1 // Test routines to make sure a variety of system calls are or are not 2 // available in capability mode. The goal is not to see if they work, just 3 // whether or not they return the expected ECAPMODE. 4 #include <sys/types.h> 5 #include <sys/socket.h> 6 #include <sys/sockio.h> 7 #include <sys/stat.h> 8 #include <sys/mount.h> 9 #include <sys/mman.h> 10 #include <sys/wait.h> 11 #include <sys/time.h> 12 #include <sys/resource.h> 13 #include <sys/ptrace.h> 14 #include <dirent.h> 15 #include <net/if.h> 16 #include <netinet/in.h> 17 #include <fcntl.h> 18 #include <sched.h> 19 #include <time.h> 20 #include <unistd.h> 21 #include <pthread.h> 22 23 #include "capsicum.h" 24 #include "syscalls.h" 25 #include "capsicum-test.h" 26 27 // Test fixture that opens (and closes) a bunch of files. 28 class WithFiles : public ::testing::Test { 29 public: 30 WithFiles() : 31 fd_file_(open(TmpFile("cap_capmode"), O_RDWR|O_CREAT, 0644)), 32 fd_close_(open("/dev/null", O_RDWR)), 33 fd_dir_(open(tmpdir.c_str(), O_RDONLY)), 34 fd_socket_(socket(PF_INET, SOCK_DGRAM, 0)), 35 fd_tcp_socket_(socket(PF_INET, SOCK_STREAM, 0)) { 36 EXPECT_OK(fd_file_); 37 EXPECT_OK(fd_close_); 38 EXPECT_OK(fd_dir_); 39 EXPECT_OK(fd_socket_); 40 EXPECT_OK(fd_tcp_socket_); 41 } 42 ~WithFiles() { 43 if (fd_tcp_socket_ >= 0) close(fd_tcp_socket_); 44 if (fd_socket_ >= 0) close(fd_socket_); 45 if (fd_dir_ >= 0) close(fd_dir_); 46 if (fd_close_ >= 0) close(fd_close_); 47 if (fd_file_ >= 0) close(fd_file_); 48 unlink(TmpFile("cap_capmode")); 49 } 50 protected: 51 int fd_file_; 52 int fd_close_; 53 int fd_dir_; 54 int fd_socket_; 55 int fd_tcp_socket_; 56 }; 57 58 FORK_TEST_F(WithFiles, DisallowedFileSyscalls) { 59 unsigned int mode = -1; 60 EXPECT_OK(cap_getmode(&mode)); 61 EXPECT_EQ(0, (int)mode); 62 EXPECT_OK(cap_enter()); // Enter capability mode. 63 EXPECT_OK(cap_getmode(&mode)); 64 EXPECT_EQ(1, (int)mode); 65 66 // System calls that are not permitted in capability mode. 67 EXPECT_CAPMODE(access(TmpFile("cap_capmode_access"), F_OK)); 68 EXPECT_CAPMODE(acct(TmpFile("cap_capmode_acct"))); 69 EXPECT_CAPMODE(chdir(TmpFile("cap_capmode_chdir"))); 70 EXPECT_CAPMODE(chflags(TmpFile("cap_capmode_chflags"), UF_NODUMP)); 71 EXPECT_CAPMODE(chmod(TmpFile("cap_capmode_chmod"), 0644)); 72 EXPECT_CAPMODE(chown(TmpFile("cap_capmode_chown"), -1, -1)); 73 EXPECT_CAPMODE(chroot(TmpFile("cap_capmode_chroot"))); 74 EXPECT_CAPMODE(creat(TmpFile("cap_capmode_creat"), 0644)); 75 EXPECT_CAPMODE(fchdir(fd_dir_)); 76 struct statfs statfs; 77 EXPECT_CAPMODE(getfsstat(&statfs, sizeof(statfs), MNT_NOWAIT)); 78 EXPECT_CAPMODE(link(TmpFile("foo"), TmpFile("bar"))); 79 struct stat sb; 80 EXPECT_CAPMODE(lstat(TmpFile("cap_capmode_lstat"), &sb)); 81 EXPECT_CAPMODE(mknod(TmpFile("capmode_mknod"), 0644 | S_IFIFO, 0)); 82 EXPECT_CAPMODE(bogus_mount_()); 83 EXPECT_CAPMODE(open("/dev/null", O_RDWR)); 84 char buf[64]; 85 EXPECT_CAPMODE(readlink(TmpFile("cap_capmode_readlink"), buf, sizeof(buf))); 86 EXPECT_CAPMODE(revoke(TmpFile("cap_capmode_revoke"))); 87 EXPECT_CAPMODE(stat(TmpFile("cap_capmode_stat"), &sb)); 88 EXPECT_CAPMODE(symlink(TmpFile("cap_capmode_symlink_from"), TmpFile("cap_capmode_symlink_to"))); 89 EXPECT_CAPMODE(unlink(TmpFile("cap_capmode_unlink"))); 