1*053f45beSAndroid Build Coastguard Worker // SPDX-License-Identifier: GPL-2.0
2*053f45beSAndroid Build Coastguard Worker #define _GNU_SOURCE
3*053f45beSAndroid Build Coastguard Worker #include <stdio.h>
4*053f45beSAndroid Build Coastguard Worker #include <errno.h>
5*053f45beSAndroid Build Coastguard Worker #include <pwd.h>
6*053f45beSAndroid Build Coastguard Worker #include <grp.h>
7*053f45beSAndroid Build Coastguard Worker #include <string.h>
8*053f45beSAndroid Build Coastguard Worker #include <syscall.h>
9*053f45beSAndroid Build Coastguard Worker #include <sys/capability.h>
10*053f45beSAndroid Build Coastguard Worker #include <sys/types.h>
11*053f45beSAndroid Build Coastguard Worker #include <sys/mount.h>
12*053f45beSAndroid Build Coastguard Worker #include <sys/prctl.h>
13*053f45beSAndroid Build Coastguard Worker #include <sys/wait.h>
14*053f45beSAndroid Build Coastguard Worker #include <stdlib.h>
15*053f45beSAndroid Build Coastguard Worker #include <unistd.h>
16*053f45beSAndroid Build Coastguard Worker #include <fcntl.h>
17*053f45beSAndroid Build Coastguard Worker #include <stdbool.h>
18*053f45beSAndroid Build Coastguard Worker #include <stdarg.h>
19*053f45beSAndroid Build Coastguard Worker
20*053f45beSAndroid Build Coastguard Worker /*
21*053f45beSAndroid Build Coastguard Worker * NOTES about this test:
22*053f45beSAndroid Build Coastguard Worker * - requries libcap-dev to be installed on test system
23*053f45beSAndroid Build Coastguard Worker * - requires securityfs to me mounted at /sys/kernel/security, e.g.:
24*053f45beSAndroid Build Coastguard Worker * mount -n -t securityfs -o nodev,noexec,nosuid securityfs /sys/kernel/security
25*053f45beSAndroid Build Coastguard Worker * - needs CONFIG_SECURITYFS and CONFIG_SAFESETID to be enabled
26*053f45beSAndroid Build Coastguard Worker */
27*053f45beSAndroid Build Coastguard Worker
28*053f45beSAndroid Build Coastguard Worker #ifndef CLONE_NEWUSER
29*053f45beSAndroid Build Coastguard Worker # define CLONE_NEWUSER 0x10000000
30*053f45beSAndroid Build Coastguard Worker #endif
31*053f45beSAndroid Build Coastguard Worker
32*053f45beSAndroid Build Coastguard Worker #define ROOT_UGID 0
33*053f45beSAndroid Build Coastguard Worker #define RESTRICTED_PARENT_UGID 1
34*053f45beSAndroid Build Coastguard Worker #define ALLOWED_CHILD1_UGID 2
35*053f45beSAndroid Build Coastguard Worker #define ALLOWED_CHILD2_UGID 3
36*053f45beSAndroid Build Coastguard Worker #define NO_POLICY_UGID 4
37*053f45beSAndroid Build Coastguard Worker
38*053f45beSAndroid Build Coastguard Worker #define UGID_POLICY_STRING "1:2\n1:3\n2:2\n3:3\n"
39*053f45beSAndroid Build Coastguard Worker
40*053f45beSAndroid Build Coastguard Worker char* add_uid_whitelist_policy_file = "/sys/kernel/security/safesetid/uid_allowlist_policy";
41*053f45beSAndroid Build Coastguard Worker char* add_gid_whitelist_policy_file = "/sys/kernel/security/safesetid/gid_allowlist_policy";
42*053f45beSAndroid Build Coastguard Worker
die(char * fmt,...)43*053f45beSAndroid Build Coastguard Worker static void die(char *fmt, ...)
44*053f45beSAndroid Build Coastguard Worker {
45*053f45beSAndroid Build Coastguard Worker va_list ap;
46*053f45beSAndroid Build Coastguard Worker va_start(ap, fmt);
47*053f45beSAndroid Build Coastguard Worker vfprintf(stderr, fmt, ap);
48*053f45beSAndroid Build Coastguard Worker va_end(ap);
49*053f45beSAndroid Build Coastguard Worker exit(EXIT_FAILURE);
50*053f45beSAndroid Build Coastguard Worker }
51*053f45beSAndroid Build Coastguard Worker
vmaybe_write_file(bool enoent_ok,char * filename,char * fmt,va_list ap)52*053f45beSAndroid Build Coastguard Worker static bool vmaybe_write_file(bool enoent_ok, char *filename, char *fmt, va_list ap)
53*053f45beSAndroid Build Coastguard Worker {
54*053f45beSAndroid Build Coastguard Worker char buf[4096];
55*053f45beSAndroid Build Coastguard Worker int fd;
56*053f45beSAndroid Build Coastguard Worker ssize_t written;
57*053f45beSAndroid Build Coastguard Worker int buf_len;
58*053f45beSAndroid Build Coastguard Worker
59*053f45beSAndroid Build Coastguard Worker buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
60*053f45beSAndroid Build Coastguard Worker if (buf_len < 0) {
61*053f45beSAndroid Build Coastguard Worker printf("vsnprintf failed: %s\n",
62*053f45beSAndroid Build Coastguard Worker strerror(errno));
63*053f45beSAndroid Build Coastguard Worker return false;
64*053f45beSAndroid Build Coastguard Worker }
65*053f45beSAndroid Build Coastguard Worker if (buf_len >= sizeof(buf)) {
66*053f45beSAndroid Build Coastguard Worker printf("vsnprintf output truncated\n");
67*053f45beSAndroid Build Coastguard Worker return false;
68*053f45beSAndroid Build Coastguard Worker }
69*053f45beSAndroid Build Coastguard Worker
