2 * Test metadata and policies in new namespaces. Even if our tests
3 * can run in a namespaced setup, this test is necessary so we can
4 * inspect policies on the same kdbusfs but between multiple
7 * Copyright (C) 2014-2015 Djalal Harouni
9 * kdbus is free software; you can redistribute it and/or modify it under
10 * the terms of the GNU Lesser General Public License as published by the
11 * Free Software Foundation; either version 2.1 of the License, or (at
12 * your option) any later version.
28 #include <sys/prctl.h>
29 #include <sys/eventfd.h>
30 #include <sys/syscall.h>
31 #include <sys/capability.h>
32 #include <linux/sched.h>
34 #include "kdbus-test.h"
35 #include "kdbus-util.h"
36 #include "kdbus-enum.h"
39 #define POLICY_NAME "foo.test.policy-test"
41 #define KDBUS_CONN_MAX_MSGS_PER_USER 16
44 * Note: this test can be used to inspect policy_db->talk_access_hash
46 * The purpose of these tests:
47 * 1) Check KDBUS_POLICY_TALK
48 * 2) Check the cache state: kdbus_policy_db->talk_access_hash
53 * Check a list of connections against conn_db[0]
54 * conn_db[0] will own the name "foo.test.policy-test" and the
55 * policy holder connection for this name will update the policy
56 * entries, so different use cases can be tested.
58 static struct kdbus_conn **conn_db;
60 static wur void *kdbus_recv_echo(void *ptr)
63 struct kdbus_conn *conn = ptr;
65 ret = kdbus_msg_recv_poll(conn, 3009, NULL, NULL);
67 return (void *)(long)ret;
70 /* Trigger kdbus_policy_set() */
71 static wur int kdbus_set_policy_talk(struct kdbus_conn *conn,
73 uid_t id, unsigned int type)
75 struct kdbus_policy_access access = {
78 .access = KDBUS_POLICY_TALK,
81 ASSERT_ZERO(kdbus_conn_update_policy(conn, name, &access, 1));
86 /* return TEST_OK or TEST_ERR on failure */
87 static wur int kdbus_register_same_activator(char *bus, const char *name,
88 struct kdbus_conn **c)
91 struct kdbus_conn *activator;
93 activator = kdbus_hello_activator(bus, name, NULL, 0);
96 print("--- error was able to register name twice '%s'.\n", name);
101 /* -EEXIST means test succeeded */
108 /* return TEST_OK or TEST_ERR on failure */
109 static wur int kdbus_register_policy_holder(char *bus, const char *name,
110 struct kdbus_conn **conn)
112 struct kdbus_conn *c;
113 struct kdbus_policy_access access[2];
115 access[0].type = KDBUS_POLICY_ACCESS_USER;
116 access[0].access = KDBUS_POLICY_OWN;
117 access[0].id = geteuid();
119 access[1].type = KDBUS_POLICY_ACCESS_WORLD;
120 access[1].access = KDBUS_POLICY_TALK;
121 access[1].id = geteuid();
123 ASSERT_NONZERO(c = kdbus_hello_registrar(bus, name, access, 2, KDBUS_HELLO_POLICY_HOLDER));
131 * Create new threads for receiving from multiple senders,
132 * The 'conn_db' will be populated by newly created connections.
133 * Caller should free all allocated connections.
135 * return 0 on success, negative errno on failure.