90 EXPECT_CAPMODE(umount2("/not_mounted", 0)); 91 } 92 93 FORK_TEST_F(WithFiles, DisallowedSocketSyscalls) { 94 EXPECT_OK(cap_enter()); // Enter capability mode. 95 96 // System calls that are not permitted in capability mode. 97 struct sockaddr_in addr; 98 addr.sin_family = AF_INET; 99 addr.sin_port = 0; 100 addr.sin_addr.s_addr = htonl(INADDR_ANY); 101 EXPECT_CAPMODE(bind_(fd_socket_, (sockaddr*)&addr, sizeof(addr))); 102 addr.sin_family = AF_INET; 103 addr.sin_port = 53; 104 addr.sin_addr.s_addr = htonl(0x08080808); 105 EXPECT_CAPMODE(connect_(fd_tcp_socket_, (sockaddr*)&addr, sizeof(addr))); 106 } 107 108 FORK_TEST_F(WithFiles, AllowedFileSyscalls) { 109 int rc; 110 EXPECT_OK(cap_enter()); // Enter capability mode. 111 112 EXPECT_OK(close(fd_close_)); 113 fd_close_ = -1; 114 int fd_dup = dup(fd_file_); 115 EXPECT_OK(fd_dup); 116 EXPECT_OK(dup2(fd_file_, fd_dup)); 117 EXPECT_OK(dup3(fd_file_, fd_dup, 0)); 118 if (fd_dup >= 0) close(fd_dup); 119 120 struct stat sb; 121 EXPECT_OK(fstat(fd_file_, &sb)); 122 EXPECT_OK(lseek(fd_file_, 0, SEEK_SET)); 123 char ch; 124 EXPECT_OK(read(fd_file_, &ch, sizeof(ch))); 125 EXPECT_OK(write(fd_file_, &ch, sizeof(ch))); 126 127 rc = fchflags(fd_file_, UF_NODUMP); 128 if (rc < 0) { 129 EXPECT_NE(ECAPMODE, errno); 130 } 131 132 char buf[1024]; 133 rc = getdents_(fd_dir_, (void*)buf, sizeof(buf)); 134 EXPECT_OK(rc); 135 136 char data[] = "123"; 137 EXPECT_OK(pwrite(fd_file_, data, 1, 0)); 138 EXPECT_OK(pread(fd_file_, data, 1, 0)); 139 140 struct iovec io; 141 io.iov_base = data; 142 io.iov_len = 2; 143 #if !defined(__i386__) 144 // TODO(drysdale): reinstate these tests for 32-bit runs when possible 145 // libc bug is fixed. 146 EXPECT_OK(pwritev(fd_file_, &io, 1, 0)); 147 EXPECT_OK(preadv(fd_file_, &io, 1, 0)); 148 #endif 149 EXPECT_OK(writev(fd_file_, &io, 1)); 150 EXPECT_OK(readv(fd_file_, &io, 1)); 151 } 152 153 FORK_TEST_F(WithFiles, AllowedSocketSyscalls) { 154 EXPECT_OK(cap_enter()); // Enter capability mode. 155 156 // recvfrom() either returns -1 with EAGAIN, or 0. 157 int rc = recvfrom(fd_socket_, NULL, 0, MSG_DONTWAIT, NULL, NULL); 158 if (rc < 0) { 159 EXPECT_EQ(EAGAIN, errno); 160 } 161 char ch; 162 EXPECT_OK(write(fd_file_, &ch, sizeof(ch))); 163 164 // These calls will fail for lack of e.g. a proper name to send to, 165 // but they are allowed in capability mode, so errno != ECAPMODE. 166 EXPECT_FAIL_NOT_CAPMODE(accept(fd_socket_, NULL, NULL)); 167 EXPECT_FAIL_NOT_CAPMODE(getpeername(fd_socket_, NULL, NULL)); 168 EXPECT_FAIL_NOT_CAPMODE(getsockname(fd_socket_, NULL, NULL)); 169 EXPECT_FAIL_NOT_CAPMODE(recvmsg(fd_socket_, NULL, 0)); 170 EXPECT_FAIL_NOT_CAPMODE(sendmsg(fd_socket_, NULL, 0)); 171 EXPECT_FAIL_NOT_CAPMODE(sendto(fd_socket_, NULL, 0, 0, NULL, 0)); 172 off_t offset = 0; 173 EXPECT_FAIL_NOT_CAPMODE(sendfile_(fd_socket_, fd_file_, &offset, 1)); 174 175 // The socket/socketpair syscalls are allowed, but they don't give 176 // anything externally useful (can't call bind/connect on them). 