2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
5 * @file security_server_tests_client_smack.cpp
6 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
8 * @brief Test cases for security-server-client-smack.
13 #include <sys/types.h>
14 #include <sys/socket.h>
15 #include <sys/smack.h>
25 #include <dpl/log/log.h>
26 #include <dpl/test/test_runner.h>
27 #include <dpl/test/test_runner_child.h>
28 #include <dpl/test/test_runner_multiprocess.h>
29 #include "security_server_mockup.h"
31 #include <security-server.h>
32 #include <access_provider.h>
33 #include "tests_common.h"
34 #include <summary_collector.h>
37 #define PROPER_COOKIE_SIZE 20
41 const char *subject_label = "mylabel"; \
42 RUNNER_ASSERT_MSG_BT(-1 != system("touch /opt/home/root/pid_cycle"), \
43 "Cannot prepare environment for test."); \
44 RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), \
45 "Cannot prepare environment for test."); \
46 RUNNER_ASSERT_MSG_BT(-1 != setgid(1), \
47 "Cannot prepare environment for test."); \
48 RUNNER_ASSERT_MSG_BT(-1 != setuid(1), \
49 "Cannot prepare environment for test"); \
54 * Environment preparation should only differ in setting label. On NOSMACK system
55 * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
57 #define ENVIRONMENT_NOSMACK \
59 int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
60 RUNNER_ASSERT_MSG_BT(fd >= 0, \
61 "Couldn't create pid_cycle file. errno: " << strerror(errno));\
63 RUNNER_ASSERT_MSG_BT(-1 != setgid(1), \
64 "Cannot prepare environment for test."); \
65 RUNNER_ASSERT_MSG_BT(-1 != setuid(1), \
66 "Cannot prepare environment for test"); \
71 * Unique_ptr typedef for NOSMACK version of tc06 test
73 void closesockfdptr(int* sockfd_ptr)
77 typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
79 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
82 * test: Check cookie size returned by security_server_get_cookie_size.
83 * description: Cookie used by security-server is 20 bytes long.
84 * Any other size of cookies should be treated as error.
85 * expected: Function security_server_get_cookie_size returns 20.
87 RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
91 int ret = security_server_get_cookie_size();
92 RUNNER_ASSERT_MSG_BT(20 == ret, "ret = " << ret);
96 * test: security_server_request_cookie
97 * description: Function security_server_request_cookie will return
98 * 20 bytes long cookie.
99 * expected: function will set up cookie in the array and return
100 * SECURITY_SERVER_API_SUCCESS.
102 RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
107 int ret = security_server_request_cookie(cookie, 20);
108 LogDebug("ret = " << ret);
109 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS == ret);
113 * test: security_server_request_cookie
114 * description: Function security_server_request_cookie will return
115 * 20 bytes long cookie.
116 * expected: function will set up cookie in the array and return
117 * SECURITY_SERVER_API_SUCCESS.
119 RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
124 int ret = security_server_request_cookie(cookie, 10);
125 LogDebug("ret = " << ret);
126 RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
130 * test: tc04_security_server_get_gid
131 * description: Checking for security_server_get_gid
132 * with nonexisting gid and existing one
133 * expected: security_server_get_gid should return
134 * SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
135 * and group id with second call
137 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
139 SecurityServer::AccessProvider provider("tc04mylabel");
140 provider.allowFunction("security_server_get_gid");
141 provider.applyAndSwithToUser(APP_UID, APP_GID);
143 int ret = security_server_get_gid("abc123xyz_pysiaczek");
144 LogDebug("ret = " << ret);
145 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
146 ret = security_server_get_gid("root");
147 LogDebug("ret = " << ret);
148 RUNNER_ASSERT_MSG_BT(0 == ret, "Ret: " << ret);
152 * test: tc05_check_privilege_by_cookie
153 * description: Function security_server_check_privilege_by_cookie should
154 * return status of access rights of cookie owner. In this case cookie owner
155 * is the same process that ask for the rights.
156 * expected: Function call with access rights set to "r" should return SUCCESS,
157 * with "rw" should return ACCESS DENIED.
