[CRIU] [PATCH 3/3] test: security
Ruslan Kuprieiev
kupruser at gmail.com
Mon Jul 14 11:24:26 PDT 2014
This test creates 2 users to check how secure it is to use criu with the setuid bit set.
Signed-off-by: Ruslan Kuprieiev <kupruser at gmail.com>
---
test/Makefile | 2 +-
test/security/Makefile | 32 ++++++++++++++++++++
test/security/loop.sh | 12 ++++++++
test/security/run.sh | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 125 insertions(+), 1 deletion(-)
create mode 100644 test/security/Makefile
create mode 100755 test/security/loop.sh
create mode 100755 test/security/run.sh
diff --git a/test/Makefile b/test/Makefile
index ef5fc8a..351b37b 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -9,7 +9,7 @@ all: .FORCE
$(MAKE) zdtm
.PHONY: all
-TESTS = unix-callback mem-snap rpc libcriu mounts/ext
+TESTS = unix-callback mem-snap rpc libcriu mounts/ext security
other: .FORCE
for t in $(TESTS); do \
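Review bot: Adding `security` to `TESTS` makes the `other` loop run a test that needs root and changes the host: test/security/Makefile in this patch creates two accounts with `useradd` and installs a setuid copy of criu under /tmp. The body of the `other` recipe is outside this hunk, so whether it ever invokes the sub-Makefile's `clean` is not visible here; if it does not, the accounts and the setuid binary persist after the run. I would keep this test out of the default list, or at least add a comment above the assignment such as `# security: needs root, creates users and a setuid criu in /tmp; run its clean target afterwards`.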
diff --git a/test/security/Makefile b/test/security/Makefile
new file mode 100644
index 0000000..a1e3efc
--- /dev/null
+++ b/test/security/Makefile
@@ -0,0 +1,32 @@
+DIR := /tmp/criu-test
+LOOP := $(DIR)/loop.sh
+PIDFILE := $(DIR)/loop.pid
+IMGS := $(DIR)/imgs
+CRIU := $(DIR)/criu
+
+ROOT :=root
+USR1 :=criu-test-user1
+USR2 :=criu-test-user2
+
+export DIR LOOP PIDFILE IMGS CRIU ROOT USR1 USR2
+
+run: testdir users
+ ./run.sh
+
+testdir: ../../criu
+ mkdir -p $(DIR)
+ mkdir -p $(IMGS)
+ cp ../../criu $(CRIU)
+ chmod u+s $(CRIU)
+ cp loop.sh $(LOOP)
+ chmod 777 $(DIR)
+
+users:
+ useradd -M -U $(USR1)
+ useradd -M -U $(USR2)
+ usermod -a -G $(USR2) $(USR1)
+
+clean:
+ rm -rf $(DIR)
+ -userdel -f $(USR1)
+ -userdel -f $(USR2)
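Review bot: `chmod 777 $(DIR)` in `testdir` leaves the directory that holds the setuid copy of criu and `loop.sh` writable by every local user with no sticky bit, and run.sh later starts `$(LOOP)` as root from it, so files that root executes can be swapped by any account on the host. The test users appear to need only to create the pid file there, so `chmod 1777 $(DIR)` is the smallest fix. A directory from `mktemp -d` would be better, because `mkdir -p` on the fixed name `/tmp/criu-test` silently accepts a directory someone else created first. `run`, `testdir`, `users` and `clean` should also be declared `.PHONY`. `useradd` fails on a second run unless `clean` ran in between, and nothing runs `clean` after an aborted run, so the setuid binary stays behind.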
diff --git a/test/security/loop.sh b/test/security/loop.sh
new file mode 100755
index 0000000..b8ebc6f
--- /dev/null
+++ b/test/security/loop.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+echo $$
+
+if [ "$1" == "--chgrp" ]; then
+ grps=( $(groups) )
+ newgrp ${grps[1]}
+fi
+
+while :; do
+ sleep 1
+done
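Review bot: The `--chgrp` branch probably does not change the gid of the process that criu later dumps. `newgrp` is an external command in bash, so it runs in a child, and with stdin redirected from /dev/null by run.sh the shell it starts would likely exit at once while the original shell enters the loop with its old gid. If so, test_own passes without exercising the changed-gid case. One option is to move the branch above `echo $$` and re-execute the script under the new group, `exec sg "${grps[1]}" -c "$0"`, so the pid printed belongs to the process that actually runs with the new gid. `${grps[1]}` should be quoted either way.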
diff --git a/test/security/run.sh b/test/security/run.sh
new file mode 100755
index 0000000..a159918
--- /dev/null
+++ b/test/security/run.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+PID=
+
+function run_as {
+ echo "== Run ${LOOP} as $1"
+ echo ${PIDFILE}
+ rm -f ${PIDFILE}
+ su $1 -c "${LOOP} $2 < /dev/null 2> /dev/null > ${PIDFILE} &"
+ PID=`cat ${PIDFILE}`
+ echo ${PID}
+}
+
+function dump_as {
+ echo "== Dump ${PID} as $@"
+ su $@ -c "${CRIU} dump --tree ${PID} --images-dir ${IMGS} --shell-job"
+ return $?
+}
+
+function rstr_as {
+ echo "== Restore ${IMGS} as $@"
+ su $@ -c "${CRIU} restore --images-dir ${IMGS} --shell-job --restore-detached"
+ return $?
+}
+
+function result {
+ local BGRED='\033[41m'
+ local BGGREEN='\033[42m'
+ local NORMAL=$(tput sgr0)
+
+ if [ $1 -ne 0 ]; then
+ echo -e "${BGRED}FAIL${NORMAL}"
+ else
+ echo -e "${BGGREEN}PASS${NORMAL}"
+ fi
+}
+
+function test_root {
+ echo "==== Check that non-root can't dump/restore process owned by root"
+
+ run_as ${ROOT}
+
+ dump_as ${USR1} ; result $((!$?))
+ dump_as ${ROOT} ; result $(($?))
+
+ rstr_as ${USR1} ; result $((!$?))
+ rstr_as ${ROOT} ; result $(($?))
+
+ kill -SIGKILL ${PID}
+}
+
+function test_other {
+ echo "==== Check that user2 can't dump/restore process owned by user1"
+
+ run_as ${USR1}
+
+ dump_as ${USR2} ; result $((!$?))
+ dump_as ${USR1} ; result $(($?))
+
+ rstr_as ${USR2} ; result $((!$?))
+ rstr_as ${USR1} ; result $(($?))
+
+ kill -SIGKILL ${PID}
+}
+
+function test_own {
+ echo "==== Check that user1 can dump/restore his own process that changes it's gid to one from groups"
+
+ run_as ${USR1} "--chgrp"
+
+ dump_as ${USR1} ; result $(($?))
+
+ rstr_as ${USR1} ; result $(($?))
+
+ kill -SIGKILL ${PID}
+}
+
+test_root
+test_other
+test_own
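Review bot: `result` only prints FAIL, and the script's exit status is that of the last `kill`, so `make run` succeeds even when an unprivileged user was able to dump or restore someone else's process. For a security test this means a regression goes unnoticed by anything that checks the exit code. Setting a flag in the failing branch, `FAILED=1`, and ending the script with `exit ${FAILED:-0}` would fix that. In `run_as`, the `cat ${PIDFILE}` runs right after the loop was backgrounded, so it can read an empty file. An empty or non-numeric `PID` should abort the test before it reaches `criu dump --tree` and `kill -SIGKILL ${PID}`, both of which run as root on a value read from a file the test users can write.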
--
1.8.3.2