tests/security-server-tests/security_server_tests_client_smack.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4 /*
   5  * @file    security_server_tests_client_smack.cpp
   6  * @author  Bartlomiej Grzelewski (b.grzelewski@samsung.com)
   7  * @version 1.1
   8  * @brief   Test cases for security-server-client-smack.
   9  */
  10
  11 #include <unistd.h>
  12 #include <stdlib.h>
  13 #include <sys/types.h>
  14 #include <sys/socket.h>
  15 #include <sys/smack.h>
  16 #include <sys/wait.h>
  17 #include <sys/un.h>
  18 #include <sys/stat.h>
  19 #include <fcntl.h>
  20 #include <errno.h>
  21
  22 #include <memory>
  23 #include <functional>
  24
  25 #include <dpl/log/log.h>
  26 #include <dpl/test/test_runner.h>
  27 #include <dpl/test/test_runner_child.h>
  28 #include <dpl/test/test_runner_multiprocess.h>
  29 #include "security_server_mockup.h"
  30
  31 #include <security-server.h>
  32 #include <access_provider.h>
  33 #include <tracker.h>
  34 #include "tests_common.h"
  35 #include <summary_collector.h>
  36
  37
  38 #define PROPER_COOKIE_SIZE 20
  39
  40 #define ENVIRONMENT                                                       \
  41     do {                                                                  \
  42         const char *subject_label = "mylabel";                            \
  43         RUNNER_ASSERT_MSG_BT(-1 != system("touch /opt/home/root/pid_cycle"), \
  44             "Cannot prepare environment for test.");                      \
  45         RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label),   \
  46             "Cannot prepare environment for test.");                      \
  47         RUNNER_ASSERT_MSG_BT(-1 != setgid(1),                                \
  48             "Cannot prepare environment for test.");                      \
  49         RUNNER_ASSERT_MSG_BT(-1 != setuid(1),                                \
  50             "Cannot prepare environment for test");                       \
  51     } while (0)
  52
  53
  54 /**
  55  * Environment preparation should only differ in setting label. On NOSMACK system
  56  * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
  57  */
  58 #define ENVIRONMENT_NOSMACK                                               \
  59     do {                                                                  \
  60         int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
  61         RUNNER_ASSERT_MSG_BT(fd >= 0,                                        \
  62             "Couldn't create pid_cycle file. errno: " << strerror(errno));\
  63         close(fd);                                                        \
  64         RUNNER_ASSERT_MSG_BT(-1 != setgid(1),                                \
  65             "Cannot prepare environment for test.");                      \
  66         RUNNER_ASSERT_MSG_BT(-1 != setuid(1),                                \
  67             "Cannot prepare environment for test");                       \
  68     } while (0)
  69
  70
  71 /**
  72  * Unique_ptr typedef for NOSMACK version of tc06 test
  73  */
  74 void closesockfdptr(int* sockfd_ptr)
  75 {
  76     close(*sockfd_ptr);
  77 }
  78 typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
  79
  80 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
  81
  82 /*
  83  * test: Check cookie size returned by security_server_get_cookie_size.
  84  * description: Cookie used by security-server is 20 bytes long.
  85  * Any other size of cookies should be treated as error.
  86  * expected: Function security_server_get_cookie_size returns 20.
  87  */
  88 RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
  89 {
  90     ENVIRONMENT;
  91
  92     int ret = security_server_get_cookie_size();
  93     RUNNER_ASSERT_MSG_BT(20 == ret, "ret = " << ret);
  94 }
  95
  96 /*
  97  * test: security_server_request_cookie
  98  * description: Function security_server_request_cookie will return
  99  * 20 bytes long cookie.
 100  * expected: function will set up cookie in the array and return
 101  * SECURITY_SERVER_API_SUCCESS.
 102  */
 103 RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
 104 {
 105     ENVIRONMENT;
 106
 107     char cookie[20];
 108     int ret = security_server_request_cookie(cookie, 20);
 109     LogDebug("ret = " << ret);
 110     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS == ret);
 111 }
 112
 113 /*
 114  * test: security_server_request_cookie
 115  * description: Function security_server_request_cookie will return
 116  * 20 bytes long cookie.
