/*
Tested API functions in this file:
-Protected by "security-server::api-cookie-get" label:
int security_server_get_cookie_size(void);
int security_server_request_cookie(char *cookie, size_t bufferSize);
-
-Protected by "security-server::api-cookie-check" label:
int security_server_check_privilege(const char *cookie, gid_t privilege);
int security_server_check_privilege_by_cookie(const char *cookie,
const char *object,
#include <cstddef>
#include <sys/types.h>
#include <unistd.h>
-
#include <access_provider.h>
#include <security-server.h>
#include <smack_access.h>
-#include <tracker.h>
-
-typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
-const int KNOWN_COOKIE_SIZE = 20;
-typedef std::vector<char> Cookie;
-
-Cookie getCookieFromSS(const Tracker &tracker = Tracker()) {
- Cookie cookie(security_server_get_cookie_size());
+#include <security_server_tests_common.h>
+#include <memory.h>
- RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS ==
- security_server_request_cookie(cookie.data(), cookie.size()),
- tracker.str() << " Error in security_server_request_cookie.");
+const char *ROOT_USER = "root";
+const char *PROC_AUDIO_GROUP_NAME = "audio";
- return cookie;
-}
+const int KNOWN_COOKIE_SIZE = 20;
RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
//passing NULL as a cookie pointer
RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
{
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
int ret = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
"Error in security_server_check_privilege_by_cookie() argument checking: "
//passing NULL as an object pointer
RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
+ Cookie cookie = getCookieFromSS();
int ret = security_server_check_privilege_by_cookie(cookie.data(), NULL, "rwx");
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
//passing NULL as an access pointer
RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
+ Cookie cookie = getCookieFromSS();
int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", NULL);
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
"Error in security_server_get_cookie_pid() argument checking: " << ret);
}
+//getting pid of non existing cookie
+RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid)
+{
+ const char wrong_cookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'};
+ RUNNER_ASSERT_BT(security_server_get_cookie_pid(wrong_cookie) ==
+ SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
+}
+
//---------------------------------------------------------------------------
//passing NULL as a cookie pointer
RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
"Error in security_server_get_smacklabel_cookie() argument checking");
}
+
+
+/*
+ * **************************************************************************
+ * Unit tests for each function from API
+ * **************************************************************************
+ */
+
//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_06_01_security_server_get_uid_by_cookie)
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
{
- uid_t uid;
- int ret = security_server_get_uid_by_cookie(NULL, &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
+ int ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << ret);
}
-//passing NULL as an uid pointer
-RUNNER_CHILD_TEST(tc_arguments_06_02_security_server_get_uid_by_cookie)
+//---------------------------------------------------------------------------
+// Get cookie size when smack is not loaded
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_02_app_user_security_server_get_cookie_size_nosmack)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ int ret;
- int ret = security_server_get_uid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
+ ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG_BT(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
+ ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE, "ret = " << ret);
}
//---------------------------------------------------------------------------
-//passing NULL as an cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_07_01_security_server_get_gid_by_cookie)
+// Test setting up a cookie in normal case when smack is not loaded
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_03_app_user_security_server_request_cookie_nosmack)
{
- gid_t gid;
- int ret = security_server_get_gid_by_cookie(NULL, &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
-}
+ int ret;
+ int cookieSize = security_server_get_cookie_size();
+ Cookie cookie(cookieSize);
-//passing NULL as an gid pointer
-RUNNER_CHILD_TEST(tc_arguments_07_02_security_server_get_gid_by_cookie)
-{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG_BT(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
- int ret = security_server_get_gid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
+ ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
}
+//---------------------------------------------------------------------------
+// Test setting up a cookie when smack is not loaded but with too small
+// buffer size
+RUNNER_CHILD_TEST_NOSMACK(tc_init_01_04_app_user_security_server_request_cookie_too_small_buffer_size_nosmack)
+{
+ int ret;
+ int cookieSize = security_server_get_cookie_size();
+ Cookie cookie(cookieSize);
+ ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG_BT(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
-/*
- * **************************************************************************
- * Unit tests for each function from API
- * **************************************************************************
- */
+ ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE >> 1);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
+}
//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
+// Get cookie size when smack is loaded
+RUNNER_CHILD_TEST_SMACK(tc_unit_01_05_app_user_security_server_get_cookie_size)
{
+ SecurityServer::AccessProvider provider("selflabel_01_05");
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
+
int ret = security_server_get_cookie_size();
RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
"Error in security_server_get_cookie_size(): " << ret);
}
//---------------------------------------------------------------------------
