[apple/xnu.git] / tests / task_create_suid_cred.c

#include <mach/mach.h>

#include <bootstrap.h>
#include <darwintest.h>
#include <darwintest_multiprocess.h>
#include <spawn.h>
#include <unistd.h>

#if defined(UNENTITLED)

/*
 * Creating an suid credential should fail without an entitlement.
 */
T_DECL(task_create_suid_cred_unentitled, "task_create_suid_cred (no entitlment)", T_META_ASROOT(true))
{
	kern_return_t ret = KERN_FAILURE;
	suid_cred_t sc = SUID_CRED_NULL;

	ret = task_create_suid_cred(mach_task_self(), "/usr/bin/id", 0, &sc);
	T_ASSERT_MACH_ERROR(ret, KERN_NO_ACCESS, "create a new suid cred for id (no entitlement)");
}

#else /* ENTITLED */

extern char **environ;
static const char *server_name = "com.apple.xnu.test.task_create_suid_cred";

/*
 * This is a positive test case which spawns /usr/bin/id with a properly created
 * suid credential and verifies that it correctly produces "euid=0"
 * Not running as root.
 */
static void
test_id_cred(suid_cred_t sc_id)
{
	posix_spawnattr_t attr;
	posix_spawn_file_actions_t file_actions;
	pid_t pid = -1;
	int status = -1;
	char template[] = "/tmp/suid_cred.XXXXXX";
	char *path = NULL;
	FILE *file = NULL;
	char *line = NULL;
	size_t linecap = 0;
	ssize_t linelen = 0;
	char *id[] = {"/usr/bin/id", NULL};
	kern_return_t ret = KERN_FAILURE;

	/* Send stdout to a temporary file. */
	path = mktemp(template);
	T_QUIET; T_ASSERT_NOTNULL(path, NULL);

	ret = posix_spawn_file_actions_init(&file_actions);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);

	ret = posix_spawn_file_actions_addopen(&file_actions, 1, path,
	    O_WRONLY | O_CREAT | O_TRUNC, 0666);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);

	ret = posix_spawnattr_init(&attr);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
	T_QUIET; T_ASSERT_NOTNULL(attr, NULL);

	// Attach the suid cred port
	ret = posix_spawnattr_setsuidcredport_np(&attr, sc_id);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);

	ret = posix_spawnp(&pid, id[0], &file_actions, &attr, id, environ);
	T_ASSERT_POSIX_ZERO(ret, "spawn with suid cred");

	ret = posix_spawnattr_destroy(&attr);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);

	ret = posix_spawn_file_actions_destroy(&file_actions);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);

	// Wait for id to finish executing and exit.
	do {
		ret = waitpid(pid, &status, 0);
	} while (ret < 0 && errno == EINTR);
	T_QUIET; T_ASSERT_POSIX_SUCCESS(ret, NULL);

	// Read from the temp file and verify that euid is 0.
	file = fopen(path, "re");
	T_QUIET; T_ASSERT_NOTNULL(file, NULL);

	linelen = getline(&line, &linecap, file);
	T_QUIET; T_ASSERT_GT_LONG(linelen, 0L, NULL);

	T_ASSERT_NOTNULL(strstr(line, "euid=0"), "verify that euid is zero");

	free(line);
	ret = fclose(file);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);

	ret = unlink(path);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
}

/*
 * This is a negative test case which tries to spawn /usr/bin/id with a
 * previously used credential.  It is expected that posix_spawn() fails.
 * sc_id should have already been used to successfully spawn /usr/bin/id.
 */
static void
test_id_cred_reuse(suid_cred_t sc_id)
{
	posix_spawnattr_t attr;
	char *id[] = {"/usr/bin/id", NULL};
	kern_return_t ret = KERN_FAILURE;

	ret = posix_spawnattr_init(&attr);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
	T_QUIET; T_ASSERT_NOTNULL(attr, NULL);

	// Attach the suid cred port
	ret = posix_spawnattr_setsuidcredport_np(&attr, sc_id);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);

	ret = posix_spawnp(NULL, id[0], NULL, &attr, id, environ);
	T_ASSERT_NE(ret, 0, "spawn with used suid cred");

	ret = posix_spawnattr_destroy(&attr);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
}

