| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 27 Aug 2022 19:48:25 +0200
From: Günther Noack <gnoack3000@...il.com>
To: Xiu Jianfeng <xiujianfeng@...wei.com>
Cc: mic@...ikod.net, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com, shuah@...nel.org, corbet@....net,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
linux-doc@...r.kernel.org
Subject: Re: [PATCH -next v2 4/6] landlock/selftests: add selftests for chmod
and chown
On Sat, Aug 27, 2022 at 07:12:13PM +0800, Xiu Jianfeng wrote:
> The following APIs are tested with simple scenarios.
> 1. chmod/fchmod/fchmodat;
> 2. chmod/fchmod/lchown/fchownat;
>
> The key point is that set these access rights on a directory but only for
> its content, not the directory itself. this scenario is covered.
>
> Signed-off-by: Xiu Jianfeng <xiujianfeng@...wei.com>
> ---
> tools/testing/selftests/landlock/fs_test.c | 261 +++++++++++++++++++++
> 1 file changed, 261 insertions(+)
>
> diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
> index f513cd8d9d51..982cb824967c 100644
> --- a/tools/testing/selftests/landlock/fs_test.c
> +++ b/tools/testing/selftests/landlock/fs_test.c
> @@ -3272,6 +3272,267 @@ TEST_F_FORK(layout1, truncate)
> EXPECT_EQ(0, test_creat(file_in_dir_w));
> }
>
> +/* Invokes chmod(2) and returns its errno or 0. */
> +static int test_chmod(const char *const path, mode_t mode)
> +{
> + if (chmod(path, mode) < 0)
> + return errno;
> + return 0;
> +}
Nice, this is much simpler than in the last revision :)
> +
> +/* Invokes fchmod(2) and returns its errno or 0. */
> +static int test_fchmod(int fd, mode_t mode)
> +{
> + if (fchmod(fd, mode) < 0)
> + return errno;
> + return 0;
> +}
> +
> +/* Invokes fchmodat(2) and returns its errno or 0. */
> +static int test_fchmodat(int dirfd, const char *path, mode_t mode, int flags)
Nitpick: Some of these functions have path arguments declared as
const char *path
and others as
const char *const path
-- would be nice to stay consistent.
> +{
> + if (fchmodat(dirfd, path, mode, flags) < 0)
> + return errno;
> + return 0;
> +}
> +
> +/* Invokes chown(2) and returns its errno or 0. */
> +static int test_chown(const char *path, uid_t uid, gid_t gid)
> +{
> + if (chown(path, uid, gid) < 0)
> + return errno;
> + return 0;
> +}
> +
> +/* Invokes fchown(2) and returns its errno or 0. */
> +static int test_fchown(int fd, uid_t uid, gid_t gid)
> +{
> + if (fchown(fd, uid, gid) < 0)
> + return errno;
> + return 0;
> +}
> +
> +/* Invokes lchown(2) and returns its errno or 0. */
> +static int test_lchown(const char *path, uid_t uid, gid_t gid)
> +{
> + if (lchown(path, uid, gid) < 0)
> + return errno;
> + return 0;
> +}
> +
> +/* Invokes fchownat(2) and returns its errno or 0. */
> +static int test_fchownat(int dirfd, const char *path,
> + uid_t uid, gid_t gid, int flags)
> +{
> + if (fchownat(dirfd, path, uid, gid, flags) < 0)
> + return errno;
> + return 0;
> +}
> +
> +TEST_F_FORK(layout1, unhandled_chmod)
> +{
> + int ruleset_fd, file1_fd;
> + const char *file1 = file1_s1d1;
> + const char *file2 = file2_s1d1;
> + const char *dir1 = dir_s1d1;
I'd suggest to name these kinds of variables according to the rights
that are granted on these files and directories, for example as as
w_file and rw_file. (Then, when looking at the EXPECT_EQ checks below,
you don't need to jump back up to the start of the test to remember
which of the rights is being tested.)
Nitpick: The same remark as above about the 'const' modifier applies
here as well. The rest of the file uses "const char *const varname".
