From 38e0c9e0c522801a70ba498357c833880d6f5865 Mon Sep 17 00:00:00 2001
From: Tomohiro Kusumi <kusumi.tomohiro@gmail.com>
Date: Wed, 17 Jul 2019 01:14:52 +0900
Subject: [PATCH] Implement secpolicy_vnode_setid_retain()

Don't unconditionally return 0 (i.e. retain SUID/SGID).
Test CAP_FSETID capability.

https://github.com/pjd/pjdfstest/blob/master/tests/chmod/12.t
which expects SUID/SGID to be dropped on write(2) by non-owner fails
without this. Most filesystems make this decision within VFS by using
a generic file write for fops.

Signed-off-by: Tomohiro Kusumi <kusumi.tomohiro@osnexus.com>
---
 configure.ac                                  |   1 +
 module/zfs/policy.c                           |   2 +-
 tests/runfiles/linux.run                      |   4 +
 tests/zfs-tests/tests/functional/Makefile.am  |   1 +
 .../tests/functional/suid/.gitignore          |   1 +
 .../tests/functional/suid/Makefile.am         |  12 ++
 .../tests/functional/suid/cleanup.ksh         |  34 +++++
 .../zfs-tests/tests/functional/suid/setup.ksh |  35 +++++
 .../functional/suid/suid_write_to_file.c      | 122 ++++++++++++++++++
 9 files changed, 211 insertions(+), 1 deletion(-)
 create mode 100644 tests/zfs-tests/tests/functional/suid/.gitignore
 create mode 100644 tests/zfs-tests/tests/functional/suid/Makefile.am
 create mode 100755 tests/zfs-tests/tests/functional/suid/cleanup.ksh
 create mode 100755 tests/zfs-tests/tests/functional/suid/setup.ksh
 create mode 100644 tests/zfs-tests/tests/functional/suid/suid_write_to_file.c

diff --git a/configure.ac b/configure.ac
index f1d3ddc20cfa..94caaae14639 100644
--- a/configure.ac
+++ b/configure.ac
@@ -330,6 +330,7 @@ AC_CONFIG_FILES([
 	tests/zfs-tests/tests/functional/snapshot/Makefile
 	tests/zfs-tests/tests/functional/snapused/Makefile
 	tests/zfs-tests/tests/functional/sparse/Makefile
+	tests/zfs-tests/tests/functional/suid/Makefile
 	tests/zfs-tests/tests/functional/alloc_class/Makefile
 	tests/zfs-tests/tests/functional/threadsappend/Makefile
 	tests/zfs-tests/tests/functional/tmpfile/Makefile
diff --git a/module/zfs/policy.c b/module/zfs/policy.c
index 55c932747915..a723235d3015 100644
--- a/module/zfs/policy.c
+++ b/module/zfs/policy.c
@@ -209,7 +209,7 @@ secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
 int
 secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
 {
-	return (0);
+	return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
 }
 
 /*
diff --git a/tests/runfiles/linux.run b/tests/runfiles/linux.run
index 4a0e151f442d..92e84e35c4f3 100644
--- a/tests/runfiles/linux.run
+++ b/tests/runfiles/linux.run
@@ -850,6 +850,10 @@ tags = ['functional', 'snapused']
 tests = ['sparse_001_pos']
 tags = ['functional', 'sparse']
 
