tests/security-server-tests/security_server_tests_client_smack.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4 /*
   5  * @file    security_server_tests_client_smack.cpp
   6  * @author  Bartlomiej Grzelewski (b.grzelewski@samsung.com)
   7  * @version 1.1
   8  * @brief   Test cases for security-server-client-smack.
   9  */
  10
  11 #include <sys/types.h>
  12 #include <sys/socket.h>
  13 #include <sys/smack.h>
  14 #include <sys/wait.h>
  15 #include <sys/un.h>
  16
  17 #include <dpl/log/log.h>
  18 #include <dpl/test/test_runner.h>
  19 #include <dpl/test/test_runner_child.h>
  20 #include "security_server_mockup.h"
  21
  22 #include <security-server.h>
  23
  24 #define ENVIRONMENT                                                  \
  25 do {                                                                 \
  26     const char *subject_label = "mylabel";                           \
  27     RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"),\
  28         "Cannot prepare environment for test.");                     \
  29     RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label),  \
  30         "Cannot prepare environment for test.");                     \
  31     RUNNER_ASSERT_MSG(-1 != setgid(1),                               \
  32         "Cannot prepare environment for test.");                     \
  33     RUNNER_ASSERT_MSG(-1 != setuid(1),                               \
  34         "Cannot prepare environment for test");                      \
  35 }while(0)
  36
  37 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
  38
  39 /*
  40  * test: Check cookie size returned by security_server_get_cookie_size.
  41  * description: Cookie used by security-server is 20 bytes long.
  42  * Any other size of cookies should be treated as error.
  43  * expected: Function security_server_get_cookie_size returns 20.
  44  */
  45 RUNNER_CHILD_TEST(tc01_security_server_get_cookie_size)
  46 {
  47     ENVIRONMENT;
  48
  49     int ret = security_server_get_cookie_size();
  50     RUNNER_ASSERT_MSG(20 == ret, "ret = " << ret);
  51 }
  52
  53 /*
  54  * test: security_server_request_cookie
  55  * description: Function security_server_request_cookie will return
  56  * 20 bytes long cookie.
  57  * expected: function will set up cookie in the array and return
  58  * SECURITY_SERVER_API_SUCCESS.
  59  */
  60 RUNNER_CHILD_TEST(tc02_security_server_request_cookie_normal_case)
  61 {
  62     ENVIRONMENT;
  63
  64     char cookie[20];
  65     int ret = security_server_request_cookie(cookie, 20);
  66     LogDebug("ret = " << ret);
  67     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == ret);
  68 }
  69
  70 /*
  71  * test: security_server_request_cookie
  72  * description: Function security_server_request_cookie will return
  73  * 20 bytes long cookie.
  74  * expected: function will set up cookie in the array and return
  75  * SECURITY_SERVER_API_SUCCESS.
  76  */
  77 RUNNER_CHILD_TEST(tc03_security_server_request_cookie_too_small_buffer_size)
  78 {
  79     ENVIRONMENT;
  80
  81     char cookie[20];
  82     int ret = security_server_request_cookie(cookie, 10);
  83     LogDebug("ret = " << ret);
  84     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
  85 }
  86
  87 /*
  88  * test: tc04_security_server_get_gid
  89  * description: Checking for security_server_get_gid
  90  *              with nonexisting gid and existing one
  91  * expected: security_server_get_gid should return
  92  *           SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
  93  *           and group id with second call
  94  */
  95 RUNNER_CHILD_TEST(tc04_security_server_get_gid)
  96 {
  97     ENVIRONMENT;
  98
  99     int ret = security_server_get_gid("abc123xyz_pysiaczek");
 100     LogDebug("ret = " << ret);
 101     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
 102     ret = security_server_get_gid("root");
 103     LogDebug("ret = " << ret);
 104     RUNNER_ASSERT_MSG(0 == ret, "Ret: " << ret);
 105 }
 106
 107 /*
 108  * test: tc05_check_privilege_by_cookie
 109  * description: Function security_server_check_privilege_by_cookie should
 110  * return status of access rights of cookie owner. In this case cookie owner
 111  * is the same process that ask for the rights.
