1b0d29bc4SBrooks Davis // Copyright 2014 The Kyua Authors.
2b0d29bc4SBrooks Davis // All rights reserved.
3b0d29bc4SBrooks Davis //
4b0d29bc4SBrooks Davis // Redistribution and use in source and binary forms, with or without
5b0d29bc4SBrooks Davis // modification, are permitted provided that the following conditions are
6b0d29bc4SBrooks Davis // met:
7b0d29bc4SBrooks Davis //
8b0d29bc4SBrooks Davis // * Redistributions of source code must retain the above copyright
9b0d29bc4SBrooks Davis // notice, this list of conditions and the following disclaimer.
10b0d29bc4SBrooks Davis // * Redistributions in binary form must reproduce the above copyright
11b0d29bc4SBrooks Davis // notice, this list of conditions and the following disclaimer in the
12b0d29bc4SBrooks Davis // documentation and/or other materials provided with the distribution.
13b0d29bc4SBrooks Davis // * Neither the name of Google Inc. nor the names of its contributors
14b0d29bc4SBrooks Davis // may be used to endorse or promote products derived from this software
15b0d29bc4SBrooks Davis // without specific prior written permission.
16b0d29bc4SBrooks Davis //
17b0d29bc4SBrooks Davis // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18b0d29bc4SBrooks Davis // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19b0d29bc4SBrooks Davis // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
20b0d29bc4SBrooks Davis // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
21b0d29bc4SBrooks Davis // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
22b0d29bc4SBrooks Davis // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
23b0d29bc4SBrooks Davis // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24b0d29bc4SBrooks Davis // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25b0d29bc4SBrooks Davis // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26b0d29bc4SBrooks Davis // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27b0d29bc4SBrooks Davis // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28b0d29bc4SBrooks Davis
29b0d29bc4SBrooks Davis #include "utils/process/isolation.hpp"
30b0d29bc4SBrooks Davis
31b0d29bc4SBrooks Davis extern "C" {
32b0d29bc4SBrooks Davis #include <sys/types.h>
33b0d29bc4SBrooks Davis #include <sys/resource.h>
34b0d29bc4SBrooks Davis #include <sys/stat.h>
35b0d29bc4SBrooks Davis
36b0d29bc4SBrooks Davis #include <unistd.h>
37b0d29bc4SBrooks Davis }
38b0d29bc4SBrooks Davis
39b0d29bc4SBrooks Davis #include <cerrno>
40b0d29bc4SBrooks Davis #include <cstdlib>
41b0d29bc4SBrooks Davis #include <fstream>
42b0d29bc4SBrooks Davis #include <iostream>
43b0d29bc4SBrooks Davis
44b0d29bc4SBrooks Davis #include <atf-c++.hpp>
45b0d29bc4SBrooks Davis
46b0d29bc4SBrooks Davis #include "utils/defs.hpp"
47b0d29bc4SBrooks Davis #include "utils/env.hpp"
48b0d29bc4SBrooks Davis #include "utils/format/macros.hpp"
49b0d29bc4SBrooks Davis #include "utils/fs/operations.hpp"
50b0d29bc4SBrooks Davis #include "utils/fs/path.hpp"
51b0d29bc4SBrooks Davis #include "utils/optional.ipp"
52b0d29bc4SBrooks Davis #include "utils/passwd.hpp"
53b0d29bc4SBrooks Davis #include "utils/process/child.ipp"
54b0d29bc4SBrooks Davis #include "utils/process/status.hpp"
55b0d29bc4SBrooks Davis #include "utils/sanity.hpp"
56b0d29bc4SBrooks Davis #include "utils/test_utils.ipp"
57b0d29bc4SBrooks Davis
58b0d29bc4SBrooks Davis namespace fs = utils::fs;
59b0d29bc4SBrooks Davis namespace passwd = utils::passwd;
60b0d29bc4SBrooks Davis namespace process = utils::process;
61b0d29bc4SBrooks Davis
62b0d29bc4SBrooks Davis using utils::none;
63b0d29bc4SBrooks Davis using utils::optional;
64b0d29bc4SBrooks Davis
65b0d29bc4SBrooks Davis
66b0d29bc4SBrooks Davis namespace {
67b0d29bc4SBrooks Davis
68b0d29bc4SBrooks Davis
69b0d29bc4SBrooks Davis /// Runs the given hook in a subprocess.
70b0d29bc4SBrooks Davis ///
71b0d29bc4SBrooks Davis /// \param hook The code to run in the subprocess.
72b0d29bc4SBrooks Davis ///
73b0d29bc4SBrooks Davis /// \return The status of the subprocess for further validation.
74b0d29bc4SBrooks Davis ///
75b0d29bc4SBrooks Davis /// \post The subprocess.stdout and subprocess.stderr files, created in the
76b0d29bc4SBrooks Davis /// current directory, contain the output of the subprocess.
