a35d80
support: Add capability to fork an sgid child
a35d80
a35d80
Add a new function support_capture_subprogram_self_sgid that spawns an
a35d80
sgid child of the running program with its own image and returns the
a35d80
exit code of the child process.  This functionality is used by at
a35d80
least three tests in the testsuite at the moment, so it makes sense to
a35d80
consolidate.
a35d80
a35d80
There is also a new function support_subprogram_wait which should
a35d80
provide simple system() like functionality that does not set up file
a35d80
actions.  This is useful in cases where only the return code of the
a35d80
spawned subprocess is interesting.
a35d80
a35d80
This patch also ports tst-secure-getenv to this new function.  A
a35d80
subsequent patch will port other tests.  This also brings an important
a35d80
change to tst-secure-getenv behaviour.  Now instead of succeeding, the
a35d80
test fails as UNSUPPORTED if it is unable to spawn a setgid child,
a35d80
which is how it should have been in the first place.
a35d80
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
a35d80
a35d80
(cherry picked from commit 716a3bdc41b2b4b864dc64475015ba51e35e1273)
a35d80
a35d80
diff --git a/stdlib/tst-secure-getenv.c b/stdlib/tst-secure-getenv.c
a35d80
index a682b7493e41f200..156c92fea216729f 100644
a35d80
--- a/stdlib/tst-secure-getenv.c
a35d80
+++ b/stdlib/tst-secure-getenv.c
a35d80
@@ -30,156 +30,12 @@
a35d80
 #include <sys/wait.h>
a35d80
 #include <unistd.h>
a35d80
 
a35d80
+#include <support/check.h>
a35d80
 #include <support/support.h>
a35d80
+#include <support/capture_subprocess.h>
a35d80
 #include <support/test-driver.h>
a35d80
 
