tests/security-server-tests/security_server_tests_client_smack.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4 /*
   5  * @file    security_server_tests_client_smack.cpp
   6  * @author  Bartlomiej Grzelewski (b.grzelewski@samsung.com)
   7  * @version 1.1
   8  * @brief   Test cases for security-server-client-smack.
   9  */
  10
  11 #include <unistd.h>
  12 #include <stdlib.h>
  13 #include <sys/types.h>
  14 #include <sys/socket.h>
  15 #include <sys/smack.h>
  16 #include <sys/wait.h>
  17 #include <sys/un.h>
  18 #include <sys/stat.h>
  19 #include <fcntl.h>
  20 #include <errno.h>
  21
  22 #include <memory>
  23 #include <functional>
  24
  25 #include <dpl/log/log.h>
  26 #include <dpl/test/test_runner.h>
  27 #include <dpl/test/test_runner_child.h>
  28 #include <dpl/test/test_runner_multiprocess.h>
  29 #include "security_server_mockup.h"
  30
  31 #include <security-server.h>
  32
  33 #include "tests_common.h"
  34
  35 #define PROPER_COOKIE_SIZE 20
  36
  37 #define ENVIRONMENT                                                       \
  38     do {                                                                  \
  39         const char *subject_label = "mylabel";                            \
  40         RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"), \
  41             "Cannot prepare environment for test.");                      \
  42         RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label),   \
  43             "Cannot prepare environment for test.");                      \
  44         RUNNER_ASSERT_MSG(-1 != setgid(1),                                \
  45             "Cannot prepare environment for test.");                      \
  46         RUNNER_ASSERT_MSG(-1 != setuid(1),                                \
  47             "Cannot prepare environment for test");                       \
  48     } while (0)
  49
  50
  51 /**
  52  * Environment preparation should only differ in setting label. On NOSMACK system
  53  * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
  54  */
  55 #define ENVIRONMENT_NOSMACK                                               \
  56     do {                                                                  \
  57         int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
  58         RUNNER_ASSERT_MSG(fd >= 0,                                        \
  59             "Couldn't create pid_cycle file. errno: " << strerror(errno));\
  60         close(fd);                                                        \
  61         RUNNER_ASSERT_MSG(-1 != setgid(1),                                \
  62             "Cannot prepare environment for test.");                      \
  63         RUNNER_ASSERT_MSG(-1 != setuid(1),                                \
  64             "Cannot prepare environment for test");                       \
  65     } while (0)
  66
  67
  68 /**
  69  * Unique_ptr typedef for NOSMACK version of tc06 test
  70  */
  71 void closesockfdptr(int* sockfd_ptr)
  72 {
  73     close(*sockfd_ptr);
  74 }
  75 typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
  76
  77 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
  78
  79 /*
  80  * test: Check cookie size returned by security_server_get_cookie_size.
  81  * description: Cookie used by security-server is 20 bytes long.
  82  * Any other size of cookies should be treated as error.
  83  * expected: Function security_server_get_cookie_size returns 20.
  84  */
  85 RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
  86 {
  87     ENVIRONMENT;
  88
  89     int ret = security_server_get_cookie_size();
  90     RUNNER_ASSERT_MSG(20 == ret, "ret = " << ret);
  91 }
  92
  93 /*
  94  * test: security_server_request_cookie
  95  * description: Function security_server_request_cookie will return
  96  * 20 bytes long cookie.
  97  * expected: function will set up cookie in the array and return
  98  * SECURITY_SERVER_API_SUCCESS.
  99  */
 100 RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
 101 {
 102     ENVIRONMENT;
 103
 104     char cookie[20];
 105     int ret = security_server_request_cookie(cookie, 20);
 106     LogDebug("ret = " << ret);
 107     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == ret);
 108 }
 109
 110 /*
 111  * test: security_server_request_cookie
 112  * description: Function security_server_request_cookie will return
 113  * 20 bytes long cookie.
 114  * expected: function will set up cookie in the array and return
 115  * SECURITY_SERVER_API_SUCCESS.
