1/*- 2 * Copyright (c) 2001 Robert N. M. Watson 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD: head/tools/regression/security/proc_to_proc/scenario.c 75482 2001-04-13 16:09:40Z rwatson $ 27 */ 28 29#include <sys/types.h> 30#include <sys/ptrace.h> 31#include <sys/time.h> 32#include <sys/resource.h> 33#include <sys/syscall.h> 34#include <sys/wait.h> 35 36#include <assert.h> 37#include <errno.h> 38#include <signal.h> 39#include <stdio.h> 40#include <string.h> 41#include <unistd.h> 42 43/* 44 * Relevant parts of a process credential. 45 */ 46struct cred { 47 uid_t cr_euid, cr_ruid, cr_svuid; 48 int cr_issetugid; 49}; 50 51/* 52 * Description of a scenario. 
53 */ 54struct scenario { 55 struct cred *sc_cred1, *sc_cred2; /* credentials of p1 and p2 */ 56 int sc_canptrace_errno; /* desired ptrace failure */ 57 int sc_cansighup_errno; /* desired SIGHUP failure */ 58 int sc_cansigsegv_errno; /* desired SIGSEGV failure */ 59 int sc_cansee_errno; /* desired getprio failure */ 60 int sc_cansched_errno; /* desired setprio failure */ 61 char *sc_name; /* test name */ 62}; 63 64/* 65 * Table of relevant credential combinations. 66 */ 67static struct cred creds[] = { 68/* euid ruid svuid issetugid */ 69/* 0 */ { 0, 0, 0, 0 }, /* privileged */ 70/* 1 */ { 0, 0, 0, 1 }, /* privileged + issetugid */ 71/* 2 */ { 1000, 1000, 1000, 0 }, /* unprivileged1 */ 72/* 3 */ { 1000, 1000, 1000, 1 }, /* unprivileged1 + issetugid */ 73/* 4 */ { 1001, 1001, 1001, 0 }, /* unprivileged2 */ 74/* 5 */ { 1001, 1001, 1001, 1 }, /* unprivileged2 + issetugid */ 75/* 6 */ { 1000, 0, 0, 0 }, /* daemon1 */ 76/* 7 */ { 1000, 0, 0, 1 }, /* daemon1 + issetugid */ 77/* 8 */ { 1001, 0, 0, 0 }, /* daemon2 */ 78/* 9 */ { 1001, 0, 0, 1 }, /* daemon2 + issetugid */ 79/* 10 */{ 0, 1000, 1000, 0 }, /* setuid1 */ 80/* 11 */{ 0, 1000, 1000, 1 }, /* setuid1 + issetugid */ 81/* 12 */{ 0, 1001, 1001, 0 }, /* setuid2 */ 82/* 13 */{ 0, 1001, 1001, 1 }, /* setuid2 + issetugid */ 83}; 84 85/* 86 * Table of scenarios. 87 */ 88static const struct scenario scenarios[] = { 89/* cred1 cred2 ptrace sighup sigsegv see sched name */ 90{ &creds[0], &creds[0], 0, 0, 0, 0, 0, "0. priv on priv"}, 91{ &creds[0], &creds[1], 0, 0, 0, 0, 0, "1. priv on priv"}, 92{ &creds[1], &creds[0], 0, 0, 0, 0, 0, "2. priv on priv"}, 93{ &creds[1], &creds[1], 0, 0, 0, 0, 0, "3. priv on priv"}, 94/* privileged on unprivileged */ 95{ &creds[0], &creds[2], 0, 0, 0, 0, 0, "4. priv on unpriv1"}, 96{ &creds[0], &creds[3], 0, 0, 0, 0, 0, "5. priv on unpriv1"}, 97{ &creds[1], &creds[2], 0, 0, 0, 0, 0, "6. priv on unpriv1"}, 98{ &creds[1], &creds[3], 0, 0, 0, 0, 0, "7. 
