#include <limits.h>
#include <linux/types.h>
#include <linux/unistd.h>
-#include "kselftest.h"
+#include "kselftest_harness.h"
#define BUILD_BUG_ON(e) ((void)(sizeof(struct { int:(-!!(e)); })))
(similar to chroot(2)). */
#endif /* RESOLVE_IN_ROOT */
-#define E_func(func, ...) \
- do { \
- errno = 0; \
- if (func(__VA_ARGS__) < 0) \
- ksft_exit_fail_msg("%s:%d %s failed - errno:%d\n", \
- __FILE__, __LINE__, #func, errno); \
- } while (0)
-
-#define E_asprintf(...) E_func(asprintf, __VA_ARGS__)
-#define E_chmod(...) E_func(chmod, __VA_ARGS__)
-#define E_dup2(...) E_func(dup2, __VA_ARGS__)
-#define E_fchdir(...) E_func(fchdir, __VA_ARGS__)
-#define E_fstatat(...) E_func(fstatat, __VA_ARGS__)
-#define E_kill(...) E_func(kill, __VA_ARGS__)
-#define E_mkdirat(...) E_func(mkdirat, __VA_ARGS__)
-#define E_mount(...) E_func(mount, __VA_ARGS__)
-#define E_prctl(...) E_func(prctl, __VA_ARGS__)
-#define E_readlink(...) E_func(readlink, __VA_ARGS__)
-#define E_setresuid(...) E_func(setresuid, __VA_ARGS__)
-#define E_symlinkat(...) E_func(symlinkat, __VA_ARGS__)
-#define E_touchat(...) E_func(touchat, __VA_ARGS__)
-#define E_unshare(...) E_func(unshare, __VA_ARGS__)
-
-#define E_assert(expr, msg, ...) \
- do { \
- if (!(expr)) \
- ksft_exit_fail_msg("ASSERT(%s:%d) failed (%s): " msg "\n", \
- __FILE__, __LINE__, #expr, ##__VA_ARGS__); \
- } while (0)
-
__maybe_unused
static bool needs_openat2(const struct open_how *how)
{
}
__maybe_unused
-static char *fdreadlink(int fd)
+static char *fdreadlink(struct __test_metadata *_metadata, int fd)
{
char *target, *tmp;
- E_asprintf(&tmp, "/proc/self/fd/%d", fd);
+ ASSERT_GT(asprintf(&tmp, "/proc/self/fd/%d", fd), 0);
target = malloc(PATH_MAX);
- if (!target)
- ksft_exit_fail_msg("fdreadlink: malloc failed\n");
+ ASSERT_NE(target, NULL);
memset(target, 0, PATH_MAX);
- E_readlink(tmp, target, PATH_MAX);
+ ASSERT_GT(readlink(tmp, target, PATH_MAX), 0);
+
free(tmp);
return target;
}
__maybe_unused
-static bool fdequal(int fd, int dfd, const char *path)
+static bool fdequal(struct __test_metadata *_metadata, int fd,
+ int dfd, const char *path)
{
char *fdpath, *dfdpath, *other;
bool cmp;
- fdpath = fdreadlink(fd);
- dfdpath = fdreadlink(dfd);
+ fdpath = fdreadlink(_metadata, fd);
+ dfdpath = fdreadlink(_metadata, dfd);
- if (!path)
- E_asprintf(&other, "%s", dfdpath);
- else if (*path == '/')
- E_asprintf(&other, "%s", path);
- else
- E_asprintf(&other, "%s/%s", dfdpath, path);
+ if (!path) {
+ ASSERT_GT(asprintf(&other, "%s", dfdpath), 0);
+ } else if (*path == '/') {
+ ASSERT_GT(asprintf(&other, "%s", path), 0);
+ } else {
+ ASSERT_GT(asprintf(&other, "%s/%s", dfdpath, path), 0);
+ }
cmp = !strcmp(fdpath, other);
#include <stdbool.h>
#include <string.h>
-#include "kselftest.h"
#include "helpers.h"
+#include "kselftest_harness.h"
/*
* O_LARGEFILE is set to 0 by glibc.
int err;
};
-#define NUM_OPENAT2_STRUCT_TESTS 7
-#define NUM_OPENAT2_STRUCT_VARIATIONS 13
+struct flag_test {
+ const char *name;
+ struct open_how how;
+ int err;
+};
+
+FIXTURE(openat2) {};
-void test_openat2_struct(void)
+FIXTURE_SETUP(openat2)
{
- int misalignments[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 17, 87 };
+ if (!openat2_supported)
+ SKIP(return, "openat2(2) not supported");
+}
+
+FIXTURE_TEARDOWN(openat2) {}
+/*
+ * Verify that the struct size and misalignment handling for openat2(2) is
+ * correct, including that is_zeroed_user() works.