159 RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
162 const char *object_label = "tc05objectlabel";
163 const char *access_rights = "r";
164 const char *access_rights_ext = "rw";
165 const char *subject_label = "tc05subjectlabel";
168 access.add(subject_label, object_label, access_rights);
169 access.add(subject_label, "security-server::api-cookie-check", "w");
172 RUNNER_ASSERT_BT(0 == smack_set_label_for_self(subject_label));
174 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
175 security_server_request_cookie(cookie,20));
177 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
179 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
180 security_server_check_privilege_by_cookie(
185 RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
186 security_server_check_privilege_by_cookie(
193 * test: security_server_check_privilege_by_sockfd
194 * description: This test will create dummy server that will accept connection
195 * and die. The client will try to check access rights using connection descriptor.
196 * expected: Function call with access rights set to "r" should return SUCCESS,
197 * with "rw" should return ACCESS DENIED.
199 RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
201 const char *object_label = "tc06objectlabel";
202 const char *access_rights = "r";
203 const char *access_rights_ext = "rw";
204 const char *subject_label = "tc06subjectlabel";
209 smack_accesses *handle;
210 RUNNER_ASSERT_BT(0 == smack_accesses_new(&handle));
211 RUNNER_ASSERT_BT(0 == smack_accesses_add(handle,
215 RUNNER_ASSERT_BT(0 == smack_accesses_apply(handle));
216 smack_accesses_free(handle);
220 RUNNER_ASSERT_BT(-1 != pid);
224 RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
226 int sockfd = create_new_socket();
227 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
229 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
231 label = security_server_get_smacklabel_sockfd(sockfd);
232 RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
233 RUNNER_ASSERT_MSG_BT(strcmp(label,"") == 0, "label is \"" << label << "\"");
236 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
238 RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
240 label = security_server_get_smacklabel_sockfd(sockfd);
241 RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
242 RUNNER_ASSERT_MSG_BT(strcmp(label,"") == 0, "label is \"" << label << "\"");
245 struct sockaddr_un client_addr;
246 socklen_t client_len = sizeof(client_addr);
248 RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
257 int sockfd = connect_to_testserver();
258 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "connect_to_testserver() failed");
260 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
262 label = security_server_get_smacklabel_sockfd(sockfd);
263 RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
264 RUNNER_ASSERT_MSG_BT(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
267 result1 = security_server_check_privilege_by_sockfd(
271 result2 = security_server_check_privilege_by_sockfd(
277 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
278 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
282 * test: security_server_check_privilege_by_sockfd
283 * description: This test will create dummy server that will accept connection
284 * and die. The client will try to check access rights using connection descriptor.
285 * Because we read a smack label not from socket directly, but from from pid of process
286 * on the other end of socket - that's why smack label will be updated.
287 * In this test client is running under root and server is not - to test the extreme case.
288 * expected: Function call with access rights set to "r" should return SUCCESS,
289 * with "rw" should return ACCESS DENIED.
291 RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
293 const char *object_label = "tc07objectlabel";
294 const char *access_rights = "r";
295 const char *access_rights_ext = "rw";
296 const char *subject_label = "tc07subjectlabel";
302 access.add(subject_label, object_label, access_rights);
306 RUNNER_ASSERT_BT(-1 != pid);
311 RUNNER_ASSERT_BT(-1 != pid);
315 int sockfd = create_new_socket();
316 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
318 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
320 RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
322 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
324 RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
326 struct sockaddr_un client_addr;
327 socklen_t client_len = sizeof(client_addr);
328 int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
336 int sockfd = connect_to_testserver();
337 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "connect_to_testserver() failed");
339 result1 = security_server_check_privilege_by_sockfd(
343 result2 = security_server_check_privilege_by_sockfd(
350 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
351 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
356 ///////////////////////////
357 /////NOSMACK ENV TESTS/////
358 ///////////////////////////
361 * First four test cases are the same as their SMACK versions. The only difference is environment
362 * preparation (described near ENVIRONMENT_NOSMACK macro).
364 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
368 int ret = security_server_get_cookie_size();
369 RUNNER_ASSERT_MSG_BT(ret == 20, "ret = " << ret);
372 RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
377 int ret = security_server_request_cookie(cookie, 20);
378 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
381 RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
386 int ret = security_server_request_cookie(cookie, 10);
387 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
390 RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
394 int ret = security_server_get_gid("definitely_not_existing_object");
395 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
396 ret = security_server_get_gid("root");
397 RUNNER_ASSERT_MSG_BT(ret == 0, "ret = " << ret);
401 * NOSMACK version of tc05 test.
403 * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
404 * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
405 * should return SUCCESS no matter what access_rights we give to this function.
