1 // Tests for socket functionality. 2 #include <sys/types.h> 3 #include <sys/socket.h> 4 #include <sys/un.h> 5 #include <netinet/in.h> 6 #include <arpa/inet.h> 7 #include <unistd.h> 8 9 #include <string> 10 11 #include "capsicum.h" 12 #include "syscalls.h" 13 #include "capsicum-test.h" 14 TEST(Socket,UnixDomain)15 TEST(Socket, UnixDomain) { 16 const char* socketName = TmpFile("capsicum-test.socket"); 17 unlink(socketName); 18 cap_rights_t r_rw; 19 cap_rights_init(&r_rw, CAP_READ, CAP_WRITE); 20 cap_rights_t r_all; 21 cap_rights_init(&r_all, CAP_READ, CAP_WRITE, CAP_SOCK_CLIENT, CAP_SOCK_SERVER); 22 23 int pipefds[2]; 24 EXPECT_EQ(0, pipe(pipefds)); 25 pid_t child = fork(); 26 if (child == 0) { 27 // Child process: wait for server setup 28 close(pipefds[0]); 29 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_CHILD_SHOULD_RUN); 30 31 // Create sockets 32 int sock = socket(AF_UNIX, SOCK_STREAM, 0); 33 EXPECT_OK(sock); 34 if (sock < 0) return; 35 36 int cap_sock_rw = dup(sock); 37 EXPECT_OK(cap_sock_rw); 38 EXPECT_OK(cap_rights_limit(cap_sock_rw, &r_rw)); 39 int cap_sock_all = dup(sock); 40 EXPECT_OK(cap_sock_all); 41 EXPECT_OK(cap_rights_limit(cap_sock_all, &r_all)); 42 EXPECT_OK(close(sock)); 43 44 // Connect socket 45 struct sockaddr_un un; 46 memset(&un, 0, sizeof(un)); 47 un.sun_family = AF_UNIX; 48 strcpy(un.sun_path, socketName); 49 socklen_t len = sizeof(un); 50 EXPECT_NOTCAPABLE(connect_(cap_sock_rw, (struct sockaddr *)&un, len)); 51 EXPECT_OK(connect_(cap_sock_all, (struct sockaddr *)&un, len)); 52 53 exit(HasFailure()); 54 } 55 56 int sock = socket(AF_UNIX, SOCK_STREAM, 0); 57 EXPECT_OK(sock); 58 if (sock < 0) return; 59 60 int cap_sock_rw = dup(sock); 61 EXPECT_OK(cap_sock_rw); 62 EXPECT_OK(cap_rights_limit(cap_sock_rw, &r_rw)); 63 int cap_sock_all = dup(sock); 64 EXPECT_OK(cap_sock_all); 65 EXPECT_OK(cap_rights_limit(cap_sock_all, &r_all)); 66 EXPECT_OK(close(sock)); 67 68 struct sockaddr_un un; 69 memset(&un, 0, sizeof(un)); 70 un.sun_family = AF_UNIX; 71 strcpy(un.sun_path, socketName); 72 socklen_t len = (sizeof(un) - sizeof(un.sun_path) + strlen(un.sun_path)); 73 74 // Can only bind the fully-capable socket. 75 EXPECT_NOTCAPABLE(bind_(cap_sock_rw, (struct sockaddr *)&un, len)); 76 EXPECT_OK(bind_(cap_sock_all, (struct sockaddr *)&un, len)); 77 78 // Can only listen on the fully-capable socket. 79 EXPECT_NOTCAPABLE(listen(cap_sock_rw, 3)); 80 EXPECT_OK(listen(cap_sock_all, 3)); 81 82 // Can only do socket operations on the fully-capable socket. 83 len = sizeof(un); 84 EXPECT_NOTCAPABLE(getsockname(cap_sock_rw, (struct sockaddr*)&un, &len)); 85 int value = 0; 86 EXPECT_NOTCAPABLE(setsockopt(cap_sock_rw, SOL_SOCKET, SO_DEBUG, &value, sizeof(value))); 87 len = sizeof(value); 88 EXPECT_NOTCAPABLE(getsockopt(cap_sock_rw, SOL_SOCKET, SO_DEBUG, &value, &len)); 89 90 len = sizeof(un); 91 memset(&un, 0, sizeof(un)); 92 EXPECT_OK(getsockname(cap_sock_all, (struct sockaddr*)&un, &len)); 93 EXPECT_EQ(AF_UNIX, un.sun_family); 94 EXPECT_EQ(std::string(socketName), std::string(un.sun_path)); 95 value = 0; 96 EXPECT_OK(setsockopt(cap_sock_all, SOL_SOCKET, SO_DEBUG, &value, sizeof(value))); 97 len = sizeof(value); 98 EXPECT_OK(getsockopt(cap_sock_all, SOL_SOCKET, SO_DEBUG, &value, &len)); 99 100 // Tell the child process that we are ready and accept the incoming connection. 