path, &label, SMACK_LABEL_ACCESS);
931 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
932 //check label, should be "7up"
933 result = strcmp(label, "7up");
934 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
936 //get label using xattr function
937 result = lgetxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
938 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
939 //check label, should match the one readed by smack function
940 result = strncmp(buff, "7up", result);
941 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
944 //now similar to above, but folowing symbolic link set before to "mirinda"
945 result = smack_getlabel(file_path, &label, SMACK_LABEL_ACCESS);
946 RUNNER_ASSERT_MSG(result == 0, "Error gettin label of file pointed by symbolic link");
947 //now label should be "mirinda" for file instead of "7up" set for link
948 result = strcmp(label, "mirinda");
949 RUNNER_ASSERT_MSG(result == 0, "Wrong label of file pointed by symbolic link");
951 //get label using xattr function
952 result = getxattr(file_path, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
953 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
954 //check label, should match the one readed by smack function
955 result = strncmp(buff, "mirinda", result);
956 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
959 RUNNER_TEST(smack08_f_get_set_label)
962 * author: Pawel Polawski
963 * test: smack_fgetlabel, smack_fsetlabel
964 * description: This test case is similar to test case smack06 above. The difference
965 * is that argument is file descriptor instead of file path.
966 * Function not follow symbolic link and operates directly on it.
967 * expect: All label manipulations should affect symbolic link itself.
973 const int B_SIZE = 8;
977 char * file_path = "/etc/smack/test_smack_rules";
979 fd = open(file_path, O_RDWR, 0644); //reference preinstalled rules
980 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules");
982 //preparing environment by restoring default "_" label
983 result = smack_fsetlabel(fd, "_", SMACK_LABEL_ACCESS);
984 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
987 //int smack_fgetlabel(int fd, char** label,
988 // enum smack_label_type type);
989 result = smack_fgetlabel(fd, &label, SMACK_LABEL_ACCESS);
990 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
991 //check label, should be "_"
992 result = strcmp(label, "_");
993 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
995 //get label using xattr function
996 result = fgetxattr(fd, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
997 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
998 //check label, should match the one readed by smack function
999 result = strncmp(buff, "_", result);
1000 RUNNER_ASSERT_MSG(result == 0, "Wrong file default label");
1003 //int smack_fsetlabel(int fd, const char* label,
1004 // enum smack_label_type type);
1005 result = smack_fsetlabel(fd, "sprite", SMACK_LABEL_ACCESS);
1006 RUNNER_ASSERT_MSG(result == 0, "Error in setting ACCESS label for file");
1009 //get label using smack function
1010 result = smack_fgetlabel(fd, &label, SMACK_LABEL_ACCESS);
1011 RUNNER_ASSERT_MSG(result == 0, "Error in getting smack ACCESS label from file");
1012 //check label, should be "sprite"
1013 result = strcmp(label, "sprite");
1014 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
1016 //get label using xattr function
1017 result = fgetxattr(fd, xattr(SMACK_LABEL_ACCESS), buff, B_SIZE);
1018 RUNNER_ASSERT_MSG(result > 0, "Error in getting xattr from file");
1019 //check label, should match the one readed by smack function
1020 result = strncmp(buff, "sprite", result);
1021 RUNNER_ASSERT_MSG(result == 0, "Wrong file label");
1027 RUNNER_TEST(smack10_adding_removing_rules)
1032 struct smack_accesses * rulesBasic = NULL;
1034 for(i = 0; i<accessesBasic.size(); ++i)
1037 result = smack_accesses_new(&rulesBasic);
1038 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1041 result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1042 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1045 result = smack_accesses_apply(rulesBasic);
1046 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1048 // Checking if accesses were created
1049 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1050 RUNNER_ASSERT_MSG(result == 1,
1051 " Error while checking smack access. Result: " << result);
1053 smack_accesses_free(rulesBasic);
1056 // Deleting all rules
1060 for(i = 0; i<3; ++i)
1062 // --- Creating rules (r or w or x)
1063 result = smack_accesses_new(&rulesBasic);
1064 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1067 result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1068 RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
1071 result = smack_accesses_apply(rulesBasic);
1072 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1073 // Checking if accesses were created
1074 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1075 RUNNER_ASSERT_MSG(result == 1,
1076 " Error while checking smack access. Result: " << result);
1078 // Checking if wrong accesses were not created
1079 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i+3].c_str());
