1 // SPDX-License-Identifier: GPL-2.0 2 #define _GNU_SOURCE 3 #include <stdio.h> 4 #include <errno.h> 5 #include <pwd.h> 6 #include <string.h> 7 #include <syscall.h> 8 #include <sys/capability.h> 9 #include <sys/types.h> 10 #include <sys/mount.h> 11 #include <sys/prctl.h> 12 #include <sys/wait.h> 13 #include <stdlib.h> 14 #include <unistd.h> 15 #include <fcntl.h> 16 #include <stdbool.h> 17 #include <stdarg.h> 18 19 #ifndef CLONE_NEWUSER 20 # define CLONE_NEWUSER 0x10000000 21 #endif 22 23 #define ROOT_USER 0 24 #define RESTRICTED_PARENT 1 25 #define ALLOWED_CHILD1 2 26 #define ALLOWED_CHILD2 3 27 #define NO_POLICY_USER 4 28 29 char* add_whitelist_policy_file = "/sys/kernel/security/safesetid/add_whitelist_policy"; 30 31 static void die(char *fmt, ...) 32 { 33 va_list ap; 34 va_start(ap, fmt); 35 vfprintf(stderr, fmt, ap); 36 va_end(ap); 37 exit(EXIT_FAILURE); 38 } 39 40 static bool vmaybe_write_file(bool enoent_ok, char *filename, char *fmt, va_list ap) 41 { 42 char buf[4096]; 43 int fd; 44 ssize_t written; 45 int buf_len; 46 47 buf_len = vsnprintf(buf, sizeof(buf), fmt, ap); 48 if (buf_len < 0) { 49 printf("vsnprintf failed: %s\n", 50 strerror(errno)); 51 return false; 52 } 53 if (buf_len >= sizeof(buf)) { 54 printf("vsnprintf output truncated\n"); 55 return false; 56 } 57 58 fd = open(filename, O_WRONLY); 59 if (fd < 0) { 60 if ((errno == ENOENT) && enoent_ok) 61 return true; 62 return false; 63 } 64 written = write(fd, buf, buf_len); 65 if (written != buf_len) { 66 if (written >= 0) { 67 printf("short write to %s\n", filename); 68 return false; 69 } else { 70 printf("write to %s failed: %s\n", 71 filename, strerror(errno)); 72 return false; 73 } 74 } 75 if (close(fd) != 0) { 76 printf("close of %s failed: %s\n", 77 filename, strerror(errno)); 78 return false; 79 } 80 return true; 81 } 82 83 static bool write_file(char *filename, char *fmt, ...) 84 { 85 va_list ap; 86 bool ret; 87 88 va_start(ap, fmt); 89 ret = vmaybe_write_file(false, filename, fmt, ap); 90 va_end(ap); 91 92 return ret; 93 } 94 95 static void ensure_user_exists(uid_t uid) 96 { 97 struct passwd p; 98 99 FILE *fd; 100 char name_str[10]; 101 102 if (getpwuid(uid) == NULL) { 103 memset(&p,0x00,sizeof(p)); 104 fd=fopen("/etc/passwd","a"); 105 if (fd == NULL) 106 die("couldn't open file\n"); 107 if (fseek(fd, 0, SEEK_END)) 108 die("couldn't fseek\n"); 109 snprintf(name_str, 10, "%d", uid); 110 p.pw_name=name_str; 111 p.pw_uid=uid; 112 p.pw_gecos="Test account"; 113 p.pw_dir="/dev/null"; 114 p.pw_shell="/bin/false"; 115 int value = putpwent(&p,fd); 116 if (value != 0) 117 die("putpwent failed\n"); 118 if (fclose(fd)) 119 die("fclose failed\n"); 120 } 121 } 122 123 static void ensure_securityfs_mounted(void) 124 { 125 int fd = open(add_whitelist_policy_file, O_WRONLY); 126 if (fd < 0) { 127 if (errno == ENOENT) { 128 // Need to mount securityfs 129 if (mount("securityfs", "/sys/kernel/security", 130 "securityfs", 0, NULL) < 0) 131 die("mounting securityfs failed\n"); 132 } else { 133 die("couldn't find securityfs for unknown reason\n"); 134 } 135 } else { 136 if (close(fd) != 0) { 137 die("close of %s failed: %s\n", 138 add_whitelist_policy_file, strerror(errno)); 139 } 140 } 141 } 142 143 static void write_policies(void) 144 { 145 static char *policy_str = 146 "1:2\n" 147 "1:3\n" 148 "2:2\n" 149 "3:3\n"; 150 ssize_t written; 151 int fd; 152 153 fd = open(add_whitelist_policy_file, O_WRONLY); 154 if (fd < 0) 155 die("can't open add_whitelist_policy file\n"); 156 written = write(fd, policy_str, strlen(policy_str)); 157 if (written != strlen(policy_str)) { 158 if (written >= 0) { 159 die("short write to %s\n", add_whitelist_policy_file); 160 } else { 161 die("write to %s failed: %s\n", 162 add_whitelist_policy_file, strerror(errno)); 163 } 164 } 165 if (close(fd) != 0) { 166 die("close of %s failed: %s\n", 167 add_whitelist_policy_file, strerror(errno)); 168 } 169 } 170 171 static bool test_userns(bool expect_success) 172 { 173 uid_t uid; 174 char map_file_name[32]; 175 size_t sz = sizeof(map_file_name); 176 pid_t cpid; 177 bool success; 178 179 uid = getuid(); 180 