o First pass at an inter-process authorization regression testing suite.

This test utility attempts to evaluate the current kernel policy
  for authorization inter-process activities, currently ptrace(),
  kill(, SIGHUP), getpriority(), and setpriority().  The utility creates
  pairs of processes, initializes their credential sets to useful
  cases, and reports on whether the results are in keeping with hard-coded
  safety expectations.

o Currently, this utility relies on the availability of __setugid(),
  an uncomitted system call used for managing the P_SUGID bit.  Due to
  continuing discussion of optional regression testing kernel components
  ("options REGRESSION") I'll hold off on committing that until the
  discussion has reached its natural termination.

o A number of additional testing factors should be taken into account
  in the testing, including tests for different classes of signals,
  interactions with process session characteristics, I/O signalling,
  broadcast activities such as broadcast signalling, mass priority
  setting, and to take into group-related aspects of credentials.
  Additional operations should also be taken into account, such as ktrace,
  debugging attach using procfs, and so on.

o This testing suite is intended to prevent the introduction of bugs
  in the upcoming sets of authorization changes associated with the
  introduction of process capabilities and mandatory access control.

Obtained from: TrustedBSD Project
This commit is contained in:
Robert Watson 2001-04-11 17:21:14 +00:00
parent 2fea957dc5
commit 274f7445fd
5 changed files with 563 additions and 0 deletions

View File

@ -0,0 +1,12 @@
# $FreeBSD$
PROG= testuid
NOMAN= yes
#ADDITIONAL_FLAGS=-DSETSUGID_SUPPORTED
#ADDITIONAL_FLAGS= -DSETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
ADDITIONAL_FLAGS+= -DCHECK_CRED_SET
CFLAGS+= ${ADDITIONAL_FLAGS}
SRCS= testuid.c scenario.c
.include <bsd.prog.mk>

View File

@ -0,0 +1,53 @@
$FreeBSD$
Inter-Process Authorization Test Suite
Robert Watson, TrustedBSD Project
This test suite attempts to determine the behavior of inter-process
authorization policy present in the kernel. It analyzes a series of
important scenarios using specifically crafted process credentials
and a set of operations. It then reports on any divergence from the
expected results.
Test operations:
ptrace cred1 attempts ptrace attach to cred2
signal cred1 attempts SIGHUP of cred2
see cred1 attempts getpriority() on cred2
sched cred1 attempts setpriority() on cred2
Test scenarioes:
priv on priv root process on another root process
priv on unpriv1 root process on a non-root process
unpriv1 on priv non-root process on a root process
unpriv1 on unpriv1 non-root process on a similar non-root process
unpriv1 on unpriv2 non-root process on a different non-root process
unpriv1 on daemon1 non-root process on a root daemon process acting with
same non-root effective credentials
unpriv1 on daemon2 non-root process on a root daemon process acting with
different non-root effective credentials
unpriv1 on setuid1 non-root process on a setuid-root process with same
non-root real credentials
unpriv1 on setuid2 non-root process on a setuid-root process with
different non-root real credentials
The credential elements supported by the test suite are:
effective uid
real uid
saved uid
P_SUGID flag
Other untested aspects of interest include groups, as well as session
relationship. Other test operations that might be of interest are SIGCONT,
SIGIO, and SIGSEGV.
The current set of tests includes some tests where normally the P_SUGID
flag is set, but isn't in the test. The result is that some tests fail
that may not reflect real-world software configurations. However, they
do point to possible changes that could be made in the authorization system
to improve resilience to failure or violation of invariants.
These tests rely on __setugid(), a system call enabled using options
REGRESSION.