 117  * expected: function will set up cookie in the array and return
 118  * SECURITY_SERVER_API_SUCCESS.
 119  */
 120 RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
 121 {
 122     ENVIRONMENT;
 123
 124     char cookie[20];
 125     int ret = security_server_request_cookie(cookie, 10);
 126     LogDebug("ret = " << ret);
 127     RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
 128 }
 129
 130 /*
 131  * test: tc04_security_server_get_gid
 132  * description: Checking for security_server_get_gid
 133  *              with nonexisting gid and existing one
 134  * expected: security_server_get_gid should return
 135  *           SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
 136  *           and group id with second call
 137  */
 138 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
 139 {
 140     SecurityServer::AccessProvider provider("tc04mylabel");
 141     provider.allowFunction("security_server_get_gid", TRACE_FROM_HERE);
 142     provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
 143
 144     int ret = security_server_get_gid("abc123xyz_pysiaczek");
 145     LogDebug("ret = " << ret);
 146     RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
 147     ret = security_server_get_gid("root");
 148     LogDebug("ret = " << ret);
 149     RUNNER_ASSERT_MSG_BT(0 == ret, "Ret: " << ret);
 150 }
 151
 152 /*
 153  * test: tc05_check_privilege_by_cookie
 154  * description: Function security_server_check_privilege_by_cookie should
 155  * return status of access rights of cookie owner. In this case cookie owner
 156  * is the same process that ask for the rights.
 157  * expected: Function call with access rights set to "r" should return SUCCESS,
 158  * with "rw" should return ACCESS DENIED.
 159  */
 160 RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
 161 {
 162     char cookie[20];
 163     const char *object_label = "tc05objectlabel";
 164     const char *access_rights = "r";
 165     const char *access_rights_ext = "rw";
 166     const char *subject_label = "tc05subjectlabel";
 167
 168     SmackAccess access;
 169     access.add(subject_label, object_label, access_rights, TRACE_FROM_HERE);
 170     access.add(subject_label, "security-server::api-cookie-check", "w", TRACE_FROM_HERE);
 171     access.apply(TRACE_FROM_HERE);
 172
 173     RUNNER_ASSERT_BT(0 == smack_set_label_for_self(subject_label));
 174
 175     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
 176         security_server_request_cookie(cookie,20));
 177
 178     RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 179
 180     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
 181         security_server_check_privilege_by_cookie(
 182             cookie,
 183             object_label,
 184             access_rights));
 185
 186     RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
 187         security_server_check_privilege_by_cookie(
 188             cookie,
 189             object_label,
 190             access_rights_ext));
 191 }
 192
 193 /*
 194  * test: security_server_check_privilege_by_sockfd
 195  * description: This test will create dummy server that will accept connection
 196  * and die. The client will try to check access rights using connection descriptor.
 197  * expected: Function call with access rights set to "r" should return SUCCESS,
 198  * with "rw" should return ACCESS DENIED.
