tests/sys/fs/fusefs/allow_other.cc

   1 /*-
   2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
   3  *
   4  * Copyright (c) 2019 The FreeBSD Foundation
   5  *
   6  * This software was developed by BFF Storage Systems, LLC under sponsorship
   7  * from the FreeBSD Foundation.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  *
  18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  21  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  28  * SUCH DAMAGE.
  29  */
  30
  31 /*
  32  * Tests for the "allow_other" mount option.  They must be in their own
  33  * file so they can be run as root
  34  */
  35
  36 extern "C" {
  37 #include <sys/types.h>
  38 #include <sys/extattr.h>
  39 #include <sys/wait.h>
  40 #include <fcntl.h>
  41 #include <unistd.h>
  42 }
  43
  44 #include "mockfs.hh"
  45 #include "utils.hh"
  46
  47 using namespace testing;
  48
  49 const static char FULLPATH[] = "mountpoint/some_file.txt";
  50 const static char RELPATH[] = "some_file.txt";
  51
  52 class NoAllowOther: public FuseTest {
  53
  54 public:
  55 /* Unprivileged user id */
  56 int m_uid;
  57
  58 virtual void SetUp() {
  59         if (geteuid() != 0) {
  60                 GTEST_SKIP() << "This test must be run as root";
  61         }
  62
  63         FuseTest::SetUp();
  64 }
  65 };
  66
  67 class AllowOther: public NoAllowOther {
  68
  69 public:
  70 virtual void SetUp() {
  71         m_allow_other = true;
  72         NoAllowOther::SetUp();
  73 }
  74 };
  75
  76 TEST_F(AllowOther, allowed)
  77 {
  78         int status;
  79
  80         fork(true, &status, [&] {
  81                         uint64_t ino = 42;
  82
  83                         expect_lookup(RELPATH, ino, S_IFREG | 0644, 0, 1);
  84                         expect_open(ino, 0, 1);
  85                         expect_flush(ino, 1, ReturnErrno(0));
  86                         expect_release(ino, FH);
  87                 }, []() {
  88                         int fd;
  89
  90                         fd = open(FULLPATH, O_RDONLY);
  91                         if (fd < 0) {
  92                                 perror("open");
  93                                 return(1);
  94                         }
  95                         return 0;
  96                 }
  97         );
  98         ASSERT_EQ(0, WEXITSTATUS(status));
  99 }
 100
 101 /*
 102  * A variation of the Open.multiple_creds test showing how the bug can lead to a
 103  * privilege elevation.  The first process is privileged and opens a file only
 104  * visible to root.  The second process is unprivileged and shouldn't be able
 105  * to open the file, but does thanks to the bug
 106  */
 107 TEST_F(AllowOther, privilege_escalation)
 108 {
 109         const static char FULLPATH[] = "mountpoint/some_file.txt";
 110         const static char RELPATH[] = "some_file.txt";
 111         int fd1, status;
 112         const static uint64_t ino = 42;
 113         const static uint64_t fh = 100;
 114
 115         /* Fork a child to open the file with different credentials */
 116         fork(true, &status, [&] {
 117
 118                 expect_lookup(RELPATH, ino, S_IFREG | 0600, 0, 2);
 119                 EXPECT_CALL(*m_mock, process(
 120                         ResultOf([=](auto in) {
 121                                 return (in->header.opcode == FUSE_OPEN &&
 122                                         in->header.pid == (uint32_t)getpid() &&
 123                                         in->header.uid == (uint32_t)geteuid() &&
 124                                         in->header.nodeid == ino);
 125                         }, Eq(true)),
 126                         _)
 127                 ).WillOnce(Invoke(
 128                         ReturnImmediate([](auto in __unused, auto out) {
 129                         out->body.open.fh = fh;
 130                         out->header.len = sizeof(out->header);
 131                         SET_OUT_HEADER_LEN(out, open);
 132                 })));
 133
 134                 EXPECT_CALL(*m_mock, process(
 135                         ResultOf([=](auto in) {
 136                                 return (in->header.opcode == FUSE_OPEN &&
 137                                         in->header.pid != (uint32_t)getpid() &&
 138                                         in->header.uid != (uint32_t)geteuid() &&
 139                                         in->header.nodeid == ino);
 140                         }, Eq(true)),
 141                         _)
 142                 ).Times(AnyNumber())
 143                 .WillRepeatedly(Invoke(ReturnErrno(EPERM)));
 144
 145                 fd1 = open(FULLPATH, O_RDONLY);
 146                 EXPECT_LE(0, fd1) << strerror(errno);
 147         }, [] {
 148                 int fd0;
 149
 150                 fd0 = open(FULLPATH, O_RDONLY);
 151                 if (fd0 >= 0) {
 152                         fprintf(stderr, "Privilege escalation!\n");
 153                         return 1;
 154                 }
 155                 if (errno != EPERM) {
 156                         fprintf(stderr, "Unexpected error %s\n",
 157                                 strerror(errno));
 158                         return 1;
