tests/security-server-tests/server.cpp

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  */
   4 /*
   5  * @file    security_server_tests_server.cpp
   6  * @author  Bumjin Im (bj.im@samsung.com)
   7  * @author  Mariusz Domanski (m.domanski@samsung.com)
   8  * @version 1.0
   9  * @brief   Test cases for security server
  10  */
  11
  12 #include <stdio.h>
  13 #include <errno.h>
  14 #include <stdlib.h>
  15 #include <sys/types.h>
  16 #include <sys/param.h>
  17 #include <fcntl.h>
  18 #include <sys/un.h>
  19 #include <unistd.h>
  20 #include <poll.h>
  21 #include <sys/socket.h>
  22 #include <sys/stat.h>
  23 #include <sys/smack.h>
  24 #include <sys/wait.h>
  25 #include "security-server.h"
  26 #include "security_server_clean_env.h"
  27 #include <dpl/test/test_runner.h>
  28 #include <dpl/test/test_runner_child.h>
  29 #include <dlog.h>
  30 #include <privilege-control.h>
  31 #include <ftw.h>
  32 #include "security_server_tests_common.h"
  33 #include "tests_common.h"
  34 #include <smack_access.h>
  35 #include <access_provider.h>
  36 #include <summary_collector.h>
  37
  38 const char *TEST03_SUBJECT = "subject_0f09f7cc";
  39 const char *TEST04_SUBJECT = "subject_57dfbfc5";
  40 const char *TEST07_SUBJECT = "subject_cd738844";
  41 const char *TEST08_SUBJECT = "subject_fd84ba7f";
  42 const char *TEST09_SUBJECT = "subject_sstest09";
  43 const char *TEST10_SUBJECT = "subject_sstest10";
  44 const char *TEST11_SUBJECT = "subject_sstest11";
  45 const char *TEST12_SUBJECT = "subject_sstest12";
  46
  47 const char *API_PASSWD_SET    = "security-server::api-password-set";
  48 const char *API_PASSWD_CHECK  = "security-server::api-password-check";
  49 const char *API_PASSWD_RESET  = "security-server::api-password-reset";
  50 const char *API_RULE_REQUIRED = "w";
  51
  52 int clear_password(char ** /*error*/)
  53 {
  54     int ret = -1;
  55     unsigned int attempt, max_attempt, expire_sec;
  56     const char *subject_allow = "subject_allow";
  57     struct smack_accesses *handle = NULL;
  58
  59     if (getuid() == 0) {
  60         reset_security_server();
  61
  62         ret = smack_accesses_new(&handle);
  63         RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
  64
  65         /* our subject 'subject_allow' has access to security-server::api-password-check */
  66         ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED);
  67         RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
  68
  69         ret = smack_accesses_apply(handle);
  70         RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
  71
  72         ret = smack_set_label_for_self(subject_allow);
  73         RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
  74
  75         smack_accesses_free(handle);
  76
  77         attempt = max_attempt = expire_sec = UINT_MAX;
  78         ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
  79
  80         RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
  81         RUNNER_ASSERT_BT(expire_sec == 0);
  82         RUNNER_ASSERT_BT(max_attempt == 0);
  83         RUNNER_ASSERT_BT(attempt == 0);
  84
  85         /* we revoke all rules for subject 'subject_allow' */
  86         ret = smack_revoke_subject(subject_allow);
  87         RUNNER_ASSERT_MSG_BT(ret == 0, "Revoking subject didn't work.");
  88
  89         sleep(1);
  90
  91         return 0;
  92     }
  93     return -1;
  94 }
  95
  96 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER);
  97
  98 RUNNER_TEST(tc_security_server_get_gid_normal_case_trying_to_get_gid_of_tel_gprs)
  99 {
 100     RUNNER_ASSERT_BT(security_server_get_gid("tel_gprs") >= 0);
 101 }
 102
 103 RUNNER_TEST(tc_security_server_get_gid_empty_object_name)
 104 {
 105     RUNNER_ASSERT_BT(security_server_get_gid("") == SECURITY_SERVER_API_ERROR_INPUT_PARAM);
 106 }
 107
 108 RUNNER_TEST(tc_security_server_get_gid_wrong_object_name_teltel)
 109 {
 110     RUNNER_ASSERT_BT(security_server_get_gid("teltel") == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT);
 111 }
 112
 113 RUNNER_CHILD_TEST_SMACK(tc01a_security_server_app_give_access)
 114 {
 115     const char *subject = "abc345v34sfa";
 116     const char *object = "efg678x2lkjz";
 117     const char *server_api = "security-server::api-data-share";
 118
 119     SmackAccess smack;
 120     smack.add(subject, object, "-----");
 121     smack.add(object,  server_api, "rw");
 122     smack.apply();
 123
 124     smack_set_label_for_self(object);
 125
 126     RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 127
 128     security_server_app_give_access(subject, getpid());
 129
 130     RUNNER_ASSERT_BT(1 == smack_have_access(subject, object, "rwxat"));
 131 }
 132
 133 /*
 134  * Currently we are NOT revoking any permissions given by
 135  * security_server_app_give_access function
 136  */
 137 /*RUNNER_TEST(tc01b_security_server_app_give_access)
 138 {
 139     const char *subject = "abc345v34sfa";
 140     const char *object = "efg678x2lkjz";
 141
 142     // After part A thread from security-server will be notified about
 143     // process end and revoke permissions. We need to give him some
 144     // time.