1080 RUNNER_ASSERT_MSG(result == 0,
1081 " Error while checking smack access. Result: " << result);
1083 // --- Modifying accesses (r for wx or w for rx or x for rw)
1084 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i+3].c_str(),accessesBasic[i].c_str());
1085 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1088 result = smack_accesses_apply(rulesBasic);
1089 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1091 // Checking if accesses were created
1092 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i+3].c_str());
1093 RUNNER_ASSERT_MSG(result == 1,
1094 " Error while checking smack access. Result: " << result);
1096 // Checking if wrong accesses were not created
1097 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1098 RUNNER_ASSERT_MSG(result == 0,
1099 " Error while checking smack access. Result: " << result);
1101 smack_accesses_free(rulesBasic);
1104 // --- Creating complementary rules (r or w or x)
1105 result = smack_accesses_new(&rulesBasic);
1106 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1109 result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1110 RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
1112 // Checking if accesses were created
1113 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i+3].c_str());
1114 RUNNER_ASSERT_MSG(result == 1,
1115 " Error while checking smack access. Result: " << result);
1118 result = smack_accesses_apply(rulesBasic);
1119 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1121 // Checking if accesses were created
1122 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1123 RUNNER_ASSERT_MSG(result == 1,
1124 " Error while checking smack access. Result: " << result);
1126 // --- Modifying accesses (adding rwx and removing r or w or x)
1127 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,"rwx",accessesBasic[i].c_str());
1128 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1131 result = smack_accesses_apply(rulesBasic);
1132 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1134 // Checking if accesses were created
1135 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i+3].c_str());
1136 RUNNER_ASSERT_MSG(result == 1,
1137 " Error while checking smack access. Result: " << result);
1139 // Checking if wrong accesses were not created
1140 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
1141 RUNNER_ASSERT_MSG(result == 0,
1142 " Error while checking smack access. Result: " << result);
1144 // --- Adding crossing accesses (rx or rw or wx)
1145 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,accessesBasic[3+((i+1)%3)].c_str(),"");
1146 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1149 result = smack_accesses_apply(rulesBasic);
1150 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1152 // Checking if accesses were created
1153 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[3+((i+1)%3)].c_str());
1154 RUNNER_ASSERT_MSG(result == 1,
1155 " Error while checking smack access. Result: " << result);
1157 result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx");
1158 RUNNER_ASSERT_MSG(result == 1,
1159 " Error while checking smack access. Result: " << result);
1161 // Deleting all rules
1162 result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,"","rwx");
1163 RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
1165 result = smack_accesses_apply(rulesBasic);
1166 RUNNER_ASSERT_MSG(result == 0, "Error while checking smack access. Result: " << result);
1168 smack_accesses_free(rulesBasic);
1171 // Deleting all rules
1176 RUNNER_TEST(smack11_saving_loading_rules)
1181 struct smack_accesses * rulesBasic = NULL;
1184 removeAccessesAll();
1187 result = smack_accesses_new(&rulesBasic);
1188 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1190 // Loading file with rwxat rules - test_smack_rules_full
1191 fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
1192 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules_full");
1194 // Adding rules from file
1195 result = smack_accesses_add_from_file(rulesBasic, fd);
1197 RUNNER_ASSERT_MSG(result == 0, "Error importing accesses from file");
1200 result = smack_accesses_apply(rulesBasic);
1201 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1204 result = smack_have_access("test_subject_01", "test_object_01", "rwxat");
1205 RUNNER_ASSERT_MSG(result == 1,
1206 " Error while checking smack accesses.");
1207 result = smack_have_access("test_subject_01", "test_object_02", "rwxat");
1208 RUNNER_ASSERT_MSG(result == 1,
1209 " Error while checking smack accesses.");
1210 result = smack_have_access("test_subject_01", "test_object_03", "rwxat");
1211 RUNNER_ASSERT_MSG(result == 1,
1212 " Error while checking smack accesses.");
1213 result = smack_have_access("test_subject_02", "test_object_01", "rwxat");
1214 RUNNER_ASSERT_MSG(result == 1,
1215 " Error while checking smack accesses.");
1216 result = smack_have_access("test_subject_02", "test_object_02", "rwxat");
1217 RUNNER_ASSERT_MSG(result == 1,
1218 " Error while checking smack accesses.");
1219 result = smack_have_access("test_subject_02", "test_object_03", "rwxat");