priv on unpriv1"}, 99/* unprivileged on privileged */ 100{ &creds[2], &creds[0], EPERM, EPERM, EPERM, 0, EPERM, "8. unpriv1 on priv"}, 101{ &creds[2], &creds[1], EPERM, EPERM, EPERM, 0, EPERM, "9. unpriv1 on priv"}, 102{ &creds[3], &creds[0], EPERM, EPERM, EPERM, 0, EPERM, "10. unpriv1 on priv"}, 103{ &creds[3], &creds[1], EPERM, EPERM, EPERM, 0, EPERM, "11. unpriv1 on priv"}, 104/* unprivileged on same unprivileged */ 105{ &creds[2], &creds[2], 0, 0, 0, 0, 0, "12. unpriv1 on unpriv1"}, 106{ &creds[2], &creds[3], EPERM, 0, EPERM, 0, 0, "13. unpriv1 on unpriv1"}, 107{ &creds[3], &creds[2], 0, 0, 0, 0, 0, "14. unpriv1 on unpriv1"}, 108{ &creds[3], &creds[3], EPERM, 0, EPERM, 0, 0, "15. unpriv1 on unpriv1"}, 109/* unprivileged on different unprivileged */ 110{ &creds[2], &creds[4], EPERM, EPERM, EPERM, 0, EPERM, "16. unpriv1 on unpriv2"}, 111{ &creds[2], &creds[5], EPERM, EPERM, EPERM, 0, EPERM, "17. unpriv1 on unpriv2"}, 112{ &creds[3], &creds[4], EPERM, EPERM, EPERM, 0, EPERM, "18. unpriv1 on unpriv2"}, 113{ &creds[3], &creds[5], EPERM, EPERM, EPERM, 0, EPERM, "19. unpriv1 on unpriv2"}, 114/* unprivileged on daemon, same */ 115{ &creds[2], &creds[6], EPERM, EPERM, EPERM, 0, EPERM, "20. unpriv1 on daemon1"}, 116{ &creds[2], &creds[7], EPERM, EPERM, EPERM, 0, EPERM, "21. unpriv1 on daemon1"}, 117{ &creds[3], &creds[6], EPERM, EPERM, EPERM, 0, EPERM, "22. unpriv1 on daemon1"}, 118{ &creds[3], &creds[7], EPERM, EPERM, EPERM, 0, EPERM, "23. unpriv1 on daemon1"}, 119/* unprivileged on daemon, different */ 120{ &creds[2], &creds[8], EPERM, EPERM, EPERM, 0, EPERM, "24. unpriv1 on daemon2"}, 121{ &creds[2], &creds[9], EPERM, EPERM, EPERM, 0, EPERM, "25. unpriv1 on daemon2"}, 122{ &creds[3], &creds[8], EPERM, EPERM, EPERM, 0, EPERM, "26. unpriv1 on daemon2"}, 123{ &creds[3], &creds[9], EPERM, EPERM, EPERM, 0, EPERM, "27. unpriv1 on daemon2"}, 124/* unprivileged on setuid, same */ 125{ &creds[2], &creds[10], EPERM, 0, 0, 0, 0, "28. 
