Google Git
Sign in
android-kvm / linux / refs/heads/tabba/fix-vcpu-init-v1 / . / tools / testing / selftests / exec / check-exec.c
blob: 55bce47e56b73d321635185ba5cb927215074d91 [file] [log] [blame] [edit]
// SPDX-License-Identifier: GPL-2.0
/*
* Test execveat(2) with AT_EXECVE_CHECK, and prctl(2) with
* SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACTIVE, and their locked
* counterparts.
*
* Copyright © 2018-2020 ANSSI
* Copyright © 2024 Microsoft Corporation
*
* Author: Mickaël Salaün <mic@digikod.net>
*/
#include <asm-generic/unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/prctl.h>
#include <linux/securebits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/capability.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <unistd.h>
/* Defines AT_EXECVE_CHECK without type conflicts. */
#define _ASM_GENERIC_FCNTL_H
#include <linux/fcntl.h>
#include "../kselftest_harness.h"
static int sys_execveat(int dirfd, const char *pathname, char *const argv[],
char *const envp[], int flags)
{
return syscall(__NR_execveat, dirfd, pathname, argv, envp, flags);
}
static void drop_privileges(struct __test_metadata *const _metadata)
{
const unsigned int noroot = SECBIT_NOROOT | SECBIT_NOROOT_LOCKED;
cap_t cap_p;
if ((cap_get_secbits() & noroot) != noroot)
EXPECT_EQ(0, cap_set_secbits(noroot));
cap_p = cap_get_proc();
EXPECT_NE(NULL, cap_p);
EXPECT_NE(-1, cap_clear(cap_p));
/*
* Drops everything, especially CAP_SETPCAP, CAP_DAC_OVERRIDE, and
* CAP_DAC_READ_SEARCH.
*/
EXPECT_NE(-1, cap_set_proc(cap_p));
EXPECT_NE(-1, cap_free(cap_p));
}
static int test_secbits_set(const unsigned int secbits)
{
int err;
err = prctl(PR_SET_SECUREBITS, secbits);
if (err)
return errno;
return 0;
}
FIXTURE(access)
{
int memfd, pipefd;
int pipe_fds[2], socket_fds[2];
};
FIXTURE_VARIANT(access)
{
const bool mount_exec;
const bool file_exec;
};
/* clang-format off */
FIXTURE_VARIANT_ADD(access, mount_exec_file_exec) {
/* clang-format on */
.mount_exec = true,
.file_exec = true,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(access, mount_exec_file_noexec) {
/* clang-format on */
.mount_exec = true,
.file_exec = false,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(access, mount_noexec_file_exec) {
/* clang-format on */
.mount_exec = false,
.file_exec = true,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(access, mount_noexec_file_noexec) {
/* clang-format on */
.mount_exec = false,
.file_exec = false,
};
static const char binary_path[] = "./false";
static const char workdir_path[] = "./test-mount";
static const char reg_file_path[] = "./test-mount/regular_file";
static const char dir_path[] = "./test-mount/directory";
static const char block_dev_path[] = "./test-mount/block_device";
static const char char_dev_path[] = "./test-mount/character_device";
static const char fifo_path[] = "./test-mount/fifo";
FIXTURE_SETUP(access)
{
int procfd_path_size;
static const char path_template[] = "/proc/self/fd/%d";
char procfd_path[sizeof(path_template) + 10];
/* Makes sure we are not already restricted nor locked. */
EXPECT_EQ(0, test_secbits_set(0));
/*
* Cleans previous workspace if any error previously happened (don't
* check errors).
*/
umount(workdir_path);
rmdir(workdir_path);
/* Creates a clean mount point. */
ASSERT_EQ(0, mkdir(workdir_path, 00700));
ASSERT_EQ(0, mount("test", workdir_path, "tmpfs",
MS_MGC_VAL | (variant->mount_exec ? 0 : MS_NOEXEC),
"mode=0700,size=9m"));
/* Creates a regular file. */
ASSERT_EQ(0, mknod(reg_file_path,
S_IFREG | (variant->file_exec ? 0700 : 0600), 0));
/* Creates a directory. */
ASSERT_EQ(0, mkdir(dir_path, variant->file_exec ? 0700 : 0600));
/* Creates a character device: /dev/null. */
ASSERT_EQ(0, mknod(char_dev_path, S_IFCHR | 0400, makedev(1, 3)));
/* Creates a block device: /dev/loop0 */
ASSERT_EQ(0, mknod(block_dev_path, S_IFBLK | 0400, makedev(7, 0)));
/* Creates a fifo. */
ASSERT_EQ(0, mknod(fifo_path, S_IFIFO | 0600, 0));
