1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 The FreeBSD Foundation 5 * 6 * This software was developed by Mark Johnston under sponsorship from 7 * the FreeBSD Foundation. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions are 11 * met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 31 /* 32 * Basic regression tests for handling of O_PATH descriptors. 33 */ 34 35 #include <sys/param.h> 36 #include <sys/capsicum.h> 37 #include <sys/event.h> 38 #include <sys/ioctl.h> 39 #include <sys/memrange.h> 40 #include <sys/mman.h> 41 #include <sys/ptrace.h> 42 #include <sys/socket.h> 43 #include <sys/stat.h> 44 #include <sys/time.h> 45 #include <sys/uio.h> 46 #include <sys/un.h> 47 #include <sys/wait.h> 48 49 #include <aio.h> 50 #include <dirent.h> 51 #include <errno.h> 52 #include <fcntl.h> 53 #include <poll.h> 54 #include <signal.h> 55 #include <stdio.h> 56 #include <stdlib.h> 57 #include <unistd.h> 58 59 #include <atf-c.h> 60 61 #define FMT_ERR(s) s ": %s", strerror(errno) 62 63 #define CHECKED_CLOSE(fd) \ 64 ATF_REQUIRE_MSG(close(fd) == 0, FMT_ERR("close")) 65 66 /* Create a temporary regular file containing some data. */ 67 static void 68 mktfile(char path[PATH_MAX], const char *template) 69 { 70 char buf[BUFSIZ]; 71 int fd; 72 73 snprintf(path, PATH_MAX, "%s", template); 74 fd = mkstemp(path); 75 ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("mkstemp")); 76 memset(buf, 0, sizeof(buf)); 77 ATF_REQUIRE_MSG(write(fd, buf, sizeof(buf)) == sizeof(buf), 78 FMT_ERR("write")); 79 CHECKED_CLOSE(fd); 80 } 81 82 /* Make a temporary directory. */ 83 static void 84 mktdir(char path[PATH_MAX], const char *template) 85 { 86 snprintf(path, PATH_MAX, "%s", template); 87 ATF_REQUIRE_MSG(mkdtemp(path) == path, FMT_ERR("mkdtemp")); 88 } 89 90 /* Wait for a child process to exit with status 0. */ 91 static void 92 waitchild(pid_t child, int exstatus) 93 { 94 int error, status; 95 96 error = waitpid(child, &status, 0); 97 ATF_REQUIRE_MSG(error != -1, FMT_ERR("waitpid")); 98 ATF_REQUIRE_MSG(WIFEXITED(status), "child exited abnormally, status %d", 99 status); 100 ATF_REQUIRE_MSG(WEXITSTATUS(status) == exstatus, 101 "child exit status is %d, expected %d", 102 WEXITSTATUS(status), exstatus); 103 } 104 105 ATF_TC_WITHOUT_HEAD(path_access); 106 ATF_TC_BODY(path_access, tc) 107 { 108 char path[PATH_MAX]; 109 struct stat sb; 110 struct timespec ts[2]; 111 struct timeval tv[2]; 112 int pathfd; 113 114 mktfile(path, "path_access.XXXXXX"); 115 116 pathfd = open(path, O_PATH); 117 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 118 119 ATF_REQUIRE_ERRNO(EBADF, fchmod(pathfd, 0666) == -1); 120 ATF_REQUIRE_ERRNO(EBADF, fchown(pathfd, getuid(), getgid()) == -1); 121 ATF_REQUIRE_ERRNO(EBADF, fchflags(pathfd, UF_NODUMP) == -1); 122 memset(tv, 0, sizeof(tv)); 123 ATF_REQUIRE_ERRNO(EBADF, futimes(pathfd, tv) == -1); 124 memset(ts, 0, sizeof(ts)); 125 ATF_REQUIRE_ERRNO(EBADF, futimens(pathfd, ts) == -1); 126 127 /* fpathconf(2) and fstat(2) are permitted. */ 128 ATF_REQUIRE_MSG(fstat(pathfd, &sb) == 0, FMT_ERR("fstat")); 129 ATF_REQUIRE_MSG(fpathconf(pathfd, _PC_LINK_MAX) != -1, 130 FMT_ERR("fpathconf")); 131 132 CHECKED_CLOSE(pathfd); 133 } 134 135 /* Basic tests to verify that AIO operations fail. */ 136 ATF_TC_WITHOUT_HEAD(path_aio); 137 ATF_TC_BODY(path_aio, tc) 138 { 139 struct aiocb aio; 140 char buf[BUFSIZ], path[PATH_MAX]; 141 int pathfd; 142 143 mktfile(path, "path_aio.XXXXXX"); 144 145 pathfd = open(path, O_PATH); 146 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 147 148 memset(&aio, 0, sizeof(aio)); 149 aio.aio_buf = buf; 150 aio.aio_nbytes = sizeof(buf); 151 aio.aio_fildes = pathfd; 152 aio.aio_offset = 0; 153 154 ATF_REQUIRE_ERRNO(EBADF, aio_read(&aio) == -1); 155 ATF_REQUIRE_ERRNO(EBADF, aio_write(&aio) == -1); 156 ATF_REQUIRE_ERRNO(EBADF, aio_fsync(O_SYNC, &aio) == -1); 157 ATF_REQUIRE_ERRNO(EBADF, aio_fsync(O_DSYNC, &aio) == -1); 158 159 CHECKED_CLOSE(pathfd); 160 } 161 162 /* Basic tests to verify that Capsicum restrictions apply to path fds. */ 163 