a35d80
 static char MAGIC_ARGUMENT[] = "run-actual-test";
a35d80
-#define MAGIC_STATUS 19
a35d80
-
a35d80
-/* Return a GID which is not our current GID, but is present in the
a35d80
-   supplementary group list.  */
a35d80
-static gid_t
a35d80
-choose_gid (void)
a35d80
-{
a35d80
-  const int count = 64;
a35d80
-  gid_t groups[count];
a35d80
-  int ret = getgroups (count, groups);
a35d80
-  if (ret < 0)
a35d80
-    {
a35d80
-      printf ("getgroups: %m\n");
a35d80
-      exit (1);
a35d80
-    }
a35d80
-  gid_t current = getgid ();
a35d80
-  for (int i = 0; i < ret; ++i)
a35d80
-    {
a35d80
-      if (groups[i] != current)
a35d80
-	return groups[i];
a35d80
-    }
a35d80
-  return 0;
a35d80
-}
a35d80
-
a35d80
-
a35d80
-/* Copies the executable into a restricted directory, so that we can
a35d80
-   safely make it SGID with the TARGET group ID.  Then runs the
a35d80
-   executable.  */
a35d80
-static int
a35d80
-run_executable_sgid (gid_t target)
a35d80
-{
a35d80
-  char *dirname = xasprintf ("%s/secure-getenv.%jd",
a35d80
-			     test_dir, (intmax_t) getpid ());
a35d80
-  char *execname = xasprintf ("%s/bin", dirname);
a35d80
-  int infd = -1;
a35d80
-  int outfd = -1;
a35d80
-  int ret = -1;
a35d80
-  if (mkdir (dirname, 0700) < 0)
a35d80
-    {
a35d80
-      printf ("mkdir: %m\n");
a35d80
-      goto err;
a35d80
-    }
a35d80
-  infd = open ("/proc/self/exe", O_RDONLY);
a35d80
-  if (infd < 0)
a35d80
-    {
a35d80
-      printf ("open (/proc/self/exe): %m\n");
a35d80
-      goto err;
a35d80
-    }
a35d80
-  outfd = open (execname, O_WRONLY | O_CREAT | O_EXCL, 0700);
a35d80
-  if (outfd < 0)
a35d80
-    {
a35d80
-      printf ("open (%s): %m\n", execname);
a35d80
-      goto err;
a35d80
-    }
a35d80
-  char buf[4096];
a35d80
-  for (;;)
a35d80
-    {
a35d80
-      ssize_t rdcount = read (infd, buf, sizeof (buf));
a35d80
-      if (rdcount < 0)
a35d80
-	{
a35d80
-	  printf ("read: %m\n");
a35d80
-	  goto err;
a35d80
-	}
a35d80
-      if (rdcount == 0)
a35d80
-	break;
a35d80
-      char *p = buf;
a35d80
-      char *end = buf + rdcount;
a35d80
-      while (p != end)
a35d80
-	{
a35d80
-	  ssize_t wrcount = write (outfd, buf, end - p);
a35d80
-	  if (wrcount == 0)
a35d80
-	    errno = ENOSPC;
a35d80
-	  if (wrcount <= 0)
a35d80
-	    {
a35d80
-	      printf ("write: %m\n");
a35d80
-	      goto err;
a35d80
-	    }
a35d80
-	  p += wrcount;
a35d80
-	}
a35d80
-    }
a35d80
-  if (fchown (outfd, getuid (), target) < 0)
a35d80
-    {
a35d80
-      printf ("fchown (%s): %m\n", execname);
a35d80
-      goto err;
a35d80
-    }
a35d80
-  if (fchmod (outfd, 02750) < 0)
a35d80
-    {
a35d80
-      printf ("fchmod (%s): %m\n", execname);
a35d80
-      goto err;
a35d80
-    }
a35d80
-  if (close (outfd) < 0)
a35d80
-    {
a35d80
-      printf ("close (outfd): %m\n");
a35d80
-      goto err;
a35d80
-    }
a35d80
-  if (close (infd) < 0)
a35d80
-    {
a35d80
-      printf ("close (infd): %m\n");
a35d80
-      goto err;
a35d80
-    }
a35d80
-
a35d80
-  int kid = fork ();
a35d80
-  if (kid < 0)
a35d80
-    {
a35d80
-      printf ("fork: %m\n");
a35d80
-      goto err;
a35d80
-    }
a35d80
-  if (kid == 0)
a35d80
-    {
a35d80
-      /* Child process.  */
a35d80
-      char *args[] = { execname, MAGIC_ARGUMENT, NULL };
a35d80
-      execve (execname, args, environ);
a35d80
-      printf ("execve (%s): %m\n", execname);
a35d80
-      _exit (1);
a35d80
-    }
a35d80
-  int status;
a35d80
-  if (waitpid (kid, &status, 0) < 0)
a35d80
-    {
a35d80
-      printf ("waitpid: %m\n");
a35d80
-      goto err;
a35d80
-    }
a35d80
-  if (!WIFEXITED (status) || WEXITSTATUS (status) != MAGIC_STATUS)
a35d80
-    {
a35d80
-      printf ("Unexpected exit status %d from child process\n",
a35d80
-	      status);
a35d80
-      goto err;
a35d80
-    }
a35d80
-  ret = 0;
a35d80
-
a35d80
-err:
a35d80
-  if (outfd >= 0)
a35d80
-    close (outfd);
a35d80
-  if (infd >= 0)
a35d80
-    close (infd);
a35d80
-  if (execname)
a35d80
-    {
a35d80
-      unlink (execname);
a35d80
-      free (execname);
a35d80
-    }
a35d80
-  if (dirname)
a35d80
-    {
a35d80
-      rmdir (dirname);
a35d80
-      free (dirname);
a35d80
-    }
a35d80
-  return ret;
a35d80
-}
a35d80
 
a35d80
 static int
a35d80
 do_test (void)
a35d80
@@ -201,15 +57,15 @@ do_test (void)
a35d80
       exit (1);
a35d80
     }
a35d80
 
