forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
335 lines
7.3 KiB
335 lines
7.3 KiB
// SPDX-License-Identifier: GPL-2.0 |
|
#define _GNU_SOURCE |
|
#include <stdio.h> |
|
#include <errno.h> |
|
#include <pwd.h> |
|
#include <string.h> |
|
#include <syscall.h> |
|
#include <sys/capability.h> |
|
#include <sys/types.h> |
|
#include <sys/mount.h> |
|
#include <sys/prctl.h> |
|
#include <sys/wait.h> |
|
#include <stdlib.h> |
|
#include <unistd.h> |
|
#include <fcntl.h> |
|
#include <stdbool.h> |
|
#include <stdarg.h> |
|
|
|
#ifndef CLONE_NEWUSER |
|
# define CLONE_NEWUSER 0x10000000 |
|
#endif |
|
|
|
#define ROOT_USER 0 |
|
#define RESTRICTED_PARENT 1 |
|
#define ALLOWED_CHILD1 2 |
|
#define ALLOWED_CHILD2 3 |
|
#define NO_POLICY_USER 4 |
|
|
|
char* add_whitelist_policy_file = "/sys/kernel/security/safesetid/add_whitelist_policy"; |
|
|
|
static void die(char *fmt, ...) |
|
{ |
|
va_list ap; |
|
va_start(ap, fmt); |
|
vfprintf(stderr, fmt, ap); |
|
va_end(ap); |
|
exit(EXIT_FAILURE); |
|
} |
|
|
|
static bool vmaybe_write_file(bool enoent_ok, char *filename, char *fmt, va_list ap) |
|
{ |
|
char buf[4096]; |
|
int fd; |
|
ssize_t written; |
|
int buf_len; |
|
|
|
buf_len = vsnprintf(buf, sizeof(buf), fmt, ap); |
|
if (buf_len < 0) { |
|
printf("vsnprintf failed: %s\n", |
|
strerror(errno)); |
|
return false; |
|
} |
|
if (buf_len >= sizeof(buf)) { |
|
printf("vsnprintf output truncated\n"); |
|
return false; |
|
} |
|
|
|
fd = open(filename, O_WRONLY); |
|
if (fd < 0) { |
|
if ((errno == ENOENT) && enoent_ok) |
|
return true; |
|
return false; |
|
} |
|
written = write(fd, buf, buf_len); |
|
if (written != buf_len) { |
|
if (written >= 0) { |
|
printf("short write to %s\n", filename); |
|
return false; |
|
} else { |
|
printf("write to %s failed: %s\n", |
|
filename, strerror(errno)); |
|
return false; |
|
} |
|
} |
|
if (close(fd) != 0) { |
|
printf("close of %s failed: %s\n", |
|
filename, strerror(errno)); |
|
return false; |
|
} |
|
return true; |
|
} |
|
|
|
static bool write_file(char *filename, char *fmt, ...) |
|
{ |
|
va_list ap; |
|
bool ret; |
|
|
|
va_start(ap, fmt); |
|
ret = vmaybe_write_file(false, filename, fmt, ap); |
|
va_end(ap); |
|
|
|
return ret; |
|
} |
|
|
|
static void ensure_user_exists(uid_t uid) |
|
{ |
|
struct passwd p; |
|
|
|
FILE *fd; |
|
char name_str[10]; |
|
|
|
if (getpwuid(uid) == NULL) { |
|
memset(&p,0x00,sizeof(p)); |
|
fd=fopen("/etc/passwd","a"); |
|
if (fd == NULL) |
|
die("couldn't open file\n"); |
|
if (fseek(fd, 0, SEEK_END)) |
|
die("couldn't fseek\n"); |
|
snprintf(name_str, 10, "%d", uid); |
|
p.pw_name=name_str; |
|
p.pw_uid=uid; |
|
p.pw_gecos="Test account"; |
|
p.pw_dir="/dev/null"; |
|
p.pw_shell="/bin/false"; |
|
int value = putpwent(&p,fd); |
|
if (value != 0) |
|
die("putpwent failed\n"); |