> + const struct rule rules[] = {
> + {
> + .path = file1,
> + .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
> + },
> + {
> + .path = file2,
> + .access = LANDLOCK_ACCESS_FS_READ_FILE |
> + LANDLOCK_ACCESS_FS_WRITE_FILE,
> + },
> + {
> + .path = dir1,
> + .access = ACCESS_RW,
> + },
> + {},
> + };
> +
> + ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
> + ASSERT_LE(0, ruleset_fd);
> + file1_fd = open(file1, O_WRONLY | O_CLOEXEC);
> + ASSERT_LE(0, file1_fd);
> +
> + enforce_ruleset(_metadata, ruleset_fd);
> + ASSERT_EQ(0, close(ruleset_fd));
> +
> + EXPECT_EQ(0, test_chmod(file1, 0400));
> + EXPECT_EQ(0, test_fchmod(file1_fd, 0400));
> + EXPECT_EQ(0, test_fchmodat(AT_FDCWD, file1, 0400, 0));
> + EXPECT_EQ(0, test_chmod(file2, 0400));
> + EXPECT_EQ(0, test_chmod(dir1, 0700));
> + ASSERT_EQ(0, close(file1_fd));
> +}
> +
> +TEST_F_FORK(layout1, chmod)
> +{
> + int ruleset_fd, file1_fd;
> + const char *file1 = file1_s1d1;
> + const char *file2 = file2_s1d1;
> + const char *file3 = file1_s2d1;
> + const char *dir1 = dir_s1d1;
> + const char *dir2 = dir_s2d1;
> + const struct rule rules[] = {
> + {
> + .path = file1,
> + .access = LANDLOCK_ACCESS_FS_WRITE_FILE |
> + LANDLOCK_ACCESS_FS_CHMOD,
> + },
> + {
> + .path = file2,
> + .access = LANDLOCK_ACCESS_FS_READ_FILE |
> + LANDLOCK_ACCESS_FS_WRITE_FILE,
> + },
> + {
> + .path = dir1,
> + .access = ACCESS_RW,
> + },
> + {
> + .path = dir2,
> + .access = ACCESS_RW | LANDLOCK_ACCESS_FS_CHMOD,
> + },
> + {},
> + };
> +
> + ruleset_fd = create_ruleset(_metadata, ACCESS_RW | LANDLOCK_ACCESS_FS_CHMOD, rules);
> + ASSERT_LE(0, ruleset_fd);
> + file1_fd = open(file1, O_WRONLY | O_CLOEXEC);
> + ASSERT_LE(0, file1_fd);
> +
> + enforce_ruleset(_metadata, ruleset_fd);
> + ASSERT_EQ(0, close(ruleset_fd));
> +
> + EXPECT_EQ(0, test_chmod(file1, 0400));
> + EXPECT_EQ(0, test_fchmod(file1_fd, 0400));
> + EXPECT_EQ(0, test_fchmodat(AT_FDCWD, file1, 0400, 0));
> + EXPECT_EQ(EACCES, test_chmod(file2, 0400));
> + EXPECT_EQ(EACCES, test_chmod(dir1, 0700));
> + /* set CHMOD right on dir will only affect its context not dir itself*/
> + EXPECT_EQ(0, test_chmod(file3, 0400));
> + EXPECT_EQ(0, test_fchmodat(AT_FDCWD, file3, 0400, 0));
> + EXPECT_EQ(EACCES, test_chmod(dir2, 0700));
> + EXPECT_EQ(EACCES, test_fchmodat(AT_FDCWD, dir2, 0700, 0));
> + ASSERT_EQ(0, close(file1_fd));
> +}
> +
> +TEST_F_FORK(layout1, unhandled_chown)
> +{
> + int ruleset_fd, file1_fd;
> + const char *file1 = file1_s1d1;
> + const char *file2 = file2_s1d1;
> + const char *dir1 = dir_s1d1;
> + const struct rule rules[] = {
> + {
> + .path = file1,
> + .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
> + },
> + {
> + .path = file2,
> + .access = LANDLOCK_ACCESS_FS_READ_FILE |
> + LANDLOCK_ACCESS_FS_WRITE_FILE,
> + },
> + {
> + .path = dir1,
> + .access = ACCESS_RW,
> + },
> + {},
> + };
> + struct stat st;
> + uid_t uid;
> + gid_t gid;
> +
> + ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
> + ASSERT_LE(0, ruleset_fd);
> + file1_fd = open(file1, O_WRONLY | O_CLOEXEC);
> + ASSERT_LE(0, file1_fd);
> + /*
> + * there is no CAP_CHOWN when the testcases framework setup,
> + * and we cannot assume the testcases are run as root, to make
> + * sure {f}chown syscall won't fail, get the original uid/gid and
> + * use them in test_{f}chown.