70*053f45beSAndroid Build Coastguard Worker fd = open(filename, O_WRONLY);
71*053f45beSAndroid Build Coastguard Worker if (fd < 0) {
72*053f45beSAndroid Build Coastguard Worker if ((errno == ENOENT) && enoent_ok)
73*053f45beSAndroid Build Coastguard Worker return true;
74*053f45beSAndroid Build Coastguard Worker return false;
75*053f45beSAndroid Build Coastguard Worker }
76*053f45beSAndroid Build Coastguard Worker written = write(fd, buf, buf_len);
77*053f45beSAndroid Build Coastguard Worker if (written != buf_len) {
78*053f45beSAndroid Build Coastguard Worker if (written >= 0) {
79*053f45beSAndroid Build Coastguard Worker printf("short write to %s\n", filename);
80*053f45beSAndroid Build Coastguard Worker return false;
81*053f45beSAndroid Build Coastguard Worker } else {
82*053f45beSAndroid Build Coastguard Worker printf("write to %s failed: %s\n",
83*053f45beSAndroid Build Coastguard Worker filename, strerror(errno));
84*053f45beSAndroid Build Coastguard Worker return false;
85*053f45beSAndroid Build Coastguard Worker }
86*053f45beSAndroid Build Coastguard Worker }
87*053f45beSAndroid Build Coastguard Worker if (close(fd) != 0) {
88*053f45beSAndroid Build Coastguard Worker printf("close of %s failed: %s\n",
89*053f45beSAndroid Build Coastguard Worker filename, strerror(errno));
90*053f45beSAndroid Build Coastguard Worker return false;
91*053f45beSAndroid Build Coastguard Worker }
92*053f45beSAndroid Build Coastguard Worker return true;
93*053f45beSAndroid Build Coastguard Worker }
94*053f45beSAndroid Build Coastguard Worker
write_file(char * filename,char * fmt,...)95*053f45beSAndroid Build Coastguard Worker static bool write_file(char *filename, char *fmt, ...)
96*053f45beSAndroid Build Coastguard Worker {
97*053f45beSAndroid Build Coastguard Worker va_list ap;
98*053f45beSAndroid Build Coastguard Worker bool ret;
99*053f45beSAndroid Build Coastguard Worker
100*053f45beSAndroid Build Coastguard Worker va_start(ap, fmt);
101*053f45beSAndroid Build Coastguard Worker ret = vmaybe_write_file(false, filename, fmt, ap);
102*053f45beSAndroid Build Coastguard Worker va_end(ap);
103*053f45beSAndroid Build Coastguard Worker
104*053f45beSAndroid Build Coastguard Worker return ret;
105*053f45beSAndroid Build Coastguard Worker }
106*053f45beSAndroid Build Coastguard Worker
ensure_user_exists(uid_t uid)107*053f45beSAndroid Build Coastguard Worker static void ensure_user_exists(uid_t uid)
108*053f45beSAndroid Build Coastguard Worker {
109*053f45beSAndroid Build Coastguard Worker struct passwd p;
110*053f45beSAndroid Build Coastguard Worker
111*053f45beSAndroid Build Coastguard Worker FILE *fd;
112*053f45beSAndroid Build Coastguard Worker char name_str[10];
113*053f45beSAndroid Build Coastguard Worker
114*053f45beSAndroid Build Coastguard Worker if (getpwuid(uid) == NULL) {
115*053f45beSAndroid Build Coastguard Worker memset(&p,0x00,sizeof(p));
116*053f45beSAndroid Build Coastguard Worker fd=fopen("/etc/passwd","a");
117*053f45beSAndroid Build Coastguard Worker if (fd == NULL)
118*053f45beSAndroid Build Coastguard Worker die("couldn't open file\n");
119*053f45beSAndroid Build Coastguard Worker if (fseek(fd, 0, SEEK_END))
120*053f45beSAndroid Build Coastguard Worker die("couldn't fseek\n");
121*053f45beSAndroid Build Coastguard Worker snprintf(name_str, 10, "user %d", uid);
122*053f45beSAndroid Build Coastguard Worker p.pw_name=name_str;
123*053f45beSAndroid Build Coastguard Worker p.pw_uid=uid;
124*053f45beSAndroid Build Coastguard Worker p.pw_gid=uid;
125*053f45beSAndroid Build Coastguard Worker p.pw_gecos="Test account";
126*053f45beSAndroid Build Coastguard Worker p.pw_dir="/dev/null";
127*053f45beSAndroid Build Coastguard Worker p.pw_shell="/bin/false";
128*053f45beSAndroid Build Coastguard Worker int value = putpwent(&p,fd);
129*053f45beSAndroid Build Coastguard Worker if (value != 0)
130*053f45beSAndroid Build Coastguard Worker die("putpwent failed\n");
131*053f45beSAndroid Build Coastguard Worker if (fclose(fd))
132*053f45beSAndroid Build Coastguard Worker die("fclose failed\n");
133*053f45beSAndroid Build Coastguard Worker }
134*053f45beSAndroid Build Coastguard Worker }
135*053f45beSAndroid Build Coastguard Worker
ensure_group_exists(gid_t gid)136*053f45beSAndroid Build Coastguard Worker static void ensure_group_exists(gid_t gid)
137*053f45beSAndroid Build Coastguard Worker {
138*053f45beSAndroid Build Coastguard Worker struct group g;
139*053f45beSAndroid Build Coastguard Worker
140*053f45beSAndroid Build Coastguard Worker FILE *fd;
141*053f45beSAndroid Build Coastguard Worker char name_str[10];
142*053f45beSAndroid Build Coastguard Worker
143*053f45beSAndroid Build Coastguard Worker if (getgrgid(gid) == NULL) {
