--- /dev/null
+/* Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 2.1 of the
+ License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; see the file COPYING.LIB. If
+ not, see <http://www.gnu.org/licenses/>. */
+
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <sched.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include <support/check.h>
+#include <support/namespace.h>
+#include <support/support.h>
+#include <support/temp_file.h>
+#include <support/test-driver.h>
+#include <support/xunistd.h>
+
+/* generic utilities */
+
+#define VERIFY(expr) \
+ do { \
+ if (!(expr)) \
+ { \
+ printf ("error: %s:%d: %s: %m\n", \
+ __FILE__, __LINE__, #expr); \
+ exit (1); \
+ } \
+ } while (0)
+
+static void
+touch (const char *path, mode_t mode)
+{
+ xclose (xopen (path, O_WRONLY|O_CREAT|O_NOCTTY, mode));
+}
+
+static size_t
+trim_prefix (char *str, size_t str_len, const char *prefix)
+{
+ size_t prefix_len = strlen (prefix);
+ if (str_len > prefix_len && memcmp (str, prefix, prefix_len) == 0)
+ {
+ memmove (str, str + prefix_len, str_len - prefix_len);
+ return str_len - prefix_len;
+ }
+ return str_len;
+}
+
+/* returns a pointer to static storage */
+static char *
+proc_fd_readlink (const char *linkname)
+{
+ static char target[PATH_MAX+1];
+ ssize_t target_len = readlink (linkname, target, PATH_MAX);
+ VERIFY (target_len > 0);
+ target_len = trim_prefix (target, target_len, "(unreachable)");
+ target[target_len] = '\0';
+ return target;
+}
+
+static void
+become_root_in_mount_ns (void)
+{
+ uid_t orig_uid = getuid ();
+ gid_t orig_gid = getgid ();
+
+ support_become_root ();
+
+ if (unshare (CLONE_NEWNS) < 0)
+ FAIL_UNSUPPORTED ("could not enter new mount namespace");
+
+ /* support_become_root might have put us in a new user namespace;
+ most filesystems (including tmpfs) don't allow file or directory
+ creation from a user namespace unless uid and gid maps are set,
+ even if we have root privileges in the namespace (failing with
+ EOVERFLOW, since the uid overflows the empty (0-length) uid map).
+
+ Also, stat always reports that uid and gid maps are empty, so we
+ have to try actually reading from them to check if they are
+ empty. */
+ int fd;
+
+ if ((fd = open ("/proc/self/uid_map", O_RDWR, 0)) >= 0)
+ {
+ char buf;
+ if (read (fd, &buf, 1) == 0)
+ {
+ char *str = xasprintf ("0 %ld 1\n", (long)orig_uid);
+ if (write (fd, str, strlen (str)) < 0)
+ FAIL_EXIT1 ("write (uid_map, \"%s\"): %m", str);
+ free (str);
+ }
+ xclose (fd);
+ }
+
+ /* Setting the gid map has the additional complexity that we have to
+ first turn off setgroups. */
+ if ((fd = open ("/proc/self/setgroups", O_WRONLY, 0)) >= 0)
+ {
+ const char *str = "deny";
+ if (write (fd, str, strlen (str)) < 0)
+ FAIL_EXIT1 ("write (setroups, \"%s\"): %m", str);
+ xclose (fd);
+ }
+
+ if ((fd = open ("/proc/self/gid_map", O_RDWR, 0)) >= 0)
+ {
+ char buf;
+ if (read (fd, &buf, 1) == 0)
+ {
+ char *str = xasprintf ("0 %ld 1\n", (long)orig_gid);
+ if (write (fd, str, strlen (str)) < 0)
+ FAIL_EXIT1 ("write (gid_map, \"%s\"): %m", str);
+ free (str);
+ }
+ xclose (fd);
+ }
+}
+
+/* plain ttyname runner */
+
+struct result
+{
+ const char *name;
+ int err;
+};
+
+/* strings in result structure are in static storage */
+static struct result
+run_ttyname (int fd)
+{
+ struct result ret;
+ errno = 0;
