2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
6 * @file security_server_tests_cookie_api.cpp
7 * @author Pawel Polawski (p.polawski@partner.samsung.com)
9 * @brief Test cases for security server cookie api
14 Tested API functions in this file:
16 Protected by "security-server::api-cookie-get" label:
17 int security_server_get_cookie_size(void);
18 int security_server_request_cookie(char *cookie, size_t bufferSize);
21 Protected by "security-server::api-cookie-check" label:
22 int security_server_check_privilege(const char *cookie, gid_t privilege);
23 int security_server_check_privilege_by_cookie(const char *cookie,
25 const char *access_rights);
26 int security_server_get_cookie_pid(const char *cookie);
27 char *security_server_get_smacklabel_cookie(const char *cookie);
28 int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
29 int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
32 #include <dpl/test/test_runner.h>
33 #include <dpl/test/test_runner_multiprocess.h>
34 #include <tests_common.h>
35 #include <sys/smack.h>
37 #include <sys/types.h>
39 #include <access_provider.h>
40 #include <security-server.h>
41 #include <smack_access.h>
// Names the tests pass to security_server_get_gid() and to the
// add_process_group()/remove_process_group() helpers.
const char *ROOT_USER = "root";
const char *PROC_AUDIO_GROUP_NAME = "audio";

// Owning handle for a C string returned by the API; every use in this file
// constructs it with free() as the deleter.
using UniquePtrCstring = std::unique_ptr<char, void(*)(void *)>;

// Cookie length the tests expect security_server_get_cookie_size() to report.
const int KNOWN_COOKIE_SIZE = 20;

// Raw cookie bytes as handed to and received from the security-server API.
using Cookie = std::vector<char>;
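/**
 * Obtains a cookie from the security server through
 * security_server_request_cookie().
 *
 * The buffer is sized from security_server_get_cookie_size(). That value is
 * checked before it is used as a container size: the API returns int, and a
 * non-positive result converted to an unsigned size would request an
 * enormous or empty allocation instead of failing the test cleanly.
 *
 * @return the cookie bytes written by the server; the test is failed through
 *         RUNNER_ASSERT_MSG_BT if either API call does not succeed.
 */
Cookie getCookieFromSS() {
    const int cookieSize = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(cookieSize > 0,
                         "Error in security_server_get_cookie_size(): " << cookieSize);

    Cookie cookie(static_cast<Cookie::size_type>(cookieSize));

    RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS ==
                         security_server_request_cookie(cookie.data(), cookie.size()),
                         "Error in security_server_request_cookie.");

    return cookie;
}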
// Declares the COOKIE_API_TESTS group. Presumably every test case defined
// below is registered under it; the macro comes from the dpl test runner
// headers, so confirm the exact semantics there.
60 RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
63 * **************************************************************************
64 * Test cases that check how the API functions handle invalid input parameters
65 * **************************************************************************
68 //---------------------------------------------------------------------------
// A NULL output buffer must be rejected as an invalid input parameter.
RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
{
    const int ret = security_server_request_cookie(nullptr, KNOWN_COOKIE_SIZE);

    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
                         "Error in security_server_request_cookie() argument checking: " << ret);
}
// A declared buffer size one byte short of the cookie length must be
// reported as SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL.
RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie)
{
    // The buffer itself is full size; only the size argument is understated.
    Cookie cookie(KNOWN_COOKIE_SIZE);

    const int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1);

    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
                         "Error in security_server_request_cookie() argument checking: " << ret);
}
87 //---------------------------------------------------------------------------
// A NULL cookie pointer must be rejected as an invalid input parameter.
RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
{
    const int ret = security_server_check_privilege(nullptr, 0);

    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
                         "Error in security_server_check_privilege() argument checking: " << ret);
}
96 //---------------------------------------------------------------------------
97 //passing NULL as a cookie pointer
// Negative argument test: a NULL cookie passed to
// security_server_check_privilege_by_cookie() together with a valid object
// ("wiadro") and access string ("rwx") must yield
// SECURITY_SERVER_API_ERROR_INPUT_PARAM.
// NOTE(review): the end of the assertion message is not present in this
// listing; presumably it streams ret like the sibling tests - confirm
// against the full file.
98 RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
100 int ret = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
101 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
102 "Error in security_server_check_privilege_by_cookie() argument checking: "
106 //passing NULL as an object pointer
// Negative argument test: with a cookie obtained from the server, a NULL
// object pointer must still be rejected with
// SECURITY_SERVER_API_ERROR_INPUT_PARAM.
// NOTE(review): the end of the assertion message is not present in this
// listing; presumably it streams ret like the sibling tests - confirm
// against the full file.
107 RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
109 Cookie cookie = getCookieFromSS();
111 int ret = security_server_check_privilege_by_cookie(cookie.data(), NULL, "rwx");
112 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
113 "Error in security_server_check_privilege_by_cookie() argument checking: "
117 //passing NULL as an access pointer
// Negative argument test: with a cookie obtained from the server and a
// valid object ("wiadro"), a NULL access-rights pointer must be rejected
// with SECURITY_SERVER_API_ERROR_INPUT_PARAM.
// NOTE(review): the end of the assertion message is not present in this
// listing; presumably it streams ret like the sibling tests - confirm
// against the full file.
118 RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
120 Cookie cookie = getCookieFromSS();
122 int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", NULL);
123 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
124 "Error in security_server_check_privilege_by_cookie() argument checking: "
128 //---------------------------------------------------------------------------
// A NULL cookie pointer must be rejected as an invalid input parameter.
RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
{
    const int ret = security_server_get_cookie_pid(nullptr);

    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
                         "Error in security_server_get_cookie_pid() argument checking: " << ret);
}
// Asking for the PID behind a cookie the server never issued must fail with
// SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE.
RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid)
{
    // Only the first four bytes are given; aggregate initialisation zero-fills
    // the rest, so the buffer still has the full KNOWN_COOKIE_SIZE length.
    const char wrong_cookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'};

    RUNNER_ASSERT_BT(security_server_get_cookie_pid(wrong_cookie) ==
                     SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
}
145 //---------------------------------------------------------------------------
146 //passing NULL as a cookie pointer
// Negative argument test: security_server_get_smacklabel_cookie() returns a
// pointer rather than a status code, so a rejected NULL cookie is expected
// to show up as a NULL result.
// NOTE(review): the declaration of `label` is not present in this listing -
// confirm its type and initial value against the full file.
147 RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
150 label = security_server_get_smacklabel_cookie(NULL);
151 RUNNER_ASSERT_MSG_BT(label == NULL,
152 "Error in security_server_get_smacklabel_cookie() argument checking");
158 * **************************************************************************
159 * Unit tests for each function from API
160 * **************************************************************************
163 //---------------------------------------------------------------------------
// Root has access to the API: the reported cookie size must match the
// length this test suite is written against.
RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
{
    const int ret = security_server_get_cookie_size();

    RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
                         "Error in security_server_get_cookie_size(): " << ret);
}
172 //---------------------------------------------------------------------------
// security_server_get_cookie_size() is no longer protected by SMACK, so the
// call must succeed after switching to APP_UID/APP_GID under a fresh label
// for which no function has been allowed.
RUNNER_CHILD_TEST(tc_unit_01_02_security_server_get_cookie_size)
{
    SecurityServer::AccessProvider provider("selflabel_01_02");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    const int ret = security_server_get_cookie_size();

    RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
                         "Error in security_server_get_cookie_size(): " << ret);
}
184 //---------------------------------------------------------------------------
// Root has access to the API: request a cookie into a buffer sized from
// security_server_get_cookie_size().
RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
{
    // Checking the size first keeps a bad value from being used as the
    // buffer length below.
    const int cookieSize = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
                         "Error in security_server_get_cookie_size(): " << cookieSize);

    Cookie cookie(cookieSize);

    const int ret = security_server_request_cookie(cookie.data(), cookie.size());
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
                         "Error in security_server_request_cookie(): " << ret);
}
198 //---------------------------------------------------------------------------
// Root has access to the API: a privilege check for gid 0 with the
// process's own cookie must succeed.
RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
{
    Cookie cookie = getCookieFromSS();

    const int ret = security_server_check_privilege(cookie.data(), 0);

    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
                         "Error in security_server_check_privilege(): " << ret);
}
// Privileges dropped and no smack rule added: the check must be denied.
// NOTE(review): RUNNER_IGNORED_MSG runs first, so presumably nothing below it
// executes and this access-denied expectation is not verified at the moment.
RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege)
{
    RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");

    // The cookie is requested before switching user and label.
    Cookie cookie = getCookieFromSS();

    SecurityServer::AccessProvider provider("selflabel_03_02");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    const int ret = security_server_check_privilege(cookie.data(), 0);

    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
                         "security_server_check_privilege() should return access denied: " << ret);
}
// Privileges dropped, but the label has been allowed to call
// security_server_check_privilege: the check must succeed.
RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_security_server_check_privilege)
{
    // The cookie is requested before switching user and label.
    Cookie cookie = getCookieFromSS();

    SecurityServer::AccessProvider provider("selflabel_03_03");
    provider.allowFunction("security_server_check_privilege");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    const int ret = security_server_check_privilege(cookie.data(), 0);

    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
                         "Error in security_server_check_privilege(): " << ret);
}
// Negative case: after the "audio" group is removed from the process, a
// privilege check against that group's gid must be denied.
RUNNER_CHILD_TEST(tc_unit_03_04_security_server_check_privilege_neg)
{
    remove_process_group(PROC_AUDIO_GROUP_NAME);

    Cookie cookie = getCookieFromSS();

    const int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
    RUNNER_ASSERT_MSG_BT(audio_gid > -1,
                         "security_server_get_gid() failed. result = " << audio_gid);

    const int ret = security_server_check_privilege(cookie.data(), audio_gid);

    // Denied because the process does not belong to the "audio" group.
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
}
// Positive counterpart of the "audio" group check: once the group has been
// added to the process, the privilege check against its gid must succeed.
RUNNER_CHILD_TEST(tc_unit_03_05_security_server_check_privilege)
{
    add_process_group(PROC_AUDIO_GROUP_NAME);

    Cookie cookie = getCookieFromSS();

    const int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
    RUNNER_ASSERT_MSG_BT(audio_gid > -1,
                         "security_server_get_gid() failed. result = " << audio_gid);

    const int ret = security_server_check_privilege(cookie.data(), audio_gid);

    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
}
267 // test invalid cookie name
// A cookie the server did not issue must not pass a privilege check: the
// call is expected to return SECURITY_SERVER_API_ERROR_ACCESS_DENIED.
// NOTE(review): the statements that build the invalid `cookie` are not
// present in this listing - confirm how it is filled against the full file.
268 RUNNER_TEST(tc_unit_03_06_security_server_check_privilege)
270 // create invalid cookie
271 int size = security_server_get_cookie_size();
272 RUNNER_ASSERT_MSG_BT(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
276 int ret = security_server_check_privilege(cookie.data(), 0);
277 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
280 //---------------------------------------------------------------------------
281 //root has access to API
// Running as root: the PID the server associates with the cookie must be
// non-negative and equal to `pid`.
// NOTE(review): the declaration of `pid` is not present in this listing;
// presumably it holds getpid() of this process - confirm against the full
// file.
282 RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
284 Cookie cookie = getCookieFromSS();
286 int ret = security_server_get_cookie_pid(cookie.data());
287 RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
290 RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
// Privileges dropped and no smack rule added: the PID lookup must be denied.
// NOTE(review): RUNNER_IGNORED_MSG runs first, so presumably nothing below it
// executes and this access-denied expectation is not verified at the moment.
RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid)
{
    RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");

    // The cookie is requested before switching user and label.
    Cookie cookie = getCookieFromSS();

    SecurityServer::AccessProvider provider("selflabel_05_02");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    const int ret = security_server_get_cookie_pid(cookie.data());

    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
                         "security_server_get_cookie_pid() should return access denied: " << ret);
}
307 //privileges drop and added smack rule
// Privileges dropped, but the label "selflabel_05_03" has been allowed to
// call security_server_get_cookie_pid: the lookup must succeed and return a
// value equal to `pid`. The cookie is requested before the switch.
// NOTE(review): the declaration of `pid` is not present in this listing;
// presumably it holds getpid() of this process - confirm against the full
// file.
308 RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_security_server_get_cookie_pid)
310 Cookie cookie = getCookieFromSS();
312 SecurityServer::AccessProvider provider("selflabel_05_03");
313 provider.allowFunction("security_server_get_cookie_pid");
314 provider.applyAndSwithToUser(APP_UID, APP_GID);
316 int ret = security_server_get_cookie_pid(cookie.data());
317 RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
320 RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
323 //---------------------------------------------------------------------------
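// Root has access to the API: the smack label the server reports for the
// cookie must equal the label this process set on itself before requesting
// the cookie.
RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie)
{
    setLabelForSelf(__LINE__, "selflabel_06_01");

    Cookie cookie = getCookieFromSS();

    // UniquePtrCstring releases the returned string with free().
    UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);

    // The API signals failure by returning NULL, and strcmp() on a NULL
    // pointer is undefined behaviour, so fail the test cleanly first.
    RUNNER_ASSERT_MSG_BT(label.get() != NULL,
                         "security_server_get_smacklabel_cookie() returned NULL");

    // label is known to be non-NULL here, so it is safe to print it.
    RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_01") == 0,
                         "No match in smack label received from cookie, received label: "
                         << label.get());
}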
337 //privileges drop and no smack rule
// Privileges dropped and no smack rule added: the label lookup must fail,
// which this API reports as a NULL return. The cookie is requested before
// the switch to APP_UID/APP_GID.
// NOTE(review): RUNNER_IGNORED_MSG runs first, so presumably nothing below it
// executes and this access-denied expectation is not verified at the moment.
// NOTE(review): the end of the assertion message is not present in this
// listing - confirm against the full file.
338 RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie)
340 RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
341 Cookie cookie = getCookieFromSS();
343 SecurityServer::AccessProvider provider("selflabel_06_02");
344 provider.applyAndSwithToUser(APP_UID, APP_GID);
346 UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
347 RUNNER_ASSERT_MSG_BT(label.get() == NULL,
348 "NULL should be received due to access denied, received label: "
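// Privileges dropped, but the label has been allowed to call
// security_server_get_smacklabel_cookie: the lookup must return the label
// the process switched to.
RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_security_server_get_smacklabel_cookie)
{
    SecurityServer::AccessProvider provider("selflabel_06_03");
    provider.allowFunction("security_server_get_smacklabel_cookie");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    // Unlike the other *_03 tests, the cookie is requested after the switch,
    // i.e. by the already relabelled process.
    Cookie cookie = getCookieFromSS();

    // UniquePtrCstring releases the returned string with free().
    UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);

    // The API signals failure by returning NULL, and strcmp() on a NULL
    // pointer is undefined behaviour, so fail the test cleanly first.
    RUNNER_ASSERT_MSG_BT(label.get() != NULL,
                         "security_server_get_smacklabel_cookie() returned NULL");

    // label is known to be non-NULL here, so it is safe to print it.
    RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_03") == 0,
                         "No match in smack label received from cookie, received label: "
                         << label.get());
}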
367 //---------------------------------------------------------------------------
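// Apply smack rules for every cookie API function used below, drop
// privileges, and verify that each call then succeeds.
RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_cookie_API_access_allow)
{
    add_process_group(PROC_AUDIO_GROUP_NAME);

    SecurityServer::AccessProvider provider("subject_1d6eda7d");
    provider.allowFunction("security_server_get_gid");
    provider.allowFunction("security_server_request_cookie");
    provider.allowFunction("security_server_check_privilege");
    provider.allowFunction("security_server_get_cookie_pid");
    provider.allowFunction("security_server_get_smacklabel_cookie");
    provider.allowFunction("security_server_check_privilege_by_pid");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    Cookie cookie = getCookieFromSS();

    int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
    RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
                         << "\" gid. Result: " << ret);

    // ret holds the "audio" gid at this point and is reused as the argument.
    ret = security_server_check_privilege(cookie.data(), ret);
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);

    int root_gid = security_server_get_gid(ROOT_USER);
    RUNNER_ASSERT_MSG_BT(root_gid > -1, "root_gid: " << root_gid);

    ret = security_server_get_cookie_pid(cookie.data());
    RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);

    UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
    // This assertion fails exactly when the pointer is NULL, so the message
    // must not stream ss_label.get(): inserting a NULL char* into a stream is
    // undefined behaviour.
    RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL,
                         "security_server_get_smacklabel_cookie() returned NULL");

    ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
}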
404 // disable access and drop privileges
// Counterpart of the access-allow test: the process switches to
// APP_UID/APP_GID under a label for which no API function has been allowed,
// and every call below is expected to be denied (NULL for the label lookup,
// SECURITY_SERVER_API_ERROR_ACCESS_DENIED for the others).
// NOTE(review): RUNNER_IGNORED_MSG runs first, so presumably nothing below it
// executes; while that holds, none of these deny expectations is verified.
// NOTE(review): the ends of four assertion messages are not present in this
// listing - confirm against the full file.
405 RUNNER_CHILD_TEST(tc_unit_09_02_cookie_API_access_deny)
407 RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
408 SecurityServer::AccessProvider provider("subject_1d414140");
409 provider.applyAndSwithToUser(APP_UID, APP_GID);
411 Cookie cookie = getCookieFromSS();
413 int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
414 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
415 "security_server_check_privilege should return access denied, "
418 ret = security_server_get_gid(ROOT_USER);
419 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
420 "security_server_get_gid should return access denied, "
423 ret = security_server_get_cookie_pid(cookie.data());
424 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
425 "security_server_get_cookie_pid should return access denied, "
428 UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
429 RUNNER_ASSERT_MSG_BT(ss_label.get() == NULL,
430 "access should be denied so label should be NULL: " << ss_label.get());
432 ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
433 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
434 "security_server_check_privilege_by_pid should return access denied, "
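// NOSMACK variant of tc_unit_09_01_cookie_API_access_allow: no smack rules
// are set up; the process only drops root privileges and then expects every
// cookie API call to succeed.
RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_cookie_API_access_allow_nosmack)
{
    add_process_group(PROC_AUDIO_GROUP_NAME);

    // Drop root privileges and stop if that failed, so the calls below are
    // never exercised while still running as root.
    int ret = drop_root_privileges();
    RUNNER_ASSERT_MSG_BT(ret == 0,
                         "Failed to drop root privileges. Result: " << ret
                         << ", uid = " << getuid());  // separator added so the two values do not run together

    Cookie cookie = getCookieFromSS();

    ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
    RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
                         << "\" gid. Result: " << ret);

    // ret holds the "audio" gid at this point and is reused as the argument.
    ret = security_server_check_privilege(cookie.data(), ret);
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
                         "check_privilege failed. Result: " << ret);

    ret = security_server_get_gid(ROOT_USER);
    RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"root\" gid. Result: " << ret);

    ret = security_server_get_cookie_pid(cookie.data());
    RUNNER_ASSERT_MSG_BT(ret == getpid(),
                         "get_cookie_pid returned different pid than it should. Result: " << ret);

    // UniquePtrCstring releases the returned string with free().
    UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
    RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");

    ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
                         "check_privilege_by_pid failed. Result: " << ret);
}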