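/* $NetBSD: t_ptrace.c,v 1.18 2017/01/13 21:30:41 christos Exp $ */

/*-
 * Copyright (c) 2016 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__RCSID("$NetBSD: t_ptrace.c,v 1.18 2017/01/13 21:30:41 christos Exp $");

#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <sys/wait.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>

#include <atf-c.h>

#include "h_macros.h"

/*
 * A child process cannot call atf functions and expect them to magically
 * work like in the parent.
 * The printf(3) messaging from a child will not work out of the box as well
 * without establishing a communication protocol with its parent. To not
 * overcomplicate the tests - do not log from a child and use err(3)/errx(3)
 * wrapped with FORKEE_ASSERT()/FORKEE_ASSERTX() as that is guaranteed to work.
 */

/*
 * Child-side assertion for conditions where errno carries no information:
 * on failure, terminate with EXIT_FAILURE through errx(3).
 */
#define FORKEE_ASSERTX(x)						\
do {									\
	int ret = (x);							\
	if (!ret)							\
		errx(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s", \
		     __FILE__, __LINE__, __func__, #x);			\
} while (0)

/*
 * Child-side assertion for failed system calls: on failure, terminate with
 * EXIT_FAILURE through err(3), which also reports the current errno.
 */
#define FORKEE_ASSERT(x)						\
do {									\
	int ret = (x);							\
	if (!ret)							\
		err(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s", \
		     __FILE__, __LINE__, __func__, #x);			\
} while (0)

ATF_TC(attach_pid0);
ATF_TC_HEAD(attach_pid0, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot attach to PID 0");
}

/* PT_ATTACH on PID 0 must fail with EPERM. */
ATF_TC_BODY(attach_pid0, tc)
{
	errno = 0;
	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 0, NULL, 0) == -1);
}

ATF_TC(attach_pid1);
ATF_TC_HEAD(attach_pid1, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot attach to PID 1 (as non-root)");

	atf_tc_set_md_var(tc, "require.user", "unprivileged");
}

/* As an unprivileged user, PT_ATTACH on PID 1 must fail with EPERM. */
ATF_TC_BODY(attach_pid1, tc)
{
	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
}

ATF_TC(attach_pid1_securelevel);
ATF_TC_HEAD(attach_pid1_securelevel, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot attach to PID 1 with "
	    "securelevel >= 1 (as root)");

	atf_tc_set_md_var(tc, "require.user", "root");
}

/*
 * As root, PT_ATTACH on PID 1 must still fail with EPERM once
 * kern.securelevel is at least 1.  The test is skipped, not failed, when
 * the running system has a lower securelevel.
 */
ATF_TC_BODY(attach_pid1_securelevel, tc)
{
	int level;
	size_t len = sizeof(level);

	ATF_REQUIRE(sysctlbyname("kern.securelevel", &level, &len, NULL, 0)
	    != -1);

	if (level < 1) {
		atf_tc_skip("Test must be run with securelevel >= 1");
	}

	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
}

ATF_TC(attach_self);
ATF_TC_HEAD(attach_self, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot attach to self (as it's nonsense)");
}

/* PT_ATTACH on the caller's own PID must fail with EINVAL. */
ATF_TC_BODY(attach_self, tc)
{
	ATF_REQUIRE_ERRNO(EINVAL, ptrace(PT_ATTACH, getpid(), NULL, 0) == -1);
}

ATF_TC(attach_chroot);
ATF_TC_HEAD(attach_chroot, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot trace another process unless the "
	    "process's root directory is at or below the tracing process's "
	    "root");

	atf_tc_set_md_var(tc, "require.user", "root");
}

/*
 * A child chroot(2)s into a fresh subdirectory and then tries to PT_ATTACH
 * to its parent, whose root directory lies outside that chroot; the attempt
 * must fail with EPERM.  Two pipes sequence the processes: the child reports
 * that it has chrooted, and the parent releases it to exit.
 *
 * The check itself runs in the child, so it goes through FORKEE_ASSERT*()
 * rather than the atf macros, and the parent collects the child's exit
 * status so that a failed check fails the test case.
 */
ATF_TC_BODY(attach_chroot, tc)
{
	char buf[PATH_MAX];
	pid_t child;
	int fds_toparent[2], fds_fromparent[2];
	int rv;
	int status;
	uint8_t msg = 0xde; /* dummy message for IPC based on pipe(2) */

	/* Build "<cwd>/dir"; a truncated path must not be used silently. */
	(void)memset(buf, '\0', sizeof(buf));
	ATF_REQUIRE(getcwd(buf, sizeof(buf)) != NULL);
	ATF_REQUIRE(strlcat(buf, "/dir", sizeof(buf)) < sizeof(buf));

	ATF_REQUIRE(mkdir(buf, 0500) == 0);
	ATF_REQUIRE(chdir(buf) == 0);

	ATF_REQUIRE(pipe(fds_toparent) == 0);
	ATF_REQUIRE(pipe(fds_fromparent) == 0);
	child = atf_utils_fork();
	if (child == 0) {
		FORKEE_ASSERT(close(fds_toparent[0]) == 0);
		FORKEE_ASSERT(close(fds_fromparent[1]) == 0);

		FORKEE_ASSERT(chroot(buf) == 0);

		rv = write(fds_toparent[1], &msg, sizeof(msg));
		FORKEE_ASSERTX(rv == sizeof(msg));

		/*
		 * The attach must be refused.  errno is checked separately
		 * with FORKEE_ASSERT() so that err(3) reports the errno that
		 * was actually returned when it is not EPERM.
		 */
		errno = 0;
		FORKEE_ASSERTX(ptrace(PT_ATTACH, getppid(), NULL, 0) == -1);
		FORKEE_ASSERT(errno == EPERM);

		rv = read(fds_fromparent[0], &msg, sizeof(msg));
		FORKEE_ASSERTX(rv == sizeof(msg));

		_exit(0);
	}
	ATF_REQUIRE(close(fds_toparent[1]) == 0);
	ATF_REQUIRE(close(fds_fromparent[0]) == 0);

	printf("Waiting for chrooting of the child PID %d\n", child);
	rv = read(fds_toparent[0], &msg, sizeof(msg));
	ATF_REQUIRE(rv == sizeof(msg));

	printf("Child is ready, it will try to PT_ATTACH to parent\n");
	rv = write(fds_fromparent[1], &msg, sizeof(msg));
	ATF_REQUIRE(rv == sizeof(msg));

	printf("fds_fromparent is no longer needed - close it\n");
	ATF_REQUIRE(close(fds_fromparent[1]) == 0);

	printf("fds_toparent is no longer needed - close it\n");
	ATF_REQUIRE(close(fds_toparent[0]) == 0);

	/*
	 * The EPERM check ran in the child; without reaping it here the
	 * parent would finish without ever looking at the outcome.
	 */
	ATF_REQUIRE(waitpid(child, &status, 0) == child);
	ATF_REQUIRE(WIFEXITED(status));
	ATF_REQUIRE(WEXITSTATUS(status) == 0);
}

/* Register the test cases; stdout and stderr are made unbuffered first. */
ATF_TP_ADD_TCS(tp)
{
	setvbuf(stdout, NULL, _IONBF, 0);
	setvbuf(stderr, NULL, _IONBF, 0);
	ATF_TP_ADD_TC(tp, attach_pid0);
	ATF_TP_ADD_TC(tp, attach_pid1);
	ATF_TP_ADD_TC(tp, attach_pid1_securelevel);
	ATF_TP_ADD_TC(tp, attach_self);
	ATF_TP_ADD_TC(tp, attach_chroot);

	return atf_no_error();
}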