From patchwork Fri Dec  2 01:34:01 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Xu <jeffxu@chromium.org>
X-Patchwork-Id: 630745
Return-Path: <linux-kselftest-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 02D9AC47088
 for <linux-kselftest@archiver.kernel.org>;
 Fri,  2 Dec 2022 01:35:59 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S231591AbiLBBf6 (ORCPT
 <rfc822;linux-kselftest@archiver.kernel.org>);
 Thu, 1 Dec 2022 20:35:58 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52366 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S231400AbiLBBfz (ORCPT
 <rfc822;linux-kselftest@vger.kernel.org>);
 Thu, 1 Dec 2022 20:35:55 -0500
Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com
 [IPv6:2607:f8b0:4864:20::52c])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B9820D3A09
 for <linux-kselftest@vger.kernel.org>;
 Thu,  1 Dec 2022 17:35:52 -0800 (PST)
Received: by mail-pg1-x52c.google.com with SMTP id s196so3195190pgs.3
 for <linux-kselftest@vger.kernel.org>;
 Thu, 01 Dec 2022 17:35:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=I7MLjr3MjQu+vEYGPW7zVilB4153TCbmT2Qa9Is+kkA=;
 b=LxeM5dSegaw2mlu/73XHqy9gB1r8BqVrr8xehs4RWb4ERes96JpafPj6MFuHckmlH4
 pbZbIrtq9O7AgzZnKPn6oPAlpLf2Wiiz6vezDvKYzpLMylysFplwAZkEM0wtWXegJkxQ
 t51Beph/LXZUj4c9ZZw6I/8POYLF+8FmharWw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=I7MLjr3MjQu+vEYGPW7zVilB4153TCbmT2Qa9Is+kkA=;
 b=798QUcO4rULs6jRz8D0G6VzndWeeQoA6HjG6xJ0qZoKF0grjSHvAvMH36obKcuMiVD
 fGJxriInBe6Uagbt8l7yxh6O5mZTEyNMGzBmJ93Oh46TBPKFTrlmBmwbNvykur3/BiYE
 IdXhl/oEo/DloggLHHUVUdUKXk3mVbNum+0GCxVWgXFN2lneQmD5ufvOSWDoxFoYSmqA
 guWWS44IRjW6p1xc2y6YzxWwTAUdJN6PJ0dECctw56r7je+3JSzzrYuFgND1Xdpu1RHK
 LvHy1suB81pcKJkmSYTq+BLbii3RT3RuL+yImMeRiPBuvXF6EK2sTs/wiHez4TYzlhKF
 RdDg==
X-Gm-Message-State: ANoB5pnCAcX1oOb1eob/xhc8kCvXh7GeFztRbsZN2X1ip7C4BUNvQdsU
 UwIizstbXeQmPoG1VyWqMFgORg==
X-Google-Smtp-Source: AA0mqf5btiJ+9sgPAmd2+gxWEX4AKB8owo2RxGZ9a02ud+yJu7zGKa2xsO63ocKjcLmvwlZzsa2D4Q==
X-Received: by 2002:a63:d18:0:b0:46e:b0e3:ee46 with SMTP id
 c24-20020a630d18000000b0046eb0e3ee46mr42438144pgl.622.1669944952181;
 Thu, 01 Dec 2022 17:35:52 -0800 (PST)
Received: from jeffxud.c.googlers.com.com
 (30.202.168.34.bc.googleusercontent.com. [34.168.202.30])
 by smtp.gmail.com with ESMTPSA id
 s13-20020a65690d000000b00477fb27eaddsm3074241pgq.63.2022.12.01.17.35.51
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 01 Dec 2022 17:35:51 -0800 (PST)
From: jeffxu@chromium.org
To: skhan@linuxfoundation.org, keescook@chromium.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com,
 dverkamp@chromium.org, hughd@google.com, jeffxu@google.com,
 jorgelo@chromium.org, linux-kernel@vger.kernel.org,
 linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
 mnissler@chromium.org, jannh@google.com,
 linux-hardening@vger.kernel.org, Jeff Xu <jeffxu@chromium.org>
Subject: [PATCH v3] selftests/memfd: add tests for F_SEAL_EXEC
Date: Fri,  2 Dec 2022 01:34:01 +0000
Message-Id: <20221202013404.163143-4-jeffxu@google.com>
X-Mailer: git-send-email 2.39.0.rc0.267.gcb52ba06e7-goog
In-Reply-To: <20221202013404.163143-1-jeffxu@google.com>
References: <20221202013404.163143-1-jeffxu@google.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-kselftest.vger.kernel.org>
X-Mailing-List: linux-kselftest@vger.kernel.org

From: Daniel Verkamp <dverkamp@chromium.org>

Basic tests to ensure that user/group/other execute bits cannot be
changed after applying F_SEAL_EXEC to a memfd.