ATF_TC_WITHOUT_HEAD(path_capsicum); 164 ATF_TC_BODY(path_capsicum, tc) 165 { 166 char path[PATH_MAX]; 167 cap_rights_t rights; 168 int truefd; 169 pid_t child; 170 171 mktfile(path, "path_capsicum.XXXXXX"); 172 173 /* Make sure that filesystem namespace restrictions apply to O_PATH. */ 174 child = fork(); 175 ATF_REQUIRE_MSG(child != -1, FMT_ERR("fork")); 176 if (child == 0) { 177 if (cap_enter() != 0) 178 _exit(1); 179 if (open(path, O_PATH) >= 0) 180 _exit(2); 181 if (errno != ECAPMODE) 182 _exit(3); 183 if (open("/usr/bin/true", O_PATH | O_EXEC) >= 0) 184 _exit(4); 185 if (errno != ECAPMODE) 186 _exit(5); 187 _exit(0); 188 } 189 waitchild(child, 0); 190 191 /* Make sure that CAP_FEXECVE is required. */ 192 child = fork(); 193 ATF_REQUIRE_MSG(child != -1, FMT_ERR("fork")); 194 if (child == 0) { 195 truefd = open("/usr/bin/true", O_PATH | O_EXEC); 196 if (truefd < 0) 197 _exit(1); 198 cap_rights_init(&rights); 199 if (cap_rights_limit(truefd, &rights) != 0) 200 _exit(2); 201 (void)fexecve(truefd, 202 (char * const[]){__DECONST(char *, "/usr/bin/true"), NULL}, 203 NULL); 204 if (errno != ENOTCAPABLE) 205 _exit(3); 206 _exit(4); 207 } 208 waitchild(child, 4); 209 } 210 211 /* 212 * Check that a pathfd can be converted to a regular fd using openat() in 213 * capability mode, but that rights on the pathfd are respected. 214 */ 215 ATF_TC_WITHOUT_HEAD(path_capsicum_empty); 216 ATF_TC_BODY(path_capsicum_empty, tc) 217 { 218 char path[PATH_MAX]; 219 cap_rights_t rights; 220 int dfd, fd, pathfd, pathdfd; 221 222 mktfile(path, "path_capsicum.XXXXXX"); 223 224 pathdfd = open(".", O_PATH); 225 ATF_REQUIRE_MSG(pathdfd >= 0, FMT_ERR("open")); 226 pathfd = open(path, O_PATH); 227 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 228 229 ATF_REQUIRE(cap_enter() == 0); 230 231 dfd = openat(pathdfd, "", O_DIRECTORY | O_EMPTY_PATH); 232 ATF_REQUIRE(dfd >= 0); 233 CHECKED_CLOSE(dfd); 234 235 /* 236 * CAP_READ and CAP_LOOKUP should be sufficient to open a directory. 237 */ 238 cap_rights_init(&rights, CAP_READ, CAP_LOOKUP); 239 ATF_REQUIRE(cap_rights_limit(pathdfd, &rights) == 0); 240 dfd = openat(pathdfd, "", O_DIRECTORY | O_EMPTY_PATH); 241 ATF_REQUIRE(dfd >= 0); 242 CHECKED_CLOSE(dfd); 243 244 /* 245 * ... CAP_READ on its own is not. 246 */ 247 cap_rights_init(&rights, CAP_READ); 248 ATF_REQUIRE(cap_rights_limit(pathdfd, &rights) == 0); 249 dfd = openat(pathdfd, "", O_DIRECTORY | O_EMPTY_PATH); 250 ATF_REQUIRE_ERRNO(ENOTCAPABLE, dfd == -1); 251 252 /* 253 * Now try with a regular file. 254 */ 255 fd = openat(pathfd, "", O_RDWR | O_EMPTY_PATH); 256 ATF_REQUIRE(fd >= 0); 257 CHECKED_CLOSE(fd); 258 259 cap_rights_init(&rights, CAP_READ, CAP_LOOKUP, CAP_WRITE); 260 ATF_REQUIRE(cap_rights_limit(pathfd, &rights) == 0); 261 fd = openat(pathfd, "", O_RDWR | O_EMPTY_PATH | O_APPEND); 262 ATF_REQUIRE(fd >= 0); 263 CHECKED_CLOSE(fd); 264 265 /* 266 * CAP_SEEK is needed to open a file for writing without O_APPEND. 267 */ 268 cap_rights_init(&rights, CAP_READ, CAP_LOOKUP, CAP_WRITE); 269 ATF_REQUIRE(cap_rights_limit(pathfd, &rights) == 0); 270 fd = openat(pathfd, "", O_RDWR | O_EMPTY_PATH); 271 ATF_REQUIRE_ERRNO(ENOTCAPABLE, fd == -1); 272 273 /* 274 * CAP_LOOKUP isn't sufficient to open a file for reading. 275 */ 276 cap_rights_init(&rights, CAP_LOOKUP); 277 ATF_REQUIRE(cap_rights_limit(pathfd, &rights) == 0); 278 fd = openat(pathfd, "", O_RDONLY | O_EMPTY_PATH); 279 ATF_REQUIRE_ERRNO(ENOTCAPABLE, fd == -1); 280 281 CHECKED_CLOSE(pathfd); 282 CHECKED_CLOSE(pathdfd); 283 } 284 285 /* Make sure that ptrace(PT_COREDUMP) cannot be used to write to a path fd. */ 286 ATF_TC_WITHOUT_HEAD(path_coredump); 287 ATF_TC_BODY(path_coredump, tc) 288 { 289 char path[PATH_MAX]; 290 struct ptrace_coredump pc; 291 int error, pathfd, status; 292 pid_t child; 293 294 mktdir(path, "path_coredump.XXXXXX"); 295 296 child = fork(); 297 ATF_REQUIRE_MSG(child != -1, FMT_ERR("fork")); 298 if (child == 0) { 299 while (true) 300 (void)sleep(1); 301 } 302 303 pathfd = open(path, O_PATH); 304 