+ ret.name = ttyname (fd);
+ ret.err = errno;
+ return ret;
+}
+
+static bool
+eq_ttyname (struct result actual, struct result expected)
+{
+ char *actual_name, *expected_name;
+
+ if ((actual.err == expected.err) &&
+ (!actual.name == !expected.name) &&
+ (actual.name ? strcmp (actual.name, expected.name) == 0 : true))
+ {
+ if (expected.name)
+ expected_name = xasprintf ("\"%s\"", expected.name);
+ else
+ expected_name = xstrdup ("NULL");
+
+ printf ("info: ttyname: PASS {name=%s, errno=%d}\n",
+ expected_name, expected.err);
+
+ free (expected_name);
+ return true;
+ }
+
+ if (actual.name)
+ actual_name = xasprintf ("\"%s\"", actual.name);
+ else
+ actual_name = xstrdup ("NULL");
+
+ if (expected.name)
+ expected_name = xasprintf ("\"%s\"", expected.name);
+ else
+ expected_name = xstrdup ("NULL");
+
+ printf ("error: ttyname: actual {name=%s, errno=%d} != expected {name=%s, errno=%d}\n",
+ actual_name, actual.err,
+ expected_name, expected.err);
+
+ free (actual_name);
+ free (expected_name);
+ return false;
+}
+
+/* ttyname_r runner */
+
+struct result_r
+{
+ const char *name;
+ int ret;
+ int err;
+};
+
+/* strings in result structure are in static storage */
+static struct result_r
+run_ttyname_r (int fd)
+{
+ static char buf[TTY_NAME_MAX];
+
+ struct result_r ret;
+ errno = 0;
+ ret.ret = ttyname_r (fd, buf, TTY_NAME_MAX);
+ ret.err = errno;
+ if (ret.ret == 0)
+ ret.name = buf;
+ else
+ ret.name = NULL;
+ return ret;
+}
+
+static bool
+eq_ttyname_r (struct result_r actual, struct result_r expected)
+{
+ char *actual_name, *expected_name;
+
+ if ((actual.err == expected.err) &&
+ (actual.ret == expected.ret) &&
+ (!actual.name == !expected.name) &&
+ (actual.name ? strcmp (actual.name, expected.name) == 0 : true))
+ {
+ if (expected.name)
+ expected_name = xasprintf ("\"%s\"", expected.name);
+ else
+ expected_name = xstrdup ("NULL");
+
+ printf ("info: ttyname_r: PASS {name=%s, ret=%d, errno=%d}\n",
+ expected_name, expected.ret, expected.err);
+
+ free (expected_name);
+ return true;
+ }
+
+ if (actual.name)
+ actual_name = xasprintf ("\"%s\"", actual.name);
+ else
+ actual_name = xstrdup ("NULL");
+
+ if (expected.name)
+ expected_name = xasprintf ("\"%s\"", expected.name);
+ else
+ expected_name = xstrdup ("NULL");
+
+ printf ("error: ttyname_r: actual {name=%s, ret=%d, errno=%d} != expected {name=%s, ret=%d, errno=%d}\n",
+ actual_name, actual.ret, actual.err,
+ expected_name, expected.ret, expected.err);
+
+ free (actual_name);
+ free (expected_name);
+ return false;
+}
+
+/* combined runner */
+
+static bool
+doit (int fd, const char *testname, struct result_r expected_r)
+{
+ struct result expected = {.name=expected_r.name, .err=expected_r.ret};
+ bool ret = true;
+
+ printf ("info: testcase: %s\n", testname);
+
+ if (!eq_ttyname (run_ttyname (fd), expected))
+ ret = false;
+ if (!eq_ttyname_r (run_ttyname_r (fd), expected_r))
+ ret = false;
+
+ if (!ret)
+ support_record_failure ();
+
+ return ret;
+}
+
+/* chroot setup */
+
+static char *chrootdir;
+
+static void
+prepare (int argc, char **argv)
+{
+ chrootdir = xasprintf ("%s/tst-ttyname-XXXXXX", test_dir);
+ if (mkdtemp (chrootdir) == NULL)
+ FAIL_EXIT1 ("mkdtemp (\"%s\"): %m", chrootdir);
+ add_temp_file (chrootdir);
+}
+#define PREPARE prepare
+
+/* These chroot setup functions put the TTY at at "/console" (where it