a35d80
-  gid_t target = choose_gid ();
a35d80
-  if (target == 0)
a35d80
-    {
a35d80
-      fprintf (stderr,
a35d80
-	       "Could not find a suitable GID for user %jd, skipping test\n",
a35d80
-	       (intmax_t) getuid ());
a35d80
-      exit (0);
a35d80
-    }
a35d80
-  return run_executable_sgid (target);
a35d80
+  int status = support_capture_subprogram_self_sgid (MAGIC_ARGUMENT);
a35d80
+
a35d80
+  if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
a35d80
+    return EXIT_UNSUPPORTED;
a35d80
+
a35d80
+  if (!WIFEXITED (status))
a35d80
+    FAIL_EXIT1 ("Unexpected exit status %d from child process\n", status);
a35d80
+
a35d80
+  return 0;
a35d80
 }
a35d80
 
a35d80
 static void
a35d80
@@ -218,23 +74,15 @@ alternative_main (int argc, char **argv)
a35d80
   if (argc == 2 && strcmp (argv[1], MAGIC_ARGUMENT) == 0)
a35d80
     {
a35d80
       if (getgid () == getegid ())
a35d80
-	{
a35d80
-	  /* This can happen if the file system is mounted nosuid.  */
a35d80
-	  fprintf (stderr, "SGID failed: GID and EGID match (%jd)\n",
a35d80
-		  (intmax_t) getgid ());
a35d80
-	  exit (MAGIC_STATUS);
a35d80
-	}
a35d80
+	/* This can happen if the file system is mounted nosuid.  */
a35d80
+	FAIL_UNSUPPORTED ("SGID failed: GID and EGID match (%jd)\n",
a35d80
+		   (intmax_t) getgid ());
a35d80
       if (getenv ("PATH") == NULL)
a35d80
-	{
a35d80
-	  printf ("PATH variable not present\n");
a35d80
-	  exit (3);
a35d80
-	}
a35d80
+	FAIL_EXIT (3, "PATH variable not present\n");
a35d80
       if (secure_getenv ("PATH") != NULL)
a35d80
-	{
a35d80
-	  printf ("PATH variable not filtered out\n");
a35d80
-	  exit (4);
a35d80
-	}
a35d80
-      exit (MAGIC_STATUS);
a35d80
+	FAIL_EXIT (4, "PATH variable not filtered out\n");
a35d80
+
a35d80
+      exit (EXIT_SUCCESS);
a35d80
     }
a35d80
 }
a35d80
 
a35d80
diff --git a/support/capture_subprocess.h b/support/capture_subprocess.h
a35d80
index 2d2384e73df0d2d0..72fb30504684a84e 100644
a35d80
--- a/support/capture_subprocess.h
a35d80
+++ b/support/capture_subprocess.h
a35d80
@@ -41,6 +41,12 @@ struct support_capture_subprocess support_capture_subprocess
a35d80
 struct support_capture_subprocess support_capture_subprogram
a35d80
   (const char *file, char *const argv[]);
a35d80
 
a35d80
+/* Copy the running program into a setgid binary and run it with CHILD_ID
a35d80
+   argument.  If execution is successful, return the exit status of the child
a35d80
+   program, otherwise return a non-zero failure exit code.  */
a35d80
+int support_capture_subprogram_self_sgid
a35d80
+  (char *child_id);
a35d80
+
a35d80
 /* Deallocate the subprocess data captured by
a35d80
    support_capture_subprocess.  */
a35d80
 void support_capture_subprocess_free (struct support_capture_subprocess *);
a35d80
diff --git a/support/subprocess.h b/support/subprocess.h
a35d80
index c031878d94c70c71..a19335ee5dbfcf98 100644
a35d80
--- a/support/subprocess.h
a35d80
+++ b/support/subprocess.h
a35d80
@@ -38,6 +38,11 @@ struct support_subprocess support_subprocess
a35d80
 struct support_subprocess support_subprogram
a35d80
   (const char *file, char *const argv[]);
a35d80
 
