2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
6 * @file security_server_tests_cookie_api.cpp
7 * @author Pawel Polawski (p.polawski@partner.samsung.com)
9 * @brief Test cases for security server cookie api
14 Tested API functions in this file:
16 int security_server_get_cookie_size(void);
17 int security_server_request_cookie(char *cookie, size_t bufferSize);
19 int security_server_check_privilege(const char *cookie, gid_t privilege);
20 int security_server_check_privilege_by_cookie(const char *cookie,
22 const char *access_rights);
23 int security_server_get_cookie_pid(const char *cookie);
24 char *security_server_get_smacklabel_cookie(const char *cookie);
25 int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
26 int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
29 #include <dpl/test/test_runner.h>
30 #include <dpl/test/test_runner_multiprocess.h>
31 #include <tests_common.h>
32 #include <sys/smack.h>
34 #include <sys/types.h>
36 #include <access_provider.h>
37 #include <security-server.h>
38 #include <smack_access.h>
39 #include <security_server_tests_common.h>
// Name passed to security_server_get_gid() when the tests look up root's gid.
42 const char *ROOT_USER = "root";
// Group the test process is added to or removed from before the gid-based
// privilege checks.
43 const char *PROC_AUDIO_GROUP_NAME = "audio";
// Cookie length, in bytes, that the tests expect
// security_server_get_cookie_size() to report. It is also used directly as a
// buffer size in several tests.
45 const int KNOWN_COOKIE_SIZE = 20;
// Opens the COOKIE_API_TESTS group; the macro comes from the DPL test runner
// headers and its exact semantics are not visible in this file.
47 RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
50 * **************************************************************************
51 * Test cases checking how the API functions handle invalid input parameters
52 * **************************************************************************
55 //---------------------------------------------------------------------------
56 //passing nullptr as a buffer pointer
57 RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
// A null output buffer with an otherwise valid size must be rejected with
// SECURITY_SERVER_API_ERROR_INPUT_PARAM.
59 int ret = security_server_request_cookie(nullptr, KNOWN_COOKIE_SIZE);
60 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
61 "Error in security_server_request_cookie() argument checking: " << ret);
64 //passing too small value as a buffer size
65 RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie)
// Cookie is declared in the shared test headers; presumably the constructor
// argument is the byte count, so the buffer itself is full-sized -- confirm.
67 Cookie cookie(KNOWN_COOKIE_SIZE);
// Only the size reported to the API is one byte short. The expected result is
// BUFFER_TOO_SMALL, i.e. the API must honour the caller's stated length.
69 int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1);
70 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
71 "Error in security_server_request_cookie() argument checking: " << ret);
74 //---------------------------------------------------------------------------
75 //passing nullptr as a cookie pointer
76 RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
// A null cookie must be reported as an input error, not as a granted or
// denied privilege. The gid argument (0) is irrelevant to this check.
78 int ret = security_server_check_privilege(nullptr, 0);
79 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
80 "Error in security_server_check_privilege() argument checking: " << ret);
83 //---------------------------------------------------------------------------
84 //passing nullptr as a cookie pointer
85 RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
// NOTE(review): per the message below, the API under test currently always
// returns success, so this access check has no negative-path coverage while
// the test is ignored. Presumably RUNNER_IGNORED_MSG ends the test here (the
// macro is defined in the DPL headers, not shown), leaving the rest unexecuted.
87 RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
// Intended check once re-enabled: a null cookie yields ERROR_INPUT_PARAM.
88 int ret = security_server_check_privilege_by_cookie(nullptr, "wiadro", "rwx");
// The tail of the assertion message is not visible in this listing.
89 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
90 "Error in security_server_check_privilege_by_cookie() argument checking: "
94 //passing nullptr as an object pointer
95 RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
// NOTE(review): ignored because the API is stated to always return success;
// presumably nothing after this macro runs -- confirm against the DPL headers.
97 RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
// getCookieFromSS() comes from the shared test helpers (not shown).
98 Cookie cookie = getCookieFromSS();
// Intended check: a valid cookie with a null object label yields
// ERROR_INPUT_PARAM. The tail of the assertion message is not visible here.
