48 static ssize_t fd2name(int fd, char *buf, size_t bufsize)
54 	size = snprintf(buf1, PATH_MAX, "/proc/self/fd/%d", fd);
56 		printf("snprintf(%d) failed on %m\n", fd);
74 	int r, fd;
76 	fd = sys_memfd_create(name, flags);
77 	if (fd < 0) {
83 	r = ftruncate(fd, sz);
89 	return fd;
94 	int fd = open("/proc/sys/vm/memfd_noexec", O_WRONLY | O_CLOEXEC);
96 	if (fd < 0) {
101 	if (write(fd, val, strlen(val)) < 0) {
109 	int fd = open("/proc/sys/vm/memfd_noexec", O_WRONLY | O_CLOEXEC);
111 	if (fd < 0) {
116 	if (write(fd, val, strlen(val)) >= 0) {
126 	int fd = open("/proc/sys/vm/memfd_noexec", O_RDONLY | O_CLOEXEC);
128 	if (fd < 0) {
133 	if (read(fd, buf, sizeof(buf)) < 0) {
152 	int fd;
155 	sprintf(path, "/proc/self/fd/%d", fd_in);
157 	fd = open(path, O_RDWR);
158 	if (fd < 0) {
159 		printf("re-open of existing fd %d failed\n", fd_in);
163 	return fd;
179 static unsigned int mfd_assert_get_seals(int fd)
183 	r = fcntl(fd, F_GET_SEALS);
185 		printf("GET_SEALS(%d) failed: %m\n", fd);
192 static void mfd_assert_has_seals(int fd, unsigned int seals)
196 	fd2name(fd, buf, PATH_MAX);
198 	s = mfd_assert_get_seals(fd);
205 static void mfd_assert_add_seals(int fd, unsigned int seals)
210 	s = mfd_assert_get_seals(fd);
211 	r = fcntl(fd, F_ADD_SEALS, seals);
213 		printf("ADD_SEALS(%d, %u -> %u) failed: %m\n", fd, s, seals);
218 static void mfd_fail_add_seals(int fd, unsigned int seals)
223 	r = fcntl(fd, F_GET_SEALS);
229 	r = fcntl(fd, F_ADD_SEALS, seals);
232 				fd, s, seals);
237 static void mfd_assert_size(int fd, size_t size)
242 	r = fstat(fd, &st);
244 		printf("fstat(%d) failed: %m\n", fd);
253 static int mfd_assert_dup(int fd)
257 	r = dup(fd);
259 		printf("dup(%d) failed: %m\n", fd);
266 static void *mfd_assert_mmap_shared(int fd)
274 		 fd,
284 static void *mfd_assert_mmap_private(int fd)
292 		 fd,
302 static int mfd_assert_open(int fd, int flags, mode_t mode)
307 	sprintf(buf, "/proc/self/fd/%d", fd);
317 static void mfd_fail_open(int fd, int flags, mode_t mode)
322 	sprintf(buf, "/proc/self/fd/%d", fd);
330 static void mfd_assert_read(int fd)
336 	l = read(fd, buf, sizeof(buf));
347 		 fd,
360 		 fd,
370 static void mfd_assert_read_shared(int fd)
379 		 fd,
388 static void mfd_assert_fork_private_write(int fd)
397 		 fd,
422 static void mfd_assert_write(int fd)
434 		l = write(fd, "\0\0\0\0", 4);
446 		 fd,
460 		 fd,
475 		 fd,
492 	r = fallocate(fd,
502 static void mfd_fail_write(int fd)
509 	l = write(fd, "data", 4);
520 		 fd,
532 		 fd,
545 		 fd,
557 	r = fallocate(fd,
567 static void mfd_assert_shrink(int fd)
571 	r = ftruncate(fd, mfd_def_size / 2);
577 	mfd_assert_size(fd, mfd_def_size / 2);
579 	fd2 = mfd_assert_open(fd,
584 	mfd_assert_size(fd, 0);
587 static void mfd_fail_shrink(int fd)
591 	r = ftruncate(fd, mfd_def_size / 2);
597 	mfd_fail_open(fd,
