2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
5 * @file security_server_tests_client_smack.cpp
6 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
8 * @brief Test cases for security-server-client-smack.
13 #include <sys/types.h>
14 #include <sys/socket.h>
15 #include <sys/smack.h>
25 #include <dpl/log/log.h>
26 #include <dpl/test/test_runner.h>
27 #include <dpl/test/test_runner_child.h>
28 #include <dpl/test/test_runner_multiprocess.h>
29 #include "security_server_mockup.h"
31 #include <security-server.h>
32 #include <access_provider.h>
34 #include "tests_common.h"
35 #include <summary_collector.h>
38 #define PROPER_COOKIE_SIZE 20
42 const char *subject_label = "mylabel"; \
43 RUNNER_ASSERT_MSG_BT(-1 != system("touch /opt/home/root/pid_cycle"), \
44 "Cannot prepare environment for test."); \
45 RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), \
46 "Cannot prepare environment for test."); \
47 RUNNER_ASSERT_MSG_BT(-1 != setgid(1), \
48 "Cannot prepare environment for test."); \
49 RUNNER_ASSERT_MSG_BT(-1 != setuid(1), \
50 "Cannot prepare environment for test"); \
55 * Environment preparation should only differ in setting label. On NOSMACK system
56 * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
58 #define ENVIRONMENT_NOSMACK \
60 int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
61 RUNNER_ASSERT_MSG_BT(fd >= 0, \
62 "Couldn't create pid_cycle file. errno: " << strerror(errno));\
64 RUNNER_ASSERT_MSG_BT(-1 != setgid(1), \
65 "Cannot prepare environment for test."); \
66 RUNNER_ASSERT_MSG_BT(-1 != setuid(1), \
67 "Cannot prepare environment for test"); \
72 * Unique_ptr typedef for NOSMACK version of tc06 test
74 void closesockfdptr(int* sockfd_ptr)
78 typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
80 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
83 * test: Check cookie size returned by security_server_get_cookie_size.
84 * description: Cookie used by security-server is 20 bytes long.
85 * Any other size of cookies should be treated as error.
86 * expected: Function security_server_get_cookie_size returns 20.
88 RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
92 int ret = security_server_get_cookie_size();
93 RUNNER_ASSERT_MSG_BT(20 == ret, "ret = " << ret);
97 * test: security_server_request_cookie
98 * description: Function security_server_request_cookie will return
99 * 20 bytes long cookie.
100 * expected: function will set up cookie in the array and return
101 * SECURITY_SERVER_API_SUCCESS.
103 RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
108 int ret = security_server_request_cookie(cookie, 20);
109 LogDebug("ret = " << ret);
110 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS == ret);
114 * test: security_server_request_cookie
115 * description: Function security_server_request_cookie will return
116 * 20 bytes long cookie.
117 * expected: function will set up cookie in the array and return
118 * SECURITY_SERVER_API_SUCCESS.
120 RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
125 int ret = security_server_request_cookie(cookie, 10);
126 LogDebug("ret = " << ret);
127 RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
131 * test: tc04_security_server_get_gid
132 * description: Checking for security_server_get_gid
133 * with nonexisting gid and existing one
134 * expected: security_server_get_gid should return
135 * SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
136 * and group id with second call
138 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
140 SecurityServer::AccessProvider provider("tc04mylabel");
141 provider.allowFunction("security_server_get_gid", TRACE_FROM_HERE);
142 provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
144 int ret = security_server_get_gid("abc123xyz_pysiaczek");
145 LogDebug("ret = " << ret);
146 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
147 ret = security_server_get_gid("root");
148 LogDebug("ret = " << ret);
149 RUNNER_ASSERT_MSG_BT(0 == ret, "Ret: " << ret);
153 * test: tc05_check_privilege_by_cookie
154 * description: Function security_server_check_privilege_by_cookie should
155 * return status of access rights of cookie owner. In this case cookie owner
156 * is the same process that ask for the rights.
157 * expected: Function call with access rights set to "r" should return SUCCESS,
158 * with "rw" should return ACCESS DENIED.