|
if (fclose(fd)) |
|
die("fclose failed\n"); |
|
} |
|
} |
|
|
|
static void ensure_securityfs_mounted(void) |
|
{ |
|
int fd = open(add_whitelist_policy_file, O_WRONLY); |
|
if (fd < 0) { |
|
if (errno == ENOENT) { |
|
// Need to mount securityfs |
|
if (mount("securityfs", "/sys/kernel/security", |
|
"securityfs", 0, NULL) < 0) |
|
die("mounting securityfs failed\n"); |
|
} else { |
|
die("couldn't find securityfs for unknown reason\n"); |
|
} |
|
} else { |
|
if (close(fd) != 0) { |
|
die("close of %s failed: %s\n", |
|
add_whitelist_policy_file, strerror(errno)); |
|
} |
|
} |
|
} |
|
|
|
static void write_policies(void) |
|
{ |
|
static char *policy_str = |
|
"1:2\n" |
|
"1:3\n" |
|
"2:2\n" |
|
"3:3\n"; |
|
ssize_t written; |
|
int fd; |
|
|
|
fd = open(add_whitelist_policy_file, O_WRONLY); |
|
if (fd < 0) |
|
die("can't open add_whitelist_policy file\n"); |
|
written = write(fd, policy_str, strlen(policy_str)); |
|
if (written != strlen(policy_str)) { |
|
if (written >= 0) { |
|
die("short write to %s\n", add_whitelist_policy_file); |
|
} else { |
|
die("write to %s failed: %s\n", |
|
add_whitelist_policy_file, strerror(errno)); |
|
} |
|
} |
|
if (close(fd) != 0) { |
|
die("close of %s failed: %s\n", |
|
add_whitelist_policy_file, strerror(errno)); |
|
} |
|
} |
|
|
|
static bool test_userns(bool expect_success) |
|
{ |
|
uid_t uid; |
|
char map_file_name[32]; |
|
size_t sz = sizeof(map_file_name); |
|
pid_t cpid; |
|
bool success; |
|
|
|
uid = getuid(); |
|
|
|
int clone_flags = CLONE_NEWUSER; |
|
cpid = syscall(SYS_clone, clone_flags, NULL); |
|
if (cpid == -1) { |
|
printf("clone failed"); |
|
return false; |
|
} |
|
|
|
if (cpid == 0) { /* Code executed by child */ |
|
// Give parent 1 second to write map file |
|
sleep(1); |
|
exit(EXIT_SUCCESS); |
|
} else { /* Code executed by parent */ |
|
if(snprintf(map_file_name, sz, "/proc/%d/uid_map", cpid) < 0) { |
|
printf("preparing file name string failed"); |
|
return false; |
|
} |
|
success = write_file(map_file_name, "0 0 1", uid); |
|
return success == expect_success; |
|
} |
|
|
|
printf("should not reach here"); |
|
return false; |
|
} |
|
|
|
static void test_setuid(uid_t child_uid, bool expect_success) |
|
{ |
|
pid_t cpid, w; |
|
int wstatus; |
|
|
|
cpid = fork(); |
|
if (cpid == -1) { |
|
die("fork\n"); |
|
} |
|
|
|
if (cpid == 0) { /* Code executed by child */ |
|
if (setuid(child_uid) < 0) |
|
exit(EXIT_FAILURE); |
|
if (getuid() == child_uid) |
|
exit(EXIT_SUCCESS); |
|
else |
|
exit(EXIT_FAILURE); |
|
} else { /* Code executed by parent */ |
|
do { |
|
w = waitpid(cpid, &wstatus, WUNTRACED | WCONTINUED); |
|
if (w == -1) { |
|
die("waitpid\n"); |
|
} |
|
|
|
if (WIFEXITED(wstatus)) { |
|
if (WEXITSTATUS(wstatus) == EXIT_SUCCESS) { |
|
if (expect_success) { |
|
return; |
|
