projects / platform / core / test / security-tests.git / blob
? search:


5b730366d3bfb60126c2885619770b9eaeb4262f
[platform/core/test/security-tests.git] / tests / security-server-tests / security_server_tests_client_smack.cpp
1 /*
2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
3  */
4 /*
5  * @file    security_server_tests_client_smack.cpp
6  * @author  Bartlomiej Grzelewski (b.grzelewski@samsung.com)
7  * @version 1.1
8  * @brief   Test cases for security-server-client-smack.
9  */
10
11 #include <unistd.h>
12 #include <sys/types.h>
13 #include <sys/socket.h>
14 #include <sys/smack.h>
15 #include <sys/wait.h>
16 #include <sys/un.h>
17 #include <sys/stat.h>
18 #include <fcntl.h>
19 #include <errno.h>
20
21 #include <memory>
22 #include <functional>
23
24 #include <dpl/log/log.h>
25 #include <dpl/test/test_runner.h>
26 #include <dpl/test/test_runner_child.h>
27 #include <dpl/test/test_runner_multiprocess.h>
28 #include "security_server_mockup.h"
29
30 #include <security-server.h>
31
32 #include "tests_common.h"
33
34 #define ENVIRONMENT                                                       \
35     do {                                                                  \
36         const char *subject_label = "mylabel";                            \
37         RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"), \
38             "Cannot prepare environment for test.");                      \
39         RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label),   \
40             "Cannot prepare environment for test.");                      \
41         RUNNER_ASSERT_MSG(-1 != setgid(1),                                \
42             "Cannot prepare environment for test.");                      \
43         RUNNER_ASSERT_MSG(-1 != setuid(1),                                \
44             "Cannot prepare environment for test");                       \
45     } while (0)
46
47
48 /**
49  * Environment preparation should only differ in setting label. On NOSMACK system
50  * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
51  */
52 #define ENVIRONMENT_NOSMACK                                               \
53     do {                                                                  \
54         int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
55         RUNNER_ASSERT_MSG(fd >= 0,                                        \
56             "Couldn't create pid_cycle file. errno: " << strerror(errno));\
57         close(fd);                                                        \
58         RUNNER_ASSERT_MSG(-1 != setgid(1),                                \
59             "Cannot prepare environment for test.");                      \
60         RUNNER_ASSERT_MSG(-1 != setuid(1),                                \
61             "Cannot prepare environment for test");                       \
62     } while (0)
63
64 /**
65  * Unique_ptr typedef for NOSMACK version of tc06 test
66  */
67 void closesockfdptr(int* sockfd_ptr)
68 {
69     close(*sockfd_ptr);
70 }
71 typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
72
73 /**
74  * Dropping root privileges
75  * returns 0 on success, 1 on error
76  */
77 int drop_root_privileges()
78 {
79     if (getuid() == 0) {
80         /* process is running as root, drop privileges */
81         if (setgid(5000) != 0)
82             return 1;
83         if (setuid(5000) != 0)
84             return 1;
85     }
86     int uid = getuid();
87     if (uid == 5000)
88         return 0;
89
90     return 1;
91 }
92
93 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
94
95 /*
96  * test: Check cookie size returned by security_server_get_cookie_size.
97  * description: Cookie used by security-server is 20 bytes long.
98  * Any other size of cookies should be treated as error.
99  * expected: Function security_server_get_cookie_size returns 20.
100  */
101 RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
102 {
103     ENVIRONMENT;
104
105     int ret = security_server_get_cookie_size();
106     RUNNER_ASSERT_MSG(20 == ret, "ret = " << ret);
107 }
108
109 /*
110  * test: security_server_request_cookie
111  * description: Function security_server_request_cookie will return
112  * 20 bytes long cookie.
113  * expected: function will set up cookie in the array and return
114  * SECURITY_SERVER_API_SUCCESS.
115  */
116 RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
117 {
118     ENVIRONMENT;
119
120     char cookie[20];
121     int ret = security_server_request_cookie(cookie, 20);
122     LogDebug("ret = " << ret);
123     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == ret);
124 }
125
126 /*
127  * test: security_server_request_cookie
128  * description: Function security_server_request_cookie will return
129  * 20 bytes long cookie.