/* Creates a regular file without user mount point. */
self->memfd = memfd_create("test-exec-probe", MFD_CLOEXEC);
ASSERT_LE(0, self->memfd);
/* Sets mode, which must be ignored by the exec check. */
ASSERT_EQ(0, fchmod(self->memfd, variant->file_exec ? 0700 : 0600));
/* Creates a pipefs file descriptor. */
ASSERT_EQ(0, pipe(self->pipe_fds));
procfd_path_size = snprintf(procfd_path, sizeof(procfd_path),
path_template, self->pipe_fds[0]);
ASSERT_LT(procfd_path_size, sizeof(procfd_path));
self->pipefd = open(procfd_path, O_RDWR | O_CLOEXEC);
ASSERT_LE(0, self->pipefd);
ASSERT_EQ(0, fchmod(self->pipefd, variant->file_exec ? 0700 : 0600));
/* Creates a socket file descriptor. */
ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0,
self->socket_fds));
}
FIXTURE_TEARDOWN_PARENT(access)
{
/* There is no need to unlink the test files. */
EXPECT_EQ(0, umount(workdir_path));
EXPECT_EQ(0, rmdir(workdir_path));
}
static void fill_exec_fd(struct __test_metadata *_metadata, const int fd_out)
{
char buf[1024];
size_t len;
int fd_in;
fd_in = open(binary_path, O_CLOEXEC | O_RDONLY);
ASSERT_LE(0, fd_in);
/* Cannot use copy_file_range(2) because of EXDEV. */
len = read(fd_in, buf, sizeof(buf));
EXPECT_LE(0, len);
while (len > 0) {
EXPECT_EQ(len, write(fd_out, buf, len))
{
TH_LOG("Failed to write: %s (%d)", strerror(errno),
errno);
}
len = read(fd_in, buf, sizeof(buf));
EXPECT_LE(0, len);
}
EXPECT_EQ(0, close(fd_in));
}
static void fill_exec_path(struct __test_metadata *_metadata,
const char *const path)
{
int fd_out;
fd_out = open(path, O_CLOEXEC | O_WRONLY);
ASSERT_LE(0, fd_out)
{
TH_LOG("Failed to open %s: %s", path, strerror(errno));
}
fill_exec_fd(_metadata, fd_out);
EXPECT_EQ(0, close(fd_out));
}
static void test_exec_fd(struct __test_metadata *_metadata, const int fd,
const int err_code)
{
char *const argv[] = { "", NULL };
int access_ret, access_errno;
/*
* If we really execute fd, filled with the "false" binary, the current
* thread will exits with an error, which will be interpreted by the
* test framework as an error. With AT_EXECVE_CHECK, we only check a
* potential successful execution.
*/
access_ret = sys_execveat(fd, "", argv, NULL,
AT_EMPTY_PATH | AT_EXECVE_CHECK);
access_errno = errno;
if (err_code) {
EXPECT_EQ(-1, access_ret);
EXPECT_EQ(err_code, access_errno)
{
TH_LOG("Wrong error for execveat(2): %s (%d)",
strerror(access_errno), errno);
}
} else {
EXPECT_EQ(0, access_ret)
{
TH_LOG("Access denied: %s", strerror(access_errno));
}
}
}
static void test_exec_path(struct __test_metadata *_metadata,
const char *const path, const int err_code)
{
int flags = O_CLOEXEC;
int fd;
/* Do not block on pipes. */
if (path == fifo_path)
flags |= O_NONBLOCK;
fd = open(path, flags | O_RDONLY);
ASSERT_LE(0, fd)
{
TH_LOG("Failed to open %s: %s", path, strerror(errno));
}
test_exec_fd(_metadata, fd, err_code);
EXPECT_EQ(0, close(fd));
}
/* Tests that we don't get ENOEXEC. */
TEST_F(access, regular_file_empty)
{
const int exec = variant->mount_exec && variant->file_exec;
test_exec_path(_metadata, reg_file_path, exec ? 0 : EACCES);
drop_privileges(_metadata);
test_exec_path(_metadata, reg_file_path, exec ? 0 : EACCES);
}
TEST_F(access, regular_file_elf)
{
const int exec = variant->mount_exec && variant->file_exec;
fill_exec_path(_metadata, reg_file_path);
test_exec_path(_metadata, reg_file_path, exec ? 0 : EACCES);
drop_privileges(_metadata);
test_exec_path(_metadata, reg_file_path, exec ? 0 : EACCES);
}
/* Tests that we don't get ENOEXEC. */
TEST_F(access, memfd_empty)
{
const int exec = variant->file_exec;
test_exec_fd(_metadata, self->memfd, exec ? 0 : EACCES);
drop_privileges(_metadata);
test_exec_fd(_metadata, self->memfd, exec ? 0 : EACCES);
}
TEST_F(access, memfd_elf)
{
const int exec = variant->file_exec;
fill_exec_fd(_metadata, self->memfd);
test_exec_fd(_metadata, self->memfd, exec ? 0 : EACCES);
drop_privileges(_metadata);
