tests/security-server-tests/cookie_api.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4
   5 /*
   6  * @file    security_server_tests_cookie_api.cpp
   7  * @author  Pawel Polawski (p.polawski@partner.samsung.com)
   8  * @version 1.0
   9  * @brief   Test cases for security server cookie api
  10  *
  11  */
  12
  13 /*
  14 Tested API functions in this file:
  15
  16 Protected by "security-server::api-cookie-get" label:
  17     int security_server_get_cookie_size(void);
  18     int security_server_request_cookie(char *cookie, size_t bufferSize);
  19
  20
  21 Protected by "security-server::api-cookie-check" label:
  22     int security_server_check_privilege(const char *cookie, gid_t privilege);
  23     int security_server_check_privilege_by_cookie(const char *cookie,
  24                                                   const char *object,
  25                                                   const char *access_rights);
  26     int security_server_get_cookie_pid(const char *cookie);
  27     char *security_server_get_smacklabel_cookie(const char *cookie);
  28     int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
  29     int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
  30 */
  31
  32 #include <dpl/test/test_runner.h>
  33 #include <dpl/test/test_runner_multiprocess.h>
  34 #include <tests_common.h>
  35 #include <sys/smack.h>
  36 #include <cstddef>
  37 #include <sys/types.h>
  38 #include <unistd.h>
  39 #include <access_provider.h>
  40 #include <security-server.h>
  41 #include <smack_access.h>
  42 #include <security_server_tests_common.h>
  43
  44 const char *ROOT_USER = "root";
  45 const char *PROC_AUDIO_GROUP_NAME = "audio";
  46
  47 typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
  48 const int KNOWN_COOKIE_SIZE = 20;
  49
  50 RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
  51
  52 /*
  53  * **************************************************************************
  54  * Test cases fot check various functions input params cases
  55  * **************************************************************************
  56  */
  57
  58 //---------------------------------------------------------------------------
  59 //passing NULL as a buffer pointer
  60 RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
  61 {
  62     int ret = security_server_request_cookie(NULL, KNOWN_COOKIE_SIZE);
  63     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
  64                       "Error in security_server_request_cookie() argument checking: " << ret);
  65 }
  66
  67 //passing too small value as a buffer size
  68 RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie)
  69 {
  70     Cookie cookie(KNOWN_COOKIE_SIZE);
  71
  72     int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1);
  73     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
  74                       "Error in security_server_request_cookie() argument checking: " << ret);
  75 }
  76
  77 //---------------------------------------------------------------------------
  78 //passing NULL as a cookie pointer
  79 RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
  80 {
  81     int ret = security_server_check_privilege(NULL, 0);
  82     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
  83                       "Error in security_server_check_privilege() argument checking: " << ret);
  84 }
  85
  86 //---------------------------------------------------------------------------
  87 //passing NULL as a cookie pointer
  88 RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
  89 {
  90     RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
  91     int ret = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
  92     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
  93                       "Error in security_server_check_privilege_by_cookie() argument checking: "
  94                       << ret);
  95 }
  96
  97 //passing NULL as an object pointer
  98 RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
  99 {
 100     RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
 101     Cookie cookie = getCookieFromSS();
 102
 103     int ret = security_server_check_privilege_by_cookie(cookie.data(), NULL, "rwx");
 104     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 105                       "Error in security_server_check_privilege_by_cookie() argument checking: "
 106                       << ret);
 107 }
 108
 109 //passing NULL as an access pointer
 110 RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
 111 {
 112     RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
 113     Cookie cookie = getCookieFromSS();
 114
 115     int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", NULL);
 116     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 117                       "Error in security_server_check_privilege_by_cookie() argument checking: "
