1 // Test routines to make sure a variety of system calls are or are not
2 // available in capability mode. The goal is not to see if they work, just
3 // whether or not they return the expected ECAPMODE.
4 #include <sys/types.h>
5 #include <sys/socket.h>
6 #include <sys/sockio.h>
7 #include <sys/stat.h>
8 #include <sys/mount.h>
9 #include <sys/mman.h>
10 #include <sys/wait.h>
11 #include <sys/time.h>
12 #include <sys/resource.h>
13 #include <sys/ptrace.h>
14 #include <dirent.h>
15 #include <net/if.h>
16 #include <netinet/in.h>
17 #include <fcntl.h>
18 #include <sched.h>
19 #include <time.h>
20 #include <unistd.h>
21 #include <pthread.h>
22
23 #include "capsicum.h"
24 #include "syscalls.h"
25 #include "capsicum-test.h"
26
27 // Test fixture that opens (and closes) a bunch of files.
28 class WithFiles : public ::testing::Test {
29 public:
WithFiles()30 WithFiles() :
31 fd_file_(open(TmpFile("cap_capmode"), O_RDWR|O_CREAT, 0644)),
32 fd_close_(open("/dev/null", O_RDWR)),
33 fd_dir_(open(tmpdir.c_str(), O_RDONLY)),
34 fd_socket_(socket(PF_INET, SOCK_DGRAM, 0)),
35 fd_tcp_socket_(socket(PF_INET, SOCK_STREAM, 0)) {
36 EXPECT_OK(fd_file_);
37 EXPECT_OK(fd_close_);
38 EXPECT_OK(fd_dir_);
39 EXPECT_OK(fd_socket_);
40 EXPECT_OK(fd_tcp_socket_);
41 }
~WithFiles()42 ~WithFiles() {
43 if (fd_tcp_socket_ >= 0) close(fd_tcp_socket_);
44 if (fd_socket_ >= 0) close(fd_socket_);
45 if (fd_dir_ >= 0) close(fd_dir_);
46 if (fd_close_ >= 0) close(fd_close_);
47 if (fd_file_ >= 0) close(fd_file_);
48 unlink(TmpFile("cap_capmode"));
49 }
50 protected:
51 int fd_file_;
52 int fd_close_;
53 int fd_dir_;
54 int fd_socket_;
55 int fd_tcp_socket_;
56 };
57
FORK_TEST_F(WithFiles,DisallowedFileSyscalls)58 FORK_TEST_F(WithFiles, DisallowedFileSyscalls) {
59 unsigned int mode = -1;
60 EXPECT_OK(cap_getmode(&mode));
61 EXPECT_EQ(0, (int)mode);
62 EXPECT_OK(cap_enter()); // Enter capability mode.
63 EXPECT_OK(cap_getmode(&mode));
64 EXPECT_EQ(1, (int)mode);
65
66 // System calls that are not permitted in capability mode.
67 EXPECT_CAPMODE(access(TmpFile("cap_capmode_access"), F_OK));
68 EXPECT_CAPMODE(acct(TmpFile("cap_capmode_acct")));
69 EXPECT_CAPMODE(chdir(TmpFile("cap_capmode_chdir")));
70 EXPECT_CAPMODE(chflags(TmpFile("cap_capmode_chflags"), UF_NODUMP));
71 EXPECT_CAPMODE(chmod(TmpFile("cap_capmode_chmod"), 0644));
72 EXPECT_CAPMODE(chown(TmpFile("cap_capmode_chown"), -1, -1));
73 EXPECT_CAPMODE(chroot(TmpFile("cap_capmode_chroot")));
74 EXPECT_CAPMODE(creat(TmpFile("cap_capmode_creat"), 0644));
75 EXPECT_CAPMODE(fchdir(fd_dir_));
76 struct statfs statfs;
77 EXPECT_CAPMODE(getfsstat(&statfs, sizeof(statfs), MNT_NOWAIT));
78 EXPECT_CAPMODE(link(TmpFile("foo"), TmpFile("bar")));
79 struct stat sb;
80 EXPECT_CAPMODE(lstat(TmpFile("cap_capmode_lstat"), &sb));
81 EXPECT_CAPMODE(mknod(TmpFile("capmode_mknod"), 0644 | S_IFIFO, 0));
82 EXPECT_CAPMODE(bogus_mount_());
83 EXPECT_CAPMODE(open("/dev/null", O_RDWR));
84 char buf[64];
85 EXPECT_CAPMODE(readlink(TmpFile("cap_capmode_readlink"), buf, sizeof(buf)));
86 EXPECT_CAPMODE(revoke(TmpFile("cap_capmode_revoke")));
87 EXPECT_CAPMODE(stat(TmpFile("cap_capmode_stat"), &sb));
88 EXPECT_CAPMODE(symlink(TmpFile("cap_capmode_symlink_from"), TmpFile("cap_capmode_symlink_to")));
89 EXPECT_CAPMODE(unlink(TmpFile("cap_capmode_unlink")));
90 EXPECT_CAPMODE(umount2("/not_mounted", 0));
91 }
92
FORK_TEST_F(WithFiles,DisallowedSocketSyscalls)93 FORK_TEST_F(WithFiles, DisallowedSocketSyscalls) {
