2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
5 * @file security_server_tests_server.cpp
6 * @author Bumjin Im (bj.im@samsung.com)
7 * @author Mariusz Domanski (m.domanski@samsung.com)
9 * @brief Test cases for security server
15 #include <sys/types.h>
16 #include <sys/param.h>
21 #include <sys/socket.h>
23 #include <sys/smack.h>
25 #include "security-server.h"
26 #include "security_server_clean_env.h"
27 #include <dpl/test/test_runner.h>
28 #include <dpl/test/test_runner_child.h>
30 #include <privilege-control.h>
32 #include "security_server_tests_common.h"
33 #include "tests_common.h"
34 #include <smack_access.h>
35 #include <access_provider.h>
36 #include <summary_collector.h>
38 const char *TEST03_SUBJECT = "subject_0f09f7cc";
39 const char *TEST04_SUBJECT = "subject_57dfbfc5";
40 const char *TEST07_SUBJECT = "subject_cd738844";
41 const char *TEST08_SUBJECT = "subject_fd84ba7f";
42 const char *TEST09_SUBJECT = "subject_sstest09";
43 const char *TEST10_SUBJECT = "subject_sstest10";
44 const char *TEST11_SUBJECT = "subject_sstest11";
45 const char *TEST12_SUBJECT = "subject_sstest12";
47 const char *API_PASSWD_SET = "security-server::api-password-set";
48 const char *API_PASSWD_CHECK = "security-server::api-password-check";
49 const char *API_PASSWD_RESET = "security-server::api-password-reset";
50 const char *API_RULE_REQUIRED = "w";
52 int clear_password(char ** /*error*/)
55 unsigned int attempt, max_attempt, expire_sec;
56 const char *subject_allow = "subject_allow";
57 struct smack_accesses *handle = NULL;
60 reset_security_server();
62 ret = smack_accesses_new(&handle);
63 RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
65 /* our subject 'subject_allow' has access to security-server::api-password-check */
66 ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED);
67 RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
69 ret = smack_accesses_apply(handle);
70 RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
72 ret = smack_set_label_for_self(subject_allow);
73 RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
75 smack_accesses_free(handle);
77 attempt = max_attempt = expire_sec = UINT_MAX;
78 ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
80 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
81 RUNNER_ASSERT_BT(expire_sec == 0);
82 RUNNER_ASSERT_BT(max_attempt == 0);
83 RUNNER_ASSERT_BT(attempt == 0);
85 /* we revoke all rules for subject 'subject_allow' */
86 ret = smack_revoke_subject(subject_allow);
87 RUNNER_ASSERT_MSG_BT(ret == 0, "Revoking subject didn't work.");
96 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER);
98 RUNNER_TEST(tc_security_server_get_gid_normal_case_trying_to_get_gid_of_tel_gprs)
100 RUNNER_ASSERT_BT(security_server_get_gid("tel_gprs") >= 0);
103 RUNNER_TEST(tc_security_server_get_gid_empty_object_name)
105 RUNNER_ASSERT_BT(security_server_get_gid("") == SECURITY_SERVER_API_ERROR_INPUT_PARAM);
108 RUNNER_TEST(tc_security_server_get_gid_wrong_object_name_teltel)
110 RUNNER_ASSERT_BT(security_server_get_gid("teltel") == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT);
113 RUNNER_CHILD_TEST_SMACK(tc01a_security_server_app_give_access)
115 const char *subject = "abc345v34sfa";
116 const char *object = "efg678x2lkjz";
117 const char *server_api = "security-server::api-data-share";
120 smack.add(subject, object, "-----");
121 smack.add(object, server_api, "rw");
124 smack_set_label_for_self(object);
126 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
128 security_server_app_give_access(subject, getpid());
130 RUNNER_ASSERT_BT(1 == smack_have_access(subject, object, "rwxat"));
134 * Currently we are NOT revoking any permissions given by
135 * security_server_app_give_access function
137 /*RUNNER_TEST(tc01b_security_server_app_give_access)
139 const char *subject = "abc345v34sfa";
140 const char *object = "efg678x2lkjz";
142 // After part A thread from security-server will be notified about
143 // process end and revoke permissions. We need to give him some
147 RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "r----"));
148 RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "-w---"));
149 RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "--x--"));
150 RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "---a-"));
151 RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "----t"));
154 RUNNER_CHILD_TEST_SMACK(tc01c_security_server_app_give_access_no_access)
156 const char *subject = "xxx45v34sfa";
157 const char *object = "yyy78x2lkjz";
160 smack.add(subject, object, "-----");
163 RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(object), "Error in smack_label_for_self");
165 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
167 RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == security_server_app_give_access(subject, getpid()));
169 RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "r"));
