projects / platform / core / test / security-tests.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Change sensitive names to more proper ones.
[platform/core/test/security-tests.git] / tests / security-server-tests / security_server_tests_client_smack.cpp
1 /*
2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
3  */
4 /*
5  * @file    security_server_tests_client_smack.cpp
6  * @author  Bartlomiej Grzelewski (b.grzelewski@samsung.com)
7  * @version 1.1
8  * @brief   Test cases for security-server-client-smack.
9  */
10
11 #include <unistd.h>
12 #include <stdlib.h>
13 #include <sys/types.h>
14 #include <sys/socket.h>
15 #include <sys/smack.h>
16 #include <sys/wait.h>
17 #include <sys/un.h>
18 #include <sys/stat.h>
19 #include <fcntl.h>
20 #include <errno.h>
21
22 #include <memory>
23 #include <functional>
24
25 #include <dpl/log/log.h>
26 #include <dpl/test/test_runner.h>
27 #include <dpl/test/test_runner_child.h>
28 #include <dpl/test/test_runner_multiprocess.h>
29 #include "security_server_mockup.h"
30
31 #include <security-server.h>
32 #include <access_provider.h>
33 #include "tests_common.h"
34 #include <summary_collector.h>
35
36
37 #define PROPER_COOKIE_SIZE 20
38
39 #define ENVIRONMENT                                                       \
40     do {                                                                  \
41         const char *subject_label = "mylabel";                            \
42         RUNNER_ASSERT_MSG_BT(-1 != system("touch /opt/home/root/pid_cycle"), \
43             "Cannot prepare environment for test.");                      \
44         RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label),   \
45             "Cannot prepare environment for test.");                      \
46         RUNNER_ASSERT_MSG_BT(-1 != setgid(1),                                \
47             "Cannot prepare environment for test.");                      \
48         RUNNER_ASSERT_MSG_BT(-1 != setuid(1),                                \
49             "Cannot prepare environment for test");                       \
50     } while (0)
51
52
53 /**
54  * Environment preparation should only differ in setting label. On NOSMACK system
55  * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
56  */
57 #define ENVIRONMENT_NOSMACK                                               \
58     do {                                                                  \
59         int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
60         RUNNER_ASSERT_MSG_BT(fd >= 0,                                        \
61             "Couldn't create pid_cycle file. errno: " << strerror(errno));\
62         close(fd);                                                        \
63         RUNNER_ASSERT_MSG_BT(-1 != setgid(1),                                \
64             "Cannot prepare environment for test.");                      \
65         RUNNER_ASSERT_MSG_BT(-1 != setuid(1),                                \
66             "Cannot prepare environment for test");                       \
67     } while (0)
68
69
70 /**
71  * Unique_ptr typedef for NOSMACK version of tc06 test
72  */
73 void closesockfdptr(int* sockfd_ptr)
74 {
75     close(*sockfd_ptr);
76 }
77 typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
78
79 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
80
81 /*
82  * test: Check cookie size returned by security_server_get_cookie_size.
83  * description: Cookie used by security-server is 20 bytes long.
84  * Any other size of cookies should be treated as error.
85  * expected: Function security_server_get_cookie_size returns 20.
86  */
87 RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
88 {
89     ENVIRONMENT;
90
91     int ret = security_server_get_cookie_size();
92     RUNNER_ASSERT_MSG_BT(20 == ret, "ret = " << ret);
93 }
94
95 /*
96  * test: security_server_request_cookie
97  * description: Function security_server_request_cookie will return
98  * 20 bytes long cookie.
99  * expected: function will set up cookie in the array and return
100  * SECURITY_SERVER_API_SUCCESS.
101  */
102 RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
103 {
104     ENVIRONMENT;
105
106     char cookie[20];
107     int ret = security_server_request_cookie(cookie, 20);
108     LogDebug("ret = " << ret);
109     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS == ret);
110 }
111
112 /*
113  * test: security_server_request_cookie
114  * description: Function security_server_request_cookie will return
115  * 20 bytes long cookie.
