--- /dev/null
+/*
+ * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ */
+
+/*
+ * @file security_server_tests_cookie_api.cpp
+ * @author Pawel Polawski (p.polawski@partner.samsung.com)
+ * @version 1.0
+ * @brief Test cases for security server cookie api
+ *
+ */
+
+/*
+Tested API functions in this file:
+
+Protected by "security-server::api-cookie-get" label:
+ int security_server_get_cookie_size(void);
+ int security_server_request_cookie(char *cookie, size_t bufferSize);
+
+
+Protected by "security-server::api-cookie-check" label:
+ int security_server_check_privilege(const char *cookie, gid_t privilege);
+ int security_server_check_privilege_by_cookie(const char *cookie,
+ const char *object,
+ const char *access_rights);
+ int security_server_get_cookie_pid(const char *cookie);
+ char *security_server_get_smacklabel_cookie(const char *cookie);
+ int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
+ int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
+*/
+
+#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_multiprocess.h>
+#include <tests_common.h>
+#include <sys/smack.h>
+#include <cstddef>
+#include <sys/types.h>
+#include <unistd.h>
+#include "security-server.h"
+
+
+typedef std::unique_ptr<char, void(*)(void *)> UniquePtrCstring;
+//const char API_LABEL_GET[] = "security-server::api-cookie-get";
+const char API_LABEL_CHECK[] = "security-server::api-cookie-check";
+const char API_ACCESS[] = "w";
+const int KNOWN_COOKIE_SIZE = 20;
+
+
+void getCookieFromSS(const int line, std::vector<char> &cookie)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
+ "Wrong cookie size received from server: " << cookieSize
+ << ", line: " << line);
+
+ cookie.resize(cookieSize);
+
+ int ret = security_server_request_cookie(cookie.data(), cookieSize);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_request_cookie(): " << ret
+ << ", line: " << line);
+}
+
+
+RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS)
+
+/*
+ * **************************************************************************
+ * Test cases fot check various functions input params cases
+ * **************************************************************************
+ */
+
+//---------------------------------------------------------------------------
+//passing NULL as a buffer pointer
+RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie)
+{
+ int ret = security_server_request_cookie(NULL, KNOWN_COOKIE_SIZE);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_request_cookie() argument checking: " << ret);
+}
+
+//passing too small value as a buffer size
+RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie)
+{
+ std::vector<char> cookie(KNOWN_COOKIE_SIZE);
+
+ int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
+ "Error in security_server_request_cookie() argument checking: " << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege)
+{
+ int ret = security_server_check_privilege(NULL, 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_check_privilege() argument checking: " << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie)
+{
+ int ret = security_server_check_privilege_by_cookie(NULL, "wiadro", "rwx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_check_privilege_by_cookie() argument checking: "
+ << ret);
+}
+
+//passing NULL as an object pointer
+RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ int ret = security_server_check_privilege_by_cookie(cookie.data(), NULL, "rwx");
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_check_privilege_by_cookie() argument checking: "
+ << ret);
+}
+
+//passing NULL as an access pointer
+RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", NULL);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_check_privilege_by_cookie() argument checking: "
+ << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid)
+{
+ int ret = security_server_get_cookie_pid(NULL);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_cookie_pid() argument checking: " << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie)
+{
+ char *label = NULL;
+ label = security_server_get_smacklabel_cookie(NULL);
+ RUNNER_ASSERT_MSG(label == NULL,
+ "Error in security_server_get_smacklabel_cookie() argument checking");
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as a cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_06_01_security_server_get_uid_by_cookie)
+{
+ uid_t uid;
+ int ret = security_server_get_uid_by_cookie(NULL, &uid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_uid_by_cookie() argument checking: "
