#include "tests_common.h"
#include <unistd.h>
+#include <grp.h>
+#include <errno.h>
+#include <vector>
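Review bot: The helpers that appear to be added to this same file call `std::find`, `std::remove` and `strerror`, but this include list gains only `<grp.h>`, `<errno.h>` and `<vector>`. Unless tests_common.h already provides them (not visible here), add `#include <algorithm>` and `#include <cstring>` so the file does not depend on transitive includes.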
int DB::Transaction::db_result = PC_OPERATION_SUCCESS;
int ret = smack_set_label_for_self(label);
RUNNER_ASSERT_MSG_BT(ret == 0, "Error in smack_set_label_for_self(): " << ret << ", line: " << line);
}
+
+/*
+ * Add a new group to the current process groups.
+ */
+void add_process_group(const char* group_name)
+{
+ // get group ID by group name
+ group *gr = getgrnam(group_name);
+ RUNNER_ASSERT_MSG_BT(gr != NULL, "Group '" << group_name << "' does not exist.");
+ const gid_t new_group_id = gr->gr_gid;
+
+ // get number of groups that the current process belongs to
+ int ngroups = getgroups(0, NULL);
+
+ //allocate groups table + space for new group entry
+ std::vector<gid_t> groups(ngroups + 1);
+ getgroups(ngroups, groups.data());
+
+ // check if the process already belongs to the group
+ if (std::find(groups.begin(), groups.end(), new_group_id) != groups.end()) return;
+
+ // add new group & apply change
+ groups[ngroups] = new_group_id;
+ int ret = setgroups(groups.size(), groups.data());
+ int error = errno;
+ RUNNER_ASSERT_MSG_BT(ret == 0, "setgroups() failed. " << strerror(error));
+}
+
+/*
+ * Remove specific group from the current process groups.
+ */
+void remove_process_group(const char* group_name)
+{
+ // get group ID by group name
+ group *gr = getgrnam(group_name);
+ RUNNER_ASSERT_MSG_BT(gr != NULL, "Group '" << group_name << "' does not exist.");
+ const gid_t new_group_id = gr->gr_gid;
+
+ int ngroups = getgroups(0, NULL);
+ std::vector<gid_t> groups(ngroups);
+ getgroups(ngroups, groups.data());
+
+ // remove group from the list
+ groups.erase(std::remove(groups.begin(), groups.end(), new_group_id));
+
+ if (groups.size() != (size_t)ngroups) {
+ // apply change
+ int ret = setgroups(groups.size(), groups.data());
+ int error = errno;
+ RUNNER_ASSERT_MSG_BT(ret == 0, "setgroups() failed. " << strerror(error));
+ }
+}
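Review bot: In remove_process_group, `groups.erase(std::remove(groups.begin(), groups.end(), new_group_id));` uses the single-iterator erase. When the process is not in the group, std::remove returns end() and erasing end() is undefined behaviour; when the gid occurs more than once, only one slot is dropped and a stale entry stays in the list handed to setgroups(). Use the range form, `groups.erase(std::remove(groups.begin(), groups.end(), new_group_id), groups.end());`. Both helpers also ignore a -1 return from getgroups(); in add_process_group that turns `groups[ngroups] = new_group_id;` into an out-of-bounds write, so assert `ngroups >= 0` and check the second getgroups() call before touching the vector. tc_unit_03_04 depends on this helper to set up its "not a member" precondition, so it should fail loudly rather than misbehave.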
#include <cstddef>
#include <sys/types.h>
#include <unistd.h>
-
#include <access_provider.h>
#include <security-server.h>
#include <smack_access.h>
+const char *ROOT_USER = "root";
+const char *PROC_AUDIO_GROUP_NAME = "audio";
+
typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
const int KNOWN_COOKIE_SIZE = 20;
typedef std::vector<char> Cookie;
"Error in security_server_get_cookie_pid() argument checking: " << ret);
}
+//getting pid of non existing cookie
+RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid)
+{
+ const char wrong_cookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'};
+ RUNNER_ASSERT_BT(security_server_get_cookie_pid(wrong_cookie) ==
+ SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
+}
+
//---------------------------------------------------------------------------
//passing NULL as a cookie pointer
RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
"Error in security_server_check_privilege(): " << ret);
}
+// invalid gid
+RUNNER_CHILD_TEST(tc_unit_03_04_security_server_check_privilege_neg)
+{
+ remove_process_group(PROC_AUDIO_GROUP_NAME);
+
+ Cookie cookie = getCookieFromSS();
+ int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(audio_gid > -1,
+ "security_server_get_gid() failed. result = " << audio_gid);
+
+ int ret = security_server_check_privilege(cookie.data(), audio_gid);
+
+ // security_server_check_privilege fails, because the process does not belong to "audio" group
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+// add gid
+RUNNER_CHILD_TEST(tc_unit_03_05_security_server_check_privilege)
+{
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ Cookie cookie = getCookieFromSS();
+ int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(audio_gid > -1,
+ "security_server_get_gid() failed. result = " << audio_gid);
+
+ int ret = security_server_check_privilege(cookie.data(), audio_gid);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+}
+
+// test invalid cookie name
+RUNNER_TEST(tc_unit_03_06_security_server_check_privilege)
+{
+ // create invalid cookie
+ int size = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG_BT(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. size = " << size);
+
+ Cookie cookie(size);
+ cookie[0] = 'a';
+ int ret = security_server_check_privilege(cookie.data(), 0);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
//---------------------------------------------------------------------------
//root has access to API
RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
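Review bot: The comments on the new tests do not match what they exercise. In tc_unit_03_04 the gid passed is valid and the denial comes from the process not being in the group, so `// invalid gid` would read better as `// process is not a member of the queried group`. In tc_unit_03_06 the buffer is a cookie value the server never issued, not a "cookie name", so `// cookie that was never issued by the server` is closer. tc_unit_03_06 also passes gid 0 where the removed wrong-cookie test used the audio gid; a short comment saying the gid is irrelevant for an unknown cookie would make that choice explicit.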
RUNNER_ASSERT_MSG_BT(ret == (int)gid, "No match in GID received from cookie");
}
+//---------------------------------------------------------------------------
+// apply smack labels and drop privileges
+RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_cookie_API_access_allow)
+{
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ SecurityServer::AccessProvider provider("subject_1d6eda7d");
+ provider.allowFunction("security_server_get_gid");
+ provider.allowFunction("security_server_request_cookie");
+ provider.allowFunction("security_server_check_privilege");
+ provider.allowFunction("security_server_get_cookie_pid");
+ provider.allowFunction("security_server_get_smacklabel_cookie");
+ provider.allowFunction("security_server_check_privilege_by_pid");
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
+
+ Cookie cookie = getCookieFromSS();
+
+ int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
+ << "\" gid. Result: " << ret);
+
+ ret = security_server_check_privilege(cookie.data(), ret);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ int root_gid = security_server_get_gid(ROOT_USER);
+ RUNNER_ASSERT_MSG_BT(root_gid > -1, "root_gid: " << root_gid);
+
+ ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);
+
+ UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "ss_label: " << ss_label.get());
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+}
+
+// disable access and drop privileges
+RUNNER_CHILD_TEST(tc_unit_09_02_cookie_API_access_deny)
+{
+ SecurityServer::AccessProvider provider("subject_1d414140");
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
+
+ Cookie cookie = getCookieFromSS();
+
+ int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_get_gid(ROOT_USER);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG_BT(ss_label.get() == NULL, "ss_label: " << ss_label.get());
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+// NOSMACK version of the test above
+RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_cookie_API_access_allow_nosmack)
+{
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ // drop root privileges
+ int ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG_BT(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
+
+ Cookie cookie = getCookieFromSS();
+
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
+ << "\" gid. Result: " << ret);
+
+ ret = security_server_check_privilege(cookie.data(), ret);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege failed. Result: " << ret);
+
+ ret = security_server_get_gid(ROOT_USER);
+ RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"root\" gid. Result: " << ret);
+
+ ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG_BT(ret == getpid(),
+ "get_cookie_pid returned different pid than it should. Result: " << ret);
+
+ UniquePtrCstring ss_label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege_by_pid failed. Result: " << ret);
+}
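Review bot: In tc_unit_09_01_cookie_API_access_allow, `RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "ss_label: " << ss_label.get());` streams the pointer in exactly the case where it is NULL. Inserting a null `char*` into an ostream is undefined behaviour, so the failure path may crash or corrupt the stream instead of reporting. Use a fixed message as the nosmack variant does, e.g. `RUNNER_ASSERT_MSG_BT(ss_label.get() != NULL, "get_smacklabel_cookie failed.");`. Separately, `// NOSMACK version of the test above` sits directly under the deny test although it mirrors 09_01; `// NOSMACK version of tc_unit_09_01_cookie_API_access_allow` would remove the ambiguity.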
#include <sys/stat.h>
#include <sys/smack.h>
#include <sys/wait.h>
-#include <grp.h>
#include "security-server.h"
#include "security_server_clean_env.h"
#include <dpl/test/test_runner.h>
const char *TEST03_SUBJECT = "subject_0f09f7cc";
const char *TEST04_SUBJECT = "subject_57dfbfc5";
-const char *TEST05_SUBJECT = "subject_1d6eda7d";
-const char *TEST06_SUBJECT = "subject_1d414140";
const char *TEST07_SUBJECT = "subject_cd738844";
const char *TEST08_SUBJECT = "subject_fd84ba7f";
const char *TEST09_SUBJECT = "subject_sstest09";
const char *API_PASSWD_CHECK = "security-server::api-password-check";
const char *API_PASSWD_RESET = "security-server::api-password-reset";
const char *API_RULE_REQUIRED = "w";
-const char *PROC_AUDIO_GROUP_NAME = "audio";
int clear_password(char ** /*error*/)
{
return -1;
}
-/*
- * Add a new group to the current process groups.
- */
-void add_process_group(const char* group_name)
-{
- // get group ID by gtoup name
- group *gr = getgrnam(group_name);
- RUNNER_ASSERT_MSG_BT(gr != NULL, "Group '" << group_name << "' does not exist.");
- const gid_t new_group_id = gr->gr_gid;
-
- // get number of groups that the current process belongs to
- int ngroups = getgroups(0, NULL);
-
- //allocate groups table + space for new group entry
- std::vector<gid_t> groups(ngroups + 1);
- getgroups(ngroups, groups.data());
-
- // check if the process already belongs to the group
- for (int i = 0; i < ngroups; ++i)
- if (groups[i] == new_group_id)
- return;
-
- // add new group & apply change
- groups[ngroups] = new_group_id;
- int ret = setgroups(ngroups + 1, groups.data());
- RUNNER_ASSERT_MSG_BT(ret == 0, "setgroups failed. ret = " << ret);
-}
-
-/*
- * Remove specific group from the current process groups.
- */
-void remove_process_group(const char* group_name)
-{
- // get group ID by gtoup name
- group *gr = getgrnam(group_name);
- RUNNER_ASSERT_MSG_BT(gr != NULL, "Group '" << group_name << "' does not exist.");
- const gid_t new_group_id = gr->gr_gid;
-
- // get number of groups that the current process belongs to
- int ngroups = getgroups(0, NULL);
-
- //allocate groups table + space for new group entry
- std::vector<gid_t> groups(ngroups);
- getgroups(ngroups, groups.data());
-
- // check if the process already belongs to the group
- for (int i = 0; i < ngroups; ++i)
- if (groups[i] == new_group_id) {
- groups[i] = groups[ngroups-1]; // replace with last
-
- // apply change
- int ret = setgroups(ngroups - 1, groups.data());
- RUNNER_ASSERT_MSG_BT(ret == 0, "setgroups failed. ret = " << ret);
- return;
- }
-}
-
RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER);
RUNNER_TEST(tc_security_server_get_gid_normal_case_trying_to_get_gid_of_tel_gprs)
RUNNER_ASSERT_BT(security_server_get_gid("teltel") == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT);
}
-//RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_negative)
-//{
-// remove_process_group(PROC_AUDIO_GROUP_NAME);
-//
-// RUNNER_ASSERT_BT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
-// SECURITY_SERVER_API_SUCCESS);
-// ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
-// ret = security_server_check_privilege((char*) cookie, ret);
-// RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-//}
-//
-//RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_positive)
-//{
-// add_process_group(PROC_AUDIO_GROUP_NAME);
-//
-// RUNNER_ASSERT_BT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
-// SECURITY_SERVER_API_SUCCESS);
-// ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
-// ret = security_server_check_privilege((char*) cookie, ret);
-// RUNNER_ASSERT_BT(ret == SECURITY_SERVER_API_SUCCESS);
-//}
-
-//RUNNER_TEST(tc_ask_for_privilege_with_default_cookie_case_with_wrong_cookie)
-//{
-// ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
-// srand(time(NULL));
-// for (i = 0; i < COOKIE_SIZE; i++)
-// wrong_cookie[i] = rand() % 255;
-// ret = security_server_check_privilege((const char*) wrong_cookie, ret);
-// RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-//}
-//
-
-//RUNNER_TEST(tc_fake_security_server_get_gid)
-//{
-// /* Close socket just after sending request msg.
-// * This is done with fake security_server_get_gid()*/
-//
-// ret = fake_get_gid(PROC_AUDIO_GROUP_NAME);
-// RUNNER_IGNORED_MSG("Watch whether security server has crashed or not.");
-//}
-
-RUNNER_TEST(tc_ask_for_privilege_with_default_cookie_case_with_wrong_cookie)
-{
- const char wrong_cookie[20] = {'w','a','t','?'};
- int audioGID = security_server_get_gid("audio");
- RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- == security_server_check_privilege((const char*) wrong_cookie, audioGID));
-}
-
-RUNNER_TEST(tc_get_pid_of_non_existing_cookie)
-{
- const char wrong_cookie[20] = {'w', 'a', 't', '?'};
- RUNNER_ASSERT_BT(security_server_get_cookie_pid(wrong_cookie) == SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
-}
-
-RUNNER_TEST(tc_get_pid_of_null_cookie)
-{
- RUNNER_ASSERT_BT(security_server_get_cookie_pid(NULL) == SECURITY_SERVER_API_ERROR_INPUT_PARAM);
-}
-
RUNNER_CHILD_TEST_SMACK(tc01a_security_server_app_give_access)
{
const char *subject = "abc345v34sfa";
RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
}
-RUNNER_CHILD_TEST_SMACK(tc05_check_API_middleware_allow)
-{
- int ret = -1;
- size_t cookie_size = security_server_get_cookie_size();
- char cookie[20];
- char *ss_label = NULL;
-
- add_process_group(PROC_AUDIO_GROUP_NAME);
-
- SecurityServer::AccessProvider provider(TEST05_SUBJECT);
- provider.allowFunction("security_server_get_gid");
- provider.allowFunction("security_server_request_cookie");
- provider.allowFunction("security_server_check_privilege");
- provider.allowFunction("security_server_get_cookie_pid");
- provider.allowFunction("security_server_get_smacklabel_cookie");
- provider.allowFunction("security_server_check_privilege_by_pid");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- ret = security_server_request_cookie(cookie, cookie_size);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- ret = security_server_check_privilege(cookie, ret);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = security_server_get_gid("root");
- RUNNER_ASSERT_MSG_BT(ret > -1, "ret: " << ret);
-
- ret = security_server_get_cookie_pid(cookie);
- RUNNER_ASSERT_MSG_BT(ret == getpid(), "ret: " << ret);
-
- ss_label = security_server_get_smacklabel_cookie(cookie);
- RUNNER_ASSERT_MSG_BT(ss_label != NULL, "ret: " << ss_label);
-
- ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST(tc06_check_API_middleware_denied)
-{
- int ret = -1;
- size_t cookie_size = security_server_get_cookie_size();
- char cookie[20];
- char *ss_label = NULL;
-
- SecurityServer::AccessProvider provider(TEST06_SUBJECT);
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- ret = security_server_request_cookie(cookie, cookie_size);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = security_server_check_privilege(cookie, DB_ALARM_GID);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ret = security_server_get_gid("root");
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ret = security_server_get_cookie_pid(cookie);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ss_label = security_server_get_smacklabel_cookie(cookie);
- RUNNER_ASSERT_MSG_BT(ss_label != NULL && !strcmp(ss_label, TEST06_SUBJECT), "label:" << ss_label);
-
- ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-}
-
RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow)
{
SecurityServer::AccessProvider provider(TEST07_SUBJECT);
}
/**
- * NOSMACK version of tc05 test.
- *
- * This test assumes similar information as previous NOSMACK tests. SMACK off = no need to
- * set accesses and apply them in SMACK before dropping privileges.
- */
-
-RUNNER_CHILD_TEST_NOSMACK(tc05_check_API_middleware_allow_nosmack)
-{
- int ret = -1;
- size_t cookie_size = security_server_get_cookie_size();
- char cookie[20];
- char* ss_label = NULL;
-
- add_process_group(PROC_AUDIO_GROUP_NAME);
-
- // drop root privileges
- ret = drop_root_privileges();
- RUNNER_ASSERT_MSG_BT(ret == 0,
- "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
-
- ret = security_server_request_cookie(cookie, cookie_size);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "request_cookie failed. Result: " << ret);
-
- ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG_BT(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME << "\" gid. Result: "
- << ret);
-
- ret = security_server_check_privilege(cookie, ret);
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS,
- "check_privilege failed. Result: " << ret);
-
- ret = security_server_get_gid("root");
- RUNNER_ASSERT_MSG_BT(ret > -1,
- "Failed to get \"root\" gid. Result: " << ret);
-
- ret = security_server_get_cookie_pid(cookie);
- RUNNER_ASSERT_MSG_BT(ret == getpid(),
- "get_cookie_pid returned different pid than it should. Result: " << ret);
-
- ss_label = security_server_get_smacklabel_cookie(cookie);
- RUNNER_ASSERT_MSG_BT(ss_label != NULL, "get_smacklabel_cookie failed.");
-
- ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- if(ret != SECURITY_SERVER_API_SUCCESS) {
- free(ss_label);
- RUNNER_ASSERT_MSG_BT(false, "check_privilege_by_pid failed. Result: " << ret);
- }
-}
-
-/**
* NOSMACK version of tc07 test.
*
* Similarily to previous tests - no need to set self label because SMACK is off. Just as