1 // Test routines to make sure a variety of system calls are or are not 2 // available in capability mode. The goal is not to see if they work, just 3 // whether or not they return the expected ECAPMODE. 4 #include <sys/types.h> 5 #include <sys/socket.h> 6 #ifdef __FreeBSD__ 7 #include <sys/sockio.h> 8 #endif 9 #include <sys/stat.h> 10 #include <sys/mount.h> 11 #include <sys/mman.h> 12 #include <sys/wait.h> 13 #include <sys/time.h> 14 #include <sys/resource.h> 15 #include <sys/ptrace.h> 16 #include <dirent.h> 17 #include <net/if.h> 18 #include <netinet/in.h> 19 #include <fcntl.h> 20 #include <sched.h> 21 #include <time.h> 22 #include <unistd.h> 23 #include <pthread.h> 24 25 #include "capsicum.h" 26 #include "syscalls.h" 27 #include "capsicum-test.h" 28 29 // Test fixture that opens (and closes) a bunch of files. 30 class WithFiles : public ::testing::Test { 31 public: 32 WithFiles() : 33 fd_file_(open(TmpFile("cap_capmode"), O_RDWR|O_CREAT, 0644)), 34 fd_close_(open("/dev/null", O_RDWR)), 35 fd_dir_(open(tmpdir.c_str(), O_RDONLY)), 36 fd_socket_(socket(PF_INET, SOCK_DGRAM, 0)), 37 fd_tcp_socket_(socket(PF_INET, SOCK_STREAM, 0)) { 38 EXPECT_OK(fd_file_); 39 EXPECT_OK(fd_close_); 40 EXPECT_OK(fd_dir_); 41 EXPECT_OK(fd_socket_); 42 EXPECT_OK(fd_tcp_socket_); 43 } 44 ~WithFiles() { 45 if (fd_tcp_socket_ >= 0) close(fd_tcp_socket_); 46 if (fd_socket_ >= 0) close(fd_socket_); 47 if (fd_dir_ >= 0) close(fd_dir_); 48 if (fd_close_ >= 0) close(fd_close_); 49 if (fd_file_ >= 0) close(fd_file_); 50 unlink(TmpFile("cap_capmode")); 51 } 52 protected: 53 int fd_file_; 54 int fd_close_; 55 int fd_dir_; 56 int fd_socket_; 57 int fd_tcp_socket_; 58 }; 59 60 FORK_TEST_F(WithFiles, DisallowedFileSyscalls) { 61 unsigned int mode = -1; 62 EXPECT_OK(cap_getmode(&mode)); 63 EXPECT_EQ(0, (int)mode); 64 EXPECT_OK(cap_enter()); // Enter capability mode. 65 EXPECT_OK(cap_getmode(&mode)); 66 EXPECT_EQ(1, (int)mode); 67 68 // System calls that are not permitted in capability mode. 69 EXPECT_CAPMODE(access(TmpFile("cap_capmode_access"), F_OK)); 70 EXPECT_CAPMODE(acct(TmpFile("cap_capmode_acct"))); 71 EXPECT_CAPMODE(chdir(TmpFile("cap_capmode_chdir"))); 72 #ifdef HAVE_CHFLAGS 73 EXPECT_CAPMODE(chflags(TmpFile("cap_capmode_chflags"), UF_NODUMP)); 74 #endif 75 EXPECT_CAPMODE(chmod(TmpFile("cap_capmode_chmod"), 0644)); 76 EXPECT_CAPMODE(chown(TmpFile("cap_capmode_chown"), -1, -1)); 77 EXPECT_CAPMODE(chroot(TmpFile("cap_capmode_chroot"))); 78 EXPECT_CAPMODE(creat(TmpFile("cap_capmode_creat"), 0644)); 79 EXPECT_CAPMODE(fchdir(fd_dir_)); 80 #ifdef HAVE_GETFSSTAT 81 struct statfs statfs; 82 EXPECT_CAPMODE(getfsstat(&statfs, sizeof(statfs), MNT_NOWAIT)); 83 #endif 84 EXPECT_CAPMODE(link(TmpFile("foo"), TmpFile("bar"))); 85 struct stat sb; 86 EXPECT_CAPMODE(lstat(TmpFile("cap_capmode_lstat"), &sb)); 87 EXPECT_CAPMODE(mknod(TmpFile("capmode_mknod"), 0644 | S_IFIFO, 0)); 88 EXPECT_CAPMODE(bogus_mount_()); 89 EXPECT_CAPMODE(open("/dev/null", O_RDWR)); 90 char buf[64]; 91 EXPECT_CAPMODE(readlink(TmpFile("cap_capmode_readlink"), buf, sizeof(buf))); 92 #ifdef HAVE_REVOKE 93 EXPECT_CAPMODE(revoke(TmpFile("cap_capmode_revoke"))); 94 #endif 95 EXPECT_CAPMODE(stat(TmpFile("cap_capmode_stat"), &sb)); 96 EXPECT_CAPMODE(symlink(TmpFile("cap_capmode_symlink_from"), TmpFile("cap_capmode_symlink_to"))); 97 EXPECT_CAPMODE(unlink(TmpFile("cap_capmode_unlink"))); 