 145     sleep(1);
 146
 147     RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "r----"));
 148     RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "-w---"));
 149     RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "--x--"));
 150     RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "---a-"));
 151     RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "----t"));
 152 }*/
 153
 154 RUNNER_CHILD_TEST_SMACK(tc01c_security_server_app_give_access_no_access)
 155 {
 156     const char *subject = "xxx45v34sfa";
 157     const char *object = "yyy78x2lkjz";
 158
 159     SmackAccess smack;
 160     smack.add(subject, object, "-----");
 161     smack.apply();
 162
 163     RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(object), "Error in smack_label_for_self");
 164
 165     RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 166
 167     RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == security_server_app_give_access(subject, getpid()));
 168
 169     RUNNER_ASSERT_BT(0 == smack_have_access(subject, object, "r"));
 170 }
 171
 172 RUNNER_TEST_SMACK(tc02_check_privilege_by_pid)
 173 {
 174     int ret;
 175     int pid;
 176
 177     pid = getpid();
 178
 179     //we checking existing rule, it should return positive
 180     ret = security_server_check_privilege_by_pid(pid, "_", "rx");
 181     RUNNER_ASSERT_BT(ret == SECURITY_SERVER_API_SUCCESS);
 182
 183     //we checking rule with label that not exist
 184     ret = security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat");
 185     RUNNER_ASSERT_BT(ret != SECURITY_SERVER_API_SUCCESS);
 186 }
 187
 188 RUNNER_CHILD_TEST_SMACK(tc03_check_API_passwd_allow)
 189 {
 190     int ret = -1;
 191     unsigned int attempt, max_attempt, expire_sec;
 192     char *str = (char*) malloc(256);
 193
 194     attempt = max_attempt = expire_sec = 0;
 195
 196     ret = clear_password(&str);
 197     RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << str);
 198
 199     SecurityServer::AccessProvider provider(TEST03_SUBJECT);
 200     provider.allowAPI(API_PASSWD_CHECK, API_RULE_REQUIRED);
 201     provider.allowAPI(API_PASSWD_SET,   API_RULE_REQUIRED);
 202     provider.allowAPI(API_PASSWD_RESET, API_RULE_REQUIRED);
 203     provider.applyAndSwithToUser(APP_UID, APP_GID);
 204
 205     ret = security_server_set_pwd_validity(10);
 206     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
 207
 208     ret = security_server_set_pwd_max_challenge(5);
 209     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
 210
 211     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 212     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
 213
 214     usleep(PASSWORD_RETRY_TIMEOUT_US);
 215     ret = security_server_set_pwd(NULL, "12345", 0, 0);
 216     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 217
 218     ret = security_server_reset_pwd("12345",0, 0);
 219     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 220
 221     usleep(PASSWORD_RETRY_TIMEOUT_US);
 222     ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec);
 223     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 224
 225     ret = security_server_set_pwd_history(10);
 226     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 227 }
 228
 229 RUNNER_CHILD_TEST(tc04_check_API_passwd_denied)
 230 {
 231     int ret = -1;
 232     unsigned int attempt, max_attempt, expire_sec;
 233
 234     attempt = max_attempt = expire_sec = 0;
 235
 236     SecurityServer::AccessProvider privider(TEST04_SUBJECT);
 237     privider.applyAndSwithToUser(APP_UID, APP_GID);
 238
 239     /*
 240      * now SS should return error
 241      * at the moment SS doesn't check return code from
 242      * authorize_SS_API_caller_socket() so it should give access
 243      * you can check in logs if it's working properly
 244      * has access result = 1
 245      * no access result = 0
 246      * D/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(205) >
 247      *                          [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
 248      *                          object=security-server::api-password-check, access=w, result=1,
 249      *                          caller_path=/usr/bin/security-server-tests-server
 250      * E/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(207) >
 251      *                          [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
 252      *                          object=security-server::api-password-check, access=w, result=0,
 253      *                          caller_path=/usr/bin/security-server-tests-server
 254      */
 255
 256     ret = security_server_set_pwd_validity(10);
 257     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 258
 259     ret = security_server_set_pwd_max_challenge(5);