+ won't be found by ttyname), and create "/dev/console" as an
+ ordinary file. This way, it's easier to write test-cases that
+ expect ttyname to fail; test-cases that expect it to succeed need
+ to explicitly remount it at "/dev/console". */
+
+static int
+do_in_chroot_1 (int (*cb)(const char *, int))
+{
+ printf ("info: entering chroot 1\n");
+
+ /* Open the PTS that we'll be testing on. */
+ int master;
+ char *slavename;
+ VERIFY ((master = posix_openpt (O_RDWR|O_NOCTTY|O_NONBLOCK)) >= 0);
+ VERIFY ((slavename = ptsname (master)));
+ VERIFY (unlockpt (master) == 0);
+ if (strncmp (slavename, "/dev/pts/", 9) != 0)
+ FAIL_UNSUPPORTED ("slave pseudo-terminal is not under /dev/pts/: %s",
+ slavename);
+ int slave = xopen (slavename, O_RDWR, 0);
+ if (!doit (slave, "basic smoketest",
+ (struct result_r){.name=slavename, .ret=0, .err=0}))
+ return 1;
+
+ pid_t pid = xfork ();
+ if (pid == 0)
+ {
+ xclose (master);
+
+ become_root_in_mount_ns ();
+
+ VERIFY (mount ("tmpfs", chrootdir, "tmpfs", 0, "mode=755") == 0);
+ VERIFY (chdir (chrootdir) == 0);
+
+ xmkdir ("proc", 0755);
+ xmkdir ("dev", 0755);
+ xmkdir ("dev/pts", 0755);
+
+ VERIFY (mount ("/proc", "proc", NULL, MS_BIND|MS_REC, NULL) == 0);
+ VERIFY (mount ("devpts", "dev/pts", "devpts",
+ MS_NOSUID|MS_NOEXEC,
+ "newinstance,ptmxmode=0666,mode=620") == 0);
+ VERIFY (symlink ("pts/ptmx", "dev/ptmx") == 0);
+
+ touch ("console", 0);
+ touch ("dev/console", 0);
+ VERIFY (mount (slavename, "console", NULL, MS_BIND, NULL) == 0);
+
+ xchroot (".");
+
+ char *linkname = xasprintf ("/proc/self/fd/%d", slave);
+ char *target = proc_fd_readlink (linkname);
+ VERIFY (strcmp (target, slavename) == 0);
+ free (linkname);
+
+ _exit (cb (slavename, slave));
+ }
+ int status;
+ xwaitpid (pid, &status, 0);
+ VERIFY (WIFEXITED (status));
+ xclose (master);
+ xclose (slave);
+ return WEXITSTATUS (status);
+}
+
+static int
+do_in_chroot_2 (int (*cb)(const char *, int))
+{
+ printf ("info: entering chroot 2\n");
+
+ int pid_pipe[2];
+ xpipe (pid_pipe);
+ int exit_pipe[2];
+ xpipe (exit_pipe);
+
+ /* Open the PTS that we'll be testing on. */
+ int master;
+ char *slavename;
+ VERIFY ((master = posix_openpt (O_RDWR|O_NOCTTY|O_NONBLOCK)) >= 0);
+ VERIFY ((slavename = ptsname (master)));
+ VERIFY (unlockpt (master) == 0);
+ if (strncmp (slavename, "/dev/pts/", 9) != 0)
+ FAIL_UNSUPPORTED ("slave pseudo-terminal is not under /dev/pts/: %s",
+ slavename);
+ /* wait until in a new mount ns to open the slave */
+
+ /* enable `wait`ing on grandchildren */
+ VERIFY (prctl (PR_SET_CHILD_SUBREAPER, 1) == 0);
+
+ pid_t pid = xfork (); /* outer child */
+ if (pid == 0)
+ {
+ xclose (master);
+ xclose (pid_pipe[0]);
+ xclose (exit_pipe[1]);
+
+ become_root_in_mount_ns ();
+
+ int slave = xopen (slavename, O_RDWR, 0);
+ if (!doit (slave, "basic smoketest",
+ (struct result_r){.name=slavename, .ret=0, .err=0}))
+ _exit (1);
+
+ VERIFY (mount ("tmpfs", chrootdir, "tmpfs", 0, "mode=755") == 0);
+ VERIFY (chdir (chrootdir) == 0);
+
+ xmkdir ("proc", 0755);
+ xmkdir ("dev", 0755);
+ xmkdir ("dev/pts", 0755);
+
+ VERIFY (mount ("devpts", "dev/pts", "devpts",
+ MS_NOSUID|MS_NOEXEC,
+ "newinstance,ptmxmode=0666,mode=620") == 0);
+ VERIFY (symlink ("pts/ptmx", "dev/ptmx") == 0);
+
+ touch ("console", 0);
+ touch ("dev/console", 0);
