From fe087927046cdbc7365bef4650d2d5451ce1ea8a Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 1 Apr 2026 11:28:02 +1100 Subject: selftests: move openat2 tests to selftests/filesystems/ These tests really should've always belonged there, doubly so now that they include a lot of other generic filesystem-related tests. Suggested-by: Christian Brauner Signed-off-by: Aleksa Sarai Link: https://patch.msgid.link/20260401-openat2-selftests-kunit-v2-1-ad153a07da0c@amutable.com Signed-off-by: Christian Brauner (Amutable) --- .../selftests/filesystems/openat2/.gitignore | 2 + .../testing/selftests/filesystems/openat2/Makefile | 19 + .../selftests/filesystems/openat2/helpers.c | 109 +++++ .../selftests/filesystems/openat2/helpers.h | 108 +++++ .../selftests/filesystems/openat2/openat2_test.c | 338 +++++++++++++ .../filesystems/openat2/rename_attack_test.c | 160 +++++++ .../selftests/filesystems/openat2/resolve_test.c | 523 +++++++++++++++++++++ tools/testing/selftests/openat2/.gitignore | 2 - tools/testing/selftests/openat2/Makefile | 18 - tools/testing/selftests/openat2/helpers.c | 109 ----- tools/testing/selftests/openat2/helpers.h | 108 ----- tools/testing/selftests/openat2/openat2_test.c | 338 ------------- .../testing/selftests/openat2/rename_attack_test.c | 160 ------- tools/testing/selftests/openat2/resolve_test.c | 523 --------------------- 14 files changed, 1259 insertions(+), 1258 deletions(-) create mode 100644 tools/testing/selftests/filesystems/openat2/.gitignore create mode 100644 tools/testing/selftests/filesystems/openat2/Makefile create mode 100644 tools/testing/selftests/filesystems/openat2/helpers.c create mode 100644 tools/testing/selftests/filesystems/openat2/helpers.h create mode 100644 tools/testing/selftests/filesystems/openat2/openat2_test.c create mode 100644 tools/testing/selftests/filesystems/openat2/rename_attack_test.c create mode 100644 tools/testing/selftests/filesystems/openat2/resolve_test.c delete mode 100644 tools/testing/selftests/openat2/.gitignore delete mode 100644 tools/testing/selftests/openat2/Makefile delete mode 100644 tools/testing/selftests/openat2/helpers.c delete mode 100644 tools/testing/selftests/openat2/helpers.h delete mode 100644 tools/testing/selftests/openat2/openat2_test.c delete mode 100644 tools/testing/selftests/openat2/rename_attack_test.c delete mode 100644 tools/testing/selftests/openat2/resolve_test.c diff --git a/tools/testing/selftests/filesystems/openat2/.gitignore b/tools/testing/selftests/filesystems/openat2/.gitignore new file mode 100644 index 000000000000..82a4846cbc4b --- /dev/null +++ b/tools/testing/selftests/filesystems/openat2/.gitignore @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0-only +/*_test diff --git a/tools/testing/selftests/filesystems/openat2/Makefile b/tools/testing/selftests/filesystems/openat2/Makefile new file mode 100644 index 000000000000..f36dedccedb6 --- /dev/null +++ b/tools/testing/selftests/filesystems/openat2/Makefile @@ -0,0 +1,19 @@ +# SPDX-License-Identifier: GPL-2.0-or-later + +CFLAGS += $(KHDR_INCLUDES) +CFLAGS += -Wall -O2 -g -fsanitize=address -fsanitize=undefined +TEST_GEN_PROGS := openat2_test resolve_test rename_attack_test + +# gcc requires -static-libasan in order to ensure that Address Sanitizer's +# library is the first one loaded. However, clang already statically links the +# Address Sanitizer if -fsanitize is specified. Therefore, simply omit +# -static-libasan for clang builds. +ifeq ($(LLVM),) + CFLAGS += -static-libasan +endif + +LOCAL_HDRS += helpers.h + +include ../../lib.mk + +$(TEST_GEN_PROGS): helpers.c diff --git a/tools/testing/selftests/filesystems/openat2/helpers.c b/tools/testing/selftests/filesystems/openat2/helpers.c new file mode 100644 index 000000000000..5074681ffdc9 --- /dev/null +++ b/tools/testing/selftests/filesystems/openat2/helpers.c @@ -0,0 +1,109 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Author: Aleksa Sarai + * Copyright (C) 2018-2019 SUSE LLC. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include + +#include "helpers.h" + +bool needs_openat2(const struct open_how *how) +{ + return how->resolve != 0; +} + +int raw_openat2(int dfd, const char *path, void *how, size_t size) +{ + int ret = syscall(__NR_openat2, dfd, path, how, size); + return ret >= 0 ? ret : -errno; +} + +int sys_openat2(int dfd, const char *path, struct open_how *how) +{ + return raw_openat2(dfd, path, how, sizeof(*how)); +} + +int sys_openat(int dfd, const char *path, struct open_how *how) +{ + int ret = openat(dfd, path, how->flags, how->mode); + return ret >= 0 ? ret : -errno; +} + +int sys_renameat2(int olddirfd, const char *oldpath, + int newdirfd, const char *newpath, unsigned int flags) +{ + int ret = syscall(__NR_renameat2, olddirfd, oldpath, + newdirfd, newpath, flags); + return ret >= 0 ? ret : -errno; +} + +int touchat(int dfd, const char *path) +{ + int fd = openat(dfd, path, O_CREAT, 0700); + if (fd >= 0) + close(fd); + return fd; +} + +char *fdreadlink(int fd) +{ + char *target, *tmp; + + E_asprintf(&tmp, "/proc/self/fd/%d", fd); + + target = malloc(PATH_MAX); + if (!target) + ksft_exit_fail_msg("fdreadlink: malloc failed\n"); + memset(target, 0, PATH_MAX); + + E_readlink(tmp, target, PATH_MAX); + free(tmp); + return target; +} + +bool fdequal(int fd, int dfd, const char *path) +{ + char *fdpath, *dfdpath, *other; + bool cmp; + + fdpath = fdreadlink(fd); + dfdpath = fdreadlink(dfd); + + if (!path) + E_asprintf(&other, "%s", dfdpath); + else if (*path == '/') + E_asprintf(&other, "%s", path); + else + E_asprintf(&other, "%s/%s", dfdpath, path); + + cmp = !strcmp(fdpath, other); + + free(fdpath); + free(dfdpath); + free(other); + return cmp; +} + +bool openat2_supported = false; + +void __attribute__((constructor)) init(void) +{ + struct open_how how = {}; + int fd; + + BUILD_BUG_ON(sizeof(struct open_how) != OPEN_HOW_SIZE_VER0); + + /* Check openat2(2) support. */ + fd = sys_openat2(AT_FDCWD, ".", &how); + openat2_supported = (fd >= 0); + + if (fd >= 0) + close(fd); +} diff --git a/tools/testing/selftests/filesystems/openat2/helpers.h b/tools/testing/selftests/filesystems/openat2/helpers.h new file mode 100644 index 000000000000..510e60602511 --- /dev/null +++ b/tools/testing/selftests/filesystems/openat2/helpers.h @@ -0,0 +1,108 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Author: Aleksa Sarai + * Copyright (C) 2018-2019 SUSE LLC. + */ + +#ifndef __RESOLVEAT_H__ +#define __RESOLVEAT_H__ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include "kselftest.h" + +#define ARRAY_LEN(X) (sizeof (X) / sizeof (*(X))) +#define BUILD_BUG_ON(e) ((void)(sizeof(struct { int:(-!!(e)); }))) + +#ifndef SYS_openat2 +#ifndef __NR_openat2 +#define __NR_openat2 437 +#endif /* __NR_openat2 */ +#define SYS_openat2 __NR_openat2 +#endif /* SYS_openat2 */ + +/* + * Arguments for how openat2(2) should open the target path. If @resolve is + * zero, then openat2(2) operates very similarly to openat(2). + * + * However, unlike openat(2), unknown bits in @flags result in -EINVAL rather + * than being silently ignored. @mode must be zero unless one of {O_CREAT, + * O_TMPFILE} are set. + * + * @flags: O_* flags. + * @mode: O_CREAT/O_TMPFILE file mode. + * @resolve: RESOLVE_* flags. + */ +struct open_how { + __u64 flags; + __u64 mode; + __u64 resolve; +}; + +#define OPEN_HOW_SIZE_VER0 24 /* sizeof first published struct */ +#define OPEN_HOW_SIZE_LATEST OPEN_HOW_SIZE_VER0 + +bool needs_openat2(const struct open_how *how); + +#ifndef RESOLVE_IN_ROOT +/* how->resolve flags for openat2(2). */ +#define RESOLVE_NO_XDEV 0x01 /* Block mount-point crossings + (includes bind-mounts). */ +#define RESOLVE_NO_MAGICLINKS 0x02 /* Block traversal through procfs-style + "magic-links". */ +#define RESOLVE_NO_SYMLINKS 0x04 /* Block traversal through all symlinks + (implies OEXT_NO_MAGICLINKS) */ +#define RESOLVE_BENEATH 0x08 /* Block "lexical" trickery like + "..", symlinks, and absolute + paths which escape the dirfd. */ +#define RESOLVE_IN_ROOT 0x10 /* Make all jumps to "/" and ".." + be scoped inside the dirfd + (similar to chroot(2)). */ +#endif /* RESOLVE_IN_ROOT */ + +#define E_func(func, ...) \ + do { \ + errno = 0; \ + if (func(__VA_ARGS__) < 0) \ + ksft_exit_fail_msg("%s:%d %s failed - errno:%d\n", \ + __FILE__, __LINE__, #func, errno); \ + } while (0) + +#define E_asprintf(...) E_func(asprintf, __VA_ARGS__) +#define E_chmod(...) E_func(chmod, __VA_ARGS__) +#define E_dup2(...) E_func(dup2, __VA_ARGS__) +#define E_fchdir(...) E_func(fchdir, __VA_ARGS__) +#define E_fstatat(...) E_func(fstatat, __VA_ARGS__) +#define E_kill(...) E_func(kill, __VA_ARGS__) +#define E_mkdirat(...) E_func(mkdirat, __VA_ARGS__) +#define E_mount(...) E_func(mount, __VA_ARGS__) +#define E_prctl(...) E_func(prctl, __VA_ARGS__) +#define E_readlink(...) E_func(readlink, __VA_ARGS__) +#define E_setresuid(...) E_func(setresuid, __VA_ARGS__) +#define E_symlinkat(...) E_func(symlinkat, __VA_ARGS__) +#define E_touchat(...) E_func(touchat, __VA_ARGS__) +#define E_unshare(...) E_func(unshare, __VA_ARGS__) + +#define E_assert(expr, msg, ...) \ + do { \ + if (!(expr)) \ + ksft_exit_fail_msg("ASSERT(%s:%d) failed (%s): " msg "\n", \ + __FILE__, __LINE__, #expr, ##__VA_ARGS__); \ + } while (0) + +int raw_openat2(int dfd, const char *path, void *how, size_t size); +int sys_openat2(int dfd, const char *path, struct open_how *how); +int sys_openat(int dfd, const char *path, struct open_how *how); +int sys_renameat2(int olddirfd, const char *oldpath, + int newdirfd, const char *newpath, unsigned int flags); + +int touchat(int dfd, const char *path); +char *fdreadlink(int fd); +bool fdequal(int fd, int dfd, const char *path); + +extern bool openat2_supported; + +#endif /* __RESOLVEAT_H__ */ diff --git a/tools/testing/selftests/filesystems/openat2/openat2_test.c b/tools/testing/selftests/filesystems/openat2/openat2_test.c new file mode 100644 index 000000000000..0e161ef9e9e4 --- /dev/null +++ b/tools/testing/selftests/filesystems/openat2/openat2_test.c @@ -0,0 +1,338 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Author: Aleksa Sarai + * Copyright (C) 2018-2019 SUSE LLC. + */ + +#define _GNU_SOURCE +#define __SANE_USERSPACE_TYPES__ // Use ll64 +#include +#include +#include +#include +#include +#include +#include +#include + +#include "kselftest.h" +#include "helpers.h" + +/* + * O_LARGEFILE is set to 0 by glibc. + * XXX: This is wrong on {mips, parisc, powerpc, sparc}. + */ +#undef O_LARGEFILE +#ifdef __aarch64__ +#define O_LARGEFILE 0x20000 +#else +#define O_LARGEFILE 0x8000 +#endif + +struct open_how_ext { + struct open_how inner; + uint32_t extra1; + char pad1[128]; + uint32_t extra2; + char pad2[128]; + uint32_t extra3; +}; + +struct struct_test { + const char *name; + struct open_how_ext arg; + size_t size; + int err; +}; + +#define NUM_OPENAT2_STRUCT_TESTS 7 +#define NUM_OPENAT2_STRUCT_VARIATIONS 13 + +void test_openat2_struct(void) +{ + int misalignments[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 17, 87 }; + + struct struct_test tests[] = { + /* Normal struct. */ + { .name = "normal struct", + .arg.inner.flags = O_RDONLY, + .size = sizeof(struct open_how) }, + /* Bigger struct, with zeroed out end. */ + { .name = "bigger struct (zeroed out)", + .arg.inner.flags = O_RDONLY, + .size = sizeof(struct open_how_ext) }, + + /* TODO: Once expanded, check zero-padding. */ + + /* Smaller than version-0 struct. */ + { .name = "zero-sized 'struct'", + .arg.inner.flags = O_RDONLY, .size = 0, .err = -EINVAL }, + { .name = "smaller-than-v0 struct", + .arg.inner.flags = O_RDONLY, + .size = OPEN_HOW_SIZE_VER0 - 1, .err = -EINVAL }, + + /* Bigger struct, with non-zero trailing bytes. */ + { .name = "bigger struct (non-zero data in first 'future field')", + .arg.inner.flags = O_RDONLY, .arg.extra1 = 0xdeadbeef, + .size = sizeof(struct open_how_ext), .err = -E2BIG }, + { .name = "bigger struct (non-zero data in middle of 'future fields')", + .arg.inner.flags = O_RDONLY, .arg.extra2 = 0xfeedcafe, + .size = sizeof(struct open_how_ext), .err = -E2BIG }, + { .name = "bigger struct (non-zero data at end of 'future fields')", + .arg.inner.flags = O_RDONLY, .arg.extra3 = 0xabad1dea, + .size = sizeof(struct open_how_ext), .err = -E2BIG }, + }; + + BUILD_BUG_ON(ARRAY_LEN(misalignments) != NUM_OPENAT2_STRUCT_VARIATIONS); + BUILD_BUG_ON(ARRAY_LEN(tests) != NUM_OPENAT2_STRUCT_TESTS); + + for (int i = 0; i < ARRAY_LEN(tests); i++) { + struct struct_test *test = &tests[i]; + struct open_how_ext how_ext = test->arg; + + for (int j = 0; j < ARRAY_LEN(misalignments); j++) { + int fd, misalign = misalignments[j]; + char *fdpath = NULL; + bool failed; + void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; + + void *copy = NULL, *how_copy = &how_ext; + + if (!openat2_supported) { + ksft_print_msg("openat2(2) unsupported\n"); + resultfn = ksft_test_result_skip; + goto skip; + } + + if (misalign) { + /* + * Explicitly misalign the structure copying it with the given + * (mis)alignment offset. The other data is set to be non-zero to + * make sure that non-zero bytes outside the struct aren't checked + * + * This is effectively to check that is_zeroed_user() works. + */ + copy = malloc(misalign + sizeof(how_ext)); + how_copy = copy + misalign; + memset(copy, 0xff, misalign); + memcpy(how_copy, &how_ext, sizeof(how_ext)); + } + + fd = raw_openat2(AT_FDCWD, ".", how_copy, test->size); + if (test->err >= 0) + failed = (fd < 0); + else + failed = (fd != test->err); + if (fd >= 0) { + fdpath = fdreadlink(fd); + close(fd); + } + + if (failed) { + resultfn = ksft_test_result_fail; + + ksft_print_msg("openat2 unexpectedly returned "); + if (fdpath) + ksft_print_msg("%d['%s']\n", fd, fdpath); + else + ksft_print_msg("%d (%s)\n", fd, strerror(-fd)); + } + +skip: + if (test->err >= 0) + resultfn("openat2 with %s argument [misalign=%d] succeeds\n", + test->name, misalign); + else + resultfn("openat2 with %s argument [misalign=%d] fails with %d (%s)\n", + test->name, misalign, test->err, + strerror(-test->err)); + + free(copy); + free(fdpath); + fflush(stdout); + } + } +} + +struct flag_test { + const char *name; + struct open_how how; + int err; +}; + +#define NUM_OPENAT2_FLAG_TESTS 25 + +void test_openat2_flags(void) +{ + struct flag_test tests[] = { + /* O_TMPFILE is incompatible with O_PATH and O_CREAT. */ + { .name = "incompatible flags (O_TMPFILE | O_PATH)", + .how.flags = O_TMPFILE | O_PATH | O_RDWR, .err = -EINVAL }, + { .name = "incompatible flags (O_TMPFILE | O_CREAT)", + .how.flags = O_TMPFILE | O_CREAT | O_RDWR, .err = -EINVAL }, + + /* O_PATH only permits certain other flags to be set ... */ + { .name = "compatible flags (O_PATH | O_CLOEXEC)", + .how.flags = O_PATH | O_CLOEXEC }, + { .name = "compatible flags (O_PATH | O_DIRECTORY)", + .how.flags = O_PATH | O_DIRECTORY }, + { .name = "compatible flags (O_PATH | O_NOFOLLOW)", + .how.flags = O_PATH | O_NOFOLLOW }, + /* ... and others are absolutely not permitted. */ + { .name = "incompatible flags (O_PATH | O_RDWR)", + .how.flags = O_PATH | O_RDWR, .err = -EINVAL }, + { .name = "incompatible flags (O_PATH | O_CREAT)", + .how.flags = O_PATH | O_CREAT, .err = -EINVAL }, + { .name = "incompatible flags (O_PATH | O_EXCL)", + .how.flags = O_PATH | O_EXCL, .err = -EINVAL }, + { .name = "incompatible flags (O_PATH | O_NOCTTY)", + .how.flags = O_PATH | O_NOCTTY, .err = -EINVAL }, + { .name = "incompatible flags (O_PATH | O_DIRECT)", + .how.flags = O_PATH | O_DIRECT, .err = -EINVAL }, + { .name = "incompatible flags (O_PATH | O_LARGEFILE)", + .how.flags = O_PATH | O_LARGEFILE, .err = -EINVAL }, + + /* ->mode must only be set with