1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #include <netinet/in.h>
6 #include <sys/socket.h>
10 #include "alloc-util.h"
11 #include "capability-util.h"
12 #include "errno-util.h"
16 #include "missing_prctl.h"
17 #include "parse-util.h"
18 #include "string-util.h"
21 static uid_t test_uid
= -1;
22 static gid_t test_gid
= -1;
24 #if HAS_FEATURE_ADDRESS_SANITIZER
25 /* Keep CAP_SYS_PTRACE when running under Address Sanitizer */
26 static const uint64_t test_flags
= UINT64_C(1) << CAP_SYS_PTRACE
;
28 /* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */
29 static const uint64_t test_flags
= UINT64_C(1) << CAP_DAC_OVERRIDE
;
32 /* verify cap_last_cap() against /proc/sys/kernel/cap_last_cap */
33 static void test_last_cap_file(void) {
34 _cleanup_free_
char *content
= NULL
;
35 unsigned long val
= 0;
38 r
= read_one_line_file("/proc/sys/kernel/cap_last_cap", &content
);
39 if (r
== -ENOENT
|| ERRNO_IS_PRIVILEGE(r
)) /* kernel pre 3.2 or no access */
43 r
= safe_atolu(content
, &val
);
46 assert_se(val
== cap_last_cap());
49 /* verify cap_last_cap() against syscall probing */
50 static void test_last_cap_probe(void) {
51 unsigned long p
= (unsigned long)CAP_LAST_CAP
;
53 if (prctl(PR_CAPBSET_READ
, p
) < 0) {
54 for (p
--; p
> 0; p
--)
55 if (prctl(PR_CAPBSET_READ
, p
) >= 0)
59 if (prctl(PR_CAPBSET_READ
, p
+1) < 0)
64 assert_se(p
== cap_last_cap());
67 static void fork_test(void (*test_func
)(void)) {
78 assert_se(waitpid(pid
, &status
, 0) > 0);
79 assert_se(WIFEXITED(status
) && WEXITSTATUS(status
) == 0);
83 static void show_capabilities(void) {
87 caps
= cap_get_proc();
90 text
= cap_to_text(caps
, NULL
);
93 log_info("Capabilities:%s", text
);
98 static int setup_tests(bool *run_ambient
) {
99 struct passwd
*nobody
;
102 nobody
= getpwnam(NOBODY_USER_NAME
);
104 return log_error_errno(SYNTHETIC_ERRNO(ENOENT
), "Could not find nobody user: %m");
106 test_uid
= nobody
->pw_uid
;
107 test_gid
= nobody
->pw_gid
;
109 *run_ambient
= false;
111 r
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_CLEAR_ALL
, 0, 0, 0);
113 /* There's support for PR_CAP_AMBIENT if the prctl() call
114 * succeeded or error code was something else than EINVAL. The
115 * EINVAL check should be good enough to rule out false
118 if (r
>= 0 || errno
!= EINVAL
)
124 static void test_drop_privileges_keep_net_raw(void) {
127 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
128 assert_se(sock
>= 0);
131 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
| (1ULL << CAP_NET_RAW
)) >= 0);
132 assert_se(getuid() == test_uid
);
133 assert_se(getgid() == test_gid
);
136 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
137 assert_se(sock
>= 0);
141 static void test_drop_privileges_dontkeep_net_raw(void) {
144 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
145 assert_se(sock
>= 0);
148 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) >= 0);
149 assert_se(getuid() == test_uid
);
150 assert_se(getgid() == test_gid
);
153 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
157 static void test_drop_privileges_fail(void) {
158 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) >= 0);
159 assert_se(getuid() == test_uid
);
160 assert_se(getgid() == test_gid
);
162 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) < 0);
163 assert_se(drop_privileges(0, 0, test_flags
) < 0);
166 static void test_drop_privileges(void) {
167 fork_test(test_drop_privileges_keep_net_raw
);
168 fork_test(test_drop_privileges_dontkeep_net_raw
);
169 fork_test(test_drop_privileges_fail
);
172 static void test_have_effective_cap(void) {
173 assert_se(have_effective_cap(CAP_KILL
));
174 assert_se(have_effective_cap(CAP_CHOWN
));
176 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
| (1ULL << CAP_KILL
)) >= 0);
177 assert_se(getuid() == test_uid
);
178 assert_se(getgid() == test_gid
);
180 assert_se(have_effective_cap(CAP_KILL
));
181 assert_se(!have_effective_cap(CAP_CHOWN
));
184 static void test_update_inherited_set(void) {
189 caps
= cap_get_proc();
192 set
= (UINT64_C(1) << CAP_CHOWN
);
194 assert_se(!capability_update_inherited_set(caps
, set
));
195 assert_se(!cap_get_flag(caps
, CAP_CHOWN
, CAP_INHERITABLE
, &fv
));
196 assert(fv
== CAP_SET
);
201 static void test_apply_ambient_caps(void) {
206 assert_se(prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, CAP_CHOWN
, 0, 0) == 0);
208 set
= (UINT64_C(1) << CAP_CHOWN
);
210 assert_se(!capability_ambient_set_apply(set
, true));
212 caps
= cap_get_proc();
214 assert_se(!cap_get_flag(caps
, CAP_CHOWN
, CAP_INHERITABLE
, &fv
));
215 assert_se(fv
== CAP_SET
);
218 assert_se(prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, CAP_CHOWN
, 0, 0) == 1);
220 assert_se(!capability_ambient_set_apply(0, true));
221 caps
= cap_get_proc();
223 assert_se(!cap_get_flag(caps
, CAP_CHOWN
, CAP_INHERITABLE
, &fv
));
224 assert_se(fv
== CAP_CLEAR
);
227 assert_se(prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, CAP_CHOWN
, 0, 0) == 0);
230 static void test_ensure_cap_64bit(void) {
231 _cleanup_free_
char *content
= NULL
;
235 r
= read_one_line_file("/proc/sys/kernel/cap_last_cap", &content
);
236 if (r
== -ENOENT
|| ERRNO_IS_PRIVILEGE(r
)) /* kernel pre 3.2 or no access */
240 assert_se(safe_atolu(content
, &p
) >= 0);
242 /* If caps don't fit into 64bit anymore, we have a problem, fail the test. */
245 /* Also check for the header definition */
246 assert_cc(CAP_LAST_CAP
<= 63);
249 int main(int argc
, char *argv
[]) {
252 test_setup_logging(LOG_INFO
);
254 test_ensure_cap_64bit();
256 test_last_cap_file();
257 test_last_cap_probe();
259 log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported()));
262 return log_tests_skipped("not running as root");
264 if (setup_tests(&run_ambient
) < 0)
265 return log_tests_skipped("setup failed");
269 test_drop_privileges();
270 test_update_inherited_set();
272 fork_test(test_have_effective_cap
);
275 fork_test(test_apply_ambient_caps
);