Kernel: Write test that crashes ProcFS

Author: https://github.com/BenWiederhake Commit: https://github.com/SerenityOS/serenity/commit/f20a42e871e Pull-request: https://github.com/SerenityOS/serenity/pull/10661 Reviewed-by: https://github.com/ADKaster Reviewed-by: https://github.com/IdanHo Reviewed-by: https://github.com/awesomekling Reviewed-by: https://github.com/bcoles
2021-10-28 00:44:35 +02:00 · 2021-10-28 00:44:35 +02:00 · f20a42e871 · 2024-07-18 01:40:11 +09:00
commit f20a42e871
parent 03526a7f2b
3 changed files with 48 additions and 0 deletions
--- a/Meta/build-root-filesystem.sh
+++ b/Meta/build-root-filesystem.sh
@ -106,6 +106,10 @@ if [ -f mnt/usr/Tests/Kernel/TestMemoryDeviceMmap ]; then
    chown 0:0 mnt/usr/Tests/Kernel/TestMemoryDeviceMmap
    chmod 4755 mnt/usr/Tests/Kernel/TestMemoryDeviceMmap
 fi
+if [ -f mnt/usr/Tests/Kernel/TestProcFSWrite ]; then
+    chown 0:0 mnt/usr/Tests/Kernel/TestProcFSWrite
+    chmod 4755 mnt/usr/Tests/Kernel/TestProcFSWrite
+fi

 chmod 0400 mnt/res/kernel.map
 chmod 0400 mnt/boot/Kernel
--- a/Tests/Kernel/CMakeLists.txt
+++ b/Tests/Kernel/CMakeLists.txt
@ -40,6 +40,7 @@ set(LIBTEST_BASED_SOURCES
    TestMemoryDeviceMmap.cpp
    TestMunMap.cpp
    TestProcFS.cpp
+    TestProcFSWrite.cpp
 )

 foreach(libtest_source IN LISTS LIBTEST_BASED_SOURCES)
--- a/Tests/Kernel/TestProcFSWrite.cpp
+++ b/Tests/Kernel/TestProcFSWrite.cpp
@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2021, Ben Wiederhake <BenWiederhake.GitHub@gmx.de>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibTest/TestCase.h>
+#include <fcntl.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+
+TEST_CASE(check_root)
+{
+    auto uid = geteuid();
+    // This test only makes sense as root.
+    EXPECT_EQ(uid, 0u);
+
+    // Before we make the process dumpable, become "fully" root, so that the user cannot tamper with our memory:
+    EXPECT_EQ(setuid(0), 0);
+
+    // If running as setuid, the process is automatically marked as non-dumpable, which bars access to /proc/self/.
+    // However, that is the easiest guess for a /proc/$PID/ directory, so we'd like to use that.
+    // In order to do so, mark this process as dumpable:
+    EXPECT_EQ(prctl(PR_SET_DUMPABLE, 1, 0), 0);
+}
+
+TEST_CASE(root_writes_to_procfs)
+{
+    int fd = open("/proc/self/unveil", O_RDWR | O_APPEND | O_CREAT, 0666); // = 6
+    if (fd < 0) {
+        perror("open");
+        dbgln("fd was {}", fd);
+        FAIL("open failed?! See debugout");
+        return;
+    }
+
+    int rc = write(fd, "hello", 5);
+    perror("write");
+    dbgln("write rc = {}", rc);
+    if (rc >= 0) {
+        FAIL("Wrote successfully?!");
+    }
+}