*/
#include <string>
+#include <sstream>
#include <fcntl.h>
+#include <unistd.h>
#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_multiprocess.h>
#include <dpl/log/log.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/smack.h>
#include <sys/xattr.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include "tests_common.h"
-#define TEST_SUBJECT "test_subject"
-#define TEST_OBJECT "test_oject"
+#define TEST_SUBJECT "test_subject"
+#define TEST_OBJECT "test_oject"
+#define TEST_OBJECT_2 "test_oject_2"
+#define SOCK_PATH "/tmp/test-smack-socket"
+
+std::vector<std::string> accessesBasic = { "r", "w", "x", "wx", "rx", "rw", "rwx", "rwxat" };
int files_compare(int fd1, int fd2)
{
struct stat fs1, fs2;
//handlers for mmap()
- void * h1 = MAP_FAILED;
- void * h2 = MAP_FAILED;
+ void *h1 = MAP_FAILED;
+ void *h2 = MAP_FAILED;
//getting files information
- if(fstat(fd1, &fs1) == -1) {
+ if (fstat(fd1, &fs1) == -1) {
perror("fstat");
return -1;
}
- if(fstat(fd2, &fs2) == -1) {
+ if (fstat(fd2, &fs2) == -1) {
perror("fstat");
return -1;
}
- if(fs1.st_size != fs2.st_size) //if files are identical size will be the same
+ if (fs1.st_size != fs2.st_size) //if files are identical size will be the same
return -1;
//mapping files to process memory
- if((h1 = mmap(0, fs1.st_size, PROT_READ, MAP_SHARED, fd1, 0 )) == MAP_FAILED) {
+ if ((h1 = mmap(0, fs1.st_size, PROT_READ, MAP_SHARED, fd1, 0 )) == MAP_FAILED) {
result = -1;
goto end;
}
- if((h2 = mmap(0, fs2.st_size, PROT_READ, MAP_SHARED, fd2, 0 )) == MAP_FAILED) {
+ if ((h2 = mmap(0, fs2.st_size, PROT_READ, MAP_SHARED, fd2, 0 )) == MAP_FAILED) {
result = -1;
goto end;
}
//cleaning after mmap()
end:
- if(h2 != MAP_FAILED)
+ if (h2 != MAP_FAILED)
munmap(h2, fs2.st_size);
- if(h1 != MAP_FAILED)
+ if (h1 != MAP_FAILED)
munmap(h1, fs1.st_size);
return result;
/**
* Helper method to reset privileges at the begginning of tests.
*/
-void clean_up(){
- struct smack_accesses * rules = NULL;
+void clean_up()
+{
+ struct smack_accesses *rules = NULL;
int result = smack_accesses_new(&rules);
RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
}
/**
+ * Checking if subject has any access to object
+ */
+bool checkNoAccesses(const char *subject, const char *object)
+{
+ int result;
+ result = smack_have_access(subject, object,"r");
+ if (result == 1) {
+ return false;
+ }
+ result = smack_have_access(subject, object,"w");
+ if (result == 1) {
+ return false;
+ }
+ result = smack_have_access(subject, object,"x");
+ if (result == 1) {
+ return false;
+ }
+ result = smack_have_access(subject, object,"a");
+ if (result == 1) {
+ return false;
+ }
+ result = smack_have_access(subject, object,"t");
+ if (result == 1) {
+ return false;
+ }
+ return true;
+}
+
+void removeAccessesAll()
+{
+ struct smack_accesses *rules = NULL;
+ int result = smack_accesses_new(&rules);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
+
+ result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_01", "", "rxwat");
+ result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_02", "", "rxwat");
+ result = smack_accesses_add_modify(rules, "test_subject_01", "test_object_03", "", "rxwat");
+ result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_01", "", "rxwat");
+ result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_02", "", "rxwat");
+ result = smack_accesses_add_modify(rules, "test_subject_02", "test_object_03", "", "rxwat");
+ result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_01", "", "rxwat");
+ result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_02", "", "rxwat");
+ result = smack_accesses_add_modify(rules, "test_subject_03", "test_object_03", "", "rxwat");
+
+ smack_accesses_apply(rules);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+ smack_accesses_free(rules);
+}
+
+
+/**
* Add a new access with smack_accesses_add_modify()
*/
-RUNNER_TEST(smack_accesses_add_modify_test_1){
+RUNNER_TEST_SMACK(smack_accesses_add_modify_test_1){
int result;
clean_up();
- struct smack_accesses * rules = NULL;
+ struct smack_accesses *rules = NULL;
result = smack_accesses_new(&rules);
// THE TEST
/**
* Test if rules are applied in the right order, and modification works.
*/
-RUNNER_TEST(smack_accesses_add_modify_test_2){
+RUNNER_TEST_SMACK(smack_accesses_add_modify_test_2){
int result;
- struct smack_accesses * rules = NULL;
+ struct smack_accesses *rules = NULL;
result = smack_accesses_new(&rules);
RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
* Test if rules are applied in the right order, and modification works.
