From d2181b0b29be5a0e8a0d926a85a0dcf2fd84fb13 Mon Sep 17 00:00:00 2001 From: Alexander Bluhm Date: Tue, 28 Mar 2017 16:12:46 +0000 Subject: Call get/setsockopt(2) with various sockets and check which options cause aborts due to pledge(2) restrictions. --- regress/sys/kern/pledge/sockopt/Makefile | 53 ++++++++++++++++++++ regress/sys/kern/pledge/sockopt/sockopt.c | 81 +++++++++++++++++++++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 regress/sys/kern/pledge/sockopt/Makefile create mode 100644 regress/sys/kern/pledge/sockopt/sockopt.c (limited to 'regress/sys/kern') diff --git a/regress/sys/kern/pledge/sockopt/Makefile b/regress/sys/kern/pledge/sockopt/Makefile new file mode 100644 index 00000000000..39e1d9e80b2 --- /dev/null +++ b/regress/sys/kern/pledge/sockopt/Makefile @@ -0,0 +1,53 @@ +# $OpenBSD $ + +# promises domain type protocol call level optname optval errno abort +TESTS = inet AF_INET SOCK_STREAM IPPROTO_TCP get SOL_SOCKET SO_ERROR 0 0 0 \ + inet AF_INET SOCK_STREAM IPPROTO_TCP set SOL_SOCKET SO_ERROR 0 ENOPROTOOPT 0 \ + inet AF_INET SOCK_DGRAM IPPROTO_UDP set SOL_SOCKET SO_RCVBUF 10000 0 0 \ + unix AF_LOCAL SOCK_STREAM 0 set SOL_SOCKET SO_RCVBUF 10000 0 0 \ + inet AF_INET SOCK_STREAM IPPROTO_TCP get SOL_SOCKET SO_TIMESTAMP 0 0 0 \ + inet AF_INET SOCK_STREAM IPPROTO_TCP set SOL_SOCKET SO_RTABLE 0 22 inet \ + 0 AF_INET SOCK_STREAM IPPROTO_TCP set SOL_SOCKET SO_RTABLE 0 0 0 \ + inet AF_INET SOCK_STREAM IPPROTO_TCP set IPPROTO_TCP TCP_NODELAY 0 0 0 \ + inet AF_INET SOCK_DGRAM IPPROTO_UDP get IPPROTO_IP IP_OPTIONS 0 0 0 \ + inet AF_INET SOCK_DGRAM IPPROTO_UDP set IPPROTO_IP IP_OPTIONS 1 1 inet \ + inet AF_INET SOCK_DGRAM IPPROTO_UDP get IPPROTO_IP IP_TOS 0 0 0 \ + inet AF_INET SOCK_DGRAM IPPROTO_UDP set IPPROTO_IP IP_TOS 1 0 0 \ + 0 AF_INET SOCK_DGRAM IPPROTO_UDP set IPPROTO_IP IP_MULTICAST_IF 1 49 0 \ + inet AF_INET SOCK_DGRAM IPPROTO_UDP set IPPROTO_IP IP_MULTICAST_IF 1 1 inet \ + inet+mcast AF_INET SOCK_DGRAM IPPROTO_UDP set IPPROTO_IP IP_MULTICAST_IF 1 49 0 \ + inet AF_INET SOCK_DGRAM IPPROTO_UDP set IPPROTO_IP IP_MULTICAST_LOOP 1 1 inet \ + inet+mcast AF_INET SOCK_DGRAM IPPROTO_UDP set IPPROTO_IP IP_MULTICAST_LOOP 1 22 0 \ + inet AF_INET SOCK_DGRAM IPPROTO_UDP get IPPROTO_ICMP 0 0 1 inet \ + inet AF_INET6 SOCK_DGRAM IPPROTO_UDP set IPPROTO_ICMPV6 0 0 1 inet \ + inet AF_INET6 SOCK_DGRAM IPPROTO_UDP get IPPROTO_IPV6 IPV6_TCLASS 0 0 0 \ + inet AF_INET6 SOCK_DGRAM IPPROTO_UDP get IPPROTO_IPV6 IPV6_V6ONLY 0 1 inet \ + inet AF_INET6 SOCK_DGRAM IPPROTO_UDP set IPPROTO_IPV6 IPV6_MULTICAST_LOOP 1 1 inet \ + inet+mcast AF_INET6 