Fix test to pass with smack_pid_have_access function.
authorJanusz Kozerski <j.kozerski@samsung.com>
Wed, 22 May 2013 09:24:45 +0000 (11:24 +0200)
committerMarcin Niesluchowski <m.niesluchow@samsung.com>
Thu, 23 Jan 2014 13:32:20 +0000 (14:32 +0100)
[Issue#]   SSDWSSP-220
[Problem]  N/A
[Cause]    N/A
[Solution] N/A

[Verification] Run all security-server tests. All tests should pass.

Change-Id: I1a6e61074d086867d4f730b7bb28515f452618a9

tests/security-server-tests/security_server_tests_client_smack.cpp
tests/security-server-tests/security_server_tests_server.cpp

index d52787e..fe44092 100644 (file)
@@ -34,6 +34,26 @@ do {                                                                 \
         "Cannot prepare environment for test");                      \
 }while(0)
 
+/**
+ * Dropping root privileges
+ * returns 0 on success, 1 on error
+ */
+int drop_root_privileges()
+{
+       if (getuid() == 0) {
+               /* process is running as root, drop privileges */
+               if (setgid(5000) != 0)
+                       return 1;
+               if (setuid(5000) != 0)
+                       return 1;
+       }
+       int uid = getuid();
+       if (uid == 5000)
+               return 0;
+
+       return 1;
+}
+
 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
 
 /*
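Review bot: drop_root_privileges() leaves root's supplementary groups in place and confirms only the real uid, so a process the later asserts treat as unprivileged may still hold group-based access. Call `if (setgroups(0, NULL) != 0) return 1;` before `setgid(5000)`, and make the final check `if (getuid() == 5000 && geteuid() == 5000 && getgid() == 5000 && getegid() == 5000) return 0;`. setgroups() is declared in `<grp.h>`; this file's include list is outside the hunk, so that header may need adding. The identical function added to security_server_tests_server.cpp needs the same change. The bare `5000` would also read better as a named constant saying which account it stands for.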
@@ -138,6 +158,8 @@ RUNNER_CHILD_TEST(tc05_check_privilege_by_cookie)
     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
         security_server_request_cookie(cookie,20));
 
+    RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
     RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS ==
         security_server_check_privilege_by_cookie(
             cookie,
@@ -199,6 +221,8 @@ RUNNER_TEST(tc06_check_privilege_by_sockfd)
         RUNNER_ASSERT_MSG(strcmp(label,"")==0, "label is \""<< label<<"\"");
         free(label);
 
+        RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
         LogDebug("child, listen");
         if (listen(sockfd, 5) < 0) {
             LogDebug("child, exit");
@@ -259,16 +283,17 @@ RUNNER_TEST(tc06_check_privilege_by_sockfd)
     int status;
     waitpid(pid, &status, 0);
 
-    RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == result1);
-    RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2);
+    RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1);
+    RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2);
 }
 
 /*
  * test: security_server_check_privilege_by_sockfd
  * description: This test will create dummy server that will accept connection
  * and die. The client will try to check access rights using connection descriptor.
- * Unfortunatelly in this cases smack_set_label_for_self will not change label
- * connected with unix socket. Thats why this test will fail.
+ * Because we read a smack label not from socket directly, but from from pid of process
+ * on the other end of socket - that's why smack label will be updated.
+ * In this test client is running under root and server is not - to test the extreme case.
  * expected: Function call with access rights set to "r" should return SUCCESS,
  * with "rw" should return ACCESS DENIED.
  */
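Review bot: The rewritten tc07 description says the client runs as root, but a later hunk in this file adds `drop_root_privileges()` to the parent (client) branch of tc07, so the client is presumably uid 5000 by the time it connects. The comment should say which side is actually unprivileged at the point of the check. The doubled word in `from from pid` should go as well, e.g. `Because the smack label is read from the pid of the process on the other end of the socket, not from the socket itself, the updated label is seen.`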
@@ -282,6 +307,7 @@ RUNNER_TEST(tc07_check_privilege_by_sockfd)
 
     int result1 = -1;
     int result2 = -1;
+    int kill_result = -1;
 
     smack_accesses *handle;
     RUNNER_ASSERT(0 == smack_accesses_new(&handle));
@@ -305,6 +331,8 @@ RUNNER_TEST(tc07_check_privilege_by_sockfd)
             exit(1);
         }
 
+        RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
         LogDebug("child, listen");
         if (listen(sockfd, 5) < 0) {
             LogDebug("child, exit");
@@ -323,6 +351,9 @@ RUNNER_TEST(tc07_check_privilege_by_sockfd)
         exit(1);
     } else {
         // parent
+
+        RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
         LogDebug("Parent, sleep 2");
         sleep(2);
         int sockfd = connect_to_testserver();
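Review bot: Dropping root in the parent branch of tc07 cannot be undone and may leak into every test that runs afterwards, because setuid() called as root replaces the real, effective and saved uid. tc07 is declared with RUNNER_TEST and forks by hand, so if the parent branch executes in the test-runner process itself (the macro body is not visible here), all later tests would run as uid 5000 and could fail for unrelated reasons. Declaring the test with RUNNER_CHILD_TEST, as tc05 is, would confine the drop to this test. Alternatively, move the client side into its own forked child that reports result1 and result2 back.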
@@ -340,14 +371,19 @@ RUNNER_TEST(tc07_check_privilege_by_sockfd)
         LogDebug("Parent: Close desc");
         close(sockfd);
         LogDebug("Parent: killing child");
-        kill(pid, SIGKILL);
+        // we cannot kill child - because of dropping privileges
+        kill_result = kill(pid, SIGKILL);
     }
 
-    int status;
-    waitpid(pid, &status, 0);
+    if (kill_result == 0) {
+        int status;
+        waitpid(pid, &status, 0);
+    }
+    else
+        sleep(2);
 
-    RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result1);
-    RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2);
+    RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1);
+    RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2);
 }
 
 int main(int argc, char *argv[])
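Review bot: When `kill()` fails, the child is never reaped and may stay alive holding the test socket; the `sleep(2)` fallback only hides that, and the errno explaining the failure is discarded. At minimum log errno in the else branch and reap opportunistically with `waitpid(pid, NULL, WNOHANG);` after the sleep. A sturdier layout is to let the child exit by itself once the connection has been accepted, so the parent can always use a blocking `waitpid()` and never needs permission to signal it. The child branch and the start of tc07 are outside this hunk.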
index 8feadd2..2e840b5 100644 (file)
@@ -25,6 +25,7 @@
 #include <dpl/test/test_runner.h>
 #include <dpl/test/test_runner_child.h>
 #include <dlog.h>
+#include <privilege-control.h>
 #include "test.h"
 
 #define SECURITY_SERVER_SOCK_PATH    "/tmp/.security_server.sock"
@@ -53,6 +54,26 @@ unsigned char cookie[COOKIE_SIZE], wrong_cookie[COOKIE_SIZE];
 char obj_name[OBJ_NAME_SIZE];
 struct sockaddr_un clientaddr;
 
+/**
+ * Dropping root privileges
+ * returns 0 on success, 1 on error
+ */
+int drop_root_privileges()
+{
+       if (getuid() == 0) {
+               /* process is running as root, drop privileges */
+               if (setgid(5000) != 0)
+                       return 1;
+               if (setuid(5000) != 0)
+                       return 1;
+       }
+       int uid = getuid();
+       if (uid == 5000)
+               return 0;
+
+       return 1;
+}
+
 /* Create a Unix domain socket and bind */
 int create_new_socket()
 {
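Review bot: This is a second, identical copy of the `drop_root_privileges()` added to security_server_tests_client_smack.cpp, and both definitions have external linkage. Any hardening of one copy has to be repeated by hand in the other, and linking the two files into one binary would produce a duplicate-symbol error. This file already includes `"test.h"` (visible in the previous hunk); if the client test shares that header, declare the helper there and define it once in a common source file, otherwise mark each copy `static`. The new function's indentation also differs from the four-space style of the surrounding code.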
@@ -385,6 +406,9 @@ RUNNER_CHILD_TEST(tc01a_security_server_app_give_access)
     RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
 
     smack_set_label_for_self(object);
+
+    RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
     security_server_app_give_access(subject, getpid());
 
     RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxat"));
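Review bot: The position of the new `drop_root_privileges()` call is load-bearing and nothing in the code says so. It has to come after `smack_set_label_for_self(object)`, since changing a process's own Smack label normally needs a privilege that uid 5000 no longer has. It also has to come before `security_server_app_give_access()`, which is presumably the call meant to be exercised as a non-root client. A one-line comment above the assert would keep a later edit from reordering these, e.g. `// drop root only after the label is set; the API call below must run as a non-root client`. The same comment fits the identical insertion in tc01c_security_server_app_give_access_no_access.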
@@ -426,6 +450,9 @@ RUNNER_CHILD_TEST(tc01c_security_server_app_give_access_no_access)
     RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
 
     smack_set_label_for_self(object);
+
+    RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
+
     RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == security_server_app_give_access(subject, getpid()));
 
     RUNNER_ASSERT(0 == smack_have_access(subject, object, "r"));