100 int ret = security_server_check_privilege_by_cookie(cookie.data(), nullptr, "rwx");
101 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
102 "Error in security_server_check_privilege_by_cookie() argument checking: "
106 //passing nullptr as an access pointer
107 RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
// NOTE(review): ignored because the API is stated to always return success;
// presumably nothing after this macro runs -- confirm against the DPL headers.
109 RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
110 Cookie cookie = getCookieFromSS();
// Intended check: a valid cookie and object with a null access-rights string
// yields ERROR_INPUT_PARAM. The tail of the assertion message is not visible.
112 int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", nullptr);
113 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
114 "Error in security_server_check_privilege_by_cookie() argument checking: "
118 //---------------------------------------------------------------------------
119 //passing nullptr as a cookie pointer
120 RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
// A null cookie must produce ERROR_INPUT_PARAM rather than a pid value.
122 int ret = security_server_get_cookie_pid(nullptr);
123 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
124 "Error in security_server_get_cookie_pid() argument checking: " << ret);
127 //getting pid of non existing cookie
128 RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid)
// A full-length buffer that is not a cookie issued by the server: the first
// four bytes are set, and aggregate initialisation zero-fills the rest.
130 const char wrong_cookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'};
// An unknown cookie must be reported as NO_SUCH_COOKIE, never mapped to a pid.
131 RUNNER_ASSERT(security_server_get_cookie_pid(wrong_cookie) ==
132 SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
135 //---------------------------------------------------------------------------
136 //passing nullptr as a cookie pointer
137 RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
// This API returns a label pointer instead of an error code, so a null
// cookie is expected to yield a null label.
139 char *label = nullptr;
140 label = security_server_get_smacklabel_cookie(nullptr);
141 RUNNER_ASSERT_MSG(label == nullptr,
142 "Error in security_server_get_smacklabel_cookie() argument checking");
148 * **************************************************************************
149 * Unit tests for each function from API
150 * **************************************************************************
153 //---------------------------------------------------------------------------
154 //root has access to API
155 RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
// Baseline: without any privilege change, the reported cookie size must
// equal the constant the other tests rely on.
157 int ret = security_server_get_cookie_size();
158 RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
159 "Error in security_server_get_cookie_size(): " << ret);
162 //---------------------------------------------------------------------------
163 // Get cookie size when smack is not loaded
164 RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_02_app_user_security_server_get_cookie_size_nosmack)
// The declaration of ret is not visible in this listing.
// drop_root_privileges() is a shared test helper (not shown). The test only
// continues if the drop succeeded, so the query below runs unprivileged.
168 ret = drop_root_privileges();
169 RUNNER_ASSERT_MSG(ret == 0,
170 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
// The cookie size must still be obtainable after the privilege drop.
171 ret = security_server_get_cookie_size();
172 RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE, "ret = " << ret);
175 //---------------------------------------------------------------------------
176 // Test setting up a cookie in normal case when smack is not loaded
177 RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_03_app_user_security_server_request_cookie_nosmack)
// The declaration of ret is not visible in this listing.
// The buffer is sized from the value the server reports...
180 int cookieSize = security_server_get_cookie_size();
181 Cookie cookie(cookieSize);
183 ret = drop_root_privileges();
184 RUNNER_ASSERT_MSG(ret == 0,
185 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
// NOTE(review): ...but the size passed to the API is the hard-coded constant,
// and this test never asserts cookieSize == KNOWN_COOKIE_SIZE. If the server
// ever reported a smaller size, the API would be told the buffer is larger
// than it is. Passing cookie.size(), or asserting equality first as
// tc_unit_02_01 does, would remove that mismatch.
187 ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE);
188 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
191 //---------------------------------------------------------------------------
192 // Test setting up a cookie when smack is not loaded but with a too small buffer size
// NOTE(review): this test uses the prefix tc_init_ while its siblings use
// tc_unit_; name-based test filters may miss it.
194 RUNNER_CHILD_TEST_NOSMACK(tc_init_01_04_app_user_security_server_request_cookie_too_small_buffer_size_nosmack)
// The declaration of ret is not visible in this listing.
// The buffer is allocated at the server-reported size, so it is not itself
// undersized; only the length handed to the API is reduced.
