2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
5 * @file security_server_tests_client_smack.cpp
6 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
8 * @brief Test cases for security-server-client-smack.
12 #include <sys/types.h>
13 #include <sys/socket.h>
14 #include <sys/smack.h>
18 #include <dpl/log/log.h>
19 #include <dpl/test/test_runner.h>
20 #include <dpl/test/test_runner_child.h>
21 #include "security_server_mockup.h"
23 #include <security-server.h>
27 const char *subject_label = "mylabel"; \
28 RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"), \
29 "Cannot prepare environment for test."); \
30 RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), \
31 "Cannot prepare environment for test."); \
32 RUNNER_ASSERT_MSG(-1 != setgid(1), \
33 "Cannot prepare environment for test."); \
34 RUNNER_ASSERT_MSG(-1 != setuid(1), \
35 "Cannot prepare environment for test"); \
// NOTE(review) on the setup sequence above (the macro's #define line is not part of this listing):
// - Comparing system() against -1 only catches a failure to start the shell; a non-zero
//   exit status from `touch` still passes the check.
// - The Smack label is set while the process is still privileged, then the group id is
//   changed before the user id, which is the order that works when starting as root.
// - No setgroups() call is visible in these lines, so supplementary groups presumably
//   stay as inherited -- confirm whether the tests depend on that.
39 * Dropping root privileges
40 * returns 0 on success, 1 on error
// Switches the process to gid 5000 and then uid 5000. The group is changed first on
// purpose: once setuid() has given up root, the process may no longer change its gid.
// NOTE(review): this listing omits several lines of the function (the root check that the
// inner comment refers to, the return statements, the closing brace). It therefore cannot
// be confirmed here whether supplementary groups are cleared or whether the drop is
// verified afterwards -- check the full file before relying on this helper as a real
// privilege boundary.
42 int drop_root_privileges()
45 /* process is running as root, drop privileges */
46 if (setgid(5000) != 0)
48 if (setuid(5000) != 0)
58 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
61 * test: Check cookie size returned by security_server_get_cookie_size.
62 * description: Cookie used by security-server is 20 bytes long.
63 * Any other size of cookies should be treated as error.
64 * expected: Function security_server_get_cookie_size returns 20.
66 RUNNER_CHILD_TEST(tc01_security_server_get_cookie_size)
// The expected length is the literal 20. tc02 and tc05 pass the same literal as their
// buffer size, so a change of cookie length in the library has to be mirrored in every
// one of these places; a shared constant would keep buffer and check in step.
70 int ret = security_server_get_cookie_size();
71 RUNNER_ASSERT_MSG(20 == ret, "ret = " << ret);
75 * test: security_server_request_cookie
76 * description: Function security_server_request_cookie will return
77 * 20 bytes long cookie.
78 * expected: function will set up cookie in the array and return
79 * SECURITY_SERVER_API_SUCCESS.
81 RUNNER_CHILD_TEST(tc02_security_server_request_cookie_normal_case)
// Requests a cookie with a stated capacity of 20 bytes and expects success.
// NOTE(review): the declaration of `cookie` is not visible in this listing (presumably a
// 20-byte char array -- confirm). Its real size must be at least the 20 passed here,
// because the callee can only trust the length argument.
86 int ret = security_server_request_cookie(cookie, 20);
87 LogDebug("ret = " << ret);
88 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == ret);
92 * test: security_server_request_cookie
93 * description: Function security_server_request_cookie will return
94 * 20 bytes long cookie.
95 * expected: function will set up cookie in the array and return
96 * SECURITY_SERVER_API_SUCCESS.
98 RUNNER_CHILD_TEST(tc03_security_server_request_cookie_too_small_buffer_size)
// NOTE(review): the header comment of this test repeats tc02's text. What the code checks
// is the undersized-buffer path: a capacity of 10 is passed and the call has to be
// rejected with SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL instead of reporting success.
103 int ret = security_server_request_cookie(cookie, 10);
104 LogDebug("ret = " << ret);
105 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret);
109 * test: tc04_security_server_get_gid
110 * description: Checking for security_server_get_gid
111 * with nonexisting gid and existing one
112 * expected: security_server_get_gid should return
113 * SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT with first call
114 * and group id with second call
116 RUNNER_CHILD_TEST(tc04_security_server_get_gid)
// Negative case first: a name that is expected not to exist must yield NO_SUCH_OBJECT.