-// security_server_get_cookie_size() is no longer ptotected by SMACK
-RUNNER_CHILD_TEST(tc_unit_01_02_security_server_get_cookie_size)
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
{
- SecurityServer::AccessProvider provider("selflabel_01_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << cookieSize);
- int ret = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << ret);
+ Cookie cookie(cookieSize);
+ int ret = security_server_request_cookie(cookie.data(), cookie.size());
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_request_cookie(): " << ret);
}
//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
+// Test setting up a cookie in normal case when smack is loaded
+RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie)
{
int cookieSize = security_server_get_cookie_size();
RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
"Error in security_server_get_cookie_size(): " << cookieSize);
+ SecurityServer::AccessProvider provider("selflabel_02_01");
+ provider.allowSS();
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
+
Cookie cookie(cookieSize);
int ret = security_server_request_cookie(cookie.data(), cookie.size());
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
}
//---------------------------------------------------------------------------
+// Test setting up a cookie when smack is loaded but with too small buffer
+// size
+RUNNER_CHILD_TEST_SMACK(tc_unit_02_03_app_user_security_server_request_cookie_too_small_buffer_size)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << cookieSize);
+ cookieSize >>= 1;
+
+ SecurityServer::AccessProvider provider("selflabel_02_02");
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
+
+ Cookie cookie(cookieSize);
+ int ret = security_server_request_cookie(cookie.data(), cookie.size());
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
+ "Error in security_server_request_cookie(): " << ret);
+}
+
+//---------------------------------------------------------------------------
//root has access to API
RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ Cookie cookie = getCookieFromSS();
int ret = security_server_check_privilege(cookie.data(), 0);
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
}
//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege)
+RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_app_user_security_server_check_privilege)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
+ Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_03_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_check_privilege(cookie.data(), 0);
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_check_privilege(): " << ret);
+ "security_server_check_privilege() should return access denied: " << ret);
}
//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_security_server_check_privilege)
+RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_03_03");
- provider.allowFunction("security_server_check_privilege", TRACE_FROM_HERE);
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ provider.allowSS();
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_check_privilege(cookie.data(), 0);
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
"Error in security_server_check_privilege(): " << ret);
}
+// invalid gid
+RUNNER_CHILD_TEST(tc_unit_03_04_security_server_check_privilege_neg)
+{
+ remove_process_group(PROC_AUDIO_GROUP_NAME);
+
+ Cookie cookie = getCookieFromSS();
+ int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(audio_gid > -1,
+ "security_server_get_gid() failed. result = " << audio_gid);
+
+ int ret = security_server_check_privilege(cookie.data(), audio_gid);
+
+ // security_server_check_privilege fails, because the process does not belong to "audio" group
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+// add gid
+RUNNER_CHILD_TEST(tc_unit_03_05_security_server_check_privilege)
+{
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ Cookie cookie = getCookieFromSS();
+ int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(audio_gid > -1,
+ "security_server_get_gid() failed. result = " << audio_gid);
+
+ int ret = security_server_check_privilege(cookie.data(), audio_gid);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+}
+
+// test invalid cookie name
+RUNNER_TEST(tc_unit_03_06_security_server_check_privilege)
+{
+ // create invalid cookie
+ int size = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG_BT(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
+
+ Cookie cookie(size);
+ cookie[0] = 'a';
+ int ret = security_server_check_privilege(cookie.data(), 0);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
//---------------------------------------------------------------------------
//root has access to API
RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ Cookie cookie = getCookieFromSS();
int ret = security_server_get_cookie_pid(cookie.data());
RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
}
//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid)
+RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_app_user_security_server_get_cookie_pid)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
+ Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_05_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_get_cookie_pid(cookie.data());
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_cookie_pid(): " << ret);
+ "security_server_get_cookie_pid() should return access denied: " << ret);
}
//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_security_server_get_cookie_pid)
+RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_05_03");
- provider.allowFunction("security_server_get_cookie_pid", TRACE_FROM_HERE);
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ provider.allowSS();
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_get_cookie_pid(cookie.data());
RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
//---------------------------------------------------------------------------
//root has access to API
-RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie)
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_smack)
{
setLabelForSelf(__LINE__, "selflabel_06_01");
