go
/
gvisor
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
gvisor/test/syscalls/linux/proc_pid_uid_gid_map.cc

312 lines
11 KiB
C++
Raw Blame History

// Copyright 2019 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <fcntl.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <functional>
#include <string>
#include <tuple>
#include <utility>
#include <vector>
#include "gtest/gtest.h"
#include "absl/strings/ascii.h"
#include "absl/strings/str_cat.h"
#include "absl/strings/str_split.h"
#include "test/util/capability_util.h"
#include "test/util/cleanup.h"
#include "test/util/file_descriptor.h"
#include "test/util/fs_util.h"
#include "test/util/logging.h"
#include "test/util/multiprocess_util.h"
#include "test/util/posix_error.h"
#include "test/util/save_util.h"
#include "test/util/test_util.h"
#include "test/util/time_util.h"
namespace gvisor {
namespace testing {
PosixErrorOr<int> InNewUserNamespace(const std::function<void()>& fn) {
return InForkedProcess([&] {
TEST_PCHECK(unshare(CLONE_NEWUSER) == 0);
MaybeSave();
fn();
});
}
PosixErrorOr<std::tuple<pid_t, Cleanup>> CreateProcessInNewUserNamespace() {
int pipefd[2];
if (pipe(pipefd) < 0) {
return PosixError(errno, "pipe failed");
}
const auto cleanup_pipe_read =
Cleanup([&] { EXPECT_THAT(close(pipefd[0]), SyscallSucceeds()); });
auto cleanup_pipe_write =
Cleanup([&] { EXPECT_THAT(close(pipefd[1]), SyscallSucceeds()); });
pid_t child_pid = fork();
if (child_pid < 0) {
return PosixError(errno, "fork failed");
}
if (child_pid == 0) {
// Close our copy of the pipe's read end, which doesn't really matter.
TEST_PCHECK(close(pipefd[0]) >= 0);
TEST_PCHECK(unshare(CLONE_NEWUSER) == 0);
MaybeSave();
// Indicate that we've switched namespaces by unblocking the parent's read.
TEST_PCHECK(close(pipefd[1]) >= 0);
while (true) {
SleepSafe(absl::Minutes(1));
}
}
auto cleanup_child = Cleanup([child_pid] {
EXPECT_THAT(kill(child_pid, SIGKILL), SyscallSucceeds());
int status;
ASSERT_THAT(RetryEINTR(waitpid)(child_pid, &status, 0),
SyscallSucceedsWithValue(child_pid));
EXPECT_TRUE(WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
<< "status = " << status;
});
// Close our copy of the pipe's write end, then wait for the child to close
// its copy, indicating that it's switched namespaces.
cleanup_pipe_write.Release()();
char buf;
if (RetryEINTR(read)(pipefd[0], &buf, 1) < 0) {
return PosixError(errno, "reading from pipe failed");
}
MaybeSave();
return std::make_tuple(child_pid, std::move(cleanup_child));
}
// TEST_CHECK-fails on error, since this function is used in contexts that
// require async-signal-safety.
void DenySetgroupsByPath(const char* path) {
int fd = open(path, O_WRONLY);
if (fd < 0 && errno == ENOENT) {
// On kernels where this file doesn't exist, writing "deny" to it isn't
// necessary to write to gid_map.
return;
}
TEST_PCHECK(fd >= 0);
MaybeSave();
char deny[] = "deny";
TEST_PCHECK(write(fd, deny, sizeof(deny)) == sizeof(deny));
MaybeSave();
TEST_PCHECK(close(fd) == 0);
}
void DenySelfSetgroups() { DenySetgroupsByPath("/proc/self/setgroups"); }
void DenyPidSetgroups(pid_t pid) {
DenySetgroupsByPath(absl::StrCat("/proc/", pid, "/setgroups").c_str());
}
// Returns a valid UID/GID that isn't id.