View File

@ -0,0 +1,399 @@
/*-
* Copyright (c) 2001 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <assert.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/*
* Relevant parts of a process credential.
*/
struct cred {
uid_t cr_euid, cr_ruid, cr_svuid;
int cr_issetugid;
};
/*
* Description of a scenario.
*/
struct scenario {
struct cred *sc_cred1, *sc_cred2; /* credentials of p1 and p2 */
int sc_candebug_errno; /* desired ptrace failure */
int sc_cansignal_errno; /* desired SIGHUP failure */
int sc_cansee_errno; /* desired getprio failure */
int sc_cansched_errno; /* desired setprio failure */
char *sc_name; /* test name */
};
/*
* Table of relevant credential combinations.
*/
static struct cred creds[] = {
/* euid ruid svuid issetugid */
/* 0 */ { 0, 0, 0, 0 }, /* privileged */
/* 1 */ { 0, 0, 0, 1 }, /* privileged + issetugid */
/* 2 */ { 1000, 1000, 1000, 0 }, /* unprivileged1 */
/* 3 */ { 1000, 1000, 1000, 1 }, /* unprivileged1 + issetugid */
/* 4 */ { 1001, 1001, 1001, 0 }, /* unprivileged2 */
/* 5 */ { 1001, 1001, 1001, 1 }, /* unprivileged2 + issetugid */
/* 6 */ { 1000, 0, 0, 0 }, /* daemon1 */
/* 7 */ { 1000, 0, 0, 1 }, /* daemon1 + issetugid */
/* 8 */ { 1001, 0, 0, 0 }, /* daemon2 */
/* 9 */ { 1001, 0, 0, 1 }, /* daemon2 + issetugid */
/* 10 */{ 0, 1000, 1000, 0 }, /* setuid1 */
/* 11 */{ 0, 1000, 1000, 1 }, /* setuid1 + issetugid */
/* 12 */{ 0, 1001, 1001, 0 }, /* setuid2 */
/* 13 */{ 0, 1001, 1001, 1 }, /* setuid2 + issetugid */
};
/*
* Table of scenarios.
*/
static const struct scenario scenarios[] = {
/* cred1 cred2 debug signal see sched name */
{ &creds[0], &creds[0], 0, 0, 0, 0, "0. priv on priv"},
{ &creds[0], &creds[1], 0, 0, 0, 0, "1. priv on priv"},
{ &creds[1], &creds[0], 0, 0, 0, 0, "2. priv on priv"},
{ &creds[1], &creds[1], 0, 0, 0, 0, "3. priv on priv"},
/* privileged on unprivileged */
{ &creds[0], &creds[2], 0, 0, 0, 0, "4. priv on unpriv1"},
{ &creds[0], &creds[3], 0, 0, 0, 0, "5. priv on unpriv1"},
{ &creds[1], &creds[2], 0, 0, 0, 0, "6. priv on unpriv1"},
{ &creds[1], &creds[3], 0, 0, 0, 0, "7. priv on unpriv1"},
/* unprivileged on privileged */
{ &creds[2], &creds[0], EPERM, EPERM, 0, EPERM, "8. unpriv1 on priv"},
{ &creds[2], &creds[1], EPERM, EPERM, 0, EPERM, "9. unpriv1 on priv"},
{ &creds[3], &creds[0], EPERM, EPERM, 0, EPERM, "10. unpriv1 on priv"},
{ &creds[3], &creds[1], EPERM, EPERM, 0, EPERM, "11. unpriv1 on priv"},
/* unprivileged on same unprivileged */
{ &creds[2], &creds[2], 0, 0, 0, 0, "12. unpriv1 on unpriv1"},
{ &creds[2], &creds[3], EPERM, 0, 0, 0, "13. unpriv1 on unpriv1"},
{ &creds[3], &creds[2], 0, 0, 0, 0, "14. unpriv1 on unpriv1"},
{ &creds[3], &creds[3], EPERM, 0, 0, 0, "15. unpriv1 on unpriv1"},
/* unprivileged on different unprivileged */
{ &creds[2], &creds[4], EPERM, EPERM, 0, EPERM, "16. unpriv1 on unpriv2"},
{ &creds[2], &creds[5], EPERM, EPERM, 0, EPERM, "17. unpriv1 on unpriv2"},
{ &creds[3], &creds[4], EPERM, EPERM, 0, EPERM, "18. unpriv1 on unpriv2"},
{ &creds[3], &creds[5], EPERM, EPERM, 0, EPERM, "19. unpriv1 on unpriv2"},
/* unprivileged on daemon, same */
{ &creds[2], &creds[6], EPERM, EPERM, 0, EPERM, "20. unpriv1 on daemon1"},
{ &creds[2], &creds[7], EPERM, EPERM, 0, EPERM, "21. unpriv1 on daemon1"},
{ &creds[3], &creds[6], EPERM, EPERM, 0, EPERM, "22. unpriv1 on daemon1"},
{ &creds[3], &creds[7], EPERM, EPERM, 0, EPERM, "23. unpriv1 on daemon1"},
/* unprivileged on daemon, different */