 159                 }
 160                 return 0;
 161         }
 162         );
 163         ASSERT_EQ(0, WEXITSTATUS(status));
 164         /* Deliberately leak fd1.  close(2) will be tested in release.cc */
 165 }
 166
 167 TEST_F(NoAllowOther, disallowed)
 168 {
 169         int status;
 170
 171         fork(true, &status, [] {
 172                 }, []() {
 173                         int fd;
 174
 175                         fd = open(FULLPATH, O_RDONLY);
 176                         if (fd >= 0) {
 177                                 fprintf(stderr, "open should've failed\n");
 178                                 return(1);
 179                         } else if (errno != EPERM) {
 180                                 fprintf(stderr, "Unexpected error: %s\n",
 181                                         strerror(errno));
 182                                 return(1);
 183                         }
 184                         return 0;
 185                 }
 186         );
 187         ASSERT_EQ(0, WEXITSTATUS(status));
 188 }
 189
 190 /*
 191  * When -o allow_other is not used, users other than the owner aren't allowed
 192  * to open anything inside of the mount point, not just the mountpoint itself
 193  * This is a regression test for bug 237052
 194  */
 195 TEST_F(NoAllowOther, disallowed_beneath_root)
 196 {
 197         const static char FULLPATH[] = "mountpoint/some_dir";
 198         const static char RELPATH[] = "some_dir";
 199         const static char RELPATH2[] = "other_dir";
 200         const static uint64_t ino = 42;
 201         const static uint64_t ino2 = 43;
 202         int dfd, status;
 203
 204         expect_lookup(RELPATH, ino, S_IFDIR | 0755, 0, 1);
 205         EXPECT_LOOKUP(ino, RELPATH2)
 206         .WillRepeatedly(Invoke(ReturnImmediate([=](auto in __unused, auto out) {
 207                 SET_OUT_HEADER_LEN(out, entry);
 208                 out->body.entry.attr.mode = S_IFREG | 0644;
 209                 out->body.entry.nodeid = ino2;
 210                 out->body.entry.attr.nlink = 1;
 211                 out->body.entry.attr_valid = UINT64_MAX;
 212         })));
 213         expect_opendir(ino);
 214         dfd = open(FULLPATH, O_DIRECTORY);
 215         ASSERT_LE(0, dfd) << strerror(errno);
 216
 217         fork(true, &status, [] {
 218                 }, [&]() {
 219                         int fd;
 220
 221                         fd = openat(dfd, RELPATH2, O_RDONLY);
 222                         if (fd >= 0) {
 223                                 fprintf(stderr, "openat should've failed\n");
 224                                 return(1);
 225                         } else if (errno != EPERM) {
 226                                 fprintf(stderr, "Unexpected error: %s\n",
 227                                         strerror(errno));
 228                                 return(1);
 229                         }
 230                         return 0;
 231                 }
 232         );
 233         ASSERT_EQ(0, WEXITSTATUS(status));
 234 }
 235
 236 /*
 237  * Provide coverage for the extattr methods, which have a slightly different
 238  * code path
 239  */
 240 TEST_F(NoAllowOther, setextattr)
 241 {
 242         int ino = 42, status;
 243
 244         fork(true, &status, [&] {
 245                         EXPECT_LOOKUP(1, RELPATH)
 246                         .WillOnce(Invoke(
 247                         ReturnImmediate([=](auto in __unused, auto out) {
 248                                 SET_OUT_HEADER_LEN(out, entry);
 249                                 out->body.entry.attr_valid = UINT64_MAX;
 250                                 out->body.entry.entry_valid = UINT64_MAX;
 251                                 out->body.entry.attr.mode = S_IFREG | 0644;
 252                                 out->body.entry.nodeid = ino;
 253                         })));
 254
 255                         /*
 256                          * lookup the file to get it into the cache.
 257                          * Otherwise, the unprivileged lookup will fail with
 258                          * EACCES
 259                          */
 260                         ASSERT_EQ(0, access(FULLPATH, F_OK)) << strerror(errno);
 261                 }, [&]() {
 262                         const char value[] = "whatever";
 263                         ssize_t value_len = strlen(value) + 1;
 264                         int ns = EXTATTR_NAMESPACE_USER;
 265                         ssize_t r;
 266
 267                         r = extattr_set_file(FULLPATH, ns, "foo",
 268                                 (void*)value, value_len);
 269                         if (r >= 0) {
 270                                 fprintf(stderr, "should've failed\n");
 271                                 return(1);
 272                         } else if (errno != EPERM) {
 273                                 fprintf(stderr, "Unexpected error: %s\n",
 274                                         strerror(errno));
 275                                 return(1);
 276                         }
 277                         return 0;
 278                 }
 279         );
 280         ASSERT_EQ(0, WEXITSTATUS(status));
 281 }