407 RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
410 const char* object_label = "tc05objectlabel";
412 RUNNER_ASSERT_BT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
414 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
416 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
417 security_server_check_privilege_by_cookie(cookie, object_label, "r"));
419 //On NOSMACK env security server should return success on any accesses, even those that are
421 RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
422 security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
426 * NOSMACK version of tc06 test.
428 * Differences between this and SMACK version (server):
429 * - Skipped setting access_rights
430 * - Skipped setting label for server
431 * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
432 * of socket (because it should do nothing when SMACK is off)
433 * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
436 * For client the only difference are expected results from check_privilege_by_sockfd - both should
439 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
441 const char* object_label = "tc06objectlabel";
448 RUNNER_ASSERT_BT(pid >= 0);
452 if (pid == 0) { //child process - server
454 int sockfd = create_new_socket();
455 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
457 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
459 //check if get_smacklabel_sockfd works correctly
460 label = security_server_get_smacklabel_sockfd(sockfd);
461 RUNNER_ASSERT_MSG_BT(label != NULL, "security_server_get_smacklabel_sockfd failed");
462 ret = strcmp(label, "");
464 RUNNER_ASSERT_MSG_BT(ret == 0, "label is \"" << label << "\"");
466 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
468 RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
470 struct sockaddr_un client_addr;
471 socklen_t client_len = sizeof(client_addr);
474 RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
476 //wait a little bit for parent to do it's job
479 //if everything works, cleanup and return 0
485 int sockfd = connect_to_testserver();
486 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "Failed to connect to server.");
488 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
490 label = security_server_get_smacklabel_sockfd(sockfd);
491 RUNNER_ASSERT_MSG_BT(label != NULL, "get_smacklabel_sockfd failed.");
492 ret = strcmp(label, "");
494 RUNNER_ASSERT_MSG_BT(ret == 0, "label is \"" << label << "\"");
496 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
497 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
500 RUNNER_ASSERT_MSG_BT(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
501 RUNNER_ASSERT_MSG_BT(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
505 * NOSMACK version of tc07 test.
507 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
509 const char* object_label = "tc07objectlabel";
515 RUNNER_ASSERT_BT(-1 != pid);
520 RUNNER_ASSERT_BT(-1 != pid);
522 if (pid == 0) { //child process
524 int sockfd = create_new_socket();
525 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "create_new_socket() failed");
527 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
530 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
532 //Prepare for accepting
533 RUNNER_ASSERT_MSG_BT(listen(sockfd, 5) >= 0, "child listen failed");
535 struct sockaddr_un client_addr;
536 socklen_t client_len = sizeof(client_addr);
540 RUNNER_ASSERT_MSG_BT((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
542 //wait a little bit for parent to do it's job
545 //cleanup and kill child
548 } else { //parent process
549 //Drop root privileges
550 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
552 //Wait for server to set up
555 //Connect and check privileges
556 int sockfd = connect_to_testserver();
557 RUNNER_ASSERT_MSG_BT(sockfd >= 0, "Failed to create socket fd.");
559 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
560 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
564 //Both results (just like in the previous test case) should return success.
565 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
566 RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
571 int apply_smack_rule(const char *subject, const char *object, const char *rule)
573 struct smack_accesses *ruleHandler = NULL;
574 if (smack_accesses_new(&ruleHandler) != 0)
576 if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
578 if (smack_accesses_apply(ruleHandler) != 0)
581 smack_accesses_free(ruleHandler);
585 smack_accesses_free(ruleHandler);
589 RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
591 int cookieSize = security_server_get_cookie_size();
592 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
594 std::vector<char> cookie(cookieSize);
595 int retval = security_server_request_cookie(&cookie[0], cookieSize);
596 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
599 uid_t cookieUid, realUid;
601 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
602 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
603 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
605 //checking for input parameters
606 retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
607 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
608 retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
609 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
612 RUNNER_CHILD_TEST_SMACK(tc11_security_server_get_uid_by_cookie_smack)
614 const char* tc11testlabel = "tc11testlabel";
616 int cookieSize = security_server_get_cookie_size();
617 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
619 std::vector<char> cookie(cookieSize);
620 int retval = security_server_request_cookie(&cookie[0], cookieSize);
621 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
623 //preapare SMACK environment
624 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc11testlabel) == 0,
