2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
5 * @file security_server_tests_client_smack.cpp
6 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
8 * @brief Test cases for security-server-client-smack.
13 #include <sys/types.h>
14 #include <sys/socket.h>
15 #include <sys/smack.h>
25 #include <dpl/log/log.h>
26 #include <dpl/test/test_runner.h>
27 #include <dpl/test/test_runner_child.h>
28 #include <dpl/test/test_runner_multiprocess.h>
29 #include "security_server_mockup.h"
31 #include <security-server.h>
33 #include "tests_common.h"
35 #define PROPER_COOKIE_SIZE 20
39 const char *subject_label = "mylabel"; \
40 RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"), \
41 "Cannot prepare environment for test."); \
42 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), \
43 "Cannot prepare environment for test."); \
44 RUNNER_ASSERT_MSG(-1 != setgid(1), \
45 "Cannot prepare environment for test."); \
46 RUNNER_ASSERT_MSG(-1 != setuid(1), \
47 "Cannot prepare environment for test"); \
52 * Environment preparation should only differ in setting label. On NOSMACK system
53 * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
55 #define ENVIRONMENT_NOSMACK \
57 int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
58 RUNNER_ASSERT_MSG(fd >= 0, \
59 "Couldn't create pid_cycle file. errno: " << strerror(errno));\
61 RUNNER_ASSERT_MSG(-1 != setgid(1), \
62 "Cannot prepare environment for test."); \
63 RUNNER_ASSERT_MSG(-1 != setuid(1), \
64 "Cannot prepare environment for test"); \
69 * Unique_ptr typedef for NOSMACK version of tc06 test
71 void closesockfdptr(int* sockfd_ptr)
75 typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
78 * Dropping root privileges
79 * returns 0 on success, 1 on error
81 int drop_root_privileges()
84 /* process is running as root, drop privileges */
85 if (setgid(5000) != 0)
87 if (setuid(5000) != 0)
97 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
100 * test: Check cookie size returned by security_server_get_cookie_size.
101 * description: Cookie used by security-server is 20 bytes long.
102 * Any other size of cookies should be treated as error.
103 * expected: Function security_server_get_cookie_size returns 20.
105 RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
109 int ret = security_server_get_cookie_size();
110 RUNNER_ASSERT_MSG(20 == ret, "ret = " << ret);
114 * test: security_server_request_cookie
115 * description: Function security_server_request_cookie will return
116 * 20 bytes long cookie.
117 * expected: function will set up cookie in the array and return
118 * SECURITY_SERVER_API_SUCCESS.
120 RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
125 int ret = security_server_request_cookie(cookie, 20);
126 LogDebug("ret = " << ret);
127 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == ret);
131 * test: security_server_request_cookie
132 * description: Function security_server_request_cookie will return
133 * 20 bytes long cookie.
134 * expected: function will set up cookie in the array and return
135 * SECURITY_SERVER_API_SUCCESS.
137 RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
142 int ret = security_server_request_cookie(cookie, 10);
143 LogDebug("ret = " << ret);
144 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
148 * test: tc04_security_server_get_gid
149 * description: Checking for security_server_get_gid
150 * with nonexisting gid and existing one
151 * expected: security_server_get_gid should return
152 * SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
153 * and group id with second call
155 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
159 int ret = security_server_get_gid("abc123xyz_pysiaczek");
160 LogDebug("ret = " << ret);
161 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
162 ret = security_server_get_gid("root");
163 LogDebug("ret = " << ret);
164 RUNNER_ASSERT_MSG(0 == ret, "Ret: " << ret);
168 * test: tc05_check_privilege_by_cookie
169 * description: Function security_server_check_privilege_by_cookie should
170 * return status of access rights of cookie owner. In this case cookie owner
171 * is the same process that ask for the rights.
172 * expected: Function call with access rights set to "r" should return SUCCESS,
173 * with "rw" should return ACCESS DENIED.
175 RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
178 const char *object_label = "tc05objectlabel";
179 const char *access_rights = "r";
180 const char *access_rights_ext = "rw";
181 const char *subject_label = "tc05subjectlabel";
183 smack_accesses *handle;
185 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
187 RUNNER_ASSERT(0 == smack_accesses_add(handle,
192 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
194 smack_accesses_free(handle);
196 RUNNER_ASSERT(0 == smack_set_label_for_self(subject_label));
198 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
199 security_server_request_cookie(cookie,20));
201 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
203 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
204 security_server_check_privilege_by_cookie(
209 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
210 security_server_check_privilege_by_cookie(
217 * test: security_server_check_privilege_by_sockfd
218 * description: This test will create dummy server that will accept connection
219 * and die. The client will try to check access rights using connection descriptor.
