• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sandbox/linux/services/credentials.h"
6 
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <stdio.h>
10 #include <sys/stat.h>
11 #include <sys/types.h>
12 #include <unistd.h>
13 
14 #include "base/files/file_util.h"
15 #include "base/files/scoped_file.h"
16 #include "base/logging.h"
17 #include "base/memory/scoped_ptr.h"
18 #include "sandbox/linux/tests/unit_tests.h"
19 #include "testing/gtest/include/gtest/gtest.h"
20 
21 namespace sandbox {
22 
23 namespace {
24 
DirectoryExists(const char * path)25 bool DirectoryExists(const char* path) {
26   struct stat dir;
27   errno = 0;
28   int ret = stat(path, &dir);
29   return -1 != ret || ENOENT != errno;
30 }
31 
WorkingDirectoryIsRoot()32 bool WorkingDirectoryIsRoot() {
33   char current_dir[PATH_MAX];
34   char* cwd = getcwd(current_dir, sizeof(current_dir));
35   PCHECK(cwd);
36   if (strcmp("/", cwd)) return false;
37 
38   // The current directory is the root. Add a few paranoid checks.
39   struct stat current;
40   CHECK_EQ(0, stat(".", &current));
41   struct stat parrent;
42   CHECK_EQ(0, stat("..", &parrent));
43   CHECK_EQ(current.st_dev, parrent.st_dev);
44   CHECK_EQ(current.st_ino, parrent.st_ino);
45   CHECK_EQ(current.st_mode, parrent.st_mode);
46   CHECK_EQ(current.st_uid, parrent.st_uid);
47   CHECK_EQ(current.st_gid, parrent.st_gid);
48   return true;
49 }
50 
51 // Give dynamic tools a simple thing to test.
TEST(Credentials,CreateAndDestroy)52 TEST(Credentials, CreateAndDestroy) {
53   {
54     Credentials cred1;
55     (void) cred1;
56   }
57   scoped_ptr<Credentials> cred2(new Credentials);
58 }
59 
TEST(Credentials,CountOpenFds)60 TEST(Credentials, CountOpenFds) {
61   base::ScopedFD proc_fd(open("/proc", O_RDONLY | O_DIRECTORY));
62   ASSERT_TRUE(proc_fd.is_valid());
63   Credentials creds;
64   int fd_count = creds.CountOpenFds(proc_fd.get());
65   int fd = open("/dev/null", O_RDONLY);
66   ASSERT_LE(0, fd);
67   EXPECT_EQ(fd_count + 1, creds.CountOpenFds(proc_fd.get()));
68   ASSERT_EQ(0, IGNORE_EINTR(close(fd)));
69   EXPECT_EQ(fd_count, creds.CountOpenFds(proc_fd.get()));
70 }
71 
TEST(Credentials,HasOpenDirectory)72 TEST(Credentials, HasOpenDirectory) {
73   Credentials creds;
74   // No open directory should exist at startup.
75   EXPECT_FALSE(creds.HasOpenDirectory(-1));
76   {
77     // Have a "/dev" file descriptor around.
78     int dev_fd = open("/dev", O_RDONLY | O_DIRECTORY);
79     base::ScopedFD dev_fd_closer(dev_fd);
80     EXPECT_TRUE(creds.HasOpenDirectory(-1));
81   }
82   EXPECT_FALSE(creds.HasOpenDirectory(-1));
83 }
84 
TEST(Credentials,HasOpenDirectoryWithFD)85 TEST(Credentials, HasOpenDirectoryWithFD) {
86   Credentials creds;
87 
88   int proc_fd = open("/proc", O_RDONLY | O_DIRECTORY);
89   base::ScopedFD proc_fd_closer(proc_fd);
90   ASSERT_LE(0, proc_fd);
91 
92   // Don't pass |proc_fd|, an open directory (proc_fd) should
93   // be detected.
94   EXPECT_TRUE(creds.HasOpenDirectory(-1));
95   // Pass |proc_fd| and no open directory should be detected.
96   EXPECT_FALSE(creds.HasOpenDirectory(proc_fd));
97 
98   {
99     // Have a "/dev" file descriptor around.
100     int dev_fd = open("/dev", O_RDONLY | O_DIRECTORY);
101     base::ScopedFD dev_fd_closer(dev_fd);
102     EXPECT_TRUE(creds.HasOpenDirectory(proc_fd));
103   }
104 
105   // The "/dev" file descriptor should now be closed, |proc_fd| is the only
106   // directory file descriptor open.
