b28a10aedc
Test all of the various openat2(2) flags. A small stress-test of a symlink-rename attack is included to show that the protections against ".."-based attacks are sufficient. The main things these self-tests are enforcing are: * The struct+usize ABI for openat2(2) and copy_struct_from_user() to ensure that upgrades will be handled gracefully (in addition, ensuring that misaligned structures are also handled correctly). * The -EINVAL checks for openat2(2) are all correctly handled to avoid userspace passing unknown or conflicting flag sets (most importantly, ensuring that invalid flag combinations are checked). * All of the RESOLVE_* semantics (including errno values) are correctly handled with various combinations of paths and flags. * RESOLVE_IN_ROOT correctly protects against the symlink rename(2) attack that has been responsible for several CVEs (and likely will be responsible for several more). Cc: Shuah Khan <shuah@kernel.org> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
161 lines
3.6 KiB
C
161 lines
3.6 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* Author: Aleksa Sarai <cyphar@cyphar.com>
|
|
* Copyright (C) 2018-2019 SUSE LLC.
|
|
*/
|
|
|
|
#define _GNU_SOURCE
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <sched.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/types.h>
|
|
#include <sys/mount.h>
|
|
#include <sys/mman.h>
|
|
#include <sys/prctl.h>
|
|
#include <signal.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <stdbool.h>
|
|
#include <string.h>
|
|
#include <syscall.h>
|
|
#include <limits.h>
|
|
#include <unistd.h>
|
|
|
|
#include "../kselftest.h"
|
|
#include "helpers.h"
|
|
|
|
/* Construct a test directory with the following structure:
|
|
*
|
|
* root/
|
|
* |-- a/
|
|
* | `-- c/
|
|
* `-- b/
|
|
*/
|
|
int setup_testdir(void)
|
|
{
|
|
int dfd;
|
|
char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX";
|
|
|
|
/* Make the top-level directory. */
|
|
if (!mkdtemp(dirname))
|
|
ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n");
|
|
dfd = open(dirname, O_PATH | O_DIRECTORY);
|
|
if (dfd < 0)
|
|
ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n");
|
|
|
|
E_mkdirat(dfd, "a", 0755);
|
|
E_mkdirat(dfd, "b", 0755);
|
|
E_mkdirat(dfd, "a/c", 0755);
|
|
|
|
return dfd;
|
|
}
|
|
|
|
/* Swap @dirfd/@a and @dirfd/@b constantly. Parent must kill this process. */
|
|
pid_t spawn_attack(int dirfd, char *a, char *b)
|
|
{
|
|
pid_t child = fork();
|
|
if (child != 0)
|
|
return child;
|
|
|
|
/* If the parent (the test process) dies, kill ourselves too. */
|
|
E_prctl(PR_SET_PDEATHSIG, SIGKILL);
|
|
|
|
/* Swap @a and @b. */
|
|
for (;;)
|
|
renameat2(dirfd, a, dirfd, b, RENAME_EXCHANGE);
|
|
exit(1);
|
|
}
|
|
|
|
#define NUM_RENAME_TESTS 2
|
|
#define ROUNDS 400000
|
|
|
|
const char *flagname(int resolve)
|
|
{
|
|
switch (resolve) {
|
|
case RESOLVE_IN_ROOT:
|
|
return "RESOLVE_IN_ROOT";
|
|
case RESOLVE_BENEATH:
|
|
return "RESOLVE_BENEATH";
|
|
}
|
|
return "(unknown)";
|
|
}
|
|
|
|
void test_rename_attack(int resolve)
|
|
{
|
|
int dfd, afd;
|
|
pid_t child;
|
|
void (*resultfn)(const char *msg, ...) = ksft_test_result_pass;
|
|
int escapes = 0, other_errs = 0, exdevs = 0, eagains = 0, successes = 0;
|
|
|
|
struct open_how how = {
|
|
.flags = O_PATH,
|
|
.resolve = resolve,
|
|
};
|
|
|
|
if (!openat2_supported) {
|
|
how.resolve = 0;
|
|
ksft_print_msg("openat2(2) unsupported -- using openat(2) instead\n");
|
|
}
|
|
|
|
dfd = setup_testdir();
|
|
afd = openat(dfd, "a", O_PATH);
|
|
if (afd < 0)
|
|
ksft_exit_fail_msg("test_rename_attack: failed to open 'a'\n");
|
|
|
|
child = spawn_attack(dfd, "a/c", "b");
|
|
|
|
for (int i = 0; i < ROUNDS; i++) {
|
|
int fd;
|
|
char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../..";
|
|
|
|
if (openat2_supported)
|
|
fd = sys_openat2(afd, victim_path, &how);
|
|
else
|
|
fd = sys_openat(afd, victim_path, &how);
|
|
|
|
if (fd < 0) {
|
|
if (fd == -EAGAIN)
|
|
eagains++;
|
|
else if (fd == -EXDEV)
|
|
exdevs++;
|
|
else if (fd == -ENOENT)
|
|
escapes++; /* escaped outside and got ENOENT... */
|
|
else
|
|
other_errs++; /* unexpected error */
|
|
} else {
|
|
if (fdequal(fd, afd, NULL))
|
|
successes++;
|
|
else
|
|
escapes++; /* we got an unexpected fd */
|
|
}
|
|
close(fd);
|
|
}
|
|
|
|
if (escapes > 0)
|
|
resultfn = ksft_test_result_fail;
|
|
ksft_print_msg("non-escapes: EAGAIN=%d EXDEV=%d E<other>=%d success=%d\n",
|
|
eagains, exdevs, other_errs, successes);
|
|
resultfn("rename attack with %s (%d runs, got %d escapes)\n",
|
|
flagname(resolve), ROUNDS, escapes);
|
|
|
|
/* Should be killed anyway, but might as well make sure. */
|
|
E_kill(child, SIGKILL);
|
|
}
|
|
|
|
#define NUM_TESTS NUM_RENAME_TESTS
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
ksft_print_header();
|
|
ksft_set_plan(NUM_TESTS);
|
|
|
|
test_rename_attack(RESOLVE_BENEATH);
|
|
test_rename_attack(RESOLVE_IN_ROOT);
|
|
|
|
if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0)
|
|
ksft_exit_fail();
|
|
else
|
|
ksft_exit_pass();
|
|
}
|