1 /******************************************************************************/
2 /*                                                                            */
3 /* Copyright (c) International Business Machines  Corp., 2007, 2008           */
4 /*                                                                            */
5 /* This program is free software;  you can redistribute it and/or modify      */
6 /* it under the terms of the GNU General Public License as published by       */
7 /* the Free Software Foundation; either version 2 of the License, or          */
8 /* (at your option) any later version.                                        */
9 /*                                                                            */
10 /* This program is distributed in the hope that it will be useful,            */
11 /* but WITHOUT ANY WARRANTY;  without even the implied warranty of            */
12 /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See                  */
13 /* the GNU General Public License for more details.                           */
14 /*                                                                            */
15 /* You should have received a copy of the GNU General Public License          */
16 /* along with this program;  if not, write to the Free Software               */
17 /* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    */
18 /*                                                                            */
19 /******************************************************************************/
20 /*
21  * File: exec_with_inh.c
22  * Author: Serge Hallyn
23  * Make sure that CAP_SYS_ADMIN is in pI
24  * drop CAP_SYS_ADMIN from bounding set
25  * Then exec "check_pe 1"
26  * check_pe will return PASS if it has CAP_SYS_ADMIN in pE.
27  */
28 
29 #include <errno.h>
30 #include "config.h"
31 #if HAVE_SYS_CAPABILITY_H
32 #include <linux/types.h>
33 #include <sys/capability.h>
34 #endif
35 #include <sys/prctl.h>
36 #include "test.h"
37 
/* Number of test cases in this file; presumably read by the LTP test library (test.h) -- confirm. */
int TST_TOTAL = 1;

/* Test-case identifier; matches the file name exec_with_inh.c. */
char *TCID = "exec_with_inh";
40 
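/*
 * Entry point of the exec_with_inh test.
 *
 * Steps, as performed below:
 *   1. Raise the capability state "all=eip" on this process and confirm
 *      that CAP_SYS_ADMIN is set in the inheritable set (pI).
 *   2. Drop CAP_SYS_ADMIN from the capability bounding set.
 *   3. exec "check_pe 1"; per the file header, check_pe reports PASS if it
 *      finds CAP_SYS_ADMIN in its effective set (pE).
 *
 * Why this is worth testing: per capabilities(7), dropping a capability from
 * the bounding set does not remove it from an inheritable set that already
 * holds it, so the capability can still reach the exec'd program through pI.
 * NOTE(review): that only works if check_pe carries matching file
 * capabilities; this is set up outside this file -- confirm.
 *
 * argc and argv are not used.  When the capability support macros are not
 * defined the test only reports TCONF.
 */
int main(int argc, char *argv[])
{
#if HAVE_SYS_CAPABILITY_H
#if HAVE_DECL_PR_CAPBSET_DROP
#ifdef HAVE_LIBCAP
	int ret = 1;
	cap_flag_value_t f;
	cap_t cur = NULL;

	/*
	 * Make sure CAP_SYS_ADMIN is in pI.  Note that "all=eip" raises every
	 * capability in all three sets, which is broader than the
	 * "cap_sys_admin+i" wording of the messages below suggests.
	 */
	cur = cap_from_text("all=eip");
	if (!cur) {
		tst_brkm(TBROK,
			 NULL,
			 "Failed to create cap_sys_admin+i cap_t (errno %d)",
			 errno);
	}
	ret = cap_set_proc(cur);
	if (ret) {
		tst_brkm(TBROK,
			 NULL,
			 "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)",
			 ret, errno);
	}
	cap_free(cur);

	/* Read the state back instead of trusting that cap_set_proc() took effect. */
	cur = cap_get_proc();
	ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
	if (ret || f != CAP_SET) {
		tst_brkm(TBROK, NULL, "Failed to add CAP_SYS_ADMIN to pI");
	}
	cap_free(cur);

	/* drop the capability from bounding set */
	ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN);
	if (ret) {
		/*
		 * Save errno before the first report call: tst_resm() may
		 * itself make library calls that overwrite it, and the value
		 * from prctl() is the one worth reporting.
		 */
		int saved_errno = errno;

		tst_resm(TFAIL,
			 "Failed to drop CAP_SYS_ADMIN from bounding set.");
		tst_resm(TINFO, "(ret=%d, errno %d)", ret, saved_errno);
		tst_exit();
	}

	/*
	 * execute "check_pe 1"
	 *
	 * execl() does not search PATH, so "check_pe" is resolved relative to
	 * the current working directory.  The process still holds the
	 * capabilities raised above at this point, so the test should only be
	 * run from a directory whose contents are trusted.
	 */
	execl("check_pe", "check_pe", "1", NULL);
	/* Only reached when execl() failed. */
	tst_resm(TBROK, "Failed to execute check_pe (errno %d)", errno);
#else /* HAVE_LIBCAP */
	tst_resm(TCONF, "System doesn't have POSIX capabilities.");
#endif
#else /* HAVE_DECL_PR_CAPBSET_DROP*/
	tst_resm(TCONF, "System doesn't have CAPBSET prctls");
#endif
#else /* HAVE_SYS_CAPABILITY_H */
	tst_resm(TCONF, "System doesn't have sys/capability.h.");
#endif
	tst_exit();
}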
96