From 4c65df7da4945c20b8afc128f89ce9a76d00066a Mon Sep 17 00:00:00 2001 From: Sebastian Grabowski Date: Tue, 25 Mar 2014 13:44:13 +0100 Subject: [PATCH] Removed use of pid_cycle file and ENVIRONMENT macros [Bug/Feature] Security-server client tests failure with smack disabled while test environment preparations [Cause] pid_cycle file was created in a nonexistent directory. Moreover, this file seems to be unused in any way further and not deleted either. [Solution] Get rid of pid_cycle file usage. In addition, ENVIRONMENT and ENVIRONMENT_NOSMACK macros were deleted in favour of drop_root_privileges function for nonsmack tests and AccessProvider class for smack tests. There were also duplicated tests about security server cookies - they were moved to cookie_api.cpp. Tests run as app user in cookie_api.cpp are now distinguished from others with changed name having "_app_user_" string. [Verification] Build, install and run tests, i.e.: security-tests.sh ss-server --runignored --output=text security-tests.sh ss-clientsmack --runignored --output=text Change-Id: I68ad3f0bb12f437fa927660327c5e44f91e91446 Signed-off-by: Sebastian Grabowski --- tests/security-server-tests/cookie_api.cpp | 106 ++++++++++++++++--- .../security_server_measurer_API_speed.cpp | 2 - .../security_server_tests_client_smack.cpp | 117 ++------------------- 3 files changed, 100 insertions(+), 125 deletions(-) diff --git a/tests/security-server-tests/cookie_api.cpp b/tests/security-server-tests/cookie_api.cpp index 5145174..6054726 100644 --- a/tests/security-server-tests/cookie_api.cpp +++ b/tests/security-server-tests/cookie_api.cpp @@ -170,10 +170,56 @@ RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size) } //--------------------------------------------------------------------------- -// security_server_get_cookie_size() is no longer ptotected by SMACK -RUNNER_CHILD_TEST(tc_unit_01_02_security_server_get_cookie_size) +// Get cookie size when smack is not loaded +RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_02_app_user_security_server_get_cookie_size_nosmack) { - SecurityServer::AccessProvider provider("selflabel_01_02"); + int ret; + + ret = drop_root_privileges(); + RUNNER_ASSERT_MSG_BT(ret == 0, + "Failed to drop root privileges. Result: " << ret << "uid = " << getuid()); + ret = security_server_get_cookie_size(); + RUNNER_ASSERT_MSG_BT(ret == KNOWN_COOKIE_SIZE, "ret = " << ret); +} + +//--------------------------------------------------------------------------- +// Test setting up a cookie in normal case when smack is not loaded +RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_03_app_user_security_server_request_cookie_nosmack) +{ + int ret; + int cookieSize = security_server_get_cookie_size(); + Cookie cookie(cookieSize); + + ret = drop_root_privileges(); + RUNNER_ASSERT_MSG_BT(ret == 0, + "Failed to drop root privileges. Result: " << ret << "uid = " << getuid()); + + ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE); + RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); +} + +//--------------------------------------------------------------------------- +// Test setting up a cookie when smack is not loaded but with too small +// buffer size +RUNNER_CHILD_TEST_NOSMACK(tc_init_01_04_app_user_security_server_request_cookie_too_small_buffer_size_nosmack) +{ + int ret; + int cookieSize = security_server_get_cookie_size(); + Cookie cookie(cookieSize); + + ret = drop_root_privileges(); + RUNNER_ASSERT_MSG_BT(ret == 0, + "Failed to drop root privileges. Result: " << ret << "uid = " << getuid()); + + ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE >> 1); + RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret); +} + +//--------------------------------------------------------------------------- +// Get cookie size when smack is loaded +RUNNER_CHILD_TEST_SMACK(tc_unit_01_05_app_user_security_server_get_cookie_size) +{ + SecurityServer::AccessProvider provider("selflabel_01_05"); provider.applyAndSwithToUser(APP_UID, APP_GID); int ret = security_server_get_cookie_size(); @@ -187,8 +233,25 @@ RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie) { int cookieSize = security_server_get_cookie_size(); RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE, + "Error in security_server_get_cookie_size(): " << cookieSize); + + Cookie cookie(cookieSize); + int ret = security_server_request_cookie(cookie.data(), cookie.size()); + RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, + "Error in security_server_request_cookie(): " << ret); +} + +//--------------------------------------------------------------------------- +// Test setting up a cookie in normal case when smack is loaded +RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie) +{ + int cookieSize = security_server_get_cookie_size(); + RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE, "Error in security_server_get_cookie_size(): " << cookieSize); + SecurityServer::AccessProvider provider("selflabel_02_01"); + provider.applyAndSwithToUser(APP_UID, APP_GID); + Cookie cookie(cookieSize); int ret = security_server_request_cookie(cookie.data(), cookie.size()); RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, @@ -196,6 +259,25 @@ RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie) } //--------------------------------------------------------------------------- +// Test setting up a cookie when smack is loaded but with too small buffer +// size +RUNNER_CHILD_TEST_SMACK(tc_unit_02_03_app_user_security_server_request_cookie_too_small_buffer_size) +{ + int cookieSize = security_server_get_cookie_size(); + RUNNER_ASSERT_MSG_BT(cookieSize == KNOWN_COOKIE_SIZE, + "Error in security_server_get_cookie_size(): " << cookieSize); + cookieSize >>= 1; + + SecurityServer::AccessProvider provider("selflabel_02_02"); + provider.applyAndSwithToUser(APP_UID, APP_GID); + + Cookie cookie(cookieSize); + int ret = security_server_request_cookie(cookie.data(), cookie.size()); + RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, + "Error in security_server_request_cookie(): " << ret); +} + +//--------------------------------------------------------------------------- //root has access to API RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege) { @@ -207,7 +289,7 @@ RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege) } //privileges drop and no smack rule -RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege) +RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_app_user_security_server_check_privilege) { RUNNER_IGNORED_MSG("Security-server sockets are not labeled."); Cookie cookie = getCookieFromSS(); @@ -221,7 +303,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_security_server_check_privilege) } //privileges drop and added smack rule -RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_security_server_check_privilege) +RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege) { Cookie cookie = getCookieFromSS(); @@ -291,7 +373,7 @@ RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid) } //privileges drop and no smack rule -RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid) +RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_app_user_security_server_get_cookie_pid) { RUNNER_IGNORED_MSG("Security-server sockets are not labeled."); Cookie cookie = getCookieFromSS(); @@ -305,7 +387,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_security_server_get_cookie_pid) } //privileges drop and added smack rule -RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_security_server_get_cookie_pid) +RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid) { Cookie cookie = getCookieFromSS(); @@ -335,7 +417,7 @@ RUNNER_CHILD_TEST(tc_unit_06_01_security_server_get_smacklabel_cookie) } //privileges drop and no smack rule -RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie) +RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_cookie) { RUNNER_IGNORED_MSG("Security-server sockets are not labeled."); Cookie cookie = getCookieFromSS(); @@ -350,7 +432,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_security_server_get_smacklabel_cookie) } //privileges drop and added smack rule -RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_security_server_get_smacklabel_cookie) +RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie) { SecurityServer::AccessProvider provider("selflabel_06_03"); provider.allowFunction("security_server_get_smacklabel_cookie"); @@ -366,7 +448,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_security_server_get_smacklabel_cookie) //--------------------------------------------------------------------------- // apply smack labels and drop privileges -RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_cookie_API_access_allow) +RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow) { add_process_group(PROC_AUDIO_GROUP_NAME); @@ -402,7 +484,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_cookie_API_access_allow) } // disable access and drop privileges -RUNNER_CHILD_TEST(tc_unit_09_02_cookie_API_access_deny) +RUNNER_CHILD_TEST(tc_unit_09_02_app_user_cookie_API_access_deny) { RUNNER_IGNORED_MSG("Security-server sockets are not labeled."); SecurityServer::AccessProvider provider("subject_1d414140"); @@ -436,7 +518,7 @@ RUNNER_CHILD_TEST(tc_unit_09_02_cookie_API_access_deny) } // NOSMACK version of the test above -RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_cookie_API_access_allow_nosmack) +RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_app_user_cookie_API_access_allow_nosmack) { add_process_group(PROC_AUDIO_GROUP_NAME); diff --git a/tests/security-server-tests/security_server_measurer_API_speed.cpp b/tests/security-server-tests/security_server_measurer_API_speed.cpp index d9ca31e..f3c0eca 100644 --- a/tests/security-server-tests/security_server_measurer_API_speed.cpp +++ b/tests/security-server-tests/security_server_measurer_API_speed.cpp @@ -431,8 +431,6 @@ RUNNER_TEST(m060_security_server_check_privilege_by_cookie) { int ret; readwrite_stats stats; initialize_stats(&stats); - RUNNER_ASSERT_MSG_BT(-1 != system("touch /opt/home/root/pid_cycle"), - "Cannot prepare environment for