98 EXPECT_CAPMODE(umount2("/not_mounted", 0)); 99 } 100 101 FORK_TEST_F(WithFiles, DisallowedSocketSyscalls) { 102 EXPECT_OK(cap_enter()); // Enter capability mode. 103 104 // System calls that are not permitted in capability mode. 105 struct sockaddr_in addr; 106 addr.sin_family = AF_INET; 107 addr.sin_port = 0; 108 addr.sin_addr.s_addr = htonl(INADDR_ANY); 109 EXPECT_CAPMODE(bind_(fd_socket_, (sockaddr*)&addr, sizeof(addr))); 110 addr.sin_family = AF_INET; 111 addr.sin_port = 53; 112 addr.sin_addr.s_addr = htonl(0x08080808); 113 EXPECT_CAPMODE(connect_(fd_tcp_socket_, (sockaddr*)&addr, sizeof(addr))); 114 } 115 116 FORK_TEST_F(WithFiles, AllowedFileSyscalls) { 117 int rc; 118 EXPECT_OK(cap_enter()); // Enter capability mode. 119 120 EXPECT_OK(close(fd_close_)); 121 fd_close_ = -1; 122 int fd_dup = dup(fd_file_); 123 EXPECT_OK(fd_dup); 124 EXPECT_OK(dup2(fd_file_, fd_dup)); 125 #ifdef HAVE_DUP3 126 EXPECT_OK(dup3(fd_file_, fd_dup, 0)); 127 #endif 128 if (fd_dup >= 0) close(fd_dup); 129 130 struct stat sb; 131 EXPECT_OK(fstat(fd_file_, &sb)); 132 EXPECT_OK(lseek(fd_file_, 0, SEEK_SET)); 133 char ch; 134 EXPECT_OK(read(fd_file_, &ch, sizeof(ch))); 135 EXPECT_OK(write(fd_file_, &ch, sizeof(ch))); 136 137 #ifdef HAVE_CHFLAGS 138 rc = fchflags(fd_file_, UF_NODUMP); 139 if (rc < 0) { 140 EXPECT_NE(ECAPMODE, errno); 141 } 142 #endif 143 144 char buf[1024]; 145 rc = getdents_(fd_dir_, (void*)buf, sizeof(buf)); 146 EXPECT_OK(rc); 147 148 char data[] = "123"; 149 EXPECT_OK(pwrite(fd_file_, data, 1, 0)); 150 EXPECT_OK(pread(fd_file_, data, 1, 0)); 151 152 struct iovec io; 153 io.iov_base = data; 154 io.iov_len = 2; 155 #if !defined(__i386__) && !defined(__linux__) 156 // TODO(drysdale): reinstate these tests for 32-bit runs when possible 157 // libc bug is fixed. 158 EXPECT_OK(pwritev(fd_file_, &io, 1, 0)); 159 EXPECT_OK(preadv(fd_file_, &io, 1, 0)); 160 #endif 161 EXPECT_OK(writev(fd_file_, &io, 1)); 162 EXPECT_OK(readv(fd_file_, &io, 1)); 163 164 #ifdef HAVE_SYNCFS 165 EXPECT_OK(syncfs(fd_file_)); 166 #endif 167 #ifdef HAVE_SYNC_FILE_RANGE 168 EXPECT_OK(sync_file_range(fd_file_, 0, 1, 0)); 169 #endif 170 #ifdef HAVE_READAHEAD 171 if (!tmpdir_on_tmpfs) { // tmpfs doesn't support readahead(2) 172 EXPECT_OK(readahead(fd_file_, 0, 1)); 173 } 174 #endif 175 } 176 177 FORK_TEST_F(WithFiles, AllowedSocketSyscalls) { 178 EXPECT_OK(cap_enter()); // Enter capability mode. 179 180 // recvfrom() either returns -1 with EAGAIN, or 0. 181 int rc = recvfrom(fd_socket_, NULL, 0, MSG_DONTWAIT, NULL, NULL); 182 if (rc < 0) { 183 EXPECT_EQ(EAGAIN, errno); 184 } 185 char ch; 186 EXPECT_OK(write(fd_file_, &ch, sizeof(ch))); 187 188 // These calls will fail for lack of e.g. a proper name to send to, 189 // but they are allowed in capability mode, so errno != ECAPMODE. 190 EXPECT_FAIL_NOT_CAPMODE(accept(fd_socket_, NULL, NULL)); 191 EXPECT_FAIL_NOT_CAPMODE(getpeername(fd_socket_, NULL, NULL)); 192 EXPECT_FAIL_NOT_CAPMODE(getsockname(fd_socket_, NULL, NULL)); 193 EXPECT_FAIL_NOT_CAPMODE(recvmsg(fd_socket_, NULL, 0)); 194 EXPECT_FAIL_NOT_CAPMODE(sendmsg(fd_socket_, NULL, 0)); 195 EXPECT_FAIL_NOT_CAPMODE(sendto(fd_socket_, NULL, 0, 0, NULL, 0)); 196 off_t offset = 0; 197 EXPECT_FAIL_NOT_CAPMODE(sendfile_(fd_socket_, fd_file_, &offset, 1)); 198 199 // The socket/socketpair syscalls are allowed, but they don't give 200 // anything externally useful (can't call bind/connect on them). 