197 int cookieSize = security_server_get_cookie_size();
198 Cookie cookie(cookieSize);
200 ret = drop_root_privileges();
201 RUNNER_ASSERT_MSG(ret == 0,
202 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
// Half of the known size (KNOWN_COOKIE_SIZE >> 1) must be rejected as too small.
204 ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE >> 1);
205 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
208 //---------------------------------------------------------------------------
209 // Get cookie size when smack is loaded
210 RUNNER_CHILD_TEST_SMACK(tc_unit_01_05_app_user_security_server_get_cookie_size)
// AccessProvider is a project helper (not shown); presumably it labels the
// process "selflabel_01_05" and switches to APP_UID/APP_GID -- confirm.
// No access rule is added between construction and the switch.
212 SecurityServer::AccessProvider provider("selflabel_01_05");
213 provider.applyAndSwithToUser(APP_UID, APP_GID);
// The size query is expected to succeed for the application user.
215 int ret = security_server_get_cookie_size();
216 RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
217 "Error in security_server_get_cookie_size(): " << ret);
220 //---------------------------------------------------------------------------
221 //root has access to API
222 RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
// Verify the reported size before using it to allocate the buffer.
224 int cookieSize = security_server_get_cookie_size();
225 RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
226 "Error in security_server_get_cookie_size(): " << cookieSize);
// The length passed to the API is taken from the buffer itself, so the two
// cannot disagree.
228 Cookie cookie(cookieSize);
229 int ret = security_server_request_cookie(cookie.data(), cookie.size());
230 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
231 "Error in security_server_request_cookie(): " << ret);
234 //---------------------------------------------------------------------------
235 // Test setting up a cookie in normal case when smack is loaded
236 RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie)
238 int cookieSize = security_server_get_cookie_size();
239 RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
240 "Error in security_server_get_cookie_size(): " << cookieSize);
// NOTE(review): the label "selflabel_02_01" does not match this test's
// number (02_02); harmless if labels are only scratch names -- confirm.
242 SecurityServer::AccessProvider provider("selflabel_02_01");
// A line between the provider construction and the switch is not visible in
// this listing. If it grants an access rule, check that it is the minimum
// the cookie request needs.
244 provider.applyAndSwithToUser(APP_UID, APP_GID);
// Requesting a cookie as the application user is expected to succeed.
246 Cookie cookie(cookieSize);
247 int ret = security_server_request_cookie(cookie.data(), cookie.size());
248 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
249 "Error in security_server_request_cookie(): " << ret);
252 //---------------------------------------------------------------------------
253 // Test setting up a cookie when smack is loaded but with a too small buffer size
255 RUNNER_CHILD_TEST_SMACK(tc_unit_02_03_app_user_security_server_request_cookie_too_small_buffer_size)
257 int cookieSize = security_server_get_cookie_size();
258 RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
259 "Error in security_server_get_cookie_size(): " << cookieSize);
// NOTE(review): as listed, cookieSize is still the full cookie size when the
// buffer is built, yet BUFFER_TOO_SMALL is expected below. Lines between the
// assertion above and the provider are not visible here; confirm that
// cookieSize is reduced there, otherwise the expectation cannot hold.
262 SecurityServer::AccessProvider provider("selflabel_02_02");
263 provider.applyAndSwithToUser(APP_UID, APP_GID);
265 Cookie cookie(cookieSize);
266 int ret = security_server_request_cookie(cookie.data(), cookie.size());
267 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
268 "Error in security_server_request_cookie(): " << ret);
271 //---------------------------------------------------------------------------
272 //root has access to API
273 RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
// Cookie obtained without any privilege change.
275 Cookie cookie = getCookieFromSS();
// The second argument is a gid_t (see the prototype in the file header), so
// this asks whether the cookie's owner belongs to gid 0; SUCCESS is expected.
277 int ret = security_server_check_privilege(cookie.data(), 0);
278 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
279 "Error in security_server_check_privilege(): " << ret);
282 //privileges drop and no smack rule
283 RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_app_user_security_server_check_privilege)
// The cookie is fetched before the identity switch, so it is a valid cookie.
285 Cookie cookie = getCookieFromSS();
// No access rule is added before switching to the application user.