602 static void mfd_assert_grow(int fd)
606 	r = ftruncate(fd, mfd_def_size * 2);
612 	mfd_assert_size(fd, mfd_def_size * 2);
614 	r = fallocate(fd,
623 	mfd_assert_size(fd, mfd_def_size * 4);
626 static void mfd_fail_grow(int fd)
630 	r = ftruncate(fd, mfd_def_size * 2);
636 	r = fallocate(fd,
646 static void mfd_assert_grow_write(int fd)
661 	l = pwrite(fd, buf, mfd_def_size * 8, 0);
667 	mfd_assert_size(fd, mfd_def_size * 8);
670 static void mfd_fail_grow_write(int fd)
685 	l = pwrite(fd, buf, mfd_def_size * 8, 0);
692 static void mfd_assert_mode(int fd, int mode)
697 	fd2name(fd, buf, PATH_MAX);
699 	if (fstat(fd, &st) < 0) {
711 static void mfd_assert_chmod(int fd, int mode)
715 	fd2name(fd, buf, PATH_MAX);
717 	if (fchmod(fd, mode) < 0) {
722 	mfd_assert_mode(fd, mode);
725 static void mfd_fail_chmod(int fd, int mode)
730 	fd2name(fd, buf, PATH_MAX);
732 	if (fstat(fd, &st) < 0) {
737 	if (fchmod(fd, mode) == 0) {
744 	mfd_assert_mode(fd, st.st_mode & 07777);
821 	int fd;
838 	fd = mfd_assert_new("", 0, 0);
839 	close(fd);
852 	fd = mfd_assert_new("", 0, MFD_CLOEXEC);
853 	close(fd);
856 	fd = mfd_assert_new("", 0, MFD_ALLOW_SEALING);
857 	close(fd);
860 	fd = mfd_assert_new("", 0, MFD_ALLOW_SEALING | MFD_CLOEXEC);
861 	close(fd);
870 	int fd;
874 	fd = mfd_assert_new("kern_memfd_basic",
879 	mfd_assert_has_seals(fd, 0);
880 	mfd_assert_add_seals(fd, F_SEAL_SHRINK |
882 	mfd_assert_has_seals(fd, F_SEAL_SHRINK |
886 	mfd_assert_add_seals(fd, F_SEAL_SHRINK |
888 	mfd_assert_has_seals(fd, F_SEAL_SHRINK |
892 	mfd_assert_add_seals(fd, F_SEAL_GROW | F_SEAL_SEAL);
893 	mfd_assert_has_seals(fd, F_SEAL_SHRINK |
899 	mfd_fail_add_seals(fd, F_SEAL_GROW);
900 	mfd_fail_add_seals(fd, 0);
902 	close(fd);
905 	fd = mfd_assert_new("kern_memfd_basic",
908 	mfd_assert_has_seals(fd, F_SEAL_SEAL);
909 	mfd_fail_add_seals(fd, F_SEAL_SHRINK |
912 	mfd_assert_has_seals(fd, F_SEAL_SEAL);
913 	close(fd);
922 	int fd;
926 	fd = mfd_assert_new("kern_memfd_seal_write",
929 	mfd_assert_has_seals(fd, 0);
930 	mfd_assert_add_seals(fd, F_SEAL_WRITE);
931 	mfd_assert_has_seals(fd, F_SEAL_WRITE);
933 	mfd_assert_read(fd);
934 	mfd_fail_write(fd);
935 	mfd_assert_shrink(fd);
936 	mfd_assert_grow(fd);
937 	mfd_fail_grow_write(fd);
939 	close(fd);
948 	int fd, fd2;
953 	fd = mfd_assert_new("kern_memfd_seal_future_write",
957 	p = mfd_assert_mmap_shared(fd);
959 	mfd_assert_has_seals(fd, 0);
961 	mfd_assert_add_seals(fd, F_SEAL_FUTURE_WRITE);
962 	mfd_assert_has_seals(fd, F_SEAL_FUTURE_WRITE);
965 	mfd_assert_read(fd);
966 	mfd_assert_read_shared(fd);
967 	mfd_fail_write(fd);
969 	fd2 = mfd_assert_reopen_fd(fd);
975 	mfd_assert_fork_private_write(fd);
979 	close(fd);
988 	int fd;
992 	fd = mfd_assert_new("kern_memfd_seal_shrink",
995 	mfd_assert_has_seals(fd, 0);
996 	mfd_assert_add_seals(fd, F_SEAL_SHRINK);
997 	mfd_assert_has_seals(fd, F_SEAL_SHRINK);