test_exec_fd(_metadata, self->memfd, exec ? 0 : EACCES);
}
TEST_F(access, non_regular_files)
{
test_exec_path(_metadata, dir_path, EACCES);
test_exec_path(_metadata, block_dev_path, EACCES);
test_exec_path(_metadata, char_dev_path, EACCES);
test_exec_path(_metadata, fifo_path, EACCES);
test_exec_fd(_metadata, self->socket_fds[0], EACCES);
test_exec_fd(_metadata, self->pipefd, EACCES);
}
/* clang-format off */
FIXTURE(secbits) {};
/* clang-format on */
FIXTURE_VARIANT(secbits)
{
const bool is_privileged;
const int error;
};
/* clang-format off */
FIXTURE_VARIANT_ADD(secbits, priv) {
/* clang-format on */
.is_privileged = true,
.error = 0,
};
/* clang-format off */
FIXTURE_VARIANT_ADD(secbits, unpriv) {
/* clang-format on */
.is_privileged = false,
.error = EPERM,
};
FIXTURE_SETUP(secbits)
{
/* Makes sure no exec bits are set. */
EXPECT_EQ(0, test_secbits_set(0));
EXPECT_EQ(0, prctl(PR_GET_SECUREBITS));
if (!variant->is_privileged)
drop_privileges(_metadata);
}
FIXTURE_TEARDOWN(secbits)
{
}
TEST_F(secbits, legacy)
{
EXPECT_EQ(variant->error, test_secbits_set(0));
}
#define CHILD(...) \
do { \
pid_t child = vfork(); \
EXPECT_LE(0, child); \
if (child == 0) { \
__VA_ARGS__; \
_exit(0); \
} \
} while (0)
TEST_F(secbits, exec)
{
unsigned int secbits = prctl(PR_GET_SECUREBITS);
secbits |= SECBIT_EXEC_RESTRICT_FILE;
EXPECT_EQ(0, test_secbits_set(secbits));
EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS));
CHILD(EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS)));
secbits |= SECBIT_EXEC_DENY_INTERACTIVE;
EXPECT_EQ(0, test_secbits_set(secbits));
EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS));
CHILD(EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS)));
secbits &= ~(SECBIT_EXEC_RESTRICT_FILE | SECBIT_EXEC_DENY_INTERACTIVE);
EXPECT_EQ(0, test_secbits_set(secbits));
EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS));
CHILD(EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS)));
}
TEST_F(secbits, check_locked_set)
{
unsigned int secbits = prctl(PR_GET_SECUREBITS);
secbits |= SECBIT_EXEC_RESTRICT_FILE;
EXPECT_EQ(0, test_secbits_set(secbits));
secbits |= SECBIT_EXEC_RESTRICT_FILE_LOCKED;
EXPECT_EQ(0, test_secbits_set(secbits));
/* Checks lock set but unchanged. */
EXPECT_EQ(variant->error, test_secbits_set(secbits));
CHILD(EXPECT_EQ(variant->error, test_secbits_set(secbits)));
secbits &= ~SECBIT_EXEC_RESTRICT_FILE;
EXPECT_EQ(EPERM, test_secbits_set(0));
CHILD(EXPECT_EQ(EPERM, test_secbits_set(0)));
}
TEST_F(secbits, check_locked_unset)
{
unsigned int secbits = prctl(PR_GET_SECUREBITS);
secbits |= SECBIT_EXEC_RESTRICT_FILE_LOCKED;
EXPECT_EQ(0, test_secbits_set(secbits));
/* Checks lock unset but unchanged. */
EXPECT_EQ(variant->error, test_secbits_set(secbits));
CHILD(EXPECT_EQ(variant->error, test_secbits_set(secbits)));
secbits &= ~SECBIT_EXEC_RESTRICT_FILE;
EXPECT_EQ(EPERM, test_secbits_set(0));
CHILD(EXPECT_EQ(EPERM, test_secbits_set(0)));
}
TEST_F(secbits, restrict_locked_set)
{
unsigned int secbits = prctl(PR_GET_SECUREBITS);
secbits |= SECBIT_EXEC_DENY_INTERACTIVE;
EXPECT_EQ(0, test_secbits_set(secbits));
secbits |= SECBIT_EXEC_DENY_INTERACTIVE_LOCKED;
EXPECT_EQ(0, test_secbits_set(secbits));
/* Checks lock set but unchanged. */
EXPECT_EQ(variant->error, test_secbits_set(secbits));
CHILD(EXPECT_EQ(variant->error, test_secbits_set(secbits)));
secbits &= ~SECBIT_EXEC_DENY_INTERACTIVE;
EXPECT_EQ(EPERM, test_secbits_set(0));
CHILD(EXPECT_EQ(EPERM, test_secbits_set(0)));
}
TEST_F(secbits, restrict_locked_unset)
{
unsigned int secbits = prctl(PR_GET_SECUREBITS);
secbits |= SECBIT_EXEC_DENY_INTERACTIVE_LOCKED;
EXPECT_EQ(0, test_secbits_set(secbits));
/* Checks lock unset but unchanged. */
EXPECT_EQ(variant->error, test_secbits_set(secbits));
CHILD(EXPECT_EQ(variant->error, test_secbits_set(secbits)));
secbits &= ~SECBIT_EXEC_DENY_INTERACTIVE;
EXPECT_EQ(EPERM, test_secbits_set(0));
CHILD(EXPECT_EQ(EPERM, test_secbits_set(0)));
}
TEST_HARNESS_MAIN