1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * Copyright (c) 2017 Google, Inc. 4 */ 5 6/* 7 * Regression test for commit 237bbd29f7a0 ("KEYS: prevent creating a different 8 * user's keyrings"). The bug allowed any random user to create a keyring named 9 * "_uid.$UID" (or "_uid_ses.$UID"), and it would become the user keyring (or 10 * user session keyring) for user $UID, provided that it hadn't already been 11 * created. 12 * 13 * This test must be run as root so that it has permission to switch to another 14 * user ID and check whether the keyrings are wrong. However, the underlying 15 * bug is actually reachable/exploitable by a non-root user. 16 */ 17 18#include <errno.h> 19#include <pwd.h> 20#include <stdio.h> 21 22#include "tst_test.h" 23#include "lapi/keyctl.h" 24 25static key_serial_t create_keyring(const char *description) 26{ 27 TEST(add_key("keyring", description, NULL, 0, 28 KEY_SPEC_PROCESS_KEYRING)); 29 if (TST_RET < 0) { 30 tst_brk(TBROK | TTERRNO, 31 "unable to create keyring '%s'", description); 32 } 33 return TST_RET; 34} 35 36static key_serial_t get_keyring_id(key_serial_t special_id) 37{ 38 TEST(keyctl(KEYCTL_GET_KEYRING_ID, special_id, 1)); 39 if (TST_RET < 0) { 40 tst_brk(TBROK | TTERRNO, 41 "unable to get ID of keyring %d", special_id); 42 } 43 return TST_RET; 44} 45 46static void do_test(void) 47{ 48 uid_t uid = 1; 49 char description[32]; 50 key_serial_t fake_user_keyring; 51 key_serial_t fake_user_session_keyring; 52 53 /* 54 * We need a user to forge the keyrings for. But the bug is not 55 * reproducible for a UID which already has its keyrings, so find an 56 * unused UID. Note that it would be better to directly check for the 57 * presence of the UID's keyrings than to search the passwd file. 58 * However, that's not easy to do given that even if we assumed the UID 59 * temporarily to check, KEYCTL_GET_KEYRING_ID for the user and user 60 * session keyrings will create them rather than failing (even if the 61 * 'create' argument is 0). 62 */ 63 while (getpwuid(uid)) 64 uid++; 65 66 sprintf(description, "_uid.%u", uid); 67 fake_user_keyring = create_keyring(description); 68 sprintf(description, "_uid_ses.%u", uid); 69 fake_user_session_keyring = create_keyring(description); 70 71 SAFE_SETUID(uid); 72 73 if (fake_user_keyring == get_keyring_id(KEY_SPEC_USER_KEYRING)) 74 tst_brk(TFAIL, "created user keyring for another user"); 75 76 if (fake_user_session_keyring == 77 get_keyring_id(KEY_SPEC_USER_SESSION_KEYRING)) 78 tst_brk(TFAIL, "created user session keyring for another user"); 79 80 tst_res(TPASS, "expectedly could not create another user's keyrings"); 81} 82 83static struct tst_test test = { 84 .test_all = do_test, 85 .needs_root = 1, 86 .tags = (const struct tst_tag[]) { 87 {"linux-git", "237bbd29f7a0"}, 88 {} 89 } 90}; 91