177 int fd_socket2 = socket(PF_INET, SOCK_DGRAM, 0); 178 EXPECT_OK(fd_socket2); 179 if (fd_socket2 >= 0) close(fd_socket2); 180 int fd_pair[2] = {-1, -1}; 181 EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, fd_pair)); 182 if (fd_pair[0] >= 0) close(fd_pair[0]); 183 if (fd_pair[1] >= 0) close(fd_pair[1]); 184 } 185 186 FORK_TEST_F(WithFiles, AllowedSocketSyscallsIfRoot) { 187 GTEST_SKIP_IF_NOT_ROOT(); 188 189 EXPECT_OK(cap_enter()); // Enter capability mode. 190 191 // Creation of raw sockets is not permitted in capability mode. 192 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, 0)); 193 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)); 194 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, IPPROTO_TCP)); 195 EXPECT_CAPMODE(socket(AF_INET, SOCK_RAW, IPPROTO_UDP)); 196 197 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_ICMP)); 198 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6)); 199 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_TCP)); 200 EXPECT_CAPMODE(socket(AF_INET6, SOCK_RAW, IPPROTO_UDP)); 201 202 EXPECT_CAPMODE(socket(AF_ROUTE, SOCK_RAW, 0)); 203 204 // Interface configuration ioctls are not permitted in capability 205 // mode. 206 // 207 // This test is disabled for now as the corresponding kernel change was 208 // disabled. 209 #if 0 210 #ifdef __FreeBSD__ 211 struct if_clonereq req; 212 213 req.ifcr_total = 0; 214 req.ifcr_count = 1; 215 req.ifcr_buffer = static_cast<char *>(malloc(IFNAMSIZ)); 216 217 EXPECT_CAPMODE(ioctl(fd_socket_, SIOCIFGCLONERS, &req)); 218 219 free(req.ifcr_buffer); 220 #endif 221 #endif 222 } 223 224 #ifdef HAVE_SEND_RECV_MMSG 225 FORK_TEST(Capmode, AllowedMmsgSendRecv) { 226 int fd_socket = socket(PF_INET, SOCK_DGRAM, 0); 227 228 struct sockaddr_in addr; 229 addr.sin_family = AF_INET; 230 addr.sin_port = htons(0); 231 addr.sin_addr.s_addr = htonl(INADDR_ANY); 232 EXPECT_OK(bind(fd_socket, (sockaddr*)&addr, sizeof(addr))); 233 234 EXPECT_OK(cap_enter()); // Enter capability mode. 235 236 char buffer[256] = {0}; 237 struct iovec iov; 238 iov.iov_base = buffer; 239 iov.iov_len = sizeof(buffer); 240 struct mmsghdr mm; 241 memset(&mm, 0, sizeof(mm)); 242 mm.msg_hdr.msg_iov = &iov; 243 mm.msg_hdr.msg_iovlen = 1; 244 struct timespec ts; 245 ts.tv_sec = 1; 246 ts.tv_nsec = 100; 247 EXPECT_FAIL_NOT_CAPMODE(recvmmsg(fd_socket, &mm, 1, MSG_DONTWAIT, &ts)); 248 EXPECT_FAIL_NOT_CAPMODE(sendmmsg(fd_socket, &mm, 1, 0)); 249 close(fd_socket); 250 } 251 #endif 252 253 FORK_TEST(Capmode, AllowedIdentifierSyscalls) { 254 // Record some identifiers 255 gid_t my_gid = getgid(); 256 pid_t my_pid = getpid(); 257 pid_t my_ppid = getppid(); 258 uid_t my_uid = getuid(); 259 pid_t my_sid = getsid(my_pid); 260 261 EXPECT_OK(cap_enter()); // Enter capability mode. 262 263 EXPECT_EQ(my_gid, getegid_()); 264 EXPECT_EQ(my_uid, geteuid_()); 265 EXPECT_EQ(my_gid, getgid_()); 266 EXPECT_EQ(my_pid, getpid()); 267 EXPECT_EQ(my_ppid, getppid()); 268 EXPECT_EQ(my_uid, getuid_()); 269 EXPECT_EQ(my_sid, getsid(my_pid)); 270 gid_t grps[128]; 271 EXPECT_OK(getgroups_(128, grps)); 272 uid_t ruid; 273 uid_t euid; 274 uid_t suid; 275 EXPECT_OK(getresuid(&ruid, &euid, &suid)); 276 gid_t rgid; 277 gid_t egid; 278 gid_t sgid; 279 EXPECT_OK(getresgid(&rgid, &egid, &sgid)); 280 EXPECT_TRUE(getlogin() != NULL); 281 282 // Set various identifiers (to their existing values). 