1 // SPDX-License-Identifier: GPL-2.0 2 3 /* 4 * Based on Christian Brauner's clone3() example. 5 * These tests are assuming to be running in the host's 6 * PID namespace. 7 */ 8 9 /* capabilities related code based on selftests/bpf/test_verifier.c */ 10 11 #define _GNU_SOURCE 12 #include <errno.h> 13 #include <linux/types.h> 14 #include <linux/sched.h> 15 #include <stdio.h> 16 #include <stdlib.h> 17 #include <stdbool.h> 18 #include <sys/capability.h> 19 #include <sys/prctl.h> 20 #include <sys/syscall.h> 21 #include <sys/types.h> 22 #include <sys/un.h> 23 #include <sys/wait.h> 24 #include <unistd.h> 25 #include <sched.h> 26 27 #include "../kselftest_harness.h" 28 #include "clone3_selftests.h" 29 30 static void child_exit(int ret) 31 { 32 fflush(stdout); 33 fflush(stderr); 34 _exit(ret); 35 } 36 37 static int call_clone3_set_tid(struct __test_metadata *_metadata, 38 pid_t *set_tid, size_t set_tid_size) 39 { 40 int status; 41 pid_t pid = -1; 42 43 struct __clone_args args = { 44 .exit_signal = SIGCHLD, 45 .set_tid = ptr_to_u64(set_tid), 46 .set_tid_size = set_tid_size, 47 }; 48 49 pid = sys_clone3(&args, sizeof(args)); 50 if (pid < 0) { 51 TH_LOG("%s - Failed to create new process", strerror(errno)); 52 return -errno; 53 } 54 55 if (pid == 0) { 56 int ret; 57 char tmp = 0; 58 59 TH_LOG("I am the child, my PID is %d (expected %d)", getpid(), set_tid[0]); 60 61 if (set_tid[0] != getpid()) 62 child_exit(EXIT_FAILURE); 63 child_exit(EXIT_SUCCESS); 64 } 65 66 TH_LOG("I am the parent (%d). My child's pid is %d", getpid(), pid); 67 68 if (waitpid(pid, &status, 0) < 0) { 69 TH_LOG("Child returned %s", strerror(errno)); 70 return -errno; 71 } 72 73 if (!WIFEXITED(status)) 74 return -1; 75 76 return WEXITSTATUS(status); 77 } 78 79 static int test_clone3_set_tid(struct __test_metadata *_metadata, 80 pid_t *set_tid, size_t set_tid_size) 81 { 82 int ret; 83 84 TH_LOG("[%d] Trying clone3() with CLONE_SET_TID to %d", getpid(), set_tid[0]); 85 ret = call_clone3_set_tid(_metadata, set_tid, set_tid_size); 86 TH_LOG("[%d] clone3() with CLONE_SET_TID %d says:%d", getpid(), set_tid[0], ret); 87 return ret; 88 } 89 90 struct libcap { 91 struct __user_cap_header_struct hdr; 92 struct __user_cap_data_struct data[2]; 93 }; 94 95 static int set_capability(void) 96 { 97 cap_value_t cap_values[] = { CAP_SETUID, CAP_SETGID }; 98 struct libcap *cap; 99 int ret = -1; 100 cap_t caps; 101 102 caps = cap_get_proc(); 103 if (!caps) { 104 perror("cap_get_proc"); 105 return -1; 106 } 107 108 /* Drop all capabilities */ 109 if (cap_clear(caps)) { 110 perror("cap_clear"); 111 goto out; 112 } 113 114 cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_values, CAP_SET); 115 cap_set_flag(caps, CAP_PERMITTED, 2, cap_values, CAP_SET); 116 117 cap = (struct libcap *) caps; 118 119 /* 40 -> CAP_CHECKPOINT_RESTORE */ 120 cap->data[1].effective |= 1 << (40 - 32); 121 cap->data[1].permitted |= 1 << (40 - 32); 122 123 if (cap_set_proc(caps)) { 124 perror("cap_set_proc"); 125 goto out; 126 } 127 ret = 0; 128 out: 129 if (cap_free(caps)) 130 perror("cap_free"); 131 return ret; 132 } 133 134 TEST(clone3_cap_checkpoint_restore) 135 { 136 pid_t pid; 137 int status; 138 int ret = 0; 139 pid_t set_tid[1]; 140 141 test_clone3_supported(); 142 143 EXPECT_EQ(getuid(), 0) 144 SKIP(return, "Skipping all tests as non-root"); 145 146 memset(&set_tid, 0, sizeof(set_tid)); 147 148 /* Find the current active PID */ 149 pid = fork(); 150 if (pid == 0) { 151 TH_LOG("Child has PID %d", getpid()); 152 child_exit(EXIT_SUCCESS); 153 } 154 ASSERT_GT(waitpid(pid, &status, 0), 0) 155 TH_LOG("Waiting for child %d failed", pid); 156 157 /* After the child has finished, its PID should be free. */ 158 set_tid[0] = pid; 159 160 ASSERT_EQ(set_capability(), 0) 161 TH_LOG("Could not set CAP_CHECKPOINT_RESTORE"); 162 163 ASSERT_EQ(prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0), 0); 164 165 EXPECT_EQ(setgid(65534), 0) 166 TH_LOG("Failed to setgid(65534)"); 167 ASSERT_EQ(setuid(65534), 0); 168 169 set_tid[0] = pid; 170 /* This would fail without CAP_CHECKPOINT_RESTORE */ 171 ASSERT_EQ(test_clone3_set_tid(_metadata, set_tid, 1), -EPERM); 172 ASSERT_EQ(set_capability(), 0) 173 TH_LOG("Could not set CAP_CHECKPOINT_RESTORE"); 174 /* This should work as we have CAP_CHECKPOINT_RESTORE as non-root */ 175 ASSERT_EQ(test_clone3_set_tid(_metadata, set_tid, 1), 0); 176 } 177 178 TEST_HARNESS_MAIN 179