* Using different smack_accesses list to add and delete.
*/
-RUNNER_TEST(smack_accesses_add_modify_test_3){
+RUNNER_TEST_SMACK(smack_accesses_add_modify_test_3){
int result;
- struct smack_accesses * rules = NULL;
+ struct smack_accesses *rules = NULL;
result = smack_accesses_new(&rules);
RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
/**
* Add a list of privileges and then revoke just ONE of them.
*/
-RUNNER_TEST(smack_accesses_add_modify_test_4){
+RUNNER_TEST_SMACK(smack_accesses_add_modify_test_4){
int result;
- struct smack_accesses * rules = NULL;
+ struct smack_accesses *rules = NULL;
result = smack_accesses_new(&rules);
RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
* Add a list of privileges and then revoke just ONE of them.
* Without applying privileges in between those actions.
*/
-RUNNER_TEST(smack_accesses_add_modify_test_5){
+RUNNER_TEST_SMACK(smack_accesses_add_modify_test_5){
int result;
- struct smack_accesses * rules = NULL;
+ struct smack_accesses *rules = NULL;
result = smack_accesses_new(&rules);
RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
/**
* Add a list of privileges and then revoke just TWO of them.
*/
-RUNNER_TEST(smack_accesses_add_modify_test_6){
+RUNNER_TEST_SMACK(smack_accesses_add_modify_test_6){
int result;
- struct smack_accesses * rules = NULL;
+ struct smack_accesses *rules = NULL;
result = smack_accesses_new(&rules);
RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
smack_accesses_free(rules);
}
+/**
+ * Run smack_accesses_add_modify with the same accesses_add and accesses_del.
+ */
+RUNNER_TEST_SMACK(smack_accesses_add_modify_test_7){
+ unsigned int i;
+ int result;
+
+ struct smack_accesses *rules = NULL;
+
+ for (i = 0; i < accessesBasic.size(); ++i) {
+ result = smack_accesses_new(&rules);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
+
+ result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str(),accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
+ RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
+
+ RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
+ " Error while checking smack access. Accesses exist.");
+
+ // CLEAN UP
+ clean_up();
+ smack_accesses_free(rules);
+ }
+}
+
+/**
+ * Revoke subject with previously added rules and revoke it again.
+ */
+RUNNER_TEST_SMACK(smack_revoke_subject_test_1){
+ unsigned int i;
+ int result;
+
+ struct smack_accesses *rules = NULL;
+
+ for (i = 0; i < accessesBasic.size(); ++i) {
+ // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
+ result = smack_accesses_new(&rules);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
+ result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str(),"");
+ result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str(),"");
+ RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
+ RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
+
+ // Revoking subject
+ result = smack_revoke_subject(TEST_SUBJECT);
+ RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work.");
+
+ RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
+ " Revoke didn't work. Accesses exist.");
+ RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
+ " Revoke didn't work. Accesses exist.");
+
+
+ // Revoking subject again
+ result = smack_revoke_subject(TEST_SUBJECT);
+ RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work.");
+
+ RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
+ " Revoke didn't work. Accesses exist.");
+ RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
+ " Revoke didn't work. Accesses exist.");
+
+ smack_accesses_free(rules);
+ }
+}
+
+/**
+ * Clearing accesses
+ */
+RUNNER_TEST_SMACK(smack_accesses_clear_test_1){
+ unsigned int i;
+ int result;
+
+ struct smack_accesses *rules = NULL;
+
+ for (i = 0; i < accessesBasic.size(); ++i) {
+ // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2
+ result = smack_accesses_new(&rules);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
+ result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
+ result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
+ RUNNER_ASSERT_MSG(smack_accesses_apply(rules) == 0, "Unable to apply rules");
+
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
+
+ smack_accesses_free(rules);
+
+ // Creating and clearing rules with TEST_OBJECT
+ result = smack_accesses_new(&rules);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
+ result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
+ result = smack_accesses_clear(rules);
+ RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work.");
+
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work. Rule " << accessesBasic[i].c_str() << " does exist.");
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 1, "Clearing rules didn't work. Rule " << accessesBasic[i].c_str() << " does not exist.");
+
+ smack_accesses_free(rules);
+
+ // Creating and clearing rules with TEST_OBJECT_2
+ result = smack_accesses_new(&rules);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
+
+ result = smack_accesses_add(rules,TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance");
+ result = smack_accesses_clear(rules);
+ RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work.");
+
+ smack_accesses_free(rules);
+
+ RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT),
+ " Clear didn't work. Accesses exist.");
+ RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2),
+ " Clear didn't work. Accesses exist.");
+ }
+}
+
RUNNER_TEST(smack01_storing_and_restoring_rules)
{
/*
* author: Pawel Polawski
- * test: smack_accesses_new, smack_accesses_add, smack_accesses_add_modify, smack_accesses_add_from_file,
+ * test: smack_accesses_new, smack_accesses_add, smack_accesses_add_modify, smack_accesses_add_from_file,
* smack_accesses_free, smack_accesses_save
* description: This test case will create structure holding SMACK rules and add new one to it. Next rules will be
* stored and restored from file.