Co-developed-by: Jeff Xu <jeffxu@chromium.org>
Signed-off-by: Jeff Xu <jeffxu@chromium.org>
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
---
 tools/testing/selftests/memfd/memfd_test.c | 129 ++++++++++++++++++++-
 1 file changed, 128 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c
index 94df2692e6e4..1d7e7b36bbdd 100644
--- a/tools/testing/selftests/memfd/memfd_test.c
+++ b/tools/testing/selftests/memfd/memfd_test.c
@@ -28,12 +28,44 @@
 #define MFD_DEF_SIZE 8192
 #define STACK_SIZE 65536
 
+#ifndef F_SEAL_EXEC
+#define F_SEAL_EXEC	0x0020
+#endif
+
+#ifndef MAX_PATH
+#define MAX_PATH 256
+#endif
+
 /*
  * Default is not to test hugetlbfs
  */
 static size_t mfd_def_size = MFD_DEF_SIZE;
 static const char *memfd_str = MEMFD_STR;
 
+static ssize_t fd2name(int fd, char *buf, size_t bufsize)
+{
+	char buf1[MAX_PATH];
+	int size;
+	ssize_t nbytes;
+
+	size = snprintf(buf1, MAX_PATH, "/proc/self/fd/%d", fd);
+	if (size < 0) {
+		printf("snprintf(%d) failed on %m\n", fd);
+		abort();
+	}
+
+	/*
+	 * reserver one byte for string termination.
+	 */
+	nbytes = readlink(buf1, buf, bufsize-1);
+	if (nbytes == -1) {
+		printf("readlink(%s) failed %m\n", buf1);
+		abort();
+	}
+	buf[nbytes] = '\0';
+	return nbytes;
+}
+
 static int mfd_assert_new(const char *name, loff_t sz, unsigned int flags)
 {
 	int r, fd;
@@ -98,11 +130,14 @@ static unsigned int mfd_assert_get_seals(int fd)
 
 static void mfd_assert_has_seals(int fd, unsigned int seals)
 {
+	char buf[MAX_PATH];
+	int nbytes;
 	unsigned int s;
+	fd2name(fd, buf, MAX_PATH);
 
 	s = mfd_assert_get_seals(fd);
 	if (s != seals) {
-		printf("%u != %u = GET_SEALS(%d)\n", seals, s, fd);
+		printf("%u != %u = GET_SEALS(%s)\n", seals, s, buf);
 		abort();
 	}
 }
@@ -594,6 +629,64 @@ static void mfd_fail_grow_write(int fd)
 	}
 }
 
+static void mfd_assert_mode(int fd, int mode)
+{
+	struct stat st;
+	char buf[MAX_PATH];
+	int nbytes;
+
+	fd2name(fd, buf, MAX_PATH);
+
+	if (fstat(fd, &st) < 0) {
+		printf("fstat(%s) failed: %m\n", buf);
+		abort();
+	}
+
+	if ((st.st_mode & 07777) != mode) {
+		printf("fstat(%s) wrong file mode 0%04o, but expected 0%04o\n",
+		       buf, (int)st.st_mode & 07777, mode);
+		abort();
+	}
+}
+
+static void mfd_assert_chmod(int fd, int mode)
+{
+	char buf[MAX_PATH];
+	int nbytes;
+
+	fd2name(fd, buf, MAX_PATH);
+
+	if (fchmod(fd, mode) < 0) {
+		printf("fchmod(%s, 0%04o) failed: %m\n", buf, mode);
+		abort();
+	}
+
+	mfd_assert_mode(fd, mode);
+}
+
+static void mfd_fail_chmod(int fd, int mode)
+{
+	struct stat st;
+	char buf[MAX_PATH];
+	int nbytes;
+
+	fd2name(fd, buf, MAX_PATH);
+
+	if (fstat(fd, &st) < 0) {
+		printf("fstat(%s) failed: %m\n", buf);
+		abort();
+	}
+
+	if (fchmod(fd, mode) == 0) {
+		printf("fchmod(%s, 0%04o) didn't fail as expected\n",
+		       buf, mode);
+		abort();
+	}
+
+	/* verify that file mode bits did not change */
+	mfd_assert_mode(fd, st.st_mode & 07777);
+}
+
 static int idle_thread_fn(void *arg)
 {
 	sigset_t set;
@@ -880,6 +973,39 @@ static void test_seal_resize(void)
 	close(fd);
 }
 
+/*
+ * Test SEAL_EXEC
+ * Test that chmod() cannot change x bits after sealing
+ */
+static void test_seal_exec(void)
+{
+	int fd;
+
+	printf("%s SEAL-EXEC\n", memfd_str);
+
+	fd = mfd_assert_new("kern_memfd_seal_exec",
+			    mfd_def_size,
+			    MFD_CLOEXEC | MFD_ALLOW_SEALING);
+
+	mfd_assert_mode(fd, 0777);
+
+	mfd_assert_chmod(fd, 0644);
+
+	mfd_assert_has_seals(fd, 0);
+	mfd_assert_add_seals(fd, F_SEAL_EXEC);
+	mfd_assert_has_seals(fd, F_SEAL_EXEC);
+
+	mfd_assert_chmod(fd, 0600);
+	mfd_fail_chmod(fd, 0777);
+	mfd_fail_chmod(fd, 0670);
+	mfd_fail_chmod(fd, 0605);
+	mfd_fail_chmod(fd, 0700);
+	mfd_fail_chmod(fd, 0100);
+	mfd_assert_chmod(fd, 0666);
+
+	close(fd);
+}
+
 /*
  * Test sharing via dup()
  * Test that seals are shared between dupped FDs and they're all equal.
@@ -1059,6 +1185,7 @@ int main(int argc, char **argv)
 	test_seal_shrink();
 	test_seal_grow();
 	test_seal_resize();
+	test_seal_exec();
 
 	test_share_dup("SHARE-DUP", "");
 	test_share_mmap("SHARE-MMAP", "");