172 RUNNER_TEST_SMACK(tc02_check_privilege_by_pid)
179 //we checking existing rule, it should return positive
180 ret = security_server_check_privilege_by_pid(pid, "_", "rx");
181 RUNNER_ASSERT_BT(ret == SECURITY_SERVER_API_SUCCESS);
183 //we checking rule with label that not exist
184 ret = security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat");
185 RUNNER_ASSERT_BT(ret != SECURITY_SERVER_API_SUCCESS);
188 RUNNER_CHILD_TEST_SMACK(tc03_check_API_passwd_allow)
191 unsigned int attempt, max_attempt, expire_sec;
192 char *str = (char*) malloc(256);
194 attempt = max_attempt = expire_sec = 0;
196 ret = clear_password(&str);
197 RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << str);
199 SecurityServer::AccessProvider provider(TEST03_SUBJECT);
200 provider.allowAPI(API_PASSWD_CHECK, API_RULE_REQUIRED);
201 provider.allowAPI(API_PASSWD_SET, API_RULE_REQUIRED);
202 provider.allowAPI(API_PASSWD_RESET, API_RULE_REQUIRED);
203 provider.applyAndSwithToUser(APP_UID, APP_GID);
205 ret = security_server_set_pwd_validity(10);
206 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
208 ret = security_server_set_pwd_max_challenge(5);
209 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
211 ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
212 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
214 usleep(PASSWORD_RETRY_TIMEOUT_US);
215 ret = security_server_set_pwd(NULL, "12345", 0, 0);
216 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
218 ret = security_server_reset_pwd("12345",0, 0);
219 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
221 usleep(PASSWORD_RETRY_TIMEOUT_US);
222 ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec);
223 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
225 ret = security_server_set_pwd_history(10);
226 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
229 RUNNER_CHILD_TEST(tc04_check_API_passwd_denied)
232 unsigned int attempt, max_attempt, expire_sec;
234 attempt = max_attempt = expire_sec = 0;
236 SecurityServer::AccessProvider privider(TEST04_SUBJECT);
237 privider.applyAndSwithToUser(APP_UID, APP_GID);
240 * now SS should return error
241 * at the moment SS doesn't check return code from
242 * authorize_SS_API_caller_socket() so it should give access
243 * you can check in logs if it's working properly
244 * has access result = 1
245 * no access result = 0
246 * D/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(205) >
247 * [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
248 * object=security-server::api-password-check, access=w, result=1,
249 * caller_path=/usr/bin/security-server-tests-server
250 * E/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(207) >
251 * [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
252 * object=security-server::api-password-check, access=w, result=0,
253 * caller_path=/usr/bin/security-server-tests-server
256 ret = security_server_set_pwd_validity(10);
257 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
259 ret = security_server_set_pwd_max_challenge(5);
260 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
262 ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
263 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
265 usleep(PASSWORD_RETRY_TIMEOUT_US);
266 ret = security_server_set_pwd("12345", "12346", 0, 0);
267 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
269 ret = security_server_reset_pwd("12346",0, 0);
270 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
272 usleep(PASSWORD_RETRY_TIMEOUT_US);
273 ret = security_server_chk_pwd("12346", &attempt, &max_attempt, &expire_sec);
274 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
276 ret = security_server_set_pwd_history(10);
277 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
280 RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow)
282 SecurityServer::AccessProvider provider(TEST07_SUBJECT);
283 provider.allowFunction("security_server_app_give_access");
284 provider.applyAndSwithToUser(APP_UID, APP_GID);
286 int ret = security_server_app_give_access(TEST07_SUBJECT, getpid());
287 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
290 RUNNER_CHILD_TEST_SMACK(tc08_check_API_data_share_denied)
292 SecurityServer::AccessProvider provider(TEST08_SUBJECT);
293 provider.applyAndSwithToUser(APP_UID, APP_GID);
295 int ret = security_server_app_give_access(TEST08_SUBJECT, getpid());
296 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
299 RUNNER_CHILD_TEST(tc09_check_API_app_enable_permissions)
302 const char *perm_list[] = {"org.tizen.privilege.contact.read",
303 "org.tizen.privilege.contact.write",
307 // need to install WGT once again, in case it was removed before
309 ret = perm_app_uninstall(WGT_APP_ID);
310 RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
311 ret = perm_app_install(WGT_APP_ID);
312 RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
316 ret = security_server_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list, persistent);
