google / capsicum-test
Test suite for Capsicum

License: BSD 2-Clause "Simplified" License

Makefile 1.30% C 6.02% C++ 78.67% Shell 4.70% CMake 0.67% Python 7.26% M4 0.42% Roff 0.78% Starlark 0.20%

capsicum-test's Introduction

Capsicum User Space Tests

This directory holds unit tests for Capsicum object-capabilities. The tests exercise the syscall interface to a Capsicum-enabled operating system, currently either FreeBSD >=10.x or a modified Linux kernel (the capsicum-linux project).

The tests are written in C++11 and use the Google Test framework, with some additions to fork off particular tests (because a process that enters capability mode cannot leave it again).
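The fork-off pattern the README describes, as an added example that is not part of capsicum-test: the parent forks, the child calls cap_enter() and exercises capability mode, and the parent reads back only the child's exit status, so it can keep running further tests. It assumes a FreeBSD host; on a host without Capsicum (stock Linux) a labelled shim stands in for cap_enter() and the test body reports a skip.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#else
/* Assumption: no Capsicum on this host; the shim only lets the harness
 * compile and run, and reports ENOSYS so the capmode body is skipped. */
static int cap_enter(void) { errno = ENOSYS; return -1; }
#ifndef ECAPMODE
#define ECAPMODE ENOSYS
#endif
#endif
/* Exit codes a forked test body reports back to the parent. */
enum { CHILD_PASS = 0, CHILD_FAIL = 1, CHILD_SKIP = 77 };

/* Run fn() in a forked child and return its exit status (-1 on fork/wait
 * error or abnormal exit). The parent never enters capability mode. */
int run_forked(int (*fn)(void)) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fn());
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Test body: in capability mode an absolute-path open must fail with
 * ECAPMODE; only lookups relative to an existing descriptor remain. */
int capmode_denies_absolute_open(void) {
    if (cap_enter() != 0)
        return errno == ENOSYS ? CHILD_SKIP : CHILD_FAIL;
    int fd = open("/etc/passwd", O_RDONLY);
    if (fd >= 0) {
        close(fd);
        return CHILD_FAIL; /* global namespace still reachable */
    }
    return errno == ECAPMODE ? CHILD_PASS : CHILD_FAIL;
}

int main(void) {
    int rc = run_forked(capmode_denies_absolute_open);
    printf("capmode_denies_absolute_open: rc=%d (0=pass, 77=skip)\n", rc);
    return (rc == CHILD_PASS || rc == CHILD_SKIP) ? 0 : 1;
}
```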

Provenance

The original basis for these tests was:

  • unit tests written by Robert Watson and Jonathan Anderson for the original FreeBSD 9.x Capsicum implementation
  • unit tests written by Meredydd Luff for the original Capsicum-Linux port.

These tests were coalesced and moved into an independent repository to enable comparative testing across multiple OSes, and then substantially extended.

OS Configuration

Linux

The following kernel configuration options are needed to run the tests:

  • CONFIG_SECURITY_CAPSICUM: enable the Capsicum framework
  • CONFIG_PROCDESC: enable Capsicum process-descriptor functionality
  • CONFIG_DEBUG_FS: enable debug filesystem
  • CONFIG_IP_SCTP: enable SCTP support

FreeBSD (>= 10.x)

The following kernel configuration options are needed so that all tests can run:

  • options P1003_1B_MQUEUE: Enable POSIX message queues (or kldload mqueuefs)

Other Dependencies

Linux

The following additional development packages are needed to build the full test suite on Linux.

  • libcaprights: See below
  • libcap-dev: Provides headers for POSIX.1e capabilities.
  • libsctp1: Provides SCTP library functions.
  • libsctp-dev: Provides headers for SCTP library functions.

Linux libcaprights

The Capsicum userspace library is held in the libcaprights/ subdirectory. Ideally, this library should be built (with ./configure; make or dpkg-buildpackage -uc -us) and installed (with make install or dpkg -i libcaprights*.deb) so that the tests behave like a normal Capsicum-aware application.

However, if no installed copy of the library is found, the GNUmakefile will attempt to use the local libcaprights/*.c source; this requires ./configure to have been performed in the libcaprights subdirectory. The local code is also used for cross-compiled builds of the test suite (e.g. make ARCH=32 or make ARCH=x32).


capsicum-test's Issues

build fails on systems without O_BENEATH

openat.cc:84:3: error: use of undeclared identifier 'O_BENEATH'
  EXPECT_OPENAT_FAIL_TRAVERSAL(etc_cap_ro, "../etc/passwd", O_RDONLY);
  ^
./capsicum-test.h:158:22: note: expanded from macro
      'EXPECT_OPENAT_FAIL_TRAVERSAL'
      if (((flags) & O_BENEATH) == O_BENEATH) { \
                     ^

OpenatTest.* failures if vfs.lookup_cap_dotdot is disabled

While trying to figure out why all of the O_BENEATH positive cases were failing, I stumbled upon this issue.

Procedure:

$ sudo sysctl vfs.lookup_cap_dotdot=0
$ make test

Expected result:

The testcase should skip any cases that would trip with relative dot-dot lookups.

Actual result:

OpenatTest.WithCapability and ForkedOpenatTest_InCapabilityMode._ fail this check:

#ifdef HAVE_OPENAT_INTERMEDIATE_DOTDOT
    // OK for dotdot lookups that don't escape the top directory
    EXPECT_OPEN_OK(openat(dir_fd_, "subdir/../topfile", O_RDONLY|oflag));
#endif

They likely also fail this check, errantly:

    // Check that we can't escape the top directory by the cunning
    // ruse of going via a subdirectory.
    EXPECT_OPENAT_FAIL_TRAVERSAL(dir_fd_, "subdir/../../etc/passwd", O_RDONLY|oflag);

OpenatTest.WithFlag / ForkedOpenatTest_WithFlagInCapabilityMode._ fail on FreeBSD

Stock FreeBSD fails OpenatTest.WithFlag / ForkedOpenatTest_WithFlagInCapabilityMode._ for two reasons:

  1. The testcases are expecting -1/EPERM instead of -1/ENOTCAPABLE:
openat.cc:264: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:265: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:266: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:275: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
...
openat.cc:280: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:281: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:282: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:283: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:284: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
...
openat.cc:288: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:289: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:290: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:291: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:292: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 93
openat.cc:353: Failure
Expected equality of these values:
  0
  rc
    Which is: 1
  2. These testcases don't fail when O_BENEATH is passed:
openat.cc:280: Failure
Expected: (0) > (result), actual: 0 vs 49
...
openat.cc:288: Failure
Expected: (0) > (result), actual: 0 vs 50

Item 1. is a test bug. I'm unsure if item 2 is a kernel bug or a test bug.

These issues can be triggered out of the box on a FreeBSD 13.0-CURRENT image.

Pdfork.OtherUserForked fails on FreeBSD 12 current

This test case tries to test killing a process created with pdfork as a different user. FreeBSD disallows this behaviour, so it fails with EPERM.

From kill(2):

For a process to have permission to send a signal to a process designated
by pid, the user must be the super-user, or the real or saved user ID of
the receiving process must match the real or effective user ID of the
sending process.

Call stack:

sys_pdkill() -> p_cansignal() -> ... -> priv_check_cred()

int
priv_check_cred(struct ucred *cred, int priv, int flags)
{
	...
	// No other policies grant privilege
	...
	/*
	 * The default is deny, so if no policies have granted it, reject
	 * with a privilege error here.
	 */
	error = EPERM;
	...
}

Build fails on FreeBSD stable/10 due to lack of x32 support

feynman% gmake
cc -m64 -Wall -g -mx32 -static -o mini-me.x32 mini-me.c
cc: error: unknown argument: '-mx32'
GNUmakefile:64: recipe for target 'mini-me.x32' failed
gmake: *** [mini-me.x32] Error 1

Need to avoid adding mini-me.x32 to EXTRA_PROGS when the compiler does not support -mx32

"ps -p <zombie-pid>" returns nothing on FreeBSD

Pdfork.Simple fails on FreeBSD because ProcessState(<zombie-pid>) returns nothing. As a temporary workaround, #17 changes ProcessState(...) to use ps -a -p <zombie-pid>. This should be removed when FreeBSD reports zombie processes with sysctl kern.proc.pid.<pid>.

Forked WithFiles.DisallowedFileSyscalls fails on FreeBSD 12 current

The following assertion fails with EINVAL:

EXPECT_CAPMODE(mknod(TmpFile("capmode_mknod"), 0644, 0));

This fails with EINVAL because capability mode validation occurs after a few checks on mode and dev. It might not be a useful test on FreeBSD for this reason. Furthermore, if we changed the arguments to reflect the creation of an actual special file (e.g. a character device), we would require root access to run the test.

Relevant mknod functionality in FreeBSD 12 current from sys/kern/vfs_syscalls.c:

int
kern_mknodat(struct thread *td, int fd, char *path, enum uio_seg pathseg,
    int mode, dev_t dev)
{
	struct vnode *vp;
	struct mount *mp;
	struct vattr vattr;
	struct nameidata nd;
	cap_rights_t rights;
	int error, whiteout = 0;

	AUDIT_ARG_MODE(mode);
	AUDIT_ARG_DEV(dev);
	switch (mode & S_IFMT) {
	case S_IFCHR:
	case S_IFBLK:
		error = priv_check(td, PRIV_VFS_MKNOD_DEV);
		if (error == 0 && dev == VNOVAL)
			error = EINVAL;
		break;
	case S_IFMT:
		error = priv_check(td, PRIV_VFS_MKNOD_BAD);
		break;
	case S_IFWHT:
		error = priv_check(td, PRIV_VFS_MKNOD_WHT);
		break;
	case S_IFIFO:
		if (dev == 0)
			return (kern_mkfifoat(td, fd, path, pathseg, mode));
		/* FALLTHROUGH */
	default:
		error = EINVAL;
		break;
	}
	if (error != 0)
		return (error);
restart:
	bwillwrite();
	NDINIT_ATRIGHTS(&nd, CREATE, LOCKPARENT | SAVENAME | AUDITVNODE1 |
	    NOCACHE, pathseg, path, fd, cap_rights_init(&rights, CAP_MKNODAT),
	    td);
	if ((error = namei(&nd)) != 0)
		return (error);

PipePdfork.Close and PipePdforkDaemon.NoPDSigchld fail when calling waitpid with ECHILD

Both of these testcases fail as follows on vanilla FreeBSD 13.0-CURRENT:

[ RUN      ] PipePdfork.Close
procdesc.cc:488: Failure
Expected equality of these values:
  pid_
    Which is: 6569
  waitpid(pid_, &status, 0|1)
    Which is: -1
...
[ RUN      ] PipePdforkDaemon.NoPDSigchld
procdesc.cc:733: Failure
Expected equality of these values:
  pid_
    Which is: 6629
  waitpid(pid_, &rc, 0)
    Which is: -1

Both tests fail with ECHILD, as shown below.

  1. PipePdfork.Close:
$ ./capsicum-test --gtest_filter=PipePdfork.Close -v
Note: Google Test filter = PipePdfork.Close
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from PipePdfork
[ RUN      ] PipePdfork.Close
[7324] about to pdfork()
  [7325] child of 7324 waiting for value on pipe
procdesc.cc:488: Failure
Expected equality of these values:
  pid_
    Which is: 7325
  waitpid(pid_, &status, 0|1)
    Which is: -1
No child processes
[  FAILED  ] PipePdfork.Close (108 ms)
[----------] 1 test from PipePdfork (108 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (110 ms total)
[  PASSED  ] 0 tests.
[  FAILED  ] 1 test, listed below:
[  FAILED  ] PipePdfork.Close

 1 FAILED TEST
  2. PipePdforkDaemon.NoPDSigchld:
$ ./capsicum-test --gtest_filter=PipePdforkDaemon.NoPDSigchld -v
Note: Google Test filter = PipePdforkDaemon.NoPDSigchld
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from PipePdforkDaemon
[ RUN      ] PipePdforkDaemon.NoPDSigchld
[7289] about to pdfork()
  [7290] child of 7289 waiting for value on pipe
[7289] write 0 to pipe
  [7290] got value 0 on pipe, exiting
procdesc.cc:733: Failure
Expected equality of these values:
  pid_
    Which is: 7290
  waitpid(pid_, &rc, 0)
    Which is: -1
No child processes
[  FAILED  ] PipePdforkDaemon.NoPDSigchld (1 ms)
[----------] 1 test from PipePdforkDaemon (1 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1 ms total)
[  PASSED  ] 0 tests.
[  FAILED  ] 1 test, listed below:
[  FAILED  ] PipePdforkDaemon.NoPDSigchld

 1 FAILED TEST
