tests/sys/fs/fusefs/allow_other.cc

   1 /*-
   2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
   3  *
   4  * Copyright (c) 2019 The FreeBSD Foundation
   5  *
   6  * This software was developed by BFF Storage Systems, LLC under sponsorship
   7  * from the FreeBSD Foundation.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  *
  18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  21  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  28  * SUCH DAMAGE.
  29  */
  30
  31 /*
  32  * Tests for the "allow_other" mount option.  They must be in their own
  33  * file so they can be run as root
  34  */
  35
  36 extern "C" {
  37 #include <sys/types.h>
  38 #include <fcntl.h>
  39 #include <unistd.h>
  40 }
  41
  42 #include "mockfs.hh"
  43 #include "utils.hh"
  44
  45 using namespace testing;
  46
  47 const static char FULLPATH[] = "mountpoint/some_file.txt";
  48 const static char RELPATH[] = "some_file.txt";
  49
  50 class NoAllowOther: public FuseTest {
  51
  52 public:
  53 /* Unprivileged user id */
  54 int m_uid;
  55
  56 virtual void SetUp() {
  57         if (geteuid() != 0) {
  58                 GTEST_SKIP() << "This test must be run as root";
  59         }
  60
  61         FuseTest::SetUp();
  62 }
  63 };
  64
  65 class AllowOther: public NoAllowOther {
  66
  67 public:
  68 virtual void SetUp() {
  69         m_allow_other = true;
  70         NoAllowOther::SetUp();
  71 }
  72 };
  73
  74 TEST_F(AllowOther, allowed)
  75 {
  76         fork(true, [&] {
  77                         uint64_t ino = 42;
  78
  79                         expect_lookup(RELPATH, ino, S_IFREG | 0644, 0, 1);
  80                         expect_open(ino, 0, 1);
  81                         expect_release(ino, FH);
  82                         expect_getattr(ino, 0);
  83                 }, []() {
  84                         int fd;
  85
  86                         fd = open(FULLPATH, O_RDONLY);
  87                         if (fd < 0) {
  88                                 perror("open");
  89                                 return(1);
  90                         }
  91                         return 0;
  92                 }
  93         );
  94 }
  95
  96 /*
  97  * A variation of the Open.multiple_creds test showing how the bug can lead to a
  98  * privilege elevation.  The first process is privileged and opens a file only
  99  * visible to root.  The second process is unprivileged and shouldn't be able
 100  * to open the file, but does thanks to the bug
 101  */
 102 TEST_F(AllowOther, privilege_escalation)
 103 {
 104         const static char FULLPATH[] = "mountpoint/some_file.txt";
 105         const static char RELPATH[] = "some_file.txt";
 106         int fd1;
 107         const static uint64_t ino = 42;
 108         const static uint64_t fh = 100;
 109
 110         /* Fork a child to open the file with different credentials */
 111         fork(true, [&] {
 112
 113                 expect_lookup(RELPATH, ino, S_IFREG | 0600, 0, 2);
 114                 EXPECT_CALL(*m_mock, process(
 115                         ResultOf([=](auto in) {
 116                                 return (in->header.opcode == FUSE_OPEN &&
 117                                         in->header.pid == (uint32_t)getpid() &&
 118                                         in->header.uid == (uint32_t)geteuid() &&
 119                                         in->header.nodeid == ino);
 120                         }, Eq(true)),
 121                         _)
 122                 ).WillOnce(Invoke(
 123                         ReturnImmediate([](auto in __unused, auto out) {
 124                         out->body.open.fh = fh;
 125                         out->header.len = sizeof(out->header);
 126                         SET_OUT_HEADER_LEN(out, open);
 127                 })));
 128
 129                 EXPECT_CALL(*m_mock, process(
 130                         ResultOf([=](auto in) {
 131                                 return (in->header.opcode == FUSE_OPEN &&
 132                                         in->header.pid != (uint32_t)getpid() &&
 133                                         in->header.uid != (uint32_t)geteuid() &&
 134                                         in->header.nodeid == ino);
 135                         }, Eq(true)),
 136                         _)
 137                 ).Times(AnyNumber())
 138                 .WillRepeatedly(Invoke(ReturnErrno(EPERM)));
 139                 expect_getattr(ino, 0);
 140
 141                 fd1 = open(FULLPATH, O_RDONLY);
 142                 EXPECT_LE(0, fd1) << strerror(errno);
 143         }, [] {
 144                 int fd0;
 145
 146                 fd0 = open(FULLPATH, O_RDONLY);
 147                 if (fd0 >= 0) {
 148                         fprintf(stderr, "Privilege escalation!\n");
 149                         return 1;
 150                 }
 151                 if (errno != EPERM) {
 152                         fprintf(stderr, "Unexpected error %s\n",
 153                                 strerror(errno));
 154                         return 1;
 155                 }
 156                 return 0;
 157         }
 158         );
 159         /* Deliberately leak fd1.  close(2) will be tested in release.cc */
 160 }
 161
 162 TEST_F(NoAllowOther, disallowed)
 163 {
 164         fork(true, [] {
 165                 }, []() {
 166                         int fd;
 167
 168                         fd = open(FULLPATH, O_RDONLY);
 169                         if (fd >= 0) {
 170                                 fprintf(stderr, "open should've failed\n");
 171                                 return(1);
 172                         } else if (errno != EPERM) {
 173                                 fprintf(stderr, "Unexpected error: %s\n",
 174                                         strerror(errno));
 175                                 return(1);
 176                         }
 177                         return 0;
 178                 }
 179         );
 180 }