* @brief Test cases for security-server-client-smack.
*/
+#include <unistd.h>
+#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/smack.h>
#include <sys/wait.h>
#include <sys/un.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include <memory>
+#include <functional>
#include <dpl/log/log.h>
#include <dpl/test/test_runner.h>
#include <dpl/test/test_runner_child.h>
+#include <dpl/test/test_runner_multiprocess.h>
#include "security_server_mockup.h"
#include <security-server.h>
-#define ENVIRONMENT \
-do { \
- const char *subject_label = "mylabel"; \
- RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"),\
- "Cannot prepare environment for test."); \
- RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), \
- "Cannot prepare environment for test."); \
- RUNNER_ASSERT_MSG(-1 != setgid(1), \
- "Cannot prepare environment for test."); \
- RUNNER_ASSERT_MSG(-1 != setuid(1), \
- "Cannot prepare environment for test"); \
-}while(0)
+#include "tests_common.h"
+
+#define PROPER_COOKIE_SIZE 20
+
+#define ENVIRONMENT \
+ do { \
+ const char *subject_label = "mylabel"; \
+ RUNNER_ASSERT_MSG(-1 != system("touch /opt/home/root/pid_cycle"), \
+ "Cannot prepare environment for test."); \
+ RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), \
+ "Cannot prepare environment for test."); \
+ RUNNER_ASSERT_MSG(-1 != setgid(1), \
+ "Cannot prepare environment for test."); \
+ RUNNER_ASSERT_MSG(-1 != setuid(1), \
+ "Cannot prepare environment for test"); \
+ } while (0)
+
+
+/**
+ * Environment preparation should only differ in setting label. On NOSMACK system
+ * smack_set_label_for_self returns error because of no access to /proc/self/attr/current.
+ */
+#define ENVIRONMENT_NOSMACK \
+ do { \
+ int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\
+ RUNNER_ASSERT_MSG(fd >= 0, \
+ "Couldn't create pid_cycle file. errno: " << strerror(errno));\
+ close(fd); \
+ RUNNER_ASSERT_MSG(-1 != setgid(1), \
+ "Cannot prepare environment for test."); \
+ RUNNER_ASSERT_MSG(-1 != setuid(1), \
+ "Cannot prepare environment for test"); \
+ } while (0)
+
+
+/**
+ * Unique_ptr typedef for NOSMACK version of tc06 test
+ */
+void closesockfdptr(int* sockfd_ptr)
+{
+ close(*sockfd_ptr);
+}
+typedef std::unique_ptr<int, std::function<void(int*)> > SockFDUniquePtr;
/**
* Dropping root privileges
*/
int drop_root_privileges()
{
- if (getuid() == 0) {
- /* process is running as root, drop privileges */
- if (setgid(5000) != 0)
- return 1;
- if (setuid(5000) != 0)
- return 1;
- }
- int uid = getuid();
- if (uid == 5000)
- return 0;
+ if (getuid() == 0) {
+ /* process is running as root, drop privileges */
+ if (setgid(5000) != 0)
+ return 1;
+ if (setuid(5000) != 0)
+ return 1;
+ }
+ int uid = getuid();
+ if (uid == 5000)
+ return 0;
- return 1;
+ return 1;
}
RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
* Any other size of cookies should be treated as error.
* expected: Function security_server_get_cookie_size returns 20.
*/
-RUNNER_CHILD_TEST(tc01_security_server_get_cookie_size)
+RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size)
{
ENVIRONMENT;
* expected: function will set up cookie in the array and return
* SECURITY_SERVER_API_SUCCESS.
*/
-RUNNER_CHILD_TEST(tc02_security_server_request_cookie_normal_case)
+RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case)
{
ENVIRONMENT;
* expected: function will set up cookie in the array and return
* SECURITY_SERVER_API_SUCCESS.
*/
-RUNNER_CHILD_TEST(tc03_security_server_request_cookie_too_small_buffer_size)
+RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size)
{
ENVIRONMENT;
* SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call
* and group id with second call
*/
-RUNNER_CHILD_TEST(tc04_security_server_get_gid)
+RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
{
ENVIRONMENT;
* expected: Function call with access rights set to "r" should return SUCCESS,
* with "rw" should return ACCESS DENIED.