/*
 * This is a negative test case which tries to spawn /usr/bin/id with a
 * credential for /bin/ls. It is expected that posix_spawn() fails.
 */
static void
test_ls_cred(suid_cred_t sc_ls)
{
	posix_spawnattr_t attr;
	char *id[] = {"/usr/bin/id", NULL};
	kern_return_t ret = KERN_FAILURE;

	ret = posix_spawnattr_init(&attr);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
	T_QUIET; T_ASSERT_NOTNULL(attr, NULL);

	// Attach the suid cred port
	ret = posix_spawnattr_setsuidcredport_np(&attr, sc_ls);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);

	ret = posix_spawnp(NULL, id[0], NULL, &attr, id, environ);
	T_ASSERT_NE(ret, 0, "spawn with bad suid cred");

	ret = posix_spawnattr_destroy(&attr);
	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
}

/*
 * The privileged/entitled "server" which creates suid credentials to pass to a
 * client. Two creds are created, one for /usr/bin/id and the other for /bin/ls.
 * It waits for the client to contact and replies with the above ports.
 */
T_HELPER_DECL(suid_cred_server_helper, "suid cred server")
{
	mach_port_t server_port = MACH_PORT_NULL;
	kern_return_t ret = KERN_FAILURE;
	suid_cred_t sc_id = SUID_CRED_NULL;
	suid_cred_t sc_ls = SUID_CRED_NULL;
	mach_msg_empty_rcv_t rmsg = {};
	struct {
		mach_msg_header_t          header;
		mach_msg_body_t            body;
		mach_msg_port_descriptor_t id_port;
		mach_msg_port_descriptor_t ls_port;
	} smsg = {};

	T_SETUPBEGIN;

	ret = bootstrap_check_in(bootstrap_port, server_name, &server_port);
	T_ASSERT_MACH_SUCCESS(ret, NULL);

	T_SETUPEND;

	// Wait for a message to reply to.
	rmsg.header.msgh_size = sizeof(rmsg);
	rmsg.header.msgh_local_port = server_port;

	ret = mach_msg_receive(&rmsg.header);
	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, NULL);

	// Setup the reply.
	smsg.header.msgh_remote_port = rmsg.header.msgh_remote_port;
	smsg.header.msgh_local_port = MACH_PORT_NULL;
	smsg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND_ONCE, 0) | MACH_MSGH_BITS_COMPLEX;
	smsg.header.msgh_size = sizeof(smsg);

	smsg.body.msgh_descriptor_count = 2;

	// Create an suid cred for 'id'
	ret = task_create_suid_cred(mach_task_self(), "/usr/bin/id", 0, &sc_id);
	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, "create a new suid cred for id");
	T_QUIET; T_ASSERT_NE(sc_id, SUID_CRED_NULL, NULL);

	smsg.id_port.name = sc_id;
	smsg.id_port.disposition = MACH_MSG_TYPE_COPY_SEND;
	smsg.id_port.type = MACH_MSG_PORT_DESCRIPTOR;

	// Create an suid cred for 'ls'
	ret = task_create_suid_cred(mach_task_self(), "/bin/ls", 0, &sc_ls);
	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, "create a new suid cred for ls");
	T_QUIET; T_ASSERT_NE(sc_ls, SUID_CRED_NULL, NULL);

	smsg.ls_port.name = sc_ls;
	smsg.ls_port.disposition = MACH_MSG_TYPE_COPY_SEND;
	smsg.ls_port.type = MACH_MSG_PORT_DESCRIPTOR;

	ret = mach_msg_send(&smsg.header);
	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, NULL);
}

/*
 * The unprivileged "client" which requests suid credentials from the "server",
 * and runs some test cases with those credentials:
 *  - A positive test case to spawn something with euid 0
 *  - A negative test case to check that a cred can't be used twice
 *  - A negative test case to check that only the approved binary can be used
 *  with the credential.
 */
T_HELPER_DECL(suid_cred_client_helper, "suid cred client")
{
	mach_port_t server_port = MACH_PORT_NULL;
	mach_port_t client_port = MACH_PORT_NULL;
	kern_return_t ret = KERN_FAILURE;
	suid_cred_t sc_id = SUID_CRED_NULL;
	suid_cred_t sc_ls = SUID_CRED_NULL;
	mach_msg_empty_send_t smsg = {};
	struct {
		mach_msg_header_t          header;
		mach_msg_body_t            body;
		mach_msg_port_descriptor_t id_port;
		mach_msg_port_descriptor_t ls_port;
		mach_msg_trailer_t         trailer;
	} rmsg = {};

	uid_t euid = geteuid();