283 EXPECT_OK(setgid(my_gid)); 284 EXPECT_OK(setregid(my_gid, my_gid)); 285 EXPECT_OK(setresgid(my_gid, my_gid, my_gid)); 286 EXPECT_OK(setreuid(my_uid, my_uid)); 287 EXPECT_OK(setresuid(my_uid, my_uid, my_uid)); 288 EXPECT_OK(setsid()); 289 } 290 291 FORK_TEST(Capmode, AllowedSchedSyscalls) { 292 EXPECT_OK(cap_enter()); // Enter capability mode. 293 int policy = sched_getscheduler(0); 294 EXPECT_OK(policy); 295 struct sched_param sp; 296 EXPECT_OK(sched_getparam(0, &sp)); 297 if (policy >= 0 && (!SCHED_SETSCHEDULER_REQUIRES_ROOT || getuid() == 0)) { 298 EXPECT_OK(sched_setscheduler(0, policy, &sp)); 299 } 300 EXPECT_OK(sched_setparam(0, &sp)); 301 EXPECT_OK(sched_get_priority_max(policy)); 302 EXPECT_OK(sched_get_priority_min(policy)); 303 struct timespec ts; 304 EXPECT_OK(sched_rr_get_interval(0, &ts)); 305 EXPECT_OK(sched_yield()); 306 } 307 308 309 FORK_TEST(Capmode, AllowedTimerSyscalls) { 310 EXPECT_OK(cap_enter()); // Enter capability mode. 311 struct timespec ts; 312 EXPECT_OK(clock_getres(CLOCK_REALTIME, &ts)); 313 EXPECT_OK(clock_gettime(CLOCK_REALTIME, &ts)); 314 struct itimerval itv; 315 EXPECT_OK(getitimer(ITIMER_REAL, &itv)); 316 EXPECT_OK(setitimer(ITIMER_REAL, &itv, NULL)); 317 struct timeval tv; 318 struct timezone tz; 319 EXPECT_OK(gettimeofday(&tv, &tz)); 320 ts.tv_sec = 0; 321 ts.tv_nsec = 1; 322 EXPECT_OK(nanosleep(&ts, NULL)); 323 } 324 325 326 FORK_TEST(Capmode, AllowedProfilSyscall) { 327 EXPECT_OK(cap_enter()); // Enter capability mode. 328 char sbuf[32]; 329 EXPECT_OK(profil((profil_arg1_t*)sbuf, sizeof(sbuf), 0, 1)); 330 } 331 332 333 FORK_TEST(Capmode, AllowedResourceSyscalls) { 334 EXPECT_OK(cap_enter()); // Enter capability mode. 335 errno = 0; 336 int rc = getpriority(PRIO_PROCESS, 0); 337 EXPECT_EQ(0, errno); 338 EXPECT_OK(setpriority(PRIO_PROCESS, 0, rc)); 339 struct rlimit rlim; 340 EXPECT_OK(getrlimit_(RLIMIT_CORE, &rlim)); 341 EXPECT_OK(setrlimit(RLIMIT_CORE, &rlim)); 342 struct rusage ruse; 343 EXPECT_OK(getrusage(RUSAGE_SELF, &ruse)); 344 } 345 346 FORK_TEST(CapMode, AllowedMmapSyscalls) { 347 // mmap() some memory. 348 size_t mem_size = getpagesize(); 349 void *mem = mmap(NULL, mem_size, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0); 350 EXPECT_TRUE(mem != NULL); 351 EXPECT_OK(cap_enter()); // Enter capability mode. 352 353 EXPECT_OK(msync(mem, mem_size, MS_ASYNC)); 354 EXPECT_OK(madvise(mem, mem_size, MADV_NORMAL)); 355 unsigned char vec[2]; 356 EXPECT_OK(mincore_(mem, mem_size, vec)); 357 EXPECT_OK(mprotect(mem, mem_size, PROT_READ|PROT_WRITE)); 358 359 if (!MLOCK_REQUIRES_ROOT || getuid() == 0) { 360 EXPECT_OK(mlock(mem, mem_size)); 361 EXPECT_OK(munlock(mem, mem_size)); 362 int rc = mlockall(MCL_CURRENT); 363 if (rc != 0) { 364 // mlockall may well fail with ENOMEM for non-root users, as the 365 // default RLIMIT_MEMLOCK value isn't that big. 366 EXPECT_NE(ECAPMODE, errno); 367 } 368 EXPECT_OK(munlockall()); 369 } 370 // Unmap the memory. 