2 * Copyright (c) 2001 Robert N. M. Watson
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/param.h>
31 #include <sys/ptrace.h>
33 #include <sys/resource.h>
34 #include <sys/syscall.h>
36 #include <sys/ktrace.h>
46 * Relevant parts of a process credential.
49 uid_t cr_euid, cr_ruid, cr_svuid;
54 * Description of a scenario.
57 struct cred *sc_cred1, *sc_cred2; /* credentials of p1 and p2 */
58 int sc_canptrace_errno; /* desired ptrace failure */
59 int sc_canktrace_errno; /* desired ktrace failure */
60 int sc_cansighup_errno; /* desired SIGHUP failure */
61 int sc_cansigsegv_errno; /* desired SIGSEGV failure */
62 int sc_cansee_errno; /* desired getprio failure */
63 int sc_cansched_errno; /* desired setprio failure */
64 char *sc_name; /* test name */
68 * Table of relevant credential combinations.
70 static struct cred creds[] = {
71 /* euid ruid svuid issetugid */
72 /* 0 */ { 0, 0, 0, 0 }, /* privileged */
73 /* 1 */ { 0, 0, 0, 1 }, /* privileged + issetugid */
74 /* 2 */ { 1000, 1000, 1000, 0 }, /* unprivileged1 */
75 /* 3 */ { 1000, 1000, 1000, 1 }, /* unprivileged1 + issetugid */
76 /* 4 */ { 1001, 1001, 1001, 0 }, /* unprivileged2 */
77 /* 5 */ { 1001, 1001, 1001, 1 }, /* unprivileged2 + issetugid */
78 /* 6 */ { 1000, 0, 0, 0 }, /* daemon1 */
79 /* 7 */ { 1000, 0, 0, 1 }, /* daemon1 + issetugid */
80 /* 8 */ { 1001, 0, 0, 0 }, /* daemon2 */
81 /* 9 */ { 1001, 0, 0, 1 }, /* daemon2 + issetugid */
82 /* 10 */{ 0, 1000, 1000, 0 }, /* setuid1 */
83 /* 11 */{ 0, 1000, 1000, 1 }, /* setuid1 + issetugid */
84 /* 12 */{ 0, 1001, 1001, 0 }, /* setuid2 */
85 /* 13 */{ 0, 1001, 1001, 1 }, /* setuid2 + issetugid */
91 static const struct scenario scenarios[] = {
92 /* cred1 cred2 ptrace ktrace, sighup sigsegv see sched name */
93 /* privileged on privileged */
94 { &creds[0], &creds[0], 0, 0, 0, 0, 0, 0, "0. priv on priv"},
95 { &creds[0], &creds[1], 0, 0, 0, 0, 0, 0, "1. priv on priv"},
96 { &creds[1], &creds[0], 0, 0, 0, 0, 0, 0, "2. priv on priv"},
97 { &creds[1], &creds[1], 0, 0, 0, 0, 0, 0, "3. priv on priv"},
98 /* privileged on unprivileged */
99 { &creds[0], &creds[2], 0, 0, 0, 0, 0, 0, "4. priv on unpriv1"},
100 { &creds[0], &creds[3], 0, 0, 0, 0, 0, 0, "5. priv on unpriv1"},
101 { &creds[1], &creds[2], 0, 0, 0, 0, 0, 0, "6. priv on unpriv1"},
102 { &creds[1], &creds[3], 0, 0, 0, 0, 0, 0, "7. priv on unpriv1"},
103 /* unprivileged on privileged */
104 { &creds[2], &creds[0], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "8. unpriv1 on priv"},
105 { &creds[2], &creds[1], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "9. unpriv1 on priv"},
106 { &creds[3], &creds[0], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "10. unpriv1 on priv"},
107 { &creds[3], &creds[1], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "11. unpriv1 on priv"},
108 /* unprivileged on same unprivileged */
109 { &creds[2], &creds[2], 0, 0, 0, 0, 0, 0, "12. unpriv1 on unpriv1"},
110 { &creds[2], &creds[3], EPERM, EPERM, 0, EPERM, 0, 0, "13. unpriv1 on unpriv1"},
111 { &creds[3], &creds[2], 0, 0, 0, 0, 0, 0, "14. unpriv1 on unpriv1"},
112 { &creds[3], &creds[3], EPERM, EPERM, 0, EPERM, 0, 0, "15. unpriv1 on unpriv1"},
113 /* unprivileged on different unprivileged */
114 { &creds[2], &creds[4], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "16. unpriv1 on unpriv2"},
115 { &creds[2], &creds[5], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "17. unpriv1 on unpriv2"},
116 { &creds[3], &creds[4], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "18. unpriv1 on unpriv2"},
117 { &creds[3], &creds[5], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "19. unpriv1 on unpriv2"},
118 /* unprivileged on daemon, same */
119 { &creds[2], &creds[6], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "20. unpriv1 on daemon1"},
120 { &creds[2], &creds[7], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "21. unpriv1 on daemon1"},
121 { &creds[3], &creds[6], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "22. unpriv1 on daemon1"},
122 { &creds[3], &creds[7], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "23. unpriv1 on daemon1"},
123 /* unprivileged on daemon, different */
124 { &creds[2], &creds[8], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "24. unpriv1 on daemon2"},
125 { &creds[2], &creds[9], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "25. unpriv1 on daemon2"},
126 { &creds[3], &creds[8], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "26. unpriv1 on daemon2"},
127 { &creds[3], &creds[9], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "27. unpriv1 on daemon2"},
128 /* unprivileged on setuid, same */
129 { &creds[2], &creds[10], EPERM, EPERM, 0, 0, 0, 0, "28. unpriv1 on setuid1"},
130 { &creds[2], &creds[11], EPERM, EPERM, 0, EPERM, 0, 0, "29. unpriv1 on setuid1"},
131 { &creds[3], &creds[10], EPERM, EPERM, 0, 0, 0, 0, "30. unpriv1 on setuid1"},
132 { &creds[3], &creds[11], EPERM, EPERM, 0, EPERM, 0, 0, "31. unpriv1 on setuid1"},
133 /* unprivileged on setuid, different */
134 { &creds[2], &creds[12], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "32. unpriv1 on setuid2"},
135 { &creds[2], &creds[13], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "33. unpriv1 on setuid2"},
136 { &creds[3], &creds[12], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "34. unpriv1 on setuid2"},
137 { &creds[3], &creds[13], EPERM, EPERM, EPERM, EPERM, 0, EPERM, "35. unpriv1 on setuid2"},
139 int scenarios_count = sizeof(scenarios) / sizeof(struct scenario);
142 * Convert an error number to a compact string representation. For now,
143 * implement only the error numbers we are likely to see.