*/
-RUNNER_CHILD_TEST(tc05_check_privilege_by_cookie)
+RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
{
char cookie[20];
const char *object_label = "tc05objectlabel";
RUNNER_ASSERT(0 == smack_accesses_new(&handle));
RUNNER_ASSERT(0 == smack_accesses_add(handle,
- subject_label,
- object_label,
- access_rights));
+ subject_label,
+ object_label,
+ access_rights));
RUNNER_ASSERT(0 == smack_accesses_apply(handle));
cookie,
object_label,
access_rights_ext));
-
}
/*
* expected: Function call with access rights set to "r" should return SUCCESS,
* with "rw" should return ACCESS DENIED.
*/
-RUNNER_TEST(tc06_check_privilege_by_sockfd)
+RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd)
{
-
const char *object_label = "tc06objectlabel";
const char *access_rights = "r";
const char *access_rights_ext = "rw";
smack_accesses *handle;
RUNNER_ASSERT(0 == smack_accesses_new(&handle));
RUNNER_ASSERT(0 == smack_accesses_add(handle,
- subject_label,
- object_label,
- access_rights));
+ subject_label,
+ object_label,
+ access_rights));
RUNNER_ASSERT(0 == smack_accesses_apply(handle));
smack_accesses_free(handle);
if (0 == pid) {
// child
- if (0 != smack_set_label_for_self(subject_label)) {
- LogDebug("child, failed");
- exit(1);
- }
+ RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
- LogDebug("child, create_new_socket");
int sockfd = create_new_socket();
+ RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
+ SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
label = security_server_get_smacklabel_sockfd(sockfd);
RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
- RUNNER_ASSERT_MSG(strcmp(label,"")==0, "label is \""<< label<<"\"");
+ RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
free(label);
RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
- LogDebug("child, listen");
- if (listen(sockfd, 5) < 0) {
- LogDebug("child, exit");
- exit(1);
- }
+ RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
label = security_server_get_smacklabel_sockfd(sockfd);
RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
- RUNNER_ASSERT_MSG(strcmp(label,"")==0, "label is \""<< label<<"\"");
+ RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\"");
free(label);
-
- LogDebug("child, accept");
struct sockaddr_un client_addr;
socklen_t client_len = sizeof(client_addr);
int csockfd;
- while(0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
- LogDebug("child, loop");
- close(csockfd);
- }
-
+ RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
- label = security_server_get_smacklabel_sockfd(sockfd);
- RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
- RUNNER_ASSERT_MSG(strcmp(label,subject_label)==0, "label is \""<< label<<"\"" << "subject_label is \""<< subject_label<<"\"" );
- free(label);
+ usleep(500);
- LogDebug("Exit!");
- exit(1);
+ close(csockfd);
+ exit(0);
} else {
// parent
- LogDebug("Parent, sleep 2");
sleep(1);
int sockfd = connect_to_testserver();
+ RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
+
+ SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
label = security_server_get_smacklabel_sockfd(sockfd);
RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
- RUNNER_ASSERT_MSG(strcmp(label,subject_label)==0, "label is \""<< label<<"\"" << "subject_label is \""<< subject_label<<"\"" );
+ RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" );
free(label);
- LogDebug("Parent: sockfd: " << sockfd);
- if (sockfd >= 0) {
- result1 = security_server_check_privilege_by_sockfd(
- sockfd,
- object_label,
- access_rights);
- result2 = security_server_check_privilege_by_sockfd(
- sockfd,
- object_label,
- access_rights_ext);
- }
- LogDebug("Parent: Close desc");
- close(sockfd);
- LogDebug("Parent: killing child");
- kill(pid, SIGKILL);
+ result1 = security_server_check_privilege_by_sockfd(
+ sockfd,
+ object_label,
+ access_rights);
+ result2 = security_server_check_privilege_by_sockfd(
+ sockfd,
+ object_label,
+ access_rights_ext);
}
- int status;
- waitpid(pid, &status, 0);
-
RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
}
* expected: Function call with access rights set to "r" should return SUCCESS,
* with "rw" should return ACCESS DENIED.
