2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright (c) 2020 Red Hat, Inc. All Rights Reserved.
7 # Test the fs.protected_symlinks and fs.protected_hardlinks sysctls
10 seqres=$RESULT_DIR/$seq
11 echo "QA output created by $seq"
15 status=1 # failure is the default!
16 trap "_cleanup; exit \$status" 0 1 2 3 15 # on exit (0) and HUP/INT/QUIT/TERM: run _cleanup, then exit with $status (\$ defers expansion until the trap fires)
21 [ ! -z "$SYMLINK_PROTECTION" ] \
22 && sysctl -qw fs.protected_symlinks=$SYMLINK_PROTECTION
23 [ ! -z "$HARDLINK_PROTECTION" ] \
24 && sysctl -qw fs.protected_hardlinks=$HARDLINK_PROTECTION
29 # get standard environment, filters and checks
33 # remove previous $seqres.full before test
36 # real QA test starts here
38 # Modify as appropriate.
41 _require_sysctl_variable fs.protected_symlinks # NOTE(review): helper is defined outside this listing; presumably skips the test when the sysctl is absent - confirm
42 _require_sysctl_variable fs.protected_hardlinks
44 # Do this SECOND so that qa_user is fsgqa, and _user_do uses that account
51 # Save the current sysctl values so they can be written back when the test is done.
52 SYMLINK_PROTECTION=`sysctl -n fs.protected_symlinks` # -n prints the value only; the restore lines earlier in this file run only when this is non-empty
53 HARDLINK_PROTECTION=`sysctl -n fs.protected_hardlinks`
57 ln -s $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/symlink
58 chown $OTHER.$OTHER $TEST_DIR/$seq/sticky_dir
59 chown $OWNER.$OWNER $TEST_DIR/$seq/sticky_dir/symlink
60 # If we can read the target, we followed the link
61 _user_do "cat $TEST_DIR/$seq/sticky_dir/symlink" | _filter_test_dir
62 rm -f $TEST_DIR/$seq/sticky_dir/symlink
67 chown $OWNER.$OWNER $TEST_DIR/$seq/target
68 chmod go-rw $TEST_DIR/$seq/target
69 _user_do "ln $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/hardlink" \
71 test -f $TEST_DIR/$seq/sticky_dir/hardlink \
72 && echo "successfully created hardlink"
73 rm -f $TEST_DIR/$seq/sticky_dir/hardlink
78 # Create world-writable sticky dir
79 mkdir -p $TEST_DIR/$seq/sticky_dir
80 chmod 1777 $TEST_DIR/$seq/sticky_dir
81 # And a file elsewhere that will be linked to from that sticky dir
82 mkdir -p $TEST_DIR/$seq
83 # If we can read it, we followed the link.
84 echo "successfully followed symlink" > $TEST_DIR/$seq/target
89 # First test fs.protected_symlinks (a system-wide sysctl: writing it affects the whole host, not just this test)
90 # With protection on, following a symlink in the world-writable sticky
91 # directory should fail if the link owner != the sticky directory owner,
92 # and the process is not the link owner.
93 echo "== Test symlink follow protection when"
94 echo "== process != link owner and dir owner != link owner"
95 sysctl -w fs.protected_symlinks=0 # protection off (baseline); no -q, so sysctl's "key = value" line goes to the test output
97 sysctl -w fs.protected_symlinks=1 # protection on: the case described in the comment above
102 # Now test fs.protected_hardlinks (a system-wide sysctl: writing it affects the whole host, not just this test)
103 # With protection on, hardlink creation should fail if the
104 # process does not own the target file, and the process does not have
105 # read-write access to the target.
106 echo "== Test hardlink create protection when"
107 echo "== process != target owner and process cannot read target"
108 sysctl -w fs.protected_hardlinks=0 # protection off (baseline); no -q, so sysctl's "key = value" line goes to the test output
110 sysctl -w fs.protected_hardlinks=1 # protection on: the case described in the comment above