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 305 306 error = ptrace(PT_ATTACH, child, 0, 0); 307 ATF_REQUIRE_MSG(error == 0, FMT_ERR("ptrace")); 308 error = waitpid(child, &status, 0); 309 ATF_REQUIRE_MSG(error != -1, FMT_ERR("waitpid")); 310 ATF_REQUIRE_MSG(WIFSTOPPED(status), "unexpected status %d", status); 311 312 pc.pc_fd = pathfd; 313 pc.pc_flags = 0; 314 pc.pc_limit = 0; 315 error = ptrace(PT_COREDUMP, child, (void *)&pc, sizeof(pc)); 316 ATF_REQUIRE_ERRNO(EBADF, error == -1); 317 318 error = ptrace(PT_DETACH, child, 0, 0); 319 ATF_REQUIRE_MSG(error == 0, FMT_ERR("ptrace")); 320 321 ATF_REQUIRE_MSG(kill(child, SIGKILL) == 0, FMT_ERR("kill")); 322 323 CHECKED_CLOSE(pathfd); 324 } 325 326 /* Verify operations on directory path descriptors. */ 327 ATF_TC_WITHOUT_HEAD(path_directory); 328 ATF_TC_BODY(path_directory, tc) 329 { 330 struct dirent de; 331 struct stat sb; 332 char path[PATH_MAX]; 333 int fd, pathfd; 334 335 mktdir(path, "path_directory.XXXXXX"); 336 337 pathfd = open(path, O_PATH | O_DIRECTORY); 338 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 339 340 /* Should not be possible to list directory entries. */ 341 ATF_REQUIRE_ERRNO(EBADF, 342 getdirentries(pathfd, (char *)&de, sizeof(de), NULL) == -1); 343 344 /* It should be possible to create files under pathfd. */ 345 fd = openat(pathfd, "test", O_RDWR | O_CREAT, 0600); 346 ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); 347 ATF_REQUIRE_MSG(fstatat(pathfd, "test", &sb, 0) == 0, 348 FMT_ERR("fstatat")); 349 CHECKED_CLOSE(fd); 350 351 /* ... but doing so requires write access. */ 352 if (geteuid() != 0) { 353 ATF_REQUIRE_ERRNO(EBADF, fchmod(pathfd, 0500) == -1); 354 ATF_REQUIRE_MSG(chmod(path, 0500) == 0, FMT_ERR("chmod")); 355 ATF_REQUIRE_ERRNO(EACCES, 356 openat(pathfd, "test2", O_RDWR | O_CREAT, 0600) < 0); 357 } 358 359 /* fchdir(2) is permitted. */ 360 ATF_REQUIRE_MSG(fchdir(pathfd) == 0, FMT_ERR("fchdir")); 361 362 CHECKED_CLOSE(pathfd); 363 } 364 365 /* Verify access permission checking for a directory path fd. */ 366 ATF_TC_WITH_CLEANUP(path_directory_not_root); 367 ATF_TC_HEAD(path_directory_not_root, tc) 368 { 369 atf_tc_set_md_var(tc, "require.user", "unprivileged"); 370 } 371 ATF_TC_BODY(path_directory_not_root, tc) 372 { 373 char path[PATH_MAX]; 374 int pathfd; 375 376 mktdir(path, "path_directory.XXXXXX"); 377 378 pathfd = open(path, O_PATH | O_DIRECTORY); 379 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 380 381 ATF_REQUIRE_ERRNO(EBADF, fchmod(pathfd, 0500) == -1); 382 ATF_REQUIRE_MSG(chmod(path, 0500) == 0, FMT_ERR("chmod")); 383 ATF_REQUIRE_ERRNO(EACCES, 384 openat(pathfd, "test2", O_RDWR | O_CREAT, 0600) < 0); 385 386 CHECKED_CLOSE(pathfd); 387 } 388 ATF_TC_CLEANUP(path_directory_not_root, tc) 389 { 390 } 391 392 /* Validate system calls that handle AT_EMPTY_PATH. */ 393 ATF_TC_WITHOUT_HEAD(path_empty); 394 ATF_TC_BODY(path_empty, tc) 395 { 396 char path[PATH_MAX]; 397 struct timespec ts[2]; 398 struct stat sb; 399 int pathfd; 400 401 mktfile(path, "path_empty.XXXXXX"); 402 403 pathfd = open(path, O_PATH); 404 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 405 406 /* Various *at operations should work on path fds. */ 407 ATF_REQUIRE_MSG(faccessat(pathfd, "", F_OK, AT_EMPTY_PATH) == 0, 408 FMT_ERR("faccessat")); 409 ATF_REQUIRE_MSG(chflagsat(pathfd, "", UF_NODUMP, AT_EMPTY_PATH) == 0, 410 FMT_ERR("chflagsat")); 411 ATF_REQUIRE_MSG(fchmodat(pathfd, "", 0600, AT_EMPTY_PATH) == 0, 412 FMT_ERR("fchmodat")); 413 ATF_REQUIRE_MSG(fchownat(pathfd, "", getuid(), getgid(), 414 AT_EMPTY_PATH) == 0, FMT_ERR("fchownat")); 415 ATF_REQUIRE_MSG(fstatat(pathfd, "", &sb, AT_EMPTY_PATH) == 0, 416 FMT_ERR("fstatat")); 417 ATF_REQUIRE_MSG(sb.st_size == BUFSIZ, 418 "unexpected size %ju", (uintmax_t)sb.st_size); 419 memset(ts, 0, sizeof(ts)); 420 ATF_REQUIRE_MSG(utimensat(pathfd, "", ts, AT_EMPTY_PATH) == 0, 421 FMT_ERR("utimensat")); 422 423 CHECKED_CLOSE(pathfd); 424 } 425 426 /* Verify that various operations on a path fd have access checks. */ 427 ATF_TC_WITH_CLEANUP(path_empty_not_root); 