94 EXPECT_OK(cap_enter()); // Enter capability mode.
95
96 // System calls that are not permitted in capability mode.
97 struct sockaddr_in addr;
98 addr.sin_family = AF_INET;
99 addr.sin_port = 0;
100 addr.sin_addr.s_addr = htonl(INADDR_ANY);
101 EXPECT_CAPMODE(bind_(fd_socket_, (sockaddr*)&addr, sizeof(addr)));
102 addr.sin_family = AF_INET;
103 addr.sin_port = 53;
104 addr.sin_addr.s_addr = htonl(0x08080808);
105 EXPECT_CAPMODE(connect_(fd_tcp_socket_, (sockaddr*)&addr, sizeof(addr)));
106 }
107
FORK_TEST_F(WithFiles,AllowedFileSyscalls)108 FORK_TEST_F(WithFiles, AllowedFileSyscalls) {
109 int rc;
110 EXPECT_OK(cap_enter()); // Enter capability mode.
111
112 EXPECT_OK(close(fd_close_));
113 fd_close_ = -1;
114 int fd_dup = dup(fd_file_);
115 EXPECT_OK(fd_dup);
116 EXPECT_OK(dup2(fd_file_, fd_dup));
117 EXPECT_OK(dup3(fd_file_, fd_dup, 0));
118 if (fd_dup >= 0) close(fd_dup);
119
120 struct stat sb;
121 EXPECT_OK(fstat(fd_file_, &sb));
122 EXPECT_OK(lseek(fd_file_, 0, SEEK_SET));
123 char ch;
124 EXPECT_OK(read(fd_file_, &ch, sizeof(ch)));
125 EXPECT_OK(write(fd_file_, &ch, sizeof(ch)));
126
127 rc = fchflags(fd_file_, UF_NODUMP);
128 if (rc < 0) {
129 EXPECT_NE(ECAPMODE, errno);
130 }
131
132 char buf[1024];
133 rc = getdents_(fd_dir_, (void*)buf, sizeof(buf));
134 EXPECT_OK(rc);
135
136 char data[] = "123";
137 EXPECT_OK(pwrite(fd_file_, data, 1, 0));
138 EXPECT_OK(pread(fd_file_, data, 1, 0));
139
140 struct iovec io;
141 io.iov_base = data;
142 io.iov_len = 2;
143 #if !defined(__i386__)
144 // TODO(drysdale): reinstate these tests for 32-bit runs when possible
145 // libc bug is fixed.
146 EXPECT_OK(pwritev(fd_file_, &io, 1, 0));
147 EXPECT_OK(preadv(fd_file_, &io, 1, 0));
148 #endif
149 EXPECT_OK(writev(fd_file_, &io, 1));
150 EXPECT_OK(readv(fd_file_, &io, 1));
151 }
152
FORK_TEST_F(WithFiles,AllowedSocketSyscalls)153 FORK_TEST_F(WithFiles, AllowedSocketSyscalls) {
154 EXPECT_OK(cap_enter()); // Enter capability mode.
155
156 // recvfrom() either returns -1 with EAGAIN, or 0.
157 int rc = recvfrom(fd_socket_, NULL, 0, MSG_DONTWAIT, NULL, NULL);
158 if (rc < 0) {
159 EXPECT_EQ(EAGAIN, errno);
160 }
161 char ch;
162 EXPECT_OK(write(fd_file_, &ch, sizeof(ch)));
163
164 // These calls will fail for lack of e.g. a proper name to send to,
165 // but they are allowed in capability mode, so errno != ECAPMODE.