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ Cookie cookie = getCookieFromSS();
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_01") == 0,
"No match in smack label received from cookie, received label: "
<< label.get());
}
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_nosmack)
+{
+ Cookie cookie = getCookieFromSS();
+
+ char *receivedLabel = security_server_get_smacklabel_cookie(cookie.data());
+ RUNNER_ASSERT_MSG_BT(receivedLabel != NULL,
+ "security_server_get_smacklabel_cookie returned NULL");
+ std::string label(receivedLabel);
+ free(receivedLabel);
+ RUNNER_ASSERT_MSG_BT(label.empty(),
+ "security_server_get_smacklabel_cookie returned: "
+ << label);
+}
+
//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie)
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_cookie)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
+ Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_06_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
RUNNER_ASSERT_MSG_BT(label.get() == NULL,
"NULL should be received due to access denied, received label: "
<< label.get());
}
//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_security_server_get_smacklabel_cookie)
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
{
SecurityServer::AccessProvider provider("selflabel_06_03");
- provider.allowFunction("security_server_get_smacklabel_cookie", TRACE_FROM_HERE);
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ provider.allowSS();
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ Cookie cookie = getCookieFromSS();
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_03") == 0,
"No match in smack label received from cookie, received label: "
<< label.get());
}
//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_07_01_security_server_get_uid_by_cookie)
+// apply smack labels and drop privileges
+RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ add_process_group(PROC_AUDIO_GROUP_NAME);
- uid_t uid;
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
-}
+ SecurityServer::AccessProvider provider("subject_1d6eda7d");
+ provider.allowSS();
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_02_security_server_get_uid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_07_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ Cookie cookie = getCookieFromSS();
- Cookie cookie(KNOWN_COOKIE_SIZE);
- uid_t uid;
+ int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
+ << "\" gid. Result: " << ret);
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_uid_by_cookie(): " << ret);
-}
+ ret = security_server_check_privilege(cookie.data(), ret);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_03_security_server_get_uid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_07_02");
- provider.allowFunction("security_server_get_uid_by_cookie", TRACE_FROM_HERE);
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ int root_gid = security_server_get_gid(ROOT_USER);
+ RUNNER_ASSERT_MSG_BT(root_gid > -1, "root_gid: " << root_gid);
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
- uid_t uid;
+ ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
+ CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
+ RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "ss_label: " << ss_label.get());
+
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
}
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_08_01_security_server_get_gid_by_cookie)
+// disable access and drop privileges
+RUNNER_CHILD_TEST_SMACK(tc_unit_09_02_app_user_cookie_API_access_deny)
{
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
+ SecurityServer::AccessProvider provider("subject_1d414140");
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
- gid_t gid;
+ Cookie cookie = getCookieFromSS();
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
-}
+ int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_check_privilege should return access denied, "
+ "ret: " << ret);
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_02_security_server_get_gid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_08_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ ret = security_server_get_gid(ROOT_USER);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_get_gid should return access denied, "
+ "ret: " << ret);
- Cookie cookie(KNOWN_COOKIE_SIZE);
- gid_t gid;
+ ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_get_cookie_pid should return access denied, "
+ "ret: " << ret);
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
+ RUNNER_ASSERT_MSG_BT(ss_label.get() == NULL,
+ "access should be denied so label should be NULL: " << ss_label.get());
+
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_gid_by_cookie(): " << ret);
+ "security_server_check_privilege_by_pid should return access denied, "
+ "ret: " << ret);
}
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_03_security_server_get_gid_by_cookie)
+// NOSMACK version of the test above
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_app_user_cookie_API_access_allow_nosmack)
{
- SecurityServer::AccessProvider provider("selflabel_08_03");
- provider.allowFunction("security_server_get_gid_by_cookie", TRACE_FROM_HERE);
- provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ // drop root privileges
+ int ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG_BT(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
- Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
- gid_t gid;
+ Cookie cookie = getCookieFromSS();
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
+ << "\" gid. Result: " << ret);
+
+ ret = security_server_check_privilege(cookie.data(), ret);
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
-}
+ "check_privilege failed. Result: " << ret);
+
+ ret = security_server_get_gid(ROOT_USER);
+ RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"root\" gid. Result: " << ret);
+
+ ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG_BT(ret == getpid(),
+ "get_cookie_pid returned different pid than it should. Result: " << ret);
+ CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
+ RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");
+
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege_by_pid failed. Result: " << ret);
+}