xref: /freebsd/tests/sys/vfs/lookup_cap_dotdot.c (revision 1db64f89363c97858961c4df0b7d02f3223723cf) 
1 /*-
2  * Copyright (c) 2016 Ed Maste <emaste@FreeBSD.org>
3  * Copyright (c) 2016 Conrad Meyer <cem@FreeBSD.org>
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/param.h>
28 #include <sys/capsicum.h>
29 #include <sys/sysctl.h>
30 #include <sys/stat.h>
31 
32 #include <atf-c.h>
33 #include <errno.h>
34 #include <stdlib.h>
35 #include <string.h>
36 
37 #include "freebsd_test_suite/macros.h"
38 
39 static int dirfd = -1;
40 static char *abspath;
41 
42 static void
43 touchat(int _dirfd, const char *name)
44 {
45 	int fd;
46 
47 	ATF_REQUIRE((fd = openat(_dirfd, name, O_CREAT | O_TRUNC | O_WRONLY,
48 	    0777)) >= 0);
49 	ATF_REQUIRE(close(fd) == 0);
50 }
51 
52 static void
53 prepare_dotdot_tests(void)
54 {
55 	char cwd[MAXPATHLEN];
56 
57 	ATF_REQUIRE(getcwd(cwd, sizeof(cwd)) != NULL);
58 	asprintf(&abspath, "%s/testdir/d1/f1", cwd);
59 
60 	ATF_REQUIRE(mkdir("testdir", 0777) == 0);
61 	ATF_REQUIRE((dirfd = open("testdir", O_RDONLY)) >= 0);
62 
63 	ATF_REQUIRE(mkdirat(dirfd, "d1", 0777) == 0);
64 	ATF_REQUIRE(mkdirat(dirfd, "d1/d2", 0777) == 0);
65 	ATF_REQUIRE(mkdirat(dirfd, "d1/d2/d3", 0777) == 0);
66 	touchat(dirfd, "d1/f1");
67 	touchat(dirfd, "d1/d2/f2");
68 	touchat(dirfd, "d1/d2/d3/f3");
69 	ATF_REQUIRE(symlinkat("d1/d2/d3", dirfd, "l3") == 0);
70 	ATF_REQUIRE(symlinkat("../testdir/d1", dirfd, "lup") == 0);
71 	ATF_REQUIRE(symlinkat("../..", dirfd, "d1/d2/d3/ld1") == 0);
72 	ATF_REQUIRE(symlinkat("../../f1", dirfd, "d1/d2/d3/lf1") == 0);
73 }
74 
75 static void
76 check_capsicum(void)
77 {
78 	ATF_REQUIRE_FEATURE("security_capabilities");
79 	ATF_REQUIRE_FEATURE("security_capability_mode");
80 	ATF_REQUIRE_SYSCTL_BOOL("kern.trap_enotcap", false);
81 }
82 
83 /*
84  * Positive tests
85  */
86 ATF_TC(openat__basic_positive);
87 ATF_TC_HEAD(openat__basic_positive, tc)
88 {
89 	atf_tc_set_md_var(tc, "descr", "Basic positive openat testcases");
90 }
91 
92 ATF_TC_BODY(openat__basic_positive, tc)
93 {
94 	prepare_dotdot_tests();
95 
96 	ATF_REQUIRE(openat(dirfd, "d1/d2/d3/f3", O_RDONLY) >= 0);
97 	ATF_REQUIRE(openat(dirfd, "d1/d2/d3/../../f1", O_RDONLY) >= 0);
98 	ATF_REQUIRE(openat(dirfd, "l3/f3", O_RDONLY) >= 0);
99 	ATF_REQUIRE(openat(dirfd, "l3/../../f1", O_RDONLY) >= 0);
100 	ATF_REQUIRE(openat(dirfd, "../testdir/d1/f1", O_RDONLY) >= 0);
101 	ATF_REQUIRE(openat(dirfd, "lup/f1", O_RDONLY) >= 0);
102 	ATF_REQUIRE(openat(dirfd, "l3/ld1", O_RDONLY) >= 0);
103 	ATF_REQUIRE(openat(dirfd, "l3/lf1", O_RDONLY) >= 0);
104 	ATF_REQUIRE(open(abspath, O_RDONLY) >= 0);
105 	ATF_REQUIRE(openat(dirfd, abspath, O_RDONLY) >= 0);
106 }
107 
108 ATF_TC(lookup_cap_dotdot__basic);
109 ATF_TC_HEAD(lookup_cap_dotdot__basic, tc)
110 {
111 	atf_tc_set_md_var(tc, "descr",
112 	    "Validate cap-mode (testdir)/d1/.. lookup");
113 }
114 
115 ATF_TC_BODY(lookup_cap_dotdot__basic, tc)
116 {
117 	cap_rights_t rights;
118 
119 	check_capsicum();
120 	prepare_dotdot_tests();
121 
122 	cap_rights_init(&rights, CAP_LOOKUP, CAP_READ);
123 	ATF_REQUIRE(cap_rights_limit(dirfd, &rights) >= 0);
124 
125 	ATF_REQUIRE(cap_enter() >= 0);
126 
127 	ATF_REQUIRE_MSG(openat(dirfd, "d1/..", O_RDONLY) >= 0, "%s",
128 	    strerror(errno));
129 }
130 
131 ATF_TC(lookup_cap_dotdot__advanced);
132 ATF_TC_HEAD(lookup_cap_dotdot__advanced, tc)
133 {
134 	atf_tc_set_md_var(tc, "descr",
135 	    "Validate cap-mode (testdir)/d1/.. lookup");
136 }
137 
138 ATF_TC_BODY(lookup_cap_dotdot__advanced, tc)
139 {
140 	cap_rights_t rights;
141 
142 	check_capsicum();
143 	prepare_dotdot_tests();
144 
145 	cap_rights_init(&rights, CAP_LOOKUP, CAP_READ);
146 	ATF_REQUIRE(cap_rights_limit(dirfd, &rights) >= 0);
147 