 118                       << ret);
 119 }
 120
 121 //---------------------------------------------------------------------------
 122 //passing NULL as a cookie pointer
 123 RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
 124 {
 125     int ret = security_server_get_cookie_pid(NULL);
 126     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 127                       "Error in security_server_get_cookie_pid() argument checking: " << ret);
 128 }
 129
 130 //getting pid of non existing cookie
 131 RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid)
 132 {
 133     const char wrong_cookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'};
 134     RUNNER_ASSERT_BT(security_server_get_cookie_pid(wrong_cookie) ==
 135                   SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
 136 }
 137
 138 //---------------------------------------------------------------------------
 139 //passing NULL as a cookie pointer
 140 RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
 141 {
 142     char *label = NULL;
 143     label = security_server_get_smacklabel_cookie(NULL);
 144     RUNNER_ASSERT_MSG_BT(label == NULL,
 145                       "Error in security_server_get_smacklabel_cookie() argument checking");
 146 }
 147
 148
 149
 150 /*
 151  * **************************************************************************
 152  * Unit tests for each function from API
 153  * **************************************************************************
 154  */
 155
 156 //---------------------------------------------------------------------------
 157 //root has access to API
 158 RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
 159 {
 160     int ret = security_server_get_cookie_size();
 161     RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
 162                       "Error in security_server_get_cookie_size(): " << ret);
 163 }
 164
 165 //---------------------------------------------------------------------------
 166 // Get cookie size when smack is not loaded
 167 RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_02_app_user_security_server_get_cookie_size_nosmack)
 168 {
 169     int ret;
 170
 171     ret = drop_root_privileges();
 172     RUNNER_ASSERT_MSG_BT(ret == 0,
 173             "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
 174     ret = security_server_get_cookie_size();
 175     RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE, "ret = " << ret);
 176 }
 177
 178 //---------------------------------------------------------------------------
 179 // Test setting up a cookie in normal case when smack is not loaded
 180 RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_03_app_user_security_server_request_cookie_nosmack)
 181 {
 182     int ret;
 183     int cookieSize = security_server_get_cookie_size();
 184     Cookie cookie(cookieSize);
 185
 186     ret = drop_root_privileges();
 187     RUNNER_ASSERT_MSG_BT(ret == 0,
 188             "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
 189
 190     ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE);
 191     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 192 }
 193
 194 //---------------------------------------------------------------------------
 195 // Test setting up a cookie when smack is not loaded but with too small
 196 // buffer size
 197 RUNNER_CHILD_TEST_NOSMACK(tc_init_01_04_app_user_security_server_request_cookie_too_small_buffer_size_nosmack)
 198 {
 199     int ret;
 200     int cookieSize = security_server_get_cookie_size();
 201     Cookie cookie(cookieSize);
 202
 203     ret = drop_root_privileges();
 204     RUNNER_ASSERT_MSG_BT(ret == 0,
 205             "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
 206
 207     ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE >> 1);
 208     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
 209 }
 210
 211 //---------------------------------------------------------------------------
 212 // Get cookie size when smack is loaded
 213 RUNNER_CHILD_TEST_SMACK(tc_unit_01_05_app_user_security_server_get_cookie_size)
 214 {
 215     SecurityServer::AccessProvider provider("selflabel_01_05");
 216     provider.applyAndSwithToUser(APP_UID, APP_GID);
 217
 218     int ret = security_server_get_cookie_size();
 219     RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
 220                       "Error in security_server_get_cookie_size(): " << ret);
 221 }
 222
 223 //---------------------------------------------------------------------------
 224 //root has access to API
 225 RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
 226 {
 227     int cookieSize = security_server_get_cookie_size();
 228     RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
 229                     "Error in security_server_get_cookie_size(): " << cookieSize);
 230
 231     Cookie cookie(cookieSize);
