1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2021 SUSE LLC <rpalethorpe@suse.com>
4 */
5
6 /*\
7 * [Description]
8 *
9 * Reproducer of CVE-2018-18955; broken uid/gid mapping for nested
10 * user namespaces with >5 ranges
11 *
12 * See original reproducer and description by Jan Horn:
13 * https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
14 *
15 * Note that calling seteuid from root can cause the dumpable bit to
16 * be unset. The proc files of non dumpable processes are then owned
17 * by (the real) root. So on the second level we reset dumpable to 1.
18 *
19 */
20 #define _GNU_SOURCE
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <sys/prctl.h>
24 #include <sys/mount.h>
25
26 #include "tst_test.h"
27 #include "tst_clone.h"
28 #include "lapi/clone.h"
29 #include "tst_safe_file_at.h"
30
clone_newuser(void)31 static pid_t clone_newuser(void)
32 {
33 const struct tst_clone_args cargs = {
34 CLONE_NEWUSER,
35 SIGCHLD
36 };
37
38 return SAFE_CLONE(&cargs);
39 }
40
write_mapping(const pid_t proc_in_ns,const char * const id_mapping)41 static void write_mapping(const pid_t proc_in_ns,
42 const char *const id_mapping)
43 {
44 char proc_path[PATH_MAX];
45 int proc_dir;
46
47 sprintf(proc_path, "/proc/%d", (int)proc_in_ns);
48 proc_dir = SAFE_OPEN(proc_path, O_DIRECTORY);
49
50 TEST(faccessat(proc_dir, "uid_map", F_OK, 0));
51 if (TST_RET && TST_ERR == ENOENT)
52 tst_brk(TCONF, "No uid_map file; interface was added in v3.5");
53
54 SAFE_FILE_PRINTFAT(proc_dir, "setgroups", "%s", "deny");
55 SAFE_FILE_PRINTFAT(proc_dir, "uid_map", "%s", id_mapping);
56 SAFE_FILE_PRINTFAT(proc_dir, "gid_map", "%s", id_mapping);
57
58 SAFE_CLOSE(proc_dir);
59 }
60
ns_level2(void)61 static void ns_level2(void)
62 {
63 if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0))
64 tst_res(TINFO | TERRNO, "Failed to set dumpable flag");
65 TST_CHECKPOINT_WAKE_AND_WAIT(1);
66
67 TST_EXP_FAIL(open("restricted", O_WRONLY), EACCES,
68 "Denied write access to ./restricted");
69
70 exit(0);
71 }
72
ns_level1(void)73 static void ns_level1(void)
74 {
75 const char *const map_over_5 = "0 0 1\n1 1 1\n2 2 1\n3 3 1\n4 4 1\n5 5 990";
76 pid_t level2_proc;
77
78 TST_CHECKPOINT_WAIT(0);
79
80 SAFE_SETGID(0);
81 SAFE_SETUID(0);
82
83 level2_proc = clone_newuser();
84 if (!level2_proc)
85 ns_level2();
86
87 TST_CHECKPOINT_WAIT(1);
88
89 write_mapping(level2_proc, map_over_5);
90
91 TST_CHECKPOINT_WAKE(1);
92 tst_reap_children();
93
94 exit(0);
95 }
96
run(void)97 static void run(void)
98 {
99 pid_t level1_proc;
100
101 SAFE_SETEGID(100000);
102 SAFE_SETEUID(100000);
103
104 level1_proc = clone_newuser();
105 if (!level1_proc)
106 ns_level1();
107
108 SAFE_SETEGID(0);
109 SAFE_SETEUID(0);
110
111 write_mapping(level1_proc, "0 100000 1000");
112
113 TST_CHECKPOINT_WAKE(0);
114 tst_reap_children();
115 }
116
setup(void)117 static void setup(void)
118 {
119 int fd = SAFE_OPEN("restricted", O_CREAT | O_WRONLY, 0700);
120
121 SAFE_WRITE(fd, 1, "\n", 1);
122 SAFE_CLOSE(fd);
123
124 SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
125 }
126
127 static struct tst_test test = {
128 .setup = setup,
129 .test_all = run,
130 .needs_checkpoints = 1,
131 .needs_root = 1,
132 .forks_child = 1,
133 .needs_kconfigs = (const char *[]) {
134 "CONFIG_USER_NS",
135 NULL
136 },
137 .save_restore = (const char * const[]) {
138 "?/proc/sys/user/max_user_namespaces",
139 NULL,
140 },
141 .tags = (const struct tst_tag[]) {
142 {"linux-git", "d2f007dbe7e4"},
143 {"CVE", "CVE-2018-18955"},
144 {}
145 },
146 };
147