+ VERIFY (mount (slavename, "console", NULL, MS_BIND, NULL) == 0);
+
+ xchroot (".");
+
+ if (unshare (CLONE_NEWNS | CLONE_NEWPID) < 0)
+ FAIL_UNSUPPORTED ("could not enter new PID namespace");
+ pid = xfork (); /* inner child */
+ if (pid == 0)
+ {
+ xclose (pid_pipe[1]);
+
+ /* wait until the outer child has exited */
+ char c;
+ VERIFY (read (exit_pipe[0], &c, 1) == 0);
+ xclose (exit_pipe[0]);
+
+ VERIFY (mount ("proc", "/proc", "proc",
+ MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) == 0);
+
+ char *linkname = xasprintf ("/proc/self/fd/%d", slave);
+ char *target = proc_fd_readlink (linkname);
+ VERIFY (strcmp (target, strrchr (slavename, '/')) == 0);
+ free (linkname);
+
+ _exit (cb (slavename, slave));
+ }
+ xwrite (pid_pipe[1], &pid, sizeof pid);
+ _exit (0);
+ }
+ xclose (pid_pipe[1]);
+ xclose (exit_pipe[0]);
+ xclose (exit_pipe[1]);
+
+ /* wait for the outer child */
+ int status;
+ xwaitpid (pid, &status, 0);
+ VERIFY (WIFEXITED (status));
+ int ret = WEXITSTATUS (status);
+ if (ret != 0)
+ return ret;
+
+ /* set 'pid' to the inner child */
+ VERIFY (read (pid_pipe[0], &pid, sizeof pid) == sizeof pid);
+ xclose (pid_pipe[0]);
+
+ /* wait for the inner child */
+ xwaitpid (pid, &status, 0);
+ VERIFY (WIFEXITED (status));
+ xclose (master);
+ return WEXITSTATUS (status);
+}
+
+/* main test */
+
+static int
+run_chroot_tests (const char *slavename, int slave)
+{
+ struct stat st;
+ bool ok = true;
+
+ /* There are 3 groups of tests here. The first group fairly
+ generically does things known to mess up ttyname, and verifies
+ that ttyname copes correctly. The remaining groups are
+ increasingly convoluted, as we target specific parts of ttyname
+ to try to confuse. */
+
+ /* Basic tests that it doesn't get confused by multiple devpts
+ instances. */
+ {
+ VERIFY (stat (slavename, &st) < 0); /* sanity check */
+ if (!doit (slave, "no conflict, no match",
+ (struct result_r){.name=NULL, .ret=ENODEV, .err=ENODEV}))
+ ok = false;
+ VERIFY (mount ("/console", "/dev/console", NULL, MS_BIND, NULL) == 0);
+ if (!doit (slave, "no conflict, console",
+ (struct result_r){.name="/dev/console", .ret=0, .err=0}))
+ ok = false;
+ VERIFY (umount ("/dev/console") == 0);
+
+ /* keep creating PTYs until we we get a name collision */
+ while (stat (slavename, &st) < 0)
+ posix_openpt (O_RDWR|O_NOCTTY|O_NONBLOCK);
+ VERIFY (stat (slavename, &st) == 0);
+
+ if (!doit (slave, "conflict, no match",
+ (struct result_r){.name=NULL, .ret=ENODEV, .err=ENODEV}))
+ ok = false;
+ VERIFY (mount ("/console", "/dev/console", NULL, MS_BIND, NULL) == 0);
+ if (!doit (slave, "conflict, console",
+ (struct result_r){.name="/dev/console", .ret=0, .err=0}))
+ ok = false;
+ VERIFY (umount ("/dev/console") == 0);
+ }
+
+ /* The first tests kinda assumed that they hit certain code-paths
+ based on assuming that the readlink target is 'slavename', but
+ that's not quite always true. They're still a good preliminary
+ sanity check, so keep them, but let's add tests that make sure
+ that those code-paths are hit by doing a readlink ourself. */
+ {
+ char *linkname = xasprintf ("/proc/self/fd/%d", slave);
+ char *target = proc_fd_readlink (linkname);
+ free (linkname);
+ /* Depeding on how we set up the chroot, the kernel may or may not
+ trim the leading path to the target (it may give us "/6",
