xref: /openbmc/linux/tools/testing/selftests/landlock/ptrace_test.c (revision 25ebbc57ca56df3cf9149e9da6b1d3169c8487db)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Landlock tests - Ptrace
4  *
5  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
6  * Copyright © 2019-2020 ANSSI
7  */
8 
9 #define _GNU_SOURCE
10 #include <errno.h>
11 #include <fcntl.h>
12 #include <linux/landlock.h>
13 #include <signal.h>
14 #include <sys/prctl.h>
15 #include <sys/ptrace.h>
16 #include <sys/types.h>
17 #include <sys/wait.h>
18 #include <unistd.h>
19 
20 #include "common.h"
21 
22 /* Copied from security/yama/yama_lsm.c */
23 #define YAMA_SCOPE_DISABLED 0
24 #define YAMA_SCOPE_RELATIONAL 1
25 #define YAMA_SCOPE_CAPABILITY 2
26 #define YAMA_SCOPE_NO_ATTACH 3
27 
28 static void create_domain(struct __test_metadata *const _metadata)
29 {
30 	int ruleset_fd;
31 	struct landlock_ruleset_attr ruleset_attr = {
32 		.handled_access_fs = LANDLOCK_ACCESS_FS_MAKE_BLOCK,
33 	};
34 
35 	ruleset_fd =
36 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
37 	EXPECT_LE(0, ruleset_fd)
38 	{
39 		TH_LOG("Failed to create a ruleset: %s", strerror(errno));
40 	}
41 	EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
42 	EXPECT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
43 	EXPECT_EQ(0, close(ruleset_fd));
44 }
45 
46 static int test_ptrace_read(const pid_t pid)
47 {
48 	static const char path_template[] = "/proc/%d/environ";
49 	char procenv_path[sizeof(path_template) + 10];
50 	int procenv_path_size, fd;
51 
52 	procenv_path_size = snprintf(procenv_path, sizeof(procenv_path),
53 				     path_template, pid);
54 	if (procenv_path_size >= sizeof(procenv_path))
55 		return E2BIG;
56 
57 	fd = open(procenv_path, O_RDONLY | O_CLOEXEC);
58 	if (fd < 0)
59 		return errno;
60 	/*
61 	 * Mixing error codes from close(2) and open(2) should not lead to any
62 	 * (access type) confusion for this test.
63 	 */
64 	if (close(fd) != 0)
65 		return errno;
66 	return 0;
67 }
68 
69 static int get_yama_ptrace_scope(void)
70 {
71 	int ret;
72 	char buf[2] = {};
73 	const int fd = open("/proc/sys/kernel/yama/ptrace_scope", O_RDONLY);
74 
75 	if (fd < 0)
76 		return 0;
77 
78 	if (read(fd, buf, 1) < 0) {
79 		close(fd);
80 		return -1;
81 	}
82 
83 	ret = atoi(buf);
84 	close(fd);
85 	return ret;
86 }
87 
88 /* clang-format off */
89 FIXTURE(hierarchy) {};
90 /* clang-format on */
91 
92 FIXTURE_VARIANT(hierarchy)
93 {
94 	const bool domain_both;
95 	const bool domain_parent;
96 	const bool domain_child;
97 };
98 
99 /*
100  * Test multiple tracing combinations between a parent process P1 and a child
101  * process P2.
102  *
103  * Yama's scoped ptrace is presumed disabled.  If enabled, this optional
104  * restriction is enforced in addition to any Landlock check, which means that
105  * all P2 requests to trace P1 would be denied.
106  */
107 
108 /*
109  *        No domain
110  *
111  *   P1-.               P1 -> P2 : allow
112  *       \              P2 -> P1 : allow
113  *        'P2
114  */
115 /* clang-format off */
116 FIXTURE_VARIANT_ADD(hierarchy, allow_without_domain) {
117 	/* clang-format on */
118 	.domain_both = false,
119 	.domain_parent = false,
120 	.domain_child = false,
121 };
122 
123 /*
124  *        Child domain
125  *
126  *   P1--.              P1 -> P2 : allow
127  *        \             P2 -> P1 : deny
128  *        .'-----.
