1 files changed, 231 insertions, 0 deletions
diff --git a/src/regress/lib/libc/sys/t_ptrace.c b/src/regress/lib/libc/sys/t_ptrace.c
new file mode 100644
index 0000000000..756c9c514e
--- /dev/null
+++ b/src/regress/lib/libc/sys/t_ptrace.c
@@ -0,0 +1,231 @@
+/*      $OpenBSD: t_ptrace.c,v 1.1.1.1 2019/11/19 19:57:04 bluhm Exp $  */
+/*      $NetBSD: t_ptrace.c,v 1.4 2018/05/14 12:44:40 kamil Exp $       */
+/*-
+ * Copyright (c) 2016 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "macros.h"
+#include <sys/cdefs.h>
+__RCSID("$NetBSD: t_ptrace.c,v 1.4 2018/05/14 12:44:40 kamil Exp $");
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/stat.h>
+#include <sys/sysctl.h>
+#include <err.h>
+#include <errno.h>
+#include <unistd.h>
+#include "atf-c.h"
+#include "h_macros.h"
+/*
+ * A child process cannot call atf functions and expect them to magically
+ * work like in the parent.
+ * The printf(3) messaging from a child will not work out of the box as well
+ * without estabilishing a communication protocol with its parent. To not
+ * overcomplicate the tests - do not log from a child and use err(3)/errx(3)
+ * wrapped with FORKEE_ASSERT()/FORKEE_ASSERTX() as that is guaranteed to work.
+ */
+#define FORKEE_ASSERTX(x)                                                       \
+do {                                                                            \
+        int ret = (x);                                                          \
+        if (!ret)                                                               \
+                errx(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s",      \
+                     __FILE__, __LINE__, __func__, #x);                         \
+} while (0)
+#define FORKEE_ASSERT(x)                                                        \
+do {                                                                            \
+        int ret = (x);                                                          \
+        if (!ret)                                                               \
+                err(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s",       \
+                     __FILE__, __LINE__, __func__, #x);                         \
+} while (0)
+ATF_TC(attach_pid0);
+ATF_TC_HEAD(attach_pid0, tc)
+{
+        atf_tc_set_md_var(tc, "descr",
+            "Assert that a debugger cannot attach to PID 0");
+}
+ATF_TC_BODY(attach_pid0, tc)
+{
+        errno = 0;
+        ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 0, NULL, 0) == -1);
+}
+ATF_TC(attach_pid1);
+ATF_TC_HEAD(attach_pid1, tc)
+{
+        atf_tc_set_md_var(tc, "descr",
+            "Assert that a debugger cannot attach to PID 1 (as non-root)");
+        atf_tc_set_md_var(tc, "require.user", "unprivileged");
+}
+ATF_TC_BODY(attach_pid1, tc)
+{
+        ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
+}
+ATF_TC(attach_pid1_securelevel);
+ATF_TC_HEAD(attach_pid1_securelevel, tc)
+{
+        atf_tc_set_md_var(tc, "descr",
+            "Assert that a debugger cannot attach to PID 1 with "
+            "securelevel >= 0 (as root)");
+        atf_tc_set_md_var(tc, "require.user", "root");
+}
+ATF_TC_BODY(attach_pid1_securelevel, tc)
+{
+        int level;
+        size_t len = sizeof(level);
+        ATF_REQUIRE(sysctlbyname("kern.securelevel", &level, &len, NULL, 0)
+            != -1);
+        if (level < 0) {
+                atf_tc_skip("Test must be run with securelevel >= 0");
+        }
+        ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
+}
+ATF_TC(attach_self);
+ATF_TC_HEAD(attach_self, tc)
+{
+        atf_tc_set_md_var(tc, "descr",
+            "Assert that a debugger cannot attach to self (as it's nonsense)");
+}
+ATF_TC_BODY(attach_self, tc)
+{
+        ATF_REQUIRE_ERRNO(EINVAL, ptrace(PT_ATTACH, getpid(), NULL, 0) == -1);
