freebsd-dev/tools/regression/security/proc_to_proc/scenario.c
Robert Watson 274f7445fd o First pass at an inter-process authorization regression testing suite.
This test utility attempts to evaluate the current kernel policy
  for authorization inter-process activities, currently ptrace(),
  kill(, SIGHUP), getpriority(), and setpriority().  The utility creates
  pairs of processes, initializes their credential sets to useful
  cases, and reports on whether the results are in keeping with hard-coded
  safety expectations.

o Currently, this utility relies on the availability of __setugid(),
  an uncomitted system call used for managing the P_SUGID bit.  Due to
  continuing discussion of optional regression testing kernel components
  ("options REGRESSION") I'll hold off on committing that until the
  discussion has reached its natural termination.

o A number of additional testing factors should be taken into account
  in the testing, including tests for different classes of signals,
  interactions with process session characteristics, I/O signalling,
  broadcast activities such as broadcast signalling, mass priority
  setting, and to take into group-related aspects of credentials.
  Additional operations should also be taken into account, such as ktrace,
  debugging attach using procfs, and so on.

o This testing suite is intended to prevent the introduction of bugs
  in the upcoming sets of authorization changes associated with the
  introduction of process capabilities and mandatory access control.

Obtained from: TrustedBSD Project
2001-04-11 17:21:14 +00:00

400 lines
11 KiB
C

/*-
* Copyright (c) 2001 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <assert.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/*
* Relevant parts of a process credential.
*/
struct cred {
uid_t cr_euid, cr_ruid, cr_svuid;
int cr_issetugid;
};
/*
* Description of a scenario.
*/
struct scenario {
struct cred *sc_cred1, *sc_cred2; /* credentials of p1 and p2 */
int sc_candebug_errno; /* desired ptrace failure */
int sc_cansignal_errno; /* desired SIGHUP failure */
int sc_cansee_errno; /* desired getprio failure */
int sc_cansched_errno; /* desired setprio failure */
char *sc_name; /* test name */
};
/*
* Table of relevant credential combinations.
*/
static struct cred creds[] = {
/* euid ruid svuid issetugid */
/* 0 */ { 0, 0, 0, 0 }, /* privileged */
/* 1 */ { 0, 0, 0, 1 }, /* privileged + issetugid */
/* 2 */ { 1000, 1000, 1000, 0 }, /* unprivileged1 */
/* 3 */ { 1000, 1000, 1000, 1 }, /* unprivileged1 + issetugid */
/* 4 */ { 1001, 1001, 1001, 0 }, /* unprivileged2 */
/* 5 */ { 1001, 1001, 1001, 1 }, /* unprivileged2 + issetugid */
/* 6 */ { 1000, 0, 0, 0 }, /* daemon1 */
/* 7 */ { 1000, 0, 0, 1 }, /* daemon1 + issetugid */
/* 8 */ { 1001, 0, 0, 0 }, /* daemon2 */
/* 9 */ { 1001, 0, 0, 1 }, /* daemon2 + issetugid */
/* 10 */{ 0, 1000, 1000, 0 }, /* setuid1 */
/* 11 */{ 0, 1000, 1000, 1 }, /* setuid1 + issetugid */
/* 12 */{ 0, 1001, 1001, 0 }, /* setuid2 */
/* 13 */{ 0, 1001, 1001, 1 }, /* setuid2 + issetugid */
};
/*
* Table of scenarios.
*/
static const struct scenario scenarios[] = {
/* cred1 cred2 debug signal see sched name */
{ &creds[0], &creds[0], 0, 0, 0, 0, "0. priv on priv"},
{ &creds[0], &creds[1], 0, 0, 0, 0, "1. priv on priv"},
{ &creds[1], &creds[0], 0, 0, 0, 0, "2. priv on priv"},
{ &creds[1], &creds[1], 0, 0, 0, 0, "3. priv on priv"},
/* privileged on unprivileged */
{ &creds[0], &creds[2], 0, 0, 0, 0, "4. priv on unpriv1"},
{ &creds[0], &creds[3], 0, 0, 0, 0, "5. priv on unpriv1"},
{ &creds[1], &creds[2], 0, 0, 0, 0, "6. priv on unpriv1"},
