
Simple regression tests for O_PATH/AT_EMPTY_PATH
ClosedPublic

Authored by markj on Apr 11 2021, 10:17 PM.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

kib added inline comments.
tests/sys/file/path_test.c
97

The canonical way, AFAIU, is to not specify O_RDONLY. O_PATH is an access mode on its own. When requesting O_PATH | O_EXEC, we are requesting two modes.

On the other hand, O_RDONLY is zero so it is fine either way for testing the implementation.

232

It would be most interesting to do something in reverse, namely, check that AT_EMPTY_PATH verifies access permissions when a non-root user tries to, e.g., linkat(AT_EMPTY_PATH) to a file he does not own. In other words, check that AT_EMPTY_PATH does not create a security hole.

But I have no idea how to do it with atf.

markj added inline comments.
tests/sys/file/path_test.c
232

I tried to do this in the test above, with the geteuid() == 0 check. It is not ideal; nothing ensures that the test is ever run as a non-root user.

  • getuid -> geteuid
  • Drop permissions flags in open() calls specifying O_PATH

Verify that capability mode namespace checks work on path fds.

Make sure that CAP_FEXECVE is checked on path fds.

tests/sys/file/path_test.c
232

There is some mechanism in ATF triggered by atf_tc_set_md_var(tc, "require.user", "unprivileged");. See for instance contrib/netbsd-tests/lib/libc/sys/t_access.c access_access

But I have no idea about the details.

tests/sys/file/path_test.c
232

Thanks, I didn't know about it. Apparently it causes kyua to run the test without privileges if invoked as root.

Split unprivileged tests into separate test cases and annotate them.

This revision is now accepted and ready to land. Apr 14 2021, 2:34 PM