 199  */
 200 RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
 201 {
 202     const char *object_label = "tc06objectlabel";
 203     const char *access_rights = "r";
 204     const char *access_rights_ext = "rw";
 205     const char *subject_label = "tc06subjectlabel";
 206
 207     int result1 = -1;
 208     int result2 = -1;
 209
 210     smack_accesses *handle;
 211     RUNNER_ASSERT_BT(0 == smack_accesses_new(&handle));
 212     RUNNER_ASSERT_BT(0 == smack_accesses_add(handle,
 213             subject_label,
 214             object_label,
 215             access_rights));
 216     RUNNER_ASSERT_BT(0 == smack_accesses_apply(handle));
 217     smack_accesses_free(handle);
 218
 219     int pid = fork();
 220     char *label;
 221     RUNNER_ASSERT_BT(-1 != pid);
 222
 223     if (0 == pid) {
 224         // child
 225         RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
 226
 227         int sockfd = create_new_socket();
 228         RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
 229
 230         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 231
 232         label = security_server_get_smacklabel_sockfd(sockfd);
 233         RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
 234         RUNNER_ASSERT_MSG_BT(strcmp(label,"") == 0, "label is \"" << label << "\"");
 235         free(label);
 236
 237         RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 238
 239         RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
 240
 241         label = security_server_get_smacklabel_sockfd(sockfd);
 242         RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
 243         RUNNER_ASSERT_MSG_BT(strcmp(label,"") == 0, "label is \"" << label << "\"");
 244         free(label);
 245
 246         struct sockaddr_un client_addr;
 247         socklen_t client_len = sizeof(client_addr);
 248         int csockfd;
 249         RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
 250
 251         usleep(500);
 252
 253         close(csockfd);
 254         exit(0);
 255     } else {
 256         // parent
 257         sleep(1);
 258         int sockfd = connect_to_testserver();
 259         RUNNER_ASSERT_MSG_BT(sockfd >= 0, "connect_to_testserver() failed");
 260
 261         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 262
 263         label = security_server_get_smacklabel_sockfd(sockfd);
 264         RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
 265         RUNNER_ASSERT_MSG_BT(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
 266         free(label);
 267
 268         result1 = security_server_check_privilege_by_sockfd(
 269             sockfd,
 270             object_label,
 271             access_rights);
 272         result2 = security_server_check_privilege_by_sockfd(
 273             sockfd,
 274             object_label,
 275             access_rights_ext);
 276     }
 277
 278     RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
 279     RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
 280 }
 281
 282 /*
 283  * test: security_server_check_privilege_by_sockfd
 284  * description: This test will create dummy server that will accept connection
 285  * and die. The client will try to check access rights using connection descriptor.
 286  * Because we read a smack label not from socket directly, but from from pid of process
 287  * on the other end of socket - that's why smack label will be updated.
 288  * In this test client is running under root and server is not - to test the extreme case.
 289  * expected: Function call with access rights set to "r" should return SUCCESS,
 290  * with "rw" should return ACCESS DENIED.
 291  */
 292 RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
 293 {
 294     const char *object_label = "tc07objectlabel";
 295     const char *access_rights = "r";
 296     const char *access_rights_ext = "rw";
 297     const char *subject_label = "tc07subjectlabel";
 298
 299     int result1 = -1;
 300     int result2 = -1;
 301
 302     SmackAccess access;
 303     access.add(subject_label, object_label, access_rights, TRACE_FROM_HERE);
 304     access.apply(TRACE_FROM_HERE);
 305
 306     int pid = fork();
 307     RUNNER_ASSERT_BT(-1 != pid);
 308
 309     if (0 == pid) {
 310
 311         pid = fork();
 312         RUNNER_ASSERT_BT(-1 != pid);
 313
 314         if (0 == pid) {
 315             // child
 316             int sockfd = create_new_socket();
 317             RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
 318
 319             SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 320
 321             RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
 322
 323             RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 324
 325             RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
 326
 327             struct sockaddr_un client_addr;
 328             socklen_t client_len = sizeof(client_addr);
 329             int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
 330             if (csockfd >= 0)
 331                 close(csockfd);
 332             LogDebug("Exit!");
 333             exit(0);
 334         } else {
 335             // parent
 336             sleep(1);
 337             int sockfd = connect_to_testserver();
 338             RUNNER_ASSERT_MSG_BT(sockfd >= 0, "connect_to_testserver() failed");
 339
 340             result1 = security_server_check_privilege_by_sockfd(
 341                 sockfd,
 342                 object_label,
 343                 access_rights);
 344             result2 = security_server_check_privilege_by_sockfd(
 345                 sockfd,
 346                 object_label,
 347                 access_rights_ext);
 348
 349             close(sockfd);
 350
 351             RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
 352             RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
 353         }
 354     }
 355 }
 356
 357 ///////////////////////////
 358 /////NOSMACK ENV TESTS/////
 359 ///////////////////////////
 360
 361 /**
 362  * First four test cases are the same as their SMACK versions. The only difference is environment
 363  * preparation (described near ENVIRONMENT_NOSMACK macro).