* expect: Rules created and stored in file should be identical to predefined template.
*/
- struct smack_accesses * rules = NULL; //rules prepared in this test case
- struct smack_accesses * import_test = NULL; //rules imported from file
+ struct smack_accesses *rules = NULL; //rules prepared in this test case
+ struct smack_accesses *import_test = NULL; //rules imported from file
int result; //result of each operation to be tested by RUNNER_ASSERT
int fd, tmp, sample; //file descripptors for save / restore rules tests
close(sample);
}
-RUNNER_TEST(smack02_aplying_rules_into_kernel)
+RUNNER_TEST_SMACK(smack02_aplying_rules_into_kernel)
{
/*
* author: Pawel Polawski
//CAP_MAC_ADMIN needed for process to be able to change rules in kernel (apllying, removing)
- struct smack_accesses * rules = NULL; //rules prepared in this test case
+ struct smack_accesses *rules = NULL; //rules prepared in this test case
int result; //for storing functions results
result = smack_accesses_new(&rules); //rules struct init
RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
result = smack_have_access("reader", "book", "rwx"); //should have no access - wrong rule, should be "r" only
RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
- result = smack_have_access("mars", "book", "rwx"); //should have no acces - rule not exist
- RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access");
+ result = smack_have_access("mars", "book", "rwx"); //should fail - rule not exist
+ RUNNER_ASSERT_MSG(result == -1, "Error while checking Smack access");
//int smack_revoke_subject(const char *subject);
result = smack_revoke_subject("snickers"); //this subject do not exist in kernel rules
result = smack_have_access("spy", "book", "rwx"); //testing access after revoke_subject() from kernel
RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); //now spy should have no access
- result = smack_have_access("spy", "book", "-----"); //and should have "-----" rule
- RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
result = smack_accesses_add(rules, "twix", "book", "rwx"); //for create new rule as a consequence of use accesses_clear() below
RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
result = smack_have_access("writer", "book", "rwx"); //testing acces after acces_clear()
RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); //now writer also should have no access
- result = smack_have_access("writer", "book", "-----"); //and should have "-----" rule
- RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
- result = smack_have_access("twix", "book", "-----"); //rule created by calling accesses_clear()
- RUNNER_ASSERT_MSG(result == 1, "Error in acces aplied to kernel");
//free resources
smack_accesses_free(rules);
}
//pairs of rules for test with mixed cases, different length and mixed order
-char * rules_tab[] = {
- "reader1", "-", "-----",
- "reader2", "--------", "-----",
- "reader3", "RwXaT", "rwxat",
- "reader4", "RrrXXXXTTT", "r-x-t",
- "reader5", "-r-w-a-t", "rw-at",
- "reader6", "", "-----",
- "reader7", "xa--Rt---W", "rwxat",
- "reader8", "#Ax[T].!~W@1}", "-wxat"
- };
-
-RUNNER_TEST(smack03_mixed_rule_string_add)
+const char *rules_tab[] = {
+ "reader1", "-", "-----",
+ "reader2", "--------", "-----",
+ "reader3", "RwXaT", "rwxat",
+ "reader4", "RrrXXXXTTT", "r-x-t",
+ "reader5", "-r-w-a-t", "rw-at",
+ "reader6", "", "-----",
+ "reader7", "xa--Rt---W", "rwxat",
+ "reader8", "#Ax[T].!~W@1}", "-wxat"
+};
+
+RUNNER_TEST_SMACK(smack03_mixed_rule_string_add)
{
/*
* author: Pawel Polawski
//In thist test case mixed string are used as rules applied to kernel, next they are
//readed and compared with correct form of rules
- struct smack_accesses * rules = NULL; //rules prepared in this test case
+ struct smack_accesses *rules = NULL; //rules prepared in this test case
int result; //for storing functions results
int i;
+ int expected;
result = smack_accesses_new(&rules); //rules struct init
RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
//adding test rules with mixed string
- for(i = 0; i < (3 * 8) ; i += 3) {
+ for (i = 0; i < (3 * 8); i += 3) {
result = smack_accesses_add(rules, rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
}
RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel");
//checking accesses using normal rules
- for(i = 0; i < (3 * 8) ; i += 3) {
+ for (i = 0; i < (3 * 8); i += 3) {
+ if (!strcmp(rules_tab[i + 2], "-----"))
+ expected = 0;
+ else
+ expected = 1;
result = smack_have_access(rules_tab[i], "book", rules_tab[i + 2]); //using normal rules from table
- RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
+ RUNNER_ASSERT_MSG(result == expected, "Error while checking Smack access");
}
//free resources
smack_accesses_free(rules);
-
}
-RUNNER_TEST(smack04_mixed_rule_string_have_access)
+RUNNER_TEST_SMACK(smack04_mixed_rule_string_have_access)
{
/*
* author: Pawel Polawski
int result;
int i;
+ int expected;
//rules were added in previous RUNNER_TEST section
//checking accesses using mixed rules
- for(i = 0; i < (3 * 8) ; i += 3) {
+ for (i = 0; i < (3 * 8); i += 3) {
+ if (!strcmp(rules_tab[i + 2], "-----"))
+ expected = 0;
+ else
+ expected = 1;
result = smack_have_access(rules_tab[i], "book", rules_tab[i + 1]); //using mixed rules from table
- RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access");
+ RUNNER_ASSERT_MSG(result == expected, "Error while checking Smack access");
}
}
// - smack_accesses_add_modify("subject", "object", "rwx", "rwx") should create empty rule