*/
-RUNNER_TEST(tc07_check_privilege_by_sockfd)
+RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd)
{
-
const char *object_label = "tc07objectlabel";
const char *access_rights = "r";
const char *access_rights_ext = "rw";
int result1 = -1;
int result2 = -1;
- int kill_result = -1;
smack_accesses *handle;
RUNNER_ASSERT(0 == smack_accesses_new(&handle));
RUNNER_ASSERT(0 == smack_accesses_add(handle,
- subject_label,
- object_label,
- access_rights));
+ subject_label,
+ object_label,
+ access_rights));
RUNNER_ASSERT(0 == smack_accesses_apply(handle));
smack_accesses_free(handle);
RUNNER_ASSERT(-1 != pid);
if (0 == pid) {
- // child
- LogDebug("child, create_new_socket");
- int sockfd = create_new_socket();
- if (0 != smack_set_label_for_self(subject_label)) {
- LogDebug("child, failed");
- exit(1);
- }
+ pid = fork();
+ RUNNER_ASSERT(-1 != pid);
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+ if (0 == pid) {
+ // child
+ int sockfd = create_new_socket();
+ RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
- LogDebug("child, listen");
- if (listen(sockfd, 5) < 0) {
- LogDebug("child, exit");
- exit(1);
- }
- LogDebug("child, accept");
+ SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
- struct sockaddr_un client_addr;
- socklen_t client_len = sizeof(client_addr);
- int csockfd;
- while(0 <= (csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len))) {
- LogDebug("child, loop");
- close(csockfd);
- }
- LogDebug("Exit!");
- exit(1);
- } else {
- // parent
+ RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set");
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
+
+ struct sockaddr_un client_addr;
+ socklen_t client_len = sizeof(client_addr);
+ int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len));
+ if (csockfd >= 0)
+ close(csockfd);
+ LogDebug("Exit!");
+ exit(0);
+ } else {
+ // parent
+
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ sleep(1);
+ int sockfd = connect_to_testserver();
+ RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed");
- LogDebug("Parent, sleep 2");
- sleep(2);
- int sockfd = connect_to_testserver();
- LogDebug("Parent: sockfd: " << sockfd);
- if (sockfd >= 0) {
result1 = security_server_check_privilege_by_sockfd(
sockfd,
object_label,
sockfd,
object_label,
access_rights_ext);
+
+ close(sockfd);
+
+ RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
+ RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
+ }
+ }
+}
+
+///////////////////////////
+/////NOSMACK ENV TESTS/////
+///////////////////////////
+
+/**
+ * First four test cases are the same as their SMACK versions. The only difference is environment
+ * preparation (described near ENVIRONMENT_NOSMACK macro).
+ */
+RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack)
+{
+ ENVIRONMENT_NOSMACK;
+
+ int ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(ret == 20, "ret = " << ret);
+}
+
+RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack)
+{
+ ENVIRONMENT_NOSMACK;
+
+ char cookie[20];
+ int ret = security_server_request_cookie(cookie, 20);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
+}
+
+RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack)
+{
+ ENVIRONMENT_NOSMACK;
+
+ char cookie[20];
+ int ret = security_server_request_cookie(cookie, 10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
+}
+
+RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack)
+{
+ ENVIRONMENT_NOSMACK;
+
+ int ret = security_server_get_gid("definitely_not_existing_object");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret);
+ ret = security_server_get_gid("root");
+ RUNNER_ASSERT_MSG(ret == 0, "ret = " << ret);
+}
+
+/*
+ * NOSMACK version of tc05 test.
+ *
+ * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack
+ * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie
+ * should return SUCCESS no matter what access_rights we give to this function.
+ */
+RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack)
+{
+ char cookie[20];
+ const char* object_label = "tc05objectlabel";
+
+ RUNNER_ASSERT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS);
+
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
+ security_server_check_privilege_by_cookie(cookie, object_label, "r"));
+
+ //On NOSMACK env security server should return success on any accesses, even those that are
+ //incorrect.
+ RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
+ security_server_check_privilege_by_cookie(cookie, object_label, "rw"));
+}
+
+/**
+ * NOSMACK version of tc06 test.
+ *
+ * Differences between this and SMACK version (server):
+ * - Skipped setting access_rights
+ * - Skipped setting label for server
+ * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation
+ * of socket (because it should do nothing when SMACK is off)
+ * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections
+ * from client
+ *
+ * For client the only difference are expected results from check_privilege_by_sockfd - both should
+ * return SUCCESS.