371 EXPECT_OK(munmap(mem, mem_size)); 372 } 373 374 FORK_TEST(Capmode, AllowedPipeSyscalls) { 375 EXPECT_OK(cap_enter()); // Enter capability mode 376 int fd2[2]; 377 int rc = pipe(fd2); 378 EXPECT_EQ(0, rc); 379 380 if (rc == 0) { 381 close(fd2[0]); 382 close(fd2[1]); 383 }; 384 #ifdef HAVE_PIPE2 385 rc = pipe2(fd2, 0); 386 EXPECT_EQ(0, rc); 387 if (rc == 0) { 388 close(fd2[0]); 389 close(fd2[1]); 390 }; 391 #endif 392 } 393 394 TEST(Capmode, AllowedAtSyscalls) { 395 int rc = mkdir(TmpFile("cap_at_syscalls"), 0755); 396 EXPECT_OK(rc); 397 if (rc < 0 && errno != EEXIST) return; 398 int dfd = open(TmpFile("cap_at_syscalls"), O_RDONLY); 399 EXPECT_OK(dfd); 400 401 int file = openat(dfd, "testfile", O_RDONLY|O_CREAT, 0644); 402 EXPECT_OK(file); 403 EXPECT_OK(close(file)); 404 405 406 pid_t child = fork(); 407 if (child == 0) { 408 // Child: enter cap mode and run tests 409 EXPECT_OK(cap_enter()); // Enter capability mode 410 411 struct stat fs; 412 EXPECT_OK(fstatat(dfd, "testfile", &fs, 0)); 413 EXPECT_OK(mkdirat(dfd, "subdir", 0600)); 414 EXPECT_OK(fchmodat(dfd, "subdir", 0644, 0)); 415 EXPECT_OK(faccessat(dfd, "subdir", F_OK, 0)); 416 EXPECT_OK(renameat(dfd, "subdir", dfd, "subdir2")); 417 EXPECT_OK(renameat(dfd, "subdir2", dfd, "subdir")); 418 struct timeval tv[2]; 419 struct timezone tz; 420 EXPECT_OK(gettimeofday(&tv[0], &tz)); 421 EXPECT_OK(gettimeofday(&tv[1], &tz)); 422 EXPECT_OK(futimesat(dfd, "testfile", tv)); 423 424 EXPECT_OK(fchownat(dfd, "testfile", fs.st_uid, fs.st_gid, 0)); 425 EXPECT_OK(linkat(dfd, "testfile", dfd, "linky", 0)); 426 EXPECT_OK(symlinkat("testfile", dfd, "symlink")); 427 char buffer[256]; 428 EXPECT_OK(readlinkat(dfd, "symlink", buffer, sizeof(buffer))); 429 EXPECT_OK(unlinkat(dfd, "linky", 0)); 430 EXPECT_OK(unlinkat(dfd, "subdir", AT_REMOVEDIR)); 431 432 // Check that invalid requests get a non-Capsicum errno. 433 errno = 0; 434 rc = readlinkat(-1, "symlink", buffer, sizeof(buffer)); 435 EXPECT_GE(0, rc); 436 EXPECT_NE(ECAPMODE, errno); 437 438 exit(HasFailure()); 439 } 440 441 // Wait for the child. 442 int status; 443 EXPECT_EQ(child, waitpid(child, &status, 0)); 444 rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1; 445 EXPECT_EQ(0, rc); 446 447 // Tidy up. 448 close(dfd); 449 rmdir(TmpFile("cap_at_syscalls/subdir")); 450 unlink(TmpFile("cap_at_syscalls/symlink")); 451 unlink(TmpFile("cap_at_syscalls/linky")); 452 unlink(TmpFile("cap_at_syscalls/testfile")); 453 rmdir(TmpFile("cap_at_syscalls")); 454 } 455 456 TEST(Capmode, AllowedAtSyscallsCwd) { 457 int rc = mkdir(TmpFile("cap_at_syscalls_cwd"), 0755); 458 EXPECT_OK(rc); 459 if (rc < 0 && errno != EEXIST) return; 460 int dfd = open(TmpFile("cap_at_syscalls_cwd"), O_RDONLY); 461 EXPECT_OK(dfd); 462 463 int file = openat(dfd, "testfile", O_RDONLY|O_CREAT, 0644); 464 EXPECT_OK(file); 465 EXPECT_OK(close(file)); 466 467 pid_t child = fork(); 468 if (child == 0) { 469 // Child: move into temp dir, enter cap mode and run tests 470 EXPECT_OK(fchdir(dfd)); 471 EXPECT_OK(cap_enter()); // Enter capability mode 472 473 // Test that *at(AT_FDCWD, path,...) is policed with ECAPMODE. 474 EXPECT_CAPMODE(openat(AT_FDCWD, "testfile", O_RDONLY)); 475 struct stat fs; 476 EXPECT_CAPMODE(fstatat(AT_FDCWD, "testfile", &fs, 0)); 477 EXPECT_CAPMODE(mkdirat(AT_FDCWD, "subdir", 0600)); 478 EXPECT_CAPMODE(fchmodat(AT_FDCWD, "subdir", 0644, 0)); 479 EXPECT_CAPMODE(faccessat(AT_FDCWD, "subdir", F_OK, 0)); 480 EXPECT_CAPMODE(renameat(AT_FDCWD, "subdir", AT_FDCWD, "subdir2")); 481 EXPECT_CAPMODE(renameat(AT_FDCWD, "subdir2", AT_FDCWD, "subdir")); 482 struct timeval tv[2]; 483 