166 EXPECT_FAIL_NOT_CAPMODE(accept(fd_socket_, NULL, NULL));
167 EXPECT_FAIL_NOT_CAPMODE(getpeername(fd_socket_, NULL, NULL));
168 EXPECT_FAIL_NOT_CAPMODE(getsockname(fd_socket_, NULL, NULL));
169 EXPECT_FAIL_NOT_CAPMODE(recvmsg(fd_socket_, NULL, 0));
170 EXPECT_FAIL_NOT_CAPMODE(sendmsg(fd_socket_, NULL, 0));
171 EXPECT_FAIL_NOT_CAPMODE(sendto(fd_socket_, NULL, 0, 0, NULL, 0));
172 off_t offset = 0;
173 EXPECT_FAIL_NOT_CAPMODE(sendfile_(fd_socket_, fd_file_, &offset, 1));
174
175 // The socket/socketpair syscalls are allowed, but they don't give
176 // anything externally useful (can't call bind/connect on them).
177 int fd_socket2 = socket(PF_INET, SOCK_DGRAM, 0);
178 EXPECT_OK(fd_socket2);
179 if (fd_socket2 >= 0) close(fd_socket2);
180 int fd_pair[2] = {-1, -1};
181 EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, fd_pair));
182 if (fd_pair[0] >= 0) close(fd_pair[0]);
183 if (fd_pair[1] >= 0) close(fd_pair[1]);
184 }
185
FORK_TEST_F(WithFiles,AllowedSocketSyscallsIfRoot)186 FORK_TEST_F(WithFiles, AllowedSocketSyscallsIfRoot) {
187 GTEST_SKIP_IF_NOT_ROOT();
188
189 EXPECT_OK(cap_enter()); // Enter capability mode.
190
191 // Creation of raw sockets is not permitted in capability mode.
192 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, 0));
193 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, IPPROTO_ICMP));
194 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, IPPROTO_TCP));
195 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, IPPROTO_UDP));
196
197 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_ICMP));
198 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6));
199 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_TCP));
200 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_UDP));
201
202 EXPECT_CAPMODE(socket(AF_ROUTE, SOCK_RAW, 0));
203
204 // Interface configuration ioctls are not permitted in capability
205 // mode.
206 //
207 // This test is disabled for now as the corresponding kernel change was
208 // disabled.
209 #if 0
210 #ifdef __FreeBSD__
211 struct if_clonereq req;
212
213 req.ifcr_total = 0;
214 req.ifcr_count = 1;
215 req.ifcr_buffer = static_cast<char *>(malloc(IFNAMSIZ));
216
217 EXPECT_CAPMODE(ioctl(fd_socket_, SIOCIFGCLONERS, &req));
218
219 free(req.ifcr_buffer);
220 #endif
221 #endif
222 }
223
224 #ifdef HAVE_SEND_RECV_MMSG
FORK_TEST(Capmode,AllowedMmsgSendRecv)225 FORK_TEST(Capmode, AllowedMmsgSendRecv) {
226 int fd_socket = socket(PF_INET, SOCK_DGRAM, 0);
227
228 struct sockaddr_in addr;
229 addr.sin_family = AF_INET;
230 addr.sin_port = htons(0);
231 addr.sin_addr.s_addr = htonl(INADDR_ANY);
232 EXPECT_OK(bind(fd_socket, (sockaddr*)&addr, sizeof(addr)));
233
234 EXPECT_OK(cap_enter()); // Enter capability mode.
235
236 char buffer[256] = {0};
237 struct iovec iov;
238 iov.iov_base = buffer;
239 iov.iov_len = sizeof(buffer);
240 struct mmsghdr mm;
241 memset(&mm, 0, sizeof(mm));
242 mm.msg_hdr.msg_iov = &iov;
243 mm.msg_hdr.msg_iovlen = 1;
244 struct timespec ts;
245 ts.tv_sec = 1;
246 ts.tv_nsec = 100;
247 EXPECT_FAIL_NOT_CAPMODE(recvmmsg(fd_socket, &mm, 1, MSG_DONTWAIT, &ts));
248 EXPECT_FAIL_NOT_CAPMODE(sendmmsg(fd_socket, &mm, 1, 0));
249 close(fd_socket);
250 }
251 #endif
252
FORK_TEST(Capmode,AllowedIdentifierSyscalls)253 FORK_TEST(Capmode, AllowedIdentifierSyscalls) {
254 // Record some identifiers
255 gid_t my_gid = getgid();
256 pid_t my_pid = getpid();
257 pid_t my_ppid = getppid();
258 uid_t my_uid = getuid();
259 pid_t my_sid = getsid(my_pid);
260
261 EXPECT_OK(cap_enter()); // Enter capability mode.
262
263 EXPECT_EQ(my_gid, getegid_());
264 EXPECT_EQ(my_uid, geteuid_());
265 EXPECT_EQ(my_gid, getgid_());
266 EXPECT_EQ(my_pid, getpid());
267 EXPECT_EQ(my_ppid, getppid());
268 EXPECT_EQ(my_uid, getuid_());
269 EXPECT_EQ(my_sid, getsid(my_pid));
270 gid_t grps[128];
271 EXPECT_OK(getgroups_(128, grps));
272 uid_t ruid;
273 uid_t euid;
274 uid_t suid;
275 EXPECT_OK(getresuid(&ruid, &euid, &suid));
276 gid_t rgid;
277 gid_t egid;
278 gid_t sgid;
279 EXPECT_OK(getresgid(&rgid, &egid, &sgid));
280 EXPECT_TRUE(getlogin() != NULL);
281
282 // Set various identifiers (to their existing values).