 260     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 261
 262     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 263     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 264
 265     usleep(PASSWORD_RETRY_TIMEOUT_US);
 266     ret = security_server_set_pwd("12345", "12346", 0, 0);
 267     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 268
 269     ret = security_server_reset_pwd("12346",0, 0);
 270     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 271
 272     usleep(PASSWORD_RETRY_TIMEOUT_US);
 273     ret = security_server_chk_pwd("12346", &attempt, &max_attempt, &expire_sec);
 274     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 275
 276     ret = security_server_set_pwd_history(10);
 277     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 278 }
 279
 280 RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow)
 281 {
 282     SecurityServer::AccessProvider provider(TEST07_SUBJECT);
 283     provider.allowFunction("security_server_app_give_access");
 284     provider.applyAndSwithToUser(APP_UID, APP_GID);
 285
 286     int ret = security_server_app_give_access(TEST07_SUBJECT, getpid());
 287     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 288 }
 289
 290 RUNNER_CHILD_TEST_SMACK(tc08_check_API_data_share_denied)
 291 {
 292     SecurityServer::AccessProvider provider(TEST08_SUBJECT);
 293     provider.applyAndSwithToUser(APP_UID, APP_GID);
 294
 295     int ret = security_server_app_give_access(TEST08_SUBJECT, getpid());
 296     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 297 }
 298
 299 RUNNER_CHILD_TEST(tc09_check_API_app_enable_permissions)
 300 {
 301     int ret;
 302     const char *perm_list[] = {"org.tizen.privilege.contact.read",
 303                                "org.tizen.privilege.contact.write",
 304                                 NULL};
 305     int persistent = 1;
 306
 307     // need to install WGT once again, in case it was removed before
 308     DB_BEGIN
 309     ret = perm_app_uninstall(WGT_APP_ID);
 310     RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
 311     ret = perm_app_install(WGT_APP_ID);
 312     RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
 313     DB_END
 314
 315     // enable permission
 316     ret = security_server_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list, persistent);
 317     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 318
 319     SecurityServer::AccessProvider provider(TEST09_SUBJECT);
 320     provider.allowFunction("security_server_app_has_privilege");
 321     provider.applyAndSwithToUser(APP_UID, APP_GID);
 322
 323     // Check if permissions are given
 324     check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, true);
 325 }
 326
 327 RUNNER_CHILD_TEST(tc10_check_API_app_disable_permissions)
 328 {
 329     int ret;
 330     const char *perm_list[] = {"org.tizen.privilege.contact.read",
 331                                "org.tizen.privilege.contact.write",
 332                                 NULL};
 333
 334     // need to install WGT once again, in case it was removed before
 335     DB_BEGIN
 336     ret = perm_app_uninstall(WGT_APP_ID);
 337     RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
 338     ret = perm_app_install(WGT_APP_ID);
 339     RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
 340     DB_END
 341
 342     // disable permission
 343     ret = security_server_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list);
 344     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 345
 346     SecurityServer::AccessProvider provider(TEST10_SUBJECT);
 347     provider.allowFunction("security_server_app_has_privilege");
 348     provider.applyAndSwithToUser(APP_UID, APP_GID);
 349
 350     // Check if permissions are disabled
 351     check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, false);
 352 }
 353
 354 RUNNER_TEST(tc11_security_server_app_has_privilege)
 355 {
 356     int ret;
 357     const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
 358                                     "org.tizen.privilege.contact.write",
 359                                     NULL};
 360     const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
 361                                     "org.tizen.privilege.calendar.write",
 362                                     NULL};
 363     const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
 364                                         NULL};
 365     DB_BEGIN
 366     ret = perm_app_uninstall(TEST11_SUBJECT);
 367     RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
 368     ret = perm_app_install(TEST11_SUBJECT);
 369     RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
 370     DB_END
 371
 372     // enable permission
 373     ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