77b0d29bc4SBrooks Davis template< typename Hook >
78b0d29bc4SBrooks Davis static process::status
fork_and_run(Hook hook)79b0d29bc4SBrooks Davis fork_and_run(Hook hook)
80b0d29bc4SBrooks Davis {
81*b392a90bSJohn Baldwin std::unique_ptr< process::child > child = process::child::fork_files(
82b0d29bc4SBrooks Davis hook, fs::path("subprocess.stdout"), fs::path("subprocess.stderr"));
83b0d29bc4SBrooks Davis const process::status status = child->wait();
84b0d29bc4SBrooks Davis
85b0d29bc4SBrooks Davis atf::utils::cat_file("subprocess.stdout", "isolated child stdout: ");
86b0d29bc4SBrooks Davis atf::utils::cat_file("subprocess.stderr", "isolated child stderr: ");
87b0d29bc4SBrooks Davis
88b0d29bc4SBrooks Davis return status;
89b0d29bc4SBrooks Davis }
90b0d29bc4SBrooks Davis
91b0d29bc4SBrooks Davis
92b0d29bc4SBrooks Davis /// Subprocess that validates the cleanliness of the environment.
93b0d29bc4SBrooks Davis ///
94b0d29bc4SBrooks Davis /// \post Exits with success if the environment is clean; failure otherwise.
95b0d29bc4SBrooks Davis static void
check_clean_environment(void)96b0d29bc4SBrooks Davis check_clean_environment(void)
97b0d29bc4SBrooks Davis {
98b0d29bc4SBrooks Davis fs::mkdir(fs::path("some-directory"), 0755);
99b0d29bc4SBrooks Davis process::isolate_child(none, fs::path("some-directory"));
100b0d29bc4SBrooks Davis
101b0d29bc4SBrooks Davis bool failed = false;
102b0d29bc4SBrooks Davis
103b0d29bc4SBrooks Davis const char* empty[] = { "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE",
104b0d29bc4SBrooks Davis "LC_MESSAGES", "LC_MONETARY", "LC_NUMERIC",
105b0d29bc4SBrooks Davis "LC_TIME", NULL };
106b0d29bc4SBrooks Davis const char** iter;
107b0d29bc4SBrooks Davis for (iter = empty; *iter != NULL; ++iter) {
108b0d29bc4SBrooks Davis if (utils::getenv(*iter)) {
109b0d29bc4SBrooks Davis failed = true;
110b0d29bc4SBrooks Davis std::cout << F("%s was not unset\n") % *iter;
111b0d29bc4SBrooks Davis }
112b0d29bc4SBrooks Davis }
113b0d29bc4SBrooks Davis
114b0d29bc4SBrooks Davis if (utils::getenv_with_default("HOME", "") != "some-directory") {
115b0d29bc4SBrooks Davis failed = true;
116b0d29bc4SBrooks Davis std::cout << "HOME was not set to the work directory\n";
117b0d29bc4SBrooks Davis }
118b0d29bc4SBrooks Davis
119b0d29bc4SBrooks Davis if (utils::getenv_with_default("TMPDIR", "") != "some-directory") {
120b0d29bc4SBrooks Davis failed = true;
121b0d29bc4SBrooks Davis std::cout << "TMPDIR was not set to the work directory\n";
122b0d29bc4SBrooks Davis }
123b0d29bc4SBrooks Davis
124b0d29bc4SBrooks Davis if (utils::getenv_with_default("TZ", "") != "UTC") {
125b0d29bc4SBrooks Davis failed = true;
126b0d29bc4SBrooks Davis std::cout << "TZ was not set to UTC\n";
127b0d29bc4SBrooks Davis }
128b0d29bc4SBrooks Davis
129b0d29bc4SBrooks Davis if (utils::getenv_with_default("LEAVE_ME_ALONE", "") != "kill-some-day") {
130b0d29bc4SBrooks Davis failed = true;
131b0d29bc4SBrooks Davis std::cout << "LEAVE_ME_ALONE was modified while it should not have "
132b0d29bc4SBrooks Davis "been\n";
133b0d29bc4SBrooks Davis }
134b0d29bc4SBrooks Davis
135b0d29bc4SBrooks Davis std::exit(failed ? EXIT_FAILURE : EXIT_SUCCESS);
136b0d29bc4SBrooks Davis }
137b0d29bc4SBrooks Davis
138b0d29bc4SBrooks Davis
139b0d29bc4SBrooks Davis /// Subprocess that checks if user privileges are dropped.
140b0d29bc4SBrooks Davis class check_drop_privileges {
141b0d29bc4SBrooks Davis /// The user to drop the privileges to.
142b0d29bc4SBrooks Davis const passwd::user _unprivileged_user;
143b0d29bc4SBrooks Davis
144b0d29bc4SBrooks Davis public:
145b0d29bc4SBrooks Davis /// Constructor.
146b0d29bc4SBrooks Davis ///
147b0d29bc4SBrooks Davis /// \param unprivileged_user The user to drop the privileges to.
check_drop_privileges(const passwd::user & unprivileged_user)148b0d29bc4SBrooks Davis check_drop_privileges(const passwd::user& unprivileged_user) :
149b0d29bc4SBrooks Davis _unprivileged_user(unprivileged_user)
150b0d29bc4SBrooks Davis {
151b0d29bc4SBrooks Davis }
152b0d29bc4SBrooks Davis
153b0d29bc4SBrooks Davis /// Body of the subprocess.
154b0d29bc4SBrooks Davis ///
155b0d29bc4SBrooks Davis /// \post Exits with success if the process has dropped privileges as
156b0d29bc4SBrooks Davis /// expected.