201 int fd_socket2 = socket(PF_INET, SOCK_DGRAM, 0); 202 EXPECT_OK(fd_socket2); 203 if (fd_socket2 >= 0) close(fd_socket2); 204 int fd_pair[2] = {-1, -1}; 205 EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, fd_pair)); 206 if (fd_pair[0] >= 0) close(fd_pair[0]); 207 if (fd_pair[1] >= 0) close(fd_pair[1]); 208 } 209 210 FORK_TEST_F(WithFiles, AllowedSocketSyscallsIfRoot) { 211 GTEST_SKIP_IF_NOT_ROOT(); 212 213 EXPECT_OK(cap_enter()); // Enter capability mode. 214 215 // Creation of raw sockets is not permitted in capability mode. 216 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, 0)); 217 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)); 218 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, IPPROTO_TCP)); 219 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, IPPROTO_UDP)); 220 221 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_ICMP)); 222 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6)); 223 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_TCP)); 224 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_UDP)); 225 226 EXPECT_CAPMODE(socket(AF_ROUTE, SOCK_RAW, 0)); 227 228 // Interface configuration ioctls are not permitted in capability 229 // mode. 230 // 231 // This test is disabled for now as the corresponding kernel change was 232 // disabled. 233 #if 0 234 #ifdef __FreeBSD__ 235 struct if_clonereq req; 236 237 req.ifcr_total = 0; 238 req.ifcr_count = 1; 239 req.ifcr_buffer = static_cast<char *>(malloc(IFNAMSIZ)); 240 241 EXPECT_CAPMODE(ioctl(fd_socket_, SIOCIFGCLONERS, &req)); 242 243 free(req.ifcr_buffer); 244 #endif 245 #endif 246 } 247 248 #ifdef HAVE_SEND_RECV_MMSG 249 FORK_TEST(Capmode, AllowedMmsgSendRecv) { 250 int fd_socket = socket(PF_INET, SOCK_DGRAM, 0); 251 252 struct sockaddr_in addr; 253 addr.sin_family = AF_INET; 254 addr.sin_port = htons(0); 255 addr.sin_addr.s_addr = htonl(INADDR_ANY); 256 EXPECT_OK(bind(fd_socket, (sockaddr*)&addr, sizeof(addr))); 257 258 EXPECT_OK(cap_enter()); // Enter capability mode. 259 260 char buffer[256] = {0}; 261 struct iovec iov; 262 iov.iov_base = buffer; 263 iov.iov_len = sizeof(buffer); 264 struct mmsghdr mm; 265 memset(&mm, 0, sizeof(mm)); 266 mm.msg_hdr.msg_iov = &iov; 267 mm.msg_hdr.msg_iovlen = 1; 268 struct timespec ts; 269 ts.tv_sec = 1; 270 ts.tv_nsec = 100; 271 EXPECT_FAIL_NOT_CAPMODE(recvmmsg(fd_socket, &mm, 1, MSG_DONTWAIT, &ts)); 272 EXPECT_FAIL_NOT_CAPMODE(sendmmsg(fd_socket, &mm, 1, 0)); 273 close(fd_socket); 274 } 275 #endif 276 277 FORK_TEST(Capmode, AllowedIdentifierSyscalls) { 278 // Record some identifiers 279 gid_t my_gid = getgid(); 280 pid_t my_pid = getpid(); 281 pid_t my_ppid = getppid(); 282 uid_t my_uid = getuid(); 283 pid_t my_sid = getsid(my_pid); 284 285 EXPECT_OK(cap_enter()); // Enter capability mode. 286 287 EXPECT_EQ(my_gid, getegid_()); 288 EXPECT_EQ(my_uid, geteuid_()); 289 EXPECT_EQ(my_gid, getgid_()); 290 EXPECT_EQ(my_pid, getpid()); 291 EXPECT_EQ(my_ppid, getppid()); 292 EXPECT_EQ(my_uid, getuid_()); 293 EXPECT_EQ(my_sid, getsid(my_pid)); 294 gid_t grps[128]; 295 EXPECT_OK(getgroups_(128, grps)); 296 uid_t ruid; 297 uid_t euid; 298 uid_t suid; 299 EXPECT_OK(getresuid(&ruid, &euid, &suid)); 300 gid_t rgid; 301 gid_t egid; 302 gid_t sgid; 303 EXPECT_OK(getresgid(&rgid, &egid, &sgid)); 304 #ifdef HAVE_GETLOGIN 305 EXPECT_TRUE(getlogin() != NULL); 306 #endif 307 308 // Set various identifiers (to their existing values). 