287 SecurityServer::AccessProvider provider("selflabel_03_02");
288 provider.applyAndSwithToUser(APP_UID, APP_GID);
// Negative authorization case: with a valid cookie but no rule for the
// caller, the API itself must answer ACCESS_DENIED.
290 int ret = security_server_check_privilege(cookie.data(), 0);
291 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
292 "security_server_check_privilege() should return access denied: " << ret);
295 //privileges drop and added smack rule
296 RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege)
298 Cookie cookie = getCookieFromSS();
300 SecurityServer::AccessProvider provider("selflabel_03_03");
// A line between construction and the switch is not visible in this listing.
// Going by the comment above the test, it adds the smack rule that separates
// this case from tc_unit_03_02 -- confirm it grants only what the check needs.
302 provider.applyAndSwithToUser(APP_UID, APP_GID);
// With the rule in place the same call is expected to succeed.
304 int ret = security_server_check_privilege(cookie.data(), 0);
305 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
306 "Error in security_server_check_privilege(): " << ret);
310 RUNNER_CHILD_TEST(tc_unit_03_04_security_server_check_privilege_neg)
// remove_process_group() is a shared helper (not shown). It is called before
// the cookie is requested, so the cookie is issued while the process is
// outside the "audio" group.
312 remove_process_group(PROC_AUDIO_GROUP_NAME);
314 Cookie cookie = getCookieFromSS();
// Resolve the group name to a gid; a negative value is treated as failure.
315 int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
316 RUNNER_ASSERT_MSG(audio_gid > -1,
317 "security_server_get_gid() failed. result = " << audio_gid);
319 int ret = security_server_check_privilege(cookie.data(), audio_gid);
321 // security_server_check_privilege fails, because the process does not belong to "audio" group
322 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
326 RUNNER_CHILD_TEST(tc_unit_03_05_security_server_check_privilege)
// Positive counterpart of tc_unit_03_04: the process joins "audio" before the
// cookie is requested (add_process_group() is a shared helper, not shown).
328 add_process_group(PROC_AUDIO_GROUP_NAME);
330 Cookie cookie = getCookieFromSS();
331 int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
332 RUNNER_ASSERT_MSG(audio_gid > -1,
333 "security_server_get_gid() failed. result = " << audio_gid);
// The privilege check for the audio gid is now expected to succeed.
335 int ret = security_server_check_privilege(cookie.data(), audio_gid);
336 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
339 // test invalid cookie name
340 RUNNER_TEST(tc_unit_03_06_security_server_check_privilege)
342 // create invalid cookie
343 int size = security_server_get_cookie_size();
344 RUNNER_ASSERT_MSG(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
// The lines that declare and fill `cookie` are not visible in this listing.
// The expectation is that a cookie the server did not issue is answered with
// ACCESS_DENIED, never SUCCESS.
348 int ret = security_server_check_privilege(cookie.data(), 0);
349 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
352 //---------------------------------------------------------------------------
353 //root has access to API
354 RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
356 Cookie cookie = getCookieFromSS();
// Negative return values are error codes; anything above -1 is taken as a pid.
358 int ret = security_server_get_cookie_pid(cookie.data());
359 RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
// The declaration of pid is not visible in this listing; presumably it is
// the caller's own pid, as in tc_unit_09_01, which compares with getpid().
362 RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
365 //privileges drop and no smack rule
366 RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_app_user_security_server_get_cookie_pid)
// Valid cookie, fetched before the identity switch.
368 Cookie cookie = getCookieFromSS();
// No access rule is added before switching to the application user.
370 SecurityServer::AccessProvider provider("selflabel_05_02");
371 provider.applyAndSwithToUser(APP_UID, APP_GID);
// Without a rule the cookie-to-pid lookup must be refused, so the call
// returns ACCESS_DENIED instead of a pid.
373 int ret = security_server_get_cookie_pid(cookie.data());
374 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
375 "security_server_get_cookie_pid() should return access denied: " << ret);
378 //privileges drop and added smack rule
379 RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid)
381 Cookie cookie = getCookieFromSS();
383 SecurityServer::AccessProvider provider("selflabel_05_03");
// A line between construction and the switch is not visible in this listing.
// Going by the comment above the test, it adds the smack rule that permits
// the lookup -- confirm.
