add_key03.c - Android社区 - https://www.androidos.net.cn/

/*
 * Copyright (c) 2017 Google, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program, if not, see <http://www.gnu.org/licenses/>.
 */

/*
 * Regression test for commit 237bbd29f7a0 ("KEYS: prevent creating a different
 * user's keyrings").  The bug allowed any random user to create a keyring named
 * "_uid.$UID" (or "_uid_ses.$UID"), and it would become the user keyring (or
 * user session keyring) for user $UID, provided that it hadn't already been
 * created.
 *
 * This test must be run as root so that it has permission to switch to another
 * user ID and check whether the keyrings are wrong.  However, the underlying
 * bug is actually reachable/exploitable by a non-root user.
 */

#include <errno.h>
#include <pwd.h>
#include <stdio.h>

#include "tst_test.h"
#include "lapi/keyctl.h"

static key_serial_t create_keyring(const char *description)
{
	TEST(add_key("keyring", description, NULL, 0,
		     KEY_SPEC_PROCESS_KEYRING));
	if (TEST_RETURN < 0) {
		tst_brk(TBROK | TTERRNO,
			"unable to create keyring '%s'", description);
	}
	return TEST_RETURN;
}

static key_serial_t get_keyring_id(key_serial_t special_id)
{
	TEST(keyctl(KEYCTL_GET_KEYRING_ID, special_id, 1));
	if (TEST_RETURN < 0) {
		tst_brk(TBROK | TTERRNO,
			"unable to get ID of keyring %d", special_id);
	}
	return TEST_RETURN;
}

static void do_test(void)
{
	uid_t uid = 1;
	char description[32];
	key_serial_t fake_user_keyring;
	key_serial_t fake_user_session_keyring;

	/*
	 * We need a user to forge the keyrings for.  But the bug is not
	 * reproducible for a UID which already has its keyrings, so find an
	 * unused UID.  Note that it would be better to directly check for the
	 * presence of the UID's keyrings than to search the passwd file.
	 * However, that's not easy to do given that even if we assumed the UID
	 * temporarily to check, KEYCTL_GET_KEYRING_ID for the user and user
	 * session keyrings will create them rather than failing (even if the
	 * 'create' argument is 0).
	 */
	while (getpwuid(uid))
		uid++;

	sprintf(description, "_uid.%u", uid);
	fake_user_keyring = create_keyring(description);
	sprintf(description, "_uid_ses.%u", uid);
	fake_user_session_keyring = create_keyring(description);

	SAFE_SETUID(uid);

	if (fake_user_keyring == get_keyring_id(KEY_SPEC_USER_KEYRING))
		tst_brk(TFAIL, "created user keyring for another user");

	if (fake_user_session_keyring ==
	    get_keyring_id(KEY_SPEC_USER_SESSION_KEYRING))
		tst_brk(TFAIL, "created user session keyring for another user");

	tst_res(TPASS, "expectedly could not create another user's keyrings");
}

static struct tst_test test = {
	.test_all = do_test,
	.needs_root = 1,
};