[thirdparty/systemd.git] / src / test / test-capability.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd

  Copyright 2014 Ronny Chevalier

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <netinet/in.h>
#include <pwd.h>
#include <sys/capability.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#include "alloc-util.h"
#include "capability-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "macro.h"
#include "parse-util.h"
#include "util.h"

static uid_t test_uid = -1;
static gid_t test_gid = -1;

/* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */
static uint64_t test_flags = 1ULL << CAP_DAC_OVERRIDE;

/* verify cap_last_cap() against /proc/sys/kernel/cap_last_cap */
static void test_last_cap_file(void) {
        _cleanup_free_ char *content = NULL;
        unsigned long val = 0;
        int r;

        r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);
        assert_se(r >= 0);

        r = safe_atolu(content, &val);
        assert_se(r >= 0);
        assert_se(val != 0);
        assert_se(val == cap_last_cap());
}

/* verify cap_last_cap() against syscall probing */
static void test_last_cap_probe(void) {
        unsigned long p = (unsigned long)CAP_LAST_CAP;

        if (prctl(PR_CAPBSET_READ, p) < 0) {
                for (p--; p > 0; p --)
                        if (prctl(PR_CAPBSET_READ, p) >= 0)
                                break;
        } else {
                for (;; p++)
                        if (prctl(PR_CAPBSET_READ, p+1) < 0)
                                break;
        }

        assert_se(p != 0);
        assert_se(p == cap_last_cap());
}

static void fork_test(void (*test_func)(void)) {
        pid_t pid = 0;

        pid = fork();
        assert_se(pid >= 0);
        if (pid == 0) {
                test_func();
                exit(0);
        } else if (pid > 0) {
                int status;

                assert_se(waitpid(pid, &status, 0) > 0);
                assert_se(WIFEXITED(status) && WEXITSTATUS(status) == 0);
        }
}

static void show_capabilities(void) {
        cap_t caps;
        char *text;

        caps = cap_get_proc();
        assert_se(caps);

        text = cap_to_text(caps, NULL);
        assert_se(text);

        log_info("Capabilities:%s", text);
        cap_free(caps);
        cap_free(text);
}

static int setup_tests(bool *run_ambient) {
        struct passwd *nobody;
        int r;

        nobody = getpwnam("nobody");
        if (!nobody) {
                log_error_errno(errno, "Could not find nobody user: %m");
                return -EXIT_TEST_SKIP;
        }
        test_uid = nobody->pw_uid;
        test_gid = nobody->pw_gid;

        *run_ambient = false;

        r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);

        /* There's support for PR_CAP_AMBIENT if the prctl() call
         * succeeded or error code was something else than EINVAL. The
         * EINVAL check should be good enough to rule out false
         * positives. */

        if (r >= 0 || errno != EINVAL)
                *run_ambient = true;

        return 0;
}

static void test_drop_privileges_keep_net_raw(void) {
        int sock;

        sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
        assert_se(sock >= 0);
        safe_close(sock);

        assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_NET_RAW)) >= 0);
        assert_se(getuid() == test_uid);
        assert_se(getgid() == test_gid);
        show_capabilities();

        sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
        assert_se(sock >= 0);
        safe_close(sock);
}

static void test_drop_privileges_dontkeep_net_raw(void) {
        int sock;

        sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
        assert_se(sock >= 0);
        safe_close(sock);

        assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
        assert_se(getuid() == test_uid);
        assert_se(getgid() == test_gid);
        show_capabilities();

        sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
        assert_se(sock < 0);
}

static void test_drop_privileges_fail(void) {
        assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
        assert_se(getuid() == test_uid);
        assert_se(getgid() == test_gid);

        assert_se(drop_privileges(test_uid, test_gid, test_flags) < 0);
        assert_se(drop_privileges(0, 0, test_flags) < 0);
}

static void test_drop_privileges(void) {
        fork_test(test_drop_privileges_keep_net_raw);
        fork_test(test_drop_privileges_dontkeep_net_raw);
        fork_test(test_drop_privileges_fail);
}

static void test_have_effective_cap(void) {
        assert_se(have_effective_cap(CAP_KILL));
        assert_se(have_effective_cap(CAP_CHOWN));

        assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_KILL)) >= 0);
        assert_se(getuid() == test_uid);
        assert_se(getgid() == test_gid);

        assert_se(have_effective_cap(CAP_KILL));
        assert_se(!have_effective_cap(CAP_CHOWN));
}

static void test_update_inherited_set(void) {
        cap_t caps;
        uint64_t set = 0;
        cap_flag_value_t fv;

        caps = cap_get_proc();
        assert_se(caps);
        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
        assert(fv == CAP_CLEAR);

        set = (UINT64_C(1) << CAP_CHOWN);

        assert_se(!capability_update_inherited_set(caps, set));
        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
        assert(fv == CAP_SET);

        cap_free(caps);
}

static void test_set_ambient_caps(void) {
        cap_t caps;
        uint64_t set = 0;
        cap_flag_value_t fv;

