From 408f3d2cd64cae6b2f76a940c76236e9841c095f Mon Sep 17 00:00:00 2001
From: Dean Deng <deandeng@google.com>
Date: Thu, 18 Jun 2020 22:00:56 -0700
Subject: Fix vfs2 tmpfs link permission checks.

Updates #2923.

PiperOrigin-RevId: 317246916
---
 test/syscalls/BUILD         |  1 +
 test/syscalls/linux/link.cc | 15 +++++++++++++--
 test/util/test_util.h       |  1 +
 3 files changed, 15 insertions(+), 2 deletions(-)

(limited to 'test')

diff --git a/test/syscalls/BUILD b/test/syscalls/BUILD
index 1638a11c7..65a6a7f37 100644
--- a/test/syscalls/BUILD
+++ b/test/syscalls/BUILD
@@ -305,6 +305,7 @@ syscall_test(
     add_overlay = True,
     test = "//test/syscalls/linux:link_test",
     use_tmpfs = True,  # gofer needs CAP_DAC_READ_SEARCH to use AT_EMPTY_PATH with linkat(2)
+    vfs2 = "True",
 )
 
 syscall_test(
diff --git a/test/syscalls/linux/link.cc b/test/syscalls/linux/link.cc
index e74fa2ed5..544681168 100644
--- a/test/syscalls/linux/link.cc
+++ b/test/syscalls/linux/link.cc
@@ -79,8 +79,13 @@ TEST(LinkTest, PermissionDenied) {
 
   // Make the file "unsafe" to link by making it only readable, but not
   // writable.
-  const auto oldfile =
+  const auto unwriteable_file =
       ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateFileMode(0400));
+  const std::string special_path = NewTempAbsPath();
+  ASSERT_THAT(mkfifo(special_path.c_str(), 0666), SyscallSucceeds());
+  const auto setuid_file =
+      ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateFileMode(0666 | S_ISUID));
+
   const std::string newname = NewTempAbsPath();
 
   // Do setuid in a separate thread so that after finishing this test, the
@@ -97,8 +102,14 @@ TEST(LinkTest, PermissionDenied) {
     EXPECT_THAT(syscall(SYS_setuid, absl::GetFlag(FLAGS_scratch_uid)),
                 SyscallSucceeds());
 
-    EXPECT_THAT(link(oldfile.path().c_str(), newname.c_str()),
+    EXPECT_THAT(link(unwriteable_file.path().c_str(), newname.c_str()),
+                SyscallFailsWithErrno(EPERM));
+    EXPECT_THAT(link(special_path.c_str(), newname.c_str()),
                 SyscallFailsWithErrno(EPERM));
+    if (!IsRunningWithVFS1()) {
+      EXPECT_THAT(link(setuid_file.path().c_str(), newname.c_str()),
+                  SyscallFailsWithErrno(EPERM));
+    }
   });
 }
 
diff --git a/test/util/test_util.h b/test/util/test_util.h
index 8e3245b27..e635827e6 100644
--- a/test/util/test_util.h
+++ b/test/util/test_util.h
@@ -220,6 +220,7 @@ constexpr char kKVM[] = "kvm";
 bool IsRunningOnGvisor();
 const std::string GvisorPlatform();
 bool IsRunningWithHostinet();
+// TODO(gvisor.dev/issue/1624): Delete once VFS1 is gone.
 bool IsRunningWithVFS1();
 
 #ifdef __linux__
-- 
cgit v1.2.3