1 /*	$OpenBSD: t_ptrace.c,v 1.4 2020/11/09 23:18:51 bluhm Exp $	*/
2 /*	$NetBSD: t_ptrace.c,v 1.4 2018/05/14 12:44:40 kamil Exp $	*/
3 
4 /*-
5  * Copyright (c) 2016 The NetBSD Foundation, Inc.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
18  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
19  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
20  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
21  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 #include "macros.h"
31 
32 #include <sys/cdefs.h>
33 __RCSID("$NetBSD: t_ptrace.c,v 1.4 2018/05/14 12:44:40 kamil Exp $");
34 
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <sys/wait.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
43 
44 #include "atf-c.h"
45 
46 #include "h_macros.h"
47 
/*
 * A child process cannot call atf functions and expect them to magically
 * work like in the parent.
 * The printf(3) messaging from a child will not work out of the box either
 * without establishing a communication protocol with its parent. To not
 * overcomplicate the tests - do not log from a child and use err(3)/errx(3)
 * wrapped with FORKEE_ASSERT()/FORKEE_ASSERTX() as that is guaranteed to work.
 */
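/*
 * FORKEE_ASSERTX(x): assertion for use in a forked child.
 *
 * Evaluates x exactly once; when it is false the child terminates through
 * errx(3) with EXIT_FAILURE and a message naming the file, line, function
 * and the failed expression.  errno is not reported (see FORKEE_ASSERT for
 * the variant that does).
 *
 * The condition is tested directly instead of being copied into a
 * macro-local "int ret": such a local would shadow a caller variable of
 * the same name used inside x, and would truncate non-int values.
 */
#define FORKEE_ASSERTX(x)							\
do {										\
	if (!(x))								\
		errx(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s",	\
		     __FILE__, __LINE__, __func__, #x);				\
} while (0)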
63 
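/*
 * FORKEE_ASSERT(x): assertion for use in a forked child, for expressions
 * that wrap a call which sets errno.
 *
 * Evaluates x exactly once; when it is false the child terminates through
 * err(3) with EXIT_FAILURE, so the message carries the errno text in
 * addition to the file, line, function and the failed expression.
 *
 * The condition is tested directly instead of being copied into a
 * macro-local "int ret": such a local would shadow a caller variable of
 * the same name used inside x, and would truncate non-int values.
 */
#define FORKEE_ASSERT(x)							\
do {										\
	if (!(x))								\
		err(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s",	\
		     __FILE__, __LINE__, __func__, #x);				\
} while (0)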
71 
/*
 * attach_pid0: PT_ATTACH aimed at PID 0 must be refused with EPERM.
 *
 * The head sets no "require.user", so the expectation is the same for
 * whichever user runs the test.
 */
ATF_TC(attach_pid0);
ATF_TC_HEAD(attach_pid0, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot attach to PID 0");
}

ATF_TC_BODY(attach_pid0, tc)
{
	/*
	 * Start from a clean errno; presumably so the EPERM check below
	 * cannot be satisfied by a value left over from an earlier call.
	 */
	errno = 0;

	/* The attach has to fail (-1) and the reason has to be EPERM. */
	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 0, NULL, 0) == -1);
}
84 
/*
 * attach_pid1: an unprivileged caller must not be able to PT_ATTACH to
 * PID 1; the request has to fail with EPERM.
 */
ATF_TC(attach_pid1);
ATF_TC_HEAD(attach_pid1, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot attach to PID 1 (as non-root)");

	/* The privileged case is covered by attach_pid1_securelevel. */
	atf_tc_set_md_var(tc, "require.user", "unprivileged");
}

ATF_TC_BODY(attach_pid1, tc)
{
	/* The attach has to fail (-1) and the reason has to be EPERM. */
	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
}
98 
/*
 * attach_pid1_securelevel: even root must not be able to PT_ATTACH to
 * PID 1 once kern.securelevel is 0 or higher; the request has to fail
 * with EPERM.
 *
 * NOTE(review): with a negative securelevel the test is skipped, so a
 * "skipped" result gives no evidence about the protection of PID 1.
 */
ATF_TC(attach_pid1_securelevel);
ATF_TC_HEAD(attach_pid1_securelevel, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot attach to PID 1 with "
	    "securelevel >= 0 (as root)");

	atf_tc_set_md_var(tc, "require.user", "root");
}

ATF_TC_BODY(attach_pid1_securelevel, tc)
{
	size_t len;
	int level;

	/* Fetch the current securelevel; failing to read it fails the test. */
	len = sizeof(level);
	ATF_REQUIRE(sysctlbyname("kern.securelevel", &level, &len, NULL, 0)
	    != -1);

	/* The assertion below is only made for securelevel >= 0. */
	if (level < 0) {
		atf_tc_skip("Test must be run with securelevel >= 0");
	}

	/* The attach has to fail (-1) and the reason has to be EPERM. */
	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
}
123 
/*
 * attach_self: a process asking to PT_ATTACH to its own PID must be
 * refused with EINVAL.
 */
ATF_TC(attach_self);
ATF_TC_HEAD(attach_self, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot attach to self (as it's nonsense)");
}

ATF_TC_BODY(attach_self, tc)
{
	/* Target is getpid(): expect -1 with errno EINVAL (not EPERM). */
	ATF_REQUIRE_ERRNO(EINVAL, ptrace(PT_ATTACH, getpid(), NULL, 0) == -1);
}
135 
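/*
 * attach_chroot: a process that has chroot(2)ed into a subdirectory must
 * not be able to PT_ATTACH to its parent, whose root lies outside the
 * child's root.
 *
 * Flow:
 *   1. The parent creates ./dir, enters it and opens two pipes.
 *   2. The forked child chroots into that directory, tells the parent it
 *      is ready, attempts the attach and checks that it is refused, then
 *      blocks until the parent answers, so the parent stays alive while
 *      the attach is attempted.
 *   3. The parent answers, closes its pipe ends and reaps the child.
 *
 * The refusal is checked inside the child, so the parent has to collect
 * the child's exit status; without that a child whose assertion failed
 * could go unnoticed and the test would still be reported as passed.
 */
ATF_TC(attach_chroot);
ATF_TC_HEAD(attach_chroot, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a debugger cannot trace another process unless the "
	    "process's root directory is at or below the tracing process's "
	    "root");

	/* The child calls chroot(2). */
	atf_tc_set_md_var(tc, "require.user", "root");
}

ATF_TC_BODY(attach_chroot, tc)
{
	char buf[PATH_MAX];
	pid_t child;
	int fds_toparent[2], fds_fromparent[2];
	int status;
	ssize_t rv;
	uint8_t msg = 0xde; /* dummy message for IPC based on pipe(2) */

	(void)memset(buf, '\0', sizeof(buf));
	ATF_REQUIRE(getcwd(buf, sizeof(buf)) != NULL);
	/* A truncated path would name a different directory; refuse it. */
	ATF_REQUIRE(strlcat(buf, "/dir", sizeof(buf)) < sizeof(buf));

	ATF_REQUIRE(mkdir(buf, 0500) == 0);
	ATF_REQUIRE(chdir(buf) == 0);

	ATF_REQUIRE(pipe(fds_toparent) == 0);
	ATF_REQUIRE(pipe(fds_fromparent) == 0);
	child = atf_utils_fork();
	if (child == 0) {
		/*
		 * Child: only FORKEE_ASSERT*() from here on, atf checks are
		 * not meant to be used in a forked process.
		 */
		FORKEE_ASSERT(close(fds_toparent[0]) == 0);
		FORKEE_ASSERT(close(fds_fromparent[1]) == 0);

		FORKEE_ASSERT(chroot(buf) == 0);

		/* Tell the parent that the chroot is in place. */
		rv = write(fds_toparent[1], &msg, sizeof(msg));
		FORKEE_ASSERTX(rv == (ssize_t)sizeof(msg));

		/* The attach must fail, and with the expected errno. */
		errno = 0;
		FORKEE_ASSERTX(ptrace(PT_ATTACH, getppid(), NULL, 0) == -1);
#ifdef __OpenBSD__
		FORKEE_ASSERTX(errno == EINVAL);
#else
		FORKEE_ASSERTX(errno == EPERM);
#endif

		/* Wait for the parent's answer before exiting. */
		rv = read(fds_fromparent[0], &msg, sizeof(msg));
		FORKEE_ASSERTX(rv == (ssize_t)sizeof(msg));

		_exit(0);
	}
	/* Only the parent gets here; the child always leaves via _exit/err. */
	ATF_REQUIRE(child != -1);
	ATF_REQUIRE(close(fds_toparent[1]) == 0);
	ATF_REQUIRE(close(fds_fromparent[0]) == 0);

	printf("Waiting for chrooting of the child PID %d\n", child);
	rv = read(fds_toparent[0], &msg, sizeof(msg));
	ATF_REQUIRE(rv == (ssize_t)sizeof(msg));

	printf("Child is ready, it will try to PT_ATTACH to parent\n");
	rv = write(fds_fromparent[1], &msg, sizeof(msg));
	ATF_REQUIRE(rv == (ssize_t)sizeof(msg));

	printf("fds_fromparent is no longer needed - close it\n");
	ATF_REQUIRE(close(fds_fromparent[1]) == 0);

	printf("fds_toparent is no longer needed - close it\n");
	ATF_REQUIRE(close(fds_toparent[0]) == 0);

	/*
	 * Reap the child and require a clean exit: a failed FORKEE_ASSERT*()
	 * ends the child with EXIT_FAILURE, which must fail this test.
	 */
	printf("Waiting for the child PID %d to exit\n", child);
	ATF_REQUIRE(waitpid(child, &status, 0) == child);
	ATF_REQUIRE(WIFEXITED(status));
	ATF_REQUIRE(WEXITSTATUS(status) == 0);
}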
203 
/*
 * traceme_twice: the first PT_TRACE_ME must succeed, a second one issued
 * by the same process must fail with EBUSY.
 */
ATF_TC(traceme_twice);
ATF_TC_HEAD(traceme_twice, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Assert that a process cannot mark its parent a debugger twice");
}

ATF_TC_BODY(traceme_twice, tc)
{
	const pid_t parent = getppid();
	const pid_t self = getpid();

	/* First request: expected to succeed. */
	printf("Mark the parent process (PID %d) a debugger of PID %d\n",
	       parent, self);
	ATF_REQUIRE(ptrace(PT_TRACE_ME, 0, NULL, 0) == 0);

	/* Second request: expected to be refused with EBUSY. */
	printf("Mark the parent process (PID %d) a debugger of PID %d again\n",
	       parent, self);
	ATF_REQUIRE_ERRNO(EBUSY, ptrace(PT_TRACE_ME, 0, NULL, 0) == -1);
}
222 
/*
 * Test program entry: switches stdout and stderr to unbuffered mode and
 * registers every test case of this file, in the order they are defined.
 */
ATF_TP_ADD_TCS(tp)
{
	/*
	 * _IONBF: nothing is held back in stdio buffers; presumably so
	 * diagnostics appear immediately and are not carried across fork.
	 */
	setvbuf(stdout, NULL, _IONBF, 0);
	setvbuf(stderr, NULL, _IONBF, 0);

	/* PT_ATTACH refusals. */
	ATF_TP_ADD_TC(tp, attach_pid0);
	ATF_TP_ADD_TC(tp, attach_pid1);
	ATF_TP_ADD_TC(tp, attach_pid1_securelevel);
	ATF_TP_ADD_TC(tp, attach_self);
	ATF_TP_ADD_TC(tp, attach_chroot);

	/* PT_TRACE_ME refusal. */
	ATF_TP_ADD_TC(tp, traceme_twice);

	return atf_no_error();
}
236