Tests SCM_RIGHTS fd passing on a socket with the new socket option SO_RIGHTS_NOTRUNC turned on.
The test uses the following Smack labels: "Sender" - label for the sending process "Receiver" - label for the receiving process "SecretX" - labels for the files being passed Socket communication (Sender <-> Receiver) is always allowed. The tests control whether Receiver can access "SecretX"-labeled fds. When the LSM blocks an fd, we should see a sentinel that corresponds to the error returned by the LSM, such as -EACCES. Signed-off-by: Jori Koolstra <[email protected]> --- tools/testing/selftests/Makefile | 1 + .../net/af_unix/scm_rights_denial/.gitignore | 2 + .../net/af_unix/scm_rights_denial/Makefile | 13 ++ .../net/af_unix/scm_rights_denial/helper.h | 38 ++++ .../net/af_unix/scm_rights_denial/receiver.c | 195 ++++++++++++++++++ .../scm_rights_denial/scm_rights_denial.sh | 171 +++++++++++++++ .../net/af_unix/scm_rights_denial/sender.c | 126 +++++++++++ 7 files changed, 546 insertions(+) create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial/.gitignore create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial/Makefile create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial/helper.h create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial/receiver.c create mode 100755 tools/testing/selftests/net/af_unix/scm_rights_denial/scm_rights_denial.sh create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial/sender.c diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 8d4db2241cc2..7ff876692267 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -74,6 +74,7 @@ TARGETS += mseal_system_mappings TARGETS += nci TARGETS += net TARGETS += net/af_unix +TARGETS += net/af_unix/scm_rights_denial TARGETS += net/can TARGETS += net/forwarding TARGETS += net/hsr diff --git a/tools/testing/selftests/net/af_unix/scm_rights_denial/.gitignore b/tools/testing/selftests/net/af_unix/scm_rights_denial/.gitignore new file mode 100644 index 000000000000..5a1c58ff005f --- /dev/null +++ b/tools/testing/selftests/net/af_unix/scm_rights_denial/.gitignore @@ -0,0 +1,2 @@ +sender +receiver diff --git a/tools/testing/selftests/net/af_unix/scm_rights_denial/Makefile b/tools/testing/selftests/net/af_unix/scm_rights_denial/Makefile new file mode 100644 index 000000000000..03eb6d1427d7 --- /dev/null +++ b/tools/testing/selftests/net/af_unix/scm_rights_denial/Makefile @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: GPL-2.0 +top_srcdir := ../../../../../.. +include $(top_srcdir)/scripts/Makefile.compiler + +cc-option = $(call __cc-option, $(CC),,$(1),$(2)) + +CFLAGS += $(KHDR_INCLUDES) -Wall $(call cc-option,-Wflex-array-member-not-at-end) + +TEST_PROGS := scm_rights_denial.sh + +TEST_GEN_FILES := sender receiver + +include ../../../lib.mk diff --git a/tools/testing/selftests/net/af_unix/scm_rights_denial/helper.h b/tools/testing/selftests/net/af_unix/scm_rights_denial/helper.h new file mode 100644 index 000000000000..2ecdf2b8b973 --- /dev/null +++ b/tools/testing/selftests/net/af_unix/scm_rights_denial/helper.h @@ -0,0 +1,38 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <unistd.h> +#include <fcntl.h> + +#ifndef SO_RIGHTS_NOTRUNC +#define SO_RIGHTS_NOTRUNC 85 +#endif + +#define CMSG_IS_SCM_RIGHTS(cmsg) ({ \ + typeof(cmsg) _cmsg = (cmsg); \ + _cmsg && \ + _cmsg->cmsg_level == SOL_SOCKET && \ + _cmsg->cmsg_type == SCM_RIGHTS; \ +}) + +#define MIN(a, b) ({ \ + typeof(a) _a = (a); \ + typeof(b) _b = (b); \ + _a < _b ? _a : _b; \ +}) + +#define MAX_FDS 10 + +static inline int read_current_label(char *label, size_t size) +{ + int fd = open("/proc/self/attr/current", O_RDONLY); + if (fd < 0) + return fd; + + ssize_t r = read(fd, label, size - 1); + close(fd); + if (r < 0) + return r; + + label[r] = '\0'; + + return 0; +} diff --git a/tools/testing/selftests/net/af_unix/scm_rights_denial/receiver.c b/tools/testing/selftests/net/af_unix/scm_rights_denial/receiver.c new file mode 100644 index 000000000000..a9bd49a6e214 --- /dev/null +++ b/tools/testing/selftests/net/af_unix/scm_rights_denial/receiver.c @@ -0,0 +1,195 @@ +// SPDX-License-Identifier: GPL-2.0 + +/* + * receiver.c - Receive a file descriptor over a Unix domain socket via SCM_RIGHTS + * + * Usage: ./receiver <socket_path> + * + * Listens on the given Unix socket path, accepts a connection, and + * attempts to receive file descriptors via SCM_RIGHTS. Reports + * whether the fds were delivered or blocked. + * + * Used for testing LSM (Smack) blocking of fd passing. + */ + +#include <sys/socket.h> +#include <sys/un.h> +#include <sys/xattr.h> +#include <unistd.h> +#include <string.h> +#include <stdio.h> +#include <stdlib.h> +#include <fcntl.h> + +#include "helper.h" + +#define RECV_LOG(fmt, ...) printf("receiver: " fmt, ##__VA_ARGS__) +#define RECV_ERR(fmt, ...) fprintf(stderr, "receiver: " fmt, ##__VA_ARGS__) + +static int recv_fds(int sock, int *fds) +{ + char buf[1]; + char ctrl[CMSG_SPACE(MAX_FDS * sizeof(int))]; + + struct iovec iov = { + .iov_base = buf, + .iov_len = sizeof(buf), + }; + struct msghdr msg = { + .msg_iov = &iov, + .msg_iovlen = 1, + .msg_control = ctrl, + .msg_controllen = sizeof(ctrl), + }; + + ssize_t bytes_read = recvmsg(sock, &msg, 0); + if (bytes_read < 0) { + perror("receiver: recvmsg"); + return -1; + } + if (bytes_read == 0) { + RECV_ERR("connection closed, no data received\n"); + return -1; + } + + struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); + if (!CMSG_IS_SCM_RIGHTS(cmsg)) { + RECV_ERR("no SCM_RIGHTS in control message\n"); + return -1; + } + + int num_fd_slots = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int); + memcpy(fds, CMSG_DATA(cmsg), num_fd_slots * sizeof(int)); + + RECV_LOG("got %d fd slot(s):", num_fd_slots); + for (int i = 0; i < num_fd_slots ; i++) { + if (fds[i] < 0) + printf(" %s", strerrorname_np(-fds[i])); + else + printf(" %d", fds[i]); + } + putchar('\n'); + + return num_fd_slots; +} + +static inline int print_current_label(void) +{ + char label[256]; + if (!read_current_label(label, sizeof(label))) { + RECV_LOG("running with Smack label '%s'\n", label); + return 0; + } + return -1; +} + +int main(int argc, char *argv[]) +{ + if (argc != 2) { + fprintf(stderr, "Usage: %s <socket_path>\n", argv[0]); + return -1; + } + + if (print_current_label()) { + RECV_ERR("cannot read process Smack label"); + return -1; + } + + int listen_sock = socket(AF_UNIX, SOCK_STREAM, 0); + if (listen_sock < 0) { + perror("receiver: socket"); + return -1; + } + + struct sockaddr_un addr = {}; + addr.sun_family = AF_UNIX; + strncpy(addr.sun_path, argv[1], sizeof(addr.sun_path) - 1); + + /* Remove any stale socket file */ + unlink(argv[1]); + + if (bind(listen_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { + perror("receiver: bind"); + return -1; + } + + if (listen(listen_sock, 1) < 0) { + perror("receiver: listen"); + return -1; + } + + RECV_LOG("listening on '%s'\n", argv[1]); + + int conn_sock = accept(listen_sock, NULL, NULL); + if (conn_sock < 0) { + perror("receiver: accept"); + return -1; + } + + RECV_LOG("connection accepted\n"); + + int one = 1; + if (setsockopt(conn_sock, SOL_SOCKET, SO_RIGHTS_NOTRUNC, + &one, sizeof(one)) < 0) { + perror("receiver: setsockopt(SO_RIGHTS_NOTRUNC)"); + goto out_sock; + } + + /* Try to receive the fds */ + int fds[MAX_FDS]; + int num_fds = recv_fds(conn_sock, fds); + if (num_fds < 0) + goto out_sock; + + /* Try to use the received fds -- read and print their contents */ + RECV_LOG("attempting to read from received fds...\n"); + int i; + for (i = 0; i < num_fds; ++i) { + char readbuf[256]; + + if (fds[i] < 0) { + RECV_LOG("fd in position %i blocked\n", i); + continue; + } else if (fds[i] == 0) { + RECV_LOG("bad fd in position %i\n", i); + goto out_recv; + } + + ssize_t n = read(fds[i], readbuf, sizeof(readbuf) - 1); + if (n < 0) { + perror("receiver: read from received fd"); + goto out_recv; + } + + readbuf[n] = '\0'; + RECV_LOG("read %zd bytes from fd at position %i: '%s'\n", n, i, readbuf); + } + + RECV_LOG("final result:\n"); + for (int j = 0; j < num_fds; ++j) { + if (fds[j] < 0) { + printf("BLOCKED"); + } else { + printf("PASSED"); + close(fds[j]); + } + putchar(' '); + } + + close(conn_sock); + close(listen_sock); + unlink(argv[1]); + return 0; + +out_recv: + for (int j = 0; j < num_fds; ++j) { + if (fds[j] > 0) + close(fds[j]); + } + +out_sock: + close(conn_sock); + close(listen_sock); + unlink(argv[1]); + return -1; +} diff --git a/tools/testing/selftests/net/af_unix/scm_rights_denial/scm_rights_denial.sh b/tools/testing/selftests/net/af_unix/scm_rights_denial/scm_rights_denial.sh new file mode 100755 index 000000000000..9d7d4530cadd --- /dev/null +++ b/tools/testing/selftests/net/af_unix/scm_rights_denial/scm_rights_denial.sh @@ -0,0 +1,171 @@ +# SPDX-License-Identifier: GPL-2.0 + +# +# test_scm_rights_smack.sh - Test SCM_RIGHTS fd passing using Smack LSM blocking +# +# Must be run as root on a kernel with Smack enabled (security=smack). +# Requires: capsh (libcap), setfattr/getfattr (attr) +# +# We use the following Smack labels: +# "Sender" - label for the sending process +# "Receiver" - label for the receiving process +# "SecretX" - labels for the files being passed +# +# Socket communication (Sender <-> Receiver) is always allowed. +# The tests control whether Receiver can access "SecretX"-labeled fds. +# + +set -e + +readonly SENDER="./sender" +readonly RECEIVER="./receiver" + +readonly TESTDIR="$(mktemp -d)" +readonly SOCK="$TESTDIR/scm_test.sock" +readonly TESTFILE1="$TESTDIR/secret_1" +readonly TESTFILE2="$TESTDIR/secret_2" + +trap 