+ */
+RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack)
+{
+ const char* object_label = "tc06objectlabel";
+
+ int result1 = -1;
+ int result2 = -1;
+
+ int pid = fork();
+ char* label;
+ RUNNER_ASSERT(pid >= 0);
+
+ int ret;
+
+ if (pid == 0) { //child process - server
+ //create new socket
+ int sockfd = create_new_socket();
+ RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
+
+ SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
+
+ //check if get_smacklabel_sockfd works correctly
+ label = security_server_get_smacklabel_sockfd(sockfd);
+ RUNNER_ASSERT_MSG(label != NULL, "security_server_get_smacklabel_sockfd failed");
+ ret = strcmp(label, "");
+ free(label);
+ RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
+
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
+
+ struct sockaddr_un client_addr;
+ socklen_t client_len = sizeof(client_addr);
+
+ int csockfd;
+ RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
+
+ //wait a little bit for parent to do it's job
+ usleep(200);
+
+ //if everything works, cleanup and return 0
+ close(csockfd);
+ exit(0);
+ } else {
+ //parent
+ sleep(1);
+ int sockfd = connect_to_testserver();
+ RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to connect to server.");
+
+ SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
+
+ label = security_server_get_smacklabel_sockfd(sockfd);
+ RUNNER_ASSERT_MSG(label != NULL, "get_smacklabel_sockfd failed.");
+ ret = strcmp(label, "");
+ free(label);
+ RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\"");
+
+ result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
+ result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
+ }
+
+ RUNNER_ASSERT_MSG(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1);
+ RUNNER_ASSERT_MSG(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2);
+}
+
+/**
+ * NOSMACK version of tc07 test.
+ */
+RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack)
+{
+ const char* object_label = "tc07objectlabel";
+
+ int result1 = -1;
+ int result2 = -1;
+
+ int pid = fork();
+ RUNNER_ASSERT(-1 != pid);
+
+ if (pid == 0) {
+
+ pid = fork();
+ RUNNER_ASSERT(-1 != pid);
+
+ if (pid == 0) { //child process
+ //Create socket
+ int sockfd = create_new_socket();
+ RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed");
+
+ SockFDUniquePtr sockfd_ptr(&sockfd, closesockfdptr);
+
+ //Drop privileges
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ //Prepare for accepting
+ RUNNER_ASSERT_MSG(listen(sockfd, 5) >= 0, "child listen failed");
+
+ struct sockaddr_un client_addr;
+ socklen_t client_len = sizeof(client_addr);
+
+ //Accept connections
+ int csockfd;
+ RUNNER_ASSERT_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, "child accept failed");
+
+ //wait a little bit for parent to do it's job
+ usleep(200);
+
+ //cleanup and kill child
+ close(csockfd);
+ exit(0);
+ } else { //parent process
+ //Drop root privileges
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ //Wait for server to set up
+ sleep(1);
+
+ //Connect and check privileges
+ int sockfd = connect_to_testserver();
+ RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to create socket fd.");
+
+ result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r");
+ result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw");
+
+ close(sockfd);
+
+ //Both results (just like in the previous test case) should return success.
+ RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
+ RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2);
}
- LogDebug("Parent: Close desc");
- close(sockfd);
- LogDebug("Parent: killing child");
- // we cannot kill child - because of dropping privileges
- kill_result = kill(pid, SIGKILL);
}
+}
+
+int apply_smack_rule(const char *subject, const char *object, const char *rule)
+{
+ struct smack_accesses *ruleHandler = NULL;
+ if (smack_accesses_new(&ruleHandler) != 0)
+ goto error;
+ if (smack_accesses_add(ruleHandler, subject, object, rule) != 0)
+ goto error;
+ if (smack_accesses_apply(ruleHandler) != 0)
+ goto error;
+
+ smack_accesses_free(ruleHandler);
+ return 0;
+
+error:
+ smack_accesses_free(ruleHandler);
+ return -1;
+}
+
+RUNNER_TEST(tc10_security_server_get_uid_by_cookie)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //checking function
+ uid_t cookieUid, realUid;
+ realUid = getuid();
+ retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie. My uid: " << realUid << " Server error: " << retval);
+ RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
+
+ //checking for input parameters
+ retval = security_server_get_uid_by_cookie(NULL, &cookieUid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
+ retval = security_server_get_uid_by_cookie(&cookie[0], NULL);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
+}
+
+RUNNER_CHILD_TEST_SMACK(tc11_security_server_get_uid_by_cookie_smack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //preapare SMACK environment
+ RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
+ RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
+ //drop privileges
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
+
+ //checking function
+ uid_t cookieUid;
+ retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
+}
+
+RUNNER_CHILD_TEST_SMACK(tc12_security_server_get_uid_by_cookie_smack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ uid_t realUid = getuid();
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //preapare SMACK environment
+ RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
+ RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
+ //drop privileges
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
+
+ //checking function
+ uid_t cookieUid;
+ retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
+ RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
+}
+
+RUNNER_CHILD_TEST_NOSMACK(tc12_security_server_get_uid_by_cookie_nosmack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ uid_t realUid = getuid();
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //drop privileges
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
- if (kill_result == 0) {
- int status;
- waitpid(pid, &status, 0);
+ //checking function
+ uid_t cookieUid;
+ retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
+ RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
+}
+
+RUNNER_CHILD_TEST_SMACK(tc13_security_server_get_uid_by_cookie_smack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ //preapare SMACK environment
+ RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
+ RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
+ RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
+ //drop privileges
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //checking function
+ uid_t cookieUid, realUid = getuid();
+ retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
+ RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
+}
+
+RUNNER_CHILD_TEST_NOSMACK(tc13_security_server_get_uid_by_cookie_nosmack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ //drop privileges
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //checking function
+ uid_t cookieUid, realUid = getuid();
+ retval = security_server_get_uid_by_cookie(&cookie[0], &cookieUid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get UID from cookie");
+ RUNNER_ASSERT_MSG(realUid == cookieUid, "No match in received UID");
+}
+
+RUNNER_TEST(tc14_security_server_get_gid_by_cookie)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //checking function
+ gid_t cookieGid, realGid;
+ realGid = getgid();
+ retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
+ RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID");
+
+ //checking for input parameters
+ retval = security_server_get_gid_by_cookie(NULL, &cookieGid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
+ retval = security_server_get_gid_by_cookie(&cookie[0], NULL);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "Error in checking input parameters by function");
+
+}
+
+RUNNER_CHILD_TEST_SMACK(tc15_security_server_get_gid_by_cookie_smack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //preapare SMACK environment
+ RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
+ RUNNER_ASSERT_MSG(smack_revoke_subject("BialyMis") == 0, "Error in smack_revoke_subject");
+ //drop privileges
+ RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
+
+ //checking function
+ gid_t cookieGid, realGid;
+ realGid = getgid();
+ retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "Socket not protected by smack");
+}
+
+RUNNER_CHILD_TEST_SMACK(tc16_security_server_get_gid_by_cookie_smack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ std::vector<char> cookie(cookieSize);
+
+ gid_t realGid = getgid();
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //preapare SMACK environment
+ RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
+ RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
