Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/tests/sys/vfs/lookup_cap_dotdot.c
39478 views
1
/*-

2
 * Copyright (c) 2016 Ed Maste <[email protected]>

3
 * Copyright (c) 2016 Conrad Meyer <[email protected]>

4
 *

5
 * Redistribution and use in source and binary forms, with or without

6
 * modification, are permitted provided that the following conditions

7
 * are met:

8
 * 1. Redistributions of source code must retain the above copyright

9
 *    notice, this list of conditions and the following disclaimer.

10
 * 2. Redistributions in binary form must reproduce the above copyright

11
 *    notice, this list of conditions and the following disclaimer in the

12
 *    documentation and/or other materials provided with the distribution.

13
 *

14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

15
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

16
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

17
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

18
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

19
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

20
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

21
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

22
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

23
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

24
 * SUCH DAMAGE.

25
 */

26


27
#include <sys/param.h>

28
#include <sys/capsicum.h>

29
#include <sys/sysctl.h>

30
#include <sys/stat.h>

31


32
#include <atf-c.h>

33
#include <errno.h>

34
#include <stdlib.h>

35
#include <string.h>

36


37
#include "freebsd_test_suite/macros.h"

38


39
static int dirfd = -1;

40
static char *abspath;

41


42
static void

43
touchat(int _dirfd, const char *name)

44
{

45
	int fd;

46


47
	ATF_REQUIRE((fd = openat(_dirfd, name, O_CREAT | O_TRUNC | O_WRONLY,

48
	    0777)) >= 0);

49
	ATF_REQUIRE(close(fd) == 0);

50
}

51


52
static void

53
prepare_dotdot_tests(void)

54
{

55
	char cwd[MAXPATHLEN];

56


57
	ATF_REQUIRE(getcwd(cwd, sizeof(cwd)) != NULL);

58
	asprintf(&abspath, "%s/testdir/d1/f1", cwd);

59


60
	ATF_REQUIRE(mkdir("testdir", 0777) == 0);

61
	ATF_REQUIRE((dirfd = open("testdir", O_RDONLY)) >= 0);

62


63
	ATF_REQUIRE(mkdirat(dirfd, "d1", 0777) == 0);

64
	ATF_REQUIRE(mkdirat(dirfd, "d1/d2", 0777) == 0);

65
	ATF_REQUIRE(mkdirat(dirfd, "d1/d2/d3", 0777) == 0);

66
	touchat(dirfd, "d1/f1");

67
	touchat(dirfd, "d1/d2/f2");

68
	touchat(dirfd, "d1/d2/d3/f3");

69
	ATF_REQUIRE(symlinkat("d1/d2/d3", dirfd, "l3") == 0);

70
	ATF_REQUIRE(symlinkat("../testdir/d1", dirfd, "lup") == 0);

71
	ATF_REQUIRE(symlinkat("../..", dirfd, "d1/d2/d3/ld1") == 0);

72
	ATF_REQUIRE(symlinkat("../../f1", dirfd, "d1/d2/d3/lf1") == 0);

73
}

74


75
static void

76
check_capsicum(void)

77
{

78
	ATF_REQUIRE_FEATURE("security_capabilities");

79
	ATF_REQUIRE_FEATURE("security_capability_mode");

80
	ATF_REQUIRE_SYSCTL_BOOL("kern.trap_enotcap", false);

81
}

82


83
/*

84
 * Positive tests

85
 */

86
ATF_TC(openat__basic_positive);

87
ATF_TC_HEAD(openat__basic_positive, tc)

88
{

89
	atf_tc_set_md_var(tc, "descr", "Basic positive openat testcases");

90
}

91


92
ATF_TC_BODY(openat__basic_positive, tc)

93
{

94
	prepare_dotdot_tests();