+ */
+TEST_F(openat2, struct_argument_sizes)
+{
+ int misalignments[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 17, 87 };
struct struct_test tests[] = {
/* Normal struct. */
{ .name = "normal struct",
.size = sizeof(struct open_how_ext), .err = -E2BIG },
};
- BUILD_BUG_ON(ARRAY_SIZE(misalignments) != NUM_OPENAT2_STRUCT_VARIATIONS);
- BUILD_BUG_ON(ARRAY_SIZE(tests) != NUM_OPENAT2_STRUCT_TESTS);
-
for (int i = 0; i < ARRAY_SIZE(tests); i++) {
struct struct_test *test = &tests[i];
struct open_how_ext how_ext = test->arg;
for (int j = 0; j < ARRAY_SIZE(misalignments); j++) {
int fd, misalign = misalignments[j];
- char *fdpath = NULL;
- bool failed;
- void (*resultfn)(const char *msg, ...) = ksft_test_result_pass;
-
void *copy = NULL, *how_copy = &how_ext;
-
- if (!openat2_supported) {
- ksft_print_msg("openat2(2) unsupported\n");
- resultfn = ksft_test_result_skip;
- goto skip;
- }
+ char *fdpath = NULL;
if (misalign) {
/*
}
fd = raw_openat2(AT_FDCWD, ".", how_copy, test->size);
- if (test->err >= 0)
- failed = (fd < 0);
- else
- failed = (fd != test->err);
if (fd >= 0) {
- fdpath = fdreadlink(fd);
+ fdpath = fdreadlink(_metadata, fd);
close(fd);
}
- if (failed) {
- resultfn = ksft_test_result_fail;
-
- ksft_print_msg("openat2 unexpectedly returned ");
- if (fdpath)
- ksft_print_msg("%d['%s']\n", fd, fdpath);
- else
- ksft_print_msg("%d (%s)\n", fd, strerror(-fd));
+ if (test->err >= 0) {
+ EXPECT_GE(fd, 0) {
+ TH_LOG("openat2 with %s [misalign=%d] should succeed, got %d (%s)",
+ test->name, misalign,
+ fd, strerror(-fd));
+ }
+ } else {
+ EXPECT_EQ(test->err, fd) {
+ if (fdpath)
+ TH_LOG("openat2 with %s [misalign=%d] should fail with %d (%s), got %d['%s']",
+ test->name, misalign,
+ test->err,
+ strerror(-test->err),
+ fd, fdpath);
+ else
+ TH_LOG("openat2 with %s [misalign=%d] should fail with %d (%s), got %d (%s)",
+ test->name, misalign,
+ test->err,
+ strerror(-test->err),
+ fd, strerror(-fd));
+ }
}
-skip:
- if (test->err >= 0)
- resultfn("openat2 with %s argument [misalign=%d] succeeds\n",
- test->name, misalign);
- else
- resultfn("openat2 with %s argument [misalign=%d] fails with %d (%s)\n",
- test->name, misalign, test->err,
- strerror(-test->err));
-
free(copy);
free(fdpath);
- fflush(stdout);
}
}
}
-struct flag_test {
- const char *name;
- struct open_how how;
- int err;
-};
-
-#define NUM_OPENAT2_FLAG_TESTS 25
-
-void test_openat2_flags(void)
+/* Verify openat2(2) flag and mode validation. */
+TEST_F(openat2, flag_validation)
{
struct flag_test tests[] = {
/* O_TMPFILE is incompatible with O_PATH and O_CREAT. */
.how.resolve = 0, .err = -EINVAL },
};
- BUILD_BUG_ON(ARRAY_SIZE(tests) != NUM_OPENAT2_FLAG_TESTS);
-
for (int i = 0; i < ARRAY_SIZE(tests); i++) {
int fd, fdflags = -1;
char *path, *fdpath = NULL;
- bool failed = false;
struct flag_test *test = &tests[i];
- void (*resultfn)(const char *msg, ...) = ksft_test_result_pass;
-
- if (!openat2_supported) {
- ksft_print_msg("openat2(2) unsupported\n");
- resultfn = ksft_test_result_skip;
- goto skip;
- }
path = (test->how.flags & O_CREAT) ? "/tmp/ksft.openat2_tmpfile" : ".";
unlink(path);
* Skip the testcase if it failed because not supported
* by FS. (e.g. a valid O_TMPFILE combination on NFS)
*/
- ksft_test_result_skip("openat2 with %s fails with %d (%s)\n",
- test->name, fd, strerror(-fd));
- goto next;
+ TH_LOG("openat2 with %s not supported by FS -- skipping",
+ test->name);
+ continue;
}
- if (test->err >= 0)
- failed = (fd < 0);
- else
- failed = (fd != test->err);
- if (fd >= 0) {
- int otherflags;
-
- fdpath = fdreadlink(fd);
- fdflags = fcntl(fd, F_GETFL);
- otherflags = fcntl(fd, F_GETFD);
- close(fd);
-
- E_assert(fdflags >= 0, "fcntl F_GETFL of new fd");
- E_assert(otherflags >= 0, "fcntl F_GETFD of new fd");
-
- /* O_CLOEXEC isn't shown in F_GETFL. */
- if (otherflags & FD_CLOEXEC)
- fdflags |= O_CLOEXEC;
- /* O_CREAT is hidden from F_GETFL. */