309 EXPECT_OK(setgid(my_gid)); 310 #ifdef HAVE_SETFSGID 311 EXPECT_OK(setfsgid(my_gid)); 312 #endif 313 EXPECT_OK(setuid(my_uid)); 314 #ifdef HAVE_SETFSUID 315 EXPECT_OK(setfsuid(my_uid)); 316 #endif 317 EXPECT_OK(setregid(my_gid, my_gid)); 318 EXPECT_OK(setresgid(my_gid, my_gid, my_gid)); 319 EXPECT_OK(setreuid(my_uid, my_uid)); 320 EXPECT_OK(setresuid(my_uid, my_uid, my_uid)); 321 EXPECT_OK(setsid()); 322 } 323 324 FORK_TEST(Capmode, AllowedSchedSyscalls) { 325 EXPECT_OK(cap_enter()); // Enter capability mode. 326 int policy = sched_getscheduler(0); 327 EXPECT_OK(policy); 328 struct sched_param sp; 329 EXPECT_OK(sched_getparam(0, &sp)); 330 if (policy >= 0 && (!SCHED_SETSCHEDULER_REQUIRES_ROOT || getuid() == 0)) { 331 EXPECT_OK(sched_setscheduler(0, policy, &sp)); 332 } 333 EXPECT_OK(sched_setparam(0, &sp)); 334 EXPECT_OK(sched_get_priority_max(policy)); 335 EXPECT_OK(sched_get_priority_min(policy)); 336 struct timespec ts; 337 EXPECT_OK(sched_rr_get_interval(0, &ts)); 338 EXPECT_OK(sched_yield()); 339 } 340 341 342 FORK_TEST(Capmode, AllowedTimerSyscalls) { 343 EXPECT_OK(cap_enter()); // Enter capability mode. 344 struct timespec ts; 345 EXPECT_OK(clock_getres(CLOCK_REALTIME, &ts)); 346 EXPECT_OK(clock_gettime(CLOCK_REALTIME, &ts)); 347 struct itimerval itv; 348 EXPECT_OK(getitimer(ITIMER_REAL, &itv)); 349 EXPECT_OK(setitimer(ITIMER_REAL, &itv, NULL)); 350 struct timeval tv; 351 struct timezone tz; 352 EXPECT_OK(gettimeofday(&tv, &tz)); 353 ts.tv_sec = 0; 354 ts.tv_nsec = 1; 355 EXPECT_OK(nanosleep(&ts, NULL)); 356 } 357 358 359 FORK_TEST(Capmode, AllowedProfilSyscall) { 360 EXPECT_OK(cap_enter()); // Enter capability mode. 361 char sbuf[32]; 362 EXPECT_OK(profil((profil_arg1_t*)sbuf, sizeof(sbuf), 0, 1)); 363 } 364 365 366 FORK_TEST(Capmode, AllowedResourceSyscalls) { 367 EXPECT_OK(cap_enter()); // Enter capability mode. 368 errno = 0; 369 int rc = getpriority(PRIO_PROCESS, 0); 370 EXPECT_EQ(0, errno); 371 EXPECT_OK(setpriority(PRIO_PROCESS, 0, rc)); 372 struct rlimit rlim; 373 EXPECT_OK(getrlimit_(RLIMIT_CORE, &rlim)); 374 EXPECT_OK(setrlimit(RLIMIT_CORE, &rlim)); 375 struct rusage ruse; 376 EXPECT_OK(getrusage(RUSAGE_SELF, &ruse)); 377 } 378 379 FORK_TEST(CapMode, AllowedMmapSyscalls) { 380 // mmap() some memory. 381 size_t mem_size = getpagesize(); 382 void *mem = mmap(NULL, mem_size, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0); 383 EXPECT_TRUE(mem != NULL); 384 EXPECT_OK(cap_enter()); // Enter capability mode. 385 386 EXPECT_OK(msync(mem, mem_size, MS_ASYNC)); 387 EXPECT_OK(madvise(mem, mem_size, MADV_NORMAL)); 388 unsigned char vec[2]; 389 EXPECT_OK(mincore_(mem, mem_size, vec)); 390 EXPECT_OK(mprotect(mem, mem_size, PROT_READ|PROT_WRITE)); 391 392 if (!MLOCK_REQUIRES_ROOT || getuid() == 0) { 393 EXPECT_OK(mlock(mem, mem_size)); 394 EXPECT_OK(munlock(mem, mem_size)); 395 int rc = mlockall(MCL_CURRENT); 396 if (rc != 0) { 397 // mlockall may well fail with ENOMEM for non-root users, as the 398 // default RLIMIT_MEMLOCK value isn't that big. 399 EXPECT_NE(ECAPMODE, errno); 400 } 401 EXPECT_OK(munlockall()); 402 } 403 // Unmap the memory. 