181 int clone_flags = CLONE_NEWUSER; 182 cpid = syscall(SYS_clone, clone_flags, NULL); 183 if (cpid == -1) { 184 printf("clone failed"); 185 return false; 186 } 187 188 if (cpid == 0) { /* Code executed by child */ 189 // Give parent 1 second to write map file 190 sleep(1); 191 exit(EXIT_SUCCESS); 192 } else { /* Code executed by parent */ 193 if(snprintf(map_file_name, sz, "/proc/%d/uid_map", cpid) < 0) { 194 printf("preparing file name string failed"); 195 return false; 196 } 197 success = write_file(map_file_name, "0 0 1", uid); 198 return success == expect_success; 199 } 200 201 printf("should not reach here"); 202 return false; 203 } 204 205 static void test_setuid(uid_t child_uid, bool expect_success) 206 { 207 pid_t cpid, w; 208 int wstatus; 209 210 cpid = fork(); 211 if (cpid == -1) { 212 die("fork\n"); 213 } 214 215 if (cpid == 0) { /* Code executed by child */ 216 if (setuid(child_uid) < 0) 217 exit(EXIT_FAILURE); 218 if (getuid() == child_uid) 219 exit(EXIT_SUCCESS); 220 else 221 exit(EXIT_FAILURE); 222 } else { /* Code executed by parent */ 223 do { 224 w = waitpid(cpid, &wstatus, WUNTRACED | WCONTINUED); 225 if (w == -1) { 226 die("waitpid\n"); 227 } 228 229 if (WIFEXITED(wstatus)) { 230 if (WEXITSTATUS(wstatus) == EXIT_SUCCESS) { 231 if (expect_success) { 232 return; 233 } else { 234 die("unexpected success\n"); 235 } 236 } else { 237 if (expect_success) { 238 die("unexpected failure\n"); 239 } else { 240 return; 241 } 242 } 243 } else if (WIFSIGNALED(wstatus)) { 244 if (WTERMSIG(wstatus) == 9) { 245 if (expect_success) 246 die("killed unexpectedly\n"); 247 else 248 return; 249 } else { 250 die("unexpected signal: %d\n", wstatus); 251 } 252 } else { 253 die("unexpected status: %d\n", wstatus); 254 } 255 } while (!WIFEXITED(wstatus) && !WIFSIGNALED(wstatus)); 256 } 257 258 die("should not reach here\n"); 259 } 260 261 static void ensure_users_exist(void) 262 { 263 ensure_user_exists(ROOT_USER); 264 ensure_user_exists(RESTRICTED_PARENT); 265 ensure_user_exists(ALLOWED_CHILD1); 266 ensure_user_exists(ALLOWED_CHILD2); 267 ensure_user_exists(NO_POLICY_USER); 268 } 269 270 static void drop_caps(bool setid_retained) 271 { 272 cap_value_t cap_values[] = {CAP_SETUID, CAP_SETGID}; 273 cap_t caps; 274 275 caps = cap_get_proc(); 276 if (setid_retained) 277 cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_values, CAP_SET); 278 else 279 cap_clear(caps); 280 cap_set_proc(caps); 281 cap_free(caps); 282 } 283 284 int main(int argc, char **argv) 285 { 286 ensure_users_exist(); 287 ensure_securityfs_mounted(); 288 write_policies(); 289 290 if (prctl(PR_SET_KEEPCAPS, 1L)) 291 die("Error with set keepcaps\n"); 292 293 // First test to make sure we can write userns mappings from a user 294 // that doesn't have any restrictions (as long as it has CAP_SETUID); 295 if (setuid(NO_POLICY_USER) < 0) 296 die("Error with set uid(%d)\n", NO_POLICY_USER); 297 if (setgid(NO_POLICY_USER) < 0) 298 die("Error with set gid(%d)\n", NO_POLICY_USER); 299 300 // Take away all but setid caps 301 drop_caps(true); 302 303 // Need PR_SET_DUMPABLE flag set so we can write /proc/[pid]/uid_map 304 // from non-root parent process. 305 if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)) 306 die("Error with set dumpable\n"); 307 308 if (!test_userns(true)) { 309 die("test_userns failed when it should work\n"); 310 } 311 312 if (setuid(RESTRICTED_PARENT) < 0) 313 die("Error with set uid(%d)\n", RESTRICTED_PARENT); 314 if (setgid(RESTRICTED_PARENT) < 0) 315 die("Error with set gid(%d)\n", RESTRICTED_PARENT); 316 317 test_setuid(ROOT_USER, false); 318 test_setuid(ALLOWED_CHILD1, true); 319 test_setuid(ALLOWED_CHILD2, true); 320 test_setuid(NO_POLICY_USER, false); 321 322 if (!test_userns(false)) { 323 die("test_userns worked when it should fail\n"); 324 } 325 326 // Now take away all caps 327 drop_caps(false); 328 test_setuid(2, false); 329 test_setuid(3, false); 330 test_setuid(4, false); 331 332 // NOTE: this test doesn't clean up users that were created in 333 // /etc/passwd or flush policies that were added to the LSM. 334 return EXIT_SUCCESS; 335 } 336