/*
Tested API functions in this file:
-Protected by "security-server::api-cookie-get" label:
int security_server_get_cookie_size(void);
int security_server_request_cookie(char *cookie, size_t bufferSize);
-
-Protected by "security-server::api-cookie-check" label:
int security_server_check_privilege(const char *cookie, gid_t privilege);
int security_server_check_privilege_by_cookie(const char *cookie,
const char *object,
#include <security-server.h>
#include <smack_access.h>
#include <security_server_tests_common.h>
+#include <memory.h>
const char *ROOT_USER = "root";
const char *PROC_AUDIO_GROUP_NAME = "audio";
-typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
const int KNOWN_COOKIE_SIZE = 20;
RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
"Error in security_server_get_cookie_size(): " << cookieSize);
SecurityServer::AccessProvider provider("selflabel_02_01");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie(cookieSize);
//privileges drop and no smack rule
RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_app_user_security_server_check_privilege)
{
- RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_03_02");
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_03_03");
- provider.allowFunction("security_server_check_privilege");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_check_privilege(cookie.data(), 0);
//privileges drop and no smack rule
RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_app_user_security_server_get_cookie_pid)
{
- RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_05_02");
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_05_03");
- provider.allowFunction("security_server_get_cookie_pid");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_get_cookie_pid(cookie.data());
Cookie cookie = getCookieFromSS();
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_01") == 0,
"No match in smack label received from cookie, received label: "
<< label.get());
//privileges drop and no smack rule
RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_cookie)
{
- RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_06_02");
provider.applyAndSwithToUser(APP_UID, APP_GID);
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
RUNNER_ASSERT_MSG_BT(label.get() == NULL,
"NULL should be received due to access denied, received label: "
<< label.get());
RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
{
SecurityServer::AccessProvider provider("selflabel_06_03");
- provider.allowFunction("security_server_get_smacklabel_cookie");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie = getCookieFromSS();
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_03") == 0,
"No match in smack label received from cookie, received label: "
<< label.get());
add_process_group(PROC_AUDIO_GROUP_NAME);
SecurityServer::AccessProvider provider("subject_1d6eda7d");
- provider.allowFunction("security_server_get_gid");
- provider.allowFunction("security_server_request_cookie");
- provider.allowFunction("security_server_check_privilege");
- provider.allowFunction("security_server_get_cookie_pid");
- provider.allowFunction("security_server_get_smacklabel_cookie");
- provider.allowFunction("security_server_check_privilege_by_pid");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie = getCookieFromSS();
ret = security_server_get_cookie_pid(cookie.data());
RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);
- UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "ss_label: " << ss_label.get());
RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
// disable access and drop privileges
RUNNER_CHILD_TEST_SMACK(tc_unit_09_02_app_user_cookie_API_access_deny)
{
- RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
SecurityServer::AccessProvider provider("subject_1d414140");
provider.applyAndSwithToUser(APP_UID, APP_GID);
"security_server_get_cookie_pid should return access denied, "
"ret: " << ret);
- UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
RUNNER_ASSERT_MSG_BT(ss_label.get() == NULL,
"access should be denied so label should be NULL: " << ss_label.get());
RUNNER_ASSERT_MSG_BT(ret == getpid(),
"get_cookie_pid returned different pid than it should. Result: " << ret);
- UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");
RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");