[LTP] [PATCH 4/4] syscalls/add_key03: new test for forging user keyrings
Cyril Hrubis
chrubis@suse.cz
Wed Oct 11 15:47:48 CEST 2017
Hi!
> +static key_serial_t create_keyring(const char *description)
> +{
> + TEST(add_key("keyring", description, NULL, 0,
> + KEY_SPEC_PROCESS_KEYRING));
> + if (TEST_RETURN < 0) {
> + tst_brk(TBROK | TTERRNO,
> + "unable to create keyring '%s'", description);
> + }
> + return TEST_RETURN;
> +}
> +
> +static key_serial_t get_keyring_id(key_serial_t special_id)
> +{
> + TEST(keyctl(KEYCTL_GET_KEYRING_ID, special_id, 1));
> + if (TEST_RETURN < 0) {
> + tst_brk(TBROK | TTERRNO,
> + "unable to get ID of keyring %d", special_id);
> + }
> + return TEST_RETURN;
> +}
> +
> +static void unlink_keyring(key_serial_t id)
> +{
> + TEST(keyctl(KEYCTL_UNLINK, id, KEY_SPEC_PROCESS_KEYRING));
> + if (TEST_RETURN < 0) {
> + tst_brk(TBROK | TTERRNO,
> + "unable to unlink the keyring we created");
> + }
> +}
> +
> +static void do_test(void)
> +{
> + int i;
> +
> + /*
> + * Try with multiple user IDs before reporting success. By chance, some
> + * users may already have an existing user keyring; the bug will not be
> + * reproducible for them.
> + */
> + for (i = 0; i < 10; i++) {
> + char description[32];
> + uid_t uid;
> + key_serial_t fake_user_keyring;
> + key_serial_t fake_user_session_keyring;
> +
> + uid = rand();
> + if (uid == 0)
> + continue;
We have testcases that look for unused uid with this loop:
for (i = 1; i < 1000; i++) {
if (!getpwuid(i))
return i;
}
What about using this instead of doing 10 random tries?
> + sprintf(description, "_uid.%u", uid);
> + fake_user_keyring = create_keyring(description);
> + sprintf(description, "_uid_ses.%u", uid);
> + fake_user_session_keyring = create_keyring(description);
> +
> + TEST(setreuid(uid, 0));
> + if (TEST_RETURN < 0) {
> + tst_brk(TBROK | TTERRNO,
> + "unable to set real uid to %u", uid);
> + }
I guess that we should add SAFE_SETREUID() to the tst_safe_macros.h
library. We do have SAFE_SETRESUID() though, so we may as well use
SAFE_SETRESUID(uid, -1, -1) here.
> + if (fake_user_keyring == get_keyring_id(KEY_SPEC_USER_KEYRING)) {
> + tst_brk(TFAIL,
> + "created user keyring for another user");
> + }
> +
> + if (fake_user_session_keyring ==
> + get_keyring_id(KEY_SPEC_USER_SESSION_KEYRING)) {
> + tst_brk(TFAIL,
> + "created user session keyring for another user");
> + }
> +
> + TEST(setreuid(0, 0));
> + if (TEST_RETURN < 0)
> + tst_brk(TBROK | TTERRNO, "unable to reset real uid");
> + uid++;
> +
> + unlink_keyring(fake_user_keyring);
> + unlink_keyring(fake_user_session_keyring);
> + }
> + tst_res(TPASS, "expectedly could not create another user's keyrings");
> +}
> +
> +static struct tst_test test = {
> + .test_all = do_test,
> + .needs_root = 1,
> +};
> --
> 2.14.2.920.gcf0c67979c-goog
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
--
Cyril Hrubis
chrubis@suse.cz
More information about the ltp
mailing list