werunplugged/unplugged-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
06ee9615ad
unplugged-system/external/ltp/testcases/kernel/containers/userns/userns08.c

147 lines
3.0 KiB
C
Raw Normal View History

Initial commit: AOSP 14 with modifications for Unplugged OS
2025-10-06 13:59:42 +00:00
// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Copyright (C) 2021 SUSE LLC <rpalethorpe@suse.com>
*/
/*\
* [Description]
*
* Reproducer of CVE-2018-18955; broken uid/gid mapping for nested
* user namespaces with >5 ranges
*
* See original reproducer and description by Jan Horn:
* https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
*
* Note that calling seteuid from root can cause the dumpable bit to
* be unset. The proc files of non dumpable processes are then owned
* by (the real) root. So on the second level we reset dumpable to 1.
*
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/mount.h>
#include "tst_test.h"
#include "tst_clone.h"
#include "lapi/sched.h"
#include "tst_safe_file_at.h"
static pid_t clone_newuser(void)
{
const struct tst_clone_args cargs = {
CLONE_NEWUSER,
SIGCHLD
};
return SAFE_CLONE(&cargs);
}
static void write_mapping(const pid_t proc_in_ns,
const char *const id_mapping)
{
char proc_path[PATH_MAX];
int proc_dir;
sprintf(proc_path, "/proc/%d", (int)proc_in_ns);
proc_dir = SAFE_OPEN(proc_path, O_DIRECTORY);
TEST(faccessat(proc_dir, "uid_map", F_OK, 0));
if (TST_RET && TST_ERR == ENOENT)
tst_brk(TCONF, "No uid_map file; interface was added in v3.5");
SAFE_FILE_PRINTFAT(proc_dir, "setgroups", "%s", "deny");
SAFE_FILE_PRINTFAT(proc_dir, "uid_map", "%s", id_mapping);
SAFE_FILE_PRINTFAT(proc_dir, "gid_map", "%s", id_mapping);
SAFE_CLOSE(proc_dir);
}
static void ns_level2(void)
{
if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0))
tst_res(TINFO | TERRNO, "Failed to set dumpable flag");
TST_CHECKPOINT_WAKE_AND_WAIT(1);
TST_EXP_FAIL(open("restricted", O_WRONLY), EACCES,
"Denied write access to ./restricted");
exit(0);
}
static void ns_level1(void)
{
const char *const map_over_5 = "0 0 1\n1 1 1\n2 2 1\n3 3 1\n4 4 1\n5 5 990";
pid_t level2_proc;
TST_CHECKPOINT_WAIT(0);
SAFE_SETGID(0);
SAFE_SETUID(0);
level2_proc = clone_newuser();
if (!level2_proc)
ns_level2();
TST_CHECKPOINT_WAIT(1);
write_mapping(level2_proc, map_over_5);
TST_CHECKPOINT_WAKE(1);
tst_reap_children();
exit(0);
}
static void run(void)
{
pid_t level1_proc;
SAFE_SETEGID(100000);
SAFE_SETEUID(100000);
level1_proc = clone_newuser();
if (!level1_proc)
ns_level1();
SAFE_SETEGID(0);
SAFE_SETEUID(0);
write_mapping(level1_proc, "0 100000 1000");
TST_CHECKPOINT_WAKE(0);
tst_reap_children();
}
static void setup(void)
{
int fd = SAFE_OPEN("restricted", O_CREAT | O_WRONLY, 0700);
SAFE_WRITE(SAFE_WRITE_ALL, fd, "\n", 1);
SAFE_CLOSE(fd);
SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
}
static struct tst_test test = {
.setup = setup,
.test_all = run,
.needs_checkpoints = 1,
.needs_root = 1,
.forks_child = 1,
.needs_kconfigs = (const char *[]) {
"CONFIG_USER_NS",
NULL
},
.save_restore = (const struct tst_path_val[]) {
{"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
{}
},
.tags = (const struct tst_tag[]) {
{"linux-git", "d2f007dbe7e4"},
{"CVE", "CVE-2018-18955"},
{}
},
};
Reference in New Issue Copy Permalink