 374     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 375     ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
 376     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 377
 378     // Check if permissions are given using API with app_label parameter
 379     check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, true);
 380     check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, true);
 381     check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_disabled, false);
 382 }
 383
 384 RUNNER_CHILD_TEST(tc12_security_server_app_caller_has_privilege)
 385 {
 386     int ret;
 387     const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
 388                                     "org.tizen.privilege.contact.write",
 389                                     NULL};
 390     const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
 391                                     "org.tizen.privilege.calendar.write",
 392                                     NULL};
 393     const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
 394                                         NULL};
 395
 396     DB_BEGIN
 397     ret = perm_app_uninstall(TEST11_SUBJECT);
 398     RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
 399     ret = perm_app_install(TEST11_SUBJECT);
 400     RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
 401     DB_END
 402
 403     // enable permission
 404     ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
 405     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 406     ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
 407     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 408
 409     SecurityServer::AccessProvider provider(TEST11_SUBJECT);
 410     provider.allowFunction("security_server_app_caller_has_privilege");
 411     provider.applyAndSwithToUser(APP_UID, APP_GID);
 412
 413     // Check if permissions are given using "caller" API
 414     check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_pers, true);
 415     check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_temp, true);
 416     check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_disabled, false);
 417 }
 418
 419 RUNNER_CHILD_TEST(tc13_check_API_app_has_privilege_denied)
 420 {
 421     int ret;
 422     const char *perm_list[] = {"org.tizen.privilege.contact.read",
 423                                "org.tizen.privilege.contact.write",
 424                                 NULL};
 425
 426     // set smack label without previously assigned permissions to api socket
 427     ret = smack_set_label_for_self(TEST12_SUBJECT);
 428     RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
 429
 430     // drop root privileges
 431     RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
 432
 433     // call common function to perform the check
 434     check_app_caller_has_privilege_denied(APP_TYPE_WGT, perm_list);
 435
 436     // call also second common function
 437     check_app_has_privilege_denied(TEST12_SUBJECT, APP_TYPE_WGT, perm_list);
 438 }
 439
 440 //////////////////////////////////////////
 441 /////////NOSMACK ENV TESTS////////////////
 442 //////////////////////////////////////////
 443
 444 /**
 445  * NOSMACK version of tc01a and tc01c tests.
 446  *
 447  * SMACK is turned off - that means for us, that we don't need any accesses added to our process
 448  * in SMACK before dropping root privileges. This test drops root privileges, calls
 449  * security_server_app_give_access and then checks if smack_have_access returns error (because
 450  * SMACK is off).
 451  *
 452  * security_server_app_give_access shouldn't return anything else than success when SMACK is off,
 453  * hence there is only one test that replaces tests tc01a and tc01c.
 454  */
 455 RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_app_give_access_nosmack)
 456 {
 457     const char* subject = "abc345v34sfa";
 458     const char* object = "efg678x2lkjz";
 459     int result = 0;
 460
 461     result = drop_root_privileges();
 462     RUNNER_ASSERT_MSG_BT(result == 0,
 463             "Failed to drop root privileges. Result: " << result << "uid = " << getuid());
 464
 465     result = security_server_app_give_access(subject, getpid());
 466     RUNNER_ASSERT_MSG_BT(result == SECURITY_SERVER_API_SUCCESS,
 467             "Error in security_server_app_give_access. Result: " << result);
 468
 469     result = smack_have_access(subject, object, "rwxat");
 470     RUNNER_ASSERT_MSG_BT(result == -1,
 471             "smack_have_access should return error when SMACK is off. Result: " << result);
 472 }
 473
 474 /**
 475  * NOSMACK version of tc02 test.
 476  *
 477  * check_privilege_by_pid should always return success when SMACK is off, no matter if label is
 478  * real or not.