+[tests/functional/suid]
+tests = ['suid_write_to_file']
+tags = ['functional', 'suid']
+
 [tests/functional/threadsappend]
 tests = ['threadsappend_001_pos']
 tags = ['functional', 'threadsappend']
diff --git a/tests/zfs-tests/tests/functional/Makefile.am b/tests/zfs-tests/tests/functional/Makefile.am
index 783fdfb8aa7c..6c9cb3e04929 100644
--- a/tests/zfs-tests/tests/functional/Makefile.am
+++ b/tests/zfs-tests/tests/functional/Makefile.am
@@ -68,6 +68,7 @@ SUBDIRS = \
 	snapshot \
 	snapused \
 	sparse \
+	suid \
 	threadsappend \
 	tmpfile \
 	trim \
diff --git a/tests/zfs-tests/tests/functional/suid/.gitignore b/tests/zfs-tests/tests/functional/suid/.gitignore
new file mode 100644
index 000000000000..a9a3db79ba44
--- /dev/null
+++ b/tests/zfs-tests/tests/functional/suid/.gitignore
@@ -0,0 +1 @@
+/suid_write_to_file
diff --git a/tests/zfs-tests/tests/functional/suid/Makefile.am b/tests/zfs-tests/tests/functional/suid/Makefile.am
new file mode 100644
index 000000000000..d22e404291e8
--- /dev/null
+++ b/tests/zfs-tests/tests/functional/suid/Makefile.am
@@ -0,0 +1,12 @@
+include $(top_srcdir)/config/Rules.am
+
+pkgdatadir = $(datadir)/@PACKAGE@/zfs-tests/tests/functional/suid
+
+dist_pkgdata_SCRIPTS = \
+	cleanup.ksh \
+	setup.ksh
+
+pkgexecdir = $(datadir)/@PACKAGE@/zfs-tests/tests/functional/suid
+
+pkgexec_PROGRAMS = suid_write_to_file
+suid_write_to_file_SOURCES = suid_write_to_file.c
diff --git a/tests/zfs-tests/tests/functional/suid/cleanup.ksh b/tests/zfs-tests/tests/functional/suid/cleanup.ksh
new file mode 100755
index 000000000000..edffacc6f04f
--- /dev/null
+++ b/tests/zfs-tests/tests/functional/suid/cleanup.ksh
@@ -0,0 +1,34 @@
+#!/bin/ksh -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+
+#
+# Copyright (c) 2019 by Tomohiro Kusumi. All rights reserved.
+#
+
+. $STF_SUITE/include/libtest.shlib
+
+#default_cleanup
diff --git a/tests/zfs-tests/tests/functional/suid/setup.ksh b/tests/zfs-tests/tests/functional/suid/setup.ksh
new file mode 100755
index 000000000000..bc49350a431a
--- /dev/null
+++ b/tests/zfs-tests/tests/functional/suid/setup.ksh
@@ -0,0 +1,35 @@
+#!/bin/ksh -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+
+#
+# Copyright (c) 2019 by Tomohiro Kusumi. All rights reserved.
+#
+
+. $STF_SUITE/include/libtest.shlib
+
+#DISK=${DISKS%% *}
+#default_setup $DISK
diff --git a/tests/zfs-tests/tests/functional/suid/suid_write_to_file.c b/tests/zfs-tests/tests/functional/suid/suid_write_to_file.c
new file mode 100644
index 000000000000..87711821f9ca
--- /dev/null
+++ b/tests/zfs-tests/tests/functional/suid/suid_write_to_file.c
@@ -0,0 +1,122 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright (c) 2019 by Tomohiro Kusumi. All rights reserved.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+/*
+ * DESCRIPTION:
+ *	Verify SUID/SGID bit on write(2) by non-owner.
+ *	Also see https://github.com/pjd/pjdfstest/blob/master/tests/chmod/12.t
+ *
+ * STRATEGY:
+ *	1. creat(2) a file with SUID/SGID.
+ *	2. write(2) to the file with uid=65534.
+ *	3. stat(2) the file and verify .st_mode value.
+ */
+
+static void
+test_stat_mode(mode_t mode)
+{
+	struct stat st;
+	int i, fd;
+	char fpath[1024];
+	char *penv[] = {"TESTDIR", "TESTFILE0"};
+	char buf[] = "test";
+	mode_t res;
+
+	/*
+	 * Get the environment variable values.
+	 */
+	for (i = 0; i < sizeof (penv) / sizeof (char *); i++) {
+		if ((penv[i] = getenv(penv[i])) == NULL) {
+			fprintf(stderr, "getenv(penv[%d])\n", i);
+			exit(1);
+		}
+	}
+
+	umask(0);
+	if (stat(penv[0], &st) == -1 && mkdir(penv[0], mode) == -1) {
+		perror("mkdir");
+		exit(2);
+	}
+
+	snprintf(fpath, sizeof (fpath), "%s/%s", penv[0], penv[1]);
+	unlink(fpath);
+	if (stat(fpath, &st) == 0) {
+		fprintf(stderr, "%s exists\n", fpath);
+		exit(3);
+	}
+
+	fd = creat(fpath, mode);
+	if (fd == -1) {
+		perror("creat");
+		exit(4);
+	}
+	close(fd);
+
+	if (setuid(65534) == -1) {
+		perror("setuid");
+		exit(5);
+	}
+
+	fd = open(fpath, O_RDWR);
+	if (fd == -1) {
+		perror("open");
+		exit(6);
+	}
+
+	if (write(fd, buf, sizeof (buf)) == -1) {
+		perror("write");
+		exit(7);
+	}
+	close(fd);
+
+	if (stat(fpath, &st) == -1) {
+		perror("stat");
+		exit(8);
+	}
+	unlink(fpath);
+
+	/* Verify SUID/SGID are dropped */
+	res = st.st_mode & (0777 | S_ISUID | S_ISGID);
+	if (res != (mode & 0777)) {
+		fprintf(stderr, "stat(2) %o\n", res);
+		exit(9);
+	}
+}
+
+int
+main(int argc, char *argv[])
+{
+	fprintf(stdout, "Verify SUID/SGID bit on write(2) by non-owner\n");
+	test_stat_mode(0777 | S_ISUID | S_ISGID);
+
+	return (0);
+}