101 EXPECT_OK(close(pipefds[1])); 102 SEND_INT_MESSAGE(pipefds[0], MSG_PARENT_CHILD_SHOULD_RUN); 103 len = sizeof(un); 104 memset(&un, 0, sizeof(un)); 105 EXPECT_NOTCAPABLE(accept(cap_sock_rw, (struct sockaddr *)&un, &len)); 106 int conn_fd = accept(cap_sock_all, (struct sockaddr *)&un, &len); 107 EXPECT_OK(conn_fd); 108 109 #ifdef CAP_FROM_ACCEPT 110 // New connection should also be a capability. 111 cap_rights_t rights; 112 cap_rights_init(&rights, 0); 113 EXPECT_OK(cap_rights_get(conn_fd, &rights)); 114 EXPECT_RIGHTS_IN(&rights, &r_all); 115 #endif 116 117 // Wait for the child. 118 int status; 119 EXPECT_EQ(child, waitpid(child, &status, 0)); 120 int rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1; 121 EXPECT_EQ(0, rc); 122 123 close(conn_fd); 124 close(cap_sock_rw); 125 close(cap_sock_all); 126 unlink(socketName); 127 } 128 TEST(Socket,TCP)129 TEST(Socket, TCP) { 130 int sock = socket(AF_INET, SOCK_STREAM, 0); 131 EXPECT_OK(sock); 132 if (sock < 0) return; 133 134 cap_rights_t r_rw; 135 cap_rights_init(&r_rw, CAP_READ, CAP_WRITE); 136 cap_rights_t r_all; 137 cap_rights_init(&r_all, CAP_READ, CAP_WRITE, CAP_SOCK_CLIENT, CAP_SOCK_SERVER); 138 139 int cap_sock_rw = dup(sock); 140 EXPECT_OK(cap_sock_rw); 141 EXPECT_OK(cap_rights_limit(cap_sock_rw, &r_rw)); 142 int cap_sock_all = dup(sock); 143 EXPECT_OK(cap_sock_all); 144 EXPECT_OK(cap_rights_limit(cap_sock_all, &r_all)); 145 close(sock); 146 147 struct sockaddr_in addr; 148 memset(&addr, 0, sizeof(addr)); 149 addr.sin_family = AF_INET; 150 addr.sin_port = htons(0); 151 addr.sin_addr.s_addr = htonl(INADDR_ANY); 152 socklen_t len = sizeof(addr); 153 154 // Can only bind the fully-capable socket. 155 EXPECT_NOTCAPABLE(bind_(cap_sock_rw, (struct sockaddr *)&addr, len)); 156 EXPECT_OK(bind_(cap_sock_all, (struct sockaddr *)&addr, len)); 157 158 getsockname(cap_sock_all, (struct sockaddr *)&addr, &len); 159 int port = ntohs(addr.sin_port); 160 161 int pipefds[2]; 162 EXPECT_EQ(0, pipe(pipefds)); 163 // Now we know the port involved, fork off a child. 164 pid_t child = fork(); 165 if (child == 0) { 166 // Child process: wait for server setup 167 close(pipefds[0]); 168 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_CHILD_SHOULD_RUN); 169 170 // Create sockets 171 int sock = socket(AF_INET, SOCK_STREAM, 0); 172 EXPECT_OK(sock); 173 if (sock < 0) return; 174 int cap_sock_rw = dup(sock); 175 EXPECT_OK(cap_sock_rw); 176 EXPECT_OK(cap_rights_limit(cap_sock_rw, &r_rw)); 177 int cap_sock_all = dup(sock); 178 EXPECT_OK(cap_sock_all); 179 EXPECT_OK(cap_rights_limit(cap_sock_all, &r_all)); 180 close(sock); 181 182 // Connect socket 183 struct sockaddr_in addr; 184 memset(&addr, 0, sizeof(addr)); 185 addr.sin_family = AF_INET; 186 addr.sin_port = htons(port); // Pick unused port 187 addr.sin_addr.s_addr = inet_addr("127.0.0.1"); 188 socklen_t len = sizeof(addr); 189 EXPECT_NOTCAPABLE(connect_(cap_sock_rw, (struct sockaddr *)&addr, len)); 190 EXPECT_OK(connect_(cap_sock_all, (struct sockaddr *)&addr, len)); 191 192 exit(HasFailure()); 193 } 194 195 // Can only listen on the fully-capable socket. 