116  * expected: function will set up cookie in the array and return
117  * SECURITY_SERVER_API_SUCCESS.
118  */
119 RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
120 {
121     ENVIRONMENT;
122
123     char cookie[20];
124     int ret = security_server_request_cookie(cookie, 10);
125     LogDebug("ret = " << ret);
126     RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
127 }
128
129 /*
130  * test: tc04_security_server_get_gid
131  * description: Checking for security_server_get_gid
132  *              with nonexisting gid and existing one
133  * expected: security_server_get_gid should return
134  *           SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
135  *           and group id with second call
136  */
137 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
138 {
139     SecurityServer::AccessProvider provider("tc04mylabel");
140     provider.allowFunction("security_server_get_gid");
141     provider.applyAndSwithToUser(APP_UID, APP_GID);
142
143     int ret = security_server_get_gid("abc123xyz_pysiaczek");
144     LogDebug("ret = " << ret);
145     RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
146     ret = security_server_get_gid("root");
147     LogDebug("ret = " << ret);
148     RUNNER_ASSERT_MSG_BT(0 == ret, "Ret: " << ret);
149 }
150
151 /*
152  * test: tc05_check_privilege_by_cookie
153  * description: Function security_server_check_privilege_by_cookie should
154  * return status of access rights of cookie owner. In this case cookie owner
155  * is the same process that ask for the rights.
156  * expected: Function call with access rights set to "r" should return SUCCESS,
157  * with "rw" should return ACCESS DENIED.
158  */
159 RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
160 {
161     char cookie[20];
162     const char *object_label = "tc05objectlabel";
163     const char *access_rights = "r";
164     const char *access_rights_ext = "rw";
165     const char *subject_label = "tc05subjectlabel";
166
167     SmackAccess access;
168     access.add(subject_label, object_label, access_rights);
169     access.add(subject_label, "security-server::api-cookie-check", "w");
170     access.apply();
171
172     RUNNER_ASSERT_BT(0 == smack_set_label_for_self(subject_label));
173
174     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
175         security_server_request_cookie(cookie,20));
176
177     RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
178
179     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
180         security_server_check_privilege_by_cookie(
181             cookie,
182             object_label,
183             access_rights));
184
185     RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
186         security_server_check_privilege_by_cookie(
187             cookie,
188             object_label,
189             access_rights_ext));
190 }
191
192 /*
193  * test: security_server_check_privilege_by_sockfd
194  * description: This test will create dummy server that will accept connection
195  * and die. The client will try to check access rights using connection descriptor.
196  * expected: Function call with access rights set to "r" should return SUCCESS,
197  * with "rw" should return ACCESS DENIED.
198  */
199 RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
200 {
201     const char *object_label = "tc06objectlabel";
202     const char *access_rights = "r";
203     const char *access_rights_ext = "rw";
204     const char *subject_label = "tc06subjectlabel";
205
206     int result1 = -1;
207     int result2 = -1;
208
209     smack_accesses *handle;
210     RUNNER_ASSERT_BT(0 == smack_accesses_new(&handle));
211     RUNNER_ASSERT_BT(0 == smack_accesses_add(handle,
212             subject_label,
213             object_label,
214             access_rights));
215     RUNNER_ASSERT_BT(0 == smack_accesses_apply(handle));
216     smack_accesses_free(handle);
217
218     int pid = fork();
219     char *label;
220     RUNNER_ASSERT_BT(-1 != pid);
221
222     if (0 == pid) {
223         // child
224         RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
225
226         int sockfd = create_new_socket();
227         RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
228
229         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
230
231         label = security_server_get_smacklabel_sockfd(sockfd);
232         RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
233         RUNNER_ASSERT_MSG_BT(strcmp(label,"") == 0, "label is \"" << label << "\"");
234         free(label);
235
236         RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
237
238         RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
239
240         label = security_server_get_smacklabel_sockfd(sockfd);
241         RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
242         RUNNER_ASSERT_MSG_BT(strcmp(label,"") == 0, "label is \"" << label << "\"");
243         free(label);
244
245         struct sockaddr_un client_addr;
246         socklen_t client_len = sizeof(client_addr);
247         int csockfd;
248         RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
249
250         usleep(500);
251
252         close(csockfd);
253         exit(0);
254     } else {
255         // parent
256         sleep(1);
257         int sockfd = connect_to_testserver();
258         RUNNER_ASSERT_MSG_BT(sockfd >= 0, "connect_to_testserver() failed");
259
260         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
261
262         label = security_server_get_smacklabel_sockfd(sockfd);
263         RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
264         RUNNER_ASSERT_MSG_BT(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
265         free(label);
266
267         result1 = security_server_check_privilege_by_sockfd(
268             sockfd,
269             object_label,
270             access_rights);
271         result2 = security_server_check_privilege_by_sockfd(
272             sockfd,
273             object_label,
274             access_rights_ext);
275     }
276
277     RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
278     RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
279 }
280
281 /*
282  * test: security_server_check_privilege_by_sockfd
283  * description: This test will create dummy server that will accept connection
284  * and die. The client will try to check access rights using connection descriptor.