157b0d29bc4SBrooks Davis void
operator ()(void) const158b0d29bc4SBrooks Davis operator()(void) const
159b0d29bc4SBrooks Davis {
160b0d29bc4SBrooks Davis fs::mkdir(fs::path("subdir"), 0755);
161b0d29bc4SBrooks Davis process::isolate_child(utils::make_optional(_unprivileged_user),
162b0d29bc4SBrooks Davis fs::path("subdir"));
163b0d29bc4SBrooks Davis
164b0d29bc4SBrooks Davis if (::getuid() == 0) {
165b0d29bc4SBrooks Davis std::cout << "UID is still 0\n";
166b0d29bc4SBrooks Davis std::exit(EXIT_FAILURE);
167b0d29bc4SBrooks Davis }
168b0d29bc4SBrooks Davis
169b0d29bc4SBrooks Davis if (::getgid() == 0) {
170b0d29bc4SBrooks Davis std::cout << "GID is still 0\n";
171b0d29bc4SBrooks Davis std::exit(EXIT_FAILURE);
172b0d29bc4SBrooks Davis }
173b0d29bc4SBrooks Davis
174b0d29bc4SBrooks Davis ::gid_t groups[1];
175b0d29bc4SBrooks Davis if (::getgroups(1, groups) == -1) {
176b0d29bc4SBrooks Davis // Should only fail if we get more than one group notifying about
177b0d29bc4SBrooks Davis // not enough space in the groups variable to store the whole
178b0d29bc4SBrooks Davis // result.
179b0d29bc4SBrooks Davis INV(errno == EINVAL);
180b0d29bc4SBrooks Davis std::exit(EXIT_FAILURE);
181b0d29bc4SBrooks Davis }
182b0d29bc4SBrooks Davis if (groups[0] == 0) {
183b0d29bc4SBrooks Davis std::cout << "Primary group is still 0\n";
184b0d29bc4SBrooks Davis std::exit(EXIT_FAILURE);
185b0d29bc4SBrooks Davis }
186b0d29bc4SBrooks Davis
187b0d29bc4SBrooks Davis std::ofstream output("file.txt");
188b0d29bc4SBrooks Davis if (!output) {
189b0d29bc4SBrooks Davis std::cout << "Cannot write to isolated directory; owner not "
190b0d29bc4SBrooks Davis "changed?\n";
191b0d29bc4SBrooks Davis std::exit(EXIT_FAILURE);
192b0d29bc4SBrooks Davis }
193b0d29bc4SBrooks Davis
194b0d29bc4SBrooks Davis std::exit(EXIT_SUCCESS);
195b0d29bc4SBrooks Davis }
196b0d29bc4SBrooks Davis };
197b0d29bc4SBrooks Davis
198b0d29bc4SBrooks Davis
199b0d29bc4SBrooks Davis /// Subprocess that dumps core to validate core dumping abilities.
200b0d29bc4SBrooks Davis static void
check_enable_core_dumps(void)201b0d29bc4SBrooks Davis check_enable_core_dumps(void)
202b0d29bc4SBrooks Davis {
203b0d29bc4SBrooks Davis process::isolate_child(none, fs::path("."));
204b0d29bc4SBrooks Davis std::abort();
205b0d29bc4SBrooks Davis }
206b0d29bc4SBrooks Davis
207b0d29bc4SBrooks Davis
208b0d29bc4SBrooks Davis /// Subprocess that checks if the work directory is entered.
209b0d29bc4SBrooks Davis class check_enter_work_directory {
210b0d29bc4SBrooks Davis /// Directory to enter. May be releative.
211b0d29bc4SBrooks Davis const fs::path _directory;
212b0d29bc4SBrooks Davis
213b0d29bc4SBrooks Davis public:
214b0d29bc4SBrooks Davis /// Constructor.
215b0d29bc4SBrooks Davis ///
216b0d29bc4SBrooks Davis /// \param directory Directory to enter.
check_enter_work_directory(const fs::path & directory)217b0d29bc4SBrooks Davis check_enter_work_directory(const fs::path& directory) :
218b0d29bc4SBrooks Davis _directory(directory)
219b0d29bc4SBrooks Davis {
220b0d29bc4SBrooks Davis }
221b0d29bc4SBrooks Davis
222b0d29bc4SBrooks Davis /// Body of the subprocess.
223b0d29bc4SBrooks Davis ///
224b0d29bc4SBrooks Davis /// \post Exits with success if the process has entered the given work
225b0d29bc4SBrooks Davis /// directory; false otherwise.
226b0d29bc4SBrooks Davis void
operator ()(void) const227b0d29bc4SBrooks Davis operator()(void) const
228b0d29bc4SBrooks Davis {
229b0d29bc4SBrooks Davis const fs::path exp_subdir = fs::current_path() / _directory;
230b0d29bc4SBrooks Davis process::isolate_child(none, _directory);
231b0d29bc4SBrooks Davis std::exit(fs::current_path() == exp_subdir ?
232b0d29bc4SBrooks Davis EXIT_SUCCESS : EXIT_FAILURE);
233b0d29bc4SBrooks Davis }
234b0d29bc4SBrooks Davis };
235b0d29bc4SBrooks Davis
236b0d29bc4SBrooks Davis
237b0d29bc4SBrooks Davis /// Subprocess that validates that it owns a session.
238b0d29bc4SBrooks Davis ///
239b0d29bc4SBrooks Davis /// \post Exits with success if the process lives in its own session;
240b0d29bc4SBrooks Davis /// failure otherwise.
