tests/security-server-tests/security_server_tests_client_smack.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4 /*
   5  * @file    security_server_tests_client_smack.cpp
   6  * @author  Bartlomiej Grzelewski (b.grzelewski@samsung.com)
   7  * @version 1.1
   8  * @brief   Test cases for security-server-client-smack.
   9  */
  10
  11 #include <sys/types.h>
  12 #include <sys/socket.h>
  13 #include <sys/smack.h>
  14 #include <sys/wait.h>
  15 #include <sys/un.h>
  16
  17 #include <dpl/log/log.h>
  18 #include <dpl/test/test_runner.h>
  19 #include <dpl/test/test_runner_child.h>
  20 #include "security_server_mockup.h"
  21
  22 #include <security-server.h>
  23
  24 #define ENVIRONMENT                                                  \
  25 do {                                                                 \
  26     const char *subject_label = "mylabel";                           \
  27     RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"),\
  28         "Cannot prepare environment for test.");                     \
  29     RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label),  \
  30         "Cannot prepare environment for test.");                     \
  31     RUNNER_ASSERT_MSG(-1 != setgid(1),                               \
  32         "Cannot prepare environment for test.");                     \
  33     RUNNER_ASSERT_MSG(-1 != setuid(1),                               \
  34         "Cannot prepare environment for test");                      \
  35 }while(0)
  36
  37 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
  38
  39 /*
  40  * test: Check cookie size returned by security_server_get_cookie_size.
  41  * description: Cookie used by security-server is 20 bytes long.
  42  * Any other size of cookies should be treated as error.
  43  * expected: Function security_server_get_cookie_size returns 20.
  44  */
  45 RUNNER_CHILD_TEST(tc01_security_server_get_cookie_size)
  46 {
  47     ENVIRONMENT;
  48
  49     int ret = security_server_get_cookie_size();
  50     RUNNER_ASSERT_MSG(20 == ret, "ret = " << ret);
  51 }
  52
  53 /*
  54  * test: security_server_request_cookie
  55  * description: Function security_server_request_cookie will return
  56  * 20 bytes long cookie.
  57  * expected: function will set up cookie in the array and return
  58  * SECURITY_SERVER_API_SUCCESS.
  59  */
  60 RUNNER_CHILD_TEST(tc02_security_server_request_cookie_normal_case)
  61 {
  62     ENVIRONMENT;
  63
  64     char cookie[20];
  65     int ret = security_server_request_cookie(cookie, 20);
  66     LogDebug("ret = " << ret);
  67     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == ret);
  68 }
  69
  70 /*
  71  * test: security_server_request_cookie
  72  * description: Function security_server_request_cookie will return
  73  * 20 bytes long cookie.
  74  * expected: function will set up cookie in the array and return
  75  * SECURITY_SERVER_API_SUCCESS.
  76  */
  77 RUNNER_CHILD_TEST(tc03_security_server_request_cookie_too_small_buffer_size)
  78 {
  79     ENVIRONMENT;
  80
  81     char cookie[20];
  82     int ret = security_server_request_cookie(cookie, 10);
  83     LogDebug("ret = " << ret);
  84     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
  85 }
  86
  87 /*
  88  * test: tc04_security_server_get_gid_client_is_not_allowed
  89  * description: ??
  90  * expected: security_server_get_gid should return AUTHENTICATION_FAILED
  91  */
  92 RUNNER_CHILD_TEST(tc04_security_server_get_gid_client_is_not_allowed)
  93 {
  94     ENVIRONMENT;
  95
  96     int ret = security_server_get_gid("telephony");
  97     LogDebug("ret = " << ret);
  98     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED == ret);
  99 }
 100
 101 /*
 102  * test: tc05_check_privilege_by_cookie
 103  * description: Function security_server_check_privilege_by_cookie should
 104  * return status of access rights of cookie owner. In this case cookie owner
 105  * is the same process that ask for the rights.
 106  * expected: Function call with access rights set to "r" should return SUCCESS,
 107  * with "rw" should return ACCESS DENIED.
 108  */
 109 RUNNER_CHILD_TEST(tc05_check_privilege_by_cookie)
 110 {
 111     char cookie[20];
 112     const char *object_label = "tc05objectlabel";
 113     const char *access_rights = "r";
 114     const char *access_rights_ext = "rw";
 115     const char *subject_label = "tc05subjectlabel";
 116
 117     smack_accesses *handle;
 118
 119     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
 120
 121     RUNNER_ASSERT(0 == smack_accesses_add(handle,
 122                                           subject_label,
 123                                           object_label,
 124                                           access_rights));
 125
 126     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
 127
 128     smack_accesses_free(handle);
 129
 130     RUNNER_ASSERT(0 == smack_set_label_for_self(subject_label));
 131
 132     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
 133         security_server_request_cookie(cookie,20));
 134
 135     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
 136         security_server_check_privilege_by_cookie(
 137             cookie,
 138             object_label,
 139             access_rights));
 140
 141     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
 142         security_server_check_privilege_by_cookie(
 143             cookie,
 144             object_label,
 145             access_rights_ext));
 146
 147 }
 148
 149 /*
 150  * test: security_server_check_privilege_by_sockfd
 151  * description: This test will create dummy server that will accept connection
 152  * and die. The client will try to check access rights using connection descriptor.
 153  * expected: Function call with access rights set to "r" should return SUCCESS,
 154  * with "rw" should return ACCESS DENIED.