220 * expected: Function call with access rights set to "r" should return SUCCESS,
221 * with "rw" should return ACCESS DENIED.
223 RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
225 const char *object_label = "tc06objectlabel";
226 const char *access_rights = "r";
227 const char *access_rights_ext = "rw";
228 const char *subject_label = "tc06subjectlabel";
233 smack_accesses *handle;
234 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
235 RUNNER_ASSERT(0 == smack_accesses_add(handle,
239 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
240 smack_accesses_free(handle);
244 RUNNER_ASSERT(-1 != pid);
248 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
250 int sockfd = create_new_socket();
251 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
253 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
255 label = security_server_get_smacklabel_sockfd(sockfd);
256 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
257 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
260 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
262 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
264 label = security_server_get_smacklabel_sockfd(sockfd);
265 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
266 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
269 struct sockaddr_un client_addr;
270 socklen_t client_len = sizeof(client_addr);
272 RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
281 int sockfd = connect_to_testserver();
282 RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
284 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
286 label = security_server_get_smacklabel_sockfd(sockfd);
287 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
288 RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
291 result1 = security_server_check_privilege_by_sockfd(
295 result2 = security_server_check_privilege_by_sockfd(
301 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
302 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
306 * test: security_server_check_privilege_by_sockfd
307 * description: This test will create dummy server that will accept connection
308 * and die. The client will try to check access rights using connection descriptor.
309 * Because we read a smack label not from socket directly, but from from pid of process
310 * on the other end of socket - that's why smack label will be updated.
311 * In this test client is running under root and server is not - to test the extreme case.
312 * expected: Function call with access rights set to "r" should return SUCCESS,
313 * with "rw" should return ACCESS DENIED.
315 RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
317 const char *object_label = "tc07objectlabel";
318 const char *access_rights = "r";
319 const char *access_rights_ext = "rw";
320 const char *subject_label = "tc07subjectlabel";
325 smack_accesses *handle;
326 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
327 RUNNER_ASSERT(0 == smack_accesses_add(handle,
331 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
332 smack_accesses_free(handle);
335 RUNNER_ASSERT(-1 != pid);
340 RUNNER_ASSERT(-1 != pid);
344 int sockfd = create_new_socket();
345 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
347 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
349 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
351 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
353 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
355 struct sockaddr_un client_addr;
356 socklen_t client_len = sizeof(client_addr);
357 int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
365 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
368 int sockfd = connect_to_testserver();
369 RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
371 result1 = security_server_check_privilege_by_sockfd(
375 result2 = security_server_check_privilege_by_sockfd(
382 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
383 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
388 ///////////////////////////
389 /////NOSMACK ENV TESTS/////
390 ///////////////////////////
393 * First four test cases are the same as their SMACK versions. The only difference is environment
394 * preparation (described near ENVIRONMENT_NOSMACK macro).
396 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
400 int ret = security_server_get_cookie_size();
401 RUNNER_ASSERT_MSG(ret == 20, "ret = " << ret);
404 RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
409 int ret = security_server_request_cookie(cookie, 20);
410 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
413 RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
418 int ret = security_server_request_cookie(cookie, 10);
419 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
422 RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
426 int ret = security_server_get_gid("definitely_not_existing_object");
427 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
428 ret = security_server_get_gid("root");
429 RUNNER_ASSERT_MSG(ret == 0, "ret = " << ret);
433 * NOSMACK version of tc05 test.
435 * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
436 * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
437 * should return SUCCESS no matter what access_rights we give to this function.
439 RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
442 const char* object_label = "tc05objectlabel";
444 RUNNER_ASSERT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
446 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
448 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
449 security_server_check_privilege_by_cookie(cookie, object_label, "r"));
451 //On NOSMACK env security server should return success on any accesses, even those that are
453 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
454 security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
458 * NOSMACK version of tc06 test.
460 * Differences between this and SMACK version (server):
461 * - Skipped setting access_rights
462 * - Skipped setting label for server
463 * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
464 * of socket (because it should do nothing when SMACK is off)
465 * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
468 * For client the only difference are expected results from check_privilege_by_sockfd - both should
471 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
473 const char* object_label = "tc06objectlabel";
480 RUNNER_ASSERT(pid >= 0);
484 if (pid == 0) { //child process - server
486 int sockfd = create_new_socket();
487 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
489 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
491 //check if get_smacklabel_sockfd works correctly
492 label = security_server_get_smacklabel_sockfd(sockfd);
493 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
494 ret = strcmp(label, "");
496 RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
498 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
500 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
502 struct sockaddr_un client_addr;
503 socklen_t client_len = sizeof(client_addr);
506 RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
508 //wait a little bit for parent to do it's job
511 //if everything works, cleanup and return 0
517 int sockfd = connect_to_testserver();
518 RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to connect to server.");
520 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
522 label = security_server_get_smacklabel_sockfd(sockfd);
523 RUNNER_ASSERT_MSG(label != NULL, "get_smacklabel_sockfd failed.");
524 ret = strcmp(label, "");
526 RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
528 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
529 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
532 RUNNER_ASSERT_MSG(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
533 RUNNER_ASSERT_MSG(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
537 * NOSMACK version of tc07 test.
