root/tools/testing/selftests/openat2/rename_attack_test.c 
// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Author: Aleksa Sarai <cyphar@cyphar.com>
 * Copyright (C) 2018-2019 SUSE LLC.
 */

#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <syscall.h>
#include <limits.h>
#include <unistd.h>

#include "kselftest.h"
#include "helpers.h"

/* Construct a test directory with the following structure:
 *
 * root/
 * |-- a/
 * |   `-- c/
 * `-- b/
 */
int setup_testdir(void)
{
        int dfd;
        char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX";

        /* Make the top-level directory. */
        if (!mkdtemp(dirname))
                ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n");
        dfd = open(dirname, O_PATH | O_DIRECTORY);
        if (dfd < 0)
                ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n");

        E_mkdirat(dfd, "a", 0755);
        E_mkdirat(dfd, "b", 0755);
        E_mkdirat(dfd, "a/c", 0755);

        return dfd;
}

/* Swap @dirfd/@a and @dirfd/@b constantly. Parent must kill this process. */
pid_t spawn_attack(int dirfd, char *a, char *b)
{
        pid_t child = fork();
        if (child != 0)
                return child;

        /* If the parent (the test process) dies, kill ourselves too. */
        E_prctl(PR_SET_PDEATHSIG, SIGKILL);

        /* Swap @a and @b. */
        for (;;)
                renameat2(dirfd, a, dirfd, b, RENAME_EXCHANGE);
        exit(1);
}

#define NUM_RENAME_TESTS 2
#define ROUNDS 400000

const char *flagname(int resolve)
{
        switch (resolve) {
        case RESOLVE_IN_ROOT:
                return "RESOLVE_IN_ROOT";
        case RESOLVE_BENEATH:
                return "RESOLVE_BENEATH";
        }
        return "(unknown)";
}

void test_rename_attack(int resolve)
{
        int dfd, afd;
        pid_t child;
        void (*resultfn)(const char *msg, ...) = ksft_test_result_pass;
        int escapes = 0, other_errs = 0, exdevs = 0, eagains = 0, successes = 0;

        struct open_how how = {
                .flags = O_PATH,
                .resolve = resolve,
        };

        if (!openat2_supported) {
                how.resolve = 0;
                ksft_print_msg("openat2(2) unsupported -- using openat(2) instead\n");
        }

        dfd = setup_testdir();
        afd = openat(dfd, "a", O_PATH);
        if (afd < 0)
                ksft_exit_fail_msg("test_rename_attack: failed to open 'a'\n");

        child = spawn_attack(dfd, "a/c", "b");

        for (int i = 0; i < ROUNDS; i++) {
                int fd;
                char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../..";

                if (openat2_supported)
                        fd = sys_openat2(afd, victim_path, &how);
                else
                        fd = sys_openat(afd, victim_path, &how);

                if (fd < 0) {
                        if (fd == -EAGAIN)
                                eagains++;
                        else if (fd == -EXDEV)
                                exdevs++;
                        else if (fd == -ENOENT)
                                escapes++; /* escaped outside and got ENOENT... */
                        else
                                other_errs++; /* unexpected error */
                } else {
                        if (fdequal(fd, afd, NULL))
                                successes++;
                        else
                                escapes++; /* we got an unexpected fd */
                }
                close(fd);
        }

        if (escapes > 0)
                resultfn = ksft_test_result_fail;
        ksft_print_msg("non-escapes: EAGAIN=%d EXDEV=%d E<other>=%d success=%d\n",
                       eagains, exdevs, other_errs, successes);
        resultfn("rename attack with %s (%d runs, got %d escapes)\n",
                 flagname(resolve), ROUNDS, escapes);

        /* Should be killed anyway, but might as well make sure. */
        E_kill(child, SIGKILL);
}

#define NUM_TESTS NUM_RENAME_TESTS

int main(int argc, char **argv)
{
        ksft_print_header();
        ksft_set_plan(NUM_TESTS);

        test_rename_attack(RESOLVE_BENEATH);
        test_rename_attack(RESOLVE_IN_ROOT);

        if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0)
                ksft_exit_fail();
        else
                ksft_exit_pass();
}