
selftests: kmod: Add module address visibility test

Make sure we don't regress the CAP_SYSLOG behavior of the module address
visibility via /proc/modules nor /sys/module/*/sections/*.

Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>

+36
+36
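--- a/tools/testing/selftests/kmod/kmod.sh
+++ b/tools/testing/selftests/kmod/kmod.sh
@@ -63,6 +63,8 @@
 ALL_TESTS="$ALL_TESTS 0009:150:1"
 ALL_TESTS="$ALL_TESTS 0010:1:1"
 ALL_TESTS="$ALL_TESTS 0011:1:1"
+ALL_TESTS="$ALL_TESTS 0012:1:1"
+ALL_TESTS="$ALL_TESTS 0013:1:1"
 
 # Kselftest framework requirement - SKIP code is 4.
 ksft_skip=4
@@ -470,6 +472,38 @@
 	echo "$MODPROBE" > /proc/sys/kernel/modprobe
 }
 
+kmod_check_visibility()
+{
+	local name="$1"
+	local cmd="$2"
+
+	modprobe $DEFAULT_KMOD_DRIVER
+
+	local priv=$(eval $cmd)
+	local unpriv=$(capsh --drop=CAP_SYSLOG -- -c "$cmd")
+
+	if [ "$priv" = "$unpriv" ] || \
+	   [ "${priv:0:3}" = "0x0" ] || \
+	   [ "${unpriv:0:3}" != "0x0" ] ; then
+		echo "${FUNCNAME[0]}: FAIL, $name visible to unpriv: '$priv' vs '$unpriv'" >&2
+		exit 1
+	else
+		echo "${FUNCNAME[0]}: OK!"
+	fi
+}
+
+kmod_test_0012()
+{
+	kmod_check_visibility /proc/modules \
+		"grep '^${DEFAULT_KMOD_DRIVER}\b' /proc/modules | awk '{print \$NF}'"
+}
+
+kmod_test_0013()
+{
+	kmod_check_visibility '/sys/module/*/sections/*' \
+		"cat /sys/module/${DEFAULT_KMOD_DRIVER}/sections/.*text | head -n1"
+}
+
 list_tests()
 {
 	echo "Test ID list:"
@@ -489,6 +523,8 @@
 	echo "0009 x $(get_test_count 0009) - multithreaded - push kmod_concurrent over max_modprobes for get_fs_type()"
 	echo "0010 x $(get_test_count 0010) - test nonexistent modprobe path"
 	echo "0011 x $(get_test_count 0011) - test completely disabling module autoloading"
+	echo "0012 x $(get_test_count 0012) - test /proc/modules address visibility under CAP_SYSLOG"
+	echo "0013 x $(get_test_count 0013) - test /sys/module/*/sections/* visibility under CAP_SYSLOG"
 }
 
 usage()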
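Review bot: In kmod_check_visibility the hidden-address check looks only at the first three characters (`"${unpriv:0:3}" != "0x0"`), so an unprivileged read that returns a real address whose leading hex digit is zero would still be accepted as hidden, and the same prefix test on `priv` would fail a legitimate privileged read of such an address. Comparing the whole value is stricter, for example treating a value as hidden only when it is non-empty and `${unpriv//[0x]/}` is empty. Separately, if capsh is not installed `unpriv` comes back empty and the function exits 1 with a "visible to unpriv" message; a guard such as `command -v capsh >/dev/null || exit $ksft_skip` before the two reads would report a skip instead. The `local priv=$(eval $cmd)` form also hides the command's exit status, so a failed read cannot be told apart from an empty result.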