1
// SPDX-License-Identifier: GPL-2.0
2

3
#include <linux/limits.h>
4
#include <signal.h>
5

6
#include "../kselftest.h"
7
#include "cgroup_util.h"
8

9
static int idle_process_fn(const char *cgroup, void *arg)
10
{
11
	(void)pause();
12
	return 0;
13
}
14

15
static int do_migration_fn(const char *cgroup, void *arg)
16
{
17
	int object_pid = (int)(size_t)arg;
18

19
	if (setuid(TEST_UID))
20
		return EXIT_FAILURE;
21

22
	// XXX checking /proc/$pid/cgroup would be quicker than wait
23
	if (cg_enter(cgroup, object_pid) ||
24
	    cg_wait_for_proc_count(cgroup, 1))
25
		return EXIT_FAILURE;
26

27
	return EXIT_SUCCESS;
28
}
29

30
static int do_controller_fn(const char *cgroup, void *arg)
31
{
32
	const char *child = cgroup;
33
	const char *parent = arg;
34

35
	if (setuid(TEST_UID))
36
		return EXIT_FAILURE;
37

38
	if (!cg_read_strstr(child, "cgroup.controllers", "cpuset"))
39
		return EXIT_FAILURE;
40

41
	if (cg_write(parent, "cgroup.subtree_control", "+cpuset"))
42
		return EXIT_FAILURE;
43

44
	if (cg_read_strstr(child, "cgroup.controllers", "cpuset"))
45
		return EXIT_FAILURE;
46

47
	if (cg_write(parent, "cgroup.subtree_control", "-cpuset"))
48
		return EXIT_FAILURE;
49

50
	if (!cg_read_strstr(child, "cgroup.controllers", "cpuset"))
51
		return EXIT_FAILURE;
52

53
	return EXIT_SUCCESS;
54
}
55

56
/*
57
 * Migrate a process between two sibling cgroups.
58
 * The success should only depend on the parent cgroup permissions and not the
59
 * migrated process itself (cpuset controller is in place because it uses
60
 * security_task_setscheduler() in cgroup v1).
61
 *
62
 * Deliberately don't set cpuset.cpus in children to avoid definining migration
63
 * permissions between two different cpusets.
64
 */
65
static int test_cpuset_perms_object(const char *root, bool allow)
66
{
67
	char *parent = NULL, *child_src = NULL, *child_dst = NULL;
68
	char *parent_procs = NULL, *child_src_procs = NULL, *child_dst_procs = NULL;
69
	const uid_t test_euid = TEST_UID;
70
	int object_pid = 0;
71
	int ret = KSFT_FAIL;
72

73
	parent = cg_name(root, "cpuset_test_0");
74
	if (!parent)
75
		goto cleanup;
76
	parent_procs = cg_name(parent, "cgroup.procs");
77
	if (!parent_procs)
78
		goto cleanup;
79
	if (cg_create(parent))
80
		goto cleanup;
81

82
	child_src = cg_name(parent, "cpuset_test_1");
83
	if (!child_src)
84
		goto cleanup;
85
	child_src_procs = cg_name(child_src, "cgroup.procs");
86
	if (!child_src_procs)
87
		goto cleanup;
88
	if (cg_create(child_src))
89
		goto cleanup;
90

91
	child_dst = cg_name(parent, "cpuset_test_2");
92
	if (!child_dst)
93
		goto cleanup;
94
	child_dst_procs = cg_name(child_dst, "cgroup.procs");
95
	if (!child_dst_procs)
96
		goto cleanup;
97
	if (cg_create(child_dst))
98
		goto cleanup;
99

100
	if (cg_write(parent, "cgroup.subtree_control", "+cpuset"))
101
		goto cleanup;
102

103
	if (cg_read_strstr(child_src, "cgroup.controllers", "cpuset") ||
104
	    cg_read_strstr(child_dst, "cgroup.controllers", "cpuset"))
105
		goto cleanup;
106

107
	/* Enable permissions along src->dst tree path */
108
	if (chown(child_src_procs, test_euid, -1) ||
109
	    chown(child_dst_procs, test_euid, -1))
110
		goto cleanup;
111

112
	if (allow && chown(parent_procs, test_euid, -1))
113
		goto cleanup;
114

115
	/* Fork a privileged child as a test object */
116
	object_pid = cg_run_nowait(child_src, idle_process_fn, NULL);
117
	if (object_pid < 0)
118
		goto cleanup;
119

120
	/* Carry out migration in a child process that can drop all privileges
121
	 * (including capabilities), the main process must remain privileged for
122
	 * cleanup.
123
	 * Child process's cgroup is irrelevant but we place it into child_dst
124
	 * as hacky way to pass information about migration target to the child.
125
	 */
126
	if (allow ^ (cg_run(child_dst, do_migration_fn, (void *)(size_t)object_pid) == EXIT_SUCCESS))
127
		goto cleanup;
128