241b0d29bc4SBrooks Davis static void
check_new_session(void)242b0d29bc4SBrooks Davis check_new_session(void)
243b0d29bc4SBrooks Davis {
244b0d29bc4SBrooks Davis process::isolate_child(none, fs::path("."));
245b0d29bc4SBrooks Davis std::exit(::getsid(::getpid()) == ::getpid() ? EXIT_SUCCESS : EXIT_FAILURE);
246b0d29bc4SBrooks Davis }
247b0d29bc4SBrooks Davis
248b0d29bc4SBrooks Davis
249b0d29bc4SBrooks Davis /// Subprocess that validates the disconnection from any terminal.
250b0d29bc4SBrooks Davis ///
251b0d29bc4SBrooks Davis /// \post Exits with success if the environment is clean; failure otherwise.
252b0d29bc4SBrooks Davis static void
check_no_terminal(void)253b0d29bc4SBrooks Davis check_no_terminal(void)
254b0d29bc4SBrooks Davis {
255b0d29bc4SBrooks Davis process::isolate_child(none, fs::path("."));
256b0d29bc4SBrooks Davis
257b0d29bc4SBrooks Davis const char* const args[] = {
258b0d29bc4SBrooks Davis "/bin/sh",
259b0d29bc4SBrooks Davis "-i",
260b0d29bc4SBrooks Davis "-c",
261b0d29bc4SBrooks Davis "echo success",
262b0d29bc4SBrooks Davis NULL
263b0d29bc4SBrooks Davis };
264b0d29bc4SBrooks Davis ::execv("/bin/sh", UTILS_UNCONST(char*, args));
265b0d29bc4SBrooks Davis std::abort();
266b0d29bc4SBrooks Davis }
267b0d29bc4SBrooks Davis
268b0d29bc4SBrooks Davis
269b0d29bc4SBrooks Davis /// Subprocess that validates that it has become the leader of a process group.
270b0d29bc4SBrooks Davis ///
271b0d29bc4SBrooks Davis /// \post Exits with success if the process lives in its own process group;
272b0d29bc4SBrooks Davis /// failure otherwise.
273b0d29bc4SBrooks Davis static void
check_process_group(void)274b0d29bc4SBrooks Davis check_process_group(void)
275b0d29bc4SBrooks Davis {
276b0d29bc4SBrooks Davis process::isolate_child(none, fs::path("."));
277b0d29bc4SBrooks Davis std::exit(::getpgid(::getpid()) == ::getpid() ?
278b0d29bc4SBrooks Davis EXIT_SUCCESS : EXIT_FAILURE);
279b0d29bc4SBrooks Davis }
280b0d29bc4SBrooks Davis
281b0d29bc4SBrooks Davis
282b0d29bc4SBrooks Davis /// Subprocess that validates that the umask has been reset.
283b0d29bc4SBrooks Davis ///
284b0d29bc4SBrooks Davis /// \post Exits with success if the umask matches the expected value; failure
285b0d29bc4SBrooks Davis /// otherwise.
286b0d29bc4SBrooks Davis static void
check_umask(void)287b0d29bc4SBrooks Davis check_umask(void)
288b0d29bc4SBrooks Davis {
289b0d29bc4SBrooks Davis process::isolate_child(none, fs::path("."));
290b0d29bc4SBrooks Davis std::exit(::umask(0) == 0022 ? EXIT_SUCCESS : EXIT_FAILURE);
291b0d29bc4SBrooks Davis }
292b0d29bc4SBrooks Davis
293b0d29bc4SBrooks Davis
294b0d29bc4SBrooks Davis } // anonymous namespace
295b0d29bc4SBrooks Davis
296b0d29bc4SBrooks Davis
297b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_child__clean_environment);
ATF_TEST_CASE_BODY(isolate_child__clean_environment)298b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__clean_environment)
299b0d29bc4SBrooks Davis {
300b0d29bc4SBrooks Davis utils::setenv("HOME", "/non-existent/directory");
301b0d29bc4SBrooks Davis utils::setenv("TMPDIR", "/non-existent/directory");
302b0d29bc4SBrooks Davis utils::setenv("LANG", "C");
303b0d29bc4SBrooks Davis utils::setenv("LC_ALL", "C");
304b0d29bc4SBrooks Davis utils::setenv("LC_COLLATE", "C");
305b0d29bc4SBrooks Davis utils::setenv("LC_CTYPE", "C");
306b0d29bc4SBrooks Davis utils::setenv("LC_MESSAGES", "C");
307b0d29bc4SBrooks Davis utils::setenv("LC_MONETARY", "C");
308b0d29bc4SBrooks Davis utils::setenv("LC_NUMERIC", "C");
309b0d29bc4SBrooks Davis utils::setenv("LC_TIME", "C");
310b0d29bc4SBrooks Davis utils::setenv("LEAVE_ME_ALONE", "kill-some-day");
311b0d29bc4SBrooks Davis utils::setenv("TZ", "EST+5");
312b0d29bc4SBrooks Davis
313b0d29bc4SBrooks Davis const process::status status = fork_and_run(check_clean_environment);
314b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
315b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(EXIT_SUCCESS, status.exitstatus());
316b0d29bc4SBrooks Davis }
317b0d29bc4SBrooks Davis
318b0d29bc4SBrooks Davis
319b0d29bc4SBrooks Davis ATF_TEST_CASE(isolate_child__other_user_when_unprivileged);
ATF_TEST_CASE_HEAD(isolate_child__other_user_when_unprivileged)320b0d29bc4SBrooks Davis ATF_TEST_CASE_HEAD(isolate_child__other_user_when_unprivileged)
321b0d29bc4SBrooks Davis {
322b0d29bc4SBrooks Davis set_md_var("require.user", "unprivileged");
323b0d29bc4SBrooks Davis }
