2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
6 * @file security_server_tests_cookie_api.cpp
7 * @author Pawel Polawski (p.polawski@partner.samsung.com)
9 * @brief Test cases for security server cookie api
14 Tested API functions in this file:
16 Protected by "security-server::api-cookie-get" label:
17 int security_server_get_cookie_size(void);
18 int security_server_request_cookie(char *cookie, size_t bufferSize);
21 Protected by "security-server::api-cookie-check" label:
22 int security_server_check_privilege(const char *cookie, gid_t privilege);
23 int security_server_check_privilege_by_cookie(const char *cookie,
25 const char *access_rights);
26 int security_server_get_cookie_pid(const char *cookie);
27 char *security_server_get_smacklabel_cookie(const char *cookie);
28 int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
29 int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
32 #include <dpl/test/test_runner.h>
33 #include <dpl/test/test_runner_multiprocess.h>
34 #include <tests_common.h>
35 #include <sys/smack.h>
37 #include <sys/types.h>
39 #include <access_provider.h>
40 #include <security-server.h>
41 #include <smack_access.h>
42 #include <security_server_tests_common.h>
// Names passed to security_server_get_gid() by the tests below.
const char *ROOT_USER = "root";
const char *PROC_AUDIO_GROUP_NAME = "audio";

// Owning handle for C strings returned by the API; the tests construct it
// with free() as the deleter.
using UniquePtrCstring = std::unique_ptr<char, void(*)(void *)>;

// Cookie length the tests expect security_server_get_cookie_size() to report.
const int KNOWN_COOKIE_SIZE = 20;

RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
53 * **************************************************************************
54 * Test cases that check various input-parameter cases of the API functions
55 * **************************************************************************
58 //---------------------------------------------------------------------------
// Argument check: a NULL destination buffer must be rejected with
// SECURITY_SERVER_API_ERROR_INPUT_PARAM.
RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
{
    const int status = security_server_request_cookie(NULL, KNOWN_COOKIE_SIZE);
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
        "Error in security_server_request_cookie() argument checking: " << status);
}
// Argument check: advertising a buffer one byte shorter than the cookie must
// yield SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL.
RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie)
{
    // The real buffer is full-sized; only the size reported to the API is short.
    Cookie buffer(KNOWN_COOKIE_SIZE);

    const int status = security_server_request_cookie(buffer.data(), KNOWN_COOKIE_SIZE - 1);
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
        "Error in security_server_request_cookie() argument checking: " << status);
}
77 //---------------------------------------------------------------------------
// Argument check: a NULL cookie pointer must be rejected with
// SECURITY_SERVER_API_ERROR_INPUT_PARAM.
RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
{
    const int status = security_server_check_privilege(NULL, 0);
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
        "Error in security_server_check_privilege() argument checking: " << status);
}
86 //---------------------------------------------------------------------------
// Argument check: a NULL cookie pointer must be rejected with
// SECURITY_SERVER_API_ERROR_INPUT_PARAM; object and access rights are valid.
RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
{
    const int status = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
        "Error in security_server_check_privilege_by_cookie() argument checking: "
        << status);
}
// Argument check: a NULL object pointer must be rejected with
// SECURITY_SERVER_API_ERROR_INPUT_PARAM even though the cookie is one
// obtained through getCookieFromSS().
RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
{
    Cookie issued = getCookieFromSS();

    const int status = security_server_check_privilege_by_cookie(issued.data(), NULL, "rwx");
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
        "Error in security_server_check_privilege_by_cookie() argument checking: "
        << status);
}
// Argument check: a NULL access-rights pointer must be rejected with
// SECURITY_SERVER_API_ERROR_INPUT_PARAM even though the cookie is one
// obtained through getCookieFromSS().
RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
{
    Cookie issued = getCookieFromSS();

    const int status = security_server_check_privilege_by_cookie(issued.data(), "wiadro", NULL);
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
        "Error in security_server_check_privilege_by_cookie() argument checking: "
        << status);
}
118 //---------------------------------------------------------------------------
// Argument check: a NULL cookie pointer must be rejected with
// SECURITY_SERVER_API_ERROR_INPUT_PARAM.
RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
{
    const int status = security_server_get_cookie_pid(NULL);
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
        "Error in security_server_get_cookie_pid() argument checking: " << status);
}
// A cookie-sized buffer that the test fills itself must be answered with
// SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE.
RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid)
{
    // Four marker bytes; the remaining elements are zero-initialised.
    const char unknownCookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'};

    const int status = security_server_get_cookie_pid(unknownCookie);
    RUNNER_ASSERT_BT(status == SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
}
135 //---------------------------------------------------------------------------
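// Argument check: a NULL cookie pointer must make
// security_server_get_smacklabel_cookie() return NULL.
RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
{
    // The other tests in this file release the returned string with free();
    // holding it in UniquePtrCstring keeps that true here as well, so an
    // unexpected non-NULL result is not leaked when the assertion fails.
    UniquePtrCstring label(security_server_get_smacklabel_cookie(NULL), free);
    RUNNER_ASSERT_MSG_BT(label.get() == NULL,
        "Error in security_server_get_smacklabel_cookie() argument checking");
}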
148 * **************************************************************************
149 * Unit tests for each function from API
150 * **************************************************************************
153 //---------------------------------------------------------------------------
// Called without changing user or label: the reported cookie size must equal
// KNOWN_COOKIE_SIZE.
RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
{
    const int reportedSize = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(reportedSize == KNOWN_COOKIE_SIZE,
        "Error in security_server_get_cookie_size(): " << reportedSize);
}
162 //---------------------------------------------------------------------------
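// NOSMACK variant: after dropping root privileges the reported cookie size
// must still equal KNOWN_COOKIE_SIZE.
RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_02_app_user_security_server_get_cookie_size_nosmack)
{
    // Abort early if the privilege drop failed; the rest of the test is only
    // meaningful as a non-root caller. The message now separates the result
    // from the uid (it used to print them run together).
    int ret = drop_root_privileges();
    RUNNER_ASSERT_MSG_BT(ret == 0,
        "Failed to drop root privileges. Result: " << ret << ", uid = " << getuid());

    ret = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE, "ret = " << ret);
}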
175 //---------------------------------------------------------------------------
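// NOSMACK variant: a non-root caller can obtain a cookie when it supplies a
// buffer of the expected size.
RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_03_app_user_security_server_request_cookie_nosmack)
{
    // Validate the reported size before using it to allocate: the request
    // below advertises KNOWN_COOKIE_SIZE bytes, so a smaller (or error) value
    // here would leave the buffer shorter than what the API is told.
    const int cookieSize = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
        "Error in security_server_get_cookie_size(): " << cookieSize);
    Cookie cookie(cookieSize);

    int ret = drop_root_privileges();
    RUNNER_ASSERT_MSG_BT(ret == 0,
        "Failed to drop root privileges. Result: " << ret << ", uid = " << getuid());

    ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE);
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
}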
191 //---------------------------------------------------------------------------
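// NOSMACK variant: a non-root caller that advertises half of the cookie size
// must get SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL.
RUNNER_CHILD_TEST_NOSMACK(tc_init_01_04_app_user_security_server_request_cookie_too_small_buffer_size_nosmack)
{
    // Check the reported size before allocating from it, so the real buffer is
    // never shorter than the size advertised in the request below.
    const int cookieSize = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
        "Error in security_server_get_cookie_size(): " << cookieSize);
    Cookie cookie(cookieSize);

    int ret = drop_root_privileges();
    RUNNER_ASSERT_MSG_BT(ret == 0,
        "Failed to drop root privileges. Result: " << ret << ", uid = " << getuid());

    // The buffer itself is full-sized; only the advertised size is halved.
    ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE >> 1);
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
}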
208 //---------------------------------------------------------------------------
// SMACK variant: after switching to APP_UID/APP_GID under the label
// "selflabel_01_05", with no allowFunction() rule added, the reported cookie
// size must equal KNOWN_COOKIE_SIZE.
RUNNER_CHILD_TEST_SMACK(tc_unit_01_05_app_user_security_server_get_cookie_size)
{
    SecurityServer::AccessProvider appAccess("selflabel_01_05");
    appAccess.applyAndSwithToUser(APP_UID, APP_GID);

    const int reportedSize = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(reportedSize == KNOWN_COOKIE_SIZE,
        "Error in security_server_get_cookie_size(): " << reportedSize);
}
220 //---------------------------------------------------------------------------
// Called without changing user or label: requesting a cookie into a buffer of
// the reported size must succeed.
RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
{
    // The size is verified first because it determines the allocation below.
    const int cookieSize = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
        "Error in security_server_get_cookie_size(): " << cookieSize);

    Cookie buffer(cookieSize);
    const int status = security_server_request_cookie(buffer.data(), buffer.size());
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_SUCCESS,
        "Error in security_server_request_cookie(): " << status);
}
234 //---------------------------------------------------------------------------
// SMACK variant: after switching to APP_UID/APP_GID, requesting a cookie into
// a buffer of the reported size must succeed.
RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie)
{
    // Queried before the user switch; the value sizes the buffer below.
    const int cookieSize = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
        "Error in security_server_get_cookie_size(): " << cookieSize);

    SecurityServer::AccessProvider appAccess("selflabel_02_01");
    appAccess.applyAndSwithToUser(APP_UID, APP_GID);

    Cookie buffer(cookieSize);
    const int status = security_server_request_cookie(buffer.data(), buffer.size());
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_SUCCESS,
        "Error in security_server_request_cookie(): " << status);
}
251 //---------------------------------------------------------------------------
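// SMACK variant: after switching to APP_UID/APP_GID, advertising a buffer
// smaller than the cookie must yield
// SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL.
RUNNER_CHILD_TEST_SMACK(tc_unit_02_03_app_user_security_server_request_cookie_too_small_buffer_size)
{
    const int cookieSize = security_server_get_cookie_size();
    RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
        "Error in security_server_get_cookie_size(): " << cookieSize);

    SecurityServer::AccessProvider provider("selflabel_02_02");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    // NOTE(review): as visible, this test advertised the full cookie.size(),
    // which is not too small and contradicts the expected result. Half the
    // size is advertised instead, matching the NOSMACK variant's
    // KNOWN_COOKIE_SIZE >> 1 — confirm against the original file. The buffer
    // itself stays full-sized, so it is never shorter than what is advertised.
    Cookie cookie(cookieSize);
    const int ret = security_server_request_cookie(cookie.data(), cookie.size() >> 1);
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
        "Error in security_server_request_cookie(): " << ret);
}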
270 //---------------------------------------------------------------------------
// Called without changing user or label: checking gid 0 against the caller's
// own cookie must succeed.
RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
{
    Cookie issued = getCookieFromSS();

    const int status = security_server_check_privilege(issued.data(), 0);
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_SUCCESS,
        "Error in security_server_check_privilege(): " << status);
}
// Deny path: after switching to APP_UID/APP_GID with no allowFunction() rule,
// security_server_check_privilege() is expected to return
// SECURITY_SERVER_API_ERROR_ACCESS_DENIED.
RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_app_user_security_server_check_privilege)
{
    // NOTE(review): presumably this marks the test as ignored so the checks
    // below do not run — confirm against the test runner. If so, the denial
    // asserted here is currently not being verified.
    RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
    Cookie issued = getCookieFromSS();

    SecurityServer::AccessProvider appAccess("selflabel_03_02");
    appAccess.applyAndSwithToUser(APP_UID, APP_GID);

    const int status = security_server_check_privilege(issued.data(), 0);
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
        "security_server_check_privilege() should return access denied: " << status);
}
// Allow path: with an allowFunction() rule for security_server_check_privilege
// in place, the call must succeed after switching to APP_UID/APP_GID.
RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege)
{
    // The cookie is fetched before the user switch.
    Cookie issued = getCookieFromSS();

    SecurityServer::AccessProvider appAccess("selflabel_03_03");
    appAccess.allowFunction("security_server_check_privilege");
    appAccess.applyAndSwithToUser(APP_UID, APP_GID);

    const int status = security_server_check_privilege(issued.data(), 0);
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_SUCCESS,
        "Error in security_server_check_privilege(): " << status);
}
// Negative case: once the process has been removed from the "audio" group,
// checking that group's gid against the process cookie must be denied.
RUNNER_CHILD_TEST(tc_unit_03_04_security_server_check_privilege_neg)
{
    remove_process_group(PROC_AUDIO_GROUP_NAME);

    Cookie issued = getCookieFromSS();
    const int audioGid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
    RUNNER_ASSERT_MSG_BT(audioGid > -1,
        "security_server_get_gid() failed. result = " << audioGid);

    const int status = security_server_check_privilege(issued.data(), audioGid);

    // The check must fail because the process does not belong to "audio".
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << status);
}
// Positive counterpart of tc_unit_03_04: once the process has been added to
// the "audio" group, checking that group's gid against the process cookie
// must succeed.
RUNNER_CHILD_TEST(tc_unit_03_05_security_server_check_privilege)
{
    add_process_group(PROC_AUDIO_GROUP_NAME);

    Cookie issued = getCookieFromSS();
    const int audioGid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
    RUNNER_ASSERT_MSG_BT(audioGid > -1,
        "security_server_get_gid() failed. result = " << audioGid);

    const int status = security_server_check_privilege(issued.data(), audioGid);
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_SUCCESS, "ret: " << status);
}
339 // test invalid cookie name
// Expects security_server_check_privilege() to answer
// SECURITY_SERVER_API_ERROR_ACCESS_DENIED for what the test calls an invalid
// cookie.
340 RUNNER_TEST(tc_unit_03_06_security_server_check_privilege)
342 // create invalid cookie
343 int size = security_server_get_cookie_size();
344 RUNNER_ASSERT_MSG_BT(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
// NOTE(review): the statements that declare and fill `cookie` (source lines
// 345-346) are not visible here; restore them from the original file before
// relying on this test.
// The same gid-0 query succeeds with a cookie from getCookieFromSS() in
// tc_unit_03_01, so the denial expected below is attributable to the cookie.
348 int ret = security_server_check_privilege(cookie.data(), 0);
349 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
352 //---------------------------------------------------------------------------
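// Called without changing user or label: the pid stored for the caller's own
// cookie must match the calling process.
RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
{
    Cookie cookie = getCookieFromSS();

    const int ret = security_server_get_cookie_pid(cookie.data());
    RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);

    // NOTE(review): the declaration of `pid` is not visible in the listing;
    // getpid() is assumed, matching the `ret == getpid()` check in
    // tc_unit_09_01 — confirm against the original file.
    const int pid = getpid();
    RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
}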
// Deny path: after switching to APP_UID/APP_GID with no allowFunction() rule,
// security_server_get_cookie_pid() is expected to return
// SECURITY_SERVER_API_ERROR_ACCESS_DENIED.
RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_app_user_security_server_get_cookie_pid)
{
    // NOTE(review): presumably this marks the test as ignored so the checks
    // below do not run — confirm against the test runner. If so, the denial
    // asserted here is currently not being verified.
    RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
    Cookie issued = getCookieFromSS();

    SecurityServer::AccessProvider appAccess("selflabel_05_02");
    appAccess.applyAndSwithToUser(APP_UID, APP_GID);

    const int status = security_server_get_cookie_pid(issued.data());
    RUNNER_ASSERT_MSG_BT(status == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
        "security_server_get_cookie_pid() should return access denied: " << status);
}
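// Allow path: with an allowFunction() rule for security_server_get_cookie_pid
// in place, the call must succeed after switching to APP_UID/APP_GID and
// report the calling process.
RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid)
{
    // The cookie is fetched before the user switch.
    Cookie cookie = getCookieFromSS();

    SecurityServer::AccessProvider provider("selflabel_05_03");
    provider.allowFunction("security_server_get_cookie_pid");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    const int ret = security_server_get_cookie_pid(cookie.data());
    RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);

    // NOTE(review): the declaration of `pid` is not visible in the listing;
    // getpid() is assumed, matching the `ret == getpid()` check in
    // tc_unit_09_01 — confirm against the original file.
    const int pid = getpid();
    RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
}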
395 //---------------------------------------------------------------------------
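// After labelling the process "selflabel_06_01", the label reported for the
// process cookie must be that same string.
RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie)
{
    setLabelForSelf(__LINE__, "selflabel_06_01");

    Cookie cookie = getCookieFromSS();

    UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);

    // The API signals failure with NULL (see the argument and deny tests), and
    // strcmp() on a null pointer is undefined; fail with a clear message first.
    RUNNER_ASSERT_MSG_BT(label.get() != NULL,
        "security_server_get_smacklabel_cookie() returned NULL");
    RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_01") == 0,
        "No match in smack label received from cookie, received label: "
        << label.get());
}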
// Deny path: after switching to APP_UID/APP_GID with no allowFunction() rule,
// security_server_get_smacklabel_cookie() is expected to return NULL.
RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_cookie)
{
    // NOTE(review): presumably this marks the test as ignored so the checks
    // below do not run — confirm against the test runner. If so, the denial
    // asserted here is currently not being verified.
    RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
    Cookie issued = getCookieFromSS();

    SecurityServer::AccessProvider appAccess("selflabel_06_02");
    appAccess.applyAndSwithToUser(APP_UID, APP_GID);

    // Owned so that an unexpectedly returned label is still freed.
    UniquePtrCstring reported(security_server_get_smacklabel_cookie(issued.data()), free);
    RUNNER_ASSERT_MSG_BT(reported.get() == NULL,
        "NULL should be received due to access denied, received label: "
        << reported.get());
}
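// Allow path: with an allowFunction() rule for
// security_server_get_smacklabel_cookie in place, the label reported for the
// cookie must be "selflabel_06_03", the name given to the AccessProvider.
RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
{
    SecurityServer::AccessProvider provider("selflabel_06_03");
    provider.allowFunction("security_server_get_smacklabel_cookie");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    // Unlike the other allow tests, the cookie is fetched after the switch.
    Cookie cookie = getCookieFromSS();

    UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);

    // The API signals failure with NULL (see the argument and deny tests), and
    // strcmp() on a null pointer is undefined; fail with a clear message first.
    RUNNER_ASSERT_MSG_BT(label.get() != NULL,
        "security_server_get_smacklabel_cookie() returned NULL");
    RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_03") == 0,
        "No match in smack label received from cookie, received label: "
        << label.get());
}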
439 //---------------------------------------------------------------------------
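// Allow path for the whole cookie API: every function exercised below gets an
// allowFunction() rule before the switch to APP_UID/APP_GID, and each call is
// then expected to succeed.
RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow)
{
    add_process_group(PROC_AUDIO_GROUP_NAME);

    SecurityServer::AccessProvider provider("subject_1d6eda7d");
    provider.allowFunction("security_server_get_gid");
    provider.allowFunction("security_server_request_cookie");
    provider.allowFunction("security_server_check_privilege");
    provider.allowFunction("security_server_get_cookie_pid");
    provider.allowFunction("security_server_get_smacklabel_cookie");
    provider.allowFunction("security_server_check_privilege_by_pid");
    provider.applyAndSwithToUser(APP_UID, APP_GID);

    Cookie cookie = getCookieFromSS();

    // The gid returned here is fed straight into the privilege check.
    int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
    RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
        << "\" gid. Result: " << ret);

    ret = security_server_check_privilege(cookie.data(), ret);
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);

    const int root_gid = security_server_get_gid(ROOT_USER);
    RUNNER_ASSERT_MSG_BT(root_gid > -1, "root_gid: " << root_gid);

    ret = security_server_get_cookie_pid(cookie.data());
    RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);

    // The failure message used to stream ss_label.get(), which is a null
    // char* exactly when this assertion fails; a fixed text (the one the
    // NOSMACK variant uses) avoids inserting a null pointer into the stream.
    UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
    RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");

    // "_" is Smack's floor label; the process asks about its own pid.
    ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
}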
476 // disable access and drop privileges
// Deny path for the whole cookie API: no allowFunction() call is visible
// before the switch to APP_UID/APP_GID, and every call below is expected to
// be refused.
// NOTE(review): the tails of several assertion messages (after
// "...access denied, ") are not visible in this listing; restore them from
// the original file.
477 RUNNER_CHILD_TEST_SMACK(tc_unit_09_02_app_user_cookie_API_access_deny)
// NOTE(review): presumably this marks the test as ignored so the checks below
// do not run — confirm against the test runner. If so, none of the denials
// asserted here is currently being verified.
479 RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
480 SecurityServer::AccessProvider provider("subject_1d414140");
481 provider.applyAndSwithToUser(APP_UID, APP_GID);
// The cookie is fetched after the switch; the result of getCookieFromSS()
// itself is not asserted here.
483 Cookie cookie = getCookieFromSS();
485 int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
486 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
487 "security_server_check_privilege should return access denied, "
490 ret = security_server_get_gid(ROOT_USER);
491 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
492 "security_server_get_gid should return access denied, "
495 ret = security_server_get_cookie_pid(cookie.data());
496 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
497 "security_server_get_cookie_pid should return access denied, "
// Denial is signalled by a NULL label; the message streams the pointer only
// when it is non-NULL, i.e. when the assertion fails.
500 UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
501 RUNNER_ASSERT_MSG_BT(ss_label.get() == NULL,
502 "access should be denied so label should be NULL: " << ss_label.get());
504 ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
505 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
506 "security_server_check_privilege_by_pid should return access denied, "
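// NOSMACK counterpart of tc_unit_09_01_app_user_cookie_API_access_allow:
// after dropping root privileges, every cookie API call below is expected to
// succeed.
RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_app_user_cookie_API_access_allow_nosmack)
{
    add_process_group(PROC_AUDIO_GROUP_NAME);

    // Abort early if the privilege drop failed; the rest of the test is only
    // meaningful as a non-root caller. The message now separates the result
    // from the uid (it used to print them run together).
    int ret = drop_root_privileges();
    RUNNER_ASSERT_MSG_BT(ret == 0,
        "Failed to drop root privileges. Result: " << ret << ", uid = " << getuid());

    Cookie cookie = getCookieFromSS();

    // The gid returned here is fed straight into the privilege check.
    ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
    RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
        << "\" gid. Result: " << ret);

    ret = security_server_check_privilege(cookie.data(), ret);
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
        "check_privilege failed. Result: " << ret);

    ret = security_server_get_gid(ROOT_USER);
    RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"root\" gid. Result: " << ret);

    ret = security_server_get_cookie_pid(cookie.data());
    RUNNER_ASSERT_MSG_BT(ret == getpid(),
        "get_cookie_pid returned different pid than it should. Result: " << ret);

    UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
    RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");

    // "_" is Smack's floor label; the process asks about its own pid.
    ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
        "check_privilege_by_pid failed. Result: " << ret);
}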