1220 RUNNER_ASSERT_MSG(result == 1,
1221 " Error while checking smack accesses.");
1222 result = smack_have_access("test_subject_03", "test_object_01", "rwxat");
1223 RUNNER_ASSERT_MSG(result == 1,
1224 " Error while checking smack accesses.");
1225 result = smack_have_access("test_subject_03", "test_object_02", "rwxat");
1226 RUNNER_ASSERT_MSG(result == 1,
1227 " Error while checking smack accesses.");
1228 result = smack_have_access("test_subject_03", "test_object_03", "rwxat");
1229 RUNNER_ASSERT_MSG(result == 1,
1230 " Error while checking smack accesses.");
1233 removeAccessesAll();
1235 smack_accesses_free(rulesBasic);
1238 result = smack_accesses_new(&rulesBasic);
1239 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1241 // Loading file with partial wrong rules - test_smack_rules2
1242 fd = open("/etc/smack/test_smack_rules2", O_RDONLY, 0644);
1243 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules2");
1245 // Adding rules from file
1246 result = smack_accesses_add_from_file(rulesBasic, fd);
1248 RUNNER_ASSERT_MSG(result == 0, "Accesses were loaded from file");
1251 result = smack_accesses_apply(rulesBasic);
1252 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1255 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_01"),
1256 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
1257 result = smack_have_access("test_subject_01", "test_object_02", "rwat");
1258 RUNNER_ASSERT_MSG(result == 1,
1259 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1260 result = smack_have_access("test_subject_01", "test_object_03", "wat");
1261 RUNNER_ASSERT_MSG(result == 1,
1262 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1263 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_02", "test_object_01"),
1264 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
1265 result = smack_have_access("test_subject_02", "test_object_02", "wa-ft");
1266 RUNNER_ASSERT_MSG(result == 1,
1267 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1268 result = smack_have_access("test_subject_02", "test_object_03", "wr");
1269 RUNNER_ASSERT_MSG(result == 1,
1270 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1271 result = smack_have_access("test_subject_03", "test_object_01", "a");
1272 RUNNER_ASSERT_MSG(result == 1,
1273 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1274 result = smack_have_access("test_subject_03", "test_object_02", "rwat");
1275 RUNNER_ASSERT_MSG(result == 1,
1276 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1277 result = smack_have_access("test_subject_03", "test_object_03", "w");
1278 RUNNER_ASSERT_MSG(result == 1,
1279 " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
1282 removeAccessesAll();
1284 smack_accesses_free(rulesBasic);
1287 result = smack_accesses_new(&rulesBasic);
1288 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1290 // Loading file with partial wrong rules - test_smack_rules3
1291 fd = open("/etc/smack/test_smack_rules3", O_RDONLY, 0644);
1292 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules3");
1294 // Adding rules from file
1295 result = smack_accesses_add_from_file(rulesBasic, fd);
1297 RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
1300 result = smack_accesses_apply(rulesBasic);
1301 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1304 result = smack_have_access("test_subject_01", "test_object_01", "rwat");
1305 RUNNER_ASSERT_MSG(result == 1,
1306 " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Result: " << result );
1307 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_02"),
1308 " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Accesses exist.");
1309 result = smack_have_access("test_subject_01", "test_object_03", "x");
1310 RUNNER_ASSERT_MSG(result == 0,
1311 " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Result: " << result );
1314 removeAccessesAll();
1316 smack_accesses_free(rulesBasic);
1319 result = smack_accesses_new(&rulesBasic);
1320 RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
1322 // Loading file with partial wrong rules - test_smack_rules4
1323 fd = open("/etc/smack/test_smack_rules4", O_RDONLY, 0644);
1324 RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules4");
1326 // Adding rules from file
1327 result = smack_accesses_add_from_file(rulesBasic, fd);
1329 RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
1332 result = smack_accesses_apply(rulesBasic);
1333 RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
1336 result = smack_have_access("test_subject_01", "test_object_01", "rxwat");
1337 RUNNER_ASSERT_MSG(result == 1,
1338 " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Result: " << result );
1339 RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_02"),
1340 " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Accesses exist.");
1341 result = smack_have_access("test_subject_01", "test_object_03", "a");
1342 RUNNER_ASSERT_MSG(result == 0,
1343 " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Result: " << result );
1346 removeAccessesAll();
1348 smack_accesses_free(rulesBasic);
1352 //int smack_new_label_from_socket(int fd, char **label);
projects / platform / core / test / security-tests.git / blob