Call get/setsockopt(2) with various sockets and check which options

cause aborts due to pledge(2) restrictions.

2 files changed, 134 insertions, 0 deletions

diff --git a/regress/sys/kern/pledge/sockopt/Makefile b/regress/sys/kern/pledge/sockopt/Makefile
new file mode 100644
index 00000000000..39e1d9e80b2
--- /dev/null
+++ b/regress/sys/kern/pledge/sockopt/Makefile
@@ -0,0 +1,53 @@
+# $OpenBSD $
+
+#	promises	domain		type		protocol	call	level		optname			optval	errno		abort
+TESTS =	inet		AF_INET		SOCK_STREAM	IPPROTO_TCP	get	SOL_SOCKET	SO_ERROR		0	0		0	\
+	inet		AF_INET		SOCK_STREAM	IPPROTO_TCP	set	SOL_SOCKET	SO_ERROR		0	ENOPROTOOPT	0	\
+	inet		AF_INET		SOCK_DGRAM	IPPROTO_UDP	set	SOL_SOCKET	SO_RCVBUF		10000	0		0	\
+	unix		AF_LOCAL	SOCK_STREAM	0		set	SOL_SOCKET	SO_RCVBUF		10000	0		0	\
+	inet		AF_INET		SOCK_STREAM	IPPROTO_TCP	get	SOL_SOCKET	SO_TIMESTAMP		0	0		0	\
+	inet		AF_INET		SOCK_STREAM	IPPROTO_TCP	set	SOL_SOCKET	SO_RTABLE		0	22		inet	\
+	0		AF_INET		SOCK_STREAM	IPPROTO_TCP	set	SOL_SOCKET	SO_RTABLE		0	0		0	\
+	inet		AF_INET		SOCK_STREAM	IPPROTO_TCP	set	IPPROTO_TCP	TCP_NODELAY		0	0		0	\
+	inet		AF_INET		SOCK_DGRAM	IPPROTO_UDP	get	IPPROTO_IP	IP_OPTIONS		0	0		0	\
+	inet		AF_INET		SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IP	IP_OPTIONS		1	1		inet	\
+	inet		AF_INET		SOCK_DGRAM	IPPROTO_UDP	get	IPPROTO_IP	IP_TOS			0	0		0	\
+	inet		AF_INET		SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IP	IP_TOS			1	0		0	\
+	0		AF_INET		SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IP	IP_MULTICAST_IF		1	49		0	\
+	inet		AF_INET		SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IP	IP_MULTICAST_IF		1	1		inet	\
+	inet+mcast	AF_INET		SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IP	IP_MULTICAST_IF		1	49		0	\
+	inet		AF_INET		SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IP	IP_MULTICAST_LOOP	1	1		inet	\
+	inet+mcast	AF_INET		SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IP	IP_MULTICAST_LOOP	1	22		0	\
+	inet		AF_INET		SOCK_DGRAM	IPPROTO_UDP	get	IPPROTO_ICMP	0			0	1		inet	\
+	inet		AF_INET6	SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_ICMPV6	0			0	1		inet	\
+	inet		AF_INET6	SOCK_DGRAM	IPPROTO_UDP	get	IPPROTO_IPV6	IPV6_TCLASS		0	0		0	\
+	inet		AF_INET6	SOCK_DGRAM	IPPROTO_UDP	get	IPPROTO_IPV6	IPV6_V6ONLY		0	1		inet	\
+	inet		AF_INET6	SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IPV6	IPV6_MULTICAST_LOOP	1	1		inet	\
+	inet+mcast	AF_INET6	SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IPV6	IPV6_MULTICAST_LOOP	1	0		0	\
+	inet		AF_INET6	SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IPV6	IPV6_JOIN_GROUP		0	1		inet	\
+	inet+mcast	AF_INET6	SOCK_DGRAM	IPPROTO_UDP	set	IPPROTO_IPV6	IPV6_JOIN_GROUP		0	EINVAL		0	\
+
+WARNINGS =	yes
+CLEANFILES =	sockopt sockopt.o ktrace.out
+REGRESS_TARGETS	=
+
+.for promises domain type protocol call level optname optval errno abort in ${TESTS}
+REGRESS_TARGETS +=	run-regress-${promises}-${domain}-${type}-${protocol}-${call}-${level}-${optname}-${optval}-${errno}-${abort}
+run-regress-${promises}-${domain}-${type}-${protocol}-${call}-${level}-${optname}-${optval}-${errno}-${abort}:
+	@echo "\n$@"
+	rm -f sockopt sockopt.core
+	COPTS='-DPROMISES=\"${promises}\" -DDOMAIN=${domain} -DTYPE=${type} \
+	    -DPROTOCOL=${protocol} -DCALL=\"${call}\" \
+	    -DLEVEL=${level} -DOPTNAME=${optname} -DOPTVAL=${optval} \
+	    -DERRNO=${errno}' ${.MAKE} sockopt
+.if "${abort}" == 0
+	ktrace ./sockopt
+	! [ -f sockopt.core ]
+.else
+	sh -c 'ktrace ./sockopt ; [ $$? = 134 ]'
+	[ -f sockopt.core ]
+	kdump | fgrep -q 'PLDG  ${call}sockopt, "${abort}", errno ${errno} '
+.endif
+.endfor
+
+.include <bsd.regress.mk>
diff --git a/regress/sys/kern/pledge/sockopt/sockopt.c b/regress/sys/kern/pledge/sockopt/sockopt.c
new file mode 100644
index 00000000000..61e79358e56
--- /dev/null
+++ b/regress/sys/kern/pledge/sockopt/sockopt.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2017 Alexander Bluhm <bluhm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/icmp6.h>
+
+#include <err.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+int
+main(void)
+{
+	char promises[1024];
+	size_t i, l;
+	int s, r;
+	int optval;
+	socklen_t optlen;
+
+	if (strcmp(PROMISES, "0") != 0) {
+		l = strlcpy(promises, "stdio ", sizeof(promises));
+		for (i = 0;
+		    PROMISES[i] != '\0'&& l < sizeof(promises);
+		    i++, l++) {
+			promises[l] = PROMISES[i] == '+' ?
+			    ' ' : PROMISES[i];
+		}
+		if (l >= sizeof(promises))
+			l = sizeof(promises) - 1;
+		promises[l] = '\0';
+		warnx("pledge(%s)", promises);
+		if (pledge(promises, NULL) == -1)
+			err(1, "pledge");
+	}
+
+	if ((s = socket(DOMAIN, TYPE, PROTOCOL)) == -1)
+		err(1, "socket");
+	optlen = sizeof(int);
+	if (strcmp(CALL, "set") == 0) {
+		optval = OPTVAL;
+		r = setsockopt(s, LEVEL, OPTNAME, &optval, optlen);
+	} else if (strcmp(CALL, "get") == 0) {
+		optval = 0;
+		r = getsockopt(s, LEVEL, OPTNAME, &optval, &optlen);
+	} else {
+		errx(1, "call: %s", CALL);
+	}
+	if (r == 0) {
+		if (ERRNO != 0)
+			errx(1, "success");
+	} else if (r == -1) {
+		if (errno != ERRNO)
+			err(1, "error");
+	} else {
+		errx(1, "return: %d", r);
+	}
+	if (optval != OPTVAL)
+		errx(1, "optval: %d", optval);
+
+	return (0);
+}