129  *        |  P2  |
130  *        '------'
131  */
132 /* clang-format off */
133 FIXTURE_VARIANT_ADD(hierarchy, allow_with_one_domain) {
134 	/* clang-format on */
135 	.domain_both = false,
136 	.domain_parent = false,
137 	.domain_child = true,
138 };
139 
140 /*
141  *        Parent domain
142  * .------.
143  * |  P1  --.           P1 -> P2 : deny
144  * '------'  \          P2 -> P1 : allow
145  *            '
146  *            P2
147  */
148 /* clang-format off */
149 FIXTURE_VARIANT_ADD(hierarchy, deny_with_parent_domain) {
150 	/* clang-format on */
151 	.domain_both = false,
152 	.domain_parent = true,
153 	.domain_child = false,
154 };
155 
156 /*
157  *        Parent + child domain (siblings)
158  * .------.
159  * |  P1  ---.          P1 -> P2 : deny
160  * '------'   \         P2 -> P1 : deny
161  *         .---'--.
162  *         |  P2  |
163  *         '------'
164  */
165 /* clang-format off */
166 FIXTURE_VARIANT_ADD(hierarchy, deny_with_sibling_domain) {
167 	/* clang-format on */
168 	.domain_both = false,
169 	.domain_parent = true,
170 	.domain_child = true,
171 };
172 
173 /*
174  *         Same domain (inherited)
175  * .-------------.
176  * | P1----.     |      P1 -> P2 : allow
177  * |        \    |      P2 -> P1 : allow
178  * |         '   |
179  * |         P2  |
180  * '-------------'
181  */
182 /* clang-format off */
183 FIXTURE_VARIANT_ADD(hierarchy, allow_sibling_domain) {
184 	/* clang-format on */
185 	.domain_both = true,
186 	.domain_parent = false,
187 	.domain_child = false,
188 };
189 
190 /*
191  *         Inherited + child domain
192  * .-----------------.
193  * |  P1----.        |  P1 -> P2 : allow
194  * |         \       |  P2 -> P1 : deny
195  * |        .-'----. |
196  * |        |  P2  | |
197  * |        '------' |
198  * '-----------------'
199  */
200 /* clang-format off */
201 FIXTURE_VARIANT_ADD(hierarchy, allow_with_nested_domain) {
202 	/* clang-format on */
203 	.domain_both = true,
204 	.domain_parent = false,
205 	.domain_child = true,
206 };
207 
208 /*
209  *         Inherited + parent domain
210  * .-----------------.
211  * |.------.         |  P1 -> P2 : deny
212  * ||  P1  ----.     |  P2 -> P1 : allow
213  * |'------'    \    |
214  * |             '   |
215  * |             P2  |
216  * '-----------------'
217  */
218 /* clang-format off */
219 FIXTURE_VARIANT_ADD(hierarchy, deny_with_nested_and_parent_domain) {
220 	/* clang-format on */
221 	.domain_both = true,
222 	.domain_parent = true,
223 	.domain_child = false,
224 };
225 
226 /*
227  *         Inherited + parent and child domain (siblings)
228  * .-----------------.