137 static wur int kdbus_recv_in_threads(const char *bus, const char *name,
138 struct kdbus_conn **conn_db)
141 bool pool_full = false;
142 unsigned int sent_packets = 0;
143 unsigned int lost_packets = 0;
145 unsigned long dst_id;
146 unsigned long cookie = 1;
147 unsigned int thread_nr = MAX_CONN - 1;
148 pthread_t thread_id[MAX_CONN - 1] = {'\0'};
150 dst_id = name ? KDBUS_DST_ID_NAME : conn_db[0]->id;
152 for (tid = 0, i = 1; tid < thread_nr; tid++, i++) {
153 ret = pthread_create(&thread_id[tid], NULL,
154 kdbus_recv_echo, (void *)conn_db[0]);
157 kdbus_printf("error pthread_create: %d (%m)\n",
162 /* just free before re-using */
163 kdbus_conn_free(conn_db[i]);
166 /* We need to create connections here */
167 conn_db[i] = kdbus_hello(bus, 0, NULL, 0);
173 ret = kdbus_add_match_empty(conn_db[i]);
177 ret = kdbus_msg_send(conn_db[i], name, cookie++,
181 * Receivers are not reading their messages,
184 * So set the pool full here, perhaps the
185 * connection pool or queue was full, later
186 * recheck receivers errors
188 if (ret == -ENOBUFS || ret == -EXFULL)
196 for (tid = 0; tid < thread_nr; tid++) {
199 if (thread_id[tid]) {
200 pthread_join(thread_id[tid], (void *)&thread_ret);
201 if (thread_ret < 0) {
202 /* Update only if send did not fail */
212 * When sending if we did fail with -ENOBUFS or -EXFULL
213 * then we should have set lost_packet and we should at
214 * least have sent_packets set to KDBUS_CONN_MAX_MSGS_PER_USER
217 ASSERT_NONZERO(lost_packets);
220 * We should at least send KDBUS_CONN_MAX_MSGS_PER_USER
222 * For every send operation we create a thread to
223 * recv the packet, so we keep the queue clean
225 ASSERT_RETURN(sent_packets,>=,(unsigned)KDBUS_CONN_MAX_MSGS_PER_USER);
228 * Set ret to zero since we only failed due to
229 * the receiving threads that have not been
238 /* Return: TEST_OK or TEST_ERR on failure */
239 static wur int kdbus_normal_test(const char *bus, const char *name,
240 struct kdbus_conn **conn_db)
242 ASSERT_RETURN(0,<=,kdbus_recv_in_threads(bus, name, conn_db));
246 static wur int kdbus_fork_test_by_id(const char *bus,
247 struct kdbus_conn **conn_db,
248 int parent_status, int child_status)
252 uint64_t cookie = 0x9876ecba;
253 struct kdbus_msg *msg = NULL;
257 bool parent_timedout;
261 child_status = parent_status = 0;
265 * If the child_status is not EXIT_SUCCESS, then we expect
266 * that sending from the child will fail, thus receiving
267 * from parent must error with -ETIMEDOUT, and vice versa.
269 parent_timedout = !!child_status;
270 child_timedout = !!parent_status;
273 ASSERT_RETURN_VAL(pid,>=,0, pid);
276 struct kdbus_conn *conn_src;
278 ASSERT_EXIT_ZERO(prctl(PR_SET_PDEATHSIG, SIGKILL));
280 ASSERT_EXIT_ZERO(drop_privileges(65534, 65534));
282 ASSERT_EXIT_NONZERO(conn_src = kdbus_hello(bus, 0, NULL, 0));
284 ASSERT_EXIT_ZERO(kdbus_add_match_empty(conn_src));
287 * child_status is always checked against send
288 * operations, in case it fails always return
291 ASSERT_EXIT(child_status,==,kdbus_msg_send(conn_src, NULL, cookie, 0, 0, 0, conn_db[0]->id));
293 ret = kdbus_msg_recv_poll(conn_src, 1009, NULL, NULL);
295 kdbus_conn_free(conn_src);
298 * Child kdbus_msg_recv_poll() should timeout since
299 * the parent_status was set to a non EXIT_SUCCESS
303 exit(ret == -ETIMEDOUT ? EXIT_SUCCESS : EXIT_FAILURE);
305 exit(ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE);
308 ret = kdbus_msg_recv_poll(conn_db[0], 1009, &msg, &offset);
310 * If parent_timedout is set then this should fail with
311 * -ETIMEDOUT since the child_status was set to a non
312 * EXIT_SUCCESS value. Otherwise, assume
313 * that kdbus_msg_recv_poll() has succeeded.
315 if (parent_timedout) {
316 ASSERT_RETURN_VAL(ret,==,-ETIMEDOUT, TEST_ERR);
318 /* timedout no need to continue, we don't have the
319 * child connection ID, so just terminate. */
322 ASSERT_RETURN_VAL(ret,==,0, ret);
324 ret = kdbus_msg_send(conn_db[0], NULL, ++cookie, 0, 0, 0, msg->src_id);
326 * parent_status is checked against send operations,
327 * on failures always return TEST_ERR.
329 ASSERT_RETURN_VAL(ret,==,parent_status, TEST_ERR);
332 ASSERT_ZERO(kdbus_free(conn_db[0], offset));
335 ret = waitpid(pid, &status, 0);
336 ASSERT_RETURN_VAL(ret,>=,0, ret);
338 return (status == EXIT_SUCCESS) ? TEST_OK : TEST_ERR;
342 * Return: TEST_OK, TEST_ERR or TEST_SKIP
343 * we return TEST_OK only if the children return with the expected
344 * 'expected_status' that is specified as an argument.
