From 55d8ac528097013ee3c072406952e0394ce6ff34 Mon Sep 17 00:00:00 2001 From: David Disseldorp Date: Mon, 23 Feb 2015 20:24:11 +0100 Subject: torture/ioctl: add ioctl_sparse_perms test This test confirms that correct FSCTL_SET_SPARSE permission checks are in place on the server. Signed-off-by: David Disseldorp Reviewed-by: Jeremy Allison --- source4/torture/smb2/ioctl.c | 241 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 241 insertions(+) diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c index c7b870c863..a0cc29ad39 100644 --- a/source4/torture/smb2/ioctl.c +++ b/source4/torture/smb2/ioctl.c @@ -4017,6 +4017,245 @@ static bool test_ioctl_sparse_punch_invalid(struct torture_context *torture, return true; } +static bool test_ioctl_sparse_perms(struct torture_context *torture, + struct smb2_tree *tree) +{ + struct smb2_handle fh; + NTSTATUS status; + TALLOC_CTX *tmp_ctx = talloc_new(tree); + bool ok; + bool is_sparse; + struct file_alloced_range_buf *far_rsp = NULL; + uint64_t far_count = 0; + + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 0, SEC_RIGHTS_FILE_ALL, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_ioctl_sparse_fs_supported(torture, tree, tmp_ctx, &fh, + &ok); + torture_assert_ntstatus_ok(torture, status, "SMB2_GETINFO_FS"); + smb2_util_close(tree, fh); + if (!ok) { + torture_skip(torture, "Sparse files not supported\n"); + } + + /* set sparse without WRITE_ATTR permission should succeed */ + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 0, + (SEC_RIGHTS_FILE_WRITE & ~(SEC_FILE_WRITE_ATTRIBUTE + | SEC_STD_WRITE_DAC + | SEC_FILE_WRITE_EA)), + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_ioctl_sparse_req(torture, tmp_ctx, tree, fh, true); + torture_assert_ntstatus_ok(torture, status, "FSCTL_SET_SPARSE"); + smb2_util_close(tree, fh); + + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_RIGHTS_FILE_ALL, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_sparse_get(torture, tmp_ctx, tree, fh, &is_sparse); + torture_assert_ntstatus_ok(torture, status, "test_sparse_get"); + torture_assert(torture, is_sparse, "sparse after set"); + smb2_util_close(tree, fh); + + /* attempt get sparse without READ_DATA permission */ + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 0, + (SEC_RIGHTS_FILE_READ & ~SEC_FILE_READ_DATA), + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_sparse_get(torture, tmp_ctx, tree, fh, &is_sparse); + torture_assert_ntstatus_ok(torture, status, "test_sparse_get"); + torture_assert(torture, !is_sparse, "sparse set"); + smb2_util_close(tree, fh); + + /* attempt to set sparse with only WRITE_ATTR permission */ + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 0, + SEC_FILE_WRITE_ATTRIBUTE, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_ioctl_sparse_req(torture, tmp_ctx, tree, fh, true); + torture_assert_ntstatus_ok(torture, status, "FSCTL_SET_SPARSE"); + smb2_util_close(tree, fh); + + /* attempt to set sparse with only WRITE_DATA permission */ + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 0, + SEC_FILE_WRITE_DATA, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_ioctl_sparse_req(torture, tmp_ctx, tree, fh, true); + torture_assert_ntstatus_ok(torture, status, "FSCTL_SET_SPARSE"); + smb2_util_close(tree, fh); + + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_RIGHTS_FILE_ALL, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_sparse_get(torture, tmp_ctx, tree, fh, &is_sparse); + torture_assert_ntstatus_ok(torture, status, "test_sparse_get"); + torture_assert(torture, is_sparse, "sparse after set"); + smb2_util_close(tree, fh); + + /* attempt to set sparse with only APPEND_DATA permission */ + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 0, + SEC_FILE_APPEND_DATA, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_ioctl_sparse_req(torture, tmp_ctx, tree, fh, true); + torture_assert_ntstatus_ok(torture, status, "FSCTL_SET_SPARSE"); + smb2_util_close(tree, fh); + + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_RIGHTS_FILE_ALL, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_sparse_get(torture, tmp_ctx, tree, fh, &is_sparse); + torture_assert_ntstatus_ok(torture, status, "test_sparse_get"); + torture_assert(torture, is_sparse, "sparse after set"); + smb2_util_close(tree, fh); + + /* attempt to set sparse with only WRITE_EA permission - should fail */ + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 