1
/*-
2
 * Copyright (c) 2001 Robert N. M. Watson
3
 * All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 * 2. Redistributions in binary form must reproduce the above copyright
11
 *    notice, this list of conditions and the following disclaimer in the
12
 *    documentation and/or other materials provided with the distribution.
13
 *
14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24
 * SUCH DAMAGE.
25
 */
26

27
#include <sys/param.h>
28
#include <sys/uio.h>
29
#include <sys/ptrace.h>
30
#include <sys/time.h>
31
#include <sys/resource.h>
32
#include <sys/syscall.h>
33
#include <sys/wait.h>
34
#include <sys/ktrace.h>
35

36
#include <assert.h>
37
#include <errno.h>
38
#include <signal.h>
39
#include <stdio.h>
40
#include <string.h>
41
#include <unistd.h>
42

43
/*
44
 * Relevant parts of a process credential.
45
 */
46
struct cred {
47
	uid_t	cr_euid, cr_ruid, cr_svuid;
48
	int	cr_issetugid;
49
};
50

51
/*
52
 * Description of a scenario.
53
 */
54
struct scenario {
55
	struct cred	*sc_cred1, *sc_cred2;	/* credentials of p1 and p2 */
56
	int		sc_canptrace_errno;	/* desired ptrace failure */
57
	int		sc_canktrace_errno;	/* desired ktrace failure */
58
	int		sc_cansighup_errno;	/* desired SIGHUP failure */
59
	int		sc_cansigsegv_errno;	/* desired SIGSEGV failure */
60
	int		sc_cansee_errno;	/* desired getprio failure */
61
	int		sc_cansched_errno;	/* desired setprio failure */
62
	char		*sc_name;		/* test name */
63
};
64

65
/*
66
 * Table of relevant credential combinations.
67
 */
68
static struct cred creds[] = {
69
/*		euid	ruid	svuid	issetugid	*/
70
/* 0 */ {	0,	0,	0,	0 },	/* privileged */
71
/* 1 */ {	0,	0,	0,	1 },	/* privileged + issetugid */
72
/* 2 */ {	1000,	1000,	1000,	0 },	/* unprivileged1 */
73
/* 3 */ {	1000,	1000,	1000,	1 },	/* unprivileged1 + issetugid */
74
/* 4 */ {	1001,	1001,	1001,	0 },	/* unprivileged2 */
75
/* 5 */ {	1001,	1001,	1001,	1 },	/* unprivileged2 + issetugid */
76
/* 6 */ {	1000,	0,	0,	0 },	/* daemon1 */
77
/* 7 */ {	1000,	0,	0,	1 },	/* daemon1 + issetugid */
78
/* 8 */ {	1001,	0,	0,	0 },	/* daemon2 */
79
/* 9 */ {	1001,	0,	0,	1 },	/* daemon2 + issetugid */
80
/* 10 */{	0,	1000,	1000,	0 },	/* setuid1 */
81
/* 11 */{	0, 	1000,	1000,	1 },	/* setuid1 + issetugid */
82
/* 12 */{	0,	1001,	1001,	0 },	/* setuid2 */
83
/* 13 */{	0,	1001,	1001,	1 },	/* setuid2 + issetugid */
84
};
85