404 EXPECT_OK(munmap(mem, mem_size)); 405 } 406 407 FORK_TEST(Capmode, AllowedPipeSyscalls) { 408 EXPECT_OK(cap_enter()); // Enter capability mode 409 int fd2[2]; 410 int rc = pipe(fd2); 411 EXPECT_EQ(0, rc); 412 413 #ifdef HAVE_VMSPLICE 414 char buf[11] = "0123456789"; 415 struct iovec iov; 416 iov.iov_base = buf; 417 iov.iov_len = sizeof(buf); 418 EXPECT_FAIL_NOT_CAPMODE(vmsplice(fd2[0], &iov, 1, SPLICE_F_NONBLOCK)); 419 #endif 420 421 if (rc == 0) { 422 close(fd2[0]); 423 close(fd2[1]); 424 }; 425 #ifdef HAVE_PIPE2 426 rc = pipe2(fd2, 0); 427 EXPECT_EQ(0, rc); 428 if (rc == 0) { 429 close(fd2[0]); 430 close(fd2[1]); 431 }; 432 #endif 433 } 434 435 TEST(Capmode, AllowedAtSyscalls) { 436 int rc = mkdir(TmpFile("cap_at_syscalls"), 0755); 437 EXPECT_OK(rc); 438 if (rc < 0 && errno != EEXIST) return; 439 int dfd = open(TmpFile("cap_at_syscalls"), O_RDONLY); 440 EXPECT_OK(dfd); 441 442 int file = openat(dfd, "testfile", O_RDONLY|O_CREAT, 0644); 443 EXPECT_OK(file); 444 EXPECT_OK(close(file)); 445 446 447 pid_t child = fork(); 448 if (child == 0) { 449 // Child: enter cap mode and run tests 450 EXPECT_OK(cap_enter()); // Enter capability mode 451 452 struct stat fs; 453 EXPECT_OK(fstatat(dfd, "testfile", &fs, 0)); 454 EXPECT_OK(mkdirat(dfd, "subdir", 0600)); 455 EXPECT_OK(fchmodat(dfd, "subdir", 0644, 0)); 456 EXPECT_OK(faccessat(dfd, "subdir", F_OK, 0)); 457 EXPECT_OK(renameat(dfd, "subdir", dfd, "subdir2")); 458 EXPECT_OK(renameat(dfd, "subdir2", dfd, "subdir")); 459 struct timeval tv[2]; 460 struct timezone tz; 461 EXPECT_OK(gettimeofday(&tv[0], &tz)); 462 EXPECT_OK(gettimeofday(&tv[1], &tz)); 463 EXPECT_OK(futimesat(dfd, "testfile", tv)); 464 465 EXPECT_OK(fchownat(dfd, "testfile", fs.st_uid, fs.st_gid, 0)); 466 EXPECT_OK(linkat(dfd, "testfile", dfd, "linky", 0)); 467 EXPECT_OK(symlinkat("testfile", dfd, "symlink")); 468 char buffer[256]; 469 EXPECT_OK(readlinkat(dfd, "symlink", buffer, sizeof(buffer))); 470 EXPECT_OK(unlinkat(dfd, "linky", 0)); 471 EXPECT_OK(unlinkat(dfd, "subdir", AT_REMOVEDIR)); 472 473 // Check that invalid requests get a non-Capsicum errno. 474 errno = 0; 475 rc = readlinkat(-1, "symlink", buffer, sizeof(buffer)); 476 EXPECT_GE(0, rc); 477 EXPECT_NE(ECAPMODE, errno); 478 479 exit(HasFailure()); 480 } 481 482 // Wait for the child. 483 int status; 484 EXPECT_EQ(child, waitpid(child, &status, 0)); 485 rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1; 486 EXPECT_EQ(0, rc); 487 488 // Tidy up. 489 close(dfd); 490 rmdir(TmpFile("cap_at_syscalls/subdir")); 491 unlink(TmpFile("cap_at_syscalls/symlink")); 492 unlink(TmpFile("cap_at_syscalls/linky")); 493 unlink(TmpFile("cap_at_syscalls/testfile")); 494 rmdir(TmpFile("cap_at_syscalls")); 495 } 496 497 TEST(Capmode, AllowedAtSyscallsCwd) { 498 int rc = mkdir(TmpFile("cap_at_syscalls_cwd"), 0755); 499 EXPECT_OK(rc); 500 if (rc < 0 && errno != EEXIST) return; 501 int dfd = open(TmpFile("cap_at_syscalls_cwd"), O_RDONLY); 502 EXPECT_OK(dfd); 503 504 int file = openat(dfd, "testfile", O_RDONLY|O_CREAT, 0644); 505 EXPECT_OK(file); 506 EXPECT_OK(close(file)); 507 508 pid_t child = fork(); 509 if (child == 0) { 510 // Child: move into temp dir, enter cap mode and run tests 511 EXPECT_OK(fchdir(dfd)); 512 EXPECT_OK(cap_enter()); // Enter capability mode 513 514 // Test that *at(AT_FDCWD, path,...) is policed with ECAPMODE. 