{ &creds[1], &creds[3], 0, 0, 0, 0, "7. priv on unpriv1"},
/* unprivileged on privileged */
{ &creds[2], &creds[0], EPERM, EPERM, 0, EPERM, "8. unpriv1 on priv"},
{ &creds[2], &creds[1], EPERM, EPERM, 0, EPERM, "9. unpriv1 on priv"},
{ &creds[3], &creds[0], EPERM, EPERM, 0, EPERM, "10. unpriv1 on priv"},
{ &creds[3], &creds[1], EPERM, EPERM, 0, EPERM, "11. unpriv1 on priv"},
/* unprivileged on same unprivileged */
{ &creds[2], &creds[2], 0, 0, 0, 0, "12. unpriv1 on unpriv1"},
{ &creds[2], &creds[3], EPERM, 0, 0, 0, "13. unpriv1 on unpriv1"},
{ &creds[3], &creds[2], 0, 0, 0, 0, "14. unpriv1 on unpriv1"},
{ &creds[3], &creds[3], EPERM, 0, 0, 0, "15. unpriv1 on unpriv1"},
/* unprivileged on different unprivileged */
{ &creds[2], &creds[4], EPERM, EPERM, 0, EPERM, "16. unpriv1 on unpriv2"},
{ &creds[2], &creds[5], EPERM, EPERM, 0, EPERM, "17. unpriv1 on unpriv2"},
{ &creds[3], &creds[4], EPERM, EPERM, 0, EPERM, "18. unpriv1 on unpriv2"},
{ &creds[3], &creds[5], EPERM, EPERM, 0, EPERM, "19. unpriv1 on unpriv2"},
/* unprivileged on daemon, same */
{ &creds[2], &creds[6], EPERM, EPERM, 0, EPERM, "20. unpriv1 on daemon1"},
{ &creds[2], &creds[7], EPERM, EPERM, 0, EPERM, "21. unpriv1 on daemon1"},
{ &creds[3], &creds[6], EPERM, EPERM, 0, EPERM, "22. unpriv1 on daemon1"},
{ &creds[3], &creds[7], EPERM, EPERM, 0, EPERM, "23. unpriv1 on daemon1"},
/* unprivileged on daemon, different */
{ &creds[2], &creds[8], EPERM, EPERM, 0, EPERM, "24. unpriv1 on daemon2"},
{ &creds[2], &creds[9], EPERM, EPERM, 0, EPERM, "25. unpriv1 on daemon2"},
{ &creds[3], &creds[8], EPERM, EPERM, 0, EPERM, "26. unpriv1 on daemon2"},
{ &creds[3], &creds[9], EPERM, EPERM, 0, EPERM, "27. unpriv1 on daemon2"},
/* unprivileged on setuid, same */
{ &creds[2], &creds[10], EPERM, 0, 0, 0, "28. unpriv1 on setuid1"},
{ &creds[2], &creds[11], EPERM, 0, 0, 0, "29. unpriv1 on setuid1"},
{ &creds[3], &creds[10], EPERM, 0, 0, 0, "30. unpriv1 on setuid1"},
{ &creds[3], &creds[11], EPERM, 0, 0, 0, "31. unpriv1 on setuid1"},
/* unprivileged on setuid, different */
{ &creds[2], &creds[12], EPERM, EPERM, 0, EPERM, "32. unpriv1 on setuid2"},
{ &creds[2], &creds[13], EPERM, EPERM, 0, EPERM, "33. unpriv1 on setuid2"},
{ &creds[3], &creds[12], EPERM, EPERM, 0, EPERM, "34. unpriv1 on setuid2"},
{ &creds[3], &creds[13], EPERM, EPERM, 0, EPERM, "35. unpriv1 on setuid2"},
};
int scenarios_count = sizeof(scenarios) / sizeof(struct scenario);
/*
* Convert an error number to a compact string representation. For now,
* implement only the error numbers we are likely to see.
*/
static char *
errno_to_string(int error)
{
switch (error) {
case EPERM:
return ("EPERM");
case EACCES:
return ("EACCES");
case EINVAL:
return ("EINVAL");
case ENOSYS:
return ("ENOSYS");
case ESRCH:
return ("ESRCH");
case 0:
return ("0");
default:
return ("unknown");
}
}
/*
* Return a process credential describing the current process.
*/
static int
cred_get(struct cred *cred)
{
int error;
error = getresuid(&cred->cr_ruid, &cred->cr_euid, &cred->cr_svuid);
if (error)
return (error);
cred->cr_issetugid = issetugid();
return (0);
}
/*
* Userland stub for __setsugid() to take into account possible presence
* in C library, kernel, et al.
*/
int
setugid(int flag)
{
#ifdef SETSUGID_SUPPORTED
return (__setugid(flag));
#else
#ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
return (syscall(374, flag));
#else
return (ENOSYS);
#endif
#endif
}
/*
* Set the current process's credentials to match the passed credential.
*/
static int
cred_set(struct cred *cred)
{
int error;
error = setresuid(cred->cr_ruid, cred->cr_euid, cred->cr_svuid);
if (error)
return (error);
error = setugid(cred->cr_issetugid);