144*053f45beSAndroid Build Coastguard Worker memset(&g,0x00,sizeof(g));
145*053f45beSAndroid Build Coastguard Worker fd=fopen("/etc/group","a");
146*053f45beSAndroid Build Coastguard Worker if (fd == NULL)
147*053f45beSAndroid Build Coastguard Worker die("couldn't open group file\n");
148*053f45beSAndroid Build Coastguard Worker if (fseek(fd, 0, SEEK_END))
149*053f45beSAndroid Build Coastguard Worker die("couldn't fseek group file\n");
150*053f45beSAndroid Build Coastguard Worker snprintf(name_str, 10, "group %d", gid);
151*053f45beSAndroid Build Coastguard Worker g.gr_name=name_str;
152*053f45beSAndroid Build Coastguard Worker g.gr_gid=gid;
153*053f45beSAndroid Build Coastguard Worker g.gr_passwd=NULL;
154*053f45beSAndroid Build Coastguard Worker g.gr_mem=NULL;
155*053f45beSAndroid Build Coastguard Worker int value = putgrent(&g,fd);
156*053f45beSAndroid Build Coastguard Worker if (value != 0)
157*053f45beSAndroid Build Coastguard Worker die("putgrent failed\n");
158*053f45beSAndroid Build Coastguard Worker if (fclose(fd))
159*053f45beSAndroid Build Coastguard Worker die("fclose failed\n");
160*053f45beSAndroid Build Coastguard Worker }
161*053f45beSAndroid Build Coastguard Worker }
162*053f45beSAndroid Build Coastguard Worker
ensure_securityfs_mounted(void)163*053f45beSAndroid Build Coastguard Worker static void ensure_securityfs_mounted(void)
164*053f45beSAndroid Build Coastguard Worker {
165*053f45beSAndroid Build Coastguard Worker int fd = open(add_uid_whitelist_policy_file, O_WRONLY);
166*053f45beSAndroid Build Coastguard Worker if (fd < 0) {
167*053f45beSAndroid Build Coastguard Worker if (errno == ENOENT) {
168*053f45beSAndroid Build Coastguard Worker // Need to mount securityfs
169*053f45beSAndroid Build Coastguard Worker if (mount("securityfs", "/sys/kernel/security",
170*053f45beSAndroid Build Coastguard Worker "securityfs", 0, NULL) < 0)
171*053f45beSAndroid Build Coastguard Worker die("mounting securityfs failed\n");
172*053f45beSAndroid Build Coastguard Worker } else {
173*053f45beSAndroid Build Coastguard Worker die("couldn't find securityfs for unknown reason\n");
174*053f45beSAndroid Build Coastguard Worker }
175*053f45beSAndroid Build Coastguard Worker } else {
176*053f45beSAndroid Build Coastguard Worker if (close(fd) != 0) {
177*053f45beSAndroid Build Coastguard Worker die("close of %s failed: %s\n",
178*053f45beSAndroid Build Coastguard Worker add_uid_whitelist_policy_file, strerror(errno));
179*053f45beSAndroid Build Coastguard Worker }
180*053f45beSAndroid Build Coastguard Worker }
181*053f45beSAndroid Build Coastguard Worker }
182*053f45beSAndroid Build Coastguard Worker
write_uid_policies()183*053f45beSAndroid Build Coastguard Worker static void write_uid_policies()
184*053f45beSAndroid Build Coastguard Worker {
185*053f45beSAndroid Build Coastguard Worker static char *policy_str = UGID_POLICY_STRING;
186*053f45beSAndroid Build Coastguard Worker ssize_t written;
187*053f45beSAndroid Build Coastguard Worker int fd;
188*053f45beSAndroid Build Coastguard Worker
189*053f45beSAndroid Build Coastguard Worker fd = open(add_uid_whitelist_policy_file, O_WRONLY);
190*053f45beSAndroid Build Coastguard Worker if (fd < 0)
191*053f45beSAndroid Build Coastguard Worker die("can't open add_uid_whitelist_policy file\n");
192*053f45beSAndroid Build Coastguard Worker written = write(fd, policy_str, strlen(policy_str));
193*053f45beSAndroid Build Coastguard Worker if (written != strlen(policy_str)) {
194*053f45beSAndroid Build Coastguard Worker if (written >= 0) {
195*053f45beSAndroid Build Coastguard Worker die("short write to %s\n", add_uid_whitelist_policy_file);
196*053f45beSAndroid Build Coastguard Worker } else {
197*053f45beSAndroid Build Coastguard Worker die("write to %s failed: %s\n",
198*053f45beSAndroid Build Coastguard Worker add_uid_whitelist_policy_file, strerror(errno));
199*053f45beSAndroid Build Coastguard Worker }
200*053f45beSAndroid Build Coastguard Worker }
201*053f45beSAndroid Build Coastguard Worker if (close(fd) != 0) {
202*053f45beSAndroid Build Coastguard Worker die("close of %s failed: %s\n",
203*053f45beSAndroid Build Coastguard Worker add_uid_whitelist_policy_file, strerror(errno));
204*053f45beSAndroid Build Coastguard Worker }
205*053f45beSAndroid Build Coastguard Worker }
206*053f45beSAndroid Build Coastguard Worker
write_gid_policies()207*053f45beSAndroid Build Coastguard Worker static void write_gid_policies()
208*053f45beSAndroid Build Coastguard Worker {
209*053f45beSAndroid Build Coastguard Worker static char *policy_str = UGID_POLICY_STRING;
210*053f45beSAndroid Build Coastguard Worker ssize_t written;
211*053f45beSAndroid Build Coastguard Worker int fd;
212*053f45beSAndroid Build Coastguard Worker