346 static wur int kdbus_fork_test(const char *bus, const char *name,
347 struct kdbus_conn **conn_db, int expected_status)
354 ASSERT_RETURN_VAL(pid,>=,0, pid);
357 ASSERT_EXIT_ZERO(prctl(PR_SET_PDEATHSIG, SIGKILL));
359 ASSERT_EXIT_ZERO(drop_privileges(65534, 65534));
361 ret = kdbus_recv_in_threads(bus, name, conn_db);
362 exit(ret == expected_status ? EXIT_SUCCESS : EXIT_FAILURE);
365 ASSERT_RETURN(0,<=,waitpid(pid, &status, 0));
367 return (status == EXIT_SUCCESS) ? TEST_OK : TEST_ERR;
370 /* Return EXIT_SUCCESS, EXIT_FAILURE or negative errno */
371 static wur int __kdbus_clone_userns_test(const char *bus,
378 unsigned int uid = 65534;
381 ret = drop_privileges(uid, uid);
382 ASSERT_RETURN_VAL(ret,==,0, ret);
385 * Since we just dropped privileges, the dumpable flag was just
386 * cleared which makes the /proc/$clone_child/uid_map to be
387 * owned by root, hence any userns uid mapping will fail with
388 * -EPERM since the mapping will be done by uid 65534.
390 * To avoid this set the dumpable flag again which makes procfs
391 * update the /proc/$clone_child/ inodes owner to 65534.
393 * Using this we will be able write to /proc/$clone_child/uid_map
394 * as uid 65534 and map the uid 65534 to 0 inside the user
397 ret = prctl(PR_SET_DUMPABLE, SUID_DUMP_USER);
398 ASSERT_RETURN_VAL(ret,==,0, ret);
400 /* sync parent/child */
401 efd = eventfd(0, EFD_CLOEXEC);
402 ASSERT_RETURN_VAL(efd,>=,0, efd);
404 pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWUSER, NULL);
407 kdbus_printf("error clone: %d (%m)\n", ret);
409 * Normal user not allowed to create userns,
410 * so nothing to worry about ?
413 kdbus_printf("-- CLONE_NEWUSER TEST Failed for uid: %u\n"
414 "-- Make sure that your kernel do not allow "
415 "CLONE_NEWUSER for unprivileged users\n"
416 "-- Upstream Commit: "
417 "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5eaf563e\n",
426 struct kdbus_conn *conn_src;
427 eventfd_t event_status = 0;
429 ASSERT_EXIT_ZERO(prctl(PR_SET_PDEATHSIG, SIGKILL));
431 ASSERT_EXIT(0,<=,eventfd_read(efd, &event_status));
432 ASSERT_EXIT(event_status,==,(eventfd_t)1);
434 /* ping connection from the new user namespace */
435 ASSERT_EXIT_NONZERO(conn_src = kdbus_hello(bus, 0, NULL, 0));
437 ASSERT_EXIT_ZERO(kdbus_add_match_empty(conn_src));
439 ret = kdbus_msg_send(conn_src, name, 0xabcd1234, 0, 0, 0, KDBUS_DST_ID_NAME);
440 kdbus_conn_free(conn_src);
442 exit(ret == expected_status ? EXIT_SUCCESS : EXIT_FAILURE);
445 ret = userns_map_uid_gid(pid, "0 65534 1", "0 65534 1");
446 ASSERT_RETURN_VAL(ret,==,0, ret);
448 /* Tell child we are ready */
449 ret = eventfd_write(efd, 1);
450 ASSERT_RETURN_VAL(ret,==,0, ret);
452 ret = waitpid(pid, &status, 0);
453 ASSERT_RETURN_VAL(ret,>=,0, ret);
457 return status == EXIT_SUCCESS ? TEST_OK : TEST_ERR;
460 static wur int kdbus_clone_userns_test(const char *bus,
462 struct kdbus_conn **conn_db,
470 ASSERT_RETURN_VAL(pid,>=,0, -errno);
473 ret = prctl(PR_SET_PDEATHSIG, SIGKILL);
477 exit(__kdbus_clone_userns_test(bus, name, expected_status));
481 * Receive in the original (root privileged) user namespace,
482 * must fail with -ETIMEDOUT.