385 provider.applyAndSwithToUser(APP_UID, APP_GID);
387 int ret = security_server_get_cookie_pid(cookie.data());
388 RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
// The declaration of pid is not visible in this listing.
391 RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
394 //---------------------------------------------------------------------------
395 //root has access to API
396 RUNNER_CHILD_TEST_SMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_smack)
// setLabelForSelf() is a shared helper (not shown). The label is set before
// the cookie is requested, so the cookie should carry "selflabel_06_01".
398 setLabelForSelf(__LINE__, "selflabel_06_01");
400 Cookie cookie = getCookieFromSS();
// CStringPtr is a project type (not shown); presumably it owns and releases
// the returned string.
402 CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
// NOTE(review): if the API returned nullptr, strcmp() would dereference a
// null pointer instead of failing the assertion; assert label.get() != nullptr
// first. The tail of the assertion message is not visible in this listing.
403 RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_01") == 0,
404 "No match in smack label received from cookie, received label: "
408 //---------------------------------------------------------------------------
409 //root has access to API
410 RUNNER_CHILD_TEST_NOSMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_nosmack)
412 Cookie cookie = getCookieFromSS();
// NOTE(review): the result is held in a raw pointer here, while the other
// label tests wrap it in CStringPtr. A line after the std::string copy is not
// visible in this listing; confirm the buffer is released there.
414 char *receivedLabel = security_server_get_smacklabel_cookie(cookie.data());
// The null check comes first, so building std::string from it below is safe.
415 RUNNER_ASSERT_MSG(receivedLabel != nullptr,
416 "security_server_get_smacklabel_cookie returned nullptr");
417 std::string label(receivedLabel);
// Without Smack the call is expected to succeed and return an empty label.
// The tail of the assertion message is not visible in this listing.
419 RUNNER_ASSERT_MSG(label.empty(),
420 "security_server_get_smacklabel_cookie returned: "
424 //privileges drop and no smack rule
425 RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_cookie)
// Valid cookie, fetched before the identity switch.
427 Cookie cookie = getCookieFromSS();
// No access rule is added before switching to the application user.
429 SecurityServer::AccessProvider provider("selflabel_06_02");
430 provider.applyAndSwithToUser(APP_UID, APP_GID);
// This API has no error code, so a denied request is expected to show up as
// a null label. The tail of the assertion message is not visible here.
432 CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
433 RUNNER_ASSERT_MSG(label.get() == nullptr,
434 "nullptr should be received due to access denied, received label: "
438 //privileges drop and added smack rule
439 RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
441 SecurityServer::AccessProvider provider("selflabel_06_03");
// A line between construction and the switch is not visible in this listing.
// Going by the comment above the test, it adds the smack rule -- confirm.
443 provider.applyAndSwithToUser(APP_UID, APP_GID);
// Unlike tc_unit_06_02, the cookie is requested after the switch, so it is
// expected to carry the new label "selflabel_06_03".
445 Cookie cookie = getCookieFromSS();
447 CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
// NOTE(review): strcmp() on a null label would crash rather than fail the
// assertion; assert label.get() != nullptr first. The tail of the assertion
// message is not visible in this listing.
448 RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_03") == 0,
449 "No match in smack label received from cookie, received label: "
453 //---------------------------------------------------------------------------
454 // apply smack labels and drop privileges
455 RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow)
// End-to-end "allow" scenario: every cookie API is exercised as the
// application user and each call is expected to succeed.
457 add_process_group(PROC_AUDIO_GROUP_NAME);
459 SecurityServer::AccessProvider provider("subject_1d6eda7d");
// A line between construction and the switch is not visible in this listing;
// presumably it grants the access rules this scenario depends on -- confirm.
461 provider.applyAndSwithToUser(APP_UID, APP_GID);
463 Cookie cookie = getCookieFromSS();
465 int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
466 RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
467 << "\" gid. Result: " << ret);
// ret holds the audio gid on the right-hand side and is then overwritten
// with the result of the privilege check.
469 ret = security_server_check_privilege(cookie.data(), ret);
470 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
472 int root_gid = security_server_get_gid(ROOT_USER);
473 RUNNER_ASSERT_MSG(root_gid > -1, "root_gid: " << root_gid);
// The cookie must map back to this process.