213*053f45beSAndroid Build Coastguard Worker fd = open(add_gid_whitelist_policy_file, O_WRONLY);
214*053f45beSAndroid Build Coastguard Worker if (fd < 0)
215*053f45beSAndroid Build Coastguard Worker die("can't open add_gid_whitelist_policy file\n");
216*053f45beSAndroid Build Coastguard Worker written = write(fd, policy_str, strlen(policy_str));
217*053f45beSAndroid Build Coastguard Worker if (written != strlen(policy_str)) {
218*053f45beSAndroid Build Coastguard Worker if (written >= 0) {
219*053f45beSAndroid Build Coastguard Worker die("short write to %s\n", add_gid_whitelist_policy_file);
220*053f45beSAndroid Build Coastguard Worker } else {
221*053f45beSAndroid Build Coastguard Worker die("write to %s failed: %s\n",
222*053f45beSAndroid Build Coastguard Worker add_gid_whitelist_policy_file, strerror(errno));
223*053f45beSAndroid Build Coastguard Worker }
224*053f45beSAndroid Build Coastguard Worker }
225*053f45beSAndroid Build Coastguard Worker if (close(fd) != 0) {
226*053f45beSAndroid Build Coastguard Worker die("close of %s failed: %s\n",
227*053f45beSAndroid Build Coastguard Worker add_gid_whitelist_policy_file, strerror(errno));
228*053f45beSAndroid Build Coastguard Worker }
229*053f45beSAndroid Build Coastguard Worker }
230*053f45beSAndroid Build Coastguard Worker
231*053f45beSAndroid Build Coastguard Worker
test_userns(bool expect_success)232*053f45beSAndroid Build Coastguard Worker static bool test_userns(bool expect_success)
233*053f45beSAndroid Build Coastguard Worker {
234*053f45beSAndroid Build Coastguard Worker uid_t uid;
235*053f45beSAndroid Build Coastguard Worker char map_file_name[32];
236*053f45beSAndroid Build Coastguard Worker size_t sz = sizeof(map_file_name);
237*053f45beSAndroid Build Coastguard Worker pid_t cpid;
238*053f45beSAndroid Build Coastguard Worker bool success;
239*053f45beSAndroid Build Coastguard Worker
240*053f45beSAndroid Build Coastguard Worker uid = getuid();
241*053f45beSAndroid Build Coastguard Worker
242*053f45beSAndroid Build Coastguard Worker int clone_flags = CLONE_NEWUSER;
243*053f45beSAndroid Build Coastguard Worker cpid = syscall(SYS_clone, clone_flags, NULL);
244*053f45beSAndroid Build Coastguard Worker if (cpid == -1) {
245*053f45beSAndroid Build Coastguard Worker printf("clone failed");
246*053f45beSAndroid Build Coastguard Worker return false;
247*053f45beSAndroid Build Coastguard Worker }
248*053f45beSAndroid Build Coastguard Worker
249*053f45beSAndroid Build Coastguard Worker if (cpid == 0) { /* Code executed by child */
250*053f45beSAndroid Build Coastguard Worker // Give parent 1 second to write map file
251*053f45beSAndroid Build Coastguard Worker sleep(1);
252*053f45beSAndroid Build Coastguard Worker exit(EXIT_SUCCESS);
253*053f45beSAndroid Build Coastguard Worker } else { /* Code executed by parent */
254*053f45beSAndroid Build Coastguard Worker if(snprintf(map_file_name, sz, "/proc/%d/uid_map", cpid) < 0) {
255*053f45beSAndroid Build Coastguard Worker printf("preparing file name string failed");
256*053f45beSAndroid Build Coastguard Worker return false;
257*053f45beSAndroid Build Coastguard Worker }
258*053f45beSAndroid Build Coastguard Worker success = write_file(map_file_name, "0 %d 1", uid);
259*053f45beSAndroid Build Coastguard Worker return success == expect_success;
260*053f45beSAndroid Build Coastguard Worker }
261*053f45beSAndroid Build Coastguard Worker
262*053f45beSAndroid Build Coastguard Worker printf("should not reach here");
263*053f45beSAndroid Build Coastguard Worker return false;
264*053f45beSAndroid Build Coastguard Worker }
265*053f45beSAndroid Build Coastguard Worker
test_setuid(uid_t child_uid,bool expect_success)266*053f45beSAndroid Build Coastguard Worker static void test_setuid(uid_t child_uid, bool expect_success)
267*053f45beSAndroid Build Coastguard Worker {
268*053f45beSAndroid Build Coastguard Worker pid_t cpid, w;
269*053f45beSAndroid Build Coastguard Worker int wstatus;
270*053f45beSAndroid Build Coastguard Worker
271*053f45beSAndroid Build Coastguard Worker cpid = fork();
272*053f45beSAndroid Build Coastguard Worker if (cpid == -1) {
273*053f45beSAndroid Build Coastguard Worker die("fork\n");
274*053f45beSAndroid Build Coastguard Worker }
275*053f45beSAndroid Build Coastguard Worker
276*053f45beSAndroid Build Coastguard Worker if (cpid == 0) { /* Code executed by child */
277*053f45beSAndroid Build Coastguard Worker if (setuid(child_uid) < 0)
278*053f45beSAndroid Build Coastguard Worker exit(EXIT_FAILURE);
279*053f45beSAndroid Build Coastguard Worker if (getuid() == child_uid)
280*053f45beSAndroid Build Coastguard Worker exit(EXIT_SUCCESS);
281*053f45beSAndroid Build Coastguard Worker else
282*053f45beSAndroid Build Coastguard Worker exit(EXIT_FAILURE);