120 int ret = security_server_get_gid("abc123xyz_pysiaczek");
121 LogDebug("ret = " << ret);
122 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret);
// Positive case: "root" has to resolve to exactly 0. The return value carries either a
// gid or an error code, so the assertion pins the concrete id rather than "no error".
123 ret = security_server_get_gid("root");
124 LogDebug("ret = " << ret);
125 RUNNER_ASSERT_MSG(0 == ret, "Ret: " << ret);
129 * test: tc05_check_privilege_by_cookie
130 * description: Function security_server_check_privilege_by_cookie should
131 * return status of access rights of cookie owner. In this case cookie owner
132 * is the same process that asks for the rights.
133 * expected: Function call with access rights set to "r" should return SUCCESS,
134 * with "rw" should return ACCESS DENIED.
136 RUNNER_CHILD_TEST(tc05_check_privilege_by_cookie)
// Two access strings are prepared: "r" for the check that must pass and "rw" for the one
// that must be denied, so the test covers both the allow and the deny decision.
139 const char *object_label = "tc05objectlabel";
140 const char *access_rights = "r";
141 const char *access_rights_ext = "rw";
142 const char *subject_label = "tc05subjectlabel";
// Build and load a Smack rule set while still privileged. The arguments of
// smack_accesses_add are not visible in this listing; per the test header the rule
// presumably grants subject_label "r" on object_label -- confirm.
// NOTE(review): no line visible here removes the rule again after the test.
144 smack_accesses *handle;
146 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
148 RUNNER_ASSERT(0 == smack_accesses_add(handle,
153 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
155 smack_accesses_free(handle);
// Order matters from here on: the process relabels itself and obtains its cookie first,
// and only then gives up root. Changing one's own Smack label normally needs privilege,
// so it could not be done after the drop.
157 RUNNER_ASSERT(0 == smack_set_label_for_self(subject_label));
159 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
160 security_server_request_cookie(cookie,20));
162 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
// Both privilege checks below run after the drop, i.e. as the unprivileged cookie owner.
// Their argument lists are not visible in this listing.
164 RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
165 security_server_check_privilege_by_cookie(
170 RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED ==
171 security_server_check_privilege_by_cookie(
178 * test: security_server_check_privilege_by_sockfd
179 * description: This test will create dummy server that will accept connection
180 * and die. The client will try to check access rights using connection descriptor.
181 * expected: Function call with access rights set to "r" should return SUCCESS,
182 * with "rw" should return ACCESS DENIED.
184 RUNNER_TEST(tc06_check_privilege_by_sockfd)
// "r" is the right expected to be granted, "rw" the one expected to be denied.
186 const char *object_label = "tc06objectlabel";
187 const char *access_rights = "r";
188 const char *access_rights_ext = "rw";
189 const char *subject_label = "tc06subjectlabel";
// Load the Smack rule before any process is created, while still privileged. The
// arguments of smack_accesses_add are not visible in this listing.
194 smack_accesses *handle;
195 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
196 RUNNER_ASSERT(0 == smack_accesses_add(handle,
200 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
201 smack_accesses_free(handle);
// `pid` is assigned on a line this listing omits (presumably fork() -- confirm).
205 RUNNER_ASSERT(-1 != pid);
// Child (dummy server): relabel first, then create the socket.
209 if (0 != smack_set_label_for_self(subject_label)) {
210 LogDebug("child, failed");
214 LogDebug("child, create_new_socket");
215 int sockfd = create_new_socket();
// Before anything is connected, the label reported for the socket must be the empty string.
218 label = security_server_get_smacklabel_sockfd(sockfd);
219 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
220 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
// The server side gives up root before it starts listening.
223 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
225 LogDebug("child, listen");
226 if (listen(sockfd, 5) < 0) {
227 LogDebug("child, exit");
// Same expectation after listen(): still an empty label.
231 label = security_server_get_smacklabel_sockfd(sockfd);
232 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
233 RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
237 LogDebug("child, accept");
238 struct sockaddr_un client_addr;
239 socklen_t client_len = sizeof(client_addr);
241 while (0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
242 LogDebug("child, loop");
// From here the label read through the descriptor is expected to equal subject_label,
// unlike the two earlier checks. Note the call passes sockfd, not csockfd.
247 label = security_server_get_smacklabel_sockfd(sockfd);
248 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
249 RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << "subject_label is \"" << subject_label << "\"" );
// Parent (client). NOTE(review): the log text suggests a fixed delay is used to wait for
// the child's listen(); the sleep call itself is not visible here. A fixed delay makes the
// test timing-dependent.