283 EXPECT_OK(setgid(my_gid));
284 EXPECT_OK(setregid(my_gid, my_gid));
285 EXPECT_OK(setresgid(my_gid, my_gid, my_gid));
286 EXPECT_OK(setreuid(my_uid, my_uid));
287 EXPECT_OK(setresuid(my_uid, my_uid, my_uid));
288 EXPECT_OK(setsid());
289 }
290
FORK_TEST(Capmode,AllowedSchedSyscalls)291 FORK_TEST(Capmode, AllowedSchedSyscalls) {
292 EXPECT_OK(cap_enter()); // Enter capability mode.
293 int policy = sched_getscheduler(0);
294 EXPECT_OK(policy);
295 struct sched_param sp;
296 EXPECT_OK(sched_getparam(0, &sp));
297 if (policy >= 0 && (!SCHED_SETSCHEDULER_REQUIRES_ROOT || getuid() == 0)) {
298 EXPECT_OK(sched_setscheduler(0, policy, &sp));
299 }
300 EXPECT_OK(sched_setparam(0, &sp));
301 EXPECT_OK(sched_get_priority_max(policy));
302 EXPECT_OK(sched_get_priority_min(policy));
303 struct timespec ts;
304 EXPECT_OK(sched_rr_get_interval(0, &ts));
305 EXPECT_OK(sched_yield());
306 }
307
308
FORK_TEST(Capmode,AllowedTimerSyscalls)309 FORK_TEST(Capmode, AllowedTimerSyscalls) {
310 EXPECT_OK(cap_enter()); // Enter capability mode.
311 struct timespec ts;
312 EXPECT_OK(clock_getres(CLOCK_REALTIME, &ts));
313 EXPECT_OK(clock_gettime(CLOCK_REALTIME, &ts));
314 struct itimerval itv;
315 EXPECT_OK(getitimer(ITIMER_REAL, &itv));
316 EXPECT_OK(setitimer(ITIMER_REAL, &itv, NULL));
317 struct timeval tv;
318 struct timezone tz;
319 EXPECT_OK(gettimeofday(&tv, &tz));
320 ts.tv_sec = 0;
321 ts.tv_nsec = 1;
322 EXPECT_OK(nanosleep(&ts, NULL));
323 }
324
325
FORK_TEST(Capmode,AllowedProfilSyscall)326 FORK_TEST(Capmode, AllowedProfilSyscall) {
327 EXPECT_OK(cap_enter()); // Enter capability mode.
328 char sbuf[32];
329 EXPECT_OK(profil((profil_arg1_t*)sbuf, sizeof(sbuf), 0, 1));
330 }
331
332
FORK_TEST(Capmode,AllowedResourceSyscalls)333 FORK_TEST(Capmode, AllowedResourceSyscalls) {
334 EXPECT_OK(cap_enter()); // Enter capability mode.
335 errno = 0;
336 int rc = getpriority(PRIO_PROCESS, 0);
337 EXPECT_EQ(0, errno);
338 EXPECT_OK(setpriority(PRIO_PROCESS, 0, rc));
339 struct rlimit rlim;
340 EXPECT_OK(getrlimit_(RLIMIT_CORE, &rlim));
341 EXPECT_OK(setrlimit(RLIMIT_CORE, &rlim));
342 struct rusage ruse;
343 EXPECT_OK(getrusage(RUSAGE_SELF, &ruse));
344 }
345
FORK_TEST(CapMode,AllowedMmapSyscalls)346 FORK_TEST(CapMode, AllowedMmapSyscalls) {
347 // mmap() some memory.
