2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
5 * @file security_server_tests_client_smack.cpp
6 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
8 * @brief Test cases for security-server-client-smack.
12 #include <sys/types.h>
13 #include <sys/socket.h>
14 #include <sys/smack.h>
24 #include <dpl/log/log.h>
25 #include <dpl/test/test_runner.h>
26 #include <dpl/test/test_runner_child.h>
27 #include <dpl/test/test_runner_multiprocess.h>
28 #include "security_server_mockup.h"
30 #include <security-server.h>
32 #include "tests_common.h"
36 const char *subject_label = "mylabel"; \
37 RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"), \
38 "Cannot prepare environment for test."); \
39 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), \
40 "Cannot prepare environment for test."); \
41 RUNNER_ASSERT_MSG(-1 != setgid(1), \
42 "Cannot prepare environment for test."); \
43 RUNNER_ASSERT_MSG(-1 != setuid(1), \
44 "Cannot prepare environment for test"); \
49 * Environment preparation should only differ in setting label. On NOSMACK system
50 * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
52 #define ENVIRONMENT_NOSMACK \
54 int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
55 RUNNER_ASSERT_MSG(fd >= 0, \
56 "Couldn't create pid_cycle file. errno: " << strerror(errno));\
58 RUNNER_ASSERT_MSG(-1 != setgid(1), \
59 "Cannot prepare environment for test."); \
60 RUNNER_ASSERT_MSG(-1 != setuid(1), \
61 "Cannot prepare environment for test"); \
65 * Unique_ptr typedef for NOSMACK version of tc06 test
67 void closesockfdptr(int* sockfd_ptr)
71 typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
74 * Dropping root privileges
75 * returns 0 on success, 1 on error
77 int drop_root_privileges()
80 /* process is running as root, drop privileges */
81 if (setgid(5000) != 0)
83 if (setuid(5000) != 0)
93 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
96 * test: Check cookie size returned by security_server_get_cookie_size.
97 * description: Cookie used by security-server is 20 bytes long.
98 * Any other size of cookies should be treated as error.
99 * expected: Function security_server_get_cookie_size returns 20.
101 RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
105 int ret = security_server_get_cookie_size();
106 RUNNER_ASSERT_MSG(20 == ret, "ret = " << ret);
110 * test: security_server_request_cookie
111 * description: Function security_server_request_cookie will return
112 * 20 bytes long cookie.
113 * expected: function will set up cookie in the array and return
114 * SECURITY_SERVER_API_SUCCESS.
116 RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
121 int ret = security_server_request_cookie(cookie, 20);
122 LogDebug("ret = " << ret);
123 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == ret);
127 * test: security_server_request_cookie
128 * description: Function security_server_request_cookie will return
129 * 20 bytes long cookie.
130 * expected: function will set up cookie in the array and return
131 * SECURITY_SERVER_API_SUCCESS.
133 RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
138 int ret = security_server_request_cookie(cookie, 10);
139 LogDebug("ret = " << ret);
140 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
144 * test: tc04_security_server_get_gid
145 * description: Checking for security_server_get_gid
146 * with nonexisting gid and existing one
147 * expected: security_server_get_gid should return
148 * SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
149 * and group id with second call
151 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
155 int ret = security_server_get_gid("abc123xyz_pysiaczek");
156 LogDebug("ret = " << ret);
157 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
158 ret = security_server_get_gid("root");
159 LogDebug("ret = " << ret);
160 RUNNER_ASSERT_MSG(0 == ret, "Ret: " << ret);
164 * test: tc05_check_privilege_by_cookie
165 * description: Function security_server_check_privilege_by_cookie should
166 * return status of access rights of cookie owner. In this case cookie owner
167 * is the same process that ask for the rights.
168 * expected: Function call with access rights set to "r" should return SUCCESS,
169 * with "rw" should return ACCESS DENIED.
171 RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
174 const char *object_label = "tc05objectlabel";
175 const char *access_rights = "r";
176 const char *access_rights_ext = "rw";
177 const char *subject_label = "tc05subjectlabel";
179 smack_accesses *handle;
181 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
183 RUNNER_ASSERT(0 == smack_accesses_add(handle,
188 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
190 smack_accesses_free(handle);
192 RUNNER_ASSERT(0 == smack_set_label_for_self(subject_label));
194 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
195 security_server_request_cookie(cookie,20));
197 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
199 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
200 security_server_check_privilege_by_cookie(
205 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
206 security_server_check_privilege_by_cookie(
213 * test: security_server_check_privilege_by_sockfd
214 * description: This test will create dummy server that will accept connection
215 * and die. The client will try to check access rights using connection descriptor.
216 * expected: Function call with access rights set to "r" should return SUCCESS,
217 * with "rw" should return ACCESS DENIED.