- if (test->how.flags & O_CREAT)
- fdflags |= O_CREAT;
- if (!(test->how.flags & O_LARGEFILE))
- fdflags &= ~O_LARGEFILE;
- failed |= (fdflags != test->how.flags);
- }
+ if (test->err >= 0) {
+ EXPECT_GE(fd, 0) {
+ TH_LOG("openat2 with %s should succeed, got %d (%s)",
+ test->name, fd, strerror(-fd));
+ }
+ if (fd >= 0) {
+ int otherflags;
- if (failed) {
- resultfn = ksft_test_result_fail;
+ fdpath = fdreadlink(_metadata, fd);
+ fdflags = fcntl(fd, F_GETFL);
+ otherflags = fcntl(fd, F_GETFD);
+ close(fd);
- ksft_print_msg("openat2 unexpectedly returned ");
- if (fdpath)
- ksft_print_msg("%d['%s'] with %X (!= %llX)\n",
- fd, fdpath, fdflags,
- test->how.flags);
- else
- ksft_print_msg("%d (%s)\n", fd, strerror(-fd));
+ ASSERT_GE(fdflags, 0);
+ ASSERT_GE(otherflags, 0);
+
+ /* O_CLOEXEC isn't shown in F_GETFL. */
+ if (otherflags & FD_CLOEXEC)
+ fdflags |= O_CLOEXEC;
+ /* O_CREAT is hidden from F_GETFL. */
+ if (test->how.flags & O_CREAT)
+ fdflags |= O_CREAT;
+ if (!(test->how.flags & O_LARGEFILE))
+ fdflags &= ~O_LARGEFILE;
+
+ EXPECT_EQ(fdflags, (int)test->how.flags) {
+ TH_LOG("openat2 with %s: flags mismatch %X != %llX",
+ test->name, fdflags,
+ (unsigned long long)test->how.flags);
+ }
+ }
+ } else {
+ EXPECT_EQ(test->err, fd) {
+ if (fd >= 0) {
+ fdpath = fdreadlink(_metadata, fd);
+ TH_LOG("openat2 with %s should fail with %d (%s), got %d['%s']",
+ test->name, test->err,
+ strerror(-test->err),
+ fd, fdpath);
+ } else {
+ TH_LOG("openat2 with %s should fail with %d (%s), got %d (%s)",
+ test->name, test->err,
+ strerror(-test->err),
+ fd, strerror(-fd));
+ }
+ }
+ if (fd >= 0)
+ close(fd);
}
-skip:
- if (test->err >= 0)
- resultfn("openat2 with %s succeeds\n", test->name);
- else
- resultfn("openat2 with %s fails with %d (%s)\n",
- test->name, test->err, strerror(-test->err));
-next:
free(fdpath);
- fflush(stdout);
}
}
-#define NUM_TESTS (NUM_OPENAT2_STRUCT_VARIATIONS * NUM_OPENAT2_STRUCT_TESTS + \
- NUM_OPENAT2_FLAG_TESTS)
-
-int main(int argc, char **argv)
-{
- ksft_print_header();
- ksft_set_plan(NUM_TESTS);
-
- test_openat2_struct();
- test_openat2_flags();
-
- if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0)
- ksft_exit_fail();
- else
- ksft_exit_pass();
-}
+TEST_HARNESS_MAIN
#include <limits.h>
#include <unistd.h>
-#include "kselftest.h"
#include "helpers.h"
+#include "kselftest_harness.h"
-/* Construct a test directory with the following structure:
- *
- * root/
- * |-- a/
- * | `-- c/
- * `-- b/
- */
-int setup_testdir(void)
-{
- int dfd;
- char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX";
-
- /* Make the top-level directory. */
- if (!mkdtemp(dirname))
- ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n");
- dfd = open(dirname, O_PATH | O_DIRECTORY);
- if (dfd < 0)
- ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n");
-
- E_mkdirat(dfd, "a", 0755);
- E_mkdirat(dfd, "b", 0755);
- E_mkdirat(dfd, "a/c", 0755);
-
- return dfd;
-}
+#define ROUNDS 400000
/* Swap @dirfd/@a and @dirfd/@b constantly. Parent must kill this process. */
-pid_t spawn_attack(int dirfd, char *a, char *b)
+pid_t spawn_attack(struct __test_metadata *_metadata,
+ int dirfd, char *a, char *b)
{
pid_t child = fork();
if (child != 0)
return child;
/* If the parent (the test process) dies, kill ourselves too. */
- E_prctl(PR_SET_PDEATHSIG, SIGKILL);
+ ASSERT_EQ(prctl(PR_SET_PDEATHSIG, SIGKILL), 0);
/* Swap @a and @b. */
for (;;)
exit(1);
}
-#define NUM_RENAME_TESTS 2
-#define ROUNDS 400000
+/*
+ * Construct a test directory with the following structure:
+ *
+ * root/
+ * |-- a/
+ * | `-- c/
+ * `-- b/
+ */
+FIXTURE(rename_attack) {
+ int dfd;
+ int afd;
+ pid_t child;
+};
-const char *flagname(int resolve)
+FIXTURE_SETUP(rename_attack)
{
- switch (resolve) {
- case RESOLVE_IN_ROOT:
- return "RESOLVE_IN_ROOT";
- case RESOLVE_BENEATH:
- return "RESOLVE_BENEATH";
- }
- return "(unknown)";