> + */
> + ASSERT_EQ(0, stat(dir1, &st));
> + uid = st.st_uid;
> + gid = st.st_gid;
> +
> + enforce_ruleset(_metadata, ruleset_fd);
> + ASSERT_EQ(0, close(ruleset_fd));
> +
> + EXPECT_EQ(0, test_chown(file1, uid, gid));
> + EXPECT_EQ(0, test_fchown(file1_fd, uid, gid));
> + EXPECT_EQ(0, test_lchown(file1, uid, gid));
> + EXPECT_EQ(0, test_fchownat(AT_FDCWD, file1, uid, gid, 0));
> + EXPECT_EQ(0, test_chown(file2, uid, gid));
> + EXPECT_EQ(0, test_chown(dir1, uid, gid));
> + ASSERT_EQ(0, close(file1_fd));
> +}
> +
> +TEST_F_FORK(layout1, chown)
> +{
> + int ruleset_fd, file1_fd;
> + const char *file1 = file1_s1d1;
> + const char *file2 = file2_s1d1;
> + const char *file3 = file1_s2d1;
> + const char *dir1 = dir_s1d1;
> + const char *dir2 = dir_s2d1;
> + const struct rule rules[] = {
> + {
> + .path = file1,
> + .access = LANDLOCK_ACCESS_FS_WRITE_FILE |
> + LANDLOCK_ACCESS_FS_CHGRP,
> + },
> + {
> + .path = file2,
> + .access = LANDLOCK_ACCESS_FS_READ_FILE |
> + LANDLOCK_ACCESS_FS_WRITE_FILE,
> + },
> + {
> + .path = dir1,
> + .access = ACCESS_RW,
> + },
> + {
> + .path = dir2,
> + .access = ACCESS_RW | LANDLOCK_ACCESS_FS_CHGRP,
> + },
> + {},
> + };
> + struct stat st;
> + uid_t uid;
> + gid_t gid;
> +
> + ruleset_fd = create_ruleset(_metadata, ACCESS_RW | LANDLOCK_ACCESS_FS_CHGRP, rules);
> + ASSERT_LE(0, ruleset_fd);
> + file1_fd = open(file1, O_WRONLY | O_CLOEXEC);
> + ASSERT_LE(0, file1_fd);
> + /*
> + * there is no CAP_CHOWN when the testcases framework setup,
> + * and we cannot assume the testcases are run as root, to make
> + * sure {f}chown syscall won't fail, get the original uid/gid and
> + * use them in test_{f}chown.
> + */
> + ASSERT_EQ(0, stat(dir1, &st));
> + uid = st.st_uid;
> + gid = st.st_gid;
> +
> + enforce_ruleset(_metadata, ruleset_fd);
> + ASSERT_EQ(0, close(ruleset_fd));
> +
> + EXPECT_EQ(0, test_chown(file1, uid, gid));
> + EXPECT_EQ(0, test_fchown(file1_fd, uid, gid));
> + EXPECT_EQ(0, test_lchown(file1, uid, gid));
> + EXPECT_EQ(0, test_fchownat(AT_FDCWD, file1, uid, gid, 0));
> + EXPECT_EQ(EACCES, test_chown(file2, uid, gid));
> + EXPECT_EQ(EACCES, test_chown(dir1, uid, gid));
> + /* set CHOWN right on dir will only affect its context not dir itself*/
> + EXPECT_EQ(0, test_chown(file3, uid, gid));
> + EXPECT_EQ(EACCES, test_chown(dir2, uid, gid));
> + ASSERT_EQ(0, close(file1_fd));
> +}
> +
> /* clang-format off */
> FIXTURE(layout1_bind) {};
> /* clang-format on */
> --
> 2.17.1
>
--
Powered by blists - more mailing lists