130  * expected: function will set up cookie in the array and return
131  * SECURITY_SERVER_API_SUCCESS.
132  */
133 RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
134 {
135     ENVIRONMENT;
136
137     char cookie[20];
138     int ret = security_server_request_cookie(cookie, 10);
139     LogDebug("ret = " << ret);
140     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
141 }
142
143 /*
144  * test: tc04_security_server_get_gid
145  * description: Checking for security_server_get_gid
146  *              with nonexisting gid and existing one
147  * expected: security_server_get_gid should return
148  *           SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
149  *           and group id with second call
150  */
151 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
152 {
153     ENVIRONMENT;
154
155     int ret = security_server_get_gid("abc123xyz_pysiaczek");
156     LogDebug("ret = " << ret);
157     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
158     ret = security_server_get_gid("root");
159     LogDebug("ret = " << ret);
160     RUNNER_ASSERT_MSG(0 == ret, "Ret: " << ret);
161 }
162
163 /*
164  * test: tc05_check_privilege_by_cookie
165  * description: Function security_server_check_privilege_by_cookie should
166  * return status of access rights of cookie owner. In this case cookie owner
167  * is the same process that ask for the rights.
168  * expected: Function call with access rights set to "r" should return SUCCESS,
169  * with "rw" should return ACCESS DENIED.
170  */
171 RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
172 {
173     char cookie[20];
174     const char *object_label = "tc05objectlabel";
175     const char *access_rights = "r";
176     const char *access_rights_ext = "rw";
177     const char *subject_label = "tc05subjectlabel";
178
179     smack_accesses *handle;
180
181     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
182
183     RUNNER_ASSERT(0 == smack_accesses_add(handle,
184             subject_label,
185             object_label,
186             access_rights));
187
188     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
189
190     smack_accesses_free(handle);
191
192     RUNNER_ASSERT(0 == smack_set_label_for_self(subject_label));
193
194     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
195         security_server_request_cookie(cookie,20));
196
197     RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
198
199     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
200         security_server_check_privilege_by_cookie(
201             cookie,
202             object_label,
203             access_rights));
204
205     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
206         security_server_check_privilege_by_cookie(
207             cookie,
208             object_label,
209             access_rights_ext));
210 }
211
212 /*
213  * test: security_server_check_privilege_by_sockfd
214  * description: This test will create dummy server that will accept connection
215  * and die. The client will try to check access rights using connection descriptor.
216  * expected: Function call with access rights set to "r" should return SUCCESS,
217  * with "rw" should return ACCESS DENIED.
218  */
219 RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
220 {
221     const char *object_label = "tc06objectlabel";
222     const char *access_rights = "r";
223     const char *access_rights_ext = "rw";
224     const char *subject_label = "tc06subjectlabel";
225
226     int result1 = -1;
227     int result2 = -1;
228
229     smack_accesses *handle;
230     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
231     RUNNER_ASSERT(0 == smack_accesses_add(handle,
232             subject_label,
233             object_label,
234             access_rights));
235     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
236     smack_accesses_free(handle);
237
238     int pid = fork();
239     char *label;
240     RUNNER_ASSERT(-1 != pid);
241
242     if (0 == pid) {
243         // child
244         RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
245
246         int sockfd = create_new_socket();
247         RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
248
249         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
250
251         label = security_server_get_smacklabel_sockfd(sockfd);
252         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
253         RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
254         free(label);
255
256         RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
257
258         RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
259
260         label = security_server_get_smacklabel_sockfd(sockfd);
261         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
262         RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
263         free(label);
264
265         struct sockaddr_un client_addr;
266         socklen_t client_len = sizeof(client_addr);
267         int csockfd;
268         RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
269
270         usleep(500);
271
272         close(csockfd);
273         exit(0);
274     } else {
275         // parent
276         sleep(1);
277         int sockfd = connect_to_testserver();
278         RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
279
280         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
281
282         label = security_server_get_smacklabel_sockfd(sockfd);
283         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
284         RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
285         free(label);
286
287         result1 = security_server_check_privilege_by_sockfd(
288             sockfd,
289             object_label,
290             access_rights);
291         result2 = security_server_check_privilege_by_sockfd(
292             sockfd,
293             object_label,
294             access_rights_ext);
295     }
296
297     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
298     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
299 }
300
301 /*
302  * test: security_server_check_privilege_by_sockfd
303  * description: This test will create dummy server that will accept connection
304  * and die. The client will try to check access rights using connection descriptor.
