2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
6 * @file security_server_tests_cookie_api.cpp
7 * @author Pawel Polawski (p.polawski@partner.samsung.com)
9 * @brief Test cases for security server cookie api
14 Tested API functions in this file:
16 Protected by "security-server::api-cookie-get" label:
17 int security_server_get_cookie_size(void);
18 int security_server_request_cookie(char *cookie, size_t bufferSize);
21 Protected by "security-server::api-cookie-check" label:
22 int security_server_check_privilege(const char *cookie, gid_t privilege);
23 int security_server_check_privilege_by_cookie(const char *cookie,
25 const char *access_rights);
26 int security_server_get_cookie_pid(const char *cookie);
27 char *security_server_get_smacklabel_cookie(const char *cookie);
28 int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
29 int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
32 #include <dpl/test/test_runner.h>
33 #include <dpl/test/test_runner_multiprocess.h>
34 #include <tests_common.h>
35 #include <sys/smack.h>
37 #include <sys/types.h>
39 #include <access_provider.h>
40 #include <security-server.h>
41 #include <smack_access.h>
43 const char *ROOT_USER = "root";
44 const char *PROC_AUDIO_GROUP_NAME = "audio";
46 typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
47 const int KNOWN_COOKIE_SIZE = 20;
48 typedef std::vector<char> Cookie;
50 Cookie getCookieFromSS() {
51 Cookie cookie(security_server_get_cookie_size());
53 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS ==
54 security_server_request_cookie(cookie.data(), cookie.size()),
55 "Error in security_server_request_cookie.");
60 RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
63 * **************************************************************************
64 * Test cases fot check various functions input params cases
65 * **************************************************************************
68 //---------------------------------------------------------------------------
69 //passing NULL as a buffer pointer
70 RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
72 int ret = security_server_request_cookie(NULL, KNOWN_COOKIE_SIZE);
73 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
74 "Error in security_server_request_cookie() argument checking: " << ret);
77 //passing too small value as a buffer size
78 RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie)
80 Cookie cookie(KNOWN_COOKIE_SIZE);
82 int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1);
83 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
84 "Error in security_server_request_cookie() argument checking: " << ret);
87 //---------------------------------------------------------------------------
88 //passing NULL as a cookie pointer
89 RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
91 int ret = security_server_check_privilege(NULL, 0);
92 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
93 "Error in security_server_check_privilege() argument checking: " << ret);
96 //---------------------------------------------------------------------------
97 //passing NULL as a cookie pointer
98 RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
100 int ret = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
101 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
102 "Error in security_server_check_privilege_by_cookie() argument checking: "
106 //passing NULL as an object pointer
107 RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
109 Cookie cookie = getCookieFromSS();
111 int ret = security_server_check_privilege_by_cookie(cookie.data(), NULL, "rwx");
112 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
113 "Error in security_server_check_privilege_by_cookie() argument checking: "
117 //passing NULL as an access pointer
118 RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
120 Cookie cookie = getCookieFromSS();
122 int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", NULL);
123 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
124 "Error in security_server_check_privilege_by_cookie() argument checking: "
128 //---------------------------------------------------------------------------
129 //passing NULL as a cookie pointer
130 RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
132 int ret = security_server_get_cookie_pid(NULL);
133 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
134 "Error in security_server_get_cookie_pid() argument checking: " << ret);
137 //getting pid of non existing cookie
138 RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid)
140 const char wrong_cookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'};
141 RUNNER_ASSERT_BT(security_server_get_cookie_pid(wrong_cookie) ==
142 SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
145 //---------------------------------------------------------------------------
146 //passing NULL as a cookie pointer
147 RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
150 label = security_server_get_smacklabel_cookie(NULL);
151 RUNNER_ASSERT_MSG_BT(label == NULL,
152 "Error in security_server_get_smacklabel_cookie() argument checking");
158 * **************************************************************************
159 * Unit tests for each function from API
160 * **************************************************************************
163 //---------------------------------------------------------------------------
164 //root has access to API
165 RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
167 int ret = security_server_get_cookie_size();
168 RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
169 "Error in security_server_get_cookie_size(): " << ret);
172 //---------------------------------------------------------------------------
173 // Get cookie size when smack is not loaded
174 RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_02_app_user_security_server_get_cookie_size_nosmack)
178 ret = drop_root_privileges();
179 RUNNER_ASSERT_MSG_BT(ret == 0,
180 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
181 ret = security_server_get_cookie_size();
182 RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE, "ret = " << ret);
185 //---------------------------------------------------------------------------
186 // Test setting up a cookie in normal case when smack is not loaded
187 RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_03_app_user_security_server_request_cookie_nosmack)
190 int cookieSize = security_server_get_cookie_size();
191 Cookie cookie(cookieSize);
193 ret = drop_root_privileges();
194 RUNNER_ASSERT_MSG_BT(ret == 0,
