2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
5 * @file security_server_tests_client_smack.cpp
6 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
8 * @brief Test cases for security-server-client-smack.
11 #include <sys/types.h>
12 #include <sys/socket.h>
13 #include <sys/smack.h>
17 #include <dpl/log/log.h>
18 #include <dpl/test/test_runner.h>
19 #include <dpl/test/test_runner_child.h>
20 #include "security_server_mockup.h"
22 #include <security-server.h>
26 const char *subject_label = "mylabel"; \
27 RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"), \
28 "Cannot prepare environment for test."); \
29 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), \
30 "Cannot prepare environment for test."); \
31 RUNNER_ASSERT_MSG(-1 != setgid(1), \
32 "Cannot prepare environment for test."); \
33 RUNNER_ASSERT_MSG(-1 != setuid(1), \
34 "Cannot prepare environment for test"); \
38 * Dropping root privileges
39 * returns 0 on success, 1 on error
// Switches the process to gid 5000 and then uid 5000. The group is changed
// first: once setuid() has given up root, a later setgid() would no longer
// be permitted.
// NOTE(review): this listing omits original lines (numbering jumps 41->44 and
// 47->57), so the enclosing root check and the return statements are not
// visible. No setgroups() call appears in the visible lines; confirm whether
// supplementary groups inherited from root are cleared, otherwise the
// "unprivileged" process may keep root's group memberships and the
// access-denied expectations below would be tested with more rights than
// intended.
41 int drop_root_privileges()
44 /* process is running as root, drop privileges */
45 if (setgid(5000) != 0)
47 if (setuid(5000) != 0)
57 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
60 * test: Check cookie size returned by security_server_get_cookie_size.
61 * description: Cookie used by security-server is 20 bytes long.
62 * Any other size of cookies should be treated as error.
63 * expected: Function security_server_get_cookie_size returns 20.
// Pins the cookie length contract. Other tests in this file pass the literal
// 20 as the buffer length, so a change in cookie size has to be caught here.
65 RUNNER_CHILD_TEST(tc01_security_server_get_cookie_size)
69 int ret = security_server_get_cookie_size();
// The returned value is streamed into the failure message for diagnosis.
70 RUNNER_ASSERT_MSG(20 == ret, "ret = " << ret);
74 * test: security_server_request_cookie
75 * description: Function security_server_request_cookie will return
76 * 20 bytes long cookie.
77 * expected: function will set up cookie in the array and return
78 * SECURITY_SERVER_API_SUCCESS.
// Positive case: requesting a cookie with a 20-byte length must succeed.
80 RUNNER_CHILD_TEST(tc02_security_server_request_cookie_normal_case)
// NOTE(review): the declaration of `cookie` is on a line this listing omits.
// The length passed here must not exceed that buffer's real size; deriving it
// from sizeof(cookie) or security_server_get_cookie_size() instead of
// repeating the literal would keep the two in step - confirm against the file.
85 int ret = security_server_request_cookie(cookie, 20);
86 LogDebug("ret = " << ret);
// Only the return code is checked on the visible lines; the cookie bytes
// themselves are not inspected.
87 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == ret);
91 * test: security_server_request_cookie
92 * description: Function security_server_request_cookie is called with
93 * a 10 byte buffer size, which is smaller than the 20 byte cookie.
94 * expected: function will return
95 * SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL.
// Negative case: a declared length of 10 is below the 20-byte cookie size
// checked in tc01, so the call is expected to be rejected instead of
// returning success.
97 RUNNER_CHILD_TEST(tc03_security_server_request_cookie_too_small_buffer_size)
// The size argument is the only thing varied here; the declaration of
// `cookie` is on a line this listing omits.
102 int ret = security_server_request_cookie(cookie, 10);
103 LogDebug("ret = " << ret);
104 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
108 * test: tc04_security_server_get_gid
109 * description: Checking for security_server_get_gid
110 * with nonexisting gid and existing one
111 * expected: security_server_get_gid should return
112 * SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
113 * and group id with second call
// Looks up one group name that should not exist and one that should.
// NOTE(review): the same int carries either a gid or an error code;
// presumably the error codes are negative so they cannot be mistaken for a
// valid gid - confirm in security-server.h.
115 RUNNER_CHILD_TEST(tc04_security_server_get_gid)
// Unknown group name: the lookup must report NO_SUCH_OBJECT.
119 int ret = security_server_get_gid("abc123xyz_pysiaczek");
120 LogDebug("ret = " << ret);
121 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
// Known group name: "root" is expected to resolve to gid 0.
122 ret = security_server_get_gid("root");
123 LogDebug("ret = " << ret);
124 RUNNER_ASSERT_MSG(0 == ret, "Ret: " << ret);
128 * test: tc05_check_privilege_by_cookie
129 * description: Function security_server_check_privilege_by_cookie should
130 * return status of access rights of cookie owner. In this case cookie owner
131 * is the same process that asks for the rights.