+ char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX";
+
+ self->dfd = -1;
+ self->afd = -1;
+ self->child = 0;
+
+ /* Make the top-level directory. */
+ ASSERT_NE(mkdtemp(dirname), NULL);
+ self->dfd = open(dirname, O_PATH | O_DIRECTORY);
+ ASSERT_GE(self->dfd, 0);
+
+ ASSERT_EQ(mkdirat(self->dfd, "a", 0755), 0);
+ ASSERT_EQ(mkdirat(self->dfd, "b", 0755), 0);
+ ASSERT_EQ(mkdirat(self->dfd, "a/c", 0755), 0);
+
+ self->afd = openat(self->dfd, "a", O_PATH);
+ ASSERT_GE(self->afd, 0);
+
+ self->child = spawn_attack(_metadata, self->dfd, "a/c", "b");
+ ASSERT_GT(self->child, 0);
}
-void test_rename_attack(int resolve)
+FIXTURE_TEARDOWN(rename_attack)
{
- int dfd, afd;
- pid_t child;
- void (*resultfn)(const char *msg, ...) = ksft_test_result_pass;
- int escapes = 0, other_errs = 0, exdevs = 0, eagains = 0, successes = 0;
+ if (self->child > 0)
+ kill(self->child, SIGKILL);
+ if (self->afd >= 0)
+ close(self->afd);
+ if (self->dfd >= 0)
+ close(self->dfd);
+}
+
+FIXTURE_VARIANT(rename_attack) {
+ int resolve;
+ const char *name;
+};
+FIXTURE_VARIANT_ADD(rename_attack, resolve_beneath) {
+ .resolve = RESOLVE_BENEATH,
+ .name = "RESOLVE_BENEATH",
+};
+
+FIXTURE_VARIANT_ADD(rename_attack, resolve_in_root) {
+ .resolve = RESOLVE_IN_ROOT,
+ .name = "RESOLVE_IN_ROOT",
+};
+
+TEST_F_TIMEOUT(rename_attack, test, 120)
+{
+ int escapes = 0, successes = 0, other_errs = 0, exdevs = 0, eagains = 0;
+ char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../..";
struct open_how how = {
.flags = O_PATH,
- .resolve = resolve,
+ .resolve = variant->resolve,
};
if (!openat2_supported) {
how.resolve = 0;
- ksft_print_msg("openat2(2) unsupported -- using openat(2) instead\n");
+ TH_LOG("openat2(2) unsupported -- using openat(2) instead");
}
- dfd = setup_testdir();
- afd = openat(dfd, "a", O_PATH);
- if (afd < 0)
- ksft_exit_fail_msg("test_rename_attack: failed to open 'a'\n");
-
- child = spawn_attack(dfd, "a/c", "b");
-
for (int i = 0; i < ROUNDS; i++) {
int fd;
- char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../..";
if (openat2_supported)
- fd = sys_openat2(afd, victim_path, &how);
+ fd = sys_openat2(self->afd, victim_path, &how);
else
- fd = sys_openat(afd, victim_path, &how);
+ fd = sys_openat(self->afd, victim_path, &how);
if (fd < 0) {
if (fd == -EAGAIN)
else
other_errs++; /* unexpected error */
} else {
- if (fdequal(fd, afd, NULL))
+ if (fdequal(_metadata, fd, self->afd, NULL))
successes++;
else
escapes++; /* we got an unexpected fd */
}
- close(fd);
+ if (fd >= 0)
+ close(fd);
}
- if (escapes > 0)
- resultfn = ksft_test_result_fail;
- ksft_print_msg("non-escapes: EAGAIN=%d EXDEV=%d E<other>=%d success=%d\n",
- eagains, exdevs, other_errs, successes);
- resultfn("rename attack with %s (%d runs, got %d escapes)\n",
- flagname(resolve), ROUNDS, escapes);
-
- /* Should be killed anyway, but might as well make sure. */
- E_kill(child, SIGKILL);
+ TH_LOG("non-escapes: EAGAIN=%d EXDEV=%d E<other>=%d success=%d",
+ eagains, exdevs, other_errs, successes);
+ ASSERT_EQ(escapes, 0) {
+ TH_LOG("rename attack with %s (%d runs, got %d escapes)",
+ variant->name, ROUNDS, escapes);
+ }
}
-#define NUM_TESTS NUM_RENAME_TESTS
-
-int main(int argc, char **argv)
-{
- ksft_print_header();
- ksft_set_plan(NUM_TESTS);
-
- test_rename_attack(RESOLVE_BENEATH);
- test_rename_attack(RESOLVE_IN_ROOT);
-
- if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0)
- ksft_exit_fail();
- else
- ksft_exit_pass();
-}
+TEST_HARNESS_MAIN
#include <stdbool.h>
#include <string.h>
-#include "kselftest.h"
#include "helpers.h"
+#include "kselftest_harness.h"
+
+struct resolve_test {
+ const char *name;
+ const char *dir;
+ const char *path;
+ struct open_how how;
+ bool pass;
+ union {
+ int err;
+ const char *path;
+ } out;
+};
+
+/*
+ * Verify a single resolve test case. This must be called from within a TEST_F
+ * function with _metadata in scope.
