tests/security-server-tests/cookie_api.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4
   5 /*
   6  * @file    security_server_tests_cookie_api.cpp
   7  * @author  Pawel Polawski (p.polawski@partner.samsung.com)
   8  * @version 1.0
   9  * @brief   Test cases for security server cookie api
  10  *
  11  */
  12
  13 /*
  14 Tested API functions in this file:
  15
  16 Protected by "security-server::api-cookie-get" label:
  17     int security_server_get_cookie_size(void);
  18     int security_server_request_cookie(char *cookie, size_t bufferSize);
  19
  20
  21 Protected by "security-server::api-cookie-check" label:
  22     int security_server_check_privilege(const char *cookie, gid_t privilege);
  23     int security_server_check_privilege_by_cookie(const char *cookie,
  24                                                   const char *object,
  25                                                   const char *access_rights);
  26     int security_server_get_cookie_pid(const char *cookie);
  27     char *security_server_get_smacklabel_cookie(const char *cookie);
  28     int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
  29     int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
  30 */
  31
  32 #include <dpl/test/test_runner.h>
  33 #include <dpl/test/test_runner_multiprocess.h>
  34 #include <tests_common.h>
  35 #include <sys/smack.h>
  36 #include <cstddef>
  37 #include <sys/types.h>
  38 #include <unistd.h>
  39
  40 #include <access_provider.h>
  41 #include <security-server.h>
  42 #include <smack_access.h>
  43
  44 typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
  45 const int KNOWN_COOKIE_SIZE = 20;
  46 typedef std::vector<char> Cookie;
  47
  48 Cookie getCookieFromSS() {
  49     Cookie cookie(security_server_get_cookie_size());
  50
  51     RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS ==
  52             security_server_request_cookie(cookie.data(), cookie.size()),
  53         "Error in security_server_request_cookie.");
  54
  55     return cookie;
  56 }
  57
  58 RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
  59
  60 /*
  61  * **************************************************************************
  62  * Test cases fot check various functions input params cases
  63  * **************************************************************************
  64  */
  65
  66 //---------------------------------------------------------------------------
  67 //passing NULL as a buffer pointer
  68 RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
  69 {
  70     int ret = security_server_request_cookie(NULL, KNOWN_COOKIE_SIZE);
  71     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
  72                       "Error in security_server_request_cookie() argument checking: " << ret);
  73 }
  74
  75 //passing too small value as a buffer size
  76 RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie)
  77 {
  78     Cookie cookie(KNOWN_COOKIE_SIZE);
  79
  80     int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1);
  81     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
  82                       "Error in security_server_request_cookie() argument checking: " << ret);
  83 }
  84
  85 //---------------------------------------------------------------------------
  86 //passing NULL as a cookie pointer
  87 RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
  88 {
  89     int ret = security_server_check_privilege(NULL, 0);
  90     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
  91                       "Error in security_server_check_privilege() argument checking: " << ret);
  92 }
  93
  94 //---------------------------------------------------------------------------
  95 //passing NULL as a cookie pointer
  96 RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
  97 {
  98     int ret = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
  99     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 100                       "Error in security_server_check_privilege_by_cookie() argument checking: "
 101                       << ret);
 102 }
 103
 104 //passing NULL as an object pointer
 105 RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
 106 {
 107     Cookie cookie = getCookieFromSS();
 108
 109     int ret = security_server_check_privilege_by_cookie(cookie.data(), NULL, "rwx");
 110     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 111                       "Error in security_server_check_privilege_by_cookie() argument checking: "
 112                       << ret);
 113 }
 114
 115 //passing NULL as an access pointer
 116 RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
 117 {
 118     Cookie cookie = getCookieFromSS();
 119
 120     int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", NULL);
 121     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 122                       "Error in security_server_check_privilege_by_cookie() argument checking: "
 123                       << ret);
 124 }
 125
 126 //---------------------------------------------------------------------------
 127 //passing NULL as a cookie pointer
 128 RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
 129 {
 130     int ret = security_server_get_cookie_pid(NULL);
 131     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 132                       "Error in security_server_get_cookie_pid() argument checking: " << ret);
 133 }
 134
 135 //---------------------------------------------------------------------------
 136 //passing NULL as a cookie pointer
 137 RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
 138 {
 139     char *label = NULL;
 140     label = security_server_get_smacklabel_cookie(NULL);
 141     RUNNER_ASSERT_MSG_BT(label == NULL,
 142                       "Error in security_server_get_smacklabel_cookie() argument checking");
 143 }
 144
 145 //---------------------------------------------------------------------------
 146 //passing NULL as a cookie pointer
 147 RUNNER_CHILD_TEST(tc_arguments_06_01_security_server_get_uid_by_cookie)
 148 {
 149     uid_t uid;
