authorBen Wiederhake <BenWiederhake.GitHub@gmx.de>2021-10-28 00:44:35 +0200
committerLinus Groh <mail@linusgroh.de>2021-10-31 18:44:12 +0100
commitf20a42e871e64ce34fac87d415a0f5718f7bae0c (patch)
tree5001e8b4581ee496ce2fa7c2d5aaf1c8d4a86e84
parent03526a7f2b3281fb40f3b1bd9b21064a19c7cd93 (diff)
Kernel: Write test that crashes ProcFS
-rwxr-xr-xMeta/build-root-filesystem.sh4
-rw-r--r--Tests/Kernel/CMakeLists.txt1
-rw-r--r--Tests/Kernel/TestProcFSWrite.cpp43
3 files changed, 48 insertions, 0 deletions
diff --git a/Meta/build-root-filesystem.sh b/Meta/build-root-filesystem.sh
index e11a7b97c8..8844ccdb57 100755
--- a/Meta/build-root-filesystem.sh
+++ b/Meta/build-root-filesystem.sh
@@ -106,6 +106,10 @@ if [ -f mnt/usr/Tests/Kernel/TestMemoryDeviceMmap ]; then
chown 0:0 mnt/usr/Tests/Kernel/TestMemoryDeviceMmap
chmod 4755 mnt/usr/Tests/Kernel/TestMemoryDeviceMmap
fi
+if [ -f mnt/usr/Tests/Kernel/TestProcFSWrite ]; then
+ chown 0:0 mnt/usr/Tests/Kernel/TestProcFSWrite
+ chmod 4755 mnt/usr/Tests/Kernel/TestProcFSWrite
+fi
chmod 0400 mnt/res/kernel.map
chmod 0400 mnt/boot/Kernel
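Review bot: The new `chown 0:0` / `chmod 4755` block installs another setuid-root binary into the image without saying why it needs that privilege; the only explanation is in the test source. A one-line comment above the `if` would let someone auditing the image's setuid files understand it from this script alone, for example `# TestProcFSWrite checks how the kernel handles a write to /proc by root, so it has to run setuid root.` The block repeats the TestMemoryDeviceMmap stanza above it verbatim, so if more such tests are expected, a loop over the binary names would keep the list of setuid test binaries in one place.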
diff --git a/Tests/Kernel/CMakeLists.txt b/Tests/Kernel/CMakeLists.txt
index 18abcba55a..2b1364a667 100644
--- a/Tests/Kernel/CMakeLists.txt
+++ b/Tests/Kernel/CMakeLists.txt
@@ -40,6 +40,7 @@ set(LIBTEST_BASED_SOURCES
TestMemoryDeviceMmap.cpp
TestMunMap.cpp
TestProcFS.cpp
+ TestProcFSWrite.cpp
)
foreach(libtest_source IN LISTS LIBTEST_BASED_SOURCES)
diff --git a/Tests/Kernel/TestProcFSWrite.cpp b/Tests/Kernel/TestProcFSWrite.cpp
new file mode 100644
index 0000000000..2559543777
--- /dev/null
+++ b/Tests/Kernel/TestProcFSWrite.cpp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2021, Ben Wiederhake <BenWiederhake.GitHub@gmx.de>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibTest/TestCase.h>
+#include <fcntl.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+
+TEST_CASE(check_root)
+{
+ auto uid = geteuid();
+ // This test only makes sense as root.
+ EXPECT_EQ(uid, 0u);
+
+ // Before we make the process dumpable, become "fully" root, so that the user cannot tamper with our memory:
+ EXPECT_EQ(setuid(0), 0);
+
+ // If running as setuid, the process is automatically marked as non-dumpable, which bars access to /proc/self/.
+ // However, that is the easiest guess for a /proc/$PID/ directory, so we'd like to use that.
+ // In order to do so, mark this process as dumpable:
+ EXPECT_EQ(prctl(PR_SET_DUMPABLE, 1, 0), 0);
+}
+
+TEST_CASE(root_writes_to_procfs)
+{
+ int fd = open("/proc/self/unveil", O_RDWR | O_APPEND | O_CREAT, 0666); // = 6
+ if (fd < 0) {
+ perror("open");
+ dbgln("fd was {}", fd);
+ FAIL("open failed?! See debugout");
+ return;
+ }
+
+ int rc = write(fd, "hello", 5);
+ perror("write");
+ dbgln("write rc = {}", rc);
+ if (rc >= 0) {
+ FAIL("Wrote successfully?!");
+ }
+}
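Review bot: In `root_writes_to_procfs` any negative `rc` counts as a pass, so an unrelated failure looks the same as the kernel deliberately rejecting the write. Once the intended kernel behaviour is settled, the test should also check `errno` against the expected value. `perror("write")` runs unconditionally, so on a successful write it prints a stale `errno`; `if (rc < 0) perror("write");` avoids that. `fd` is never closed on the path after the write, and a `close(fd);` at the end would fix it. The test also appears to depend on `check_root` having run first in the same process to set `PR_SET_DUMPABLE`, which is worth stating in a comment above the `open` call, since a filtered or reordered run would fail at `open` rather than exercise the write.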