 232     int ret = security_server_request_cookie(cookie.data(), cookie.size());
 233     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 234                     "Error in security_server_request_cookie(): " << ret);
 235 }
 236
 237 //---------------------------------------------------------------------------
 238 // Test setting up a cookie in normal case when smack is loaded
 239 RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie)
 240 {
 241     int cookieSize = security_server_get_cookie_size();
 242     RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
 243                       "Error in security_server_get_cookie_size(): " << cookieSize);
 244
 245     SecurityServer::AccessProvider provider("selflabel_02_01");
 246     provider.applyAndSwithToUser(APP_UID, APP_GID);
 247
 248     Cookie cookie(cookieSize);
 249     int ret = security_server_request_cookie(cookie.data(), cookie.size());
 250     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 251                       "Error in security_server_request_cookie(): " << ret);
 252 }
 253
 254 //---------------------------------------------------------------------------
 255 // Test setting up a cookie when smack is loaded but with too small buffer
 256 // size
 257 RUNNER_CHILD_TEST_SMACK(tc_unit_02_03_app_user_security_server_request_cookie_too_small_buffer_size)
 258 {
 259     int cookieSize = security_server_get_cookie_size();
 260     RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
 261                       "Error in security_server_get_cookie_size(): " << cookieSize);
 262     cookieSize >>= 1;
 263
 264     SecurityServer::AccessProvider provider("selflabel_02_02");
 265     provider.applyAndSwithToUser(APP_UID, APP_GID);
 266
 267     Cookie cookie(cookieSize);
 268     int ret = security_server_request_cookie(cookie.data(), cookie.size());
 269     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
 270                       "Error in security_server_request_cookie(): " << ret);
 271 }
 272
 273 //---------------------------------------------------------------------------
 274 //root has access to API
 275 RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
 276 {
 277     Cookie cookie = getCookieFromSS();
 278
 279     int ret = security_server_check_privilege(cookie.data(), 0);
 280     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 281                       "Error in security_server_check_privilege(): " << ret);
 282 }
 283
 284 //privileges drop and no smack rule
 285 RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_app_user_security_server_check_privilege)
 286 {
 287     RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
 288     Cookie cookie = getCookieFromSS();
 289
 290     SecurityServer::AccessProvider provider("selflabel_03_02");
 291     provider.applyAndSwithToUser(APP_UID, APP_GID);
 292
 293     int ret = security_server_check_privilege(cookie.data(), 0);
 294     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 295                       "security_server_check_privilege() should return access denied: " << ret);
 296 }
 297
 298 //privileges drop and added smack rule
 299 RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege)
 300 {
 301     Cookie cookie = getCookieFromSS();
 302
 303     SecurityServer::AccessProvider provider("selflabel_03_03");
 304     provider.allowFunction("security_server_check_privilege");
 305     provider.applyAndSwithToUser(APP_UID, APP_GID);
 306
 307     int ret = security_server_check_privilege(cookie.data(), 0);
 308     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 309                       "Error in security_server_check_privilege(): " << ret);
 310 }
 311
 312 // invalid gid
 313 RUNNER_CHILD_TEST(tc_unit_03_04_security_server_check_privilege_neg)
 314 {
 315     remove_process_group(PROC_AUDIO_GROUP_NAME);
 316
 317     Cookie cookie = getCookieFromSS();
 318     int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
 319     RUNNER_ASSERT_MSG_BT(audio_gid > -1,
 320                          "security_server_get_gid() failed. result = " << audio_gid);
 321
 322     int ret = security_server_check_privilege(cookie.data(), audio_gid);
 323
 324     // security_server_check_privilege fails, because the process does not belong to "audio" group
 325     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 326 }
 327
 328 // add gid
 329 RUNNER_CHILD_TEST(tc_unit_03_05_security_server_check_privilege)
 330 {
 331     add_process_group(PROC_AUDIO_GROUP_NAME);
 332
 333     Cookie cookie = getCookieFromSS();
 334     int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
 335     RUNNER_ASSERT_MSG_BT(audio_gid > -1,
 336                          "security_server_get_gid() failed. result = " << audio_gid);
 337
 338     int ret = security_server_check_privilege(cookie.data(), audio_gid);
 339     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 340 }
 341
 342 // test invalid cookie name