515 EXPECT_CAPMODE(openat(AT_FDCWD, "testfile", O_RDONLY)); 516 struct stat fs; 517 EXPECT_CAPMODE(fstatat(AT_FDCWD, "testfile", &fs, 0)); 518 EXPECT_CAPMODE(mkdirat(AT_FDCWD, "subdir", 0600)); 519 EXPECT_CAPMODE(fchmodat(AT_FDCWD, "subdir", 0644, 0)); 520 EXPECT_CAPMODE(faccessat(AT_FDCWD, "subdir", F_OK, 0)); 521 EXPECT_CAPMODE(renameat(AT_FDCWD, "subdir", AT_FDCWD, "subdir2")); 522 EXPECT_CAPMODE(renameat(AT_FDCWD, "subdir2", AT_FDCWD, "subdir")); 523 struct timeval tv[2]; 524 struct timezone tz; 525 EXPECT_OK(gettimeofday(&tv[0], &tz)); 526 EXPECT_OK(gettimeofday(&tv[1], &tz)); 527 EXPECT_CAPMODE(futimesat(AT_FDCWD, "testfile", tv)); 528 529 EXPECT_CAPMODE(fchownat(AT_FDCWD, "testfile", fs.st_uid, fs.st_gid, 0)); 530 EXPECT_CAPMODE(linkat(AT_FDCWD, "testfile", AT_FDCWD, "linky", 0)); 531 EXPECT_CAPMODE(symlinkat("testfile", AT_FDCWD, "symlink")); 532 char buffer[256]; 533 EXPECT_CAPMODE(readlinkat(AT_FDCWD, "symlink", buffer, sizeof(buffer))); 534 EXPECT_CAPMODE(unlinkat(AT_FDCWD, "linky", 0)); 535 536 exit(HasFailure()); 537 } 538 539 // Wait for the child. 540 int status; 541 EXPECT_EQ(child, waitpid(child, &status, 0)); 542 rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1; 543 EXPECT_EQ(0, rc); 544 545 // Tidy up. 546 close(dfd); 547 rmdir(TmpFile("cap_at_syscalls_cwd/subdir")); 548 unlink(TmpFile("cap_at_syscalls_cwd/symlink")); 549 unlink(TmpFile("cap_at_syscalls_cwd/linky")); 550 unlink(TmpFile("cap_at_syscalls_cwd/testfile")); 551 rmdir(TmpFile("cap_at_syscalls_cwd")); 552 } 553 554 TEST(Capmode, Abort) { 555 // Check that abort(3) works even in capability mode. 556 pid_t child = fork(); 557 if (child == 0) { 558 // Child: enter capability mode and call abort(3). 559 // Triggers something like kill(getpid(), SIGABRT). 560 cap_enter(); // Enter capability mode. 561 abort(); 562 exit(99); 563 } 564 int status; 565 EXPECT_EQ(child, waitpid(child, &status, 0)); 566 EXPECT_TRUE(WIFSIGNALED(status)) << " status = " << std::hex << status; 567 EXPECT_EQ(SIGABRT, WTERMSIG(status)) << " status = " << std::hex << status; 568 } 569 570 FORK_TEST_F(WithFiles, AllowedMiscSyscalls) { 571 umask(022); 572 mode_t um_before = umask(022); 573 int pipefds[2]; 574 EXPECT_OK(pipe(pipefds)); 575 EXPECT_OK(cap_enter()); // Enter capability mode. 576 577 mode_t um = umask(022); 578 EXPECT_NE(-ECAPMODE, (int)um); 579 EXPECT_EQ(um_before, um); 580 stack_t ss; 581 EXPECT_OK(sigaltstack(NULL, &ss)); 582 583 // Finally, tests for system calls that don't fit the pattern very well. 584 pid_t pid = fork(); 585 EXPECT_OK(pid); 586 if (pid == 0) { 587 // Child: wait for an exit message from parent (so we can test waitpid). 588 EXPECT_OK(close(pipefds[0])); 589 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 590 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 591 exit(0); 592 } else if (pid > 0) { 593 EXPECT_OK(close(pipefds[1])); 594 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 595 errno = 0; 596 EXPECT_CAPMODE(ptrace_(PTRACE_PEEKDATA_, pid, &pid, NULL)); 597 SEND_INT_MESSAGE(pipefds[0], MSG_PARENT_REQUEST_CHILD_EXIT); 598 if (verbose) fprintf(stderr, " child finished\n"); 599 } 600 601 // No error return from sync(2) to test, but check errno remains unset. 