 364  */
 365 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
 366 {
 367     ENVIRONMENT_NOSMACK;
 368
 369     int ret = security_server_get_cookie_size();
 370     RUNNER_ASSERT_MSG_BT(ret == 20, "ret = " << ret);
 371 }
 372
 373 RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
 374 {
 375     ENVIRONMENT_NOSMACK;
 376
 377     char cookie[20];
 378     int ret = security_server_request_cookie(cookie, 20);
 379     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 380 }
 381
 382 RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
 383 {
 384     ENVIRONMENT_NOSMACK;
 385
 386     char cookie[20];
 387     int ret = security_server_request_cookie(cookie, 10);
 388     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
 389 }
 390
 391 RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
 392 {
 393     ENVIRONMENT_NOSMACK;
 394
 395     int ret = security_server_get_gid("definitely_not_existing_object");
 396     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
 397     ret = security_server_get_gid("root");
 398     RUNNER_ASSERT_MSG_BT(ret == 0, "ret = " << ret);
 399 }
 400
 401 /*
 402  * NOSMACK version of tc05 test.
 403  *
 404  * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
 405  * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
 406  * should return SUCCESS no matter what access_rights we give to this function.
 407  */
 408 RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
 409 {
 410     char cookie[20];
 411     const char* object_label = "tc05objectlabel";
 412
 413     RUNNER_ASSERT_BT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
 414
 415     RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 416
 417     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
 418         security_server_check_privilege_by_cookie(cookie, object_label, "r"));
 419
 420     //On NOSMACK env security server should return success on any accesses, even those that are
 421     //incorrect.
 422     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
 423         security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
 424 }
 425
 426 /**
 427  * NOSMACK version of tc06 test.
 428  *
 429  * Differences between this and SMACK version (server):
 430  * - Skipped setting access_rights
 431  * - Skipped setting label for server
 432  * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
 433  *   of socket (because it should do nothing when SMACK is off)
 434  * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
 435  *   from client
 436  *
 437  * For client the only difference are expected results from check_privilege_by_sockfd - both should
 438  * return SUCCESS.
 439  */
 440 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
 441 {
 442     const char* object_label = "tc06objectlabel";
 443
 444     int result1 = -1;
 445     int result2 = -1;
 446
 447     int pid = fork();
 448     char* label;
 449     RUNNER_ASSERT_BT(pid >= 0);
 450
 451     int ret;
 452
 453     if (pid == 0) { //child process - server
 454         //create new socket
 455         int sockfd = create_new_socket();
 456         RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
 457
 458         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 459
 460         //check if get_smacklabel_sockfd works correctly
 461         label = security_server_get_smacklabel_sockfd(sockfd);
 462         RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
 463         ret = strcmp(label, "");
 464         free(label);
 465         RUNNER_ASSERT_MSG_BT(ret == 0, "label is \"" << label << "\"");
 466
 467         RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 468
 469         RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
 470
 471         struct sockaddr_un client_addr;
 472         socklen_t client_len = sizeof(client_addr);
 473
 474         int csockfd;
 475         RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
 476
 477         //wait a little bit for parent to do it's job
 478         usleep(200);
 479
 480         //if everything works, cleanup and return 0
 481         close(csockfd);
 482         exit(0);
 483     } else {
 484         //parent
 485         sleep(1);
 486         int sockfd = connect_to_testserver();
 487         RUNNER_ASSERT_MSG_BT(sockfd >= 0, "Failed to connect to server.");
 488
 489         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 490
 491         label = security_server_get_smacklabel_sockfd(sockfd);
 492         RUNNER_ASSERT_MSG_BT(label != NULL, "get_smacklabel_sockfd failed.");
 493         ret = strcmp(label, "");
 494         free(label);
 495         RUNNER_ASSERT_MSG_BT(ret == 0, "label is \"" << label << "\"");
 496
 497         result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
 498         result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
 499     }
 500
 501     RUNNER_ASSERT_MSG_BT(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
 502     RUNNER_ASSERT_MSG_BT(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
 503 }
 504
 505 /**
 506  * NOSMACK version of tc07 test.