999 	mfd_assert_read(fd);
1000 	mfd_assert_write(fd);
1001 	mfd_fail_shrink(fd);
1002 	mfd_assert_grow(fd);
1003 	mfd_assert_grow_write(fd);
1005 	close(fd);
1014 	int fd;
1018 	fd = mfd_assert_new("kern_memfd_seal_grow",
1021 	mfd_assert_has_seals(fd, 0);
1022 	mfd_assert_add_seals(fd, F_SEAL_GROW);
1023 	mfd_assert_has_seals(fd, F_SEAL_GROW);
1025 	mfd_assert_read(fd);
1026 	mfd_assert_write(fd);
1027 	mfd_assert_shrink(fd);
1028 	mfd_fail_grow(fd);
1029 	mfd_fail_grow_write(fd);
1031 	close(fd);
1040 	int fd;
1044 	fd = mfd_assert_new("kern_memfd_seal_resize",
1047 	mfd_assert_has_seals(fd, 0);
1048 	mfd_assert_add_seals(fd, F_SEAL_SHRINK | F_SEAL_GROW);
1049 	mfd_assert_has_seals(fd, F_SEAL_SHRINK | F_SEAL_GROW);
1051 	mfd_assert_read(fd);
1052 	mfd_assert_write(fd);
1053 	mfd_fail_shrink(fd);
1054 	mfd_fail_grow(fd);
1055 	mfd_fail_grow_write(fd);
1057 	close(fd);
1062  * Test fd is created with exec and allow sealing.
1067 	int fd;
1072 	fd = mfd_assert_new("kern_memfd_seal_exec",
1076 	mfd_assert_mode(fd, 0777);
1077 	mfd_assert_chmod(fd, 0644);
1079 	mfd_assert_has_seals(fd, 0);
1080 	mfd_assert_add_seals(fd, F_SEAL_EXEC);
1081 	mfd_assert_has_seals(fd, F_SEAL_EXEC);
1083 	mfd_assert_chmod(fd, 0600);
1084 	mfd_fail_chmod(fd, 0777);
1085 	mfd_fail_chmod(fd, 0670);
1086 	mfd_fail_chmod(fd, 0605);
1087 	mfd_fail_chmod(fd, 0700);
1088 	mfd_fail_chmod(fd, 0100);
1089 	mfd_assert_chmod(fd, 0666);
1090 	mfd_assert_write(fd);
1091 	close(fd);
1094 	fd = mfd_assert_new("kern_memfd_seal_exec",
1098 	mfd_assert_mode(fd, 0777);
1099 	mfd_assert_chmod(fd, 0700);
1101 	mfd_assert_has_seals(fd, 0);
1102 	mfd_assert_add_seals(fd, F_SEAL_EXEC);
1103 	mfd_assert_has_seals(fd, F_WX_SEALS);
1105 	mfd_fail_chmod(fd, 0711);
1106 	mfd_fail_chmod(fd, 0600);
1107 	mfd_fail_write(fd);
1108 	close(fd);
1113  * Test fd is created with exec and not allow sealing.
1117 	int fd;
1122 	fd = mfd_assert_new("kern_memfd_exec_no_sealing",
1125 	mfd_assert_mode(fd, 0777);
1126 	mfd_assert_has_seals(fd, F_SEAL_SEAL);
1127 	mfd_assert_chmod(fd, 0666);
1128 	close(fd);
1136 	int fd;
1141 	fd = mfd_assert_new("kern_memfd_noexec",
1144 	mfd_assert_mode(fd, 0666);
1145 	mfd_assert_has_seals(fd, F_SEAL_EXEC);
1146 	mfd_fail_chmod(fd, 0777);
1147 	close(fd);
1150 	fd = mfd_assert_new("kern_memfd_noexec",
1153 	mfd_assert_mode(fd, 0666);
1154 	mfd_assert_has_seals(fd, F_SEAL_EXEC);
1155 	mfd_fail_chmod(fd, 0777);
1156 	close(fd);
1161 	int fd;
1165 	fd = mfd_assert_new("kern_memfd_sysctl_0_dfl",
1168 	mfd_assert_mode(fd, 0777);
1169 	mfd_assert_has_seals(fd, 0);
1170 	mfd_assert_chmod(fd, 0644);
1171 	close(fd);
1182 	int fd;
1186 	fd = mfd_assert_new("kern_memfd_sysctl_1_dfl",
1189 	mfd_assert_mode(fd, 0666);
1190 	mfd_assert_has_seals(fd, F_SEAL_EXEC);
1191 	mfd_fail_chmod(fd, 0777);
1192 	close(fd);