148 	ATF_REQUIRE(cap_enter() >= 0);
149 
150 	ATF_REQUIRE(openat(dirfd, "d1/d2/d3/../../f1", O_RDONLY) >= 0);
151 	ATF_REQUIRE(openat(dirfd, "l3/../../f1", O_RDONLY) >= 0);
152 	ATF_REQUIRE(openat(dirfd, "l3/ld1", O_RDONLY) >= 0);
153 	ATF_REQUIRE(openat(dirfd, "l3/lf1", O_RDONLY) >= 0);
154 }
155 
156 /*
157  * Negative tests
158  */
159 ATF_TC(openat__basic_negative);
160 ATF_TC_HEAD(openat__basic_negative, tc)
161 {
162 	atf_tc_set_md_var(tc, "descr", "Basic negative openat testcases");
163 }
164 
165 ATF_TC_BODY(openat__basic_negative, tc)
166 {
167 	prepare_dotdot_tests();
168 
169 	ATF_REQUIRE_ERRNO(ENOENT,
170 	    openat(dirfd, "does-not-exist", O_RDONLY) < 0);
171 	ATF_REQUIRE_ERRNO(ENOENT,
172 	    openat(dirfd, "l3/does-not-exist", O_RDONLY) < 0);
173 }
174 
175 ATF_TC(capmode__negative);
176 ATF_TC_HEAD(capmode__negative, tc)
177 {
178 	atf_tc_set_md_var(tc, "descr", "Negative Capability mode testcases");
179 }
180 
181 ATF_TC_BODY(capmode__negative, tc)
182 {
183 	int subdirfd;
184 
185 	check_capsicum();
186 	prepare_dotdot_tests();
187 
188 	ATF_REQUIRE(cap_enter() == 0);
189 
190 	/* open() not permitted in capability mode */
191 	ATF_REQUIRE_ERRNO(ECAPMODE, open("testdir", O_RDONLY) < 0);
192 
193 	/* AT_FDCWD not permitted in capability mode */
194 	ATF_REQUIRE_ERRNO(ECAPMODE, openat(AT_FDCWD, "d1/f1", O_RDONLY) < 0);
195 
196 	/* Relative path above dirfd not capable */
197 	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "..", O_RDONLY) < 0);
198 	ATF_REQUIRE((subdirfd = openat(dirfd, "l3", O_RDONLY)) >= 0);
199 	ATF_REQUIRE_ERRNO(ENOTCAPABLE,
200 	    openat(subdirfd, "../../f1", O_RDONLY) < 0);
201 
202 	/* Absolute paths not capable */
203 	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, abspath, O_RDONLY) < 0);
204 
205 	/* Symlink above dirfd */
206 	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "lup/f1", O_RDONLY) < 0);
207 }
208 
209 ATF_TC(lookup_cap_dotdot__negative);
210 ATF_TC_HEAD(lookup_cap_dotdot__negative, tc)
211 {
212 	atf_tc_set_md_var(tc, "descr",
213 	    "Validate cap-mode (testdir)/.. lookup fails");
214 }
215 
216 ATF_TC_BODY(lookup_cap_dotdot__negative, tc)
217 {
218 	cap_rights_t rights;
219 
220 	check_capsicum();
221 	prepare_dotdot_tests();
222 
223 	cap_rights_init(&rights, CAP_LOOKUP, CAP_READ);
224 	ATF_REQUIRE(cap_rights_limit(dirfd, &rights) >= 0);
225 
226 	ATF_REQUIRE(cap_enter() >= 0);
227 
228 	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "..", O_RDONLY) < 0);
229 	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "d1/../..", O_RDONLY) < 0);
230 	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "../testdir/d1/f1", O_RDONLY) < 0);
231 }
232 
233 ATF_TC(lookup_cap_dotdot__root);
234 ATF_TC_HEAD(lookup_cap_dotdot__root, tc)
235 {
236 	atf_tc_set_md_var(tc, "descr", "Validate cap-mode /.. lookup fails");
237 }
238 
239 ATF_TC_BODY(lookup_cap_dotdot__root, tc)
240 {
241 	int dfd, dfd2;
242 
243 	check_capsicum();
244 
245 	dfd = open("/", O_DIRECTORY);
246 	ATF_REQUIRE(dfd >= 0);
247 
248 	dfd2 = openat(dfd, "..", O_DIRECTORY);
249 	ATF_REQUIRE(dfd2 >= 0);
250 	ATF_REQUIRE(close(dfd2) == 0);
251 
252 	ATF_REQUIRE(cap_enter() >= 0);
253 
254 	dfd2 = openat(dfd, "..", O_DIRECTORY);
255 	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dfd, "..", O_DIRECTORY));
256 }
257 
258 ATF_TP_ADD_TCS(tp)
259 {
260 
261 	ATF_TP_ADD_TC(tp, openat__basic_positive);
262 	ATF_TP_ADD_TC(tp, openat__basic_negative);
263 
264 	ATF_TP_ADD_TC(tp, capmode__negative);
265 
266 	ATF_TP_ADD_TC(tp, lookup_cap_dotdot__basic);
267 	ATF_TP_ADD_TC(tp, lookup_cap_dotdot__advanced);
268 	ATF_TP_ADD_TC(tp, lookup_cap_dotdot__negative);
269 	ATF_TP_ADD_TC(tp, lookup_cap_dotdot__root);
270 
271 	return (atf_no_error());
272 }
273