 507  */
 508 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
 509 {
 510     const char* object_label = "tc07objectlabel";
 511
 512     int result1 = -1;
 513     int result2 = -1;
 514
 515     int pid = fork();
 516     RUNNER_ASSERT_BT(-1 != pid);
 517
 518     if (pid == 0) {
 519
 520         pid = fork();
 521         RUNNER_ASSERT_BT(-1 != pid);
 522
 523         if (pid == 0) { //child process
 524             //Create socket
 525             int sockfd = create_new_socket();
 526             RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
 527
 528             SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 529
 530             //Drop privileges
 531             RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 532
 533             //Prepare for accepting
 534             RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
 535
 536             struct sockaddr_un client_addr;
 537             socklen_t client_len = sizeof(client_addr);
 538
 539             //Accept connections
 540             int csockfd;
 541             RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
 542
 543             //wait a little bit for parent to do it's job
 544             usleep(200);
 545
 546             //cleanup and kill child
 547             close(csockfd);
 548             exit(0);
 549         } else {    //parent process
 550             //Drop root privileges
 551             RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 552
 553             //Wait for server to set up
 554             sleep(1);
 555
 556             //Connect and check privileges
 557             int sockfd = connect_to_testserver();
 558             RUNNER_ASSERT_MSG_BT(sockfd >= 0, "Failed to create socket fd.");
 559
 560             result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
 561             result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
 562
 563             close(sockfd);
 564
 565             //Both results (just like in the previous test case) should return success.
 566             RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
 567             RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
 568         }
 569     }
 570 }
 571
 572 int apply_smack_rule(const char *subject, const char *object, const char *rule)
 573 {
 574     struct smack_accesses *ruleHandler = NULL;
 575     if (smack_accesses_new(&ruleHandler) != 0)
 576         goto error;
 577     if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
 578         goto error;
 579     if (smack_accesses_apply(ruleHandler) != 0)
 580         goto error;
 581
 582     smack_accesses_free(ruleHandler);
 583     return 0;
 584
 585 error:
 586     smack_accesses_free(ruleHandler);
 587     return -1;
 588 }
 589
 590 RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
 591 {
 592     int cookieSize = security_server_get_cookie_size();
 593     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 594
 595     std::vector<char> cookie(cookieSize);
 596     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 597     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 598
 599     //checking function
 600     uid_t cookieUid, realUid;
 601     realUid = getuid();
 602     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 603     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
 604     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
 605
 606     //checking for input parameters
 607     retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
 608     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
 609     retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
 610     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
 611 }
 612
 613 RUNNER_CHILD_TEST_SMACK(tc11_security_server_get_uid_by_cookie_smack)
 614 {
 615     int cookieSize = security_server_get_cookie_size();
 616     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 617
 618     std::vector<char> cookie(cookieSize);
 619     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 620     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 621
 622     //preapare SMACK environment
 623     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 624     RUNNER_ASSERT_MSG_BT(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
 625     //drop privileges
 626     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 627
 628     //checking function
 629     uid_t cookieUid;
 630     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 631     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
 632 }
 633
 634 RUNNER_CHILD_TEST_SMACK(tc12_security_server_get_uid_by_cookie_smack)
 635 {
 636     int cookieSize = security_server_get_cookie_size();
 637     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 638
 639     uid_t realUid = getuid();
 640
 641     std::vector<char> cookie(cookieSize);
 642     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 643     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 644
 645     //preapare SMACK environment
 646     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 647     RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
 648     //drop privileges
 649     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 650
 651     //checking function
 652     uid_t cookieUid;
 653     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 654     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
 655     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
 656 }
 657
 658 RUNNER_CHILD_TEST_NOSMACK(tc12_security_server_get_uid_by_cookie_nosmack)
 659 {
 660     int cookieSize = security_server_get_cookie_size();
 661     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 662
 663     uid_t realUid = getuid();
 664
 665     std::vector<char> cookie(cookieSize);
