1 /*- 2 * Copyright (c) 2001 Robert N. M. Watson 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/param.h> 28 #include <sys/uio.h> 29 #include <sys/ptrace.h> 30 #include <sys/time.h> 31 #include <sys/resource.h> 32 #include <sys/syscall.h> 33 #include <sys/wait.h> 34 #include <sys/ktrace.h> 35 36 #include <assert.h> 37 #include <errno.h> 38 #include <signal.h> 39 #include <stdio.h> 40 #include <string.h> 41 #include <unistd.h> 42 43 /* 44 * Relevant parts of a process credential. 45 */ 46 struct cred { 47 uid_t cr_euid, cr_ruid, cr_svuid; 48 int cr_issetugid; 49 }; 50 51 /* 52 * Description of a scenario. 53 */ 54 struct scenario { 55 struct cred *sc_cred1, *sc_cred2; /* credentials of p1 and p2 */ 56 int sc_canptrace_errno; /* desired ptrace failure */ 57 int sc_canktrace_errno; /* desired ktrace failure */ 58 int sc_cansighup_errno; /* desired SIGHUP failure */ 59 int sc_cansigsegv_errno; /* desired SIGSEGV failure */ 60 int sc_cansee_errno; /* desired getprio failure */ 61 int sc_cansched_errno; /* desired setprio failure */ 62 char *sc_name; /* test name */ 63 }; 64 65 /* 66 * Table of relevant credential combinations. 67 */ 68 static struct cred creds[] = { 69 /* euid ruid svuid issetugid */ 70 /* 0 */ { 0, 0, 0, 0 }, /* privileged */ 71 /* 1 */ { 0, 0, 0, 1 }, /* privileged + issetugid */ 72 /* 2 */ { 1000, 1000, 1000, 0 }, /* unprivileged1 */ 73 /* 3 */ { 1000, 1000, 1000, 1 }, /* unprivileged1 + issetugid */ 74 /* 4 */ { 1001, 1001, 1001, 0 }, /* unprivileged2 */ 75 /* 5 */ { 1001, 1001, 1001, 1 }, /* unprivileged2 + issetugid */ 76 /* 6 */ { 1000, 0, 0, 0 }, /* daemon1 */ 77 /* 7 */ { 1000, 0, 0, 1 }, /* daemon1 + issetugid */ 78 /* 8 */ { 1001, 0, 0, 0 }, /* daemon2 */ 79 /* 9 */ { 1001, 0, 0, 1 }, /* daemon2 + issetugid */ 80 /* 10 */{ 0, 1000, 1000, 0 }, /* setuid1 */ 81 /* 11 */{ 0, 1000, 1000, 1 }, /* setuid1 + issetugid */ 82 /* 12 */{ 0, 1001, 1001, 0 }, /* setuid2 */ 83 /* 13 */{ 0, 1001, 1001, 1 }, /* setuid2 + issetugid */ 84 }; 85 86 /* 87 * Table of scenarios. 88 */ 89 static const struct scenario scenarios[] = { 90 /* cred1 cred2 ptrace ktrace, sighup sigsegv see sched name */ 91 /* privileged on privileged */ 92 { &creds[0], &creds[0], 0, 0, 0, 0, 0, 0, "0. priv on priv"}, 93 { &creds[0], &creds[1], 0, 0, 0, 0, 0, 0, "1. priv on priv"}, 94 { &creds[1], &creds[0], 0, 0, 0, 0, 0, 0, "2. priv on priv"}, 95 { &creds[1], &creds[1], 0, 0, 0, 0, 0, 0, "3. priv on priv"}, 96 /* privileged on unprivileged */ 97 { &creds[0], &creds[2], 0, 0, 0, 0, 0, 0, "4. priv on unpriv1"}, 98 { &creds[0], &creds[3], 0, 0, 0, 0, 0, 0, "5. priv on unpriv1"}, 99 { &creds[1], &creds[2], 0, 0, 0, 0, 0, 0, "6. priv on unpriv1"}, 100 { &creds[1], &creds[3], 0, 0, 0, 0, 0, 0, "7. priv on unpriv1"}, 101 /* unprivileged on privileged */ 102 { &creds[2], &creds[0], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "8. unpriv1 on priv"}, 103 { &creds[2], &creds[1], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "9. unpriv1 on priv"}, 104 { &creds[3], &creds[0], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "10. unpriv1 on priv"}, 105 { &creds[3], &creds[1], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "11. unpriv1 on priv"}, 106 /* unprivileged on same unprivileged */ 107 { &creds[2], &creds[2], 0, 0, 0, 0, 0, 0, "12. unpriv1 on unpriv1"}, 108 { &creds[2], &creds[3], EPERM, EPERM, 0, EPERM, 0, 0, "13. unpriv1 on unpriv1"}, 109 { &creds[3], &creds[2], 0, 0, 0, 0, 0, 0, "14. unpriv1 on unpriv1"}, 110 { &creds[3], &creds[3], EPERM, EPERM, 0, EPERM, 0, 0, "15. unpriv1 on unpriv1"}, 111 /* unprivileged on different unprivileged */ 112 { &creds[2], &creds[4], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "16. unpriv1 on unpriv2"}, 113 { &creds[2], &creds[5], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "17. unpriv1 on unpriv2"}, 114 { &creds[3], &creds[4], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "18. unpriv1 on unpriv2"}, 115 { &creds[3], &creds[5], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "19. unpriv1 on unpriv2"}, 116 /* unprivileged on daemon, same */ 117 { &creds[2], &creds[6], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "20. unpriv1 on daemon1"}, 118 { &creds[2], &creds[7], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "21. unpriv1 on daemon1"}, 119 { &creds[3], &creds[6], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "22. unpriv1 on daemon1"}, 120 { &creds[3], &creds[7], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "23. unpriv1 on daemon1"}, 121 /* unprivileged on daemon, different */ 122 { &creds[2], &creds[8], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "24. unpriv1 on daemon2"}, 123 { &creds[2], &creds[9], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "25. unpriv1 on daemon2"}, 124 { &creds[3], &creds[8], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "26. unpriv1 on daemon2"}, 125 { &creds[3], &creds[9], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "27. unpriv1 on daemon2"}, 126 /* unprivileged on setuid, same */ 127 { &creds[2], &creds[10], EPERM, EPERM, 0, 0, 0, 0, "28. unpriv1 on setuid1"}, 128 { &creds[2], &creds[11], EPERM, EPERM, 0, EPERM, 0, 0, "29. unpriv1 on setuid1"}, 129 { &creds[3], &creds[10], EPERM, EPERM, 0, 0, 0, 0, "30. unpriv1 on setuid1"}, 130 { &creds[3], &creds[11], EPERM, EPERM, 0, EPERM, 0, 0, "31. unpriv1 on setuid1"}, 131 /* unprivileged on setuid, different */ 132 { &creds[2], &creds[12], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "32. unpriv1 on setuid2"}, 133 { &creds[2], &creds[13], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "33. unpriv1 on setuid2"}, 134 { &creds[3], &creds[12], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "34. unpriv1 on setuid2"}, 135 { &creds[3], &creds[13], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "35. unpriv1 on setuid2"}, 136 }; 137 int scenarios_count = sizeof(scenarios) / sizeof(struct scenario); 138 139 /* 140 * Convert an error number to a compact string representation. For now, 141 * implement only the error numbers we are likely to see. 142 */ 143 static char * 144 errno_to_string(int error) 145 { 146 147 switch (error) { 148 case EPERM: 149 return ("EPERM"); 150 case EACCES: 151 return ("EACCES"); 152 case EINVAL: 153 return ("EINVAL"); 154 case ENOSYS: 155 return ("ENOSYS"); 156 case ESRCH: 157 return ("ESRCH"); 158 case EOPNOTSUPP: 159 return ("EOPNOTSUPP"); 160 case 0: 161 return ("0"); 162 default: 163 printf("%d\n", error); 164 return ("unknown"); 165 } 166 } 167 168 /* 169 * Return a process credential describing the current process. 