src/test/test-capability.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #include <netinet/in.h>
   4 #include <pwd.h>
   5 #include <sys/prctl.h>
   6 #include <sys/socket.h>
   7 #include <sys/wait.h>
   8 #include <unistd.h>
   9
  10 #define TEST_CAPABILITY_C
  11
  12 #include "alloc-util.h"
  13 #include "capability-util.h"
  14 #include "errno-util.h"
  15 #include "fd-util.h"
  16 #include "fileio.h"
  17 #include "macro.h"
  18 #include "missing_prctl.h"
  19 #include "parse-util.h"
  20 #include "string-util.h"
  21 #include "tests.h"
  22
  23 static uid_t test_uid = -1;
  24 static gid_t test_gid = -1;
  25
  26 #if HAS_FEATURE_ADDRESS_SANITIZER
  27 /* Keep CAP_SYS_PTRACE when running under Address Sanitizer */
  28 static const uint64_t test_flags = UINT64_C(1) << CAP_SYS_PTRACE;
  29 #else
  30 /* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */
  31 static const uint64_t test_flags = UINT64_C(1) << CAP_DAC_OVERRIDE;
  32 #endif
  33
  34 /* verify cap_last_cap() against /proc/sys/kernel/cap_last_cap */
  35 static void test_last_cap_file(void) {
  36         _cleanup_free_ char *content = NULL;
  37         unsigned long val = 0;
  38         int r;
  39
  40         r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);
  41         if (r == -ENOENT || ERRNO_IS_PRIVILEGE(r)) /* kernel pre 3.2 or no access */
  42                 return;
  43         assert_se(r >= 0);
  44
  45         r = safe_atolu(content, &val);
  46         assert_se(r >= 0);
  47         assert_se(val != 0);
  48         assert_se(val == cap_last_cap());
  49 }
  50
  51 /* verify cap_last_cap() against syscall probing */
  52 static void test_last_cap_probe(void) {
  53         unsigned long p = (unsigned long)CAP_LAST_CAP;
  54
  55         if (prctl(PR_CAPBSET_READ, p) < 0) {
  56                 for (p--; p > 0; p --)
  57                         if (prctl(PR_CAPBSET_READ, p) >= 0)
  58                                 break;
  59         } else {
  60                 for (;; p++)
  61                         if (prctl(PR_CAPBSET_READ, p+1) < 0)
  62                                 break;
  63         }
  64
  65         assert_se(p != 0);
  66         assert_se(p == cap_last_cap());
  67 }
  68
  69 static void fork_test(void (*test_func)(void)) {
  70         pid_t pid = 0;
  71
  72         pid = fork();
  73         assert_se(pid >= 0);
  74         if (pid == 0) {
  75                 test_func();
  76                 exit(EXIT_SUCCESS);
  77         } else if (pid > 0) {
  78                 int status;
  79
  80                 assert_se(waitpid(pid, &status, 0) > 0);
  81                 assert_se(WIFEXITED(status) && WEXITSTATUS(status) == 0);
  82         }
  83 }
  84
  85 static void show_capabilities(void) {
  86         cap_t caps;
  87         char *text;
  88
  89         caps = cap_get_proc();
  90         assert_se(caps);
  91
  92         text = cap_to_text(caps, NULL);
  93         assert_se(text);
  94
  95         log_info("Capabilities:%s", text);
  96         cap_free(caps);
  97         cap_free(text);
  98 }
  99
 100 static int setup_tests(bool *run_ambient) {
 101         struct passwd *nobody;
 102         int r;
 103
 104         nobody = getpwnam(NOBODY_USER_NAME);
 105         if (!nobody)
 106                 return log_warning_errno(SYNTHETIC_ERRNO(ENOENT), "Couldn't find 'nobody' user: %m");
 107
 108         test_uid = nobody->pw_uid;
 109         test_gid = nobody->pw_gid;
 110
 111         r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
 112         /* There's support for PR_CAP_AMBIENT if the prctl() call succeeded or error code was something else
 113          * than EINVAL. The EINVAL check should be good enough to rule out false positives. */
 114         *run_ambient = r >= 0 || errno != EINVAL;
 115
 116         return 0;
 117 }
 118
 119 static void test_drop_privileges_keep_net_raw(void) {
 120         int sock;
 121
 122         sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
 123         assert_se(sock >= 0);
 124         safe_close(sock);
 125
 126         assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_NET_RAW)) >= 0);
 127         assert_se(getuid() == test_uid);
 128         assert_se(getgid() == test_gid);
 129         show_capabilities();
 130
 131         sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
 132         assert_se(sock >= 0);
 133         safe_close(sock);
 134 }
 135
 136 static void test_drop_privileges_dontkeep_net_raw(void) {
 137         int sock;
 138
 139         sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
 140         assert_se(sock >= 0);
 141         safe_close(sock);
 142
 143         assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