107   EXPECT_FALSE(creds.HasOpenDirectory(proc_fd));
108 }
109 
SANDBOX_TEST(Credentials,DropAllCaps)110 SANDBOX_TEST(Credentials, DropAllCaps) {
111   Credentials creds;
112   CHECK(creds.DropAllCapabilities());
113   CHECK(!creds.HasAnyCapability());
114 }
115 
SANDBOX_TEST(Credentials,GetCurrentCapString)116 SANDBOX_TEST(Credentials, GetCurrentCapString) {
117   Credentials creds;
118   CHECK(creds.DropAllCapabilities());
119   const char kNoCapabilityText[] = "=";
120   CHECK(*creds.GetCurrentCapString() == kNoCapabilityText);
121 }
122 
SANDBOX_TEST(Credentials,MoveToNewUserNS)123 SANDBOX_TEST(Credentials, MoveToNewUserNS) {
124   Credentials creds;
125   creds.DropAllCapabilities();
126   bool moved_to_new_ns = creds.MoveToNewUserNS();
127   fprintf(stdout,
128           "Unprivileged CLONE_NEWUSER supported: %s\n",
129           moved_to_new_ns ? "true." : "false.");
130   fflush(stdout);
131   if (!moved_to_new_ns) {
132     fprintf(stdout, "This kernel does not support unprivileged namespaces. "
133             "USERNS tests will succeed without running.\n");
134     fflush(stdout);
135     return;
136   }
137   CHECK(creds.HasAnyCapability());
138   creds.DropAllCapabilities();
139   CHECK(!creds.HasAnyCapability());
140 }
141 
SANDBOX_TEST(Credentials,SupportsUserNS)142 SANDBOX_TEST(Credentials, SupportsUserNS) {
143   Credentials creds;
144   creds.DropAllCapabilities();
145   bool user_ns_supported = Credentials::SupportsNewUserNS();
146   bool moved_to_new_ns = creds.MoveToNewUserNS();
147   CHECK_EQ(user_ns_supported, moved_to_new_ns);
148 }
149 
SANDBOX_TEST(Credentials,UidIsPreserved)150 SANDBOX_TEST(Credentials, UidIsPreserved) {
151   Credentials creds;
152   creds.DropAllCapabilities();
153   uid_t old_ruid, old_euid, old_suid;
154   gid_t old_rgid, old_egid, old_sgid;
155   PCHECK(0 == getresuid(&old_ruid, &old_euid, &old_suid));
156   PCHECK(0 == getresgid(&old_rgid, &old_egid, &old_sgid));
157   // Probably missing kernel support.
158   if (!creds.MoveToNewUserNS()) return;
159   uid_t new_ruid, new_euid, new_suid;
160   PCHECK(0 == getresuid(&new_ruid, &new_euid, &new_suid));
161   CHECK(old_ruid == new_ruid);
162   CHECK(old_euid == new_euid);
163   CHECK(old_suid == new_suid);
164 
165   gid_t new_rgid, new_egid, new_sgid;
166   PCHECK(0 == getresgid(&new_rgid, &new_egid, &new_sgid));
167   CHECK(old_rgid == new_rgid);
168   CHECK(old_egid == new_egid);
169   CHECK(old_sgid == new_sgid);
170 }
171 
NewUserNSCycle(Credentials * creds)172 bool NewUserNSCycle(Credentials* creds) {
173   DCHECK(creds);
174   if (!creds->MoveToNewUserNS() ||
175       !creds->HasAnyCapability() ||
176       !creds->DropAllCapabilities() ||
177       creds->HasAnyCapability()) {
178     return false;
179   }
180   return true;
181 }
182 
SANDBOX_TEST(Credentials,NestedUserNS)183 SANDBOX_TEST(Credentials, NestedUserNS) {
184   Credentials creds;
185   CHECK(creds.DropAllCapabilities());
186   // Probably missing kernel support.
187   if (!creds.MoveToNewUserNS()) return;
188   creds.DropAllCapabilities();
189   // As of 3.12, the kernel has a limit of 32. See create_user_ns().
190   const int kNestLevel = 10;
191   for (int i = 0; i < kNestLevel; ++i) {
192     CHECK(NewUserNSCycle(&creds)) << "Creating new user NS failed at iteration "
193                                   << i << ".";
194   }
195 }
196 
197 // Test the WorkingDirectoryIsRoot() helper.
TEST(Credentials,CanDetectRoot)198 TEST(Credentials, CanDetectRoot) {
199   ASSERT_EQ(0, chdir("/proc/"));
200   ASSERT_FALSE(WorkingDirectoryIsRoot());
201   ASSERT_EQ(0, chdir("/"));
202   ASSERT_TRUE(WorkingDirectoryIsRoot());
203 }
204 
SANDBOX_TEST(Credentials,DISABLE_ON_LSAN (DropFileSystemAccessIsSafe))205 SANDBOX_TEST(Credentials, DISABLE_ON_LSAN(DropFileSystemAccessIsSafe)) {
206   Credentials creds;
207   CHECK(creds.DropAllCapabilities());
208   // Probably missing kernel support.
209   if (!creds.MoveToNewUserNS()) return;
210   CHECK(creds.DropFileSystemAccess());
211   CHECK(!DirectoryExists("/proc"));
212   CHECK(WorkingDirectoryIsRoot());
213   // We want the chroot to never have a subdirectory. A subdirectory
214   // could allow a chroot escape.
215   CHECK_NE(0, mkdir("/test", 0700));
216 }
217 
218 // Check that after dropping filesystem access and dropping privileges
219 // it is not possible to regain capabilities.
SANDBOX_TEST(Credentials,DISABLE_ON_LSAN (CannotRegainPrivileges))220 SANDBOX_TEST(Credentials, DISABLE_ON_LSAN(CannotRegainPrivileges)) {
221   Credentials creds;
222   CHECK(creds.DropAllCapabilities());
223   // Probably missing kernel support.
224   if (!creds.MoveToNewUserNS()) return;
225   CHECK(creds.DropFileSystemAccess());
226   CHECK(creds.DropAllCapabilities());
227 
228   // The kernel should now prevent us from regaining capabilities because we
229   // are in a chroot.
230   CHECK(!Credentials::SupportsNewUserNS());
231   CHECK(!creds.MoveToNewUserNS());
232 }
233 
234 }  // namespace.
235 
236 }  // namespace sandbox.
237