From d3a2d86d313133b9429eb21f45a36e8d39de73b6 Mon Sep 17 00:00:00 2001
From: Michael Orlitzky
Date: Sat, 27 Jan 2018 20:05:02 -0500
Subject: [PATCH 1/3] tests: add test case for fchown/fchmod with O_RDONLY (Gentoo bug 599706).
---
 tests/Makefile.am | 2 ++
 tests/fchmod-0.c | 27 +++++++++++++++++++++++++++
 tests/fchmod-1.sh | 14 ++++++++++++++
 tests/fchmod.at | 1 +
 tests/fchown-0.c | 27 +++++++++++++++++++++++++++
 tests/fchown-1.sh | 14 ++++++++++++++
 tests/fchown.at | 1 +
 7 files changed, 86 insertions(+)
 create mode 100644 tests/fchmod-0.c
 create mode 100755 tests/fchmod-1.sh
 create mode 100644 tests/fchmod.at
 create mode 100644 tests/fchown-0.c
 create mode 100755 tests/fchown-1.sh
 create mode 100644 tests/fchown.at
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d98898f..33518a5 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -20,7 +20,9 @@ check_PROGRAMS = \
 creat64-0 \
 execvp-0 \
 faccessat-0 \
+ fchmod-0 \
 fchmodat-0 \
+ fchown-0 \
 fchownat-0 \
 fopen-0 \
 fopen64-0 \
diff --git a/tests/fchmod-0.c b/tests/fchmod-0.c
new file mode 100644
index 0000000..33e551b
--- /dev/null
+++ b/tests/fchmod-0.c
@@ -0,0 +1,27 @@
+/*
+ * https://bugs.gentoo.org/599706
+ *
+ */
+
+#include "headers.h"
+
+int main(int argc, char *argv[])
+{
+ if (argc < 2)
+ return -2;
+
+ int mode = 0;
+ sscanf(argv[1], "%i", &mode);
+ /* The sandbox catches this:
+ *
+ * int fd = open(argv[2], O_RDWR);
+ *
+ * And it /should/ catch this:
+ *
+ * int fd = open(argv[2], O_RDONLY);
+ */
+ int fd = open(argv[2], O_RDONLY);
+ int fchmod_result = fchmod(fd, (mode_t)mode);
+ close(fd);
+ return fchmod_result;
+}
diff --git a/tests/fchmod-1.sh b/tests/fchmod-1.sh
new file mode 100755
index 0000000..db404ba
--- /dev/null
+++ b/tests/fchmod-1.sh
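Review bot: The argument guard in the new `tests/fchmod-0.c` is off by one and the result of `open()` is never checked, so the helper can fail for reasons that have nothing to do with the sandbox. `main` reads `argv[2]` but only rejects `argc < 2`; the guard should be `if (argc < 3)`. If `open()` returns -1, `fchmod(-1, ...)` fails with EBADF and the program exits with the same status as a sandbox denial, which the shell test counts as a pass; adding `if (fd < 0) return 3;` (a status distinct from the fchmod result) would keep a broken test setup from masking a regression of bug 599706. `tests/fchown-0.c` has the same two problems (`argc < 3` while reading `argv[3]`, unchecked `open()`), and the `sscanf`/`atoi` conversions in both files are unchecked as well.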
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# https://bugs.gentoo.org/599706
+#
+
+addwrite $PWD
+
+# The sandbox doesn't log anything when it returns a junk file
+# descriptor? It doesn't look like we can test the contents of
+# sandbox.log here... instead, we just have to count on fchmod
+# failing, which it does if you use O_RDWR, and it *should* if you use
+# O_RDONLY (because that won't stop the change of permissions).
+fchmod-0 $(stat --format='%#04a' ../..) ../.. && exit 1
+exit 0
diff --git a/tests/fchmod.at b/tests/fchmod.at
new file mode 100644
index 0000000..081d7d2
--- /dev/null
+++ b/tests/fchmod.at
@@ -0,0 +1 @@
+SB_CHECK(1)
diff --git a/tests/fchown-0.c b/tests/fchown-0.c
new file mode 100644
index 0000000..cfbce38
--- /dev/null
+++ b/tests/fchown-0.c
@@ -0,0 +1,27 @@
+/*
+ * https://bugs.gentoo.org/599706
+ *
+ */
+
+#include "headers.h"
+
+int main(int argc, char *argv[])
+{
+ if (argc < 3)
+ return -2;
+
+ uid_t uid = atoi(argv[1]);
+ gid_t gid = atoi(argv[2]);
+ /* The sandbox catches this:
+ *
+ * int fd = open(argv[3], O_RDWR);
+ *
+ * And it /should/ catch this:
+ *
+ * int fd = open(argv[3], O_RDONLY);
+ */
+ int fd = open(argv[3], O_RDONLY);
+ int fchown_result = fchown(fd, uid, gid);
+ close(fd);
+ return fchown_result;
+}
diff --git a/tests/fchown-1.sh b/tests/fchown-1.sh
new file mode 100755
index 0000000..1b4a173
--- /dev/null
+++ b/tests/fchown-1.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# https://bugs.gentoo.org/599706
+#
+
+addwrite $PWD
+
+# The sandbox doesn't log anything when it returns a junk file
+# descriptor? It doesn't look like we can test the contents of
+# sandbox.log here... instead, we just have to count on fchown
+# failing, which it does if you use O_RDWR, and it *should* if you use
+# O_RDONLY (because that won't stop the change of ownership).
+fchown-0 ${SB_UID} ${SB_GID} ../.. && exit 1
+exit 0
diff --git a/tests/fchown.at b/tests/fchown.at
new file mode 100644
index 0000000..081d7d2
--- /dev/null
+++ b/tests/fchown.at
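Review bot: The last two lines of `tests/fchmod-1.sh` (`fchmod-0 ... && exit 1` then `exit 0`) treat every non-zero status as proof that the sandbox blocked the call, so the test also passes when the helper binary is not found, when `stat` fails, or when the helper exits on its usage check. As written the helper returns fchmod's -1 (exit status 255) on failure and -2 (254) on bad usage, so the script could accept only the former, e.g. `fchmod-0 "$(stat --format='%#04a' ../..)" ../..; [ $? -eq 255 ]` as the final command. The same applies to `tests/fchown-1.sh`, where an empty `${SB_UID}` or `${SB_GID}` would shrink the argument list and still count as a pass. `addwrite $PWD` in both scripts should be quoted as `addwrite "$PWD"`.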
@@ -0,0 +1 @@
+SB_CHECK(1)
-- 
2.13.6