539 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
541 const char* object_label = "tc07objectlabel";
547 RUNNER_ASSERT(-1 != pid);
552 RUNNER_ASSERT(-1 != pid);
554 if (pid == 0) { //child process
556 int sockfd = create_new_socket();
557 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
559 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
562 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
564 //Prepare for accepting
565 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
567 struct sockaddr_un client_addr;
568 socklen_t client_len = sizeof(client_addr);
572 RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
574 //wait a little bit for parent to do it's job
577 //cleanup and kill child
580 } else { //parent process
581 //Drop root privileges
582 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
584 //Wait for server to set up
587 //Connect and check privileges
588 int sockfd = connect_to_testserver();
589 RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to create socket fd.");
591 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
592 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
596 //Both results (just like in the previous test case) should return success.
597 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
598 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
603 int apply_smack_rule(const char *subject, const char *object, const char *rule)
605 struct smack_accesses *ruleHandler = NULL;
606 if (smack_accesses_new(&ruleHandler) != 0)
608 if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
610 if (smack_accesses_apply(ruleHandler) != 0)
613 smack_accesses_free(ruleHandler);
617 smack_accesses_free(ruleHandler);
621 RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
623 int cookieSize = security_server_get_cookie_size();
624 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
626 std::vector<char> cookie(cookieSize);
627 int retval = security_server_request_cookie(&cookie[0], cookieSize);
628 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
631 uid_t cookieUid, realUid;
633 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
634 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
635 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
637 //checking for input parameters
638 retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
639 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
640 retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
641 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
644 RUNNER_CHILD_TEST_SMACK(tc11_security_server_get_uid_by_cookie_smack)
646 int cookieSize = security_server_get_cookie_size();
647 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
649 std::vector<char> cookie(cookieSize);
650 int retval = security_server_request_cookie(&cookie[0], cookieSize);
651 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
653 //preapare SMACK environment
654 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
655 RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
657 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
661 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
662 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
665 RUNNER_CHILD_TEST_SMACK(tc12_security_server_get_uid_by_cookie_smack)
667 int cookieSize = security_server_get_cookie_size();
668 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
670 uid_t realUid = getuid();
672 std::vector<char> cookie(cookieSize);
673 int retval = security_server_request_cookie(&cookie[0], cookieSize);
674 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
676 //preapare SMACK environment
677 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
678 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
680 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
684 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
685 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
686 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
689 RUNNER_CHILD_TEST_NOSMACK(tc12_security_server_get_uid_by_cookie_nosmack)
691 int cookieSize = security_server_get_cookie_size();
692 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
694 uid_t realUid = getuid();
696 std::vector<char> cookie(cookieSize);
697 int retval = security_server_request_cookie(&cookie[0], cookieSize);
698 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
701 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
705 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
706 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
707 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
710 RUNNER_CHILD_TEST_SMACK(tc13_security_server_get_uid_by_cookie_smack)
712 int cookieSize = security_server_get_cookie_size();
713 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
715 //preapare SMACK environment
716 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
717 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
718 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
720 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
722 std::vector<char> cookie(cookieSize);
723 int retval = security_server_request_cookie(&cookie[0], cookieSize);
724 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
727 uid_t cookieUid, realUid = getuid();
728 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
729 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
730 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
733 RUNNER_CHILD_TEST_NOSMACK(tc13_security_server_get_uid_by_cookie_nosmack)
735 int cookieSize = security_server_get_cookie_size();
736 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
739 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
741 std::vector<char> cookie(cookieSize);
742 int retval = security_server_request_cookie(&cookie[0], cookieSize);
743 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
746 uid_t cookieUid, realUid = getuid();
747 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
748 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
749 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
752 RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
754 int cookieSize = security_server_get_cookie_size();
755 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
757 std::vector<char> cookie(cookieSize);
758 int retval = security_server_request_cookie(&cookie[0], cookieSize);
759 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
762 gid_t cookieGid, realGid;
764 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
765 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
766 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID");
768 //checking for input parameters
769 retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
770 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
