2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
5 * @file security_server_tests_client_smack.cpp
6 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
8 * @brief Test cases for security-server-client-smack.
13 #include <sys/types.h>
14 #include <sys/socket.h>
15 #include <sys/smack.h>
25 #include <dpl/log/log.h>
26 #include <dpl/test/test_runner.h>
27 #include <dpl/test/test_runner_child.h>
28 #include <dpl/test/test_runner_multiprocess.h>
29 #include "security_server_mockup.h"
31 #include <security-server.h>
33 #include "tests_common.h"
35 #define PROPER_COOKIE_SIZE 20
39 const char *subject_label = "mylabel"; \
40 RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"), \
41 "Cannot prepare environment for test."); \
42 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), \
43 "Cannot prepare environment for test."); \
44 RUNNER_ASSERT_MSG(-1 != setgid(1), \
45 "Cannot prepare environment for test."); \
46 RUNNER_ASSERT_MSG(-1 != setuid(1), \
47 "Cannot prepare environment for test"); \
52 * Environment preparation should only differ in setting label. On NOSMACK system
53 * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
55 #define ENVIRONMENT_NOSMACK \
57 int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
58 RUNNER_ASSERT_MSG(fd >= 0, \
59 "Couldn't create pid_cycle file. errno: " << strerror(errno));\
61 RUNNER_ASSERT_MSG(-1 != setgid(1), \
62 "Cannot prepare environment for test."); \
63 RUNNER_ASSERT_MSG(-1 != setuid(1), \
64 "Cannot prepare environment for test"); \
69 * Unique_ptr typedef for NOSMACK version of tc06 test
71 void closesockfdptr(int* sockfd_ptr)
75 typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
77 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
80 * test: Check cookie size returned by security_server_get_cookie_size.
81 * description: Cookie used by security-server is 20 bytes long.
82 * Any other size of cookies should be treated as error.
83 * expected: Function security_server_get_cookie_size returns 20.
85 RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
89 int ret = security_server_get_cookie_size();
90 RUNNER_ASSERT_MSG(20 == ret, "ret = " << ret);
94 * test: security_server_request_cookie
95 * description: Function security_server_request_cookie will return
96 * 20 bytes long cookie.
97 * expected: function will set up cookie in the array and return
98 * SECURITY_SERVER_API_SUCCESS.
100 RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
105 int ret = security_server_request_cookie(cookie, 20);
106 LogDebug("ret = " << ret);
107 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == ret);
111 * test: security_server_request_cookie
112 * description: Function security_server_request_cookie will return
113 * 20 bytes long cookie.
114 * expected: function will set up cookie in the array and return
115 * SECURITY_SERVER_API_SUCCESS.
117 RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
122 int ret = security_server_request_cookie(cookie, 10);
123 LogDebug("ret = " << ret);
124 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
128 * test: tc04_security_server_get_gid
129 * description: Checking for security_server_get_gid
130 * with nonexisting gid and existing one
131 * expected: security_server_get_gid should return
132 * SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
133 * and group id with second call
135 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
139 int ret = security_server_get_gid("abc123xyz_pysiaczek");
140 LogDebug("ret = " << ret);
141 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
142 ret = security_server_get_gid("root");
143 LogDebug("ret = " << ret);
144 RUNNER_ASSERT_MSG(0 == ret, "Ret: " << ret);
148 * test: tc05_check_privilege_by_cookie
149 * description: Function security_server_check_privilege_by_cookie should
150 * return status of access rights of cookie owner. In this case cookie owner
151 * is the same process that ask for the rights.
152 * expected: Function call with access rights set to "r" should return SUCCESS,
153 * with "rw" should return ACCESS DENIED.
155 RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
158 const char *object_label = "tc05objectlabel";
159 const char *access_rights = "r";
160 const char *access_rights_ext = "rw";
161 const char *subject_label = "tc05subjectlabel";
163 smack_accesses *handle;
165 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
167 RUNNER_ASSERT(0 == smack_accesses_add(handle,
172 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
174 smack_accesses_free(handle);
176 RUNNER_ASSERT(0 == smack_set_label_for_self(subject_label));
178 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
179 security_server_request_cookie(cookie,20));
181 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
183 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
184 security_server_check_privilege_by_cookie(
189 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
190 security_server_check_privilege_by_cookie(
197 * test: security_server_check_privilege_by_sockfd
198 * description: This test will create dummy server that will accept connection
199 * and die. The client will try to check access rights using connection descriptor.
200 * expected: Function call with access rights set to "r" should return SUCCESS,
201 * with "rw" should return ACCESS DENIED.