unpriv1 on setuid1"}, 126{ &creds[2], &creds[11], EPERM, 0, EPERM, 0, 0, "29. unpriv1 on setuid1"}, 127{ &creds[3], &creds[10], EPERM, 0, 0, 0, 0, "30. unpriv1 on setuid1"}, 128{ &creds[3], &creds[11], EPERM, 0, EPERM, 0, 0, "31. unpriv1 on setuid1"}, 129/* unprivileged on setuid, different */ 130{ &creds[2], &creds[12], EPERM, EPERM, EPERM, 0, EPERM, "32. unpriv1 on setuid2"}, 131{ &creds[2], &creds[13], EPERM, EPERM, EPERM, 0, EPERM, "33. unpriv1 on setuid2"}, 132{ &creds[3], &creds[12], EPERM, EPERM, EPERM, 0, EPERM, "34. unpriv1 on setuid2"}, 133{ &creds[3], &creds[13], EPERM, EPERM, EPERM, 0, EPERM, "35. unpriv1 on setuid2"}, 134}; 135int scenarios_count = sizeof(scenarios) / sizeof(struct scenario); 136 137/* 138 * Convert an error number to a compact string representation. For now, 139 * implement only the error numbers we are likely to see. 140 */ 141static char * 142errno_to_string(int error) 143{ 144 145 switch (error) { 146 case EPERM: 147 return ("EPERM"); 148 case EACCES: 149 return ("EACCES"); 150 case EINVAL: 151 return ("EINVAL"); 152 case ENOSYS: 153 return ("ENOSYS"); 154 case ESRCH: 155 return ("ESRCH"); 156 case EOPNOTSUPP: 157 return ("EOPNOTSUPP"); 158 case 0: 159 return ("0"); 160 default: 161 return ("unknown"); 162 } 163} 164 165/* 166 * Return a process credential describing the current process. 167 */ 168static int 169cred_get(struct cred *cred) 170{ 171 int error; 172 173 error = getresuid(&cred->cr_ruid, &cred->cr_euid, &cred->cr_svuid); 174 if (error) 175 return (error); 176 177 cred->cr_issetugid = issetugid(); 178 179 return (0); 180} 181 182/* 183 * Userland stub for __setsugid() to take into account possible presence 184 * in C library, kernel, et al. 
185 */ 186int 187setugid(int flag) 188{ 189 190#ifdef SETSUGID_SUPPORTED 191 return (__setugid(flag)); 192#else 193#ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB 194 return (syscall(374, flag)); 195#else 196 return (ENOSYS); 197#endif 198#endif 199} 200 201/* 202 * Set the current process's credentials to match the passed credential. 203 */ 204static int 205cred_set(struct cred *cred) 206{ 207 int error; 208 209 error = setresuid(cred->cr_ruid, cred->cr_euid, cred->cr_svuid); 210 if (error) 211 return (error); 212 213 error = setugid(cred->cr_issetugid); 214 if (error) { 215 perror("__setugid"); 216 return (error); 217 } 218 219#ifdef CHECK_CRED_SET 220 { 221 uid_t ruid, euid, svuid; 222 error = getresuid(&ruid, &euid, &svuid); 223 if (error) { 224 perror("getresuid"); 225 return (-1); 226 } 227 assert(ruid == cred->cr_ruid); 228 assert(euid == cred->cr_euid); 229 assert(svuid == cred->cr_svuid); 230 assert(cred->cr_issetugid == issetugid()); 231 } 232#endif /* !CHECK_CRED_SET */ 233 234 return (0); 235} 236 237/* 238 * Print the passed process credential to the passed I/O stream. 239 */ 240static void 241cred_print(FILE *output, struct cred *cred) 242{ 243 244 fprintf(output, "(e:%d r:%d s:%d P_SUGID:%d)", cred->cr_euid, 245 cred->cr_ruid, cred->cr_svuid, cred->cr_issetugid); 246} 247 248#define LOOP_PTRACE 0 249#define LOOP_SIGHUP 1 250#define LOOP_SIGSEGV 2 251#define LOOP_SEE 3 252#define LOOP_SCHED 4 253#define LOOP_MAX LOOP_SCHED 254 255/* 256 * Enact a scenario by looping through the four test cases for the scenario, 257 * spawning off pairs of processes with the desired credentials, and 258 * reporting results to stdout. 259 */ 260static int 261enact_scenario(int scenario) 262{ 263 pid_t pid1, pid2; 264 char *name; 265 int error, desirederror, loop; 266 267 for (loop = 0; loop < LOOP_MAX+1; loop++) { 268 /* 269 * Spawn the first child, target of the operation. 