O_{CREAT,TMPFILE}. */ + { .name = "non-zero how.mode and O_RDONLY", + .how.flags = O_RDONLY, .how.mode = 0600, .err = -EINVAL }, + { .name = "non-zero how.mode and O_PATH", + .how.flags = O_PATH, .how.mode = 0600, .err = -EINVAL }, + { .name = "valid how.mode and O_CREAT", + .how.flags = O_CREAT, .how.mode = 0600 }, + { .name = "valid how.mode and O_TMPFILE", + .how.flags = O_TMPFILE | O_RDWR, .how.mode = 0600 }, + /* ->mode must only contain 0777 bits. */ + { .name = "invalid how.mode and O_CREAT", + .how.flags = O_CREAT, + .how.mode = 0xFFFF, .err = -EINVAL }, + { .name = "invalid (very large) how.mode and O_CREAT", + .how.flags = O_CREAT, + .how.mode = 0xC000000000000000ULL, .err = -EINVAL }, + { .name = "invalid how.mode and O_TMPFILE", + .how.flags = O_TMPFILE | O_RDWR, + .how.mode = 0x1337, .err = -EINVAL }, + { .name = "invalid (very large) how.mode and O_TMPFILE", + .how.flags = O_TMPFILE | O_RDWR, + .how.mode = 0x0000A00000000000ULL, .err = -EINVAL }, + + /* ->resolve flags must not conflict. */ + { .name = "incompatible resolve flags (BENEATH | IN_ROOT)", + .how.flags = O_RDONLY, + .how.resolve = RESOLVE_BENEATH | RESOLVE_IN_ROOT, + .err = -EINVAL }, + + /* ->resolve must only contain RESOLVE_* flags. */ + { .name = "invalid how.resolve and O_RDONLY", + .how.flags = O_RDONLY, + .how.resolve = 0x1337, .err = -EINVAL }, + { .name = "invalid how.resolve and O_CREAT", + .how.flags = O_CREAT, + .how.resolve = 0x1337, .err = -EINVAL }, + { .name = "invalid how.resolve and O_TMPFILE", + .how.flags = O_TMPFILE | O_RDWR, + .how.resolve = 0x1337, .err = -EINVAL }, + { .name = "invalid how.resolve and O_PATH", + .how.flags = O_PATH, + .how.resolve = 0x1337, .err = -EINVAL }, + + /* currently unknown upper 32 bit rejected. */ + { .name = "currently unknown bit (1 << 63)", + .how.flags = O_RDONLY | (1ULL << 63), + .how.resolve = 0, .err = -EINVAL }, + }; + + BUILD_BUG_ON(ARRAY_LEN(tests) != NUM_OPENAT2_FLAG_TESTS); + + for (int i = 0; i < ARRAY_LEN(tests); i++) { + int fd, fdflags = -1; + char *path, *fdpath = NULL; + bool failed = false; + struct flag_test *test = &tests[i]; + void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; + + if (!openat2_supported) { + ksft_print_msg("openat2(2) unsupported\n"); + resultfn = ksft_test_result_skip; + goto skip; + } + + path = (test->how.flags & O_CREAT) ? "/tmp/ksft.openat2_tmpfile" : "."; + unlink(path); + + fd = sys_openat2(AT_FDCWD, path, &test->how); + if (fd < 0 && fd == -EOPNOTSUPP) { + /* + * Skip the testcase if it failed because not supported + * by FS. (e.g. a valid O_TMPFILE combination on NFS) + */ + ksft_test_result_skip("openat2 with %s fails with %d (%s)\n", + test->name, fd, strerror(-fd)); + goto next; + } + + if (test->err >= 0) + failed = (fd < 0); + else + failed = (fd != test->err); + if (fd >= 0) { + int otherflags; + + fdpath = fdreadlink(fd); + fdflags = fcntl(fd, F_GETFL); + otherflags = fcntl(fd, F_GETFD); + close(fd); + + E_assert(fdflags >= 0, "fcntl F_GETFL of new fd"); + E_assert(otherflags >= 0, "fcntl F_GETFD of new fd"); + + /* O_CLOEXEC isn't shown in F_GETFL. */ + if (otherflags & FD_CLOEXEC) + fdflags |= O_CLOEXEC; + /* O_CREAT is hidden from F_GETFL. */ + if (test->how.flags & O_CREAT) + fdflags |= O_CREAT; + if (!(test->how.flags & O_LARGEFILE)) + fdflags &= ~O_LARGEFILE; + failed |= (fdflags != test->how.flags); + } + + if (failed) { + resultfn = ksft_test_result_fail; + + ksft_print_msg("openat2 unexpectedly returned "); + if (fdpath) + ksft_print_msg("%d['%s'] with %X (!= %llX)\n", + fd, fdpath, fdflags, + test->how.flags); + else + ksft_print_msg("%d (%s)\n", fd, strerror(-fd)); + } + +skip: + if (test->err >= 0) + resultfn("openat2 with %s succeeds\n", test->name); + else + resultfn("openat2 with %s fails with %d (%s)\n", + test->name, test->err, strerror(-test->err)); +next: + free(fdpath); + fflush(stdout); + } +} + +#define NUM_TESTS (NUM_OPENAT2_STRUCT_VARIATIONS * NUM_OPENAT2_STRUCT_TESTS + \ + NUM_OPENAT2_FLAG_TESTS) + +int main(int argc, char **argv) +{ + ksft_print_header(); + ksft_set_plan(NUM_TESTS); + + test_openat2_struct(); + test_openat2_flags(); + + if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) + ksft_exit_fail(); + else + ksft_exit_pass(); +} diff --git a/tools/testing/selftests/filesystems/openat2/rename_attack_test.c b/tools/testing/selftests/filesystems/openat2/rename_attack_test.c new file mode 100644 index 000000000000..aa5699e45729 --- /dev/null +++ b/tools/testing/selftests/filesystems/openat2/rename_attack_test.c @@ -0,0 +1,160 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Author: Aleksa Sarai + * Copyright (C) 2018-2019 SUSE LLC. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "kselftest.h" +#include "helpers.h" + +/* Construct a test directory with the following structure: + * + * root/ + * |-- a/ + * | `-- c/ + * `-- b/ + */ +int setup_testdir(void) +{ + int dfd; + char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX"; + + /* Make the top-level directory. */ + if (!mkdtemp(dirname)) + ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n"); + dfd = open(dirname, O_PATH | O_DIRECTORY); + if (dfd < 0) + ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n"); + + E_mkdirat(dfd, "a", 0755); + E_mkdirat(dfd, "b", 0755); + E_mkdirat(dfd, "a/c", 0755); + + return dfd; +} + +/* Swap @dirfd/@a and @dirfd/@b constantly. Parent must kill this process. */ +pid_t spawn_attack(int dirfd, char *a, char *b) +{ + pid_t child = fork(); + if (child != 0) + return child; + + /* If the parent (the test process) dies, kill ourselves too. */ + E_prctl(PR_SET_PDEATHSIG, SIGKILL); + + /* Swap @a and @b. */ + for (;;) + renameat2(dirfd, a, dirfd, b, RENAME_EXCHANGE); + exit(1); +} + +#define NUM_RENAME_TESTS 2 +#define ROUNDS 400000 + +const char *flagname(int resolve) +{ + switch (resolve) { + case RESOLVE_IN_ROOT: + return "RESOLVE_IN_ROOT"; + case RESOLVE_BENEATH: + return "RESOLVE_BENEATH"; + } + return "(unknown)"; +} + +void test_rename_attack(int resolve) +{ + int dfd, afd; + pid_t child; + void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; + int escapes = 0, other_errs = 0, exdevs = 0, eagains = 0, successes = 0; + + struct open_how how = { + .flags = O_PATH, + .resolve = resolve, + }; + + if (!openat2_supported) { + how.resolve = 0; + ksft_print_msg("openat2(2) unsupported -- using openat(2) instead\n"); + } + + dfd = setup_testdir(); + afd = openat(dfd, "a", O_PATH); + if (afd < 0) + ksft_exit_fail_msg("test_rename_attack: failed to open 'a'\n"); + + child = spawn_attack(dfd, "a/c", "b"); + + for (int i = 0; i < ROUNDS; i++) { + int fd; + char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../.."; + + if (openat2_supported) + fd = sys_openat2(afd, victim_path, &how); + else + fd = sys_openat(afd, victim_path, &how); + + if (fd < 0) { + if (fd == -EAGAIN) + eagains++; + else if (fd == -EXDEV) + exdevs++; + else if (fd == -ENOENT) + escapes++; /* escaped outside and got ENOENT... */ + else + other_errs++; /* unexpected error */ + } else { + if (fdequal(fd, afd, NULL)) + successes++; + else + escapes++; /* we got an unexpected fd */ + } + close(fd); + } + + if (escapes > 0) + resultfn = ksft_test_result_fail; + ksft_print_msg("non-escapes: EAGAIN=%d EXDEV=%d E=%d success=%d\n", + eagains, exdevs, other_errs, successes); + resultfn("rename attack with %s (%d runs, got %d escapes)\n", + flagname(resolve), ROUNDS, escapes); + + /* Should be killed anyway, but might as well make sure. */ + E_kill(child, SIGKILL); +} + +#define NUM_TESTS NUM_RENAME_TESTS + +int main(int argc, char **argv) +{ + ksft_print_header(); + ksft_set_plan(NUM_TESTS); + + test_rename_attack(RESOLVE_BENEATH); + test_rename_attack(RESOLVE_IN_ROOT); + + if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) + ksft_exit_fail(); + else + ksft_exit_pass(); +} diff --git a/tools/testing/selftests/filesystems/openat2/resolve_test.c b/tools/testing/selftests/filesystems/openat2/resolve_test.c new file mode 100644 index 000000000000..a76ef15ceb90 --- /dev/null +++ b/tools/testing/selftests/filesystems/openat2/resolve_test.c @@ -0,0 +1,523 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Author: Aleksa Sarai + * Copyright (C) 2018-2019 SUSE LLC. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include + +#include "kselftest.h" +#include "helpers.h" + +/* + * Construct a test directory with the following structure: + * + * root/ + * |-- procexe -> /proc/self/exe + * |-- procroot -> /proc/self/root + * |-- root/ + * |-- mnt/ [mountpoint] + * | |-- self -> ../mnt/ + * | `-- absself -> /mnt/ + * |-- etc/ + * | `-- passwd + * |-- creatlink -> /newfile3 + * |-- reletc -> etc/ + * |-- relsym -> etc/passwd + * |-- absetc -> /etc/ + * |-- abssym -> /etc/passwd + * |-- abscheeky -> /cheeky + * `-- cheeky/ + * |-- absself -> / + * |-- self -> ../../root/ + * |-- garbageself -> /../../root/ + * |-- passwd -> ../cheeky/../cheeky/../etc/../etc/passwd + * |-- abspasswd -> /../cheeky/../cheeky/../etc/../etc/passwd + * |-- dotdotlink -> ../../../../../../../../../../../../../../etc/passwd + * `-- garbagelink -> /../../../../../../../../../../../../../../etc/passwd + */ +int setup_testdir(void) +{ + int dfd, tmpfd; + char dirname[] = "/tmp/ksft-openat2-testdir.XXXXXX"; + + /* Unshare and make /tmp a new directory. */ + E_unshare(CLONE_NEWNS); + E_mount("", "/tmp", "", MS_PRIVATE, ""); + + /* Make the top-level directory. */ + if (!mkdtemp(dirname)) + ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n"); + dfd = open(dirname, O_PATH | O_DIRECTORY); + if (dfd < 0) + ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n"); + + /* A sub-directory which is actually used for tests. */ + E_mkdirat(dfd, "root", 0755); + tmpfd = openat(dfd, "root", O_PATH | O_DIRECTORY); + if (tmpfd < 0) + ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n"); + close(dfd); + dfd = tmpfd; + + E_symlinkat("/proc/self/exe", dfd, "procexe"); + E_symlinkat("/proc/self/root", dfd, "procroot"); + E_mkdirat(dfd, "root", 0755); + + /* There is no mountat(2), so use chdir. */ + E_mkdirat(dfd, "mnt", 0755); + E_fchdir(dfd); + E_mount("tmpfs", "./mnt", "tmpfs", MS_NOSUID | MS_NODEV, ""); + E_symlinkat("../mnt/", dfd, "mnt/self"); + E_symlinkat("/mnt/", dfd, "mnt/absself"); + + E_mkdirat(dfd, "etc", 0755); + E_touchat(dfd, "etc/passwd"); + + E_symlinkat("/newfile3", dfd, "creatlink"); + E_symlinkat("etc/", dfd, "reletc"); + E_symlinkat("etc/passwd", dfd, "relsym"); + E_symlinkat("/etc/", dfd, "absetc"); + E_symlinkat("/etc/passwd", dfd, "abssym"); + E_symlinkat("/cheeky", dfd, "abscheeky"); + + E_mkdirat(dfd, "cheeky", 0755); + + E_symlinkat("/", dfd, "cheeky/absself"); + E_symlinkat("../../root/", dfd, "cheeky/self"); + E_symlinkat("/../../root/", dfd, "cheeky/garbageself"); + + E_symlinkat("../cheeky/../etc/../etc/passwd", dfd, "cheeky/passwd"); + E_symlinkat("/../cheeky/../etc/../etc/passwd", dfd, "cheeky/abspasswd"); + + E_symlinkat("../../../../../../../../../../../../../../etc/passwd", + dfd, "cheeky/dotdotlink"); + E_symlinkat("/../../../../../../../../../../../../../../etc/passwd", + dfd, "cheeky/garbagelink"); + + return dfd; +} + +struct basic_test { + const char *name; + const char *dir; + const char *path; + struct open_how how; + bool pass; + union { + int err; + const char *path; + } out; +}; + +#define NUM_OPENAT2_OPATH_TESTS 88 + +void test_openat2_opath_tests(void) +{ + int rootfd, hardcoded_fd; + char *procselfexe, *hardcoded_fdpath; + + E_asprintf(&procselfexe, "/proc/%d/exe", getpid()); + rootfd = setup_testdir(); + + hardcoded_fd = open("/dev/null", O_RDONLY); + E_assert(hardcoded_fd >= 0, "open fd to hardcode"); + E_asprintf(&hardcoded_fdpath, "self/fd/%d", hardcoded_fd); + + struct basic_test tests[] = { + /** RESOLVE_BENEATH **/ + /* Attempts to cross dirfd should be blocked. */ + { .name = "[beneath] jump to /", + .path = "/", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] absolute link to $root", + .path = "cheeky/absself", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] chained absolute links to $root", + .path = "abscheeky/absself", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] jump outside $root", + .path = "..", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] temporary jump outside $root", + .path = "../root/", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] symlink temporary jump outside $root", + .path = "cheeky/self", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] chained symlink temporary jump outside $root", + .path = "abscheeky/self", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] garbage links to $root", + .path = "cheeky/garbageself", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] chained garbage links to $root", + .path = "abscheeky/garbageself", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + /* Only relative paths that stay inside dirfd should work. */ + { .name = "[beneath] ordinary path to 'root'", + .path = "root", .how.resolve = RESOLVE_BENEATH, + .out.path = "root", .pass = true }, + { .name = "[beneath] ordinary path to 'etc'", + .path = "etc", .how.resolve = RESOLVE_BENEATH, + .out.path = "etc", .pass = true }, + { .name = "[beneath] ordinary path to 'etc/passwd'", + .path = "etc/passwd", .how.resolve = RESOLVE_BENEATH, + .out.path = "etc/passwd", .pass = true }, + { .name = "[beneath] relative symlink inside $root", + .path = "relsym", .how.resolve = RESOLVE_BENEATH, + .out.path = "etc/passwd", .pass = true }, + { .name = "[beneath] chained-'..' relative symlink inside $root", + .path = "cheeky/passwd", .how.resolve = RESOLVE_BENEATH, + .out.path = "etc/passwd", .pass = true }, + { .name = "[beneath] absolute symlink component outside $root", + .path = "abscheeky/passwd", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] absolute symlink target outside $root", + .path = "abssym", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] absolute path outside $root", + .path = "/etc/passwd", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] cheeky absolute path outside $root", + .path = "cheeky/abspasswd", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] chained cheeky absolute path outside $root", + .path = "abscheeky/abspasswd", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + /* Tricky paths should fail. */ + { .name = "[beneath] tricky '..'-chained symlink outside $root", + .path = "cheeky/dotdotlink", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] tricky absolute + '..'