203 RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
205 const char *object_label = "tc06objectlabel";
206 const char *access_rights = "r";
207 const char *access_rights_ext = "rw";
208 const char *subject_label = "tc06subjectlabel";
213 smack_accesses *handle;
214 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
215 RUNNER_ASSERT(0 == smack_accesses_add(handle,
219 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
220 smack_accesses_free(handle);
224 RUNNER_ASSERT(-1 != pid);
228 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
230 int sockfd = create_new_socket();
231 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
233 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
235 label = security_server_get_smacklabel_sockfd(sockfd);
236 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
237 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
240 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
242 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
244 label = security_server_get_smacklabel_sockfd(sockfd);
245 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
246 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
249 struct sockaddr_un client_addr;
250 socklen_t client_len = sizeof(client_addr);
252 RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
261 int sockfd = connect_to_testserver();
262 RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
264 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
266 label = security_server_get_smacklabel_sockfd(sockfd);
267 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
268 RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
271 result1 = security_server_check_privilege_by_sockfd(
275 result2 = security_server_check_privilege_by_sockfd(
281 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
282 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
286 * test: security_server_check_privilege_by_sockfd
287 * description: This test will create dummy server that will accept connection
288 * and die. The client will try to check access rights using connection descriptor.
289 * Because we read a smack label not from socket directly, but from from pid of process
290 * on the other end of socket - that's why smack label will be updated.
291 * In this test client is running under root and server is not - to test the extreme case.
292 * expected: Function call with access rights set to "r" should return SUCCESS,
293 * with "rw" should return ACCESS DENIED.
295 RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
297 const char *object_label = "tc07objectlabel";
298 const char *access_rights = "r";
299 const char *access_rights_ext = "rw";
300 const char *subject_label = "tc07subjectlabel";
305 smack_accesses *handle;
306 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
307 RUNNER_ASSERT(0 == smack_accesses_add(handle,
311 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
312 smack_accesses_free(handle);
315 RUNNER_ASSERT(-1 != pid);
320 RUNNER_ASSERT(-1 != pid);
324 int sockfd = create_new_socket();
325 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
327 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
329 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
331 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
333 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
335 struct sockaddr_un client_addr;
336 socklen_t client_len = sizeof(client_addr);
337 int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
345 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
348 int sockfd = connect_to_testserver();
349 RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
351 result1 = security_server_check_privilege_by_sockfd(
355 result2 = security_server_check_privilege_by_sockfd(
362 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
363 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
368 ///////////////////////////
369 /////NOSMACK ENV TESTS/////
370 ///////////////////////////
373 * First four test cases are the same as their SMACK versions. The only difference is environment
374 * preparation (described near ENVIRONMENT_NOSMACK macro).
376 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
380 int ret = security_server_get_cookie_size();
381 RUNNER_ASSERT_MSG(ret == 20, "ret = " << ret);
384 RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
389 int ret = security_server_request_cookie(cookie, 20);
390 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
393 RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
398 int ret = security_server_request_cookie(cookie, 10);
399 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
402 RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
406 int ret = security_server_get_gid("definitely_not_existing_object");
407 RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
408 ret = security_server_get_gid("root");
409 RUNNER_ASSERT_MSG(ret == 0, "ret = " << ret);
413 * NOSMACK version of tc05 test.
415 * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
416 * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
417 * should return SUCCESS no matter what access_rights we give to this function.
419 RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
422 const char* object_label = "tc05objectlabel";
424 RUNNER_ASSERT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
426 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
428 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
429 security_server_check_privilege_by_cookie(cookie, object_label, "r"));
431 //On NOSMACK env security server should return success on any accesses, even those that are
433 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
434 security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
438 * NOSMACK version of tc06 test.
440 * Differences between this and SMACK version (server):
441 * - Skipped setting access_rights
442 * - Skipped setting label for server
443 * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
444 * of socket (because it should do nothing when SMACK is off)
445 * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
448 * For client the only difference are expected results from check_privilege_by_sockfd - both should
451 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
453 const char* object_label = "tc06objectlabel";
460 RUNNER_ASSERT(pid >= 0);
464 if (pid == 0) { //child process - server
466 int sockfd = create_new_socket();
467 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
469 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
471 //check if get_smacklabel_sockfd works correctly
472 label = security_server_get_smacklabel_sockfd(sockfd);
473 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
474 ret = strcmp(label, "");
476 RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
478 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
480 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
482 struct sockaddr_un client_addr;
483 socklen_t client_len = sizeof(client_addr);
486 RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
488 //wait a little bit for parent to do it's job
491 //if everything works, cleanup and return 0
497 int sockfd = connect_to_testserver();
498 RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to connect to server.");
500 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
502 label = security_server_get_smacklabel_sockfd(sockfd);
503 RUNNER_ASSERT_MSG(label != NULL, "get_smacklabel_sockfd failed.");
504 ret = strcmp(label, "");
506 RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
508 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
509 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
512 RUNNER_ASSERT_MSG(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
513 RUNNER_ASSERT_MSG(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
517 * NOSMACK version of tc07 test.