317 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
319 SecurityServer::AccessProvider provider(TEST09_SUBJECT);
320 provider.allowFunction("security_server_app_has_privilege");
321 provider.applyAndSwithToUser(APP_UID, APP_GID);
323 // Check if permissions are given
324 check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, true);
327 RUNNER_CHILD_TEST(tc10_check_API_app_disable_permissions)
330 const char *perm_list[] = {"org.tizen.privilege.contact.read",
331 "org.tizen.privilege.contact.write",
334 // need to install WGT once again, in case it was removed before
336 ret = perm_app_uninstall(WGT_APP_ID);
337 RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
338 ret = perm_app_install(WGT_APP_ID);
339 RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
342 // disable permission
343 ret = security_server_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list);
344 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
346 SecurityServer::AccessProvider provider(TEST10_SUBJECT);
347 provider.allowFunction("security_server_app_has_privilege");
348 provider.applyAndSwithToUser(APP_UID, APP_GID);
350 // Check if permissions are disabled
351 check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, false);
354 RUNNER_TEST(tc11_security_server_app_has_privilege)
357 const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
358 "org.tizen.privilege.contact.write",
360 const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
361 "org.tizen.privilege.calendar.write",
363 const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
366 ret = perm_app_uninstall(TEST11_SUBJECT);
367 RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
368 ret = perm_app_install(TEST11_SUBJECT);
369 RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
373 ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
374 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
375 ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
376 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
378 // Check if permissions are given using API with app_label parameter
379 check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, true);
380 check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, true);
381 check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_disabled, false);
384 RUNNER_CHILD_TEST(tc12_security_server_app_caller_has_privilege)
387 const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
388 "org.tizen.privilege.contact.write",
390 const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
391 "org.tizen.privilege.calendar.write",
393 const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
397 ret = perm_app_uninstall(TEST11_SUBJECT);
398 RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
399 ret = perm_app_install(TEST11_SUBJECT);
400 RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
404 ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
405 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
406 ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
407 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
409 SecurityServer::AccessProvider provider(TEST11_SUBJECT);
410 provider.allowFunction("security_server_app_caller_has_privilege");
411 provider.applyAndSwithToUser(APP_UID, APP_GID);
413 // Check if permissions are given using "caller" API
414 check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_pers, true);
415 check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_temp, true);
416 check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_disabled, false);
419 RUNNER_CHILD_TEST(tc13_check_API_app_has_privilege_denied)
422 const char *perm_list[] = {"org.tizen.privilege.contact.read",
423 "org.tizen.privilege.contact.write",
426 // set smack label without previously assigned permissions to api socket
427 ret = smack_set_label_for_self(TEST12_SUBJECT);
428 RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
430 // drop root privileges
431 RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
433 // call common function to perform the check
434 check_app_caller_has_privilege_denied(APP_TYPE_WGT, perm_list);
436 // call also second common function
437 check_app_has_privilege_denied(TEST12_SUBJECT, APP_TYPE_WGT, perm_list);
440 //////////////////////////////////////////
441 /////////NOSMACK ENV TESTS////////////////
442 //////////////////////////////////////////
445 * NOSMACK version of tc01a and tc01c tests.
447 * SMACK is turned off - that means for us, that we don't need any accesses added to our process
448 * in SMACK before dropping root privileges. This test drops root privileges, calls
449 * security_server_app_give_access and then checks if smack_have_access returns error (because
452 * security_server_app_give_access shouldn't return anything else than success when SMACK is off,
453 * hence there is only one test that replaces tests tc01a and tc01c.