625 "Unable to set label for self");
626 RUNNER_ASSERT_MSG_BT(smack_revoke_subject(tc11testlabel) == 0,
627 "Error in smack_revoke_subject");
629 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
633 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
634 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
637 RUNNER_CHILD_TEST_SMACK(tc12_security_server_get_uid_by_cookie_smack)
639 const char* tc12testlabel = "tc12testlabel";
641 int cookieSize = security_server_get_cookie_size();
642 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
644 uid_t realUid = getuid();
646 std::vector<char> cookie(cookieSize);
647 int retval = security_server_request_cookie(&cookie[0], cookieSize);
648 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
650 //preapare SMACK environment
651 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc12testlabel) == 0,
652 "Unable to set label for self");
653 RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc12testlabel,
654 "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
656 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
660 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
661 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
662 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
665 RUNNER_CHILD_TEST_NOSMACK(tc12_security_server_get_uid_by_cookie_nosmack)
667 int cookieSize = security_server_get_cookie_size();
668 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
670 uid_t realUid = getuid();
672 std::vector<char> cookie(cookieSize);
673 int retval = security_server_request_cookie(&cookie[0], cookieSize);
674 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
677 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
681 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
682 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
683 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
686 RUNNER_CHILD_TEST_SMACK(tc13_security_server_get_uid_by_cookie_smack)
688 const char* tc13testlabel = "tc13testlabel";
690 int cookieSize = security_server_get_cookie_size();
691 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
693 //preapare SMACK environment
694 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc13testlabel) == 0,
695 "Unable to set label for self");
696 RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc13testlabel,
697 "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
698 RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc13testlabel,
699 "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
701 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
703 std::vector<char> cookie(cookieSize);
704 int retval = security_server_request_cookie(&cookie[0], cookieSize);
705 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
708 uid_t cookieUid, realUid = getuid();
709 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
710 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
711 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
714 RUNNER_CHILD_TEST_NOSMACK(tc13_security_server_get_uid_by_cookie_nosmack)
716 int cookieSize = security_server_get_cookie_size();
717 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
720 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
722 std::vector<char> cookie(cookieSize);
723 int retval = security_server_request_cookie(&cookie[0], cookieSize);
724 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
727 uid_t cookieUid, realUid = getuid();
728 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
729 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
730 RUNNER_ASSERT_MSG_BT(realUid == cookieUid, "No match in received UID");
733 RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
735 int cookieSize = security_server_get_cookie_size();
736 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
738 std::vector<char> cookie(cookieSize);
739 int retval = security_server_request_cookie(&cookie[0], cookieSize);
740 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
743 gid_t cookieGid, realGid;
745 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
746 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
747 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID");
749 //checking for input parameters
750 retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
751 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
752 retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
753 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
757 RUNNER_CHILD_TEST_SMACK(tc15_security_server_get_gid_by_cookie_smack)
759 const char* tc15testlabel = "tc15testlabel";
761 int cookieSize = security_server_get_cookie_size();
762 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
764 std::vector<char> cookie(cookieSize);
765 int retval = security_server_request_cookie(&cookie[0], cookieSize);
766 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
768 //preapare SMACK environment
769 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc15testlabel) == 0,
770 "Unable to set label for self");
771 RUNNER_ASSERT_MSG_BT(smack_revoke_subject(tc15testlabel) == 0,
772 "Error in smack_revoke_subject");
774 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
775 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
779 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
780 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
783 RUNNER_CHILD_TEST_SMACK(tc16_security_server_get_gid_by_cookie_smack)
785 const char* tc16testlabel = "tc16testlabel";
787 int cookieSize = security_server_get_cookie_size();
788 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
790 std::vector<char> cookie(cookieSize);
792 gid_t realGid = getgid();
793 int retval = security_server_request_cookie(&cookie[0], cookieSize);
794 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
796 //preapare SMACK environment
797 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc16testlabel) == 0,