 150     int ret = security_server_get_uid_by_cookie(NULL, &uid);
 151     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 152                       "Error in security_server_get_uid_by_cookie() argument checking: "
 153                       << ret);
 154 }
 155
 156 //passing NULL as an uid pointer
 157 RUNNER_CHILD_TEST(tc_arguments_06_02_security_server_get_uid_by_cookie)
 158 {
 159     Cookie cookie = getCookieFromSS();
 160
 161     int ret = security_server_get_uid_by_cookie(cookie.data(), NULL);
 162     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 163                       "Error in security_server_get_uid_by_cookie() argument checking: "
 164                       << ret);
 165 }
 166
 167 //---------------------------------------------------------------------------
 168 //passing NULL as an cookie pointer
 169 RUNNER_CHILD_TEST(tc_arguments_07_01_security_server_get_gid_by_cookie)
 170 {
 171     gid_t gid;
 172     int ret = security_server_get_gid_by_cookie(NULL, &gid);
 173     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 174                       "Error in security_server_get_gid_by_cookie() argument checking: "
 175                       << ret);
 176 }
 177
 178 //passing NULL as an gid pointer
 179 RUNNER_CHILD_TEST(tc_arguments_07_02_security_server_get_gid_by_cookie)
 180 {
 181     Cookie cookie = getCookieFromSS();
 182
 183     int ret = security_server_get_gid_by_cookie(cookie.data(), NULL);
 184     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
 185                       "Error in security_server_get_gid_by_cookie() argument checking: "
 186                       << ret);
 187 }
 188
 189
 190
 191 /*
 192  * **************************************************************************
 193  * Unit tests for each function from API
 194  * **************************************************************************
 195  */
 196
 197 //---------------------------------------------------------------------------
 198 //root has access to API
 199 RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
 200 {
 201     int ret = security_server_get_cookie_size();
 202     RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
 203                       "Error in security_server_get_cookie_size(): " << ret);
 204 }
 205
 206 //---------------------------------------------------------------------------
 207 // security_server_get_cookie_size() is no longer ptotected by SMACK
 208 RUNNER_CHILD_TEST(tc_unit_01_02_security_server_get_cookie_size)
 209 {
 210     SecurityServer::AccessProvider provider("selflabel_01_02");
 211     provider.applyAndSwithToUser(APP_UID, APP_GID);
 212
 213     int ret = security_server_get_cookie_size();
 214     RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
 215                       "Error in security_server_get_cookie_size(): " << ret);
 216 }
 217
 218 //---------------------------------------------------------------------------
 219 //root has access to API
 220 RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
 221 {
 222     int cookieSize = security_server_get_cookie_size();
 223     RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
 224                       "Error in security_server_get_cookie_size(): " << cookieSize);
 225
 226     Cookie cookie(cookieSize);
 227     int ret = security_server_request_cookie(cookie.data(), cookie.size());
 228     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 229                       "Error in security_server_request_cookie(): " << ret);
 230 }
 231
 232 //---------------------------------------------------------------------------
 233 //root has access to API
 234 RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
 235 {
 236     Cookie cookie = getCookieFromSS();
 237
 238     int ret = security_server_check_privilege(cookie.data(), 0);
 239     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 240                       "Error in security_server_check_privilege(): " << ret);
 241 }
 242
 243 //privileges drop and no smack rule
 244 RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege)
 245 {
 246     Cookie cookie = getCookieFromSS();
 247
 248     SecurityServer::AccessProvider provider("selflabel_03_02");
 249     provider.applyAndSwithToUser(APP_UID, APP_GID);
 250
 251     int ret = security_server_check_privilege(cookie.data(), 0);
 252     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 253                       "Error in security_server_check_privilege(): " << ret);
 254 }
 255
 256 //privileges drop and added smack rule
 257 RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_security_server_check_privilege)
 258 {
 259     Cookie cookie = getCookieFromSS();
 260
 261     SecurityServer::AccessProvider provider("selflabel_03_03");
 262     provider.allowFunction("security_server_check_privilege");
 263     provider.applyAndSwithToUser(APP_UID, APP_GID);
 264
 265     int ret = security_server_check_privilege(cookie.data(), 0);
 266     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 267                       "Error in security_server_check_privilege(): " << ret);
 268 }
 269
 270 //---------------------------------------------------------------------------
 271 //root has access to API
 272 RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
 273 {
 274     Cookie cookie = getCookieFromSS();
 275
 276     int ret = security_server_get_cookie_pid(cookie.data());
 277     RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
 278
 279     int pid = getpid();
 280     RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
 281 }
 282
 283 //privileges drop and no smack rule
 284 RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid)
 285 {
 286     Cookie cookie = getCookieFromSS();
 287
 288     SecurityServer::AccessProvider provider("selflabel_05_02");
 289     provider.applyAndSwithToUser(APP_UID, APP_GID);
 290
 291     int ret = security_server_get_cookie_pid(cookie.data());
 292     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 293                       "Error in security_server_get_cookie_pid(): " << ret);
 294 }
 295