 112  * expected: Function call with access rights set to "r" should return SUCCESS,
 113  * with "rw" should return ACCESS DENIED.
 114  */
 115 RUNNER_CHILD_TEST(tc05_check_privilege_by_cookie)
 116 {
 117     char cookie[20];
 118     const char *object_label = "tc05objectlabel";
 119     const char *access_rights = "r";
 120     const char *access_rights_ext = "rw";
 121     const char *subject_label = "tc05subjectlabel";
 122
 123     smack_accesses *handle;
 124
 125     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
 126
 127     RUNNER_ASSERT(0 == smack_accesses_add(handle,
 128                                           subject_label,
 129                                           object_label,
 130                                           access_rights));
 131
 132     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
 133
 134     smack_accesses_free(handle);
 135
 136     RUNNER_ASSERT(0 == smack_set_label_for_self(subject_label));
 137
 138     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
 139         security_server_request_cookie(cookie,20));
 140
 141     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
 142         security_server_check_privilege_by_cookie(
 143             cookie,
 144             object_label,
 145             access_rights));
 146
 147     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
 148         security_server_check_privilege_by_cookie(
 149             cookie,
 150             object_label,
 151             access_rights_ext));
 152
 153 }
 154
 155 /*
 156  * test: security_server_check_privilege_by_sockfd
 157  * description: This test will create dummy server that will accept connection
 158  * and die. The client will try to check access rights using connection descriptor.
 159  * expected: Function call with access rights set to "r" should return SUCCESS,
 160  * with "rw" should return ACCESS DENIED.
 161  */
 162 RUNNER_TEST(tc06_check_privilege_by_sockfd)
 163 {
 164
 165     const char *object_label = "tc06objectlabel";
 166     const char *access_rights = "r";
 167     const char *access_rights_ext = "rw";
 168     const char *subject_label = "tc06subjectlabel";
 169
 170     int result1 = -1;
 171     int result2 = -1;
 172
 173     smack_accesses *handle;
 174     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
 175     RUNNER_ASSERT(0 == smack_accesses_add(handle,
 176                                           subject_label,
 177                                           object_label,
 178                                           access_rights));
 179     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
 180     smack_accesses_free(handle);
 181
 182     int pid = fork();
 183     char *label;
 184     RUNNER_ASSERT(-1 != pid);
 185
 186     if (0 == pid) {
 187         // child
 188         if (0 != smack_set_label_for_self(subject_label)) {
 189             LogDebug("child, failed");
 190             exit(1);
 191         }
 192
 193         LogDebug("child, create_new_socket");
 194         int sockfd = create_new_socket();
 195
 196
 197         label = security_server_get_smacklabel_sockfd(sockfd);
 198         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
 199         RUNNER_ASSERT_MSG(strcmp(label,"")==0, "label is \""<< label<<"\"");
 200         free(label);
 201
 202         LogDebug("child, listen");
 203         if (listen(sockfd, 5) < 0) {
 204             LogDebug("child, exit");
 205             exit(1);
 206         }
 207
 208         label = security_server_get_smacklabel_sockfd(sockfd);
 209         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
 210         RUNNER_ASSERT_MSG(strcmp(label,"")==0, "label is \""<< label<<"\"");
 211         free(label);
 212
 213
 214         LogDebug("child, accept");
 215         struct sockaddr_un client_addr;
 216         socklen_t client_len = sizeof(client_addr);
 217         int csockfd;
 218         while(0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
 219             LogDebug("child, loop");
 220             close(csockfd);
 221         }
 222
 223
 224         label = security_server_get_smacklabel_sockfd(sockfd);
 225         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
 226         RUNNER_ASSERT_MSG(strcmp(label,subject_label)==0, "label is \""<< label<<"\"" << "subject_label is \""<< subject_label<<"\"" );
 227         free(label);
 228
 229         LogDebug("Exit!");
 230         exit(1);
 231     } else {
 232         // parent
 233         LogDebug("Parent, sleep 2");