//}
-RUNNER_TEST(smack05_self_label)
+RUNNER_TEST_SMACK(smack05_self_label)
{
/*
* author: Pawel Polawski
//In this test case process will manipulate it own label
- char * label = NULL;
+ char *label = NULL;
int result;
int fd;
const int B_SIZE = 8;
char buff[B_SIZE];
- char * def_rule = "_";
+ const char *def_rule = "_";
//int smack_new_label_from_self(char **label);
result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == 0, "Error in getting self label");
+ RUNNER_ASSERT_MSG(result >= 0, "Error in getting self label");
//comparing this label with default one "_"
result = strcmp(label, def_rule);
//checking new label using smack function
result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result == 0, "Error in getting self label");
+ RUNNER_ASSERT_MSG(result >= 0, "Error in getting self label");
result = strcmp(label, "cola");
RUNNER_ASSERT_MSG(result == 0, "Wrong process label");
//RUNNER_TEST(smackXX_parent_child_label)
//{
- //In this test case parent process and child labels will be tested
- //Parent will fork and check child's label. First fork will be with default "_" parent label,
- //second one witch changed label.
+//In this test case parent process and child labels will be tested
+//Parent will fork and check child's label. First fork will be with default "_" parent label,
+//second one witch changed label.
//}
//bellow function is from libsmack.c witch changed name
-char * xattr(enum smack_label_type type)
+const char *xattr(enum smack_label_type type)
{
switch (type) {
case SMACK_LABEL_ACCESS:
case SMACK_LABEL_IPOUT:
return "security.SMACK64IPOUT";
default:
- /* Should not reach this point */
- return NULL;
+ /* Should not reach this point */
+ return NULL;
}
}
// return "security.SMACK64IPOUT";
int result;
- char * label = NULL;
+ char *label = NULL;
const int B_SIZE = 8;
char buff[B_SIZE];
- char * file_path = "/etc/smack/test_smack_rules";
+ const char *file_path = "/etc/smack/test_smack_rules";
//preparing environment by restoring default "_" label
//RUNNER_TEST(smackXX_get_label_exec)
//{
- //In this test case EXEC label will be tested
- //by setting this type of label, reading it and testing executed binary exit status
+//In this test case EXEC label will be tested
+//by setting this type of label, reading it and testing executed binary exit status
//}
RUNNER_TEST(smack07_l_get_set_label)
*/
int result;
- char * label = NULL;
+ char *label = NULL;
const int B_SIZE = 8;
char buff[B_SIZE];
- char * file_path = "/etc/smack/test_smack_rules_lnk";
+ const char *file_path = "/etc/smack/test_smack_rules_lnk";
//preparing environment by restoring default "_" label
*/
int result;
- char * label = NULL;
+ char *label = NULL;
const int B_SIZE = 8;
char buff[B_SIZE];
int fd;
- char * file_path = "/etc/smack/test_smack_rules";
+ const char *file_path = "/etc/smack/test_smack_rules";
fd = open(file_path, O_RDWR, 0644); //reference preinstalled rules
RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules");
close(fd);
}
+RUNNER_TEST_SMACK(smack10_adding_removing_rules)
+{
+ unsigned int i;
+ int result;
+
+ struct smack_accesses *rulesBasic = NULL;
+
+ for (i = 0; i < accessesBasic.size(); ++i)
+ {
+ // Creating rules
+ result = smack_accesses_new(&rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
+
+ // Adding accesses
+ result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+
+ // Checking if accesses were created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access. Result: " << result);
+
+ smack_accesses_free(rulesBasic);
+ rulesBasic = NULL;
+
+ // Deleting all rules
+ clean_up();
+ }
+
+ for (i = 0; i < 3; ++i)
+ {
+ // --- Creating rules (r or w or x)
+ result = smack_accesses_new(&rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
+
+ // Adding accesses
+ result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+ // Checking if accesses were created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access. Result: " << result);
+
+ // Checking if wrong accesses were not created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
+ RUNNER_ASSERT_MSG(result == 0,
+ " Error while checking smack access. Result: " << result);
+
+ // --- Modifying accesses (r for wx or w for rx or x for rw)
+ result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,accessesBasic[i + 3].c_str(),accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+
+ // Checking if accesses were created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access. Result: " << result);
+
+ // Checking if wrong accesses were not created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0,
+ " Error while checking smack access. Result: " << result);
+
+ smack_accesses_free(rulesBasic);
+ rulesBasic = NULL;
+
+ // --- Creating complementary rules (r or w or x)
+ result = smack_accesses_new(&rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
+
+ // Adding accesses
+ result = smack_accesses_add(rulesBasic, TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
+
+ // Checking if accesses were created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access. Result: " << result);
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+
+ // Checking if accesses were created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access. Result: " << result);
+
+ // --- Modifying accesses (adding rwx and removing r or w or x)
+ result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,"rwx",accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+