132 * expected: Function call with access rights set to "r" should return SUCCESS,
133 * with "rw" should return ACCESS DENIED.
// Checks that a privilege query made with the caller's own cookie follows the
// Smack rule installed below: "r" is allowed, "rw" is denied.
// NOTE(review): several original lines are missing from this listing (the
// arguments of smack_accesses_add and of both
// security_server_check_privilege_by_cookie calls, and the declaration of
// `cookie`), so the exact rule and query arguments cannot be confirmed here.
135 RUNNER_CHILD_TEST(tc05_check_privilege_by_cookie)
// Labels are specific to this test case, so the rule does not overlap with
// the tc06/tc07 labels used later in the file.
138 const char *object_label = "tc05objectlabel";
139 const char *access_rights = "r";
140 const char *access_rights_ext = "rw";
141 const char *subject_label = "tc05subjectlabel";
143 smack_accesses *handle;
// Build and load a Smack rule while still privileged.
// NOTE(review): if one of the assertions between smack_accesses_new() and
// smack_accesses_free() fails, the handle is not released on the visible
// lines; no removal of the loaded rule is visible after the test either -
// confirm whether the rule is meant to persist on the device.
145 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
147 RUNNER_ASSERT(0 == smack_accesses_add(handle,
152 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
154 smack_accesses_free(handle);
// Relabel this process before asking for the cookie, so the cookie is
// requested under the subject label the rule refers to.
156 RUNNER_ASSERT(0 == smack_set_label_for_self(subject_label));
158 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
159 security_server_request_cookie(cookie,20));
// Root is given up only after the label change and the cookie request; the
// privilege checks below therefore run as the unprivileged uid.
161 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
// First query is expected to be allowed, ...
163 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
164 security_server_check_privilege_by_cookie(
// ... the second one denied. Presumably the first passes access_rights and
// the second access_rights_ext, as the header comment describes - confirm.
169 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
170 security_server_check_privilege_by_cookie(
177 * test: security_server_check_privilege_by_sockfd
178 * description: This test will create dummy server that will accept connection
179 * and die. The client will try to check access rights using connection descriptor.
180 * expected: Function call with access rights set to "r" should return SUCCESS,
181 * with "rw" should return ACCESS DENIED.
// Privilege check through a connected socket: a child process acts as a
// throw-away server, the parent connects to it and queries the server for the
// rights of the peer behind the descriptor.
// NOTE(review): this listing omits original lines (fork, branch structure,
// exit paths, call arguments). Comments below describe only what the visible
// lines show.
// NOTE(review): this is a RUNNER_TEST, not a RUNNER_CHILD_TEST, yet
// RUNNER_ASSERT_MSG is used on the child side of the fork. How the runner
// reports an assertion that fails in a manually forked child is not visible
// here - confirm that such a failure cannot go unnoticed.
183 RUNNER_TEST(tc06_check_privilege_by_sockfd)
185 const char *object_label = "tc06objectlabel";
186 const char *access_rights = "r";
187 const char *access_rights_ext = "rw";
188 const char *subject_label = "tc06subjectlabel";
// The Smack rule is loaded before the pid check below, i.e. while the process
// is still the privileged test runner.
193 smack_accesses *handle;
194 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
195 RUNNER_ASSERT(0 == smack_accesses_add(handle,
199 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
200 smack_accesses_free(handle);
// pid presumably comes from a fork() on an omitted line.
204 RUNNER_ASSERT(-1 != pid);
// Child side: take the subject label first, then create the socket.
208 if (0 != smack_set_label_for_self(subject_label)) {
209 LogDebug("child, failed");
213 LogDebug("child, create_new_socket");
214 int sockfd = create_new_socket();
// An unconnected socket is expected to yield an empty label, not NULL.
// NOTE(review): no free() of the returned label is visible; whether the
// caller owns that string is not shown here - confirm in security-server.h.
217 label = security_server_get_smacklabel_sockfd(sockfd);
218 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
219 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
// The server side gives up root before it starts listening.
222 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
224 LogDebug("child, listen");
225 if (listen(sockfd, 5) < 0) {
226 LogDebug("child, exit");
// Still no peer after listen(): the label is expected to remain empty.
230 label = security_server_get_smacklabel_sockfd(sockfd);
231 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
232 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
236 LogDebug("child, accept");
237 struct sockaddr_un client_addr;
238 socklen_t client_len = sizeof(client_addr);
240 while (0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
241 LogDebug("child, loop");
// NOTE(review): this query passes sockfd (the listening socket), not the
// csockfd returned by accept(); whether it sits inside or after the loop is
// not visible. Confirm which descriptor is meant to be checked.
