1 | // SPDX-License-Identifier: GPL-2.0 |
2 | |
3 | /* |
4 | * Based on Christian Brauner's clone3() example. |
5 | * These tests are assuming to be running in the host's |
6 | * PID namespace. |
7 | */ |
8 | |
9 | /* capabilities related code based on selftests/bpf/test_verifier.c */ |
10 | |
11 | #define _GNU_SOURCE |
12 | #include <errno.h> |
13 | #include <linux/types.h> |
14 | #include <linux/sched.h> |
15 | #include <stdio.h> |
16 | #include <stdlib.h> |
17 | #include <stdbool.h> |
18 | #include <sys/capability.h> |
19 | #include <sys/prctl.h> |
20 | #include <sys/syscall.h> |
21 | #include <sys/types.h> |
22 | #include <sys/un.h> |
23 | #include <sys/wait.h> |
24 | #include <unistd.h> |
25 | #include <sched.h> |
26 | |
27 | #include "../kselftest_harness.h" |
28 | #include "clone3_selftests.h" |
29 | |
30 | #define MAX_PID_NS_LEVEL 32 |
31 | |
32 | static void child_exit(int ret) |
33 | { |
34 | fflush(stdout); |
35 | fflush(stderr); |
36 | _exit(ret); |
37 | } |
38 | |
39 | static int call_clone3_set_tid(struct __test_metadata *_metadata, |
40 | pid_t *set_tid, size_t set_tid_size) |
41 | { |
42 | int status; |
43 | pid_t pid = -1; |
44 | |
45 | struct __clone_args args = { |
46 | .exit_signal = SIGCHLD, |
47 | .set_tid = ptr_to_u64(set_tid), |
48 | .set_tid_size = set_tid_size, |
49 | }; |
50 | |
51 | pid = sys_clone3(args: &args, size: sizeof(args)); |
52 | if (pid < 0) { |
53 | TH_LOG("%s - Failed to create new process" , strerror(errno)); |
54 | return -errno; |
55 | } |
56 | |
57 | if (pid == 0) { |
58 | int ret; |
59 | char tmp = 0; |
60 | |
61 | TH_LOG("I am the child, my PID is %d (expected %d)" , getpid(), set_tid[0]); |
62 | |
63 | if (set_tid[0] != getpid()) |
64 | child_exit(ret: EXIT_FAILURE); |
65 | child_exit(ret: EXIT_SUCCESS); |
66 | } |
67 | |
68 | TH_LOG("I am the parent (%d). My child's pid is %d" , getpid(), pid); |
69 | |
70 | if (waitpid(pid, &status, 0) < 0) { |
71 | TH_LOG("Child returned %s" , strerror(errno)); |
72 | return -errno; |
73 | } |
74 | |
75 | if (!WIFEXITED(status)) |
76 | return -1; |
77 | |
78 | return WEXITSTATUS(status); |
79 | } |
80 | |
81 | static int test_clone3_set_tid(struct __test_metadata *_metadata, |
82 | pid_t *set_tid, size_t set_tid_size) |
83 | { |
84 | int ret; |
85 | |
86 | TH_LOG("[%d] Trying clone3() with CLONE_SET_TID to %d" , getpid(), set_tid[0]); |
87 | ret = call_clone3_set_tid(_metadata, set_tid, set_tid_size); |
88 | TH_LOG("[%d] clone3() with CLONE_SET_TID %d says:%d" , getpid(), set_tid[0], ret); |
89 | return ret; |
90 | } |
91 | |
92 | struct libcap { |
93 | struct hdr; |
94 | struct __user_cap_data_struct data[2]; |
95 | }; |
96 | |
97 | static int set_capability(void) |
98 | { |
99 | cap_value_t cap_values[] = { CAP_SETUID, CAP_SETGID }; |
100 | struct libcap *cap; |
101 | int ret = -1; |
102 | cap_t caps; |
103 | |
104 | caps = cap_get_proc(); |
105 | if (!caps) { |
106 | perror("cap_get_proc" ); |
107 | return -1; |
108 | } |
109 | |
110 | /* Drop all capabilities */ |
111 | if (cap_clear(caps)) { |
112 | perror("cap_clear" ); |
113 | goto out; |
114 | } |
115 | |
116 | cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_values, CAP_SET); |
117 | cap_set_flag(caps, CAP_PERMITTED, 2, cap_values, CAP_SET); |
118 | |
119 | cap = (struct libcap *) caps; |
120 | |
121 | /* 40 -> CAP_CHECKPOINT_RESTORE */ |
122 | cap->data[1].effective |= 1 << (40 - 32); |
123 | cap->data[1].permitted |= 1 << (40 - 32); |
124 | |
125 | if (cap_set_proc(caps)) { |
126 | perror("cap_set_proc" ); |
127 | goto out; |
128 | } |
129 | ret = 0; |
130 | out: |
131 | if (cap_free(caps)) |
132 | perror("cap_free" ); |
133 | return ret; |
134 | } |
135 | |
136 | TEST(clone3_cap_checkpoint_restore) |
137 | { |
138 | pid_t pid; |
139 | int status; |
140 | int ret = 0; |
141 | pid_t set_tid[1]; |
142 | |
143 | test_clone3_supported(); |
144 | |
145 | EXPECT_EQ(getuid(), 0) |
146 | SKIP(return, "Skipping all tests as non-root" ); |
147 | |
148 | memset(&set_tid, 0, sizeof(set_tid)); |
149 | |
150 | /* Find the current active PID */ |
151 | pid = fork(); |
152 | if (pid == 0) { |
153 | TH_LOG("Child has PID %d" , getpid()); |
154 | child_exit(EXIT_SUCCESS); |
155 | } |
156 | ASSERT_GT(waitpid(pid, &status, 0), 0) |
157 | TH_LOG("Waiting for child %d failed" , pid); |
158 | |
159 | /* After the child has finished, its PID should be free. */ |
160 | set_tid[0] = pid; |
161 | |
162 | ASSERT_EQ(set_capability(), 0) |
163 | TH_LOG("Could not set CAP_CHECKPOINT_RESTORE" ); |
164 | |
165 | ASSERT_EQ(prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0), 0); |
166 | |
167 | EXPECT_EQ(setgid(65534), 0) |
168 | TH_LOG("Failed to setgid(65534)" ); |
169 | ASSERT_EQ(setuid(65534), 0); |
170 | |
171 | set_tid[0] = pid; |
172 | /* This would fail without CAP_CHECKPOINT_RESTORE */ |
173 | ASSERT_EQ(test_clone3_set_tid(_metadata, set_tid, 1), -EPERM); |
174 | ASSERT_EQ(set_capability(), 0) |
175 | TH_LOG("Could not set CAP_CHECKPOINT_RESTORE" ); |
176 | /* This should work as we have CAP_CHECKPOINT_RESTORE as non-root */ |
177 | ASSERT_EQ(test_clone3_set_tid(_metadata, set_tid, 1), 0); |
178 | } |
179 | |
180 | TEST_HARNESS_MAIN |
181 | |