455 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_app_give_access_nosmack)
457 const char* subject = "abc345v34sfa";
458 const char* object = "efg678x2lkjz";
461 result = drop_root_privileges();
462 RUNNER_ASSERT_MSG_BT(result == 0,
463 "Failed to drop root privileges. Result: " << result << "uid = " << getuid());
465 result = security_server_app_give_access(subject, getpid());
466 RUNNER_ASSERT_MSG_BT(result == SECURITY_SERVER_API_SUCCESS,
467 "Error in security_server_app_give_access. Result: " << result);
469 result = smack_have_access(subject, object, "rwxat");
470 RUNNER_ASSERT_MSG_BT(result == -1,
471 "smack_have_access should return error when SMACK is off. Result: " << result);
475 * NOSMACK version of tc02 test.
477 * check_privilege_by_pid should always return success when SMACK is off, no matter if label is
480 RUNNER_TEST_NOSMACK(tc02_check_privilege_by_pid_nosmack)
487 //we checking existing rule, it should return positive
488 ret = security_server_check_privilege_by_pid(pid, "_", "rx");
489 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
490 "check_privilege_by_pid for existing label failed. Result: " << ret);
492 //we checking rule with label that not exist
493 ret = security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat");
494 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
495 "check_privilege_by_pid for nonexisting label failed. Result: " << ret);
499 * NOSMACK version of clear_password function.
501 * Compared to SMACK version of this function, this one skips adding rules and setting label.
503 int clear_password_nosmack()
506 unsigned int attempt, max_attempt, expire_sec;
509 reset_security_server();
511 attempt = max_attempt = expire_sec = UINT_MAX;
512 ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
514 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
515 "is_pwd_faild should return no password error. Result: " << ret);
516 RUNNER_ASSERT_MSG_BT(expire_sec == 0, "expire_sec = " << expire_sec << ", should be 0.");
517 RUNNER_ASSERT_MSG_BT(max_attempt == 0, "max_attempt = " << max_attempt << ", should be 0.");
518 RUNNER_ASSERT_MSG_BT(attempt == 0, "attempt = " << attempt << ", should be 0.");
526 * NOSMACK version of tc03 test.
528 * Just as tc01a/tc01c NOSMACK replacement, we don't need to do anything with SMACK because most
529 * important functions will return errors (that is smack_accesses_apply/smack_have_access etc.).
530 * First clear password, then drop privileges and proceed to regular testing.
533 RUNNER_CHILD_TEST_NOSMACK(tc03_check_API_passwd_allow_nosmack)
536 unsigned int attempt, max_attempt, expire_sec;
538 attempt = max_attempt = expire_sec = 0;
540 clear_password_nosmack();
542 // drop root privileges
543 ret = drop_root_privileges();
544 RUNNER_ASSERT_MSG_BT(ret == 0,
545 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
547 ret = security_server_set_pwd_validity(10);
548 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
549 "set_pwd_validity should return no password error. Result: " << ret);
551 ret = security_server_set_pwd_max_challenge(5);
552 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
553 "set_pwd_max_challenge should return no password error. Result: " << ret);
555 ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
556 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
557 "is_pwd_valid should return no password error. Result: " << ret);
559 usleep(PASSWORD_RETRY_TIMEOUT_US);
560 ret = security_server_set_pwd(NULL, "12345", 0, 0);
561 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
562 "set_pwd failed. Result: " << ret);
564 ret = security_server_reset_pwd("12345",0, 0);
565 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
566 "reset_pwd failed. Result: " << ret);
568 usleep(PASSWORD_RETRY_TIMEOUT_US);
569 ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec);
570 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
571 "chk_pwd failed. Result: " << ret);
573 ret = security_server_set_pwd_history(10);
574 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
575 "set_pwd_history failed. Result: " << ret);
579 * NOSMACK version of tc07 test.
581 * Similarily to previous tests - no need to set self label because SMACK is off. Just as
582 * tc01a/tc01c replacement, security_server_app_give_access should return only success. Hence the
583 * NOSMACK version of tc08 test is skipped.
585 RUNNER_CHILD_TEST_NOSMACK(tc07_check_API_data_share_allow_nosmack)
589 // drop root privileges
590 ret = drop_root_privileges();
591 RUNNER_ASSERT_MSG_BT(ret == 0,
592 "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
594 ret = security_server_app_give_access(TEST07_SUBJECT, getpid());
595 RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
596 "app_give_access failed. Result: " << ret);
599 int main(int argc, char *argv[]) {
601 printf("Error: %s must be executed by root\n", argv[0]);
604 SummaryCollector::Register();
605 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);