+ */
+static void verify_resolve_test(struct __test_metadata *_metadata,
+ int rootfd, int hardcoded_fd,
+ const struct resolve_test *test)
+{
+ struct open_how how = test->how;
+ int dfd, fd;
+ char *fdpath = NULL;
+
+ /* Auto-set O_PATH. */
+ if (!(how.flags & O_CREAT))
+ how.flags |= O_PATH;
+
+ if (test->dir)
+ dfd = openat(rootfd, test->dir, O_PATH | O_DIRECTORY);
+ else
+ dfd = dup(rootfd);
+ ASSERT_GE(dfd, 0) TH_LOG("failed to open dir '%s': %m", test->dir ?: ".");
+ ASSERT_EQ(dup2(dfd, hardcoded_fd), hardcoded_fd);
+
+ fd = sys_openat2(dfd, test->path, &how);
+
+ if (test->pass) {
+ EXPECT_GE(fd, 0) {
+ TH_LOG("%s: expected success, got %d (%s)",
+ test->name, fd, strerror(-fd));
+ }
+ if (fd >= 0) {
+ EXPECT_TRUE(fdequal(_metadata, fd, rootfd, test->out.path)) {
+ fdpath = fdreadlink(_metadata, fd);
+ TH_LOG("%s: wrong path '%s', expected '%s'",
+ test->name, fdpath,
+ test->out.path ?: ".");
+ free(fdpath);
+ }
+ }
+ } else {
+ EXPECT_EQ(test->out.err, fd) {
+ if (fd >= 0) {
+ fdpath = fdreadlink(_metadata, fd);
+ TH_LOG("%s: expected %d (%s), got %d['%s']",
+ test->name, test->out.err,
+ strerror(-test->out.err), fd, fdpath);
+ free(fdpath);
+ } else {
+ TH_LOG("%s: expected %d (%s), got %d (%s)",
+ test->name, test->out.err,
+ strerror(-test->out.err),
+ fd, strerror(-fd));
+ }
+ }
+ }
+
+ if (fd >= 0)
+ close(fd);
+ close(dfd);
+}
/*
* Construct a test directory with the following structure:
* |-- absself -> /
* |-- self -> ../../root/
* |-- garbageself -> /../../root/
- * |-- passwd -> ../cheeky/../cheeky/../etc/../etc/passwd
- * |-- abspasswd -> /../cheeky/../cheeky/../etc/../etc/passwd
+ * |-- passwd -> ../cheeky/../etc/../etc/passwd
+ * |-- abspasswd -> /../cheeky/../etc/../etc/passwd
* |-- dotdotlink -> ../../../../../../../../../../../../../../etc/passwd
* `-- garbagelink -> /../../../../../../../../../../../../../../etc/passwd
*/
-int setup_testdir(void)
+FIXTURE(openat2_resolve) {
+ int rootfd;
+ int hardcoded_fd;
+ char *hardcoded_fdpath;
+ char *procselfexe;
+};
+
+FIXTURE_SETUP(openat2_resolve)
{
- int dfd, tmpfd;
char dirname[] = "/tmp/ksft-openat2-testdir.XXXXXX";
+ int dfd, tmpfd;
+
+ self->rootfd = -1;
+ self->hardcoded_fd = -1;
+ self->hardcoded_fdpath = NULL;
+ self->procselfexe = NULL;
+
+ /* NOTE: We should be checking for CAP_SYS_ADMIN here... */
+ if (geteuid() != 0)
+ SKIP(return, "all tests require euid == 0");
+ if (!openat2_supported)
+ SKIP(return, "openat2(2) not supported");
/* Unshare and make /tmp a new directory. */
- E_unshare(CLONE_NEWNS);
- E_mount("", "/tmp", "", MS_PRIVATE, "");
+ ASSERT_EQ(unshare(CLONE_NEWNS), 0);
+ ASSERT_EQ(mount("", "/tmp", "", MS_PRIVATE, ""), 0);
/* Make the top-level directory. */
- if (!mkdtemp(dirname))
- ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n");
+ ASSERT_NE(mkdtemp(dirname), NULL);
dfd = open(dirname, O_PATH | O_DIRECTORY);
- if (dfd < 0)
- ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n");
+ ASSERT_GE(dfd, 0);
/* A sub-directory which is actually used for tests. */
- E_mkdirat(dfd, "root", 0755);
+ ASSERT_EQ(mkdirat(dfd, "root", 0755), 0);
tmpfd = openat(dfd, "root", O_PATH | O_DIRECTORY);