602 errno = 0; 603 sync(); 604 EXPECT_EQ(0, errno); 605 606 // TODO(FreeBSD): ktrace 607 608 #ifdef HAVE_SYSARCH 609 // sysarch() is, by definition, architecture-dependent 610 #if defined (__amd64__) || defined (__i386__) 611 long sysarch_arg = 0; 612 EXPECT_CAPMODE(sysarch(I386_SET_IOPERM, &sysarch_arg)); 613 #else 614 // TOOD(jra): write a test for other architectures, like arm 615 #endif 616 #endif 617 } 618 619 void *thread_fn(void *p) { 620 int fd = (int)(intptr_t)p; 621 if (verbose) fprintf(stderr, " thread waiting to run\n"); 622 AWAIT_INT_MESSAGE(fd, MSG_PARENT_CHILD_SHOULD_RUN); 623 EXPECT_OK(getpid_()); 624 EXPECT_CAPMODE(open("/dev/null", O_RDWR)); 625 // Return whether there have been any failures to the main thread. 626 void *rval = (void *)(intptr_t)testing::Test::HasFailure(); 627 if (verbose) fprintf(stderr, " thread finished: %p\n", rval); 628 return rval; 629 } 630 631 // Check that restrictions are the same in subprocesses and threads 632 FORK_TEST(Capmode, NewThread) { 633 // Fire off a new thread before entering capability mode 634 pthread_t early_thread; 635 void *thread_rval; 636 // Create two pipes, one for synchronization with the threads, the other to 637 // synchronize with the children (since we can't use waitpid after cap_enter). 638 // Note: Could use pdfork+pdwait instead, but that is tested in procdesc.cc. 639 int thread_pipe[2]; 640 EXPECT_OK(pipe(thread_pipe)); 641 int proc_pipe[2]; 642 EXPECT_OK(pipe(proc_pipe)); 643 EXPECT_OK(pthread_create(&early_thread, NULL, thread_fn, 644 (void *)(intptr_t)thread_pipe[1])); 645 646 // Fire off a new process before entering capability mode. 647 if (verbose) fprintf(stderr, " starting second child (non-capability mode)\n"); 648 int early_child = fork(); 649 EXPECT_OK(early_child); 650 if (early_child == 0) { 651 if (verbose) fprintf(stderr, " first child started\n"); 652 EXPECT_OK(close(proc_pipe[0])); 653 // Child: wait and then confirm this process is unaffected by capability mode in the parent. 654 AWAIT_INT_MESSAGE(proc_pipe[1], MSG_PARENT_CHILD_SHOULD_RUN); 655 int fd = open("/dev/null", O_RDWR); 656 EXPECT_OK(fd); 657 close(fd); 658 // Notify the parent of success/failure. 659 int rval = (int)testing::Test::HasFailure(); 660 SEND_INT_MESSAGE(proc_pipe[1], rval); 661 if (verbose) fprintf(stderr, " first child finished: %d\n", rval); 662 exit(rval); 663 } 664 665 EXPECT_OK(cap_enter()); // Enter capability mode. 666 // At this point the current process has both a child process and a 667 // child thread that were created before entering capability mode. 668 // - The child process is unaffected by capability mode. 669 // - The child thread is affected by capability mode. 670 SEND_INT_MESSAGE(proc_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN); 671 672 // Do an allowed syscall. 673 EXPECT_OK(getpid_()); 674 // Wait for the first child to exit (should get a zero exit code message). 675 AWAIT_INT_MESSAGE(proc_pipe[0], 0); 676 677 // The child processes/threads return HasFailure(), so we depend on no prior errors. 678 ASSERT_FALSE(testing::Test::HasFailure()) 679 << "Cannot continue test with pre-existing failures."; 680 // Now that we're in capability mode, if we create a second child process 681 // it will be affected by capability mode. 682 if (verbose) fprintf(stderr, " starting second child (in capability mode)\n"); 683 int child = fork(); 684 EXPECT_OK(child); 685 if (child == 0) { 686 if (verbose) fprintf(stderr, " second child started\n"); 687 EXPECT_OK(close(proc_pipe[0])); 688 // Child: do an allowed and a disallowed syscall. 689 EXPECT_OK(getpid_()); 690 EXPECT_CAPMODE(open("/dev/null", O_RDWR)); 691 // Notify the parent of success/failure. 