/* * Copyright (c) 2017 Jan Kokemüller * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "freebsd_test_suite/macros.h" static int rootfd = -1; /* circumvent bug 215690 */ int open(const char *path, int flags, ...) { mode_t mode = 0; if (flags & O_CREAT) { va_list ap; va_start(ap, flags); mode = (mode_t) va_arg(ap, int); va_end(ap); } if (path && path[0] == '/' && rootfd >= 0) { return (openat(rootfd, path + 1, flags, mode)); } else { return (openat(AT_FDCWD, path, flags, mode)); } } static void check_capsicum(void) { ATF_REQUIRE_FEATURE("security_capabilities"); ATF_REQUIRE_FEATURE("security_capability_mode"); ATF_REQUIRE((rootfd = open("/", O_EXEC | O_CLOEXEC)) >= 0); } typedef int (*socket_fun)(int, const struct sockaddr *, socklen_t); static int connectat_fdcwd(int s, const struct sockaddr *name, socklen_t namelen) { return (connectat(AT_FDCWD, s, name, namelen)); } static int bindat_fdcwd(int s, const struct sockaddr *name, socklen_t namelen) { return (bindat(AT_FDCWD, s, name, namelen)); } ATF_TC(bindat_connectat_1); ATF_TC_HEAD(bindat_connectat_1, tc) { atf_tc_set_md_var(tc, "descr", "Verify that connect/bind work in normal case"); } static void check_1(socket_fun f, int s, const struct sockaddr_in *name) { ATF_REQUIRE((s = socket(AF_INET, SOCK_STREAM, 0)) >= 0); ATF_REQUIRE_ERRNO(EAFNOSUPPORT, f(s, (const struct sockaddr *)(name), sizeof(struct sockaddr_in)) < 0); } ATF_TC_BODY(bindat_connectat_1, tc) { struct sockaddr_in sin; memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = htons(0); sin.sin_addr.s_addr = htonl(0xE0000000); check_1(bindat_fdcwd, 0, &sin); check_1(bind, 0, &sin); check_1(connectat_fdcwd, 0, &sin); check_1(connect, 0, &sin); } ATF_TC(bindat_connectat_2); ATF_TC_HEAD(bindat_connectat_2, tc) { atf_tc_set_md_var(tc, "descr", "Verify that connect/bind are disabled in cap-mode"); } static void check_2(socket_fun f, int s, const struct sockaddr_in *name) { ATF_REQUIRE_ERRNO(ECAPMODE, f(s, (const struct sockaddr *)name, sizeof(struct sockaddr_in)) < 0); } ATF_TC_BODY(bindat_connectat_2, tc) { int sock; struct sockaddr_in sin; check_capsicum(); ATF_REQUIRE(cap_enter() >= 0); /* note: sock is created _after_ cap_enter() and contains all rights */ ATF_REQUIRE((sock = socket(AF_INET, SOCK_STREAM, 0)) >= 0); memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; /* dummy port and multicast address (224.0.0.0) to distinguish two * cases: * - ECAPMODE/ENOTCAPABLE --> call blocked by capsicum * - EAFNOSUPPORT --> call went through to protocol layer */ sin.sin_port = htons(0); sin.sin_addr.s_addr = htonl(0xE0000000); check_2(bindat_fdcwd, sock, &sin); check_2(bind, sock, &sin); check_2(connectat_fdcwd, sock, &sin); check_2(connect, sock, &sin); } ATF_TC(bindat_connectat_3); ATF_TC_HEAD(bindat_connectat_3, tc) { atf_tc_set_md_var(tc, "descr", "Check that taking away CAP_BIND/CAP_CONNECT " "sabotages bind/connect"); } static void check_3(socket_fun f, int s, const struct sockaddr_in *name, cap_rights_t *rights, cap_rights_t *sub_rights) { ATF_REQUIRE((s = socket(AF_INET, SOCK_STREAM, 0)) >= 0); ATF_REQUIRE(cap_rights_limit(s, rights) >= 0); ATF_REQUIRE_ERRNO(EAFNOSUPPORT, f(s, (const struct sockaddr *)name, sizeof(struct sockaddr_in)) < 0); ATF_REQUIRE(cap_rights_limit(s, cap_rights_remove(rights, sub_rights)) >= 0); ATF_REQUIRE_ERRNO(ENOTCAPABLE, f(s, (const struct sockaddr *)name, sizeof(struct sockaddr_in)) < 0); } ATF_TC_BODY(bindat_connectat_3, tc) { struct sockaddr_in sin; cap_rights_t rights, sub_rights; check_capsicum(); memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = htons(0); sin.sin_addr.s_addr = htonl(0xE0000000); check_3(bindat_fdcwd, 0, &sin, cap_rights_init(&rights, CAP_SOCK_SERVER), cap_rights_init(&sub_rights, CAP_BIND)); check_3(bind, 0, &sin, cap_rights_init(&rights, CAP_SOCK_SERVER), cap_rights_init(&sub_rights, CAP_BIND)); check_3(connectat_fdcwd, 0, &sin, cap_rights_init(&rights, CAP_SOCK_CLIENT), cap_rights_init(&sub_rights, CAP_CONNECT)); check_3(connect, 0, &sin, cap_rights_init(&rights, CAP_SOCK_CLIENT), cap_rights_init(&sub_rights, CAP_CONNECT)); } ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, bindat_connectat_1); ATF_TP_ADD_TC(tp, bindat_connectat_2); ATF_TP_ADD_TC(tp, bindat_connectat_3); return (atf_no_error()); }