+ << ret);
+}
+
+//passing NULL as an uid pointer
+RUNNER_CHILD_TEST(tc_arguments_06_02_security_server_get_uid_by_cookie)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ int ret = security_server_get_uid_by_cookie(cookie.data(), NULL);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_uid_by_cookie() argument checking: "
+ << ret);
+}
+
+//---------------------------------------------------------------------------
+//passing NULL as an cookie pointer
+RUNNER_CHILD_TEST(tc_arguments_07_01_security_server_get_gid_by_cookie)
+{
+ gid_t gid;
+ int ret = security_server_get_gid_by_cookie(NULL, &gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_gid_by_cookie() argument checking: "
+ << ret);
+}
+
+//passing NULL as an gid pointer
+RUNNER_CHILD_TEST(tc_arguments_07_02_security_server_get_gid_by_cookie)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ int ret = security_server_get_gid_by_cookie(cookie.data(), NULL);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM,
+ "Error in security_server_get_gid_by_cookie() argument checking: "
+ << ret);
+}
+
+
+
+/*
+ * **************************************************************************
+ * Unit tests for each function from API
+ * **************************************************************************
+ */
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size)
+{
+ int ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << ret);
+}
+
+/*
+ * security_server_get_cookie_size() is no longer ptotected by SMACK
+ *
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST(tc_unit_01_02_security_server_get_cookie_size)
+{
+ setLabelForSelf("selflabel_01_02", __LINE__);
+ dropRootPrivileges(__LINE__);
+
+ int ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_get_cookie_size(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST(tc_unit_01_03_security_server_get_cookie_size)
+{
+ addSmackRule("selflabel_01_03", API_LABEL_GET, API_ACCESS, __LINE__);
+ setLabelForSelf("selflabel_01_03", __LINE__);
+ dropRootPrivileges(__LINE__);
+
+ int ret = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << ret);
+}
+*/
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << cookieSize);
+
+ std::vector<char> cookie(cookieSize);
+ int ret = security_server_request_cookie(cookie.data(), cookie.size());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_request_cookie(): " << ret);
+}
+
+/*
+ * security_server_get_cookie_size() is no longer protected by SMACK
+ *
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST(tc_unit_02_02_security_server_request_cookie)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << cookieSize);
+
+ setLabelForSelf("selflabel_02_02", __LINE__);
+ dropRootPrivileges(__LINE__);
+
+ std::vector<char> cookie(cookieSize);
+ int ret = security_server_request_cookie(cookie.data(), cookie.size());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_request_cookie(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST(tc_unit_02_03_security_server_request_cookie)
+{
+ int cookieSize = security_server_get_cookie_size();
+ RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
+ "Error in security_server_get_cookie_size(): " << cookieSize);
+
+ addSmackRule("selflabel_02_03", API_LABEL_GET, API_ACCESS, __LINE__);
+ setLabelForSelf("selflabel_02_03", __LINE__);
+ dropRootPrivileges(__LINE__);
+
+ std::vector<char> cookie(cookieSize);
+ int ret = security_server_request_cookie(cookie.data(), cookie.size());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_request_cookie(): " << ret);
+}
+*/
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ int ret = security_server_check_privilege(cookie.data(), 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_check_privilege(): " << ret);
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ setLabelForSelf(__LINE__, "selflabel_03_02");
+ dropRootPrivileges(__LINE__);
+
+ int ret = security_server_check_privilege(cookie.data(), 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_check_privilege(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_security_server_check_privilege)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ addSmackRule(__LINE__, "selflabel_03_03", API_LABEL_CHECK, API_ACCESS);
+ setLabelForSelf(__LINE__, "selflabel_03_03");
+ dropRootPrivileges(__LINE__);
+
+ int ret = security_server_check_privilege(cookie.data(), 0);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_check_privilege(): " << ret);
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ int ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