ATF_TEST_CASE_BODY(isolate_child__other_user_when_unprivileged)324b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__other_user_when_unprivileged)
325b0d29bc4SBrooks Davis {
326b0d29bc4SBrooks Davis const passwd::user user = passwd::current_user();
327b0d29bc4SBrooks Davis
328b0d29bc4SBrooks Davis passwd::user other_user = user;
329b0d29bc4SBrooks Davis other_user.uid += 1;
330b0d29bc4SBrooks Davis other_user.gid += 1;
331b0d29bc4SBrooks Davis process::isolate_child(utils::make_optional(other_user), fs::path("."));
332b0d29bc4SBrooks Davis
333b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(user.uid, ::getuid());
334b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(user.gid, ::getgid());
335b0d29bc4SBrooks Davis }
336b0d29bc4SBrooks Davis
337b0d29bc4SBrooks Davis
338b0d29bc4SBrooks Davis ATF_TEST_CASE(isolate_child__drop_privileges);
ATF_TEST_CASE_HEAD(isolate_child__drop_privileges)339b0d29bc4SBrooks Davis ATF_TEST_CASE_HEAD(isolate_child__drop_privileges)
340b0d29bc4SBrooks Davis {
341b0d29bc4SBrooks Davis set_md_var("require.config", "unprivileged-user");
342b0d29bc4SBrooks Davis set_md_var("require.user", "root");
343b0d29bc4SBrooks Davis }
ATF_TEST_CASE_BODY(isolate_child__drop_privileges)344b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__drop_privileges)
345b0d29bc4SBrooks Davis {
346b0d29bc4SBrooks Davis const passwd::user unprivileged_user = passwd::find_user_by_name(
347b0d29bc4SBrooks Davis get_config_var("unprivileged-user"));
348b0d29bc4SBrooks Davis
349b0d29bc4SBrooks Davis const process::status status = fork_and_run(check_drop_privileges(
350b0d29bc4SBrooks Davis unprivileged_user));
351b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
352b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(EXIT_SUCCESS, status.exitstatus());
353b0d29bc4SBrooks Davis }
354b0d29bc4SBrooks Davis
355b0d29bc4SBrooks Davis
356b0d29bc4SBrooks Davis ATF_TEST_CASE(isolate_child__drop_privileges_fail_uid);
ATF_TEST_CASE_HEAD(isolate_child__drop_privileges_fail_uid)357b0d29bc4SBrooks Davis ATF_TEST_CASE_HEAD(isolate_child__drop_privileges_fail_uid)
358b0d29bc4SBrooks Davis {
359b0d29bc4SBrooks Davis set_md_var("require.user", "unprivileged");
360b0d29bc4SBrooks Davis }
ATF_TEST_CASE_BODY(isolate_child__drop_privileges_fail_uid)361b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__drop_privileges_fail_uid)
362b0d29bc4SBrooks Davis {
363b0d29bc4SBrooks Davis // Fake the current user as root so that we bypass the protections in
364b0d29bc4SBrooks Davis // isolate_child that prevent us from attempting a user switch when we are
365b0d29bc4SBrooks Davis // not root. We do this so we can trigger the setuid failure.
366b0d29bc4SBrooks Davis passwd::user root = passwd::user("root", 0, 0);
367b0d29bc4SBrooks Davis ATF_REQUIRE(root.is_root());
368b0d29bc4SBrooks Davis passwd::set_current_user_for_testing(root);
369b0d29bc4SBrooks Davis
370b0d29bc4SBrooks Davis passwd::user unprivileged_user = passwd::current_user();
371b0d29bc4SBrooks Davis unprivileged_user.uid += 1;
372b0d29bc4SBrooks Davis
373b0d29bc4SBrooks Davis const process::status status = fork_and_run(check_drop_privileges(
374b0d29bc4SBrooks Davis unprivileged_user));
375b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
376b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(process::exit_isolation_failure, status.exitstatus());
377b0d29bc4SBrooks Davis ATF_REQUIRE(atf::utils::grep_file("(chown|setuid).*failed",
378b0d29bc4SBrooks Davis "subprocess.stderr"));
379b0d29bc4SBrooks Davis }
380b0d29bc4SBrooks Davis
381b0d29bc4SBrooks Davis
382b0d29bc4SBrooks Davis ATF_TEST_CASE(isolate_child__drop_privileges_fail_gid);
ATF_TEST_CASE_HEAD(isolate_child__drop_privileges_fail_gid)383b0d29bc4SBrooks Davis ATF_TEST_CASE_HEAD(isolate_child__drop_privileges_fail_gid)
384b0d29bc4SBrooks Davis {
385b0d29bc4SBrooks Davis set_md_var("require.user", "unprivileged");
386b0d29bc4SBrooks Davis }
ATF_TEST_CASE_BODY(isolate_child__drop_privileges_fail_gid)387b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__drop_privileges_fail_gid)
388b0d29bc4SBrooks Davis {
389b0d29bc4SBrooks Davis // Fake the current user as root so that we bypass the protections in
390b0d29bc4SBrooks Davis // isolate_child that prevent us from attempting a user switch when we are
391b0d29bc4SBrooks Davis // not root. We do this so we can trigger the setgid failure.
