Home | History | Annotate | Download | only in cap_bound 
      1 /******************************************************************************/
      2 /*                                                                            */
      3 /* Copyright (c) International Business Machines  Corp., 2007, 2008           */
      4 /*                                                                            */
      5 /* This program is free software;  you can redistribute it and/or modify      */
      6 /* it under the terms of the GNU General Public License as published by       */
      7 /* the Free Software Foundation; either version 2 of the License, or          */
      8 /* (at your option) any later version.                                        */
      9 /*                                                                            */
     10 /* This program is distributed in the hope that it will be useful,            */
     11 /* but WITHOUT ANY WARRANTY;  without even the implied warranty of            */
     12 /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See                  */
     13 /* the GNU General Public License for more details.                           */
     14 /*                                                                            */
     15 /* You should have received a copy of the GNU General Public License          */
     16 /* along with this program;  if not, write to the Free Software               */
     17 /* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    */
     18 /*                                                                            */
     19 /******************************************************************************/
     20 /*
     21  * File: cap_bset_inh_bounds.c
     22  * Author: Serge Hallyn
     23  * Purpose: test bounding set constraint on pI
     24  * 	(X = the capability bounding set)
     25  * 	1. if N \in pI, then dropping N from X does not drop it from pI
     26  * 	2. if N \notin X and N \notin pI, then adding N to pI fails
     27  */
     28 
     29 #include <errno.h>
     30 #include "config.h"
     31 #if HAVE_SYS_CAPABILITY_H
     32 #include <linux/types.h>
     33 #include <sys/capability.h>
     34 #endif
     35 #include <sys/prctl.h>
     36 #include "test.h"
     37 
     38 char *TCID = "cap_bounds_r";
     39 int TST_TOTAL = 2;
     40 
     41 int main(int argc, char *argv[])
     42 {
     43 #if HAVE_SYS_CAPABILITY_H
     44 #if HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP
     45 #ifdef HAVE_LIBCAP
     46 	int ret = 1;
     47 	cap_value_t v[1];
     48 	cap_flag_value_t f;
     49 	cap_t cur, tmpcap;
     50 
     51 	/* We pick a random capability... let's use CAP_SYS_ADMIN */
     52 	/* make sure we have the capability now */
     53 	ret = prctl(PR_CAPBSET_READ, CAP_SYS_ADMIN);
     54 	if (ret != 1) {
     55 		tst_brkm(TBROK, NULL, "Not starting with CAP_SYS_ADMIN\n");
     56 	}
     57 
     58 	/* Make sure it's in pI */
     59 	cur = cap_from_text("all=eip");
     60 	if (!cur) {
     61 		tst_brkm(TBROK,
     62 			 NULL,
     63 			 "Failed to create cap_sys_admin+i cap_t (errno %d)\n",
     64 			 errno);
     65 	}
     66 	ret = cap_set_proc(cur);
     67 	if (ret) {
     68 		tst_brkm(TBROK,
     69 			 NULL,
     70 			 "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n",
     71 			 ret, errno);
     72 	}
     73 	cap_free(cur);
     74 	cur = cap_get_proc();
     75 	ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
     76 	if (ret || f != CAP_SET) {
     77 		tst_brkm(TBROK, NULL, "Failed to add CAP_SYS_ADMIN to pI\n");
     78 	}
     79 	cap_free(cur);
     80 
     81 	/* drop the capability from bounding set */
     82 	ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN);
     83 	if (ret) {
     84 		tst_resm(TFAIL,
     85 			 "Failed to drop CAP_SYS_ADMIN from bounding set.\n");
     86 		tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno);
     87 		tst_exit();
     88 	}
     89 
     90 	/* test 1: is CAP_SYS_ADMIN still in pI? */
     91 	cur = cap_get_proc();
     92 	ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
     93 	if (ret || f != CAP_SET) {
     94 		tst_brkm(TFAIL,
     95 			 NULL,
     96 			 "CAP_SYS_ADMIN not in pI after dropping from bounding set\n");
     97 	}
     98 	tst_resm(TPASS,
     99 		 "CAP_SYS_ADMIN remains in pI after removing from bounding set\n");
    100 
    101 	tmpcap = cap_dup(cur);
    102 	v[0] = CAP_SYS_ADMIN;
    103 	ret = cap_set_flag(tmpcap, CAP_INHERITABLE, 1, v, CAP_CLEAR);
    104 	if (ret) {
    105 		tst_brkm(TFAIL, NULL,
    106 			 "Failed to drop CAP_SYS_ADMIN from cap_t\n");
    107 	}
    108 	ret = cap_set_proc(tmpcap);
    109 	if (ret) {
    110 		tst_brkm(TFAIL, NULL,
    111 			 "Failed to drop CAP_SYS_ADMIN from pI\n");
    112 	}
    113 	cap_free(tmpcap);
    114 	/* test 2: can we put it back in pI? */
    115 	ret = cap_set_proc(cur);
    116 	if (ret == 0) {		/* success means pI was not bounded by X */
    117 		tst_brkm(TFAIL,
    118 			 NULL,
    119 			 "Managed to put CAP_SYS_ADMIN back into pI though not in X\n");
    120 	}
    121 	cap_free(cur);
    122 
    123 	tst_resm(TPASS,
    124 		 "Couldn't put CAP_SYS_ADMIN back into pI when not in bounding set\n");
    125 #else /* HAVE_LIBCAP */
    126 	tst_resm(TCONF, "System doesn't have POSIX capabilities.");
    127 #endif
    128 #else /* HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP */
    129 	tst_resm(TCONF, "System doesn't have CAPBSET prctls.");
    130 #endif
    131 #else /* HAVE_SYS_CAPABILITY_H */
    132 	tst_resm(TCONF, "System doesn't have sys/capability.h.");
    133 #endif
    134 	tst_exit();
    135 }
    136