- if (tmpfd < 0)
- ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n");
+ ASSERT_GE(tmpfd, 0);
close(dfd);
dfd = tmpfd;
- E_symlinkat("/proc/self/exe", dfd, "procexe");
- E_symlinkat("/proc/self/root", dfd, "procroot");
- E_mkdirat(dfd, "root", 0755);
+ ASSERT_EQ(symlinkat("/proc/self/exe", dfd, "procexe"), 0);
+ ASSERT_EQ(symlinkat("/proc/self/root", dfd, "procroot"), 0);
+ ASSERT_EQ(mkdirat(dfd, "root", 0755), 0);
/* There is no mountat(2), so use chdir. */
- E_mkdirat(dfd, "mnt", 0755);
- E_fchdir(dfd);
- E_mount("tmpfs", "./mnt", "tmpfs", MS_NOSUID | MS_NODEV, "");
- E_symlinkat("../mnt/", dfd, "mnt/self");
- E_symlinkat("/mnt/", dfd, "mnt/absself");
-
- E_mkdirat(dfd, "etc", 0755);
- E_touchat(dfd, "etc/passwd");
-
- E_symlinkat("/newfile3", dfd, "creatlink");
- E_symlinkat("etc/", dfd, "reletc");
- E_symlinkat("etc/passwd", dfd, "relsym");
- E_symlinkat("/etc/", dfd, "absetc");
- E_symlinkat("/etc/passwd", dfd, "abssym");
- E_symlinkat("/cheeky", dfd, "abscheeky");
-
- E_mkdirat(dfd, "cheeky", 0755);
-
- E_symlinkat("/", dfd, "cheeky/absself");
- E_symlinkat("../../root/", dfd, "cheeky/self");
- E_symlinkat("/../../root/", dfd, "cheeky/garbageself");
-
- E_symlinkat("../cheeky/../etc/../etc/passwd", dfd, "cheeky/passwd");
- E_symlinkat("/../cheeky/../etc/../etc/passwd", dfd, "cheeky/abspasswd");
-
- E_symlinkat("../../../../../../../../../../../../../../etc/passwd",
- dfd, "cheeky/dotdotlink");
- E_symlinkat("/../../../../../../../../../../../../../../etc/passwd",
- dfd, "cheeky/garbagelink");
-
- return dfd;
+ ASSERT_EQ(mkdirat(dfd, "mnt", 0755), 0);
+ ASSERT_EQ(fchdir(dfd), 0);
+ ASSERT_EQ(mount("tmpfs", "./mnt", "tmpfs", MS_NOSUID | MS_NODEV, ""), 0);
+ ASSERT_EQ(symlinkat("../mnt/", dfd, "mnt/self"), 0);
+ ASSERT_EQ(symlinkat("/mnt/", dfd, "mnt/absself"), 0);
+
+ ASSERT_EQ(mkdirat(dfd, "etc", 0755), 0);
+ ASSERT_GE(touchat(dfd, "etc/passwd"), 0);
+
+ ASSERT_EQ(symlinkat("/newfile3", dfd, "creatlink"), 0);
+ ASSERT_EQ(symlinkat("etc/", dfd, "reletc"), 0);
+ ASSERT_EQ(symlinkat("etc/passwd", dfd, "relsym"), 0);
+ ASSERT_EQ(symlinkat("/etc/", dfd, "absetc"), 0);
+ ASSERT_EQ(symlinkat("/etc/passwd", dfd, "abssym"), 0);
+ ASSERT_EQ(symlinkat("/cheeky", dfd, "abscheeky"), 0);
+
+ ASSERT_EQ(mkdirat(dfd, "cheeky", 0755), 0);
+
+ ASSERT_EQ(symlinkat("/", dfd, "cheeky/absself"), 0);
+ ASSERT_EQ(symlinkat("../../root/", dfd, "cheeky/self"), 0);
+ ASSERT_EQ(symlinkat("/../../root/", dfd, "cheeky/garbageself"), 0);
+
+ ASSERT_EQ(symlinkat("../cheeky/../etc/../etc/passwd",
+ dfd, "cheeky/passwd"), 0);
+ ASSERT_EQ(symlinkat("/../cheeky/../etc/../etc/passwd",
+ dfd, "cheeky/abspasswd"), 0);
+
+ ASSERT_EQ(symlinkat("../../../../../../../../../../../../../../etc/passwd",
+ dfd, "cheeky/dotdotlink"), 0);
+ ASSERT_EQ(symlinkat("/../../../../../../../../../../../../../../etc/passwd",
+ dfd, "cheeky/garbagelink"), 0);
+
+ self->rootfd = dfd;
+
+ self->hardcoded_fd = open("/dev/null", O_RDONLY);
+ ASSERT_GE(self->hardcoded_fd, 0);
+ ASSERT_GE(asprintf(&self->hardcoded_fdpath, "self/fd/%d",
+ self->hardcoded_fd), 0);
+ ASSERT_GE(asprintf(&self->procselfexe, "/proc/%d/exe", getpid()), 0);