270 */ 271 pid1 = fork(); 272 switch (pid1) { 273 case -1: 274 return (-1); 275 case 0: 276 /* child */ 277 error = cred_set(scenarios[scenario].sc_cred2); 278 if (error) { 279 perror("cred_set"); 280 return (error); 281 } 282 /* 200 seconds should be plenty of time. */ 283 sleep(200); 284 exit(0); 285 default: 286 /* parent */ 287 } 288 289 /* 290 * XXX 291 * This really isn't ideal -- give proc 1 a chance to set 292 * its credentials, or we may get spurious errors. Really, 293 * some for of IPC should be used to allow the parent to 294 * wait for the first child to be ready before spawning 295 * the second child. 296 */ 297 sleep(1); 298 299 /* 300 * Spawn the second child, source of the operation. 301 */ 302 pid2 = fork(); 303 switch (pid2) { 304 case -1: 305 return (-1); 306 307 case 0: 308 /* child */ 309 error = cred_set(scenarios[scenario].sc_cred1); 310 if (error) { 311 perror("cred_set"); 312 return (error); 313 } 314 315 /* 316 * Initialize errno to zero so as to catch any 317 * generated errors. In each case, perform the 318 * operation. Preserve the error number for later 319 * use so it doesn't get stomped on by any I/O. 320 * Determine the desired error for the given case 321 * by extracting it from the scenario table. 322 * Initialize a function name string for output 323 * prettiness. 
324 */ 325 errno = 0; 326 switch (loop) { 327 case LOOP_PTRACE: 328 error = ptrace(PT_ATTACH, pid1, NULL, 0); 329 error = errno; 330 name = "ptrace"; 331 desirederror = 332 scenarios[scenario].sc_canptrace_errno; 333 break; 334 case LOOP_SIGHUP: 335 error = kill(pid1, SIGHUP); 336 error = errno; 337 name = "sighup"; 338 desirederror = 339 scenarios[scenario].sc_cansighup_errno; 340 break; 341 case LOOP_SIGSEGV: 342 error = kill(pid1, SIGSEGV); 343 error = errno; 344 name = "sigsegv"; 345 desirederror = 346 scenarios[scenario].sc_cansigsegv_errno; 347 break; 348 case LOOP_SEE: 349 getpriority(PRIO_PROCESS, pid1); 350 error = errno; 351 name = "see"; 352 desirederror = 353 scenarios[scenario].sc_cansee_errno; 354 break; 355 case LOOP_SCHED: 356 error = setpriority(PRIO_PROCESS, pid1, 357 0); 358 error = errno; 359 name = "sched"; 360 desirederror = 361 scenarios[scenario].sc_cansched_errno; 362 break; 363 default: 364 name = "broken"; 365 } 366 367 if (error != desirederror) { 368 fprintf(stdout, 369 "[%s].%s: expected %s, got %s\n ", 370 scenarios[scenario].sc_name, name, 371 errno_to_string(desirederror), 372 errno_to_string(error)); 373 cred_print(stdout, 374 scenarios[scenario].sc_cred1); 375 cred_print(stdout, 376 scenarios[scenario].sc_cred2); 377 fprintf(stdout, "\n"); 378 } 379 380 exit(0); 381 382 default: 383 /* parent */ 384 } 385 386 error = waitpid(pid2, NULL, 0); 387 /* 388 * Once pid2 has died, it's safe to kill pid1, if it's still 389 * alive. Mask signal failure in case the test actually 390 * killed pid1 (not unlikely: can occur in both signal and 391 * ptrace cases). 392 */ 393 kill(pid1, SIGKILL); 394 error = waitpid(pid2, NULL, 0); 395 } 396 397 return (0); 398} 399 400void 401enact_scenarios(void) 402{ 403 int i, error; 404 405 for (i = 0; i < scenarios_count; i++) { 406 error = enact_scenario(i); 407 if (error) 408 perror("enact_scenario"); 409 } 410} 411