+ // Checking if accesses were created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access. Result: " << result);
+
+ // Checking if wrong accesses were not created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
+ RUNNER_ASSERT_MSG(result == 0,
+ " Error while checking smack access. Result: " << result);
+
+ // --- Adding crossing accesses (rx or rw or wx)
+ result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,accessesBasic[3 + ((i + 1) % 3)].c_str(),"");
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+
+ // Checking if accesses were created
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[3 + ((i + 1) % 3)].c_str());
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access. Result: " << result);
+
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access. Result: " << result);
+
+ // Deleting all rules
+ result = smack_accesses_add_modify(rulesBasic,TEST_SUBJECT, TEST_OBJECT,"","rwx");
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
+
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while checking smack access. Result: " << result);
+
+ smack_accesses_free(rulesBasic);
+ rulesBasic = NULL;
+
+ // Deleting all rules
+ clean_up();
+ }
+}
+
+RUNNER_TEST_SMACK(smack11_saving_loading_rules)
+{
+ int result;
+ int fd;
+
+ struct smack_accesses *rulesBasic = NULL;
+
+ // Pre-cleanup
+ removeAccessesAll();
+
+ // Creating rules
+ result = smack_accesses_new(&rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
+
+ // Loading file with rwxat rules - test_smack_rules_full
+ fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
+ RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules_full");
+
+ // Adding rules from file
+ result = smack_accesses_add_from_file(rulesBasic, fd);
+ close(fd);
+ RUNNER_ASSERT_MSG(result == 0, "Error importing accesses from file");
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+
+ // Checking rules
+ result = smack_have_access("test_subject_01", "test_object_01", "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack accesses.");
+ result = smack_have_access("test_subject_01", "test_object_02", "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack accesses.");
+ result = smack_have_access("test_subject_01", "test_object_03", "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack accesses.");
+ result = smack_have_access("test_subject_02", "test_object_01", "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack accesses.");
+ result = smack_have_access("test_subject_02", "test_object_02", "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack accesses.");
+ result = smack_have_access("test_subject_02", "test_object_03", "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack accesses.");
+ result = smack_have_access("test_subject_03", "test_object_01", "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack accesses.");
+ result = smack_have_access("test_subject_03", "test_object_02", "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack accesses.");
+ result = smack_have_access("test_subject_03", "test_object_03", "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack accesses.");
+
+ // Removing rules
+ removeAccessesAll();
+
+ smack_accesses_free(rulesBasic);
+
+ // Creating rules
+ result = smack_accesses_new(&rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
+
+ // Loading file with partial wrong rules - test_smack_rules2
+ fd = open("/etc/smack/test_smack_rules2", O_RDONLY, 0644);
+ RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules2");
+
+ // Adding rules from file
+ result = smack_accesses_add_from_file(rulesBasic, fd);
+ close(fd);
+ RUNNER_ASSERT_MSG(result == 0, "Accesses were loaded from file");
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+
+ // Checking rules
+ RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_01"),
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
+ result = smack_have_access("test_subject_01", "test_object_02", "rwat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
+ result = smack_have_access("test_subject_01", "test_object_03", "wat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
+ RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_02", "test_object_01"),
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
+ result = smack_have_access("test_subject_02", "test_object_02", "wa-ft");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
+ result = smack_have_access("test_subject_02", "test_object_03", "wr");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
+ result = smack_have_access("test_subject_03", "test_object_01", "a");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
+ result = smack_have_access("test_subject_03", "test_object_02", "rwat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
+ result = smack_have_access("test_subject_03", "test_object_03", "w");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
+
+ // Removing rules
+ removeAccessesAll();
+
+ smack_accesses_free(rulesBasic);
+
+ // Creating rules
+ result = smack_accesses_new(&rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
+
+ // Loading file with partial wrong rules - test_smack_rules3
+ fd = open("/etc/smack/test_smack_rules3", O_RDONLY, 0644);
+ RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules3");
+
+ // Adding rules from file
+ result = smack_accesses_add_from_file(rulesBasic, fd);
+ close(fd);
+ RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+
+ // Checking rules