+
+ int pid = getpid();
+ RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ setLabelForSelf(__LINE__, "selflabel_05_02");
+ dropRootPrivileges(__LINE__);
+
+ int ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_get_cookie_pid(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_security_server_get_cookie_pid)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ addSmackRule(__LINE__, "selflabel_05_03", API_LABEL_CHECK, API_ACCESS);
+ setLabelForSelf(__LINE__, "selflabel_05_03");
+ dropRootPrivileges(__LINE__);
+
+ int ret = security_server_get_cookie_pid(cookie.data());
+ RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
+
+ int pid = getpid();
+ RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie)
+{
+ setLabelForSelf(__LINE__, "selflabel_06_01");
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_01") == 0,
+ "No match in smack label received from cookie, received label: "
+ << label.get());
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie)
+{
+ setLabelForSelf(__LINE__, "selflabel_06_02");
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ dropRootPrivileges(__LINE__);
+
+ UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG(label.get() == NULL,
+ "NULL should be received due to access denied, received label: "
+ << label.get());
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_security_server_get_smacklabel_cookie)
+{
+ setLabelForSelf(__LINE__, "selflabel_06_03");
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+
+ addSmackRule(__LINE__, "selflabel_06_03", API_LABEL_CHECK, API_ACCESS);
+ dropRootPrivileges(__LINE__);
+
+ UniquePtrCstring label(security_server_get_smacklabel_cookie(cookie.data()), free);
+ RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_03") == 0,
+ "No match in smack label received from cookie, received label: "
+ << label.get());
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_07_01_security_server_get_uid_by_cookie)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+ uid_t uid;
+
+ int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_get_uid_by_cookie(): " << ret);
+ ret = getuid();
+ RUNNER_ASSERT_MSG(ret == (int)uid, "No match in UID received from cookie");
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_07_02_security_server_get_uid_by_cookie)
+{
+ setLabelForSelf(__LINE__, "selflabel_07_02");
+ dropRootPrivileges(__LINE__);
+
+ std::vector<char> cookie(KNOWN_COOKIE_SIZE);
+ uid_t uid;
+
+ int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_get_uid_by_cookie(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_07_03_security_server_get_uid_by_cookie)
+{
+ addSmackRule(__LINE__, "selflabel_07_03", API_LABEL_CHECK, API_ACCESS);
+ setLabelForSelf(__LINE__, "selflabel_07_03");
+ dropRootPrivileges(__LINE__);
+
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+ uid_t uid;
+
+ int ret = security_server_get_uid_by_cookie(cookie.data(), &uid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_get_uid_by_cookie(): " << ret);
+ ret = getuid();
+ RUNNER_ASSERT_MSG(ret == (int)uid, "No match in UID received from cookie");
+}
+
+//---------------------------------------------------------------------------
+//root has access to API
+RUNNER_CHILD_TEST(tc_unit_08_01_security_server_get_gid_by_cookie)
+{
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+ gid_t gid;
+
+ int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_get_gid_by_cookie(): " << ret);
+ ret = getgid();
+ RUNNER_ASSERT_MSG(ret == (int)gid, "No match in GID received from cookie");
+}
+
+//privileges drop and no smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_08_02_security_server_get_gid_by_cookie)
+{
+ setLabelForSelf(__LINE__, "selflabel_08_02");
+ dropRootPrivileges(__LINE__);
+
+ std::vector<char> cookie(KNOWN_COOKIE_SIZE);
+ gid_t gid;
+
+ int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
+ "Error in security_server_get_gid_by_cookie(): " << ret);
+}
+
+//privileges drop and added smack rule
+RUNNER_CHILD_TEST_SMACK(tc_unit_08_03_security_server_get_gid_by_cookie)
+{
+ addSmackRule(__LINE__, "selflabel_08_03", API_LABEL_CHECK, API_ACCESS);
+ setLabelForSelf(__LINE__, "selflabel_08_03");
+ dropRootPrivileges(__LINE__);
+
+ std::vector<char> cookie;
+ getCookieFromSS(__LINE__, cookie);
+ gid_t gid;
+
+ int ret = security_server_get_gid_by_cookie(cookie.data(), &gid);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
+ "Error in security_server_get_gid_by_cookie(): " << ret);
+ ret = getgid();
+ RUNNER_ASSERT_MSG(ret == (int)gid, "No match in GID received from cookie");
+}
+