/* * Test sharing via dup() * Test that seals are shared between dupped FDs and they're all equal. */ static void test_share_dup(void) { int fd, fd2; fd = mfd_assert_new("kern_memfd_share_dup", MFD_DEF_SIZE, MFD_CLOEXEC | MFD_ALLOW_SEALING); mfd_assert_has_seals(fd, 0); fd2 = mfd_assert_dup(fd); mfd_assert_has_seals(fd2, 0); mfd_assert_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd2, F_SEAL_WRITE); mfd_assert_add_seals(fd2, F_SEAL_SHRINK); mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK); mfd_assert_has_seals(fd2, F_SEAL_WRITE | F_SEAL_SHRINK); mfd_assert_add_seals(fd, F_SEAL_SEAL); mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_SEAL); mfd_assert_has_seals(fd2, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_SEAL); mfd_fail_add_seals(fd, F_SEAL_GROW); mfd_fail_add_seals(fd2, F_SEAL_GROW); mfd_fail_add_seals(fd, F_SEAL_SEAL); mfd_fail_add_seals(fd2, F_SEAL_SEAL); close(fd2); mfd_fail_add_seals(fd, F_SEAL_GROW); close(fd); }
/* * Test sharing via fork() * Test whether seal-modifications work as expected with forked childs. */ static void test_share_fork(char *banner, char *b_suffix) { int fd; pid_t pid; printf("%s %s %s\n", memfd_str, banner, b_suffix); fd = mfd_assert_new("kern_memfd_share_fork", mfd_def_size, MFD_CLOEXEC | MFD_ALLOW_SEALING); mfd_assert_has_seals(fd, 0); pid = spawn_idle_thread(0); mfd_assert_add_seals(fd, F_SEAL_SEAL); mfd_assert_has_seals(fd, F_SEAL_SEAL); mfd_fail_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_SEAL); join_idle_thread(pid); mfd_fail_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_SEAL); close(fd); }
/* * Test sealing with active mmap()s * Modifying seals is only allowed if no other mmap() refs exist. */ static void test_share_mmap(void) { int fd; void *p; fd = mfd_assert_new("kern_memfd_share_mmap", MFD_DEF_SIZE, MFD_CLOEXEC | MFD_ALLOW_SEALING); mfd_assert_has_seals(fd, 0); /* shared/writable ref prevents sealing WRITE, but allows others */ p = mfd_assert_mmap_shared(fd); mfd_fail_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, 0); mfd_assert_add_seals(fd, F_SEAL_SHRINK); mfd_assert_has_seals(fd, F_SEAL_SHRINK); munmap(p, MFD_DEF_SIZE); /* readable ref allows sealing */ p = mfd_assert_mmap_private(fd); mfd_assert_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK); munmap(p, MFD_DEF_SIZE); close(fd); }
/* * Test sealing with active mmap()s * Modifying seals is only allowed if no other mmap() refs exist. */ static void test_share_mmap(char *banner, char *b_suffix) { int fd; void *p; printf("%s %s %s\n", memfd_str, banner, b_suffix); fd = mfd_assert_new("kern_memfd_share_mmap", mfd_def_size, MFD_CLOEXEC | MFD_ALLOW_SEALING); mfd_assert_has_seals(fd, 0); /* shared/writable ref prevents sealing WRITE, but allows others */ p = mfd_assert_mmap_shared(fd); mfd_fail_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, 0); mfd_assert_add_seals(fd, F_SEAL_SHRINK); mfd_assert_has_seals(fd, F_SEAL_SHRINK); munmap(p, mfd_def_size); /* readable ref allows sealing */ p = mfd_assert_mmap_private(fd); mfd_assert_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK); munmap(p, mfd_def_size); close(fd); }
/* * Test basic sealing * A very basic sealing test to see whether setting/retrieving seals works. */ static void test_basic(void) { int fd; printf("%s BASIC\n", memfd_str); fd = mfd_assert_new("kern_memfd_basic", mfd_def_size, MFD_CLOEXEC | MFD_ALLOW_SEALING); /* add basic seals */ mfd_assert_has_seals(fd, 0); mfd_assert_add_seals(fd, F_SEAL_SHRINK | F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_SHRINK | F_SEAL_WRITE); /* add them again */ mfd_assert_add_seals(fd, F_SEAL_SHRINK | F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_SHRINK | F_SEAL_WRITE); /* add more seals and seal against sealing */ mfd_assert_add_seals(fd, F_SEAL_GROW | F_SEAL_SEAL); mfd_assert_has_seals(fd, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL); /* verify that sealing no longer works */ mfd_fail_add_seals(fd, F_SEAL_GROW); mfd_fail_add_seals(fd, 0); close(fd); /* verify sealing does not work without MFD_ALLOW_SEALING */ fd = mfd_assert_new("kern_memfd_basic", mfd_def_size, MFD_CLOEXEC); mfd_assert_has_seals(fd, F_SEAL_SEAL); mfd_fail_add_seals(fd, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_SEAL); close(fd); }
/* * Test sharing via fork() * Test whether seal-modifications work as expected with forked childs. */ static void test_share_fork(void) { int fd; pid_t pid; fd = mfd_assert_new("kern_memfd_share_fork", MFD_DEF_SIZE, MFD_CLOEXEC | MFD_ALLOW_SEALING); mfd_assert_has_seals(fd, 0); pid = spawn_idle_thread(0); mfd_assert_add_seals(fd, F_SEAL_SEAL); mfd_assert_has_seals(fd, F_SEAL_SEAL); mfd_fail_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_SEAL); join_idle_thread(pid); mfd_fail_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_SEAL); close(fd); }
/* * Test sharing via dup() * Test that seals are shared between dupped FDs and they're all equal. */ static void test_share_dup(char *banner, char *b_suffix) { int fd, fd2; printf("%s %s %s\n", memfd_str, banner, b_suffix); fd = mfd_assert_new("kern_memfd_share_dup", mfd_def_size, MFD_CLOEXEC | MFD_ALLOW_SEALING); mfd_assert_has_seals(fd, 0); fd2 = mfd_assert_dup(fd); mfd_assert_has_seals(fd2, 0); mfd_assert_add_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd, F_SEAL_WRITE); mfd_assert_has_seals(fd2, F_SEAL_WRITE); mfd_assert_add_seals(fd2, F_SEAL_SHRINK); mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK); mfd_assert_has_seals(fd2, F_SEAL_WRITE | F_SEAL_SHRINK); mfd_assert_add_seals(fd, F_SEAL_SEAL); mfd_assert_has_seals(fd, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_SEAL); mfd_assert_has_seals(fd2, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_SEAL); mfd_fail_add_seals(fd, F_SEAL_GROW); mfd_fail_add_seals(fd2, F_SEAL_GROW); mfd_fail_add_seals(fd, F_SEAL_SEAL); mfd_fail_add_seals(fd2, F_SEAL_SEAL); close(fd2); mfd_fail_add_seals(fd, F_SEAL_GROW); close(fd); }