+ result = smack_have_access("test_subject_01", "test_object_01", "rwat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Result: " << result );
+ RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_02"),
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Accesses exist.");
+ result = smack_have_access("test_subject_01", "test_object_03", "x");
+ RUNNER_ASSERT_MSG(result == 0,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules3. Result: " << result );
+
+ // Removing rules
+ removeAccessesAll();
+
+ smack_accesses_free(rulesBasic);
+
+ // Creating rules
+ result = smack_accesses_new(&rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while creating new accesses. Result: " << result);
+
+ // Loading file with partial wrong rules - test_smack_rules4
+ fd = open("/etc/smack/test_smack_rules4", O_RDONLY, 0644);
+ RUNNER_ASSERT_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules4");
+
+ // Adding rules from file
+ result = smack_accesses_add_from_file(rulesBasic, fd);
+ close(fd);
+ RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
+
+ // Applying rules
+ result = smack_accesses_apply(rulesBasic);
+ RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
+
+ // Checking rules
+ result = smack_have_access("test_subject_01", "test_object_01", "rxwat");
+ RUNNER_ASSERT_MSG(result == 1,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Result: " << result );
+ RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_02"),
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Accesses exist.");
+ result = smack_have_access("test_subject_01", "test_object_03", "a");
+ RUNNER_ASSERT_MSG(result == 0,
+ " Error while checking smack access loaded from /etc/smack/test_smack_rules4. Result: " << result );
+
+ // Removing rules
+ removeAccessesAll();
+
+ smack_accesses_free(rulesBasic);
+}
+
//int smack_new_label_from_socket(int fd, char **label);
+
+static void smack_set_another_label_for_self(void)
+{
+ static int number = time(NULL);
+ int result;
+ char *smack_label;
+
+ number++;
+ result = asprintf(&smack_label, "s%d", number);
+ RUNNER_ASSERT_MSG(result > 0, "asprintf failed");
+ result = smack_set_label_for_self(smack_label);
+ RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self(" << smack_label << ") failed");
+ free(smack_label);
+}
+
+static void smack_unix_sock_server(int sock)
+{
+ int fd, result;
+ char *smack_label;
+
+ alarm(2);
+ fd = accept(sock, NULL, NULL);
+ alarm(0);
+ if (fd < 0)
+ return;
+ result = smack_new_label_from_self(&smack_label);
+ RUNNER_ASSERT_MSG(result >= 0, "smack_new_label_from_self() failed");
+ result = write(fd, smack_label, strlen(smack_label));
+ RUNNER_ASSERT_MSG(result == (int)strlen(smack_label), "write() failed");
+ close(fd);
+ free(smack_label);
+}
+
+RUNNER_MULTIPROCESS_TEST_SMACK(smack09_new_label_from_socket)
+{
+ int pid;
+ struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+ unlink(SOCK_PATH);
+ smack_set_another_label_for_self();
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
+ if (!pid) { /* child process, server */
+ int sock, result;
+
+
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
+ result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ RUNNER_ASSERT_MSG(result == 0, "bind failed: " << strerror(errno));
+ result = listen(sock, 1);
+ RUNNER_ASSERT_MSG(result == 0, "listen failed: " << strerror(errno));
+ smack_unix_sock_server(sock);
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
+ /* Test if socket label was unaffected by fork() */
+ smack_unix_sock_server(sock);
+ if (!pid) {
+ usleep (100);
+ smack_set_another_label_for_self();
+ smack_unix_sock_server(sock);
+ }
+ close(sock);
+
+ exit(0);
+ } else { /* parent process, client */
+ sleep(1); /* Give server some time to setup listening socket */
+ for (int i = 0; i < 4; ++i) {
+ int sock, result;
+ char smack_label1[SMACK_LABEL_LEN + 1];
+ char *smack_label2;
+
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
+ result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ RUNNER_ASSERT_MSG(result == 0, "connect failed: " << strerror(errno));
+ alarm(2);
+ result = read(sock, smack_label1, SMACK_LABEL_LEN);
+ RUNNER_ASSERT_MSG(result >= 0, "read failed: " << strerror(errno));
+ alarm(0);
+ smack_label1[result] = '\0';
+ result = smack_new_label_from_socket(sock, &smack_label2);
+ RUNNER_ASSERT_MSG(result >= 0, "smack_label_from_socket failed");
+ result = strcmp(smack_label1, smack_label2);
+ if (i < 3)
+ RUNNER_ASSERT_MSG(result == 0, "smack labels differ: '" << smack_label1 << "' != '" << smack_label2 << "' i == " << i);
+ else
+ RUNNER_ASSERT_MSG(result != 0, "smack labels do not differ: '" << smack_label1 << "' != '" << smack_label2 << "' i == " << i);
+ close(sock);
+ }
+ }
+}
+
+/////////////////////////////////////////
+//////NOSMACK ENVIRONMENT TESTS//////////
+/////////////////////////////////////////
+
+/**
+ * NOSMACK version of smack02 test. Functions, that should return error instead of success:
+ * - smack_accesses_apply
+ * - smack_have_access
+ * - smack_revoke_subject
+ * - smack_acceesses_clear
+ *
+ * Tests smack03, smack04, smack10, smack_accesses_clear, smack_revoke_subject all use functions
+ * tested in smack02 test. Results from those functions (smack_have_access, smack_accesses_apply,
+ * smack_accesses_clear, smack_revoke_subject) would be the same as in this test. Tests mentioned
+ * above doesn't make much sense on NOSMACK environment when test smack02 exists and passes
+ * correctly, thus those tests are are not implemented.