348 size_t mem_size = getpagesize();
349 void *mem = mmap(NULL, mem_size, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
350 EXPECT_TRUE(mem != NULL);
351 EXPECT_OK(cap_enter()); // Enter capability mode.
352
353 EXPECT_OK(msync(mem, mem_size, MS_ASYNC));
354 EXPECT_OK(madvise(mem, mem_size, MADV_NORMAL));
355 unsigned char vec[2];
356 EXPECT_OK(mincore_(mem, mem_size, vec));
357 EXPECT_OK(mprotect(mem, mem_size, PROT_READ|PROT_WRITE));
358
359 if (!MLOCK_REQUIRES_ROOT || getuid() == 0) {
360 EXPECT_OK(mlock(mem, mem_size));
361 EXPECT_OK(munlock(mem, mem_size));
362 int rc = mlockall(MCL_CURRENT);
363 if (rc != 0) {
364 // mlockall may well fail with ENOMEM for non-root users, as the
365 // default RLIMIT_MEMLOCK value isn't that big.
366 EXPECT_NE(ECAPMODE, errno);
367 }
368 EXPECT_OK(munlockall());
369 }
370 // Unmap the memory.
371 EXPECT_OK(munmap(mem, mem_size));
372 }
373
FORK_TEST(Capmode,AllowedPipeSyscalls)374 FORK_TEST(Capmode, AllowedPipeSyscalls) {
375 EXPECT_OK(cap_enter()); // Enter capability mode
376 int fd2[2];
377 int rc = pipe(fd2);
378 EXPECT_EQ(0, rc);
379
380 if (rc == 0) {
381 close(fd2[0]);
382 close(fd2[1]);
383 };
384 #ifdef HAVE_PIPE2
385 rc = pipe2(fd2, 0);
386 EXPECT_EQ(0, rc);
387 if (rc == 0) {
388 close(fd2[0]);
389 close(fd2[1]);
390 };
391 #endif
392 }
393
TEST(Capmode,AllowedAtSyscalls)394 TEST(Capmode, AllowedAtSyscalls) {
395 int rc = mkdir(TmpFile("cap_at_syscalls"), 0755);
396 EXPECT_OK(rc);
397 if (rc < 0 && errno != EEXIST) return;
398 int dfd = open(TmpFile("cap_at_syscalls"), O_RDONLY);
399 EXPECT_OK(dfd);
400
401 int file = openat(dfd, "testfile", O_RDONLY|O_CREAT, 0644);
402 EXPECT_OK(file);
403 EXPECT_OK(close(file));
404
405
406 pid_t child = fork();
407 if (child == 0) {
408 // Child: enter cap mode and run tests
409 EXPECT_OK(cap_enter()); // Enter capability mode
410
411 struct stat fs;
412 EXPECT_OK(fstatat(dfd, "testfile", &fs, 0));
413 EXPECT_OK(mkdirat(dfd, "subdir", 0600));
414 EXPECT_OK(fchmodat(dfd, "subdir", 0644, 0));
415 EXPECT_OK(faccessat(dfd, "subdir", F_OK, 0));
416 EXPECT_OK(renameat(dfd, "subdir", dfd, "subdir2"));
417 EXPECT_OK(renameat(dfd, "subdir2", dfd, "subdir"));
418 struct timeval tv[2];
419 struct timezone tz;
420 EXPECT_OK(gettimeofday(&tv[0], &tz));
421 EXPECT_OK(gettimeofday(&tv[1], &tz));
422 EXPECT_OK(futimesat(dfd, "testfile", tv));
423
424 EXPECT_OK(fchownat(dfd, "testfile", fs.st_uid, fs.st_gid, 0));
425 EXPECT_OK(linkat(dfd, "testfile", dfd, "linky", 0));
426 EXPECT_OK(symlinkat("testfile", dfd, "symlink"));
427 char buffer[256];
428 EXPECT_OK(readlinkat(dfd, "symlink", buffer, sizeof(buffer)));
429 EXPECT_OK(unlinkat(dfd, "linky", 0));
430 EXPECT_OK(unlinkat(dfd, "subdir", AT_REMOVEDIR));
431
432 // Check that invalid requests get a non-Capsicum errno.
433 errno = 0;
434 rc = readlinkat(-1, "symlink", buffer, sizeof(buffer));
435 EXPECT_GE(0, rc);
436 EXPECT_NE(ECAPMODE, errno);
437
438 exit(HasFailure());
439 }
440
441 // Wait for the child.
442 int status;
443 EXPECT_EQ(child, waitpid(child, &status, 0));
444 rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
445 EXPECT_EQ(0, rc);
446
447 // Tidy up.