+}
+ATF_TC(attach_chroot);
+ATF_TC_HEAD(attach_chroot, tc)
+{
+        atf_tc_set_md_var(tc, "descr",
+            "Assert that a debugger cannot trace another process unless the "
+            "process's root directory is at or below the tracing process's "
+            "root");
+        atf_tc_set_md_var(tc, "require.user", "root");
+}                    
+ATF_TC_BODY(attach_chroot, tc)
+{
+        char buf[PATH_MAX];
+        pid_t child;
+        int fds_toparent[2], fds_fromparent[2];
+        int rv;
+        uint8_t msg = 0xde; /* dummy message for IPC based on pipe(2) */
+        (void)memset(buf, '\0', sizeof(buf));
+        ATF_REQUIRE(getcwd(buf, sizeof(buf)) != NULL);
+        (void)strlcat(buf, "/dir", sizeof(buf));
+        ATF_REQUIRE(mkdir(buf, 0500) == 0);
+        ATF_REQUIRE(chdir(buf) == 0);
+        ATF_REQUIRE(pipe(fds_toparent) == 0);
+        ATF_REQUIRE(pipe(fds_fromparent) == 0);
+        child = atf_utils_fork();
+        if (child == 0) {
+                FORKEE_ASSERT(close(fds_toparent[0]) == 0);
+                FORKEE_ASSERT(close(fds_fromparent[1]) == 0);
+                FORKEE_ASSERT(chroot(buf) == 0);
+                rv = write(fds_toparent[1], &msg, sizeof(msg));
+                FORKEE_ASSERTX(rv == sizeof(msg));
+                ATF_REQUIRE_ERRNO(EPERM,
+                        ptrace(PT_ATTACH, getppid(), NULL, 0) == -1);
+                rv = read(fds_fromparent[0], &msg, sizeof(msg));
+                FORKEE_ASSERTX(rv == sizeof(msg));
+                _exit(0);
+        }
+        ATF_REQUIRE(close(fds_toparent[1]) == 0);
+        ATF_REQUIRE(close(fds_fromparent[0]) == 0);
+        printf("Waiting for chrooting of the child PID %d", child);
+        rv = read(fds_toparent[0], &msg, sizeof(msg));
+        ATF_REQUIRE(rv == sizeof(msg)); 
+        printf("Child is ready, it will try to PT_ATTACH to parent\n");
+        rv = write(fds_fromparent[1], &msg, sizeof(msg));
+        ATF_REQUIRE(rv == sizeof(msg));
+        printf("fds_fromparent is no longer needed - close it\n");
+        ATF_REQUIRE(close(fds_fromparent[1]) == 0);
+        printf("fds_toparent is no longer needed - close it\n");
+        ATF_REQUIRE(close(fds_toparent[0]) == 0);
+}
+ATF_TC(traceme_twice);
+ATF_TC_HEAD(traceme_twice, tc)
+{
+        atf_tc_set_md_var(tc, "descr",
+            "Assert that a process cannot mark its parent a debugger twice");
+}
+ATF_TC_BODY(traceme_twice, tc)
+{
+        printf("Mark the parent process (PID %d) a debugger of PID %d",
+               getppid(), getpid());
+        ATF_REQUIRE(ptrace(PT_TRACE_ME, 0, NULL, 0) == 0);
+        printf("Mark the parent process (PID %d) a debugger of PID %d again",
+               getppid(), getpid());
+        ATF_REQUIRE_ERRNO(EBUSY, ptrace(PT_TRACE_ME, 0, NULL, 0) == -1);
+}
+ATF_TP_ADD_TCS(tp)
+{
+        setvbuf(stdout, NULL, _IONBF, 0);
+        setvbuf(stderr, NULL, _IONBF, 0);
+        ATF_TP_ADD_TC(tp, attach_pid0);
+        ATF_TP_ADD_TC(tp, attach_pid1);
+        ATF_TP_ADD_TC(tp, attach_pid1_securelevel);
+        ATF_TP_ADD_TC(tp, attach_self);
+        ATF_TP_ADD_TC(tp, attach_chroot);
+        ATF_TP_ADD_TC(tp, traceme_twice);
+        return atf_no_error();
+}

diff --git a/src/regress/lib/libc/sys/t_ptrace.c b/src/regress/lib/libc/sys/t_ptrace.c new file mode 100644 index 0000000000..756c9c514e --- /dev/null +++ b/src/regress/lib/libc/sys/t_ptrace.c
@@ -0,0 +1,231 @@
	1	/* $OpenBSD: t_ptrace.c,v 1.1.1.1 2019/11/19 19:57:04 bluhm Exp $ */
	2	/* $NetBSD: t_ptrace.c,v 1.4 2018/05/14 12:44:40 kamil Exp $ */
	3
	4	/*-
	5	* Copyright (c) 2016 The NetBSD Foundation, Inc.
	6	* All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	* 1. Redistributions of source code must retain the above copyright
	12	* notice, this list of conditions and the following disclaimer.