-chained symlink outside $root", + .path = "abscheeky/dotdotlink", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] tricky garbage link outside $root", + .path = "cheeky/garbagelink", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + { .name = "[beneath] tricky absolute + garbage link outside $root", + .path = "abscheeky/garbagelink", .how.resolve = RESOLVE_BENEATH, + .out.err = -EXDEV, .pass = false }, + + /** RESOLVE_IN_ROOT **/ + /* All attempts to cross the dirfd will be scoped-to-root. */ + { .name = "[in_root] jump to /", + .path = "/", .how.resolve = RESOLVE_IN_ROOT, + .out.path = NULL, .pass = true }, + { .name = "[in_root] absolute symlink to /root", + .path = "cheeky/absself", .how.resolve = RESOLVE_IN_ROOT, + .out.path = NULL, .pass = true }, + { .name = "[in_root] chained absolute symlinks to /root", + .path = "abscheeky/absself", .how.resolve = RESOLVE_IN_ROOT, + .out.path = NULL, .pass = true }, + { .name = "[in_root] '..' at root", + .path = "..", .how.resolve = RESOLVE_IN_ROOT, + .out.path = NULL, .pass = true }, + { .name = "[in_root] '../root' at root", + .path = "../root/", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "root", .pass = true }, + { .name = "[in_root] relative symlink containing '..' above root", + .path = "cheeky/self", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "root", .pass = true }, + { .name = "[in_root] garbage link to /root", + .path = "cheeky/garbageself", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "root", .pass = true }, + { .name = "[in_root] chained garbage links to /root", + .path = "abscheeky/garbageself", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "root", .pass = true }, + { .name = "[in_root] relative path to 'root'", + .path = "root", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "root", .pass = true }, + { .name = "[in_root] relative path to 'etc'", + .path = "etc", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc", .pass = true }, + { .name = "[in_root] relative path to 'etc/passwd'", + .path = "etc/passwd", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] relative symlink to 'etc/passwd'", + .path = "relsym", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] chained-'..' relative symlink to 'etc/passwd'", + .path = "cheeky/passwd", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] chained-'..' absolute + relative symlink to 'etc/passwd'", + .path = "abscheeky/passwd", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] absolute symlink to 'etc/passwd'", + .path = "abssym", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] absolute path 'etc/passwd'", + .path = "/etc/passwd", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] cheeky absolute path 'etc/passwd'", + .path = "cheeky/abspasswd", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] chained cheeky absolute path 'etc/passwd'", + .path = "abscheeky/abspasswd", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] tricky '..'-chained symlink outside $root", + .path = "cheeky/dotdotlink", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] tricky absolute + '..'-chained symlink outside $root", + .path = "abscheeky/dotdotlink", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] tricky absolute path + absolute + '..'-chained symlink outside $root", + .path = "/../../../../abscheeky/dotdotlink", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] tricky garbage link outside $root", + .path = "cheeky/garbagelink", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] tricky absolute + garbage link outside $root", + .path = "abscheeky/garbagelink", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + { .name = "[in_root] tricky absolute path + absolute + garbage link outside $root", + .path = "/../../../../abscheeky/garbagelink", .how.resolve = RESOLVE_IN_ROOT, + .out.path = "etc/passwd", .pass = true }, + /* O_CREAT should handle trailing symlinks correctly. */ + { .name = "[in_root] O_CREAT of relative path inside $root", + .path = "newfile1", .how.flags = O_CREAT, + .how.mode = 0700, + .how.resolve = RESOLVE_IN_ROOT, + .out.path = "newfile1", .pass = true }, + { .name = "[in_root] O_CREAT of absolute path", + .path = "/newfile2", .how.flags = O_CREAT, + .how.mode = 0700, + .how.resolve = RESOLVE_IN_ROOT, + .out.path = "newfile2", .pass = true }, + { .name = "[in_root] O_CREAT of tricky symlink outside root", + .path = "/creatlink", .how.flags = O_CREAT, + .how.mode = 0700, + .how.resolve = RESOLVE_IN_ROOT, + .out.path = "newfile3", .pass = true }, + + /** RESOLVE_NO_XDEV **/ + /* Crossing *down* into a mountpoint is disallowed. */ + { .name = "[no_xdev] cross into $mnt", + .path = "mnt", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + { .name = "[no_xdev] cross into $mnt/", + .path = "mnt/", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + { .name = "[no_xdev] cross into $mnt/.", + .path = "mnt/.", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + /* Crossing *up* out of a mountpoint is disallowed. */ + { .name = "[no_xdev] goto mountpoint root", + .dir = "mnt", .path = ".", .how.resolve = RESOLVE_NO_XDEV, + .out.path = "mnt", .pass = true }, + { .name = "[no_xdev] cross up through '..'", + .dir = "mnt", .path = "..", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + { .name = "[no_xdev] temporary cross up through '..'", + .dir = "mnt", .path = "../mnt", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + { .name = "[no_xdev] temporary relative symlink cross up", + .dir = "mnt", .path = "self", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + { .name = "[no_xdev] temporary absolute symlink cross up", + .dir = "mnt", .path = "absself", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + /* Jumping to "/" is ok, but later components cannot cross. */ + { .name = "[no_xdev] jump to / directly", + .dir = "mnt", .path = "/", .how.resolve = RESOLVE_NO_XDEV, + .out.path = "/", .pass = true }, + { .name = "[no_xdev] jump to / (from /) directly", + .dir = "/", .path = "/", .how.resolve = RESOLVE_NO_XDEV, + .out.path = "/", .pass = true }, + { .name = "[no_xdev] jump to / then proc", + .path = "/proc/1", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + { .name = "[no_xdev] jump to / then tmp", + .path = "/tmp", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + /* Magic-links are blocked since they can switch vfsmounts. */ + { .name = "[no_xdev] cross through magic-link to self/root", + .dir = "/proc", .path = "self/root", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + { .name = "[no_xdev] cross through magic-link to self/cwd", + .dir = "/proc", .path = "self/cwd", .how.resolve = RESOLVE_NO_XDEV, + .out.err = -EXDEV, .pass = false }, + /* Except magic-link jumps inside the same vfsmount. */ + { .name = "[no_xdev] jump through magic-link to same procfs", + .dir = "/proc", .path = hardcoded_fdpath, .how.resolve = RESOLVE_NO_XDEV, + .out.path = "/proc", .pass = true, }, + + /** RESOLVE_NO_MAGICLINKS **/ + /* Regular symlinks should work. */ + { .name = "[no_magiclinks] ordinary relative symlink", + .path = "relsym", .how.resolve = RESOLVE_NO_MAGICLINKS, + .out.path = "etc/passwd", .pass = true }, + /* Magic-links should not work. */ + { .name = "[no_magiclinks] symlink to magic-link", + .path = "procexe", .how.resolve = RESOLVE_NO_MAGICLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_magiclinks] normal path to magic-link", + .path = "/proc/self/exe", .how.resolve = RESOLVE_NO_MAGICLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_magiclinks] normal path to magic-link with O_NOFOLLOW", + .path = "/proc/self/exe", .how.flags = O_NOFOLLOW, + .how.resolve = RESOLVE_NO_MAGICLINKS, + .out.path = procselfexe, .pass = true }, + { .name = "[no_magiclinks] symlink to magic-link path component", + .path = "procroot/etc", .how.resolve = RESOLVE_NO_MAGICLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_magiclinks] magic-link path component", + .path = "/proc/self/root/etc", .how.resolve = RESOLVE_NO_MAGICLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_magiclinks] magic-link path component with O_NOFOLLOW", + .path = "/proc/self/root/etc", .how.flags = O_NOFOLLOW, + .how.resolve = RESOLVE_NO_MAGICLINKS, + .out.err = -ELOOP, .pass = false }, + + /** RESOLVE_NO_SYMLINKS **/ + /* Normal paths should work. */ + { .name = "[no_symlinks] ordinary path to '.'", + .path = ".", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.path = NULL, .pass = true }, + { .name = "[no_symlinks] ordinary path to 'root'", + .path = "root", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.path = "root", .pass = true }, + { .name = "[no_symlinks] ordinary path to 'etc'", + .path = "etc", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.path = "etc", .pass = true }, + { .name = "[no_symlinks] ordinary path to 'etc/passwd'", + .path = "etc/passwd", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.path = "etc/passwd", .pass = true }, + /* Regular symlinks are blocked. */ + { .name = "[no_symlinks] relative symlink target", + .path = "relsym", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_symlinks] relative symlink component", + .path = "reletc/passwd", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_symlinks] absolute symlink target", + .path = "abssym", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_symlinks] absolute symlink component", + .path = "absetc/passwd", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_symlinks] cheeky garbage link", + .path = "cheeky/garbagelink", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_symlinks] cheeky absolute + garbage link", + .path = "abscheeky/garbagelink", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_symlinks] cheeky absolute + absolute symlink", + .path = "abscheeky/absself", .how.resolve = RESOLVE_NO_SYMLINKS, + .out.err = -ELOOP, .pass = false }, + /* Trailing symlinks with NO_FOLLOW. */ + { .name = "[no_symlinks] relative symlink with O_NOFOLLOW", + .path = "relsym", .how.flags = O_NOFOLLOW, + .how.resolve = RESOLVE_NO_SYMLINKS, + .out.path = "relsym", .pass = true }, + { .name = "[no_symlinks] absolute symlink with O_NOFOLLOW", + .path = "abssym", .how.flags = O_NOFOLLOW, + .how.resolve = RESOLVE_NO_SYMLINKS, + .out.path = "abssym", .pass = true }, + { .name = "[no_symlinks] trailing symlink with O_NOFOLLOW", + .path = "cheeky/garbagelink", .how.flags = O_NOFOLLOW, + .how.resolve = RESOLVE_NO_SYMLINKS, + .out.path = "cheeky/garbagelink", .pass = true }, + { .name = "[no_symlinks] multiple symlink components with O_NOFOLLOW", + .path = "abscheeky/absself", .how.flags = O_NOFOLLOW, + .how.resolve = RESOLVE_NO_SYMLINKS, + .out.err = -ELOOP, .pass = false }, + { .name = "[no_symlinks] multiple symlink (and garbage link) components with O_NOFOLLOW", + .path = "abscheeky/garbagelink", .how.flags = O_NOFOLLOW, + .how.resolve = RESOLVE_NO_SYMLINKS, + .out.err = -ELOOP, .pass = false }, + }; + + BUILD_BUG_ON(ARRAY_LEN(tests) != NUM_OPENAT2_OPATH_TESTS); + + for (int i = 0; i < ARRAY_LEN(tests); i++) { + int dfd, fd; + char *fdpath = NULL; + bool failed; + void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; + struct basic_test *test = &tests[i]; + + if (!openat2_supported) { + ksft_print_msg("openat2(2) unsupported\n"); + resultfn = ksft_test_result_skip; + goto skip; + } + + /* Auto-set O_PATH. */ + if (!(test->how.flags & O_CREAT)) + test->how.flags |= O_PATH; + + if (test->dir) + dfd = openat(rootfd, test->dir, O_PATH | O_DIRECTORY); + else + dfd = dup(rootfd); + E_assert(dfd, "failed to openat root '%s': %m", test->dir); + + E_dup2(dfd, hardcoded_fd); + + fd = sys_openat2(dfd, test->path, &test->how); + if (test->pass) + failed = (fd < 0 || !fdequal(fd, rootfd, test->out.path)); + else + failed = (fd != test->out.err); + if (fd >= 0) { + fdpath = fdreadlink(fd); + close(fd); + } + close(dfd); + + if (failed) { + resultfn = ksft_test_result_fail; + + ksft_print_msg("openat2 unexpectedly returned "); + if (fdpath) + ksft_print_msg("%d['%s']\n", fd, fdpath); + else + ksft_print_msg("%d (%s)\n", fd, strerror(-fd)); + } + +skip: + if (test->pass) + resultfn("%s gives path '%s'\n", test->name, + test->out.path ?: "."); + else + resultfn("%s fails with %d (%s)\n", test->name, + test->out.err, strerror(-test->out.err)); + + fflush(stdout); + free(fdpath); + } + + free(procselfexe); + close(rootfd); + + free(hardcoded_fdpath); + close(hardcoded_fd); +} + +#define NUM_TESTS NUM_OPENAT2_OPATH_TESTS + +int main(int argc, char **argv) +{ + ksft_print_header(); + ksft_set_plan(NUM_TESTS); + + /* NOTE: We should be checking for CAP_SYS_ADMIN here... */ + if (geteuid() != 0) + ksft_exit_skip("all tests require euid == 0\n"); + + test_openat2_opath_tests(); + + if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) + ksft_exit_fail(); + else + ksft_exit_pass(); +} diff --git a/tools/testing/selftests/openat2/.gitignore b/tools/testing/selftests/openat2/.gitignore deleted file mode 100644 index 82a4846cbc4b..000000000000 --- a/tools/testing/selftests/openat2/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -# SPDX-License-Identifier: GPL-2.0-only -/*_test diff --git a/tools/testing/selftests/openat2/Makefile b/tools/testing/selftests/openat2/Makefile deleted file mode 100644 index 185dc76ebb5f..000000000000 --- a/tools/testing/selftests/openat2/Makefile +++ /dev/null @@ -1,18 +0,0 @@ -# SPDX-License-Identifier: GPL-2.0-or-later - -CFLAGS += -Wall -O2 -g -fsanitize=address -fsanitize=undefined -TEST_GEN_PROGS := openat2_test resolve_test rename_attack_test - -# gcc requires -static-libasan in order to ensure that Address Sanitizer's -# library is the first one loaded. However, clang already statically links the -# Address Sanitizer if -fsanitize is specified. Therefore, simply omit -# -static-libasan for clang builds. -ifeq ($(LLVM),) - CFLAGS += -static-libasan -endif - -LOCAL_HDRS += helpers.h - -include ../lib.mk - -$(TEST_GEN_PROGS): helpers.c diff --git a/tools/testing/selftests/openat2/helpers.c b/tools/testing/selftests/openat2/helpers.c deleted file mode 100644 index 5074681ffdc9..000000000000 --- a/tools/testing/selftests/openat2/helpers.c +++ /dev/null @@ -1,109 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Author: Aleksa Sarai - * Copyright (C) 2018-2019 SUSE LLC. - */ - -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include - -#include "helpers.h" - -bool needs_openat2(const struct open_how *how) -{ - return how->resolve != 0; -} - -int raw_openat2(int dfd, const char *path, void *how, size_t size) -{ - int ret = syscall(__NR_openat2, dfd, path, how, size); - return ret >= 0 ? ret : -errno; -} - -int sys_openat2(int dfd, const char *path, struct open_how *how) -{ - return raw_openat2(dfd, path, how, sizeof(*how)); -} - -int sys_openat(int dfd, const char *path, struct open_how *how) -{ - int ret = openat(dfd, path, how->flags, how->mode); - return ret >= 0 ? ret : -errno; -} - -int sys_renameat2(int olddirfd, const char *oldpath, - int newdirfd, const char *newpath, unsigned int flags) -{ - int ret = syscall(__NR_renameat2, olddirfd, oldpath, - newdirfd, newpath, flags); - return ret >= 0 ? ret : -errno; -} - -int touchat(int dfd, const char *path) -{ - int fd = openat(dfd, path, O_CREAT, 0700); - if (fd >= 0) - close(fd); - return fd; -} - -char *fdreadlink(int fd) -{ - char *target, *tmp; - - E_asprintf(&tmp, "/proc/self/fd/%d", fd); - - target = malloc(PATH_MAX); - if (!target) - ksft_exit_fail_msg("fdreadlink: malloc failed\n"); - memset(target, 0, PATH_MAX); - - E_readlink(tmp, target, PATH_MAX); - free(tmp); - return target; -} - -bool fdequal(int fd, int dfd, const char *path) -{ - char *fdpath, *dfdpath, *other; - bool cmp; - - fdpath = fdreadlink(fd); - dfdpath = fdreadlink(dfd); - - if (!path) - E_asprintf(&other, "%s", dfdpath); - else if (*path == '/') - E_asprintf(&other, "%s", path); - else - E_asprintf(&other, "%s/%s", dfdpath, path); - - cmp = !strcmp(fdpath, other); - - free(fdpath); - free(dfdpath); - free(other); - return cmp; -} - -bool openat2_supported = false; - -void __attribute__((constructor)) init(void) -{ - struct open_how how = {}; - int fd; - - BUILD_BUG_ON(sizeof(struct open_how) != OPEN_HOW_SIZE_VER0); - - /* Check openat2(2) support. */ - fd = sys_openat2(AT_FDCWD, ".", &how); - openat2_supported = (fd >= 0); - - if (fd >= 0) - close(fd); -} diff --git a/tools/testing/selftests/openat2/helpers.h b/tools/testing/selftests/openat2/helpers.h deleted file mode 100644 index 510e60602511..000000000000 --- a/tools/testing/selftests/openat2/helpers.h +++ /dev/null @@ -1,108 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Author: Aleksa Sarai - * Copyright (C) 2018-2019 SUSE LLC. - */ - -#ifndef __RESOLVEAT_H__ -#define __RESOLVEAT_H__ - -#define _GNU_SOURCE -#include -#include -#include -#include -#include "kselftest.h" - -#define ARRAY_LEN(X) (sizeof (X) / sizeof (*(X))) -#define BUILD_BUG_ON(e) ((void)(sizeof(struct { int:(-!!