SOCK_DGRAM IPPROTO_UDP set IPPROTO_IPV6 IPV6_MULTICAST_LOOP 1 0 0 \ + inet AF_INET6 SOCK_DGRAM IPPROTO_UDP set IPPROTO_IPV6 IPV6_JOIN_GROUP 0 1 inet \ + inet+mcast AF_INET6 SOCK_DGRAM IPPROTO_UDP set IPPROTO_IPV6 IPV6_JOIN_GROUP 0 EINVAL 0 \ + +WARNINGS = yes +CLEANFILES = sockopt sockopt.o ktrace.out +REGRESS_TARGETS = + +.for promises domain type protocol call level optname optval errno abort in ${TESTS} +REGRESS_TARGETS += run-regress-${promises}-${domain}-${type}-${protocol}-${call}-${level}-${optname}-${optval}-${errno}-${abort} +run-regress-${promises}-${domain}-${type}-${protocol}-${call}-${level}-${optname}-${optval}-${errno}-${abort}: + @echo "\n$@" + rm -f sockopt sockopt.core + COPTS='-DPROMISES=\"${promises}\" -DDOMAIN=${domain} -DTYPE=${type} \ + -DPROTOCOL=${protocol} -DCALL=\"${call}\" \ + -DLEVEL=${level} -DOPTNAME=${optname} -DOPTVAL=${optval} \ + -DERRNO=${errno}' ${.MAKE} sockopt +.if "${abort}" == 0 + ktrace ./sockopt + ! [ -f sockopt.core ] +.else + sh -c 'ktrace ./sockopt ; [ $$? = 134 ]' + [ -f sockopt.core ] + kdump | fgrep -q 'PLDG ${call}sockopt, "${abort}", errno ${errno} ' +.endif +.endfor + +.include diff --git a/regress/sys/kern/pledge/sockopt/sockopt.c b/regress/sys/kern/pledge/sockopt/sockopt.c new file mode 100644 index 00000000000..61e79358e56 --- /dev/null +++ b/regress/sys/kern/pledge/sockopt/sockopt.c @@ -0,0 +1,81 @@ +/* + * Copyright (c) 2017 Alexander Bluhm + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +int +main(void) +{ + char promises[1024]; + size_t i, l; + int s, r; + int optval; + socklen_t optlen; + + if (strcmp(PROMISES, "0") != 0) { + l = strlcpy(promises, "stdio ", sizeof(promises)); + for (i = 0; + PROMISES[i] != '\0'&& l < sizeof(promises); + i++, l++) { + promises[l] = PROMISES[i] == '+' ? + ' ' : PROMISES[i]; + } + if (l >= sizeof(promises)) + l = sizeof(promises) - 1; + promises[l] = '\0'; + warnx("pledge(%s)", promises); + if (pledge(promises, NULL) == -1) + err(1, "pledge"); + } + + if ((s = socket(DOMAIN, TYPE, PROTOCOL)) == -1) + err(1, "socket"); + optlen = sizeof(int); + if (strcmp(CALL, "set") == 0) { + optval = OPTVAL; + r = setsockopt(s, LEVEL, OPTNAME, &optval, optlen); + } else if (strcmp(CALL, "get") == 0) { + optval = 0; + r = getsockopt(s, LEVEL, OPTNAME, &optval, &optlen); + } else { + errx(1, "call: %s", CALL); + } + if (r == 0) { + if (ERRNO != 0) + errx(1, "success"); + } else if (r == -1) { + if (errno != ERRNO) + err(1, "error"); + } else { + errx(1, "return: %d", r); + } + if (optval != OPTVAL) + errx(1, "optval: %d", optval); + + return (0); +} -- cgit v1.2.3