{ &creds[2], &creds[8], EPERM, EPERM, 0, EPERM, "24. unpriv1 on daemon2"},
{ &creds[2], &creds[9], EPERM, EPERM, 0, EPERM, "25. unpriv1 on daemon2"},
{ &creds[3], &creds[8], EPERM, EPERM, 0, EPERM, "26. unpriv1 on daemon2"},
{ &creds[3], &creds[9], EPERM, EPERM, 0, EPERM, "27. unpriv1 on daemon2"},
/* unprivileged on setuid, same */
{ &creds[2], &creds[10], EPERM, 0, 0, 0, "28. unpriv1 on setuid1"},
{ &creds[2], &creds[11], EPERM, 0, 0, 0, "29. unpriv1 on setuid1"},
{ &creds[3], &creds[10], EPERM, 0, 0, 0, "30. unpriv1 on setuid1"},
{ &creds[3], &creds[11], EPERM, 0, 0, 0, "31. unpriv1 on setuid1"},
/* unprivileged on setuid, different */
{ &creds[2], &creds[12], EPERM, EPERM, 0, EPERM, "32. unpriv1 on setuid2"},
{ &creds[2], &creds[13], EPERM, EPERM, 0, EPERM, "33. unpriv1 on setuid2"},
{ &creds[3], &creds[12], EPERM, EPERM, 0, EPERM, "34. unpriv1 on setuid2"},
{ &creds[3], &creds[13], EPERM, EPERM, 0, EPERM, "35. unpriv1 on setuid2"},
};
int scenarios_count = sizeof(scenarios) / sizeof(struct scenario);
/*
* Convert an error number to a compact string representation. For now,
* implement only the error numbers we are likely to see.
*/
static char *
errno_to_string(int error)
{
switch (error) {
case EPERM:
return ("EPERM");
case EACCES:
return ("EACCES");
case EINVAL:
return ("EINVAL");
case ENOSYS:
return ("ENOSYS");
case ESRCH:
return ("ESRCH");
case 0:
return ("0");
default:
return ("unknown");
}
}
/*
* Return a process credential describing the current process.
*/
static int
cred_get(struct cred *cred)
{
int error;
error = getresuid(&cred->cr_ruid, &cred->cr_euid, &cred->cr_svuid);
if (error)
return (error);
cred->cr_issetugid = issetugid();
return (0);
}
/*
* Userland stub for __setsugid() to take into account possible presence
* in C library, kernel, et al.
*/
int
setugid(int flag)
{
#ifdef SETSUGID_SUPPORTED
return (__setugid(flag));
#else
#ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
return (syscall(374, flag));
#else
return (ENOSYS);
#endif
#endif
}
/*
* Set the current process's credentials to match the passed credential.
*/
static int
cred_set(struct cred *cred)
{
int error;
error = setresuid(cred->cr_ruid, cred->cr_euid, cred->cr_svuid);
if (error)
return (error);
error = setugid(cred->cr_issetugid);
if (error) {
perror("__setugid");
return (error);
}
#ifdef CHECK_CRED_SET
{
uid_t ruid, euid, svuid;
error = getresuid(&ruid, &euid, &svuid);
if (error) {
perror("getresuid");
return (-1);
}
assert(ruid == cred->cr_ruid);
assert(euid == cred->cr_euid);
assert(svuid == cred->cr_svuid);
assert(cred->cr_issetugid == issetugid());
}
#endif /* !CHECK_CRED_SET */
return (0);
}
/*
* Print the passed process credential to the passed I/O stream.
*/
static void
cred_print(FILE *output, struct cred *cred)
{
fprintf(output, "(e:%d r:%d s:%d P_SUGID:%d)", cred->cr_euid,
cred->cr_ruid, cred->cr_svuid, cred->cr_issetugid);
}
#define LOOP_PTRACE 0
#define LOOP_SIGNAL 1
#define LOOP_SEE 2
#define LOOP_SCHED 3
#define LOOP_MAX LOOP_SCHED
/*
* Enact a scenario by looping through the four test cases for the scenario,
* spawning off pairs of processes with the desired credentials, and
* reporting results to stdout.
*/
static int
enact_scenario(int scenario)
{
pid_t pid1, pid2;
char *name;
int error, desirederror, loop;
for (loop = 0; loop < LOOP_MAX+1; loop++) {
/*
* Spawn the first child, target of the operation.
*/
pid1 = fork();