a35d80
+/* Invoke program FILE with ARGV arguments by using posix_spawn and wait for it
a35d80
+   to complete.  Return program exit status.  */
a35d80
+int support_subprogram_wait
a35d80
+  (const char *file, char *const argv[]);
a35d80
+
a35d80
 /* Wait for the subprocess indicated by PROC::PID.  Return the status
a35d80
    indicate by waitpid call.  */
a35d80
 int support_process_wait (struct support_subprocess *proc);
a35d80
diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c
a35d80
index c475e2004da3183e..eec5371d5602aa29 100644
a35d80
--- a/support/support_capture_subprocess.c
a35d80
+++ b/support/support_capture_subprocess.c
a35d80
@@ -20,11 +20,14 @@
a35d80
 #include <support/capture_subprocess.h>
a35d80
 
a35d80
 #include <errno.h>
a35d80
+#include <fcntl.h>
a35d80
 #include <stdlib.h>
a35d80
 #include <support/check.h>
a35d80
 #include <support/xunistd.h>
a35d80
 #include <support/xsocket.h>
a35d80
 #include <support/xspawn.h>
a35d80
+#include <support/support.h>
a35d80
+#include <support/test-driver.h>
a35d80
 
a35d80
 static void
a35d80
 transfer (const char *what, struct pollfd *pfd, struct xmemstream *stream)
a35d80
@@ -101,6 +104,129 @@ support_capture_subprogram (const char *file, char *const argv[])
a35d80
   return result;
a35d80
 }
a35d80
 