(e)); }))) - -#ifndef SYS_openat2 -#ifndef __NR_openat2 -#define __NR_openat2 437 -#endif /* __NR_openat2 */ -#define SYS_openat2 __NR_openat2 -#endif /* SYS_openat2 */ - -/* - * Arguments for how openat2(2) should open the target path. If @resolve is - * zero, then openat2(2) operates very similarly to openat(2). - * - * However, unlike openat(2), unknown bits in @flags result in -EINVAL rather - * than being silently ignored. @mode must be zero unless one of {O_CREAT, - * O_TMPFILE} are set. - * - * @flags: O_* flags. - * @mode: O_CREAT/O_TMPFILE file mode. - * @resolve: RESOLVE_* flags. - */ -struct open_how { - __u64 flags; - __u64 mode; - __u64 resolve; -}; - -#define OPEN_HOW_SIZE_VER0 24 /* sizeof first published struct */ -#define OPEN_HOW_SIZE_LATEST OPEN_HOW_SIZE_VER0 - -bool needs_openat2(const struct open_how *how); - -#ifndef RESOLVE_IN_ROOT -/* how->resolve flags for openat2(2). */ -#define RESOLVE_NO_XDEV 0x01 /* Block mount-point crossings - (includes bind-mounts). */ -#define RESOLVE_NO_MAGICLINKS 0x02 /* Block traversal through procfs-style - "magic-links". */ -#define RESOLVE_NO_SYMLINKS 0x04 /* Block traversal through all symlinks - (implies OEXT_NO_MAGICLINKS) */ -#define RESOLVE_BENEATH 0x08 /* Block "lexical" trickery like - "..", symlinks, and absolute - paths which escape the dirfd. */ -#define RESOLVE_IN_ROOT 0x10 /* Make all jumps to "/" and ".." - be scoped inside the dirfd - (similar to chroot(2)). */ -#endif /* RESOLVE_IN_ROOT */ - -#define E_func(func, ...) \ - do { \ - errno = 0; \ - if (func(__VA_ARGS__) < 0) \ - ksft_exit_fail_msg("%s:%d %s failed - errno:%d\n", \ - __FILE__, __LINE__, #func, errno); \ - } while (0) - -#define E_asprintf(...) E_func(asprintf, __VA_ARGS__) -#define E_chmod(...) E_func(chmod, __VA_ARGS__) -#define E_dup2(...) E_func(dup2, __VA_ARGS__) -#define E_fchdir(...) E_func(fchdir, __VA_ARGS__) -#define E_fstatat(...) E_func(fstatat, __VA_ARGS__) -#define E_kill(...) E_func(kill, __VA_ARGS__) -#define E_mkdirat(...) E_func(mkdirat, __VA_ARGS__) -#define E_mount(...) E_func(mount, __VA_ARGS__) -#define E_prctl(...) E_func(prctl, __VA_ARGS__) -#define E_readlink(...) E_func(readlink, __VA_ARGS__) -#define E_setresuid(...) E_func(setresuid, __VA_ARGS__) -#define E_symlinkat(...) E_func(symlinkat, __VA_ARGS__) -#define E_touchat(...) E_func(touchat, __VA_ARGS__) -#define E_unshare(...) E_func(unshare, __VA_ARGS__) - -#define E_assert(expr, msg, ...) \ - do { \ - if (!(expr)) \ - ksft_exit_fail_msg("ASSERT(%s:%d) failed (%s): " msg "\n", \ - __FILE__, __LINE__, #expr, ##__VA_ARGS__); \ - } while (0) - -int raw_openat2(int dfd, const char *path, void *how, size_t size); -int sys_openat2(int dfd, const char *path, struct open_how *how); -int sys_openat(int dfd, const char *path, struct open_how *how); -int sys_renameat2(int olddirfd, const char *oldpath, - int newdirfd, const char *newpath, unsigned int flags); - -int touchat(int dfd, const char *path); -char *fdreadlink(int fd); -bool fdequal(int fd, int dfd, const char *path); - -extern bool openat2_supported; - -#endif /* __RESOLVEAT_H__ */ diff --git a/tools/testing/selftests/openat2/openat2_test.c b/tools/testing/selftests/openat2/openat2_test.c deleted file mode 100644 index 0e161ef9e9e4..000000000000 --- a/tools/testing/selftests/openat2/openat2_test.c +++ /dev/null @@ -1,338 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Author: Aleksa Sarai - * Copyright (C) 2018-2019 SUSE LLC. - */ - -#define _GNU_SOURCE -#define __SANE_USERSPACE_TYPES__ // Use ll64 -#include -#include -#include -#include -#include -#include -#include -#include - -#include "kselftest.h" -#include "helpers.h" - -/* - * O_LARGEFILE is set to 0 by glibc. - * XXX: This is wrong on {mips, parisc, powerpc, sparc}. - */ -#undef O_LARGEFILE -#ifdef __aarch64__ -#define O_LARGEFILE 0x20000 -#else -#define O_LARGEFILE 0x8000 -#endif - -struct open_how_ext { - struct open_how inner; - uint32_t extra1; - char pad1[128]; - uint32_t extra2; - char pad2[128]; - uint32_t extra3; -}; - -struct struct_test { - const char *name; - struct open_how_ext arg; - size_t size; - int err; -}; - -#define NUM_OPENAT2_STRUCT_TESTS 7 -#define NUM_OPENAT2_STRUCT_VARIATIONS 13 - -void test_openat2_struct(void) -{ - int misalignments[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 17, 87 }; - - struct struct_test tests[] = { - /* Normal struct. */ - { .name = "normal struct", - .arg.inner.flags = O_RDONLY, - .size = sizeof(struct open_how) }, - /* Bigger struct, with zeroed out end. */ - { .name = "bigger struct (zeroed out)", - .arg.inner.flags = O_RDONLY, - .size = sizeof(struct open_how_ext) }, - - /* TODO: Once expanded, check zero-padding. */ - - /* Smaller than version-0 struct. */ - { .name = "zero-sized 'struct'", - .arg.inner.flags = O_RDONLY, .size = 0, .err = -EINVAL }, - { .name = "smaller-than-v0 struct", - .arg.inner.flags = O_RDONLY, - .size = OPEN_HOW_SIZE_VER0 - 1, .err = -EINVAL }, - - /* Bigger struct, with non-zero trailing bytes. */ - { .name = "bigger struct (non-zero data in first 'future field')", - .arg.inner.flags = O_RDONLY, .arg.extra1 = 0xdeadbeef, - .size = sizeof(struct open_how_ext), .err = -E2BIG }, - { .name = "bigger struct (non-zero data in middle of 'future fields')", - .arg.inner.flags = O_RDONLY, .arg.extra2 = 0xfeedcafe, - .size = sizeof(struct open_how_ext), .err = -E2BIG }, - { .name = "bigger struct (non-zero data at end of 'future fields')", - .arg.inner.flags = O_RDONLY, .arg.extra3 = 0xabad1dea, - .size = sizeof(struct open_how_ext), .err = -E2BIG }, - }; - - BUILD_BUG_ON(ARRAY_LEN(misalignments) != NUM_OPENAT2_STRUCT_VARIATIONS); - BUILD_BUG_ON(ARRAY_LEN(tests) != NUM_OPENAT2_STRUCT_TESTS); - - for (int i = 0; i < ARRAY_LEN(tests); i++) { - struct struct_test *test = &tests[i]; - struct open_how_ext how_ext = test->arg; - - for (int j = 0; j < ARRAY_LEN(misalignments); j++) { - int fd, misalign = misalignments[j]; - char *fdpath = NULL; - bool failed; - void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; - - void *copy = NULL, *how_copy = &how_ext; - - if (!openat2_supported) { - ksft_print_msg("openat2(2) unsupported\n"); - resultfn = ksft_test_result_skip; - goto skip; - } - - if (misalign) { - /* - * Explicitly misalign the structure copying it with the given - * (mis)alignment offset. The other data is set to be non-zero to - * make sure that non-zero bytes outside the struct aren't checked - * - * This is effectively to check that is_zeroed_user() works. - */ - copy = malloc(misalign + sizeof(how_ext)); - how_copy = copy + misalign; - memset(copy, 0xff, misalign); - memcpy(how_copy, &how_ext, sizeof(how_ext)); - } - - fd = raw_openat2(AT_FDCWD, ".", how_copy, test->size); - if (test->err >= 0) - failed = (fd < 0); - else - failed = (fd != test->err); - if (fd >= 0) { - fdpath = fdreadlink(fd); - close(fd); - } - - if (failed) { - resultfn = ksft_test_result_fail; - - ksft_print_msg("openat2 unexpectedly returned "); - if (fdpath) - ksft_print_msg("%d['%s']\n", fd, fdpath); - else - ksft_print_msg("%d (%s)\n", fd, strerror(-fd)); - } - -skip: - if (test->err >= 0) - resultfn("openat2 with %s argument [misalign=%d] succeeds\n", - test->name, misalign); - else - resultfn("openat2 with %s argument [misalign=%d] fails with %d (%s)\n", - test->name, misalign, test->err, - strerror(-test->err)); - - free(copy); - free(fdpath); - fflush(stdout); - } - } -} - -struct flag_test { - const char *name; - struct open_how how; - int err; -}; - -#define NUM_OPENAT2_FLAG_TESTS 25 - -void test_openat2_flags(void) -{ - struct flag_test tests[] = { - /* O_TMPFILE is incompatible with O_PATH and O_CREAT. */ - { .name = "incompatible flags (O_TMPFILE | O_PATH)", - .how.flags = O_TMPFILE | O_PATH | O_RDWR, .err = -EINVAL }, - { .name = "incompatible flags (O_TMPFILE | O_CREAT)", - .how.flags = O_TMPFILE | O_CREAT | O_RDWR, .err = -EINVAL }, - - /* O_PATH only permits certain other flags to be set ... */ - { .name = "compatible flags (O_PATH | O_CLOEXEC)", - .how.flags = O_PATH | O_CLOEXEC }, - { .name = "compatible flags (O_PATH | O_DIRECTORY)", - .how.flags = O_PATH | O_DIRECTORY }, - { .name = "compatible flags (O_PATH | O_NOFOLLOW)", - .how.flags = O_PATH | O_NOFOLLOW }, - /* ... and others are absolutely not permitted. */ - { .name = "incompatible flags (O_PATH | O_RDWR)", - .how.flags = O_PATH | O_RDWR, .err = -EINVAL }, - { .name = "incompatible flags (O_PATH | O_CREAT)", - .how.flags = O_PATH | O_CREAT, .err = -EINVAL }, - { .name = "incompatible flags (O_PATH | O_EXCL)", - .how.flags = O_PATH | O_EXCL, .err = -EINVAL }, - { .name = "incompatible flags (O_PATH | O_NOCTTY)", - .how.flags = O_PATH | O_NOCTTY, .err = -EINVAL }, - { .name = "incompatible flags (O_PATH | O_DIRECT)", - .how.flags = O_PATH | O_DIRECT, .err = -EINVAL }, - { .name = "incompatible flags (O_PATH | O_LARGEFILE)", - .how.flags = O_PATH | O_LARGEFILE, .err = -EINVAL }, - - /* ->mode must only be set with O_{CREAT,TMPFILE}. */ - { .name = "non-zero how.mode and O_RDONLY", - .how.flags = O_RDONLY, .how.mode = 0600, .err = -EINVAL }, - { .name = "non-zero how.mode and O_PATH", - .how.flags = O_PATH, .how.mode = 0600, .err = -EINVAL }, - { .name = "valid how.mode and O_CREAT", - .how.flags = O_CREAT, .how.mode = 0600 }, - { .name = "valid how.mode and O_TMPFILE", - .how.flags = O_TMPFILE | O_RDWR, .how.mode = 0600 }, - /* ->mode must only contain 0777 bits. */ - { .name = "invalid how.mode and O_CREAT", - .how.flags = O_CREAT, - .how.mode = 0xFFFF, .err = -EINVAL }, - { .name = "invalid (very large) how.mode and O_CREAT", - .how.flags = O_CREAT, - .how.mode = 0xC000000000000000ULL, .err = -EINVAL }, - { .name = "invalid how.mode and O_TMPFILE", - .how.flags = O_TMPFILE | O_RDWR, - .how.mode = 0x1337, .err = -EINVAL }, - { .name = "invalid (very large) how.mode and O_TMPFILE", - .how.flags = O_TMPFILE | O_RDWR, - .how.mode = 0x0000A00000000000ULL, .err = -EINVAL }, - - /* ->resolve flags must not conflict. */ - { .name = "incompatible resolve flags (BENEATH | IN_ROOT)", - .how.flags = O_RDONLY, - .how.resolve = RESOLVE_BENEATH | RESOLVE_IN_ROOT, - .err = -EINVAL }, - - /* ->resolve must only contain RESOLVE_* flags. */ - { .name = "invalid how.resolve and O_RDONLY", - .how.flags = O_RDONLY, - .how.resolve = 0x1337, .err = -EINVAL }, - { .name = "invalid how.resolve and O_CREAT", - .how.flags = O_CREAT, - .how.resolve = 0x1337, .err = -EINVAL }, - { .name = "invalid how.resolve and O_TMPFILE", - .how.flags = O_TMPFILE | O_RDWR, - .how.resolve = 0x1337, .err = -EINVAL }, - { .name = "invalid how.resolve and O_PATH", - .how.flags = O_PATH, - .how.resolve = 0x1337, .err = -EINVAL }, - - /* currently unknown upper 32 bit rejected. */ - { .name = "currently unknown bit (1 << 63)", - .how.flags = O_RDONLY | (1ULL << 63), - .how.resolve = 0, .err = -EINVAL }, - }; - - BUILD_BUG_ON(ARRAY_LEN(tests) != NUM_OPENAT2_FLAG_TESTS); - - for (int i = 0; i < ARRAY_LEN(tests); i++) { - int fd, fdflags = -1; - char *path, *fdpath = NULL; - bool failed = false; - struct flag_test *test = &tests[i]; - void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; - - if (!openat2_supported) { - ksft_print_msg("openat2(2) unsupported\n"); - resultfn = ksft_test_result_skip; - goto skip; - } - - path = (test->how.flags & O_CREAT) ? "/tmp/ksft.openat2_tmpfile" : "."; - unlink(path); - - fd = sys_openat2(AT_FDCWD, path, &test->how); - if (fd < 0 && fd == -EOPNOTSUPP) { - /* - * Skip the testcase if it failed because not supported - * by FS. (e.g. a valid O_TMPFILE combination on NFS) - */ - ksft_test_result_skip("openat2 with %s fails with %d (%s)\n", - test->name, fd, strerror(-fd)); - goto next; - } - - if (test->err >= 0) - failed = (fd < 0); - else - failed = (fd != test->err); - if (fd >= 0) { - int otherflags; - - fdpath = fdreadlink(fd); - fdflags = fcntl(fd, F_GETFL); - otherflags = fcntl(fd, F_GETFD); - close(fd); - - E_assert(fdflags >= 0, "fcntl F_GETFL of new fd"); - E_assert(otherflags >= 0, "fcntl F_GETFD of new fd"); - - /* O_CLOEXEC isn't shown in F_GETFL. */ - if (otherflags & FD_CLOEXEC) - fdflags |= O_CLOEXEC; - /* O_CREAT is hidden from F_GETFL. */ - if (test->how.flags & O_CREAT) - fdflags |= O_CREAT; - if (!(test->how.flags & O_LARGEFILE)) - fdflags &= ~O_LARGEFILE; - failed |= (fdflags != test->how.flags); - } - - if (failed) { - resultfn = ksft_test_result_fail; - - ksft_print_msg("openat2 unexpectedly returned "); - if (fdpath) - ksft_print_msg("%d['%s'] with %X (!= %llX)\n", - fd, fdpath, fdflags, - test->how.flags); - else - ksft_print_msg("%d (%s)\n", fd, strerror(-fd)); - } - -skip: - if (test->err >= 0) - resultfn("openat2 with %s succeeds\n", test->name); - else - resultfn("openat2 with %s fails with %d (%s)\n", - test->name, test->err, strerror(-test->err)); -next: - free(fdpath); - fflush(stdout); - } -} - -#define NUM_TESTS (NUM_OPENAT2_STRUCT_VARIATIONS * NUM_OPENAT2_STRUCT_TESTS + \ - NUM_OPENAT2_FLAG_TESTS) - -int main(int argc, char **argv) -{ - ksft_print_header(); - ksft_set_plan(NUM_TESTS); - - test_openat2_struct(); - test_openat2_flags(); - - if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) - ksft_exit_fail(); - else - ksft_exit_pass(); -} diff --git a/tools/testing/selftests/openat2/rename_attack_test.c b/tools/testing/selftests/openat2/rename_attack_test.c deleted file mode 100644 index aa5699e45729..000000000000 --- a/tools/testing/selftests/openat2/rename_attack_test.c +++ /dev/null @@ -1,160 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Author: Aleksa Sarai - * Copyright (C) 2018-2019 SUSE LLC. - */ - -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "kselftest.h" -#include "helpers.h" - -/* Construct a test directory with the following structure: - * - * root/ - * |-- a/ - * | `-- c/ - * `-- b/ - */ -int setup_testdir(void) -{ - int dfd; - char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX"; - - /* Make the top-level directory. */ - if (!mkdtemp(dirname)) - ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n"); - dfd = open(dirname, O_PATH | O_DIRECTORY); - if (dfd < 0) - ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n"); - - E_mkdirat(dfd, "a", 0755); - E_mkdirat(dfd, "b", 0755); - E_mkdirat(dfd, "a/c", 0755); - - return dfd; -} - -/* Swap @dirfd/@a and @dirfd/@b constantly. Parent must kill this process. */ -pid_t spawn_attack(int dirfd, char *a, char *b) -{ - pid_t child = fork(); - if (child != 0) - return child; - - /* If the parent (the test process) dies, kill ourselves too. */ - E_prctl(PR_SET_PDEATHSIG, SIGKILL); - - /* Swap @a and @b. */ - for (;;) - renameat2(dirfd, a, dirfd, b, RENAME_EXCHANGE); - exit(1); -} - -#define NUM_RENAME_TESTS 2 -#define ROUNDS 400000 - -const char *flagname(int resolve) -{ - switch (resolve) { - case RESOLVE_IN_ROOT: - return "RESOLVE_IN_ROOT"; - case RESOLVE_BENEATH: - return "RESOLVE_BENEATH"; - } - return "(unknown)"; -} - -void test_rename_attack(int resolve) -{ - int dfd, afd; - pid_t child; - void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; - int escapes = 0, other_errs = 0, exdevs = 0, eagains = 0, successes = 0; - - struct open_how how = { - .flags = O_PATH, - .resolve = resolve, - }; - - if (!openat2_supported) { - how.resolve = 0; - ksft_print_msg("openat2(2) unsupported -- using openat(2) instead\n"); - } - - dfd = setup_testdir(); - afd = openat(dfd, "a", O_PATH); - if (afd < 0) - ksft_exit_fail_msg("test_rename_attack: failed to open 'a'\n"); - - child = spawn_attack(dfd, "a/c", "b"); - - for (int i = 0; i < ROUNDS; i++) { - int fd; - char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../.."; - - if (openat2_supported) - fd = sys_openat2(afd, victim_path, &how); - else - fd = sys_openat(afd, victim_path, &how); - - if (fd < 0) { - if (fd == -EAGAIN) - eagains++; - else if (fd == -EXDEV) - exdevs++; - else if (fd == -ENOENT) - escapes++; /* escaped outside and got ENOENT... */ - else - other_errs++; /* unexpected error */ - } else { - if (fdequal(fd, afd, NULL)) - successes++; - else - escapes++; /* we got an unexpected fd */ - } - close(fd); - } - - if (escapes > 0) - resultfn = ksft_test_result_fail; - ksft_print_msg("non-escapes: EAGAIN=%d EXDEV=%d E=%d success=%d\n", - eagains, exdevs, other_errs, successes); - resultfn("rename attack with %s (%d runs, got %d escapes)\n", - flagname(resolve), ROUNDS, escapes); - - /* Should be killed anyway, but might as well make sure. */ - E_kill(child, SIGKILL); -} - -#define NUM_TESTS NUM_RENAME_TESTS - -int main(int argc, char **argv) -{ - ksft_print_header(); - ksft_set_plan(NUM_TESTS); - - test_rename_attack(RESOLVE_BENEATH); - test_rename_attack(RESOLVE_IN_ROOT); - - if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) - ksft_exit_fail(); - else - ksft_exit_pass(); -} diff --git a/tools/testing/selftests/openat2/resolve_test.c b/tools/testing/selftests/openat2/resolve_test.c deleted file mode 100644 index a76ef15ceb90..000000000000 --- a/tools/testing/selftests/openat2/resolve_test.c +++ /dev/null @@ -1,523 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Author: Aleksa Sarai - * Copyright (C) 2018-2019 SUSE LLC. - */ - -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include - -#include "kselftest.h" -#include "helpers.h" - -/* - * Construct a test directory with the following structure: - * - * root/ - * |-- procexe -> /proc/self/exe - * |-- procroot -> /proc/self/root - * |-- root/ - * |-- mnt/ [mountpoint] - * | |-- self -> ../mnt/ - * | `-- absself -> /mnt/ - * |-- etc/ - * | `-- passwd - * |-- creatlink -> /newfile3 - * |-- reletc -> etc/ - * |-- relsym -> etc/passwd - * |-- absetc -> /etc/ - * |-- abssym -> /etc/passwd - * |-- abscheeky -> /cheeky - * `-- cheeky/ - * |-- absself -> / - * |-- self -> ../../root/ - * |-- garbageself -> /../../root/ - * |-- passwd -> ../cheeky/../cheeky/../etc/../etc/passwd - * |-- abspasswd -> /../cheeky/../cheeky/../etc/../etc/passwd - * |-- dotdotlink -> ../../../../../../../../../../../../../../etc/passwd - * `-- garbagelink -> /../../../../../../../../../../../../../../etc/passwd - */ -int setup_testdir(void) -{ - int dfd, tmpfd; - char dirname[] = "/tmp/ksft-openat2-testdir.XXXXXX"; - - /* Unshare and make /tmp a new directory. */ - E_unshare(CLONE_NEWNS); - E_mount("", "/tmp", "", MS_PRIVATE, ""); - - /* Make the top-level directory. */ - if (!mkdtemp(dirname)) - ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n"); - dfd = open(dirname, O_PATH | O_DIRECTORY); - if (dfd < 0) - ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n"); - - /* A sub-directory which is actually used for tests. */ - E_mkdirat(dfd, "root", 0755); - tmpfd = openat(dfd, "root", O_PATH | O_DIRECTORY); - if (tmpfd < 0) - ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n"); - close(dfd); - dfd = tmpfd; - - E_symlinkat("/proc/self/exe", dfd, "procexe"); - E_symlinkat("/proc/self/root", dfd, "procroot"); - E_mkdirat(dfd, "root", 0755); - - /* There is no mountat(2), so use chdir. */ - E_mkdirat(dfd, "mnt", 0755); - E_fchdir(dfd); - E_mount("tmpfs", "./mnt", "tmpfs", MS_NOSUID | MS_NODEV, ""); - E_symlinkat("../mnt/", dfd, "mnt/self"); - E_symlinkat("/mnt/", dfd, "mnt/absself"); - - E_mkdirat(dfd, "etc", 0755); - E_touchat(dfd, "etc/passwd"); - - E_symlinkat("/newfile3", dfd, "creatlink"); - E_symlinkat("etc/", dfd, "reletc"); - E_symlinkat("etc/passwd", dfd, "relsym"); - E_symlinkat("/etc/", dfd, "absetc"); - E_symlinkat("/etc/passwd", dfd, "abssym"); - E_symlinkat("/cheeky", dfd, "abscheeky"); - - E_mkdirat(dfd, "cheeky", 0755); - - E_symlinkat("/", dfd, "cheeky/absself"); - E_symlinkat("../../root/", dfd, "cheeky/self"); - E_symlinkat("/../../root/", dfd, "cheeky/garbageself"); - - E_symlinkat("../cheeky/../etc/../etc/passwd", dfd, "cheeky/passwd"); - E_symlinkat("/../cheeky/../etc/../etc/passwd", dfd, "cheeky/abspasswd"); - - E_symlinkat("../../../../../../../../../../../../../../etc/passwd", - dfd, "cheeky/dotdotlink"); - E_symlinkat("/../../../../../../../../../../../../../../etc/passwd", - dfd, "cheeky/garbagelink"); - - return dfd; -} - -struct basic_test { - const char *name; - const char *dir; - const char *path; - struct open_how how; - bool pass; - union { - int err; - const char *path; - } out; -}; - -#define NUM_OPENAT2_OPATH_TESTS 88 - -void test_openat2_opath_tests(void) -{ - int rootfd, hardcoded_fd; - char *procselfexe, *hardcoded_fdpath; - - E_asprintf(&procselfexe, "/proc/%d/exe", getpid()); - rootfd = setup_testdir(); - - hardcoded_fd = open("/dev/null", O_RDONLY); - E_assert(hardcoded_fd >= 0, "open fd to hardcode"); - E_asprintf(&hardcoded_fdpath, "self/fd/%d", hardcoded_fd); - - struct basic_test tests[] = { - /** RESOLVE_BENEATH **/ - /* Attempts to cross dirfd should be blocked. */ - { .name = "[beneath] jump to /", - .path = "/", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] absolute link to $root", - .path = "cheeky/absself", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] chained absolute links to $root", - .path = "abscheeky/absself", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] jump outside $root", - .path = "..", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] temporary jump outside $root", - .path = "../root/", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] symlink temporary jump outside $root", - .path = "cheeky/self", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] chained symlink temporary jump outside $root", - .path = "abscheeky/self", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] garbage links to $root", - .path = "cheeky/garbageself", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] chained garbage links to $root", - .path = "abscheeky/garbageself", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - /* Only relative paths that stay inside dirfd should work. */ - { .name = "[beneath] ordinary path to 'root'", - .path = "root", .how.resolve = RESOLVE_BENEATH, - .out.path = "root", .pass = true }, - { .name = "[beneath] ordinary path to 'etc'", - .path = "etc", .how.resolve = RESOLVE_BENEATH, - .out.path = "etc", .pass = true }, - { .name = "[beneath] ordinary path to 'etc/passwd'", - .path = "etc/passwd", .how.resolve = RESOLVE_BENEATH, - .out.path = "etc/passwd", .pass = true }, - { .name = "[beneath] relative symlink inside $root", - .path = "relsym", .how.resolve = RESOLVE_BENEATH, - .out.path = "etc/passwd", .pass = true }, - { .name = "[beneath] chained-'..' relative symlink inside $root", - .path = "cheeky/passwd", .how.resolve = RESOLVE_BENEATH, - .out.path = "etc/passwd", .pass = true }, - { .name = "[beneath] absolute symlink component outside $root", - .path = "abscheeky/passwd", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] absolute symlink target outside $root", - .path = "abssym", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] absolute path outside $root", - .path = "/etc/passwd", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] cheeky absolute path outside $root", - .path = "cheeky/abspasswd", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] chained cheeky absolute path outside $root", - .path = "abscheeky/abspasswd", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - /* Tricky paths should fail. */ - { .name = "[beneath] tricky '..'-chained symlink outside $root", - .path = "cheeky/dotdotlink", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] tricky absolute + '..'-chained symlink outside $root", - .path = "abscheeky/dotdotlink", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] tricky garbage link outside $root", - .path = "cheeky/garbagelink", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - { .name = "[beneath] tricky absolute + garbage link outside $root", - .path = "abscheeky/garbagelink", .how.resolve = RESOLVE_BENEATH, - .out.err = -EXDEV, .pass = false }, - - /** RESOLVE_IN_ROOT **/ - /* All attempts to cross the dirfd will be scoped-to-root. */ - { .name = "[in_root] jump to /", - .path = "/", .how.resolve = RESOLVE_IN_ROOT, - .out.path = NULL, .pass = true }, - { .name = "[in_root] absolute symlink to /root", - .path = "cheeky/absself", .how.resolve = RESOLVE_IN_ROOT, - .out.path = NULL, .pass = true }, - { .name = "[in_root] chained absolute symlinks to /root", - .path = "abscheeky/absself", .how.resolve = RESOLVE_IN_ROOT, - .out.path = NULL, .pass = true }, - { .name = "[in_root] '..' at root", - .path = "..", .how.resolve = RESOLVE_IN_ROOT, - .out.path = NULL, .pass = true }, - { .name = "[in_root] '../root' at root", - .path = "../root/", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "root", .pass = true }, - { .name = "[in_root] relative symlink containing '..' above root", - .path = "cheeky/self", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "root", .pass = true }, - { .name = "[in_root] garbage link to /root", - .path = "cheeky/garbageself", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "root", .pass = true }, - { .name = "[in_root] chained garbage links to /root", - .path = "abscheeky/garbageself", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "root", .pass = true }, - { .name = "[in_root] relative path to 'root'", - .path = "root", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "root", .pass = true }, - { .name = "[in_root] relative path to 'etc'", - .path = "etc", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc", .pass = true }, - { .name = "[in_root] relative path to 'etc/passwd'", - .path = "etc/passwd", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] relative symlink to 'etc/passwd'", - .path = "relsym", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] chained-'..' relative symlink to 'etc/passwd'", - .path = "cheeky/passwd", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] chained-'..' absolute + relative symlink to 'etc/passwd'", - .path = "abscheeky/passwd", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] absolute symlink to 'etc/passwd'", - .path = "abssym", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] absolute path 'etc/passwd'", - .path = "/etc/passwd", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] cheeky absolute path 'etc/passwd'", - .path = "cheeky/abspasswd", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] chained cheeky absolute path 'etc/passwd'", - .path = "abscheeky/abspasswd", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] tricky '..'-chained symlink outside $root", - .path = "cheeky/dotdotlink", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] tricky absolute + '..'-chained symlink outside $root", - .path = "abscheeky/dotdotlink", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] tricky absolute path + absolute + '..'-chained symlink outside $root", - .path = "/../../../../abscheeky/dotdotlink", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] tricky garbage link outside $root", - .path = "cheeky/garbagelink", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] tricky absolute + garbage link outside $root", - .path = "abscheeky/garbagelink", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - { .name = "[in_root] tricky absolute path + absolute + garbage link outside $root", - .path = "/../../../../abscheeky/garbagelink", .how.resolve = RESOLVE_IN_ROOT, - .out.path = "etc/passwd", .pass = true }, - /* O_CREAT should handle trailing symlinks correctly. */ - { .name = "[in_root] O_CREAT of relative path inside $root", - .path = "newfile1", .how.flags = O_CREAT, - .how.mode = 0700, - .how.resolve = RESOLVE_IN_ROOT, - .out.path = "newfile1", .pass = true }, - { .name = "[in_root] O_CREAT of absolute path", - .path = "/newfile2", .how.flags = O_CREAT, - .how.mode = 0700, - .how.resolve = RESOLVE_IN_ROOT, - .out.path = "newfile2", .pass = true }, - { .name = "[in_root] O_CREAT of tricky symlink outside root", - .path = "/creatlink", .how.flags = O_CREAT, - .how.mode = 0700, - .how.resolve = RESOLVE_IN_ROOT, - .out.path = "newfile3", .pass = true }, - - /** RESOLVE_NO_XDEV **/ - /* Crossing *down* into a mountpoint is disallowed. */ - { .name = "[no_xdev] cross into $mnt", - .path = "mnt", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - { .name = "[no_xdev] cross into $mnt/", - .path = "mnt/", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - { .name = "[no_xdev] cross into $mnt/.", - .path = "mnt/.", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - /* Crossing *up* out of a mountpoint is disallowed. */ - { .name = "[no_xdev] goto mountpoint root", - .dir = "mnt", .path = ".", .how.resolve = RESOLVE_NO_XDEV, - .out.path = "mnt", .pass = true }, - { .name = "[no_xdev] cross up through '..'", - .dir = "mnt", .path = "..", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - { .name = "[no_xdev] temporary cross up through '..'", - .dir = "mnt", .path = "../mnt", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - { .name = "[no_xdev] temporary relative symlink cross up", - .dir = "mnt", .path = "self", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - { .name = "[no_xdev] temporary absolute symlink cross up", - .dir = "mnt", .path = "absself", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - /* Jumping to "/" is ok, but later components cannot cross. */ - { .name = "[no_xdev] jump to / directly", - .dir = "mnt", .path = "/", .how.resolve = RESOLVE_NO_XDEV, - .out.path = "/", .pass = true }, - { .name = "[no_xdev] jump to / (from /) directly", - .dir = "/", .path = "/", .how.resolve = RESOLVE_NO_XDEV, - .out.path = "/", .pass = true }, - { .name = "[no_xdev] jump to / then proc", - .path = "/proc/1", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - { .name = "[no_xdev] jump to / then tmp", - .path = "/tmp", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - /* Magic-links are blocked since they can switch vfsmounts. */ - { .name = "[no_xdev] cross through magic-link to self/root", - .dir = "/proc", .path = "self/root", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - { .name = "[no_xdev] cross through magic-link to self/cwd", - .dir = "/proc", .path = "self/cwd", .how.resolve = RESOLVE_NO_XDEV, - .out.err = -EXDEV, .pass = false }, - /* Except magic-link jumps inside the same vfsmount. */ - { .name = "[no_xdev] jump through magic-link to same procfs", - .dir = "/proc", .path = hardcoded_fdpath, .how.resolve = RESOLVE_NO_XDEV, - .out.path = "/proc", .pass = true, }, - - /** RESOLVE_NO_MAGICLINKS **/ - /* Regular symlinks should work. */ - { .name = "[no_magiclinks] ordinary relative symlink", - .path = "relsym", .how.resolve = RESOLVE_NO_MAGICLINKS, - .out.path = "etc/passwd", .pass = true }, - /* Magic-links should not work. */ - { .name = "[no_magiclinks] symlink to magic-link", - .path = "procexe", .how.resolve = RESOLVE_NO_MAGICLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_magiclinks] normal path to magic-link", - .path = "/proc/self/exe", .how.resolve = RESOLVE_NO_MAGICLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_magiclinks] normal path to magic-link with O_NOFOLLOW", - .path = "/proc/self/exe", .how.flags = O_NOFOLLOW, - .how.resolve = RESOLVE_NO_MAGICLINKS, - .out.path = procselfexe, .pass = true }, - { .name = "[no_magiclinks] symlink to magic-link path component", - .path = "procroot/etc", .how.resolve = RESOLVE_NO_MAGICLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_magiclinks] magic-link