/*
Tested API functions in this file:
-Protected by "security-server::api-cookie-get" label:
int security_server_get_cookie_size(void);
int security_server_request_cookie(char *cookie, size_t bufferSize);
-
-Protected by "security-server::api-cookie-check" label:
int security_server_check_privilege(const char *cookie, gid_t privilege);
int security_server_check_privilege_by_cookie(const char *cookie,
const char *object,
#include <access_provider.h>
#include <security-server.h>
#include <smack_access.h>
+#include <security_server_tests_common.h>
+#include <memory.h>
const char *ROOT_USER = "root";
const char *PROC_AUDIO_GROUP_NAME = "audio";
-typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
const int KNOWN_COOKIE_SIZE = 20;
-typedef std::vector<char> Cookie;
-
-Cookie getCookieFromSS() {
- Cookie cookie(security_server_get_cookie_size());
-
- RUNNER_ASSERT_MSG_BT(SECURITY_SERVER_API_SUCCESS ==
- security_server_request_cookie(cookie.data(), cookie.size()),
- "Error in security_server_request_cookie.");
-
- return cookie;
-}
RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
*/
//---------------------------------------------------------------------------
-//passing NULL as a buffer pointer
+//passing nullptr as a buffer pointer
RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
{
- int ret = security_server_request_cookie(NULL, KNOWN_COOKIE_SIZE);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ int ret = security_server_request_cookie(nullptr, KNOWN_COOKIE_SIZE);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
"Error in security_server_request_cookie() argument checking: " << ret);
}
Cookie cookie(KNOWN_COOKIE_SIZE);
int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
"Error in security_server_request_cookie() argument checking: " << ret);
}
//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
+//passing nullptr as a cookie pointer
RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
{
- int ret = security_server_check_privilege(NULL, 0);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ int ret = security_server_check_privilege(nullptr, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
"Error in security_server_check_privilege() argument checking: " << ret);
}
//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
+//passing nullptr as a cookie pointer
RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
{
- int ret = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
+ int ret = security_server_check_privilege_by_cookie(nullptr, "wiadro", "rwx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
"Error in security_server_check_privilege_by_cookie() argument checking: "
<< ret);
}
-//passing NULL as an object pointer
+//passing nullptr as an object pointer
RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
{
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
Cookie cookie = getCookieFromSS();
- int ret = security_server_check_privilege_by_cookie(cookie.data(), NULL, "rwx");
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ int ret = security_server_check_privilege_by_cookie(cookie.data(), nullptr, "rwx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
"Error in security_server_check_privilege_by_cookie() argument checking: "
<< ret);
}
-//passing NULL as an access pointer
+//passing nullptr as an access pointer
RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
{
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
Cookie cookie = getCookieFromSS();
- int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", nullptr);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
"Error in security_server_check_privilege_by_cookie() argument checking: "
<< ret);
}
//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
+//passing nullptr as a cookie pointer
RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
{
- int ret = security_server_get_cookie_pid(NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ int ret = security_server_get_cookie_pid(nullptr);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
"Error in security_server_get_cookie_pid() argument checking: " << ret);
}
RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid)
{
const char wrong_cookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'};
- RUNNER_ASSERT_BT(security_server_get_cookie_pid(wrong_cookie) ==
+ RUNNER_ASSERT(security_server_get_cookie_pid(wrong_cookie) ==
SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
}
//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
+//passing nullptr as a cookie pointer
RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
{
- char *label = NULL;
- label = security_server_get_smacklabel_cookie(NULL);
- RUNNER_ASSERT_MSG_BT(label == NULL,
+ char *label = nullptr;
+ label = security_server_get_smacklabel_cookie(nullptr);
+ RUNNER_ASSERT_MSG(label == nullptr,
"Error in security_server_get_smacklabel_cookie() argument checking");
}
+
+
+/*
+ * **************************************************************************
+ * Unit tests for each function from API
+ * **************************************************************************
+ */
+
//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_06_01_security_server_get_uid_by_cookie)
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
{
- uid_t uid;
- int ret = security_server_get_uid_by_cookie(NULL, &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
+ int ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << ret);
}
-//passing NULL as an uid pointer
-RUNNER_CHILD_TEST(tc_arguments_06_02_security_server_get_uid_by_cookie)