+ */
+RUNNER_TEST_NOSMACK(smack02_aplying_rules_into_kernel_nosmack)
+{
+
+ smack_accesses *tmp = NULL;
+ int result;
+
+ //init rules
+ result = smack_accesses_new(&tmp);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to create smack_accesses instance");
+
+ //pass rules to unique_ptr
+ AccessesUniquePtr rules(tmp, smack_accesses_free);
+
+ //adding test rules to struct (same as SMACK version of smack02 test)
+ result = smack_accesses_add(rules.get(), "writer", "book", "rwx");
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
+ result = smack_accesses_add(rules.get(), "reader", "book", "r");
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
+ result = smack_accesses_add(rules.get(), "spy", "book", "rwx");
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
+
+ //applying rules to kernel (should fail)
+ result = smack_accesses_apply(rules.get());
+ RUNNER_ASSERT_MSG(result == -1, "Unable to apply rules into kernel");
+
+ //calls from SMACK version of this test - all should fail because of SMACK being turned off
+ result = smack_have_access("spy", "book", "rwx");
+ RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off)");
+ result = smack_have_access("reader", "book", "rwx");
+ RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off)");
+ result = smack_have_access("mars", "book", "rwx");
+ RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off)");
+
+ //testing subject revoking - should return error (no accesses applied = no subjects to revoke)
+ result = smack_revoke_subject("snickers");
+ RUNNER_ASSERT_MSG(result == -1, "smack_revoke_subject error - subject doesn't exist.");
+ result = smack_revoke_subject("spy");
+ RUNNER_ASSERT_MSG(result == -1, "smack_revoke_subject error - subject doesn't exist.");
+
+ //after revoking smack_have_access still should return error
+ result = smack_have_access("spy", "book", "rwx");
+ RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off).");
+
+ result = smack_accesses_add(rules.get(), "twix", "book", "rwx");
+ RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
+
+ //smack_accesses_clear should return error aswell
+ result = smack_accesses_clear(rules.get());
+ RUNNER_ASSERT_MSG(result == -1, "Clearing rules should return error - no SMACK on system.");
+
+ result = smack_have_access("writer", "book", "rwx");
+ RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off).");
+}
+
+/**
+ * NOSMACK version of smack11 test. Tests functions:
+ * - smack_accesses_add_from_file
+ *
+ * Since other SMACK functions were tested in smack02 test, the only function needed to be checked
+ * is applying rules loaded from file.
+ */
+RUNNER_TEST_NOSMACK(smack03_saving_loading_rules_nosmack)
+{
+ int result;
+ int fd;
+
+ smack_accesses* tmp = NULL;
+
+ result = smack_accesses_new(&tmp);
+ RUNNER_ASSERT_MSG(result == 0, "Error during rules creation.");
+
+ AccessesUniquePtr rules(tmp, smack_accesses_free);
+
+ //open file with rules
+ fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
+ RUNNER_ASSERT_MSG(fd >= 0,
+ "Unable to open /etc/smack/test_smack_rules_full. Errno: " << strerror(errno));
+
+ //load accesses from file
+ result = smack_accesses_add_from_file(rules.get(), fd);
+ close(fd);
+ RUNNER_ASSERT_MSG(result == 0, "Error while importing accesses from file. Result: " << result);
+}
+
+/**
+ * NOSMACK version of smack05 test. Tests if functions getting, or
+ * setting self label work correctly (that is, return error).
+ */
+RUNNER_TEST_NOSMACK(smack04_self_label_nosmack)
+{
+ char* label = NULL;
+ int result;
+ int fd;
+
+ const int B_SIZE = 8;
+ char buff[B_SIZE];
+
+ //smack_new_label_from_self should fail
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result == -1, "new_label_from_self should return error (SMACK is off).");
+ RUNNER_ASSERT_MSG(label == NULL, "new_label_from_self shouldn't allocate memory to label.");
+
+ //We don't need to remember about freeing label - smack_new_label_from_self must return NULL
+ //label if it's working properly.