305  * Because we read a smack label not from socket directly, but from from pid of process
306  * on the other end of socket - that's why smack label will be updated.
307  * In this test client is running under root and server is not - to test the extreme case.
308  * expected: Function call with access rights set to "r" should return SUCCESS,
309  * with "rw" should return ACCESS DENIED.
310  */
311 RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
312 {
313     RUNNER_IGNORED_MSG("This test drop privileges");
314     const char *object_label = "tc07objectlabel";
315     const char *access_rights = "r";
316     const char *access_rights_ext = "rw";
317     const char *subject_label = "tc07subjectlabel";
318
319     int result1 = -1;
320     int result2 = -1;
321
322     smack_accesses *handle;
323     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
324     RUNNER_ASSERT(0 == smack_accesses_add(handle,
325             subject_label,
326             object_label,
327             access_rights));
328     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
329     smack_accesses_free(handle);
330
331     int pid = fork();
332     RUNNER_ASSERT(-1 != pid);
333
334     if (0 == pid) {
335         // child
336         int sockfd = create_new_socket();
337         RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
338
339         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
340
341         RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
342
343         RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
344
345         RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
346
347         struct sockaddr_un client_addr;
348         socklen_t client_len = sizeof(client_addr);
349         int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
350         if (csockfd >= 0)
351             close(csockfd);
352         LogDebug("Exit!");
353         exit(0);
354     } else {
355         // parent
356
357         RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
358
359         sleep(1);
360         int sockfd = connect_to_testserver();
361         RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
362
363         result1 = security_server_check_privilege_by_sockfd(
364             sockfd,
365             object_label,
366             access_rights);
367         result2 = security_server_check_privilege_by_sockfd(
368             sockfd,
369             object_label,
370             access_rights_ext);
371
372         close(sockfd);
373     }
374
375     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
376     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
377 }
378
379 ///////////////////////////
380 /////NOSMACK ENV TESTS/////
381 ///////////////////////////
382
383 /**
384  * First four test cases are the same as their SMACK versions. The only difference is environment
385  * preparation (described near ENVIRONMENT_NOSMACK macro).
386  */
387 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
388 {
389     ENVIRONMENT_NOSMACK;
390
391     int ret = security_server_get_cookie_size();
392     RUNNER_ASSERT_MSG(ret == 20, "ret = " << ret);
393 }
394
395 RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
396 {
397     ENVIRONMENT_NOSMACK;
398
399     char cookie[20];
400     int ret = security_server_request_cookie(cookie, 20);
401     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
402 }
403
404 RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
405 {
406     ENVIRONMENT_NOSMACK;
407
408     char cookie[20];
409     int ret = security_server_request_cookie(cookie, 10);
410     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
411 }
412
413 RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
414 {
415     ENVIRONMENT_NOSMACK;
416
417     int ret = security_server_get_gid("definitely_not_existing_object");
418     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
419     ret = security_server_get_gid("root");
420     RUNNER_ASSERT_MSG(ret == 0, "ret = " << ret);
421 }
422
423 /*
424  * NOSMACK version of tc05 test.
425  *
426  * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
427  * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
428  * should return SUCCESS no matter what access_rights we give to this function.
429  */
430 RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
431 {
432     char cookie[20];
433     const char* object_label = "tc05objectlabel";
434
435     RUNNER_ASSERT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
436
437     RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
438
439     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
440         security_server_check_privilege_by_cookie(cookie, object_label, "r"));
441
442     //On NOSMACK env security server should return success on any accesses, even those that are
443     //incorrect.