285  * Because we read a smack label not from socket directly, but from from pid of process
286  * on the other end of socket - that's why smack label will be updated.
287  * In this test client is running under root and server is not - to test the extreme case.
288  * expected: Function call with access rights set to "r" should return SUCCESS,
289  * with "rw" should return ACCESS DENIED.
290  */
291 RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
292 {
293     const char *object_label = "tc07objectlabel";
294     const char *access_rights = "r";
295     const char *access_rights_ext = "rw";
296     const char *subject_label = "tc07subjectlabel";
297
298     int result1 = -1;
299     int result2 = -1;
300
301     SmackAccess access;
302     access.add(subject_label, object_label, access_rights);
303     access.apply();
304
305     int pid = fork();
306     RUNNER_ASSERT_BT(-1 != pid);
307
308     if (0 == pid) {
309
310         pid = fork();
311         RUNNER_ASSERT_BT(-1 != pid);
312
313         if (0 == pid) {
314             // child
315             int sockfd = create_new_socket();
316             RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
317
318             SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
319
320             RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
321
322             RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
323
324             RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
325
326             struct sockaddr_un client_addr;
327             socklen_t client_len = sizeof(client_addr);
328             int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
329             if (csockfd >= 0)
330                 close(csockfd);
331             LogDebug("Exit!");
332             exit(0);
333         } else {
334             // parent
335             sleep(1);
336             int sockfd = connect_to_testserver();
337             RUNNER_ASSERT_MSG_BT(sockfd >= 0, "connect_to_testserver() failed");
338
339             result1 = security_server_check_privilege_by_sockfd(
340                 sockfd,
341                 object_label,
342                 access_rights);
343             result2 = security_server_check_privilege_by_sockfd(
344                 sockfd,
345                 object_label,
346                 access_rights_ext);
347
348             close(sockfd);
349
350             RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
351             RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
352         }
353     }
354 }
355
356 ///////////////////////////
357 /////NOSMACK ENV TESTS/////
358 ///////////////////////////
359
360 /**
361  * First four test cases are the same as their SMACK versions. The only difference is environment
362  * preparation (described near ENVIRONMENT_NOSMACK macro).
363  */
364 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
365 {
366     ENVIRONMENT_NOSMACK;
367
368     int ret = security_server_get_cookie_size();
369     RUNNER_ASSERT_MSG_BT(ret == 20, "ret = " << ret);
370 }
371
372 RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
373 {
374     ENVIRONMENT_NOSMACK;
375
376     char cookie[20];
377     int ret = security_server_request_cookie(cookie, 20);
378     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
379 }
380
381 RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
382 {
383     ENVIRONMENT_NOSMACK;
384
385     char cookie[20];
386     int ret = security_server_request_cookie(cookie, 10);
387     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
388 }
389
390 RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
391 {
392     ENVIRONMENT_NOSMACK;
393
394     int ret = security_server_get_gid("definitely_not_existing_object");
395     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
396     ret = security_server_get_gid("root");
397     RUNNER_ASSERT_MSG_BT(ret == 0, "ret = " << ret);
398 }
399
400 /*
401  * NOSMACK version of tc05 test.