246 label = security_server_get_smacklabel_sockfd(sockfd);
247 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
248 RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << "subject_label is \"" << subject_label << "\"" );
// Parent side. The log text suggests a fixed 2 s wait for the child to start
// listening (the call itself is on an omitted line); a fixed delay makes the
// test timing-dependent on a loaded device.
255 LogDebug("Parent, sleep 2");
257 int sockfd = connect_to_testserver();
// Once connected, the label reported for the descriptor must be the label
// the child assigned to itself.
259 label = security_server_get_smacklabel_sockfd(sockfd);
260 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
261 RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << "subject_label is \"" << subject_label << "\"" );
264 LogDebug("Parent: sockfd: " << sockfd);
// Both results are stored rather than asserted immediately, so that the
// descriptor is closed and the child reaped before any assertion can abort
// the test.
266 result1 = security_server_check_privilege_by_sockfd(
270 result2 = security_server_check_privilege_by_sockfd(
275 LogDebug("Parent: Close desc");
277 LogDebug("Parent: killing child");
282 waitpid(pid, &status, 0);
// Granted right succeeds, the wider "rw" request is denied.
284 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
285 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
289 * test: security_server_check_privilege_by_sockfd
290 * description: This test will create dummy server that will accept connection
291 * and die. The client will try to check access rights using connection descriptor.
292 * Because we read the smack label not from the socket directly, but from the pid of the process
293 * on the other end of the socket, the smack label will be updated.
294 * In this test client is running under root and server is not - to test the extreme case.
295 * expected: Function call with access rights set to "r" should return SUCCESS,
296 * with "rw" should return ACCESS DENIED.
// Variant of tc06 in which the child creates its socket before it changes its
// own Smack label, so the check only passes if the label is resolved from the
// peer process rather than from the socket as created.
// NOTE(review): this listing omits original lines (fork, branch structure,
// exit paths, call arguments). Comments below describe only what the visible
// lines show.
298 RUNNER_TEST(tc07_check_privilege_by_sockfd)
300 const char *object_label = "tc07objectlabel";
301 const char *access_rights = "r";
302 const char *access_rights_ext = "rw";
303 const char *subject_label = "tc07subjectlabel";
// Starts as "failed" so the reaping step below is skipped unless kill()
// really succeeded.
307 int kill_result = -1;
309 smack_accesses *handle;
310 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
311 RUNNER_ASSERT(0 == smack_accesses_add(handle,
315 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
316 smack_accesses_free(handle);
// pid presumably comes from a fork() on an omitted line.
319 RUNNER_ASSERT(-1 != pid);
// Child side: socket first, label change second - the reverse of tc06.
323 LogDebug("child, create_new_socket");
324 int sockfd = create_new_socket();
326 if (0 != smack_set_label_for_self(subject_label)) {
327 LogDebug("child, failed");
331 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
333 LogDebug("child, listen");
334 if (listen(sockfd, 5) < 0) {
335 LogDebug("child, exit");
338 LogDebug("child, accept");
340 struct sockaddr_un client_addr;
341 socklen_t client_len = sizeof(client_addr);
343 while (0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
344 LogDebug("child, loop");
// NOTE(review): this call sits between the child's accept loop and the
// parent's first log line; the branch it belongs to is on omitted lines. If
// it runs in the parent, it disagrees with the header comment ("client is
// running under root"), and because this is a RUNNER_TEST the uid change
// would presumably stay in effect for the test runner process afterwards -
// confirm.
352 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
// The log text suggests a fixed wait for the child to start listening; the
// call itself is on an omitted line.
354 LogDebug("Parent, sleep 2");
356 int sockfd = connect_to_testserver();
357 LogDebug("Parent: sockfd: " << sockfd);
// Results are stored and asserted only after the cleanup attempt below.
359 result1 = security_server_check_privilege_by_sockfd(
363 result2 = security_server_check_privilege_by_sockfd(
368 LogDebug("Parent: Close desc");
370 LogDebug("Parent: killing child");
371 // we cannot kill child - because of dropping privileges
372 kill_result = kill(pid, SIGKILL);
// The child is reaped only when the signal was delivered.
// NOTE(review): what happens when kill() fails is on omitted lines; if
// nothing else stops it, the child stays blocked in accept() after the test
// ends - confirm that it is cleaned up.
375 if (kill_result == 0) {
377 waitpid(pid, &status, 0);
382 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
383 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
// Entry point: hands the command line to the DPL test runner singleton.
// NOTE(review): the tests above change Smack labels and call setgid/setuid,
// so the binary presumably has to be started as root on a Smack-enabled
// system - confirm. The result of ExecTestRunner is not used on the visible
// line; the return statement is on a line this listing omits.
386 int main(int argc, char *argv[])
389 DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);