path component", - .path = "/proc/self/root/etc", .how.resolve = RESOLVE_NO_MAGICLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_magiclinks] magic-link path component with O_NOFOLLOW", - .path = "/proc/self/root/etc", .how.flags = O_NOFOLLOW, - .how.resolve = RESOLVE_NO_MAGICLINKS, - .out.err = -ELOOP, .pass = false }, - - /** RESOLVE_NO_SYMLINKS **/ - /* Normal paths should work. */ - { .name = "[no_symlinks] ordinary path to '.'", - .path = ".", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.path = NULL, .pass = true }, - { .name = "[no_symlinks] ordinary path to 'root'", - .path = "root", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.path = "root", .pass = true }, - { .name = "[no_symlinks] ordinary path to 'etc'", - .path = "etc", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.path = "etc", .pass = true }, - { .name = "[no_symlinks] ordinary path to 'etc/passwd'", - .path = "etc/passwd", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.path = "etc/passwd", .pass = true }, - /* Regular symlinks are blocked. */ - { .name = "[no_symlinks] relative symlink target", - .path = "relsym", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_symlinks] relative symlink component", - .path = "reletc/passwd", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_symlinks] absolute symlink target", - .path = "abssym", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_symlinks] absolute symlink component", - .path = "absetc/passwd", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_symlinks] cheeky garbage link", - .path = "cheeky/garbagelink", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_symlinks] cheeky absolute + garbage link", - .path = "abscheeky/garbagelink", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_symlinks] cheeky absolute + absolute symlink", - .path = "abscheeky/absself", .how.resolve = RESOLVE_NO_SYMLINKS, - .out.err = -ELOOP, .pass = false }, - /* Trailing symlinks with NO_FOLLOW. */ - { .name = "[no_symlinks] relative symlink with O_NOFOLLOW", - .path = "relsym", .how.flags = O_NOFOLLOW, - .how.resolve = RESOLVE_NO_SYMLINKS, - .out.path = "relsym", .pass = true }, - { .name = "[no_symlinks] absolute symlink with O_NOFOLLOW", - .path = "abssym", .how.flags = O_NOFOLLOW, - .how.resolve = RESOLVE_NO_SYMLINKS, - .out.path = "abssym", .pass = true }, - { .name = "[no_symlinks] trailing symlink with O_NOFOLLOW", - .path = "cheeky/garbagelink", .how.flags = O_NOFOLLOW, - .how.resolve = RESOLVE_NO_SYMLINKS, - .out.path = "cheeky/garbagelink", .pass = true }, - { .name = "[no_symlinks] multiple symlink components with O_NOFOLLOW", - .path = "abscheeky/absself", .how.flags = O_NOFOLLOW, - .how.resolve = RESOLVE_NO_SYMLINKS, - .out.err = -ELOOP, .pass = false }, - { .name = "[no_symlinks] multiple symlink (and garbage link) components with O_NOFOLLOW", - .path = "abscheeky/garbagelink", .how.flags = O_NOFOLLOW, - .how.resolve = RESOLVE_NO_SYMLINKS, - .out.err = -ELOOP, .pass = false }, - }; - - BUILD_BUG_ON(ARRAY_LEN(tests) != NUM_OPENAT2_OPATH_TESTS); - - for (int i = 0; i < ARRAY_LEN(tests); i++) { - int dfd, fd; - char *fdpath = NULL; - bool failed; - void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; - struct basic_test *test = &tests[i]; - - if (!openat2_supported) { - ksft_print_msg("openat2(2) unsupported\n"); - resultfn = ksft_test_result_skip; - goto skip; - } - - /* Auto-set O_PATH. */ - if (!(test->how.flags & O_CREAT)) - test->how.flags |= O_PATH; - - if (test->dir) - dfd = openat(rootfd, test->dir, O_PATH | O_DIRECTORY); - else - dfd = dup(rootfd); - E_assert(dfd, "failed to openat root '%s': %m", test->dir); - - E_dup2(dfd, hardcoded_fd); - - fd = sys_openat2(dfd, test->path, &test->how); - if (test->pass) - failed = (fd < 0 || !fdequal(fd, rootfd, test->out.path)); - else - failed = (fd != test->out.err); - if (fd >= 0) { - fdpath = fdreadlink(fd); - close(fd); - } - close(dfd); - - if (failed) { - resultfn = ksft_test_result_fail; - - ksft_print_msg("openat2 unexpectedly returned "); - if (fdpath) - ksft_print_msg("%d['%s']\n", fd, fdpath); - else - ksft_print_msg("%d (%s)\n", fd, strerror(-fd)); - } - -skip: - if (test->pass) - resultfn("%s gives path '%s'\n", test->name, - test->out.path ?: "."); - else - resultfn("%s fails with %d (%s)\n", test->name, - test->out.err, strerror(-test->out.err)); - - fflush(stdout); - free(fdpath); - } - - free(procselfexe); - close(rootfd); - - free(hardcoded_fdpath); - close(hardcoded_fd); -} - -#define NUM_TESTS NUM_OPENAT2_OPATH_TESTS - -int main(int argc, char **argv) -{ - ksft_print_header(); - ksft_set_plan(NUM_TESTS); - - /* NOTE: We should be checking for CAP_SYS_ADMIN here... */ - if (geteuid() != 0) - ksft_exit_skip("all tests require euid == 0\n"); - - test_openat2_opath_tests(); - - if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) - ksft_exit_fail(); - else - ksft_exit_pass(); -} -- cgit v1.2.3 From d2fcf57ffc3b85b816550b3ee404ffcc83ace16c Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 1 Apr 2026 11:28:03 +1100 Subject: selftests: openat2: move helpers to header This is a bit ugly, but in the next patch we will move to using kselftest_harness.h -- which doesn't play well with being included in multiple compilation units due to duplicate function definitions. Not including kselftest_harness.h would let us avoid this patch, but the helpers will need include kselftest_harness.h in order to switch to TH_LOG. Signed-off-by: Aleksa Sarai Link: https://patch.msgid.link/20260401-openat2-selftests-kunit-v2-2-ad153a07da0c@amutable.com Signed-off-by: Christian Brauner (Amutable) --- .../testing/selftests/filesystems/openat2/Makefile | 2 - .../selftests/filesystems/openat2/helpers.c | 109 ------------------ .../selftests/filesystems/openat2/helpers.h | 125 ++++++++++++++++++--- 3 files changed, 107 insertions(+), 129 deletions(-) delete mode 100644 tools/testing/selftests/filesystems/openat2/helpers.c diff --git a/tools/testing/selftests/filesystems/openat2/Makefile b/tools/testing/selftests/filesystems/openat2/Makefile index f36dedccedb6..7736e37b7986 100644 --- a/tools/testing/selftests/filesystems/openat2/Makefile +++ b/tools/testing/selftests/filesystems/openat2/Makefile @@ -15,5 +15,3 @@ endif LOCAL_HDRS += helpers.h include ../../lib.mk - -$(TEST_GEN_PROGS): helpers.c diff --git a/tools/testing/selftests/filesystems/openat2/helpers.c b/tools/testing/selftests/filesystems/openat2/helpers.c deleted file mode 100644 index 5074681ffdc9..000000000000 --- a/tools/testing/selftests/filesystems/openat2/helpers.c +++ /dev/null @@ -1,109 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Author: Aleksa Sarai - * Copyright (C) 2018-2019 SUSE LLC. - */ - -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include - -#include "helpers.h" - -bool needs_openat2(const struct open_how *how) -{ - return how->resolve != 0; -} - -int raw_openat2(int dfd, const char *path, void *how, size_t size) -{ - int ret = syscall(__NR_openat2, dfd, path, how, size); - return ret >= 0 ? ret : -errno; -} - -int sys_openat2(int dfd, const char *path, struct open_how *how) -{ - return raw_openat2(dfd, path, how, sizeof(*how)); -} - -int sys_openat(int dfd, const char *path, struct open_how *how) -{ - int ret = openat(dfd, path, how->flags, how->mode); - return ret >= 0 ? ret : -errno; -} - -int sys_renameat2(int olddirfd, const char *oldpath, - int newdirfd, const char *newpath, unsigned int flags) -{ - int ret = syscall(__NR_renameat2, olddirfd, oldpath, - newdirfd, newpath, flags); - return ret >= 0 ? ret : -errno; -} - -int touchat(int dfd, const char *path) -{ - int fd = openat(dfd, path, O_CREAT, 0700); - if (fd >= 0) - close(fd); - return fd; -} - -char *fdreadlink(int fd) -{ - char *target, *tmp; - - E_asprintf(&tmp, "/proc/self/fd/%d", fd); - - target = malloc(PATH_MAX); - if (!target) - ksft_exit_fail_msg("fdreadlink: malloc failed\n"); - memset(target, 0, PATH_MAX); - - E_readlink(tmp, target, PATH_MAX); - free(tmp); - return target; -} - -bool fdequal(int fd, int dfd, const char *path) -{ - char *fdpath, *dfdpath, *other; - bool cmp; - - fdpath = fdreadlink(fd); - dfdpath = fdreadlink(dfd); - - if (!path) - E_asprintf(&other, "%s", dfdpath); - else if (*path == '/') - E_asprintf(&other, "%s", path); - else - E_asprintf(&other, "%s/%s", dfdpath, path); - - cmp = !strcmp(fdpath, other); - - free(fdpath); - free(dfdpath); - free(other); - return cmp; -} - -bool openat2_supported = false; - -void __attribute__((constructor)) init(void) -{ - struct open_how how = {}; - int fd; - - BUILD_BUG_ON(sizeof(struct open_how) != OPEN_HOW_SIZE_VER0); - - /* Check openat2(2) support. */ - fd = sys_openat2(AT_FDCWD, ".", &how); - openat2_supported = (fd >= 0); - - if (fd >= 0) - close(fd); -} diff --git a/tools/testing/selftests/filesystems/openat2/helpers.h b/tools/testing/selftests/filesystems/openat2/helpers.h index 510e60602511..975de513af86 100644 --- a/tools/testing/selftests/filesystems/openat2/helpers.h +++ b/tools/testing/selftests/filesystems/openat2/helpers.h @@ -2,6 +2,7 @@ /* * Author: Aleksa Sarai * Copyright (C) 2018-2019 SUSE LLC. + * Copyright (C) 2026 Amutable GmbH */ #ifndef __RESOLVEAT_H__ @@ -11,19 +12,14 @@ #include #include #include +#include #include +#include #include "kselftest.h" #define ARRAY_LEN(X) (sizeof (X) / sizeof (*(X))) #define BUILD_BUG_ON(e) ((void)(sizeof(struct { int:(-!!(e)); }))) -#ifndef SYS_openat2 -#ifndef __NR_openat2 -#define __NR_openat2 437 -#endif /* __NR_openat2 */ -#define SYS_openat2 __NR_openat2 -#endif /* SYS_openat2 */ - /* * Arguments for how openat2(2) should open the target path. If @resolve is * zero, then openat2(2) operates very similarly to openat(2). @@ -45,8 +41,6 @@ struct open_how { #define OPEN_HOW_SIZE_VER0 24 /* sizeof first published struct */ #define OPEN_HOW_SIZE_LATEST OPEN_HOW_SIZE_VER0 -bool needs_openat2(const struct open_how *how); - #ifndef RESOLVE_IN_ROOT /* how->resolve flags for openat2(2). */ #define RESOLVE_NO_XDEV 0x01 /* Block mount-point crossings @@ -93,16 +87,111 @@ bool needs_openat2(const struct open_how *how); __FILE__, __LINE__, #expr, ##__VA_ARGS__); \ } while (0) -int raw_openat2(int dfd, const char *path, void *how, size_t size); -int sys_openat2(int dfd, const char *path, struct open_how *how); -int sys_openat(int dfd, const char *path, struct open_how *how); -int sys_renameat2(int olddirfd, const char *oldpath, - int newdirfd, const char *newpath, unsigned int flags); +__maybe_unused +static bool needs_openat2(const struct open_how *how) +{ + return how->resolve != 0; +} + +__maybe_unused +static int raw_openat2(int dfd, const char *path, void *how, size_t size) +{ + int ret = syscall(__NR_openat2, dfd, path, how, size); + + return ret >= 0 ? ret : -errno; +} + +__maybe_unused +static int sys_openat2(int dfd, const char *path, struct open_how *how) +{ + return raw_openat2(dfd, path, how, sizeof(*how)); +} + +__maybe_unused +static int sys_openat(int dfd, const char *path, struct open_how *how) +{ + int ret = openat(dfd, path, how->flags, how->mode); + + return ret >= 0 ? ret : -errno; +} + +__maybe_unused +static int sys_renameat2(int olddirfd, const char *oldpath, + int newdirfd, const char *newpath, unsigned int flags) +{ + int ret = syscall(__NR_renameat2, olddirfd, oldpath, + newdirfd, newpath, flags); + + return ret >= 0 ? ret : -errno; +} + +__maybe_unused +static int touchat(int dfd, const char *path) +{ + int fd = openat(dfd, path, O_CREAT, 0700); + + if (fd >= 0) + close(fd); + return fd; +} + +__maybe_unused +static char *fdreadlink(int fd) +{ + char *target, *tmp; + + E_asprintf(&tmp, "/proc/self/fd/%d", fd); + + target = malloc(PATH_MAX); + if (!target) + ksft_exit_fail_msg("fdreadlink: malloc failed\n"); + memset(target, 0, PATH_MAX); + + E_readlink(tmp, target, PATH_MAX); + free(tmp); + return target; +} + +__maybe_unused +static bool fdequal(int fd, int dfd, const char *path) +{ + char *fdpath, *dfdpath, *other; + bool cmp; + + fdpath = fdreadlink(fd); + dfdpath = fdreadlink(dfd); + + if (!path) + E_asprintf(&other, "%s", dfdpath); + else if (*path == '/') + E_asprintf(&other, "%s", path); + else + E_asprintf(&other, "%s/%s", dfdpath, path); + + cmp = !strcmp(fdpath, other); + + free(fdpath); + free(dfdpath); + free(other); + return cmp; +} + +static bool openat2_supported = false; + +__attribute__((constructor)) +static void __detect_openat2_supported(void) +{ + struct open_how how = {}; + int fd; + + BUILD_BUG_ON(sizeof(struct open_how) != OPEN_HOW_SIZE_VER0); -int touchat(int dfd, const char *path); -char *fdreadlink(int fd); -bool fdequal(int fd, int dfd, const char *path); + /* Check openat2(2) support. */ + fd = sys_openat2(AT_FDCWD, ".", &how); + openat2_supported = (fd >= 0); -extern bool openat2_supported; + if (fd >= 0) + close(fd); +} #endif /* __RESOLVEAT_H__ */ -- cgit v1.2.3 From 582c904573a63eac7ecbac1a285899ffbf0d43ac Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 1 Apr 2026 11:28:04 +1100 Subject: selftests: openat2: switch from custom ARRAY_LEN to ARRAY_SIZE For whatever reason, the original version of the tests used a custom version of ARRAY_SIZE, but ARRAY_SIZE works just as well. Signed-off-by: Aleksa Sarai Link: https://patch.msgid.link/20260401-openat2-selftests-kunit-v2-3-ad153a07da0c@amutable.com Signed-off-by: Christian Brauner (Amutable) --- tools/testing/selftests/filesystems/openat2/helpers.h | 1 - tools/testing/selftests/filesystems/openat2/openat2_test.c | 12 ++++++------ tools/testing/selftests/filesystems/openat2/resolve_test.c | 4 ++-- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/tools/testing/selftests/filesystems/openat2/helpers.h b/tools/testing/selftests/filesystems/openat2/helpers.h index 975de513af86..f56c0c6e3ad1 100644 --- a/tools/testing/selftests/filesystems/openat2/helpers.h +++ b/tools/testing/selftests/filesystems/openat2/helpers.h @@ -17,7 +17,6 @@ #include #include "kselftest.h" -#define ARRAY_LEN(X) (sizeof (X) / sizeof (*(X))) #define BUILD_BUG_ON(e) ((void)(sizeof(struct { int:(-!!