402  *
403  * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
404  * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
405  * should return SUCCESS no matter what access_rights we give to this function.
406  */
407 RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
408 {
409     char cookie[20];
410     const char* object_label = "tc05objectlabel";
411
412     RUNNER_ASSERT_BT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
413
414     RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
415
416     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
417         security_server_check_privilege_by_cookie(cookie, object_label, "r"));
418
419     //On NOSMACK env security server should return success on any accesses, even those that are
420     //incorrect.
421     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
422         security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
423 }
424
425 /**
426  * NOSMACK version of tc06 test.
427  *
428  * Differences between this and SMACK version (server):
429  * - Skipped setting access_rights
430  * - Skipped setting label for server
431  * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
432  *   of socket (because it should do nothing when SMACK is off)
433  * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
434  *   from client
435  *
436  * For client the only difference are expected results from check_privilege_by_sockfd - both should
437  * return SUCCESS.
438  */
439 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
440 {
441     const char* object_label = "tc06objectlabel";
442
443     int result1 = -1;
444     int result2 = -1;
445
446     int pid = fork();
447     char* label;
448     RUNNER_ASSERT_BT(pid >= 0);
449
450     int ret;
451
452     if (pid == 0) { //child process - server
453         //create new socket
454         int sockfd = create_new_socket();
455         RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
456
457         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
458
459         //check if get_smacklabel_sockfd works correctly
460         label = security_server_get_smacklabel_sockfd(sockfd);
461         RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
462         ret = strcmp(label, "");
463         free(label);
464         RUNNER_ASSERT_MSG_BT(ret == 0, "label is \"" << label << "\"");
465
466         RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
467
468         RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
469
470         struct sockaddr_un client_addr;
471         socklen_t client_len = sizeof(client_addr);
472
473         int csockfd;
474         RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
475
476         //wait a little bit for parent to do it's job
477         usleep(200);
478
479         //if everything works, cleanup and return 0
480         close(csockfd);
481         exit(0);
482     } else {
483         //parent
484         sleep(1);
485         int sockfd = connect_to_testserver();
486         RUNNER_ASSERT_MSG_BT(sockfd >= 0, "Failed to connect to server.");
487
488         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
489
490         label = security_server_get_smacklabel_sockfd(sockfd);
491         RUNNER_ASSERT_MSG_BT(label != NULL, "get_smacklabel_sockfd failed.");
492         ret = strcmp(label, "");
493         free(label);
494         RUNNER_ASSERT_MSG_BT(ret == 0, "label is \"" << label << "\"");
495
496         result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
497         result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
498     }
499
500     RUNNER_ASSERT_MSG_BT(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
501     RUNNER_ASSERT_MSG_BT(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
502 }
503
504 /**
505  * NOSMACK version of tc07 test.
506  */
507 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
508 {
509     const char* object_label = "tc07objectlabel";
510
511     int result1 = -1;
512     int result2 = -1;
513
514     int pid = fork();
515     RUNNER_ASSERT_BT(-1 != pid);
516
517     if (pid == 0) {
518
519         pid = fork();
520         RUNNER_ASSERT_BT(-1 != pid);
521
522         if (pid == 0) { //child process
523             //Create socket
524             int sockfd = create_new_socket();
525             RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
526
527             SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
528
529             //Drop privileges
530             RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
531
532             //Prepare for accepting
533             RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
534
535             struct sockaddr_un client_addr;
536             socklen_t client_len = sizeof(client_addr);
537
538             //Accept connections
539             int csockfd;
540             RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
541
542             //wait a little bit for parent to do it's job
543             usleep(200);
544
545             //cleanup and kill child
546             close(csockfd);
547             exit(0);
548         } else {    //parent process
549             //Drop root privileges
550             RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
551
552             //Wait for server to set up
553             sleep(1);
554
555             //Connect and check privileges
556             int sockfd = connect_to_testserver();
557             RUNNER_ASSERT_MSG_BT(sockfd >= 0, "Failed to create socket fd.");
558
559             result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
560             result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
561
562             close(sockfd);
563
564             //Both results (just like in the previous test case) should return success.