428 ATF_TC_HEAD(path_empty_not_root, tc) 429 { 430 atf_tc_set_md_var(tc, "require.user", "unprivileged"); 431 } 432 ATF_TC_BODY(path_empty_not_root, tc) 433 { 434 int pathfd; 435 436 pathfd = open("/dev/null", O_PATH); 437 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 438 439 ATF_REQUIRE_ERRNO(EPERM, 440 chflagsat(pathfd, "", UF_NODUMP, AT_EMPTY_PATH) == -1); 441 ATF_REQUIRE_ERRNO(EPERM, 442 fchownat(pathfd, "", getuid(), getgid(), AT_EMPTY_PATH) == -1); 443 ATF_REQUIRE_ERRNO(EPERM, 444 fchmodat(pathfd, "", 0600, AT_EMPTY_PATH) == -1); 445 ATF_REQUIRE_ERRNO(EPERM, 446 linkat(pathfd, "", AT_FDCWD, "test", AT_EMPTY_PATH) == -1); 447 448 CHECKED_CLOSE(pathfd); 449 } 450 ATF_TC_CLEANUP(path_empty_not_root, tc) 451 { 452 } 453 454 /* Test linkat(2) with AT_EMPTY_PATH, which requires privileges. */ 455 ATF_TC_WITH_CLEANUP(path_empty_root); 456 ATF_TC_HEAD(path_empty_root, tc) 457 { 458 atf_tc_set_md_var(tc, "require.user", "root"); 459 } 460 ATF_TC_BODY(path_empty_root, tc) 461 { 462 char path[PATH_MAX]; 463 struct stat sb, sb2; 464 int pathfd; 465 466 mktfile(path, "path_empty_root.XXXXXX"); 467 468 pathfd = open(path, O_PATH); 469 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 470 ATF_REQUIRE_MSG(fstatat(pathfd, "", &sb, AT_EMPTY_PATH) == 0, 471 FMT_ERR("fstatat")); 472 473 ATF_REQUIRE_MSG(linkat(pathfd, "", AT_FDCWD, "test", AT_EMPTY_PATH) == 474 0, FMT_ERR("linkat")); 475 ATF_REQUIRE_MSG(fstatat(AT_FDCWD, "test", &sb2, 0) == 0, 476 FMT_ERR("fstatat")); 477 ATF_REQUIRE_MSG(sb.st_dev == sb2.st_dev, "st_dev mismatch"); 478 ATF_REQUIRE_MSG(sb.st_ino == sb2.st_ino, "st_ino mismatch"); 479 480 CHECKED_CLOSE(pathfd); 481 482 } 483 ATF_TC_CLEANUP(path_empty_root, tc) 484 { 485 } 486 487 /* poll(2) never returns an event for path fds, but kevent(2) does. */ 488 ATF_TC_WITHOUT_HEAD(path_event); 489 ATF_TC_BODY(path_event, tc) 490 { 491 char buf[BUFSIZ], path[PATH_MAX]; 492 struct kevent ev; 493 struct pollfd pollfd; 494 int kq, pathfd; 495 496 mktfile(path, "path_event.XXXXXX"); 497 498 pathfd = open(path, O_PATH); 499 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 500 501 /* poll(2) should return POLLNVAL. */ 502 pollfd.fd = pathfd; 503 pollfd.events = POLLIN; 504 pollfd.revents = 0; 505 ATF_REQUIRE_MSG(poll(&pollfd, 1, 0) == 1, FMT_ERR("poll")); 506 ATF_REQUIRE_MSG(pollfd.revents == POLLNVAL, "unexpected revents %x", 507 pollfd.revents); 508 pollfd.events = POLLOUT; 509 pollfd.revents = 0; 510 ATF_REQUIRE_MSG(poll(&pollfd, 1, 0) == 1, FMT_ERR("poll")); 511 ATF_REQUIRE_MSG(pollfd.revents == POLLNVAL, "unexpected revents %x", 512 pollfd.revents); 513 514 /* Try to get a EVFILT_READ event through a path fd. */ 515 kq = kqueue(); 516 ATF_REQUIRE_MSG(kq >= 0, FMT_ERR("kqueue")); 517 EV_SET(&ev, pathfd, EVFILT_READ, EV_ADD | EV_ENABLE, 0, 0, 0); 518 ATF_REQUIRE_MSG(kevent(kq, &ev, 1, NULL, 0, NULL) == 0, 519 FMT_ERR("kevent")); 520 ATF_REQUIRE_MSG(kevent(kq, NULL, 0, &ev, 1, NULL) == 1, 521 FMT_ERR("kevent")); 522 ATF_REQUIRE_MSG((ev.flags & EV_ERROR) == 0, "EV_ERROR is set"); 523 ATF_REQUIRE_MSG(ev.data == sizeof(buf), 524 "data is %jd", (intmax_t)ev.data); 525 EV_SET(&ev, pathfd, EVFILT_READ, EV_DELETE, 0, 0, 0); 526 ATF_REQUIRE_MSG(kevent(kq, &ev, 1, NULL, 0, NULL) == 0, 527 FMT_ERR("kevent")); 528 529 /* Try to get a EVFILT_VNODE/NOTE_DELETE event through a path fd. */ 530 EV_SET(&ev, pathfd, EVFILT_VNODE, EV_ADD | EV_ENABLE, NOTE_DELETE, 0, 531 0); 532 ATF_REQUIRE_MSG(kevent(kq, &ev, 1, NULL, 0, NULL) == 0, 533 FMT_ERR("kevent")); 534 ATF_REQUIRE_MSG(funlinkat(AT_FDCWD, path, pathfd, 0) == 0, 535 FMT_ERR("funlinkat")); 536 ATF_REQUIRE_MSG(kevent(kq, NULL, 0, &ev, 1, NULL) == 1, 537 FMT_ERR("kevent")); 538 ATF_REQUIRE_MSG(ev.fflags == NOTE_DELETE, 539 "unexpected fflags %#x", ev.fflags); 540 EV_SET(&ev, pathfd, EVFILT_VNODE, EV_DELETE, 0, 0, 0); 541 ATF_REQUIRE_MSG(kevent(kq, &ev, 1, NULL, 0, NULL) == 0, 542 FMT_ERR("kevent")); 543 544 CHECKED_CLOSE(kq); 545 CHECKED_CLOSE(pathfd); 546 } 547 548 /* Check various fcntl(2) operations on a path