 234         sleep(1);
 235         int sockfd = connect_to_testserver();
 236
 237         label = security_server_get_smacklabel_sockfd(sockfd);
 238         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
 239         RUNNER_ASSERT_MSG(strcmp(label,subject_label)==0, "label is \""<< label<<"\"" << "subject_label is \""<< subject_label<<"\"" );
 240         free(label);
 241
 242         LogDebug("Parent: sockfd: " << sockfd);
 243         if (sockfd >= 0) {
 244             result1 = security_server_check_privilege_by_sockfd(
 245                 sockfd,
 246                 object_label,
 247                 access_rights);
 248             result2 = security_server_check_privilege_by_sockfd(
 249                 sockfd,
 250                 object_label,
 251                 access_rights_ext);
 252         }
 253         LogDebug("Parent: Close desc");
 254         close(sockfd);
 255         LogDebug("Parent: killing child");
 256         kill(pid, SIGKILL);
 257     }
 258
 259     int status;
 260     waitpid(pid, &status, 0);
 261
 262     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == result1);
 263     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2);
 264 }
 265
 266 /*
 267  * test: security_server_check_privilege_by_sockfd
 268  * description: This test will create dummy server that will accept connection
 269  * and die. The client will try to check access rights using connection descriptor.
 270  * Unfortunatelly in this cases smack_set_label_for_self will not change label
 271  * connected with unix socket. Thats why this test will fail.
 272  * expected: Function call with access rights set to "r" should return SUCCESS,
 273  * with "rw" should return ACCESS DENIED.
 274  */
 275 RUNNER_TEST(tc07_check_privilege_by_sockfd)
 276 {
 277
 278     const char *object_label = "tc07objectlabel";
 279     const char *access_rights = "r";
 280     const char *access_rights_ext = "rw";
 281     const char *subject_label = "tc07subjectlabel";
 282
 283     int result1 = -1;
 284     int result2 = -1;
 285
 286     smack_accesses *handle;
 287     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
 288     RUNNER_ASSERT(0 == smack_accesses_add(handle,
 289                                           subject_label,
 290                                           object_label,
 291                                           access_rights));
 292     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
 293     smack_accesses_free(handle);
 294
 295     int pid = fork();
 296     RUNNER_ASSERT(-1 != pid);
 297
 298     if (0 == pid) {
 299         // child
 300         LogDebug("child, create_new_socket");
 301         int sockfd = create_new_socket();
 302
 303         if (0 != smack_set_label_for_self(subject_label)) {
 304             LogDebug("child, failed");
 305             exit(1);
 306         }
 307
 308         LogDebug("child, listen");
 309         if (listen(sockfd, 5) < 0) {
 310             LogDebug("child, exit");
 311             exit(1);
 312         }
 313         LogDebug("child, accept");
 314
 315         struct sockaddr_un client_addr;
 316         socklen_t client_len = sizeof(client_addr);
 317         int csockfd;
 318         while(0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
 319             LogDebug("child, loop");
 320             close(csockfd);
 321         }
 322         LogDebug("Exit!");
 323         exit(1);
 324     } else {
 325         // parent
 326         LogDebug("Parent, sleep 2");
 327         sleep(2);
 328         int sockfd = connect_to_testserver();
 329         LogDebug("Parent: sockfd: " << sockfd);
 330         if (sockfd >= 0) {
 331             result1 = security_server_check_privilege_by_sockfd(
 332                 sockfd,
 333                 object_label,
 334                 access_rights);
 335             result2 = security_server_check_privilege_by_sockfd(
 336                 sockfd,
 337                 object_label,
 338                 access_rights_ext);
 339         }
 340         LogDebug("Parent: Close desc");
 341         close(sockfd);
 342         LogDebug("Parent: killing child");
 343         kill(pid, SIGKILL);
 344     }
 345
 346     int status;
 347     waitpid(pid, &status, 0);
 348
 349     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result1);
 350     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2);
 351 }
 352
 353 int main(int argc, char *argv[])
 354 {
 355     return
 356         DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 357 }