 116  */
 117 RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
 118 {
 119     ENVIRONMENT;
 120
 121     char cookie[20];
 122     int ret = security_server_request_cookie(cookie, 10);
 123     LogDebug("ret = " << ret);
 124     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
 125 }
 126
 127 /*
 128  * test: tc04_security_server_get_gid
 129  * description: Checking for security_server_get_gid
 130  *              with nonexisting gid and existing one
 131  * expected: security_server_get_gid should return
 132  *           SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
 133  *           and group id with second call
 134  */
 135 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
 136 {
 137     ENVIRONMENT;
 138
 139     int ret = security_server_get_gid("abc123xyz_pysiaczek");
 140     LogDebug("ret = " << ret);
 141     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
 142     ret = security_server_get_gid("root");
 143     LogDebug("ret = " << ret);
 144     RUNNER_ASSERT_MSG(0 == ret, "Ret: " << ret);
 145 }
 146
 147 /*
 148  * test: tc05_check_privilege_by_cookie
 149  * description: Function security_server_check_privilege_by_cookie should
 150  * return status of access rights of cookie owner. In this case cookie owner
 151  * is the same process that ask for the rights.
 152  * expected: Function call with access rights set to "r" should return SUCCESS,
 153  * with "rw" should return ACCESS DENIED.
 154  */
 155 RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
 156 {
 157     char cookie[20];
 158     const char *object_label = "tc05objectlabel";
 159     const char *access_rights = "r";
 160     const char *access_rights_ext = "rw";
 161     const char *subject_label = "tc05subjectlabel";
 162
 163     smack_accesses *handle;
 164
 165     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
 166
 167     RUNNER_ASSERT(0 == smack_accesses_add(handle,
 168             subject_label,
 169             object_label,
 170             access_rights));
 171
 172     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
 173
 174     smack_accesses_free(handle);
 175
 176     RUNNER_ASSERT(0 == smack_set_label_for_self(subject_label));
 177
 178     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
 179         security_server_request_cookie(cookie,20));
 180
 181     RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
 182
 183     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
 184         security_server_check_privilege_by_cookie(
 185             cookie,
 186             object_label,
 187             access_rights));
 188
 189     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
 190         security_server_check_privilege_by_cookie(
 191             cookie,
 192             object_label,
 193             access_rights_ext));
 194 }
 195
 196 /*
 197  * test: security_server_check_privilege_by_sockfd
 198  * description: This test will create dummy server that will accept connection
 199  * and die. The client will try to check access rights using connection descriptor.
 200  * expected: Function call with access rights set to "r" should return SUCCESS,
 201  * with "rw" should return ACCESS DENIED.
 202  */
 203 RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
 204 {
 205     const char *object_label = "tc06objectlabel";
 206     const char *access_rights = "r";
 207     const char *access_rights_ext = "rw";
 208     const char *subject_label = "tc06subjectlabel";
 209
 210     int result1 = -1;
 211     int result2 = -1;
 212
 213     smack_accesses *handle;
 214     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
 215     RUNNER_ASSERT(0 == smack_accesses_add(handle,
 216             subject_label,
 217             object_label,
 218             access_rights));
 219     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
 220     smack_accesses_free(handle);
 221
 222     int pid = fork();
 223     char *label;
 224     RUNNER_ASSERT(-1 != pid);
 225
 226     if (0 == pid) {
 227         // child
 228         RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
 229
 230         int sockfd = create_new_socket();
 231         RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
 232
 233         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 234
 235         label = security_server_get_smacklabel_sockfd(sockfd);
 236         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
 237         RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
 238         free(label);
 239
 240         RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
 241
 242         RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
 243
 244         label = security_server_get_smacklabel_sockfd(sockfd);
 245         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
 246         RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
 247         free(label);
 248
 249         struct sockaddr_un client_addr;
 250         socklen_t client_len = sizeof(client_addr);
 251         int csockfd;
 252         RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
 253
 254         usleep(500);
 255
 256         close(csockfd);
 257         exit(0);
 258     } else {
 259         // parent
 260         sleep(1);
 261         int sockfd = connect_to_testserver();
 262         RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
 263
 264         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 265
 266         label = security_server_get_smacklabel_sockfd(sockfd);
 267         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
 268         RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
 269         free(label);
 270
 271         result1 = security_server_check_privilege_by_sockfd(
 272             sockfd,
 273             object_label,
 274             access_rights);
 275         result2 = security_server_check_privilege_by_sockfd(
 276             sockfd,
 277             object_label,
 278             access_rights_ext);
 279     }
 280
 281     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
 282     RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
 283 }
 284
 285 /*
 286  * test: security_server_check_privilege_by_sockfd
 287  * description: This test will create dummy server that will accept connection
 288  * and die. The client will try to check access rights using connection descriptor.
 289  * Because we read a smack label not from socket directly, but from from pid of process
 290  * on the other end of socket - that's why smack label will be updated.
 291  * In this test client is running under root and server is not - to test the extreme case.