'rm -rf "$TESTDIR"' EXIT + +run_tests() { + + preflight + setup + + run_test "TEST 1" \ + "Receiver should NOT have access to Secret1." \ + "Receiver Secret1 --- +Receiver Secret2 ---" \ + "$TESTFILE1" \ + "BLOCKED" + + run_test "TEST 2" \ + "Receiver should have access to Secret1." \ + "Receiver Secret1 r-- +Receiver Secret2 ---" \ + "$TESTFILE1" \ + "PASSED" + + run_test "TEST 3" \ + "Receiver should have access to Secret2, but NOT Secret1." \ + "Receiver Secret1 --- +Receiver Secret2 r--" \ + "$TESTFILE1 $TESTFILE2" \ + "BLOCKED PASSED" +} + +run_test() { + local name="$1" + local description="$2" + local rules="$3" + local files="$4" + local expected="$5" + + echo "" + echo "$name: $description" + echo "Rules:" + echo "$rules" + echo "Expected: $expected" + echo "" + + while IFS= read -r rule; do + [ -n "$rule" ] && echo "$rule" > /sys/fs/smackfs/load2 + done <<< "$rules" + + local output status last_line + output=$(send_fds "$SOCK" $files) + status=$? + echo "$output" + last_line=$(echo "$output" | tail -n 1 | xargs) + + if [ "$status" -ne 0 ]; then + echo "TEST FAILED: receiver returned $status" + return 1 + fi + + if [[ "$last_line" == "$expected" ]]; then + echo "TEST PASSED: outcome was $expected as expected" + return 0 + else + echo "TEST FAILED: expected $expected, got '$last_line'" + return 1 + fi +} + +setup() { + + printf "Secret 1" > "$TESTFILE1" + printf "Secret 2" > "$TESTFILE2" + + setfattr -n security.SMACK64 -v "Secret1" "$TESTFILE1" + setfattr -n security.SMACK64 -v "Secret2" "$TESTFILE2" + setfattr -n security.SMACK64 -v "Tmp" /tmp + setfattr -n security.SMACK64 -v "Tmp" "$TESTDIR" + + echo "Sender Receiver -w-" > /sys/fs/smackfs/load2 + echo "Receiver Sender -w-" > /sys/fs/smackfs/load2 + echo "Sender Tmp rwx" > /sys/fs/smackfs/load2 + echo "Receiver Tmp rwx" > /sys/fs/smackfs/load2 + echo "Sender Secret1 r--" > /sys/fs/smackfs/load2 + echo "Sender Secret2 r--" > /sys/fs/smackfs/load2 +} + +send_fds() { + + local sk="$1" + shift + local files="$*" + + ( + echo "Receiver" > /proc/self/attr/current + exec capsh --drop=cap_mac_override,cap_mac_admin -- -c "$RECEIVER $sk" + ) & + local recv_pid=$! + sleep 1 + + ( + echo "Sender" > /proc/self/attr/current + exec capsh --drop=cap_mac_override,cap_mac_admin -- -c "$SENDER $sk $files" + ) || true + + local recv_status=0 + wait "$recv_pid" || recv_status=$? + + if [ "$recv_status" -ne 0 ]; then + echo "receiver exited with $recv_status" + fi + return "$recv_status" +} + +preflight() { + + if [ "$(id -u)" -ne 0 ]; then + echo "ERROR: must be run as root" + exit 1 + fi + + if ! grep -q smack /sys/kernel/security/lsm 2>/dev/null; then + echo "ERROR: Smack is not active" + echo " Check: cat /sys/kernel/security/lsm" + echo " Boot with: security=smack" + exit 1 + fi + + if ! mountpoint -q /sys/fs/smackfs 2>/dev/null; then + echo "Mounting smackfs..." + mount -t smackfs smackfs /sys/fs/smackfs + fi + + if ! command -v capsh &>/dev/null; then + echo "ERROR: capsh not found (install libcap)" + exit 1 + fi + + if [ ! -x "$SENDER" ] || [ ! -x "$RECEIVER" ]; then + echo "ERROR: $SENDER / $RECEIVER not built (run 'make' first)" + exit 1 + fi + +} + +run_tests