+ instead of "/dev/pts/6"). We test it both ways (do_in_chroot_1
+ and do_in_chroot_2). This test group relies on the target
+ existing, so guarantee that it does exist by creating it if
+ necessary. */
+ if (stat (target, &st) < 0)
+ {
+ VERIFY (errno == ENOENT);
+ touch (target, 0);
+ }
+
+ VERIFY (mount ("/console", "/dev/console", NULL, MS_BIND, NULL) == 0);
+ VERIFY (mount ("/console", target, NULL, MS_BIND, NULL) == 0);
+ if (!doit (slave, "with readlink target",
+ (struct result_r){.name=target, .ret=0, .err=0}))
+ ok = false;
+ VERIFY (umount (target) == 0);
+ VERIFY (umount ("/dev/console") == 0);
+
+ VERIFY (mount ("/console", "/dev/console", NULL, MS_BIND, NULL) == 0);
+ VERIFY (mount (slavename, target, NULL, MS_BIND, NULL) == 0);
+ if (!doit (slave, "with readlink trap; fallback",
+ (struct result_r){.name="/dev/console", .ret=0, .err=0}))
+ ok = false;
+ VERIFY (umount (target) == 0);
+ VERIFY (umount ("/dev/console") == 0);
+
+ VERIFY (mount (slavename, target, NULL, MS_BIND, NULL) == 0);
+ if (!doit (slave, "with readlink trap; no fallback",
+ (struct result_r){.name=NULL, .ret=ENODEV, .err=ENODEV}))
+ ok = false;
+ VERIFY (umount (target) == 0);
+ }
+
+ /* This test makes sure that everything still works OK if readdir
+ finds a pseudo-match before and/or after the actual match. Now,
+ to do that, we need to control that readdir finds the
+ pseudo-matches before and after the actual match; and there's no
+ good way to control that order in absence of whitebox testing.
+ So, just create 3 files, then use opendir/readdir to see what
+ order they are in, and assign meaning based on that order, not by
+ name; assigning the first to be a pseudo-match, the second to be
+ the actual match, and the third to be a pseudo-match. This
+ assumes that (on tmpfs) ordering within the directory is stable
+ in the absence of modification, which seems reasonably safe. */
+ {
+ /* since we're testing the fallback search, disable the readlink
+ happy-path */
+ VERIFY (umount2 ("/proc", MNT_DETACH) == 0);
+
+ touch ("/dev/console1", 0);
+ touch ("/dev/console2", 0);
+ touch ("/dev/console3", 0);
+
+ char *c[3];
+ int ci = 0;
+ DIR *dirstream = opendir ("/dev");
+ VERIFY (dirstream != NULL);
+ struct dirent *d;
+ while ((d = readdir (dirstream)) != NULL && ci < 3)
+ {
+ if (strcmp (d->d_name, "console1") &&
+ strcmp (d->d_name, "console2") &&
+ strcmp (d->d_name, "console3") )
+ continue;
+ c[ci++] = xasprintf ("/dev/%s", d->d_name);
+ }
+ VERIFY (ci == 3);
+ VERIFY (closedir (dirstream) == 0);
+
+ VERIFY (mount (slavename, c[0], NULL, MS_BIND, NULL) == 0);
+ VERIFY (mount ("/console", c[1], NULL, MS_BIND, NULL) == 0);
+ VERIFY (mount (slavename, c[2], NULL, MS_BIND, NULL) == 0);
+ VERIFY (umount2 ("/dev/pts", MNT_DETACH) == 0);
+ if (!doit (slave, "with search-path trap",
+ (struct result_r){.name=c[1], .ret=0, .err=0}))
+ ok = false;
+ for (int i = 0; i < 3; i++)
+ {
+ VERIFY (umount (c[i]) == 0);
+ VERIFY (unlink (c[i]) == 0);
+ free (c[i]);
+ }
+ }
+
+ return ok ? 0 : 1;
+}
+
+static int
+do_test (void)
+{
+ int ret1 = do_in_chroot_1 (run_chroot_tests);
+ if (ret1 == EXIT_UNSUPPORTED)
+ return ret1;
+
+ int ret2 = do_in_chroot_2 (run_chroot_tests);
+ if (ret2 == EXIT_UNSUPPORTED)
+ return ret2;
+
+ return ret1 | ret2;
+}
+
+#include <support/test-driver.c>