struct timezone tz; 484 EXPECT_OK(gettimeofday(&tv[0], &tz)); 485 EXPECT_OK(gettimeofday(&tv[1], &tz)); 486 EXPECT_CAPMODE(futimesat(AT_FDCWD, "testfile", tv)); 487 488 EXPECT_CAPMODE(fchownat(AT_FDCWD, "testfile", fs.st_uid, fs.st_gid, 0)); 489 EXPECT_CAPMODE(linkat(AT_FDCWD, "testfile", AT_FDCWD, "linky", 0)); 490 EXPECT_CAPMODE(symlinkat("testfile", AT_FDCWD, "symlink")); 491 char buffer[256]; 492 EXPECT_CAPMODE(readlinkat(AT_FDCWD, "symlink", buffer, sizeof(buffer))); 493 EXPECT_CAPMODE(unlinkat(AT_FDCWD, "linky", 0)); 494 495 exit(HasFailure()); 496 } 497 498 // Wait for the child. 499 int status; 500 EXPECT_EQ(child, waitpid(child, &status, 0)); 501 rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1; 502 EXPECT_EQ(0, rc); 503 504 // Tidy up. 505 close(dfd); 506 rmdir(TmpFile("cap_at_syscalls_cwd/subdir")); 507 unlink(TmpFile("cap_at_syscalls_cwd/symlink")); 508 unlink(TmpFile("cap_at_syscalls_cwd/linky")); 509 unlink(TmpFile("cap_at_syscalls_cwd/testfile")); 510 rmdir(TmpFile("cap_at_syscalls_cwd")); 511 } 512 513 TEST(Capmode, Abort) { 514 // Check that abort(3) works even in capability mode. 515 pid_t child = fork(); 516 if (child == 0) { 517 // Child: enter capability mode and call abort(3). 518 // Triggers something like kill(getpid(), SIGABRT). 519 cap_enter(); // Enter capability mode. 520 abort(); 521 exit(99); 522 } 523 int status; 524 EXPECT_EQ(child, waitpid(child, &status, 0)); 525 EXPECT_TRUE(WIFSIGNALED(status)) << " status = " << std::hex << status; 526 EXPECT_EQ(SIGABRT, WTERMSIG(status)) << " status = " << std::hex << status; 527 } 528 529 FORK_TEST_F(WithFiles, AllowedMiscSyscalls) { 530 umask(022); 531 mode_t um_before = umask(022); 532 int pipefds[2]; 533 EXPECT_OK(pipe(pipefds)); 534 EXPECT_OK(cap_enter()); // Enter capability mode. 535 536 mode_t um = umask(022); 537 EXPECT_NE(-ECAPMODE, (int)um); 538 EXPECT_EQ(um_before, um); 539 stack_t ss; 540 EXPECT_OK(sigaltstack(NULL, &ss)); 541 542 // Finally, tests for system calls that don't fit the pattern very well. 543 pid_t pid = fork(); 544 EXPECT_OK(pid); 545 if (pid == 0) { 546 // Child: wait for an exit message from parent (so we can test waitpid). 547 EXPECT_OK(close(pipefds[0])); 548 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 549 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 550 exit(0); 551 } else if (pid > 0) { 552 EXPECT_OK(close(pipefds[1])); 553 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 554 errno = 0; 555 EXPECT_CAPMODE(ptrace_(PTRACE_PEEKDATA_, pid, &pid, NULL)); 556 SEND_INT_MESSAGE(pipefds[0], MSG_PARENT_REQUEST_CHILD_EXIT); 557 if (verbose) fprintf(stderr, " child finished\n"); 558 } 559 560 // No error return from sync(2) to test, but check errno remains unset. 561 errno = 0; 562 sync(); 563 EXPECT_EQ(0, errno); 564 565 // TODO(FreeBSD): ktrace 566 567 // sysarch() is, by definition, architecture-dependent 568 #if defined (__amd64__) || defined (__i386__) 569 long sysarch_arg = 0; 570 EXPECT_CAPMODE(sysarch(I386_SET_IOPERM, &sysarch_arg)); 571 #else 572 // TOOD(jra): write a test for other architectures, like arm 573 #endif 574 } 575 576 void *thread_fn(void *p) { 577 int fd = (int)(intptr_t)p; 578 if (verbose) fprintf(stderr, " thread waiting to run\n"); 579 AWAIT_INT_MESSAGE(fd, MSG_PARENT_CHILD_SHOULD_RUN); 580 EXPECT_OK(getpid()); 581 EXPECT_CAPMODE(open("/dev/null", O_RDWR)); 582 // Return whether there have been any failures to the main thread. 