448 close(dfd);
449 rmdir(TmpFile("cap_at_syscalls/subdir"));
450 unlink(TmpFile("cap_at_syscalls/symlink"));
451 unlink(TmpFile("cap_at_syscalls/linky"));
452 unlink(TmpFile("cap_at_syscalls/testfile"));
453 rmdir(TmpFile("cap_at_syscalls"));
454 }
455
TEST(Capmode,AllowedAtSyscallsCwd)456 TEST(Capmode, AllowedAtSyscallsCwd) {
457 int rc = mkdir(TmpFile("cap_at_syscalls_cwd"), 0755);
458 EXPECT_OK(rc);
459 if (rc < 0 && errno != EEXIST) return;
460 int dfd = open(TmpFile("cap_at_syscalls_cwd"), O_RDONLY);
461 EXPECT_OK(dfd);
462
463 int file = openat(dfd, "testfile", O_RDONLY|O_CREAT, 0644);
464 EXPECT_OK(file);
465 EXPECT_OK(close(file));
466
467 pid_t child = fork();
468 if (child == 0) {
469 // Child: move into temp dir, enter cap mode and run tests
470 EXPECT_OK(fchdir(dfd));
471 EXPECT_OK(cap_enter()); // Enter capability mode
472
473 // Test that *at(AT_FDCWD, path,...) is policed with ECAPMODE.
474 EXPECT_CAPMODE(openat(AT_FDCWD, "testfile", O_RDONLY));
475 struct stat fs;
476 EXPECT_CAPMODE(fstatat(AT_FDCWD, "testfile", &fs, 0));
477 EXPECT_CAPMODE(mkdirat(AT_FDCWD, "subdir", 0600));
478 EXPECT_CAPMODE(fchmodat(AT_FDCWD, "subdir", 0644, 0));
479 EXPECT_CAPMODE(faccessat(AT_FDCWD, "subdir", F_OK, 0));
480 EXPECT_CAPMODE(renameat(AT_FDCWD, "subdir", AT_FDCWD, "subdir2"));
481 EXPECT_CAPMODE(renameat(AT_FDCWD, "subdir2", AT_FDCWD, "subdir"));
482 struct timeval tv[2];
483 struct timezone tz;
484 EXPECT_OK(gettimeofday(&tv[0], &tz));
485 EXPECT_OK(gettimeofday(&tv[1], &tz));
486 EXPECT_CAPMODE(futimesat(AT_FDCWD, "testfile", tv));
487
488 EXPECT_CAPMODE(fchownat(AT_FDCWD, "testfile", fs.st_uid, fs.st_gid, 0));
489 EXPECT_CAPMODE(linkat(AT_FDCWD, "testfile", AT_FDCWD, "linky", 0));
490 EXPECT_CAPMODE(symlinkat("testfile", AT_FDCWD, "symlink"));
491 char buffer[256];
492 EXPECT_CAPMODE(readlinkat(AT_FDCWD, "symlink", buffer, sizeof(buffer)));
493 EXPECT_CAPMODE(unlinkat(AT_FDCWD, "linky", 0));
494
495 exit(HasFailure());
496 }
497
498 // Wait for the child.
499 int status;
500 EXPECT_EQ(child, waitpid(child, &status, 0));
501 rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
502 EXPECT_EQ(0, rc);
503
504 // Tidy up.
505 close(dfd);
506 rmdir(TmpFile("cap_at_syscalls_cwd/subdir"));
507 unlink(TmpFile("cap_at_syscalls_cwd/symlink"));
508 unlink(TmpFile("cap_at_syscalls_cwd/linky"));
509 unlink(TmpFile("cap_at_syscalls_cwd/testfile"));
510 rmdir(TmpFile("cap_at_syscalls_cwd"));
511 }
512
TEST(Capmode,Abort)513 TEST(Capmode, Abort) {
514 // Check that abort(3) works even in capability mode.
515 pid_t child = fork();
516 if (child == 0) {
517 // Child: enter capability mode and call abort(3).
518 // Triggers something like kill(getpid(), SIGABRT).
519 cap_enter(); // Enter capability mode.
520 abort();
521 exit(99);
522 }
523 int status;
524 EXPECT_EQ(child, waitpid(child, &status, 0));
525 EXPECT_TRUE(WIFSIGNALED(status)) << " status = " << std::hex << status;
526 EXPECT_EQ(SIGABRT, WTERMSIG(status)) << " status = " << std::hex << status;
527 }
528
FORK_TEST_F(WithFiles,AllowedMiscSyscalls)529 FORK_TEST_F(WithFiles, AllowedMiscSyscalls) {
530 umask(022);
531 mode_t um_before = umask(022);
532 int pipefds[2];
533 EXPECT_OK(pipe(pipefds));
534 EXPECT_OK(cap_enter()); // Enter capability mode.
535
536 mode_t um = umask(022);
537 EXPECT_NE(-ECAPMODE, (int)um);
538 EXPECT_EQ(um_before, um);
539 stack_t ss;
540 EXPECT_OK(sigaltstack(NULL, &ss));
541
542 // Finally, tests for system calls that don't fit the pattern very well.
