#include <cstddef>
#include <sys/types.h>
#include <unistd.h>
-
#include <access_provider.h>
#include <security-server.h>
#include <smack_access.h>
+const char *ROOT_USER = "root";
+const char *PROC_AUDIO_GROUP_NAME = "audio";
+
typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
const int KNOWN_COOKIE_SIZE = 20;
typedef std::vector<char> Cookie;
"Error in security_server_get_cookie_pid() argument checking: " << ret);
}
+//getting pid of non existing cookie
+RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid)
+{
+ const char wrong_cookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'};
+ RUNNER_ASSERT_BT(security_server_get_cookie_pid(wrong_cookie) ==
+ SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
+}
+
//---------------------------------------------------------------------------
//passing NULL as a cookie pointer
RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
"Error in security_server_get_smacklabel_cookie() argument checking");
}
-//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_06_01_security_server_get_uid_by_cookie)
-{
- uid_t uid;
- int ret = security_server_get_uid_by_cookie(NULL, &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
-}
-
-//passing NULL as an uid pointer
-RUNNER_CHILD_TEST(tc_arguments_06_02_security_server_get_uid_by_cookie)
-{
- Cookie cookie = getCookieFromSS();
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
-}
-
-//---------------------------------------------------------------------------
-//passing NULL as an cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_07_01_security_server_get_gid_by_cookie)
-{
- gid_t gid;
- int ret = security_server_get_gid_by_cookie(NULL, &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
-}
-
-//passing NULL as an gid pointer
-RUNNER_CHILD_TEST(tc_arguments_07_02_security_server_get_gid_by_cookie)
-{
- Cookie cookie = getCookieFromSS();
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
-}
-
/*
//privileges drop and no smack rule
RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege)
{
+ RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_03_02");
int ret = security_server_check_privilege(cookie.data(), 0);
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_check_privilege(): " << ret);
+ "security_server_check_privilege() should return access denied: " << ret);
}
//privileges drop and added smack rule
"Error in security_server_check_privilege(): " << ret);
}
+// invalid gid
+RUNNER_CHILD_TEST(tc_unit_03_04_security_server_check_privilege_neg)
+{
+ remove_process_group(PROC_AUDIO_GROUP_NAME);
+
+ Cookie cookie = getCookieFromSS();
+ int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(audio_gid > -1,
+ "security_server_get_gid() failed. result = " << audio_gid);
+
+ int ret = security_server_check_privilege(cookie.data(), audio_gid);
+
+ // security_server_check_privilege fails, because the process does not belong to "audio" group
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+// add gid
+RUNNER_CHILD_TEST(tc_unit_03_05_security_server_check_privilege)
+{
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ Cookie cookie = getCookieFromSS();
+ int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(audio_gid > -1,
+ "security_server_get_gid() failed. result = " << audio_gid);
+
+ int ret = security_server_check_privilege(cookie.data(), audio_gid);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+}
+
+// test invalid cookie name
+RUNNER_TEST(tc_unit_03_06_security_server_check_privilege)
+{
+ // create invalid cookie
+ int size = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG_BT(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
+
+ Cookie cookie(size);
+ cookie[0] = 'a';
+ int ret = security_server_check_privilege(cookie.data(), 0);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
//---------------------------------------------------------------------------
//root has access to API
RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
//privileges drop and no smack rule
RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid)
{
+ RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_05_02");
int ret = security_server_get_cookie_pid(cookie.data());
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_cookie_pid(): " << ret);
+ "security_server_get_cookie_pid() should return access denied: " << ret);
}
//privileges drop and added smack rule
//privileges drop and no smack rule
RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie)
{
+ RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_06_02");
}
//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_07_01_security_server_get_uid_by_cookie)
+// apply smack labels and drop privileges
+RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_cookie_API_access_allow)
{
- Cookie cookie = getCookieFromSS();
-
- uid_t uid;
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
-}
+ add_process_group(PROC_AUDIO_GROUP_NAME);
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_02_security_server_get_uid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_07_02");
+ SecurityServer::AccessProvider provider("subject_1d6eda7d");
+ provider.allowFunction("security_server_get_gid");
+ provider.allowFunction("security_server_request_cookie");
+ provider.allowFunction("security_server_check_privilege");
+ provider.allowFunction("security_server_get_cookie_pid");
+ provider.allowFunction("security_server_get_smacklabel_cookie");
+ provider.allowFunction("security_server_check_privilege_by_pid");
provider.applyAndSwithToUser(APP_UID, APP_GID);
- Cookie cookie(KNOWN_COOKIE_SIZE);
- uid_t uid;
+ Cookie cookie = getCookieFromSS();
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_uid_by_cookie(): " << ret);
-}
+ int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
+ << "\" gid. Result: " << ret);
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_03_security_server_get_uid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_07_02");
- provider.allowFunction("security_server_get_uid_by_cookie");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
+ ret = security_server_check_privilege(cookie.data(), ret);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- Cookie cookie = getCookieFromSS();
- uid_t uid;
+ int root_gid = security_server_get_gid(ROOT_USER);
+ RUNNER_ASSERT_MSG_BT(root_gid > -1, "root_gid: " << root_gid);
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
+ ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);
+
+ UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "ss_label: " << ss_label.get());
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
}
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_08_01_security_server_get_gid_by_cookie)
+// disable access and drop privileges
+RUNNER_CHILD_TEST(tc_unit_09_02_cookie_API_access_deny)
{
+ RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
+ SecurityServer::AccessProvider provider("subject_1d414140");
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
+
Cookie cookie = getCookieFromSS();
- gid_t gid;
+ int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_check_privilege should return access denied, "
+ "ret: " << ret);
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
-}
+ ret = security_server_get_gid(ROOT_USER);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_get_gid should return access denied, "
+ "ret: " << ret);
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_02_security_server_get_gid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_08_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
+ ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_get_cookie_pid should return access denied, "
+ "ret: " << ret);
- Cookie cookie(KNOWN_COOKIE_SIZE);
- gid_t gid;
+ UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG_BT(ss_label.get() == NULL,
+ "access should be denied so label should be NULL: " << ss_label.get());
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_gid_by_cookie(): " << ret);
+ "security_server_check_privilege_by_pid should return access denied, "
+ "ret: " << ret);
}
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_03_security_server_get_gid_by_cookie)
+// NOSMACK version of the test above
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_cookie_API_access_allow_nosmack)
{
- SecurityServer::AccessProvider provider("selflabel_08_03");
- provider.allowFunction("security_server_get_gid_by_cookie");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ // drop root privileges
+ int ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG_BT(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
Cookie cookie = getCookieFromSS();
- gid_t gid;
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
+ << "\" gid. Result: " << ret);
+
+ ret = security_server_check_privilege(cookie.data(), ret);
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
-}
+ "check_privilege failed. Result: " << ret);
+ ret = security_server_get_gid(ROOT_USER);
+ RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"root\" gid. Result: " << ret);
+
+ ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG_BT(ret == getpid(),
+ "get_cookie_pid returned different pid than it should. Result: " << ret);
+
+ UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege_by_pid failed. Result: " << ret);
+}