• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2017 Google, Inc.
4  */
5 
6 /*
7  * Regression test for commit 237bbd29f7a0 ("KEYS: prevent creating a different
8  * user's keyrings").  The bug allowed any random user to create a keyring named
9  * "_uid.$UID" (or "_uid_ses.$UID"), and it would become the user keyring (or
10  * user session keyring) for user $UID, provided that it hadn't already been
11  * created.
12  *
13  * This test must be run as root so that it has permission to switch to another
14  * user ID and check whether the keyrings are wrong.  However, the underlying
15  * bug is actually reachable/exploitable by a non-root user.
16  */
17 
18 #include <errno.h>
19 #include <pwd.h>
20 #include <stdio.h>
21 
22 #include "tst_test.h"
23 #include "lapi/keyctl.h"
24 
create_keyring(const char * description)25 static key_serial_t create_keyring(const char *description)
26 {
27 	TEST(add_key("keyring", description, NULL, 0,
28 		     KEY_SPEC_PROCESS_KEYRING));
29 	if (TST_RET < 0) {
30 		tst_brk(TBROK | TTERRNO,
31 			"unable to create keyring '%s'", description);
32 	}
33 	return TST_RET;
34 }
35 
get_keyring_id(key_serial_t special_id)36 static key_serial_t get_keyring_id(key_serial_t special_id)
37 {
38 	TEST(keyctl(KEYCTL_GET_KEYRING_ID, special_id, 1));
39 	if (TST_RET < 0) {
40 		tst_brk(TBROK | TTERRNO,
41 			"unable to get ID of keyring %d", special_id);
42 	}
43 	return TST_RET;
44 }
45 
do_test(void)46 static void do_test(void)
47 {
48 	uid_t uid = 1;
49 	char description[32];
50 	key_serial_t fake_user_keyring;
51 	key_serial_t fake_user_session_keyring;
52 
53 	/*
54 	 * We need a user to forge the keyrings for.  But the bug is not
55 	 * reproducible for a UID which already has its keyrings, so find an
56 	 * unused UID.  Note that it would be better to directly check for the
57 	 * presence of the UID's keyrings than to search the passwd file.
58 	 * However, that's not easy to do given that even if we assumed the UID
59 	 * temporarily to check, KEYCTL_GET_KEYRING_ID for the user and user
60 	 * session keyrings will create them rather than failing (even if the
61 	 * 'create' argument is 0).
62 	 */
63 	while (getpwuid(uid))
64 		uid++;
65 
66 	sprintf(description, "_uid.%u", uid);
67 	fake_user_keyring = create_keyring(description);
68 	sprintf(description, "_uid_ses.%u", uid);
69 	fake_user_session_keyring = create_keyring(description);
70 
71 	SAFE_SETUID(uid);
72 
73 	if (fake_user_keyring == get_keyring_id(KEY_SPEC_USER_KEYRING))
74 		tst_brk(TFAIL, "created user keyring for another user");
75 
76 	if (fake_user_session_keyring ==
77 	    get_keyring_id(KEY_SPEC_USER_SESSION_KEYRING))
78 		tst_brk(TFAIL, "created user session keyring for another user");
79 
80 	tst_res(TPASS, "expectedly could not create another user's keyrings");
81 }
82 
83 static struct tst_test test = {
84 	.test_all = do_test,
85 	.needs_root = 1,
86 	.tags = (const struct tst_tag[]) {
87 		{"linux-git", "237bbd29f7a0"},
88 		{}
89 	}
90 };
91