Commit | Line | Data |
---|---|---|
c9b26b81 DD |
1 | /* |
2 | * Copyright (c) 2014 Google, Inc. | |
3 | * | |
4 | * Licensed under the terms of the GNU GPL License version 2 | |
5 | * | |
6 | * Selftests for execveat(2). | |
7 | */ | |
8 | ||
9 | #define _GNU_SOURCE /* to get O_PATH, AT_EMPTY_PATH */ | |
10 | #include <sys/sendfile.h> | |
11 | #include <sys/stat.h> | |
12 | #include <sys/syscall.h> | |
13 | #include <sys/types.h> | |
14 | #include <sys/wait.h> | |
15 | #include <errno.h> | |
16 | #include <fcntl.h> | |
17 | #include <limits.h> | |
18 | #include <stdio.h> | |
19 | #include <stdlib.h> | |
20 | #include <string.h> | |
21 | #include <unistd.h> | |
22 | ||
/*
 * Path of the near-PATH_MAX test file. It starts empty and is built once, on
 * the first call to check_execveat_pathmax(); the buffer is twice PATH_MAX.
 */
static char longpath[2 * PATH_MAX] = "";
/*
 * Environment handed to every execveat() call. The re-executed program checks
 * for IN_TEST=yes. The spare NULL slot is filled with "VERBOSE=1" by main()
 * when VERBOSE is set in the parent's environment.
 */
static char *envp[] = { "IN_TEST=yes", NULL, NULL };
/*
 * Argument vector handed to every execveat() call. The re-executed program
 * uses its final argument as its exit code, so a successful exec exits 99.
 */
static char *argv[] = { "execveat", "99", NULL };
26 | ||
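/*
 * Invoke execveat(2) through syscall(2).
 *
 * Returns whatever the system call returns (it only returns on failure, with
 * errno set). When the build headers do not define __NR_execveat the call is
 * not attempted: -1 is returned with errno set to ENOSYS.
 */
static int execveat_(int fd, const char *path, char **argv, char **envp,
		     int flags)
{
#ifdef __NR_execveat
	return syscall(__NR_execveat, fd, path, argv, envp, flags);
#else
	/*
	 * errno holds positive error numbers in userspace; the negated form
	 * is the in-kernel return convention and would never match the
	 * expected errno that callers compare against.
	 */
	errno = ENOSYS;
	return -1;
#endif
}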
37 | ||
/*
 * check_execveat_fail() passes the expected errno both as a value and, via
 * stringification, as the name printed in the progress message.
 */
#define check_execveat_fail(fd, path, flags, errno) \
	_check_execveat_fail(fd, path, flags, errno, #errno)
/*
 * Call execveat() in the current process and verify that it fails with
 * expected_errno. The file-scope argv and envp are used for the call.
 *
 * Returns 0 when the observed errno matches, 1 otherwise (including the
 * case where the call returns a positive value).
 */
static int _check_execveat_fail(int fd, const char *path, int flags,
				int expected_errno, const char *errno_str)
{
	const char *shown_path = path ? path : "(null)";
	int ret;

	errno = 0;
	printf("Check failure of execveat(%d, '%s', %d) with %s... ",
	       fd, shown_path, flags, errno_str);
	ret = execveat_(fd, path, argv, envp, flags);

	if (ret > 0) {
		printf("[FAIL] (unexpected success from execveat(2))\n");
		return 1;
	}
	if (errno == expected_errno) {
		printf("[OK]\n");
		return 0;
	}

	printf("[FAIL] (expected errno %d (%s) not %d (%s)\n",
	       expected_errno, strerror(expected_errno),
	       errno, strerror(errno));
	return 1;
}
63 | ||
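/*
 * Fork a child that calls execveat() with the file-scope argv and envp, then
 * check the child's exit status in the parent.
 *
 * The check passes when the child exits normally with either expected_rc or
 * expected_rc2. Paths longer than 40 characters are abbreviated in the
 * progress message to their first and last 20 characters.
 *
 * Returns 0 on success, 1 on any failure (fork, waitpid, abnormal exit or an
 * unexpected exit code).
 */
static int check_execveat_invoked_rc(int fd, const char *path, int flags,
				     int expected_rc, int expected_rc2)
{
	int status;
	int rc;
	pid_t child;
	int pathlen = path ? strlen(path) : 0;

	if (pathlen > 40)
		printf("Check success of execveat(%d, '%.20s...%s', %d)... ",
		       fd, path, (path + pathlen - 20), flags);
	else
		printf("Check success of execveat(%d, '%s', %d)... ",
		       fd, path ? path : "(null)", flags);
	/*
	 * Flush before forking: the progress message has no newline, so it
	 * may still sit in the stdio buffer. The child inherits a copy of
	 * that buffer and would emit it a second time from exit() if the
	 * exec fails.
	 */
	fflush(stdout);
	child = fork();
	if (child < 0) {
		printf("[FAIL] (fork() failed)\n");
		return 1;
	}
	if (child == 0) {
		/* Child: do execveat(). */
		rc = execveat_(fd, path, argv, envp, flags);
		printf("[FAIL]: execveat() failed, rc=%d errno=%d (%s)\n",
		       rc, errno, strerror(errno));
		exit(1); /* should not reach here */
	}
	/* Parent: wait for & check child's exit status. */
	rc = waitpid(child, &status, 0);
	if (rc != child) {
		printf("[FAIL] (waitpid(%d,...) returned %d)\n", child, rc);
		return 1;
	}
	if (!WIFEXITED(status)) {
		printf("[FAIL] (child %d did not exit cleanly, status=%08x)\n",
		       child, status);
		return 1;
	}
	if ((WEXITSTATUS(status) != expected_rc) &&
	    (WEXITSTATUS(status) != expected_rc2)) {
		printf("[FAIL] (child %d exited with %d not %d nor %d)\n",
		       child, WEXITSTATUS(status), expected_rc, expected_rc2);
		return 1;
	}
	printf("[OK]\n");
	return 0;
}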
110 | ||
/*
 * Check that execveat() succeeds: the re-executed program must exit with 99,
 * the value passed as the final argument in the file-scope argv.
 */
static int check_execveat(int fd, const char *path, int flags)
{
	const int wanted_rc = 99;

	return check_execveat_invoked_rc(fd, path, flags, wanted_rc, wanted_rc);
}
115 | ||
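/*
 * Return a newly allocated string holding left followed by right.
 *
 * Returns NULL when either input is NULL or the allocation fails; run_tests()
 * passes the result of realpath() here, which can be NULL. The caller owns
 * the returned buffer.
 */
static char *concat(const char *left, const char *right)
{
	size_t left_len;
	size_t right_len;
	char *result;

	if (!left || !right)
		return NULL;

	left_len = strlen(left);
	right_len = strlen(right);
	result = malloc(left_len + right_len + 1);
	if (!result)
		return NULL;

	memcpy(result, left, left_len);
	/* Copy right including its terminating NUL. */
	memcpy(result + left_len, right, right_len + 1);
	return result;
}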
124 | ||
/*
 * Open filename with the given flags and return the descriptor. If the open
 * fails, print a hint about missing prerequisites and exit with status 1.
 */
static int open_or_die(const char *filename, int flags)
{
	int handle = open(filename, flags);

	if (handle >= 0)
		return handle;

	printf("Failed to open '%s'; "
	       "check prerequisites are available\n", filename);
	exit(1);
}
136 | ||
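/*
 * Copy src to dest, creating or truncating dest with mode 0755.
 *
 * A missing src is fatal (open_or_die). Any other failure is reported on
 * stdout and the copy is abandoned, so callers carry on and fail at the
 * point where they try to use dest.
 *
 * dest is opened with O_CREAT|O_TRUNC and without O_EXCL or O_NOFOLLOW, so
 * this helper is only suitable for a working directory the tester controls.
 */
static void exe_cp(const char *src, const char *dest)
{
	int in_fd = open_or_die(src, O_RDONLY);
	int out_fd = open(dest, O_RDWR|O_CREAT|O_TRUNC, 0755);
	struct stat info;
	off_t remaining;

	if (out_fd < 0) {
		printf("Failed to create copy of '%s', errno=%d (%s)\n",
		       src, errno, strerror(errno));
		close(in_fd);
		return;
	}
	/* Without this check a failed fstat() leaves st_size uninitialized. */
	if (fstat(in_fd, &info) < 0) {
		printf("Failed to stat '%s', errno=%d (%s)\n",
		       src, errno, strerror(errno));
		goto out;
	}

	/* sendfile() may transfer fewer bytes than requested; loop until done. */
	remaining = info.st_size;
	while (remaining > 0) {
		ssize_t sent = sendfile(out_fd, in_fd, NULL, (size_t)remaining);

		if (sent < 0) {
			printf("Failed to copy '%s', errno=%d (%s)\n",
			       src, errno, strerror(errno));
			break;
		}
		if (sent == 0) {
			printf("Short copy of '%s'\n", src);
			break;
		}
		remaining -= sent;
	}
out:
	close(in_fd);
	close(out_fd);
}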
148 | ||
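/* Length of each directory component (including its '/') in longpath. */
#define XX_DIR_LEN 200
/*
 * Copy src to a file whose relative pathname is close to PATH_MAX long, then
 * execute that copy both through a pre-opened descriptor and through the long
 * pathname relative to dot_dfd.
 *
 * The long path is built (and its directories created) only on the first
 * call; later calls reuse the file-scope longpath and overwrite the file.
 * is_script selects the expectation for the pathname case, see below.
 *
 * Returns the number of failed checks.
 */
static int check_execveat_pathmax(int dot_dfd, const char *src, int is_script)
{
	int fail = 0;
	int ii, count, len;
	char longname[XX_DIR_LEN + 1];
	int fd;

	if (*longpath == '\0') {
		/* Create a filename close to PATH_MAX in length */
		memset(longname, 'x', XX_DIR_LEN - 1);
		longname[XX_DIR_LEN - 1] = '/';
		longname[XX_DIR_LEN] = '\0';
		count = (PATH_MAX - 3) / XX_DIR_LEN;
		for (ii = 0; ii < count; ii++) {
			strcat(longpath, longname);
			/*
			 * The result is not checked; a missing directory
			 * shows up below when the open of longpath fails.
			 */
			mkdir(longpath, 0755);
		}
		len = (PATH_MAX - 3) - (count * XX_DIR_LEN);
		if (len <= 0)
			len = 1;
		memset(longname, 'y', len);
		longname[len] = '\0';
		strcat(longpath, longname);
	}
	exe_cp(src, longpath);

	/*
	 * Execute as a pre-opened file descriptor, which works whether this is
	 * a script or not (because the interpreter sees a filename like
	 * "/dev/fd/20").
	 */
	fd = open(longpath, O_RDONLY);
	/* Descriptor 0 is a valid result of open(); only negative is failure. */
	if (fd >= 0) {
		printf("Invoke copy of '%s' via filename of length %zu:\n",
		       src, strlen(longpath));
		fail += check_execveat(fd, "", AT_EMPTY_PATH);
		/* Do not leak one descriptor per call. */
		close(fd);
	} else {
		printf("Failed to open length %zu filename, errno=%d (%s)\n",
		       strlen(longpath), errno, strerror(errno));
		fail++;
	}

	/*
	 * Execute as a long pathname relative to ".".  If this is a script,
	 * the interpreter will launch but fail to open the script because its
	 * name ("/dev/fd/5/xxx....") is bigger than PATH_MAX.
	 *
	 * The failure code is usually 127 (POSIX: "If a command is not found,
	 * the exit status shall be 127."), but some systems give 126 (POSIX:
	 * "If the command name is found, but it is not an executable utility,
	 * the exit status shall be 126."), so allow either.
	 */
	if (is_script)
		fail += check_execveat_invoked_rc(dot_dfd, longpath, 0,
						  127, 126);
	else
		fail += check_execveat(dot_dfd, longpath, 0);

	return fail;
}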
210 | ||
/*
 * Run every execveat() check and return the number that failed.
 *
 * All directories and files under test are opened up front with
 * open_or_die(), so a missing prerequisite ends the program before any check
 * runs. The checks are order dependent: several of them rename or unlink a
 * file and then exec it through a descriptor opened beforehand.
 *
 * None of the descriptors or heap strings obtained here are released in this
 * function.
 */
static int run_tests(void)
{
	int fail = 0;
	/*
	 * NOTE(review): realpath() returns NULL on failure and neither result
	 * is checked before being passed to concat() or check_execveat().
	 */
	char *fullname = realpath("execveat", NULL);
	char *fullname_script = realpath("script", NULL);
	char *fullname_symlink = concat(fullname, ".symlink");
	int subdir_dfd = open_or_die("subdir", O_DIRECTORY|O_RDONLY);
	int subdir_dfd_ephemeral = open_or_die("subdir.ephemeral",
					       O_DIRECTORY|O_RDONLY);
	int dot_dfd = open_or_die(".", O_DIRECTORY|O_RDONLY);
	int dot_dfd_path = open_or_die(".", O_DIRECTORY|O_RDONLY|O_PATH);
	int dot_dfd_cloexec = open_or_die(".", O_DIRECTORY|O_RDONLY|O_CLOEXEC);
	int fd = open_or_die("execveat", O_RDONLY);
	int fd_path = open_or_die("execveat", O_RDONLY|O_PATH);
	int fd_symlink = open_or_die("execveat.symlink", O_RDONLY);
	int fd_denatured = open_or_die("execveat.denatured", O_RDONLY);
	int fd_denatured_path = open_or_die("execveat.denatured",
					    O_RDONLY|O_PATH);
	int fd_script = open_or_die("script", O_RDONLY);
	int fd_ephemeral = open_or_die("execveat.ephemeral", O_RDONLY);
	int fd_ephemeral_path = open_or_die("execveat.path.ephemeral",
					    O_RDONLY|O_PATH);
	int fd_script_ephemeral = open_or_die("script.ephemeral", O_RDONLY);
	int fd_cloexec = open_or_die("execveat", O_RDONLY|O_CLOEXEC);
	int fd_script_cloexec = open_or_die("script", O_RDONLY|O_CLOEXEC);

	/* Change file position to confirm it doesn't affect anything */
	lseek(fd, 10, SEEK_SET);

	/* Normal executable file: */
	/* dfd + path */
	fail += check_execveat(subdir_dfd, "../execveat", 0);
	fail += check_execveat(dot_dfd, "execveat", 0);
	fail += check_execveat(dot_dfd_path, "execveat", 0);
	/* absolute path */
	fail += check_execveat(AT_FDCWD, fullname, 0);
	/* absolute path with nonsense dfd */
	fail += check_execveat(99, fullname, 0);
	/* fd + no path */
	fail += check_execveat(fd, "", AT_EMPTY_PATH);
	/* O_CLOEXEC fd + no path */
	fail += check_execveat(fd_cloexec, "", AT_EMPTY_PATH);
	/* O_PATH fd */
	fail += check_execveat(fd_path, "", AT_EMPTY_PATH);

	/*
	 * Mess with executable file that's already open: the exec goes
	 * through the descriptor, so it is expected to keep working after the
	 * name it was opened under has been renamed or removed.
	 */
	/* fd + no path to a file that's been renamed */
	rename("execveat.ephemeral", "execveat.moved");
	fail += check_execveat(fd_ephemeral, "", AT_EMPTY_PATH);
	/* fd + no path to a file that's been deleted */
	unlink("execveat.moved"); /* remove the file now fd open */
	fail += check_execveat(fd_ephemeral, "", AT_EMPTY_PATH);

	/* Mess with executable file that's already open with O_PATH */
	/* fd + no path to a file that's been deleted */
	unlink("execveat.path.ephemeral");
	fail += check_execveat(fd_ephemeral_path, "", AT_EMPTY_PATH);

	/*
	 * Invalid argument failures: an empty path without AT_EMPTY_PATH, and
	 * a NULL path with it.
	 */
	fail += check_execveat_fail(fd, "", 0, ENOENT);
	fail += check_execveat_fail(fd, NULL, AT_EMPTY_PATH, EFAULT);

	/* Symlink to executable file: */
	/* dfd + path */
	fail += check_execveat(dot_dfd, "execveat.symlink", 0);
	fail += check_execveat(dot_dfd_path, "execveat.symlink", 0);
	/* absolute path */
	fail += check_execveat(AT_FDCWD, fullname_symlink, 0);
	/* fd + no path, even with AT_SYMLINK_NOFOLLOW (already followed) */
	fail += check_execveat(fd_symlink, "", AT_EMPTY_PATH);
	fail += check_execveat(fd_symlink, "",
			       AT_EMPTY_PATH|AT_SYMLINK_NOFOLLOW);

	/* Symlink fails when AT_SYMLINK_NOFOLLOW set: */
	/* dfd + path */
	fail += check_execveat_fail(dot_dfd, "execveat.symlink",
				    AT_SYMLINK_NOFOLLOW, ELOOP);
	fail += check_execveat_fail(dot_dfd_path, "execveat.symlink",
				    AT_SYMLINK_NOFOLLOW, ELOOP);
	/* absolute path */
	fail += check_execveat_fail(AT_FDCWD, fullname_symlink,
				    AT_SYMLINK_NOFOLLOW, ELOOP);

	/* Shell script wrapping executable file: */
	/* dfd + path */
	fail += check_execveat(subdir_dfd, "../script", 0);
	fail += check_execveat(dot_dfd, "script", 0);
	fail += check_execveat(dot_dfd_path, "script", 0);
	/* absolute path */
	fail += check_execveat(AT_FDCWD, fullname_script, 0);
	/* fd + no path */
	fail += check_execveat(fd_script, "", AT_EMPTY_PATH);
	fail += check_execveat(fd_script, "",
			       AT_EMPTY_PATH|AT_SYMLINK_NOFOLLOW);
	/*
	 * O_CLOEXEC fd fails for a script (as script file inaccessible).
	 * Presumably the descriptor is already closed by the time the
	 * interpreter would open the /dev/fd/N name it is given, so the call
	 * is rejected with ENOENT. The same is expected for a path relative
	 * to an O_CLOEXEC directory descriptor.
	 */
	fail += check_execveat_fail(fd_script_cloexec, "", AT_EMPTY_PATH,
				    ENOENT);
	fail += check_execveat_fail(dot_dfd_cloexec, "script", 0, ENOENT);

	/* Mess with script file that's already open: */
	/* fd + no path to a file that's been renamed */
	rename("script.ephemeral", "script.moved");
	fail += check_execveat(fd_script_ephemeral, "", AT_EMPTY_PATH);
	/* fd + no path to a file that's been deleted */
	unlink("script.moved"); /* remove the file while fd open */
	fail += check_execveat(fd_script_ephemeral, "", AT_EMPTY_PATH);

	/* Rename a subdirectory in the path: */
	rename("subdir.ephemeral", "subdir.moved");
	fail += check_execveat(subdir_dfd_ephemeral, "../script", 0);
	fail += check_execveat(subdir_dfd_ephemeral, "script", 0);
	/* Remove the subdir and its contents */
	unlink("subdir.moved/script");
	/*
	 * NOTE(review): unlink(2) on a directory is expected to fail on Linux
	 * (EISDIR), so the directory itself probably survives this call; the
	 * result is not checked. Confirm whether rmdir() was intended.
	 */
	unlink("subdir.moved");
	/* Shell loads via deleted subdir OK because name starts with .. */
	fail += check_execveat(subdir_dfd_ephemeral, "../script", 0);
	fail += check_execveat_fail(subdir_dfd_ephemeral, "script", 0, ENOENT);

	/* Flag values other than AT_SYMLINK_NOFOLLOW => EINVAL */
	fail += check_execveat_fail(dot_dfd, "execveat", 0xFFFF, EINVAL);
	/* Invalid path => ENOENT */
	fail += check_execveat_fail(dot_dfd, "no-such-file", 0, ENOENT);
	fail += check_execveat_fail(dot_dfd_path, "no-such-file", 0, ENOENT);
	fail += check_execveat_fail(AT_FDCWD, "no-such-file", 0, ENOENT);
	/* Attempt to execute directory => EACCES */
	fail += check_execveat_fail(dot_dfd, "", AT_EMPTY_PATH, EACCES);
	/* Attempt to execute non-executable => EACCES */
	fail += check_execveat_fail(dot_dfd, "Makefile", 0, EACCES);
	fail += check_execveat_fail(fd_denatured, "", AT_EMPTY_PATH, EACCES);
	fail += check_execveat_fail(fd_denatured_path, "", AT_EMPTY_PATH,
				    EACCES);
	/* Attempt to execute nonsense FD => EBADF */
	fail += check_execveat_fail(99, "", AT_EMPTY_PATH, EBADF);
	fail += check_execveat_fail(99, "execveat", 0, EBADF);
	/* Attempt to execute relative to non-directory => ENOTDIR */
	fail += check_execveat_fail(fd, "execveat", 0, ENOTDIR);

	/* Near-PATH_MAX pathnames, first for the binary and then the script. */
	fail += check_execveat_pathmax(dot_dfd, "execveat", 0);
	fail += check_execveat_pathmax(dot_dfd, "script", 1);
	return fail;
}
352 | ||
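/*
 * Create the throw-away files that run_tests() renames and deletes: copies
 * of the test binary and script, plus subdir.ephemeral/ holding a small
 * shell script that exits with the status given by its arguments.
 *
 * Failures creating the script are reported on stdout; the function then
 * returns and the affected checks fail later.
 */
static void prerequisites(void)
{
	int fd;
	const char *script = "#!/bin/sh\nexit $*\n";
	size_t script_len = strlen(script);

	/* Create ephemeral copies of files */
	exe_cp("execveat", "execveat.ephemeral");
	exe_cp("execveat", "execveat.path.ephemeral");
	exe_cp("script", "script.ephemeral");
	mkdir("subdir.ephemeral", 0755);

	fd = open("subdir.ephemeral/script", O_RDWR|O_CREAT|O_TRUNC, 0755);
	if (fd < 0) {
		printf("Failed to create 'subdir.ephemeral/script', errno=%d (%s)\n",
		       errno, strerror(errno));
		return;
	}
	/* A short or failed write would leave a truncated script behind. */
	if (write(fd, script, script_len) != (ssize_t)script_len)
		printf("Failed to write 'subdir.ephemeral/script'\n");
	close(fd);
}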
368 | ||
/*
 * Entry point with two roles.
 *
 * Without arguments this is the test driver: it creates the prerequisites,
 * runs every check and returns the number of failures.
 *
 * With at least one argument it is the program being exec'd by a check: it
 * verifies that IN_TEST=yes arrived in the environment and then returns its
 * final argument, converted with atoi(), as the exit code.
 */
int main(int argc, char **argv)
{
	const char *verbose = getenv("VERBOSE");
	const char *in_test;
	int idx;
	int rc;

	if (argc < 2) {
		/* Driver mode: pass VERBOSE on to the exec'd children. */
		prerequisites();
		if (verbose)
			envp[1] = "VERBOSE=1";
		rc = run_tests();
		if (rc > 0)
			printf("%d tests failed\n", rc);
		return rc;
	}

	/* If we are invoked with an argument, don't run tests. */
	in_test = getenv("IN_TEST");

	if (verbose) {
		printf(" invoked with:");
		for (idx = 0; idx < argc; idx++)
			printf(" [%d]='%s'", idx, argv[idx]);
		printf("\n");
	}

	/* Check expected environment transferred. */
	if (!in_test || strcmp(in_test, "yes") != 0) {
		printf("[FAIL] (no IN_TEST=yes in env)\n");
		return 1;
	}

	/* Use the final argument as an exit code. */
	rc = atoi(argv[argc - 1]);
	fflush(stdout);
	return rc;
}