519 RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
521 const char* object_label = "tc07objectlabel";
527 RUNNER_ASSERT(-1 != pid);
532 RUNNER_ASSERT(-1 != pid);
534 if (pid == 0) { //child process
536 int sockfd = create_new_socket();
537 RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
539 SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
542 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
544 //Prepare for accepting
545 RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
547 struct sockaddr_un client_addr;
548 socklen_t client_len = sizeof(client_addr);
552 RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
554 //wait a little bit for parent to do it's job
557 //cleanup and kill child
560 } else { //parent process
561 //Drop root privileges
562 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
564 //Wait for server to set up
567 //Connect and check privileges
568 int sockfd = connect_to_testserver();
569 RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to create socket fd.");
571 result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
572 result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
576 //Both results (just like in the previous test case) should return success.
577 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
578 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
583 int apply_smack_rule(const char *subject, const char *object, const char *rule)
585 struct smack_accesses *ruleHandler = NULL;
586 if (smack_accesses_new(&ruleHandler) != 0)
588 if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
590 if (smack_accesses_apply(ruleHandler) != 0)
593 smack_accesses_free(ruleHandler);
597 smack_accesses_free(ruleHandler);
601 RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
603 int cookieSize = security_server_get_cookie_size();
604 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
606 std::vector<char> cookie(cookieSize);
607 int retval = security_server_request_cookie(&cookie[0], cookieSize);
608 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
611 uid_t cookieUid, realUid;
613 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
614 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
615 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
617 //checking for input parameters
618 retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
619 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
620 retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
621 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
624 RUNNER_CHILD_TEST_SMACK(tc11_security_server_get_uid_by_cookie_smack)
626 int cookieSize = security_server_get_cookie_size();
627 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
629 std::vector<char> cookie(cookieSize);
630 int retval = security_server_request_cookie(&cookie[0], cookieSize);
631 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
633 //preapare SMACK environment
634 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
635 RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
637 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
641 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
642 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
645 RUNNER_CHILD_TEST_SMACK(tc12_security_server_get_uid_by_cookie_smack)
647 int cookieSize = security_server_get_cookie_size();
648 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
650 uid_t realUid = getuid();
652 std::vector<char> cookie(cookieSize);
653 int retval = security_server_request_cookie(&cookie[0], cookieSize);
654 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
656 //preapare SMACK environment
657 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
658 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
660 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
664 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
665 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
666 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
669 RUNNER_CHILD_TEST_NOSMACK(tc12_security_server_get_uid_by_cookie_nosmack)
671 int cookieSize = security_server_get_cookie_size();
672 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
674 uid_t realUid = getuid();
676 std::vector<char> cookie(cookieSize);
677 int retval = security_server_request_cookie(&cookie[0], cookieSize);
678 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
681 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
685 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
686 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
687 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
690 RUNNER_CHILD_TEST_SMACK(tc13_security_server_get_uid_by_cookie_smack)
692 int cookieSize = security_server_get_cookie_size();
693 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
695 //preapare SMACK environment
696 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
697 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
698 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
700 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
702 std::vector<char> cookie(cookieSize);
703 int retval = security_server_request_cookie(&cookie[0], cookieSize);
704 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
707 uid_t cookieUid, realUid = getuid();
708 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
709 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
710 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
713 RUNNER_CHILD_TEST_NOSMACK(tc13_security_server_get_uid_by_cookie_nosmack)
715 int cookieSize = security_server_get_cookie_size();
716 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
719 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
721 std::vector<char> cookie(cookieSize);
722 int retval = security_server_request_cookie(&cookie[0], cookieSize);
723 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
726 uid_t cookieUid, realUid = getuid();
727 retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
728 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
729 RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
732 RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
734 int cookieSize = security_server_get_cookie_size();
735 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
737 std::vector<char> cookie(cookieSize);
738 int retval = security_server_request_cookie(&cookie[0], cookieSize);
739 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
742 gid_t cookieGid, realGid;
744 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
745 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
746 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID");
748 //checking for input parameters
749 retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
750 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
