1 /*
2 * Copyright (c) 2017 Google, Inc.
3 *
4 * This program is free software: you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, either version 2 of the License, or
7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program, if not, see <http://www.gnu.org/licenses/>.
16 */
17
18 /*
19 * Regression test for commit 237bbd29f7a0 ("KEYS: prevent creating a different
20 * user's keyrings"). The bug allowed any random user to create a keyring named
21 * "_uid.$UID" (or "_uid_ses.$UID"), and it would become the user keyring (or
22 * user session keyring) for user $UID, provided that it hadn't already been
23 * created.
24 *
25 * This test must be run as root so that it has permission to switch to another
26 * user ID and check whether the keyrings are wrong. However, the underlying
27 * bug is actually reachable/exploitable by a non-root user.
28 */
29
30 #include <errno.h>
31 #include <pwd.h>
32 #include <stdio.h>
33
34 #include "tst_test.h"
35 #include "lapi/keyctl.h"
36
create_keyring(const char * description)37 static key_serial_t create_keyring(const char *description)
38 {
39 TEST(add_key("keyring", description, NULL, 0,
40 KEY_SPEC_PROCESS_KEYRING));
41 if (TST_RET < 0) {
42 tst_brk(TBROK | TTERRNO,
43 "unable to create keyring '%s'", description);
44 }
45 return TST_RET;
46 }
47
get_keyring_id(key_serial_t special_id)48 static key_serial_t get_keyring_id(key_serial_t special_id)
49 {
50 TEST(keyctl(KEYCTL_GET_KEYRING_ID, special_id, 1));
51 if (TST_RET < 0) {
52 tst_brk(TBROK | TTERRNO,
53 "unable to get ID of keyring %d", special_id);
54 }
55 return TST_RET;
56 }
57
do_test(void)58 static void do_test(void)
59 {
60 uid_t uid = 1;
61 char description[32];
62 key_serial_t fake_user_keyring;
63 key_serial_t fake_user_session_keyring;
64
65 /*
66 * We need a user to forge the keyrings for. But the bug is not
67 * reproducible for a UID which already has its keyrings, so find an
68 * unused UID. Note that it would be better to directly check for the
69 * presence of the UID's keyrings than to search the passwd file.
70 * However, that's not easy to do given that even if we assumed the UID
71 * temporarily to check, KEYCTL_GET_KEYRING_ID for the user and user
72 * session keyrings will create them rather than failing (even if the
73 * 'create' argument is 0).
74 */
75 while (getpwuid(uid))
76 uid++;
77
78 sprintf(description, "_uid.%u", uid);
79 fake_user_keyring = create_keyring(description);
80 sprintf(description, "_uid_ses.%u", uid);
81 fake_user_session_keyring = create_keyring(description);
82
83 SAFE_SETUID(uid);
84
85 if (fake_user_keyring == get_keyring_id(KEY_SPEC_USER_KEYRING))
86 tst_brk(TFAIL, "created user keyring for another user");
87
88 if (fake_user_session_keyring ==
89 get_keyring_id(KEY_SPEC_USER_SESSION_KEYRING))
90 tst_brk(TFAIL, "created user session keyring for another user");
91
92 tst_res(TPASS, "expectedly could not create another user's keyrings");
93 }
94
95 static struct tst_test test = {
96 .test_all = do_test,
97 .needs_root = 1,
98 };
99