Re: [PATCH] selftests/capabilities: Fix the test_execve test

From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski <luto@kernel.org>
Cc: Naresh Kamboju <naresh.kamboju@linaro.org>,
	Shuah Khan <shuahkh@osg.samsung.com>,
	stable@vger.kernel.org, Kees Cook <keescook@chromium.org>,
	Greg KH <greg@kroah.com>,
	linux-kselftest@vger.kernel.org
Subject: Re: [PATCH] selftests/capabilities: Fix the test_execve test
Date: Thu, 29 Jun 2017 11:32:21 -0500	[thread overview]
Message-ID: <87o9t64uwa.fsf@xmission.com> (raw)
In-Reply-To: <57f82c0dce0388bdc38da5f45fbe0c8999a0bbbc.1498751145.git.luto@kernel.org> (Andy Lutomirski's message of "Thu, 29 Jun 2017 08:46:12 -0700")

Andy Lutomirski <luto@kernel.org> writes:

> test_execve does rather odd mount manipulations to safely create
> temporary setuid and setgid executables that aren't visible to the
> rest of the system.  Those executables end up in the test's cwd, but
> that cwd is MNT_DETACHed.
>
> The core namespace code considers MNT_DETACHed trees to belong to no
> mount namespace at all and, in general, MNT_DETACHed trees are only
> barely function.  This interacted with commit 380cf5ba6b0a ("fs:
> Treat foreign mounts as nosuid") to cause all MNT_DETACHed trees to
> act as though they're nosuid, breaking the test.
>
> Fix it by just not detaching the tree.  It's still in a private
> mount namespace and is therefore still invisible to the rest of the
> system (except via /proc, and the same nosuid logic will protect all
> other programs on the system from believing in test_execve's setuid
> bits).
>
> While we're at it, fix some blatant whitespace problems.
>
> Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
> Fixes: 380cf5ba6b0a ("fs: Treat foreign mounts as nosuid")
> Cc: stable@vger.kernel.org
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Shuah Khan <shuahkh@osg.samsung.com>
> Cc: Greg KH <greg@kroah.com>
> Cc: linux-kselftest@vger.kernel.org
> Signed-off-by: Andy Lutomirski <luto@kernel.org>

Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>

> ---
>  tools/testing/selftests/capabilities/test_execve.c | 7 ++-----
>  1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/tools/testing/selftests/capabilities/test_execve.c b/tools/testing/selftests/capabilities/test_execve.c
> index 10a21a958aaf..763f37fecfb8 100644
> --- a/tools/testing/selftests/capabilities/test_execve.c
> +++ b/tools/testing/selftests/capabilities/test_execve.c
> @@ -138,9 +138,6 @@ static void chdir_to_tmpfs(void)
>  
>  	if (chdir(cwd) != 0)
>  		err(1, "chdir to private tmpfs");
> -
> -	if (umount2(".", MNT_DETACH) != 0)
> -		err(1, "detach private tmpfs");
>  }
>  
>  static void copy_fromat_to(int fromfd, const char *fromname, const char *toname)
> @@ -248,7 +245,7 @@ static int do_tests(int uid, const char *our_path)
>  			err(1, "chown");
>  		if (chmod("validate_cap_sgidnonroot", S_ISGID | 0710) != 0)
>  			err(1, "chmod");
> -}
> +	}
>  
>  	capng_get_caps_process();
>  
> @@ -384,7 +381,7 @@ static int do_tests(int uid, const char *our_path)
>  	} else {
>  		printf("[RUN]\tNon-root +ia, sgidnonroot => i\n");
>  		exec_other_validate_cap("./validate_cap_sgidnonroot",
> -						false, false, true, false);
> +					false, false, true, false);
>  
>  		if (fork_wait()) {
>  			printf("[RUN]\tNon-root +ia, sgidroot => i\n");