#include <sys/stat.h>
#include <sys/smack.h>
#include <sys/wait.h>
+#include <grp.h>
#include "security-server.h"
#include "security_server_clean_env.h"
#include <dpl/test/test_runner.h>
#define API_PASSWD_SET "security-server::api-password-set"
#define API_PASSWD_CHECK "security-server::api-password-check"
#define API_DATA_SHARE "security-server::api-data-share"
-#define API_MIDDLEWARE "security-server::api-middleware"
#define API_PRIVILEGE_BY_NAME "security-server::api-app-privilege-by-name"
#define API_FREE_ACCESS "*"
#define API_RULE_REQUIRED "w"
+// we assume that the group 'audio' exists in the system
+const char* PROC_AUDIO_GROUP_NAME = "audio";
+
/* Message */
typedef struct
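Review bot: `PROC_AUDIO_GROUP_NAME` is added as a mutable pointer with external linkage, although the patch only ever reads it. If it is meant as a file-local constant, `static const char* const PROC_AUDIO_GROUP_NAME = "audio";` says so and prevents accidental reassignment or a link-time clash with another test file.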
return -1;
}
+/*
+ * Add a new group to the current process groups.
+ */
+void add_process_group(const char* group_name)
+{
+ // get group ID by gtoup name
+ group *gr = getgrnam(group_name);
+ RUNNER_ASSERT_MSG(gr != NULL, "Group '" << group_name << "' does not exist.");
+ const gid_t new_group_id = gr->gr_gid;
+
+ // get number of groups that the current process belongs to
+ int ngroups = getgroups(0, NULL);
+
+ //allocate groups table + space for new group entry
+ std::vector<gid_t> groups(ngroups + 1);
+ getgroups(ngroups, groups.data());
+
+ // check if the process already belongs to the group
+ for (int i = 0; i < ngroups; ++i)
+ if (groups[i] == new_group_id)
+ return;
+
+ // add new group & apply change
+ groups[ngroups] = new_group_id;
+ int ret = setgroups(ngroups + 1, groups.data());
+ RUNNER_ASSERT_MSG(ret == 0, "setgroups failed. ret = " << ret);
+}
+
+/*
+ * Remove specific group from the current process groups.
+ */
+void remove_process_group(const char* group_name)
+{
+ // get group ID by gtoup name
+ group *gr = getgrnam(group_name);
+ RUNNER_ASSERT_MSG(gr != NULL, "Group '" << group_name << "' does not exist.");
+ const gid_t new_group_id = gr->gr_gid;
+
+ // get number of groups that the current process belongs to
+ int ngroups = getgroups(0, NULL);
+
+ //allocate groups table + space for new group entry
+ std::vector<gid_t> groups(ngroups);
+ getgroups(ngroups, groups.data());
+
+ // check if the process already belongs to the group
+ for (int i = 0; i < ngroups; ++i)
+ if (groups[i] == new_group_id) {
+ groups[i] = groups[ngroups-1]; // replace with last
+
+ // apply change
+ int ret = setgroups(ngroups - 1, groups.data());
+ RUNNER_ASSERT_MSG(ret == 0, "setgroups failed. ret = " << ret);
+ return;
+ }
+}
+
RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER);
RUNNER_TEST(tc_getting_default_cookie)
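Review bot: Neither `getgroups()` call in add_process_group or remove_process_group has its return value checked. If the first call returns -1, add_process_group builds an empty vector, writes `groups[ngroups]` at index -1 and then calls `setgroups(0, ...)`, which clears the supplementary groups instead of adding one; remove_process_group would size its vector from -1. Assert after each call, e.g. `RUNNER_ASSERT_MSG(ngroups >= 0, "getgroups failed. ret = " << ngroups);`, and take the count from the second call with `ngroups = getgroups(ngroups, groups.data());`. The comments in remove_process_group are copied from the add path ("space for new group entry", "already belongs to the group"), and both functions carry the typo "gtoup".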
RUNNER_ASSERT(security_server_get_gid("teltel") == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT);
}
-RUNNER_TEST(tc_ask_for_privilege_with_default_cookie_normal_case_to_check_audio_privilege)
+RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_negative)
{
- printhex(cookie, COOKIE_SIZE);
- RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) == SECURITY_SERVER_API_SUCCESS);
- ret = security_server_get_gid("audio");
+ remove_process_group(PROC_AUDIO_GROUP_NAME);
+
+ RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
+ SECURITY_SERVER_API_SUCCESS);
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ ret = security_server_check_privilege((char*) cookie, ret);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_positive)
+{
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
+ RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
+ SECURITY_SERVER_API_SUCCESS);
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
ret = security_server_check_privilege((char*) cookie, ret);
RUNNER_ASSERT(ret == SECURITY_SERVER_API_SUCCESS);
}
RUNNER_TEST(tc_ask_for_privilege_with_default_cookie_case_with_wrong_cookie)
{
- ret = security_server_get_gid("audio");
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
srand(time(NULL));
for (i = 0; i < COOKIE_SIZE; i++)
wrong_cookie[i] = rand() % 255;
ret = security_server_check_privilege((const char*) wrong_cookie, ret);
- RUNNER_ASSERT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED);
+ RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
}
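Review bot: The result of `security_server_get_gid(PROC_AUDIO_GROUP_NAME)` is passed straight into `security_server_check_privilege()` in tc_cookie_check_groups_privilege_negative, in the positive test, and in the wrong-cookie test after them. In the two tests that expect ACCESS_DENIED, a failed lookup would hand an error code to the privilege check, so the assertion could pass without group membership or the cookie ever being evaluated. Add `RUNNER_ASSERT_MSG(ret > -1, "get_gid failed. ret: " << ret);` between the two calls, as a later hunk of this patch already does. Keeping the gid in its own variable rather than reusing `ret` would also make the failure messages unambiguous.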
/* Close socket just after sending request msg.
* This is done with fake security_server_get_gid()*/
- ret = fake_get_gid("audio");
+ ret = fake_get_gid(PROC_AUDIO_GROUP_NAME);
RUNNER_IGNORED_MSG("Watch whether security server has crashed or not.");
}
RUNNER_CHILD_TEST_SMACK(tc05_check_API_middleware_allow)
{
int ret = -1;
- const char *subject_allow = TEST05_SUBJECT;
size_t cookie_size = security_server_get_cookie_size();
char cookie[20];
char *ss_label = NULL;
- struct smack_accesses *handle = NULL;
- /* allow subject 'subjet_allow' to security-server::api-middleware */
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_add(handle, subject_allow, API_MIDDLEWARE, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- ret = smack_accesses_apply(handle);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- smack_accesses_free(handle);
-
- ret = smack_set_label_for_self(subject_allow);
- RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+ add_process_group(PROC_AUDIO_GROUP_NAME);
// drop root privileges
RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
ret = security_server_request_cookie(cookie, cookie_size);
RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
- ret = security_server_get_gid("audio");
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
ret = security_server_check_privilege(cookie, ret);
RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
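Review bot: `add_process_group(PROC_AUDIO_GROUP_NAME)` must run before `drop_root_privileges()` because it ends in `setgroups()`, and nothing at the call site records that. A comment such as `// must run while still root: setgroups() needs privilege` would keep the two calls from being reordered later. The test also relies on drop_root_privileges(), which is defined outside this hunk, leaving the supplementary group list untouched; that is worth confirming, because if it resets the groups the final check no longer exercises the membership added here. The same call is added in the next two hunks (before `smack_set_label_for_self(subject_denied)` and before the following `drop_root_privileges()`), where the same ordering applies.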
char cookie[20];
char *ss_label = NULL;
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
ret = smack_set_label_for_self(subject_denied);
RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
char cookie[20];
char* ss_label = NULL;
+ add_process_group(PROC_AUDIO_GROUP_NAME);
+
// drop root privileges
ret = drop_root_privileges();
RUNNER_ASSERT_MSG(ret == 0,
RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
"request_cookie failed. Result: " << ret);
- ret = security_server_get_gid("audio");
- RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"audio\" gid. Result: " << ret);
+ ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+ RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME << "\" gid. Result: "
+ << ret);
ret = security_server_check_privilege(cookie, ret);
RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,