libc/sys/t_ptrace.c

1.1Skamil/*	$NetBSD: t_ptrace.c,v 1.1 2017/04/02 21:44:00 kamil Exp $	*/
1.1Skamil
1.1Skamil/*-
1.1Skamil * Copyright (c) 2016 The NetBSD Foundation, Inc.
1.1Skamil * All rights reserved.
1.1Skamil *
1.1Skamil * Redistribution and use in source and binary forms, with or without
1.1Skamil * modification, are permitted provided that the following conditions
1.1Skamil * are met:
1.1Skamil * 1. Redistributions of source code must retain the above copyright
1.1Skamil *    notice, this list of conditions and the following disclaimer.
1.1Skamil * 2. Redistributions in binary form must reproduce the above copyright
1.1Skamil *    notice, this list of conditions and the following disclaimer in the
1.1Skamil *    documentation and/or other materials provided with the distribution.
1.1Skamil *
1.1Skamil * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
1.1Skamil * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
1.1Skamil * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.1Skamil * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
1.1Skamil * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
1.1Skamil * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
1.1Skamil * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
1.1Skamil * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
1.1Skamil * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.1Skamil * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
1.1Skamil * POSSIBILITY OF SUCH DAMAGE.
1.1Skamil */
1.1Skamil
1.1Skamil#include <sys/cdefs.h>
1.1Skamil__RCSID("$NetBSD: t_ptrace.c,v 1.1 2017/04/02 21:44:00 kamil Exp $");
1.1Skamil
1.1Skamil#include <sys/param.h>
1.1Skamil#include <sys/types.h>
1.1Skamil#include <sys/ptrace.h>
1.1Skamil#include <sys/stat.h>
1.1Skamil#include <sys/sysctl.h>
1.1Skamil#include <err.h>
1.1Skamil#include <errno.h>
1.1Skamil#include <unistd.h>
1.1Skamil
1.1Skamil#include <atf-c.h>
1.1Skamil
1.1Skamil#include "h_macros.h"
1.1Skamil
1.1Skamil/*
1.1Skamil * A child process cannot call atf functions and expect them to magically
1.1Skamil * work like in the parent.
1.1Skamil * The printf(3) messaging from a child will not work out of the box as well
1.1Skamil * without estabilishing a communication protocol with its parent. To not
1.1Skamil * overcomplicate the tests - do not log from a child and use err(3)/errx(3)
1.1Skamil * wrapped with FORKEE_ASSERT()/FORKEE_ASSERTX() as that is guaranteed to work.
1.1Skamil */
1.1Skamil#define FORKEE_ASSERTX(x)							\
1.1Skamildo {										\
1.1Skamil	int ret = (x);								\
1.1Skamil	if (!ret)								\
1.1Skamil		errx(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s",	\
1.1Skamil		     __FILE__, __LINE__, __func__, #x);				\
1.1Skamil} while (0)
1.1Skamil
1.1Skamil#define FORKEE_ASSERT(x)							\
1.1Skamildo {										\
1.1Skamil	int ret = (x);								\
1.1Skamil	if (!ret)								\
1.1Skamil		err(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s",	\
1.1Skamil		     __FILE__, __LINE__, __func__, #x);				\
1.1Skamil} while (0)
1.1Skamil
1.1SkamilATF_TC(attach_pid0);
1.1SkamilATF_TC_HEAD(attach_pid0, tc)
1.1Skamil{
1.1Skamil	atf_tc_set_md_var(tc, "descr",
1.1Skamil	    "Assert that a debugger cannot attach to PID 0");
1.1Skamil}
1.1Skamil
1.1SkamilATF_TC_BODY(attach_pid0, tc)
1.1Skamil{
1.1Skamil	errno = 0;
1.1Skamil	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 0, NULL, 0) == -1);
1.1Skamil}
1.1Skamil
1.1SkamilATF_TC(attach_pid1);
1.1SkamilATF_TC_HEAD(attach_pid1, tc)
1.1Skamil{
1.1Skamil	atf_tc_set_md_var(tc, "descr",
1.1Skamil	    "Assert that a debugger cannot attach to PID 1 (as non-root)");
1.1Skamil
1.1Skamil	atf_tc_set_md_var(tc, "require.user", "unprivileged");
1.1Skamil}
1.1Skamil
1.1SkamilATF_TC_BODY(attach_pid1, tc)
1.1Skamil{
1.1Skamil	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
1.1Skamil}
1.1Skamil
1.1SkamilATF_TC(attach_pid1_securelevel);