392b0d29bc4SBrooks Davis passwd::user root = passwd::user("root", 0, 0);
393b0d29bc4SBrooks Davis ATF_REQUIRE(root.is_root());
394b0d29bc4SBrooks Davis passwd::set_current_user_for_testing(root);
395b0d29bc4SBrooks Davis
396b0d29bc4SBrooks Davis passwd::user unprivileged_user = passwd::current_user();
397b0d29bc4SBrooks Davis unprivileged_user.gid += 1;
398b0d29bc4SBrooks Davis
399b0d29bc4SBrooks Davis const process::status status = fork_and_run(check_drop_privileges(
400b0d29bc4SBrooks Davis unprivileged_user));
401b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
402b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(process::exit_isolation_failure, status.exitstatus());
403b0d29bc4SBrooks Davis ATF_REQUIRE(atf::utils::grep_file("(chown|setgid).*failed",
404b0d29bc4SBrooks Davis "subprocess.stderr"));
405b0d29bc4SBrooks Davis }
406b0d29bc4SBrooks Davis
407b0d29bc4SBrooks Davis
408b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_child__enable_core_dumps);
ATF_TEST_CASE_BODY(isolate_child__enable_core_dumps)409b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__enable_core_dumps)
410b0d29bc4SBrooks Davis {
411b0d29bc4SBrooks Davis utils::require_run_coredump_tests(this);
412b0d29bc4SBrooks Davis
413b0d29bc4SBrooks Davis struct ::rlimit rl;
414b0d29bc4SBrooks Davis if (::getrlimit(RLIMIT_CORE, &rl) == -1)
415b0d29bc4SBrooks Davis fail("Failed to query the core size limit");
416b0d29bc4SBrooks Davis if (rl.rlim_cur == 0 || rl.rlim_max == 0)
417b0d29bc4SBrooks Davis skip("Maximum core size is zero; cannot run test");
418b0d29bc4SBrooks Davis rl.rlim_cur = 0;
419b0d29bc4SBrooks Davis if (::setrlimit(RLIMIT_CORE, &rl) == -1)
420b0d29bc4SBrooks Davis fail("Failed to lower the core size limit");
421b0d29bc4SBrooks Davis
422b0d29bc4SBrooks Davis const process::status status = fork_and_run(check_enable_core_dumps);
423b0d29bc4SBrooks Davis ATF_REQUIRE(status.signaled());
424b0d29bc4SBrooks Davis ATF_REQUIRE(status.coredump());
425b0d29bc4SBrooks Davis }
426b0d29bc4SBrooks Davis
427b0d29bc4SBrooks Davis
428b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_child__enter_work_directory);
ATF_TEST_CASE_BODY(isolate_child__enter_work_directory)429b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__enter_work_directory)
430b0d29bc4SBrooks Davis {
431b0d29bc4SBrooks Davis const fs::path directory("some/sub/directory");
432b0d29bc4SBrooks Davis fs::mkdir_p(directory, 0755);
433b0d29bc4SBrooks Davis const process::status status = fork_and_run(
434b0d29bc4SBrooks Davis check_enter_work_directory(directory));
435b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
436b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(EXIT_SUCCESS, status.exitstatus());
437b0d29bc4SBrooks Davis }
438b0d29bc4SBrooks Davis
439b0d29bc4SBrooks Davis
440b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_child__enter_work_directory_failure);
ATF_TEST_CASE_BODY(isolate_child__enter_work_directory_failure)441b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__enter_work_directory_failure)
442b0d29bc4SBrooks Davis {
443b0d29bc4SBrooks Davis const fs::path directory("some/sub/directory");
444b0d29bc4SBrooks Davis const process::status status = fork_and_run(
445b0d29bc4SBrooks Davis check_enter_work_directory(directory));
446b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
447b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(process::exit_isolation_failure, status.exitstatus());
448b0d29bc4SBrooks Davis ATF_REQUIRE(atf::utils::grep_file("chdir\\(some/sub/directory\\) failed",
449b0d29bc4SBrooks Davis "subprocess.stderr"));
450b0d29bc4SBrooks Davis }
451b0d29bc4SBrooks Davis
452b0d29bc4SBrooks Davis
453b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_child__new_session);
ATF_TEST_CASE_BODY(isolate_child__new_session)454b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__new_session)
455b0d29bc4SBrooks Davis {
456b0d29bc4SBrooks Davis const process::status status = fork_and_run(check_new_session);
457b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
458b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(EXIT_SUCCESS, status.exitstatus());
459b0d29bc4SBrooks Davis }
460b0d29bc4SBrooks Davis
461b0d29bc4SBrooks Davis
462b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_child__no_terminal);
ATF_TEST_CASE_BODY(isolate_child__no_terminal)463b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__no_terminal)
464b0d29bc4SBrooks Davis {
465b0d29bc4SBrooks Davis const process::status status = fork_and_run(check_no_terminal);
466b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
467b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(EXIT_SUCCESS, status.exitstatus());
468b0d29bc4SBrooks Davis }
469b0d29bc4SBrooks Davis
470b0d29bc4SBrooks Davis
471b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_child__process_group);
ATF_TEST_CASE_BODY(isolate_child__process_group)472b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__process_group)
473b0d29bc4SBrooks Davis {
474b0d29bc4SBrooks Davis const process::status status = fork_and_run(check_process_group);
475b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
476b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(EXIT_SUCCESS, status.exitstatus());
477b0d29bc4SBrooks Davis }
478b0d29bc4SBrooks Davis
479b0d29bc4SBrooks Davis
480b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_child__reset_umask);
ATF_TEST_CASE_BODY(isolate_child__reset_umask)481b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_child__reset_umask)
482b0d29bc4SBrooks Davis {
483b0d29bc4SBrooks Davis const process::status status = fork_and_run(check_umask);
484b0d29bc4SBrooks Davis ATF_REQUIRE(status.exited());
485b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(EXIT_SUCCESS, status.exitstatus());
486b0d29bc4SBrooks Davis }
487b0d29bc4SBrooks Davis
488b0d29bc4SBrooks Davis
489b0d29bc4SBrooks Davis /// Executes isolate_path() and compares the on-disk changes to expected values.