283*053f45beSAndroid Build Coastguard Worker } else { /* Code executed by parent */
284*053f45beSAndroid Build Coastguard Worker do {
285*053f45beSAndroid Build Coastguard Worker w = waitpid(cpid, &wstatus, WUNTRACED | WCONTINUED);
286*053f45beSAndroid Build Coastguard Worker if (w == -1) {
287*053f45beSAndroid Build Coastguard Worker die("waitpid\n");
288*053f45beSAndroid Build Coastguard Worker }
289*053f45beSAndroid Build Coastguard Worker
290*053f45beSAndroid Build Coastguard Worker if (WIFEXITED(wstatus)) {
291*053f45beSAndroid Build Coastguard Worker if (WEXITSTATUS(wstatus) == EXIT_SUCCESS) {
292*053f45beSAndroid Build Coastguard Worker if (expect_success) {
293*053f45beSAndroid Build Coastguard Worker return;
294*053f45beSAndroid Build Coastguard Worker } else {
295*053f45beSAndroid Build Coastguard Worker die("unexpected success\n");
296*053f45beSAndroid Build Coastguard Worker }
297*053f45beSAndroid Build Coastguard Worker } else {
298*053f45beSAndroid Build Coastguard Worker if (expect_success) {
299*053f45beSAndroid Build Coastguard Worker die("unexpected failure\n");
300*053f45beSAndroid Build Coastguard Worker } else {
301*053f45beSAndroid Build Coastguard Worker return;
302*053f45beSAndroid Build Coastguard Worker }
303*053f45beSAndroid Build Coastguard Worker }
304*053f45beSAndroid Build Coastguard Worker } else if (WIFSIGNALED(wstatus)) {
305*053f45beSAndroid Build Coastguard Worker if (WTERMSIG(wstatus) == 9) {
306*053f45beSAndroid Build Coastguard Worker if (expect_success)
307*053f45beSAndroid Build Coastguard Worker die("killed unexpectedly\n");
308*053f45beSAndroid Build Coastguard Worker else
309*053f45beSAndroid Build Coastguard Worker return;
310*053f45beSAndroid Build Coastguard Worker } else {
311*053f45beSAndroid Build Coastguard Worker die("unexpected signal: %d\n", wstatus);
312*053f45beSAndroid Build Coastguard Worker }
313*053f45beSAndroid Build Coastguard Worker } else {
314*053f45beSAndroid Build Coastguard Worker die("unexpected status: %d\n", wstatus);
315*053f45beSAndroid Build Coastguard Worker }
316*053f45beSAndroid Build Coastguard Worker } while (!WIFEXITED(wstatus) && !WIFSIGNALED(wstatus));
317*053f45beSAndroid Build Coastguard Worker }
318*053f45beSAndroid Build Coastguard Worker
319*053f45beSAndroid Build Coastguard Worker die("should not reach here\n");
320*053f45beSAndroid Build Coastguard Worker }
321*053f45beSAndroid Build Coastguard Worker
test_setgid(gid_t child_gid,bool expect_success)322*053f45beSAndroid Build Coastguard Worker static void test_setgid(gid_t child_gid, bool expect_success)
323*053f45beSAndroid Build Coastguard Worker {
324*053f45beSAndroid Build Coastguard Worker pid_t cpid, w;
325*053f45beSAndroid Build Coastguard Worker int wstatus;
326*053f45beSAndroid Build Coastguard Worker
327*053f45beSAndroid Build Coastguard Worker cpid = fork();
328*053f45beSAndroid Build Coastguard Worker if (cpid == -1) {
329*053f45beSAndroid Build Coastguard Worker die("fork\n");
330*053f45beSAndroid Build Coastguard Worker }
331*053f45beSAndroid Build Coastguard Worker
332*053f45beSAndroid Build Coastguard Worker if (cpid == 0) { /* Code executed by child */
333*053f45beSAndroid Build Coastguard Worker if (setgid(child_gid) < 0)
334*053f45beSAndroid Build Coastguard Worker exit(EXIT_FAILURE);
335*053f45beSAndroid Build Coastguard Worker if (getgid() == child_gid)
336*053f45beSAndroid Build Coastguard Worker exit(EXIT_SUCCESS);
337*053f45beSAndroid Build Coastguard Worker else
338*053f45beSAndroid Build Coastguard Worker exit(EXIT_FAILURE);
339*053f45beSAndroid Build Coastguard Worker } else { /* Code executed by parent */
340*053f45beSAndroid Build Coastguard Worker do {
341*053f45beSAndroid Build Coastguard Worker w = waitpid(cpid, &wstatus, WUNTRACED | WCONTINUED);
342*053f45beSAndroid Build Coastguard Worker if (w == -1) {
343*053f45beSAndroid Build Coastguard Worker die("waitpid\n");
344*053f45beSAndroid Build Coastguard Worker }
345*053f45beSAndroid Build Coastguard Worker
346*053f45beSAndroid Build Coastguard Worker if (WIFEXITED(wstatus)) {
347*053f45beSAndroid Build Coastguard Worker if (WEXITSTATUS(wstatus) == EXIT_SUCCESS) {
348*053f45beSAndroid Build Coastguard Worker if (expect_success) {
349*053f45beSAndroid Build Coastguard Worker return;
350*053f45beSAndroid Build Coastguard Worker } else {
351*053f45beSAndroid Build Coastguard Worker die("unexpected success\n");
352*053f45beSAndroid Build Coastguard Worker }
353*053f45beSAndroid Build Coastguard Worker } else {
354*053f45beSAndroid Build Coastguard Worker if (expect_success) {
355*053f45beSAndroid Build Coastguard Worker die("unexpected failure\n");
356*053f45beSAndroid Build Coastguard Worker } else {
357*053f45beSAndroid Build Coastguard Worker return;
