#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/smack.h>
+#include <sys/wait.h>
#include "security-server.h"
#include <dpl/test/test_runner.h>
#include <dpl/test/test_runner_child.h>
#include <dlog.h>
#include <privilege-control.h>
+#include <ftw.h>
#include "test.h"
#define SECURITY_SERVER_SOCK_PATH "/tmp/.security_server.sock"
#define OLABEL_SIZE 1024
#define ARIGHTS_SIZE 32
+/* from security-server-common.h */
+#define SECURITY_SERVER_MAX_OBJ_NAME 30
+
+#define API_PASSWD_SET "security-server::api-password-set"
+#define API_PASSWD_CHECK "security-server::api-password-check"
+#define API_DATA_SHARE "security-server::api-data-share"
+#define API_MIDDLEWARE "security-server::api-middleware"
+
+#define API_FREE_ACCESS "*"
+#define API_RULE_REQUIRED "w"
+
/* Message */
typedef struct
return 0;
}
+static int nftw_rmdir_contents(const char *fpath, const struct stat *sb,
+ int tflag, struct FTW *ftwbuf)
+{
+ if (tflag == FTW_F) {
+ unlink(fpath);
+ }
+ if (tflag == FTW_DP && ftwbuf->level != 0) {
+ rmdir(fpath);
+ }
+
+ return 0;
+}
+
+int clear_password(char **error)
+{
+ int ret = -1;
+ unsigned int attempt, max_attempt, expire_sec;
+ const char *path = "/opt/data/security-server/";
+ const char *subject_allow = "subject_allow";
+ struct smack_accesses *handle = NULL;
+
+ attempt = max_attempt = expire_sec = 0;
+
+ if (getuid() == 0) {
+ if (access(path, F_OK) != 0) {
+ if (errno == ENOENT) {
+ strncpy(*error, strerror(errno), 256);
+ return errno;
+ }
+ if (errno == ENOTDIR) {
+ strncpy(*error, strerror(errno), 256);
+ return errno;
+ }
+ } else {
+ if (nftw(path, &nftw_rmdir_contents, 20, FTW_DEPTH) == -1) {
+ return 1;
+ }
+ }
+ sync();
+
+ ret = smack_accesses_new(&handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ /* our subject 'subject_allow' has access to security-server::api-password-check */
+ ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_accesses_apply(handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_set_label_for_self(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ smack_accesses_free(handle);
+
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+
+ RUNNER_ASSERT(expire_sec == 0);
+ RUNNER_ASSERT(max_attempt == 0);
+ RUNNER_ASSERT(attempt == 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+
+ /* we revoke all rules for subject 'subject_allow' */
+ ret = smack_revoke_subject(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "Revoking subject didn't work.");
+
+ sleep(1);
+
+ return 0;
+ }
+}
+
RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER);
RUNNER_TEST(tc_getting_default_cookie)
RUNNER_ASSERT(ret != SECURITY_SERVER_API_SUCCESS);
}
+RUNNER_TEST(tc03_check_API_passwd)
+{
+ int ret = -1;
+ unsigned int attempt, max_attempt, expire_sec;
+ const char *subject_allow = "subject_allow";
+ const char *subject_denied = "subject_denied";
+ struct smack_accesses *handle = NULL;
+ char *str = (char*) malloc(256);
+
+ attempt = max_attempt = expire_sec = 0;
+
+ ret = clear_password(&str);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << str);
+
+ ret = smack_accesses_new(&handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ /* our subject 'subject_allow' has access to security-server::api-password-check */
+ ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_accesses_apply(handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ /* our subject 'subject_allow' has access to security-server::api-passwd-set */
+ ret = smack_accesses_add(handle, subject_allow, API_PASSWD_SET, API_RULE_REQUIRED);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_accesses_apply(handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ smack_accesses_free(handle);
+
+ ret = smack_set_label_for_self(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = security_server_set_pwd_validity(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+
+ ret = security_server_set_pwd_max_challenge(5);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd(NULL, "12345", 0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_reset_pwd("12345",0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd_history(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ /* we revoke all rules for subject 'subject_allow' */
+ ret = smack_revoke_subject(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = smack_set_label_for_self(subject_denied);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ /*
+ * now SS should return error
+ * at the moment SS doesn't check return code from
+ * authorize_SS_API_caller_socket() so it should give access
+ * you can check in logs if it's working properly
+ * has access result = 1
+ * no access result = 0
+ * D/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(205) >