160 RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
163 const char *object_label = "tc05objectlabel";
164 const char *access_rights = "r";
165 const char *access_rights_ext = "rw";
166 const char *subject_label = "tc05subjectlabel";
169 access.add(subject_label, object_label, access_rights, TRACE_FROM_HERE);
170 access.add(subject_label, "security-server::api-cookie-check", "w", TRACE_FROM_HERE);
171 access.apply(TRACE_FROM_HERE);
173 RUNNER_ASSERT_BT(0 == smack_set_label_for_self(subject_label));
175 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
176 security_server_request_cookie(cookie,20));
178 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
180 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
181 security_server_check_privilege_by_cookie(
186 RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
187 security_server_check_privilege_by_cookie(
194 * test: security_server_check_privilege_by_sockfd
195 * description: This test will create dummy server that will accept connection
196 * and die. The client will try to check access rights using connection descriptor.
197 * expected: Function call with access rights set to "r" should return SUCCESS,
198 * with "rw" should return ACCESS DENIED.
200 RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
202 const char *object_label = "tc06objectlabel";
203 const char *access_rights = "r";
204 const char *access_rights_ext = "rw";
205 const char *subject_label = "tc06subjectlabel";
210 smack_accesses *handle;
211 RUNNER_ASSERT_BT(0 == smack_accesses_new(&handle));
212 RUNNER_ASSERT_BT(0 == smack_accesses_add(handle,
216 RUNNER_ASSERT_BT(0 == smack_accesses_apply(handle));
217 smack_accesses_free(handle);
221 RUNNER_ASSERT_BT(-1 != pid);
225 RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
227 int sockfd = create_new_socket();
228 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
230 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
232 label = security_server_get_smacklabel_sockfd(sockfd);
233 RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
234 RUNNER_ASSERT_MSG_BT(strcmp(label,"") == 0, "label is \"" << label << "\"");
237 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
239 RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
241 label = security_server_get_smacklabel_sockfd(sockfd);
242 RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
243 RUNNER_ASSERT_MSG_BT(strcmp(label,"") == 0, "label is \"" << label << "\"");
246 struct sockaddr_un client_addr;
247 socklen_t client_len = sizeof(client_addr);
249 RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
258 int sockfd = connect_to_testserver();
259 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "connect_to_testserver() failed");
261 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
263 label = security_server_get_smacklabel_sockfd(sockfd);
264 RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
265 RUNNER_ASSERT_MSG_BT(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
268 result1 = security_server_check_privilege_by_sockfd(
272 result2 = security_server_check_privilege_by_sockfd(
278 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
279 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
283 * test: security_server_check_privilege_by_sockfd
284 * description: This test will create dummy server that will accept connection
285 * and die. The client will try to check access rights using connection descriptor.
286 * Because we read a smack label not from socket directly, but from from pid of process
287 * on the other end of socket - that's why smack label will be updated.
288 * In this test client is running under root and server is not - to test the extreme case.
289 * expected: Function call with access rights set to "r" should return SUCCESS,
290 * with "rw" should return ACCESS DENIED.
292 RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
294 const char *object_label = "tc07objectlabel";
295 const char *access_rights = "r";
296 const char *access_rights_ext = "rw";
297 const char *subject_label = "tc07subjectlabel";
303 access.add(subject_label, object_label, access_rights, TRACE_FROM_HERE);
304 access.apply(TRACE_FROM_HERE);
307 RUNNER_ASSERT_BT(-1 != pid);
312 RUNNER_ASSERT_BT(-1 != pid);
316 int sockfd = create_new_socket();
317 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
319 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
321 RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
323 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
325 RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
327 struct sockaddr_un client_addr;
328 socklen_t client_len = sizeof(client_addr);
329 int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
337 int sockfd = connect_to_testserver();
338 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "connect_to_testserver() failed");
340 result1 = security_server_check_privilege_by_sockfd(
344 result2 = security_server_check_privilege_by_sockfd(
351 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
352 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
357 ///////////////////////////
358 /////NOSMACK ENV TESTS/////
359 ///////////////////////////
362 * First four test cases are the same as their SMACK versions. The only difference is environment
363 * preparation (described near ENVIRONMENT_NOSMACK macro).