358*053f45beSAndroid Build Coastguard Worker }
359*053f45beSAndroid Build Coastguard Worker }
360*053f45beSAndroid Build Coastguard Worker } else if (WIFSIGNALED(wstatus)) {
361*053f45beSAndroid Build Coastguard Worker if (WTERMSIG(wstatus) == 9) {
362*053f45beSAndroid Build Coastguard Worker if (expect_success)
363*053f45beSAndroid Build Coastguard Worker die("killed unexpectedly\n");
364*053f45beSAndroid Build Coastguard Worker else
365*053f45beSAndroid Build Coastguard Worker return;
366*053f45beSAndroid Build Coastguard Worker } else {
367*053f45beSAndroid Build Coastguard Worker die("unexpected signal: %d\n", wstatus);
368*053f45beSAndroid Build Coastguard Worker }
369*053f45beSAndroid Build Coastguard Worker } else {
370*053f45beSAndroid Build Coastguard Worker die("unexpected status: %d\n", wstatus);
371*053f45beSAndroid Build Coastguard Worker }
372*053f45beSAndroid Build Coastguard Worker } while (!WIFEXITED(wstatus) && !WIFSIGNALED(wstatus));
373*053f45beSAndroid Build Coastguard Worker }
374*053f45beSAndroid Build Coastguard Worker
375*053f45beSAndroid Build Coastguard Worker die("should not reach here\n");
376*053f45beSAndroid Build Coastguard Worker }
377*053f45beSAndroid Build Coastguard Worker
test_setgroups(gid_t * child_groups,size_t len,bool expect_success)378*053f45beSAndroid Build Coastguard Worker static void test_setgroups(gid_t* child_groups, size_t len, bool expect_success)
379*053f45beSAndroid Build Coastguard Worker {
380*053f45beSAndroid Build Coastguard Worker pid_t cpid, w;
381*053f45beSAndroid Build Coastguard Worker int wstatus;
382*053f45beSAndroid Build Coastguard Worker gid_t groupset[len];
383*053f45beSAndroid Build Coastguard Worker int i, j;
384*053f45beSAndroid Build Coastguard Worker
385*053f45beSAndroid Build Coastguard Worker cpid = fork();
386*053f45beSAndroid Build Coastguard Worker if (cpid == -1) {
387*053f45beSAndroid Build Coastguard Worker die("fork\n");
388*053f45beSAndroid Build Coastguard Worker }
389*053f45beSAndroid Build Coastguard Worker
390*053f45beSAndroid Build Coastguard Worker if (cpid == 0) { /* Code executed by child */
391*053f45beSAndroid Build Coastguard Worker if (setgroups(len, child_groups) != 0)
392*053f45beSAndroid Build Coastguard Worker exit(EXIT_FAILURE);
393*053f45beSAndroid Build Coastguard Worker if (getgroups(len, groupset) != len)
394*053f45beSAndroid Build Coastguard Worker exit(EXIT_FAILURE);
395*053f45beSAndroid Build Coastguard Worker for (i = 0; i < len; i++) {
396*053f45beSAndroid Build Coastguard Worker for (j = 0; j < len; j++) {
397*053f45beSAndroid Build Coastguard Worker if (child_groups[i] == groupset[j])
398*053f45beSAndroid Build Coastguard Worker break;
399*053f45beSAndroid Build Coastguard Worker if (j == len - 1)
400*053f45beSAndroid Build Coastguard Worker exit(EXIT_FAILURE);
401*053f45beSAndroid Build Coastguard Worker }
402*053f45beSAndroid Build Coastguard Worker }
403*053f45beSAndroid Build Coastguard Worker exit(EXIT_SUCCESS);
404*053f45beSAndroid Build Coastguard Worker } else { /* Code executed by parent */
405*053f45beSAndroid Build Coastguard Worker do {
406*053f45beSAndroid Build Coastguard Worker w = waitpid(cpid, &wstatus, WUNTRACED | WCONTINUED);
407*053f45beSAndroid Build Coastguard Worker if (w == -1) {
408*053f45beSAndroid Build Coastguard Worker die("waitpid\n");
409*053f45beSAndroid Build Coastguard Worker }
410*053f45beSAndroid Build Coastguard Worker
411*053f45beSAndroid Build Coastguard Worker if (WIFEXITED(wstatus)) {
412*053f45beSAndroid Build Coastguard Worker if (WEXITSTATUS(wstatus) == EXIT_SUCCESS) {
413*053f45beSAndroid Build Coastguard Worker if (expect_success) {
414*053f45beSAndroid Build Coastguard Worker return;
415*053f45beSAndroid Build Coastguard Worker } else {
416*053f45beSAndroid Build Coastguard Worker die("unexpected success\n");
417*053f45beSAndroid Build Coastguard Worker }
418*053f45beSAndroid Build Coastguard Worker } else {
419*053f45beSAndroid Build Coastguard Worker if (expect_success) {
420*053f45beSAndroid Build Coastguard Worker die("unexpected failure\n");
421*053f45beSAndroid Build Coastguard Worker } else {
422*053f45beSAndroid Build Coastguard Worker return;
423*053f45beSAndroid Build Coastguard Worker }
424*053f45beSAndroid Build Coastguard Worker }
425*053f45beSAndroid Build Coastguard Worker } else if (WIFSIGNALED(wstatus)) {
426*053f45beSAndroid Build Coastguard Worker if (WTERMSIG(wstatus) == 9) {
427*053f45beSAndroid Build Coastguard Worker if (expect_success)
428*053f45beSAndroid Build Coastguard Worker die("killed unexpectedly\n");
429*053f45beSAndroid Build Coastguard Worker else
430*053f45beSAndroid Build Coastguard Worker return;
431*053f45beSAndroid Build Coastguard Worker } else {