 296 //privileges drop and added smack rule
 297 RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_security_server_get_cookie_pid)
 298 {
 299     Cookie cookie = getCookieFromSS();
 300
 301     SecurityServer::AccessProvider provider("selflabel_05_03");
 302     provider.allowFunction("security_server_get_cookie_pid");
 303     provider.applyAndSwithToUser(APP_UID, APP_GID);
 304
 305     int ret = security_server_get_cookie_pid(cookie.data());
 306     RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
 307
 308     int pid = getpid();
 309     RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
 310 }
 311
 312 //---------------------------------------------------------------------------
 313 //root has access to API
 314 RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie)
 315 {
 316     setLabelForSelf(__LINE__, "selflabel_06_01");
 317
 318     Cookie cookie = getCookieFromSS();
 319
 320     UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
 321     RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_01") == 0,
 322                       "No match in smack label received from cookie, received label: "
 323                       << label.get());
 324 }
 325
 326 //privileges drop and no smack rule
 327 RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie)
 328 {
 329     Cookie cookie = getCookieFromSS();
 330
 331     SecurityServer::AccessProvider provider("selflabel_06_02");
 332     provider.applyAndSwithToUser(APP_UID, APP_GID);
 333
 334     UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
 335     RUNNER_ASSERT_MSG_BT(label.get() == NULL,
 336                       "NULL should be received due to access denied, received label: "
 337                       << label.get());
 338 }
 339
 340 //privileges drop and added smack rule
 341 RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_security_server_get_smacklabel_cookie)
 342 {
 343     SecurityServer::AccessProvider provider("selflabel_06_03");
 344     provider.allowFunction("security_server_get_smacklabel_cookie");
 345     provider.applyAndSwithToUser(APP_UID, APP_GID);
 346
 347     Cookie cookie = getCookieFromSS();
 348
 349     UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
 350     RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_03") == 0,
 351                       "No match in smack label received from cookie, received label: "
 352                       << label.get());
 353 }
 354
 355 //---------------------------------------------------------------------------
 356 //root has access to API
 357 RUNNER_CHILD_TEST(tc_unit_07_01_security_server_get_uid_by_cookie)
 358 {
 359     Cookie cookie = getCookieFromSS();
 360
 361     uid_t uid;
 362     int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
 363     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 364                       "Error in security_server_get_uid_by_cookie(): " << ret);
 365     ret = getuid();
 366     RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
 367 }
 368
 369 //privileges drop and no smack rule
 370 RUNNER_CHILD_TEST_SMACK(tc_unit_07_02_security_server_get_uid_by_cookie)
 371 {
 372     SecurityServer::AccessProvider provider("selflabel_07_02");
 373     provider.applyAndSwithToUser(APP_UID, APP_GID);
 374
 375     Cookie cookie(KNOWN_COOKIE_SIZE);
 376     uid_t uid;
 377
 378     int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
 379     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 380                       "Error in security_server_get_uid_by_cookie(): " << ret);
 381 }
 382
 383 //privileges drop and added smack rule
 384 RUNNER_CHILD_TEST_SMACK(tc_unit_07_03_security_server_get_uid_by_cookie)
 385 {
 386     SecurityServer::AccessProvider provider("selflabel_07_02");
 387     provider.allowFunction("security_server_get_uid_by_cookie");
 388     provider.applyAndSwithToUser(APP_UID, APP_GID);
 389
 390     Cookie cookie = getCookieFromSS();
 391     uid_t uid;
 392
 393     int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
 394     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 395                       "Error in security_server_get_uid_by_cookie(): " << ret);
 396     ret = getuid();
 397     RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
 398 }
 399
 400 //---------------------------------------------------------------------------
 401 //root has access to API
 402 RUNNER_CHILD_TEST(tc_unit_08_01_security_server_get_gid_by_cookie)
 403 {
 404     Cookie cookie = getCookieFromSS();
 405
 406     gid_t gid;
 407
 408     int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
 409     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 410                       "Error in security_server_get_gid_by_cookie(): " << ret);
 411     ret = getgid();
 412     RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
 413 }
 414
 415 //privileges drop and no smack rule
 416 RUNNER_CHILD_TEST_SMACK(tc_unit_08_02_security_server_get_gid_by_cookie)
 417 {
 418     SecurityServer::AccessProvider provider("selflabel_08_02");
 419     provider.applyAndSwithToUser(APP_UID, APP_GID);
 420
 421     Cookie cookie(KNOWN_COOKIE_SIZE);
 422     gid_t gid;
 423
 424     int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
 425     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
 426                       "Error in security_server_get_gid_by_cookie(): " << ret);
 427 }
 428
 429 //privileges drop and added smack rule
 430 RUNNER_CHILD_TEST_SMACK(tc_unit_08_03_security_server_get_gid_by_cookie)
 431 {
 432     SecurityServer::AccessProvider provider("selflabel_08_03");
 433     provider.allowFunction("security_server_get_gid_by_cookie");
 434     provider.applyAndSwithToUser(APP_UID, APP_GID);
 435
 436     Cookie cookie = getCookieFromSS();
 437     gid_t gid;
 438
 439     int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
 440     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 441                       "Error in security_server_get_gid_by_cookie(): " << ret);
 442     ret = getgid();
 443     RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
 444 }
 445