170 */ 171 static int 172 cred_get(struct cred *cred) 173 { 174 int error; 175 176 error = getresuid(&cred->cr_ruid, &cred->cr_euid, &cred->cr_svuid); 177 if (error) 178 return (error); 179 180 cred->cr_issetugid = issetugid(); 181 182 return (0); 183 } 184 185 /* 186 * Userland stub for __setsugid() to take into account possible presence 187 * in C library, kernel, et al. 188 */ 189 int 190 setugid(int flag) 191 { 192 193 #ifdef SETSUGID_SUPPORTED 194 return (__setugid(flag)); 195 #else 196 #ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB 197 return (syscall(374, flag)); 198 #else 199 return (ENOSYS); 200 #endif 201 #endif 202 } 203 204 /* 205 * Set the current process's credentials to match the passed credential. 206 */ 207 static int 208 cred_set(struct cred *cred) 209 { 210 int error; 211 212 error = setresuid(cred->cr_ruid, cred->cr_euid, cred->cr_svuid); 213 if (error) 214 return (error); 215 216 error = setugid(cred->cr_issetugid); 217 if (error) { 218 perror("__setugid"); 219 return (error); 220 } 221 222 #ifdef CHECK_CRED_SET 223 { 224 uid_t ruid, euid, svuid; 225 error = getresuid(&ruid, &euid, &svuid); 226 if (error) { 227 perror("getresuid"); 228 return (-1); 229 } 230 assert(ruid == cred->cr_ruid); 231 assert(euid == cred->cr_euid); 232 assert(svuid == cred->cr_svuid); 233 assert(cred->cr_issetugid == issetugid()); 234 } 235 #endif /* !CHECK_CRED_SET */ 236 237 return (0); 238 } 239 240 /* 241 * Print the passed process credential to the passed I/O stream. 242 */ 243 static void 244 cred_print(FILE *output, struct cred *cred) 245 { 246 247 fprintf(output, "(e:%d r:%d s:%d P_SUGID:%d)", cred->cr_euid, 248 cred->cr_ruid, cred->cr_svuid, cred->cr_issetugid); 249 } 250 251 #define LOOP_PTRACE 0 252 #define LOOP_KTRACE 1 253 #define LOOP_SIGHUP 2 254 #define LOOP_SIGSEGV 3 255 #define LOOP_SEE 4 256 #define LOOP_SCHED 5 257 #define LOOP_MAX LOOP_SCHED 258 259 /* 260 * Enact a scenario by looping through the four test cases for the scenario, 261 * spawning off pairs of processes with the desired credentials, and 262 * reporting results to stdout. 263 */ 264 static int 265 enact_scenario(int scenario) 266 { 267 pid_t pid1, pid2; 268 char *name, *tracefile; 269 int error, desirederror, loop; 270 271 for (loop = 0; loop < LOOP_MAX+1; loop++) { 272 /* 273 * Spawn the first child, target of the operation. 274 */ 275 pid1 = fork(); 276 switch (pid1) { 277 case -1: 278 return (-1); 279 case 0: 280 /* child */ 281 error = cred_set(scenarios[scenario].sc_cred2); 282 if (error) { 283 perror("cred_set"); 284 return (error); 285 } 286 /* 200 seconds should be plenty of time. */ 287 sleep(200); 288 exit(0); 289 default: 290 /* parent */ 291 break; 292 } 293 294 /* 295 * XXX 296 * This really isn't ideal -- give proc 1 a chance to set 297 * its credentials, or we may get spurious errors. Really, 298 * some for of IPC should be used to allow the parent to 299 * wait for the first child to be ready before spawning 300 * the second child. 