+ //drop privileges
+ RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
+
+ //checking function
+ gid_t cookieGid;
+ retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
+ RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
+}
+
+RUNNER_CHILD_TEST_NOSMACK(tc16_security_server_get_gid_by_cookie_nosmack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ std::vector<char> cookie(cookieSize);
+
+ gid_t realGid = getgid();
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //drop privileges
+ RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
+
+ //checking function
+ gid_t cookieGid;
+ retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
+ RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
+}
+
+RUNNER_CHILD_TEST_SMACK(tc17_security_server_get_gid_by_cookie_smack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ //preapare SMACK environment
+ RUNNER_ASSERT_MSG(smack_set_label_for_self("BialyMis") == 0, "Unable to set label for self");
+ RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-check", "w") == 0, "Error in adding rule");
+ RUNNER_ASSERT_MSG(apply_smack_rule("BialyMis", "security-server::api-cookie-get", "w") == 0, "Error in adding rule");
+ //drop privileges
+ RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //checking function
+ gid_t cookieGid, realGid = getgid();
+ retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
+ RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
+}
+
+RUNNER_CHILD_TEST_NOSMACK(tc17_security_server_get_gid_by_cookie_nosmack)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == 20, "Wrong cookie size");
+
+ //drop privileges
+ RUNNER_ASSERT_MSG(setgid(5000) == 0, "Unable to drop privileges");
+ RUNNER_ASSERT_MSG(setuid(5000) == 0, "Unable to drop privileges");
+
+ std::vector<char> cookie(cookieSize);
+ int retval = security_server_request_cookie(&cookie[0], cookieSize);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get cookie");
+
+ //checking function
+ gid_t cookieGid, realGid = getgid();
+ retval = security_server_get_gid_by_cookie(&cookie[0], &cookieGid);
+ RUNNER_ASSERT_MSG(retval == SECURITY_SERVER_API_SUCCESS, "Unable to get GID from cookie");
+ RUNNER_ASSERT_MSG(realGid == cookieGid, "No match in received GID. ReadGid: " << realGid << " CookieGid: " << cookieGid);
+}
+
+RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) {
+ int res;
+
+ pid_t mypid;
+
+ char *label_smack = NULL;
+ char *label_ss = NULL;
+ char *cookie = NULL;
+
+ int cookie_size = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size, "Wrong cookie size from security-server");
+
+ mypid = getpid();
+
+ cookie = (char*) calloc(cookie_size, 1);
+ RUNNER_ASSERT_MSG(NULL != cookie, "Memory allocation error");
+
+ res = security_server_request_cookie(cookie, cookie_size);
+ if (res != SECURITY_SERVER_API_SUCCESS) {
+ free(cookie);
+ RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS, "Error in requesting cookie from security-server");
+ }
+
+ label_ss = security_server_get_smacklabel_cookie(cookie);
+ free(cookie);
+ RUNNER_ASSERT_MSG(label_ss != NULL, "Error in getting label by cookie");
+
+
+ std::string label_cookie(label_ss);
+ free(label_ss);
+
+ res = smack_new_label_from_self(&label_smack);
+ if (res < 0) {
+ free(label_smack);
+ RUNNER_ASSERT_MSG(res == 0, "Error in getting self SMACK label");
}
- else
- sleep(2);
+ std::string label_self(label_smack ? label_smack : "");
+ free(label_smack);
+
+ RUNNER_ASSERT_MSG(label_self == label_cookie, "No match in SMACK labels");
+
- RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
- RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
+ //TODO: here could be label change using SMACK API and checking if it
+ //is changed using security-server API function based on the same cookie
}
+/**
+ * NOSMACK version of tc_security_server_get_smacklabel_cookie test.
+ *
+ * Most of this test goes exactly as the original one. The only difference are the labels:
+ * - We assume that libsmack tests passed and smack_new_label_from_self will return -1 and NULL
+ * label - there is no need to re-check it.
+ * - Label acquired from security_server_get_smacklabel_cookie should be an empty string.
+ */
+RUNNER_TEST_NOSMACK(tc18_security_server_get_smacklabel_cookie_nosmack) {
+ int res;
+
+ pid_t mypid;
+
+ char* label_ss = NULL;
+ char* cookie = NULL;
+
+ int cookie_size = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size,
+ "Wrong cookie size from security-server. Size: " << cookie_size);
+
+ cookie = (char*) calloc(cookie_size, sizeof(char));
+ RUNNER_ASSERT_MSG(NULL != cookie, "Memory allocation error");
+
+ mypid = getpid();
+
+ //Request cookie from SS
+ res = security_server_request_cookie(cookie, cookie_size);
+ std::unique_ptr<char, std::function<void(char*)> > cookie_ptr(cookie, free);
+ cookie = NULL;
+ RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS,
+ "Error in requesting cookie from security-server. Result: " << res);
+
+ label_ss = security_server_get_smacklabel_cookie(cookie_ptr.get());
+ RUNNER_ASSERT_MSG(label_ss != NULL, "Error in getting label by cookie");
+
+ //Check if label_ss is correct, that is only one NULL character.
+ if (label_ss[0] != '\0') {
+ free(label_ss);
+ RUNNER_ASSERT_MSG(label_ss[0] == '\0', "label_ss was not an empty string.");
+ }
+
+ free(label_ss);
+}
+
+////////////////////
+/////MAIN///////////
+////////////////////
+
int main(int argc, char *argv[])
{
return
projects / platform / core / test / security-tests.git / blobdiff