1.1SkamilATF_TC_HEAD(attach_pid1_securelevel, tc)
1.1Skamil{
1.1Skamil	atf_tc_set_md_var(tc, "descr",
1.1Skamil	    "Assert that a debugger cannot attach to PID 1 with "
1.1Skamil	    "securelevel >= 0 (as root)");
1.1Skamil
1.1Skamil	atf_tc_set_md_var(tc, "require.user", "root");
1.1Skamil}
1.1Skamil
1.1SkamilATF_TC_BODY(attach_pid1_securelevel, tc)
1.1Skamil{
1.1Skamil	int level;
1.1Skamil	size_t len = sizeof(level);
1.1Skamil
1.1Skamil	ATF_REQUIRE(sysctlbyname("kern.securelevel", &level, &len, NULL, 0)
1.1Skamil	    != -1);
1.1Skamil
1.1Skamil	if (level < 0) {
1.1Skamil		atf_tc_skip("Test must be run with securelevel >= 0");
1.1Skamil	}
1.1Skamil
1.1Skamil	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
1.1Skamil}
1.1Skamil
1.1SkamilATF_TC(attach_self);
1.1SkamilATF_TC_HEAD(attach_self, tc)
1.1Skamil{
1.1Skamil	atf_tc_set_md_var(tc, "descr",
1.1Skamil	    "Assert that a debugger cannot attach to self (as it's nonsense)");
1.1Skamil}
1.1Skamil
1.1SkamilATF_TC_BODY(attach_self, tc)
1.1Skamil{
1.1Skamil	ATF_REQUIRE_ERRNO(EINVAL, ptrace(PT_ATTACH, getpid(), NULL, 0) == -1);
1.1Skamil}
1.1Skamil
1.1SkamilATF_TC(attach_chroot);
1.1SkamilATF_TC_HEAD(attach_chroot, tc)
1.1Skamil{
1.1Skamil	atf_tc_set_md_var(tc, "descr",
1.1Skamil	    "Assert that a debugger cannot trace another process unless the "
1.1Skamil	    "process's root directory is at or below the tracing process's "
1.1Skamil	    "root");
1.1Skamil
1.1Skamil	atf_tc_set_md_var(tc, "require.user", "root");
1.1Skamil}
1.1Skamil
1.1SkamilATF_TC_BODY(attach_chroot, tc)
1.1Skamil{
1.1Skamil	char buf[PATH_MAX];
1.1Skamil	pid_t child;
1.1Skamil	int fds_toparent[2], fds_fromparent[2];
1.1Skamil	int rv;
1.1Skamil	uint8_t msg = 0xde; /* dummy message for IPC based on pipe(2) */
1.1Skamil
1.1Skamil	(void)memset(buf, '\0', sizeof(buf));
1.1Skamil	ATF_REQUIRE(getcwd(buf, sizeof(buf)) != NULL);
1.1Skamil	(void)strlcat(buf, "/dir", sizeof(buf));
1.1Skamil
1.1Skamil	ATF_REQUIRE(mkdir(buf, 0500) == 0);
1.1Skamil	ATF_REQUIRE(chdir(buf) == 0);
1.1Skamil
1.1Skamil	ATF_REQUIRE(pipe(fds_toparent) == 0);
1.1Skamil	ATF_REQUIRE(pipe(fds_fromparent) == 0);
1.1Skamil	child = atf_utils_fork();
1.1Skamil	if (child == 0) {
1.1Skamil		FORKEE_ASSERT(close(fds_toparent[0]) == 0);
1.1Skamil		FORKEE_ASSERT(close(fds_fromparent[1]) == 0);
1.1Skamil
1.1Skamil		FORKEE_ASSERT(chroot(buf) == 0);
1.1Skamil
1.1Skamil		rv = write(fds_toparent[1], &msg, sizeof(msg));
1.1Skamil		FORKEE_ASSERTX(rv == sizeof(msg));
1.1Skamil
1.1Skamil		ATF_REQUIRE_ERRNO(EPERM,
1.1Skamil			ptrace(PT_ATTACH, getppid(), NULL, 0) == -1);
1.1Skamil
1.1Skamil		rv = read(fds_fromparent[0], &msg, sizeof(msg));
1.1Skamil		FORKEE_ASSERTX(rv == sizeof(msg));
1.1Skamil
1.1Skamil		_exit(0);
1.1Skamil	}
1.1Skamil	ATF_REQUIRE(close(fds_toparent[1]) == 0);
1.1Skamil	ATF_REQUIRE(close(fds_fromparent[0]) == 0);
1.1Skamil
1.1Skamil	printf("Waiting for chrooting of the child PID %d", child);
1.1Skamil	rv = read(fds_toparent[0], &msg, sizeof(msg));
1.1Skamil	ATF_REQUIRE(rv == sizeof(msg));
1.1Skamil
1.1Skamil	printf("Child is ready, it will try to PT_ATTACH to parent\n");
1.1Skamil	rv = write(fds_fromparent[1], &msg, sizeof(msg));
1.1Skamil	ATF_REQUIRE(rv == sizeof(msg));
1.1Skamil
1.1Skamil        printf("fds_fromparent is no longer needed - close it\n");
1.1Skamil        ATF_REQUIRE(close(fds_fromparent[1]) == 0);
1.1Skamil
1.1Skamil        printf("fds_toparent is no longer needed - close it\n");
1.1Skamil        ATF_REQUIRE(close(fds_toparent[0]) == 0);
1.1Skamil}
1.1Skamil
1.1SkamilATF_TP_ADD_TCS(tp)
1.1Skamil{
1.1Skamil	setvbuf(stdout, NULL, _IONBF, 0);
1.1Skamil	setvbuf(stderr, NULL, _IONBF, 0);
1.1Skamil	ATF_TP_ADD_TC(tp, attach_pid0);
1.1Skamil	ATF_TP_ADD_TC(tp, attach_pid1);
1.1Skamil	ATF_TP_ADD_TC(tp, attach_pid1_securelevel);
1.1Skamil	ATF_TP_ADD_TC(tp, attach_self);
1.1Skamil	ATF_TP_ADD_TC(tp, attach_chroot);
1.1Skamil
1.1Skamil	return atf_no_error();
1.1Skamil}