+ * [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
+ * object=security-server::api-password-check, access=w, result=1,
+ * caller_path=/usr/bin/security-server-tests-server
+ * E/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(207) >
+ * [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
+ * object=security-server::api-password-check, access=w, result=0,
+ * caller_path=/usr/bin/security-server-tests-server
+ */
+
+ ret = security_server_set_pwd_validity(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_set_pwd_max_challenge(5);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd("12345", "12346", 0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_reset_pwd("12346",0, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_chk_pwd("12346", &attempt, &max_attempt, &expire_sec);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ sleep(1);
+ ret = security_server_set_pwd_history(10);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = clear_password(&str);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+ free(str);
+}
+
+RUNNER_TEST(tc04_check_API_middleware)
+{
+ int ret = -1;
+ const char *subject_allow = "subject_allow";
+ const char *subject_denied = "subject_denied";
+ size_t cookie_size = security_server_get_cookie_size();
+ gid_t gid = 6001;
+ char cookie[20];
+ char *ss_label = NULL;
+ char object[SECURITY_SERVER_MAX_OBJ_NAME];
+ struct smack_accesses *handle = NULL;
+
+ /* allow subject 'subjet_allow' to security-server::api-middleware */
+ ret = smack_accesses_new(&handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_accesses_add(handle, subject_allow, API_MIDDLEWARE, API_RULE_REQUIRED);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_accesses_apply(handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+ smack_accesses_free(handle);
+
+ ret = smack_set_label_for_self(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = security_server_request_cookie(cookie, cookie_size);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = security_server_check_privilege(cookie, gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = security_server_get_object_name(gid, object, sizeof(object));
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = security_server_get_gid("root");
+ RUNNER_ASSERT_MSG(ret > -1, "ret: " << ret);
+
+ ret = security_server_get_cookie_pid(cookie);
+ RUNNER_ASSERT_MSG(ret == getpid(), "ret: " << ret);
+
+ ss_label = security_server_get_smacklabel_cookie(cookie);
+ RUNNER_ASSERT_MSG(ss_label != NULL, "ret: " << ss_label);
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ /* we revoke all rules for subject 'subject_allow' */
+ ret = smack_revoke_subject(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = smack_set_label_for_self(subject_denied);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = security_server_request_cookie(cookie, cookie_size);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = security_server_check_privilege(cookie, gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_get_object_name(gid, object, sizeof(object));
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_get_gid("root");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_get_cookie_pid(cookie);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ss_label = security_server_get_smacklabel_cookie(cookie);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+
+ ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+RUNNER_TEST(tc05_check_API_data_share)
+{
+ int ret = -1;
+ const char *subject_allow = "subject_allow";
+ const char *subject_denied = "subject_denied";
+ struct smack_accesses *handle = NULL;
+
+ /* allow subject 'subjet_allow' to security-server::api-data-share */
+ ret = smack_accesses_new(&handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_accesses_add(handle, subject_allow, API_DATA_SHARE, API_RULE_REQUIRED);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ ret = smack_accesses_apply(handle);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+ smack_accesses_free(handle);
+
+ ret = smack_set_label_for_self(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = security_server_app_give_access(subject_allow, getpid());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
+
+ /* we revoke all rules for subject 'subject_allow' */
+ ret = smack_revoke_subject(subject_allow);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = smack_set_label_for_self(subject_denied);
+ RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+
+ ret = security_server_app_give_access(subject_allow, getpid());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
int main(int argc, char *argv[])
{
server_sockfd = -1;