95


96
	ATF_REQUIRE(openat(dirfd, "d1/d2/d3/f3", O_RDONLY) >= 0);

97
	ATF_REQUIRE(openat(dirfd, "d1/d2/d3/../../f1", O_RDONLY) >= 0);

98
	ATF_REQUIRE(openat(dirfd, "l3/f3", O_RDONLY) >= 0);

99
	ATF_REQUIRE(openat(dirfd, "l3/../../f1", O_RDONLY) >= 0);

100
	ATF_REQUIRE(openat(dirfd, "../testdir/d1/f1", O_RDONLY) >= 0);

101
	ATF_REQUIRE(openat(dirfd, "lup/f1", O_RDONLY) >= 0);

102
	ATF_REQUIRE(openat(dirfd, "l3/ld1", O_RDONLY) >= 0);

103
	ATF_REQUIRE(openat(dirfd, "l3/lf1", O_RDONLY) >= 0);

104
	ATF_REQUIRE(open(abspath, O_RDONLY) >= 0);

105
	ATF_REQUIRE(openat(dirfd, abspath, O_RDONLY) >= 0);

106
}

107


108
ATF_TC(lookup_cap_dotdot__basic);

109
ATF_TC_HEAD(lookup_cap_dotdot__basic, tc)

110
{

111
	atf_tc_set_md_var(tc, "descr",

112
	    "Validate cap-mode (testdir)/d1/.. lookup");

113
}

114


115
ATF_TC_BODY(lookup_cap_dotdot__basic, tc)

116
{

117
	cap_rights_t rights;

118


119
	check_capsicum();

120
	prepare_dotdot_tests();

121


122
	cap_rights_init(&rights, CAP_LOOKUP, CAP_READ);

123
	ATF_REQUIRE(cap_rights_limit(dirfd, &rights) >= 0);

124


125
	ATF_REQUIRE(cap_enter() >= 0);

126


127
	ATF_REQUIRE_MSG(openat(dirfd, "d1/..", O_RDONLY) >= 0, "%s",

128
	    strerror(errno));

129
}

130


131
ATF_TC(lookup_cap_dotdot__advanced);

132
ATF_TC_HEAD(lookup_cap_dotdot__advanced, tc)

133
{

134
	atf_tc_set_md_var(tc, "descr",

135
	    "Validate cap-mode (testdir)/d1/.. lookup");

136
}

137


138
ATF_TC_BODY(lookup_cap_dotdot__advanced, tc)

139
{

140
	cap_rights_t rights;

141


142
	check_capsicum();

143
	prepare_dotdot_tests();

144


145
	cap_rights_init(&rights, CAP_LOOKUP, CAP_READ);

146
	ATF_REQUIRE(cap_rights_limit(dirfd, &rights) >= 0);

147


148
	ATF_REQUIRE(cap_enter() >= 0);

149


150
	ATF_REQUIRE(openat(dirfd, "d1/d2/d3/../../f1", O_RDONLY) >= 0);

151
	ATF_REQUIRE(openat(dirfd, "l3/../../f1", O_RDONLY) >= 0);

152
	ATF_REQUIRE(openat(dirfd, "l3/ld1", O_RDONLY) >= 0);

153
	ATF_REQUIRE(openat(dirfd, "l3/lf1", O_RDONLY) >= 0);

154
}

155


156
/*

157
 * Negative tests

158
 */

159
ATF_TC(openat__basic_negative);

160
ATF_TC_HEAD(openat__basic_negative, tc)

161
{

162
	atf_tc_set_md_var(tc, "descr", "Basic negative openat testcases");

163
}

164


165
ATF_TC_BODY(openat__basic_negative, tc)

166
{

167
	prepare_dotdot_tests();

168


169
	ATF_REQUIRE_ERRNO(ENOENT,

170
	    openat(dirfd, "does-not-exist", O_RDONLY) < 0);

171
	ATF_REQUIRE_ERRNO(ENOENT,

172
	    openat(dirfd, "l3/does-not-exist", O_RDONLY) < 0);

173
}

174


175
ATF_TC(capmode__negative);

176
ATF_TC_HEAD(capmode__negative, tc)

177
{

178
	atf_tc_set_md_var(tc, "descr", "Negative Capability mode testcases");