1194 	fd = mfd_assert_new("kern_memfd_sysctl_1_exec",
1197 	mfd_assert_mode(fd, 0777);
1198 	mfd_assert_has_seals(fd, 0);
1199 	mfd_assert_chmod(fd, 0644);
1200 	close(fd);
1202 	fd = mfd_assert_new("kern_memfd_sysctl_1_noexec",
1205 	mfd_assert_mode(fd, 0666);
1206 	mfd_assert_has_seals(fd, F_SEAL_EXEC);
1207 	mfd_fail_chmod(fd, 0777);
1208 	close(fd);
1219 	int fd;
1223 	fd = mfd_assert_new("kern_memfd_sysctl_2_dfl",
1226 	mfd_assert_mode(fd, 0666);
1227 	mfd_assert_has_seals(fd, F_SEAL_EXEC);
1228 	mfd_fail_chmod(fd, 0777);
1229 	close(fd);
1234 	fd = mfd_assert_new("kern_memfd_sysctl_2_noexec",
1237 	mfd_assert_mode(fd, 0666);
1238 	mfd_assert_has_seals(fd, F_SEAL_EXEC);
1239 	mfd_fail_chmod(fd, 0777);
1240 	close(fd);
1417 	int fd, fd2;
1421 	fd = mfd_assert_new("kern_memfd_share_dup",
1424 	mfd_assert_has_seals(fd, 0);
1426 	fd2 = mfd_assert_dup(fd);
1429 	mfd_assert_add_seals(fd, F_SEAL_WRITE);
1430 	mfd_assert_has_seals(fd, F_SEAL_WRITE);
1434 	mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK);
1437 	mfd_assert_add_seals(fd, F_SEAL_SEAL);
1438 	mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_SEAL);
1441 	mfd_fail_add_seals(fd, F_SEAL_GROW);
1443 	mfd_fail_add_seals(fd, F_SEAL_SEAL);
1448 	mfd_fail_add_seals(fd, F_SEAL_GROW);
1449 	close(fd);
1458 	int fd;
1463 	fd = mfd_assert_new("kern_memfd_share_mmap",
1466 	mfd_assert_has_seals(fd, 0);
1469 	p = mfd_assert_mmap_shared(fd);
1470 	mfd_fail_add_seals(fd, F_SEAL_WRITE);
1471 	mfd_assert_has_seals(fd, 0);
1472 	mfd_assert_add_seals(fd, F_SEAL_SHRINK);
1473 	mfd_assert_has_seals(fd, F_SEAL_SHRINK);
1477 	p = mfd_assert_mmap_private(fd);
1478 	mfd_assert_add_seals(fd, F_SEAL_WRITE);
1479 	mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK);
1482 	close(fd);
1486  * Test sealing with open(/proc/self/fd/%d)
1493 	int fd, fd2;
1497 	fd = mfd_assert_new("kern_memfd_share_open",
1500 	mfd_assert_has_seals(fd, 0);
1502 	fd2 = mfd_assert_open(fd, O_RDWR, 0);
1503 	mfd_assert_add_seals(fd, F_SEAL_WRITE);
1504 	mfd_assert_has_seals(fd, F_SEAL_WRITE);
1508 	mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK);
1511 	close(fd);
1512 	fd = mfd_assert_open(fd2, O_RDONLY, 0);
1514 	mfd_fail_add_seals(fd, F_SEAL_SEAL);
1515 	mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK);
1519 	fd2 = mfd_assert_open(fd, O_RDWR, 0);
1522 	mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_SEAL);
1526 	close(fd);
1535 	int fd;
1540 	fd = mfd_assert_new("kern_memfd_share_fork",
1543 	mfd_assert_has_seals(fd, 0);
1546 	mfd_assert_add_seals(fd, F_SEAL_SEAL);
1547 	mfd_assert_has_seals(fd, F_SEAL_SEAL);
1549 	mfd_fail_add_seals(fd, F_SEAL_WRITE);
1550 	mfd_assert_has_seals(fd, F_SEAL_SEAL);
1554 	mfd_fail_add_seals(fd, F_SEAL_WRITE);
1555 	mfd_assert_has_seals(fd, F_SEAL_SEAL);
1557 	close(fd);

Indexes created Sat May 04 09:44:38 MDT 2024