146 errno_to_string(int error)
161 return ("EOPNOTSUPP");
165 printf("%d\n", error);
171 * Return a process credential describing the current process.
174 cred_get(struct cred *cred)
178 error = getresuid(&cred->cr_ruid, &cred->cr_euid, &cred->cr_svuid);
182 cred->cr_issetugid = issetugid();
188 * Userland stub for __setsugid() to take into account possible presence
189 * in C library, kernel, et al.
195 #ifdef SETSUGID_SUPPORTED
196 return (__setugid(flag));
198 #ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
199 return (syscall(374, flag));
207 * Set the current process's credentials to match the passed credential.
210 cred_set(struct cred *cred)
214 error = setresuid(cred->cr_ruid, cred->cr_euid, cred->cr_svuid);
218 error = setugid(cred->cr_issetugid);
224 #ifdef CHECK_CRED_SET
226 uid_t ruid, euid, svuid;
227 error = getresuid(&ruid, &euid, &svuid);
232 assert(ruid == cred->cr_ruid);
233 assert(euid == cred->cr_euid);
234 assert(svuid == cred->cr_svuid);
235 assert(cred->cr_issetugid == issetugid());
237 #endif /* !CHECK_CRED_SET */
243 * Print the passed process credential to the passed I/O stream.
246 cred_print(FILE *output, struct cred *cred)
249 fprintf(output, "(e:%d r:%d s:%d P_SUGID:%d)", cred->cr_euid,
250 cred->cr_ruid, cred->cr_svuid, cred->cr_issetugid);
253 #define LOOP_PTRACE 0
254 #define LOOP_KTRACE 1
255 #define LOOP_SIGHUP 2
256 #define LOOP_SIGSEGV 3
259 #define LOOP_MAX LOOP_SCHED
262 * Enact a scenario by looping through the four test cases for the scenario,
263 * spawning off pairs of processes with the desired credentials, and
264 * reporting results to stdout.
267 enact_scenario(int scenario)
270 char *name, *tracefile;
271 int error, desirederror, loop;
273 for (loop = 0; loop < LOOP_MAX+1; loop++) {
275 * Spawn the first child, target of the operation.
283 error = cred_set(scenarios[scenario].sc_cred2);
288 /* 200 seconds should be plenty of time. */
298 * This really isn't ideal -- give proc 1 a chance to set
299 * its credentials, or we may get spurious errors. Really,
300 * some for of IPC should be used to allow the parent to
301 * wait for the first child to be ready before spawning
307 * Spawn the second child, source of the operation.
316 error = cred_set(scenarios[scenario].sc_cred1);
323 * Initialize errno to zero so as to catch any
324 * generated errors. In each case, perform the
325 * operation. Preserve the error number for later
326 * use so it doesn't get stomped on by any I/O.
327 * Determine the desired error for the given case
328 * by extracting it from the scenario table.
329 * Initialize a function name string for output
335 error = ptrace(PT_ATTACH, pid1, NULL, 0);
339 scenarios[scenario].sc_canptrace_errno;
342 tracefile = mktemp("/tmp/testuid_ktrace.XXXXXX");
343 if (tracefile == NULL) {
348 error = ktrace(tracefile, KTROP_SET,
349 KTRFAC_SYSCALL, pid1);
353 scenarios[scenario].sc_canktrace_errno;
357 error = kill(pid1, SIGHUP);
361 scenarios[scenario].sc_cansighup_errno;
364 error = kill(pid1, SIGSEGV);
368 scenarios[scenario].sc_cansigsegv_errno;
371 getpriority(PRIO_PROCESS, pid1);
375 scenarios[scenario].sc_cansee_errno;
378 error = setpriority(PRIO_PROCESS, pid1,
383 scenarios[scenario].sc_cansched_errno;
389 if (error != desirederror) {
391 "[%s].%s: expected %s, got %s\n ",
392 scenarios[scenario].sc_name, name,
393 errno_to_string(desirederror),
394 errno_to_string(error));
396 scenarios[scenario].sc_cred1);
398 scenarios[scenario].sc_cred2);
399 fprintf(stdout, "\n");
409 error = waitpid(pid2, NULL, 0);
411 * Once pid2 has died, it's safe to kill pid1, if it's still
412 * alive. Mask signal failure in case the test actually
413 * killed pid1 (not unlikely: can occur in both signal and
417 error = waitpid(pid2, NULL, 0);
424 enact_scenarios(void)
428 for (i = 0; i < scenarios_count; i++) {
429 error = enact_scenario(i);
431 perror("enact_scenario");