desriptor. */ 549 ATF_TC_WITHOUT_HEAD(path_fcntl); 550 ATF_TC_BODY(path_fcntl, tc) 551 { 552 char path[PATH_MAX]; 553 int flags, pathfd, pathfd2; 554 555 mktfile(path, "path_fcntl.XXXXXX"); 556 557 pathfd = open(path, O_PATH); 558 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 559 560 /* O_PATH should appear in the fd flags. */ 561 flags = fcntl(pathfd, F_GETFL); 562 ATF_REQUIRE_MSG(flags != -1, FMT_ERR("fcntl")); 563 ATF_REQUIRE_MSG((flags & O_PATH) != 0, "O_PATH not set"); 564 565 ATF_REQUIRE_ERRNO(EBADF, 566 fcntl(pathfd, F_SETFL, flags & ~O_PATH)); 567 ATF_REQUIRE_ERRNO(EBADF, 568 fcntl(pathfd, F_SETFL, flags | O_APPEND)); 569 570 /* A dup'ed O_PATH fd had better have O_PATH set too. */ 571 pathfd2 = fcntl(pathfd, F_DUPFD, 0); 572 ATF_REQUIRE_MSG(pathfd2 >= 0, FMT_ERR("fcntl")); 573 flags = fcntl(pathfd2, F_GETFL); 574 ATF_REQUIRE_MSG(flags != -1, FMT_ERR("fcntl")); 575 ATF_REQUIRE_MSG((flags & O_PATH) != 0, "O_PATH not set"); 576 CHECKED_CLOSE(pathfd2); 577 578 /* Double check with dup(2). */ 579 pathfd2 = dup(pathfd); 580 ATF_REQUIRE_MSG(pathfd2 >= 0, FMT_ERR("dup")); 581 flags = fcntl(pathfd2, F_GETFL); 582 ATF_REQUIRE_MSG(flags != -1, FMT_ERR("fcntl")); 583 ATF_REQUIRE_MSG((flags & O_PATH) != 0, "O_PATH not set"); 584 CHECKED_CLOSE(pathfd2); 585 586 /* It should be possible to set O_CLOEXEC. */ 587 ATF_REQUIRE_MSG(fcntl(pathfd, F_SETFD, FD_CLOEXEC) == 0, 588 FMT_ERR("fcntl")); 589 ATF_REQUIRE_MSG(fcntl(pathfd, F_GETFD) == FD_CLOEXEC, 590 FMT_ERR("fcntl")); 591 592 CHECKED_CLOSE(pathfd); 593 } 594 595 /* Verify that we can execute a file opened with O_PATH. */ 596 ATF_TC_WITHOUT_HEAD(path_fexecve); 597 ATF_TC_BODY(path_fexecve, tc) 598 { 599 char path[PATH_MAX]; 600 pid_t child; 601 int fd, pathfd; 602 603 child = fork(); 604 ATF_REQUIRE_MSG(child != -1, FMT_ERR("fork")); 605 if (child == 0) { 606 pathfd = open("/usr/bin/true", O_PATH | O_EXEC); 607 if (pathfd < 0) 608 _exit(1); 609 fexecve(pathfd, 610 (char * const[]){__DECONST(char *, "/usr/bin/true"), NULL}, 611 NULL); 612 _exit(2); 613 } 614 waitchild(child, 0); 615 616 /* 617 * Also verify that access permissions are checked when opening with 618 * O_PATH. 619 */ 620 snprintf(path, sizeof(path), "path_fexecve.XXXXXX"); 621 ATF_REQUIRE_MSG(mktemp(path) == path, FMT_ERR("mktemp")); 622 623 fd = open(path, O_CREAT | O_RDONLY, 0600); 624 ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); 625 626 pathfd = open(path, O_PATH | O_EXEC); 627 ATF_REQUIRE_ERRNO(EACCES, pathfd < 0); 628 } 629 630 /* Make sure that O_PATH restrictions apply to named pipes as well. */ 631 ATF_TC_WITHOUT_HEAD(path_fifo); 632 ATF_TC_BODY(path_fifo, tc) 633 { 634 char path[PATH_MAX], buf[BUFSIZ]; 635 struct kevent ev; 636 int kq, pathfd; 637 638 snprintf(path, sizeof(path), "path_fifo.XXXXXX"); 639 ATF_REQUIRE_MSG(mktemp(path) == path, FMT_ERR("mktemp")); 640 641 ATF_REQUIRE_MSG(mkfifo(path, 0666) == 0, FMT_ERR("mkfifo")); 642 643 pathfd = open(path, O_PATH); 644 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 645 memset(buf, 0, sizeof(buf)); 646 ATF_REQUIRE_ERRNO(EBADF, write(pathfd, buf, sizeof(buf))); 647 ATF_REQUIRE_ERRNO(EBADF, read(pathfd, buf, sizeof(buf))); 648 649 kq = kqueue(); 650 ATF_REQUIRE_MSG(kq >= 0, FMT_ERR("kqueue")); 651 EV_SET(&ev, pathfd, EVFILT_READ, EV_ADD | EV_ENABLE, 0, 0, 0); 652 ATF_REQUIRE_ERRNO(EBADF, kevent(kq, &ev, 1, NULL, 0, NULL) == -1); 653 654 CHECKED_CLOSE(pathfd); 655 } 656 657 /* Files may be unlinked using a path fd. */ 658 ATF_TC_WITHOUT_HEAD(path_funlinkat); 659 ATF_TC_BODY(path_funlinkat, tc) 660 { 661 char path[PATH_MAX]; 662 struct stat sb; 663 int pathfd; 664 665 mktfile(path, "path_rights.XXXXXX"); 666 667 pathfd = open(path, O_PATH); 668 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 669 670 ATF_REQUIRE_MSG(funlinkat(AT_FDCWD, path, pathfd, 0) == 0, 671 FMT_ERR("funlinkat")); 672 ATF_REQUIRE_ERRNO(ENOENT, stat(path, &sb) == -1); 673 674 CHECKED_CLOSE(pathfd); 675 } 676 677 /* Verify that various I/O operations fail on an O_PATH descriptor. */ 678 