	13	* 2. Redistributions in binary form must reproduce the above copyright
	14	* notice, this list of conditions and the following disclaimer in the
	15	* documentation and/or other materials provided with the distribution.
	16	*
	17	* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
	18	* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
	19	* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	20	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
	21	* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	22	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	23	* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	24	* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	25	* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	26	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	27	* POSSIBILITY OF SUCH DAMAGE.
	28	*/
	29
	30	#include "macros.h"
	31
	32	#include <sys/cdefs.h>
	33	__RCSID("$NetBSD: t_ptrace.c,v 1.4 2018/05/14 12:44:40 kamil Exp $");
	34
	35	#include <sys/param.h>
	36	#include <sys/types.h>
	37	#include <sys/ptrace.h>
	38	#include <sys/stat.h>
	39	#include <sys/sysctl.h>
	40	#include <err.h>
	41	#include <errno.h>
	42	#include <unistd.h>
	43
	44	#include "atf-c.h"
	45
	46	#include "h_macros.h"
	47
	48	/*
	49	* A child process cannot call atf functions and expect them to magically
	50	* work like in the parent.
	51	* The printf(3) messaging from a child will not work out of the box as well
	52	* without estabilishing a communication protocol with its parent. To not
	53	* overcomplicate the tests - do not log from a child and use err(3)/errx(3)
	54	* wrapped with FORKEE_ASSERT()/FORKEE_ASSERTX() as that is guaranteed to work.
	55	*/
	56	#define FORKEE_ASSERTX(x) \
	57	do { \
	58	int ret = (x); \
	59	if (!ret) \
	60	errx(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s", \
	61	__FILE__, __LINE__, __func__, #x); \
	62	} while (0)
	63
	64	#define FORKEE_ASSERT(x) \
	65	do { \
	66	int ret = (x); \
	67	if (!ret) \
	68	err(EXIT_FAILURE, "%s:%d %s(): Assertion failed for: %s", \
	69	__FILE__, __LINE__, __func__, #x); \
	70	} while (0)
	71
	72	ATF_TC(attach_pid0);
	73	ATF_TC_HEAD(attach_pid0, tc)
	74	{
	75	atf_tc_set_md_var(tc, "descr",
	76	"Assert that a debugger cannot attach to PID 0");
	77	}
	78
	79	ATF_TC_BODY(attach_pid0, tc)
	80	{
	81	errno = 0;
	82	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 0, NULL, 0) == -1);
	83	}
	84
	85	ATF_TC(attach_pid1);
	86	ATF_TC_HEAD(attach_pid1, tc)
	87	{
	88	atf_tc_set_md_var(tc, "descr",
	89	"Assert that a debugger cannot attach to PID 1 (as non-root)");
	90
	91	atf_tc_set_md_var(tc, "require.user", "unprivileged");
	92	}
	93
	94	ATF_TC_BODY(attach_pid1, tc)
	95	{
	96	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
	97	}
	98
	99	ATF_TC(attach_pid1_securelevel);
	100	ATF_TC_HEAD(attach_pid1_securelevel, tc)
	101	{
	102	atf_tc_set_md_var(tc, "descr",
	103	"Assert that a debugger cannot attach to PID 1 with "
	104	"securelevel >= 0 (as root)");
	105
	106	atf_tc_set_md_var(tc, "require.user", "root");
	107	}
	108
	109	ATF_TC_BODY(attach_pid1_securelevel, tc)
	110	{
	111	int level;
	112	size_t len = sizeof(level);
	113
	114	ATF_REQUIRE(sysctlbyname("kern.securelevel", &level, &len, NULL, 0)
	115	!= -1);
	116
	117	if (level < 0) {
	118	atf_tc_skip("Test must be run with securelevel >= 0");
	119	}
	120
