diff --git a/test/Makefile b/test/Makefile
index ef5fc8ad8..351b37bbb 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -9,7 +9,7 @@ all: .FORCE
 $(MAKE) zdtm
 .PHONY: all
-TESTS = unix-callback mem-snap rpc libcriu mounts/ext
+TESTS = unix-callback mem-snap rpc libcriu mounts/ext security
 other: .FORCE
 for t in $(TESTS); do \
diff --git a/test/security/Makefile b/test/security/Makefile
new file mode 100644
index 000000000..a1e3efc10
--- /dev/null
+++ b/test/security/Makefile
@@ -0,0 +1,32 @@
+DIR := /tmp/criu-test
+LOOP := $(DIR)/loop.sh
+PIDFILE := $(DIR)/loop.pid
+IMGS := $(DIR)/imgs
+CRIU := $(DIR)/criu
+
+ROOT :=root
+USR1 :=criu-test-user1
+USR2 :=criu-test-user2
+
+export DIR LOOP PIDFILE IMGS CRIU ROOT USR1 USR2
+
+run: testdir users
+ ./run.sh
+
+testdir: ../../criu
+ mkdir -p $(DIR)
+ mkdir -p $(IMGS)
+ cp ../../criu $(CRIU)
+ chmod u+s $(CRIU)
+ cp loop.sh $(LOOP)
+ chmod 777 $(DIR)
+
+users:
+ useradd -M -U $(USR1)
+ useradd -M -U $(USR2)
+ usermod -a -G $(USR2) $(USR1)
+
+clean:
+ rm -rf $(DIR)
+ -userdel -f $(USR1)
+ -userdel -f $(USR2)
diff --git a/test/security/loop.sh b/test/security/loop.sh
new file mode 100755
index 000000000..b8ebc6f9e
--- /dev/null
+++ b/test/security/loop.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+echo $$
+
+if [ "$1" == "--chgrp" ]; then
+ grps=( $(groups) )
+ newgrp ${grps[1]}
+fi
+
+while :; do
+ sleep 1
+done
diff --git a/test/security/run.sh b/test/security/run.sh
new file mode 100755
index 000000000..a15991895
--- /dev/null
+++ b/test/security/run.sh
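Review bot: The `testdir` recipe in test/security/Makefile puts a setuid-root copy of criu, and the `loop.sh` that run.sh later starts as root, into a fixed `/tmp/criu-test` that it then opens up with `chmod 777 $(DIR)`. Without the sticky bit any local account can rename or replace those files before root uses them, and `mkdir -p` silently accepts a directory or symlink that someone else created first. On a shared or CI host the directory should be created fresh (fail if it already exists) and given `chmod 1777 $(DIR)`, or kept at 0755 with a separate writable subdirectory for the pidfile and images. The setuid binary also stays in place until `make clean` is run by hand, so a comment saying so above `chmod u+s $(CRIU)` would help. Separately, `run`, `testdir`, `users` and `clean` should be declared with `.PHONY: run testdir users clean`, and because `useradd` fails for an existing account, a second `make run` without `clean` stops in `users`.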
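Review bot: `newgrp ${grps[1]}` in loop.sh runs as a child command, so it probably does not change the group of the process that goes on to loop. newgrp starts a new shell, and with stdin redirected from /dev/null (as run.sh does) that shell likely exits at once, leaving the `while` loop under the original gid. If that is the case, the `--chgrp` run dumps an ordinary process and does not cover the gid-change path that `test_own` describes. Printing `id -g` after the call would confirm it, and running the loop itself under the new group, for example through `sg`, would make the intent explicit. `"${grps[1]}"` should be quoted, with a comment that index 1 is expected to be the supplementary group added by `usermod -a -G`.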
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+PID=
+
+function run_as {
+ echo "== Run ${LOOP} as $1"
+ echo ${PIDFILE}
+ rm -f ${PIDFILE}
+ su $1 -c "${LOOP} $2 < /dev/null 2> /dev/null > ${PIDFILE} &"
+ PID=`cat ${PIDFILE}`
+ echo ${PID}
+}
+
+function dump_as {
+ echo "== Dump ${PID} as $@"
+ su $@ -c "${CRIU} dump --tree ${PID} --images-dir ${IMGS} --shell-job"
+ return $?
+}
+
+function rstr_as {
+ echo "== Restore ${IMGS} as $@"
+ su $@ -c "${CRIU} restore --images-dir ${IMGS} --shell-job --restore-detached"
+ return $?
+}
+
+function result {
+ local BGRED='\033[41m'
+ local BGGREEN='\033[42m'
+ local NORMAL=$(tput sgr0)
+
+ if [ $1 -ne 0 ]; then
+ echo -e "${BGRED}FAIL${NORMAL}"
+ else
+ echo -e "${BGGREEN}PASS${NORMAL}"
+ fi
+}
+
+function test_root {
+ echo "==== Check that non-root can't dump/restore process owned by root"
+
+ run_as ${ROOT}
+
+ dump_as ${USR1} ; result $((!$?))
+ dump_as ${ROOT} ; result $(($?))
+
+ rstr_as ${USR1} ; result $((!$?))
+ rstr_as ${ROOT} ; result $(($?))
+
+ kill -SIGKILL ${PID}
+}
+
+function test_other {
+ echo "==== Check that user2 can't dump/restore process owned by user1"
+
+ run_as ${USR1}
+
+ dump_as ${USR2} ; result $((!$?))
+ dump_as ${USR1} ; result $(($?))
+
+ rstr_as ${USR2} ; result $((!$?))
+ rstr_as ${USR1} ; result $(($?))
+
+ kill -SIGKILL ${PID}
+}
+
+function test_own {
+ echo "==== Check that user1 can dump/restore his own process that changes it's gid to one from groups"
+
+ run_as ${USR1} "--chgrp"
+
+ dump_as ${USR1} ; result $(($?))
+
+ rstr_as ${USR1} ; result $(($?))
+
+ kill -SIGKILL ${PID}
+}
+
+test_root
+test_other
+test_own
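Review bot: `result` only prints PASS or FAIL, so a failed check never reaches the script's exit status. The script ends with the status of the last `kill`, and `make run` (and presumably `make other` in test/Makefile) succeeds even when a non-owner was allowed to dump or restore. For a security regression test the failure has to propagate: set `FAILED=1` in the FAIL branch and end the script with `exit ${FAILED:-0}`. The negative checks `result $((!$?))` also treat any non-zero status as a pass, so a missing account or a `su` error is indistinguishable from criu refusing the request. In `run_as` the pidfile is read with `cat ${PIDFILE}` immediately after the backgrounded `su`, so `PID` can be empty when `kill -SIGKILL ${PID}` runs; wait until the file is non-empty and check that it holds a number before using it as root.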