xref: /netbsd-src/tests/kernel/t_kauth_pr_47598.c (revision d16b7486a53dcb8072b60ec6fcb4373a2d0c27b7) 
1 /*-
2  * Copyright (c) 2013 The NetBSD Foundation, Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
15  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
16  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
18  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
19  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
20  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
21  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
22  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
23  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
24  * POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __COPYRIGHT("@(#) Copyright (c) 2013\
29  The NetBSD Foundation, inc. All rights reserved.");
30 __RCSID("$NetBSD: t_kauth_pr_47598.c,v 1.6 2022/01/26 11:48:54 andvar Exp $");
31 
32 #include <errno.h>
33 #include <unistd.h>
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <sys/sysctl.h>
37 #include <sys/socket.h>
38 #include <netinet/in.h>
39 #include <arpa/inet.h>
40 #include <atf-c.h>
41 
42 /*
43  * helper function
44  */
45 static const char curtain_name[] = "security.models.bsd44.curtain";
46 static const char securelevel_name[] = "security.models.bsd44.securelevel";
47 
48 static bool may_lower_curtain(void);
49 static int get_curtain(void);
50 static void set_curtain(int newval);
51 
52 static bool
53 may_lower_curtain(void)
54 {
55 	int seclevel;
56 	size_t len = sizeof(seclevel);
57 
58 	if (sysctlbyname(securelevel_name, &seclevel, &len, NULL, 0) != 0)
59 		atf_tc_fail("failed to read %s", securelevel_name);
60 
61 	return seclevel <= 0;
62 }
63 
64 static int
65 get_curtain(void)
66 {
67 	int curtain;
68 	size_t len = sizeof(curtain);
69 
70 	if (sysctlbyname(curtain_name, &curtain, &len, NULL, 0) != 0)
71 		atf_tc_fail("failed to read %s", curtain_name);
72 
73 	return curtain;
74 }
75 
76 static void
77 set_curtain(int newval)
78 {
79 
80 	if (sysctlbyname(curtain_name, NULL, 0, &newval, sizeof(newval)) != 0)
81 		atf_tc_fail("failed to set %s to %d", curtain_name, newval);
82 }
83 
84 /*
85  * PR kern/47598: if security.models.extensions.curtain = 1 we crash when
86  * doing a netstat while an embryonic (not yet fully accepted) connection
87  * exists.
88  * This has been fixed with rev. 1.5 of
89  *   src/sys/secmodel/extensions/secmodel_extensions.c.
90  */
91 
92 
93 ATF_TC(kauth_curtain);
94 ATF_TC_HEAD(kauth_curtain, tc)
95 {
96 	atf_tc_set_md_var(tc, "require.user", "root");
97 	atf_tc_set_md_var(tc, "require.progs", "netstat");
98 	atf_tc_set_md_var(tc, "descr",
99 	    "Checks for kernel crash with curtain active (PR kern/47598)");
100 }
101 
102 ATF_TC_BODY(kauth_curtain, tc)
103 {
104 
105 	int old_curtain, s, s2, err;
106 	socklen_t slen;
107 	struct sockaddr_in sa;
108 
109 	/*
110 	 * save old value of "curtain" and enable it
111 	 */
112 	old_curtain = get_curtain();
113 	if (old_curtain < 1 && !may_lower_curtain())
114 		atf_tc_skip("curtain is not enabled and we would not be able"
115 		    " to drop it later due to securelevel settings");
116 
117 	set_curtain(1);
118 
119 	/*
120 	 * create a socket and bind it to some arbitrary free port
121 	 */
122 	s = socket(PF_INET, SOCK_STREAM|SOCK_NONBLOCK, 0);
123 	ATF_REQUIRE_MSG(s != -1, "socket: %d", errno);
124 	memset(&sa, 0, sizeof(sa));
125 	sa.sin_family = AF_INET;
126 	sa.sin_len = sizeof(sa);
127 	sa.sin_addr.s_addr = inet_addr("127.0.0.1");
128 	ATF_REQUIRE_MSG(bind(s, (struct sockaddr *)&sa, sizeof(sa)) == 0,
129 	    "bind: %d", errno);
130 	ATF_REQUIRE_MSG(listen(s, 16) == 0, "listen: %d", errno);
131 
132 	/*
133 	 * extract address and open a connection to the port
134 	 */
135 	slen = sizeof(sa);
136 	ATF_REQUIRE_MSG(getsockname(s, (struct sockaddr *)&sa, &slen) == 0,
137 	    "getsockname: %d", errno);
138 	s2 = socket(PF_INET, SOCK_STREAM|SOCK_NONBLOCK, 0);
139 	ATF_REQUIRE_MSG(s2 != -1, "socket: %d", errno);
140 	printf("port is %d\n", ntohs(sa.sin_port));
141 	err = connect(s2, (struct sockaddr *)&sa, sizeof(sa));
142 	ATF_REQUIRE_MSG(err == -1 && errno == EINPROGRESS,
143 	    "connect returned %d with errno %d", err, errno);
144 	fflush(stdout);
145 	fflush(stderr);
146 
147 	/*
148 	 * we now have a pending, not yet accepted connection - run netstat
149 	 */
150 	system("netstat -aA");
151 
152 	/*
153 	 * cleanup
154 	 */
155 	close(s2);
156 	close(s);
157 
158 	/*
159 	 * restore old value of curtain
160 	 */
161 	set_curtain(old_curtain);
162 }
163 
164 ATF_TP_ADD_TCS(tp)
165 {
166 	ATF_TP_ADD_TC(tp, kauth_curtain);
167 
168 	return atf_no_error();
169 }
170 
171 
172