432*053f45beSAndroid Build Coastguard Worker die("unexpected signal: %d\n", wstatus);
433*053f45beSAndroid Build Coastguard Worker }
434*053f45beSAndroid Build Coastguard Worker } else {
435*053f45beSAndroid Build Coastguard Worker die("unexpected status: %d\n", wstatus);
436*053f45beSAndroid Build Coastguard Worker }
437*053f45beSAndroid Build Coastguard Worker } while (!WIFEXITED(wstatus) && !WIFSIGNALED(wstatus));
438*053f45beSAndroid Build Coastguard Worker }
439*053f45beSAndroid Build Coastguard Worker
440*053f45beSAndroid Build Coastguard Worker die("should not reach here\n");
441*053f45beSAndroid Build Coastguard Worker }
442*053f45beSAndroid Build Coastguard Worker
443*053f45beSAndroid Build Coastguard Worker
ensure_users_exist(void)444*053f45beSAndroid Build Coastguard Worker static void ensure_users_exist(void)
445*053f45beSAndroid Build Coastguard Worker {
446*053f45beSAndroid Build Coastguard Worker ensure_user_exists(ROOT_UGID);
447*053f45beSAndroid Build Coastguard Worker ensure_user_exists(RESTRICTED_PARENT_UGID);
448*053f45beSAndroid Build Coastguard Worker ensure_user_exists(ALLOWED_CHILD1_UGID);
449*053f45beSAndroid Build Coastguard Worker ensure_user_exists(ALLOWED_CHILD2_UGID);
450*053f45beSAndroid Build Coastguard Worker ensure_user_exists(NO_POLICY_UGID);
451*053f45beSAndroid Build Coastguard Worker }
452*053f45beSAndroid Build Coastguard Worker
ensure_groups_exist(void)453*053f45beSAndroid Build Coastguard Worker static void ensure_groups_exist(void)
454*053f45beSAndroid Build Coastguard Worker {
455*053f45beSAndroid Build Coastguard Worker ensure_group_exists(ROOT_UGID);
456*053f45beSAndroid Build Coastguard Worker ensure_group_exists(RESTRICTED_PARENT_UGID);
457*053f45beSAndroid Build Coastguard Worker ensure_group_exists(ALLOWED_CHILD1_UGID);
458*053f45beSAndroid Build Coastguard Worker ensure_group_exists(ALLOWED_CHILD2_UGID);
459*053f45beSAndroid Build Coastguard Worker ensure_group_exists(NO_POLICY_UGID);
460*053f45beSAndroid Build Coastguard Worker }
461*053f45beSAndroid Build Coastguard Worker
drop_caps(bool setid_retained)462*053f45beSAndroid Build Coastguard Worker static void drop_caps(bool setid_retained)
463*053f45beSAndroid Build Coastguard Worker {
464*053f45beSAndroid Build Coastguard Worker cap_value_t cap_values[] = {CAP_SETUID, CAP_SETGID};
465*053f45beSAndroid Build Coastguard Worker cap_t caps;
466*053f45beSAndroid Build Coastguard Worker
467*053f45beSAndroid Build Coastguard Worker caps = cap_get_proc();
468*053f45beSAndroid Build Coastguard Worker if (setid_retained)
469*053f45beSAndroid Build Coastguard Worker cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_values, CAP_SET);
470*053f45beSAndroid Build Coastguard Worker else
471*053f45beSAndroid Build Coastguard Worker cap_clear(caps);
472*053f45beSAndroid Build Coastguard Worker cap_set_proc(caps);
473*053f45beSAndroid Build Coastguard Worker cap_free(caps);
474*053f45beSAndroid Build Coastguard Worker }
475*053f45beSAndroid Build Coastguard Worker
main(int argc,char ** argv)476*053f45beSAndroid Build Coastguard Worker int main(int argc, char **argv)
477*053f45beSAndroid Build Coastguard Worker {
478*053f45beSAndroid Build Coastguard Worker ensure_groups_exist();
479*053f45beSAndroid Build Coastguard Worker ensure_users_exist();
480*053f45beSAndroid Build Coastguard Worker ensure_securityfs_mounted();
481*053f45beSAndroid Build Coastguard Worker write_uid_policies();
482*053f45beSAndroid Build Coastguard Worker write_gid_policies();
483*053f45beSAndroid Build Coastguard Worker
484*053f45beSAndroid Build Coastguard Worker if (prctl(PR_SET_KEEPCAPS, 1L))
485*053f45beSAndroid Build Coastguard Worker die("Error with set keepcaps\n");
486*053f45beSAndroid Build Coastguard Worker
487*053f45beSAndroid Build Coastguard Worker // First test to make sure we can write userns mappings from a non-root
488*053f45beSAndroid Build Coastguard Worker // user that doesn't have any restrictions (as long as it has
489*053f45beSAndroid Build Coastguard Worker // CAP_SETUID);
490*053f45beSAndroid Build Coastguard Worker if (setgid(NO_POLICY_UGID) < 0)
491*053f45beSAndroid Build Coastguard Worker die("Error with set gid(%d)\n", NO_POLICY_UGID);
492*053f45beSAndroid Build Coastguard Worker if (setuid(NO_POLICY_UGID) < 0)
493*053f45beSAndroid Build Coastguard Worker die("Error with set uid(%d)\n", NO_POLICY_UGID);
494*053f45beSAndroid Build Coastguard Worker // Take away all but setid caps
495*053f45beSAndroid Build Coastguard Worker drop_caps(true);
496*053f45beSAndroid Build Coastguard Worker // Need PR_SET_DUMPABLE flag set so we can write /proc/[pid]/uid_map
497*053f45beSAndroid Build Coastguard Worker // from non-root parent process.