+//---------------------------------------------------------------------------
+// Get cookie size when smack is not loaded
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_02_app_user_security_server_get_cookie_size_nosmack)
{
- Cookie cookie = getCookieFromSS();
+ int ret;
- int ret = security_server_get_uid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
+ ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
+ ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE, "ret = " << ret);
}
//---------------------------------------------------------------------------
-//passing NULL as an cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_07_01_security_server_get_gid_by_cookie)
+// Test setting up a cookie in normal case when smack is not loaded
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_03_app_user_security_server_request_cookie_nosmack)
{
- gid_t gid;
- int ret = security_server_get_gid_by_cookie(NULL, &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
-}
+ int ret;
+ int cookieSize = security_server_get_cookie_size();
+ Cookie cookie(cookieSize);
-//passing NULL as an gid pointer
-RUNNER_CHILD_TEST(tc_arguments_07_02_security_server_get_gid_by_cookie)
-{
- Cookie cookie = getCookieFromSS();
+ ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
- int ret = security_server_get_gid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
+ ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
}
+//---------------------------------------------------------------------------
+// Test setting up a cookie when smack is not loaded but with too small
+// buffer size
+RUNNER_CHILD_TEST_NOSMACK(tc_init_01_04_app_user_security_server_request_cookie_too_small_buffer_size_nosmack)
+{
+ int ret;
+ int cookieSize = security_server_get_cookie_size();
+ Cookie cookie(cookieSize);
+ ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
-/*
- * **************************************************************************
- * Unit tests for each function from API
- * **************************************************************************
- */
+ ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE >> 1);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
+}
//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
+// Get cookie size when smack is loaded
+RUNNER_CHILD_TEST_SMACK(tc_unit_01_05_app_user_security_server_get_cookie_size)
{
+ SecurityServer::AccessProvider provider("selflabel_01_05");
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
+
int ret = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
+ RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
"Error in security_server_get_cookie_size(): " << ret);
}
//---------------------------------------------------------------------------
-// security_server_get_cookie_size() is no longer ptotected by SMACK
-RUNNER_CHILD_TEST(tc_unit_01_02_security_server_get_cookie_size)
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
{
- SecurityServer::AccessProvider provider("selflabel_01_02");
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << cookieSize);
+
+ Cookie cookie(cookieSize);
+ int ret = security_server_request_cookie(cookie.data(), cookie.size());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_request_cookie(): " << ret);
+}
+
+//---------------------------------------------------------------------------
+// Test setting up a cookie in normal case when smack is loaded
+RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << cookieSize);
+
+ SecurityServer::AccessProvider provider("selflabel_02_01");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
- int ret = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << ret);
+ Cookie cookie(cookieSize);
+ int ret = security_server_request_cookie(cookie.data(), cookie.size());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_request_cookie(): " << ret);
}
//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
+// Test setting up a cookie when smack is loaded but with too small buffer
+// size
+RUNNER_CHILD_TEST_SMACK(tc_unit_02_03_app_user_security_server_request_cookie_too_small_buffer_size)
{
int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE,
+ RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
"Error in security_server_get_cookie_size(): " << cookieSize);
+ cookieSize >>= 1;
+
+ SecurityServer::AccessProvider provider("selflabel_02_02");
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie(cookieSize);
int ret = security_server_request_cookie(cookie.data(), cookie.size());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
"Error in security_server_request_cookie(): " << ret);
}
Cookie cookie = getCookieFromSS();
int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
"Error in security_server_check_privilege(): " << ret);
}
//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege)
+RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_app_user_security_server_check_privilege)
{
Cookie cookie = getCookieFromSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_check_privilege(): " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_check_privilege() should return access denied: " << ret);
}
//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_security_server_check_privilege)
+RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege)
{
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_03_03");
- provider.allowFunction("security_server_check_privilege");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
"Error in security_server_check_privilege(): " << ret);
}
Cookie cookie = getCookieFromSS();