 292  * expected: Function call with access rights set to "r" should return SUCCESS,
 293  * with "rw" should return ACCESS DENIED.
 294  */
 295 RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
 296 {
 297     const char *object_label = "tc07objectlabel";
 298     const char *access_rights = "r";
 299     const char *access_rights_ext = "rw";
 300     const char *subject_label = "tc07subjectlabel";
 301
 302     int result1 = -1;
 303     int result2 = -1;
 304
 305     smack_accesses *handle;
 306     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
 307     RUNNER_ASSERT(0 == smack_accesses_add(handle,
 308             subject_label,
 309             object_label,
 310             access_rights));
 311     RUNNER_ASSERT(0 == smack_accesses_apply(handle));
 312     smack_accesses_free(handle);
 313
 314     int pid = fork();
 315     RUNNER_ASSERT(-1 != pid);
 316
 317     if (0 == pid) {
 318
 319         pid = fork();
 320         RUNNER_ASSERT(-1 != pid);
 321
 322         if (0 == pid) {
 323             // child
 324             int sockfd = create_new_socket();
 325             RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
 326
 327             SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 328
 329             RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
 330
 331             RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
 332
 333             RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
 334
 335             struct sockaddr_un client_addr;
 336             socklen_t client_len = sizeof(client_addr);
 337             int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
 338             if (csockfd >= 0)
 339                 close(csockfd);
 340             LogDebug("Exit!");
 341             exit(0);
 342         } else {
 343             // parent
 344
 345             RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
 346
 347             sleep(1);
 348             int sockfd = connect_to_testserver();
 349             RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
 350
 351             result1 = security_server_check_privilege_by_sockfd(
 352                 sockfd,
 353                 object_label,
 354                 access_rights);
 355             result2 = security_server_check_privilege_by_sockfd(
 356                 sockfd,
 357                 object_label,
 358                 access_rights_ext);
 359
 360             close(sockfd);
 361
 362             RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
 363             RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
 364         }
 365     }
 366 }
 367
 368 ///////////////////////////
 369 /////NOSMACK ENV TESTS/////
 370 ///////////////////////////
 371
 372 /**
 373  * First four test cases are the same as their SMACK versions. The only difference is environment
 374  * preparation (described near ENVIRONMENT_NOSMACK macro).
 375  */
 376 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
 377 {
 378     ENVIRONMENT_NOSMACK;
 379
 380     int ret = security_server_get_cookie_size();
 381     RUNNER_ASSERT_MSG(ret == 20, "ret = " << ret);
 382 }
 383
 384 RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
 385 {
 386     ENVIRONMENT_NOSMACK;
 387
 388     char cookie[20];
 389     int ret = security_server_request_cookie(cookie, 20);
 390     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
 391 }
 392
 393 RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
 394 {
 395     ENVIRONMENT_NOSMACK;
 396
 397     char cookie[20];
 398     int ret = security_server_request_cookie(cookie, 10);
 399     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
 400 }
 401
 402 RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
 403 {
 404     ENVIRONMENT_NOSMACK;
 405
 406     int ret = security_server_get_gid("definitely_not_existing_object");
 407     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
 408     ret = security_server_get_gid("root");
 409     RUNNER_ASSERT_MSG(ret == 0, "ret = " << ret);
 410 }
 411
 412 /*
 413  * NOSMACK version of tc05 test.
 414  *
 415  * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
 416  * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
 417  * should return SUCCESS no matter what access_rights we give to this function.
 418  */
 419 RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
 420 {
 421     char cookie[20];
 422     const char* object_label = "tc05objectlabel";
 423
 424     RUNNER_ASSERT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
 425
 426     RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
 427
 428     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
 429         security_server_check_privilege_by_cookie(cookie, object_label, "r"));
 430
 431     //On NOSMACK env security server should return success on any accesses, even those that are
 432     //incorrect.
 433     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
 434         security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
 435 }
 436
 437 /**
 438  * NOSMACK version of tc06 test.
 439  *
 440  * Differences between this and SMACK version (server):
 441  * - Skipped setting access_rights
 442  * - Skipped setting label for server
 443  * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
 444  *   of socket (because it should do nothing when SMACK is off)
 445  * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
 446  *   from client
 447  *
 448  * For client the only difference are expected results from check_privilege_by_sockfd - both should
 449  * return SUCCESS.