256 LogDebug("Parent, sleep 2");
258 int sockfd = connect_to_testserver();
260 label = security_server_get_smacklabel_sockfd(sockfd);
261 RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
262 RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << "subject_label is \"" << subject_label << "\"" );
265 LogDebug("Parent: sockfd: " << sockfd);
// The two results are only stored here and asserted at the very end, so the descriptor is
// closed and the child reaped even when a check gives the wrong answer.
267 result1 = security_server_check_privilege_by_sockfd(
271 result2 = security_server_check_privilege_by_sockfd(
276 LogDebug("Parent: Close desc");
278 LogDebug("Parent: killing child");
// The return value of waitpid is not checked.
283 waitpid(pid, &status, 0);
285 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
286 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
290 * test: security_server_check_privilege_by_sockfd
291 * description: This test will create dummy server that will accept connection
292 * and die. The client will try to check access rights using connection descriptor.
293 * Because we read the smack label not from the socket directly, but from the pid of the process
294 * on the other end of the socket - that's why the smack label will be updated.
295 * In this test client is running under root and server is not - to test the extreme case.
296 * expected: Function call with access rights set to "r" should return SUCCESS,
297 * with "rw" should return ACCESS DENIED.
299 RUNNER_TEST(tc07_check_privilege_by_sockfd)
// "r" is the right expected to be granted, "rw" the one expected to be denied.
301 const char *object_label = "tc07objectlabel";
302 const char *access_rights = "r";
303 const char *access_rights_ext = "rw";
304 const char *subject_label = "tc07subjectlabel";
// Starts at -1 so that "kill was never attempted" and "kill failed" are both treated as
// not successful by the check near the end.
308 int kill_result = -1;
// Load the Smack rule while still privileged. The arguments of smack_accesses_add are
// not visible in this listing.
310 smack_accesses *handle;
311 RUNNER_ASSERT(0 == smack_accesses_new(&handle));
312 RUNNER_ASSERT(0 == smack_accesses_add(handle,
316 RUNNER_ASSERT(0 == smack_accesses_apply(handle));
317 smack_accesses_free(handle);
// `pid` is assigned on a line this listing omits (presumably fork() -- confirm).
320 RUNNER_ASSERT(-1 != pid);
// Child (dummy server): here the socket is created BEFORE the process relabels itself,
// the reverse of tc06. Per the test header, the label is taken from the peer process
// rather than from the socket, so the later relabel should still be what the check sees.
324 LogDebug("child, create_new_socket");
325 int sockfd = create_new_socket();
327 if (0 != smack_set_label_for_self(subject_label)) {
328 LogDebug("child, failed");
332 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
334 LogDebug("child, listen");
335 if (listen(sockfd, 5) < 0) {
336 LogDebug("child, exit");
339 LogDebug("child, accept");
341 struct sockaddr_un client_addr;
342 socklen_t client_len = sizeof(client_addr);
344 while (0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
345 LogDebug("child, loop");
// NOTE(review): this second drop sits directly before the parent's first log line. If it
// belongs to the parent branch, the header's statement that the client runs as root does
// not match the code -- confirm against the full file.
353 RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
// NOTE(review): the log text suggests a fixed delay is used to wait for the child's
// listen(); the sleep call itself is not visible here.
355 LogDebug("Parent, sleep 2");
357 int sockfd = connect_to_testserver();
358 LogDebug("Parent: sockfd: " << sockfd);
// Results are stored and asserted only after cleanup, as in tc06.
360 result1 = security_server_check_privilege_by_sockfd(
364 result2 = security_server_check_privilege_by_sockfd(
369 LogDebug("Parent: Close desc");
371 LogDebug("Parent: killing child");
372 // we cannot kill child - because of dropping privileges
373 kill_result = kill(pid, SIGKILL);
// The child is reaped only when the signal was actually delivered. What happens when
// kill() fails is on lines this listing omits; if nothing else stops the child, it stays
// behind in its accept loop after the test -- confirm.
376 if (kill_result == 0) {
378 waitpid(pid, &status, 0);
383 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
384 RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
// Program entry point: passes the command line unchanged to the DPL test runner
// singleton. How the runner's result becomes the exit status is on lines this listing omits.
387 int main(int argc, char *argv[])
390 DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);