543 pid_t pid = fork();
544 EXPECT_OK(pid);
545 if (pid == 0) {
546 // Child: wait for an exit message from parent (so we can test waitpid).
547 EXPECT_OK(close(pipefds[0]));
548 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED);
549 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT);
550 exit(0);
551 } else if (pid > 0) {
552 EXPECT_OK(close(pipefds[1]));
553 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED);
554 errno = 0;
555 EXPECT_CAPMODE(ptrace_(PTRACE_PEEKDATA_, pid, &pid, NULL));
556 SEND_INT_MESSAGE(pipefds[0], MSG_PARENT_REQUEST_CHILD_EXIT);
557 if (verbose) fprintf(stderr, " child finished\n");
558 }
559
560 // No error return from sync(2) to test, but check errno remains unset.
561 errno = 0;
562 sync();
563 EXPECT_EQ(0, errno);
564
565 // TODO(FreeBSD): ktrace
566
567 // sysarch() is, by definition, architecture-dependent
568 #if defined (__amd64__) || defined (__i386__)
569 long sysarch_arg = 0;
570 EXPECT_CAPMODE(sysarch(I386_SET_IOPERM, &sysarch_arg));
571 #else
572 // TOOD(jra): write a test for other architectures, like arm
573 #endif
574 }
575
thread_fn(void * p)576 void *thread_fn(void *p) {
577 int fd = (int)(intptr_t)p;
578 if (verbose) fprintf(stderr, " thread waiting to run\n");
579 AWAIT_INT_MESSAGE(fd, MSG_PARENT_CHILD_SHOULD_RUN);
580 EXPECT_OK(getpid());
581 EXPECT_CAPMODE(open("/dev/null", O_RDWR));
582 // Return whether there have been any failures to the main thread.
583 void *rval = (void *)(intptr_t)testing::Test::HasFailure();
584 if (verbose) fprintf(stderr, " thread finished: %p\n", rval);
585 return rval;
586 }
587
588 // Check that restrictions are the same in subprocesses and threads
FORK_TEST(Capmode,NewThread)589 FORK_TEST(Capmode, NewThread) {
590 // Fire off a new thread before entering capability mode
591 pthread_t early_thread;
592 void *thread_rval;
593 // Create two pipes, one for synchronization with the threads, the other to
594 // synchronize with the children (since we can't use waitpid after cap_enter).
595 // Note: Could use pdfork+pdwait instead, but that is tested in procdesc.cc.
596 int thread_pipe[2];
597 EXPECT_OK(pipe(thread_pipe));
598 int proc_pipe[2];
599 EXPECT_OK(pipe(proc_pipe));
600 EXPECT_OK(pthread_create(&early_thread, NULL, thread_fn,
601 (void *)(intptr_t)thread_pipe[1]));
602
603 // Fire off a new process before entering capability mode.
604 if (verbose) fprintf(stderr, " starting second child (non-capability mode)\n");
605 int early_child = fork();
606 EXPECT_OK(early_child);
607 if (early_child == 0) {
608 if (verbose) fprintf(stderr, " first child started\n");
609 EXPECT_OK(close(proc_pipe[0]));
610 // Child: wait and then confirm this process is unaffected by capability mode in the parent.
611 AWAIT_INT_MESSAGE(proc_pipe[1], MSG_PARENT_CHILD_SHOULD_RUN);
612 int fd = open("/dev/null", O_RDWR);
613 EXPECT_OK(fd);
614 close(fd);
615 // Notify the parent of success/failure.
616 int rval = (int)testing::Test::HasFailure();
617 SEND_INT_MESSAGE(proc_pipe[1], rval);
618 if (verbose) fprintf(stderr, " first child finished: %d\n", rval);
619 exit(rval);
620 }
621
622 EXPECT_OK(cap_enter()); // Enter capability mode.
623 // At this point the current process has both a child process and a
624 // child thread that were created before entering capability mode.
625 // - The child process is unaffected by capability mode.
626 // - The child thread is affected by capability mode.
627 SEND_INT_MESSAGE(proc_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN);
628
629 // Do an allowed syscall.
630 EXPECT_OK(getpid());
631 // Wait for the first child to exit (should get a zero exit code message).
632 AWAIT_INT_MESSAGE(proc_pipe[0], 0);
633
634 // The child processes/threads return HasFailure(), so we depend on no prior errors.