ATF_TC_WITHOUT_HEAD(path_io); 679 ATF_TC_BODY(path_io, tc) 680 { 681 char path[PATH_MAX], path2[PATH_MAX]; 682 char buf[BUFSIZ]; 683 struct iovec iov; 684 size_t page_size; 685 int error, fd, pathfd, sd[2]; 686 687 /* It is allowed to create new files with O_PATH. */ 688 snprintf(path, sizeof(path), "path_io.XXXXXX"); 689 ATF_REQUIRE_MSG(mktemp(path) == path, FMT_ERR("mktemp")); 690 pathfd = open(path, O_PATH | O_CREAT, 0600); 691 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open(O_PATH|O_CREAT)")); 692 /* Ensure that this is indeed O_PATH fd */ 693 ATF_REQUIRE_ERRNO(EBADF, write(pathfd, path, strlen(path)) == -1); 694 CHECKED_CLOSE(pathfd); 695 696 /* Create a non-empty file for use in the rest of the tests. */ 697 mktfile(path, "path_io.XXXXXX"); 698 699 pathfd = open(path, O_PATH); 700 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 701 702 /* Make sure that basic I/O operations aren't possible. */ 703 iov.iov_base = path; 704 iov.iov_len = strlen(path); 705 ATF_REQUIRE_ERRNO(EBADF, 706 write(pathfd, iov.iov_base, iov.iov_len) == -1); 707 ATF_REQUIRE_ERRNO(EBADF, 708 pwrite(pathfd, iov.iov_base, iov.iov_len, 0) == -1); 709 ATF_REQUIRE_ERRNO(EBADF, 710 writev(pathfd, &iov, 1) == -1); 711 ATF_REQUIRE_ERRNO(EBADF, 712 pwritev(pathfd, &iov, 1, 0) == -1); 713 ATF_REQUIRE_ERRNO(EBADF, 714 read(pathfd, path, 1) == -1); 715 ATF_REQUIRE_ERRNO(EBADF, 716 pread(pathfd, path, 1, 0) == -1); 717 ATF_REQUIRE_ERRNO(EBADF, 718 readv(pathfd, &iov, 1) == -1); 719 ATF_REQUIRE_ERRNO(EBADF, 720 preadv(pathfd, &iov, 1, 0) == -1); 721 722 /* copy_file_range() should not be permitted. */ 723 mktfile(path2, "path_io.XXXXXX"); 724 fd = open(path2, O_RDWR); 725 ATF_REQUIRE_ERRNO(EBADF, 726 copy_file_range(fd, NULL, pathfd, NULL, sizeof(buf), 0) == -1); 727 ATF_REQUIRE_ERRNO(EBADF, 728 copy_file_range(pathfd, NULL, fd, NULL, sizeof(buf), 0) == -1); 729 CHECKED_CLOSE(fd); 730 731 /* sendfile() should not be permitted. */ 732 ATF_REQUIRE_MSG(socketpair(PF_LOCAL, SOCK_STREAM, 0, sd) == 0, 733 FMT_ERR("socketpair")); 734 ATF_REQUIRE_ERRNO(EBADF, 735 sendfile(pathfd, sd[0], 0, 0, NULL, NULL, 0)); 736 CHECKED_CLOSE(sd[0]); 737 CHECKED_CLOSE(sd[1]); 738 739 /* No seeking. */ 740 ATF_REQUIRE_ERRNO(ESPIPE, 741 lseek(pathfd, 0, SEEK_SET) == -1); 742 743 /* No operations on the file extent. */ 744 ATF_REQUIRE_ERRNO(EINVAL, 745 ftruncate(pathfd, 0) == -1); 746 error = posix_fallocate(pathfd, 0, sizeof(buf) * 2); 747 ATF_REQUIRE_MSG(error == ESPIPE, "posix_fallocate() returned %d", error); 748 error = posix_fadvise(pathfd, 0, sizeof(buf), POSIX_FADV_NORMAL); 749 ATF_REQUIRE_MSG(error == ESPIPE, "posix_fadvise() returned %d", error); 750 751 /* mmap() is not allowed. */ 752 page_size = getpagesize(); 753 ATF_REQUIRE_ERRNO(ENODEV, 754 mmap(NULL, page_size, PROT_READ, MAP_SHARED, pathfd, 0) == 755 MAP_FAILED); 756 ATF_REQUIRE_ERRNO(ENODEV, 757 mmap(NULL, page_size, PROT_NONE, MAP_SHARED, pathfd, 0) == 758 MAP_FAILED); 759 ATF_REQUIRE_ERRNO(ENODEV, 760 mmap(NULL, page_size, PROT_READ, MAP_PRIVATE, pathfd, 0) == 761 MAP_FAILED); 762 763 /* No fsync() or fdatasync(). */ 764 ATF_REQUIRE_ERRNO(EBADF, fsync(pathfd) == -1); 765 ATF_REQUIRE_ERRNO(EBADF, fdatasync(pathfd) == -1); 766 767 CHECKED_CLOSE(pathfd); 768 } 769 770 /* ioctl(2) is not permitted on path fds. */ 771 ATF_TC_WITHOUT_HEAD(path_ioctl); 772 ATF_TC_BODY(path_ioctl, tc) 773 { 774 char path[PATH_MAX]; 775 struct mem_extract me; 776 int pathfd, val; 777 778 mktfile(path, "path_ioctl.XXXXXX"); 779 780 /* Standard file descriptor ioctls should fail. */ 781 pathfd = open(path, O_PATH); 782 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 783 784 val = 0; 785 ATF_REQUIRE_ERRNO(EBADF, ioctl(pathfd, FIONBIO, &val) == -1); 786 ATF_REQUIRE_ERRNO(EBADF, ioctl(pathfd, FIONREAD, &val) == -1); 787 ATF_REQUIRE_ERRNO(EBADF, ioctl(pathfd, FIONWRITE, &val) == -1); 788 ATF_REQUIRE_ERRNO(EBADF, ioctl(pathfd, FIONSPACE, &val) == -1); 789 790 CHECKED_CLOSE(pathfd); 791 792 /* Device ioctls should fail. */ 793 pathfd = open("/dev/mem", O_PATH); 794 