clone3_cap_checkpoint_restore.c source code [linux/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c]

1	// SPDX-License-Identifier: GPL-2.0
2
3	/*
4	* Based on Christian Brauner's clone3() example.
5	* These tests are assuming to be running in the host's
6	* PID namespace.
7	*/
8
9	/ capabilities related code based on selftests/bpf/test_verifier.c /
10
11	#define _GNU_SOURCE
12	#include <errno.h>
13	#include <linux/types.h>
14	#include <linux/sched.h>
15	#include <stdio.h>
16	#include <stdlib.h>
17	#include <stdbool.h>
18	#include <sys/capability.h>
19	#include <sys/prctl.h>
20	#include <sys/syscall.h>
21	#include <sys/types.h>
22	#include <sys/un.h>
23	#include <sys/wait.h>
24	#include <unistd.h>
25	#include <sched.h>
26
27	#include "../kselftest_harness.h"
28	#include "clone3_selftests.h"
29
30	#define MAX_PID_NS_LEVEL 32
31
32	static void child_exit(int ret)
33	{
34	fflush(stdout);
35	fflush(stderr);
36	_exit(ret);
37	}
38
39	static int call_clone3_set_tid(struct __test_metadata *_metadata,
40	pid_t *set_tid, size_t set_tid_size)
41	{
42	int status;
43	pid_t pid = -`1`;
44
45	struct __clone_args args = {
46	.exit_signal = SIGCHLD,
47	.set_tid = ptr_to_u64(set_tid),
48	.set_tid_size = set_tid_size,
49	};
50
51	pid = sys_clone3(args: &args, size: sizeof(args));
52	if (pid < `0`) {
53	TH_LOG("%s - Failed to create new process", strerror(errno));
54	return -errno;
55	}
56
57	if (pid == `0`) {
58	int ret;
59	char tmp = `0`;
60
61	TH_LOG("I am the child, my PID is %d (expected %d)", getpid(), set_tid[`0`]);
62
63	if (set_tid[`0`] != getpid())
64	child_exit(ret: EXIT_FAILURE);
65	child_exit(ret: EXIT_SUCCESS);
66	}
67
68	TH_LOG("I am the parent (%d). My child's pid is %d", getpid(), pid);
69
70	if (waitpid(pid, &status, `0`) < `0`) {
71	TH_LOG("Child returned %s", strerror(errno));
72	return -errno;
73	}
74
75	if (!WIFEXITED(status))
76	return -`1`;
77
78	return WEXITSTATUS(status);
79	}
80
81	static int test_clone3_set_tid(struct __test_metadata *_metadata,
82	pid_t *set_tid, size_t set_tid_size)
83	{
84	int ret;
85
86	TH_LOG("[%d] Trying clone3() with CLONE_SET_TID to %d", getpid(), set_tid[`0`]);
87	ret = call_clone3_set_tid(_metadata, set_tid, set_tid_size);
88	TH_LOG("[%d] clone3() with CLONE_SET_TID %d says:%d", getpid(), set_tid[`0`], ret);
89	return ret;
90	}
91
92	struct libcap {
93	struct __user_cap_header_struct hdr;
94	struct __user_cap_data_struct data[`2`];
95	};
96
97	static int set_capability(void)
98	{
99	cap_value_t cap_values[] = { CAP_SETUID, CAP_SETGID };
100	struct libcap *cap;
101	int ret = -`1`;
102	cap_t caps;
103
104	caps = cap_get_proc();
105	if (!caps) {
106	perror("cap_get_proc");
107	return -`1`;
108	}
109
110	/ Drop all capabilities /
111	if (cap_clear(caps)) {
112	perror("cap_clear");
113	goto out;
114	}
115
116	cap_set_flag(caps, CAP_EFFECTIVE, `2`, cap_values, CAP_SET);
117	cap_set_flag(caps, CAP_PERMITTED, `2`, cap_values, CAP_SET);
118
119	cap = (struct libcap *) caps;
120
121	/ 40 -> CAP_CHECKPOINT_RESTORE /
122	cap->data[`1`].effective \|= `1` << (`40` - `32`);
123	cap->data[`1`].permitted \|= `1` << (`40` - `32`);
124
125	if (cap_set_proc(caps)) {
126	perror("cap_set_proc");
127	goto out;
128	}
129	ret = `0`;
130	out:
131	if (cap_free(caps))
132	perror("cap_free");
133	return ret;
134	}
135
136	TEST(clone3_cap_checkpoint_restore)
137	{
138	pid_t pid;
139	int status;
140	int ret = `0`;
141	pid_t set_tid[`1`];
142
143	test_clone3_supported();
144
145	EXPECT_EQ(getuid(), `0`)
146	SKIP(return, "Skipping all tests as non-root");
147
148	memset(&set_tid, `0`, sizeof(set_tid));
149
150	/ Find the current active PID /
151	pid = fork();
152	if (pid == `0`) {
153	TH_LOG("Child has PID %d", getpid());
154	child_exit(EXIT_SUCCESS);
155	}
156	ASSERT_GT(waitpid(pid, &status, `0`), `0`)
157	TH_LOG("Waiting for child %d failed", pid);
158
159	/ After the child has finished, its PID should be free. /
160	set_tid[`0`] = pid;
161
162	ASSERT_EQ(set_capability(), `0`)
163	TH_LOG("Could not set CAP_CHECKPOINT_RESTORE");
164
165	ASSERT_EQ(prctl(PR_SET_KEEPCAPS, `1`, `0`, `0`, `0`), `0`);
166
167	EXPECT_EQ(setgid(`65534`), `0`)
168	TH_LOG("Failed to setgid(65534)");
169	ASSERT_EQ(setuid(`65534`), `0`);
170
171	set_tid[`0`] = pid;
172	/ This would fail without CAP_CHECKPOINT_RESTORE /
173	ASSERT_EQ(test_clone3_set_tid(_metadata, set_tid, `1`), -EPERM);
174	ASSERT_EQ(set_capability(), `0`)
175	TH_LOG("Could not set CAP_CHECKPOINT_RESTORE");
176	/ This should work as we have CAP_CHECKPOINT_RESTORE as non-root /
177	ASSERT_EQ(test_clone3_set_tid(_metadata, set_tid, `1`), `0`);
178	}
179
180	TEST_HARNESS_MAIN
181

source code of linux/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c