        caps = cap_get_proc();
        assert_se(caps);
        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
        assert(fv == CAP_CLEAR);
        cap_free(caps);

        assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0);

        set = (UINT64_C(1) << CAP_CHOWN);

        assert_se(!capability_ambient_set_apply(set, true));

        caps = cap_get_proc();
        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
        assert(fv == CAP_SET);
        cap_free(caps);

        assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1);
}

int main(int argc, char *argv[]) {
        int r;
        bool run_ambient;

        test_last_cap_file();
        test_last_cap_probe();

        log_parse_environment();
        log_open();

        log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported()));

        if (getuid() != 0)
                return EXIT_TEST_SKIP;

        r = setup_tests(&run_ambient);
        if (r < 0)
                return -r;

        show_capabilities();

        test_drop_privileges();
        test_update_inherited_set();

        fork_test(test_have_effective_cap);

        if (run_ambient)
                fork_test(test_set_ambient_caps);

        return 0;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
6160e473 RC	2	/***
	3	This file is part of systemd
	4
	5	Copyright 2014 Ronny Chevalier
	6
	7	systemd is free software; you can redistribute it and/or modify it
	8	under the terms of the GNU Lesser General Public License as published by
	9	the Free Software Foundation; either version 2.1 of the License, or
	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	Lesser General Public License for more details.
	16
	17	You should have received a copy of the GNU Lesser General Public License
	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
6160e473 RC	21	#include <netinet/in.h>
6160e473 RC	22	#include <pwd.h>
3ffd4af2	23	#include <sys/capability.h>
70d7aea5	24	#include <sys/prctl.h>
3ffd4af2 LP	25	#include <sys/socket.h>
3ffd4af2 LP	26	#include <sys/wait.h>
6160e473 RC	27	#include <unistd.h>
6160e473 RC	28
4c1a95fd	29	#include "alloc-util.h"
430f0182	30	#include "capability-util.h"
3ffd4af2	31	#include "fd-util.h"
4c1a95fd	32	#include "fileio.h"
6160e473	33	#include "macro.h"
4c1a95fd	34	#include "parse-util.h"
3ffd4af2	35	#include "util.h"
6160e473 RC	36
	37	static uid_t test_uid = -1;
	38	static gid_t test_gid = -1;
3ffd4af2 LP	39
3ffd4af2 LP	40	/* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */
6160e473 RC	41	static uint64_t test_flags = 1ULL << CAP_DAC_OVERRIDE;
6160e473 RC	42
4c1a95fd YW	43	/* verify cap_last_cap() against /proc/sys/kernel/cap_last_cap */
	44	static void test_last_cap_file(void) {
	45	_cleanup_free_ char *content = NULL;
	46	unsigned long val = 0;
	47	int r;
	48
	49	r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);
	50	assert_se(r >= 0);
	51
	52	r = safe_atolu(content, &val);
	53	assert_se(r >= 0);
	54	assert_se(val != 0);
	55	assert_se(val == cap_last_cap());
	56	}
	57
	58	/* verify cap_last_cap() against syscall probing */
	59	static void test_last_cap_probe(void) {
	60	unsigned long p = (unsigned long)CAP_LAST_CAP;
	61
	62	if (prctl(PR_CAPBSET_READ, p) < 0) {
	63	for (p--; p > 0; p --)
	64	if (prctl(PR_CAPBSET_READ, p) >= 0)
	65	break;
	66	} else {
	67	for (;; p++)
	68	if (prctl(PR_CAPBSET_READ, p+1) < 0)
	69	break;
	70	}
	71
	72	assert_se(p != 0);
	73	assert_se(p == cap_last_cap());
	74	}
	75
6160e473 RC	76	static void fork_test(void (*test_func)(void)) {
	77	pid_t pid = 0;
	78
	79	pid = fork();
	80	assert_se(pid >= 0);
	81	if (pid == 0) {
	82	test_func();
	83	exit(0);
	84	} else if (pid > 0) {
	85	int status;
	86
	87	assert_se(waitpid(pid, &status, 0) > 0);
	88	assert_se(WIFEXITED(status) && WEXITSTATUS(status) == 0);
	89	}
	90	}
	91
	92	static void show_capabilities(void) {
	93	cap_t caps;
	94	char *text;
	95
	96	caps = cap_get_proc();
	97	assert_se(caps);
	98
	99	text = cap_to_text(caps, NULL);
	100	assert_se(text);
	101
	102	log_info("Capabilities:%s", text);
	103	cap_free(caps);
	104	cap_free(text);
	105	}
	106
70d7aea5	107	static int setup_tests(bool *run_ambient) {
6160e473	108	struct passwd *nobody;
70d7aea5	109	int r;
6160e473 RC	110
	111	nobody = getpwnam("nobody");
	112	if (!nobody) {
56f64d95	113	log_error_errno(errno, "Could not find nobody user: %m");
6160e473 RC	114	return -EXIT_TEST_SKIP;
	115	}
	116	test_uid = nobody->pw_uid;