365 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
369 int ret = security_server_get_cookie_size();
370 RUNNER_ASSERT_MSG_BT(ret == 20, "ret = " << ret);
373 RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
378 int ret = security_server_request_cookie(cookie, 20);
379 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
382 RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
387 int ret = security_server_request_cookie(cookie, 10);
388 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
391 RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
395 int ret = security_server_get_gid("definitely_not_existing_object");
396 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
397 ret = security_server_get_gid("root");
398 RUNNER_ASSERT_MSG_BT(ret == 0, "ret = " << ret);
402 * NOSMACK version of tc05 test.
404 * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
405 * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
406 * should return SUCCESS no matter what access_rights we give to this function.
408 RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
411 const char* object_label = "tc05objectlabel";
413 RUNNER_ASSERT_BT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
415 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
417 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
418 security_server_check_privilege_by_cookie(cookie, object_label, "r"));
420 //On NOSMACK env security server should return success on any accesses, even those that are
422 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
423 security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
427 * NOSMACK version of tc06 test.
429 * Differences between this and SMACK version (server):
430 * - Skipped setting access_rights
431 * - Skipped setting label for server
432 * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
433 * of socket (because it should do nothing when SMACK is off)
434 * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
437 * For client the only difference are expected results from check_privilege_by_sockfd - both should
440 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
442 const char* object_label = "tc06objectlabel";
449 RUNNER_ASSERT_BT(pid >= 0);
453 if (pid == 0) { //child process - server
455 int sockfd = create_new_socket();
456 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
458 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
460 //check if get_smacklabel_sockfd works correctly
461 label = security_server_get_smacklabel_sockfd(sockfd);
462 RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
463 ret = strcmp(label, "");
465 RUNNER_ASSERT_MSG_BT(ret == 0, "label is \"" << label << "\"");
467 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
469 RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
471 struct sockaddr_un client_addr;
472 socklen_t client_len = sizeof(client_addr);
475 RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
477 //wait a little bit for parent to do it's job
480 //if everything works, cleanup and return 0
486 int sockfd = connect_to_testserver();
487 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "Failed to connect to server.");
489 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
491 label = security_server_get_smacklabel_sockfd(sockfd);
492 RUNNER_ASSERT_MSG_BT(label != NULL, "get_smacklabel_sockfd failed.");
493 ret = strcmp(label, "");
495 RUNNER_ASSERT_MSG_BT(ret == 0, "label is \"" << label << "\"");
497 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
498 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
501 RUNNER_ASSERT_MSG_BT(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
502 RUNNER_ASSERT_MSG_BT(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
506 * NOSMACK version of tc07 test.
508 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
510 const char* object_label = "tc07objectlabel";
516 RUNNER_ASSERT_BT(-1 != pid);
521 RUNNER_ASSERT_BT(-1 != pid);
523 if (pid == 0) { //child process
525 int sockfd = create_new_socket();
526 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
528 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
531 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
533 //Prepare for accepting
534 RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
536 struct sockaddr_un client_addr;
537 socklen_t client_len = sizeof(client_addr);
541 RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
543 //wait a little bit for parent to do it's job
546 //cleanup and kill child
549 } else { //parent process
550 //Drop root privileges
551 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
553 //Wait for server to set up
556 //Connect and check privileges
557 int sockfd = connect_to_testserver();
558 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "Failed to create socket fd.");
560 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
561 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
565 //Both results (just like in the previous test case) should return success.