195 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
197 ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE);
198 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
201 //---------------------------------------------------------------------------
202 // Test setting up a cookie when smack is not loaded but with too small
204 RUNNER_CHILD_TEST_NOSMACK(tc_init_01_04_app_user_security_server_request_cookie_too_small_buffer_size_nosmack)
207 int cookieSize = security_server_get_cookie_size();
208 Cookie cookie(cookieSize);
210 ret = drop_root_privileges();
211 RUNNER_ASSERT_MSG_BT(ret == 0,
212 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
214 ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE >> 1);
215 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
218 //---------------------------------------------------------------------------
219 // Get cookie size when smack is loaded
220 RUNNER_CHILD_TEST_SMACK(tc_unit_01_05_app_user_security_server_get_cookie_size)
222 SecurityServer::AccessProvider provider("selflabel_01_05");
223 provider.applyAndSwithToUser(APP_UID, APP_GID);
225 int ret = security_server_get_cookie_size();
226 RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
227 "Error in security_server_get_cookie_size(): " << ret);
230 //---------------------------------------------------------------------------
231 //root has access to API
232 RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
234 int cookieSize = security_server_get_cookie_size();
235 RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
236 "Error in security_server_get_cookie_size(): " << cookieSize);
238 Cookie cookie(cookieSize);
239 int ret = security_server_request_cookie(cookie.data(), cookie.size());
240 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
241 "Error in security_server_request_cookie(): " << ret);
244 //---------------------------------------------------------------------------
245 // Test setting up a cookie in normal case when smack is loaded
246 RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie)
248 int cookieSize = security_server_get_cookie_size();
249 RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
250 "Error in security_server_get_cookie_size(): " << cookieSize);
252 SecurityServer::AccessProvider provider("selflabel_02_01");
253 provider.applyAndSwithToUser(APP_UID, APP_GID);
255 Cookie cookie(cookieSize);
256 int ret = security_server_request_cookie(cookie.data(), cookie.size());
257 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
258 "Error in security_server_request_cookie(): " << ret);
261 //---------------------------------------------------------------------------
262 // Test setting up a cookie when smack is loaded but with too small buffer
264 RUNNER_CHILD_TEST_SMACK(tc_unit_02_03_app_user_security_server_request_cookie_too_small_buffer_size)
266 int cookieSize = security_server_get_cookie_size();
267 RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
268 "Error in security_server_get_cookie_size(): " << cookieSize);
271 SecurityServer::AccessProvider provider("selflabel_02_02");
272 provider.applyAndSwithToUser(APP_UID, APP_GID);
274 Cookie cookie(cookieSize);
275 int ret = security_server_request_cookie(cookie.data(), cookie.size());
276 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
277 "Error in security_server_request_cookie(): " << ret);
280 //---------------------------------------------------------------------------
281 //root has access to API
282 RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
284 Cookie cookie = getCookieFromSS();
286 int ret = security_server_check_privilege(cookie.data(), 0);
287 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
288 "Error in security_server_check_privilege(): " << ret);
291 //privileges drop and no smack rule
292 RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_app_user_security_server_check_privilege)
294 RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
295 Cookie cookie = getCookieFromSS();
297 SecurityServer::AccessProvider provider("selflabel_03_02");
298 provider.applyAndSwithToUser(APP_UID, APP_GID);
300 int ret = security_server_check_privilege(cookie.data(), 0);
301 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
302 "security_server_check_privilege() should return access denied: " << ret);
305 //privileges drop and added smack rule
306 RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege)
308 Cookie cookie = getCookieFromSS();
310 SecurityServer::AccessProvider provider("selflabel_03_03");
311 provider.allowFunction("security_server_check_privilege");
312 provider.applyAndSwithToUser(APP_UID, APP_GID);
314 int ret = security_server_check_privilege(cookie.data(), 0);
315 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
316 "Error in security_server_check_privilege(): " << ret);
320 RUNNER_CHILD_TEST(tc_unit_03_04_security_server_check_privilege_neg)
322 remove_process_group(PROC_AUDIO_GROUP_NAME);
324 Cookie cookie = getCookieFromSS();
325 int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
326 RUNNER_ASSERT_MSG_BT(audio_gid > -1,
327 "security_server_get_gid() failed. result = " << audio_gid);
329 int ret = security_server_check_privilege(cookie.data(), audio_gid);
331 // security_server_check_privilege fails, because the process does not belong to "audio" group
332 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
336 RUNNER_CHILD_TEST(tc_unit_03_05_security_server_check_privilege)
338 add_process_group(PROC_AUDIO_GROUP_NAME);
340 Cookie cookie = getCookieFromSS();
341 int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
342 RUNNER_ASSERT_MSG_BT(audio_gid > -1,
343 "security_server_get_gid() failed. result = " << audio_gid);
345 int ret = security_server_check_privilege(cookie.data(), audio_gid);
346 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
349 // test invalid cookie name
350 RUNNER_TEST(tc_unit_03_06_security_server_check_privilege)
352 // create invalid cookie
353 int size = security_server_get_cookie_size();
354 RUNNER_ASSERT_MSG_BT(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
358 int ret = security_server_check_privilege(cookie.data(), 0);
359 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
362 //---------------------------------------------------------------------------
363 //root has access to API
364 RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
366 Cookie cookie = getCookieFromSS();
368 int ret = security_server_get_cookie_pid(cookie.data());
369 RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
372 RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
375 //privileges drop and no smack rule