565             RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
566             RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
567         }
568     }
569 }
570
571 int apply_smack_rule(const char *subject, const char *object, const char *rule)
572 {
573     struct smack_accesses *ruleHandler = NULL;
574     if (smack_accesses_new(&ruleHandler) != 0)
575         goto error;
576     if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
577         goto error;
578     if (smack_accesses_apply(ruleHandler) != 0)
579         goto error;
580
581     smack_accesses_free(ruleHandler);
582     return 0;
583
584 error:
585     smack_accesses_free(ruleHandler);
586     return -1;
587 }
588
589 RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
590 {
591     int cookieSize = security_server_get_cookie_size();
592     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
593
594     std::vector<char> cookie(cookieSize);
595     int retval = security_server_request_cookie(&cookie[0], cookieSize);
596     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
597
598     //checking function
599     uid_t cookieUid, realUid;
600     realUid = getuid();
601     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
602     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
603     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
604
605     //checking for input parameters
606     retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
607     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
608     retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
609     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
610 }
611
612 RUNNER_CHILD_TEST_SMACK(tc11_security_server_get_uid_by_cookie_smack)
613 {
614     const char* tc11testlabel = "tc11testlabel";
615
616     int cookieSize = security_server_get_cookie_size();
617     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
618
619     std::vector<char> cookie(cookieSize);
620     int retval = security_server_request_cookie(&cookie[0], cookieSize);
621     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
622
623     //preapare SMACK environment
624     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc11testlabel) == 0,
625             "Unable to set label for self");
626     RUNNER_ASSERT_MSG_BT(smack_revoke_subject(tc11testlabel) == 0,
627             "Error in smack_revoke_subject");
628     //drop privileges
629     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
630
631     //checking function
632     uid_t cookieUid;
633     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
634     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
635 }
636
637 RUNNER_CHILD_TEST_SMACK(tc12_security_server_get_uid_by_cookie_smack)
638 {
639     const char* tc12testlabel = "tc12testlabel";
640
641     int cookieSize = security_server_get_cookie_size();
642     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
643
644     uid_t realUid = getuid();
645
646     std::vector<char> cookie(cookieSize);
647     int retval = security_server_request_cookie(&cookie[0], cookieSize);
648     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
649
650     //preapare SMACK environment
651     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc12testlabel) == 0,
652             "Unable to set label for self");
653     RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc12testlabel,
654             "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
655     //drop privileges
656     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
657
658     //checking function
659     uid_t cookieUid;
660     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
661     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
662     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
663 }
664
665 RUNNER_CHILD_TEST_NOSMACK(tc12_security_server_get_uid_by_cookie_nosmack)
666 {
667     int cookieSize = security_server_get_cookie_size();
668     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
669
670     uid_t realUid = getuid();
671
672     std::vector<char> cookie(cookieSize);
673     int retval = security_server_request_cookie(&cookie[0], cookieSize);
674     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
675
676     //drop privileges
677     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
678
679     //checking function
680     uid_t cookieUid;
681     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
682     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
683     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
684 }
685
686 RUNNER_CHILD_TEST_SMACK(tc13_security_server_get_uid_by_cookie_smack)
687 {
688     const char* tc13testlabel = "tc13testlabel";
689
690     int cookieSize = security_server_get_cookie_size();
691     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
692
693     //preapare SMACK environment
694     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc13testlabel) == 0,
695             "Unable to set label for self");
696     RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc13testlabel,
697             "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
698     RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc13testlabel,
699             "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
700     //drop privileges
701     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
702
703     std::vector<char> cookie(cookieSize);