 155  */
 156 RUNNER_TEST(tc06_check_privilege_by_sockfd)
 157 {
 158
 159     const char *object_label = "tc06objectlabel";
 160     const char *access_rights = "r";
 161     const char *access_rights_ext = "rw";
 162     const char *subject_label = "tc06subjectlabel";
 163
 164     int result1 = -1;
 165     int result2 = -1;
 166
 167     smack_accesses *handle;
 168     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
 169     RUNNER_ASSERT(0 == smack_accesses_add(handle,
 170                                           subject_label,
 171                                           object_label,
 172                                           access_rights));
 173     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
 174     smack_accesses_free(handle);
 175
 176     int pid = fork();
 177     RUNNER_ASSERT(-1 != pid);
 178
 179     if (0 == pid) {
 180         // child
 181         if (0 != smack_set_label_for_self(subject_label)) {
 182             LogDebug("child, failed");
 183             exit(1);
 184         }
 185
 186         LogDebug("child, create_new_socket");
 187         int sockfd = create_new_socket();
 188
 189         LogDebug("child, listen");
 190         if (listen(sockfd, 5) < 0) {
 191             LogDebug("child, exit");
 192             exit(1);
 193         }
 194         LogDebug("child, accept");
 195
 196         struct sockaddr_un client_addr;
 197         socklen_t client_len = sizeof(client_addr);
 198         int csockfd;
 199         while(0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
 200             LogDebug("child, loop");
 201             close(csockfd);
 202         }
 203         LogDebug("Exit!");
 204         exit(1);
 205     } else {
 206         // parent
 207         LogDebug("Parent, sleep 2");
 208         sleep(1);
 209         int sockfd = connect_to_testserver();
 210         LogDebug("Parent: sockfd: " << sockfd);
 211         if (sockfd >= 0) {
 212             result1 = security_server_check_privilege_by_sockfd(
 213                 sockfd,
 214                 object_label,
 215                 access_rights);
 216             result2 = security_server_check_privilege_by_sockfd(
 217                 sockfd,
 218                 object_label,
 219                 access_rights_ext);
 220         }
 221         LogDebug("Parent: Close desc");
 222         close(sockfd);
 223         LogDebug("Parent: killing child");
 224         kill(pid, SIGKILL);
 225     }
 226
 227     int status;
 228     waitpid(pid, &status, 0);
 229
 230     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == result1);
 231     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2);
 232 }
 233
 234 /*
 235  * test: security_server_check_privilege_by_sockfd
 236  * description: This test will create dummy server that will accept connection
 237  * and die. The client will try to check access rights using connection descriptor.
 238  * Unfortunatelly in this cases smack_set_label_for_self will not change label
 239  * connected with unix socket. Thats why this test will fail.
 240  * expected: Function call with access rights set to "r" should return SUCCESS,
 241  * with "rw" should return ACCESS DENIED.
 242  */
 243 RUNNER_TEST(tc07_check_privilege_by_sockfd)
 244 {
 245
 246     const char *object_label = "tc07objectlabel";
 247     const char *access_rights = "r";
 248     const char *access_rights_ext = "rw";
 249     const char *subject_label = "tc07subjectlabel";
 250
 251     int result1 = -1;
 252     int result2 = -1;
 253
 254     smack_accesses *handle;
 255     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
 256     RUNNER_ASSERT(0 == smack_accesses_add(handle,
 257                                           subject_label,
 258                                           object_label,
 259                                           access_rights));
 260     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
 261     smack_accesses_free(handle);
 262
 263     int pid = fork();
 264     RUNNER_ASSERT(-1 != pid);
 265
 266     if (0 == pid) {
 267         // child
 268         LogDebug("child, create_new_socket");
 269         int sockfd = create_new_socket();
 270
 271         if (0 != smack_set_label_for_self(subject_label)) {
 272             LogDebug("child, failed");
 273             exit(1);
 274         }
 275
 276         LogDebug("child, listen");
 277         if (listen(sockfd, 5) < 0) {
 278             LogDebug("child, exit");
 279             exit(1);
 280         }
 281         LogDebug("child, accept");
 282
 283         struct sockaddr_un client_addr;
 284         socklen_t client_len = sizeof(client_addr);
 285         int csockfd;
 286         while(0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
 287             LogDebug("child, loop");
 288             close(csockfd);
 289         }
 290         LogDebug("Exit!");
 291         exit(1);
 292     } else {
 293         // parent
 294         LogDebug("Parent, sleep 2");
 295         sleep(2);
 296         int sockfd = connect_to_testserver();
 297         LogDebug("Parent: sockfd: " << sockfd);
 298         if (sockfd >= 0) {
 299             result1 = security_server_check_privilege_by_sockfd(
 300                 sockfd,
 301                 object_label,
 302                 access_rights);
 303             result2 = security_server_check_privilege_by_sockfd(
 304                 sockfd,
 305                 object_label,
 306                 access_rights_ext);
 307         }
 308         LogDebug("Parent: Close desc");
 309         close(sockfd);
 310         LogDebug("Parent: killing child");
 311         kill(pid, SIGKILL);
 312     }
 313
 314     int status;
 315     waitpid(pid, &status, 0);
 316
 317     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == result1);
 318     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2);
 319 }
 320
 321 int main(int argc, char *argv[])
 322 {
 323     return
 324         DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 325 }