quicktest.sh - OpenGrok cross reference for /external/libcap/progs/quicktest.sh

Lines Matching +full:- +full:- +full:privileged
6 # [Run this as root in a root-enabled process tree.]
11     if [ $? -ne 0 ]; then
21     echo -n "EXPECT FAILURE: "
23     if [ $? -eq 1 ]; then
27 	echo "Undesired result - aborting"
34     echo -n "EXPECT SUCCESS: "
36     if [ $? -eq 0 ]; then
39 	echo "Undesired result - aborting"
45 pass_capsh --print
46 pass_capsh --current
49 PATH=$(/bin/pwd)/junk:$(/bin/pwd) capsh == == == --modes
50 if [ $? -ne 0 ]; then
55 # Make a local non-setuid-0 version of capsh and call it privileged
56 cp ./tcapsh-static ./privileged && /bin/chmod -s ./privileged
57 if [ $? -ne 0 ]; then
63 ./setcap all=ep ./privileged
64 if [ $? -ne 0 ]; then
68 ./setcap cap_setuid,cap_setgid=ep ./privileged
69 if [ $? -ne 0 ]; then
70     echo "Failed to set limited capabilities on privileged file"
75 pass_capsh --inh=cap_chown --mode=PURE1E --print --inmode=PURE1E
76 pass_capsh --mode=NOPRIV --print --inmode=NOPRIV
77 pass_capsh --mode=PURE1E --print --mode=NOPRIV --inmode=NOPRIV
78 fail_capsh --mode=NOPRIV --print --mode=PURE1E
79 fail_capsh --user=nobody --mode=NOPRIV --print -- ./privileged
82 pass_capsh --mode=PURE1E --iab='!%cap_chown,cap_sys_admin'
85 pass_capsh --keep=0 --keep=1 --keep=0 --keep=1 --print
87 /bin/rm -f tcapsh
88 /bin/cp tcapsh-static tcapsh
91 /bin/ls -l tcapsh
97 …capsh --uid=1 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --print --uid=1 --p…
101 …h --uid=1 -- -c "./tcapsh --caps=\"cap_net_raw,cap_net_admin=ip cap_setuid=p\" --print --cap-uid=2…
104 pass_capsh --uid=1 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --uid=1 --forkf…
106 # only continue with these if --secbits is supported
107 ./capsh --secbits=0x2f > /dev/null 2>&1
108 if [ $? -ne 0 ]; then
109     echo "unable to test securebits manipulation - assume not supported (PASS)"
110     rm -f tcapsh
111     rm -f privileged
117 nouid=$(/usr/bin/id nobody -u)
119 pass_capsh --secbits=42 --print
120 fail_capsh --secbits=32 --keep=1 --keep=0 --print
121 pass_capsh --secbits=10 --keep=0 --keep=1 --print
122 fail_capsh --secbits=47 -- -c "./tcapsh --uid=$nouid"
124 /bin/rm -f tcapsh
127 fail_capsh --secbits=47 --print -- -c "./capsh --uid=$nouid"
129 # suppress uid=0 privilege and test this privileged
130 pass_capsh --secbits=0x2f --print -- -c "./privileged --uid=$nouid"
133 fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --uid=$nouid"
136 ./setcap cap_setuid,cap_setgid=ei ./privileged
138 # Note, the bounding set (edited with --drop) only limits p
140 pass_capsh --secbits=47 --inh=cap_setuid,cap_setgid --drop=cap_setuid \
141     --uid=1 --print -- -c "./privileged --uid=$nouid"
143 # test that we do not support capabilities on setuid shell-scripts
148 caps=\$(./getpcaps \$mypid 2>&1 | /usr/bin/cut -d: -f2)
150   echo "Shell script got [\$caps] - you should upgrade your kernel"
153   ls -l \$0
154   echo "Good, no capabilities [\$caps] for this setuid-0 shell script"
159 ./capsh --uid=1 --inh=none --print -- ./hack.sh
161 /bin/rm -f ./hack.sh
162 if [ $status -ne 0 ]; then
169 if ./capsh --has-ambient ; then
170     secbits="0xef --noamb"
172 pass_capsh --keep=1 --uid=$nouid --caps=cap_setpcap=ep \
173 	   --drop=all --secbits=$secbits --caps= --print
176 pass_capsh --chroot=$(/bin/pwd)
177 pass_capsh -- -c "./tcapsh-static --chroot=$(/bin/pwd) =="
178 fail_capsh --chroot=$(/bin/pwd) -- -c "echo oops"
180 ./capsh --has-ambient
181 if [ $? -eq 0 ]; then
185     pass_capsh --noamb
192 caps=\$(./getpcaps \$mypid 2>&1 | /usr/bin/cut -d: -f2)
197 ls -l \$0
202     pass_capsh --keep=1 --uid=$nouid --inh=cap_setuid --addamb=cap_setuid -- ./hack.sh
204     /bin/rm -f hack.sh
206     # Next force the privileged binary to have an empty capability set.
207     # This is sort of the opposite of privileged - it should ensure that
209     ./setcap = ./privileged
210 …fail_capsh --keep=1 --uid=$nouid --inh=cap_setuid --addamb=cap_setuid -- -c "./privileged --print …
212     # finally remove the capability from the privileged binary and try again.
213     ./setcap -r ./privileged
214 …pass_capsh --keep=1 --uid=$nouid --inh=cap_setuid --addamb=cap_setuid -- -c "./privileged --print …
217     pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_sys_admin'
218     fail_capsh --mode=PURE1E --iab='!%cap_chown,^cap_sys_admin'
220 /bin/rm -f ./privileged
226 rm -f nsprivileged
227 cp ./tcapsh-static ./nsprivileged && /bin/chmod -s ./nsprivileged
228 ./setcap -n 1 all=ep ./nsprivileged
229 if [ $? -eq 0 ]; then
230     ./getcap -n ./nsprivileged | fgrep "[rootid=1]"
231     if [ $? -ne 0 ]; then
239     fail_capsh --secbits=$secbits --print -- -c "./nsprivileged --uid=$nouid"
241     echo "ns file caps not supported - skipping test"
243 rm -f nsprivileged
246 if [ -f ../go/compare-cap ]; then
247     cp ../go/compare-cap .
248     LD_LIBRARY_PATH=../libcap ./compare-cap
249     if [ $? -ne 0 ]; then
253     LD_LIBRARY_PATH=../libcap ./compare-cap 2>&1 | grep "skipping file cap tests"
254     if [ $? -eq 0 ]; then
261 rm -f compare-cap
265 if [ $? -ne 0 ]; then