	121	ATF_REQUIRE_ERRNO(EPERM, ptrace(PT_ATTACH, 1, NULL, 0) == -1);
	122	}
	123
	124	ATF_TC(attach_self);
	125	ATF_TC_HEAD(attach_self, tc)
	126	{
	127	atf_tc_set_md_var(tc, "descr",
	128	"Assert that a debugger cannot attach to self (as it's nonsense)");
	129	}
	130
	131	ATF_TC_BODY(attach_self, tc)
	132	{
	133	ATF_REQUIRE_ERRNO(EINVAL, ptrace(PT_ATTACH, getpid(), NULL, 0) == -1);
	134	}
	135
	136	ATF_TC(attach_chroot);
	137	ATF_TC_HEAD(attach_chroot, tc)
	138	{
	139	atf_tc_set_md_var(tc, "descr",
	140	"Assert that a debugger cannot trace another process unless the "
	141	"process's root directory is at or below the tracing process's "
	142	"root");
	143
	144	atf_tc_set_md_var(tc, "require.user", "root");
	145	}
	146
	147	ATF_TC_BODY(attach_chroot, tc)
	148	{
	149	char buf[PATH_MAX];
	150	pid_t child;
	151	int fds_toparent[2], fds_fromparent[2];
	152	int rv;
	153	uint8_t msg = 0xde; /* dummy message for IPC based on pipe(2) */
	154
	155	(void)memset(buf, '\0', sizeof(buf));
	156	ATF_REQUIRE(getcwd(buf, sizeof(buf)) != NULL);
	157	(void)strlcat(buf, "/dir", sizeof(buf));
	158
	159	ATF_REQUIRE(mkdir(buf, 0500) == 0);
	160	ATF_REQUIRE(chdir(buf) == 0);
	161
	162	ATF_REQUIRE(pipe(fds_toparent) == 0);
	163	ATF_REQUIRE(pipe(fds_fromparent) == 0);
	164	child = atf_utils_fork();
	165	if (child == 0) {
	166	FORKEE_ASSERT(close(fds_toparent[0]) == 0);
	167	FORKEE_ASSERT(close(fds_fromparent[1]) == 0);
	168
	169	FORKEE_ASSERT(chroot(buf) == 0);
	170
	171	rv = write(fds_toparent[1], &msg, sizeof(msg));
	172	FORKEE_ASSERTX(rv == sizeof(msg));
	173
	174	ATF_REQUIRE_ERRNO(EPERM,
	175	ptrace(PT_ATTACH, getppid(), NULL, 0) == -1);
	176
	177	rv = read(fds_fromparent[0], &msg, sizeof(msg));
	178	FORKEE_ASSERTX(rv == sizeof(msg));
	179
	180	_exit(0);
	181	}
	182	ATF_REQUIRE(close(fds_toparent[1]) == 0);
	183	ATF_REQUIRE(close(fds_fromparent[0]) == 0);
	184
	185	printf("Waiting for chrooting of the child PID %d", child);
	186	rv = read(fds_toparent[0], &msg, sizeof(msg));
	187	ATF_REQUIRE(rv == sizeof(msg));
	188
	189	printf("Child is ready, it will try to PT_ATTACH to parent\n");
	190	rv = write(fds_fromparent[1], &msg, sizeof(msg));
	191	ATF_REQUIRE(rv == sizeof(msg));
	192
	193	printf("fds_fromparent is no longer needed - close it\n");
	194	ATF_REQUIRE(close(fds_fromparent[1]) == 0);
	195
	196	printf("fds_toparent is no longer needed - close it\n");
	197	ATF_REQUIRE(close(fds_toparent[0]) == 0);
	198	}
	199
	200	ATF_TC(traceme_twice);
	201	ATF_TC_HEAD(traceme_twice, tc)
	202	{
	203	atf_tc_set_md_var(tc, "descr",
	204	"Assert that a process cannot mark its parent a debugger twice");
	205	}
	206
	207	ATF_TC_BODY(traceme_twice, tc)
	208	{
	209
	210	printf("Mark the parent process (PID %d) a debugger of PID %d",
	211	getppid(), getpid());
	212	ATF_REQUIRE(ptrace(PT_TRACE_ME, 0, NULL, 0) == 0);
	213
	214	printf("Mark the parent process (PID %d) a debugger of PID %d again",
	215	getppid(), getpid());
	216	ATF_REQUIRE_ERRNO(EBUSY, ptrace(PT_TRACE_ME, 0, NULL, 0) == -1);
	217	}
	218
	219	ATF_TP_ADD_TCS(tp)
	220	{
	221	setvbuf(stdout, NULL, _IONBF, 0);
	222	setvbuf(stderr, NULL, _IONBF, 0);
	223	ATF_TP_ADD_TC(tp, attach_pid0);
	224	ATF_TP_ADD_TC(tp, attach_pid1);
	225	ATF_TP_ADD_TC(tp, attach_pid1_securelevel);
	226	ATF_TP_ADD_TC(tp, attach_self);
	227	ATF_TP_ADD_TC(tp, attach_chroot);
	228	ATF_TP_ADD_TC(tp, traceme_twice);
	229
	230	return atf_no_error();
	231	}