229  * | .------.        |  P1 -> P2 : deny
230  * | |  P1  .        |  P2 -> P1 : deny
231  * | '------'\       |
232  * |          \      |
233  * |        .--'---. |
234  * |        |  P2  | |
235  * |        '------' |
236  * '-----------------'
237  */
238 /* clang-format off */
239 FIXTURE_VARIANT_ADD(hierarchy, deny_with_forked_domain) {
240 	/* clang-format on */
241 	.domain_both = true,
242 	.domain_parent = true,
243 	.domain_child = true,
244 };
245 
246 FIXTURE_SETUP(hierarchy)
247 {
248 }
249 
250 FIXTURE_TEARDOWN(hierarchy)
251 {
252 }
253 
254 /* Test PTRACE_TRACEME and PTRACE_ATTACH for parent and child. */
255 TEST_F(hierarchy, trace)
256 {
257 	pid_t child, parent;
258 	int status, err_proc_read;
259 	int pipe_child[2], pipe_parent[2];
260 	int yama_ptrace_scope;
261 	char buf_parent;
262 	long ret;
263 	bool can_read_child, can_trace_child, can_read_parent, can_trace_parent;
264 
265 	yama_ptrace_scope = get_yama_ptrace_scope();
266 	ASSERT_LE(0, yama_ptrace_scope);
267 
268 	if (yama_ptrace_scope > YAMA_SCOPE_DISABLED)
269 		TH_LOG("Incomplete tests due to Yama restrictions (scope %d)",
270 		       yama_ptrace_scope);
271 
272 	/*
273 	 * can_read_child is true if a parent process can read its child
274 	 * process, which is only the case when the parent process is not
275 	 * isolated from the child with a dedicated Landlock domain.
276 	 */
277 	can_read_child = !variant->domain_parent;
278 
279 	/*
280 	 * can_trace_child is true if a parent process can trace its child
281 	 * process.  This depends on two conditions:
282 	 * - The parent process is not isolated from the child with a dedicated
283 	 *   Landlock domain.
284 	 * - Yama allows tracing children (up to YAMA_SCOPE_RELATIONAL).
285 	 */
286 	can_trace_child = can_read_child &&
287 			  yama_ptrace_scope <= YAMA_SCOPE_RELATIONAL;
288 
289 	/*
290 	 * can_read_parent is true if a child process can read its parent
291 	 * process, which is only the case when the child process is not
292 	 * isolated from the parent with a dedicated Landlock domain.
293 	 */
294 	can_read_parent = !variant->domain_child;
295 
296 	/*
297 	 * can_trace_parent is true if a child process can trace its parent
298 	 * process.  This depends on two conditions:
299 	 * - The child process is not isolated from the parent with a dedicated
300 	 *   Landlock domain.
301 	 * - Yama is disabled (YAMA_SCOPE_DISABLED).
302 	 */
303 	can_trace_parent = can_read_parent &&
304 			   yama_ptrace_scope <= YAMA_SCOPE_DISABLED;
305 
306 	/*
307 	 * Removes all effective and permitted capabilities to not interfere
308 	 * with cap_ptrace_access_check() in case of PTRACE_MODE_FSCREDS.
309 	 */
310 	drop_caps(_metadata);
311 
312 	parent = getpid();
313 	ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
314 	ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
315 	if (variant->domain_both) {
316 		create_domain(_metadata);
317 		if (!_metadata->passed)
318 			/* Aborts before forking. */
319 			return;
320 	}
321 
322 	child = fork();
323 	ASSERT_LE(0, child);
324 	if (child == 0) {
325 		char buf_child;
326 
327 		ASSERT_EQ(0, close(pipe_parent[1]));
328 		ASSERT_EQ(0, close(pipe_child[0]));
329 		if (variant->domain_child)
330 			create_domain(_metadata);
331 
332 		/* Waits for the parent to be in a domain, if any. */
333 		ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1));
334 
335 		/* Tests PTRACE_MODE_READ on the parent. */
336 		err_proc_read = test_ptrace_read(parent);
337 		if (can_read_parent) {
338 			EXPECT_EQ(0, err_proc_read);
339 		} else {
340 			EXPECT_EQ(EACCES, err_proc_read);
341 		}
342 
343 		/* Tests PTRACE_ATTACH on the parent. */
344 		ret = ptrace(PTRACE_ATTACH, parent, NULL, 0);
345 		if (can_trace_parent) {
346 			EXPECT_EQ(0, ret);
347 		} else {
348 			EXPECT_EQ(-1, ret);
349 			EXPECT_EQ(EPERM, errno);
350 		}
351 		if (ret == 0) {
352 			ASSERT_EQ(parent, waitpid(parent, &status, 0));
353 			ASSERT_EQ(1, WIFSTOPPED(status));
354 			ASSERT_EQ(0, ptrace(PTRACE_DETACH, parent, NULL, 0));
355 		}
356 
357 		/* Tests child PTRACE_TRACEME. */
358 		ret = ptrace(PTRACE_TRACEME);
359 		if (can_trace_child) {
360 			EXPECT_EQ(0, ret);
361 		} else {
362 			EXPECT_EQ(-1, ret);
363 			EXPECT_EQ(EPERM, errno);
364 		}
365 
366 		/*
367 		 * Signals that the PTRACE_ATTACH test is done and the
368 		 * PTRACE_TRACEME test is ongoing.