219 RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
221 const char *object_label = "tc06objectlabel";
222 const char *access_rights = "r";
223 const char *access_rights_ext = "rw";
224 const char *subject_label = "tc06subjectlabel";
229 smack_accesses *handle;
230 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
231 RUNNER_ASSERT(0 == smack_accesses_add(handle,
235 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
236 smack_accesses_free(handle);
240 RUNNER_ASSERT(-1 != pid);
244 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
246 int sockfd = create_new_socket();
247 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
249 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
251 label = security_server_get_smacklabel_sockfd(sockfd);
252 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
253 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
256 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
258 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
260 label = security_server_get_smacklabel_sockfd(sockfd);
261 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
262 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
265 struct sockaddr_un client_addr;
266 socklen_t client_len = sizeof(client_addr);
268 RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
277 int sockfd = connect_to_testserver();
278 RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
280 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
282 label = security_server_get_smacklabel_sockfd(sockfd);
283 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
284 RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
287 result1 = security_server_check_privilege_by_sockfd(
291 result2 = security_server_check_privilege_by_sockfd(
297 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
298 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
302 * test: security_server_check_privilege_by_sockfd
303 * description: This test will create dummy server that will accept connection
304 * and die. The client will try to check access rights using connection descriptor.
305 * Because we read a smack label not from socket directly, but from from pid of process
306 * on the other end of socket - that's why smack label will be updated.
307 * In this test client is running under root and server is not - to test the extreme case.
308 * expected: Function call with access rights set to "r" should return SUCCESS,
309 * with "rw" should return ACCESS DENIED.
311 RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
313 RUNNER_IGNORED_MSG("This test drop privileges");
314 const char *object_label = "tc07objectlabel";
315 const char *access_rights = "r";
316 const char *access_rights_ext = "rw";
317 const char *subject_label = "tc07subjectlabel";
322 smack_accesses *handle;
323 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
324 RUNNER_ASSERT(0 == smack_accesses_add(handle,
328 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
329 smack_accesses_free(handle);
332 RUNNER_ASSERT(-1 != pid);
336 int sockfd = create_new_socket();
337 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
339 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
341 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
343 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
345 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
347 struct sockaddr_un client_addr;
348 socklen_t client_len = sizeof(client_addr);
349 int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
357 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
360 int sockfd = connect_to_testserver();
361 RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
363 result1 = security_server_check_privilege_by_sockfd(
367 result2 = security_server_check_privilege_by_sockfd(
375 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
376 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
379 ///////////////////////////
380 /////NOSMACK ENV TESTS/////
381 ///////////////////////////
384 * First four test cases are the same as their SMACK versions. The only difference is environment
385 * preparation (described near ENVIRONMENT_NOSMACK macro).
387 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
391 int ret = security_server_get_cookie_size();
392 RUNNER_ASSERT_MSG(ret == 20, "ret = " << ret);
395 RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
400 int ret = security_server_request_cookie(cookie, 20);
401 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
404 RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
409 int ret = security_server_request_cookie(cookie, 10);
410 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
413 RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
417 int ret = security_server_get_gid("definitely_not_existing_object");
418 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
419 ret = security_server_get_gid("root");
420 RUNNER_ASSERT_MSG(ret == 0, "ret = " << ret);
424 * NOSMACK version of tc05 test.
426 * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
427 * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
428 * should return SUCCESS no matter what access_rights we give to this function.
430 RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
433 const char* object_label = "tc05objectlabel";
435 RUNNER_ASSERT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
437 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
439 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
440 security_server_check_privilege_by_cookie(cookie, object_label, "r"));
442 //On NOSMACK env security server should return success on any accesses, even those that are
444 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
445 security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
449 * NOSMACK version of tc06 test.
451 * Differences between this and SMACK version (server):
452 * - Skipped setting access_rights
453 * - Skipped setting label for server
454 * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
455 * of socket (because it should do nothing when SMACK is off)
456 * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
459 * For client the only difference are expected results from check_privilege_by_sockfd - both should
462 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
464 const char* object_label = "tc06objectlabel";
471 RUNNER_ASSERT(pid >= 0);
475 if (pid == 0) { //child process - server
477 int sockfd = create_new_socket();
478 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
480 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
482 //check if get_smacklabel_sockfd works correctly
483 label = security_server_get_smacklabel_sockfd(sockfd);
484 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
485 ret = strcmp(label, "");
487 RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
489 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
491 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
493 struct sockaddr_un client_addr;
494 socklen_t client_len = sizeof(client_addr);
497 RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
499 //wait a little bit for parent to do it's job
502 //if everything works, cleanup and return 0
508 int sockfd = connect_to_testserver();
509 RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to connect to server.");
511 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
513 label = security_server_get_smacklabel_sockfd(sockfd);
514 RUNNER_ASSERT_MSG(label != NULL, "get_smacklabel_sockfd failed.");
515 ret = strcmp(label, "");
517 RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
519 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
520 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
523 RUNNER_ASSERT_MSG(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
524 RUNNER_ASSERT_MSG(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
528 * NOSMACK version of tc07 test.
