Page MenuHomeFreeBSD

Simple regression tests for O_PATH/AT_EMPTY_PATH
ClosedPublic

Authored by markj on Apr 11 2021, 10:17 PM.
Tags
None
Referenced Files
F103472548: D29719.diff
Mon, Nov 25, 11:41 AM
Unknown Object (File)
Sat, Nov 23, 8:57 PM
Unknown Object (File)
Fri, Nov 22, 6:22 AM
Unknown Object (File)
Thu, Nov 21, 10:13 AM
Unknown Object (File)
Mon, Nov 4, 7:53 AM
Unknown Object (File)
Mon, Nov 4, 7:50 AM
Unknown Object (File)
Oct 18 2024, 12:53 AM
Unknown Object (File)
Oct 18 2024, 12:52 AM
Subscribers

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 38542
Build 35431: arc lint + arc unit

Event Timeline

kib added inline comments.
tests/sys/file/path_test.c
98

Canonical way, AFAIU, is to not specify O_RDONLY. O_PATH is the access mode on its own. When requesting O_PATH | O_EXEC, we requesting two modes.

On the other hand, O_RDONLY is zero so it is fine either way for testing the implementation.

233

It would be most interesting to do something in reverse, namely, check that AT_EMPTY_PATH verifies access permissions when non-root user tries to e.g. linkat(AT_EMPTY_PATH) to file he does not own. In other words, check that AT_EMPTY_PATH does not create a security hole.

But I have no idea how to do it with atf.

markj added inline comments.
tests/sys/file/path_test.c
233

I tried to do this in the test above, with the geteuid() == 0 check. It is not ideal, nothing ensures that the test is ever run as a non-root user.

  • getuid -> geteuid
  • Drop permissions flags in open() calls specifying O_PATH

Verify that capability mode namespace checks work on path fds.

Make sure that CAP_FEXECVE is checked on path fds.

tests/sys/file/path_test.c
233

There is some mechanism in ATF triggered by atf_tc_set_md_var(tc, "require.user", "unprivileged");. See for instance contrib/netbsd-tests/lib/libc/sys/t_access.c access_access

But I have no idea about details.

tests/sys/file/path_test.c
233

Thanks, I didn't know about it. Apparently it causes kyua to run the test without privileges if invoked as root.

Split unprivileged tests into separate test cases and annotate them.

This revision is now accepted and ready to land.Apr 14 2021, 2:34 PM