	T_SETUPBEGIN;

	// Make sure the effective UID is non-root.
	if (euid == 0) {
		ret = setuid(501);
		T_ASSERT_POSIX_ZERO(ret, "setuid");
	}

	/*
	 * As this can race with the "server" starting, give it time to
	 * start up.
	 */
	for (int i = 0; i < 30; i++) {
		ret = bootstrap_look_up(bootstrap_port, server_name, &server_port);
		if (ret != BOOTSTRAP_UNKNOWN_SERVICE) {
			break;
		}
		sleep(1);
	}

	T_QUIET; T_ASSERT_NE(server_port, MACH_PORT_NULL, NULL);

	// Create a report to receive the reply on.
	ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &client_port);
	T_ASSERT_MACH_SUCCESS(ret, NULL);

	T_SETUPEND;

	// Request the SUID cred ports
	smsg.header.msgh_remote_port = server_port;
	smsg.header.msgh_local_port = client_port;
	smsg.header.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_MOVE_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE, 0, 0);
	smsg.header.msgh_size = sizeof(smsg);

	ret = mach_msg_send(&smsg.header);
	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, NULL);

	// Wait for the reply.
	rmsg.header.msgh_size = sizeof(rmsg);
	rmsg.header.msgh_local_port = client_port;

	ret = mach_msg_receive(&rmsg.header);
	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, NULL);

	sc_id = rmsg.id_port.name;
	T_QUIET; T_ASSERT_NE(sc_id, SUID_CRED_NULL, NULL);
	test_id_cred(sc_id);
	test_id_cred_reuse(sc_id);

	sc_ls = rmsg.ls_port.name;
	T_QUIET; T_ASSERT_NE(sc_ls, SUID_CRED_NULL, NULL);
	test_ls_cred(sc_ls);
}

T_DECL(task_create_suid_cred, "task_create_suid_cred", T_META_ASROOT(true))
{
	dt_helper_t helpers[] = {
		dt_launchd_helper_domain("com.apple.xnu.test.task_create_suid_cred.plist",
	    "suid_cred_server_helper", NULL, LAUNCH_SYSTEM_DOMAIN),
		dt_fork_helper("suid_cred_client_helper"),
	};

	dt_run_helpers(helpers, sizeof(helpers) / sizeof(helpers[0]), 60);
}

/*
 * Creating an suid credential should fail for non-root (even if entitled).
 */
T_DECL(task_create_suid_cred_no_root, "task_create_suid_cred (no root)", T_META_ASROOT(true))
{
	kern_return_t ret = KERN_FAILURE;
	suid_cred_t sc = SUID_CRED_NULL;
	uid_t euid = geteuid();

	// Make sure the effective UID is non-root.
	if (euid == 0) {
		ret = setuid(501);
		T_QUIET; T_ASSERT_POSIX_ZERO(ret, "setuid");
	}

	ret = task_create_suid_cred(mach_task_self(), "/usr/bin/id", 0, &sc);
	T_ASSERT_MACH_ERROR(ret, KERN_NO_ACCESS, "create a new suid cred for id (non-root)");
}