530 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
532 RUNNER_IGNORED_MSG("This test drop privileges");
533 const char* object_label = "tc07objectlabel";
539 RUNNER_ASSERT(-1 != pid);
541 if (pid == 0) { //child process
543 int sockfd = create_new_socket();
544 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
546 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
549 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
551 //Prepare for accepting
552 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
554 struct sockaddr_un client_addr;
555 socklen_t client_len = sizeof(client_addr);
559 RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
561 //wait a little bit for parent to do it's job
564 //cleanup and kill child
567 } else { //parent process
568 //Drop root privileges
569 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
571 //Wait for server to set up
574 //Connect and check privileges
575 int sockfd = connect_to_testserver();
576 RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to create socket fd.");
578 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
579 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
584 //Both results (just like in the previous test case) should return success.
585 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
586 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
589 int apply_smack_rule(const char *subject, const char *object, const char *rule)
591 struct smack_accesses *ruleHandler = NULL;
592 if (smack_accesses_new(&ruleHandler) != 0)
594 if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
596 if (smack_accesses_apply(ruleHandler) != 0)
599 smack_accesses_free(ruleHandler);
603 smack_accesses_free(ruleHandler);
607 RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
609 int cookieSize = security_server_get_cookie_size();
610 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
612 std::vector<char> cookie(cookieSize);
613 int retval = security_server_request_cookie(&cookie[0], cookieSize);
614 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
617 uid_t cookieUid, realUid;
619 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
620 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
621 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
623 //checking for input parameters
624 retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
625 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
626 retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
627 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
630 RUNNER_CHILD_TEST(tc11_security_server_get_uid_by_cookie)
632 int cookieSize = security_server_get_cookie_size();
633 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
635 std::vector<char> cookie(cookieSize);
636 int retval = security_server_request_cookie(&cookie[0], cookieSize);
637 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
639 //preapare SMACK environment
640 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
641 RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
643 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
647 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
648 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
651 RUNNER_CHILD_TEST(tc12_security_server_get_uid_by_cookie)
653 int cookieSize = security_server_get_cookie_size();
654 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
656 uid_t realUid = getuid();
658 std::vector<char> cookie(cookieSize);
659 int retval = security_server_request_cookie(&cookie[0], cookieSize);
660 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
662 //preapare SMACK environment
663 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
664 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
666 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
670 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
671 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
672 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
675 RUNNER_CHILD_TEST(tc13_security_server_get_uid_by_cookie)
677 int cookieSize = security_server_get_cookie_size();
678 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
680 //preapare SMACK environment
681 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
682 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
683 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
685 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
687 std::vector<char> cookie(cookieSize);
688 int retval = security_server_request_cookie(&cookie[0], cookieSize);
689 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
692 uid_t cookieUid, realUid = getuid();
693 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
694 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
695 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
698 RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
700 int cookieSize = security_server_get_cookie_size();
701 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
703 std::vector<char> cookie(cookieSize);
704 int retval = security_server_request_cookie(&cookie[0], cookieSize);
705 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
708 gid_t cookieGid, realGid;
710 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
711 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
712 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID");
714 //checking for input parameters
715 retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
716 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
717 retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
718 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
722 RUNNER_CHILD_TEST(tc15_security_server_get_gid_by_cookie)
724 int cookieSize = security_server_get_cookie_size();
725 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
727 std::vector<char> cookie(cookieSize);
728 int retval = security_server_request_cookie(&cookie[0], cookieSize);
729 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
731 //preapare SMACK environment
732 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
733 RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
735 RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
736 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
739 gid_t cookieGid, realGid;
741 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
742 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
745 RUNNER_CHILD_TEST(tc16_security_server_get_gid_by_cookie)
747 int cookieSize = security_server_get_cookie_size();
748 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
750 std::vector<char> cookie(cookieSize);
752 gid_t realGid = getgid();
753 int retval = security_server_request_cookie(&cookie[0], cookieSize);
754 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
756 //preapare SMACK environment
757 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
758 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
760 RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
761 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
765 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
766 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
767 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
770 RUNNER_CHILD_TEST(tc17_security_server_get_gid_by_cookie)
772 int cookieSize = security_server_get_cookie_size();
773 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
775 //preapare SMACK environment
776 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
777 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
778 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
780 RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
781 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
783 std::vector<char> cookie(cookieSize);
784 int retval = security_server_request_cookie(&cookie[0], cookieSize);
785 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
788 gid_t cookieGid, realGid = getgid();
789 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
790 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
791 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
799 int main(int argc, char *argv[])
802 DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);