196 EXPECT_NOTCAPABLE(listen(cap_sock_rw, 3)); 197 EXPECT_OK(listen(cap_sock_all, 3)); 198 199 // Can only do socket operations on the fully-capable socket. 200 len = sizeof(addr); 201 EXPECT_NOTCAPABLE(getsockname(cap_sock_rw, (struct sockaddr*)&addr, &len)); 202 int value = 1; 203 EXPECT_NOTCAPABLE(setsockopt(cap_sock_rw, SOL_SOCKET, SO_REUSEPORT, &value, sizeof(value))); 204 len = sizeof(value); 205 EXPECT_NOTCAPABLE(getsockopt(cap_sock_rw, SOL_SOCKET, SO_REUSEPORT, &value, &len)); 206 207 len = sizeof(addr); 208 memset(&addr, 0, sizeof(addr)); 209 EXPECT_OK(getsockname(cap_sock_all, (struct sockaddr*)&addr, &len)); 210 EXPECT_EQ(AF_INET, addr.sin_family); 211 EXPECT_EQ(htons(port), addr.sin_port); 212 value = 0; 213 EXPECT_OK(setsockopt(cap_sock_all, SOL_SOCKET, SO_REUSEPORT, &value, sizeof(value))); 214 len = sizeof(value); 215 EXPECT_OK(getsockopt(cap_sock_all, SOL_SOCKET, SO_REUSEPORT, &value, &len)); 216 217 // Tell the child process that we are ready and accept the incoming connection. 218 EXPECT_OK(close(pipefds[1])); 219 SEND_INT_MESSAGE(pipefds[0], MSG_PARENT_CHILD_SHOULD_RUN); 220 len = sizeof(addr); 221 memset(&addr, 0, sizeof(addr)); 222 EXPECT_NOTCAPABLE(accept(cap_sock_rw, (struct sockaddr *)&addr, &len)); 223 int conn_fd = accept(cap_sock_all, (struct sockaddr *)&addr, &len); 224 EXPECT_OK(conn_fd); 225 226 #ifdef CAP_FROM_ACCEPT 227 // New connection should also be a capability. 228 cap_rights_t rights; 229 cap_rights_init(&rights, 0); 230 EXPECT_OK(cap_rights_get(conn_fd, &rights)); 231 EXPECT_RIGHTS_IN(&rights, &r_all); 232 #endif 233 234 // Wait for the child. 235 int status; 236 EXPECT_EQ(child, waitpid(child, &status, 0)); 237 int rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1; 238 EXPECT_EQ(0, rc); 239 240 close(conn_fd); 241 close(cap_sock_rw); 242 close(cap_sock_all); 243 } 244 TEST(Socket,UDP)245 TEST(Socket, UDP) { 246 int sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); 247 EXPECT_OK(sock); 248 if (sock < 0) return; 249 250 cap_rights_t r_rw; 251 cap_rights_init(&r_rw, CAP_READ, CAP_WRITE); 252 cap_rights_t r_all; 253 cap_rights_init(&r_all, CAP_READ, CAP_WRITE, CAP_SOCK_CLIENT, CAP_SOCK_SERVER); 254 cap_rights_t r_connect; 255 cap_rights_init(&r_connect, CAP_READ, CAP_WRITE, CAP_CONNECT); 256 257 int cap_sock_rw = dup(sock); 258 EXPECT_OK(cap_sock_rw); 259 EXPECT_OK(cap_rights_limit(cap_sock_rw, &r_rw)); 260 int cap_sock_all = dup(sock); 261 EXPECT_OK(cap_sock_all); 262 EXPECT_OK(cap_rights_limit(cap_sock_all, &r_all)); 263 close(sock); 264 265 struct sockaddr_in addr; 266 memset(&addr, 0, sizeof(addr)); 267 addr.sin_family = AF_INET; 268 addr.sin_port = htons(0); 269 addr.sin_addr.s_addr = htonl(INADDR_ANY); 270 socklen_t len = sizeof(addr); 271 272 // Can only bind the fully-capable socket. 