798 "Unable to set label for self");
799 RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc16testlabel,
800 "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
802 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
803 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
807 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
808 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
809 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
812 RUNNER_CHILD_TEST_NOSMACK(tc16_security_server_get_gid_by_cookie_nosmack)
814 int cookieSize = security_server_get_cookie_size();
815 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
817 std::vector<char> cookie(cookieSize);
819 gid_t realGid = getgid();
820 int retval = security_server_request_cookie(&cookie[0], cookieSize);
821 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
824 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
825 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
829 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
830 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
831 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
834 RUNNER_CHILD_TEST_SMACK(tc17_security_server_get_gid_by_cookie_smack)
836 const char* tc17testlabel = "tc17testlabel";
838 int cookieSize = security_server_get_cookie_size();
839 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
841 //preapare SMACK environment
842 RUNNER_ASSERT_MSG_BT(smack_set_label_for_self(tc17testlabel) == 0,
843 "Unable to set label for self");
844 RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc17testlabel,
845 "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
846 RUNNER_ASSERT_MSG_BT(apply_smack_rule(tc17testlabel,
847 "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
849 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
850 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
852 std::vector<char> cookie(cookieSize);
853 int retval = security_server_request_cookie(&cookie[0], cookieSize);
854 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
857 gid_t cookieGid, realGid = getgid();
858 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
859 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
860 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
863 RUNNER_CHILD_TEST_NOSMACK(tc17_security_server_get_gid_by_cookie_nosmack)
865 int cookieSize = security_server_get_cookie_size();
866 RUNNER_ASSERT_MSG_BT(cookieSize == 20, "Wrong cookie size");
869 RUNNER_ASSERT_MSG_BT(setgid(APP_GID) == 0, "Unable to drop privileges");
870 RUNNER_ASSERT_MSG_BT(setuid(APP_UID) == 0, "Unable to drop privileges");
872 std::vector<char> cookie(cookieSize);
873 int retval = security_server_request_cookie(&cookie[0], cookieSize);
874 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
877 gid_t cookieGid, realGid = getgid();
878 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
879 RUNNER_ASSERT_MSG_BT(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
880 RUNNER_ASSERT_MSG_BT(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
883 RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) {
886 char *label_smack = NULL;
887 char *label_ss = NULL;
890 int cookie_size = security_server_get_cookie_size();
891 RUNNER_ASSERT_MSG_BT(PROPER_COOKIE_SIZE == cookie_size, "Wrong cookie size from security-server");
893 cookie = (char*) calloc(cookie_size, 1);
894 RUNNER_ASSERT_MSG_BT(NULL != cookie, "Memory allocation error");
896 res = security_server_request_cookie(cookie, cookie_size);
897 if (res != SECURITY_SERVER_API_SUCCESS) {
899 RUNNER_ASSERT_MSG_BT(res == SECURITY_SERVER_API_SUCCESS, "Error in requesting cookie from security-server");
902 label_ss = security_server_get_smacklabel_cookie(cookie);
904 RUNNER_ASSERT_MSG_BT(label_ss != NULL, "Error in getting label by cookie");
907 std::string label_cookie(label_ss);
910 res = smack_new_label_from_self(&label_smack);
913 RUNNER_ASSERT_MSG_BT(res == 0, "Error in getting self SMACK label");
915 std::string label_self(label_smack ? label_smack : "");
918 RUNNER_ASSERT_MSG_BT(label_self == label_cookie, "No match in SMACK labels");
921 //TODO: here could be label change using SMACK API and checking if it
922 //is changed using security-server API function based on the same cookie
926 * NOSMACK version of tc_security_server_get_smacklabel_cookie test.
928 * Most of this test goes exactly as the original one. The only difference are the labels:
929 * - We assume that libsmack tests passed and smack_new_label_from_self will return -1 and NULL
930 * label - there is no need to re-check it.
931 * - Label acquired from security_server_get_smacklabel_cookie should be an empty string.
933 RUNNER_TEST_NOSMACK(tc18_security_server_get_smacklabel_cookie_nosmack) {
936 char* label_ss = NULL;
939 int cookie_size = security_server_get_cookie_size();
940 RUNNER_ASSERT_MSG_BT(PROPER_COOKIE_SIZE == cookie_size,
941 "Wrong cookie size from security-server. Size: " << cookie_size);
943 cookie = (char*) calloc(cookie_size, sizeof(char));
944 RUNNER_ASSERT_MSG_BT(NULL != cookie, "Memory allocation error");
946 //Request cookie from SS
947 res = security_server_request_cookie(cookie, cookie_size);
948 std::unique_ptr<char, std::function<void(char*)> > cookie_ptr(cookie, free);
950 RUNNER_ASSERT_MSG_BT(res == SECURITY_SERVER_API_SUCCESS,
951 "Error in requesting cookie from security-server. Result: " << res);
953 label_ss = security_server_get_smacklabel_cookie(cookie_ptr.get());
954 RUNNER_ASSERT_MSG_BT(label_ss != NULL, "Error in getting label by cookie");
956 //Check if label_ss is correct, that is only one NULL character.
957 if (label_ss[0] != '\0') {
959 RUNNER_ASSERT_MSG_BT(label_ss[0] == '\0', "label_ss was not an empty string.");
969 int main(int argc, char *argv[])
971 SummaryCollector::Register();
972 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);