635 ASSERT_FALSE(testing::Test::HasFailure())
636 << "Cannot continue test with pre-existing failures.";
637 // Now that we're in capability mode, if we create a second child process
638 // it will be affected by capability mode.
639 if (verbose) fprintf(stderr, " starting second child (in capability mode)\n");
640 int child = fork();
641 EXPECT_OK(child);
642 if (child == 0) {
643 if (verbose) fprintf(stderr, " second child started\n");
644 EXPECT_OK(close(proc_pipe[0]));
645 // Child: do an allowed and a disallowed syscall.
646 EXPECT_OK(getpid());
647 EXPECT_CAPMODE(open("/dev/null", O_RDWR));
648 // Notify the parent of success/failure.
649 int rval = (int)testing::Test::HasFailure();
650 SEND_INT_MESSAGE(proc_pipe[1], rval);
651 if (verbose) fprintf(stderr, " second child finished: %d\n", rval);
652 exit(rval);
653 }
654 // Now tell the early_started thread that it can run. We expect it to also
655 // be affected by capability mode since it's per-process not per-thread.
656 // Note: it is important that we don't allow the thread to run before fork(),
657 // since that could result in fork() being called while the thread holds one
658 // of the gtest-internal mutexes, so the child process deadlocks.
659 SEND_INT_MESSAGE(thread_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN);
660 // Wait for the early-started thread.
661 EXPECT_OK(pthread_join(early_thread, &thread_rval));
662 EXPECT_FALSE((bool)(intptr_t)thread_rval) << "thread returned failure";
663
664 // Wait for the second child to exit (should get a zero exit code message).
665 AWAIT_INT_MESSAGE(proc_pipe[0], 0);
666
667 // Fire off a new (second) child thread, which is also affected by capability mode.
668 ASSERT_FALSE(testing::Test::HasFailure())
669 << "Cannot continue test with pre-existing failures.";
670 pthread_t child_thread;
671 EXPECT_OK(pthread_create(&child_thread, NULL, thread_fn,
672 (void *)(intptr_t)thread_pipe[1]));
673 SEND_INT_MESSAGE(thread_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN);
674 EXPECT_OK(pthread_join(child_thread, &thread_rval));
675 EXPECT_FALSE((bool)(intptr_t)thread_rval) << "thread returned failure";
676
677 // Fork a subprocess which fires off a new thread.
678 ASSERT_FALSE(testing::Test::HasFailure())
679 << "Cannot continue test with pre-existing failures.";
680 if (verbose) fprintf(stderr, " starting third child (in capability mode)\n");
681 child = fork();
682 EXPECT_OK(child);
683 if (child == 0) {
684 if (verbose) fprintf(stderr, " third child started\n");
685 EXPECT_OK(close(proc_pipe[0]));
686 pthread_t child_thread2;
687 EXPECT_OK(pthread_create(&child_thread2, NULL, thread_fn,
688 (void *)(intptr_t)thread_pipe[1]));
689 SEND_INT_MESSAGE(thread_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN);
690 EXPECT_OK(pthread_join(child_thread2, &thread_rval));
691 EXPECT_FALSE((bool)(intptr_t)thread_rval) << "thread returned failure";
692 // Notify the parent of success/failure.
693 int rval = (int)testing::Test::HasFailure();
694 SEND_INT_MESSAGE(proc_pipe[1], rval);
695 if (verbose) fprintf(stderr, " third child finished: %d\n", rval);
696 exit(rval);
697 }
698 // Wait for the third child to exit (should get a zero exit code message).
699 AWAIT_INT_MESSAGE(proc_pipe[0], 0);
700 close(proc_pipe[0]);
701 close(proc_pipe[1]);
702 close(thread_pipe[0]);
703 close(thread_pipe[1]);
704 }
705
706 static volatile sig_atomic_t had_signal = 0;
handle_signal(int)707 static void handle_signal(int) { had_signal = 1; }
708
FORK_TEST(Capmode,SelfKill)709 FORK_TEST(Capmode, SelfKill) {
710 pid_t me = getpid();
711 sighandler_t original = signal(SIGUSR1, handle_signal);
712
713 pid_t child = fork();
714 if (child == 0) {
715 // Child: sleep and exit
716 sleep(1);
717 exit(0);
718 }
719
720 EXPECT_OK(cap_enter()); // Enter capability mode.
721
722 // Can only kill(2) to own pid.
723 EXPECT_CAPMODE(kill(child, SIGUSR1));
724 EXPECT_OK(kill(me, SIGUSR1));
725 EXPECT_EQ(1, had_signal);
726
727 signal(SIGUSR1, original);
728 }
729