692 int rval = (int)testing::Test::HasFailure(); 693 SEND_INT_MESSAGE(proc_pipe[1], rval); 694 if (verbose) fprintf(stderr, " second child finished: %d\n", rval); 695 exit(rval); 696 } 697 // Now tell the early_started thread that it can run. We expect it to also 698 // be affected by capability mode since it's per-process not per-thread. 699 // Note: it is important that we don't allow the thread to run before fork(), 700 // since that could result in fork() being called while the thread holds one 701 // of the gtest-internal mutexes, so the child process deadlocks. 702 SEND_INT_MESSAGE(thread_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN); 703 // Wait for the early-started thread. 704 EXPECT_OK(pthread_join(early_thread, &thread_rval)); 705 EXPECT_FALSE((bool)(intptr_t)thread_rval) << "thread returned failure"; 706 707 // Wait for the second child to exit (should get a zero exit code message). 708 AWAIT_INT_MESSAGE(proc_pipe[0], 0); 709 710 // Fire off a new (second) child thread, which is also affected by capability mode. 711 ASSERT_FALSE(testing::Test::HasFailure()) 712 << "Cannot continue test with pre-existing failures."; 713 pthread_t child_thread; 714 EXPECT_OK(pthread_create(&child_thread, NULL, thread_fn, 715 (void *)(intptr_t)thread_pipe[1])); 716 SEND_INT_MESSAGE(thread_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN); 717 EXPECT_OK(pthread_join(child_thread, &thread_rval)); 718 EXPECT_FALSE((bool)(intptr_t)thread_rval) << "thread returned failure"; 719 720 // Fork a subprocess which fires off a new thread. 721 ASSERT_FALSE(testing::Test::HasFailure()) 722 << "Cannot continue test with pre-existing failures."; 723 if (verbose) fprintf(stderr, " starting third child (in capability mode)\n"); 724 child = fork(); 725 EXPECT_OK(child); 726 if (child == 0) { 727 if (verbose) fprintf(stderr, " third child started\n"); 728 EXPECT_OK(close(proc_pipe[0])); 729 pthread_t child_thread2; 730 EXPECT_OK(pthread_create(&child_thread2, NULL, thread_fn, 731 (void *)(intptr_t)thread_pipe[1])); 732 SEND_INT_MESSAGE(thread_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN); 733 EXPECT_OK(pthread_join(child_thread2, &thread_rval)); 734 EXPECT_FALSE((bool)(intptr_t)thread_rval) << "thread returned failure"; 735 // Notify the parent of success/failure. 736 int rval = (int)testing::Test::HasFailure(); 737 SEND_INT_MESSAGE(proc_pipe[1], rval); 738 if (verbose) fprintf(stderr, " third child finished: %d\n", rval); 739 exit(rval); 740 } 741 // Wait for the third child to exit (should get a zero exit code message). 742 AWAIT_INT_MESSAGE(proc_pipe[0], 0); 743 close(proc_pipe[0]); 744 close(proc_pipe[1]); 745 close(thread_pipe[0]); 746 close(thread_pipe[1]); 747 } 748 749 static volatile sig_atomic_t had_signal = 0; 750 static void handle_signal(int) { had_signal = 1; } 751 752 FORK_TEST(Capmode, SelfKill) { 753 pid_t me = getpid(); 754 sighandler_t original = signal(SIGUSR1, handle_signal); 755 756 pid_t child = fork(); 757 if (child == 0) { 758 // Child: sleep and exit 759 sleep(1); 760 exit(0); 761 } 762 763 EXPECT_OK(cap_enter()); // Enter capability mode. 764 765 // Can only kill(2) to own pid. 766 EXPECT_CAPMODE(kill(child, SIGUSR1)); 767 EXPECT_OK(kill(me, SIGUSR1)); 768 EXPECT_EQ(1, had_signal); 769 770 signal(SIGUSR1, original); 771 } 772