490b0d29bc4SBrooks Davis ///
491b0d29bc4SBrooks Davis /// \param unprivileged_user The user to pass to isolate_path; may be none.
492b0d29bc4SBrooks Davis /// \param exp_uid Expected UID or none to expect the old value.
493b0d29bc4SBrooks Davis /// \param exp_gid Expected GID or none to expect the old value.
494b0d29bc4SBrooks Davis static void
do_isolate_path_test(const optional<passwd::user> & unprivileged_user,const optional<uid_t> & exp_uid,const optional<gid_t> & exp_gid)495b0d29bc4SBrooks Davis do_isolate_path_test(const optional< passwd::user >& unprivileged_user,
496b0d29bc4SBrooks Davis const optional< uid_t >& exp_uid,
497b0d29bc4SBrooks Davis const optional< gid_t >& exp_gid)
498b0d29bc4SBrooks Davis {
499b0d29bc4SBrooks Davis const fs::path dir("dir");
500b0d29bc4SBrooks Davis fs::mkdir(dir, 0755);
501b0d29bc4SBrooks Davis struct ::stat old_sb;
502b0d29bc4SBrooks Davis ATF_REQUIRE(::stat(dir.c_str(), &old_sb) != -1);
503b0d29bc4SBrooks Davis
504b0d29bc4SBrooks Davis process::isolate_path(unprivileged_user, dir);
505b0d29bc4SBrooks Davis
506b0d29bc4SBrooks Davis struct ::stat new_sb;
507b0d29bc4SBrooks Davis ATF_REQUIRE(::stat(dir.c_str(), &new_sb) != -1);
508b0d29bc4SBrooks Davis
509b0d29bc4SBrooks Davis if (exp_uid)
510b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(exp_uid.get(), new_sb.st_uid);
511b0d29bc4SBrooks Davis else
512b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(old_sb.st_uid, new_sb.st_uid);
513b0d29bc4SBrooks Davis
514b0d29bc4SBrooks Davis if (exp_gid)
515b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(exp_gid.get(), new_sb.st_gid);
516b0d29bc4SBrooks Davis else
517b0d29bc4SBrooks Davis ATF_REQUIRE_EQ(old_sb.st_gid, new_sb.st_gid);
518b0d29bc4SBrooks Davis }
519b0d29bc4SBrooks Davis
520b0d29bc4SBrooks Davis
521b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_path__no_user);
ATF_TEST_CASE_BODY(isolate_path__no_user)522b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_path__no_user)
523b0d29bc4SBrooks Davis {
524b0d29bc4SBrooks Davis do_isolate_path_test(none, none, none);
525b0d29bc4SBrooks Davis }
526b0d29bc4SBrooks Davis
527b0d29bc4SBrooks Davis
528b0d29bc4SBrooks Davis ATF_TEST_CASE_WITHOUT_HEAD(isolate_path__same_user);
ATF_TEST_CASE_BODY(isolate_path__same_user)529b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_path__same_user)
530b0d29bc4SBrooks Davis {
531b0d29bc4SBrooks Davis do_isolate_path_test(utils::make_optional(passwd::current_user()),
532b0d29bc4SBrooks Davis none, none);
533b0d29bc4SBrooks Davis }
534b0d29bc4SBrooks Davis
535b0d29bc4SBrooks Davis
536b0d29bc4SBrooks Davis ATF_TEST_CASE(isolate_path__other_user_when_unprivileged);
ATF_TEST_CASE_HEAD(isolate_path__other_user_when_unprivileged)537b0d29bc4SBrooks Davis ATF_TEST_CASE_HEAD(isolate_path__other_user_when_unprivileged)
538b0d29bc4SBrooks Davis {
539b0d29bc4SBrooks Davis set_md_var("require.user", "unprivileged");
540b0d29bc4SBrooks Davis }
ATF_TEST_CASE_BODY(isolate_path__other_user_when_unprivileged)541b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_path__other_user_when_unprivileged)
542b0d29bc4SBrooks Davis {
543b0d29bc4SBrooks Davis passwd::user user = passwd::current_user();
544b0d29bc4SBrooks Davis user.uid += 1;
545b0d29bc4SBrooks Davis user.gid += 1;
546b0d29bc4SBrooks Davis
547b0d29bc4SBrooks Davis do_isolate_path_test(utils::make_optional(user), none, none);
548b0d29bc4SBrooks Davis }
549b0d29bc4SBrooks Davis
550b0d29bc4SBrooks Davis
551b0d29bc4SBrooks Davis ATF_TEST_CASE(isolate_path__drop_privileges);
ATF_TEST_CASE_HEAD(isolate_path__drop_privileges)552b0d29bc4SBrooks Davis ATF_TEST_CASE_HEAD(isolate_path__drop_privileges)
553b0d29bc4SBrooks Davis {
554b0d29bc4SBrooks Davis set_md_var("require.config", "unprivileged-user");
555b0d29bc4SBrooks Davis set_md_var("require.user", "root");
556b0d29bc4SBrooks Davis }
ATF_TEST_CASE_BODY(isolate_path__drop_privileges)557b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_path__drop_privileges)
558b0d29bc4SBrooks Davis {
559b0d29bc4SBrooks Davis const passwd::user unprivileged_user = passwd::find_user_by_name(