566 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
567 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
572 int apply_smack_rule(const char *subject, const char *object, const char *rule)
574 struct smack_accesses *ruleHandler = NULL;
575 if (smack_accesses_new(&ruleHandler) != 0)
577 if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
579 if (smack_accesses_apply(ruleHandler) != 0)
582 smack_accesses_free(ruleHandler);
586 smack_accesses_free(ruleHandler);
590 RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
592 int cookieSize = security_server_get_cookie_size();
593 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
595 std::vector<char> cookie(cookieSize);
596 int retval = security_server_request_cookie(&cookie[0], cookieSize);
597 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
600 uid_t cookieUid, realUid;
602 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
603 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
604 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
606 //checking for input parameters
607 retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
608 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
609 retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
610 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
613 RUNNER_CHILD_TEST_SMACK(tc11_security_server_get_uid_by_cookie_smack)
615 int cookieSize = security_server_get_cookie_size();
616 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
618 std::vector<char> cookie(cookieSize);
619 int retval = security_server_request_cookie(&cookie[0], cookieSize);
620 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
622 //preapare SMACK environment
623 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
624 RUNNER_ASSERT_MSG_BT(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
626 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
630 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
631 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
634 RUNNER_CHILD_TEST_SMACK(tc12_security_server_get_uid_by_cookie_smack)
636 int cookieSize = security_server_get_cookie_size();
637 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
639 uid_t realUid = getuid();
641 std::vector<char> cookie(cookieSize);
642 int retval = security_server_request_cookie(&cookie[0], cookieSize);
643 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
645 //preapare SMACK environment
646 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
647 RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
649 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
653 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
654 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
655 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
658 RUNNER_CHILD_TEST_NOSMACK(tc12_security_server_get_uid_by_cookie_nosmack)
660 int cookieSize = security_server_get_cookie_size();
661 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
663 uid_t realUid = getuid();
665 std::vector<char> cookie(cookieSize);
666 int retval = security_server_request_cookie(&cookie[0], cookieSize);
667 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
670 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
674 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
675 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
676 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
679 RUNNER_CHILD_TEST_SMACK(tc13_security_server_get_uid_by_cookie_smack)
681 int cookieSize = security_server_get_cookie_size();
682 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
684 //preapare SMACK environment
685 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
686 RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
687 RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
689 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
691 std::vector<char> cookie(cookieSize);
692 int retval = security_server_request_cookie(&cookie[0], cookieSize);
693 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
696 uid_t cookieUid, realUid = getuid();
697 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
698 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
699 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
702 RUNNER_CHILD_TEST_NOSMACK(tc13_security_server_get_uid_by_cookie_nosmack)
704 int cookieSize = security_server_get_cookie_size();
705 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
708 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
710 std::vector<char> cookie(cookieSize);
711 int retval = security_server_request_cookie(&cookie[0], cookieSize);
712 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
715 uid_t cookieUid, realUid = getuid();
716 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
717 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
718 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
721 RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
723 int cookieSize = security_server_get_cookie_size();
724 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
726 std::vector<char> cookie(cookieSize);
727 int retval = security_server_request_cookie(&cookie[0], cookieSize);
728 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
731 gid_t cookieGid, realGid;
733 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
734 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
735 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID");
737 //checking for input parameters
738 retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
739 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
740 retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
741 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
745 RUNNER_CHILD_TEST_SMACK(tc15_security_server_get_gid_by_cookie_smack)
747 int cookieSize = security_server_get_cookie_size();
748 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
750 std::vector<char> cookie(cookieSize);
751 int retval = security_server_request_cookie(&cookie[0], cookieSize);
752 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
754 //preapare SMACK environment
755 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
756 RUNNER_ASSERT_MSG_BT(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