 450  */
 451 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
 452 {
 453     const char* object_label = "tc06objectlabel";
 454
 455     int result1 = -1;
 456     int result2 = -1;
 457
 458     int pid = fork();
 459     char* label;
 460     RUNNER_ASSERT(pid >= 0);
 461
 462     int ret;
 463
 464     if (pid == 0) { //child process - server
 465         //create new socket
 466         int sockfd = create_new_socket();
 467         RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
 468
 469         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 470
 471         //check if get_smacklabel_sockfd works correctly
 472         label = security_server_get_smacklabel_sockfd(sockfd);
 473         RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
 474         ret = strcmp(label, "");
 475         free(label);
 476         RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
 477
 478         RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
 479
 480         RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
 481
 482         struct sockaddr_un client_addr;
 483         socklen_t client_len = sizeof(client_addr);
 484
 485         int csockfd;
 486         RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
 487
 488         //wait a little bit for parent to do it's job
 489         usleep(200);
 490
 491         //if everything works, cleanup and return 0
 492         close(csockfd);
 493         exit(0);
 494     } else {
 495         //parent
 496         sleep(1);
 497         int sockfd = connect_to_testserver();
 498         RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to connect to server.");
 499
 500         SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 501
 502         label = security_server_get_smacklabel_sockfd(sockfd);
 503         RUNNER_ASSERT_MSG(label != NULL, "get_smacklabel_sockfd failed.");
 504         ret = strcmp(label, "");
 505         free(label);
 506         RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
 507
 508         result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
 509         result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
 510     }
 511
 512     RUNNER_ASSERT_MSG(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
 513     RUNNER_ASSERT_MSG(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
 514 }
 515
 516 /**
 517  * NOSMACK version of tc07 test.
 518  */
 519 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
 520 {
 521     const char* object_label = "tc07objectlabel";
 522
 523     int result1 = -1;
 524     int result2 = -1;
 525
 526     int pid = fork();
 527     RUNNER_ASSERT(-1 != pid);
 528
 529     if (pid == 0) {
 530
 531         pid = fork();
 532         RUNNER_ASSERT(-1 != pid);
 533
 534         if (pid == 0) { //child process
 535             //Create socket
 536             int sockfd = create_new_socket();
 537             RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
 538
 539             SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
 540
 541             //Drop privileges
 542             RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
 543
 544             //Prepare for accepting
 545             RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
 546
 547             struct sockaddr_un client_addr;
 548             socklen_t client_len = sizeof(client_addr);
 549
 550             //Accept connections
 551             int csockfd;
 552             RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
 553
 554             //wait a little bit for parent to do it's job
 555             usleep(200);
 556
 557             //cleanup and kill child
 558             close(csockfd);
 559             exit(0);
 560         } else {    //parent process
 561             //Drop root privileges
 562             RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
 563
 564             //Wait for server to set up
 565             sleep(1);
 566
 567             //Connect and check privileges
 568             int sockfd = connect_to_testserver();
 569             RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to create socket fd.");
 570
 571             result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
 572             result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
 573
 574             close(sockfd);
 575
 576             //Both results (just like in the previous test case) should return success.
 577             RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
 578             RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
 579         }
 580     }
 581 }
 582
 583 int apply_smack_rule(const char *subject, const char *object, const char *rule)
 584 {
 585     struct smack_accesses *ruleHandler = NULL;
 586     if (smack_accesses_new(&ruleHandler) != 0)
 587         goto error;
 588     if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
 589         goto error;
 590     if (smack_accesses_apply(ruleHandler) != 0)
 591         goto error;
 592
 593     smack_accesses_free(ruleHandler);
 594     return 0;
 595
 596 error:
 597     smack_accesses_free(ruleHandler);
 598     return -1;
 599 }
 600
 601 RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
 602 {
 603     int cookieSize = security_server_get_cookie_size();
 604     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 605
 606     std::vector<char> cookie(cookieSize);
 607     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 608     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 609
 610     //checking function
 611     uid_t cookieUid, realUid;
 612     realUid = getuid();
 613     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 614     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
 615     RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
 616
 617     //checking for input parameters
 618     retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
 619     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
 620     retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
 621     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
 622 }
 623
 624 RUNNER_CHILD_TEST_SMACK(tc11_security_server_get_uid_by_cookie_smack)
 625 {
 626     int cookieSize = security_server_get_cookie_size();
 627     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 628
 629     std::vector<char> cookie(cookieSize);
 630     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 631     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 632
 633     //preapare SMACK environment