	117	test_gid = nobody->pw_gid;
	118
70d7aea5 IP	119	*run_ambient = false;
	120
	121	r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
	122
	123	/* There's support for PR_CAP_AMBIENT if the prctl() call
	124	* succeeded or error code was something else than EINVAL. The
	125	* EINVAL check should be good enough to rule out false
	126	* positives. */
	127
	128	if (r >= 0 \|\| errno != EINVAL)
	129	*run_ambient = true;
	130
6160e473 RC	131	return 0;
	132	}
	133
	134	static void test_drop_privileges_keep_net_raw(void) {
	135	int sock;
	136
	137	sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
	138	assert_se(sock >= 0);
	139	safe_close(sock);
	140
	141	assert_se(drop_privileges(test_uid, test_gid, test_flags \| (1ULL << CAP_NET_RAW)) >= 0);
	142	assert_se(getuid() == test_uid);
	143	assert_se(getgid() == test_gid);
	144	show_capabilities();
	145
	146	sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
	147	assert_se(sock >= 0);
	148	safe_close(sock);
	149	}
	150
	151	static void test_drop_privileges_dontkeep_net_raw(void) {
	152	int sock;
	153
	154	sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
	155	assert_se(sock >= 0);
	156	safe_close(sock);
	157
	158	assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
	159	assert_se(getuid() == test_uid);
	160	assert_se(getgid() == test_gid);
	161	show_capabilities();
	162
	163	sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
	164	assert_se(sock < 0);
	165	}
	166
	167	static void test_drop_privileges_fail(void) {
	168	assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
	169	assert_se(getuid() == test_uid);
	170	assert_se(getgid() == test_gid);
	171
	172	assert_se(drop_privileges(test_uid, test_gid, test_flags) < 0);
	173	assert_se(drop_privileges(0, 0, test_flags) < 0);
	174	}
	175
	176	static void test_drop_privileges(void) {
	177	fork_test(test_drop_privileges_keep_net_raw);
	178	fork_test(test_drop_privileges_dontkeep_net_raw);
	179	fork_test(test_drop_privileges_fail);
	180	}
	181
	182	static void test_have_effective_cap(void) {
	183	assert_se(have_effective_cap(CAP_KILL));
	184	assert_se(have_effective_cap(CAP_CHOWN));
	185
	186	assert_se(drop_privileges(test_uid, test_gid, test_flags \| (1ULL << CAP_KILL)) >= 0);
	187	assert_se(getuid() == test_uid);
	188	assert_se(getgid() == test_gid);
	189
	190	assert_se(have_effective_cap(CAP_KILL));
	191	assert_se(!have_effective_cap(CAP_CHOWN));
	192	}
	193
70d7aea5 IP	194	static void test_update_inherited_set(void) {
	195	cap_t caps;
	196	uint64_t set = 0;
	197	cap_flag_value_t fv;
	198
	199	caps = cap_get_proc();
	200	assert_se(caps);
	201	assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
	202	assert(fv == CAP_CLEAR);
	203
	204	set = (UINT64_C(1) << CAP_CHOWN);
	205
	206	assert_se(!capability_update_inherited_set(caps, set));
	207	assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
	208	assert(fv == CAP_SET);
	209
	210	cap_free(caps);
	211	}
	212
	213	static void test_set_ambient_caps(void) {
	214	cap_t caps;
	215	uint64_t set = 0;
	216	cap_flag_value_t fv;
	217
	218	caps = cap_get_proc();
	219	assert_se(caps);
	220	assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
	221	assert(fv == CAP_CLEAR);
	222	cap_free(caps);
	223
	224	assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0);
	225
	226	set = (UINT64_C(1) << CAP_CHOWN);
	227
	228	assert_se(!capability_ambient_set_apply(set, true));
	229
	230	caps = cap_get_proc();
	231	assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
	232	assert(fv == CAP_SET);
	233	cap_free(caps);
	234
	235	assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1);
	236	}
	237
6160e473 RC	238	int main(int argc, char *argv[]) {
6160e473 RC	239	int r;
70d7aea5	240	bool run_ambient;
6160e473	241
4c1a95fd YW	242	test_last_cap_file();
	243	test_last_cap_probe();
	244
6160e473 RC	245	log_parse_environment();
	246	log_open();
	247
39f608e4 LP	248	log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported()));
39f608e4 LP	249
6160e473 RC	250	if (getuid() != 0)
	251	return EXIT_TEST_SKIP;
	252
70d7aea5	253	r = setup_tests(&run_ambient);
6160e473 RC	254	if (r < 0)
	255	return -r;
	256
	257	show_capabilities();
	258
	259	test_drop_privileges();
70d7aea5 IP	260	test_update_inherited_set();
70d7aea5 IP	261
6160e473 RC	262	fork_test(test_have_effective_cap);
6160e473 RC	263
70d7aea5 IP	264	if (run_ambient)
	265	fork_test(test_set_ambient_caps);
	266
6160e473 RC	267	return 0;
6160e473 RC	268	}