 666     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 667     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 668
 669     //drop privileges
 670     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 671
 672     //checking function
 673     uid_t cookieUid;
 674     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 675     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
 676     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
 677 }
 678
 679 RUNNER_CHILD_TEST_SMACK(tc13_security_server_get_uid_by_cookie_smack)
 680 {
 681     int cookieSize = security_server_get_cookie_size();
 682     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 683
 684     //preapare SMACK environment
 685     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 686     RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
 687     RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
 688     //drop privileges
 689     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 690
 691     std::vector<char> cookie(cookieSize);
 692     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 693     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 694
 695     //checking function
 696     uid_t cookieUid, realUid = getuid();
 697     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 698     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
 699     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
 700 }
 701
 702 RUNNER_CHILD_TEST_NOSMACK(tc13_security_server_get_uid_by_cookie_nosmack)
 703 {
 704     int cookieSize = security_server_get_cookie_size();
 705     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 706
 707     //drop privileges
 708     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 709
 710     std::vector<char> cookie(cookieSize);
 711     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 712     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 713
 714     //checking function
 715     uid_t cookieUid, realUid = getuid();
 716     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 717     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
 718     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
 719 }
 720
 721 RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
 722 {
 723     int cookieSize = security_server_get_cookie_size();
 724     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 725
 726     std::vector<char> cookie(cookieSize);
 727     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 728     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 729
 730     //checking function
 731     gid_t cookieGid, realGid;
 732     realGid = getgid();
 733     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 734     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 735     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID");
 736
 737     //checking for input parameters
 738     retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
 739     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
 740     retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
 741     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
 742
 743 }
 744
 745 RUNNER_CHILD_TEST_SMACK(tc15_security_server_get_gid_by_cookie_smack)
 746 {
 747     int cookieSize = security_server_get_cookie_size();
 748     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 749
 750     std::vector<char> cookie(cookieSize);
 751     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 752     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 753
 754     //preapare SMACK environment
 755     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 756     RUNNER_ASSERT_MSG_BT(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
 757     //drop privileges
 758     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
 759     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 760
 761     //checking function
 762     gid_t cookieGid, realGid;
 763     realGid = getgid();
 764     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 765     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
 766 }
 767
 768 RUNNER_CHILD_TEST_SMACK(tc16_security_server_get_gid_by_cookie_smack)
 769 {
 770     int cookieSize = security_server_get_cookie_size();
 771     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 772
 773     std::vector<char> cookie(cookieSize);
 774
 775     gid_t realGid = getgid();
 776     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 777     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 778
 779     //preapare SMACK environment
 780     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 781     RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
 782     //drop privileges
 783     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
 784     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 785
 786     //checking function
 787     gid_t cookieGid;
 788     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 789     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 790     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
 791 }
 792
 793 RUNNER_CHILD_TEST_NOSMACK(tc16_security_server_get_gid_by_cookie_nosmack)
 794 {
 795     int cookieSize = security_server_get_cookie_size();
 796     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 797
 798     std::vector<char> cookie(cookieSize);
 799
 800     gid_t realGid = getgid();
 801     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 802     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 803
 804     //drop privileges
 805     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
 806     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 807
 808     //checking function
 809     gid_t cookieGid;