uint32_t another_id(uint32_t id) { return (id + 1) % 65535; }
struct TestParam {
std::string desc;
int cap;
std::function<std::string(absl::string_view)> get_map_filename;
std::function<uint32_t()> get_current_id;
};
std::string DescribeTestParam(const ::testing::TestParamInfo<TestParam>& info) {
return info.param.desc;
}
std::vector<TestParam> UidGidMapTestParams() {
return {TestParam{"UID", CAP_SETUID,
[](absl::string_view pid) {
return absl::StrCat("/proc/", pid, "/uid_map");
},
[]() -> uint32_t { return getuid(); }},
TestParam{"GID", CAP_SETGID,
[](absl::string_view pid) {
return absl::StrCat("/proc/", pid, "/gid_map");
},
[]() -> uint32_t { return getgid(); }}};
}
class ProcUidGidMapTest : public ::testing::TestWithParam<TestParam> {
protected:
uint32_t CurrentID() { return GetParam().get_current_id(); }
};
class ProcSelfUidGidMapTest : public ProcUidGidMapTest {
protected:
PosixErrorOr<int> InNewUserNamespaceWithMapFD(
const std::function<void(int)>& fn) {
std::string map_filename = GetParam().get_map_filename("self");
return InNewUserNamespace([&] {
int fd = open(map_filename.c_str(), O_RDWR);
TEST_PCHECK(fd >= 0);
MaybeSave();
fn(fd);
TEST_PCHECK(close(fd) == 0);
});
}
};
class ProcPidUidGidMapTest : public ProcUidGidMapTest {
protected:
PosixErrorOr<bool> HaveSetIDCapability() {
return HaveCapability(GetParam().cap);
}
// Returns true if the caller is running in a user namespace with all IDs
// mapped. This matters for tests that expect to successfully map arbitrary
// IDs into a child user namespace, since even with CAP_SET*ID this is only
// possible if those IDs are mapped into the current one.
PosixErrorOr<bool> AllIDsMapped() {
ASSIGN_OR_RETURN_ERRNO(std::string id_map,
GetContents(GetParam().get_map_filename("self")));
absl::StripTrailingAsciiWhitespace(&id_map);
std::vector<std::string> id_map_parts =
absl::StrSplit(id_map, ' ', absl::SkipEmpty());
return id_map_parts == std::vector<std::string>({"0", "0", "4294967295"});
}
PosixErrorOr<FileDescriptor> OpenMapFile(pid_t pid) {
return Open(GetParam().get_map_filename(absl::StrCat(pid)), O_RDWR);
}
};
TEST_P(ProcSelfUidGidMapTest, IsInitiallyEmpty) {
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(CanCreateUserNamespace()));
EXPECT_THAT(InNewUserNamespaceWithMapFD([](int fd) {
char buf[64];
TEST_PCHECK(read(fd, buf, sizeof(buf)) == 0);
}),
IsPosixErrorOkAndHolds(0));
}
TEST_P(ProcSelfUidGidMapTest, IdentityMapOwnID) {
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(CanCreateUserNamespace()));
uint32_t id = CurrentID();
std::string line = absl::StrCat(id, " ", id, " 1");
EXPECT_THAT(
InNewUserNamespaceWithMapFD([&](int fd) {
DenySelfSetgroups();
TEST_PCHECK(write(fd, line.c_str(), line.size()) == line.size());
}),
IsPosixErrorOkAndHolds(0));
}
TEST_P(ProcSelfUidGidMapTest, TrailingNewlineAndNULIgnored) {
// This is identical to IdentityMapOwnID, except that a trailing newline, NUL,
// and an invalid (incomplete) map entry are appended to the valid entry. The
// newline should be accepted, and everything after the NUL should be ignored.
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(CanCreateUserNamespace()));
uint32_t id = CurrentID();
std::string line = absl::StrCat(id, " ", id, " 1\n\0 4 3");
EXPECT_THAT(
InNewUserNamespaceWithMapFD([&](int fd) {
DenySelfSetgroups();
// The write should return the full size of the write, even though
// characters after the NUL were ignored.