 144         assert_se(getuid() == test_uid);
 145         assert_se(getgid() == test_gid);
 146         show_capabilities();
 147
 148         sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
 149         assert_se(sock < 0);
 150 }
 151
 152 static void test_drop_privileges_fail(void) {
 153         assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
 154         assert_se(getuid() == test_uid);
 155         assert_se(getgid() == test_gid);
 156
 157         assert_se(drop_privileges(test_uid, test_gid, test_flags) < 0);
 158         assert_se(drop_privileges(0, 0, test_flags) < 0);
 159 }
 160
 161 static void test_drop_privileges(void) {
 162         fork_test(test_drop_privileges_fail);
 163
 164         if (have_effective_cap(CAP_NET_RAW) == 0) /* The remaining two tests only work if we have CAP_NET_RAW
 165                                                    * in the first place. If we are run in some restricted
 166                                                    * container environment we might not. */
 167                 return;
 168
 169         fork_test(test_drop_privileges_keep_net_raw);
 170         fork_test(test_drop_privileges_dontkeep_net_raw);
 171 }
 172
 173 static void test_have_effective_cap(void) {
 174         assert_se(have_effective_cap(CAP_KILL));
 175         assert_se(have_effective_cap(CAP_CHOWN));
 176
 177         assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_KILL)) >= 0);
 178         assert_se(getuid() == test_uid);
 179         assert_se(getgid() == test_gid);
 180
 181         assert_se(have_effective_cap(CAP_KILL));
 182         assert_se(!have_effective_cap(CAP_CHOWN));
 183 }
 184
 185 static void test_update_inherited_set(void) {
 186         cap_t caps;
 187         uint64_t set = 0;
 188         cap_flag_value_t fv;
 189
 190         caps = cap_get_proc();
 191         assert_se(caps);
 192
 193         set = (UINT64_C(1) << CAP_CHOWN);
 194
 195         assert_se(!capability_update_inherited_set(caps, set));
 196         assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
 197         assert(fv == CAP_SET);
 198
 199         cap_free(caps);
 200 }
 201
 202 static void test_apply_ambient_caps(void) {
 203         cap_t caps;
 204         uint64_t set = 0;
 205         cap_flag_value_t fv;
 206
 207         assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0);
 208
 209         set = (UINT64_C(1) << CAP_CHOWN);
 210
 211         assert_se(!capability_ambient_set_apply(set, true));
 212
 213         caps = cap_get_proc();
 214         assert_se(caps);
 215         assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
 216         assert_se(fv == CAP_SET);
 217         cap_free(caps);
 218
 219         assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1);
 220
 221         assert_se(!capability_ambient_set_apply(0, true));
 222         caps = cap_get_proc();
 223         assert_se(caps);
 224         assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
 225         assert_se(fv == CAP_CLEAR);
 226         cap_free(caps);
 227
 228         assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0);
 229 }
 230
 231 static void test_ensure_cap_64bit(void) {
 232         _cleanup_free_ char *content = NULL;
 233         unsigned long p = 0;
 234         int r;
 235
 236         r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);
 237         if (r == -ENOENT || ERRNO_IS_PRIVILEGE(r)) /* kernel pre 3.2 or no access */
 238                 return;
 239         assert_se(r >= 0);
 240
 241         assert_se(safe_atolu(content, &p) >= 0);
 242
 243         /* If caps don't fit into 64bit anymore, we have a problem, fail the test. */
 244         assert_se(p <= 63);
 245
 246         /* Also check for the header definition */
 247         assert_cc(CAP_LAST_CAP <= 63);
 248 }
 249
 250 int main(int argc, char *argv[]) {
 251         bool run_ambient;
 252
 253         test_setup_logging(LOG_INFO);
 254
 255         test_ensure_cap_64bit();
 256
 257         test_last_cap_file();
 258         test_last_cap_probe();
 259
 260         log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported()));
 261
 262         if (getuid() != 0)
 263                 return log_tests_skipped("not running as root");
 264
 265         if (setup_tests(&run_ambient) < 0)
 266                 return log_tests_skipped("setup failed");
 267
 268         show_capabilities();
 269
 270         test_drop_privileges();
 271         test_update_inherited_set();
 272
 273         fork_test(test_have_effective_cap);
 274
 275         if (run_ambient)
 276                 fork_test(test_apply_ambient_caps);
 277
 278         return 0;
 279 }