#endif /* ENTITLED */
Commit	Line	Data
ea3f0419 A	1	#include <mach/mach.h>
	2
	3	#include <bootstrap.h>
	4	#include <darwintest.h>
	5	#include <darwintest_multiprocess.h>
	6	#include <spawn.h>
	7	#include <unistd.h>
	8
	9	#if defined(UNENTITLED)
	10
	11	/*
	12	* Creating an suid credential should fail without an entitlement.
	13	*/
	14	T_DECL(task_create_suid_cred_unentitled, "task_create_suid_cred (no entitlment)", T_META_ASROOT(true))
	15	{
	16	kern_return_t ret = KERN_FAILURE;
	17	suid_cred_t sc = SUID_CRED_NULL;
	18
	19	ret = task_create_suid_cred(mach_task_self(), "/usr/bin/id", 0, &sc);
	20	T_ASSERT_MACH_ERROR(ret, KERN_NO_ACCESS, "create a new suid cred for id (no entitlement)");
	21	}
	22
	23	#else /* ENTITLED */
	24
	25	extern char **environ;
	26	static const char *server_name = "com.apple.xnu.test.task_create_suid_cred";
	27
	28	/*
	29	* This is a positive test case which spawns /usr/bin/id with a properly created
	30	* suid credential and verifies that it correctly produces "euid=0"
	31	* Not running as root.
	32	*/
	33	static void
	34	test_id_cred(suid_cred_t sc_id)
	35	{
	36	posix_spawnattr_t attr;
	37	posix_spawn_file_actions_t file_actions;
	38	pid_t pid = -1;
	39	int status = -1;
	40	char template[] = "/tmp/suid_cred.XXXXXX";
	41	char *path = NULL;
	42	FILE *file = NULL;
	43	char *line = NULL;
	44	size_t linecap = 0;
	45	ssize_t linelen = 0;
	46	char *id[] = {"/usr/bin/id", NULL};
	47	kern_return_t ret = KERN_FAILURE;
	48
	49	/* Send stdout to a temporary file. */
	50	path = mktemp(template);
	51	T_QUIET; T_ASSERT_NOTNULL(path, NULL);
	52
	53	ret = posix_spawn_file_actions_init(&file_actions);
	54	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
	55
	56	ret = posix_spawn_file_actions_addopen(&file_actions, 1, path,
	57	O_WRONLY \| O_CREAT \| O_TRUNC, 0666);
	58	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
	59
	60	ret = posix_spawnattr_init(&attr);
	61	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
	62	T_QUIET; T_ASSERT_NOTNULL(attr, NULL);
	63
	64	// Attach the suid cred port
65	ret = posix_spawnattr_setsuidcredport_np(&attr, sc_id);
66	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
67
68	ret = posix_spawnp(&pid, id[0], &file_actions, &attr, id, environ);
69	T_ASSERT_POSIX_ZERO(ret, "spawn with suid cred");
70
71	ret = posix_spawnattr_destroy(&attr);
72	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
73
74	ret = posix_spawn_file_actions_destroy(&file_actions);
75	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
76
77	// Wait for id to finish executing and exit.
78	do {
79	ret = waitpid(pid, &status, 0);
80	} while (ret < 0 && errno == EINTR);
81	T_QUIET; T_ASSERT_POSIX_SUCCESS(ret, NULL);
82
83	// Read from the temp file and verify that euid is 0.
84	file = fopen(path, "re");
85	T_QUIET; T_ASSERT_NOTNULL(file, NULL);
86
87	linelen = getline(&line, &linecap, file);
88	T_QUIET; T_ASSERT_GT_LONG(linelen, 0L, NULL);
89
90	T_ASSERT_NOTNULL(strstr(line, "euid=0"), "verify that euid is zero");
91
92	free(line);
93	ret = fclose(file);
94	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
95
96	ret = unlink(path);
97	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
98	}
99
100	/*
101	* This is a negative test case which tries to spawn /usr/bin/id with a
102	* previously used credential. It is expected that posix_spawn() fails.
103	* sc_id should have already been used to successfully spawn /usr/bin/id.
104	*/
105	static void
106	test_id_cred_reuse(suid_cred_t sc_id)
107	{
108	posix_spawnattr_t attr;
109	char *id[] = {"/usr/bin/id", NULL};
110	kern_return_t ret = KERN_FAILURE;
111
112	ret = posix_spawnattr_init(&attr);