 343 RUNNER_TEST(tc_unit_03_06_security_server_check_privilege)
 344 {
 345     // create invalid cookie
 346     int size = security_server_get_cookie_size();
 347     RUNNER_ASSERT_MSG_BT(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
 348
 349     Cookie cookie(size);
 350     cookie[0] = 'a';
 351     int ret = security_server_check_privilege(cookie.data(), 0);
 352     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 353 }
 354
 355 //---------------------------------------------------------------------------
 356 //root has access to API
 357 RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
 358 {
 359     Cookie cookie = getCookieFromSS();
 360
 361     int ret = security_server_get_cookie_pid(cookie.data());
 362     RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
 363
 364     int pid = getpid();
 365     RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
 366 }
 367
 368 //privileges drop and no smack rule
 369 RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_app_user_security_server_get_cookie_pid)
 370 {
 371     RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
 372     Cookie cookie = getCookieFromSS();
 373
 374     SecurityServer::AccessProvider provider("selflabel_05_02");
 375     provider.applyAndSwithToUser(APP_UID, APP_GID);
 376
 377     int ret = security_server_get_cookie_pid(cookie.data());
 378     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 379                       "security_server_get_cookie_pid() should return access denied: " << ret);
 380 }
 381
 382 //privileges drop and added smack rule
 383 RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid)
 384 {
 385     Cookie cookie = getCookieFromSS();
 386
 387     SecurityServer::AccessProvider provider("selflabel_05_03");
 388     provider.allowFunction("security_server_get_cookie_pid");
 389     provider.applyAndSwithToUser(APP_UID, APP_GID);
 390
 391     int ret = security_server_get_cookie_pid(cookie.data());
 392     RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
 393
 394     int pid = getpid();
 395     RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
 396 }
 397
 398 //---------------------------------------------------------------------------
 399 //root has access to API
 400 RUNNER_CHILD_TEST_SMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_smack)
 401 {
 402     setLabelForSelf(__LINE__, "selflabel_06_01");
 403
 404     Cookie cookie = getCookieFromSS();
 405
 406     UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
 407     RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_01") == 0,
 408                       "No match in smack label received from cookie, received label: "
 409                       << label.get());
 410 }
 411
 412 //---------------------------------------------------------------------------
 413 //root has access to API
 414 RUNNER_CHILD_TEST_NOSMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_nosmack)
 415 {
 416     Cookie cookie = getCookieFromSS();
 417
 418     char *receivedLabel = security_server_get_smacklabel_cookie(cookie.data());
 419     RUNNER_ASSERT_MSG_BT(receivedLabel != NULL,
 420                          "security_server_get_smacklabel_cookie returned NULL");
 421     std::string label(receivedLabel);
 422     free(receivedLabel);
 423     RUNNER_ASSERT_MSG_BT(label.empty(),
 424                          "security_server_get_smacklabel_cookie returned: "
 425                          << label);
 426 }
 427
 428 //privileges drop and no smack rule
 429 RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_cookie)
 430 {
 431     RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
 432     Cookie cookie = getCookieFromSS();
 433
 434     SecurityServer::AccessProvider provider("selflabel_06_02");
 435     provider.applyAndSwithToUser(APP_UID, APP_GID);
 436
 437     UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
 438     RUNNER_ASSERT_MSG_BT(label.get() == NULL,
 439                       "NULL should be received due to access denied, received label: "
 440                       << label.get());
 441 }
 442
 443 //privileges drop and added smack rule
 444 RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
 445 {
 446     SecurityServer::AccessProvider provider("selflabel_06_03");
 447     provider.allowFunction("security_server_get_smacklabel_cookie");
 448     provider.applyAndSwithToUser(APP_UID, APP_GID);
 449
 450     Cookie cookie = getCookieFromSS();
 451
 452     UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
 453     RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_03") == 0,
 454                       "No match in smack label received from cookie, received label: "
 455                       << label.get());
 456 }
 457
 458 //---------------------------------------------------------------------------
 459 // apply smack labels and drop privileges