758 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
759 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
762 gid_t cookieGid, realGid;
764 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
765 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
768 RUNNER_CHILD_TEST_SMACK(tc16_security_server_get_gid_by_cookie_smack)
770 int cookieSize = security_server_get_cookie_size();
771 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
773 std::vector<char> cookie(cookieSize);
775 gid_t realGid = getgid();
776 int retval = security_server_request_cookie(&cookie[0], cookieSize);
777 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
779 //preapare SMACK environment
780 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
781 RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
783 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
784 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
788 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
789 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
790 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
793 RUNNER_CHILD_TEST_NOSMACK(tc16_security_server_get_gid_by_cookie_nosmack)
795 int cookieSize = security_server_get_cookie_size();
796 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
798 std::vector<char> cookie(cookieSize);
800 gid_t realGid = getgid();
801 int retval = security_server_request_cookie(&cookie[0], cookieSize);
802 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
805 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
806 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
810 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
811 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
812 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
815 RUNNER_CHILD_TEST_SMACK(tc17_security_server_get_gid_by_cookie_smack)
817 int cookieSize = security_server_get_cookie_size();
818 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
820 //preapare SMACK environment
821 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
822 RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
823 RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
825 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
826 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
828 std::vector<char> cookie(cookieSize);
829 int retval = security_server_request_cookie(&cookie[0], cookieSize);
830 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
833 gid_t cookieGid, realGid = getgid();
834 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
835 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
836 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
839 RUNNER_CHILD_TEST_NOSMACK(tc17_security_server_get_gid_by_cookie_nosmack)
841 int cookieSize = security_server_get_cookie_size();
842 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
845 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
846 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
848 std::vector<char> cookie(cookieSize);
849 int retval = security_server_request_cookie(&cookie[0], cookieSize);
850 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
853 gid_t cookieGid, realGid = getgid();
854 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
855 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
856 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
859 RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) {
864 char *label_smack = NULL;
865 char *label_ss = NULL;
868 int cookie_size = security_server_get_cookie_size();
869 RUNNER_ASSERT_MSG_BT(PROPER_COOKIE_SIZE == cookie_size, "Wrong cookie size from security-server");
873 cookie = (char*) calloc(cookie_size, 1);
874 RUNNER_ASSERT_MSG_BT(NULL != cookie, "Memory allocation error");
876 res = security_server_request_cookie(cookie, cookie_size);
877 if (res != SECURITY_SERVER_API_SUCCESS) {
879 RUNNER_ASSERT_MSG_BT(res == SECURITY_SERVER_API_SUCCESS, "Error in requesting cookie from security-server");
882 label_ss = security_server_get_smacklabel_cookie(cookie);
884 RUNNER_ASSERT_MSG_BT(label_ss != NULL, "Error in getting label by cookie");
887 std::string label_cookie(label_ss);
890 res = smack_new_label_from_self(&label_smack);
893 RUNNER_ASSERT_MSG_BT(res == 0, "Error in getting self SMACK label");
895 std::string label_self(label_smack ? label_smack : "");
898 RUNNER_ASSERT_MSG_BT(label_self == label_cookie, "No match in SMACK labels");
901 //TODO: here could be label change using SMACK API and checking if it
902 //is changed using security-server API function based on the same cookie
906 * NOSMACK version of tc_security_server_get_smacklabel_cookie test.
908 * Most of this test goes exactly as the original one. The only difference are the labels:
909 * - We assume that libsmack tests passed and smack_new_label_from_self will return -1 and NULL
910 * label - there is no need to re-check it.
911 * - Label acquired from security_server_get_smacklabel_cookie should be an empty string.
913 RUNNER_TEST_NOSMACK(tc18_security_server_get_smacklabel_cookie_nosmack) {
918 char* label_ss = NULL;
921 int cookie_size = security_server_get_cookie_size();
922 RUNNER_ASSERT_MSG_BT(PROPER_COOKIE_SIZE == cookie_size,
923 "Wrong cookie size from security-server. Size: " << cookie_size);
925 cookie = (char*) calloc(cookie_size, sizeof(char));
926 RUNNER_ASSERT_MSG_BT(NULL != cookie, "Memory allocation error");
930 //Request cookie from SS
931 res = security_server_request_cookie(cookie, cookie_size);
932 std::unique_ptr<char, std::function<void(char*)> > cookie_ptr(cookie, free);
934 RUNNER_ASSERT_MSG_BT(res == SECURITY_SERVER_API_SUCCESS,
935 "Error in requesting cookie from security-server. Result: " << res);
937 label_ss = security_server_get_smacklabel_cookie(cookie_ptr.get());
938 RUNNER_ASSERT_MSG_BT(label_ss != NULL, "Error in getting label by cookie");
940 //Check if label_ss is correct, that is only one NULL character.
941 if (label_ss[0] != '\0') {
943 RUNNER_ASSERT_MSG_BT(label_ss[0] == '\0', "label_ss was not an empty string.");
953 int main(int argc, char *argv[])
955 SummaryCollector::Register();
956 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);