113	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
114	T_QUIET; T_ASSERT_NOTNULL(attr, NULL);
115
116	// Attach the suid cred port
117	ret = posix_spawnattr_setsuidcredport_np(&attr, sc_id);
118	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
119
120	ret = posix_spawnp(NULL, id[0], NULL, &attr, id, environ);
121	T_ASSERT_NE(ret, 0, "spawn with used suid cred");
122
123	ret = posix_spawnattr_destroy(&attr);
124	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
125	}
126
127	/*
128	* This is a negative test case which tries to spawn /usr/bin/id with a
129	* credential for /bin/ls. It is expected that posix_spawn() fails.
130	*/
131	static void
132	test_ls_cred(suid_cred_t sc_ls)
133	{
134	posix_spawnattr_t attr;
135	char *id[] = {"/usr/bin/id", NULL};
136	kern_return_t ret = KERN_FAILURE;
137
138	ret = posix_spawnattr_init(&attr);
139	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
140	T_QUIET; T_ASSERT_NOTNULL(attr, NULL);
141
142	// Attach the suid cred port
143	ret = posix_spawnattr_setsuidcredport_np(&attr, sc_ls);
144	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
145
146	ret = posix_spawnp(NULL, id[0], NULL, &attr, id, environ);
147	T_ASSERT_NE(ret, 0, "spawn with bad suid cred");
148
149	ret = posix_spawnattr_destroy(&attr);
150	T_QUIET; T_ASSERT_POSIX_ZERO(ret, NULL);
151	}
152
153	/*
154	* The privileged/entitled "server" which creates suid credentials to pass to a
155	* client. Two creds are created, one for /usr/bin/id and the other for /bin/ls.
156	* It waits for the client to contact and replies with the above ports.
157	*/
158	T_HELPER_DECL(suid_cred_server_helper, "suid cred server")
159	{
160	mach_port_t server_port = MACH_PORT_NULL;
161	kern_return_t ret = KERN_FAILURE;
162	suid_cred_t sc_id = SUID_CRED_NULL;
163	suid_cred_t sc_ls = SUID_CRED_NULL;
164	mach_msg_empty_rcv_t rmsg = {};
165	struct {
166	mach_msg_header_t header;
167	mach_msg_body_t body;
168	mach_msg_port_descriptor_t id_port;
169	mach_msg_port_descriptor_t ls_port;
170	} smsg = {};
171
172	T_SETUPBEGIN;
173
174	ret = bootstrap_check_in(bootstrap_port, server_name, &server_port);
175	T_ASSERT_MACH_SUCCESS(ret, NULL);
176
177	T_SETUPEND;
178
179	// Wait for a message to reply to.
180	rmsg.header.msgh_size = sizeof(rmsg);
181	rmsg.header.msgh_local_port = server_port;
182
183	ret = mach_msg_receive(&rmsg.header);
184	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, NULL);
185
186	// Setup the reply.
187	smsg.header.msgh_remote_port = rmsg.header.msgh_remote_port;
188	smsg.header.msgh_local_port = MACH_PORT_NULL;
189	smsg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND_ONCE, 0) \| MACH_MSGH_BITS_COMPLEX;
190	smsg.header.msgh_size = sizeof(smsg);
191
192	smsg.body.msgh_descriptor_count = 2;
193
194	// Create an suid cred for 'id'
195	ret = task_create_suid_cred(mach_task_self(), "/usr/bin/id", 0, &sc_id);
196	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, "create a new suid cred for id");
197	T_QUIET; T_ASSERT_NE(sc_id, SUID_CRED_NULL, NULL);
198
199	smsg.id_port.name = sc_id;
200	smsg.id_port.disposition = MACH_MSG_TYPE_COPY_SEND;
201	smsg.id_port.type = MACH_MSG_PORT_DESCRIPTOR;
202
203	// Create an suid cred for 'ls'
204	ret = task_create_suid_cred(mach_task_self(), "/bin/ls", 0, &sc_ls);
205	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, "create a new suid cred for ls");
206	T_QUIET; T_ASSERT_NE(sc_ls, SUID_CRED_NULL, NULL);
207
208	smsg.ls_port.name = sc_ls;
209	smsg.ls_port.disposition = MACH_MSG_TYPE_COPY_SEND;
210	smsg.ls_port.type = MACH_MSG_PORT_DESCRIPTOR;
211
212	ret = mach_msg_send(&smsg.header);