TEST_PCHECK(write(fd, line.c_str(), line.size()) == line.size());
}),
IsPosixErrorOkAndHolds(0));
}
TEST_P(ProcSelfUidGidMapTest, NonIdentityMapOwnID) {
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(CanCreateUserNamespace()));
uint32_t id = CurrentID();
uint32_t id2 = another_id(id);
std::string line = absl::StrCat(id2, " ", id, " 1");
EXPECT_THAT(
InNewUserNamespaceWithMapFD([&](int fd) {
DenySelfSetgroups();
TEST_PCHECK(write(fd, line.c_str(), line.size()) == line.size());
}),
IsPosixErrorOkAndHolds(0));
}
TEST_P(ProcSelfUidGidMapTest, MapOtherID) {
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(CanCreateUserNamespace()));
// Whether or not we have CAP_SET*ID is irrelevant: the process running in the
// new (child) user namespace won't have any capabilities in the current
// (parent) user namespace, which is needed.
uint32_t id = CurrentID();
uint32_t id2 = another_id(id);
std::string line = absl::StrCat(id, " ", id2, " 1");
EXPECT_THAT(InNewUserNamespaceWithMapFD([&](int fd) {
DenySelfSetgroups();
TEST_PCHECK(write(fd, line.c_str(), line.size()) < 0);
TEST_CHECK(errno == EPERM);
}),
IsPosixErrorOkAndHolds(0));
}
INSTANTIATE_TEST_SUITE_P(All, ProcSelfUidGidMapTest,
::testing::ValuesIn(UidGidMapTestParams()),
DescribeTestParam);
TEST_P(ProcPidUidGidMapTest, MapOtherIDPrivileged) {
// Like ProcSelfUidGidMapTest_MapOtherID, but since we have CAP_SET*ID in the
// parent user namespace (this one), we can map IDs that aren't ours.
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(CanCreateUserNamespace()));
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveSetIDCapability()));
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(AllIDsMapped()));
pid_t child_pid;
Cleanup cleanup_child;
std::tie(child_pid, cleanup_child) =
ASSERT_NO_ERRNO_AND_VALUE(CreateProcessInNewUserNamespace());
uint32_t id = CurrentID();
uint32_t id2 = another_id(id);
std::string line = absl::StrCat(id, " ", id2, " 1");
DenyPidSetgroups(child_pid);
auto fd = ASSERT_NO_ERRNO_AND_VALUE(OpenMapFile(child_pid));
EXPECT_THAT(write(fd.get(), line.c_str(), line.size()),
SyscallSucceedsWithValue(line.size()));
}
TEST_P(ProcPidUidGidMapTest, MapAnyIDsPrivileged) {
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(CanCreateUserNamespace()));
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveSetIDCapability()));
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(AllIDsMapped()));
pid_t child_pid;
Cleanup cleanup_child;
std::tie(child_pid, cleanup_child) =
ASSERT_NO_ERRNO_AND_VALUE(CreateProcessInNewUserNamespace());
// Test all of:
//
// - Mapping ranges of length > 1
//
// - Mapping multiple ranges
//
// - Non-identity mappings
char entries[] = "2 0 2\n4 6 2";
DenyPidSetgroups(child_pid);
auto fd = ASSERT_NO_ERRNO_AND_VALUE(OpenMapFile(child_pid));
EXPECT_THAT(write(fd.get(), entries, sizeof(entries)),
SyscallSucceedsWithValue(sizeof(entries)));
}
INSTANTIATE_TEST_SUITE_P(All, ProcPidUidGidMapTest,
::testing::ValuesIn(UidGidMapTestParams()),
DescribeTestParam);
} // namespace testing
} // namespace gvisor
Reference in New Issue View Git Blame Copy Permalink