 810     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 811     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 812     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
 813 }
 814
 815 RUNNER_CHILD_TEST_SMACK(tc17_security_server_get_gid_by_cookie_smack)
 816 {
 817     int cookieSize = security_server_get_cookie_size();
 818     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 819
 820     //preapare SMACK environment
 821     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 822     RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
 823     RUNNER_ASSERT_MSG_BT(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
 824     //drop privileges
 825     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
 826     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 827
 828     std::vector<char> cookie(cookieSize);
 829     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 830     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 831
 832     //checking function
 833     gid_t cookieGid, realGid = getgid();
 834     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 835     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 836     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
 837 }
 838
 839 RUNNER_CHILD_TEST_NOSMACK(tc17_security_server_get_gid_by_cookie_nosmack)
 840 {
 841     int cookieSize = security_server_get_cookie_size();
 842     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
 843
 844     //drop privileges
 845     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
 846     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
 847
 848     std::vector<char> cookie(cookieSize);
 849     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 850     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 851
 852     //checking function
 853     gid_t cookieGid, realGid = getgid();
 854     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 855     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 856     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
 857 }
 858
 859 RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) {
 860     int res;
 861
 862     pid_t mypid;
 863
 864     char *label_smack = NULL;
 865     char *label_ss = NULL;
 866     char *cookie = NULL;
 867
 868     int cookie_size = security_server_get_cookie_size();
 869     RUNNER_ASSERT_MSG_BT(PROPER_COOKIE_SIZE == cookie_size, "Wrong cookie size from security-server");
 870
 871     mypid = getpid();
 872
 873     cookie = (char*) calloc(cookie_size, 1);
 874     RUNNER_ASSERT_MSG_BT(NULL != cookie, "Memory allocation error");
 875
 876     res = security_server_request_cookie(cookie, cookie_size);
 877     if (res != SECURITY_SERVER_API_SUCCESS) {
 878         free(cookie);
 879         RUNNER_ASSERT_MSG_BT(res == SECURITY_SERVER_API_SUCCESS, "Error in requesting cookie from security-server");
 880     }
 881
 882     label_ss = security_server_get_smacklabel_cookie(cookie);
 883     free(cookie);
 884     RUNNER_ASSERT_MSG_BT(label_ss != NULL, "Error in getting label by cookie");
 885
 886
 887     std::string label_cookie(label_ss);
 888     free(label_ss);
 889
 890     res = smack_new_label_from_self(&label_smack);
 891     if (res < 0) {
 892         free(label_smack);
 893         RUNNER_ASSERT_MSG_BT(res == 0, "Error in getting self SMACK label");
 894     }
 895     std::string label_self(label_smack ? label_smack : "");
 896     free(label_smack);
 897
 898     RUNNER_ASSERT_MSG_BT(label_self == label_cookie, "No match in SMACK labels");
 899
 900
 901     //TODO: here could be label change using SMACK API and checking if it
 902     //is changed using security-server API function based on the same cookie
 903 }
 904
 905 /**
 906  * NOSMACK version of tc_security_server_get_smacklabel_cookie test.
 907  *
 908  * Most of this test goes exactly as the original one. The only difference are the labels:
 909  * - We assume that libsmack tests passed and smack_new_label_from_self will return -1 and NULL
 910  *   label - there is no need to re-check it.
 911  * - Label acquired from security_server_get_smacklabel_cookie should be an empty string.
 912  */
 913 RUNNER_TEST_NOSMACK(tc18_security_server_get_smacklabel_cookie_nosmack) {
 914     int res;
 915
 916     pid_t mypid;
 917
 918     char* label_ss = NULL;
 919     char* cookie = NULL;
 920
 921     int cookie_size = security_server_get_cookie_size();
 922     RUNNER_ASSERT_MSG_BT(PROPER_COOKIE_SIZE == cookie_size,
 923             "Wrong cookie size from security-server. Size: " << cookie_size);
 924
 925     cookie = (char*) calloc(cookie_size, sizeof(char));
 926     RUNNER_ASSERT_MSG_BT(NULL != cookie, "Memory allocation error");
 927
 928     mypid = getpid();
 929
 930     //Request cookie from SS
 931     res = security_server_request_cookie(cookie, cookie_size);
 932     std::unique_ptr<char, std::function<void(char*)> > cookie_ptr(cookie, free);
 933     cookie = NULL;
 934     RUNNER_ASSERT_MSG_BT(res == SECURITY_SERVER_API_SUCCESS,
 935             "Error in requesting cookie from security-server. Result: " << res);
 936
 937     label_ss = security_server_get_smacklabel_cookie(cookie_ptr.get());
 938     RUNNER_ASSERT_MSG_BT(label_ss != NULL, "Error in getting label by cookie");
 939
 940     //Check if label_ss is correct, that is only one NULL character.
 941     if (label_ss[0] != '\0') {
 942         free(label_ss);
 943         RUNNER_ASSERT_MSG_BT(label_ss[0] == '\0', "label_ss was not an empty string.");
 944     }
 945
 946     free(label_ss);
 947 }
 948
 949 ////////////////////
 950 /////MAIN///////////
 951 ////////////////////
 952
 953 int main(int argc, char *argv[])
 954 {
 955     SummaryCollector::Register();
 956     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 957 }