369 		 */
370 		ASSERT_EQ(1, write(pipe_child[1], ".", 1));
371 
372 		if (can_trace_child) {
373 			ASSERT_EQ(0, raise(SIGSTOP));
374 		}
375 
376 		/* Waits for the parent PTRACE_ATTACH test. */
377 		ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1));
378 		_exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
379 		return;
380 	}
381 
382 	ASSERT_EQ(0, close(pipe_child[1]));
383 	ASSERT_EQ(0, close(pipe_parent[0]));
384 	if (variant->domain_parent)
385 		create_domain(_metadata);
386 
387 	/* Signals that the parent is in a domain, if any. */
388 	ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
389 
390 	/*
391 	 * Waits for the child to test PTRACE_ATTACH on the parent and start
392 	 * testing PTRACE_TRACEME.
393 	 */
394 	ASSERT_EQ(1, read(pipe_child[0], &buf_parent, 1));
395 
396 	/* Tests child PTRACE_TRACEME. */
397 	if (can_trace_child) {
398 		ASSERT_EQ(child, waitpid(child, &status, 0));
399 		ASSERT_EQ(1, WIFSTOPPED(status));
400 		ASSERT_EQ(0, ptrace(PTRACE_DETACH, child, NULL, 0));
401 	} else {
402 		/* The child should not be traced by the parent. */
403 		EXPECT_EQ(-1, ptrace(PTRACE_DETACH, child, NULL, 0));
404 		EXPECT_EQ(ESRCH, errno);
405 	}
406 
407 	/* Tests PTRACE_MODE_READ on the child. */
408 	err_proc_read = test_ptrace_read(child);
409 	if (can_read_child) {
410 		EXPECT_EQ(0, err_proc_read);
411 	} else {
412 		EXPECT_EQ(EACCES, err_proc_read);
413 	}
414 
415 	/* Tests PTRACE_ATTACH on the child. */
416 	ret = ptrace(PTRACE_ATTACH, child, NULL, 0);
417 	if (can_trace_child) {
418 		EXPECT_EQ(0, ret);
419 	} else {
420 		EXPECT_EQ(-1, ret);
421 		EXPECT_EQ(EPERM, errno);
422 	}
423 
424 	if (ret == 0) {
425 		ASSERT_EQ(child, waitpid(child, &status, 0));
426 		ASSERT_EQ(1, WIFSTOPPED(status));
427 		ASSERT_EQ(0, ptrace(PTRACE_DETACH, child, NULL, 0));
428 	}
429 
430 	/* Signals that the parent PTRACE_ATTACH test is done. */
431 	ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
432 	ASSERT_EQ(child, waitpid(child, &status, 0));
433 	if (WIFSIGNALED(status) || !WIFEXITED(status) ||
434 	    WEXITSTATUS(status) != EXIT_SUCCESS)
435 		_metadata->passed = 0;
436 }
437 
438 TEST_HARNESS_MAIN
439