a35d80
+/* Copies the executable into a restricted directory, so that we can
a35d80
+   safely make it SGID with the TARGET group ID.  Then runs the
a35d80
+   executable.  */
a35d80
+static int
a35d80
+copy_and_spawn_sgid (char *child_id, gid_t gid)
a35d80
+{
a35d80
+  char *dirname = xasprintf ("%s/tst-tunables-setuid.%jd",
a35d80
+			     test_dir, (intmax_t) getpid ());
a35d80
+  char *execname = xasprintf ("%s/bin", dirname);
a35d80
+  int infd = -1;
a35d80
+  int outfd = -1;
a35d80
+  int ret = 1, status = 1;
a35d80
+
a35d80
+  TEST_VERIFY (mkdir (dirname, 0700) == 0);
a35d80
+  if (support_record_failure_is_failed ())
a35d80
+    goto err;
a35d80
+
a35d80
+  infd = open ("/proc/self/exe", O_RDONLY);
a35d80
+  if (infd < 0)
a35d80
+    FAIL_UNSUPPORTED ("unsupported: Cannot read binary from procfs\n");
a35d80
+
a35d80
+  outfd = open (execname, O_WRONLY | O_CREAT | O_EXCL, 0700);
a35d80
+  TEST_VERIFY (outfd >= 0);
a35d80
+  if (support_record_failure_is_failed ())
a35d80
+    goto err;
a35d80
+
a35d80
+  char buf[4096];
a35d80
+  for (;;)
a35d80
+    {
a35d80
+      ssize_t rdcount = read (infd, buf, sizeof (buf));
a35d80
+      TEST_VERIFY (rdcount >= 0);
a35d80
+      if (support_record_failure_is_failed ())
a35d80
+	goto err;
a35d80
+      if (rdcount == 0)
a35d80
+	break;
a35d80
+      char *p = buf;
a35d80
+      char *end = buf + rdcount;
a35d80
+      while (p != end)
a35d80
+	{
a35d80
+	  ssize_t wrcount = write (outfd, buf, end - p);
a35d80
+	  if (wrcount == 0)
a35d80
+	    errno = ENOSPC;
a35d80
+	  TEST_VERIFY (wrcount > 0);
a35d80
+	  if (support_record_failure_is_failed ())
a35d80
+	    goto err;
a35d80
+	  p += wrcount;
a35d80
+	}
a35d80
+    }
a35d80
+  TEST_VERIFY (fchown (outfd, getuid (), gid) == 0);
a35d80
+  if (support_record_failure_is_failed ())
a35d80
+    goto err;
a35d80
+  TEST_VERIFY (fchmod (outfd, 02750) == 0);
a35d80
+  if (support_record_failure_is_failed ())
a35d80
+    goto err;
a35d80
+  TEST_VERIFY (close (outfd) == 0);
a35d80
+  if (support_record_failure_is_failed ())
a35d80
+    goto err;
a35d80
+  TEST_VERIFY (close (infd) == 0);
a35d80
+  if (support_record_failure_is_failed ())
a35d80
+    goto err;
a35d80
+
a35d80
+  /* We have the binary, now spawn the subprocess.  Avoid using
a35d80
+     support_subprogram because we only want the program exit status, not the
a35d80
+     contents.  */
a35d80
+  ret = 0;
a35d80
+
a35d80
+  char * const args[] = {execname, child_id, NULL};
a35d80
+
a35d80
+  status = support_subprogram_wait (args[0], args);
a35d80
+
a35d80
+err:
a35d80
+  if (outfd >= 0)
a35d80
+    close (outfd);
a35d80
+  if (infd >= 0)
a35d80
+    close (infd);
a35d80
+  if (execname != NULL)
a35d80
+    {
a35d80
+      unlink (execname);
a35d80
+      free (execname);
a35d80
+    }
a35d80
+  if (dirname != NULL)
a35d80
+    {
a35d80
+      rmdir (dirname);
a35d80
+      free (dirname);
a35d80
+    }
a35d80
+
a35d80
+  if (ret != 0)
a35d80
+    FAIL_EXIT1("Failed to make sgid executable for test\n");
a35d80
+
a35d80
+  return status;
a35d80
+}
a35d80
+
a35d80
+int
a35d80
+support_capture_subprogram_self_sgid (char *child_id)
a35d80
+{
a35d80
+  gid_t target = 0;
a35d80
+  const int count = 64;
a35d80
+  gid_t groups[count];
a35d80
+
a35d80
+  /* Get a GID which is not our current GID, but is present in the
a35d80
+     supplementary group list.  */
a35d80
+  int ret = getgroups (count, groups);
a35d80
+  if (ret < 0)
a35d80
+    FAIL_UNSUPPORTED("Could not get group list for user %jd\n",
a35d80
+		     (intmax_t) getuid ());
a35d80
+
a35d80
+  gid_t current = getgid ();
a35d80
+  for (int i = 0; i < ret; ++i)
a35d80
+    {
a35d80
+      if (groups[i] != current)
a35d80
+	{
a35d80
+	  target = groups[i];
a35d80
+	  break;
a35d80
+	}
a35d80
+    }
a35d80
+
a35d80
+  if (target == 0)
a35d80
+    FAIL_UNSUPPORTED("Could not find a suitable GID for user %jd\n",
a35d80
+		     (intmax_t) getuid ());
a35d80
+
a35d80
+  return copy_and_spawn_sgid (child_id, target);
a35d80
+}
a35d80
+
a35d80
 void
a35d80
 support_capture_subprocess_free (struct support_capture_subprocess *p)
a35d80
 {
a35d80
diff --git a/support/support_subprocess.c b/support/support_subprocess.c
a35d80
index af01827cac81d80c..f7ee28af2531eda8 100644
a35d80
--- a/support/support_subprocess.c
a35d80
+++ b/support/support_subprocess.c
a35d80
@@ -92,6 +92,19 @@ support_subprogram (const char *file, char *const argv[])
a35d80
   return result;
a35d80
 }
a35d80
 
a35d80
+int
a35d80
+support_subprogram_wait (const char *file, char *const argv[])
a35d80
+{
a35d80
+  posix_spawn_file_actions_t fa;
a35d80
+
a35d80
+  posix_spawn_file_actions_init (&fa);
a35d80
+  struct support_subprocess res = support_subprocess_init ();
a35d80
+
a35d80
+  res.pid = xposix_spawn (file, &fa, NULL, argv, environ);
a35d80
+
a35d80
+  return support_process_wait (&res;;
a35d80
+}
a35d80
+
a35d80
 int
a35d80
 support_process_wait (struct support_subprocess *proc)
a35d80
 {