
LSM: SafeSetID: add setgroups() testing to selftest

Selftest already has support for testing UID and GID transitions.

Signed-off-by: Micah Morton <mortonm@chromium.org>

+69
+69
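--- a/tools/testing/selftests/safesetid/safesetid-test.c
+++ b/tools/testing/selftests/safesetid/safesetid-test.c
@@ -375,6 +375,71 @@
 die("should not reach here\n");
 }
 
+static void test_setgroups(gid_t* child_groups, size_t len, bool expect_success)
+{
+pid_t cpid, w;
+int wstatus;
+gid_t groupset[len];
+int i, j;
+
+cpid = fork();
+if (cpid == -1) {
+die("fork\n");
+}
+
+if (cpid == 0) { /* Code executed by child */
+if (setgroups(len, child_groups) != 0)
+exit(EXIT_FAILURE);
+if (getgroups(len, groupset) != len)
+exit(EXIT_FAILURE);
+for (i = 0; i < len; i++) {
+for (j = 0; j < len; j++) {
+if (child_groups[i] == groupset[j])
+break;
+if (j == len - 1)
+exit(EXIT_FAILURE);
+}
+}
+exit(EXIT_SUCCESS);
+} else { /* Code executed by parent */
+do {
+w = waitpid(cpid, &wstatus, WUNTRACED | WCONTINUED);
+if (w == -1) {
+die("waitpid\n");
+}
+
+if (WIFEXITED(wstatus)) {
+if (WEXITSTATUS(wstatus) == EXIT_SUCCESS) {
+if (expect_success) {
+return;
+} else {
+die("unexpected success\n");
+}
+} else {
+if (expect_success) {
+die("unexpected failure\n");
+} else {
+return;
+}
+}
+} else if (WIFSIGNALED(wstatus)) {
+if (WTERMSIG(wstatus) == 9) {
+if (expect_success)
+die("killed unexpectedly\n");
+else
+return;
+} else {
+die("unexpected signal: %d\n", wstatus);
+}
+} else {
+die("unexpected status: %d\n", wstatus);
+}
+} while (!WIFEXITED(wstatus) && !WIFSIGNALED(wstatus));
+}
+
+die("should not reach here\n");
+}
+
 
 static void ensure_users_exist(void)
 {
@@ -452,6 +517,10 @@
 test_setgid(ALLOWED_CHILD2_UGID, true);
 test_setgid(NO_POLICY_UGID, false);
 
+gid_t allowed_supp_groups[2] = {ALLOWED_CHILD1_UGID, ALLOWED_CHILD2_UGID};
+gid_t disallowed_supp_groups[2] = {ROOT_UGID, NO_POLICY_UGID};
+test_setgroups(allowed_supp_groups, 2, true);
+test_setgroups(disallowed_supp_groups, 2, false);
 
 if (!test_userns(false)) {
 die("test_userns worked when it should fail\n");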
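Review bot: In the child branch of test_setgroups(), every failure path exits with EXIT_FAILURE, so with `expect_success == false` the parent cannot tell a SafeSetID denial from an unrelated failure such as the getgroups() length check or the membership loop. The `disallowed_supp_groups` call can therefore pass for a reason that has nothing to do with the policy under test. Reserve EXIT_FAILURE for the refusal itself, e.g. `if (setgroups(len, child_groups) != 0) exit(errno == EPERM ? EXIT_FAILURE : 2);` (assuming `<errno.h>` is already included outside this hunk; the code 2 is a constructed example), exit with that second code from the read-back paths, and have the parent die() on any exit status other than EXIT_SUCCESS or EXIT_FAILURE. Separately, `die("unexpected signal: %d\n", wstatus)` prints the raw wait status rather than `WTERMSIG(wstatus)`, and the literal `9` would read more clearly as `SIGKILL`.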