498*053f45beSAndroid Build Coastguard Worker if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0))
499*053f45beSAndroid Build Coastguard Worker die("Error with set dumpable\n");
500*053f45beSAndroid Build Coastguard Worker if (!test_userns(true)) {
501*053f45beSAndroid Build Coastguard Worker die("test_userns failed when it should work\n");
502*053f45beSAndroid Build Coastguard Worker }
503*053f45beSAndroid Build Coastguard Worker
504*053f45beSAndroid Build Coastguard Worker // Now switch to a user/group with restrictions
505*053f45beSAndroid Build Coastguard Worker if (setgid(RESTRICTED_PARENT_UGID) < 0)
506*053f45beSAndroid Build Coastguard Worker die("Error with set gid(%d)\n", RESTRICTED_PARENT_UGID);
507*053f45beSAndroid Build Coastguard Worker if (setuid(RESTRICTED_PARENT_UGID) < 0)
508*053f45beSAndroid Build Coastguard Worker die("Error with set uid(%d)\n", RESTRICTED_PARENT_UGID);
509*053f45beSAndroid Build Coastguard Worker
510*053f45beSAndroid Build Coastguard Worker test_setuid(ROOT_UGID, false);
511*053f45beSAndroid Build Coastguard Worker test_setuid(ALLOWED_CHILD1_UGID, true);
512*053f45beSAndroid Build Coastguard Worker test_setuid(ALLOWED_CHILD2_UGID, true);
513*053f45beSAndroid Build Coastguard Worker test_setuid(NO_POLICY_UGID, false);
514*053f45beSAndroid Build Coastguard Worker
515*053f45beSAndroid Build Coastguard Worker test_setgid(ROOT_UGID, false);
516*053f45beSAndroid Build Coastguard Worker test_setgid(ALLOWED_CHILD1_UGID, true);
517*053f45beSAndroid Build Coastguard Worker test_setgid(ALLOWED_CHILD2_UGID, true);
518*053f45beSAndroid Build Coastguard Worker test_setgid(NO_POLICY_UGID, false);
519*053f45beSAndroid Build Coastguard Worker
520*053f45beSAndroid Build Coastguard Worker gid_t allowed_supp_groups[2] = {ALLOWED_CHILD1_UGID, ALLOWED_CHILD2_UGID};
521*053f45beSAndroid Build Coastguard Worker gid_t disallowed_supp_groups[2] = {ROOT_UGID, NO_POLICY_UGID};
522*053f45beSAndroid Build Coastguard Worker test_setgroups(allowed_supp_groups, 2, true);
523*053f45beSAndroid Build Coastguard Worker test_setgroups(disallowed_supp_groups, 2, false);
524*053f45beSAndroid Build Coastguard Worker
525*053f45beSAndroid Build Coastguard Worker if (!test_userns(false)) {
526*053f45beSAndroid Build Coastguard Worker die("test_userns worked when it should fail\n");
527*053f45beSAndroid Build Coastguard Worker }
528*053f45beSAndroid Build Coastguard Worker
529*053f45beSAndroid Build Coastguard Worker // Now take away all caps
530*053f45beSAndroid Build Coastguard Worker drop_caps(false);
531*053f45beSAndroid Build Coastguard Worker test_setuid(2, false);
532*053f45beSAndroid Build Coastguard Worker test_setuid(3, false);
533*053f45beSAndroid Build Coastguard Worker test_setuid(4, false);
534*053f45beSAndroid Build Coastguard Worker test_setgid(2, false);
535*053f45beSAndroid Build Coastguard Worker test_setgid(3, false);
536*053f45beSAndroid Build Coastguard Worker test_setgid(4, false);
537*053f45beSAndroid Build Coastguard Worker
538*053f45beSAndroid Build Coastguard Worker // NOTE: this test doesn't clean up users that were created in
539*053f45beSAndroid Build Coastguard Worker // /etc/passwd or flush policies that were added to the LSM.
540*053f45beSAndroid Build Coastguard Worker printf("test successful!\n");
541*053f45beSAndroid Build Coastguard Worker return EXIT_SUCCESS;
542*053f45beSAndroid Build Coastguard Worker }
543