fusefs: send FUSE_FLUSH during VOP_CLOSE
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2019 The FreeBSD Foundation
5  *
6  * This software was developed by BFF Storage Systems, LLC under sponsorship
7  * from the FreeBSD Foundation.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  */
30
31 /*
32  * Tests for the "allow_other" mount option.  They must be in their own
33  * file so they can be run as root
34  */
35
36 extern "C" {
37 #include <sys/types.h>
38 #include <fcntl.h>
39 #include <unistd.h>
40 }
41
42 #include "mockfs.hh"
43 #include "utils.hh"
44
45 using namespace testing;
46
/* Path handed to open(2) by the test processes: the file as seen through the mount. */
static const char FULLPATH[] = "mountpoint/some_file.txt";
/* The same file's name as passed to the lookup expectations on the mock daemon. */
static const char RELPATH[] = "some_file.txt";
49
/*
 * Fixture for tests that need root.  It does not touch m_allow_other, so the
 * mount uses whatever FuseTest sets by default (not visible in this file).
 */
class NoAllowOther: public FuseTest {

public:
/* Unprivileged user id.  Nothing in this fixture assigns it. */
int m_uid;

/*
 * Skip the test unless the effective uid is 0.  GTEST_SKIP() returns from
 * SetUp(), so FuseTest::SetUp() is not reached for a skipped test.
 */
virtual void SetUp() {
        const bool running_as_root = (geteuid() == 0);

        if (!running_as_root) {
                GTEST_SKIP() << "This test must be run as root";
        }

        FuseTest::SetUp();
}
};
64
/* Same root-only fixture as NoAllowOther, with m_allow_other switched on. */
class AllowOther: public NoAllowOther {

public:
virtual void SetUp() {
        /*
         * Set the flag first, then run the base set-up.
         * NOTE(review): presumably FuseTest::SetUp() reads m_allow_other when
         * it mounts; confirm in utils.
         */
        this->m_allow_other = true;
        NoAllowOther::SetUp();
}
};
73
/*
 * With m_allow_other set, open(2) on the mounted file must succeed in the
 * process that fork() runs the second callback in.  fork() is a fixture helper
 * that is not shown in this file.
 * NOTE(review): its first argument presumably asks for privileges to be
 * dropped in the child; confirm in utils.
 */
TEST_F(AllowOther, allowed)
{
        /* Expectations registered on the mock daemon before the child runs */
        auto register_expectations = [&] {
                uint64_t ino = 42;

                expect_lookup(RELPATH, ino, S_IFREG | 0644, 0, 1);
                expect_open(ino, 0, 1);
                /*
                 * The child never calls close(2) itself; the flush and
                 * release are presumably triggered when it exits.
                 */
                expect_flush(ino, 1, ReturnErrno(0));
                expect_release(ino, FH);
                expect_getattr(ino, 0);
        };

        /* Returns 0 when the open succeeds and 1 otherwise */
        auto try_open = []() {
                int fd = open(FULLPATH, O_RDONLY);

                if (fd >= 0)
                        return 0;
                perror("open");
                return 1;
        };

        fork(true, register_expectations, try_open);
}
96
/*
 * A variation of the Open.multiple_creds test, written as a regression check
 * for a privilege elevation.  The first process is privileged and opens a
 * file whose mode (0600) makes it visible only to its owner.  The second
 * process is unprivileged and must not be able to open the same file: the
 * test fails if its open(2) succeeds or fails with anything other than EPERM.
 */
TEST_F(AllowOther, privilege_escalation)
{
        const static char FULLPATH[] = "mountpoint/some_file.txt";
        const static char RELPATH[] = "some_file.txt";
        int privileged_fd;
        const static uint64_t ino = 42;
        const static uint64_t fh = 100;

        /* Fork a child to open the file with different credentials */
        fork(true, [&] {

                expect_lookup(RELPATH, ino, S_IFREG | 0600, 0, 2);

                /*
                 * FUSE_OPEN for our inode whose header carries the pid and
                 * effective uid of the process evaluating this matcher.
                 */
                auto open_with_own_creds = ResultOf([=](auto req) {
                        if (req->header.opcode != FUSE_OPEN)
                                return false;
                        if (req->header.pid != (uint32_t)getpid())
                                return false;
                        if (req->header.uid != (uint32_t)geteuid())
                                return false;
                        return req->header.nodeid == ino;
                }, Eq(true));
                /* Reply to that request with a file handle, exactly once */
                auto grant_handle = ReturnImmediate([](auto in __unused, auto out) {
                        out->body.open.fh = fh;
                        out->header.len = sizeof(out->header);
                        SET_OUT_HEADER_LEN(out, open);
                });
                EXPECT_CALL(*m_mock, process(open_with_own_creds, _))
                        .WillOnce(Invoke(grant_handle));

                /*
                 * FUSE_OPEN for the same inode where both the pid and the uid
                 * differ.  A request that differs in only one of the two
                 * matches neither expectation.
                 */
                auto open_with_other_creds = ResultOf([=](auto req) {
                        if (req->header.opcode != FUSE_OPEN)
                                return false;
                        if (req->header.pid == (uint32_t)getpid())
                                return false;
                        if (req->header.uid == (uint32_t)geteuid())
                                return false;
                        return req->header.nodeid == ino;
                }, Eq(true));
                /*
                 * AnyNumber() also accepts zero calls, so the test passes
                 * whether the denial comes from the daemon's EPERM reply or
                 * the open is refused before it reaches the daemon.
                 */
                EXPECT_CALL(*m_mock, process(open_with_other_creds, _))
                        .Times(AnyNumber())
                        .WillRepeatedly(Invoke(ReturnErrno(EPERM)));
                expect_getattr(ino, 0);

                privileged_fd = open(FULLPATH, O_RDONLY);
                EXPECT_LE(0, privileged_fd) << strerror(errno);
        }, [] {
                /* Second opener: the only acceptable outcome is EPERM */
                int fd0 = open(FULLPATH, O_RDONLY);

                if (fd0 < 0 && errno == EPERM)
                        return 0;
                if (fd0 >= 0) {
                        /* The open went through with the wrong credentials */
                        fprintf(stderr, "Privilege escalation!\n");
                } else {
                        fprintf(stderr, "Unexpected error %s\n",
                                strerror(errno));
                }
                return 1;
        }
        );
        /*
         * Deliberately leak privileged_fd.  close(2) will be tested in
         * release.cc
         */
}
162
/*
 * Without allow_other set by the fixture, open(2) from the process that fork()
 * runs the second callback in must fail with EPERM.  The first callback
 * registers no expectations on the mock daemon.
 */
TEST_F(NoAllowOther, disallowed)
{
        auto no_expectations = [] {
        };

        /* Returns 0 only when the open is refused with EPERM */
        auto try_open = []() {
                int fd = open(FULLPATH, O_RDONLY);

                if (fd >= 0) {
                        fprintf(stderr, "open should've failed\n");
                        return 1;
                }
                if (errno != EPERM) {
                        fprintf(stderr, "Unexpected error: %s\n",
                                strerror(errno));
                        return 1;
                }
                return 0;
        };

        fork(true, no_expectations, try_open);
}