583 void *rval = (void *)(intptr_t)testing::Test::HasFailure(); 584 if (verbose) fprintf(stderr, " thread finished: %p\n", rval); 585 return rval; 586 } 587 588 // Check that restrictions are the same in subprocesses and threads 589 FORK_TEST(Capmode, NewThread) { 590 // Fire off a new thread before entering capability mode 591 pthread_t early_thread; 592 void *thread_rval; 593 // Create two pipes, one for synchronization with the threads, the other to 594 // synchronize with the children (since we can't use waitpid after cap_enter). 595 // Note: Could use pdfork+pdwait instead, but that is tested in procdesc.cc. 596 int thread_pipe[2]; 597 EXPECT_OK(pipe(thread_pipe)); 598 int proc_pipe[2]; 599 EXPECT_OK(pipe(proc_pipe)); 600 EXPECT_OK(pthread_create(&early_thread, NULL, thread_fn, 601 (void *)(intptr_t)thread_pipe[1])); 602 603 // Fire off a new process before entering capability mode. 604 if (verbose) fprintf(stderr, " starting second child (non-capability mode)\n"); 605 int early_child = fork(); 606 EXPECT_OK(early_child); 607 if (early_child == 0) { 608 if (verbose) fprintf(stderr, " first child started\n"); 609 EXPECT_OK(close(proc_pipe[0])); 610 // Child: wait and then confirm this process is unaffected by capability mode in the parent. 611 AWAIT_INT_MESSAGE(proc_pipe[1], MSG_PARENT_CHILD_SHOULD_RUN); 612 int fd = open("/dev/null", O_RDWR); 613 EXPECT_OK(fd); 614 close(fd); 615 // Notify the parent of success/failure. 616 int rval = (int)testing::Test::HasFailure(); 617 SEND_INT_MESSAGE(proc_pipe[1], rval); 618 if (verbose) fprintf(stderr, " first child finished: %d\n", rval); 619 exit(rval); 620 } 621 622 EXPECT_OK(cap_enter()); // Enter capability mode. 623 // At this point the current process has both a child process and a 624 // child thread that were created before entering capability mode. 625 // - The child process is unaffected by capability mode. 626 // - The child thread is affected by capability mode. 627 SEND_INT_MESSAGE(proc_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN); 628 629 // Do an allowed syscall. 630 EXPECT_OK(getpid()); 631 // Wait for the first child to exit (should get a zero exit code message). 632 AWAIT_INT_MESSAGE(proc_pipe[0], 0); 633 634 // The child processes/threads return HasFailure(), so we depend on no prior errors. 635 ASSERT_FALSE(testing::Test::HasFailure()) 636 << "Cannot continue test with pre-existing failures."; 637 // Now that we're in capability mode, if we create a second child process 638 // it will be affected by capability mode. 639 if (verbose) fprintf(stderr, " starting second child (in capability mode)\n"); 640 int child = fork(); 641 EXPECT_OK(child); 642 if (child == 0) { 643 if (verbose) fprintf(stderr, " second child started\n"); 644 EXPECT_OK(close(proc_pipe[0])); 645 // Child: do an allowed and a disallowed syscall. 646 EXPECT_OK(getpid()); 647 EXPECT_CAPMODE(open("/dev/null", O_RDWR)); 648 // Notify the parent of success/failure. 