86
/*
87
 * Table of scenarios.
88
 */
89
static const struct scenario scenarios[] = {
90
/*	cred1		cred2		ptrace	ktrace, sighup	sigsegv	see	sched	name */
91
/* privileged on privileged */
92
{	&creds[0],	&creds[0],	0,	0,	0,	0,	0,	0,	"0. priv on priv"},
93
{	&creds[0],	&creds[1],	0,	0,	0,	0,	0,	0,	"1. priv on priv"},
94
{	&creds[1],	&creds[0],	0,	0,	0,	0,	0,	0,	"2. priv on priv"},
95
{	&creds[1],	&creds[1],	0,	0,	0,	0,	0,	0,	"3. priv on priv"},
96
/* privileged on unprivileged */
97
{	&creds[0],	&creds[2],	0,	0,	0,	0,	0,	0,	"4. priv on unpriv1"},
98
{	&creds[0],	&creds[3],	0,	0,	0,	0,	0,	0,	"5. priv on unpriv1"},
99
{	&creds[1],	&creds[2],	0,	0,	0,	0,	0,	0,	"6. priv on unpriv1"},
100
{	&creds[1],	&creds[3],	0,	0,	0,	0,	0,	0,	"7. priv on unpriv1"},
101
/* unprivileged on privileged */
102
{	&creds[2],	&creds[0],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"8. unpriv1 on priv"},
103
{	&creds[2],	&creds[1],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"9. unpriv1 on priv"},
104
{	&creds[3],	&creds[0],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"10. unpriv1 on priv"},
105
{	&creds[3],	&creds[1],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"11. unpriv1 on priv"},
106
/* unprivileged on same unprivileged */
107
{	&creds[2],	&creds[2],	0,	0,	0,	0,	0,	0,	"12. unpriv1 on unpriv1"},
108
{	&creds[2],	&creds[3],	EPERM,	EPERM,	0,	EPERM,	0,	0,	"13. unpriv1 on unpriv1"},
109
{	&creds[3],	&creds[2],	0,	0,	0,	0,	0,	0,	"14. unpriv1 on unpriv1"},
110
{	&creds[3],	&creds[3],	EPERM,	EPERM,	0,	EPERM,	0,	0,	"15. unpriv1 on unpriv1"},
111
/* unprivileged on different unprivileged */
112
{	&creds[2],	&creds[4],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"16. unpriv1 on unpriv2"},
113
{	&creds[2],	&creds[5],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"17. unpriv1 on unpriv2"},
114
{	&creds[3],	&creds[4],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"18. unpriv1 on unpriv2"},
115
{	&creds[3],	&creds[5],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"19. unpriv1 on unpriv2"},
116
/* unprivileged on daemon, same */
117
{	&creds[2],	&creds[6],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"20. unpriv1 on daemon1"},
118
{	&creds[2],	&creds[7],	EPERM,	EPERM,	EPERM,	EPERM,	0, 	EPERM,	"21. unpriv1 on daemon1"},
119
{	&creds[3],	&creds[6],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"22. unpriv1 on daemon1"},
120
{	&creds[3],	&creds[7],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"23. unpriv1 on daemon1"},
121
/* unprivileged on daemon, different */
122
{	&creds[2],	&creds[8],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"24. unpriv1 on daemon2"},
123
{	&creds[2],	&creds[9],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"25. unpriv1 on daemon2"},
124
{	&creds[3],	&creds[8],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"26. unpriv1 on daemon2"},
125
{	&creds[3],	&creds[9],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"27. unpriv1 on daemon2"},
126
/* unprivileged on setuid, same */
127
{	&creds[2],	&creds[10],	EPERM,	EPERM,	0,	0,	0,	0,	"28. unpriv1 on setuid1"},
128
{	&creds[2],	&creds[11],	EPERM,	EPERM,	0,	EPERM,	0,	0,	"29. unpriv1 on setuid1"},
129
{	&creds[3],	&creds[10],	EPERM,	EPERM,	0,	0,	0,	0,	"30. unpriv1 on setuid1"},
130
{	&creds[3],	&creds[11],	EPERM,	EPERM,	0,	EPERM,	0,	0,	"31. unpriv1 on setuid1"},
131
/* unprivileged on setuid, different */
132
{	&creds[2],	&creds[12],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"32. unpriv1 on setuid2"},
133
{	&creds[2],	&creds[13],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"33. unpriv1 on setuid2"},
134
{	&creds[3],	&creds[12],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"34. unpriv1 on setuid2"},
135
{	&creds[3],	&creds[13],	EPERM,	EPERM,	EPERM,	EPERM,	0,	EPERM,	"35. unpriv1 on setuid2"},
136
};
137
int scenarios_count = sizeof(scenarios) / sizeof(struct scenario);
138

139
/*
140
 * Convert an error number to a compact string representation.  For now,
141
 * implement only the error numbers we are likely to see.
142
 */
143
static char *
144
errno_to_string(int error)
145
{
146

