smack-test: add smack tests from meta-intel-iot-security

ported over smack tests

Signed-off-by: Armin Kuster <akuster808@gmail.com>

3 files changed, 275 insertions, 0 deletions

diff --git a/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh b/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
new file mode 100644
index 0000000..419ab9f
--- /dev/null
+++ b/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+RC=0
+test_file="/tmp/smack_socket_udp"
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+
+udp_server=`which udp_server`
+if [ -z $udp_server ]; then
+        if [ -f "/tmp/udp_server" ]; then
+                udp_server="/tmp/udp_server"
+        else
+                echo "udp_server binary not found"
+                exit 1
+        fi
+fi
+udp_client=`which udp_client`
+if [ -z $udp_client ]; then
+        if [ -f "/tmp/udp_client" ]; then
+                udp_client="/tmp/udp_client"
+        else
+                echo "udp_client binary not found"
+                exit 1
+        fi
+fi
+
+# make sure no access is granted
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  -----" > $SMACK_PATH/load
+
+# checking access for sockets with different labels
+$udp_server 50021 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50021 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+        echo "Sockets with different labels should not communicate on udp"
+        exit 1
+fi
+
+# granting access between different labels
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$udp_server 50022 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50022 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+        echo "Sockets with different labels, but having rw access, should communicate on udp"
+        exit 1
+fi
+
+# checking access for sockets with the same label
+$udp_server 50023 label1 &
+server_pid=$!
+sleep 1
+$udp_client 50023 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+        echo "Sockets with same labels should communicate on udp"
+        exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$udp_server 50024 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50024 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+        echo "Should have access on udp socket labeled star (*)"
+        exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$udp_server 50025 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50025 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+        echo "Socket labeled star should not have access to any udp socket"
+        exit 1
+fi
diff --git a/recipes-mac/smack/udp-smack-test/udp_client.c b/recipes-mac/smack/udp-smack-test/udp_client.c
new file mode 100644
index 0000000..4d3afbe
--- /dev/null
+++ b/recipes-mac/smack/udp-smack-test/udp_client.c
@@ -0,0 +1,75 @@
+// (C) Copyright 2015 Intel Corporation

+//

+// Permission is hereby granted, free of charge, to any person obtaining a copy

+// of this software and associated documentation files (the "Software"), to deal

+// in the Software without restriction, including without limitation the rights

+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

+// copies of the Software, and to permit persons to whom the Software is

+// furnished to do so, subject to the following conditions:

+//

+// The above copyright notice and this permission notice shall be included in

+// all copies or substantial portions of the Software.

+//

+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

+// THE SOFTWARE.

+#include <sys/socket.h>

+#include <stdio.h>

+#include <netinet/in.h>

+#include <netdb.h>

+#include <string.h>

+

+int main(int argc, char* argv[])

+{

+        char* message = "hello";

+        int sock, ret;

+        struct sockaddr_in server_addr;

+        struct hostent*  host = gethostbyname("localhost");

+        char* label;

+        char* attr = "security.SMACK64IPOUT";

+        int port;

+        if (argc != 3)

+        {

+                perror("Client: Argument missing, please provide port and  label for SMACK64IPOUT");

+                return 2;

+        }

+

+        port = atoi(argv[1]);

+        label = argv[2];

+        sock = socket(AF_INET, SOCK_DGRAM,0);

+        if(sock < 0)

+        {

+                perror("Client: Socket failure");

+                return 2;

+        }

+        

+

+        if(fsetxattr(sock, attr, label, strlen(label),0) < 0)

+        {

+                perror("Client: Unable to set attribute ");

+                return 2;

+        }

+

+

+        server_addr.sin_family = AF_INET;

+        server_addr.sin_port = htons(port);

+        bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);

+        bzero(&(server_addr.sin_zero),8);

+        

+        ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,

+                        sizeof(struct sockaddr_in));

+

+        close(sock);

+        if(ret < 0)

+        {

+                perror("Client: Error sending message\n");

+                return 1;

+        }

+        

+        return 0;

+}

+

diff --git a/recipes-mac/smack/udp-smack-test/udp_server.c b/recipes-mac/smack/udp-smack-test/udp_server.c
new file mode 100644
index 0000000..cbab71e
--- /dev/null
+++ b/recipes-mac/smack/udp-smack-test/udp_server.c
@@ -0,0 +1,93 @@
+// (C) Copyright 2015 Intel Corporation

+//

+// Permission is hereby granted, free of charge, to any person obtaining a copy

+// of this software and associated documentation files (the "Software"), to deal

+// in the Software without restriction, including without limitation the rights

+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

+// copies of the Software, and to permit persons to whom the Software is

+// furnished to do so, subject to the following conditions:

+//

+// The above copyright notice and this permission notice shall be included in

+// all copies or substantial portions of the Software.

+//

+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

+// THE SOFTWARE.

+#include <sys/socket.h>

+#include <stdio.h>

+#include <netinet/in.h>

+#include <netdb.h>

+#include <string.h>

+

+int main(int argc, char* argv[])

+{

+        int sock,ret;

+        struct sockaddr_in server_addr, client_addr;

+        socklen_t len;

+        char message[5];

+        char* label;

+        char* attr = "security.SMACK64IPIN";

+        int port;

+

+        if(argc != 3)

+        {

+                perror("Server: Argument missing, please provide port and label for SMACK64IPIN");

+                return 2;

+        }

+        

+        port = atoi(argv[1]);

+        label = argv[2];

+

+        struct timeval timeout;

+        timeout.tv_sec = 15;

+        timeout.tv_usec = 0;

+

+        sock = socket(AF_INET,SOCK_DGRAM,0);

+        if(sock < 0)

+        {

+                perror("Server: Socket error");

+                return 2;

+        }

+        

+

+        if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)

+        {

+                perror("Server: Unable to set attribute ");

+                return 2;

+        }

+

+        server_addr.sin_family = AF_INET;         

+        server_addr.sin_port = htons(port);     

+        server_addr.sin_addr.s_addr = INADDR_ANY; 

+        bzero(&(server_addr.sin_zero),8); 

+        

+

+        if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)

+        {

+                perror("Server: Set timeout failed\n");

+                return 2;

+        }

+

+        if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)

+        {

+                perror("Server: Bind failure");

+                return 2;

+        }

+

+        len = sizeof(client_addr);

+        ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,

+                                        &len);

+        close(sock);

+        if(ret < 0)

+        {

+                perror("Server: Error receiving");

+                return 1;

+

+        }

+        return 0;

+}

+