129
	ret = KSFT_PASS;
130

131
cleanup:
132
	if (object_pid > 0) {
133
		(void)kill(object_pid, SIGTERM);
134
		(void)clone_reap(object_pid, WEXITED);
135
	}
136

137
	cg_destroy(child_dst);
138
	free(child_dst_procs);
139
	free(child_dst);
140

141
	cg_destroy(child_src);
142
	free(child_src_procs);
143
	free(child_src);
144

145
	cg_destroy(parent);
146
	free(parent_procs);
147
	free(parent);
148

149
	return ret;
150
}
151

152
static int test_cpuset_perms_object_allow(const char *root)
153
{
154
	return test_cpuset_perms_object(root, true);
155
}
156

157
static int test_cpuset_perms_object_deny(const char *root)
158
{
159
	return test_cpuset_perms_object(root, false);
160
}
161

162
/*
163
 * Migrate a process between parent and child implicitely
164
 * Implicit migration happens when a controller is enabled/disabled.
165
 *
166
 */
167
static int test_cpuset_perms_subtree(const char *root)
168
{
169
	char *parent = NULL, *child = NULL;
170
	char *parent_procs = NULL, *parent_subctl = NULL, *child_procs = NULL;
171
	const uid_t test_euid = TEST_UID;
172
	int object_pid = 0;
173
	int ret = KSFT_FAIL;
174

175
	parent = cg_name(root, "cpuset_test_0");
176
	if (!parent)
177
		goto cleanup;
178
	parent_procs = cg_name(parent, "cgroup.procs");
179
	if (!parent_procs)
180
		goto cleanup;
181
	parent_subctl = cg_name(parent, "cgroup.subtree_control");
182
	if (!parent_subctl)
183
		goto cleanup;
184
	if (cg_create(parent))
185
		goto cleanup;
186

187
	child = cg_name(parent, "cpuset_test_1");
188
	if (!child)
189
		goto cleanup;
190
	child_procs = cg_name(child, "cgroup.procs");
191
	if (!child_procs)
192
		goto cleanup;
193
	if (cg_create(child))
194
		goto cleanup;
195

196
	/* Enable permissions as in a delegated subtree */
197
	if (chown(parent_procs, test_euid, -1) ||
198
	    chown(parent_subctl, test_euid, -1) ||
199
	    chown(child_procs, test_euid, -1))
200
		goto cleanup;
201

202
	/* Put a privileged child in the subtree and modify controller state
203
	 * from an unprivileged process, the main process remains privileged
204
	 * for cleanup.
205
	 * The unprivileged child runs in subtree too to avoid parent and
206
	 * internal-node constraing violation.
207
	 */
208
	object_pid = cg_run_nowait(child, idle_process_fn, NULL);
209
	if (object_pid < 0)
210
		goto cleanup;
211

212
	if (cg_run(child, do_controller_fn, parent) != EXIT_SUCCESS)
213
		goto cleanup;
214

215
	ret = KSFT_PASS;
216

217
cleanup:
218
	if (object_pid > 0) {
219
		(void)kill(object_pid, SIGTERM);
220
		(void)clone_reap(object_pid, WEXITED);
221
	}
222

223
	cg_destroy(child);
224
	free(child_procs);
225
	free(child);
226

227
	cg_destroy(parent);
228
	free(parent_subctl);
229
	free(parent_procs);
230
	free(parent);
231

232
	return ret;
233
}
234

235

236
#define T(x) { x, #x }
237
struct cpuset_test {
238
	int (*fn)(const char *root);
239
	const char *name;
240
} tests[] = {
241
	T(test_cpuset_perms_object_allow),
242
	T(test_cpuset_perms_object_deny),
243
	T(test_cpuset_perms_subtree),
244
};
245
#undef T
246

247
int main(int argc, char *argv[])
248
{
249
	char root[PATH_MAX];
250
	int i, ret = EXIT_SUCCESS;
251

252
	if (cg_find_unified_root(root, sizeof(root), NULL))
253
		ksft_exit_skip("cgroup v2 isn't mounted\n");
254

255
	if (cg_read_strstr(root, "cgroup.subtree_control", "cpuset"))
256
		if (cg_write(root, "cgroup.subtree_control", "+cpuset"))
257
			ksft_exit_skip("Failed to set cpuset controller\n");
258

259
	for (i = 0; i < ARRAY_SIZE(tests); i++) {
260
		switch (tests[i].fn(root)) {
261
		case KSFT_PASS:
262
			ksft_test_result_pass("%s\n", tests[i].name);
263
			break;
264
		case KSFT_SKIP:
265
			ksft_test_result_skip("%s\n", tests[i].name);
266
			break;
267
		default:
268
			ret = EXIT_FAILURE;
269
			ksft_test_result_fail("%s\n", tests[i].name);
270
			break;
271
		}
272
	}
273

274
	return ret;
275
}
276

277