 634     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 635     RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
 636     //drop privileges
 637     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 638
 639     //checking function
 640     uid_t cookieUid;
 641     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 642     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
 643 }
 644
 645 RUNNER_CHILD_TEST_SMACK(tc12_security_server_get_uid_by_cookie_smack)
 646 {
 647     int cookieSize = security_server_get_cookie_size();
 648     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 649
 650     uid_t realUid = getuid();
 651
 652     std::vector<char> cookie(cookieSize);
 653     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 654     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 655
 656     //preapare SMACK environment
 657     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 658     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
 659     //drop privileges
 660     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 661
 662     //checking function
 663     uid_t cookieUid;
 664     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 665     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
 666     RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
 667 }
 668
 669 RUNNER_CHILD_TEST_NOSMACK(tc12_security_server_get_uid_by_cookie_nosmack)
 670 {
 671     int cookieSize = security_server_get_cookie_size();
 672     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 673
 674     uid_t realUid = getuid();
 675
 676     std::vector<char> cookie(cookieSize);
 677     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 678     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 679
 680     //drop privileges
 681     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 682
 683     //checking function
 684     uid_t cookieUid;
 685     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 686     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
 687     RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
 688 }
 689
 690 RUNNER_CHILD_TEST_SMACK(tc13_security_server_get_uid_by_cookie_smack)
 691 {
 692     int cookieSize = security_server_get_cookie_size();
 693     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 694
 695     //preapare SMACK environment
 696     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 697     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
 698     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
 699     //drop privileges
 700     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 701
 702     std::vector<char> cookie(cookieSize);
 703     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 704     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 705
 706     //checking function
 707     uid_t cookieUid, realUid = getuid();
 708     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 709     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
 710     RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
 711 }
 712
 713 RUNNER_CHILD_TEST_NOSMACK(tc13_security_server_get_uid_by_cookie_nosmack)
 714 {
 715     int cookieSize = security_server_get_cookie_size();
 716     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 717
 718     //drop privileges
 719     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 720
 721     std::vector<char> cookie(cookieSize);
 722     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 723     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 724
 725     //checking function
 726     uid_t cookieUid, realUid = getuid();
 727     retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
 728     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
 729     RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
 730 }
 731
 732 RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
 733 {
 734     int cookieSize = security_server_get_cookie_size();
 735     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 736
 737     std::vector<char> cookie(cookieSize);
 738     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 739     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 740
 741     //checking function
 742     gid_t cookieGid, realGid;
 743     realGid = getgid();
 744     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 745     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 746     RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID");
 747
 748     //checking for input parameters
 749     retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
 750     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
 751     retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
 752     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
 753
 754 }
 755
 756 RUNNER_CHILD_TEST_SMACK(tc15_security_server_get_gid_by_cookie_smack)
 757 {
 758     int cookieSize = security_server_get_cookie_size();
 759     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 760
 761     std::vector<char> cookie(cookieSize);
 762     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 763     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 764
 765     //preapare SMACK environment
 766     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 767     RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
 768     //drop privileges
 769     RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
 770     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 771
 772     //checking function
 773     gid_t cookieGid, realGid;
 774     realGid = getgid();
 775     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 776     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
 777 }
 778
 779 RUNNER_CHILD_TEST_SMACK(tc16_security_server_get_gid_by_cookie_smack)
 780 {
 781     int cookieSize = security_server_get_cookie_size();
 782     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 783
 784     std::vector<char> cookie(cookieSize);
 785
 786     gid_t realGid = getgid();
 787     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 788     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 789
 790     //preapare SMACK environment
 791     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 792     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
 793     //drop privileges
 794     RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
 795     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 796
 797     //checking function
 798     gid_t cookieGid;