diff --git a/tools/testing/selftests/net/af_unix/scm_rights_denial/sender.c b/tools/testing/selftests/net/af_unix/scm_rights_denial/sender.c new file mode 100644 index 000000000000..b1c76d23b8bd --- /dev/null +++ b/tools/testing/selftests/net/af_unix/scm_rights_denial/sender.c @@ -0,0 +1,126 @@ +// SPDX-License-Identifier: GPL-2.0-only + +/* + * sender.c - Send file descriptors over a Unix domain socket via SCM_RIGHTS + * + * Usage: ./sender <socket_path> <file_to_send> [<file_to_send>...] + * + * Opens the specified files and sends their fds to a receiver connected + * on the given Unix socket path. Used for testing LSM blocking of fd + * passing. + */ + +#include <sys/socket.h> +#include <sys/un.h> +#include <unistd.h> +#include <string.h> +#include <stdio.h> +#include <fcntl.h> + +#include "helper.h" + +#define SEND_LOG(fmt, ...) fprintf(stdout, "sender: " fmt, ##__VA_ARGS__) +#define SEND_ERR(fmt, ...) fprintf(stderr, "sender: " fmt, ##__VA_ARGS__) + +static int send_fds(int sock, int *fds, int num_fds) +{ + if (num_fds > MAX_FDS) + return -1; + + char buf[1] = { 'X' }; + char ctrl[CMSG_SPACE(MAX_FDS * sizeof(int))] = { 0 }; + + struct iovec iov = { + .iov_base = buf, + .iov_len = sizeof(buf), + }; + struct msghdr msg = { + .msg_iov = &iov, + .msg_iovlen = 1, + .msg_control = ctrl, + .msg_controllen = CMSG_SPACE(num_fds * sizeof(int)), + }; + + struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + cmsg->cmsg_len = CMSG_LEN(num_fds * sizeof(int)); + memcpy(CMSG_DATA(cmsg), fds, num_fds * sizeof(int)); + + ssize_t bytes_send = sendmsg(sock, &msg, 0); + if (bytes_send < 0) { + perror("sender: sendmsg"); + return -1; + } + + return 0; +} + +static inline int print_current_label(void) +{ + char label[256]; + if (!read_current_label(label, sizeof(label))) { + SEND_LOG("running with Smack label '%s'\n", label); + return 0; + } + return -1; +} + +int main(int argc, char *argv[]) +{ + if (argc < 3 || argc > 2 + MAX_FDS) { + fprintf(stderr, "Usage: %s <socket_path> <file_to_send> [<file_to_send>...]\\n", + argv[0]); + fprintf(stderr, "Up to a maximum of %d files", MAX_FDS); + return -1; + } + + if (print_current_label()) { + SEND_ERR("cannot read process Smack label"); + return -1; + } + + int sock = socket(AF_UNIX, SOCK_STREAM, 0); + if (sock < 0) { + perror("sender: socket"); + return -1; + } + + struct sockaddr_un addr = {}; + addr.sun_family = AF_UNIX; + strncpy(addr.sun_path, argv[1], sizeof(addr.sun_path) - 1); + + if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { + perror("sender: connect"); + goto out_sock; + } + + SEND_LOG("connected to '%s'\n", argv[1]); + + int num_files = argc - 2; + int fds[MAX_FDS]; + int i; + for (i = 0; i < num_files; i++) { + fds[i] = open(argv[2 + i], O_RDONLY); + if (fds[i] < 0) { + perror("sender: open file"); + goto out_opened; + } + SEND_LOG("opened '%s' as fd %d\n", argv[2 + i], fds[i]); + } + + if (send_fds(sock, fds, num_files) < 0) + goto out_opened; + + SEND_LOG("fds successfully sent:"); + for (int j = 0; j < num_files; j++) + printf(" %d", fds[j]); + putchar('\n'); + +out_opened: + for (int j = 0; j < i; j++) + close(fds[j]); +out_sock: + close(sock); + return -1; +} -- 2.54.0
