Re: [PATCH] selftests/capabilities: Fix the test_execve test

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Andy Lutomirski <luto@xxxxxxxxxx> writes:

> test_execve does rather odd mount manipulations to safely create
> temporary setuid and setgid executables that aren't visible to the
> rest of the system.  Those executables end up in the test's cwd, but
> that cwd is MNT_DETACHed.
>
> The core namespace code considers MNT_DETACHed trees to belong to no
> mount namespace at all and, in general, MNT_DETACHed trees are only
> barely function.  This interacted with commit 380cf5ba6b0a ("fs:
> Treat foreign mounts as nosuid") to cause all MNT_DETACHed trees to
> act as though they're nosuid, breaking the test.
>
> Fix it by just not detaching the tree.  It's still in a private
> mount namespace and is therefore still invisible to the rest of the
> system (except via /proc, and the same nosuid logic will protect all
> other programs on the system from believing in test_execve's setuid
> bits).
>
> While we're at it, fix some blatant whitespace problems.
>
> Reported-by: Naresh Kamboju <naresh.kamboju@xxxxxxxxxx>
> Fixes: 380cf5ba6b0a ("fs: Treat foreign mounts as nosuid")
> Cc: stable@xxxxxxxxxxxxxxx
> Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Shuah Khan <shuahkh@xxxxxxxxxxxxxxx>
> Cc: Greg KH <greg@xxxxxxxxx>
> Cc: linux-kselftest@xxxxxxxxxxxxxxx
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx>

Acked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

> ---
>  tools/testing/selftests/capabilities/test_execve.c | 7 ++-----
>  1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/tools/testing/selftests/capabilities/test_execve.c b/tools/testing/selftests/capabilities/test_execve.c
> index 10a21a958aaf..763f37fecfb8 100644
> --- a/tools/testing/selftests/capabilities/test_execve.c
> +++ b/tools/testing/selftests/capabilities/test_execve.c
> @@ -138,9 +138,6 @@ static void chdir_to_tmpfs(void)
>  
>  	if (chdir(cwd) != 0)
>  		err(1, "chdir to private tmpfs");
> -
> -	if (umount2(".", MNT_DETACH) != 0)
> -		err(1, "detach private tmpfs");
>  }
>  
>  static void copy_fromat_to(int fromfd, const char *fromname, const char *toname)
> @@ -248,7 +245,7 @@ static int do_tests(int uid, const char *our_path)
>  			err(1, "chown");
>  		if (chmod("validate_cap_sgidnonroot", S_ISGID | 0710) != 0)
>  			err(1, "chmod");
> -}
> +	}
>  
>  	capng_get_caps_process();
>  
> @@ -384,7 +381,7 @@ static int do_tests(int uid, const char *our_path)
>  	} else {
>  		printf("[RUN]\tNon-root +ia, sgidnonroot => i\n");
>  		exec_other_validate_cap("./validate_cap_sgidnonroot",
> -						false, false, true, false);
> +					false, false, true, false);
>  
>  		if (fork_wait()) {
>  			printf("[RUN]\tNon-root +ia, sgidroot => i\n");



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]