+
+ // /proc/self/attr/current shouldn't keep any rules inside
+ fd = open("/proc/self/attr/current", O_RDONLY, 0644); //file exists, so it should open
+ RUNNER_ASSERT_MSG(fd >= 0, "/proc/self/attr/current failed to open.");
+
+ result = read(fd, buff, B_SIZE); //however reading it should return error
+ if(result >= 0) {
+ close(fd);
+ RUNNER_ASSERT_MSG(false, "Reading /proc/self/attr/current should return error.");
+ }
+
+ //setting label for self should fail
+ result = smack_set_label_for_self("fanta");
+ if(result != -1) {
+ close(fd);
+ RUNNER_ASSERT_MSG(false, "set_label_for_self should return error (SMACK is off).");
+ }
+
+ //getting previously set label should also fail
+ result = smack_new_label_from_self(&label);
+ if(result != -1) {
+ close(fd);
+ RUNNER_ASSERT_MSG(false, "new_label_from_self should return error (SMACK is off).");
+ }
+ if(label != NULL) {
+ close(fd);
+ RUNNER_ASSERT_MSG(false, "new_label_from_self shouldn't allocate memory to label.");
+ }
+
+ // /proc/self/attr/current still shouldn't keep any rules inside
+ result = lseek(fd, 0, SEEK_SET); //going to the file beginning
+ if(result != 0) {
+ close(fd);
+ RUNNER_ASSERT_MSG(false, "lseek() error.");
+ }
+
+ result = read(fd, buff, B_SIZE); //however it should return error
+ if(result >= 0) {
+ close(fd);
+ RUNNER_ASSERT_MSG(false, "Reading /proc/self/attr/current should return error.");
+ }
+
+ close(fd);
+}
+
+/**
+ * NOSMACK version of smack_accesses_add_modify_x tests.
+ *
+ * Because all smack_accesses_add_modify tests are basically the same (all use smack_accesses_apply
+ * and smack_have_access, which return -1 when SMACK is turned off), it makes much more sense to
+ * write one test which will create rules using smack_accesses_add_modify and then check if
+ * smack_accesses_apply and smack_have_access indeed return -1 when SMACK is turned off.
+ */
+RUNNER_TEST_NOSMACK(smack05_accesses_add_modify_nosmack)
+{
+ int result;
+ smack_accesses* tmp = NULL;
+
+ result = smack_accesses_new(&tmp);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to allocate memory for rules. Result: " << result);
+
+ AccessesUniquePtr rules(tmp, smack_accesses_free);
+
+ //Not doing clean_up() every RUNNER_ASSERT_MSG - what clean_up does is just a creation of new
+ //rule struct and removal of currenctly added and applied rules. clean_up() must be done only
+ //after smack_accesses_apply().
+ result = smack_accesses_add_modify(rules.get(), TEST_SUBJECT, TEST_OBJECT, "rwx", "");
+ RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule. Result: " << result);
+
+ result = smack_accesses_add_modify(rules.get(), TEST_SUBJECT, TEST_OBJECT, "rwx", "");
+ RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule. Result: " << result);
+
+ result = smack_accesses_apply(rules.get());
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_accesses_apply should return error (SMACK is off). Result: " << result);
+
+ result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx");
+ if(result != -1) {
+ clean_up();
+ RUNNER_ASSERT_MSG(false,
+ "smack_have_access should return error (SMACK is off). Result: " << result);
+ }
+
+ clean_up();
+}
+
+/**
+ * NOSMACK version of smack09 test.
+ *
+ * This test checks if smack_new_label_from_socket reacts correctly. Since label should be
+ * acquired from getsockopt, and it should fail, we must only set up socket and call
+ * smack_new_label_from_socket. It should return error.
+ */
+RUNNER_MULTIPROCESS_TEST_NOSMACK(smack09_new_label_from_socket_nosmack)
+{
+ int pid;
+ struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+ unlink(SOCK_PATH);
+ char* smack_label;
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
+ if (!pid) { //child (server)
+ int sock, result;
+ int fd;
+
+ //Create new socket
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
+
+ //Bind it to sockaddr
+ result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG(false, "bind failed: " << strerror(errno));
+ }
+
+ //Prepare for listening
+ result = listen(sock, 1);
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG(false, "listen failed: " << strerror(errno));
+ }
+
+ //Accept client
+ alarm(2);
+ fd = accept(sock, NULL, NULL);
+ alarm(0);
+ if (fd < 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG(false, "Failed when accepting connection from client.");
+ }
+
+ //wait for smack_new_label_from_socket execution
+ usleep(200);
+
+ //Close socket and server
+ close(sock);
+ exit(0);
+ }
+ else { //parent (client)
+ //Wait a little bit until server is set up
+ sleep(1);
+ int sock, result;
+
+ //Create socket
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
+
+ //Connect to sockaddr
+ result = connect(sock, (struct sockaddr*) &sockaddr,
+ sizeof(struct sockaddr_un));
+ if (result != 0) {
+ close(sock);
+ RUNNER_ASSERT_MSG(false, "connect failed: " << strerror(errno));
+ }
+
+ //Try getting label, should fail beacuse getsockopt won't get anything
+ result = smack_new_label_from_socket(sock, &smack_label);
+ close(sock);
+ RUNNER_ASSERT_MSG(result == -1, "smack_new_label_from_socket should fail.");
+ }
+}
projects / platform / core / test / security-tests.git / blobdiff