560b0d29bc4SBrooks Davis get_config_var("unprivileged-user"));
561b0d29bc4SBrooks Davis do_isolate_path_test(utils::make_optional(unprivileged_user),
562b0d29bc4SBrooks Davis utils::make_optional(unprivileged_user.uid),
563b0d29bc4SBrooks Davis utils::make_optional(unprivileged_user.gid));
564b0d29bc4SBrooks Davis }
565b0d29bc4SBrooks Davis
566b0d29bc4SBrooks Davis
567b0d29bc4SBrooks Davis ATF_TEST_CASE(isolate_path__drop_privileges_only_uid);
ATF_TEST_CASE_HEAD(isolate_path__drop_privileges_only_uid)568b0d29bc4SBrooks Davis ATF_TEST_CASE_HEAD(isolate_path__drop_privileges_only_uid)
569b0d29bc4SBrooks Davis {
570b0d29bc4SBrooks Davis set_md_var("require.config", "unprivileged-user");
571b0d29bc4SBrooks Davis set_md_var("require.user", "root");
572b0d29bc4SBrooks Davis }
ATF_TEST_CASE_BODY(isolate_path__drop_privileges_only_uid)573b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_path__drop_privileges_only_uid)
574b0d29bc4SBrooks Davis {
575b0d29bc4SBrooks Davis passwd::user unprivileged_user = passwd::find_user_by_name(
576b0d29bc4SBrooks Davis get_config_var("unprivileged-user"));
577b0d29bc4SBrooks Davis unprivileged_user.gid = ::getgid();
578b0d29bc4SBrooks Davis do_isolate_path_test(utils::make_optional(unprivileged_user),
579b0d29bc4SBrooks Davis utils::make_optional(unprivileged_user.uid),
580b0d29bc4SBrooks Davis none);
581b0d29bc4SBrooks Davis }
582b0d29bc4SBrooks Davis
583b0d29bc4SBrooks Davis
584b0d29bc4SBrooks Davis ATF_TEST_CASE(isolate_path__drop_privileges_only_gid);
ATF_TEST_CASE_HEAD(isolate_path__drop_privileges_only_gid)585b0d29bc4SBrooks Davis ATF_TEST_CASE_HEAD(isolate_path__drop_privileges_only_gid)
586b0d29bc4SBrooks Davis {
587b0d29bc4SBrooks Davis set_md_var("require.config", "unprivileged-user");
588b0d29bc4SBrooks Davis set_md_var("require.user", "root");
589b0d29bc4SBrooks Davis }
ATF_TEST_CASE_BODY(isolate_path__drop_privileges_only_gid)590b0d29bc4SBrooks Davis ATF_TEST_CASE_BODY(isolate_path__drop_privileges_only_gid)
591b0d29bc4SBrooks Davis {
592b0d29bc4SBrooks Davis passwd::user unprivileged_user = passwd::find_user_by_name(
593b0d29bc4SBrooks Davis get_config_var("unprivileged-user"));
594b0d29bc4SBrooks Davis unprivileged_user.uid = ::getuid();
595b0d29bc4SBrooks Davis do_isolate_path_test(utils::make_optional(unprivileged_user),
596b0d29bc4SBrooks Davis none,
597b0d29bc4SBrooks Davis utils::make_optional(unprivileged_user.gid));
598b0d29bc4SBrooks Davis }
599b0d29bc4SBrooks Davis
600b0d29bc4SBrooks Davis
ATF_INIT_TEST_CASES(tcs)601b0d29bc4SBrooks Davis ATF_INIT_TEST_CASES(tcs)
602b0d29bc4SBrooks Davis {
603b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__clean_environment);
604b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__other_user_when_unprivileged);
605b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__drop_privileges);
606b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__drop_privileges_fail_uid);
607b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__drop_privileges_fail_gid);
608b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__enable_core_dumps);
609b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__enter_work_directory);
610b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__enter_work_directory_failure);
611b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__new_session);
612b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__no_terminal);
613b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__process_group);
614b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_child__reset_umask);
615b0d29bc4SBrooks Davis
616b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_path__no_user);
617b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_path__same_user);
618b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_path__other_user_when_unprivileged);
619b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_path__drop_privileges);
620b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_path__drop_privileges_only_uid);
621b0d29bc4SBrooks Davis ATF_ADD_TEST_CASE(tcs, isolate_path__drop_privileges_only_gid);
622b0d29bc4SBrooks Davis }
623