From: Mateusz Cegielka Date: Tue, 15 Sep 2020 08:44:53 +0000 (+0200) Subject: Remove libsmack tests X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Ftest%2Fsecurity-tests.git;a=commitdiff_plain;h=b41030e31d42c3474eee2716e922211043896798 Remove libsmack tests These tests are not executed on Jenkins, and currently are also broken. More importantly, libsmack is an open-source library not specific to Tizen, so there's not actually a lot of benefit in testing it. I have removed libsmack-tests directory, as well as all related build commands. Change-Id: Ib5c78f2425d4a43567e50a41b90e25eab1597ae3 --- diff --git a/README b/README index a036712..fe33548 100644 --- a/README +++ b/README @@ -9,8 +9,6 @@ security-tests is repository for testing packages from domain Security. The security-tests repository is designed for testing packages mentioned below with binaries provided for testing them: -libsmack - libsmack-test security-manager security-manager-tests cynara diff --git a/packaging/security-tests.manifest b/packaging/security-tests.manifest index ea004f1..9b87770 100644 --- a/packaging/security-tests.manifest +++ b/packaging/security-tests.manifest @@ -2,7 +2,6 @@ - diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec index d7d6de7..249a34e 100644 --- a/packaging/security-tests.spec +++ b/packaging/security-tests.spec @@ -86,7 +86,6 @@ id -u security_test_user 1>/dev/null 2>&1 || \ %install %make_install -ln -sf /etc/smack/test_smack_rules %{buildroot}/etc/smack/test_smack_rules_lnk cp -a %{SOURCE1} %{buildroot}%{_datadir}/ %post 
@@ -108,14 +107,7 @@ echo "security-tests postinst done ..." /etc/dbus-1/system.d/security-tests.conf -/usr/bin/libsmack-test -/etc/smack/test_smack_rules_full -/etc/smack/test_smack_rules2 -/etc/smack/test_smack_rules3 -/etc/smack/test_smack_rules4 /usr/bin/security-manager-tests -/etc/smack/test_smack_rules -/etc/smack/test_smack_rules_lnk %{TZ_SYS_RW_APP}* %attr(755, security_test_user,users) %{TZ_SYS_HOME}/security_test_user/apps_rw/* /usr/bin/cynara-test diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index aadbe67..736b6e8 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright (c) 2011-2017 Samsung Electronics Co., Ltd All Rights Reserved +# Copyright (c) 2011-2020 Samsung Electronics Co., Ltd All Rights Reserved # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -87,7 +87,6 @@ INSTALL(FILES IF(BUILD_CKM OR BUILD_SM OR BUILD_CYNARA OR BUILD_WEB) ADD_SUBDIRECTORY(common) - ADD_SUBDIRECTORY(libsmack-tests) ENDIF(BUILD_CKM OR BUILD_SM OR BUILD_CYNARA OR BUILD_WEB) IF(BUILD_CKM) diff --git a/src/libsmack-tests/CMakeLists.txt b/src/libsmack-tests/CMakeLists.txt deleted file mode 100644 index 857d9ef..0000000 --- a/src/libsmack-tests/CMakeLists.txt +++ /dev/null 
@@ -1,120 +0,0 @@
-# Copyright (c) 2012-2015 Samsung Electronics Co., Ltd All Rights Reserved
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# @file CMakeLists.txt
-# @author Pawel Polawski (p.polawski@samsung.com)
-# @version 0.1
-# @brief
-#
-INCLUDE(FindPkgConfig)
-SET(TARGET_TEST "libsmack-test")
-
-#dependencies
-PKG_CHECK_MODULES(TARGET_DEP
- libsmack
- REQUIRED
- )
-
-#files to compile
-SET(TARGET_TEST_SOURCES
- ${PROJECT_SOURCE_DIR}/src/libsmack-tests/libsmack-test.cpp
- ${PROJECT_SOURCE_DIR}/src/libsmack-tests/test_cases.cpp
- )
-
-#header directories
-INCLUDE_DIRECTORIES(SYSTEM
- ${TARGET_DEP_INCLUDE_DIRS}
- )
-
-INCLUDE_DIRECTORIES(
- ${PROJECT_SOURCE_DIR}/src/common/
- )
-
-#preprocessor definitions
-#ADD_DEFINITIONS("-DDPL_LOGS_ENABLED")
-
-#output format
-ADD_EXECUTABLE(${TARGET_TEST} ${TARGET_TEST_SOURCES})
-
-#linker directories
-TARGET_LINK_LIBRARIES(${TARGET_TEST}
- ${TARGET_DEP_LIBRARIES}
- dpl-test-framework
- tests-common
- )
-
-#place for output file
-INSTALL(TARGETS ${TARGET_TEST}
- DESTINATION /usr/bin
- PERMISSIONS OWNER_READ
- OWNER_WRITE
- OWNER_EXECUTE
- GROUP_READ
- GROUP_EXECUTE
- WORLD_READ
- WORLD_EXECUTE
- )
-
-#place for additional files
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/src/libsmack-tests/test_smack_rules
- DESTINATION /etc/smack
- PERMISSIONS
- OWNER_READ
- OWNER_EXECUTE
- GROUP_READ
- GROUP_EXECUTE
- WORLD_READ
- WORLD_EXECUTE
- )
-
-#place for full rules
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/src/libsmack-tests/test_smack_rules_full
- DESTINATION /etc/smack
- PERMISSIONS
- OWNER_READ
- GROUP_READ
- WORLD_READ
- )
-
-#place for rules2
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/src/libsmack-tests/test_smack_rules2
- DESTINATION /etc/smack
- PERMISSIONS
- OWNER_READ
- GROUP_READ
- WORLD_READ
- )
-
-#place for rules3
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/src/libsmack-tests/test_smack_rules3
- DESTINATION /etc/smack
- PERMISSIONS
- OWNER_READ
- GROUP_READ
- WORLD_READ
- )
-
-#place for rules4
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/src/libsmack-tests/test_smack_rules4
- DESTINATION /etc/smack
- PERMISSIONS
- OWNER_READ
- GROUP_READ
- WORLD_READ
- )
diff --git a/src/libsmack-tests/libsmack-test.cpp b/src/libsmack-tests/libsmack-test.cpp
deleted file mode 100644
index ccbb00e..0000000
--- a/src/libsmack-tests/libsmack-test.cpp
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @file libprivilege-test.cpp
- * @author Pawel Polawski (p.polawski@samsung.com)
- * @version 1.0
- * @brief libsmack test runer
- */
-#include
-
-int main (int argc, char *argv[])
-{
- int status = DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
- return status;
-}
-
diff --git a/src/libsmack-tests/test_cases.cpp b/src/libsmack-tests/test_cases.cpp
deleted file mode 100644
index 6f87dd3..0000000
--- a/src/libsmack-tests/test_cases.cpp
+++ /dev/null
@@ -1,1727 +0,0 @@ -/* - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* - * @file test_cases.cpp - * @author Pawel Polawski (p.polawski@samsung.com) - * @author Jan Olszak (j.olszak@samsung.com) - * @author Zofia Abramowska (z.abramowska@samsung.com) - * @version 1.0 - * @brief libsmack test runner - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "tests_common.h" -#include -#include -#include "memory.h" - -const char* const TEST_SUBJECT = "test_subject"; -const char* const TEST_OBJECT = "test_object"; -const char* const TEST_OBJECT_2 = "test_object_2"; - -const std::string testDir = "/tmp/"; -const std::vector accessesBasic = { "r", "w", "x", "wx", "rx", "rw", "rwx", "rwxat" }; - -//This one define is required for sockaddr_un initialization -#define SOCK_PATH "/tmp/test-smack-socket" - -RUNNER_TEST_GROUP_INIT(libsmack) -/** - * Helper method to reset privileges at the begginning of tests. 
- */ -void clean_up() -{ - smack_revoke_subject(TEST_SUBJECT); -} - -/** - * Checking if subject has any access to object - */ -bool checkNoAccesses(const char *subject, const char *object) -{ - int result; - - for(const auto &perm : std::vector {"r", "w", "a","t", "l"}) { - result = smack_have_access(subject, object, perm.c_str()); - if (result == 1) { - return false; - } - } - return true; -} - -void removeAccessesAll() -{ - for(int i = 1; i <=3; i++) - //smack_revoke_subject will fail, when subject does not exist in kernel - //as this function is called at test beginning we cannot check return value - smack_revoke_subject(("test_subject_0" + std::to_string(i)).c_str()); -} - -/** - * Add a new access with smack_accesses_add_modify() - */ -RUNNER_TEST_SMACK(smack_accesses_add_modify_test_1){ - int result; - - clean_up(); - - struct smack_accesses *rules = nullptr; - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - // THE TEST - result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"xr",""); - RUNNER_ASSERT_MSG(result == 0, "Unable to add modify by empty rules"); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"xr"); - RUNNER_ASSERT_MSG(result == 1, "Rule modified (added 'xr'), but no change made."); - - // CLEAN UP - clean_up(); -} - - -/** - * Test if rules are applied in the right order, and modification works. 
- */ -RUNNER_TEST_SMACK(smack_accesses_add_modify_test_2){ - int result; - struct smack_accesses *rules = nullptr; - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - clean_up(); - - // THE TEST - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"r",""); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"","r"); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 0, - "Modification didn't work"); - - // CLEAN UP - clean_up(); -} - - -/** - * Test if rules are applied in the right order, and modification works. - * Using different smack_accesses list to add and delete. - */ -RUNNER_TEST_SMACK(smack_accesses_add_modify_test_3){ - int result; - struct smack_accesses *rules = nullptr; - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - clean_up(); - - // THE TEST - // Add r privilage - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"r",""); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - RUNNER_ASSERT_MSG(smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r") == 1, - "Adding privileges didn't work"); - - // Revoke r privilege - rules_ptr.release(); - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - rules_ptr.reset(rules); - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"","r"); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r"); - RUNNER_ASSERT_MSG(result == 0, "Modification didn't work, rule 
has still 'r' privileges."); - - // CLEAN UP - clean_up(); -} - -/** - * Add a list of privileges and then revoke just ONE of them. - */ -RUNNER_TEST_SMACK(smack_accesses_add_modify_test_4){ - int result; - struct smack_accesses *rules = nullptr; - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - clean_up(); - - // THE TEST - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"rwxat",""); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"","r"); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt"); - RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges."); - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r"); - RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege."); - - // CLEAN UP - clean_up(); -} - -/** - * Add a list of privileges and then revoke just ONE of them. - * Without applying privileges in between those actions. 
- */ -RUNNER_TEST_SMACK(smack_accesses_add_modify_test_5){ - int result; - struct smack_accesses *rules = nullptr; - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - clean_up(); - - // THE TEST - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"rwxat",""); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"","r"); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"awxt"); - RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule should have 'awxt' privileges."); - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r"); - RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege."); - - // CLEAN UP - clean_up(); -} - - -/** - * Add a list of privileges and then revoke just TWO of them. - */ -RUNNER_TEST_SMACK(smack_accesses_add_modify_test_6){ - int result; - struct smack_accesses *rules = nullptr; - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - clean_up(); - - // THE TEST - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"rwt",""); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"ax","rt"); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule."); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"wax"); - RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. 
Rule should have 'wax' privileges."); - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,"r"); - RUNNER_ASSERT_MSG(result != 1, "Modification didn't work. Rule should NOT have 'r' privilege."); - - // CLEAN UP - clean_up(); -} - -/** - * Run smack_accesses_add_modify with the same accesses_add and accesses_del. - */ -RUNNER_TEST_SMACK(smack_accesses_add_modify_test_7){ - unsigned int i; - int result; - - struct smack_accesses *rules = nullptr; - - for (i = 0; i < accessesBasic.size(); ++i) { - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT, - accessesBasic[i].c_str(), accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance"); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - - RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT), - " Error while checking smack access. Accesses exist."); - - // CLEAN UP - clean_up(); - } -} - -/** - * Revoke subject with previously added rules and revoke it again. - */ -RUNNER_TEST_SMACK(smack_revoke_subject_test_1){ - unsigned int i; - int result; - - struct smack_accesses *rules = nullptr; - - for (i = 0; i < accessesBasic.size(); ++i) { - // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2 - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT, - accessesBasic[i].c_str(),""); - result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT_2, - accessesBasic[i].c_str(),""); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance"); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. 
" - "Rule " << accessesBasic[i].c_str() << " does not exist."); - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. " - "Rule " << accessesBasic[i].c_str() << " does not exist."); - - // Revoking subject - result = smack_revoke_subject(TEST_SUBJECT); - RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work."); - - RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT), - " Revoke didn't work. Accesses exist."); - RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2), - " Revoke didn't work. Accesses exist."); - - - // Revoking subject again - result = smack_revoke_subject(TEST_SUBJECT); - RUNNER_ASSERT_MSG(result == 0, "Revoking subject didn't work."); - - RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT), - " Revoke didn't work. Accesses exist."); - RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2), - " Revoke didn't work. Accesses exist."); - - } -} - -/** - * Clearing accesses - */ -RUNNER_TEST_SMACK(smack_accesses_clear_test_1){ - unsigned int i; - int result; - - struct smack_accesses *rules = nullptr; - - for (i = 0; i < accessesBasic.size(); ++i) { - // Creating and adding rules with TEST_OBJECT and TEST_OBJECT_2 - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - result = smack_accesses_add(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT, - accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance"); - result = smack_accesses_add(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT_2, - accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance"); - RUNNER_ASSERT_MSG(smack_accesses_apply(rules_ptr.get()) == 0, "Unable to apply rules"); - - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. 
Rule " - << accessesBasic[i].c_str() << " does not exist."); - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 1, "Modification didn't work. Rule " - << accessesBasic[i].c_str() << " does not exist."); - - // Creating and clearing rules with TEST_OBJECT - rules_ptr.release(); - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - rules_ptr.reset(rules); - result = smack_accesses_add(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT, - accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance"); - result = smack_accesses_clear(rules_ptr.get()); - RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work."); - - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work. Rule " - << accessesBasic[i].c_str() << " does exist."); - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT_2,accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 1, "Clearing rules didn't work. Rule " - << accessesBasic[i].c_str() << " does not exist."); - - // Creating and clearing rules with TEST_OBJECT - rules_ptr.release(); - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - rules_ptr.reset(rules); - - result = smack_accesses_add(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT_2, - accessesBasic[i].c_str()); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify accesses instance"); - result = smack_accesses_clear(rules_ptr.get()); - RUNNER_ASSERT_MSG(result == 0, "Clearing rules didn't work."); - - RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT), - " Clear didn't work. Accesses exist."); - RUNNER_ASSERT_MSG(checkNoAccesses(TEST_SUBJECT, TEST_OBJECT_2), - " Clear didn't work. 
Accesses exist."); - } -} - -RUNNER_TEST(smack01_storing_and_restoring_rules) -{ - /* - * author: Pawel Polawski - * test: smack_accesses_new, smack_accesses_add, smack_accesses_add_modify, smack_accesses_add_from_file, - * smack_accesses_free, smack_accesses_save - * description: This test case will create structure holding SMACK rules and add new one to it. Next rules will be - * stored and restored from file. - * expect: Rules created and stored in file should be identical to predefined template. - */ - - struct smack_accesses *rules = nullptr; //rules prepared in this test case - struct smack_accesses *import_test = nullptr; //rules imported from file - - int result; //result of each operation to be tested by RUNNER_ASSERT - int fd, tmp, sample; //file descripptors for save / restore rules tests - - //int smack_accesses_new(struct smack_accesses **accesses); - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - RUNNER_ASSERT(smack_accesses_new(&import_test) == 0); - SmackAccessesPtr import_ptr(import_test); - - //opening files - fd = open("/tmp/smack01_rules", O_RDWR | O_CREAT | O_TRUNC, 0644); //for export prepared rules - RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to create /tmp/smack01_rules"); - FdUniquePtr fd_ptr(&fd); - tmp = open("/tmp/smack01_tmp", O_RDWR | O_CREAT | O_TRUNC, 0644); //for import rules exported before - RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to create /tmp/smack01_tmp"); - FdUniquePtr tmp_ptr(&tmp); - sample = open("/etc/smack/test_smack_rules", O_RDONLY, 0644); //reference preinstalled rules - RUNNER_ASSERT_ERRNO_MSG(sample >= 0, "Unable to open /etc/smack/test_smack_rules"); - FdUniquePtr sample_ptr(&sample); - - result = smack_accesses_add(rules_ptr.get(), "writer", "book", "rw"); - RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules"); - result = smack_accesses_add(rules_ptr.get(), "reader", "book", "wx"); - RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules"); - - result = 
smack_accesses_add_modify(rules_ptr.get(), "reader", "book", "r", "wx"); - RUNNER_ASSERT_MSG(0 == result, "Unable to modify smack rules"); - - result = smack_accesses_save(rules_ptr.get(), fd); - RUNNER_ASSERT_MSG(0 == result, "Unable to save smack_accesses instance in file"); - - result = lseek(fd, 0, SEEK_SET); - RUNNER_ASSERT_ERRNO_MSG(result == 0, "lseek() error"); - result = smack_accesses_add_from_file(import_ptr.get(), fd); - RUNNER_ASSERT_MSG(result == 0, "Unable to import rules from file"); - - result = smack_accesses_save(import_ptr.get(), tmp); - RUNNER_ASSERT_MSG(result == 0, "Unable to save smack_accesses instance in file"); - - //comparing rules saved in file, restored from it and stored one more time - result = files_compare(fd, tmp); - RUNNER_ASSERT_MSG(result == 0, "No match in stored and restored rules"); - - //comparing rules stored in file with reference preinstalled rules - result = files_compare(tmp, sample); - RUNNER_ASSERT_MSG(result == 0, "No match in stored rules and pattern file"); -} - -RUNNER_TEST_SMACK(smack02_aplying_rules_into_kernel) -{ - /* - * author: Pawel Polawski - * test: smack_accesses_apply, smack_have_access, smack_revoke_subject, smack_accesses_clear, smack_accesses_new, - * smack_accesses_add, smack_accesses_free - * description: In this test case aplying rules to kernel will be tested. After that function for test - * accesses will be used. - * expect: In case of correct rules access should be granted. 
- */ - - //CAP_MAC_ADMIN needed for process to be able to change rules in kernel (apllying, removing) - - struct smack_accesses *rules = nullptr; //rules prepared in this test case - int result; //for storing functions results - - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - //adding test rules to struct - result = smack_accesses_add(rules_ptr.get(), "writer", "book", "rwx"); - RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules"); - result = smack_accesses_add(rules_ptr.get(), "reader", "book", "r"); - RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules"); - result = smack_accesses_add(rules_ptr.get(), "spy", "book", "rwx"); - RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules"); - - result = smack_accesses_apply(rules_ptr.get()); //applying rules to kernel - RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel"); - - //should have access - rule exist - result = smack_have_access("spy", "book", "rwx"); - RUNNER_ASSERT_MSG(result == 1, "Error while checking Smack access"); - //should have no access - wrong rule, should be "r" only - result = smack_have_access("reader", "book", "rwx"); - RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access"); - //should have no access - rule not exist - result = smack_have_access("s02badsubjectlabel", "book", "rwx"); - RUNNER_ASSERT_MSG(result == 0, "Error while checking Smack access"); - - //this subject do not exist in kernel rules - result = smack_revoke_subject("s02nonexistinglabel"); - RUNNER_ASSERT_MSG(result == 0, "Error in removing not existing subject from kernel"); - result = smack_revoke_subject("spy"); //this subject exist in kernel rules - RUNNER_ASSERT_MSG(result == 0, "Error in removing existing subject from kernel"); - - //testing access after revoke_subject() from kernel - result = smack_have_access("spy", "book", "rwx"); - //now spy should have no access - RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); - - 
//for create new rule as a consequence of use accesses_clear() below - result = smack_accesses_add(rules_ptr.get(), "s02subjectlabel", "book", "rwx"); - RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules"); - - //"spy" removed before by using smack_revoke_subject() - result = smack_accesses_clear(rules_ptr.get()); - RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel"); - - //testing acces after acces_clear() - result = smack_have_access("writer", "book", "rwx"); - //now writer also should have no access - RUNNER_ASSERT_MSG(result == 0, "Error in acces aplied to kernel"); - -} - -//pairs of rules for test with mixed cases, different length and mixed order -std::vector< std::vector > correct_rules = { - { "reader1", "-", "------" }, - { "reader2", "--------", "------" }, - { "reader3", "RwXaTl", "rwxatl" }, - { "reader4", "RrrXXXXTTT", "r-x-t-" }, - { "reader5", "-r-w-a-t-", "rw-at-" }, - { "reader6", "", "------" }, - { "reader7", "xa--Rt---W--L", "rwxatl" }, -}; - -RUNNER_TEST_SMACK(smack03_mixed_rule_string_add) -{ - /* - * author: Pawel Polawski - * test: smack_have_access, smack_accesses_new, smack_accesses_add, smack_accesses_apply, smack_accesses_free - * description: In thist test case rules based on mixed string are added to kernel. - * Strings are presented above and contains lower / upper case alpha, numbers and special signs. - * expect: Rules should be parsed correct and aplied to kernel. 
- */ - - //In thist test case mixed string are used as rules applied to kernel, next they are - //readed and compared with correct form of rules - - struct smack_accesses *rules = nullptr; //rules prepared in this test case - int result; //for storing functions results - int expected; - - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - SmackAccessesPtr rules_ptr(rules); - - //adding test rules with mixed string - for (auto rule=correct_rules.begin(); rule != correct_rules.end(); ++rule) { - //using mixed rules from table - result = smack_accesses_add(rules_ptr.get(), - (*rule)[0].c_str(), - "book", - (*rule)[1].c_str()); - RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules"); - } - - //clearing - //FIXME: Using clear() here can cover error in accesses_apply() function - //result = smack_accesses_clear(rules); - //RUNNER_ASSERT_MSG(result == 0, "Error in clearing rules in kernel"); - - //applying rules to kernel - result = smack_accesses_apply(rules_ptr.get()); - RUNNER_ASSERT_MSG(result == 0, "Unable to apply rules into kernel"); - - //checking accesses using normal rules - for (auto rule=correct_rules.begin(); rule != correct_rules.end(); ++rule) { - if ((*rule)[2] == "------") - expected = 0; - else - expected = 1; - //using normal rules from table - result = smack_have_access((*rule)[0].c_str(), - "book", - (*rule)[2].c_str()); - RUNNER_ASSERT_MSG(result == expected, "Error while checking Smack access"); - } -} - -RUNNER_TEST_SMACK(smack04_mixed_rule_string_have_access) -{ - /* - * author: Pawel Polawski - * test: smack_have_access - * description: In this test case we testing aplied before SMACK rules and comparing them using mixed strings. - * expect: Subjects should have accesses to the objects. 
- */ - - //In this test case we checking previous aplied rules but for compare mixed strings are used - - int result; - int expected; - - //rules were added in previous RUNNER_TEST section - //checking accesses using mixed rules - for (auto rule=correct_rules.begin(); rule != correct_rules.end(); ++rule) { - if ((*rule)[2] == "------") - expected = 0; - else - expected = 1; - //using mixed rules from table - result = smack_have_access((*rule)[0].c_str(), - "book", - (*rule)[1].c_str()); - RUNNER_ASSERT_MSG(result == expected, "Error while checking Smack access"); - } -} - -//RUNNER_TEST(smackXX_accesses_add_modify) -//{ -//IDEAS FOR TESTS -// - what if we want to apply rule that is already in kernel? -// - tests for smack_accesses_add_modify() + smack_have_access() (check if add_modify sets the proper rule) -// - smack_accesses_add_modify("subject", "object", "rwx", "rwx") should create empty rule -//} - -RUNNER_TEST_SMACK(smack05_self_label) -{ - /* - * author: Pawel Polawski - * test: smack_set_label_for_self, smack_new_label_from_self - * description: In this test case process test it own default label. Next label is changed - * and tested one more time if change was successfull. - * expect: Proces should have default "-" label and can change it to the oter one. 
- */
-
- //In this test case process will manipulate it own label
-
- char *label = nullptr;
- int result;
- int fd;
-
- const int B_SIZE = 8;
- char buff[B_SIZE];
-
- const char *def_rule = "_";
-
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0, "Error in getting self label");
- //comparing this label with default one "_"
- result = strcmp(label, def_rule);
- free(label);
- RUNNER_ASSERT_MSG(result == 0, "Wrong default process label");
-
- //comparing this rule with received from /proc/self/attr/current
- fd = open("/proc/self/attr/current", O_RDONLY, 0644);
- RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /proc/self/attr/current");
- FdUniquePtr fd_ptr(&fd);
- result = read(fd, buff, B_SIZE);
- RUNNER_ASSERT_ERRNO_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
- result = strncmp(buff, def_rule, result);
- RUNNER_ASSERT_MSG(result == 0, "Wrong default process rule");
-
- //now time for setting labels:
-
- result = smack_set_label_for_self("cola");
- RUNNER_ASSERT_MSG(result == 0, "Error in setting self label");
-
- //checking new label using smack function
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0, "Error in getting self label");
- result = strcmp(label, "cola");
- free(label);
- RUNNER_ASSERT_MSG(result == 0, "Wrong process label");
-
- //checking new label using /proc/self/attr/current
- result = lseek(fd, 0, SEEK_SET); //going to the file beginning
- RUNNER_ASSERT_ERRNO_MSG(result == 0, "lseek() error");
- result = read(fd, buff, B_SIZE);
- RUNNER_ASSERT_ERRNO_MSG(result >= 0, "Error in reading from file /proc/self/attr/current");
- result = strncmp(buff, "cola", result);
- RUNNER_ASSERT_MSG(result == 0, "Proces rule in /proc/self/attr/current other than set");
-}
-
-RUNNER_TEST_SMACK(smack06_setlabel_getlabel_test_0)
-{
- RUNNER_IGNORED_MSG("Upstream does not support label removal yet");
- const std::string fsLabel = "smack06_setlabel_getlabel_test_0";
- const std::string fsPath = std::string("/tmp/") + fsLabel;
-
- const std::string filePath = "file";
-
- FsLabelManager fs(fsPath, fsLabel);
- fs.createFile(filePath);
-
- // reset labels first time
- fs.testSmackClearLabels(filePath);
-
- // reset labels second time
- fs.testSmackClearLabels(filePath);
-}
-
-RUNNER_TEST_SMACK(smack06_setlabel_getlabel_test_1)
-{
- const std::string fsLabel = "smack06_setlabel_getlabel_test_1";
- const std::string fsPath = std::string("/tmp/") + fsLabel;
-
- const char* testLabelAccess = "access";
- const char* testLabelExec = "exec";
- const std::string filePath = "file";
-
- FsLabelManager fs(fsPath, fsLabel);
- fs.createFile(filePath);
-
- // set and get labels first time
- fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
- fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
-
- fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
- fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
-
- // set and get same labels second time
- fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
- fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
-
- fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
- fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
-}
-
-RUNNER_TEST_SMACK(smack06_setlabel_getlabel_test_2)
-{
- RUNNER_IGNORED_MSG("Upstream does not support label removal yet");
- const std::string fsLabel = "smack06_setlabel_getlabel_test_2";
- const std::string fsPath = std::string("/tmp/") + fsLabel;
-
- const char* testLabelAccess = "access";
- const char* testLabelExec = "exec";
- const std::string filePath = "file";
- const std::string linkPath = "link";
-
- FsLabelManager fs(fsPath, fsLabel);
- fs.createFile(filePath);
- fs.createLink(linkPath, filePath);
-
- // set and get labels for file to which link points
- fs.testSmackSetLabel(linkPath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackSetLabel(linkPath, testLabelExec, SMACK_LABEL_EXEC);
- fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
- fs.testSmackGetLabel(linkPath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackGetLabel(linkPath, testLabelExec, SMACK_LABEL_EXEC);
-
- // link labels should not be changed
- fs.testSmackLGetLabel(linkPath, nullptr, SMACK_LABEL_ACCESS);
- fs.testSmackLGetLabel(linkPath, nullptr, SMACK_LABEL_EXEC);
-}
-
-RUNNER_TEST_SMACK(smack06_lsetlabel_lgetlabel_test_1)
-{
- const std::string fsLabel = "smack06_lsetlabel_lgetlabel_test_1";
- const std::string fsPath = std::string("/tmp/") + fsLabel;
-
- const char* testLabelAccess = "fileAccess";
- const char* testLabelExec = "fileExec";
- const char* testLinkLabelAccess = "linkAccess";
- const char* testLinkLabelExec = "linkExec";
- const std::string filePath = "file";
- const std::string linkPath = "link";
-
- FsLabelManager fs(fsPath, fsLabel);
- fs.createFile(filePath);
- fs.createLink(linkPath, filePath);
-
- // set different labels for link and file
- fs.testSmackSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
- fs.testSmackLSetLabel(linkPath, testLinkLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackLSetLabel(linkPath, testLinkLabelExec, SMACK_LABEL_EXEC);
-
- // get those labels
- fs.testSmackGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
- fs.testSmackLGetLabel(linkPath, testLinkLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackLGetLabel(linkPath, testLinkLabelExec, SMACK_LABEL_EXEC);
-}
-
-RUNNER_TEST_SMACK(smack06_fsetlabel_fgetlabel_test_1)
-{
- const std::string fsLabel = "smack06_fsetlabel_fgetlabel_test_1";
- const std::string fsPath = std::string("/tmp/") + fsLabel;
-
- const char* testLabelAccess = "access";
- const char* testLabelExec = "exec";
- const std::string filePath = "file";
-
- FsLabelManager fs(fsPath, fsLabel);
- fs.createFile(filePath);
-
- // set and get labels for fd
- fs.testSmackFSetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackFSetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
- fs.testSmackFGetLabel(filePath, testLabelAccess, SMACK_LABEL_ACCESS);
- fs.testSmackFGetLabel(filePath, testLabelExec, SMACK_LABEL_EXEC);
-}
-
-RUNNER_TEST_SMACK(smack10_adding_removing_rules)
-{
- unsigned int i;
- int result;
-
- struct smack_accesses *rules = nullptr;
-
- for (i = 0; i < accessesBasic.size(); ++i)
- {
- // Creating rules
- RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
- SmackAccessesPtr rules_ptr(rules);
-
- // Adding accesses
- result = smack_accesses_add(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
-
- // Applying rules
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
-
- // Checking if accesses were created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access. Result: " << result);
-
- // Deleting all rules
- clean_up();
- }
-
- for (i = 0; i < 3; ++i)
- {
- // --- Creating rules (r or w or x)
- RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
- SmackAccessesPtr rules_ptr(rules);
-
- // Adding accesses
- result = smack_accesses_add(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
-
- // Applying rules
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
- // Checking if accesses were created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access. Result: " << result);
-
- // Checking if wrong accesses were not created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
- RUNNER_ASSERT_MSG(result == 0,
- " Error while checking smack access. Result: " << result);
-
- // --- Modifying accesses (r for wx or w for rx or x for rw)
- result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,
- accessesBasic[i + 3].c_str(),accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
-
- // Applying rules
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
-
- // Checking if accesses were created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access. Result: " << result);
-
- // Checking if wrong accesses were not created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 0,
- " Error while checking smack access. Result: " << result);
-
- rules_ptr.release();
- // --- Creating complementary rules (r or w or x)
- RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
- rules_ptr.reset(rules);
-
- // Adding accesses
- result = smack_accesses_add(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT,
- accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 0, "Unable to add rulesBasic. Result: " << result);
-
- // Checking if accesses were created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access. Result: " << result);
-
- // Applying rules
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
-
- // Checking if accesses were created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access. Result: " << result);
-
- // --- Modifying accesses (adding rwx and removing r or w or x)
- result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,"rwx",
- accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
-
- // Applying rules
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
-
- // Checking if accesses were created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i + 3].c_str());
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access. Result: " << result);
-
- // Checking if wrong accesses were not created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, accessesBasic[i].c_str());
- RUNNER_ASSERT_MSG(result == 0,
- " Error while checking smack access. Result: " << result);
-
- // --- Adding crossing accesses (rx or rw or wx)
- result = smack_accesses_add_modify(rules_ptr.get(),TEST_SUBJECT, TEST_OBJECT,
- accessesBasic[3 + ((i + 1) % 3)].c_str(),"");
- RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
-
- // Applying rules
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
-
- // Checking if accesses were created
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT,
- accessesBasic[3 + ((i + 1) % 3)].c_str());
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access. Result: " << result);
-
- result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access. Result: " << result);
-
- // Deleting all rules
- result = smack_accesses_add_modify(rules,TEST_SUBJECT, TEST_OBJECT,"","rwx");
- RUNNER_ASSERT_MSG(result == 0, "Unable to add modify rulesBasic. Result: " << result);
-
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == 0, "Error while checking smack access. Result: " << result);
-
- // Deleting all rules
- clean_up();
- }
-}
-
-RUNNER_TEST_SMACK(smack11_saving_loading_rules)
-{
- int result;
- int fd;
-
- struct smack_accesses *rules = nullptr;
-
- // Pre-cleanup
- removeAccessesAll();
-
- RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
- SmackAccessesPtr rules_ptr(rules);
-
- // Loading file with rwxat rules - test_smack_rules_full
- fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
- RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules_full");
-
- // Adding rules from file
- result = smack_accesses_add_from_file(rules_ptr.get(), fd);
- close(fd);
- RUNNER_ASSERT_MSG(result == 0, "Error importing accesses from file");
-
- // Applying rules
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
-
- // Checking rules
- result = smack_have_access("test_subject_01", "test_object_02", "rwxat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack accesses.");
- result = smack_have_access("test_subject_01", "test_object_03", "rwxat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack accesses.");
- result = smack_have_access("test_subject_02", "test_object_01", "rwxat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack accesses.");
- result = smack_have_access("test_subject_02", "test_object_02", "rwxat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack accesses.");
- result = smack_have_access("test_subject_02", "test_object_03", "rwxat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack accesses.");
- result = smack_have_access("test_subject_03", "test_object_01", "rwxat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack accesses.");
- result = smack_have_access("test_subject_03", "test_object_02", "rwxat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack accesses.");
- result = smack_have_access("test_subject_03", "test_object_03", "rwxat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack accesses.");
-
- // Removing rules
- removeAccessesAll();
-
- // Creating rules
- rules_ptr.release();
- RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
- rules_ptr.reset(rules);
-
- // Loading file with partial wrong rules - test_smack_rules2
- fd = open("/etc/smack/test_smack_rules2", O_RDONLY, 0644);
- RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules2");
-
- // Adding rules from file
- result = smack_accesses_add_from_file(rules_ptr.get(), fd);
- close(fd);
- RUNNER_ASSERT_MSG(result == 0, "Error importing accesses from file");
-
- // Applying rules
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == 0, "Error while applying accesses. Result: " << result);
-
- // Checking rules
- RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_01", "test_object_01"),
- " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
- result = smack_have_access("test_subject_01", "test_object_02", "rwatl");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
- result = smack_have_access("test_subject_01", "test_object_03", "wat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
- RUNNER_ASSERT_MSG(checkNoAccesses("test_subject_02", "test_object_01"),
- " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Accesses exist.");
- result = smack_have_access("test_subject_02", "test_object_02", "wa-lt");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
- result = smack_have_access("test_subject_02", "test_object_03", "wr");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
- result = smack_have_access("test_subject_03", "test_object_01", "a");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
- result = smack_have_access("test_subject_03", "test_object_02", "rwat");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
- result = smack_have_access("test_subject_03", "test_object_03", "w---l-");
- RUNNER_ASSERT_MSG(result == 1,
- " Error while checking smack access loaded from /etc/smack/test_smack_rules2. Result: " << result );
-
- // Removing rules
- removeAccessesAll();
-
- // Creating rules
- rules_ptr.release();
- RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
- rules_ptr.reset(rules);
-
- // Loading file with partial wrong rules - test_smack_rules3
- fd = open("/etc/smack/test_smack_rules3", O_RDONLY, 0644);
- RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules3");
-
- // Adding rules from file
- result = smack_accesses_add_from_file(rules_ptr.get(), fd);
- close(fd);
- RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
-
- // Removing rules
- removeAccessesAll();
-
- // Creating rules
- rules_ptr.release();
- RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
- rules_ptr.reset(rules);
-
- // Loading file with partial wrong rules - test_smack_rules4
- fd = open("/etc/smack/test_smack_rules4", O_RDONLY, 0644);
- RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules4");
-
- // Adding rules from file
- result = smack_accesses_add_from_file(rules_ptr.get(), fd);
- close(fd);
- RUNNER_ASSERT_MSG(result != 0, "Accesses were loaded from file");
-
- // Removing rules
- removeAccessesAll();
-}
-
-//int smack_new_label_from_socket(int fd, char **label);
-
-
-static void smack_set_another_label_for_self(void)
-{
- static int number = time(nullptr);
-
- number++;
- std::string smack_label("s" + std::to_string(number));
-
- int result = smack_set_label_for_self(smack_label.c_str());
- RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self(" << smack_label << ") failed");
-}
-
-static void smack_unix_sock_server(int sock)
-{
- int fd, result;
- char *label;
-
- alarm(2);
- fd = accept(sock, nullptr, nullptr);
- alarm(0);
- RUNNER_ASSERT_ERRNO(fd >= 0);
- FdUniquePtr fd_ptr(&fd);
-
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0, "smack_new_label_from_self() failed");
- CStringPtr label_ptr(label);
- result = write(fd, label, strlen(label));
- RUNNER_ASSERT_ERRNO_MSG(result == (int)strlen(label), "write() failed");
-
-}
-
-RUNNER_CHILD_TEST_SMACK(smack09_new_label_from_socket)
-{
- int pid;
- struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
- unlink(SOCK_PATH);
- smack_set_another_label_for_self();
- pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (!pid) { /* child process, server */
- int sock, result;
-
-
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
- SockUniquePtr sock_ptr(&sock);
- result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
- RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
- result = listen(sock, 1);
- RUNNER_ASSERT_ERRNO_MSG(result == 0, "listen failed");
- smack_unix_sock_server(sock);
-
- pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- /* Test if socket label was unaffected by fork() */
- smack_unix_sock_server(sock);
- if (!pid) {
- usleep (100);
- smack_set_another_label_for_self();
- smack_unix_sock_server(sock);
- }
-
- exit(0);
- } else { /* parent process, client */
- sleep(1); /* Give server some time to setup listening socket */
- for (int i = 0; i < 4; ++i) {
- int sock, result;
- char smack_label1[SMACK_LABEL_LEN + 1];
- char *smack_label2;
-
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
- SockUniquePtr sock_ptr(&sock);
- result = connect(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
- RUNNER_ASSERT_ERRNO_MSG(result == 0, "connect failed");
- alarm(2);
- result = read(sock, smack_label1, SMACK_LABEL_LEN);
- alarm(0);
- RUNNER_ASSERT_ERRNO_MSG(result >= 0, "read failed");
- smack_label1[result] = '\0';
- result = smack_new_label_from_socket(sock, &smack_label2);
- SmackLabelPtr label2_ptr(smack_label2);
- RUNNER_ASSERT_MSG(result >= 0, "smack_label_from_socket failed");
- result = strcmp(smack_label1, label2_ptr.get());
- if (i < 3)
- RUNNER_ASSERT_MSG(result == 0, "smack labels differ: '" << smack_label1
- << "' != '" << smack_label2 << "' i == " << i);
- else
- RUNNER_ASSERT_MSG(result != 0, "smack labels do not differ: '" << smack_label1
- << "' != '" << smack_label2 << "' i == " << i);
- }
- }
-}
-
-void createFileWithLabel(const std::string &filePath, const std::string &fileLabel)
-{
- //create temporary file and set label for it
- mode_t systemMask;
-
- unlink(filePath.c_str());
- //allow to create file with 777 rights
- systemMask = umask(0000);
- int fd = open(filePath.c_str(), O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
- //restore system mask
- umask(systemMask);
- RUNNER_ASSERT_ERRNO_MSG(fd > -1, "Unable to create file for tests");
-
- //for descriptor protection
- FdUniquePtr fd_ptr(&fd);
-
- //change owner and group to user APP
- int ret = chown(filePath.c_str(), APP_UID, APP_GID);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Unable to change file owner");
-
- //set smack label on file
- ret = smack_setlabel(filePath.c_str(), fileLabel.c_str(), SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(ret == 0, "Unable to set label for file: " << ret);
-
- char *label = nullptr;
- ret = smack_getlabel(filePath.c_str(), &label, SMACK_LABEL_ACCESS);
- RUNNER_ASSERT_MSG(ret == 0, "Unable to get label from file");
- std::string label_str(label ? label : "");
- free(label);
- RUNNER_ASSERT_MSG(label_str == fileLabel, "File label not match set label");
-}
-
-void prepareEnvironment(const std::string &subject, const std::string &object, const std::string &access)
-{
- const std::string ruleAll = "x";
-
- SecurityServer::AccessProvider provider(subject);
- provider.addObjectRule("User", ruleAll);
- provider.addObjectRule(object, access);
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-}
-
-//- Add "l" rule to system
-//
-//Should be able to add "l" rule to system
-RUNNER_CHILD_TEST_SMACK(smack13_0_checking_laccess_mode_enabled_on_device)
-{
- std::string selfLabel = "smack13_0";
- std::string filename = "smack13_0_file";
-
- //function inside checks if rule exist after add it
- SecurityServer::AccessProvider provider(selfLabel);
- provider.addObjectRule(filename, "l");
- provider.apply();
-
- int ret = smack_have_access(selfLabel.c_str(), filename.c_str(), "l");
- RUNNER_ASSERT_MSG(ret == 1, "Error in adding laccess rule - l");
-}
-
-//- Create file
-//- Set label for file and self
-//- Drop privileges
-//
-//Should have no access due to missing SMACK rule
-RUNNER_CHILD_TEST_SMACK(smack13_1_checking_laccess_mode)
-{
- std::string selfLabel = "smack13_1";
- std::string filename = "smack13_1_file";
- std::string filePath = testDir + filename;
-
- createFileWithLabel(filePath, filename);
- int fd = open(filePath.c_str(), O_RDWR, 0);
- FdUniquePtr fd_ptr(&fd);
-
- SecurityServer::AccessProvider provider(selfLabel);
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = flock(fd, LOCK_EX | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file");
- ret = flock(fd, LOCK_UN | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file");
- ret = flock(fd, LOCK_SH | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file");
-}
-
-//- Create file
-//- Set label for file and self
-//- Add SMACK rule "l"
-//- Drop privileges
-//
-//Should be able to lock file even without "w" rule
-RUNNER_CHILD_TEST_SMACK(smack13_2_checking_laccess_mode_with_l_rule)
-{
- std::string selfLabel = "smack13_2";
- std::string filename = "smack13_2_file";
- std::string filePath = testDir + filename;
-
- createFileWithLabel(filePath, filename);
- int fd = open(filePath.c_str(), O_RDWR, 0);
- FdUniquePtr fd_ptr(&fd);
-
- prepareEnvironment(selfLabel, filename, "l");
-
- int ret = flock(fd, LOCK_EX | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to exclusive lock file");
- ret = flock(fd, LOCK_UN | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to unlock file");
- ret = flock(fd, LOCK_SH | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to shared lock file");
-}
-
-//- Create file
-//- Set label for file and self
-//- Add SMACK rule "w"
-//- Drop privileges
-//
-//Should be able to lock file even without "l" rule
-RUNNER_CHILD_TEST_SMACK(smack13_3_checking_laccess_mode_with_w_rule)
-{
- std::string selfLabel = "smack13_3";
- std::string filename = "smack13_3_file";
- std::string filePath = testDir + filename;
-
- createFileWithLabel(filePath, filename);
- int fd = open(filePath.c_str(), O_RDWR, 0);
- FdUniquePtr fd_ptr(&fd);
-
- prepareEnvironment(selfLabel, filename, "w");
-
- int ret = flock(fd, LOCK_EX | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to exclusive lock file");
- ret = flock(fd, LOCK_UN | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to unlock file");
- ret = flock(fd, LOCK_SH | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to shared lock file");
-}
-
-//- Create file
-//- Set label for file and self
-//- Add SMACK rule "rw"
-//- Drop privileges
-//- Lock file (shared lock)
-//- Spawn child process
-//- Child tries to lock file (shared)
-//
-//Child should be able to lock file due to shared lock
-RUNNER_CHILD_TEST_SMACK(smack13_4_0_checking_laccess_mode_w_rule_child)
-{
- std::string selfLabel = "smack13_4_0";
- std::string filename = "smack13_4_0_file";
- std::string filePath = testDir + filename;
-
- createFileWithLabel(filePath, filename);
- int fd = open(filePath.c_str(), O_RDWR);
- FdUniquePtr fd_ptr(&fd);
- int ret = flock(fd, LOCK_SH | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to shared lock file");
-
- pid_t pid = fork();
- if (pid == 0) {
- //child process
- prepareEnvironment(selfLabel, filename, "rw");
-
- int child_fd = open(filePath.c_str(), O_RDWR);
- RUNNER_ASSERT_ERRNO_MSG(child_fd > -1, "Unable to open created file");
- //for descriptor protection
- FdUniquePtr child_fd_ptr(&child_fd);
-
- ret = flock(child_fd, LOCK_SH | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to lock file with shared lock");
- }
-}
-
-//- Create file
-//- Set label for file and self
-//- Add SMACK rule "l"
-//- Drop privileges
-//- Lock file (shared lock)
-//- Spawn child process
-//- Child tries to lock file (shared)
-//
-//Child should be able to lock file due to shared lock
-RUNNER_CHILD_TEST_SMACK(smack13_4_1_checking_laccess_mode_l_rule_child)
-{
- std::string selfLabel = "smack13_4_1";
- std::string filename = "smack13_4_1_file";
- std::string filePath = testDir + filename;
-
- createFileWithLabel(filePath, filename);
- int fd = open(filePath.c_str(), O_RDWR);
- FdUniquePtr fd_str(&fd);
- int ret = flock(fd, LOCK_SH | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to shared lock file");
-
- pid_t pid = fork();
- if (pid == 0) {
- //child process
- //"r" is only for open in O_RDONLY mode
- prepareEnvironment(selfLabel, filename, "rl");
-
- int child_fd = open(filePath.c_str(), O_RDONLY, 0);
- RUNNER_ASSERT_ERRNO_MSG(child_fd > -1, "Unable to open created file");
- //for descriptor protection
- FdUniquePtr child_fd_ptr(&child_fd);
-
- ret = flock(child_fd, LOCK_SH | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to lock file with shared lock");
- }
-}
-
-//- Create file
-//- Set label for file and self
-//- Add SMACK rule "rw"
-//- Drop privileges
-//- Lock file (exclusive lock)
-//- Spawn child process
-//- Child tries to lock file (exclusive / shared)
-//
-//Child should not be able to lock file due to exclusive lock
-RUNNER_CHILD_TEST_SMACK(smack13_4_2_checking_laccess_mode_w_rule_child)
-{
- std::string selfLabel = "smack13_4_2";
- std::string filename = "smack13_4_2_file";
- std::string filePath = testDir + filename;
-
- createFileWithLabel(filePath, filename);
- int fd = open(filePath.c_str(), O_RDWR);
- FdUniquePtr fd_ptr(&fd);
- int ret = flock(fd, LOCK_EX | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to exclusive lock file");
-
- pid_t pid = fork();
- if (pid == 0) {
- //child process
- prepareEnvironment(selfLabel, filename, "rw");
-
- int child_fd = open(filePath.c_str(), O_RDWR, 0);
- RUNNER_ASSERT_ERRNO_MSG(child_fd > -1, "Unable to open created file");
- //for descriptor protection
- FdUniquePtr child_fd_ptr(&child_fd);
-
- ret = flock(child_fd, LOCK_EX | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file with exclusive lock");
- }
-}
-
-//- Create file
-//- Set label for file and self
-//- Add SMACK rule "l"
-//- Drop privileges
-//- Lock file (exclusive lock)
-//- Spawn child process
-//- Child tries to lock file (exclusive / shared)
-//
-//Child should not be able to lock file due to exclusive lock
-RUNNER_CHILD_TEST_SMACK(smack13_4_3_checking_laccess_mode_l_rule_child)
-{
- std::string selfLabel = "smack13_4_3";
- std::string filename = "smack13_4_3_file";
- std::string filePath = testDir + filename;
-
- createFileWithLabel(filePath, filename);
- int fd = open(filePath.c_str(), O_RDWR, 0);
- FdUniquePtr fd_ptr(&fd);
- int ret = flock(fd, LOCK_EX | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Error, unable to exclusive lock file");
-
- pid_t pid = fork();
- if (pid == 0) {
- //child process
- //"r" is only for open in O_RDONLY mode
- prepareEnvironment(selfLabel, filename, "rl");
-
- int child_fd = open(filePath.c_str(), O_RDONLY, 0);
- RUNNER_ASSERT_ERRNO_MSG(child_fd > -1, "Unable to open created file");
- //for descriptor protection
- FdUniquePtr child_fd_ptr(&child_fd);
-
- ret = flock(child_fd, LOCK_EX | LOCK_NB);
- RUNNER_ASSERT_ERRNO_MSG(ret < 0, "Error, able to lock file with eclusive lock");
- }
-}
-
-
-/////////////////////////////////////////
-//////NOSMACK ENVIRONMENT TESTS//////////
-/////////////////////////////////////////
-
-/**
- * NOSMACK version of smack02 test. Functions, that should return error instead of success:
- * - smack_accesses_apply
- * - smack_have_access
- * - smack_revoke_subject
- * - smack_acceesses_clear
- *
- * Tests smack03, smack04, smack10, smack_accesses_clear, smack_revoke_subject all use functions
- * tested in smack02 test. Results from those functions (smack_have_access, smack_accesses_apply,
- * smack_accesses_clear, smack_revoke_subject) would be the same as in this test. Tests mentioned
- * above doesn't make much sense on NOSMACK environment when test smack02 exists and passes
- * correctly, thus those tests are are not implemented.
- */
-RUNNER_TEST_NOSMACK(smack02_aplying_rules_into_kernel_nosmack)
-{
-
- smack_accesses *rules = nullptr;
- int result;
-
- //init rules
- RUNNER_ASSERT(smack_accesses_new(&rules) == 0);
- //pass rules to unique_ptr
- SmackAccessesPtr rules_ptr(rules);
-
- //adding test rules to struct (same as SMACK version of smack02 test)
- result = smack_accesses_add(rules_ptr.get(), "writer", "book", "rwx");
- RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
- result = smack_accesses_add(rules_ptr.get(), "reader", "book", "r");
- RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
- result = smack_accesses_add(rules_ptr.get(), "spy", "book", "rwx");
- RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
-
- //applying rules to kernel (should fail)
- result = smack_accesses_apply(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == -1, "Unable to apply rules into kernel");
-
- //calls from SMACK version of this test - all should fail because of SMACK being turned off
- result = smack_have_access("spy", "book", "rwx");
- RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off)");
- result = smack_have_access("reader", "book", "rwx");
- RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off)");
- result = smack_have_access("s02badsubjectlabel", "book", "rwx");
- RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off)");
-
- //testing subject revoking - should return error (no accesses applied = no subjects to revoke)
- result = smack_revoke_subject("s02nonexistinglabel");
- RUNNER_ASSERT_MSG(result == -1, "smack_revoke_subject error - subject doesn't exist.");
- result = smack_revoke_subject("spy");
- RUNNER_ASSERT_MSG(result == -1, "smack_revoke_subject error - subject doesn't exist.");
-
- //after revoking smack_have_access still should return error
- result = smack_have_access("spy", "book", "rwx");
- RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off).");
-
- result = smack_accesses_add(rules_ptr.get(), "s02subjectlabel", "book", "rwx");
- RUNNER_ASSERT_MSG(result == 0, "Unable to add smack rules");
-
- //smack_accesses_clear should return error aswell
- result = smack_accesses_clear(rules_ptr.get());
- RUNNER_ASSERT_MSG(result == -1, "Clearing rules should return error - no SMACK on system.");
-
- result = smack_have_access("writer", "book", "rwx");
- RUNNER_ASSERT_MSG(result == -1, "smack_have_access should return error (SMACK is off).");
-}
-
-/**
- * NOSMACK version of smack11 test. Tests functions:
- * - smack_accesses_add_from_file
- *
- * Since other SMACK functions were tested in smack02 test, the only function needed to be checked
- * is applying rules loaded from file.
- */
-RUNNER_TEST_NOSMACK(smack03_saving_loading_rules_nosmack)
-{
- int result;
- int fd;
-
- smack_accesses* tmp = nullptr;
-
- RUNNER_ASSERT(smack_accesses_new(&tmp) == 0);
- SmackAccessesPtr rules(tmp);
-
- //open file with rules
- fd = open("/etc/smack/test_smack_rules_full", O_RDONLY, 0644);
- RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Unable to open /etc/smack/test_smack_rules_full");
-
- //load accesses from file
- result = smack_accesses_add_from_file(rules.get(), fd);
- close(fd);
- RUNNER_ASSERT_MSG(result == 0, "Error while importing accesses from file. Result: " << result);
-}
-
-/**
- * NOSMACK version of smack05 test. Tests if functions getting, or
- * setting self label work correctly (that is, return error).
- */ -RUNNER_TEST_NOSMACK(smack04_self_label_nosmack) -{ - char* label = nullptr; - int result; - int fd; - - char buff[SMACK_LABEL_LEN+1]; - - //smack_new_label_from_self should fail - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == -1, "new_label_from_self should return error (SMACK is off)."); - RUNNER_ASSERT_MSG(label == nullptr, "new_label_from_self shouldn't allocate memory to label."); - //We don't need to remember about freeing label - smack_new_label_from_self must return nullptr - //label if it's working properly. - - // /proc/self/attr/current shouldn't keep any rules inside - fd = open("/proc/self/attr/current", O_RDONLY, 0644); //file exists, so it should open - RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "/proc/self/attr/current failed to open"); - FdUniquePtr fd_ptr(&fd); - - result = read(fd, buff, SMACK_LABEL_LEN); //however reading it should return error - RUNNER_ASSERT_ERRNO_MSG(result < 0, "Reading /proc/self/attr/current should return error"); - - //setting label for self should fail - result = smack_set_label_for_self("s04testlabel"); - RUNNER_ASSERT_MSG(result == -1, "set_label_for_self should return error (SMACK is off)."); - - //getting previously set label should also fail - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result == -1, "new_label_from_self should return error (SMACK is off)."); - RUNNER_ASSERT_MSG(label == nullptr, "new_label_from_self shouldn't allocate memory to label."); - - // /proc/self/attr/current still shouldn't keep any rules inside - result = lseek(fd, 0, SEEK_SET); //going to the file beginning - RUNNER_ASSERT_ERRNO_MSG(result == 0, "lseek() error"); - - result = read(fd, buff, SMACK_LABEL_LEN); //however it should return error - RUNNER_ASSERT_ERRNO_MSG(result < 0, "Reading /proc/self/attr/current should return error"); -} - -/** - * NOSMACK version of smack_accesses_add_modify_x tests. 
- * - * Because all smack_accesses_add_modify tests are basically the same (all use smack_accesses_apply - * and smack_have_access, which return -1 when SMACK is turned off), it makes much more sense to - * write one test which will create rules using smack_accesses_add_modify and then check if - * smack_accesses_apply and smack_have_access indeed return -1 when SMACK is turned off. - */ -RUNNER_TEST_NOSMACK(smack05_accesses_add_modify_nosmack) -{ - int result; - smack_accesses* rules = nullptr; - - RUNNER_ASSERT(smack_accesses_new(&rules) == 0); - - SmackAccessesPtr rules_ptr(rules); - - //Not doing clean_up() every RUNNER_ASSERT_MSG - what clean_up does is just a creation of new - //rule struct and removal of currenctly added and applied rules. clean_up() must be done only - //after smack_accesses_apply(). - result = smack_accesses_add_modify(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT, "rwx", ""); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule. Result: " << result); - - result = smack_accesses_add_modify(rules_ptr.get(), TEST_SUBJECT, TEST_OBJECT, "rwx", ""); - RUNNER_ASSERT_MSG(result == 0, "Unable to modify rule. Result: " << result); - - result = smack_accesses_apply(rules_ptr.get()); - RUNNER_ASSERT_MSG(result == -1, - "smack_accesses_apply should return error (SMACK is off). Result: " << result); - - result = smack_have_access(TEST_SUBJECT, TEST_OBJECT, "rwx"); - if(result != -1) { - clean_up(); - RUNNER_FAIL_MSG("smack_have_access should return error (SMACK is off). Result: " - << result); - } - - clean_up(); -} - -/** - * NOSMACK version of smack09 test. - * - * This test checks if smack_new_label_from_socket reacts correctly. Since label should be - * acquired from getsockopt, and it should fail, we must only set up socket and call - * smack_new_label_from_socket. It should return error. 
- */ -RUNNER_CHILD_TEST_NOSMACK(smack09_new_label_from_socket_nosmack) -{ - int pid; - struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH}; - unlink(SOCK_PATH); - char* smack_label; - - pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (!pid) { //child (server) - int sock, result; - int fd; - - //Create new socket - sock = socket(AF_UNIX, SOCK_STREAM, 0); - RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed"); - SockUniquePtr sock_ptr(&sock); - - //Bind it to sockaddr - result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); - RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed"); - - //Prepare for listening - result = listen(sock, 1); - RUNNER_ASSERT_ERRNO_MSG(result == 0, "listen failed"); - - //Accept client - alarm(2); - fd = accept(sock, nullptr, nullptr); - alarm(0); - RUNNER_ASSERT_ERRNO_MSG(fd >= 0, "Failed when accepting connection from client"); - FdUniquePtr fd_ptr(&fd); - - //wait for smack_new_label_from_socket execution - usleep(200); - - //Close server - exit(0); - } - else { //parent (client) - //Wait a little bit until server is set up - sleep(1); - int sock, result; - - //Create socket - sock = socket(AF_UNIX, SOCK_STREAM, 0); - RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed"); - SockUniquePtr sock_ptr(&sock); - - //Connect to sockaddr - result = connect(sock, (struct sockaddr*) &sockaddr, - sizeof(struct sockaddr_un)); - RUNNER_ASSERT_ERRNO_MSG(result == 0, "connect failed"); - - //Try getting label, should fail beacuse getsockopt won't get anything - result = smack_new_label_from_socket(sock, &smack_label); - RUNNER_ASSERT_MSG(result == -1, "smack_new_label_from_socket should fail."); - } -} diff --git a/src/libsmack-tests/test_smack_rules b/src/libsmack-tests/test_smack_rules deleted file mode 100644 index 4effa82..0000000 --- a/src/libsmack-tests/test_smack_rules +++ /dev/null @@ -1,2 +0,0 @@ -writer book rw---- -reader book r----- 
diff --git a/src/libsmack-tests/test_smack_rules2 b/src/libsmack-tests/test_smack_rules2 deleted file mode 100644 index 7708bb2..0000000 --- a/src/libsmack-tests/test_smack_rules2 +++ /dev/null @@ -1,9 +0,0 @@ -test_subject_01 test_object_01 --- -test_subject_01 test_object_02 rwatl -test_subject_01 test_object_03 wat -test_subject_02 test_object_01 ------- -test_subject_02 test_object_02 wa-lt -test_subject_02 test_object_03 -rw--r------ -test_subject_03 test_object_01 aaaaaa ------ -test_subject_03 test_object_02 rwat -test_subject_03 test_object_03 w---l- diff --git a/src/libsmack-tests/test_smack_rules3 b/src/libsmack-tests/test_smack_rules3 deleted file mode 100644 index e11b322..0000000 --- a/src/libsmack-tests/test_smack_rules3 +++ /dev/null @@ -1,3 +0,0 @@ -test_subject_01 test_object_01 rwatl -test_subject_01 test_object_02 -test_subject_01 test_object_03 xxxxx diff --git a/src/libsmack-tests/test_smack_rules4 b/src/libsmack-tests/test_smack_rules4 deleted file mode 100644 index 194ef01..0000000 --- a/src/libsmack-tests/test_smack_rules4 +++ /dev/null @@ -1,3 +0,0 @@ -test_subject_01 test_object_01 rwxatl -test_subject_01 test_object_02 +rwh4r9d32!@#$ 49$%^x2 rwxat -test_subject_01 test_object_03 aaaaaa xxxxxx diff --git a/src/libsmack-tests/test_smack_rules_full b/src/libsmack-tests/test_smack_rules_full deleted file mode 100644 index b8600a5..0000000 --- a/src/libsmack-tests/test_smack_rules_full +++ /dev/null @@ -1,9 +0,0 @@ -test_subject_01 test_object_01 rwxatl -test_subject_01 test_object_02 rwxatl -test_subject_01 test_object_03 rwxatl -test_subject_02 test_object_01 rwxatl -test_subject_02 test_object_02 rwxatl -test_subject_02 test_object_03 rwxatl -test_subject_03 test_object_01 rwxatl -test_subject_03 test_object_02 rwxatl -test_subject_03 test_object_03 rwxatl diff --git a/src/security-tests-all.sh b/src/security-tests-all.sh index 3584e95..3e5f249 100644 --- a/src/security-tests-all.sh +++ b/src/security-tests-all.sh 
@@ -52,7 +52,6 @@ function printSummary printf "\n" } -runTest smack runTest security-manager runTest cynara runTest ckm diff --git a/src/security-tests.sh b/src/security-tests.sh index 1cf60b6..d6f5a93 100644 --- a/src/security-tests.sh +++ b/src/security-tests.sh @@ -1,7 +1,7 @@ #!/bin/sh ##################################################################### -# Copyright (c) 2012 - 2019 Samsung Electronics Co., Ltd All Rights Reserved +# Copyright (c) 2012 - 2020 Samsung Electronics Co., Ltd All Rights Reserved # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,12 +22,6 @@ echo "### Starting tests ######################################################" case $1 in -"smack") - echo "=========================================================================" - echo $1 - echo - libsmack-test "${@:2}" # propagate all remaining arguments (except first) - ;; "security-manager") echo "=========================================================================" echo "SECURITY MANAGER TESTS" @@ -66,7 +60,7 @@ case $1 in echo "Correct using:" echo " security_test.sh " echo - echo "modules: smack, security-manager, cynara, ckm, yaca, nether" + echo "modules: security-manager, cynara, ckm, yaca, nether" ;; esac
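Review bot: In the last hunk of src/security-tests.sh the usage branch ends on the modules `echo` followed directly by `;;` and `esac`, so as far as the hunk shows, an unrecognised module name leaves the script exiting with status 0. After this commit `smack` is such a name, so any job or wrapper that still runs `security-tests.sh smack` would print the usage text and look like a passing run in which no Smack test was executed. I would add `exit 1` before the `;;` and send the usage lines to stderr with `>&2`, so a stale invocation fails loudly instead of hiding the lost coverage. The `case` statement starts outside the hunk, and anything after `esac` that might set the exit status is not visible here. The context line also names the script `security_test.sh` while the file is `security-tests.sh`.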