484 ret = kdbus_msg_recv_poll(conn_db[0], 1009, NULL, NULL);
485 ASSERT_RETURN(ret,==,expected_status?-ETIMEDOUT:0);
487 ret = waitpid(pid, &status, 0);
488 ASSERT_RETURN(ret,>=,0);
490 return (status == EXIT_SUCCESS) ? TEST_OK : TEST_ERR;
493 wur int kdbus_test_policy_ns(struct kdbus_test_env *env)
497 struct kdbus_conn *activator = NULL;
498 struct kdbus_conn *policy_holder = NULL;
499 char *bus = env->buspath;
501 ret = test_is_capable(CAP_SETUID, CAP_SETGID, -1);
502 ASSERT_RETURN(ret,>=,0);
504 /* no enough privileges, SKIP test */
508 /* we require user-namespaces */
509 if (access("/proc/self/uid_map", F_OK) != 0)
512 /* uids/gids must be mapped */
513 if (!all_uids_gids_are_mapped())
516 ASSERT_NONZERO(conn_db = calloc(MAX_CONN, sizeof(struct kdbus_conn *)));
518 memset(conn_db, 0, MAX_CONN * sizeof(struct kdbus_conn *));
520 ASSERT_NONZERO(conn_db[0] = kdbus_hello(bus, 0, NULL, 0));
522 ASSERT_ZERO(kdbus_add_match_empty(conn_db[0]));
524 ASSERT_EXIT_ZERO(kdbus_fork_test_by_id(bus, conn_db, -EPERM, -EPERM));
526 ASSERT_ZERO(kdbus_register_policy_holder(bus, POLICY_NAME, &policy_holder));
528 /* Try to register the same name with an activator */
529 ASSERT_ZERO(kdbus_register_same_activator(bus, POLICY_NAME, &activator));
531 /* Acquire POLICY_NAME */
532 ASSERT_ZERO(kdbus_name_acquire(conn_db[0], POLICY_NAME, NULL));
534 ASSERT_ZERO(kdbus_normal_test(bus, POLICY_NAME, conn_db));
536 ASSERT_ZERO(kdbus_list(conn_db[0], KDBUS_LIST_NAMES | KDBUS_LIST_UNIQUE | KDBUS_LIST_ACTIVATORS | KDBUS_LIST_QUEUED));
538 ASSERT_ZERO(kdbus_fork_test(bus, POLICY_NAME, conn_db, EXIT_SUCCESS));
541 * children connections are able to talk to conn_db[0] since
542 * current POLICY_NAME TALK type is KDBUS_POLICY_ACCESS_WORLD,
543 * so expect EXIT_SUCCESS when sending from child. However,
544 * since the child's connection does not own any well-known
545 * name, The parent connection conn_db[0] should fail with
546 * -EPERM but since it is a privileged bus user the TALK is
549 ASSERT_EXIT_ZERO(kdbus_fork_test_by_id(bus, conn_db, EXIT_SUCCESS, EXIT_SUCCESS));
552 * Connections that can talk are perhaps being destroyed now.
553 * Restrict the policy and purge cache entries where the
554 * conn_db[0] is the destination.
556 * Now only connections with uid == 0 are allowed to talk.
558 ASSERT_ZERO(kdbus_set_policy_talk(policy_holder, POLICY_NAME, geteuid(), KDBUS_POLICY_ACCESS_USER));
561 * Testing connections (FORK+DROP) again:
562 * After setting the policy re-check connections
563 * we expect the children to fail with -EPERM
565 ASSERT_ZERO(kdbus_fork_test(bus, POLICY_NAME, conn_db, ONTIZEN(0,-EPERM)));
568 * Now expect that both parent and child to fail.
570 * Child should fail with -EPERM since we just restricted
571 * the POLICY_NAME TALK to uid 0 and its uid is 65534.
573 * Since the parent's connection will timeout when receiving
574 * from the child, we never continue. FWIW just put -EPERM.
576 ASSERT_EXIT_ZERO(kdbus_fork_test_by_id(bus, conn_db, -EPERM, -EPERM));
578 /* Check if the name can be reached in a new userns */
579 ASSERT_ZERO(kdbus_clone_userns_test(bus, POLICY_NAME, conn_db, ONTIZEN(0,-EPERM)));
581 for (i = 0; i < MAX_CONN; i++)
582 kdbus_conn_free(conn_db[i]);
584 kdbus_conn_free(activator);
585 kdbus_conn_free(policy_holder);