771 retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
772 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
776 RUNNER_CHILD_TEST_SMACK(tc15_security_server_get_gid_by_cookie_smack)
778 int cookieSize = security_server_get_cookie_size();
779 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
781 std::vector<char> cookie(cookieSize);
782 int retval = security_server_request_cookie(&cookie[0], cookieSize);
783 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
785 //preapare SMACK environment
786 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
787 RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
789 RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
790 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
793 gid_t cookieGid, realGid;
795 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
796 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
799 RUNNER_CHILD_TEST_SMACK(tc16_security_server_get_gid_by_cookie_smack)
801 int cookieSize = security_server_get_cookie_size();
802 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
804 std::vector<char> cookie(cookieSize);
806 gid_t realGid = getgid();
807 int retval = security_server_request_cookie(&cookie[0], cookieSize);
808 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
810 //preapare SMACK environment
811 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
812 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
814 RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
815 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
819 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
820 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
821 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
824 RUNNER_CHILD_TEST_NOSMACK(tc16_security_server_get_gid_by_cookie_nosmack)
826 int cookieSize = security_server_get_cookie_size();
827 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
829 std::vector<char> cookie(cookieSize);
831 gid_t realGid = getgid();
832 int retval = security_server_request_cookie(&cookie[0], cookieSize);
833 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
836 RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
837 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
841 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
842 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
843 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
846 RUNNER_CHILD_TEST_SMACK(tc17_security_server_get_gid_by_cookie_smack)
848 int cookieSize = security_server_get_cookie_size();
849 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
851 //preapare SMACK environment
852 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
853 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
854 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
856 RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
857 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
859 std::vector<char> cookie(cookieSize);
860 int retval = security_server_request_cookie(&cookie[0], cookieSize);
861 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
864 gid_t cookieGid, realGid = getgid();
865 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
866 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
867 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
870 RUNNER_CHILD_TEST_NOSMACK(tc17_security_server_get_gid_by_cookie_nosmack)
872 int cookieSize = security_server_get_cookie_size();
873 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
876 RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
877 RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
879 std::vector<char> cookie(cookieSize);
880 int retval = security_server_request_cookie(&cookie[0], cookieSize);
881 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
884 gid_t cookieGid, realGid = getgid();
885 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
886 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
887 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
890 RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) {
895 char *label_smack = NULL;
896 char *label_ss = NULL;
899 int cookie_size = security_server_get_cookie_size();
900 RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size, "Wrong cookie size from security-server");
904 cookie = (char*) calloc(cookie_size, 1);
905 RUNNER_ASSERT_MSG(NULL != cookie, "Memory allocation error");
907 res = security_server_request_cookie(cookie, cookie_size);
908 if (res != SECURITY_SERVER_API_SUCCESS) {
910 RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS, "Error in requesting cookie from security-server");
913 label_ss = security_server_get_smacklabel_cookie(cookie);
915 RUNNER_ASSERT_MSG(label_ss != NULL, "Error in getting label by cookie");
918 std::string label_cookie(label_ss);
921 res = smack_new_label_from_self(&label_smack);
924 RUNNER_ASSERT_MSG(res == 0, "Error in getting self SMACK label");
926 std::string label_self(label_smack ? label_smack : "");
929 RUNNER_ASSERT_MSG(label_self == label_cookie, "No match in SMACK labels");
932 //TODO: here could be label change using SMACK API and checking if it
933 //is changed using security-server API function based on the same cookie
937 * NOSMACK version of tc_security_server_get_smacklabel_cookie test.
939 * Most of this test goes exactly as the original one. The only difference are the labels:
940 * - We assume that libsmack tests passed and smack_new_label_from_self will return -1 and NULL
941 * label - there is no need to re-check it.
942 * - Label acquired from security_server_get_smacklabel_cookie should be an empty string.
944 RUNNER_TEST_NOSMACK(tc18_security_server_get_smacklabel_cookie_nosmack) {
949 char* label_ss = NULL;
952 int cookie_size = security_server_get_cookie_size();
953 RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size,
954 "Wrong cookie size from security-server. Size: " << cookie_size);
956 cookie = (char*) calloc(cookie_size, sizeof(char));
957 RUNNER_ASSERT_MSG(NULL != cookie, "Memory allocation error");
961 //Request cookie from SS
962 res = security_server_request_cookie(cookie, cookie_size);
963 std::unique_ptr<char, std::function<void(char*)> > cookie_ptr(cookie, free);
965 RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS,
966 "Error in requesting cookie from security-server. Result: " << res);
968 label_ss = security_server_get_smacklabel_cookie(cookie_ptr.get());
969 RUNNER_ASSERT_MSG(label_ss != NULL, "Error in getting label by cookie");
971 //Check if label_ss is correct, that is only one NULL character.
972 if (label_ss[0] != '\0') {
974 RUNNER_ASSERT_MSG(label_ss[0] == '\0', "label_ss was not an empty string.");
984 int main(int argc, char *argv[])
987 DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);