1 /******************************************************************************/
2 /*                                                                            */
3 /* Copyright (c) International Business Machines  Corp., 2008                 */
4 /*                                                                            */
5 /* This program is free software;  you can redistribute it and/or modify      */
6 /* it under the terms of the GNU General Public License as published by       */
7 /* the Free Software Foundation; either version 2 of the License, or          */
8 /* (at your option) any later version.                                        */
9 /*                                                                            */
10 /* This program is distributed in the hope that it will be useful,            */
11 /* but WITHOUT ANY WARRANTY;  without even the implied warranty of            */
12 /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See                  */
13 /* the GNU General Public License for more details.                           */
14 /*                                                                            */
15 /* You should have received a copy of the GNU General Public License          */
16 /* along with this program;  if not, write to the Free Software               */
17 /* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    */
18 /*                                                                            */
19 /******************************************************************************/
20 /*
21  * File: inh_capped
22  * Author: Serge Hallyn
23  * Purpose: test that CAP_SETPCAP is needed to add bits to pI
24  * Uses no command line arguments.
25  */
26 
27 #include <stdio.h>
28 #include "config.h"
29 #if HAVE_SYS_CAPABILITY_H
30 #include <linux/types.h>
31 #include <sys/capability.h>
32 #endif
33 #include "test.h"
34 
/*
 * Test identifier string. Presumably read by the test library declared in
 * test.h to tag result lines -- confirm there. Note that it says "filecaps"
 * while the file header names this test inh_capped.
 */
char *TCID = "filecaps";
/* Declared count of test cases in this program (one pass/fail verdict). */
int TST_TOTAL = 1;
37 
38 #ifdef HAVE_LIBCAP
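/*
 * Log the calling process's current capability state, preceded by a label.
 *
 * when: free-form label logged before the capability text.
 *
 * Both cap_get_proc() and cap_to_text() return libcap-allocated objects that
 * must be released with cap_free(), and either can fail and return NULL.
 * A failure is only reported as TINFO so that this diagnostic helper never
 * changes the verdict of the test.
 */
void debug_print_caps(char *when)
{
	char buf[2000];
	cap_t caps;
	char *text;

	tst_resm(TINFO, "%s", when);

	caps = cap_get_proc();
	if (!caps) {
		tst_resm(TINFO, "cap_get_proc failed");
		return;
	}

	text = cap_to_text(caps, NULL);
	if (!text) {
		tst_resm(TINFO, "cap_to_text failed");
		cap_free(caps);
		return;
	}

	/* Bound the text before logging, as the original code did. */
	snprintf(buf, sizeof(buf), "%s", text);
	tst_resm(TINFO, "%s", buf);

	cap_free(text);
	cap_free(caps);
}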
46 
/*
 * Parse a textual capability description and apply it to the calling process.
 *
 * capstr: capability text in the form accepted by cap_from_text(),
 *         e.g. "all=eip cap_sys_admin-ep+i".
 *
 * Returns 1 (after logging TFAIL) when the text cannot be parsed; otherwise
 * returns the result of cap_set_proc() unchanged, so callers see a non-zero
 * value both for a parse error and for a rejected capability change.
 */
int set_caps_from_text(char *capstr)
{
	int rc;
	cap_t wanted = cap_from_text(capstr);

	if (wanted == NULL) {
		tst_resm(TFAIL, "Bad capability name: %s", capstr);
		return 1;
	}

	rc = cap_set_proc(wanted);
	/* Release the libcap object whether or not the change was accepted. */
	cap_free(wanted);

	return rc;
}
60 #endif
61 
/*
 * Check that adding a capability to the inheritable set (pI) is refused once
 * CAP_SETPCAP is no longer in the effective set (pE).
 *
 * The steps must run in this order: each one sets up the capability state
 * that the next one depends on. Only the last step is expected to fail.
 * Without libcap support the test reports TCONF instead.
 */
int main(void)
{
#ifdef HAVE_LIBCAP
	int rc;

	debug_print_caps("start");

	/* Baseline: every capability effective, inheritable and permitted. */
	rc = set_caps_from_text("all=eip");
	debug_print_caps("after raising all caps");
	if (rc != 0) {
		tst_brkm(TFAIL, NULL, "failed to raise all caps");
	}

	/* Remove cap_sys_admin from all three sets. */
	rc = set_caps_from_text("all=iep cap_sys_admin-iep");
	debug_print_caps("after first drop cap_sys_admin");
	if (rc != 0) {
		tst_brkm(TFAIL, NULL, "failed to drop capsysadmin from pI");
	}

	/*
	 * cap_sys_admin cannot be regained in pE or pP, only in pI. This must
	 * succeed because CAP_SETPCAP is still effective at this point.
	 */
	rc = set_caps_from_text("all=eip cap_sys_admin-ep+i");
	debug_print_caps("after first raise cap_sys_admin");
	if (rc != 0) {
		tst_brkm(TFAIL, NULL, "failed to raise capsysadmin in pI");
	}

	/* Give up CAP_SETPCAP in pE while keeping it in pI and pP. */
	rc = set_caps_from_text("all=ip cap_setpcap-e+ip cap_sys_admin+i-ep");
	debug_print_caps("after drop cappset");
	if (rc != 0) {
		tst_brkm(TFAIL, NULL, "failed to drop cappset from pE");
	}

	/* Removing a bit from pI must still work without CAP_SETPCAP in pE. */
	rc = set_caps_from_text("all=iep cap_sys_admin-iep cap_setpcap-e+ip");
	debug_print_caps("after second drop cap_sys_admin");
	if (rc != 0) {
		tst_brkm(TFAIL, NULL,
			 "failed to drop capsysadmin from pI after dropping cappset from pE");
	}

	/*
	 * The actual check: put cap_sys_admin back into pI while CAP_SETPCAP
	 * is absent from pE. A non-zero result is the expected outcome.
	 *
	 * NOTE(review): any non-zero result counts as a pass here, including
	 * the 1 that set_caps_from_text() returns for unparsable text. The
	 * reason for the failure is not inspected, so this does not confirm
	 * that the request was refused for lack of privilege.
	 */
	rc = set_caps_from_text("all=iep cap_sys_admin-ep+i cap_setpcap-e+ip");
	debug_print_caps("final");
	if (rc == 0) {
		tst_resm(TFAIL,
			 "succeeded raising capsysadmin in pI without having setpcap");
	} else {
		tst_resm(TPASS, "pI is properly capped");
	}
#else
	tst_resm(TCONF, "System doesn't have POSIX capabilities support.");
#endif
	tst_exit();
}