376 RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_app_user_security_server_get_cookie_pid)
378 RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
379 Cookie cookie = getCookieFromSS();
381 SecurityServer::AccessProvider provider("selflabel_05_02");
382 provider.applyAndSwithToUser(APP_UID, APP_GID);
384 int ret = security_server_get_cookie_pid(cookie.data());
385 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
386 "security_server_get_cookie_pid() should return access denied: " << ret);
389 //privileges drop and added smack rule
390 RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid)
392 Cookie cookie = getCookieFromSS();
394 SecurityServer::AccessProvider provider("selflabel_05_03");
395 provider.allowFunction("security_server_get_cookie_pid");
396 provider.applyAndSwithToUser(APP_UID, APP_GID);
398 int ret = security_server_get_cookie_pid(cookie.data());
399 RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
402 RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
405 //---------------------------------------------------------------------------
406 //root has access to API
407 RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie)
409 setLabelForSelf(__LINE__, "selflabel_06_01");
411 Cookie cookie = getCookieFromSS();
413 UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
414 RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_01") == 0,
415 "No match in smack label received from cookie, received label: "
419 //privileges drop and no smack rule
420 RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_cookie)
422 RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
423 Cookie cookie = getCookieFromSS();
425 SecurityServer::AccessProvider provider("selflabel_06_02");
426 provider.applyAndSwithToUser(APP_UID, APP_GID);
428 UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
429 RUNNER_ASSERT_MSG_BT(label.get() == NULL,
430 "NULL should be received due to access denied, received label: "
434 //privileges drop and added smack rule
435 RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
437 SecurityServer::AccessProvider provider("selflabel_06_03");
438 provider.allowFunction("security_server_get_smacklabel_cookie");
439 provider.applyAndSwithToUser(APP_UID, APP_GID);
441 Cookie cookie = getCookieFromSS();
443 UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
444 RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_03") == 0,
445 "No match in smack label received from cookie, received label: "
449 //---------------------------------------------------------------------------
450 // apply smack labels and drop privileges
451 RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow)
453 add_process_group(PROC_AUDIO_GROUP_NAME);
455 SecurityServer::AccessProvider provider("subject_1d6eda7d");
456 provider.allowFunction("security_server_get_gid");
457 provider.allowFunction("security_server_request_cookie");
458 provider.allowFunction("security_server_check_privilege");
459 provider.allowFunction("security_server_get_cookie_pid");
460 provider.allowFunction("security_server_get_smacklabel_cookie");
461 provider.allowFunction("security_server_check_privilege_by_pid");
462 provider.applyAndSwithToUser(APP_UID, APP_GID);
464 Cookie cookie = getCookieFromSS();
466 int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
467 RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
468 << "\" gid. Result: " << ret);
470 ret = security_server_check_privilege(cookie.data(), ret);
471 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
473 int root_gid = security_server_get_gid(ROOT_USER);
474 RUNNER_ASSERT_MSG_BT(root_gid > -1, "root_gid: " << root_gid);
476 ret = security_server_get_cookie_pid(cookie.data());
477 RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);
479 UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
480 RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "ss_label: " << ss_label.get());
482 ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
483 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
486 // disable access and drop privileges
487 RUNNER_CHILD_TEST(tc_unit_09_02_app_user_cookie_API_access_deny)
489 RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
490 SecurityServer::AccessProvider provider("subject_1d414140");
491 provider.applyAndSwithToUser(APP_UID, APP_GID);
493 Cookie cookie = getCookieFromSS();
495 int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
496 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
497 "security_server_check_privilege should return access denied, "
500 ret = security_server_get_gid(ROOT_USER);
501 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
502 "security_server_get_gid should return access denied, "
505 ret = security_server_get_cookie_pid(cookie.data());
506 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
507 "security_server_get_cookie_pid should return access denied, "
510 UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
511 RUNNER_ASSERT_MSG_BT(ss_label.get() == NULL,
512 "access should be denied so label should be NULL: " << ss_label.get());
514 ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
515 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
516 "security_server_check_privilege_by_pid should return access denied, "
520 // NOSMACK version of the test above
521 RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_app_user_cookie_API_access_allow_nosmack)
523 add_process_group(PROC_AUDIO_GROUP_NAME);
525 // drop root privileges
526 int ret = drop_root_privileges();
527 RUNNER_ASSERT_MSG_BT(ret == 0,
528 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
530 Cookie cookie = getCookieFromSS();
532 ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
533 RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
534 << "\" gid. Result: " << ret);
536 ret = security_server_check_privilege(cookie.data(), ret);
537 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
538 "check_privilege failed. Result: " << ret);
540 ret = security_server_get_gid(ROOT_USER);
541 RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"root\" gid. Result: " << ret);
543 ret = security_server_get_cookie_pid(cookie.data());
544 RUNNER_ASSERT_MSG_BT(ret == getpid(),
545 "get_cookie_pid returned different pid than it should. Result: " << ret);
547 UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
548 RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");
550 ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
551 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
552 "check_privilege_by_pid failed. Result: " << ret);