int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG_BT(audio_gid > -1,
+ RUNNER_ASSERT_MSG(audio_gid > -1,
"security_server_get_gid() failed. result = " << audio_gid);
int ret = security_server_check_privilege(cookie.data(), audio_gid);
// security_server_check_privilege fails, because the process does not belong to "audio" group
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
}
// add gid
Cookie cookie = getCookieFromSS();
int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG_BT(audio_gid > -1,
+ RUNNER_ASSERT_MSG(audio_gid > -1,
"security_server_get_gid() failed. result = " << audio_gid);
int ret = security_server_check_privilege(cookie.data(), audio_gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
}
// test invalid cookie name
{
// create invalid cookie
int size = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG_BT(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
+ RUNNER_ASSERT_MSG(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
Cookie cookie(size);
cookie[0] = 'a';
int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
}
//---------------------------------------------------------------------------
Cookie cookie = getCookieFromSS();
int ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
+ RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
int pid = getpid();
- RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
+ RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
}
//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid)
+RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_app_user_security_server_get_cookie_pid)
{
Cookie cookie = getCookieFromSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_cookie_pid(): " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_get_cookie_pid() should return access denied: " << ret);
}
//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_security_server_get_cookie_pid)
+RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid)
{
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_05_03");
- provider.allowFunction("security_server_get_cookie_pid");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG_BT(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
+ RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
int pid = getpid();
- RUNNER_ASSERT_MSG_BT(pid == ret, "No match in PID received from cookie");
+ RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
}
//---------------------------------------------------------------------------
//root has access to API
-RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie)
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_smack)
{
setLabelForSelf(__LINE__, "selflabel_06_01");
Cookie cookie = getCookieFromSS();
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
- RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_01") == 0,
- "No match in smack label received from cookie, received label: "
- << label.get());
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie)
-{
- Cookie cookie = getCookieFromSS();
-
- SecurityServer::AccessProvider provider("selflabel_06_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
- RUNNER_ASSERT_MSG_BT(label.get() == NULL,
- "NULL should be received due to access denied, received label: "
- << label.get());
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_security_server_get_smacklabel_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_06_03");
- provider.allowFunction("security_server_get_smacklabel_cookie");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie = getCookieFromSS();
-
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
- RUNNER_ASSERT_MSG_BT(strcmp(label.get(), "selflabel_06_03") == 0,
+ CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
+ RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_01") == 0,
"No match in smack label received from cookie, received label: "
<< label.get());
}
//---------------------------------------------------------------------------
//root has access to API
-RUNNER_CHILD_TEST(tc_unit_07_01_security_server_get_uid_by_cookie)
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_nosmack)
{
Cookie cookie = getCookieFromSS();
- uid_t uid;
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
+ char *receivedLabel = security_server_get_smacklabel_cookie(cookie.data());
+ RUNNER_ASSERT_MSG(receivedLabel != nullptr,
+ "security_server_get_smacklabel_cookie returned nullptr");
+ std::string label(receivedLabel);
+ free(receivedLabel);
+ RUNNER_ASSERT_MSG(label.empty(),
+ "security_server_get_smacklabel_cookie returned: "
+ << label);
}
//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_02_security_server_get_uid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_07_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie(KNOWN_COOKIE_SIZE);
- uid_t uid;
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_uid_by_cookie(): " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_03_security_server_get_uid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_07_02");
- provider.allowFunction("security_server_get_uid_by_cookie");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie = getCookieFromSS();
- uid_t uid;
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG_BT(ret == (int)uid, "No match in UID received from cookie");
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_08_01_security_server_get_gid_by_cookie)
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_cookie)
{
Cookie cookie = getCookieFromSS();
- gid_t gid;
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_02_security_server_get_gid_by_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_08_02");