649 int rval = (int)testing::Test::HasFailure(); 650 SEND_INT_MESSAGE(proc_pipe[1], rval); 651 if (verbose) fprintf(stderr, " second child finished: %d\n", rval); 652 exit(rval); 653 } 654 // Now tell the early_started thread that it can run. We expect it to also 655 // be affected by capability mode since it's per-process not per-thread. 656 // Note: it is important that we don't allow the thread to run before fork(), 657 // since that could result in fork() being called while the thread holds one 658 // of the gtest-internal mutexes, so the child process deadlocks. 659 SEND_INT_MESSAGE(thread_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN); 660 // Wait for the early-started thread. 661 EXPECT_OK(pthread_join(early_thread, &thread_rval)); 662 EXPECT_FALSE((bool)(intptr_t)thread_rval) << "thread returned failure"; 663 664 // Wait for the second child to exit (should get a zero exit code message). 665 AWAIT_INT_MESSAGE(proc_pipe[0], 0); 666 667 // Fire off a new (second) child thread, which is also affected by capability mode. 668 ASSERT_FALSE(testing::Test::HasFailure()) 669 << "Cannot continue test with pre-existing failures."; 670 pthread_t child_thread; 671 EXPECT_OK(pthread_create(&child_thread, NULL, thread_fn, 672 (void *)(intptr_t)thread_pipe[1])); 673 SEND_INT_MESSAGE(thread_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN); 674 EXPECT_OK(pthread_join(child_thread, &thread_rval)); 675 EXPECT_FALSE((bool)(intptr_t)thread_rval) << "thread returned failure"; 676 677 // Fork a subprocess which fires off a new thread. 678 ASSERT_FALSE(testing::Test::HasFailure()) 679 << "Cannot continue test with pre-existing failures."; 680 if (verbose) fprintf(stderr, " starting third child (in capability mode)\n"); 681 child = fork(); 682 EXPECT_OK(child); 683 if (child == 0) { 684 if (verbose) fprintf(stderr, " third child started\n"); 685 EXPECT_OK(close(proc_pipe[0])); 686 pthread_t child_thread2; 687 EXPECT_OK(pthread_create(&child_thread2, NULL, thread_fn, 688 (void *)(intptr_t)thread_pipe[1])); 689 SEND_INT_MESSAGE(thread_pipe[0], MSG_PARENT_CHILD_SHOULD_RUN); 690 EXPECT_OK(pthread_join(child_thread2, &thread_rval)); 691 EXPECT_FALSE((bool)(intptr_t)thread_rval) << "thread returned failure"; 692 // Notify the parent of success/failure. 693 int rval = (int)testing::Test::HasFailure(); 694 SEND_INT_MESSAGE(proc_pipe[1], rval); 695 if (verbose) fprintf(stderr, " third child finished: %d\n", rval); 696 exit(rval); 697 } 698 // Wait for the third child to exit (should get a zero exit code message). 699 AWAIT_INT_MESSAGE(proc_pipe[0], 0); 700 close(proc_pipe[0]); 701 close(proc_pipe[1]); 702 close(thread_pipe[0]); 703 close(thread_pipe[1]); 704 } 705 706 static volatile sig_atomic_t had_signal = 0; 707 static void handle_signal(int) { had_signal = 1; } 708 709 FORK_TEST(Capmode, SelfKill) { 710 pid_t me = getpid(); 711 sighandler_t original = signal(SIGUSR1, handle_signal); 712 713 pid_t child = fork(); 714 if (child == 0) { 715 // Child: sleep and exit 716 sleep(1); 717 exit(0); 718 } 719 720 EXPECT_OK(cap_enter()); // Enter capability mode. 721 722 // Can only kill(2) to own pid. 723 EXPECT_CAPMODE(kill(child, SIGUSR1)); 724 EXPECT_OK(kill(me, SIGUSR1)); 725 EXPECT_EQ(1, had_signal); 726 727 signal(SIGUSR1, original); 728 } 729