704     int retval = security_server_request_cookie(&cookie[0], cookieSize);
705     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
706
707     //checking function
708     uid_t cookieUid, realUid = getuid();
709     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
710     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
711     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
712 }
713
714 RUNNER_CHILD_TEST_NOSMACK(tc13_security_server_get_uid_by_cookie_nosmack)
715 {
716     int cookieSize = security_server_get_cookie_size();
717     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
718
719     //drop privileges
720     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
721
722     std::vector<char> cookie(cookieSize);
723     int retval = security_server_request_cookie(&cookie[0], cookieSize);
724     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
725
726     //checking function
727     uid_t cookieUid, realUid = getuid();
728     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
729     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
730     RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
731 }
732
733 RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
734 {
735     int cookieSize = security_server_get_cookie_size();
736     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
737
738     std::vector<char> cookie(cookieSize);
739     int retval = security_server_request_cookie(&cookie[0], cookieSize);
740     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
741
742     //checking function
743     gid_t cookieGid, realGid;
744     realGid = getgid();
745     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
746     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
747     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID");
748
749     //checking for input parameters
750     retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
751     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
752     retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
753     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
754
755 }
756
757 RUNNER_CHILD_TEST_SMACK(tc15_security_server_get_gid_by_cookie_smack)
758 {
759     const char* tc15testlabel = "tc15testlabel";
760
761     int cookieSize = security_server_get_cookie_size();
762     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
763
764     std::vector<char> cookie(cookieSize);
765     int retval = security_server_request_cookie(&cookie[0], cookieSize);
766     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
767
768     //preapare SMACK environment
769     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc15testlabel) == 0,
770             "Unable to set label for self");
771     RUNNER_ASSERT_MSG_BT(smack_revoke_subject(tc15testlabel) == 0,
772             "Error in smack_revoke_subject");
773     //drop privileges
774     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
775     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
776
777     //checking function
778     gid_t cookieGid;
779     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
780     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
781 }
782
783 RUNNER_CHILD_TEST_SMACK(tc16_security_server_get_gid_by_cookie_smack)
784 {
785     const char* tc16testlabel = "tc16testlabel";
786
787     int cookieSize = security_server_get_cookie_size();
788     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
789
790     std::vector<char> cookie(cookieSize);
791
792     gid_t realGid = getgid();
793     int retval = security_server_request_cookie(&cookie[0], cookieSize);
794     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
795
796     //preapare SMACK environment
797     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc16testlabel) == 0,
798             "Unable to set label for self");
799     RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc16testlabel,
800             "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
801     //drop privileges
802     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
803     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
804
805     //checking function
806     gid_t cookieGid;
807     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
808     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
809     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
810 }
811
812 RUNNER_CHILD_TEST_NOSMACK(tc16_security_server_get_gid_by_cookie_nosmack)
813 {
814     int cookieSize = security_server_get_cookie_size();
815     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
816
817     std::vector<char> cookie(cookieSize);
818
819     gid_t realGid = getgid();
820     int retval = security_server_request_cookie(&cookie[0], cookieSize);
821     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
822
823     //drop privileges
824     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
825     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
826
827     //checking function
828     gid_t cookieGid;
829     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
830     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
831     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
832 }
833
834 RUNNER_CHILD_TEST_SMACK(tc17_security_server_get_gid_by_cookie_smack)
835 {
836     const char* tc17testlabel = "tc17testlabel";
837
838     int cookieSize = security_server_get_cookie_size();
839     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