+ SecurityServer::AccessProvider provider("selflabel_06_02");
provider.applyAndSwithToUser(APP_UID, APP_GID);
- Cookie cookie(KNOWN_COOKIE_SIZE);
- gid_t gid;
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_gid_by_cookie(): " << ret);
+ CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
+ RUNNER_ASSERT_MSG(label.get() == nullptr,
+ "nullptr should be received due to access denied, received label: "
+ << label.get());
}
//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_03_security_server_get_gid_by_cookie)
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
{
- SecurityServer::AccessProvider provider("selflabel_08_03");
- provider.allowFunction("security_server_get_gid_by_cookie");
+ SecurityServer::AccessProvider provider("selflabel_06_03");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie = getCookieFromSS();
- gid_t gid;
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
+ CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
+ RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_03") == 0,
+ "No match in smack label received from cookie, received label: "
+ << label.get());
}
//---------------------------------------------------------------------------
// apply smack labels and drop privileges
-RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_cookie_API_access_allow)
+RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow)
{
add_process_group(PROC_AUDIO_GROUP_NAME);
SecurityServer::AccessProvider provider("subject_1d6eda7d");
- provider.allowFunction("security_server_get_gid");
- provider.allowFunction("security_server_request_cookie");
- provider.allowFunction("security_server_check_privilege");
- provider.allowFunction("security_server_get_cookie_pid");
- provider.allowFunction("security_server_get_smacklabel_cookie");
- provider.allowFunction("security_server_check_privilege_by_pid");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie = getCookieFromSS();
int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
+ RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
<< "\" gid. Result: " << ret);
ret = security_server_check_privilege(cookie.data(), ret);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
int root_gid = security_server_get_gid(ROOT_USER);
- RUNNER_ASSERT_MSG_BT(root_gid > -1, "root_gid: " << root_gid);
+ RUNNER_ASSERT_MSG(root_gid > -1, "root_gid: " << root_gid);
ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == getpid(), "ret: " << ret);
+
+ CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
+ RUNNER_ASSERT_MSG(ss_label.get() != nullptr, "ss_label: " << ss_label.get());
- UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
- RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "ss_label: " << ss_label.get());
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
}
// disable access and drop privileges
-RUNNER_CHILD_TEST(tc_unit_09_02_cookie_API_access_deny)
+RUNNER_CHILD_TEST_SMACK(tc_unit_09_02_app_user_cookie_API_access_deny)
{
SecurityServer::AccessProvider provider("subject_1d414140");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie = getCookieFromSS();
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
+
int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_check_privilege should return access denied, "
+ "ret: " << ret);
ret = security_server_get_gid(ROOT_USER);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_get_gid should return access denied, "
+ "ret: " << ret);
ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_get_cookie_pid should return access denied, "
+ "ret: " << ret);
+
+ CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
+ RUNNER_ASSERT_MSG(ss_label.get() == nullptr,
+ "access should be denied so label should be nullptr: " << ss_label.get());
- UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
- RUNNER_ASSERT_MSG_BT(ss_label.get() == NULL, "ss_label: " << ss_label.get());
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "security_server_check_privilege_by_pid should return access denied, "
+ "ret: " << ret);
}
// NOSMACK version of the test above
-RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_cookie_API_access_allow_nosmack)
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_app_user_cookie_API_access_allow_nosmack)
{
add_process_group(PROC_AUDIO_GROUP_NAME);
// drop root privileges
int ret = drop_root_privileges();
- RUNNER_ASSERT_MSG_BT(ret == 0,
+ RUNNER_ASSERT_MSG(ret == 0,
"Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
Cookie cookie = getCookieFromSS();
ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
+ RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
<< "\" gid. Result: " << ret);
ret = security_server_check_privilege(cookie.data(), ret);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
"check_privilege failed. Result: " << ret);
ret = security_server_get_gid(ROOT_USER);
- RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"root\" gid. Result: " << ret);
+ RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"root\" gid. Result: " << ret);
ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG_BT(ret == getpid(),
+ RUNNER_ASSERT_MSG(ret == getpid(),
"get_cookie_pid returned different pid than it should. Result: " << ret);
- UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
- RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");
+ CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
+ RUNNER_ASSERT_MSG(ss_label.get() != nullptr, "get_smacklabel_cookie failed.");
+
+ RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
"check_privilege_by_pid failed. Result: " << ret);
}