}
-struct basic_test {
- const char *name;
- const char *dir;
- const char *path;
- struct open_how how;
- bool pass;
- union {
- int err;
- const char *path;
- } out;
-};
-
-#define NUM_OPENAT2_OPATH_TESTS 88
-
-void test_openat2_opath_tests(void)
+FIXTURE_TEARDOWN(openat2_resolve)
{
- int rootfd, hardcoded_fd;
- char *procselfexe, *hardcoded_fdpath;
-
- E_asprintf(&procselfexe, "/proc/%d/exe", getpid());
- rootfd = setup_testdir();
-
- hardcoded_fd = open("/dev/null", O_RDONLY);
- E_assert(hardcoded_fd >= 0, "open fd to hardcode");
- E_asprintf(&hardcoded_fdpath, "self/fd/%d", hardcoded_fd);
+ free(self->procselfexe);
+ free(self->hardcoded_fdpath);
+ if (self->hardcoded_fd >= 0)
+ close(self->hardcoded_fd);
+ if (self->rootfd >= 0)
+ close(self->rootfd);
+}
- struct basic_test tests[] = {
- /** RESOLVE_BENEATH **/
+/* Attempts to cross the dirfd should be blocked with -EXDEV. */
+TEST_F(openat2_resolve, resolve_beneath)
+{
+ struct resolve_test tests[] = {
/* Attempts to cross dirfd should be blocked. */
{ .name = "[beneath] jump to /",
.path = "/", .how.resolve = RESOLVE_BENEATH,
{ .name = "[beneath] tricky absolute + garbage link outside $root",
.path = "abscheeky/garbagelink", .how.resolve = RESOLVE_BENEATH,
.out.err = -EXDEV, .pass = false },
+ };
+
+ for (int i = 0; i < ARRAY_SIZE(tests); i++)
+ verify_resolve_test(_metadata, self->rootfd,
+ self->hardcoded_fd, &tests[i]);
+}
- /** RESOLVE_IN_ROOT **/
- /* All attempts to cross the dirfd will be scoped-to-root. */
+/* All attempts to cross the dirfd will be scoped-to-root. */
+TEST_F(openat2_resolve, resolve_in_root)
+{
+ struct resolve_test tests[] = {
{ .name = "[in_root] jump to /",
.path = "/", .how.resolve = RESOLVE_IN_ROOT,
.out.path = NULL, .pass = true },
.how.mode = 0700,
.how.resolve = RESOLVE_IN_ROOT,
.out.path = "newfile3", .pass = true },
+ };
- /** RESOLVE_NO_XDEV **/
+ for (int i = 0; i < ARRAY_SIZE(tests); i++)
+ verify_resolve_test(_metadata, self->rootfd,
+ self->hardcoded_fd, &tests[i]);
+}
+
+/* Crossing mount boundaries should be blocked. */
+TEST_F(openat2_resolve, resolve_no_xdev)
+{
+ struct resolve_test tests[] = {
/* Crossing *down* into a mountpoint is disallowed. */
{ .name = "[no_xdev] cross into $mnt",
.path = "mnt", .how.resolve = RESOLVE_NO_XDEV,
.out.err = -EXDEV, .pass = false },
/* Except magic-link jumps inside the same vfsmount. */
{ .name = "[no_xdev] jump through magic-link to same procfs",
- .dir = "/proc", .path = hardcoded_fdpath, .how.resolve = RESOLVE_NO_XDEV,
- .out.path = "/proc", .pass = true, },
+ .dir = "/proc", .path = self->hardcoded_fdpath, .how.resolve = RESOLVE_NO_XDEV,
+ .out.path = "/proc", .pass = true, },
+ };
+
+ for (int i = 0; i < ARRAY_SIZE(tests); i++)
+ verify_resolve_test(_metadata, self->rootfd,
+ self->hardcoded_fd, &tests[i]);
+}
- /** RESOLVE_NO_MAGICLINKS **/
+/* Procfs-style magic-link resolution should be blocked. */
+TEST_F(openat2_resolve, resolve_no_magiclinks)
+{
+ struct resolve_test tests[] = {
/* Regular symlinks should work. */
{ .name = "[no_magiclinks] ordinary relative symlink",
.path = "relsym", .how.resolve = RESOLVE_NO_MAGICLINKS,