switch (pid1) {
case -1:
return (-1);
case 0:
/* child */
error = cred_set(scenarios[scenario].sc_cred2);
if (error) {
perror("cred_set");
return (error);
}
/* 200 seconds should be plenty of time. */
sleep(200);
exit(0);
default:
/* parent */
}
/*
* XXX
* This really isn't ideal -- give proc 1 a chance to set
* its credentials, or we may get spurious errors. Really,
* some for of IPC should be used to allow the parent to
* wait for the first child to be ready before spawning
* the second child.
*/
sleep(1);
/*
* Spawn the second child, source of the operation.
*/
pid2 = fork();
switch (pid2) {
case -1:
return (-1);
case 0:
/* child */
error = cred_set(scenarios[scenario].sc_cred1);
if (error) {
perror("cred_set");
return (error);
}
/*
* Initialize errno to zero so as to catch any
* generated errors. In each case, perform the
* operation. Preserve the error number for later
* use so it doesn't get stomped on by any I/O.
* Determine the desired error for the given case
* by extracting it from the scenario table.
* Initialize a function name string for output
* prettiness.
*/
errno = 0;
switch (loop) {
case LOOP_PTRACE:
error = ptrace(PT_ATTACH, pid1, NULL, 0);
error = errno;
name = "ptrace";
desirederror =
scenarios[scenario].sc_candebug_errno;
break;
case LOOP_SIGNAL:
error = kill(pid1, SIGHUP);
error = errno;
name = "signal";
desirederror =
scenarios[scenario].sc_cansignal_errno;
break;
case LOOP_SEE:
getpriority(PRIO_PROCESS, pid1);
error = errno;
name = "see";
desirederror =
scenarios[scenario].sc_cansee_errno;
break;
case LOOP_SCHED:
error = setpriority(PRIO_PROCESS, pid1,
0);
error = errno;
name = "sched";
desirederror =
scenarios[scenario].sc_cansched_errno;
break;
default:
name = "broken";
}
if (error != desirederror) {
fprintf(stdout,
"[%s].%s: expected %s, got %s\n ",
scenarios[scenario].sc_name, name,
errno_to_string(desirederror),
errno_to_string(error));
cred_print(stdout,
scenarios[scenario].sc_cred1);
cred_print(stdout,
scenarios[scenario].sc_cred2);
fprintf(stdout, "\n");
}
exit(0);
default:
/* parent */
}
error = waitpid(pid2, NULL, 0);
/*
* Once pid2 has died, it's safe to kill pid1, if it's still
* alive. Mask signal failure in case the test actually
* killed pid1 (not unlikely: can occur in both signal and
* ptrace cases).
*/
kill(pid1, SIGKILL);
error = waitpid(pid2, NULL, 0);
}
return (0);
}
void
enact_scenarios(void)
{
int i, error;
for (i = 0; i < scenarios_count; i++) {
error = enact_scenario(i);
if (error)
perror("enact_scenario");
}
}

View File

@ -0,0 +1,34 @@
/*-
* Copyright (c) 2001 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#ifndef _SCENARIO_H
#define _SCENARIO_H
int setugid __P((int flag));
int enact_scenarios __P((void));
#endif /* !_SCENARIO_H */

View File

@ -0,0 +1,65 @@
/*-
* Copyright (c) 2001 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include "scenario.h"
int
main(int argc, char *argv[])
{
int error;
fprintf(stderr, "test capabilities: ");
#ifdef SETSUGID_SUPPORTED
fprintf(stderr, "[SETSUGID_SUPPORTED] ");
#endif
#ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
fprintf(stderr, "[SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB] ");
#endif
#ifdef CHECK_CRED_SET
fprintf(stderr, "[CHECK_CRED_SET] ");
#endif
fprintf(stderr, "\n");
error = setugid(1);
if (error) {
perror("setugid");
fprintf(stderr,
"This test suite requires options REGRESSION\n");
return (-1);
}
enact_scenarios();
return (0);
}