840
841     //preapare SMACK environment
842     RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc17testlabel) == 0,
843             "Unable to set label for self");
844     RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc17testlabel,
845             "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
846     RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc17testlabel,
847             "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
848     //drop privileges
849     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
850     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
851
852     std::vector<char> cookie(cookieSize);
853     int retval = security_server_request_cookie(&cookie[0], cookieSize);
854     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
855
856     //checking function
857     gid_t cookieGid, realGid = getgid();
858     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
859     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
860     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
861 }
862
863 RUNNER_CHILD_TEST_NOSMACK(tc17_security_server_get_gid_by_cookie_nosmack)
864 {
865     int cookieSize = security_server_get_cookie_size();
866     RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
867
868     //drop privileges
869     RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
870     RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
871
872     std::vector<char> cookie(cookieSize);
873     int retval = security_server_request_cookie(&cookie[0], cookieSize);
874     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
875
876     //checking function
877     gid_t cookieGid, realGid = getgid();
878     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
879     RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
880     RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
881 }
882
883 RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) {
884     int res;
885
886     char *label_smack = NULL;
887     char *label_ss = NULL;
888     char *cookie = NULL;
889
890     int cookie_size = security_server_get_cookie_size();
891     RUNNER_ASSERT_MSG_BT(PROPER_COOKIE_SIZE == cookie_size, "Wrong cookie size from security-server");
892
893     cookie = (char*) calloc(cookie_size, 1);
894     RUNNER_ASSERT_MSG_BT(NULL != cookie, "Memory allocation error");
895
896     res = security_server_request_cookie(cookie, cookie_size);
897     if (res != SECURITY_SERVER_API_SUCCESS) {
898         free(cookie);
899         RUNNER_ASSERT_MSG_BT(res == SECURITY_SERVER_API_SUCCESS, "Error in requesting cookie from security-server");
900     }
901
902     label_ss = security_server_get_smacklabel_cookie(cookie);
903     free(cookie);
904     RUNNER_ASSERT_MSG_BT(label_ss != NULL, "Error in getting label by cookie");
905
906
907     std::string label_cookie(label_ss);
908     free(label_ss);
909
910     res = smack_new_label_from_self(&label_smack);
911     if (res < 0) {
912         free(label_smack);
913         RUNNER_ASSERT_MSG_BT(res == 0, "Error in getting self SMACK label");
914     }
915     std::string label_self(label_smack ? label_smack : "");
916     free(label_smack);
917
918     RUNNER_ASSERT_MSG_BT(label_self == label_cookie, "No match in SMACK labels");
919
920
921     //TODO: here could be label change using SMACK API and checking if it
922     //is changed using security-server API function based on the same cookie
923 }
924
925 /**
926  * NOSMACK version of tc_security_server_get_smacklabel_cookie test.
927  *
928  * Most of this test goes exactly as the original one. The only difference are the labels:
929  * - We assume that libsmack tests passed and smack_new_label_from_self will return -1 and NULL
930  *   label - there is no need to re-check it.
931  * - Label acquired from security_server_get_smacklabel_cookie should be an empty string.
932  */
933 RUNNER_TEST_NOSMACK(tc18_security_server_get_smacklabel_cookie_nosmack) {
934     int res;
935
936     char* label_ss = NULL;
937     char* cookie = NULL;
938
939     int cookie_size = security_server_get_cookie_size();
940     RUNNER_ASSERT_MSG_BT(PROPER_COOKIE_SIZE == cookie_size,
941             "Wrong cookie size from security-server. Size: " << cookie_size);
942
943     cookie = (char*) calloc(cookie_size, sizeof(char));
944     RUNNER_ASSERT_MSG_BT(NULL != cookie, "Memory allocation error");
945
946     //Request cookie from SS
947     res = security_server_request_cookie(cookie, cookie_size);
948     std::unique_ptr<char, std::function<void(char*)> > cookie_ptr(cookie, free);
949     cookie = NULL;
950     RUNNER_ASSERT_MSG_BT(res == SECURITY_SERVER_API_SUCCESS,
951             "Error in requesting cookie from security-server. Result: " << res);
952
953     label_ss = security_server_get_smacklabel_cookie(cookie_ptr.get());
954     RUNNER_ASSERT_MSG_BT(label_ss != NULL, "Error in getting label by cookie");
955
956     //Check if label_ss is correct, that is only one NULL character.
957     if (label_ss[0] != '\0') {
958         free(label_ss);
959         RUNNER_ASSERT_MSG_BT(label_ss[0] == '\0', "label_ss was not an empty string.");
960     }
961
962     free(label_ss);
963 }
964
965 ////////////////////
966 /////MAIN///////////
967 ////////////////////
968
969 int main(int argc, char *argv[])
970 {
971     SummaryCollector::Register();
972     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
973 }
Domain: Security / Uncategorized;