444     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
445         security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
446 }
447
448 /**
449  * NOSMACK version of tc06 test.
450  *
451  * Differences between this and SMACK version (server):
452  * - Skipped setting access_rights
453  * - Skipped setting label for server
454  * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
455  *   of socket (because it should do nothing when SMACK is off)
456  * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
457  *   from client
458  *
459  * For client the only difference are expected results from check_privilege_by_sockfd - both should
460  * return SUCCESS.
461  */
462 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
463 {
464     const char* object_label = "tc06objectlabel";
465
466     int result1 = -1;
467     int result2 = -1;
468
469     int pid = fork();
470     char* label;
471     RUNNER_ASSERT(pid >= 0);
472
473     int ret;
474
475     if (pid == 0) { //child process - server
476         //create new socket
477         int sockfd = create_new_socket();
478         RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
479
480         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
481
482         //check if get_smacklabel_sockfd works correctly
483         label = security_server_get_smacklabel_sockfd(sockfd);
484         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
485         ret = strcmp(label, "");
486         free(label);
487         RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
488
489         RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
490
491         RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
492
493         struct sockaddr_un client_addr;
494         socklen_t client_len = sizeof(client_addr);
495
496         int csockfd;
497         RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
498
499         //wait a little bit for parent to do it's job
500         usleep(200);
501
502         //if everything works, cleanup and return 0
503         close(csockfd);
504         exit(0);
505     } else {
506         //parent
507         sleep(1);
508         int sockfd = connect_to_testserver();
509         RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to connect to server.");
510
511         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
512
513         label = security_server_get_smacklabel_sockfd(sockfd);
514         RUNNER_ASSERT_MSG(label != NULL, "get_smacklabel_sockfd failed.");
515         ret = strcmp(label, "");
516         free(label);
517         RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
518
519         result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
520         result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
521     }
522
523     RUNNER_ASSERT_MSG(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
524     RUNNER_ASSERT_MSG(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
525 }
526
527 /**
528  * NOSMACK version of tc07 test.
529  */
530 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
531 {
532     RUNNER_IGNORED_MSG("This test drop privileges");
533     const char* object_label = "tc07objectlabel";
534
535     int result1 = -1;
536     int result2 = -1;
537
538     int pid = fork();
539     RUNNER_ASSERT(-1 != pid);
540
541     if (pid == 0) { //child process
542         //Create socket
543         int sockfd = create_new_socket();
544         RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
545
546         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
547
548         //Drop privileges
549         RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
550
551         //Prepare for accepting
552         RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
553
554         struct sockaddr_un client_addr;
555         socklen_t client_len = sizeof(client_addr);
556
557         //Accept connections
558         int csockfd;
559         RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
560
561         //wait a little bit for parent to do it's job
562         usleep(200);
563
564         //cleanup and kill child
565         close(csockfd);
566         exit(0);
567     } else {    //parent process
568         //Drop root privileges
569         RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
570
571         //Wait for server to set up
572         sleep(1);
573
574         //Connect and check privileges
575         int sockfd = connect_to_testserver();
576         RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to create socket fd.");
577
578         result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
579         result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
580
581         close(sockfd);
582     }
583
584     //Both results (just like in the previous test case) should return success.
