1/*-
2 * Copyright (c) 2001 Robert N. M. Watson
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: head/tools/regression/security/proc_to_proc/scenario.c 75482 2001-04-13 16:09:40Z rwatson $
27 */
28
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#include <assert.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
42
/*
 * Relevant parts of a process credential: the three uids and whether the
 * process carries the set-id mark that issetugid() reports.  The field
 * order is relied on by the positional initializers in creds[] below.
 */
struct cred {
	uid_t	cr_euid, cr_ruid, cr_svuid;	/* effective, real and saved uid */
	int	cr_issetugid;			/* issetugid() result to install / expect */
};
50
/*
 * Description of a scenario: a source credential (p1, the process that
 * performs each operation) and a target credential (p2, the process it is
 * performed on), plus, per operation, the errno the operation is expected
 * to fail with -- or 0 if it is expected to succeed.
 */
struct scenario {
	struct cred	*sc_cred1, *sc_cred2;	/* credentials of p1 (source) and p2 (target) */
	int		sc_canptrace_errno;	/* desired ptrace(PT_ATTACH) failure */
	int		sc_cansighup_errno;	/* desired kill(SIGHUP) failure */
	int		sc_cansigsegv_errno;	/* desired kill(SIGSEGV) failure */
	int		sc_cansee_errno;	/* desired getpriority() failure */
	int		sc_cansched_errno;	/* desired setpriority() failure */
	char		*sc_name;		/* test name, printed on a mismatch */
};
63
/*
 * Table of relevant credential combinations.  Rows are referenced by index
 * from scenarios[], so their order is part of the test definition.  Each
 * base row is repeated with the set-id mark on.  "daemon" rows have given
 * up only the effective uid and keep real/saved uid 0; "setuid" rows have
 * effective uid 0 over an unprivileged real/saved uid.  The table is not
 * const because the scenario table holds plain pointers into it.
 */
static struct cred creds[] = {
/*		euid	ruid	svuid	issetugid	*/
/* 0 */ {	0,	0,	0,	0 },	/* privileged */
/* 1 */ {	0,	0,	0,	1 },	/* privileged + issetugid */
/* 2 */ {	1000,	1000,	1000,	0 },	/* unprivileged1 */
/* 3 */ {	1000,	1000,	1000,	1 },	/* unprivileged1 + issetugid */
/* 4 */ {	1001,	1001,	1001,	0 },	/* unprivileged2 */
/* 5 */ {	1001,	1001,	1001,	1 },	/* unprivileged2 + issetugid */
/* 6 */ {	1000,	0,	0,	0 },	/* daemon1: euid dropped, ruid/svuid 0 */
/* 7 */ {	1000,	0,	0,	1 },	/* daemon1 + issetugid */
/* 8 */ {	1001,	0,	0,	0 },	/* daemon2: euid dropped, ruid/svuid 0 */
/* 9 */ {	1001,	0,	0,	1 },	/* daemon2 + issetugid */
/* 10 */{	0,	1000,	1000,	0 },	/* setuid1: euid 0 over uid 1000 */
/* 11 */{	0, 	1000,	1000,	1 },	/* setuid1 + issetugid */
/* 12 */{	0,	1001,	1001,	0 },	/* setuid2: euid 0 over uid 1001 */
/* 13 */{	0,	1001,	1001,	1 },	/* setuid2 + issetugid */
};
84
/*
 * Table of scenarios.  Each row pairs a source credential (cred1) with a
 * target credential (cred2) and lists, per operation, the errno that
 * operation is expected to fail with, or 0 if it is expected to succeed.
 * Row order defines the numbering used in the names.
 *
 * The expectations encode the inter-process access policy this test was
 * written against, and are what a mismatch is measured against: matching
 * effective uid is not enough when the target's real or saved uid is 0
 * (the "daemon" rows are all denied); SIGHUP is still deliverable to a
 * same-uid target carrying the set-id mark while SIGSEGV and ptrace are
 * not; and the "see" column expects no restriction at all.  Re-check the
 * table against the kernel under test before treating a mismatch as a
 * kernel regression rather than a policy change.
 */
static const struct scenario scenarios[] = {
/*	cred1		cred2		ptrace	sighup	sigsegv	see	sched	name */
/* privileged on privileged */
{	&creds[0],	&creds[0],	0,	0,	0,	0,	0,	"0. priv on priv"},
{	&creds[0],	&creds[1],	0,	0,	0,	0,	0,	"1. priv on priv"},
{	&creds[1],	&creds[0],	0,	0,	0,	0,	0,	"2. priv on priv"},
{	&creds[1],	&creds[1],	0,	0,	0,	0,	0,	"3. priv on priv"},
/* privileged on unprivileged */
{	&creds[0],	&creds[2],	0,	0,	0,	0,	0,	"4. priv on unpriv1"},
{	&creds[0],	&creds[3],	0,	0,	0,	0,	0,	"5. priv on unpriv1"},
{	&creds[1],	&creds[2],	0,	0,	0,	0,	0,	"6. priv on unpriv1"},
{	&creds[1],	&creds[3],	0,	0,	0,	0,	0,	"7. priv on unpriv1"},
/* unprivileged on privileged */
{	&creds[2],	&creds[0],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"8. unpriv1 on priv"},
{	&creds[2],	&creds[1],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"9. unpriv1 on priv"},
{	&creds[3],	&creds[0],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"10. unpriv1 on priv"},
{	&creds[3],	&creds[1],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"11. unpriv1 on priv"},
/* unprivileged on same unprivileged: set-id target blocks ptrace/SIGSEGV only */
{	&creds[2],	&creds[2],	0,	0,	0,	0,	0,	"12. unpriv1 on unpriv1"},
{	&creds[2],	&creds[3],	EPERM,	0,	EPERM,	0,	0,	"13. unpriv1 on unpriv1"},
{	&creds[3],	&creds[2],	0,	0,	0,	0,	0,	"14. unpriv1 on unpriv1"},
{	&creds[3],	&creds[3],	EPERM,	0,	EPERM,	0,	0,	"15. unpriv1 on unpriv1"},
/* unprivileged on different unprivileged */
{	&creds[2],	&creds[4],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"16. unpriv1 on unpriv2"},
{	&creds[2],	&creds[5],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"17. unpriv1 on unpriv2"},
{	&creds[3],	&creds[4],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"18. unpriv1 on unpriv2"},
{	&creds[3],	&creds[5],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"19. unpriv1 on unpriv2"},
/* unprivileged on daemon, same euid: real/saved uid 0 still protects */
{	&creds[2],	&creds[6],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"20. unpriv1 on daemon1"},
{	&creds[2],	&creds[7],	EPERM,	EPERM,	EPERM,	0, 	EPERM,	"21. unpriv1 on daemon1"},
{	&creds[3],	&creds[6],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"22. unpriv1 on daemon1"},
{	&creds[3],	&creds[7],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"23. unpriv1 on daemon1"},
/* unprivileged on daemon, different */
{	&creds[2],	&creds[8],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"24. unpriv1 on daemon2"},
{	&creds[2],	&creds[9],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"25. unpriv1 on daemon2"},
{	&creds[3],	&creds[8],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"26. unpriv1 on daemon2"},
{	&creds[3],	&creds[9],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"27. unpriv1 on daemon2"},
/* unprivileged on setuid, same real/saved uid: ptrace denied, signals/sched allowed unless set-id */
{	&creds[2],	&creds[10],	EPERM,	0,	0,	0,	0,	"28. unpriv1 on setuid1"},
{	&creds[2],	&creds[11],	EPERM,	0,	EPERM,	0,	0,	"29. unpriv1 on setuid1"},
{	&creds[3],	&creds[10],	EPERM,	0,	0,	0,	0,	"30. unpriv1 on setuid1"},
{	&creds[3],	&creds[11],	EPERM,	0,	EPERM,	0,	0,	"31. unpriv1 on setuid1"},
/* unprivileged on setuid, different */
{	&creds[2],	&creds[12],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"32. unpriv1 on setuid2"},
{	&creds[2],	&creds[13],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"33. unpriv1 on setuid2"},
{	&creds[3],	&creds[12],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"34. unpriv1 on setuid2"},
{	&creds[3],	&creds[13],	EPERM,	EPERM,	EPERM,	0,	EPERM,	"35. unpriv1 on setuid2"},
};
/* Number of rows in scenarios[]; exported for the driver's loop bound. */
int scenarios_count = sizeof(scenarios) / sizeof(scenarios[0]);
136
/*
 * Convert an error number to a compact symbolic name for the report output.
 * Only the errors this test expects to meet are named; anything else comes
 * back as "unknown".  The result is a string literal: do not modify or free.
 */
static char *
errno_to_string(int error)
{
	static const struct {
		int	 code;
		char	*text;
	} names[] = {
		{ 0,		"0" },
		{ EPERM,	"EPERM" },
		{ EACCES,	"EACCES" },
		{ EINVAL,	"EINVAL" },
		{ ENOSYS,	"ENOSYS" },
		{ ESRCH,	"ESRCH" },
		{ EOPNOTSUPP,	"EOPNOTSUPP" },
	};
	unsigned int i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (names[i].code == error)
			return (names[i].text);
	}
	return ("unknown");
}
164
/*
 * Fill in cred with the current process's real, effective and saved uids
 * and its issetugid() state.
 *
 * Returns 0 on success, or getresuid()'s failure value (with errno set),
 * in which case cred->cr_issetugid is left untouched.
 */
static int
cred_get(struct cred *cred)
{
	int rv;

	rv = getresuid(&cred->cr_ruid, &cred->cr_euid, &cred->cr_svuid);
	if (rv != 0)
		return (rv);
	cred->cr_issetugid = issetugid();
	return (0);
}
181
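/*
 * Userland stub for __setugid() that copes with the possible states of the
 * system under test: the syscall wrapped by the C library, present in the
 * kernel but without a libc wrapper, or absent altogether.
 *
 * flag: the set-id state to install (non-zero to set it, zero to clear it).
 * Returns 0 on success and -1 with errno set on failure.  The "absent"
 * branch used to return ENOSYS directly without touching errno, so the
 * perror() in cred_set() printed whatever errno happened to hold; it now
 * follows the same syscall convention as the other two branches.  Callers
 * in this file only test the result for non-zero, which is unchanged.
 */
int
setugid(int flag)
{

#ifdef SETSUGID_SUPPORTED
	return (__setugid(flag));
#else
#ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
	/*
	 * 374 is the __setugid syscall number this build option assumes;
	 * verify it against sys/syscall.h of the kernel under test before
	 * enabling the option, since a stale number calls something else.
	 */
	return (syscall(374, flag));
#else
	errno = ENOSYS;
	return (-1);
#endif
#endif
}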
200
/*
 * Make the current process's credentials match cred: first the three uids,
 * then the set-id mark.  Note the argument order -- the struct lists the
 * effective uid first, but setresuid() takes (ruid, euid, svuid).  The
 * caller needs enough privilege for setresuid() to reach the requested
 * uids; once they are all non-zero there is no way back to uid 0.
 *
 * Returns 0 on success.  On failure the setresuid() or setugid() result
 * is returned (errno set by the former); the setugid() case is also
 * reported with perror().  With CHECK_CRED_SET defined, the result is read
 * back and assert()ed, so a mismatch aborts the process.
 */
static int
cred_set(struct cred *cred)
{
	int rv;

	rv = setresuid(cred->cr_ruid, cred->cr_euid, cred->cr_svuid);
	if (rv != 0)
		return (rv);

	rv = setugid(cred->cr_issetugid);
	if (rv != 0) {
		perror("__setugid");
		return (rv);
	}

#ifdef CHECK_CRED_SET
	{
		uid_t ruid, euid, svuid;

		if (getresuid(&ruid, &euid, &svuid) != 0) {
			perror("getresuid");
			return (-1);
		}
		assert(ruid == cred->cr_ruid);
		assert(euid == cred->cr_euid);
		assert(svuid == cred->cr_svuid);
		assert(cred->cr_issetugid == issetugid());
	}
#endif /* CHECK_CRED_SET */

	return (0);
}
236
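/*
 * Print the passed process credential to output in the compact form
 * "(e:EUID r:RUID s:SVUID P_SUGID:FLAG)" with no trailing newline; the
 * caller prints two of these back to back on one report line.
 *
 * uid_t is an unsigned type on FreeBSD, so the uids are widened to
 * unsigned long and printed with %lu instead of being handed to %d, which
 * mismatches the conversion for any uid above INT_MAX.  Output is
 * unchanged for the uids this test uses.
 */
static void
cred_print(FILE *output, struct cred *cred)
{

	fprintf(output, "(e:%lu r:%lu s:%lu P_SUGID:%d)",
	    (unsigned long)cred->cr_euid, (unsigned long)cred->cr_ruid,
	    (unsigned long)cred->cr_svuid, cred->cr_issetugid);
}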
247
/*
 * Operations tried by enact_scenario(), one per loop iteration; each maps
 * to one expected-errno column of the scenario table.
 */
#define	LOOP_PTRACE	0	/* ptrace(PT_ATTACH)  -> sc_canptrace_errno */
#define	LOOP_SIGHUP	1	/* kill(SIGHUP)       -> sc_cansighup_errno */
#define	LOOP_SIGSEGV	2	/* kill(SIGSEGV)      -> sc_cansigsegv_errno */
#define	LOOP_SEE	3	/* getpriority()      -> sc_cansee_errno */
#define	LOOP_SCHED	4	/* setpriority()      -> sc_cansched_errno */
#define	LOOP_MAX	LOOP_SCHED	/* highest loop index, inclusive */
254
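/*
 * Target side of one operation: take on the target credential, report over
 * statusfd whether that worked (0, or an errno value on failure), then idle
 * until the parent kills the process.  Runs only in a forked child and
 * never returns.  _exit() is used deliberately: this child has written
 * nothing to stdout and must not flush stdio buffers inherited from the
 * parent.
 */
static void
target_child(struct cred *cred, int statusfd)
{
	int status;

	status = 0;
	if (cred_set(cred) != 0) {
		perror("cred_set");
		/*
		 * cred_set() reports most failures through errno; if it
		 * didn't, send a non-zero marker anyway so the parent can
		 * never mistake a failed setup for success.
		 */
		status = (errno != 0) ? errno : -1;
	}
	(void)write(statusfd, &status, sizeof(status));
	close(statusfd);
	if (status != 0)
		_exit(1);
	/* 200 seconds should be plenty of time for the parent to finish. */
	sleep(200);
	_exit(0);
}

/*
 * Source side of one operation: take on the source credential, attempt the
 * operation selected by loop against pid1, and print a line on stdout when
 * the errno observed differs from the one the scenario table expects.
 * Runs only in a forked child and never returns; exit() rather than _exit()
 * so the report is flushed.
 */
static void
source_child(int scenario, int loop, pid_t pid1)
{
	const struct scenario *sc;
	char *name;
	int error, desirederror;

	sc = &scenarios[scenario];
	if (cred_set(sc->sc_cred1) != 0) {
		perror("cred_set");
		/*
		 * Exit rather than return: returning from inside a child
		 * would carry on running the parent's scenario loop.
		 */
		exit(1);
	}

	/*
	 * errno is zeroed before the operation and captured right after the
	 * switch, before any I/O can clobber it, so a successful call reads
	 * as 0.  getpriority() legitimately returns -1, which is why return
	 * values are ignored throughout and errno alone is the verdict.
	 */
	errno = 0;
	desirederror = 0;
	switch (loop) {
	case LOOP_PTRACE:
		(void)ptrace(PT_ATTACH, pid1, NULL, 0);
		name = "ptrace";
		desirederror = sc->sc_canptrace_errno;
		break;
	case LOOP_SIGHUP:
		(void)kill(pid1, SIGHUP);
		name = "sighup";
		desirederror = sc->sc_cansighup_errno;
		break;
	case LOOP_SIGSEGV:
		(void)kill(pid1, SIGSEGV);
		name = "sigsegv";
		desirederror = sc->sc_cansigsegv_errno;
		break;
	case LOOP_SEE:
		(void)getpriority(PRIO_PROCESS, pid1);
		name = "see";
		desirederror = sc->sc_cansee_errno;
		break;
	case LOOP_SCHED:
		(void)setpriority(PRIO_PROCESS, pid1, 0);
		name = "sched";
		desirederror = sc->sc_cansched_errno;
		break;
	default:
		/* Unreachable for loop in 0..LOOP_MAX; reports nothing. */
		name = "broken";
		break;
	}
	error = errno;

	if (error != desirederror) {
		fprintf(stdout, "[%s].%s: expected %s, got %s\n  ",
		    sc->sc_name, name, errno_to_string(desirederror),
		    errno_to_string(error));
		cred_print(stdout, sc->sc_cred1);
		cred_print(stdout, sc->sc_cred2);
		fprintf(stdout, "\n");
	}
	exit(0);
}

/*
 * Enact a scenario: for each operation from LOOP_PTRACE to LOOP_SCHED,
 * spawn a target child running as sc_cred2, wait for it to confirm over a
 * pipe that its credentials are in place, then spawn a source child running
 * as sc_cred1 that attempts the operation on the target and reports any
 * mismatch with the table on stdout.  Both children are reaped before the
 * next operation so no zombies accumulate across scenarios.  The parent
 * never changes its own credentials, so it can always tear the target down.
 *
 * scenario: index into scenarios[].
 * Returns 0 once every operation has been tried, or -1 with errno set when
 * pipe() or fork() failed or the target child could not take on its
 * credentials; the remaining operations of that scenario are skipped.
 * Assumes the caller holds enough privilege for setresuid() to reach the
 * uids in creds[] -- cred_set() reports the failure otherwise.
 */
static int
enact_scenario(int scenario)
{
	pid_t pid1, pid2;
	ssize_t n;
	int fds[2], loop, saved, status;

	for (loop = 0; loop <= LOOP_MAX; loop++) {
		/*
		 * The pipe replaces a fixed sleep(1) between the two forks:
		 * the target writes its setup status once its credentials
		 * are set, so the source can't run early and report spurious
		 * errors on a slow or loaded machine.
		 */
		if (pipe(fds) != 0)
			return (-1);

		pid1 = fork();
		if (pid1 == -1) {
			saved = errno;
			close(fds[0]);
			close(fds[1]);
			errno = saved;
			return (-1);
		}
		if (pid1 == 0) {
			close(fds[0]);
			target_child(scenarios[scenario].sc_cred2, fds[1]);
			/* NOTREACHED */
		}
		close(fds[1]);

		/* A short read (EOF) means the target died before reporting. */
		status = 0;
		n = read(fds[0], &status, sizeof(status));
		saved = errno;
		close(fds[0]);
		if (n != (ssize_t)sizeof(status) || status != 0) {
			(void)kill(pid1, SIGKILL);
			(void)waitpid(pid1, NULL, 0);
			errno = (n == (ssize_t)sizeof(status) && status > 0) ?
			    status : saved;
			return (-1);
		}

		pid2 = fork();
		if (pid2 == -1) {
			saved = errno;
			(void)kill(pid1, SIGKILL);
			(void)waitpid(pid1, NULL, 0);
			errno = saved;
			return (-1);
		}
		if (pid2 == 0) {
			source_child(scenario, loop, pid1);
			/* NOTREACHED */
		}

		/*
		 * Only once the source is gone is it safe to tear down the
		 * target.  The SIGKILL is best effort and its failure is
		 * masked: the operation under test may already have killed
		 * pid1 (not unlikely in the signal cases, possible in the
		 * ptrace case).  Reap pid1 -- not pid2 a second time -- so
		 * every target is collected.
		 */
		(void)waitpid(pid2, NULL, 0);
		(void)kill(pid1, SIGKILL);
		(void)waitpid(pid1, NULL, 0);
	}

	return (0);
}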
399
/*
 * Run every scenario in the table in order.  A scenario whose setup fails
 * (fork or credential problems, reported by enact_scenario() through errno)
 * is logged with perror() and the run continues with the next one; mismatch
 * reports for individual operations are printed by the children themselves.
 * Expects to run with enough privilege for setresuid() to reach every uid
 * in creds[].
 */
void
enact_scenarios(void)
{
	int i;

	for (i = 0; i < scenarios_count; i++)
		if (enact_scenario(i) != 0)
			perror("enact_scenario");
}
411