Add classes for smack rules management.
Refactoring of security_server_tests*.
[Issue#] N/A
[Problem] People set wrong privileges in tests.
[Cause] N/A
[Solution] Create class to help them set proper smack rules.
[Verification] Build, run tests.
Change-Id: Icab5a8f54be9c46ee69fba59f4503d8b4c99b852
#files to compile
SET(COMMON_TARGET_TEST_SOURCES
${PROJECT_SOURCE_DIR}/tests/common/tests_common.cpp
+ ${PROJECT_SOURCE_DIR}/tests/common/access_provider.cpp
+ ${PROJECT_SOURCE_DIR}/tests/common/smack_access.cpp
)
#header directories
INCLUDE_DIRECTORIES(
${COMMON_TARGET_DEP_INCLUDE_DIRS}
+ ${PROJECT_SOURCE_DIR}/tests/common
)
#output OBJECT format
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * @file access_provider.cpp
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ * @brief Common functions and macros used in security-tests package.
+ */
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/smack.h>
+
+#include <map>
+
+#include <dpl/test/test_runner.h>
+
+#include <access_provider.h>
+
+namespace SecurityServer {
+
+AccessProvider::AccessProvider(const std::string &mySubject)
+ : m_mySubject(mySubject)
+{}
+
+void AccessProvider::allowFunction(const std::string &functionName, const Tracker &tracker) {
+ static const std::map<std::string, std::string> translation = {
+ {"security_server_get_gid", "security-server::api-get-gid"},
+ {"security_server_request_cookie", "none"},
+ {"security_server_get_cookie_size", "none"},
+ {"security_server_check_privilege", "security-server::api-cookie-check"},
+ {"security_server_check_privilege_by_cookie", "security-server::api-cookie-check"},
+ {"security_server_check_privilege_by_sockfd", "security-server::api-privilege-by-pid"},
+ {"security_server_get_cookie_pid", "security-server::api-cookie-check"},
+ {"security_server_is_pwd_valid", "security-server::api-password-check"},
+ {"security_server_set_pwd", "security-server::api_password-set"},
+ {"security_server_set_pwd_validity", "security-server::api-password-set"},
+ {"security_server_set_pwd_max_challenge", "security-server::api-password-set"},
+ {"security_server_reset_pwd", "security-server::api-password-set"},
+ {"security_server_chk_pwd", "security-server::api-password-check"},
+ {"security_server_set_pwd_history", "security-server::api-password-set"},
+ {"security_server_get_smacklabel_cookie", "security-server::api-cookie-check"},
+ {"security_server_get_smacklabel_sockfd", "none"},
+ {"security_server_app_give_access", "security-server::api-data-share"},
+ {"security_server_check_privilege_by_pid", "security-server::api-privilege-by-pid"},
+ {"security_server_app_enable_permissions", "security-server::api-app-permissions"},
+ {"security_server_app_disable_permissions", "security-server::api-app-permissions"},
+ {"security_server_get_uid_by_cookie", "security-server::api-cookie-check"},
+ {"security_server_app_has_privilege", "security-server::api-app-privilege-by-name"},
+ {"security_server_app_caller_has_privilege", "security-server::api-app-privilege-by-name"},
+ {"security_server_get_gid_by_cookie", "security-server::api-cookie-check"},
+ {"security_server_open_for", "security-server::api-open-for"}
+ };
+
+ auto it = translation.find(functionName);
+ RUNNER_ASSERT_MSG(it != translation.end(),
+ tracker.str() << "Error no function " << functionName << " in security server.");
+
+ m_smackAccess.add(m_mySubject, it->second, "w", tracker);
+}
+
+void AccessProvider::allowAPI(const std::string &api, const std::string &rule, const Tracker &tracker) {
+ m_smackAccess.add(m_mySubject, api, rule, tracker);
+}
+
+void AccessProvider::apply(const Tracker &tracker) {
+ m_smackAccess.apply(tracker);
+}
+
+void AccessProvider::applyAndSwithToUser(int uid, int gid, const Tracker &tracker) {
+ RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
+ tracker.str() << "Error in smack_revoke_subject(" << m_mySubject << ")");
+ apply(tracker);
+ RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_mySubject.c_str()),
+ tracker.str() << "Error in smack_set_label_for_self.");
+ RUNNER_ASSERT_MSG(0 == setgid(gid),
+ tracker.str() << "Error in setgid.");
+ RUNNER_ASSERT_MSG(0 == setuid(uid),
+ tracker.str() << "Error in setuid.");
+}
+
+} // namespace SecurityServer
+
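Review bot: The `security_server_set_pwd` entry in the `translation` map of `allowFunction` uses the label `security-server::api_password-set` (underscore after `api`), while every other password-setting function maps to `security-server::api-password-set`. This looks like a typo: the rule would be added for a label the server presumably does not check, so a test calling `security_server_set_pwd` after dropping privileges would be denied. Suggested line: `{"security_server_set_pwd", "security-server::api-password-set"},`. Separately, `applyAndSwithToUser` calls `setgid` and `setuid` but never `setgroups`, so the child keeps root's supplementary groups. If the tests are meant to run as an unprivileged app, consider `setgroups(0, NULL)` before `setgid`, otherwise a group-based permission could mask a missing Smack rule.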
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * @file access_provider.h
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ * @brief Common functions and macros used in security-tests package.
+ */
+#ifndef _ACCESS_FOR_DUMMIES_H_
+#define _ACCESS_FOR_DUMMIES_H_
+
+#include <string>
+
+#include <tracker.h>
+#include <smack_access.h>
+
+namespace SecurityServer {
+
+class AccessProvider {
+public:
+ AccessProvider(const std::string &mySubject);
+
+ AccessProvider(const AccessProvider &second) = delete;
+ AccessProvider& operator=(const AccessProvider &second) = delete;
+
+ void allowAPI(const std::string &api, const std::string &rules, const Tracker &tracker = Tracker());
+ void allowFunction(const std::string &functionName, const Tracker &tracker = Tracker());
+ void apply(const Tracker &tracker = Tracker());
+ void applyAndSwithToUser(int uid, int gid, const Tracker &tracker = Tracker());
+
+ virtual ~AccessProvider(){}
+private:
+ std::string m_mySubject;
+ SmackAccess m_smackAccess;
+};
+
+} // namespace SecurityServer
+
+#endif // _ACCESS_FOR_DUMMIES_H_
+
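Review bot: The public method name `applyAndSwithToUser` is misspelled (`Swith` for `Switch`), and because this header is new, every test written against it will copy the typo. Renaming it now to `applyAndSwitchToUser` in the header, the .cpp and the callers is cheap. The single-argument constructor should be `explicit AccessProvider(const std::string &mySubject);` so a string is never silently converted into a provider. The include guard `_ACCESS_FOR_DUMMIES_H_` starts with an underscore followed by a capital letter, a form reserved for the implementation, and it does not match the file name; something like `ACCESS_PROVIDER_H` avoids both.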
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * @file smack_access.cpp
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ * @brief Common functions and macros used in security-tests package.
+ */
+
+#include <sys/smack.h>
+
+#include <dpl/test/test_runner.h>
+
+#include <smack_access.h>
+
+SmackAccess::SmackAccess()
+ : m_handle(NULL)
+{
+ RUNNER_ASSERT_MSG(0 == smack_accesses_new(&m_handle),
+ "Error in smack_accesses_new");
+}
+
+void SmackAccess::add(
+ const std::string &subject,
+ const std::string &object,
+ const std::string &rights,
+ const Tracker &tracker)
+{
+ RUNNER_ASSERT_MSG(0 == smack_accesses_add(m_handle,
+ subject.c_str(),
+ object.c_str(),
+ rights.c_str()),
+ tracker.str() << "Error in smack_accesses_add.");
+}
+
+void SmackAccess::apply(const Tracker &tracker) {
+ RUNNER_ASSERT_MSG(0 == smack_accesses_apply(m_handle),
+ tracker.str() << "Error in smack_accessses_apply.");
+}
+
+SmackAccess::~SmackAccess() {
+ if (m_handle)
+ smack_accesses_free(m_handle);
+}
+
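Review bot: The failure messages here lose information compared with the helpers this commit removes: `apply` misspells the call as `smack_accessses_apply`, and none of the three asserts prints the libsmack return code that `addSmackRule` used to report. Capturing the result first, e.g. `int ret = smack_accesses_apply(m_handle);` followed by `RUNNER_ASSERT_MSG(ret == 0, tracker.str() << "Error in smack_accesses_apply(): " << ret);`, keeps failures diagnosable. The removed `addSmackRule` also confirmed the rule with `smack_have_access` after applying it. `SmackAccess::apply` does not, so a rule that is accepted but not effective would only surface as an unexplained access-denied result in a later test step.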
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * @file smack_access.h
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ * @brief Common functions and macros used in security-tests package.
+ */
+#ifndef _SMACK_ACCESS_H_
+#define _SMACK_ACCESS_H_
+
+#include <string>
+
+#include <tracker.h>
+
+struct smack_accesses;
+
+class SmackAccess {
+public:
+ SmackAccess();
+ SmackAccess(const SmackAccess &second) = delete;
+ SmackAccess& operator=(SmackAccess &second) = delete;
+
+ void add(const std::string &subject,
+ const std::string &object,
+ const std::string &rights,
+ const Tracker &tracker = Tracker());
+ void apply(const Tracker &tracker = Tracker());
+ virtual ~SmackAccess();
+private:
+ struct smack_accesses *m_handle;
+};
+
+#endif // _SMACK_ACCESS_H_
+
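Review bot: The deleted assignment operator is declared as `SmackAccess& operator=(SmackAccess &second) = delete;`, taking a non-const reference, unlike the copy constructor above it and unlike `AccessProvider`. `SmackAccess& operator=(const SmackAccess &second) = delete;` states the intent consistently. The class holds the raw `m_handle` that the destructor frees, so a short class comment saying it owns the libsmack rule set and is non-copyable for that reason would help readers. The guard `_SMACK_ACCESS_H_` uses a reserved identifier form (leading underscore plus capital letter).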
return 1;
}
-void dropRootPrivileges(const int line)
-{
- int ret = drop_root_privileges();
- RUNNER_ASSERT_MSG(ret == 0, "Error in drop privileges" << ", line: " << line);
-}
-
void setLabelForSelf(const int line, const char *label)
{
int ret = smack_set_label_for_self(label);
RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_label_for_self(): " << ret << ", line: " << line);
}
-void addSmackRule(const int line, const char *subject, const char *object, const char *access)
-{
- struct smack_accesses *rulesTmp = NULL;
-
- int ret = smack_accesses_new(&rulesTmp);
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_accesses_new(): " << ret << ", line: " << line);
-
- AccessesUniquePtr rules(rulesTmp, smack_accesses_free);
-
- ret = smack_accesses_add(rules.get(), subject, object, access);
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_accesses_add():" << ret << ", line: " << line);
-
- ret = smack_accesses_apply(rules.get());
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_accesses_apply(): " << ret << ", line: " << line);
-
- ret = smack_have_access(subject, object, access);
- RUNNER_ASSERT_MSG(ret == 1, "Error in checking if smack rule exist: " << ret << ", line: " << line);
-}
-
-void removeSmackRule(const int line, const char *subject, const char *object, const char *access)
-{
- struct smack_accesses *rulesTmp = NULL;
-
- int ret = smack_accesses_new(&rulesTmp);
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_accesses_new(): " << ret << ", line: " << line);
-
- AccessesUniquePtr rules(rulesTmp, smack_accesses_free);
-
- ret = smack_accesses_add(rules.get(), subject, object, access);
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_accesses_add(): " << ret << ", line: " << line);
-
- ret = smack_accesses_clear(rules.get());
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_accesses_clear(): " << ret << ", line: " << line);
-
- ret = smack_have_access(subject, object, access);
- RUNNER_ASSERT_MSG(ret == 1, "Error in checking if smack rule exist: " << ret << ", line: " << line);
-}
void closeFileDsr(int *fd);
-void dropRootPrivileges(const int line);
void setLabelForSelf(const int line, const char *label);
-void addSmackRule(const int line, const char *subject, const char *object, const char *access);
-void removeSmackRule(const int line, const char *subject, const char *object, const char *access);
-
namespace DB {
RUNNER_ASSERT_MSG(PC_OPERATION_SUCCESS == DB::Transaction::db_result, \
"perm_end returned: " << DB::Transaction::db_result);
-// Common typedefs
-typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
-
// Common macros and labels used in tests
extern const char *WGT_APP_ID;
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * @file tracker.h
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ * @brief Common functions and macros used in security-tests package.
+ */
+#ifndef __TRACKER_H__
+#define __TRACKER_H__
+
+#include <string>
+#include <sstream>
+
+#define TRACE_FROM_HERE Tracker(__FILE__, __LINE__, std::string())
+#define TRACE_FROM_HERE_MSG(msg) Tracker(__FILE__, __LINE__, msg)
+
+class Tracker {
+public:
+ Tracker()
+ : m_line(-1)
+ {}
+
+ Tracker(const std::string &file, int line, const std::string &message)
+ : m_file(file)
+ , m_line(line)
+ , m_msg(message)
+ {}
+
+ std::string str() const {
+ if (m_line == -1)
+ return std::string();
+
+ std::ostringstream stream;
+ stream << "\n[File: " << m_file << ":" << m_line << m_msg << "]\n";
+ return stream.str();
+ }
+private:
+ std::string m_file;
+ int m_line;
+ std::string m_msg;
+};
+
+#endif // __TRACKER_H__
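Review bot: `Tracker::str()` streams `m_line << m_msg` with no separator, so `TRACE_FROM_HERE_MSG("x")` renders as `file.cpp:42x`. A separator such as `stream << "\n[File: " << m_file << ":" << m_line << (m_msg.empty() ? "" : " ") << m_msg << "]\n";` keeps the line number readable. The guard `__TRACKER_H__` contains a double underscore, which is reserved for the implementation; `TRACKER_H` would do. A one-line comment that a default-constructed Tracker (`m_line == -1`) prints nothing would explain the sentinel.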
)
SET(SEC_SRV_TC_SERVER_SOURCES
- ${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_tests_server.cpp
+ ${PROJECT_SOURCE_DIR}/tests/security-server-tests/server.cpp
${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_tests_open_for.cpp
- ${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_tests_cookie_api.cpp
- ${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_tests_weird_arguments.cpp
+ ${PROJECT_SOURCE_DIR}/tests/security-server-tests/cookie_api.cpp
+ ${PROJECT_SOURCE_DIR}/tests/security-server-tests/weird_arguments.cpp
${PROJECT_SOURCE_DIR}/tests/security-server-tests/common/security_server_tests_common.cpp
${PROJECT_SOURCE_DIR}/tests/security-server-tests/security_server_clean_env.cpp
)
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ */
+
+/*
+ * @file security_server_tests_cookie_api.cpp
+ * @author Pawel Polawski (p.polawski@partner.samsung.com)
+ * @version 1.0
+ * @brief Test cases for security server cookie api
+ *
+ */
+
+/*
+Tested API functions in this file:
+
+Protected by "security-server::api-cookie-get" label:
+ int security_server_get_cookie_size(void);
+ int security_server_request_cookie(char *cookie, size_t bufferSize);
+
+
+Protected by "security-server::api-cookie-check" label:
+ int security_server_check_privilege(const char *cookie, gid_t privilege);
+ int security_server_check_privilege_by_cookie(const char *cookie,
+ const char *object,
+ const char *access_rights);
+ int security_server_get_cookie_pid(const char *cookie);
+ char *security_server_get_smacklabel_cookie(const char *cookie);
+ int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
+ int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
+*/
+
+#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_multiprocess.h>
+#include <tests_common.h>
+#include <sys/smack.h>
+#include <cstddef>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <access_provider.h>
+#include <security-server.h>
+#include <smack_access.h>
+#include <tracker.h>
+
+typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
+const int KNOWN_COOKIE_SIZE = 20;
+typedef std::vector<char> Cookie;
+
+Cookie getCookieFromSS(const Tracker &tracker = Tracker()) {
+ Cookie cookie(security_server_get_cookie_size());
+
+ RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS ==
+ security_server_request_cookie(cookie.data(), cookie.size()),
+ tracker.str() << " Error in security_server_request_cookie.");
+
+ return cookie;
+}
+
+RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
+
+/*
+ * **************************************************************************
+ * Test cases fot check various functions input params cases
+ * **************************************************************************
+ */
+
+//---------------------------------------------------------------------------
+//passing NULL as a buffer pointer
+RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
+{
+ int ret = security_server_request_cookie(NULL, KNOWN_COOKIE_SIZE);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_request_cookie() argument checking: " << ret);
+}
+
+//passing too small value as a buffer size
+RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie)
+{
+ Cookie cookie(KNOWN_COOKIE_SIZE);
+
+ int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
+ "Error in security_server_request_cookie() argument checking: " << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
+{
+ int ret = security_server_check_privilege(NULL, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_check_privilege() argument checking: " << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
+{
+ int ret = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_check_privilege_by_cookie() argument checking: "
+ << ret);
+}
+
+//passing NULL as an object pointer
+RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ int ret = security_server_check_privilege_by_cookie(cookie.data(), NULL, "rwx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_check_privilege_by_cookie() argument checking: "
+ << ret);
+}
+
+//passing NULL as an access pointer
+RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", NULL);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_check_privilege_by_cookie() argument checking: "
+ << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
+{
+ int ret = security_server_get_cookie_pid(NULL);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_cookie_pid() argument checking: " << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
+{
+ char *label = NULL;
+ label = security_server_get_smacklabel_cookie(NULL);
+ RUNNER_ASSERT_MSG(label == NULL,
+ "Error in security_server_get_smacklabel_cookie() argument checking");
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_06_01_security_server_get_uid_by_cookie)
+{
+ uid_t uid;
+ int ret = security_server_get_uid_by_cookie(NULL, &uid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_uid_by_cookie() argument checking: "
+ << ret);
+}
+
+//passing NULL as an uid pointer
+RUNNER_CHILD_TEST(tc_arguments_06_02_security_server_get_uid_by_cookie)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ int ret = security_server_get_uid_by_cookie(cookie.data(), NULL);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_uid_by_cookie() argument checking: "
+ << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as an cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_07_01_security_server_get_gid_by_cookie)
+{
+ gid_t gid;
+ int ret = security_server_get_gid_by_cookie(NULL, &gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_gid_by_cookie() argument checking: "
+ << ret);
+}
+
+//passing NULL as an gid pointer
+RUNNER_CHILD_TEST(tc_arguments_07_02_security_server_get_gid_by_cookie)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ int ret = security_server_get_gid_by_cookie(cookie.data(), NULL);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_gid_by_cookie() argument checking: "
+ << ret);
+}
+
+
+
+/*
+ * **************************************************************************
+ * Unit tests for each function from API
+ * **************************************************************************
+ */
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
+{
+ int ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << ret);
+}
+
+//---------------------------------------------------------------------------
+// security_server_get_cookie_size() is no longer ptotected by SMACK
+RUNNER_CHILD_TEST(tc_unit_01_02_security_server_get_cookie_size)
+{
+ SecurityServer::AccessProvider provider("selflabel_01_02");
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ int ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << ret);
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << cookieSize);
+
+ Cookie cookie(cookieSize);
+ int ret = security_server_request_cookie(cookie.data(), cookie.size());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_request_cookie(): " << ret);
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ int ret = security_server_check_privilege(cookie.data(), 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_check_privilege(): " << ret);
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ SecurityServer::AccessProvider provider("selflabel_03_02");
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ int ret = security_server_check_privilege(cookie.data(), 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_check_privilege(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_security_server_check_privilege)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ SecurityServer::AccessProvider provider("selflabel_03_03");
+ provider.allowFunction("security_server_check_privilege", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ int ret = security_server_check_privilege(cookie.data(), 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_check_privilege(): " << ret);
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ int ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
+
+ int pid = getpid();
+ RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ SecurityServer::AccessProvider provider("selflabel_05_02");
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ int ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_get_cookie_pid(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_security_server_get_cookie_pid)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ SecurityServer::AccessProvider provider("selflabel_05_03");
+ provider.allowFunction("security_server_get_cookie_pid", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ int ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
+
+ int pid = getpid();
+ RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie)
+{
+ setLabelForSelf(__LINE__, "selflabel_06_01");
+
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_01") == 0,
+ "No match in smack label received from cookie, received label: "
+ << label.get());
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ SecurityServer::AccessProvider provider("selflabel_06_02");
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG(label.get() == NULL,
+ "NULL should be received due to access denied, received label: "
+ << label.get());
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_security_server_get_smacklabel_cookie)
+{
+ SecurityServer::AccessProvider provider("selflabel_06_03");
+ provider.allowFunction("security_server_get_smacklabel_cookie", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_03") == 0,
+ "No match in smack label received from cookie, received label: "
+ << label.get());
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_07_01_security_server_get_uid_by_cookie)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ uid_t uid;
+ int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_get_uid_by_cookie(): " << ret);
+ ret = getuid();
+ RUNNER_ASSERT_MSG(ret == (int)uid, "No match in UID received from cookie");
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_07_02_security_server_get_uid_by_cookie)
+{
+ SecurityServer::AccessProvider provider("selflabel_07_02");
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ Cookie cookie(KNOWN_COOKIE_SIZE);
+ uid_t uid;
+
+ int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_get_uid_by_cookie(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_07_03_security_server_get_uid_by_cookie)
+{
+ SecurityServer::AccessProvider provider("selflabel_07_02");
+ provider.allowFunction("security_server_get_uid_by_cookie", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ uid_t uid;
+
+ int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_get_uid_by_cookie(): " << ret);
+ ret = getuid();
+ RUNNER_ASSERT_MSG(ret == (int)uid, "No match in UID received from cookie");
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_08_01_security_server_get_gid_by_cookie)
+{
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+
+ gid_t gid;
+
+ int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_get_gid_by_cookie(): " << ret);
+ ret = getgid();
+ RUNNER_ASSERT_MSG(ret == (int)gid, "No match in GID received from cookie");
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_08_02_security_server_get_gid_by_cookie)
+{
+ SecurityServer::AccessProvider provider("selflabel_08_02");
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ Cookie cookie(KNOWN_COOKIE_SIZE);
+ gid_t gid;
+
+ int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_get_gid_by_cookie(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_08_03_security_server_get_gid_by_cookie)
+{
+ SecurityServer::AccessProvider provider("selflabel_08_03");
+ provider.allowFunction("security_server_get_gid_by_cookie", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ Cookie cookie = getCookieFromSS(TRACE_FROM_HERE);
+ gid_t gid;
+
+ int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_get_gid_by_cookie(): " << ret);
+ ret = getgid();
+ RUNNER_ASSERT_MSG(ret == (int)gid, "No match in GID received from cookie");
+}
+
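Review bot: `tc_unit_07_03_security_server_get_uid_by_cookie` constructs its provider with the label `selflabel_07_02`, the same one as the preceding no-rule test, which looks like a copy-paste slip. Every other test uses a label matching its own number, so `SecurityServer::AccessProvider provider("selflabel_07_03");` is presumably intended. In `tc_unit_06_01` and `tc_unit_06_03` the result of `security_server_get_smacklabel_cookie` goes straight into `strcmp`, so a NULL return crashes the child instead of producing a readable failure; assert `label.get() != NULL` first. `getCookieFromSS` also sizes the vector from `security_server_get_cookie_size()` without checking for a negative error value. The file comment still names `security_server_tests_cookie_api.cpp` and lists the cookie-get functions as Smack-protected, which contradicts the comment on `tc_unit_01_02`.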
+++ /dev/null
-/*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
- */
-/*
- * @file security_server_tests_client.h
- * @author Bumjin Im (bj.im@samsung.com)
- * @author Mariusz Domanski (m.domanski@samsung.com)
- * @version 1.0
- * @brief Test cases for security server client
- */
-
-#ifndef SECURITY_SERVER_TESTS_CLIENT_H
-#define SECURITY_SERVER_TESTS_CLIENT_H
-
-#include <unistd.h>
-#include <errno.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <fcntl.h>
-#include <sys/un.h>
-#include <sys/socket.h>
-#include <sys/smack.h>
-#include "security-server.h"
-#include <grp.h>
-#include "test.h"
-
-#include <dpl/log/log.h>
-
-int *g_permissions = NULL;
-gid_t *g_groups = NULL;
-int g_perm_num, g_group_num;
-
-char *object_label = NULL;
-char *subject_label = NULL;
-char *access_rights = NULL;
-
-int sock_fd, i, cur_pid, cnt;
-char cookie[20];
-char tmpchar[100];
-
-/* deprecated info for old c-style binary
- * still useful for understanding the test itself
- *
- * Usage:
- * cmd -u uid -g gid1 gid2 gid3... -p gid_a gid_b gid_c ...
- * or:
- * cmd -s subject -o object -a access-rights
- * [Options]
- * -u: UID that the process are running as
- * Only one UID is allowed.
- * -g: GIDs that the process belongs to
- * -p: GIDs that the process wants to get privilege
- * -s: subject label (label of the process)
- * -o: object label to be accessed
- * -a: accessed rights requested (one or more of the letterrs rwx)
- * Examples:
- * cmd -u 5000 -g 6001 6002 6003 6004 6005 6006 6007 -p 6001 6002 6010
- * cmd -s mylabel -o objlabel -a rx
- */
-
-int privilege_control_old(int argc, char *argv[])
-{
- int option = 0; /* 0: no, 1: uID, 2: gid, 3: permission */
- int uid_flag = 0, gid_flag = 0, perm_flag = 0, i = 1, number, uid = 0, j;
-
- while (i < argc)
- {
- if (strcmp(argv[i], "-u") == 0)
- {
- if (uid_flag != 0)
- {
- printf("%s\n", "-u option already used");
- exit(1);
- }
- option = 1;
- uid_flag = 1;
- }
- else if (strcmp(argv[i], "-g") == 0)
- {
- if (gid_flag != 0)
- {
- printf("%s\n", "-g option already used");
- exit(1);
- }
- option = 2;
- gid_flag = 1;
- }
- else if (strcmp(argv[i], "-p") == 0)
- {
- if (perm_flag != 0)
- {
- printf("%s\n", "-p option already used");
- exit(1);
- }
- option = 3;
- perm_flag = 1;
- }
- else
- {
- errno = 0;
- number = strtoul(argv[i], 0, 10);
- if (errno != 0)
- {
- printf("%s\n", "Invalid option");
- exit(1);
- }
- switch (option)
- {
- case 1:
- if (uid != 0)
- {
- printf("%s\n", "You cannot assign more than 1 uID");
- exit(1);
- }
- uid = number;
- break;
- case 2:
- for (j = 0; i < g_group_num; j++)
- {
- if (number == g_groups[j])
- break;
- }
- g_groups = (gid_t*)realloc(g_groups, sizeof(gid_t) * (++g_group_num));
- g_groups[g_group_num - 1] = number;
- break;
- case 3:
- for (j = 0; i < g_perm_num; j++)
- {
- if (number == g_permissions[j])
- break;
- }
- g_permissions = (int*)realloc(g_permissions, sizeof(int) * (++g_perm_num));
- g_permissions[g_perm_num - 1] = number;
- break;
- default:
- printf("%s\n", "Invalid option");
- exit(1);
- break;
- }
- }
- i++;
- }
- if (g_group_num == 0 || g_perm_num == 0)
- {
- printf("%s\n", "You must assign groups and permissions");
- exit(1);
- }
- if (setgroups(g_group_num, g_groups) != 0)
- {
- printf("%s\n", "Error on setgroups{}");
- exit(1);
- }
-
- setgid(uid);
- setuid(uid);
- return 0;
-}
-
-int privilege_control_new(int argc, char *argv[])
-{
- if (argc == 7 && !strcmp(argv[1], "-s") &&
- !strcmp(argv[3], "-o") &&
- !strcmp(argv[5], "-a"))
- {
- int ret;
- subject_label = argv[2];
- object_label = argv[4];
- access_rights = argv[6];
-
- ret = smack_set_label_for_self(subject_label);
- if (ret != 0)
- {
- printf("(2)Cannot set my own smack label... maybe I'm not root?");
- exit(1);
- }
- setgid(1);
- setuid(1);
- }
- else
- {
- exit(1);
- }
-
- return 0;
-}
-
-int privilege_control(int argc, char *argv[])
-{
- if (argc == 7 && !strcmp(argv[1], "-s"))
- {
- return privilege_control_new(argc, argv);
- }
- else
- {
- return privilege_control_old(argc, argv);
- }
-}
-
-int connect_to_testserver()
-{
- struct sockaddr_un clientaddr;
- int client_len = 0, localsockfd, ret;
-
- /* Create a socket */
- if ((localsockfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
- {
- LogDebug("Error on socket()");
- return -1;
- }
-
- bzero(&clientaddr, sizeof(clientaddr));
- clientaddr.sun_family = AF_UNIX;
- strncpy(clientaddr.sun_path, SECURITY_SERVER_TEST_SOCK_PATH, strlen(SECURITY_SERVER_TEST_SOCK_PATH));
- clientaddr.sun_path[strlen(SECURITY_SERVER_TEST_SOCK_PATH)] = 0;
- client_len = sizeof(clientaddr);
- if (connect(localsockfd, (struct sockaddr*)&clientaddr, client_len) < 0)
- {
- LogDebug("Error on connect");
- close(localsockfd);
- return -1;
- }
- return localsockfd;
-}
-
-int send_request(int sock_fd, unsigned char *cookie, int perm)
-{
- unsigned char buf[28] = {0, 0, 0, 0, };
- int size;
- memcpy(buf + 4, cookie, 20);
- memcpy(buf + 24, &perm, sizeof(int));
- size = write(sock_fd, buf, 28);
- if (size < 28)
- {
- printf("Cannot send\n");
- close(sock_fd);
- exit(1);
- }
- return 0;
-}
-
-/*
- * @param direct 0=via security server 1=directly from IPC socket
- */
-int send_request_new_cookie(int sock_fd,
- const char *cookie,
- const char *subject_label,
- const char *access_rights)
-{
- unsigned char buf[1024] = {17, 0, 0, 0, };
- int olen, alen;
- int size, ret;
- olen = strlen(subject_label);
- alen = strlen(access_rights);
- size = 24 + 2 * sizeof(int) + olen + alen;
- memcpy(buf + 4, cookie, 20);
- memcpy(buf + 24, &olen, sizeof(int));
- memcpy(buf + 28, &alen, sizeof(int));
- memcpy(buf + 32, subject_label, olen);
- memcpy(buf + 32 + olen, access_rights, alen);
- ret = write(sock_fd, buf, size);
- if (ret < size)
- {
- printf("Cannot send\n");
- close(sock_fd);
- exit(1);
- }
- return 0;
-}
-
-int send_request_new_direct(int sock_fd,
- const char *object_label,
- const char *access_rights)
-{
- unsigned char buf[1024] = {17, 0, 0, 1, };
- int olen, alen;
- int size, ret;
- olen = strlen(object_label);
- alen = strlen(access_rights);
- size = 24 + 2 * sizeof(int) + olen + alen;
- memcpy(buf + 4, &olen, sizeof(int));
- memcpy(buf + 8, &alen, sizeof(int));
- memcpy(buf + 12, object_label, olen);
- memcpy(buf + 12 + olen, access_rights, alen);
- ret = write(sock_fd, buf, size);
- if (ret < size)
- {
- printf("Cannot send\n");
- close(sock_fd);
- exit(1);
- }
- return 0;
-}
-
-int recv_result(int sock_fd)
-{
- int buf, size;
- size = read(sock_fd, &buf, sizeof(int));
- if (size < sizeof(int))
- {
- printf("Cannot recv\n");
- close(sock_fd);
- exit(1);
- }
- return buf;
-}
-
-#endif /* SECURITY_SERVER_TESTS_CLIENT_H */
+++ /dev/null
-/*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
- */
-
-/*
- * @file security_server_tests_cookie_api.cpp
- * @author Pawel Polawski (p.polawski@partner.samsung.com)
- * @version 1.0
- * @brief Test cases for security server cookie api
- *
- */
-
-/*
-Tested API functions in this file:
-
-Protected by "security-server::api-cookie-get" label:
- int security_server_get_cookie_size(void);
- int security_server_request_cookie(char *cookie, size_t bufferSize);
-
-
-Protected by "security-server::api-cookie-check" label:
- int security_server_check_privilege(const char *cookie, gid_t privilege);
- int security_server_check_privilege_by_cookie(const char *cookie,
- const char *object,
- const char *access_rights);
- int security_server_get_cookie_pid(const char *cookie);
- char *security_server_get_smacklabel_cookie(const char *cookie);
- int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
- int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
-*/
-
-#include <dpl/test/test_runner.h>
-#include <dpl/test/test_runner_multiprocess.h>
-#include <tests_common.h>
-#include <sys/smack.h>
-#include <cstddef>
-#include <sys/types.h>
-#include <unistd.h>
-#include "security-server.h"
-
-
-typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
-//const char API_LABEL_GET[] = "security-server::api-cookie-get";
-const char API_LABEL_CHECK[] = "security-server::api-cookie-check";
-const char API_ACCESS[] = "w";
-const int KNOWN_COOKIE_SIZE = 20;
-
-
-void getCookieFromSS(const int line, std::vector<char> &cookie)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
- "Wrong cookie size received from server: " << cookieSize
- << ", line: " << line);
-
- cookie.resize(cookieSize);
-
- int ret = security_server_request_cookie(cookie.data(), cookieSize);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_request_cookie(): " << ret
- << ", line: " << line);
-}
-
-
-RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
-
-/*
- * **************************************************************************
- * Test cases fot check various functions input params cases
- * **************************************************************************
- */
-
-//---------------------------------------------------------------------------
-//passing NULL as a buffer pointer
-RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
-{
- int ret = security_server_request_cookie(NULL, KNOWN_COOKIE_SIZE);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_request_cookie() argument checking: " << ret);
-}
-
-//passing too small value as a buffer size
-RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie)
-{
- std::vector<char> cookie(KNOWN_COOKIE_SIZE);
-
- int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
- "Error in security_server_request_cookie() argument checking: " << ret);
-}
-
-//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
-{
- int ret = security_server_check_privilege(NULL, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_check_privilege() argument checking: " << ret);
-}
-
-//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
-{
- int ret = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_check_privilege_by_cookie() argument checking: "
- << ret);
-}
-
-//passing NULL as an object pointer
-RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- int ret = security_server_check_privilege_by_cookie(cookie.data(), NULL, "rwx");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_check_privilege_by_cookie() argument checking: "
- << ret);
-}
-
-//passing NULL as an access pointer
-RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", NULL);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_check_privilege_by_cookie() argument checking: "
- << ret);
-}
-
-//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
-{
- int ret = security_server_get_cookie_pid(NULL);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_cookie_pid() argument checking: " << ret);
-}
-
-//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
-{
- char *label = NULL;
- label = security_server_get_smacklabel_cookie(NULL);
- RUNNER_ASSERT_MSG(label == NULL,
- "Error in security_server_get_smacklabel_cookie() argument checking");
-}
-
-//---------------------------------------------------------------------------
-//passing NULL as a cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_06_01_security_server_get_uid_by_cookie)
-{
- uid_t uid;
- int ret = security_server_get_uid_by_cookie(NULL, &uid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
-}
-
-//passing NULL as an uid pointer
-RUNNER_CHILD_TEST(tc_arguments_06_02_security_server_get_uid_by_cookie)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_uid_by_cookie() argument checking: "
- << ret);
-}
-
-//---------------------------------------------------------------------------
-//passing NULL as an cookie pointer
-RUNNER_CHILD_TEST(tc_arguments_07_01_security_server_get_gid_by_cookie)
-{
- gid_t gid;
- int ret = security_server_get_gid_by_cookie(NULL, &gid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
-}
-
-//passing NULL as an gid pointer
-RUNNER_CHILD_TEST(tc_arguments_07_02_security_server_get_gid_by_cookie)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), NULL);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
- "Error in security_server_get_gid_by_cookie() argument checking: "
- << ret);
-}
-
-
-
-/*
- * **************************************************************************
- * Unit tests for each function from API
- * **************************************************************************
- */
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
-{
- int ret = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << ret);
-}
-
-/*
- * security_server_get_cookie_size() is no longer ptotected by SMACK
- *
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST(tc_unit_01_02_security_server_get_cookie_size)
-{
- setLabelForSelf("selflabel_01_02", __LINE__);
- dropRootPrivileges(__LINE__);
-
- int ret = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_cookie_size(): " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST(tc_unit_01_03_security_server_get_cookie_size)
-{
- addSmackRule("selflabel_01_03", API_LABEL_GET, API_ACCESS, __LINE__);
- setLabelForSelf("selflabel_01_03", __LINE__);
- dropRootPrivileges(__LINE__);
-
- int ret = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << ret);
-}
-*/
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << cookieSize);
-
- std::vector<char> cookie(cookieSize);
- int ret = security_server_request_cookie(cookie.data(), cookie.size());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_request_cookie(): " << ret);
-}
-
-/*
- * security_server_get_cookie_size() is no longer protected by SMACK
- *
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST(tc_unit_02_02_security_server_request_cookie)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << cookieSize);
-
- setLabelForSelf("selflabel_02_02", __LINE__);
- dropRootPrivileges(__LINE__);
-
- std::vector<char> cookie(cookieSize);
- int ret = security_server_request_cookie(cookie.data(), cookie.size());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_request_cookie(): " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST(tc_unit_02_03_security_server_request_cookie)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << cookieSize);
-
- addSmackRule("selflabel_02_03", API_LABEL_GET, API_ACCESS, __LINE__);
- setLabelForSelf("selflabel_02_03", __LINE__);
- dropRootPrivileges(__LINE__);
-
- std::vector<char> cookie(cookieSize);
- int ret = security_server_request_cookie(cookie.data(), cookie.size());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_request_cookie(): " << ret);
-}
-*/
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_check_privilege(): " << ret);
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- setLabelForSelf(__LINE__, "selflabel_03_02");
- dropRootPrivileges(__LINE__);
-
- int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_check_privilege(): " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_security_server_check_privilege)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- addSmackRule(__LINE__, "selflabel_03_03", API_LABEL_CHECK, API_ACCESS);
- setLabelForSelf(__LINE__, "selflabel_03_03");
- dropRootPrivileges(__LINE__);
-
- int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_check_privilege(): " << ret);
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- int ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
-
- int pid = getpid();
- RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- setLabelForSelf(__LINE__, "selflabel_05_02");
- dropRootPrivileges(__LINE__);
-
- int ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_cookie_pid(): " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_security_server_get_cookie_pid)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- addSmackRule(__LINE__, "selflabel_05_03", API_LABEL_CHECK, API_ACCESS);
- setLabelForSelf(__LINE__, "selflabel_05_03");
- dropRootPrivileges(__LINE__);
-
- int ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
-
- int pid = getpid();
- RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie)
-{
- setLabelForSelf(__LINE__, "selflabel_06_01");
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
- RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_01") == 0,
- "No match in smack label received from cookie, received label: "
- << label.get());
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie)
-{
- setLabelForSelf(__LINE__, "selflabel_06_02");
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- dropRootPrivileges(__LINE__);
-
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
- RUNNER_ASSERT_MSG(label.get() == NULL,
- "NULL should be received due to access denied, received label: "
- << label.get());
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_security_server_get_smacklabel_cookie)
-{
- setLabelForSelf(__LINE__, "selflabel_06_03");
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
-
- addSmackRule(__LINE__, "selflabel_06_03", API_LABEL_CHECK, API_ACCESS);
- dropRootPrivileges(__LINE__);
-
- UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
- RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_03") == 0,
- "No match in smack label received from cookie, received label: "
- << label.get());
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_07_01_security_server_get_uid_by_cookie)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
- uid_t uid;
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG(ret == (int)uid, "No match in UID received from cookie");
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_02_security_server_get_uid_by_cookie)
-{
- setLabelForSelf(__LINE__, "selflabel_07_02");
- dropRootPrivileges(__LINE__);
-
- std::vector<char> cookie(KNOWN_COOKIE_SIZE);
- uid_t uid;
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_uid_by_cookie(): " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_07_03_security_server_get_uid_by_cookie)
-{
- addSmackRule(__LINE__, "selflabel_07_03", API_LABEL_CHECK, API_ACCESS);
- setLabelForSelf(__LINE__, "selflabel_07_03");
- dropRootPrivileges(__LINE__);
-
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
- uid_t uid;
-
- int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_uid_by_cookie(): " << ret);
- ret = getuid();
- RUNNER_ASSERT_MSG(ret == (int)uid, "No match in UID received from cookie");
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_08_01_security_server_get_gid_by_cookie)
-{
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
- gid_t gid;
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG(ret == (int)gid, "No match in GID received from cookie");
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_02_security_server_get_gid_by_cookie)
-{
- setLabelForSelf(__LINE__, "selflabel_08_02");
- dropRootPrivileges(__LINE__);
-
- std::vector<char> cookie(KNOWN_COOKIE_SIZE);
- gid_t gid;
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "Error in security_server_get_gid_by_cookie(): " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_08_03_security_server_get_gid_by_cookie)
-{
- addSmackRule(__LINE__, "selflabel_08_03", API_LABEL_CHECK, API_ACCESS);
- setLabelForSelf(__LINE__, "selflabel_08_03");
- dropRootPrivileges(__LINE__);
-
- std::vector<char> cookie;
- getCookieFromSS(__LINE__, cookie);
- gid_t gid;
-
- int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_get_gid_by_cookie(): " << ret);
- ret = getgid();
- RUNNER_ASSERT_MSG(ret == (int)gid, "No match in GID received from cookie");
-}
-
* @version 1.0
* @brief Test cases for security server open-for API
*/
-
-#include "tests_common.h"
-#include "security-server.h"
-#include "privilege-control.h"
-#include <dpl/test/test_runner.h>
-#include <dpl/log/log.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string>
#include <vector>
-#define TEST01_SUBJECT "open-for-client"
+#include <tests_common.h>
+#include <dpl/test/test_runner.h>
+#include <dpl/log/log.h>
-#define API_OPEN_FOR "security-server::api-open-for"
-#define API_RULE_REQUIRED "w"
+#include <access_provider.h>
+#include <security-server.h>
+#include <tracker.h>
-typedef std::unique_ptr<smack_accesses, std::function<void(smack_accesses*)> > AccessesUniquePtr;
+#define TEST01_SUBJECT "open-for-client"
const char *file = "file";
const char *write_buf1 = "ala ma kota";
RUNNER_CHILD_TEST_SMACK(tc13_open_for_new_file)
{
- std::string subject_allow = TEST01_SUBJECT;
- struct smack_accesses *handle = NULL;
- int ret = -1;
int fd = -1;
-
FDUniquePtr fd_ptr(&fd, closefdptr);
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- AccessesUniquePtr rules(handle, smack_accesses_free);
+ SecurityServer::AccessProvider provider(TEST01_SUBJECT);
+ provider.allowFunction("security_server_open_for", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
- ret = smack_accesses_add(rules.get(), subject_allow.c_str(), API_OPEN_FOR, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(rules.get());
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "ret: " << ret);
-
- ret = smack_set_label_for_self(subject_allow.c_str());
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "ret: " << ret);
-
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- ret = security_server_open_for(file, fd_ptr.get());
+ int ret = security_server_open_for(file, fd_ptr.get());
RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
ret = write(*fd_ptr, write_buf1, strlen(write_buf1));
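Review bot: Nothing in tc13 now shows that the process actually left root before `security_server_open_for` is called, because the explicit `drop_root_privileges() == 0` assertion has been replaced by `applyAndSwithToUser`, whose body is not in this hunk. If that helper does not itself assert on the uid/gid switch, a silent failure would leave the test running as root, and root may not be subject to the SMACK rule at all, so the test could pass without exercising it. A cheap post-condition right after the call would pin it in the test: `RUNNER_ASSERT_MSG(getuid() == APP_UID && getgid() == APP_GID, "still privileged, uid = " << getuid());`. The same applies to tc14, tc15 and tc16 below. The test body continues past the end of this hunk.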
RUNNER_CHILD_TEST_SMACK(tc14_open_for_read_from_existing_file)
{
- std::string subject_allow = TEST01_SUBJECT;
- struct smack_accesses *handle = NULL;
- int ret = -1;
int fd = -1;
-
FDUniquePtr fd_ptr(&fd, closefdptr);
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- AccessesUniquePtr rules(handle, smack_accesses_free);
-
- ret = smack_accesses_add(rules.get(), subject_allow.c_str(), API_OPEN_FOR, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+ SecurityServer::AccessProvider provider(TEST01_SUBJECT);
+ provider.allowFunction("security_server_open_for", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
- ret = smack_accesses_apply(rules.get());
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "ret: " << ret);
-
- ret = smack_set_label_for_self(subject_allow.c_str());
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "ret: " << ret);
-
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- ret = security_server_open_for(file, fd_ptr.get());
+ int ret = security_server_open_for(file, fd_ptr.get());
RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
ret = read(*fd_ptr, read_buf1, strlen(write_buf1));
RUNNER_CHILD_TEST_SMACK(tc15_open_for_write_to_existing_file)
{
- std::string subject_allow = TEST01_SUBJECT;
- struct smack_accesses *handle = NULL;
- int ret = -1;
- int fd = -1;
+ int fd = open("/var/run/security-server/file", O_RDWR);
+ int ret = ftruncate(fd, 0);
FDUniquePtr fd_ptr(&fd, closefdptr);
- fd = open("/var/run/security-server/file", O_RDWR);
- ret = ftruncate(fd, 0);
ret = write(*fd_ptr, write_buf2, strlen(write_buf2));
int err = errno;
RUNNER_ASSERT_MSG(ret == (int)strlen(write_buf2), "error in read: " << ret << " err: " << strerror(err));
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- AccessesUniquePtr rules(handle, smack_accesses_free);
-
- ret = smack_accesses_add(rules.get(), subject_allow.c_str(), API_OPEN_FOR, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(rules.get());
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "ret: " << ret);
-
- ret = smack_set_label_for_self(subject_allow.c_str());
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "ret: " << ret);
-
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+ SecurityServer::AccessProvider provider(TEST01_SUBJECT);
+ provider.allowFunction("security_server_open_for", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
ret = security_server_open_for(file, fd_ptr.get());
RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
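Review bot: The descriptor from `open("/var/run/security-server/file", O_RDWR)` is never checked, and the `ftruncate` result is overwritten by the following `write` before anyone reads it. A missing or unreadable file therefore only surfaces one step later, under the misleading "error in read" message. Assert both once `fd_ptr` owns the descriptor: `RUNNER_ASSERT_MSG(fd >= 0, "open failed: " << strerror(errno));` before the truncate and `RUNNER_ASSERT_MSG(ret == 0, "ftruncate failed: " << strerror(errno));` after it. Separately, `security_server_open_for(file, fd_ptr.get())` presumably stores a new descriptor into the same `fd`, which would leave the one opened here unclosed; closing it before that call would avoid the leak. The test body continues past the end of this hunk.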
RUNNER_CHILD_TEST_SMACK(tc16_open_for_bad_file_name)
{
- std::string subject_allow = TEST01_SUBJECT;
- struct smack_accesses *handle = NULL;
- int ret = -1;
int fd = -1;
-
FDUniquePtr fd_ptr(&fd, closefdptr);
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- AccessesUniquePtr rules(handle, smack_accesses_free);
-
- ret = smack_accesses_add(rules.get(), subject_allow.c_str(), API_OPEN_FOR, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(rules.get());
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "ret: " << ret);
-
- ret = smack_set_label_for_self(subject_allow.c_str());
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "ret: " << ret);
-
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+ SecurityServer::AccessProvider provider(TEST01_SUBJECT);
+ provider.allowFunction("security_server_open_for", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
std::vector<std::string> badFile = { "/plik","-plik",".plik","pl..k","..plik",
"..","." };
for (auto iter = badFile.begin(); iter != badFile.end(); ++iter) {
- ret = security_server_open_for((*iter).c_str(), fd_ptr.get());
+ int ret = security_server_open_for((*iter).c_str(), fd_ptr.get());
RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
}
}
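Review bot: The loop in tc16 checks only the return code for each rejected name, so it would not notice if the server returned `SECURITY_SERVER_API_ERROR_INPUT_PARAM` and still handed back a descriptor. Since `fd` starts at -1 and is only reachable through `fd_ptr.get()`, the negative case can be pinned with one more line inside the loop: `RUNNER_ASSERT_MSG(fd == -1, "descriptor returned for rejected name: " << *iter);`. This makes the test cover the property that matters for the path-like names in `badFile`, namely that no file is opened, not just that an error is reported.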
#include "security-server.h"
#include <dpl/test/test_runner.h>
#include <dlog.h>
-#include "test.h"
#include "security_server_clean_env.h"
+++ /dev/null
-/*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
- */
-/*
- * @file security_server_tests_server.cpp
- * @author Bumjin Im (bj.im@samsung.com)
- * @author Mariusz Domanski (m.domanski@samsung.com)
- * @version 1.0
- * @brief Test cases for security server
- */
-
-#include <stdio.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <fcntl.h>
-#include <sys/un.h>
-#include <unistd.h>
-#include <poll.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/smack.h>
-#include <sys/wait.h>
-#include <grp.h>
-#include "security-server.h"
-#include "security_server_clean_env.h"
-#include <dpl/test/test_runner.h>
-#include <dpl/test/test_runner_child.h>
-#include <dlog.h>
-#include <privilege-control.h>
-#include <ftw.h>
-#include "security_server_tests_common.h"
-#include "tests_common.h"
-#include "test.h"
-
-#define TEST03_SUBJECT "subject_0f09f7cc"
-#define TEST04_SUBJECT "subject_57dfbfc5"
-#define TEST05_SUBJECT "subject_1d6eda7d"
-#define TEST06_SUBJECT "subject_1d414140"
-#define TEST07_SUBJECT "subject_cd738844"
-#define TEST08_SUBJECT "subject_fd84ba7f"
-const char *TEST09_SUBJECT = "subject_sstest09";
-const char *TEST10_SUBJECT = "subject_sstest10";
-const char *TEST11_SUBJECT = "subject_sstest11";
-const char *TEST12_SUBJECT = "subject_sstest12";
-
-#define SECURITY_SERVER_SOCK_PATH "/tmp/.security_server.sock"
-#define COOKIE_SIZE 20
-#define OBJ_NAME_SIZE 30
-#define OLABEL_SIZE 1024
-#define ARIGHTS_SIZE 32
-
-/* from security-server-common.h */
-#define SECURITY_SERVER_MAX_OBJ_NAME 30
-
-#define API_PASSWD_SET "security-server::api-password-set"
-#define API_PASSWD_CHECK "security-server::api-password-check"
-#define API_DATA_SHARE "security-server::api-data-share"
-#define API_PRIVILEGE_BY_NAME "security-server::api-app-privilege-by-name"
-
-#define API_FREE_ACCESS "*"
-#define API_RULE_REQUIRED "w"
-
-// we assume that the group 'audio' exists in the system
-const char* PROC_AUDIO_GROUP_NAME = "audio";
-
-
-/* Message */
-typedef struct
-{
- unsigned char version;
- unsigned char msg_id;
- unsigned short msg_len;
-} basic_header;
-
-typedef struct
-{
- basic_header basic_hdr;
- unsigned char return_code;
-} response_header;
-
-int server_sockfd, client_sockfd, ret, recved_gid, client_len, i;
-unsigned char cookie[COOKIE_SIZE], wrong_cookie[COOKIE_SIZE];
-char obj_name[OBJ_NAME_SIZE];
-struct sockaddr_un clientaddr;
-
-/* Create a Unix domain socket and bind */
-int create_new_socket()
-{
- int localsockfd = 0, flags;
- struct sockaddr_un serveraddr;
- mode_t sock_mode;
-
- if (unlink(SECURITY_SERVER_TEST_SOCK_PATH) == -1 && errno != ENOENT) {
- SLOGE("%s : %s\n", "unlink()", strerror(errno));
- goto error;
- }
-
- /* Create Unix domain socket */
- if ((localsockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
- {
- SLOGE("%s : %s\n", "socket()", strerror(errno));
- goto error;
- }
-
- /* Make socket as non blocking */
- if ((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 ||
- fcntl(localsockfd, F_SETFL, flags | O_NONBLOCK) < 0)
- {
- SLOGE("%s : %s\n", "fcntl()", strerror(errno));
- goto error;
- }
-
- bzero (&serveraddr, sizeof(serveraddr));
- serveraddr.sun_family = AF_UNIX;
- strncpy(serveraddr.sun_path, SECURITY_SERVER_TEST_SOCK_PATH,
- strlen(SECURITY_SERVER_TEST_SOCK_PATH) + 1);
-
- /* Bind the socket */
- if ((bind(localsockfd, (struct sockaddr*)&serveraddr, sizeof(serveraddr))) < 0)
- {
- SLOGE("%s : %s\n", "bind()", strerror(errno));
- goto error;
- }
-
- /* Change permission to accept all processes that has different uID/gID */
- sock_mode = (S_IRWXU | S_IRWXG | S_IRWXO);
- /* Flawfinder hits this chmod function as level 5 CRITICAL as race condition flaw *
- * Flawfinder recommends to user fchmod insted of chmod
- * But, fchmod doesn't work on socket file so there is no other choice at this point */
- if (chmod(SECURITY_SERVER_TEST_SOCK_PATH, sock_mode) < 0) /* Flawfinder: ignore */
- {
- SLOGE("%s : %s\n", "chmod()", strerror(errno));
- goto error;
- }
-
- return localsockfd;
-error:
-
- close(localsockfd);
- localsockfd = -1;
- return localsockfd;
-}
-
-int check_socket_poll(int sockfd, int event, int timeout)
-{
- struct pollfd poll_fd[1];
- int retval;
-
- poll_fd[0].fd = sockfd;
- poll_fd[0].events = event;
- retval = poll(poll_fd, 1, timeout);
- if (retval < 0)
- {
- SLOGE("%s : %s\n", "poll()", strerror(errno));
- return -1;
- }
-
- /* Timed out */
- if (retval == 0)
- {
- SLOGE("%s", "poll() timeout");
- return 0;
- }
- return 1;
-}
-
-int send_gid_request(int sock_fd, const char *object)
-{
- basic_header hdr;
- int retval, send_len = 0;
- unsigned char *buf = NULL;
-
- hdr.version = 0x01; /* SECURITY_SERVER_MSG_VERSION; */
- hdr.msg_id = 0x07; /* SECURITY_SERVER_MSG_TYPE_GID_REQUEST; */
- hdr.msg_len = strlen(object);
-
- send_len = sizeof(hdr) + strlen(object);
-
- buf = (unsigned char*) malloc(send_len);
- if (buf == NULL)
- {
- SLOGE("%s\n", "out of memory");
- return -1;
- }
-
- memcpy(buf, &hdr, sizeof(hdr));
- memcpy(buf + sizeof(hdr), object, strlen(object));
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, 1000);
- if (retval == -1)
- {
- SLOGE("%s\n", "poll() error");
- if (buf != NULL)
- free(buf);
- return -1;
- }
- if (retval == 0)
- {
- SLOGE("%s\n", "poll() timeout");
- if (buf != NULL)
- free(buf);
- return -1;
- }
-
- retval = write(sock_fd, buf, send_len);
- if (retval < send_len)
- {
- /* Write error */
- SLOGE("Error on write(): %d. errno=%d, sockfd=%d\n", retval, errno, sock_fd);
- if (buf != NULL)
- free(buf);
- return -1;
- }
- if (buf != NULL)
- free(buf);
-
- return 0;
-}
-
-int connect_to_server(int *fd)
-{
- struct sockaddr_un clientaddr;
- int client_len = 0, localsockfd, ret, flags;
- *fd = -1;
-
- /* Create a socket */
- localsockfd = socket(AF_UNIX, SOCK_STREAM, 0);
- if (localsockfd < 0)
- {
- SLOGE("%s : %s\n", "socket()", strerror(errno));
- return -1;
- }
-
- /* Make socket as non blocking */
- if ((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 ||
- fcntl(localsockfd, F_SETFL, flags | O_NONBLOCK) < 0)
- {
- close(localsockfd);
- SLOGE("%s : %s\n", "fcntl()", strerror(errno));
- return -1;
- }
-
- bzero(&clientaddr, sizeof(clientaddr));
- clientaddr.sun_family = AF_UNIX;
- strncpy(clientaddr.sun_path, SECURITY_SERVER_SOCK_PATH, strlen(SECURITY_SERVER_SOCK_PATH));
- clientaddr.sun_path[strlen(SECURITY_SERVER_SOCK_PATH)] = 0;
- client_len = sizeof(clientaddr);
-
- ret = connect(localsockfd, (struct sockaddr*)&clientaddr, client_len);
- if (ret < 0)
- {
- if (errno == EINPROGRESS)
- {
- SLOGD("%s\n", "Connection is in progress");
- check_socket_poll(localsockfd, POLLOUT, 1000);
- if (ret == -1)
- {
- SLOGE("%s\n", "poll() error");
- close(localsockfd);
- return -1;
- }
- ret = connect(localsockfd, (struct sockaddr*)&clientaddr, client_len);
- if (ret < 0)
- {
- SLOGE("%s\n", "connection failed");
- close(localsockfd);
- return -1;
- }
- }
- else
- {
- SLOGE("%s\n", "Connection failed");
- close(localsockfd);
- return -1;
- }
- }
-
- *fd = localsockfd;
- return 0;
-}
-
-
-int fake_get_gid(const char *object)
-{
- int sockfd = -1, retval;
-
- retval = connect_to_server(&sockfd);
- if (retval != 0)
- {
- /* Error on socket */
- SLOGE("Connection failed: %d\n", retval);
- goto error;
- }
-
- /* make request packet and send to server*/
- retval = send_gid_request(sockfd, object);
- if (retval != 0)
- {
- /* Error on socket */
- SLOGE("Send request failed: %d\n", retval);
- goto error;
- }
- SLOGD("%s", "Just closing the socket and exit\n");
-
-error:
- if (sockfd > 0)
- close(sockfd);
-
- return 0;
-}
-
-int clear_password(char ** /*error*/)
-{
- int ret = -1;
- unsigned int attempt, max_attempt, expire_sec;
- const char *subject_allow = "subject_allow";
- struct smack_accesses *handle = NULL;
-
- if (getuid() == 0) {
- reset_security_server();
-
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- /* our subject 'subject_allow' has access to security-server::api-password-check */
- ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_set_label_for_self(subject_allow);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- smack_accesses_free(handle);
-
- attempt = max_attempt = expire_sec = UINT_MAX;
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
-
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
- RUNNER_ASSERT(expire_sec == 0);
- RUNNER_ASSERT(max_attempt == 0);
- RUNNER_ASSERT(attempt == 0);
-
- /* we revoke all rules for subject 'subject_allow' */
- ret = smack_revoke_subject(subject_allow);
- RUNNER_ASSERT_MSG(ret == 0, "Revoking subject didn't work.");
-
- sleep(1);
-
- return 0;
- }
- return -1;
-}
-
-/*
- * Add a new group to the current process groups.
- */
-void add_process_group(const char* group_name)
-{
- // get group ID by gtoup name
- group *gr = getgrnam(group_name);
- RUNNER_ASSERT_MSG(gr != NULL, "Group '" << group_name << "' does not exist.");
- const gid_t new_group_id = gr->gr_gid;
-
- // get number of groups that the current process belongs to
- int ngroups = getgroups(0, NULL);
-
- //allocate groups table + space for new group entry
- std::vector<gid_t> groups(ngroups + 1);
- getgroups(ngroups, groups.data());
-
- // check if the process already belongs to the group
- for (int i = 0; i < ngroups; ++i)
- if (groups[i] == new_group_id)
- return;
-
- // add new group & apply change
- groups[ngroups] = new_group_id;
- int ret = setgroups(ngroups + 1, groups.data());
- RUNNER_ASSERT_MSG(ret == 0, "setgroups failed. ret = " << ret);
-}
-
-/*
- * Remove specific group from the current process groups.
- */
-void remove_process_group(const char* group_name)
-{
- // get group ID by gtoup name
- group *gr = getgrnam(group_name);
- RUNNER_ASSERT_MSG(gr != NULL, "Group '" << group_name << "' does not exist.");
- const gid_t new_group_id = gr->gr_gid;
-
- // get number of groups that the current process belongs to
- int ngroups = getgroups(0, NULL);
-
- //allocate groups table + space for new group entry
- std::vector<gid_t> groups(ngroups);
- getgroups(ngroups, groups.data());
-
- // check if the process already belongs to the group
- for (int i = 0; i < ngroups; ++i)
- if (groups[i] == new_group_id) {
- groups[i] = groups[ngroups-1]; // replace with last
-
- // apply change
- int ret = setgroups(ngroups - 1, groups.data());
- RUNNER_ASSERT_MSG(ret == 0, "setgroups failed. ret = " << ret);
- return;
- }
-}
-
-RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER);
-
-RUNNER_TEST(tc_getting_default_cookie)
-{
- printhex(cookie, COOKIE_SIZE);
- RUNNER_ASSERT(security_server_request_cookie((char*)cookie, 20) == SECURITY_SERVER_API_SUCCESS);
-}
-
-RUNNER_TEST(tc_security_server_get_gid_normal_case_trying_to_get_gid_of_tel_gprs)
-{
- RUNNER_ASSERT(security_server_get_gid("tel_gprs") >= 0);
-}
-
-RUNNER_TEST(tc_security_server_get_gid_empty_object_name)
-{
- RUNNER_ASSERT(security_server_get_gid("") == SECURITY_SERVER_API_ERROR_INPUT_PARAM);
-}
-
-RUNNER_TEST(tc_security_server_get_gid_wrong_object_name_teltel)
-{
- RUNNER_ASSERT(security_server_get_gid("teltel") == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT);
-}
-
-RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_negative)
-{
- remove_process_group(PROC_AUDIO_GROUP_NAME);
-
- RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
- SECURITY_SERVER_API_SUCCESS);
- ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- ret = security_server_check_privilege((char*) cookie, ret);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_positive)
-{
- add_process_group(PROC_AUDIO_GROUP_NAME);
-
- RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
- SECURITY_SERVER_API_SUCCESS);
- ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- ret = security_server_check_privilege((char*) cookie, ret);
- RUNNER_ASSERT(ret == SECURITY_SERVER_API_SUCCESS);
-}
-
-RUNNER_TEST(tc_ask_for_privilege_with_default_cookie_case_with_wrong_cookie)
-{
- ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- srand(time(NULL));
- for (i = 0; i < COOKIE_SIZE; i++)
- wrong_cookie[i] = rand() % 255;
- ret = security_server_check_privilege((const char*) wrong_cookie, ret);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-}
-
-
-RUNNER_TEST(tc_fake_security_server_get_gid)
-{
- /* Close socket just after sending request msg.
- * This is done with fake security_server_get_gid()*/
-
- ret = fake_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_IGNORED_MSG("Watch whether security server has crashed or not.");
-}
-
-RUNNER_TEST(tc_get_pid_of_a_given_cookie_default_cookie_case)
-{
- RUNNER_ASSERT(security_server_get_cookie_pid((const char*) cookie) == getpid());
-}
-
-RUNNER_TEST(tc_get_pid_of_non_existing_cookie)
-{
- RUNNER_ASSERT(security_server_get_cookie_pid((const char*) wrong_cookie) == SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
-}
-
-RUNNER_TEST(tc_get_pid_of_null_cookie)
-{
- RUNNER_ASSERT(security_server_get_cookie_pid(NULL) == SECURITY_SERVER_API_ERROR_INPUT_PARAM);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc01a_security_server_app_give_access)
-{
- const char *subject = "abc345v34sfa";
- const char *object = "efg678x2lkjz";
- const char *server_api = "security-server::api-data-share";
- smack_accesses *tmp = NULL;
-
- RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
-
- AccessesUniquePtr smack(tmp, smack_accesses_free);
-
- RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----"));
- RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), object, server_api, "rw"));
- RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
-
- smack_set_label_for_self(object);
-
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- security_server_app_give_access(subject, getpid());
-
- RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxat"));
-}
-
-/*
- * Currently we are NOT revoking any permissions given by
- * security_server_app_give_access function
- */
-/*RUNNER_TEST(tc01b_security_server_app_give_access)
-{
- const char *subject = "abc345v34sfa";
- const char *object = "efg678x2lkjz";
-
- // After part A thread from security-server will be notified about
- // process end and revoke permissions. We need to give him some
- // time.
- sleep(1);
-
- RUNNER_ASSERT(0 == smack_have_access(subject, object, "r----"));
- RUNNER_ASSERT(0 == smack_have_access(subject, object, "-w---"));
- RUNNER_ASSERT(0 == smack_have_access(subject, object, "--x--"));
- RUNNER_ASSERT(0 == smack_have_access(subject, object, "---a-"));
- RUNNER_ASSERT(0 == smack_have_access(subject, object, "----t"));
-}*/
-
-RUNNER_CHILD_TEST_SMACK(tc01c_security_server_app_give_access_no_access)
-{
- const char *subject = "xxx45v34sfa";
- const char *object = "yyy78x2lkjz";
- smack_accesses *tmp = NULL;
-
- RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
-
- AccessesUniquePtr smack(tmp, smack_accesses_free);
-
- RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----"));
- RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
-
- smack_set_label_for_self(object);
-
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == security_server_app_give_access(subject, getpid()));
-
- RUNNER_ASSERT(0 == smack_have_access(subject, object, "r"));
-}
-
-RUNNER_TEST_SMACK(tc02_check_privilege_by_pid)
-{
- int ret;
- int pid;
-
- pid = getpid();
-
- //we checking existing rule, it should return positive
- ret = security_server_check_privilege_by_pid(pid, "_", "rx");
- RUNNER_ASSERT(ret == SECURITY_SERVER_API_SUCCESS);
-
- //we checking rule with label that not exist
- ret = security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat");
- RUNNER_ASSERT(ret != SECURITY_SERVER_API_SUCCESS);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc03_check_API_passwd_allow)
-{
- int ret = -1;
- unsigned int attempt, max_attempt, expire_sec;
- const char *subject_allow = TEST03_SUBJECT;
- struct smack_accesses *handle = NULL;
- char *str = (char*) malloc(256);
-
- attempt = max_attempt = expire_sec = 0;
-
- ret = clear_password(&str);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << str);
-
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- /* our subject 'subject_allow' has access to security-server::api-password-check */
- ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- /* our subject 'subject_allow' has access to security-server::api-passwd-set */
- ret = smack_accesses_add(handle, subject_allow, API_PASSWD_SET, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- smack_accesses_free(handle);
-
- ret = smack_set_label_for_self(subject_allow);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- ret = security_server_set_pwd_validity(10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
-
- ret = security_server_set_pwd_max_challenge(5);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
-
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
-
- sleep(1);
- ret = security_server_set_pwd(NULL, "12345", 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- sleep(1);
- ret = security_server_reset_pwd("12345",0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- sleep(1);
- ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- sleep(1);
- ret = security_server_set_pwd_history(10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST(tc04_check_API_passwd_denied)
-{
- RUNNER_IGNORED_MSG("SS API label checking not enabled yet.");
-
- int ret = -1;
- unsigned int attempt, max_attempt, expire_sec;
- const char *subject_denied = TEST04_SUBJECT;
- char *str = (char*) malloc(256);
-
- attempt = max_attempt = expire_sec = 0;
-
- ret = smack_set_label_for_self(subject_denied);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- /*
- * now SS should return error
- * at the moment SS doesn't check return code from
- * authorize_SS_API_caller_socket() so it should give access
- * you can check in logs if it's working properly
- * has access result = 1
- * no access result = 0
- * D/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(205) >
- * [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
- * object=security-server::api-password-check, access=w, result=1,
- * caller_path=/usr/bin/security-server-tests-server
- * E/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(207) >
- * [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
- * object=security-server::api-password-check, access=w, result=0,
- * caller_path=/usr/bin/security-server-tests-server
- */
-
- ret = security_server_set_pwd_validity(10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ret = security_server_set_pwd_max_challenge(5);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- sleep(1);
- ret = security_server_set_pwd("12345", "12346", 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- sleep(1);
- ret = security_server_reset_pwd("12346",0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- sleep(1);
- ret = security_server_chk_pwd("12346", &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- sleep(1);
- ret = security_server_set_pwd_history(10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ret = clear_password(&str);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
- free(str);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc05_check_API_middleware_allow)
-{
- int ret = -1;
- size_t cookie_size = security_server_get_cookie_size();
- char cookie[20];
- char *ss_label = NULL;
-
- add_process_group(PROC_AUDIO_GROUP_NAME);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- ret = security_server_request_cookie(cookie, cookie_size);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- ret = security_server_check_privilege(cookie, ret);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = security_server_get_gid("root");
- RUNNER_ASSERT_MSG(ret > -1, "ret: " << ret);
-
- ret = security_server_get_cookie_pid(cookie);
- RUNNER_ASSERT_MSG(ret == getpid(), "ret: " << ret);
-
- ss_label = security_server_get_smacklabel_cookie(cookie);
- RUNNER_ASSERT_MSG(ss_label != NULL, "ret: " << ss_label);
-
- ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST(tc06_check_API_middleware_denied)
-{
- RUNNER_IGNORED_MSG("SS API label checking not enabled yet.");
-
- int ret = -1;
- const char *subject_denied = TEST06_SUBJECT;
- size_t cookie_size = security_server_get_cookie_size();
- char cookie[20];
- char *ss_label = NULL;
-
- add_process_group(PROC_AUDIO_GROUP_NAME);
-
- ret = smack_set_label_for_self(subject_denied);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- ret = security_server_request_cookie(cookie, cookie_size);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = security_server_check_privilege(cookie, DB_ALARM_GID);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ret = security_server_get_gid("root");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ret = security_server_get_cookie_pid(cookie);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ss_label = security_server_get_smacklabel_cookie(cookie);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-
- ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow)
-{
- int ret = -1;
- const char *subject_allow = TEST07_SUBJECT;
- struct smack_accesses *handle = NULL;
-
- /* allow subject 'subjet_allow' to security-server::api-data-share */
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_add(handle, subject_allow, API_DATA_SHARE, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- smack_accesses_free(handle);
-
- ret = smack_set_label_for_self(subject_allow);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- ret = security_server_app_give_access(subject_allow, getpid());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST_SMACK(tc08_check_API_data_share_denied)
-{
- int ret = -1;
- const char *subject_denied = TEST08_SUBJECT;
-
- ret = smack_set_label_for_self(subject_denied);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- ret = security_server_app_give_access(subject_denied, getpid());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-}
-
-RUNNER_CHILD_TEST(tc09_check_API_app_enable_permissions)
-{
- int ret;
- const char *perm_list[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
- int persistent = 1;
-
- // need to install WGT once again, in case it was removed before
- DB_BEGIN
- ret = perm_app_uninstall(WGT_APP_ID);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
- ret = perm_app_install(WGT_APP_ID);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
- DB_END
-
- // enable permission
- ret = security_server_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list, persistent);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- /* allow subject TEST09_SUBJECT to socket label security-server::api-privilege-by-name */
- struct smack_accesses *handle = NULL;
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- SmackUniquePtr smackAccPtr(handle, smack_accesses_free);
- handle = NULL; // it is better to reset standard pointer after that
-
- ret = smack_accesses_add(smackAccPtr.get(), TEST09_SUBJECT, API_PRIVILEGE_BY_NAME, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(smackAccPtr.get());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_set_label_for_self(TEST09_SUBJECT);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- // Check if permissions are given
- check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, true);
-}
-
-RUNNER_CHILD_TEST(tc10_check_API_app_disable_permissions)
-{
- int ret;
- const char *perm_list[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
-
- // need to install WGT once again, in case it was removed before
- DB_BEGIN
- ret = perm_app_uninstall(WGT_APP_ID);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
- ret = perm_app_install(WGT_APP_ID);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
- DB_END
-
- // disable permission
- ret = security_server_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- /* allow subject TEST10_SUBJECT to socket label security-server::api-privilege-by-name */
- struct smack_accesses *handle = NULL;
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- SmackUniquePtr smackAccPtr(handle, smack_accesses_free);
- handle = NULL; // it is better to reset standard pointer after that
-
- ret = smack_accesses_add(smackAccPtr.get(), TEST10_SUBJECT, API_PRIVILEGE_BY_NAME, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(smackAccPtr.get());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_set_label_for_self(TEST10_SUBJECT);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- // Check if permissions are disabled
- check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, false);
-}
-
-RUNNER_TEST(tc11_security_server_app_has_privilege)
-{
- int ret;
- const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
- const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
- "org.tizen.privilege.calendar.write",
- NULL};
- const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
- NULL};
- DB_BEGIN
- ret = perm_app_uninstall(TEST11_SUBJECT);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
- ret = perm_app_install(TEST11_SUBJECT);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
- DB_END
-
- // enable permission
- ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- // Check if permissions are given using API with app_label parameter
- check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, true);
- check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, true);
- check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_disabled, false);
-}
-
-RUNNER_CHILD_TEST(tc12_security_server_app_caller_has_privilege)
-{
- int ret;
- const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
- const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
- "org.tizen.privilege.calendar.write",
- NULL};
- const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
- NULL};
-
- DB_BEGIN
- ret = perm_app_uninstall(TEST11_SUBJECT);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
- ret = perm_app_install(TEST11_SUBJECT);
- RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
- DB_END
-
- // enable permission
- ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- // allow subject TEST11_SUBJECT to sockets (label privilege-by-name)
- struct smack_accesses *handle = NULL;
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- SmackUniquePtr smackAccPtr(handle, smack_accesses_free);
- handle = NULL; // it is better to reset standard pointer after that
-
- ret = smack_accesses_add(smackAccPtr.get(), TEST11_SUBJECT, API_PRIVILEGE_BY_NAME, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(smackAccPtr.get());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_set_label_for_self(TEST11_SUBJECT);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- // Check if permissions are given using "caller" API
- check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_pers, true);
- check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_temp, true);
- check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_disabled, false);
-}
-
-RUNNER_CHILD_TEST(tc13_check_API_app_has_privilege_denied)
-{
- int ret;
- const char *perm_list[] = {"org.tizen.privilege.contact.read",
- "org.tizen.privilege.contact.write",
- NULL};
-
- // set smack label without previously assigned permissions to api socket
- ret = smack_set_label_for_self(TEST12_SUBJECT);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
-
- // drop root privileges
- RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
-
- // call common function to perform the check
- check_app_caller_has_privilege_denied(APP_TYPE_WGT, perm_list);
-
- // call also second common function
- check_app_has_privilege_denied(TEST12_SUBJECT, APP_TYPE_WGT, perm_list);
-}
-
-//////////////////////////////////////////
-/////////NOSMACK ENV TESTS////////////////
-//////////////////////////////////////////
-
-/**
- * NOSMACK version of tc01a and tc01c tests.
- *
- * SMACK is turned off - that means for us, that we don't need any accesses added to our process
- * in SMACK before dropping root privileges. This test drops root privileges, calls
- * security_server_app_give_access and then checks if smack_have_access returns error (because
- * SMACK is off).
- *
- * security_server_app_give_access shouldn't return anything else than success when SMACK is off,
- * hence there is only one test that replaces tests tc01a and tc01c.
- */
-RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_app_give_access_nosmack)
-{
- const char* subject = "abc345v34sfa";
- const char* object = "efg678x2lkjz";
- int result = 0;
-
- result = drop_root_privileges();
- RUNNER_ASSERT_MSG(result == 0,
- "Failed to drop root privileges. Result: " << result << "uid = " << getuid());
-
- result = security_server_app_give_access(subject, getpid());
- RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_app_give_access. Result: " << result);
-
- result = smack_have_access(subject, object, "rwxat");
- RUNNER_ASSERT_MSG(result == -1,
- "smack_have_access should return error when SMACK is off. Result: " << result);
-}
-
-/**
- * NOSMACK version of tc02 test.
- *
- * check_privilege_by_pid should always return success when SMACK is off, no matter if label is
- * real or not.
- */
-RUNNER_TEST_NOSMACK(tc02_check_privilege_by_pid_nosmack)
-{
- int ret;
- int pid;
-
- pid = getpid();
-
- //we checking existing rule, it should return positive
- ret = security_server_check_privilege_by_pid(pid, "_", "rx");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "check_privilege_by_pid for existing label failed. Result: " << ret);
-
- //we checking rule with label that not exist
- ret = security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "check_privilege_by_pid for nonexisting label failed. Result: " << ret);
-}
-
-/**
- * NOSMACK version of clear_password function.
- *
- * Compared to SMACK version of this function, this one skips adding rules and setting label.
- */
-int clear_password_nosmack()
-{
- int ret = -1;
- unsigned int attempt, max_attempt, expire_sec;
-
- if (getuid() == 0) {
- reset_security_server();
-
- attempt = max_attempt = expire_sec = UINT_MAX;
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
-
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
- "is_pwd_faild should return no password error. Result: " << ret);
- RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec << ", should be 0.");
- RUNNER_ASSERT_MSG(max_attempt == 0, "max_attempt = " << max_attempt << ", should be 0.");
- RUNNER_ASSERT_MSG(attempt == 0, "attempt = " << attempt << ", should be 0.");
-
- sleep(1);
-
- return 0;
- }
- return -1;
-}
-
-/**
- * NOSMACK version of tc03 test.
- *
- * Just as tc01a/tc01c NOSMACK replacement, we don't need to do anything with SMACK because most
- * important functions will return errors (that is smack_accesses_apply/smack_have_access etc.).
- * First clear password, then drop privileges and proceed to regular testing.
- */
-
-RUNNER_CHILD_TEST_NOSMACK(tc03_check_API_passwd_allow_nosmack)
-{
- int ret = -1;
- unsigned int attempt, max_attempt, expire_sec;
-
- attempt = max_attempt = expire_sec = 0;
-
- clear_password_nosmack();
-
- // drop root privileges
- ret = drop_root_privileges();
- RUNNER_ASSERT_MSG(ret == 0,
- "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
-
- ret = security_server_set_pwd_validity(10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
- "set_pwd_validity should return no password error. Result: " << ret);
-
- ret = security_server_set_pwd_max_challenge(5);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
- "set_pwd_max_challenge should return no password error. Result: " << ret);
-
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
- "is_pwd_valid should return no password error. Result: " << ret);
-
- sleep(1);
- ret = security_server_set_pwd(NULL, "12345", 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "set_pwd failed. Result: " << ret);
-
- sleep(1);
- ret = security_server_reset_pwd("12345",0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "reset_pwd failed. Result: " << ret);
-
- sleep(1);
- ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "chk_pwd failed. Result: " << ret);
-
- sleep(1);
- ret = security_server_set_pwd_history(10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "set_pwd_history failed. Result: " << ret);
-}
-
-/**
- * NOSMACK version of tc05 test.
- *
- * This test assumes similar information as previous NOSMACK tests. SMACK off = no need to
- * set accesses and apply them in SMACK before dropping privileges.
- */
-
-RUNNER_CHILD_TEST_NOSMACK(tc05_check_API_middleware_allow_nosmack)
-{
- int ret = -1;
- size_t cookie_size = security_server_get_cookie_size();
- char cookie[20];
- char* ss_label = NULL;
-
- add_process_group(PROC_AUDIO_GROUP_NAME);
-
- // drop root privileges
- ret = drop_root_privileges();
- RUNNER_ASSERT_MSG(ret == 0,
- "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
-
- ret = security_server_request_cookie(cookie, cookie_size);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "request_cookie failed. Result: " << ret);
-
- ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME << "\" gid. Result: "
- << ret);
-
- ret = security_server_check_privilege(cookie, ret);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "check_privilege failed. Result: " << ret);
-
- ret = security_server_get_gid("root");
- RUNNER_ASSERT_MSG(ret > -1,
- "Failed to get \"root\" gid. Result: " << ret);
-
- ret = security_server_get_cookie_pid(cookie);
- RUNNER_ASSERT_MSG(ret == getpid(),
- "get_cookie_pid returned different pid than it should. Result: " << ret);
-
- ss_label = security_server_get_smacklabel_cookie(cookie);
- RUNNER_ASSERT_MSG(ss_label != NULL, "get_smacklabel_cookie failed.");
-
- ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- if(ret != SECURITY_SERVER_API_SUCCESS) {
- free(ss_label);
- RUNNER_ASSERT_MSG(false, "check_privilege_by_pid failed. Result: " << ret);
- }
-}
-
-/**
- * NOSMACK version of tc07 test.
- *
- * Similarily to previous tests - no need to set self label because SMACK is off. Just as
- * tc01a/tc01c replacement, security_server_app_give_access should return only success. Hence the
- * NOSMACK version of tc08 test is skipped.
- */
-RUNNER_CHILD_TEST_NOSMACK(tc07_check_API_data_share_allow_nosmack)
-{
- int ret = -1;
- const char* subject_allow = TEST07_SUBJECT;
-
- // drop root privileges
- ret = drop_root_privileges();
- RUNNER_ASSERT_MSG(ret == 0,
- "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
-
- ret = security_server_app_give_access(subject_allow, getpid());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "app_give_access failed. Result: " << ret);
-}
-
-int main(int argc, char *argv[])
-{
- server_sockfd = -1;
-
- ret = getuid();
- if (ret != 0)
- {
- printf("Error: %s must be executed by root\n", argv[0]);
- exit(1);
- }
-
- int status =
- DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
-
- if (server_sockfd > 0)
- close(server_sockfd);
- if (client_sockfd > 0)
- close(client_sockfd);
-
- return status;
-}
+++ /dev/null
-/*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
- */
-/*
- * @file security_server_tests_weird_arguments.cpp
- * @author Zbigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief Test cases for security server
- *
- */
-#include "tests_common.h"
-#include "security-server.h"
-#include <dpl/test/test_runner.h>
-#include <dpl/log/log.h>
-
-#define SECURITY_SERVER_MAX_OBJ_NAME 30
-
-RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_WEIRD_ARGUMENTS);
-
-RUNNER_TEST(tc01_security_server_get_gid_weird_input_case)
-{
- int ret = 0;
- char weird[] = {static_cast <char> (0xe3), 0x79, static_cast <char> (0x82), 0x0};
-
- /* normal param case */
- ret = security_server_get_gid("tel_sim");
- RUNNER_ASSERT_MSG(ret > -1, "ret: " << ret);
-
- /* wrong param case */
- ret = security_server_get_gid("elephony_akecall");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret: " << ret);
-
- /* weird param case */
- ret = security_server_get_gid(weird);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret: " << ret);
-
- /* null param case */
- ret = security_server_get_gid(NULL);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-
- /* param too long case */
- ret = security_server_get_gid("abcdefghijklmnopqrstuvwxyz01234");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-
- /* empty param case */
- ret = security_server_get_gid("");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-}
-
-/* from security_server_tests_server.cpp */
-
-RUNNER_TEST(tc03_security_server_request_cookie_weird_input_case)
-{
- int ret = 0;
- size_t cookie_size = security_server_get_cookie_size();
-
- /* null cookie case */
- char *cookie = NULL;
-
- ret = security_server_request_cookie(cookie, cookie_size);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-
- /* buffer size too small case */
- cookie_size = 19;
- char cookie2[cookie_size];
-
- ret = security_server_request_cookie(cookie2, cookie_size);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret: " << ret);
-}
-
-RUNNER_TEST(tc04_security_server_check_privilege_weird_input_case)
-{
- int ret = 0;
- size_t cookie_size = security_server_get_cookie_size();
- gid_t gid = DB_ALARM_GID;
-
- /* null cookie case */
- char *cookie = NULL;
-
- ret = security_server_check_privilege(cookie, gid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-
- char cookie2[cookie_size];
-
- ret = security_server_request_cookie(cookie2, cookie_size);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- /* big gid case */
- gid = 70666;
-
- ret = security_server_check_privilege(cookie2, gid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-}
-RUNNER_TEST(tc05_security_server_check_privilege_by_cookie_weird_input_case)
-{
- int ret = 0;
- size_t cookie_size = security_server_get_cookie_size();;
- const char *object = "telephony_makecall";
- const char *access_rights = "r";
-
- /* null cookie case */
- char *cookie = NULL;
- ret = security_server_check_privilege_by_cookie(cookie, object, access_rights);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-
- /* null object case */
- char *object2 = NULL;
- char cookie2[cookie_size];
-
- ret = security_server_request_cookie(cookie2, cookie_size);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = security_server_check_privilege_by_cookie(cookie2, object2, access_rights);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-
- /* null access rights case */
- access_rights = NULL;
- ret = security_server_check_privilege_by_cookie(cookie2, object, access_rights);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-}
-
-RUNNER_TEST_SMACK(tc06_security_server_check_privilege_by_sockfd_weird_input_case)
-{
- int ret = 0;
- int sockfd = -1;
- const char *object = "telephony_makecall";
- const char *access_rights = "r";
-
- /* invalid sockfd case */
- ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
- sockfd = 0;
-
- /* null object case */
- char *object2 = NULL;
- ret = security_server_check_privilege_by_sockfd(sockfd, object2, access_rights);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-
- /* null access rights case */
- access_rights = NULL;
- ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
-}
-
-RUNNER_TEST(tc07_security_server_get_cookie_pid_weird_input_case)
-{
- int ret = 0;
- char *cookie = NULL;
-
- ret = security_server_get_cookie_pid(cookie);
- RUNNER_ASSERT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM);
-}
-
-///////////////////////////
-/////NOSMACK ENV TESTS/////
-///////////////////////////
-
-/**
- * NOSMACK version of tc06 test.
- *
- * security_server_check_privilege_by_sockfd at first checks if SMACK exists and then checks if
- * params are correct. Even with incorrect params we should expect SUCCESS instead of
- * ERROR_INPUT_PARAM.
- */
-
-RUNNER_TEST_NOSMACK(tc06_security_server_check_privilege_by_sockfd_weird_input_case_nosmack)
-{
- int ret = 0;
- int sockfd = -1;
- const char* object = "telephony_makecall";
- const char* access_rights = "r";
-
- //invalid sockfd case
- ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "check_privilege_by_sockfd failed. Result: " << ret);
- sockfd = 0;
-
- //null object case
- char *object2 = NULL;
- ret = security_server_check_privilege_by_sockfd(sockfd, object2, access_rights);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "check_privilege_by_sockfd failed. Result: " << ret);
-
- //null access rights case
- access_rights = NULL;
- ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "check_privilege_by_sockfd failed. Result: " << ret);
-}
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ */
+/*
+ * @file security_server_tests_server.cpp
+ * @author Bumjin Im (bj.im@samsung.com)
+ * @author Mariusz Domanski (m.domanski@samsung.com)
+ * @version 1.0
+ * @brief Test cases for security server
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <fcntl.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <poll.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/smack.h>
+#include <sys/wait.h>
+#include <grp.h>
+#include "security-server.h"
+#include "security_server_clean_env.h"
+#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_child.h>
+#include <dlog.h>
+#include <privilege-control.h>
+#include <ftw.h>
+#include "security_server_tests_common.h"
+#include "tests_common.h"
+#include <smack_access.h>
+#include <access_provider.h>
+
+const char *TEST03_SUBJECT = "subject_0f09f7cc";
+const char *TEST04_SUBJECT = "subject_57dfbfc5";
+const char *TEST05_SUBJECT = "subject_1d6eda7d";
+const char *TEST06_SUBJECT = "subject_1d414140";
+const char *TEST07_SUBJECT = "subject_cd738844";
+const char *TEST08_SUBJECT = "subject_fd84ba7f";
+const char *TEST09_SUBJECT = "subject_sstest09";
+const char *TEST10_SUBJECT = "subject_sstest10";
+const char *TEST11_SUBJECT = "subject_sstest11";
+const char *TEST12_SUBJECT = "subject_sstest12";
+
+const char *API_PASSWD_SET = "security-server::api-password-set";
+const char *API_PASSWD_CHECK = "security-server::api-password-check";
+const char *API_RULE_REQUIRED = "w";
+const char *PROC_AUDIO_GROUP_NAME = "audio";
+
+int clear_password(char ** /*error*/)
+{
+ int ret = -1;
+ unsigned int attempt, max_attempt, expire_sec;
+ const char *subject_allow = "subject_allow";
+ struct smack_accesses *handle = NULL;
+
+ if (getuid() == 0) {
+ reset_security_server();
+
+ ret = smack_accesses_new(&handle);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ /* our subject 'subject_allow' has access to security-server::api-password-check */
+ ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = smack_accesses_apply(handle);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = smack_set_label_for_self(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ smack_accesses_free(handle);
+
+ attempt = max_attempt = expire_sec = UINT_MAX;
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+ RUNNER_ASSERT(expire_sec == 0);
+ RUNNER_ASSERT(max_attempt == 0);
+ RUNNER_ASSERT(attempt == 0);
+
+ /* we revoke all rules for subject 'subject_allow' */
+ ret = smack_revoke_subject(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "Revoking subject didn't work.");
+
+ sleep(1);
+
+ return 0;
+ }
+ return -1;
+}
+
+/*
+ * Add a new group to the current process groups.
+ */
+void add_process_group(const char* group_name)
+{
+ // get group ID by gtoup name
+ group *gr = getgrnam(group_name);
+ RUNNER_ASSERT_MSG(gr != NULL, "Group '" << group_name << "' does not exist.");
+ const gid_t new_group_id = gr->gr_gid;
+
+ // get number of groups that the current process belongs to
+ int ngroups = getgroups(0, NULL);
+
+ //allocate groups table + space for new group entry
+ std::vector<gid_t> groups(ngroups + 1);
+ getgroups(ngroups, groups.data());
+
+ // check if the process already belongs to the group
+ for (int i = 0; i < ngroups; ++i)
+ if (groups[i] == new_group_id)
+ return;
+
+ // add new group & apply change
+ groups[ngroups] = new_group_id;
+ int ret = setgroups(ngroups + 1, groups.data());
+ RUNNER_ASSERT_MSG(ret == 0, "setgroups failed. ret = " << ret);
+}
+
+/*
+ * Remove specific group from the current process groups.
+ */
+void remove_process_group(const char* group_name)
+{
+ // get group ID by gtoup name
+ group *gr = getgrnam(group_name);
+ RUNNER_ASSERT_MSG(gr != NULL, "Group '" << group_name << "' does not exist.");
+ const gid_t new_group_id = gr->gr_gid;
+
+ // get number of groups that the current process belongs to
+ int ngroups = getgroups(0, NULL);
+
+ //allocate groups table + space for new group entry
+ std::vector<gid_t> groups(ngroups);
+ getgroups(ngroups, groups.data());
+
+ // check if the process already belongs to the group
+ for (int i = 0; i < ngroups; ++i)
+ if (groups[i] == new_group_id) {
+ groups[i] = groups[ngroups-1]; // replace with last
+
+ // apply change
+ int ret = setgroups(ngroups - 1, groups.data());
+ RUNNER_ASSERT_MSG(ret == 0, "setgroups failed. ret = " << ret);
+ return;
+ }
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER);
+
+RUNNER_TEST(tc_security_server_get_gid_normal_case_trying_to_get_gid_of_tel_gprs)
+{
+ RUNNER_ASSERT(security_server_get_gid("tel_gprs") >= 0);
+}
+
+RUNNER_TEST(tc_security_server_get_gid_empty_object_name)
+{
+ RUNNER_ASSERT(security_server_get_gid("") == SECURITY_SERVER_API_ERROR_INPUT_PARAM);
+}
+
+RUNNER_TEST(tc_security_server_get_gid_wrong_object_name_teltel)
+{
+ RUNNER_ASSERT(security_server_get_gid("teltel") == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT);
+}
+
+//RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_negative)
+//{
+// remove_process_group(PROC_AUDIO_GROUP_NAME);
+//
+// RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
+// SECURITY_SERVER_API_SUCCESS);
+// ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+// ret = security_server_check_privilege((char*) cookie, ret);
+// RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+//}
+//
+//RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_positive)
+//{
+// add_process_group(PROC_AUDIO_GROUP_NAME);
+//
+// RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
+// SECURITY_SERVER_API_SUCCESS);
+// ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+// ret = security_server_check_privilege((char*) cookie, ret);
+// RUNNER_ASSERT(ret == SECURITY_SERVER_API_SUCCESS);
+//}
+
+//RUNNER_TEST(tc_ask_for_privilege_with_default_cookie_case_with_wrong_cookie)
+//{
+// ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+// srand(time(NULL));
+// for (i = 0; i < COOKIE_SIZE; i++)
+// wrong_cookie[i] = rand() % 255;
+// ret = security_server_check_privilege((const char*) wrong_cookie, ret);
+// RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+//}
+//
+
+//RUNNER_TEST(tc_fake_security_server_get_gid)
+//{
+// /* Close socket just after sending request msg.
+// * This is done with fake security_server_get_gid()*/
+//
+// ret = fake_get_gid(PROC_AUDIO_GROUP_NAME);
+// RUNNER_IGNORED_MSG("Watch whether security server has crashed or not.");
+//}
+
+RUNNER_TEST(tc_ask_for_privilege_with_default_cookie_case_with_wrong_cookie)
+{
+ const char wrong_cookie[20] = {'w','a','t','?'};
+ int audioGID = security_server_get_gid("audio");
+ RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED
+ == security_server_check_privilege((const char*) wrong_cookie, audioGID));
+}
+
+RUNNER_TEST(tc_get_pid_of_non_existing_cookie)
+{
+ const char wrong_cookie[20] = {'w', 'a', 't', '?'};
+ RUNNER_ASSERT(security_server_get_cookie_pid(wrong_cookie) == SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
+}
+
+RUNNER_TEST(tc_get_pid_of_null_cookie)
+{
+ RUNNER_ASSERT(security_server_get_cookie_pid(NULL) == SECURITY_SERVER_API_ERROR_INPUT_PARAM);
+}
+
+RUNNER_CHILD_TEST_SMACK(tc01a_security_server_app_give_access)
+{
+ const char *subject = "abc345v34sfa";
+ const char *object = "efg678x2lkjz";
+ const char *server_api = "security-server::api-data-share";
+
+ SmackAccess smack;
+ smack.add(subject, object, "-----", TRACE_FROM_HERE);
+ smack.add(object, server_api, "rw", TRACE_FROM_HERE);
+ smack.apply(TRACE_FROM_HERE);
+
+ smack_set_label_for_self(object);
+
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ security_server_app_give_access(subject, getpid());
+
+ RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxat"));
+}
+
+/*
+ * Currently we are NOT revoking any permissions given by
+ * security_server_app_give_access function
+ */
+/*RUNNER_TEST(tc01b_security_server_app_give_access)
+{
+ const char *subject = "abc345v34sfa";
+ const char *object = "efg678x2lkjz";
+
+ // After part A thread from security-server will be notified about
+ // process end and revoke permissions. We need to give him some
+ // time.
+ sleep(1);
+
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "r----"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "-w---"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "--x--"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "---a-"));
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "----t"));
+}*/
+
+RUNNER_CHILD_TEST_SMACK(tc01c_security_server_app_give_access_no_access)
+{
+ const char *subject = "xxx45v34sfa";
+ const char *object = "yyy78x2lkjz";
+
+ SmackAccess smack;
+ smack.add(subject, object, "-----", TRACE_FROM_HERE);
+ smack.apply(TRACE_FROM_HERE);
+
+ RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(object), "Error in smack_label_for_self");
+
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == security_server_app_give_access(subject, getpid()));
+
+ RUNNER_ASSERT(0 == smack_have_access(subject, object, "r"));
+}
+
+RUNNER_TEST_SMACK(tc02_check_privilege_by_pid)
+{
+ int ret;
+ int pid;
+
+ pid = getpid();
+
+ //we checking existing rule, it should return positive
+ ret = security_server_check_privilege_by_pid(pid, "_", "rx");
+ RUNNER_ASSERT(ret == SECURITY_SERVER_API_SUCCESS);
+
+ //we checking rule with label that not exist
+ ret = security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat");
+ RUNNER_ASSERT(ret != SECURITY_SERVER_API_SUCCESS);
+}
+
+RUNNER_CHILD_TEST_SMACK(tc03_check_API_passwd_allow)
+{
+ int ret = -1;
+ unsigned int attempt, max_attempt, expire_sec;
+ char *str = (char*) malloc(256);
+
+ attempt = max_attempt = expire_sec = 0;
+
+ ret = clear_password(&str);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << str);
+
+ SecurityServer::AccessProvider provider(TEST03_SUBJECT);
+ provider.allowAPI(API_PASSWD_CHECK, API_RULE_REQUIRED, TRACE_FROM_HERE);
+ provider.allowAPI(API_PASSWD_SET, API_RULE_REQUIRED, TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ ret = security_server_set_pwd_validity(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+
+ ret = security_server_set_pwd_max_challenge(5);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd(NULL, "12345", 0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_reset_pwd("12345",0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd_history(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+}
+
+RUNNER_CHILD_TEST(tc04_check_API_passwd_denied)
+{
+ RUNNER_IGNORED_MSG("SS API label checking not enabled yet.");
+
+ int ret = -1;
+ unsigned int attempt, max_attempt, expire_sec;
+
+ attempt = max_attempt = expire_sec = 0;
+
+ SecurityServer::AccessProvider privider(TEST04_SUBJECT);
+ privider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ /*
+ * now SS should return error
+ * at the moment SS doesn't check return code from
+ * authorize_SS_API_caller_socket() so it should give access
+ * you can check in logs if it's working properly
+ * has access result = 1
+ * no access result = 0
+ * D/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(205) >
+ * [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
+ * object=security-server::api-password-check, access=w, result=1,
+ * caller_path=/usr/bin/security-server-tests-server
+ * E/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(207) >
+ * [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
+ * object=security-server::api-password-check, access=w, result=0,
+ * caller_path=/usr/bin/security-server-tests-server
+ */
+
+ ret = security_server_set_pwd_validity(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_set_pwd_max_challenge(5);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd("12345", "12346", 0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_reset_pwd("12346",0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_chk_pwd("12346", &attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd_history(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+RUNNER_CHILD_TEST_SMACK(tc05_check_API_middleware_allow)
+{
+ int ret = -1;
+ size_t cookie_size = security_server_get_cookie_size();
+ char cookie[20];
+ char *ss_label = NULL;
+
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ SecurityServer::AccessProvider provider(TEST05_SUBJECT);
+ provider.allowFunction("security_server_get_gid", TRACE_FROM_HERE);
+ provider.allowFunction("security_server_request_cookie", TRACE_FROM_HERE);
+ provider.allowFunction("security_server_check_privilege", TRACE_FROM_HERE);
+ provider.allowFunction("security_server_get_cookie_pid", TRACE_FROM_HERE);
+ provider.allowFunction("security_server_get_smacklabel_cookie", TRACE_FROM_HERE);
+ provider.allowFunction("security_server_check_privilege_by_pid", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ ret = security_server_request_cookie(cookie, cookie_size);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ ret = security_server_check_privilege(cookie, ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = security_server_get_gid("root");
+ RUNNER_ASSERT_MSG(ret > -1, "ret: " << ret);
+
+ ret = security_server_get_cookie_pid(cookie);
+ RUNNER_ASSERT_MSG(ret == getpid(), "ret: " << ret);
+
+ ss_label = security_server_get_smacklabel_cookie(cookie);
+ RUNNER_ASSERT_MSG(ss_label != NULL, "ret: " << ss_label);
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+}
+
+RUNNER_CHILD_TEST(tc06_check_API_middleware_denied)
+{
+ RUNNER_IGNORED_MSG("SS API label checking not enabled yet.");
+
+ int ret = -1;
+ size_t cookie_size = security_server_get_cookie_size();
+ char cookie[20];
+ char *ss_label = NULL;
+
+ SecurityServer::AccessProvider provider(TEST06_SUBJECT);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ ret = security_server_request_cookie(cookie, cookie_size);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = security_server_check_privilege(cookie, DB_ALARM_GID);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_get_gid("root");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_get_cookie_pid(cookie);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ss_label = security_server_get_smacklabel_cookie(cookie);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow)
+{
+ SecurityServer::AccessProvider provider(TEST07_SUBJECT);
+ provider.allowFunction("security_server_app_give_access", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ int ret = security_server_app_give_access(TEST07_SUBJECT, getpid());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+}
+
+RUNNER_CHILD_TEST_SMACK(tc08_check_API_data_share_denied)
+{
+ SecurityServer::AccessProvider provider(TEST08_SUBJECT);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ int ret = security_server_app_give_access(TEST08_SUBJECT, getpid());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+RUNNER_CHILD_TEST(tc09_check_API_app_enable_permissions)
+{
+ int ret;
+ const char *perm_list[] = {"org.tizen.privilege.contact.read",
+ "org.tizen.privilege.contact.write",
+ NULL};
+ int persistent = 1;
+
+ // need to install WGT once again, in case it was removed before
+ DB_BEGIN
+ ret = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
+ ret = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
+ DB_END
+
+ // enable permission
+ ret = security_server_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list, persistent);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ SecurityServer::AccessProvider provider(TEST09_SUBJECT);
+ provider.allowFunction("security_server_app_has_privilege", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ // Check if permissions are given
+ check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, true);
+}
+
+RUNNER_CHILD_TEST(tc10_check_API_app_disable_permissions)
+{
+ int ret;
+ const char *perm_list[] = {"org.tizen.privilege.contact.read",
+ "org.tizen.privilege.contact.write",
+ NULL};
+
+ // need to install WGT once again, in case it was removed before
+ DB_BEGIN
+ ret = perm_app_uninstall(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall WGT_APP_ID, ret: " << ret);
+ ret = perm_app_install(WGT_APP_ID);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install WGT_APP_ID, ret: " << ret);
+ DB_END
+
+ // disable permission
+ ret = security_server_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, perm_list);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ SecurityServer::AccessProvider provider(TEST10_SUBJECT);
+ provider.allowFunction("security_server_app_has_privilege", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ // Check if permissions are disabled
+ check_app_has_privilege(WGT_APP_ID, APP_TYPE_WGT, perm_list, false);
+}
+
+RUNNER_TEST(tc11_security_server_app_has_privilege)
+{
+ int ret;
+ const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
+ "org.tizen.privilege.contact.write",
+ NULL};
+ const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
+ "org.tizen.privilege.calendar.write",
+ NULL};
+ const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
+ NULL};
+ DB_BEGIN
+ ret = perm_app_uninstall(TEST11_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
+ ret = perm_app_install(TEST11_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
+ DB_END
+
+ // enable permission
+ ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+ ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ // Check if permissions are given using API with app_label parameter
+ check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, true);
+ check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, true);
+ check_app_has_privilege(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_disabled, false);
+}
+
+RUNNER_CHILD_TEST(tc12_security_server_app_caller_has_privilege)
+{
+ int ret;
+ const char *perm_list_pers[] = {"org.tizen.privilege.contact.read",
+ "org.tizen.privilege.contact.write",
+ NULL};
+ const char *perm_list_temp[] = {"org.tizen.privilege.calendar.read",
+ "org.tizen.privilege.calendar.write",
+ NULL};
+ const char *perm_list_disabled[] = {"org.tizen.privilege.alarm",
+ NULL};
+
+ DB_BEGIN
+ ret = perm_app_uninstall(TEST11_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot uninstall TEST11_SUBJECT, ret: " << ret);
+ ret = perm_app_install(TEST11_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Cannot install TEST11_SUBJECT, ret: " << ret);
+ DB_END
+
+ // enable permission
+ ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_pers, 1);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+ ret = security_server_app_enable_permissions(TEST11_SUBJECT, APP_TYPE_WGT, perm_list_temp, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ SecurityServer::AccessProvider provider(TEST11_SUBJECT);
+ provider.allowFunction("security_server_app_caller_has_privilege", TRACE_FROM_HERE);
+ provider.applyAndSwithToUser(APP_UID, APP_GID, TRACE_FROM_HERE);
+
+ // Check if permissions are given using "caller" API
+ check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_pers, true);
+ check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_temp, true);
+ check_app_caller_has_privilege(APP_TYPE_WGT, perm_list_disabled, false);
+}
+
+RUNNER_CHILD_TEST(tc13_check_API_app_has_privilege_denied)
+{
+ int ret;
+ const char *perm_list[] = {"org.tizen.privilege.contact.read",
+ "org.tizen.privilege.contact.write",
+ NULL};
+
+ // set smack label without previously assigned permissions to api socket
+ ret = smack_set_label_for_self(TEST12_SUBJECT);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ // drop root privileges
+ RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
+ // call common function to perform the check
+ check_app_caller_has_privilege_denied(APP_TYPE_WGT, perm_list);
+
+ // call also second common function
+ check_app_has_privilege_denied(TEST12_SUBJECT, APP_TYPE_WGT, perm_list);
+}
+
+//////////////////////////////////////////
+/////////NOSMACK ENV TESTS////////////////
+//////////////////////////////////////////
+
+/**
+ * NOSMACK version of tc01a and tc01c tests.
+ *
+ * SMACK is turned off - that means for us, that we don't need any accesses added to our process
+ * in SMACK before dropping root privileges. This test drops root privileges, calls
+ * security_server_app_give_access and then checks if smack_have_access returns error (because
+ * SMACK is off).
+ *
+ * security_server_app_give_access shouldn't return anything else than success when SMACK is off,
+ * hence there is only one test that replaces tests tc01a and tc01c.
+ */
+RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_app_give_access_nosmack)
+{
+ const char* subject = "abc345v34sfa";
+ const char* object = "efg678x2lkjz";
+ int result = 0;
+
+ result = drop_root_privileges();
+ RUNNER_ASSERT_MSG(result == 0,
+ "Failed to drop root privileges. Result: " << result << "uid = " << getuid());
+
+ result = security_server_app_give_access(subject, getpid());
+ RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_app_give_access. Result: " << result);
+
+ result = smack_have_access(subject, object, "rwxat");
+ RUNNER_ASSERT_MSG(result == -1,
+ "smack_have_access should return error when SMACK is off. Result: " << result);
+}
+
+/**
+ * NOSMACK version of tc02 test.
+ *
+ * check_privilege_by_pid should always return success when SMACK is off, no matter if label is
+ * real or not.
+ */
+RUNNER_TEST_NOSMACK(tc02_check_privilege_by_pid_nosmack)
+{
+ int ret;
+ int pid;
+
+ pid = getpid();
+
+ //we checking existing rule, it should return positive
+ ret = security_server_check_privilege_by_pid(pid, "_", "rx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege_by_pid for existing label failed. Result: " << ret);
+
+ //we checking rule with label that not exist
+ ret = security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege_by_pid for nonexisting label failed. Result: " << ret);
+}
+
+/**
+ * NOSMACK version of clear_password function.
+ *
+ * Compared to SMACK version of this function, this one skips adding rules and setting label.
+ */
+int clear_password_nosmack()
+{
+ int ret = -1;
+ unsigned int attempt, max_attempt, expire_sec;
+
+ if (getuid() == 0) {
+ reset_security_server();
+
+ attempt = max_attempt = expire_sec = UINT_MAX;
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
+ "is_pwd_faild should return no password error. Result: " << ret);
+ RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec << ", should be 0.");
+ RUNNER_ASSERT_MSG(max_attempt == 0, "max_attempt = " << max_attempt << ", should be 0.");
+ RUNNER_ASSERT_MSG(attempt == 0, "attempt = " << attempt << ", should be 0.");
+
+ sleep(1);
+
+ return 0;
+ }
+ return -1;
+}
+
+/**
+ * NOSMACK version of tc03 test.
+ *
+ * Just as tc01a/tc01c NOSMACK replacement, we don't need to do anything with SMACK because most
+ * important functions will return errors (that is smack_accesses_apply/smack_have_access etc.).
+ * First clear password, then drop privileges and proceed to regular testing.
+ */
+
+RUNNER_CHILD_TEST_NOSMACK(tc03_check_API_passwd_allow_nosmack)
+{
+ int ret = -1;
+ unsigned int attempt, max_attempt, expire_sec;
+
+ attempt = max_attempt = expire_sec = 0;
+
+ clear_password_nosmack();
+
+ // drop root privileges
+ ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
+
+ ret = security_server_set_pwd_validity(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
+ "set_pwd_validity should return no password error. Result: " << ret);
+
+ ret = security_server_set_pwd_max_challenge(5);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
+ "set_pwd_max_challenge should return no password error. Result: " << ret);
+
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD,
+ "is_pwd_valid should return no password error. Result: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd(NULL, "12345", 0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "set_pwd failed. Result: " << ret);
+
+ sleep(1);
+ ret = security_server_reset_pwd("12345",0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "reset_pwd failed. Result: " << ret);
+
+ sleep(1);
+ ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "chk_pwd failed. Result: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd_history(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "set_pwd_history failed. Result: " << ret);
+}
+
+/**
+ * NOSMACK version of tc05 test.
+ *
+ * This test assumes similar information as previous NOSMACK tests. SMACK off = no need to
+ * set accesses and apply them in SMACK before dropping privileges.
+ */
+
+RUNNER_CHILD_TEST_NOSMACK(tc05_check_API_middleware_allow_nosmack)
+{
+ int ret = -1;
+ size_t cookie_size = security_server_get_cookie_size();
+ char cookie[20];
+ char* ss_label = NULL;
+
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ // drop root privileges
+ ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
+
+ ret = security_server_request_cookie(cookie, cookie_size);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "request_cookie failed. Result: " << ret);
+
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME << "\" gid. Result: "
+ << ret);
+
+ ret = security_server_check_privilege(cookie, ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege failed. Result: " << ret);
+
+ ret = security_server_get_gid("root");
+ RUNNER_ASSERT_MSG(ret > -1,
+ "Failed to get \"root\" gid. Result: " << ret);
+
+ ret = security_server_get_cookie_pid(cookie);
+ RUNNER_ASSERT_MSG(ret == getpid(),
+ "get_cookie_pid returned different pid than it should. Result: " << ret);
+
+ ss_label = security_server_get_smacklabel_cookie(cookie);
+ RUNNER_ASSERT_MSG(ss_label != NULL, "get_smacklabel_cookie failed.");
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ if(ret != SECURITY_SERVER_API_SUCCESS) {
+ free(ss_label);
+ RUNNER_ASSERT_MSG(false, "check_privilege_by_pid failed. Result: " << ret);
+ }
+}
+
+/**
+ * NOSMACK version of tc07 test.
+ *
+ * Similarily to previous tests - no need to set self label because SMACK is off. Just as
+ * tc01a/tc01c replacement, security_server_app_give_access should return only success. Hence the
+ * NOSMACK version of tc08 test is skipped.
+ */
+RUNNER_CHILD_TEST_NOSMACK(tc07_check_API_data_share_allow_nosmack)
+{
+ int ret = -1;
+
+ // drop root privileges
+ ret = drop_root_privileges();
+ RUNNER_ASSERT_MSG(ret == 0,
+ "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
+
+ ret = security_server_app_give_access(TEST07_SUBJECT, getpid());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "app_give_access failed. Result: " << ret);
+}
+
+int main(int argc, char *argv[]) {
+ if (0 != getuid()) {
+ printf("Error: %s must be executed by root\n", argv[0]);
+ exit(1);
+ }
+ return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
+}
+++ /dev/null
-/*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
- */
-/*
- * @file test.h
- * @author Bumjin Im (bj.im@samsung.com)
- * @author Mariusz Domanski (m.domanski@samsung.com)
- * @version 1.0
- * @brief Test cases for security server
- */
-
-#ifndef SECURITY_SERVER_TESTS_TEST_H
-#define SECURITY_SERVER_TESTS_TEST_H
-
-#include <sstream>
-#include <iomanip>
-
-#include <dpl/log/log.h>
-
-#define SECURITY_SERVER_TEST_SOCK_PATH "/tmp/.security-server-test"
-
-#ifdef LOG_TAG
- #undef LOG_TAG
-#endif // LOG_TAG
-#ifndef LOG_TAG
- #define LOG_TAG "SEC_SRV_TESTS"
-#endif // LOG_TAG
-
-void printhex(unsigned char *data, int size)
-{
- int i;
- std::ostringstream msg;
- msg << std::hex << std::setfill('0') << std::uppercase;
- for (i = 0; i < size; i++)
- {
- msg << std::setw(2) << static_cast<int>(data[i]) << " ";
- if (((i + 1) % 16) == 0 && i != 0)
- msg << std::endl;
- }
- msg << std::endl;
- LogDebug(msg.str());
-}
-
-#endif // SECURITY_SERVER_TESTS_TEST_H
--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ */
+/*
+ * @file security_server_tests_weird_arguments.cpp
+ * @author Zbigniew Jasinski (z.jasinski@samsung.com)
+ * @version 1.0
+ * @brief Test cases for security server
+ *
+ */
+#include "tests_common.h"
+#include "security-server.h"
+#include <dpl/test/test_runner.h>
+#include <dpl/log/log.h>
+
+#define SECURITY_SERVER_MAX_OBJ_NAME 30
+
+RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_WEIRD_ARGUMENTS);
+
+RUNNER_TEST(tc01_security_server_get_gid_weird_input_case)
+{
+ int ret = 0;
+ char weird[] = {static_cast <char> (0xe3), 0x79, static_cast <char> (0x82), 0x0};
+
+ /* normal param case */
+ ret = security_server_get_gid("tel_sim");
+ RUNNER_ASSERT_MSG(ret > -1, "ret: " << ret);
+
+ /* wrong param case */
+ ret = security_server_get_gid("elephony_akecall");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret: " << ret);
+
+ /* weird param case */
+ ret = security_server_get_gid(weird);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret: " << ret);
+
+ /* null param case */
+ ret = security_server_get_gid(NULL);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+
+ /* param too long case */
+ ret = security_server_get_gid("abcdefghijklmnopqrstuvwxyz01234");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+
+ /* empty param case */
+ ret = security_server_get_gid("");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+}
+
+/* from security_server_tests_server.cpp */
+
+RUNNER_TEST(tc03_security_server_request_cookie_weird_input_case)
+{
+ int ret = 0;
+ size_t cookie_size = security_server_get_cookie_size();
+
+ /* null cookie case */
+ char *cookie = NULL;
+
+ ret = security_server_request_cookie(cookie, cookie_size);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+
+ /* buffer size too small case */
+ cookie_size = 19;
+ char cookie2[cookie_size];
+
+ ret = security_server_request_cookie(cookie2, cookie_size);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret: " << ret);
+}
+
+RUNNER_TEST(tc04_security_server_check_privilege_weird_input_case)
+{
+ int ret = 0;
+ size_t cookie_size = security_server_get_cookie_size();
+ gid_t gid = DB_ALARM_GID;
+
+ /* null cookie case */
+ char *cookie = NULL;
+
+ ret = security_server_check_privilege(cookie, gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+
+ char cookie2[cookie_size];
+
+ ret = security_server_request_cookie(cookie2, cookie_size);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ /* big gid case */
+ gid = 70666;
+
+ ret = security_server_check_privilege(cookie2, gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+RUNNER_TEST(tc05_security_server_check_privilege_by_cookie_weird_input_case)
+{
+ int ret = 0;
+ size_t cookie_size = security_server_get_cookie_size();;
+ const char *object = "telephony_makecall";
+ const char *access_rights = "r";
+
+ /* null cookie case */
+ char *cookie = NULL;
+ ret = security_server_check_privilege_by_cookie(cookie, object, access_rights);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+
+ /* null object case */
+ char *object2 = NULL;
+ char cookie2[cookie_size];
+
+ ret = security_server_request_cookie(cookie2, cookie_size);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = security_server_check_privilege_by_cookie(cookie2, object2, access_rights);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+
+ /* null access rights case */
+ access_rights = NULL;
+ ret = security_server_check_privilege_by_cookie(cookie2, object, access_rights);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+}
+
+RUNNER_TEST_SMACK(tc06_security_server_check_privilege_by_sockfd_weird_input_case)
+{
+ int ret = 0;
+ int sockfd = -1;
+ const char *object = "telephony_makecall";
+ const char *access_rights = "r";
+
+ /* invalid sockfd case */
+ ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+ sockfd = 0;
+
+ /* null object case */
+ char *object2 = NULL;
+ ret = security_server_check_privilege_by_sockfd(sockfd, object2, access_rights);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+
+ /* null access rights case */
+ access_rights = NULL;
+ ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret);
+}
+
+RUNNER_TEST(tc07_security_server_get_cookie_pid_weird_input_case)
+{
+ int ret = 0;
+ char *cookie = NULL;
+
+ ret = security_server_get_cookie_pid(cookie);
+ RUNNER_ASSERT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM);
+}
+
+///////////////////////////
+/////NOSMACK ENV TESTS/////
+///////////////////////////
+
+/**
+ * NOSMACK version of tc06 test.
+ *
+ * security_server_check_privilege_by_sockfd at first checks if SMACK exists and then checks if
+ * params are correct. Even with incorrect params we should expect SUCCESS instead of
+ * ERROR_INPUT_PARAM.
+ */
+
+RUNNER_TEST_NOSMACK(tc06_security_server_check_privilege_by_sockfd_weird_input_case_nosmack)
+{
+ int ret = 0;
+ int sockfd = -1;
+ const char* object = "telephony_makecall";
+ const char* access_rights = "r";
+
+ //invalid sockfd case
+ ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege_by_sockfd failed. Result: " << ret);
+ sockfd = 0;
+
+ //null object case
+ char *object2 = NULL;
+ ret = security_server_check_privilege_by_sockfd(sockfd, object2, access_rights);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege_by_sockfd failed. Result: " << ret);
+
+ //null access rights case
+ access_rights = NULL;
+ ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "check_privilege_by_sockfd failed. Result: " << ret);
+}
+