585     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
586     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
587 }
588
589 int apply_smack_rule(const char *subject, const char *object, const char *rule)
590 {
591     struct smack_accesses *ruleHandler = NULL;
592     if (smack_accesses_new(&ruleHandler) != 0)
593         goto error;
594     if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
595         goto error;
596     if (smack_accesses_apply(ruleHandler) != 0)
597         goto error;
598
599     smack_accesses_free(ruleHandler);
600     return 0;
601
602 error:
603     smack_accesses_free(ruleHandler);
604     return -1;
605 }
606
607 RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
608 {
609     int cookieSize = security_server_get_cookie_size();
610     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
611
612     std::vector<char> cookie(cookieSize);
613     int retval = security_server_request_cookie(&cookie[0], cookieSize);
614     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
615
616     //checking function
617     uid_t cookieUid, realUid;
618     realUid = getuid();
619     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
620     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
621     RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
622
623     //checking for input parameters
624     retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
625     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
626     retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
627     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
628 }
629
630 RUNNER_CHILD_TEST(tc11_security_server_get_uid_by_cookie)
631 {
632     int cookieSize = security_server_get_cookie_size();
633     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
634
635     std::vector<char> cookie(cookieSize);
636     int retval = security_server_request_cookie(&cookie[0], cookieSize);
637     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
638
639     //preapare SMACK environment
640     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
641     RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
642     //drop privileges
643     RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
644
645     //checking function
646     uid_t cookieUid;
647     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
648     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
649 }
650
651 RUNNER_CHILD_TEST(tc12_security_server_get_uid_by_cookie)
652 {
653     int cookieSize = security_server_get_cookie_size();
654     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
655
656     uid_t realUid = getuid();
657
658     std::vector<char> cookie(cookieSize);
659     int retval = security_server_request_cookie(&cookie[0], cookieSize);
660     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
661
662     //preapare SMACK environment
663     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
664     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
665     //drop privileges
666     RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
667
668     //checking function
669     uid_t cookieUid;
670     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
671     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
672     RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
673 }
674
675 RUNNER_CHILD_TEST(tc13_security_server_get_uid_by_cookie)
676 {
677     int cookieSize = security_server_get_cookie_size();
678     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
679
680     //preapare SMACK environment
681     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
682     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
683     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
684     //drop privileges
685     RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
686
687     std::vector<char> cookie(cookieSize);
688     int retval = security_server_request_cookie(&cookie[0], cookieSize);
689     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
690
691     //checking function
692     uid_t cookieUid, realUid = getuid();
693     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
694     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
695     RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
696 }
697
698 RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
699 {
700     int cookieSize = security_server_get_cookie_size();
701     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
702
703     std::vector<char> cookie(cookieSize);
704     int retval = security_server_request_cookie(&cookie[0], cookieSize);
705     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
706
707     //checking function
708     gid_t cookieGid, realGid;
709     realGid = getgid();
710     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
711     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
712     RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID");
713
714     //checking for input parameters
715     retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
716     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
717     retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
718     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
719
720 }
721
722 RUNNER_CHILD_TEST(tc15_security_server_get_gid_by_cookie)
723 {
724     int cookieSize = security_server_get_cookie_size();
725     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
726
727     std::vector<char> cookie(cookieSize);
728     int retval = security_server_request_cookie(&cookie[0], cookieSize);
729     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
730
731     //preapare SMACK environment
732     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
733     RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
734     //drop privileges
735     RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
736     RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
737
738     //checking function
739     gid_t cookieGid, realGid;
740     realGid = getgid();
741     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
742     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
743 }
744
745 RUNNER_CHILD_TEST(tc16_security_server_get_gid_by_cookie)
746 {
747     int cookieSize = security_server_get_cookie_size();
748     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
749
750     std::vector<char> cookie(cookieSize);
751
752     gid_t realGid = getgid();
753     int retval = security_server_request_cookie(&cookie[0], cookieSize);
754     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
755
756     //preapare SMACK environment
757     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
758     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
759     //drop privileges
760     RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
761     RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
762
763     //checking function
764     gid_t cookieGid;
765     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
766     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
767     RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
768 }
769
770 RUNNER_CHILD_TEST(tc17_security_server_get_gid_by_cookie)
771 {
772     int cookieSize = security_server_get_cookie_size();
773     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
774
775     //preapare SMACK environment
776     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
777     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
778     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
779     //drop privileges
780     RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
781     RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
782
783     std::vector<char> cookie(cookieSize);
784     int retval = security_server_request_cookie(&cookie[0], cookieSize);
785     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
786
787     //checking function
788     gid_t cookieGid, realGid = getgid();
789     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
790     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
791     RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
792 }
793
794
795 ////////////////////
796 /////MAIN///////////
797 ////////////////////
798
799 int main(int argc, char *argv[])
800 {
801     return
802         DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
803 }
Domain: Security / Uncategorized;