if (error) {
perror("__setugid");
return (error);
}
#ifdef CHECK_CRED_SET
{
uid_t ruid, euid, svuid;
error = getresuid(&ruid, &euid, &svuid);
if (error) {
perror("getresuid");
return (-1);
}
assert(ruid == cred->cr_ruid);
assert(euid == cred->cr_euid);
assert(svuid == cred->cr_svuid);
assert(cred->cr_issetugid == issetugid());
}
#endif /* !CHECK_CRED_SET */
return (0);
}
/*
* Print the passed process credential to the passed I/O stream.
*/
static void
cred_print(FILE *output, struct cred *cred)
{
fprintf(output, "(e:%d r:%d s:%d P_SUGID:%d)", cred->cr_euid,
cred->cr_ruid, cred->cr_svuid, cred->cr_issetugid);
}
#define LOOP_PTRACE 0
#define LOOP_SIGNAL 1
#define LOOP_SEE 2
#define LOOP_SCHED 3
#define LOOP_MAX LOOP_SCHED
/*
* Enact a scenario by looping through the four test cases for the scenario,
* spawning off pairs of processes with the desired credentials, and
* reporting results to stdout.
*/
static int
enact_scenario(int scenario)
{
pid_t pid1, pid2;
char *name;
int error, desirederror, loop;
for (loop = 0; loop < LOOP_MAX+1; loop++) {
/*
* Spawn the first child, target of the operation.
*/
pid1 = fork();
switch (pid1) {
case -1:
return (-1);
case 0:
/* child */
error = cred_set(scenarios[scenario].sc_cred2);
if (error) {
perror("cred_set");
return (error);
}
/* 200 seconds should be plenty of time. */
sleep(200);
exit(0);
default:
/* parent */
}
/*
* XXX
* This really isn't ideal -- give proc 1 a chance to set
* its credentials, or we may get spurious errors. Really,
* some for of IPC should be used to allow the parent to
* wait for the first child to be ready before spawning
* the second child.
*/
sleep(1);
/*
* Spawn the second child, source of the operation.
*/
pid2 = fork();
switch (pid2) {
case -1:
return (-1);
case 0:
/* child */
error = cred_set(scenarios[scenario].sc_cred1);
if (error) {
perror("cred_set");
return (error);
}
/*
* Initialize errno to zero so as to catch any
* generated errors. In each case, perform the
* operation. Preserve the error number for later
* use so it doesn't get stomped on by any I/O.
* Determine the desired error for the given case
* by extracting it from the scenario table.
* Initialize a function name string for output
* prettiness.
*/
errno = 0;
switch (loop) {
case LOOP_PTRACE:
error = ptrace(PT_ATTACH, pid1, NULL, 0);
error = errno;
name = "ptrace";
desirederror =
scenarios[scenario].sc_candebug_errno;
break;
case LOOP_SIGNAL:
error = kill(pid1, SIGHUP);
error = errno;
name = "signal";
desirederror =
scenarios[scenario].sc_cansignal_errno;
break;
case LOOP_SEE:
getpriority(PRIO_PROCESS, pid1);
error = errno;
name = "see";
desirederror =
scenarios[scenario].sc_cansee_errno;
break;
case LOOP_SCHED:
error = setpriority(PRIO_PROCESS, pid1,
0);
error = errno;
name = "sched";
desirederror =
scenarios[scenario].sc_cansched_errno;
break;
default:
name = "broken";
}
if (error != desirederror) {
fprintf(stdout,
"[%s].%s: expected %s, got %s\n ",
scenarios[scenario].sc_name, name,
errno_to_string(desirederror),
errno_to_string(error));
cred_print(stdout,
scenarios[scenario].sc_cred1);
cred_print(stdout,
scenarios[scenario].sc_cred2);
fprintf(stdout, "\n");
}
exit(0);
default:
/* parent */
}
error = waitpid(pid2, NULL, 0);
/*
* Once pid2 has died, it's safe to kill pid1, if it's still
* alive. Mask signal failure in case the test actually
* killed pid1 (not unlikely: can occur in both signal and
* ptrace cases).
*/
kill(pid1, SIGKILL);
error = waitpid(pid2, NULL, 0);
}
return (0);
}
void
enact_scenarios(void)
{
int i, error;
for (i = 0; i < scenarios_count; i++) {
error = enact_scenario(i);
if (error)
perror("enact_scenario");
}
}