213	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, NULL);
214	}
215
216	/*
217	* The unprivileged "client" which requests suid credentials from the "server",
218	* and runs some test cases with those credentials:
219	* - A positive test case to spawn something with euid 0
220	* - A negative test case to check that a cred can't be used twice
221	* - A negative test case to check that only the approved binary can be used
222	* with the credential.
223	*/
224	T_HELPER_DECL(suid_cred_client_helper, "suid cred client")
225	{
226	mach_port_t server_port = MACH_PORT_NULL;
227	mach_port_t client_port = MACH_PORT_NULL;
228	kern_return_t ret = KERN_FAILURE;
229	suid_cred_t sc_id = SUID_CRED_NULL;
230	suid_cred_t sc_ls = SUID_CRED_NULL;
231	mach_msg_empty_send_t smsg = {};
232	struct {
233	mach_msg_header_t header;
234	mach_msg_body_t body;
235	mach_msg_port_descriptor_t id_port;
236	mach_msg_port_descriptor_t ls_port;
237	mach_msg_trailer_t trailer;
238	} rmsg = {};
239
240	uid_t euid = geteuid();
241
242	T_SETUPBEGIN;
243
244	// Make sure the effective UID is non-root.
245	if (euid == 0) {
246	ret = setuid(501);
247	T_ASSERT_POSIX_ZERO(ret, "setuid");
248	}
249
250	/*
251	* As this can race with the "server" starting, give it time to
252	* start up.
253	*/
254	for (int i = 0; i < 30; i++) {
255	ret = bootstrap_look_up(bootstrap_port, server_name, &server_port);
256	if (ret != BOOTSTRAP_UNKNOWN_SERVICE) {
257	break;
258	}
259	sleep(1);
260	}
261
262	T_QUIET; T_ASSERT_NE(server_port, MACH_PORT_NULL, NULL);
263
264	// Create a report to receive the reply on.
265	ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &client_port);
266	T_ASSERT_MACH_SUCCESS(ret, NULL);
267
268	T_SETUPEND;
269
270	// Request the SUID cred ports
271	smsg.header.msgh_remote_port = server_port;
272	smsg.header.msgh_local_port = client_port;
273	smsg.header.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_MOVE_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE, 0, 0);
274	smsg.header.msgh_size = sizeof(smsg);
275
276	ret = mach_msg_send(&smsg.header);
277	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, NULL);
278
279	// Wait for the reply.
280	rmsg.header.msgh_size = sizeof(rmsg);
281	rmsg.header.msgh_local_port = client_port;
282
283	ret = mach_msg_receive(&rmsg.header);
284	T_QUIET; T_ASSERT_MACH_SUCCESS(ret, NULL);
285
286	sc_id = rmsg.id_port.name;
287	T_QUIET; T_ASSERT_NE(sc_id, SUID_CRED_NULL, NULL);
288	test_id_cred(sc_id);
289	test_id_cred_reuse(sc_id);
290
291	sc_ls = rmsg.ls_port.name;
292	T_QUIET; T_ASSERT_NE(sc_ls, SUID_CRED_NULL, NULL);
293	test_ls_cred(sc_ls);
294	}
295
296	T_DECL(task_create_suid_cred, "task_create_suid_cred", T_META_ASROOT(true))
297	{
298	dt_helper_t helpers[] = {
299	dt_launchd_helper_domain("com.apple.xnu.test.task_create_suid_cred.plist",
300	"suid_cred_server_helper", NULL, LAUNCH_SYSTEM_DOMAIN),
301	dt_fork_helper("suid_cred_client_helper"),
302	};
303
304	dt_run_helpers(helpers, sizeof(helpers) / sizeof(helpers[0]), 60);
305	}
306
307	/*
308	* Creating an suid credential should fail for non-root (even if entitled).
309	*/
310	T_DECL(task_create_suid_cred_no_root, "task_create_suid_cred (no root)", T_META_ASROOT(true))
311	{
312	kern_return_t ret = KERN_FAILURE;
313	suid_cred_t sc = SUID_CRED_NULL;
314	uid_t euid = geteuid();
315
316	// Make sure the effective UID is non-root.
317	if (euid == 0) {
318	ret = setuid(501);
319	T_QUIET; T_ASSERT_POSIX_ZERO(ret, "setuid");
320	}
321
322	ret = task_create_suid_cred(mach_task_self(), "/usr/bin/id", 0, &sc);
323	T_ASSERT_MACH_ERROR(ret, KERN_NO_ACCESS, "create a new suid cred for id (non-root)");
324	}
325
326	#endif /* ENTITLED */