1 // SPDX-License-Identifier: GPL-2.0
4 * Copyright (C) 2020 Google LLC.
7 #include <test_progs.h>
8 #include <linux/limits.h>
10 #include "bprm_opts.skel.h"
11 #include "network_helpers.h"
12 #include "task_local_storage_helpers.h"
14 static const char * const bash_envp[] = { "TMPDIR=shouldnotbeset", NULL };
16 static int update_storage(int map_fd, int secureexec)
20 task_fd = sys_pidfd_open(getpid(), 0);
24 ret = bpf_map_update_elem(map_fd, &task_fd, &secureexec, BPF_NOEXIST);
32 static int run_set_secureexec(int map_fd, int secureexec)
34 int child_pid, child_status, ret, null_fd;
38 null_fd = open("/dev/null", O_WRONLY);
41 dup2(null_fd, STDOUT_FILENO);
42 dup2(null_fd, STDERR_FILENO);
45 /* Ensure that all executions from hereon are
46 * secure by setting a local storage which is read by
47 * the bprm_creds_for_exec hook and sets bprm->secureexec.
49 ret = update_storage(map_fd, secureexec);
53 /* If the binary is executed with securexec=1, the dynamic
54 * loader ignores and unsets certain variables like LD_PRELOAD,
55 * TMPDIR etc. TMPDIR is used here to simplify the example, as
56 * LD_PRELOAD requires a real .so file.
58 * If the value of TMPDIR is set, the bash command returns 10
59 * and if the value is unset, it returns 20.
61 execle("/bin/bash", "bash", "-c",
62 "[[ -z \"${TMPDIR}\" ]] || exit 10 && exit 20", NULL,
65 } else if (child_pid > 0) {
66 waitpid(child_pid, &child_status, 0);
67 ret = WEXITSTATUS(child_status);
69 /* If a secureexec occurred, the exit status should be 20 */
70 if (secureexec && ret == 20)
73 /* If normal execution happened, the exit code should be 10 */
74 if (!secureexec && ret == 10)
81 void test_test_bprm_opts(void)
83 int err, duration = 0;
84 struct bprm_opts *skel = NULL;
86 skel = bprm_opts__open_and_load();
87 if (CHECK(!skel, "skel_load", "skeleton failed\n"))
90 err = bprm_opts__attach(skel);
91 if (CHECK(err, "attach", "attach failed: %d\n", err))
94 /* Run the test with the secureexec bit unset */
95 err = run_set_secureexec(bpf_map__fd(skel->maps.secure_exec_task_map),
97 if (CHECK(err, "run_set_secureexec:0", "err = %d\n", err))
100 /* Run the test with the secureexec bit set */
101 err = run_set_secureexec(bpf_map__fd(skel->maps.secure_exec_task_map),
103 if (CHECK(err, "run_set_secureexec:1", "err = %d\n", err))
107 bprm_opts__destroy(skel);