179
}

180


181
ATF_TC_BODY(capmode__negative, tc)

182
{

183
	int subdirfd;

184


185
	check_capsicum();

186
	prepare_dotdot_tests();

187


188
	ATF_REQUIRE(cap_enter() == 0);

189


190
	/* open() not permitted in capability mode */

191
	ATF_REQUIRE_ERRNO(ECAPMODE, open("testdir", O_RDONLY) < 0);

192


193
	/* AT_FDCWD not permitted in capability mode */

194
	ATF_REQUIRE_ERRNO(ECAPMODE, openat(AT_FDCWD, "d1/f1", O_RDONLY) < 0);

195


196
	/* Relative path above dirfd not capable */

197
	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "..", O_RDONLY) < 0);

198
	ATF_REQUIRE((subdirfd = openat(dirfd, "l3", O_RDONLY)) >= 0);

199
	ATF_REQUIRE_ERRNO(ENOTCAPABLE,

200
	    openat(subdirfd, "../../f1", O_RDONLY) < 0);

201


202
	/* Absolute paths not capable */

203
	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, abspath, O_RDONLY) < 0);

204


205
	/* Symlink above dirfd */

206
	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "lup/f1", O_RDONLY) < 0);

207
}

208


209
ATF_TC(lookup_cap_dotdot__negative);

210
ATF_TC_HEAD(lookup_cap_dotdot__negative, tc)

211
{

212
	atf_tc_set_md_var(tc, "descr",

213
	    "Validate cap-mode (testdir)/.. lookup fails");

214
}

215


216
ATF_TC_BODY(lookup_cap_dotdot__negative, tc)

217
{

218
	cap_rights_t rights;

219


220
	check_capsicum();

221
	prepare_dotdot_tests();

222


223
	cap_rights_init(&rights, CAP_LOOKUP, CAP_READ);

224
	ATF_REQUIRE(cap_rights_limit(dirfd, &rights) >= 0);

225


226
	ATF_REQUIRE(cap_enter() >= 0);

227


228
	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "..", O_RDONLY) < 0);

229
	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "d1/../..", O_RDONLY) < 0);

230
	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dirfd, "../testdir/d1/f1", O_RDONLY) < 0);

231
}

232


233
ATF_TC(lookup_cap_dotdot__root);

234
ATF_TC_HEAD(lookup_cap_dotdot__root, tc)

235
{

236
	atf_tc_set_md_var(tc, "descr", "Validate cap-mode /.. lookup fails");

237
}

238


239
ATF_TC_BODY(lookup_cap_dotdot__root, tc)

240
{

241
	int dfd, dfd2;

242


243
	check_capsicum();

244


245
	dfd = open("/", O_DIRECTORY);

246
	ATF_REQUIRE(dfd >= 0);

247


248
	dfd2 = openat(dfd, "..", O_DIRECTORY);

249
	ATF_REQUIRE(dfd2 >= 0);

250
	ATF_REQUIRE(close(dfd2) == 0);

251


252
	ATF_REQUIRE(cap_enter() >= 0);

253


254
	dfd2 = openat(dfd, "..", O_DIRECTORY);

255
	ATF_REQUIRE_ERRNO(ENOTCAPABLE, openat(dfd, "..", O_DIRECTORY));

256
}

257


258
ATF_TP_ADD_TCS(tp)

259
{

260


261
	ATF_TP_ADD_TC(tp, openat__basic_positive);

262
	ATF_TP_ADD_TC(tp, openat__basic_negative);

263


264
	ATF_TP_ADD_TC(tp, capmode__negative);

265


266
	ATF_TP_ADD_TC(tp, lookup_cap_dotdot__basic);

267
	ATF_TP_ADD_TC(tp, lookup_cap_dotdot__advanced);

268
	ATF_TP_ADD_TC(tp, lookup_cap_dotdot__negative);

269
	ATF_TP_ADD_TC(tp, lookup_cap_dotdot__root);

270


271
	return (atf_no_error());

272
}

273


274