 479  */
 480 RUNNER_TEST_NOSMACK(tc02_check_privilege_by_pid_nosmack)
 481 {
 482     int ret;
 483     int pid;
 484
 485     pid = getpid();
 486
 487     //we checking existing rule, it should return positive
 488     ret = security_server_check_privilege_by_pid(pid, "_", "rx");
 489     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 490             "check_privilege_by_pid for existing label failed. Result: " << ret);
 491
 492     //we checking rule with label that not exist
 493     ret = security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat");
 494     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 495             "check_privilege_by_pid for nonexisting label failed. Result: " << ret);
 496 }
 497
 498 /**
 499  * NOSMACK version of clear_password function.
 500  *
 501  * Compared to SMACK version of this function, this one skips adding rules and setting label.
 502  */
 503 int clear_password_nosmack()
 504 {
 505     int ret = -1;
 506     unsigned int attempt, max_attempt, expire_sec;
 507
 508     if (getuid() == 0) {
 509         reset_security_server();
 510
 511         attempt = max_attempt = expire_sec = UINT_MAX;
 512         ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 513
 514         RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
 515                 "is_pwd_faild should return no password error. Result: " << ret);
 516         RUNNER_ASSERT_MSG_BT(expire_sec == 0, "expire_sec = " << expire_sec << ", should be 0.");
 517         RUNNER_ASSERT_MSG_BT(max_attempt == 0, "max_attempt = " << max_attempt << ", should be 0.");
 518         RUNNER_ASSERT_MSG_BT(attempt == 0, "attempt = " << attempt << ", should be 0.");
 519
 520         return 0;
 521     }
 522     return -1;
 523 }
 524
 525 /**
 526  * NOSMACK version of tc03 test.
 527  *
 528  * Just as tc01a/tc01c NOSMACK replacement, we don't need to do anything with SMACK because most
 529  * important functions will return errors (that is smack_accesses_apply/smack_have_access etc.).
 530  * First clear password, then drop privileges and proceed to regular testing.
 531  */
 532
 533 RUNNER_CHILD_TEST_NOSMACK(tc03_check_API_passwd_allow_nosmack)
 534 {
 535     int ret = -1;
 536     unsigned int attempt, max_attempt, expire_sec;
 537
 538     attempt = max_attempt = expire_sec = 0;
 539
 540     clear_password_nosmack();
 541
 542     // drop root privileges
 543     ret = drop_root_privileges();
 544     RUNNER_ASSERT_MSG_BT(ret == 0,
 545             "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
 546
 547     ret = security_server_set_pwd_validity(10);
 548     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
 549             "set_pwd_validity should return no password error. Result: " << ret);
 550
 551     ret = security_server_set_pwd_max_challenge(5);
 552     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
 553             "set_pwd_max_challenge should return no password error. Result: " << ret);
 554
 555     ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 556     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
 557             "is_pwd_valid should return no password error. Result: " << ret);
 558
 559     usleep(PASSWORD_RETRY_TIMEOUT_US);
 560     ret = security_server_set_pwd(NULL, "12345", 0, 0);
 561     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 562             "set_pwd failed. Result: " << ret);
 563
 564     ret = security_server_reset_pwd("12345",0, 0);
 565     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 566             "reset_pwd failed. Result: " << ret);
 567
 568     usleep(PASSWORD_RETRY_TIMEOUT_US);
 569     ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec);
 570     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 571             "chk_pwd failed. Result: " << ret);
 572
 573     ret = security_server_set_pwd_history(10);
 574     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 575             "set_pwd_history failed. Result: " << ret);
 576 }
 577
 578 /**
 579  * NOSMACK version of tc07 test.
 580  *
 581  * Similarily to previous tests - no need to set self label because SMACK is off. Just as
 582  * tc01a/tc01c replacement, security_server_app_give_access should return only success. Hence the
 583  * NOSMACK version of tc08 test is skipped.
 584  */
 585 RUNNER_CHILD_TEST_NOSMACK(tc07_check_API_data_share_allow_nosmack)
 586 {
 587     int ret = -1;
 588
 589     // drop root privileges
 590     ret = drop_root_privileges();
 591     RUNNER_ASSERT_MSG_BT(ret == 0,
 592             "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
 593
 594     ret = security_server_app_give_access(TEST07_SUBJECT, getpid());
 595     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
 596             "app_give_access failed. Result: " << ret);
 597 }
 598
 599 int main(int argc, char *argv[]) {
 600     if (0 != getuid()) {
 601         printf("Error: %s must be executed by root\n", argv[0]);
 602         exit(1);
 603     }
 604     SummaryCollector::Register();
 605     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 606 }