751 retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
752 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
756 RUNNER_CHILD_TEST_SMACK(tc15_security_server_get_gid_by_cookie_smack)
758 int cookieSize = security_server_get_cookie_size();
759 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
761 std::vector<char> cookie(cookieSize);
762 int retval = security_server_request_cookie(&cookie[0], cookieSize);
763 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
765 //preapare SMACK environment
766 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
767 RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
769 RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
770 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
773 gid_t cookieGid, realGid;
775 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
776 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
779 RUNNER_CHILD_TEST_SMACK(tc16_security_server_get_gid_by_cookie_smack)
781 int cookieSize = security_server_get_cookie_size();
782 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
784 std::vector<char> cookie(cookieSize);
786 gid_t realGid = getgid();
787 int retval = security_server_request_cookie(&cookie[0], cookieSize);
788 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
790 //preapare SMACK environment
791 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
792 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
794 RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
795 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
799 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
800 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
801 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
804 RUNNER_CHILD_TEST_NOSMACK(tc16_security_server_get_gid_by_cookie_nosmack)
806 int cookieSize = security_server_get_cookie_size();
807 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
809 std::vector<char> cookie(cookieSize);
811 gid_t realGid = getgid();
812 int retval = security_server_request_cookie(&cookie[0], cookieSize);
813 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
816 RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
817 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
821 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
822 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
823 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
826 RUNNER_CHILD_TEST_SMACK(tc17_security_server_get_gid_by_cookie_smack)
828 int cookieSize = security_server_get_cookie_size();
829 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
831 //preapare SMACK environment
832 RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
833 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
834 RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
836 RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
837 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
839 std::vector<char> cookie(cookieSize);
840 int retval = security_server_request_cookie(&cookie[0], cookieSize);
841 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
844 gid_t cookieGid, realGid = getgid();
845 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
846 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
847 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
850 RUNNER_CHILD_TEST_NOSMACK(tc17_security_server_get_gid_by_cookie_nosmack)
852 int cookieSize = security_server_get_cookie_size();
853 RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
856 RUNNER_ASSERT_MSG(setgid(APP_GID) == 0, "Unable to drop privileges");
857 RUNNER_ASSERT_MSG(setuid(APP_UID) == 0, "Unable to drop privileges");
859 std::vector<char> cookie(cookieSize);
860 int retval = security_server_request_cookie(&cookie[0], cookieSize);
861 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
864 gid_t cookieGid, realGid = getgid();
865 retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
866 RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
867 RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
870 RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) {
875 char *label_smack = NULL;
876 char *label_ss = NULL;
879 int cookie_size = security_server_get_cookie_size();
880 RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size, "Wrong cookie size from security-server");
884 cookie = (char*) calloc(cookie_size, 1);
885 RUNNER_ASSERT_MSG(NULL != cookie, "Memory allocation error");
887 res = security_server_request_cookie(cookie, cookie_size);
888 if (res != SECURITY_SERVER_API_SUCCESS) {
890 RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS, "Error in requesting cookie from security-server");
893 label_ss = security_server_get_smacklabel_cookie(cookie);
895 RUNNER_ASSERT_MSG(label_ss != NULL, "Error in getting label by cookie");
898 std::string label_cookie(label_ss);
901 res = smack_new_label_from_self(&label_smack);
904 RUNNER_ASSERT_MSG(res == 0, "Error in getting self SMACK label");
906 std::string label_self(label_smack ? label_smack : "");
909 RUNNER_ASSERT_MSG(label_self == label_cookie, "No match in SMACK labels");
912 //TODO: here could be label change using SMACK API and checking if it
913 //is changed using security-server API function based on the same cookie
917 * NOSMACK version of tc_security_server_get_smacklabel_cookie test.
919 * Most of this test goes exactly as the original one. The only difference are the labels:
920 * - We assume that libsmack tests passed and smack_new_label_from_self will return -1 and NULL
921 * label - there is no need to re-check it.
922 * - Label acquired from security_server_get_smacklabel_cookie should be an empty string.
924 RUNNER_TEST_NOSMACK(tc18_security_server_get_smacklabel_cookie_nosmack) {
929 char* label_ss = NULL;
932 int cookie_size = security_server_get_cookie_size();
933 RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size,
934 "Wrong cookie size from security-server. Size: " << cookie_size);
936 cookie = (char*) calloc(cookie_size, sizeof(char));
937 RUNNER_ASSERT_MSG(NULL != cookie, "Memory allocation error");
941 //Request cookie from SS
942 res = security_server_request_cookie(cookie, cookie_size);
943 std::unique_ptr<char, std::function<void(char*)> > cookie_ptr(cookie, free);
945 RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS,
946 "Error in requesting cookie from security-server. Result: " << res);
948 label_ss = security_server_get_smacklabel_cookie(cookie_ptr.get());
949 RUNNER_ASSERT_MSG(label_ss != NULL, "Error in getting label by cookie");
951 //Check if label_ss is correct, that is only one NULL character.
952 if (label_ss[0] != '\0') {
954 RUNNER_ASSERT_MSG(label_ss[0] == '\0', "label_ss was not an empty string.");
964 int main(int argc, char *argv[])
967 DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);