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 795 796 me.me_vaddr = (uintptr_t)&me; 797 ATF_REQUIRE_ERRNO(EBADF, ioctl(pathfd, MEM_EXTRACT_PADDR, &me) == -1); 798 799 CHECKED_CLOSE(pathfd); 800 } 801 802 ATF_TC_WITHOUT_HEAD(path_lock); 803 ATF_TC_BODY(path_lock, tc) 804 { 805 char buf[BUFSIZ], path[PATH_MAX]; 806 struct flock flk; 807 int fd, pathfd; 808 809 snprintf(path, sizeof(path), "path_rights.XXXXXX"); 810 fd = mkostemp(path, O_SHLOCK); 811 ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("mkostemp")); 812 memset(buf, 0, sizeof(buf)); 813 ATF_REQUIRE_MSG(write(fd, buf, sizeof(buf)) == sizeof(buf), 814 FMT_ERR("write()")); 815 816 /* Verify that O_EXLOCK is ignored when combined with O_PATH. */ 817 pathfd = open(path, O_PATH | O_EXLOCK); 818 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 819 820 CHECKED_CLOSE(fd); 821 822 /* flock(2) is prohibited. */ 823 ATF_REQUIRE_ERRNO(EOPNOTSUPP, flock(pathfd, LOCK_SH) == -1); 824 ATF_REQUIRE_ERRNO(EOPNOTSUPP, flock(pathfd, LOCK_EX) == -1); 825 ATF_REQUIRE_ERRNO(EOPNOTSUPP, flock(pathfd, LOCK_SH | LOCK_NB) == -1); 826 ATF_REQUIRE_ERRNO(EOPNOTSUPP, flock(pathfd, LOCK_EX | LOCK_NB) == -1); 827 ATF_REQUIRE_ERRNO(EOPNOTSUPP, flock(pathfd, LOCK_UN) == -1); 828 829 /* fcntl(2) file locks are prohibited. */ 830 memset(&flk, 0, sizeof(flk)); 831 flk.l_whence = SEEK_CUR; 832 ATF_REQUIRE_ERRNO(EBADF, fcntl(pathfd, F_GETLK, &flk) == -1); 833 flk.l_type = F_RDLCK; 834 ATF_REQUIRE_ERRNO(EBADF, fcntl(pathfd, F_SETLK, &flk) == -1); 835 ATF_REQUIRE_ERRNO(EBADF, fcntl(pathfd, F_SETLKW, &flk) == -1); 836 flk.l_type = F_WRLCK; 837 ATF_REQUIRE_ERRNO(EBADF, fcntl(pathfd, F_SETLK, &flk) == -1); 838 ATF_REQUIRE_ERRNO(EBADF, fcntl(pathfd, F_SETLKW, &flk) == -1); 839 840 CHECKED_CLOSE(pathfd); 841 } 842 843 /* 844 * Verify fstatat(AT_EMPTY_PATH) on non-regular dirfd. 845 * Verify that fstatat(AT_EMPTY_PATH) on NULL path returns EFAULT. 846 */ 847 ATF_TC_WITHOUT_HEAD(path_pipe_fstatat); 848 ATF_TC_BODY(path_pipe_fstatat, tc) 849 { 850 struct stat sb; 851 int fd[2]; 852 853 ATF_REQUIRE_MSG(pipe(fd) == 0, FMT_ERR("pipe")); 854 ATF_REQUIRE_MSG(fstatat(fd[0], "", &sb, AT_EMPTY_PATH) == 0, 855 FMT_ERR("fstatat pipe")); 856 ATF_REQUIRE_ERRNO(EFAULT, fstatat(fd[0], NULL, &sb, 857 AT_EMPTY_PATH) == -1); 858 CHECKED_CLOSE(fd[0]); 859 CHECKED_CLOSE(fd[1]); 860 } 861 862 /* Verify that we can send an O_PATH descriptor over a unix socket. */ 863 ATF_TC_WITHOUT_HEAD(path_rights); 864 ATF_TC_BODY(path_rights, tc) 865 { 866 char path[PATH_MAX]; 867 struct cmsghdr *cmsg; 868 struct msghdr msg; 869 struct iovec iov; 870 int flags, pathfd, pathfd_copy, sd[2]; 871 char c; 872 873 ATF_REQUIRE_MSG(socketpair(PF_LOCAL, SOCK_STREAM, 0, sd) == 0, 874 FMT_ERR("socketpair")); 875 876 mktfile(path, "path_rights.XXXXXX"); 877 878 pathfd = open(path, O_PATH); 879 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 880 881 /* Package up the O_PATH and send it over the socket pair. */ 882 cmsg = malloc(CMSG_SPACE(sizeof(pathfd))); 883 ATF_REQUIRE_MSG(cmsg != NULL, FMT_ERR("malloc")); 884 885 cmsg->cmsg_len = CMSG_LEN(sizeof(pathfd)); 886 cmsg->cmsg_level = SOL_SOCKET; 887 cmsg->cmsg_type = SCM_RIGHTS; 888 *(int *)(void *)CMSG_DATA(cmsg) = pathfd; 889 890 c = 0; 891 iov.iov_base = &c; 892 iov.iov_len = 1; 893 894 memset(&msg, 0, sizeof(msg)); 895 msg.msg_iov = &iov; 896 msg.msg_iovlen = 1; 897 msg.msg_control = cmsg; 898 msg.msg_controllen = CMSG_SPACE(sizeof(pathfd)); 899 900 ATF_REQUIRE_MSG(sendmsg(sd[0], &msg, 0) == sizeof(c), 901 FMT_ERR("sendmsg")); 902 903 /* Grab the pathfd copy from the other end of the pair. */ 904 memset(&msg, 0, sizeof(msg)); 905 msg.msg_iov = &iov; 906 msg.msg_iovlen = 1; 907 msg.msg_control = cmsg; 908 msg.msg_controllen = CMSG_SPACE(sizeof(pathfd)); 909 910 ATF_REQUIRE_MSG(recvmsg(sd[1], &msg, 0) == 1, 911 FMT_ERR("recvmsg")); 912 pathfd_copy = *(int *)(void *)CMSG_DATA(cmsg); 913 ATF_REQUIRE_MSG(pathfd_copy != pathfd, 914 "pathfd and pathfd_copy are equal"); 915 916 /* Verify that the copy has O_PATH properties. */ 917 flags = fcntl(pathfd_copy, F_GETFL); 918 ATF_REQUIRE_MSG(flags != -1, FMT_ERR("fcntl")); 919 ATF_REQUIRE_MSG((flags & O_PATH) != 0, "O_PATH is not set"); 920 ATF_REQUIRE_ERRNO(EBADF, 921 read(pathfd_copy, &c, 1) == -1); 922 ATF_REQUIRE_ERRNO(EBADF, 923 write(pathfd_copy, &c, 1) == -1); 924 925 CHECKED_CLOSE(pathfd); 926 CHECKED_CLOSE(pathfd_copy); 927 CHECKED_CLOSE(sd[0]); 928 CHECKED_CLOSE(sd[1]); 929 } 930 931 /* Verify that a local socket can be opened with O_PATH. */ 932 ATF_TC_WITHOUT_HEAD(path_unix); 933 ATF_TC_BODY(path_unix, tc) 934 { 935 char buf[BUFSIZ], path[PATH_MAX]; 936 struct kevent ev; 937 struct sockaddr_un sun; 938 struct stat sb; 939 int kq, pathfd, sd; 940 941 snprintf(path, sizeof(path), "path_unix.XXXXXX"); 942 ATF_REQUIRE_MSG(mktemp(path) == path, FMT_ERR("mktemp")); 943 944 sd = socket(PF_LOCAL, SOCK_STREAM, 0); 945 ATF_REQUIRE_MSG(sd >= 0, FMT_ERR("socket")); 946 947 memset(&sun, 0, sizeof(sun)); 948 sun.sun_family = PF_LOCAL; 949 (void)strlcpy(sun.sun_path, path, sizeof(sun.sun_path)); 950 ATF_REQUIRE_MSG(bind(sd, (struct sockaddr *)&sun, SUN_LEN(&sun)) == 0, 951 FMT_ERR("bind")); 952 953 pathfd = open(path, O_PATH); 954 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 955 956 ATF_REQUIRE_MSG(fstatat(pathfd, "", &sb, AT_EMPTY_PATH) == 0, 957 FMT_ERR("fstatat")); 958 ATF_REQUIRE_MSG(sb.st_mode & S_IFSOCK, "socket mode %#x", sb.st_mode); 959 ATF_REQUIRE_MSG(sb.st_ino != 0, "socket has inode number 0"); 960 961 memset(buf, 0, sizeof(buf)); 962 ATF_REQUIRE_ERRNO(EBADF, write(pathfd, buf, sizeof(buf))); 963 ATF_REQUIRE_ERRNO(EBADF, read(pathfd, buf, sizeof(buf))); 964 965 /* kevent() is disallowed with sockets. */ 966 kq = kqueue(); 967 ATF_REQUIRE_MSG(kq >= 0, FMT_ERR("kqueue")); 968 EV_SET(&ev, pathfd, EVFILT_READ, EV_ADD | EV_ENABLE, 0, 0, 0); 969 ATF_REQUIRE_ERRNO(EBADF, kevent(kq, &ev, 1, NULL, 0, NULL) == -1); 970 971 /* Should not be able to open a socket without O_PATH. */ 972 ATF_REQUIRE_ERRNO(EOPNOTSUPP, openat(pathfd, "", O_EMPTY_PATH) == -1); 973 974 ATF_REQUIRE_MSG(funlinkat(AT_FDCWD, path, pathfd, 0) == 0, 975 FMT_ERR("funlinkat")); 976 977 CHECKED_CLOSE(sd); 978 CHECKED_CLOSE(pathfd); 979 } 980 981 /* 982 * Check that we can perform operations using an O_PATH fd for an unlinked file. 983 */ 984 ATF_TC_WITHOUT_HEAD(path_unlinked); 985 ATF_TC_BODY(path_unlinked, tc) 986 { 987 char path[PATH_MAX]; 988 struct stat sb; 989 int pathfd; 990 991 mktfile(path, "path_rights.XXXXXX"); 992 993 pathfd = open(path, O_PATH); 994 ATF_REQUIRE_MSG(pathfd >= 0, FMT_ERR("open")); 995 996 ATF_REQUIRE_MSG(fstatat(pathfd, "", &sb, AT_EMPTY_PATH) == 0, 997 FMT_ERR("fstatat")); 998 ATF_REQUIRE(sb.st_nlink == 1); 999 ATF_REQUIRE_MSG(fstat(pathfd, &sb) == 0, FMT_ERR("fstat")); 1000 ATF_REQUIRE(sb.st_nlink == 1); 1001 1002 ATF_REQUIRE_MSG(unlink(path) == 0, FMT_ERR("unlink")); 1003 1004 ATF_REQUIRE_MSG(fstatat(pathfd, "", &sb, AT_EMPTY_PATH) == 0, 1005 FMT_ERR("fstatat")); 1006 ATF_REQUIRE(sb.st_nlink == 0); 1007 ATF_REQUIRE_MSG(fstat(pathfd, &sb) == 0, FMT_ERR("fstat")); 1008 ATF_REQUIRE(sb.st_nlink == 0); 1009 1010 CHECKED_CLOSE(pathfd); 1011 } 1012 1013 ATF_TP_ADD_TCS(tp) 1014 { 1015 ATF_TP_ADD_TC(tp, path_access); 1016 ATF_TP_ADD_TC(tp, path_aio); 1017 ATF_TP_ADD_TC(tp, path_capsicum); 1018 ATF_TP_ADD_TC(tp, path_capsicum_empty); 1019 ATF_TP_ADD_TC(tp, path_coredump); 1020 ATF_TP_ADD_TC(tp, path_directory); 1021 ATF_TP_ADD_TC(tp, path_directory_not_root); 1022 ATF_TP_ADD_TC(tp, path_empty); 1023 ATF_TP_ADD_TC(tp, path_empty_not_root); 1024 ATF_TP_ADD_TC(tp, path_empty_root); 1025 ATF_TP_ADD_TC(tp, path_event); 1026 ATF_TP_ADD_TC(tp, path_fcntl); 1027 ATF_TP_ADD_TC(tp, path_fexecve); 1028 ATF_TP_ADD_TC(tp, path_fifo); 1029 ATF_TP_ADD_TC(tp, path_funlinkat); 1030 ATF_TP_ADD_TC(tp, path_io); 1031 ATF_TP_ADD_TC(tp, path_ioctl); 1032 ATF_TP_ADD_TC(tp, path_lock); 1033 ATF_TP_ADD_TC(tp, path_pipe_fstatat); 1034 ATF_TP_ADD_TC(tp, path_rights); 1035 ATF_TP_ADD_TC(tp, path_unix); 1036 ATF_TP_ADD_TC(tp, path_unlinked); 1037 1038 return (atf_no_error()); 1039 } 1040