(e)); }))) /* diff --git a/tools/testing/selftests/filesystems/openat2/openat2_test.c b/tools/testing/selftests/filesystems/openat2/openat2_test.c index 0e161ef9e9e4..c6c26652ac1b 100644 --- a/tools/testing/selftests/filesystems/openat2/openat2_test.c +++ b/tools/testing/selftests/filesystems/openat2/openat2_test.c @@ -83,14 +83,14 @@ void test_openat2_struct(void) .size = sizeof(struct open_how_ext), .err = -E2BIG }, }; - BUILD_BUG_ON(ARRAY_LEN(misalignments) != NUM_OPENAT2_STRUCT_VARIATIONS); - BUILD_BUG_ON(ARRAY_LEN(tests) != NUM_OPENAT2_STRUCT_TESTS); + BUILD_BUG_ON(ARRAY_SIZE(misalignments) != NUM_OPENAT2_STRUCT_VARIATIONS); + BUILD_BUG_ON(ARRAY_SIZE(tests) != NUM_OPENAT2_STRUCT_TESTS); - for (int i = 0; i < ARRAY_LEN(tests); i++) { + for (int i = 0; i < ARRAY_SIZE(tests); i++) { struct struct_test *test = &tests[i]; struct open_how_ext how_ext = test->arg; - for (int j = 0; j < ARRAY_LEN(misalignments); j++) { + for (int j = 0; j < ARRAY_SIZE(misalignments); j++) { int fd, misalign = misalignments[j]; char *fdpath = NULL; bool failed; @@ -241,9 +241,9 @@ void test_openat2_flags(void) .how.resolve = 0, .err = -EINVAL }, }; - BUILD_BUG_ON(ARRAY_LEN(tests) != NUM_OPENAT2_FLAG_TESTS); + BUILD_BUG_ON(ARRAY_SIZE(tests) != NUM_OPENAT2_FLAG_TESTS); - for (int i = 0; i < ARRAY_LEN(tests); i++) { + for (int i = 0; i < ARRAY_SIZE(tests); i++) { int fd, fdflags = -1; char *path, *fdpath = NULL; bool failed = false; diff --git a/tools/testing/selftests/filesystems/openat2/resolve_test.c b/tools/testing/selftests/filesystems/openat2/resolve_test.c index a76ef15ceb90..f7acb4300641 100644 --- a/tools/testing/selftests/filesystems/openat2/resolve_test.c +++ b/tools/testing/selftests/filesystems/openat2/resolve_test.c @@ -436,9 +436,9 @@ void test_openat2_opath_tests(void) .out.err = -ELOOP, .pass = false }, }; - BUILD_BUG_ON(ARRAY_LEN(tests) != NUM_OPENAT2_OPATH_TESTS); + BUILD_BUG_ON(ARRAY_SIZE(tests) != NUM_OPENAT2_OPATH_TESTS); - for (int i = 0; i < ARRAY_LEN(tests); i++) { + for (int i = 0; i < ARRAY_SIZE(tests); i++) { int dfd, fd; char *fdpath = NULL; bool failed; -- cgit v1.2.3 From 215be76e025d1311acd6eafc5cfd444974f0f30e Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 1 Apr 2026 11:28:05 +1100 Subject: selftests: openat2: migrate to kselftest harness These tests were written in the early days of selftests' TAP support, the more modern kselftest harness is much easier to follow and maintain. The actual contents of the tests are unchanged by this change. Most of the diff involves switching from the E_* syscall wrappers we previously used to ASSERT_EQ(fn(...), 0) in tests and helper functions. The first pass of the migration was done using Claude, followed by a manual rework and review. Assisted-by: Claude:claude-4.6-opus Signed-off-by: Aleksa Sarai Link: https://patch.msgid.link/20260401-openat2-selftests-kunit-v2-4-ad153a07da0c@amutable.com Signed-off-by: Christian Brauner (Amutable) --- .../selftests/filesystems/openat2/helpers.h | 62 +--- .../selftests/filesystems/openat2/openat2_test.c | 217 ++++++------ .../filesystems/openat2/rename_attack_test.c | 161 +++++---- .../selftests/filesystems/openat2/resolve_test.c | 368 ++++++++++++--------- 4 files changed, 396 insertions(+), 412 deletions(-) diff --git a/tools/testing/selftests/filesystems/openat2/helpers.h b/tools/testing/selftests/filesystems/openat2/helpers.h index f56c0c6e3ad1..7ca54c718c45 100644 --- a/tools/testing/selftests/filesystems/openat2/helpers.h +++ b/tools/testing/selftests/filesystems/openat2/helpers.h @@ -15,7 +15,7 @@ #include #include #include -#include "kselftest.h" +#include "kselftest_harness.h" #define BUILD_BUG_ON(e) ((void)(sizeof(struct { int:(-!!(e)); }))) @@ -56,36 +56,6 @@ struct open_how { (similar to chroot(2)). */ #endif /* RESOLVE_IN_ROOT */ -#define E_func(func, ...) \ - do { \ - errno = 0; \ - if (func(__VA_ARGS__) < 0) \ - ksft_exit_fail_msg("%s:%d %s failed - errno:%d\n", \ - __FILE__, __LINE__, #func, errno); \ - } while (0) - -#define E_asprintf(...) E_func(asprintf, __VA_ARGS__) -#define E_chmod(...) E_func(chmod, __VA_ARGS__) -#define E_dup2(...) E_func(dup2, __VA_ARGS__) -#define E_fchdir(...) E_func(fchdir, __VA_ARGS__) -#define E_fstatat(...) E_func(fstatat, __VA_ARGS__) -#define E_kill(...) E_func(kill, __VA_ARGS__) -#define E_mkdirat(...) E_func(mkdirat, __VA_ARGS__) -#define E_mount(...) E_func(mount, __VA_ARGS__) -#define E_prctl(...) E_func(prctl, __VA_ARGS__) -#define E_readlink(...) E_func(readlink, __VA_ARGS__) -#define E_setresuid(...) E_func(setresuid, __VA_ARGS__) -#define E_symlinkat(...) E_func(symlinkat, __VA_ARGS__) -#define E_touchat(...) E_func(touchat, __VA_ARGS__) -#define E_unshare(...) E_func(unshare, __VA_ARGS__) - -#define E_assert(expr, msg, ...) \ - do { \ - if (!(expr)) \ - ksft_exit_fail_msg("ASSERT(%s:%d) failed (%s): " msg "\n", \ - __FILE__, __LINE__, #expr, ##__VA_ARGS__); \ - } while (0) - __maybe_unused static bool needs_openat2(const struct open_how *how) { @@ -135,37 +105,39 @@ static int touchat(int dfd, const char *path) } __maybe_unused -static char *fdreadlink(int fd) +static char *fdreadlink(struct __test_metadata *_metadata, int fd) { char *target, *tmp; - E_asprintf(&tmp, "/proc/self/fd/%d", fd); + ASSERT_GT(asprintf(&tmp, "/proc/self/fd/%d", fd), 0); target = malloc(PATH_MAX); - if (!target) - ksft_exit_fail_msg("fdreadlink: malloc failed\n"); + ASSERT_NE(target, NULL); memset(target, 0, PATH_MAX); - E_readlink(tmp, target, PATH_MAX); + ASSERT_GT(readlink(tmp, target, PATH_MAX), 0); + free(tmp); return target; } __maybe_unused -static bool fdequal(int fd, int dfd, const char *path) +static bool fdequal(struct __test_metadata *_metadata, int fd, + int dfd, const char *path) { char *fdpath, *dfdpath, *other; bool cmp; - fdpath = fdreadlink(fd); - dfdpath = fdreadlink(dfd); + fdpath = fdreadlink(_metadata, fd); + dfdpath = fdreadlink(_metadata, dfd); - if (!path) - E_asprintf(&other, "%s", dfdpath); - else if (*path == '/') - E_asprintf(&other, "%s", path); - else - E_asprintf(&other, "%s/%s", dfdpath, path); + if (!path) { + ASSERT_GT(asprintf(&other, "%s", dfdpath), 0); + } else if (*path == '/') { + ASSERT_GT(asprintf(&other, "%s", path), 0); + } else { + ASSERT_GT(asprintf(&other, "%s/%s", dfdpath, path), 0); + } cmp = !strcmp(fdpath, other); diff --git a/tools/testing/selftests/filesystems/openat2/openat2_test.c b/tools/testing/selftests/filesystems/openat2/openat2_test.c index c6c26652ac1b..5ea3eebb7b59 100644 --- a/tools/testing/selftests/filesystems/openat2/openat2_test.c +++ b/tools/testing/selftests/filesystems/openat2/openat2_test.c @@ -15,8 +15,8 @@ #include #include -#include "kselftest.h" #include "helpers.h" +#include "kselftest_harness.h" /* * O_LARGEFILE is set to 0 by glibc. @@ -45,13 +45,29 @@ struct struct_test { int err; }; -#define NUM_OPENAT2_STRUCT_TESTS 7 -#define NUM_OPENAT2_STRUCT_VARIATIONS 13 +struct flag_test { + const char *name; + struct open_how how; + int err; +}; + +FIXTURE(openat2) {}; -void test_openat2_struct(void) +FIXTURE_SETUP(openat2) { - int misalignments[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 17, 87 }; + if (!openat2_supported) + SKIP(return, "openat2(2) not supported"); +} + +FIXTURE_TEARDOWN(openat2) {} +/* + * Verify that the struct size and misalignment handling for openat2(2) is + * correct, including that is_zeroed_user() works. + */ +TEST_F(openat2, struct_argument_sizes) +{ + int misalignments[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 17, 87 }; struct struct_test tests[] = { /* Normal struct. */ { .name = "normal struct", @@ -83,26 +99,14 @@ void test_openat2_struct(void) .size = sizeof(struct open_how_ext), .err = -E2BIG }, }; - BUILD_BUG_ON(ARRAY_SIZE(misalignments) != NUM_OPENAT2_STRUCT_VARIATIONS); - BUILD_BUG_ON(ARRAY_SIZE(tests) != NUM_OPENAT2_STRUCT_TESTS); - for (int i = 0; i < ARRAY_SIZE(tests); i++) { struct struct_test *test = &tests[i]; struct open_how_ext how_ext = test->arg; for (int j = 0; j < ARRAY_SIZE(misalignments); j++) { int fd, misalign = misalignments[j]; - char *fdpath = NULL; - bool failed; - void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; - void *copy = NULL, *how_copy = &how_ext; - - if (!openat2_supported) { - ksft_print_msg("openat2(2) unsupported\n"); - resultfn = ksft_test_result_skip; - goto skip; - } + char *fdpath = NULL; if (misalign) { /* @@ -119,50 +123,42 @@ void test_openat2_struct(void) } fd = raw_openat2(AT_FDCWD, ".", how_copy, test->size); - if (test->err >= 0) - failed = (fd < 0); - else - failed = (fd != test->err); if (fd >= 0) { - fdpath = fdreadlink(fd); + fdpath = fdreadlink(_metadata, fd); close(fd); } - if (failed) { - resultfn = ksft_test_result_fail; - - ksft_print_msg("openat2 unexpectedly returned "); - if (fdpath) - ksft_print_msg("%d['%s']\n", fd, fdpath); - else - ksft_print_msg("%d (%s)\n", fd, strerror(-fd)); + if (test->err >= 0) { + EXPECT_GE(fd, 0) { + TH_LOG("openat2 with %s [misalign=%d] should succeed, got %d (%s)", + test->name, misalign, + fd, strerror(-fd)); + } + } else { + EXPECT_EQ(test->err, fd) { + if (fdpath) + TH_LOG("openat2 with %s [misalign=%d] should fail with %d (%s), got %d['%s']", + test->name, misalign, + test->err, + strerror(-test->err), + fd, fdpath); + else + TH_LOG("openat2 with %s [misalign=%d] should fail with %d (%s), got %d (%s)", + test->name, misalign, + test->err, + strerror(-test->err), + fd, strerror(-fd)); + } } -skip: - if (test->err >= 0) - resultfn("openat2 with %s argument [misalign=%d] succeeds\n", - test->name, misalign); - else - resultfn("openat2 with %s argument [misalign=%d] fails with %d (%s)\n", - test->name, misalign, test->err, - strerror(-test->err)); - free(copy); free(fdpath); - fflush(stdout); } } } -struct flag_test { - const char *name; - struct open_how how; - int err; -}; - -#define NUM_OPENAT2_FLAG_TESTS 25 - -void test_openat2_flags(void) +/* Verify openat2(2) flag and mode validation. */ +TEST_F(openat2, flag_validation) { struct flag_test tests[] = { /* O_TMPFILE is incompatible with O_PATH and O_CREAT. */ @@ -241,20 +237,10 @@ void test_openat2_flags(void) .how.resolve = 0, .err = -EINVAL }, }; - BUILD_BUG_ON(ARRAY_SIZE(tests) != NUM_OPENAT2_FLAG_TESTS); - for (int i = 0; i < ARRAY_SIZE(tests); i++) { int fd, fdflags = -1; char *path, *fdpath = NULL; - bool failed = false; struct flag_test *test = &tests[i]; - void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; - - if (!openat2_supported) { - ksft_print_msg("openat2(2) unsupported\n"); - resultfn = ksft_test_result_skip; - goto skip; - } path = (test->how.flags & O_CREAT) ? "/tmp/ksft.openat2_tmpfile" : "."; unlink(path); @@ -265,74 +251,63 @@ void test_openat2_flags(void) * Skip the testcase if it failed because not supported * by FS. (e.g. a valid O_TMPFILE combination on NFS) */ - ksft_test_result_skip("openat2 with %s fails with %d (%s)\n", - test->name, fd, strerror(-fd)); - goto next; + TH_LOG("openat2 with %s not supported by FS -- skipping", + test->name); + continue; } - if (test->err >= 0) - failed = (fd < 0); - else - failed = (fd != test->err); - if (fd >= 0) { - int otherflags; - - fdpath = fdreadlink(fd); - fdflags = fcntl(fd, F_GETFL); - otherflags = fcntl(fd, F_GETFD); - close(fd); - - E_assert(fdflags >= 0, "fcntl F_GETFL of new fd"); - E_assert(otherflags >= 0, "fcntl F_GETFD of new fd"); - - /* O_CLOEXEC isn't shown in F_GETFL. */ - if (otherflags & FD_CLOEXEC) - fdflags |= O_CLOEXEC; - /* O_CREAT is hidden from F_GETFL. */ - if (test->how.flags & O_CREAT) - fdflags |= O_CREAT; - if (!(test->how.flags & O_LARGEFILE)) - fdflags &= ~O_LARGEFILE; - failed |= (fdflags != test->how.flags); - } + if (test->err >= 0) { + EXPECT_GE(fd, 0) { + TH_LOG("openat2 with %s should succeed, got %d (%s)", + test->name, fd, strerror(-fd)); + } + if (fd >= 0) { + int otherflags; - if (failed) { - resultfn = ksft_test_result_fail; + fdpath = fdreadlink(_metadata, fd); + fdflags = fcntl(fd, F_GETFL); + otherflags = fcntl(fd, F_GETFD); + close(fd); - ksft_print_msg("openat2 unexpectedly returned "); - if (fdpath) - ksft_print_msg("%d['%s'] with %X (!= %llX)\n", - fd, fdpath, fdflags, - test->how.flags); - else - ksft_print_msg("%d (%s)\n", fd, strerror(-fd)); + ASSERT_GE(fdflags, 0); + ASSERT_GE(otherflags, 0); + + /* O_CLOEXEC isn't shown in F_GETFL. */ + if (otherflags & FD_CLOEXEC) + fdflags |= O_CLOEXEC; + /* O_CREAT is hidden from F_GETFL. */ + if (test->how.flags & O_CREAT) + fdflags |= O_CREAT; + if (!(test->how.flags & O_LARGEFILE)) + fdflags &= ~O_LARGEFILE; + + EXPECT_EQ(fdflags, (int)test->how.flags) { + TH_LOG("openat2 with %s: flags mismatch %X != %llX", + test->name, fdflags, + (unsigned long long)test->how.flags); + } + } + } else { + EXPECT_EQ(test->err, fd) { + if (fd >= 0) { + fdpath = fdreadlink(_metadata, fd); + TH_LOG("openat2 with %s should fail with %d (%s), got %d['%s']", + test->name, test->err, + strerror(-test->err), + fd, fdpath); + } else { + TH_LOG("openat2 with %s should fail with %d (%s), got %d (%s)", + test->name, test->err, + strerror(-test->err), + fd, strerror(-fd)); + } + } + if (fd >= 0) + close(fd); } -skip: - if (test->err >= 0) - resultfn("openat2 with %s succeeds\n", test->name); - else - resultfn("openat2 with %s fails with %d (%s)\n", - test->name, test->err, strerror(-test->err)); -next: free(fdpath); - fflush(stdout); } } -#define NUM_TESTS (NUM_OPENAT2_STRUCT_VARIATIONS * NUM_OPENAT2_STRUCT_TESTS + \ - NUM_OPENAT2_FLAG_TESTS) - -int main(int argc, char **argv) -{ - ksft_print_header(); - ksft_set_plan(NUM_TESTS); - - test_openat2_struct(); - test_openat2_flags(); - - if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) - ksft_exit_fail(); - else - ksft_exit_pass(); -} +TEST_HARNESS_MAIN diff --git a/tools/testing/selftests/filesystems/openat2/rename_attack_test.c b/tools/testing/selftests/filesystems/openat2/rename_attack_test.c index aa5699e45729..1f33c34f56be 100644 --- a/tools/testing/selftests/filesystems/openat2/rename_attack_test.c +++ b/tools/testing/selftests/filesystems/openat2/rename_attack_test.c @@ -22,44 +22,21 @@ #include #include -#include "kselftest.h" #include "helpers.h" +#include "kselftest_harness.h" -/* Construct a test directory with the following structure: - * - * root/ - * |-- a/ - * | `-- c/ - * `-- b/ - */ -int setup_testdir(void) -{ - int dfd; - char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX"; - - /* Make the top-level directory. */ - if (!mkdtemp(dirname)) - ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n"); - dfd = open(dirname, O_PATH | O_DIRECTORY); - if (dfd < 0) - ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n"); - - E_mkdirat(dfd, "a", 0755); - E_mkdirat(dfd, "b", 0755); - E_mkdirat(dfd, "a/c", 0755); - - return dfd; -} +#define ROUNDS 400000 /* Swap @dirfd/@a and @dirfd/@b constantly. Parent must kill this process. */ -pid_t spawn_attack(int dirfd, char *a, char *b) +pid_t spawn_attack(struct __test_metadata *_metadata, + int dirfd, char *a, char *b) { pid_t child = fork(); if (child != 0) return child; /* If the parent (the test process) dies, kill ourselves too. */ - E_prctl(PR_SET_PDEATHSIG, SIGKILL); + ASSERT_EQ(prctl(PR_SET_PDEATHSIG, SIGKILL), 0); /* Swap @a and @b. */ for (;;) @@ -67,52 +44,90 @@ pid_t spawn_attack(int dirfd, char *a, char *b) exit(1); } -#define NUM_RENAME_TESTS 2 -#define ROUNDS 400000 +/* + * Construct a test directory with the following structure: + * + * root/ + * |-- a/ + * | `-- c/ + * `-- b/ + */ +FIXTURE(rename_attack) { + int dfd; + int afd; + pid_t child; +}; -const char *flagname(int resolve) +FIXTURE_SETUP(rename_attack) { - switch (resolve) { - case RESOLVE_IN_ROOT: - return "RESOLVE_IN_ROOT"; - case RESOLVE_BENEATH: - return "RESOLVE_BENEATH"; - } - return "(unknown)"; + char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX"; + + self->dfd = -1; + self->afd = -1; + self->child = 0; + + /* Make the top-level directory. */ + ASSERT_NE(mkdtemp(dirname), NULL); + self->dfd = open(dirname, O_PATH | O_DIRECTORY); + ASSERT_GE(self->dfd, 0); + + ASSERT_EQ(mkdirat(self->dfd, "a", 0755), 0); + ASSERT_EQ(mkdirat(self->dfd, "b", 0755), 0); + ASSERT_EQ(mkdirat(self->dfd, "a/c", 0755), 0); + + self->afd = openat(self->dfd, "a", O_PATH); + ASSERT_GE(self->afd, 0); + + self->child = spawn_attack(_metadata, self->dfd, "a/c", "b"); + ASSERT_GT(self->child, 0); } -void test_rename_attack(int resolve) +FIXTURE_TEARDOWN(rename_attack) { - int dfd, afd; - pid_t child; - void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; - int escapes = 0, other_errs = 0, exdevs = 0, eagains = 0, successes = 0; + if (self->child > 0) + kill(self->child, SIGKILL); + if (self->afd >= 0) + close(self->afd); + if (self->dfd >= 0) + close(self->dfd); +} + +FIXTURE_VARIANT(rename_attack) { + int resolve; + const char *name; +}; +FIXTURE_VARIANT_ADD(rename_attack, resolve_beneath) { + .resolve = RESOLVE_BENEATH, + .name = "RESOLVE_BENEATH", +}; + +FIXTURE_VARIANT_ADD(rename_attack, resolve_in_root) { + .resolve = RESOLVE_IN_ROOT, + .name = "RESOLVE_IN_ROOT", +}; + +TEST_F_TIMEOUT(rename_attack, test, 120) +{ + int escapes = 0, successes = 0, other_errs = 0, exdevs = 0, eagains = 0; + char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../.."; struct