147
	switch (error) {
148
	case EPERM:
149
		return ("EPERM");
150
	case EACCES:
151
		return ("EACCES");
152
	case EINVAL:
153
		return ("EINVAL");
154
	case ENOSYS:
155
		return ("ENOSYS");
156
	case ESRCH:
157
		return ("ESRCH");
158
	case EOPNOTSUPP:
159
		return ("EOPNOTSUPP");
160
	case 0:
161
		return ("0");
162
	default:
163
		printf("%d\n", error);
164
		return ("unknown");
165
	}
166
}
167

168
/*
169
 * Return a process credential describing the current process.
170
 */
171
static int
172
cred_get(struct cred *cred)
173
{
174
	int error;
175

176
	error = getresuid(&cred->cr_ruid, &cred->cr_euid, &cred->cr_svuid);
177
	if (error)
178
		return (error);
179

180
	cred->cr_issetugid = issetugid();
181

182
	return (0);
183
}
184

185
/*
186
 * Userland stub for __setsugid() to take into account possible presence
187
 * in C library, kernel, et al.
188
 */
189
int
190
setugid(int flag)
191
{
192

193
#ifdef SETSUGID_SUPPORTED
194
	return (__setugid(flag));
195
#else
196
#ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
197
	return (syscall(374, flag));
198
#else
199
	return (ENOSYS);
200
#endif
201
#endif
202
}
203

204
/*
205
 * Set the current process's credentials to match the passed credential.
206
 */
207
static int
208
cred_set(struct cred *cred)
209
{
210
	int error;
211

212
	error = setresuid(cred->cr_ruid, cred->cr_euid, cred->cr_svuid);
213
	if (error)
214
		return (error);
215

216
	error = setugid(cred->cr_issetugid);
217
	if (error) {
218
		perror("__setugid");
219
		return (error);
220
	}
221

222
#ifdef CHECK_CRED_SET
223
	{
224
		uid_t ruid, euid, svuid;
225
		error = getresuid(&ruid, &euid, &svuid);
226
		if (error) {
227
			perror("getresuid");
228
			return (-1);
229
		}
230
		assert(ruid == cred->cr_ruid);
231
		assert(euid == cred->cr_euid);
232
		assert(svuid == cred->cr_svuid);
233
		assert(cred->cr_issetugid == issetugid());
234
	}
235
#endif /* !CHECK_CRED_SET */
236

237
	return (0);
238
}
239

240
/*
241
 * Print the passed process credential to the passed I/O stream.
242
 */
243
static void
244
cred_print(FILE *output, struct cred *cred)
245
{
246

247
	fprintf(output, "(e:%d r:%d s:%d P_SUGID:%d)", cred->cr_euid,
248
	    cred->cr_ruid, cred->cr_svuid, cred->cr_issetugid);
249
}
250

251
#define	LOOP_PTRACE	0
252
#define	LOOP_KTRACE	1
253
#define	LOOP_SIGHUP	2
254
#define	LOOP_SIGSEGV	3
255
#define	LOOP_SEE	4
256
#define	LOOP_SCHED	5
257
#define	LOOP_MAX	LOOP_SCHED
258

259
/*
260
 * Enact a scenario by looping through the four test cases for the scenario,
261
 * spawning off pairs of processes with the desired credentials, and
262
 * reporting results to stdout.
263
 */
264
static int
265
enact_scenario(int scenario)
266
{
267
	pid_t pid1, pid2;
268
	char *name, *tracefile;
269
	int error, desirederror, loop;
270

271
	for (loop = 0; loop < LOOP_MAX+1; loop++) {
272
		/*
273
		 * Spawn the first child, target of the operation.
274
		 */
275
		pid1 = fork();
276
		switch (pid1) {
277
		case -1:
278
			return (-1);
279
		case 0:
280
			/* child */
281
			error = cred_set(scenarios[scenario].sc_cred2);
282
			if (error) {
283
				perror("cred_set");
284
				return (error);
285
			}
286
			/* 200 seconds should be plenty of time. */
287
			sleep(200);
288
			exit(0);
289
		default:
290
			/* parent */
291
			break;
292
		}
293

294
		/*
295
		 * XXX
296
		 * This really isn't ideal -- give proc 1 a chance to set
297
		 * its credentials, or we may get spurious errors.  Really,
298
		 * some for of IPC should be used to allow the parent to
299
		 * wait for the first child to be ready before spawning
300
		 * the second child.
301
		 */
302
		sleep(1);
303