 460 RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow)
 461 {
 462     add_process_group(PROC_AUDIO_GROUP_NAME);
 463
 464     SecurityServer::AccessProvider provider("subject_1d6eda7d");
 465     provider.allowFunction("security_server_get_gid");
 466     provider.allowFunction("security_server_request_cookie");
 467     provider.allowFunction("security_server_check_privilege");
 468     provider.allowFunction("security_server_get_cookie_pid");
 469     provider.allowFunction("security_server_get_smacklabel_cookie");
 470     provider.allowFunction("security_server_check_privilege_by_pid");
 471     provider.applyAndSwithToUser(APP_UID, APP_GID);
 472
 473     Cookie cookie = getCookieFromSS();
 474
 475     int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
 476     RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
 477                          << "\" gid. Result: " << ret);
 478
 479     ret = security_server_check_privilege(cookie.data(), ret);
 480     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 481
 482     int root_gid = security_server_get_gid(ROOT_USER);
 483     RUNNER_ASSERT_MSG_BT(root_gid > -1, "root_gid: " << root_gid);
 484
 485     ret = security_server_get_cookie_pid(cookie.data());
 486     RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);
 487
 488     UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
 489     RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "ss_label: " << ss_label.get());
 490
 491     RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
 492
 493     ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
 494     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 495 }
 496
 497 // disable access and drop privileges
 498 RUNNER_CHILD_TEST_SMACK(tc_unit_09_02_app_user_cookie_API_access_deny)
 499 {
 500     RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
 501     SecurityServer::AccessProvider provider("subject_1d414140");
 502     provider.applyAndSwithToUser(APP_UID, APP_GID);
 503
 504     Cookie cookie = getCookieFromSS();
 505
 506     int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
 507     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 508             "security_server_check_privilege should return access denied, "
 509             "ret: " << ret);
 510
 511     ret = security_server_get_gid(ROOT_USER);
 512     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 513             "security_server_get_gid should return access denied, "
 514             "ret: " << ret);
 515
 516     ret = security_server_get_cookie_pid(cookie.data());
 517     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 518             "security_server_get_cookie_pid should return access denied, "
 519             "ret: " << ret);
 520
 521     UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
 522     RUNNER_ASSERT_MSG_BT(ss_label.get() == NULL,
 523             "access should be denied so label should be NULL: " << ss_label.get());
 524
 525     RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
 526
 527     ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
 528     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 529             "security_server_check_privilege_by_pid should return access denied, "
 530             "ret: " << ret);
 531 }
 532
 533 // NOSMACK version of the test above
 534 RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_app_user_cookie_API_access_allow_nosmack)
 535 {
 536     add_process_group(PROC_AUDIO_GROUP_NAME);
 537
 538     // drop root privileges
 539     int ret = drop_root_privileges();
 540     RUNNER_ASSERT_MSG_BT(ret == 0,
 541             "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
 542
 543     Cookie cookie = getCookieFromSS();
 544
 545     ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
 546     RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
 547                          << "\" gid. Result: " << ret);
 548
 549     ret = security_server_check_privilege(cookie.data(), ret);
 550     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 551                          "check_privilege failed. Result: " << ret);
 552
 553     ret = security_server_get_gid(ROOT_USER);
 554     RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"root\" gid. Result: " << ret);
 555
 556     ret = security_server_get_cookie_pid(cookie.data());
 557     RUNNER_ASSERT_MSG_BT(ret == getpid(),
 558             "get_cookie_pid returned different pid than it should. Result: " << ret);
 559
 560     UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
 561     RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");
 562
 563     RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
 564
 565     ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
 566     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 567                          "check_privilege_by_pid failed. Result: " << ret);
 568 }