open_how how = { .flags = O_PATH, - .resolve = resolve, + .resolve = variant->resolve, }; if (!openat2_supported) { how.resolve = 0; - ksft_print_msg("openat2(2) unsupported -- using openat(2) instead\n"); + TH_LOG("openat2(2) unsupported -- using openat(2) instead"); } - dfd = setup_testdir(); - afd = openat(dfd, "a", O_PATH); - if (afd < 0) - ksft_exit_fail_msg("test_rename_attack: failed to open 'a'\n"); - - child = spawn_attack(dfd, "a/c", "b"); - for (int i = 0; i < ROUNDS; i++) { int fd; - char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../.."; if (openat2_supported) - fd = sys_openat2(afd, victim_path, &how); + fd = sys_openat2(self->afd, victim_path, &how); else - fd = sys_openat(afd, victim_path, &how); + fd = sys_openat(self->afd, victim_path, &how); if (fd < 0) { if (fd == -EAGAIN) @@ -124,37 +139,21 @@ void test_rename_attack(int resolve) else other_errs++; /* unexpected error */ } else { - if (fdequal(fd, afd, NULL)) + if (fdequal(_metadata, fd, self->afd, NULL)) successes++; else escapes++; /* we got an unexpected fd */ } - close(fd); + if (fd >= 0) + close(fd); } - if (escapes > 0) - resultfn = ksft_test_result_fail; - ksft_print_msg("non-escapes: EAGAIN=%d EXDEV=%d E=%d success=%d\n", - eagains, exdevs, other_errs, successes); - resultfn("rename attack with %s (%d runs, got %d escapes)\n", - flagname(resolve), ROUNDS, escapes); - - /* Should be killed anyway, but might as well make sure. */ - E_kill(child, SIGKILL); + TH_LOG("non-escapes: EAGAIN=%d EXDEV=%d E=%d success=%d", + eagains, exdevs, other_errs, successes); + ASSERT_EQ(escapes, 0) { + TH_LOG("rename attack with %s (%d runs, got %d escapes)", + variant->name, ROUNDS, escapes); + } } -#define NUM_TESTS NUM_RENAME_TESTS - -int main(int argc, char **argv) -{ - ksft_print_header(); - ksft_set_plan(NUM_TESTS); - - test_rename_attack(RESOLVE_BENEATH); - test_rename_attack(RESOLVE_IN_ROOT); - - if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) - ksft_exit_fail(); - else - ksft_exit_pass(); -} +TEST_HARNESS_MAIN diff --git a/tools/testing/selftests/filesystems/openat2/resolve_test.c b/tools/testing/selftests/filesystems/openat2/resolve_test.c index f7acb4300641..eacde59ce158 100644 --- a/tools/testing/selftests/filesystems/openat2/resolve_test.c +++ b/tools/testing/selftests/filesystems/openat2/resolve_test.c @@ -14,8 +14,81 @@ #include #include -#include "kselftest.h" #include "helpers.h" +#include "kselftest_harness.h" + +struct resolve_test { + const char *name; + const char *dir; + const char *path; + struct open_how how; + bool pass; + union { + int err; + const char *path; + } out; +}; + +/* + * Verify a single resolve test case. This must be called from within a TEST_F + * function with _metadata in scope. + */ +static void verify_resolve_test(struct __test_metadata *_metadata, + int rootfd, int hardcoded_fd, + const struct resolve_test *test) +{ + struct open_how how = test->how; + int dfd, fd; + char *fdpath = NULL; + + /* Auto-set O_PATH. */ + if (!(how.flags & O_CREAT)) + how.flags |= O_PATH; + + if (test->dir) + dfd = openat(rootfd, test->dir, O_PATH | O_DIRECTORY); + else + dfd = dup(rootfd); + ASSERT_GE(dfd, 0) TH_LOG("failed to open dir '%s': %m", test->dir ?: "."); + ASSERT_EQ(dup2(dfd, hardcoded_fd), hardcoded_fd); + + fd = sys_openat2(dfd, test->path, &how); + + if (test->pass) { + EXPECT_GE(fd, 0) { + TH_LOG("%s: expected success, got %d (%s)", + test->name, fd, strerror(-fd)); + } + if (fd >= 0) { + EXPECT_TRUE(fdequal(_metadata, fd, rootfd, test->out.path)) { + fdpath = fdreadlink(_metadata, fd); + TH_LOG("%s: wrong path '%s', expected '%s'", + test->name, fdpath, + test->out.path ?: "."); + free(fdpath); + } + } + } else { + EXPECT_EQ(test->out.err, fd) { + if (fd >= 0) { + fdpath = fdreadlink(_metadata, fd); + TH_LOG("%s: expected %d (%s), got %d['%s']", + test->name, test->out.err, + strerror(-test->out.err), fd, fdpath); + free(fdpath); + } else { + TH_LOG("%s: expected %d (%s), got %d (%s)", + test->name, test->out.err, + strerror(-test->out.err), + fd, strerror(-fd)); + } + } + } + + if (fd >= 0) + close(fd); + close(dfd); +} /* * Construct a test directory with the following structure: @@ -39,101 +112,110 @@ * |-- absself -> / * |-- self -> ../../root/ * |-- garbageself -> /../../root/ - * |-- passwd -> ../cheeky/../cheeky/../etc/../etc/passwd - * |-- abspasswd -> /../cheeky/../cheeky/../etc/../etc/passwd + * |-- passwd -> ../cheeky/../etc/../etc/passwd + * |-- abspasswd -> /../cheeky/../etc/../etc/passwd * |-- dotdotlink -> ../../../../../../../../../../../../../../etc/passwd * `-- garbagelink -> /../../../../../../../../../../../../../../etc/passwd */ -int setup_testdir(void) +FIXTURE(openat2_resolve) { + int rootfd; + int hardcoded_fd; + char *hardcoded_fdpath; + char *procselfexe; +}; + +FIXTURE_SETUP(openat2_resolve) { - int dfd, tmpfd; char dirname[] = "/tmp/ksft-openat2-testdir.XXXXXX"; + int dfd, tmpfd; + + self->rootfd = -1; + self->hardcoded_fd = -1; + self->hardcoded_fdpath = NULL; + self->procselfexe = NULL; + + /* NOTE: We should be checking for CAP_SYS_ADMIN here... */ + if (geteuid() != 0) + SKIP(return, "all tests require euid == 0"); + if (!openat2_supported) + SKIP(return, "openat2(2) not supported"); /* Unshare and make /tmp a new directory. */ - E_unshare(CLONE_NEWNS); - E_mount("", "/tmp", "", MS_PRIVATE, ""); + ASSERT_EQ(unshare(CLONE_NEWNS), 0); + ASSERT_EQ(mount("", "/tmp", "", MS_PRIVATE, ""), 0); /* Make the top-level directory. */ - if (!mkdtemp(dirname)) - ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n"); + ASSERT_NE(mkdtemp(dirname), NULL); dfd = open(dirname, O_PATH | O_DIRECTORY); - if (dfd < 0) - ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n"); + ASSERT_GE(dfd, 0); /* A sub-directory which is actually used for tests. */ - E_mkdirat(dfd, "root", 0755); + ASSERT_EQ(mkdirat(dfd, "root", 0755), 0); tmpfd = openat(dfd, "root", O_PATH | O_DIRECTORY); - if (tmpfd < 0) - ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n"); + ASSERT_GE(tmpfd, 0); close(dfd); dfd = tmpfd; - E_symlinkat("/proc/self/exe", dfd, "procexe"); - E_symlinkat("/proc/self/root", dfd, "procroot"); - E_mkdirat(dfd, "root", 0755); + ASSERT_EQ(symlinkat("/proc/self/exe", dfd, "procexe"), 0); + ASSERT_EQ(symlinkat("/proc/self/root", dfd, "procroot"), 0); + ASSERT_EQ(mkdirat(dfd, "root", 0755), 0); /* There is no mountat(2), so use chdir. */ - E_mkdirat(dfd, "mnt", 0755); - E_fchdir(dfd); - E_mount("tmpfs", "./mnt", "tmpfs", MS_NOSUID | MS_NODEV, ""); - E_symlinkat("../mnt/", dfd, "mnt/self"); - E_symlinkat("/mnt/", dfd, "mnt/absself"); - - E_mkdirat(dfd, "etc", 0755); - E_touchat(dfd, "etc/passwd"); - - E_symlinkat("/newfile3", dfd, "creatlink"); - E_symlinkat("etc/", dfd, "reletc"); - E_symlinkat("etc/passwd", dfd, "relsym"); - E_symlinkat("/etc/", dfd, "absetc"); - E_symlinkat("/etc/passwd", dfd, "abssym"); - E_symlinkat("/cheeky", dfd, "abscheeky"); - - E_mkdirat(dfd, "cheeky", 0755); - - E_symlinkat("/", dfd, "cheeky/absself"); - E_symlinkat("../../root/", dfd, "cheeky/self"); - E_symlinkat("/../../root/", dfd, "cheeky/garbageself"); - - E_symlinkat("../cheeky/../etc/../etc/passwd", dfd, "cheeky/passwd"); - E_symlinkat("/../cheeky/../etc/../etc/passwd", dfd, "cheeky/abspasswd"); - - E_symlinkat("../../../../../../../../../../../../../../etc/passwd", - dfd, "cheeky/dotdotlink"); - E_symlinkat("/../../../../../../../../../../../../../../etc/passwd", - dfd, "cheeky/garbagelink"); - - return dfd; + ASSERT_EQ(mkdirat(dfd, "mnt", 0755), 0); + ASSERT_EQ(fchdir(dfd), 0); + ASSERT_EQ(mount("tmpfs", "./mnt", "tmpfs", MS_NOSUID | MS_NODEV, ""), 0); + ASSERT_EQ(symlinkat("../mnt/", dfd, "mnt/self"), 0); + ASSERT_EQ(symlinkat("/mnt/", dfd, "mnt/absself"), 0); + + ASSERT_EQ(mkdirat(dfd, "etc", 0755), 0); + ASSERT_GE(touchat(dfd, "etc/passwd"), 0); + + ASSERT_EQ(symlinkat("/newfile3", dfd, "creatlink"), 0); + ASSERT_EQ(symlinkat("etc/", dfd, "reletc"), 0); + ASSERT_EQ(symlinkat("etc/passwd", dfd, "relsym"), 0); + ASSERT_EQ(symlinkat("/etc/", dfd, "absetc"), 0); + ASSERT_EQ(symlinkat("/etc/passwd", dfd, "abssym"), 0); + ASSERT_EQ(symlinkat("/cheeky", dfd, "abscheeky"), 0); + + ASSERT_EQ(mkdirat(dfd, "cheeky", 0755), 0); + + ASSERT_EQ(symlinkat("/", dfd, "cheeky/absself"), 0); + ASSERT_EQ(symlinkat("../../root/", dfd, "cheeky/self"), 0); + ASSERT_EQ(symlinkat("/../../root/", dfd, "cheeky/garbageself"), 0); + + ASSERT_EQ(symlinkat("../cheeky/../etc/../etc/passwd", + dfd, "cheeky/passwd"), 0); + ASSERT_EQ(symlinkat("/../cheeky/../etc/../etc/passwd", + dfd, "cheeky/abspasswd"), 0); + + ASSERT_EQ(symlinkat("../../../../../../../../../../../../../../etc/passwd", + dfd, "cheeky/dotdotlink"), 0); + ASSERT_EQ(symlinkat("/../../../../../../../../../../../../../../etc/passwd", + dfd, "cheeky/garbagelink"), 0); + + self->rootfd = dfd; + + self->hardcoded_fd = open("/dev/null", O_RDONLY); + ASSERT_GE(self->hardcoded_fd, 0); + ASSERT_GE(asprintf(&self->hardcoded_fdpath, "self/fd/%d", + self->hardcoded_fd), 0); + ASSERT_GE(asprintf(&self->procselfexe, "/proc/%d/exe", getpid()), 0); } -struct basic_test { - const char *name; - const char *dir; - const char *path; - struct open_how how; - bool pass; - union { - int err; - const char *path; - } out; -}; - -#define NUM_OPENAT2_OPATH_TESTS 88 - -void test_openat2_opath_tests(void) +FIXTURE_TEARDOWN(openat2_resolve) { - int rootfd, hardcoded_fd; - char *procselfexe, *hardcoded_fdpath; - - E_asprintf(&procselfexe, "/proc/%d/exe", getpid()); - rootfd = setup_testdir(); - - hardcoded_fd = open("/dev/null", O_RDONLY); - E_assert(hardcoded_fd >= 0, "open fd to hardcode"); - E_asprintf(&hardcoded_fdpath, "self/fd/%d", hardcoded_fd); + free(self->procselfexe); + free(self->hardcoded_fdpath); + if (self->hardcoded_fd >= 0) + close(self->hardcoded_fd); + if (self->rootfd >= 0) + close(self->rootfd); +} - struct basic_test tests[] = { - /** RESOLVE_BENEATH **/ +/* Attempts to cross the dirfd should be blocked with -EXDEV. */ +TEST_F(openat2_resolve, resolve_beneath) +{ + struct resolve_test tests[] = { /* Attempts to cross dirfd should be blocked. */ { .name = "[beneath] jump to /", .path = "/", .how.resolve = RESOLVE_BENEATH, @@ -206,9 +288,17 @@ void test_openat2_opath_tests(void) { .name = "[beneath] tricky absolute + garbage link outside $root", .path = "abscheeky/garbagelink", .how.resolve = RESOLVE_BENEATH, .out.err = -EXDEV, .pass = false }, + }; + + for (int i = 0; i < ARRAY_SIZE(tests); i++) + verify_resolve_test(_metadata, self->rootfd, + self->hardcoded_fd, &tests[i]); +} - /** RESOLVE_IN_ROOT **/ - /* All attempts to cross the dirfd will be scoped-to-root. */ +/* All attempts to cross the dirfd will be scoped-to-root. */ +TEST_F(openat2_resolve, resolve_in_root) +{ + struct resolve_test tests[] = { { .name = "[in_root] jump to /", .path = "/", .how.resolve = RESOLVE_IN_ROOT, .out.path = NULL, .pass = true }, @@ -297,8 +387,17 @@ void test_openat2_opath_tests(void) .how.mode = 0700, .how.resolve = RESOLVE_IN_ROOT, .out.path = "newfile3", .pass = true }, + }; - /** RESOLVE_NO_XDEV **/ + for (int i = 0; i < ARRAY_SIZE(tests); i++) + verify_resolve_test(_metadata, self->rootfd, + self->hardcoded_fd, &tests[i]); +} + +/* Crossing mount boundaries should be blocked. */ +TEST_F(openat2_resolve, resolve_no_xdev) +{ + struct resolve_test tests[] = { /* Crossing *down* into a mountpoint is disallowed. */ { .name = "[no_xdev] cross into $mnt", .path = "mnt", .how.resolve = RESOLVE_NO_XDEV, @@ -347,10 +446,19 @@ void test_openat2_opath_tests(void) .out.err = -EXDEV, .pass = false }, /* Except magic-link jumps inside the same vfsmount. */ { .name = "[no_xdev] jump through magic-link to same procfs", - .dir = "/proc", .path = hardcoded_fdpath, .how.resolve = RESOLVE_NO_XDEV, - .out.path = "/proc", .pass = true, }, + .dir = "/proc", .path = self->hardcoded_fdpath, .how.resolve = RESOLVE_NO_XDEV, + .out.path = "/proc", .pass = true, }, + }; + + for (int i = 0; i < ARRAY_SIZE(tests); i++) + verify_resolve_test(_metadata, self->rootfd, + self->hardcoded_fd, &tests[i]); +} - /** RESOLVE_NO_MAGICLINKS **/ +/* Procfs-style magic-link resolution should be blocked. */ +TEST_F(openat2_resolve, resolve_no_magiclinks) +{ + struct resolve_test tests[] = { /* Regular symlinks should work. */ { .name = "[no_magiclinks] ordinary relative symlink", .path = "relsym", .how.resolve = RESOLVE_NO_MAGICLINKS, @@ -365,7 +473,7 @@ void test_openat2_opath_tests(void) { .name = "[no_magiclinks] normal path to magic-link with O_NOFOLLOW", .path = "/proc/self/exe", .how.flags = O_NOFOLLOW, .how.resolve = RESOLVE_NO_MAGICLINKS, - .out.path = procselfexe, .pass = true }, + .out.path = self->procselfexe, .pass = true }, { .name = "[no_magiclinks] symlink to magic-link path component", .path = "procroot/etc", .how.resolve = RESOLVE_NO_MAGICLINKS, .out.err = -ELOOP, .pass = false }, @@ -376,8 +484,17 @@ void test_openat2_opath_tests(void) .path = "/proc/self/root/etc", .how.flags = O_NOFOLLOW, .how.resolve = RESOLVE_NO_MAGICLINKS, .out.err = -ELOOP, .pass = false }, + }; + + for (int i = 0; i < ARRAY_SIZE(tests); i++) + verify_resolve_test(_metadata, self->rootfd, + self->hardcoded_fd, &tests[i]); +} - /** RESOLVE_NO_SYMLINKS **/ +/* All symlink resolution should be blocked. */ +TEST_F(openat2_resolve, resolve_no_symlinks) +{ + struct resolve_test tests[] = { /* Normal paths should work. */ { .name = "[no_symlinks] ordinary path to '.'", .path = ".", .how.resolve = RESOLVE_NO_SYMLINKS, @@ -436,88 +553,9 @@ void test_openat2_opath_tests(void) .out.err = -ELOOP, .pass = false }, }; - BUILD_BUG_ON(ARRAY_SIZE(tests) != NUM_OPENAT2_OPATH_TESTS); - - for (int i = 0; i < ARRAY_SIZE(tests); i++) { - int dfd, fd; - char *fdpath = NULL; - bool failed; - void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; - struct basic_test *test = &tests[i]; - - if (!openat2_supported) { - ksft_print_msg("openat2(2) unsupported\n"); - resultfn = ksft_test_result_skip; - goto skip; - } - - /* Auto-set O_PATH. */ - if (!(test->how.flags & O_CREAT)) - test->how.flags |= O_PATH; - - if (test->dir) - dfd = openat(rootfd, test->dir, O_PATH | O_DIRECTORY); - else - dfd = dup(rootfd); - E_assert(dfd, "failed to openat root '%s': %m", test->dir); - - E_dup2(dfd, hardcoded_fd); - - fd = sys_openat2(dfd, test->path, &test->how); - if (test->pass) - failed = (fd < 0 || !fdequal(fd, rootfd, test->out.path)); - else - failed = (fd != test->out.err); - if (fd >= 0) { - fdpath = fdreadlink(fd); - close(fd); - } - close(dfd); - - if (failed) { - resultfn = ksft_test_result_fail; - - ksft_print_msg("openat2 unexpectedly returned "); - if (fdpath) - ksft_print_msg("%d['%s']\n", fd, fdpath); - else - ksft_print_msg("%d (%s)\n", fd, strerror(-fd)); - } - -skip: - if (test->pass) - resultfn("%s gives path '%s'\n", test->name, - test->out.path ?: "."); - else - resultfn("%s fails with %d (%s)\n", test->name, - test->out.err, strerror(-test->out.err)); - - fflush(stdout); - free(fdpath); - } - - free(procselfexe); - close(rootfd); - - free(hardcoded_fdpath); - close(hardcoded_fd); + for (int i = 0; i < ARRAY_SIZE(tests); i++) + verify_resolve_test(_metadata, self->rootfd, + self->hardcoded_fd, &tests[i]); } -#define NUM_TESTS NUM_OPENAT2_OPATH_TESTS - -int main(int argc, char **argv) -{ - ksft_print_header(); - ksft_set_plan(NUM_TESTS); - - /* NOTE: We should be checking for CAP_SYS_ADMIN here... */ - if (geteuid() != 0) - ksft_exit_skip("all tests require euid == 0\n"); - - test_openat2_opath_tests(); - - if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) - ksft_exit_fail(); - else - ksft_exit_pass(); -} +TEST_HARNESS_MAIN -- cgit v1.2.3