{ .name = "[no_magiclinks] normal path to magic-link with O_NOFOLLOW",
.path = "/proc/self/exe", .how.flags = O_NOFOLLOW,
.how.resolve = RESOLVE_NO_MAGICLINKS,
- .out.path = procselfexe, .pass = true },
+ .out.path = self->procselfexe, .pass = true },
{ .name = "[no_magiclinks] symlink to magic-link path component",
.path = "procroot/etc", .how.resolve = RESOLVE_NO_MAGICLINKS,
.out.err = -ELOOP, .pass = false },
.path = "/proc/self/root/etc", .how.flags = O_NOFOLLOW,
.how.resolve = RESOLVE_NO_MAGICLINKS,
.out.err = -ELOOP, .pass = false },
+ };
+
+ for (int i = 0; i < ARRAY_SIZE(tests); i++)
+ verify_resolve_test(_metadata, self->rootfd,
+ self->hardcoded_fd, &tests[i]);
+}
- /** RESOLVE_NO_SYMLINKS **/
+/* All symlink resolution should be blocked. */
+TEST_F(openat2_resolve, resolve_no_symlinks)
+{
+ struct resolve_test tests[] = {
/* Normal paths should work. */
{ .name = "[no_symlinks] ordinary path to '.'",
.path = ".", .how.resolve = RESOLVE_NO_SYMLINKS,
.out.err = -ELOOP, .pass = false },
};
- BUILD_BUG_ON(ARRAY_SIZE(tests) != NUM_OPENAT2_OPATH_TESTS);
-
- for (int i = 0; i < ARRAY_SIZE(tests); i++) {
- int dfd, fd;
- char *fdpath = NULL;
- bool failed;
- void (*resultfn)(const char *msg, ...) = ksft_test_result_pass;
- struct basic_test *test = &tests[i];
-
- if (!openat2_supported) {
- ksft_print_msg("openat2(2) unsupported\n");
- resultfn = ksft_test_result_skip;
- goto skip;
- }
-
- /* Auto-set O_PATH. */
- if (!(test->how.flags & O_CREAT))
- test->how.flags |= O_PATH;
-
- if (test->dir)
- dfd = openat(rootfd, test->dir, O_PATH | O_DIRECTORY);
- else
- dfd = dup(rootfd);
- E_assert(dfd, "failed to openat root '%s': %m", test->dir);
-
- E_dup2(dfd, hardcoded_fd);
-
- fd = sys_openat2(dfd, test->path, &test->how);
- if (test->pass)
- failed = (fd < 0 || !fdequal(fd, rootfd, test->out.path));
- else
- failed = (fd != test->out.err);
- if (fd >= 0) {
- fdpath = fdreadlink(fd);
- close(fd);
- }
- close(dfd);
-
- if (failed) {
- resultfn = ksft_test_result_fail;
-
- ksft_print_msg("openat2 unexpectedly returned ");
- if (fdpath)
- ksft_print_msg("%d['%s']\n", fd, fdpath);
- else
- ksft_print_msg("%d (%s)\n", fd, strerror(-fd));
- }
-
-skip:
- if (test->pass)
- resultfn("%s gives path '%s'\n", test->name,
- test->out.path ?: ".");
- else
- resultfn("%s fails with %d (%s)\n", test->name,
- test->out.err, strerror(-test->out.err));
-
- fflush(stdout);
- free(fdpath);
- }
-
- free(procselfexe);
- close(rootfd);
-
- free(hardcoded_fdpath);
- close(hardcoded_fd);
+ for (int i = 0; i < ARRAY_SIZE(tests); i++)
+ verify_resolve_test(_metadata, self->rootfd,
+ self->hardcoded_fd, &tests[i]);
}
-#define NUM_TESTS NUM_OPENAT2_OPATH_TESTS
-
-int main(int argc, char **argv)
-{
- ksft_print_header();
- ksft_set_plan(NUM_TESTS);
-
- /* NOTE: We should be checking for CAP_SYS_ADMIN here... */
- if (geteuid() != 0)
- ksft_exit_skip("all tests require euid == 0\n");
-
- test_openat2_opath_tests();
-
- if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0)
- ksft_exit_fail();
- else
- ksft_exit_pass();
-}
+TEST_HARNESS_MAIN
projects / thirdparty / linux.git / commitdiff