0, + SEC_FILE_WRITE_EA, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_ioctl_sparse_req(torture, tmp_ctx, tree, fh, true); + torture_assert_ntstatus_equal(torture, status, + NT_STATUS_ACCESS_DENIED, + "FSCTL_SET_SPARSE permission"); + smb2_util_close(tree, fh); + + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_RIGHTS_FILE_ALL, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_sparse_get(torture, tmp_ctx, tree, fh, &is_sparse); + torture_assert_ntstatus_ok(torture, status, "test_sparse_get"); + torture_assert(torture, !is_sparse, "sparse after set"); + smb2_util_close(tree, fh); + + /* attempt QAR with only READ_ATTR permission - should fail */ + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_FILE_READ_ATTRIBUTE, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_ioctl_qar_req(torture, tmp_ctx, tree, fh, + 4096, /* off */ + 1024, /* len */ + &far_rsp, &far_count); + torture_assert_ntstatus_equal(torture, status, + NT_STATUS_ACCESS_DENIED, + "FSCTL_QUERY_ALLOCATED_RANGES req passed"); + smb2_util_close(tree, fh); + + /* attempt QAR with only READ_DATA permission */ + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_FILE_READ_DATA, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_ioctl_qar_req(torture, tmp_ctx, tree, fh, + 0, /* off */ + 1024, /* len */ + &far_rsp, &far_count); + torture_assert_ntstatus_ok(torture, status, + "FSCTL_QUERY_ALLOCATED_RANGES req failed"); + torture_assert_u64_equal(torture, far_count, 0, + "unexpected response len"); + smb2_util_close(tree, fh); + + /* attempt QAR with only READ_EA permission - should fail */ + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_FILE_READ_EA, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_ioctl_qar_req(torture, tmp_ctx, tree, fh, + 4096, /* off */ + 1024, /* len */ + &far_rsp, &far_count); + torture_assert_ntstatus_equal(torture, status, + NT_STATUS_ACCESS_DENIED, + "FSCTL_QUERY_ALLOCATED_RANGES req passed"); + smb2_util_close(tree, fh); + + /* setup file for ZERO_DATA permissions tests */ + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 8192, + SEC_RIGHTS_FILE_ALL, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_ioctl_sparse_req(torture, tmp_ctx, tree, fh, true); + torture_assert_ntstatus_ok(torture, status, "FSCTL_SET_SPARSE"); + smb2_util_close(tree, fh); + + /* attempt ZERO_DATA with only WRITE_ATTR permission - should fail */ + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_FILE_WRITE_ATTRIBUTE, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_ioctl_zdata_req(torture, tmp_ctx, tree, fh, + 0, /* off */ + 4096); /* beyond_final_zero */ + torture_assert_ntstatus_equal(torture, status, + NT_STATUS_ACCESS_DENIED, + "zero_data permission"); + smb2_util_close(tree, fh); + + /* attempt ZERO_DATA with only WRITE_DATA permission */ + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_FILE_WRITE_DATA, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_ioctl_zdata_req(torture, tmp_ctx, tree, fh, + 0, /* off */ + 4096); /* beyond_final_zero */ + torture_assert_ntstatus_ok(torture, status, "zero_data"); + smb2_util_close(tree, fh); + + /* attempt ZERO_DATA with only APPEND_DATA permission - should fail */ + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_FILE_APPEND_DATA, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_ioctl_zdata_req(torture, tmp_ctx, tree, fh, + 0, /* off */ + 4096); /* beyond_final_zero */ + torture_assert_ntstatus_equal(torture, status, + NT_STATUS_ACCESS_DENIED, + "zero_data permission"); + smb2_util_close(tree, fh); + + /* attempt ZERO_DATA with only WRITE_EA permission - should fail */ + ok = test_setup_open(torture, tree, tmp_ctx, + FNAME, &fh, SEC_FILE_WRITE_EA, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + status = test_ioctl_zdata_req(torture, tmp_ctx, tree, fh, + 0, /* off */ + 4096); /* beyond_final_zero */ + torture_assert_ntstatus_equal(torture, status, + NT_STATUS_ACCESS_DENIED, + "zero_data permission"); + smb2_util_close(tree, fh); + + talloc_free(tmp_ctx); + return true; +} + /* * basic testing of SMB2 ioctls */ @@ -4108,6 +4347,8 @@ struct torture_suite *torture_smb2_ioctl_init(void) test_ioctl_sparse_copy_chunk); torture_suite_add_1smb2_test(suite, "sparse_punch_invalid", test_ioctl_sparse_punch_invalid); + torture_suite_add_1smb2_test(suite, "sparse_perms", + test_ioctl_sparse_perms); suite->description = talloc_strdup(suite, "SMB2-IOCTL tests"); -- cgit