301 */ 302 sleep(1); 303 304 /* 305 * Spawn the second child, source of the operation. 306 */ 307 pid2 = fork(); 308 switch (pid2) { 309 case -1: 310 return (-1); 311 312 case 0: 313 /* child */ 314 error = cred_set(scenarios[scenario].sc_cred1); 315 if (error) { 316 perror("cred_set"); 317 return (error); 318 } 319 320 /* 321 * Initialize errno to zero so as to catch any 322 * generated errors. In each case, perform the 323 * operation. Preserve the error number for later 324 * use so it doesn't get stomped on by any I/O. 325 * Determine the desired error for the given case 326 * by extracting it from the scenario table. 327 * Initialize a function name string for output 328 * prettiness. 329 */ 330 errno = 0; 331 switch (loop) { 332 case LOOP_PTRACE: 333 error = ptrace(PT_ATTACH, pid1, NULL, 0); 334 error = errno; 335 name = "ptrace"; 336 desirederror = 337 scenarios[scenario].sc_canptrace_errno; 338 break; 339 case LOOP_KTRACE: 340 tracefile = mktemp("/tmp/testuid_ktrace.XXXXXX"); 341 if (tracefile == NULL) { 342 error = errno; 343 perror("mktemp"); 344 break; 345 } 346 error = ktrace(tracefile, KTROP_SET, 347 KTRFAC_SYSCALL, pid1); 348 error = errno; 349 name = "ktrace"; 350 desirederror = 351 scenarios[scenario].sc_canktrace_errno; 352 unlink(tracefile); 353 break; 354 case LOOP_SIGHUP: 355 error = kill(pid1, SIGHUP); 356 error = errno; 357 name = "sighup"; 358 desirederror = 359 scenarios[scenario].sc_cansighup_errno; 360 break; 361 case LOOP_SIGSEGV: 362 error = kill(pid1, SIGSEGV); 363 error = errno; 364 name = "sigsegv"; 365 desirederror = 366 scenarios[scenario].sc_cansigsegv_errno; 367 break; 368 case LOOP_SEE: 369 getpriority(PRIO_PROCESS, pid1); 370 error = errno; 371 name = "see"; 372 desirederror = 373 scenarios[scenario].sc_cansee_errno; 374 break; 375 case LOOP_SCHED: 376 error = setpriority(PRIO_PROCESS, pid1, 377 0); 378 error = errno; 379 name = "sched"; 380 desirederror = 381 scenarios[scenario].sc_cansched_errno; 382 break; 383 default: 384 name = "broken"; 385 } 386 387 if (error != desirederror) { 388 fprintf(stdout, 389 "[%s].%s: expected %s, got %s\n ", 390 scenarios[scenario].sc_name, name, 391 errno_to_string(desirederror), 392 errno_to_string(error)); 393 cred_print(stdout, 394 scenarios[scenario].sc_cred1); 395 cred_print(stdout, 396 scenarios[scenario].sc_cred2); 397 fprintf(stdout, "\n"); 398 } 399 400 exit(0); 401 402 default: 403 /* parent */ 404 break; 405 } 406 407 error = waitpid(pid2, NULL, 0); 408 /* 409 * Once pid2 has died, it's safe to kill pid1, if it's still 410 * alive. Mask signal failure in case the test actually 411 * killed pid1 (not unlikely: can occur in both signal and 412 * ptrace cases). 413 */ 414 kill(pid1, SIGKILL); 415 error = waitpid(pid2, NULL, 0); 416 } 417 418 return (0); 419 } 420 421 void 422 enact_scenarios(void) 423 { 424 int i, error; 425 426 for (i = 0; i < scenarios_count; i++) { 427 error = enact_scenario(i); 428 if (error) 429 perror("enact_scenario"); 430 } 431 } 432