273 EXPECT_NOTCAPABLE(bind_(cap_sock_rw, (struct sockaddr *)&addr, len)); 274 EXPECT_OK(bind_(cap_sock_all, (struct sockaddr *)&addr, len)); 275 getsockname(cap_sock_all, (struct sockaddr *)&addr, &len); 276 int port = ntohs(addr.sin_port); 277 278 // Can only do socket operations on the fully-capable socket. 279 len = sizeof(addr); 280 EXPECT_NOTCAPABLE(getsockname(cap_sock_rw, (struct sockaddr*)&addr, &len)); 281 int value = 1; 282 EXPECT_NOTCAPABLE(setsockopt(cap_sock_rw, SOL_SOCKET, SO_REUSEPORT, &value, sizeof(value))); 283 len = sizeof(value); 284 EXPECT_NOTCAPABLE(getsockopt(cap_sock_rw, SOL_SOCKET, SO_REUSEPORT, &value, &len)); 285 286 len = sizeof(addr); 287 memset(&addr, 0, sizeof(addr)); 288 EXPECT_OK(getsockname(cap_sock_all, (struct sockaddr*)&addr, &len)); 289 EXPECT_EQ(AF_INET, addr.sin_family); 290 EXPECT_EQ(htons(port), addr.sin_port); 291 value = 1; 292 EXPECT_OK(setsockopt(cap_sock_all, SOL_SOCKET, SO_REUSEPORT, &value, sizeof(value))); 293 len = sizeof(value); 294 EXPECT_OK(getsockopt(cap_sock_all, SOL_SOCKET, SO_REUSEPORT, &value, &len)); 295 296 pid_t child = fork(); 297 if (child == 0) { 298 int sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); 299 EXPECT_OK(sock); 300 int cap_sock_rw = dup(sock); 301 EXPECT_OK(cap_sock_rw); 302 EXPECT_OK(cap_rights_limit(cap_sock_rw, &r_rw)); 303 int cap_sock_connect = dup(sock); 304 EXPECT_OK(cap_sock_connect); 305 EXPECT_OK(cap_rights_limit(cap_sock_connect, &r_connect)); 306 close(sock); 307 308 // Can only sendmsg(2) to an address over a socket with CAP_CONNECT. 309 unsigned char buffer[256]; 310 struct iovec iov; 311 memset(&iov, 0, sizeof(iov)); 312 iov.iov_base = buffer; 313 iov.iov_len = sizeof(buffer); 314 315 struct msghdr mh; 316 memset(&mh, 0, sizeof(mh)); 317 mh.msg_iov = &iov; 318 mh.msg_iovlen = 1; 319 320 struct sockaddr_in addr; 321 memset(&addr, 0, sizeof(addr)); 322 addr.sin_family = AF_INET; 323 addr.sin_port = htons(port); 324 addr.sin_addr.s_addr = inet_addr("127.0.0.1"); 325 mh.msg_name = &addr; 326 mh.msg_namelen = sizeof(addr); 327 328 EXPECT_NOTCAPABLE(sendmsg(cap_sock_rw, &mh, 0)); 329 EXPECT_OK(sendmsg(cap_sock_connect, &mh, 0)); 330 331 #ifdef HAVE_SEND_RECV_MMSG 332 struct mmsghdr mv; 333 memset(&mv, 0, sizeof(mv)); 334 memcpy(&mv.msg_hdr, &mh, sizeof(struct msghdr)); 335 EXPECT_NOTCAPABLE(sendmmsg(cap_sock_rw, &mv, 1, 0)); 336 EXPECT_OK(sendmmsg(cap_sock_connect, &mv, 1, 0)); 337 #endif 338 close(cap_sock_rw); 339 close(cap_sock_connect); 340 exit(HasFailure()); 341 } 342 // Wait for the child. 343 int status; 344 EXPECT_EQ(child, waitpid(child, &status, 0)); 345 int rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1; 346 EXPECT_EQ(0, rc); 347 348 close(cap_sock_rw); 349 close(cap_sock_all); 350 } 351