} else { |
|
die("unexpected success\n"); |
|
} |
|
} else { |
|
if (expect_success) { |
|
die("unexpected failure\n"); |
|
} else { |
|
return; |
|
} |
|
} |
|
} else if (WIFSIGNALED(wstatus)) { |
|
if (WTERMSIG(wstatus) == 9) { |
|
if (expect_success) |
|
die("killed unexpectedly\n"); |
|
else |
|
return; |
|
} else { |
|
die("unexpected signal: %d\n", wstatus); |
|
} |
|
} else { |
|
die("unexpected status: %d\n", wstatus); |
|
} |
|
} while (!WIFEXITED(wstatus) && !WIFSIGNALED(wstatus)); |
|
} |
|
|
|
die("should not reach here\n"); |
|
} |
|
|
|
static void ensure_users_exist(void) |
|
{ |
|
ensure_user_exists(ROOT_USER); |
|
ensure_user_exists(RESTRICTED_PARENT); |
|
ensure_user_exists(ALLOWED_CHILD1); |
|
ensure_user_exists(ALLOWED_CHILD2); |
|
ensure_user_exists(NO_POLICY_USER); |
|
} |
|
|
|
static void drop_caps(bool setid_retained) |
|
{ |
|
cap_value_t cap_values[] = {CAP_SETUID, CAP_SETGID}; |
|
cap_t caps; |
|
|
|
caps = cap_get_proc(); |
|
if (setid_retained) |
|
cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_values, CAP_SET); |
|
else |
|
cap_clear(caps); |
|
cap_set_proc(caps); |
|
cap_free(caps); |
|
} |
|
|
|
int main(int argc, char **argv) |
|
{ |
|
ensure_users_exist(); |
|
ensure_securityfs_mounted(); |
|
write_policies(); |
|
|
|
if (prctl(PR_SET_KEEPCAPS, 1L)) |
|
die("Error with set keepcaps\n"); |
|
|
|
// First test to make sure we can write userns mappings from a user |
|
// that doesn't have any restrictions (as long as it has CAP_SETUID); |
|
if (setuid(NO_POLICY_USER) < 0) |
|
die("Error with set uid(%d)\n", NO_POLICY_USER); |
|
if (setgid(NO_POLICY_USER) < 0) |
|
die("Error with set gid(%d)\n", NO_POLICY_USER); |
|
|
|
// Take away all but setid caps |
|
drop_caps(true); |
|
|
|
// Need PR_SET_DUMPABLE flag set so we can write /proc/[pid]/uid_map |
|
// from non-root parent process. |
|
if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)) |
|
die("Error with set dumpable\n"); |
|
|
|
if (!test_userns(true)) { |
|
die("test_userns failed when it should work\n"); |
|
} |
|
|
|
if (setuid(RESTRICTED_PARENT) < 0) |
|
die("Error with set uid(%d)\n", RESTRICTED_PARENT); |
|
if (setgid(RESTRICTED_PARENT) < 0) |
|
die("Error with set gid(%d)\n", RESTRICTED_PARENT); |
|
|
|
test_setuid(ROOT_USER, false); |
|
test_setuid(ALLOWED_CHILD1, true); |
|
test_setuid(ALLOWED_CHILD2, true); |
|
test_setuid(NO_POLICY_USER, false); |
|
|
|
if (!test_userns(false)) { |
|
die("test_userns worked when it should fail\n"); |
|
} |
|
|
|
// Now take away all caps |
|
drop_caps(false); |
|
test_setuid(2, false); |
|
test_setuid(3, false); |
|
test_setuid(4, false); |
|
|
|
// NOTE: this test doesn't clean up users that were created in |
|
// /etc/passwd or flush policies that were added to the LSM. |
|
return EXIT_SUCCESS; |
|
}
|
|
|