475 ret = security_server_get_cookie_pid(cookie.data());
476 RUNNER_ASSERT_MSG(ret == getpid(), "ret: " << ret);
// NOTE(review): the failure message streams ss_label.get() in exactly the
// case where it is nullptr; inserting a null char* into a stream is undefined
// behaviour. Use a fixed message as the NOSMACK variant of this test does.
478 CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
479 RUNNER_ASSERT_MSG(ss_label.get() != nullptr, "ss_label: " << ss_label.get());
// NOTE(review): the message names check_privilege_by_cookie, but the call
// below is check_privilege_by_pid. If RUNNER_IGNORED_MSG ends the test here
// (macro defined in the DPL headers, not shown), the by_pid check never runs
// and the test reports "ignored" even though the earlier assertions passed.
481 RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
483 ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
484 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
487 // disable access and drop privileges
488 RUNNER_CHILD_TEST_SMACK(tc_unit_09_02_app_user_cookie_API_access_deny)
// End-to-end "deny" scenario: each cookie API is called as the application
// user and is expected to refuse the request. The tails of several assertion
// messages are not visible in this listing.
490 SecurityServer::AccessProvider provider("subject_1d414140");
// The cookie is fetched before the identity switch, so each denial below
// concerns the caller's access to the API, not the cookie's validity.
492 Cookie cookie = getCookieFromSS();
494 provider.applyAndSwithToUser(APP_UID, APP_GID);
// DB_ALARM_GID comes from the shared test headers (not shown).
496 int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
497 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
498 "security_server_check_privilege should return access denied, "
501 ret = security_server_get_gid(ROOT_USER);
502 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
503 "security_server_get_gid should return access denied, "
506 ret = security_server_get_cookie_pid(cookie.data());
507 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
508 "security_server_get_cookie_pid should return access denied, "
// A denied label request is signalled by a null pointer. The failure message
// only streams the label when it is non-null, which is safe.
511 CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
512 RUNNER_ASSERT_MSG(ss_label.get() == nullptr,
513 "access should be denied so label should be nullptr: " << ss_label.get());
// NOTE(review): the message names check_privilege_by_sockfd, but the call
// below is check_privilege_by_pid. If RUNNER_IGNORED_MSG ends the test here
// (macro not shown), the by_pid denial is never verified -- and a deny path
// on an API stated to "always return success" is the case most worth testing.
515 RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
517 ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
518 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
519 "security_server_check_privilege_by_pid should return access denied, "
523 // NOSMACK version of the test above
524 RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_app_user_cookie_API_access_allow_nosmack)
// The "allow" scenario without Smack. Instead of an AccessProvider the test
// only drops root, and every cookie API call is expected to succeed.
526 add_process_group(PROC_AUDIO_GROUP_NAME);
528 // drop root privileges
529 int ret = drop_root_privileges();
530 RUNNER_ASSERT_MSG(ret == 0,
531 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
// The cookie is requested after the drop, i.e. as the unprivileged user.
533 Cookie cookie = getCookieFromSS();
535 ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
536 RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
537 << "\" gid. Result: " << ret);
// ret holds the audio gid on the right-hand side and is then overwritten
// with the result of the privilege check.
539 ret = security_server_check_privilege(cookie.data(), ret);
540 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
541 "check_privilege failed. Result: " << ret);
543 ret = security_server_get_gid(ROOT_USER);
544 RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"root\" gid. Result: " << ret);
// The cookie must map back to this process.
546 ret = security_server_get_cookie_pid(cookie.data());
547 RUNNER_ASSERT_MSG(ret == getpid(),
548 "get_cookie_pid returned different pid than it should. Result: " << ret);
// The failure message is a fixed string, so a null label is never streamed.
550 CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
551 RUNNER_ASSERT_MSG(ss_label.get() != nullptr, "get_smacklabel_cookie failed.");
// NOTE(review): the message names check_privilege_by_sockfd, but the call
// below is check_privilege_by_pid. If RUNNER_IGNORED_MSG ends the test here
// (macro defined in the DPL headers, not shown), the by_pid check never runs.
553 RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
555 ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
556 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
557 "check_privilege_by_pid failed. Result: " << ret);