test."); RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), "Cannot prepare environment for test."); RUNNER_ASSERT_MSG_BT(0 == (ret = smack_accesses_new(&handle)), "Error in smack_accesses_new()"); diff --git a/tests/security-server-tests/security_server_tests_client_smack.cpp b/tests/security-server-tests/security_server_tests_client_smack.cpp index 1fdedfd..9a9c783 100644 --- a/tests/security-server-tests/security_server_tests_client_smack.cpp +++ b/tests/security-server-tests/security_server_tests_client_smack.cpp @@ -36,37 +36,6 @@ #define PROPER_COOKIE_SIZE 20 -#define ENVIRONMENT \ - do { \ - const char *subject_label = "mylabel"; \ - RUNNER_ASSERT_MSG_BT(-1 != system("touch /opt/home/root/pid_cycle"), \ - "Cannot prepare environment for test."); \ - RUNNER_ASSERT_MSG_BT(0 == smack_set_label_for_self(subject_label), \ - "Cannot prepare environment for test."); \ - RUNNER_ASSERT_MSG_BT(-1 != setgid(1), \ - "Cannot prepare environment for test."); \ - RUNNER_ASSERT_MSG_BT(-1 != setuid(1), \ - "Cannot prepare environment for test"); \ - } while (0) - - -/** - * Environment preparation should only differ in setting label. On NOSMACK system - * smack_set_label_for_self returns error because of no access to /proc/self/attr/current. - */ -#define ENVIRONMENT_NOSMACK \ - do { \ - int fd = open("/opt/home/root/pid_cycle", O_CREAT|O_APPEND, 0444);\ - RUNNER_ASSERT_MSG_BT(fd >= 0, \ - "Couldn't create pid_cycle file. errno: " << strerror(errno));\ - close(fd); \ - RUNNER_ASSERT_MSG_BT(-1 != setgid(1), \ - "Cannot prepare environment for test."); \ - RUNNER_ASSERT_MSG_BT(-1 != setuid(1), \ - "Cannot prepare environment for test"); \ - } while (0) - - /** * Unique_ptr typedef for NOSMACK version of tc06 test */ @@ -79,54 +48,6 @@ typedef std::unique_ptr > SockFDUniquePtr; RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK) /* - * test: Check cookie size returned by security_server_get_cookie_size. - * description: Cookie used by security-server is 20 bytes long. - * Any other size of cookies should be treated as error. - * expected: Function security_server_get_cookie_size returns 20. - */ -RUNNER_CHILD_TEST_SMACK(tc01_security_server_get_cookie_size) -{ - ENVIRONMENT; - - int ret = security_server_get_cookie_size(); - RUNNER_ASSERT_MSG_BT(20 == ret, "ret = " << ret); -} - -/* - * test: security_server_request_cookie - * description: Function security_server_request_cookie will return - * 20 bytes long cookie. - * expected: function will set up cookie in the array and return - * SECURITY_SERVER_API_SUCCESS. - */ -RUNNER_CHILD_TEST_SMACK(tc02_security_server_request_cookie_normal_case) -{ - ENVIRONMENT; - - char cookie[20]; - int ret = security_server_request_cookie(cookie, 20); - LogDebug("ret = " << ret); - RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS == ret); -} - -/* - * test: security_server_request_cookie - * description: Function security_server_request_cookie will return - * 20 bytes long cookie. - * expected: function will set up cookie in the array and return - * SECURITY_SERVER_API_SUCCESS. - */ -RUNNER_CHILD_TEST_SMACK(tc03_security_server_request_cookie_too_small_buffer_size) -{ - ENVIRONMENT; - - char cookie[20]; - int ret = security_server_request_cookie(cookie, 10); - LogDebug("ret = " << ret); - RUNNER_ASSERT_BT(SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL == ret); -} - -/* * test: tc04_security_server_get_gid * description: Checking for security_server_get_gid * with nonexisting gid and existing one @@ -357,41 +278,15 @@ RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd) /////NOSMACK ENV TESTS///// /////////////////////////// -/** - * First four test cases are the same as their SMACK versions. The only difference is environment - * preparation (described near ENVIRONMENT_NOSMACK macro). - */ -RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_get_cookie_size_nosmack) -{ - ENVIRONMENT_NOSMACK; - - int ret = security_server_get_cookie_size(); - RUNNER_ASSERT_MSG_BT(ret == 20, "ret = " << ret); -} - -RUNNER_CHILD_TEST_NOSMACK(tc02_security_server_request_cookie_normal_case_nosmack) -{ - ENVIRONMENT_NOSMACK; - - char cookie[20]; - int ret = security_server_request_cookie(cookie, 20); - RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); -} - -RUNNER_CHILD_TEST_NOSMACK(tc03_security_server_request_cookie_too_small_buffer_size_nosmack) -{ - ENVIRONMENT_NOSMACK; - - char cookie[20]; - int ret = security_server_request_cookie(cookie, 10); - RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret); -} - RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack) { - ENVIRONMENT_NOSMACK; + int ret; + + ret = drop_root_privileges(); + RUNNER_ASSERT_MSG_BT(ret == 0, + "Failed to drop root privileges. Result: " << ret << "uid = " << getuid()); - int ret = security_server_get_gid("definitely_not_existing_object"); + ret = security_server_get_gid("definitely_not_existing_object"); RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret); ret = security_server_get_gid("root"); RUNNER_ASSERT_MSG_BT(ret == 0, "ret = " << ret); -- 2.7.4