 799     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 800     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 801     RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
 802 }
 803
 804 RUNNER_CHILD_TEST_NOSMACK(tc16_security_server_get_gid_by_cookie_nosmack)
 805 {
 806     int cookieSize = security_server_get_cookie_size();
 807     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 808
 809     std::vector<char> cookie(cookieSize);
 810
 811     gid_t realGid = getgid();
 812     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 813     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 814
 815     //drop privileges
 816     RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
 817     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 818
 819     //checking function
 820     gid_t cookieGid;
 821     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 822     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 823     RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
 824 }
 825
 826 RUNNER_CHILD_TEST_SMACK(tc17_security_server_get_gid_by_cookie_smack)
 827 {
 828     int cookieSize = security_server_get_cookie_size();
 829     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 830
 831     //preapare SMACK environment
 832     RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
 833     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
 834     RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
 835     //drop privileges
 836     RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
 837     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 838
 839     std::vector<char> cookie(cookieSize);
 840     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 841     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 842
 843     //checking function
 844     gid_t cookieGid, realGid = getgid();
 845     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 846     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 847     RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
 848 }
 849
 850 RUNNER_CHILD_TEST_NOSMACK(tc17_security_server_get_gid_by_cookie_nosmack)
 851 {
 852     int cookieSize = security_server_get_cookie_size();
 853     RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
 854
 855     //drop privileges
 856     RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
 857     RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
 858
 859     std::vector<char> cookie(cookieSize);
 860     int retval = security_server_request_cookie(&cookie[0], cookieSize);
 861     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
 862
 863     //checking function
 864     gid_t cookieGid, realGid = getgid();
 865     retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
 866     RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
 867     RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
 868 }
 869
 870 RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) {
 871     int res;
 872
 873     pid_t mypid;
 874
 875     char *label_smack = NULL;
 876     char *label_ss = NULL;
 877     char *cookie = NULL;
 878
 879     int cookie_size = security_server_get_cookie_size();
 880     RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size, "Wrong cookie size from security-server");
 881
 882     mypid = getpid();
 883
 884     cookie = (char*) calloc(cookie_size, 1);
 885     RUNNER_ASSERT_MSG(NULL != cookie, "Memory allocation error");
 886
 887     res = security_server_request_cookie(cookie, cookie_size);
 888     if (res != SECURITY_SERVER_API_SUCCESS) {
 889         free(cookie);
 890         RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS, "Error in requesting cookie from security-server");
 891     }
 892
 893     label_ss = security_server_get_smacklabel_cookie(cookie);
 894     free(cookie);
 895     RUNNER_ASSERT_MSG(label_ss != NULL, "Error in getting label by cookie");
 896
 897
 898     std::string label_cookie(label_ss);
 899     free(label_ss);
 900
 901     res = smack_new_label_from_self(&label_smack);
 902     if (res < 0) {
 903         free(label_smack);
 904         RUNNER_ASSERT_MSG(res == 0, "Error in getting self SMACK label");
 905     }
 906     std::string label_self(label_smack ? label_smack : "");
 907     free(label_smack);
 908
 909     RUNNER_ASSERT_MSG(label_self == label_cookie, "No match in SMACK labels");
 910
 911
 912     //TODO: here could be label change using SMACK API and checking if it
 913     //is changed using security-server API function based on the same cookie
 914 }
 915
 916 /**
 917  * NOSMACK version of tc_security_server_get_smacklabel_cookie test.
 918  *
 919  * Most of this test goes exactly as the original one. The only difference are the labels:
 920  * - We assume that libsmack tests passed and smack_new_label_from_self will return -1 and NULL
 921  *   label - there is no need to re-check it.
 922  * - Label acquired from security_server_get_smacklabel_cookie should be an empty string.
 923  */
 924 RUNNER_TEST_NOSMACK(tc18_security_server_get_smacklabel_cookie_nosmack) {
 925     int res;
 926
 927     pid_t mypid;
 928
 929     char* label_ss = NULL;
 930     char* cookie = NULL;
 931
 932     int cookie_size = security_server_get_cookie_size();
 933     RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size,
 934             "Wrong cookie size from security-server. Size: " << cookie_size);
 935
 936     cookie = (char*) calloc(cookie_size, sizeof(char));
 937     RUNNER_ASSERT_MSG(NULL != cookie, "Memory allocation error");
 938
 939     mypid = getpid();
 940
 941     //Request cookie from SS
 942     res = security_server_request_cookie(cookie, cookie_size);
 943     std::unique_ptr<char, std::function<void(char*)> > cookie_ptr(cookie, free);
 944     cookie = NULL;
 945     RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS,
 946             "Error in requesting cookie from security-server. Result: " << res);
 947
 948     label_ss = security_server_get_smacklabel_cookie(cookie_ptr.get());
 949     RUNNER_ASSERT_MSG(label_ss != NULL, "Error in getting label by cookie");
 950
 951     //Check if label_ss is correct, that is only one NULL character.
 952     if (label_ss[0] != '\0') {
 953         free(label_ss);
 954         RUNNER_ASSERT_MSG(label_ss[0] == '\0', "label_ss was not an empty string.");
 955     }
 956
 957     free(label_ss);
 958 }
 959
 960 ////////////////////
 961 /////MAIN///////////
 962 ////////////////////
 963
 964 int main(int argc, char *argv[])
 965 {
 966     return
 967         DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 968 }