304
		/*
305
		 * Spawn the second child, source of the operation.
306
		 */
307
		pid2 = fork();
308
		switch (pid2) {
309
		case -1:
310
			return (-1);
311
	
312
		case 0:
313
			/* child */
314
			error = cred_set(scenarios[scenario].sc_cred1);
315
			if (error) {
316
				perror("cred_set");
317
				return (error);
318
			}
319
	
320
			/*
321
			 * Initialize errno to zero so as to catch any
322
			 * generated errors.  In each case, perform the
323
			 * operation.  Preserve the error number for later
324
			 * use so it doesn't get stomped on by any I/O.
325
			 * Determine the desired error for the given case
326
			 * by extracting it from the scenario table.
327
			 * Initialize a function name string for output
328
			 * prettiness.
329
			 */
330
			errno = 0;
331
			switch (loop) {
332
			case LOOP_PTRACE:
333
				error = ptrace(PT_ATTACH, pid1, NULL, 0);
334
				error = errno;
335
				name = "ptrace";
336
				desirederror =
337
				    scenarios[scenario].sc_canptrace_errno;
338
				break;
339
			case LOOP_KTRACE:
340
				tracefile = mktemp("/tmp/testuid_ktrace.XXXXXX");
341
				if (tracefile == NULL) {
342
					error = errno;
343
					perror("mktemp");
344
					break;
345
				}
346
				error = ktrace(tracefile, KTROP_SET,
347
				    KTRFAC_SYSCALL, pid1);
348
				error = errno;
349
				name = "ktrace";
350
				desirederror =
351
				    scenarios[scenario].sc_canktrace_errno;
352
				unlink(tracefile);
353
				break;
354
			case LOOP_SIGHUP:
355
				error = kill(pid1, SIGHUP);
356
				error = errno;
357
				name = "sighup";
358
				desirederror =
359
				    scenarios[scenario].sc_cansighup_errno;
360
				break;
361
			case LOOP_SIGSEGV:
362
				error = kill(pid1, SIGSEGV);
363
				error = errno;
364
				name = "sigsegv";
365
				desirederror =
366
				    scenarios[scenario].sc_cansigsegv_errno;
367
				break;
368
			case LOOP_SEE:
369
				getpriority(PRIO_PROCESS, pid1);
370
				error = errno;
371
				name = "see";
372
				desirederror =
373
				    scenarios[scenario].sc_cansee_errno;
374
				break;
375
			case LOOP_SCHED:
376
				error = setpriority(PRIO_PROCESS, pid1,
377
				   0);
378
				error = errno;
379
				name = "sched";
380
				desirederror =
381
				    scenarios[scenario].sc_cansched_errno;
382
				break;
383
			default:
384
				name = "broken";
385
			}
386

387
			if (error != desirederror) {
388
				fprintf(stdout,
389
				    "[%s].%s: expected %s, got %s\n  ",
390
				    scenarios[scenario].sc_name, name,
391
				    errno_to_string(desirederror),
392
				    errno_to_string(error));
393
				cred_print(stdout,
394
				    scenarios[scenario].sc_cred1);
395
				cred_print(stdout,
396
				    scenarios[scenario].sc_cred2);
397
				fprintf(stdout, "\n");
398
			}
399

400
			exit(0);
401

402
		default:
403
			/* parent */
404
			break;
405
		}
406

407
		error = waitpid(pid2, NULL, 0);
408
		/*
409
		 * Once pid2 has died, it's safe to kill pid1, if it's still
410
		 * alive.  Mask signal failure in case the test actually
411
		 * killed pid1 (not unlikely: can occur in both signal and
412
		 * ptrace cases).
413
		 */
414
		kill(pid1, SIGKILL);
415
		error = waitpid(pid2, NULL, 0);
416
	}
417
	
418
	return (0);
419
}
420

421
void
422
enact_scenarios(void)
423
{
424
	int i, error;
425

426
	for (i = 0; i < scenarios_count; i++) {
427
		error = enact_scenario(i);
428
		if (error)
429
			perror("enact_scenario");
430
	}
431
}
432

433