projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
| 6160e473 | 2 | |
| 6160e473 RC |
3 | #include <netinet/in.h> |
| 4 | #include <pwd.h> | |
| 70d7aea5 | 5 | #include <sys/prctl.h> |
| 3ffd4af2 LP |
6 | #include <sys/socket.h> |
| 7 | #include <sys/wait.h> | |
| 6160e473 RC |
8 | #include <unistd.h> |
| 9 | ||
| b7be416f ZJS |
10 | #define TEST_CAPABILITY_C |
| 11 | ||
| 4c1a95fd | 12 | #include "alloc-util.h" |
| 430f0182 | 13 | #include "capability-util.h" |
| 3c14dc61 | 14 | #include "errno-util.h" |
| 3ffd4af2 | 15 | #include "fd-util.h" |
| 4c1a95fd | 16 | #include "fileio.h" |
| 6160e473 | 17 | #include "macro.h" |
| a22692d7 | 18 | #include "missing_prctl.h" |
| 4c1a95fd | 19 | #include "parse-util.h" |
| a649419a | 20 | #include "process-util.h" |
| 55fced5a | 21 | #include "string-util.h" |
| 317bb217 | 22 | #include "tests.h" |
| 6160e473 RC |
23 | |
| 24 | static uid_t test_uid = -1; | |
| 25 | static gid_t test_gid = -1; | |
| 3ffd4af2 | 26 | |
| 0df54921 | 27 | #if HAS_FEATURE_ADDRESS_SANITIZER |
| 7a302565 FS |
28 | /* Keep CAP_SYS_PTRACE when running under Address Sanitizer */ |
| 29 | static const uint64_t test_flags = UINT64_C(1) << CAP_SYS_PTRACE; | |
| 30 | #else | |
| 3ffd4af2 | 31 | /* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */ |
| 7a302565 FS |
32 | static const uint64_t test_flags = UINT64_C(1) << CAP_DAC_OVERRIDE; |
| 33 | #endif | |
| 6160e473 | 34 | |
| 4c1a95fd YW |
35 | /* verify cap_last_cap() against /proc/sys/kernel/cap_last_cap */ |
| 36 | static void test_last_cap_file(void) { | |
| 37 | _cleanup_free_ char *content = NULL; | |
| 38 | unsigned long val = 0; | |
| 39 | int r; | |
| 40 | ||
| 41 | r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content); | |
| 13d84288 | 42 | if (r == -ENOENT || ERRNO_IS_NEG_PRIVILEGE(r)) /* kernel pre 3.2 or no access */ |
| 3c14dc61 | 43 | return; |
| 4c1a95fd YW |
44 | assert_se(r >= 0); |
| 45 | ||
| 46 | r = safe_atolu(content, &val); | |
| 47 | assert_se(r >= 0); | |
| 48 | assert_se(val != 0); | |
| 49 | assert_se(val == cap_last_cap()); | |
| 50 | } | |
| 51 | ||
| 52 | /* verify cap_last_cap() against syscall probing */ | |
| 53 | static void test_last_cap_probe(void) { | |
| 54 | unsigned long p = (unsigned long)CAP_LAST_CAP; | |
| 55 | ||
| 56 | if (prctl(PR_CAPBSET_READ, p) < 0) { | |
| b3a9d980 | 57 | for (p--; p > 0; p--) |
| 4c1a95fd YW |
58 | if (prctl(PR_CAPBSET_READ, p) >= 0) |
| 59 | break; | |
| 60 | } else { | |
| 61 | for (;; p++) | |
| 62 | if (prctl(PR_CAPBSET_READ, p+1) < 0) | |
| 63 | break; | |
| 64 | } | |
| 65 | ||
| 66 | assert_se(p != 0); | |
| 67 | assert_se(p == cap_last_cap()); | |
| 68 | } | |
| 69 | ||
| 6160e473 RC |
70 | static void fork_test(void (*test_func)(void)) { |
| 71 | pid_t pid = 0; | |
| 72 | ||
| 73 | pid = fork(); | |
| 74 | assert_se(pid >= 0); | |
| 75 | if (pid == 0) { | |
| 76 | test_func(); | |
| a45d7127 | 77 | exit(EXIT_SUCCESS); |
| 6160e473 RC |
78 | } else if (pid > 0) { |
| 79 | int status; | |
| 80 | ||
| 81 | assert_se(waitpid(pid, &status, 0) > 0); | |
| 82 | assert_se(WIFEXITED(status) && WEXITSTATUS(status) == 0); | |
| 83 | } | |
| 84 | } | |
| 85 | ||
| 86 | static void show_capabilities(void) { | |
| 87 | cap_t caps; | |
| 88 | char *text; | |
| 89 | ||
| 90 | caps = cap_get_proc(); | |
| 91 | assert_se(caps); | |
| 92 | ||
| 93 | text = cap_to_text(caps, NULL); | |
| 94 | assert_se(text); | |
| 95 | ||
| 96 | log_info("Capabilities:%s", text); | |
| 97 | cap_free(caps); | |
| 98 | cap_free(text); | |
| 99 | } | |
| 100 | ||
| 70d7aea5 | 101 | static int setup_tests(bool *run_ambient) { |
| 6160e473 | 102 | struct passwd *nobody; |
| 70d7aea5 | 103 | int r; |
| 6160e473 | 104 | |
| a3d37fe9 | 105 | nobody = getpwnam(NOBODY_USER_NAME); |
| 08d541ca | 106 | if (!nobody) |
| 0a94e77e | 107 | return log_warning_errno(SYNTHETIC_ERRNO(ENOENT), "Couldn't find 'nobody' user: %m"); |
| 08d541ca | 108 | |
| 6160e473 RC |
109 | test_uid = nobody->pw_uid; |
| 110 | test_gid = nobody->pw_gid; | |
| 111 | ||
| 70d7aea5 | 112 | r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); |
| 0a94e77e ZJS |
113 | /* There's support for PR_CAP_AMBIENT if the prctl() call succeeded or error code was something else |
| 114 | * than EINVAL. The EINVAL check should be good enough to rule out false positives. */ | |
| 115 | *run_ambient = r >= 0 || errno != EINVAL; | |
| 70d7aea5 | 116 | |
| 6160e473 RC |
117 | return 0; |
| 118 | } | |
| 119 | ||
| 120 | static void test_drop_privileges_keep_net_raw(void) { | |
| 121 | int sock; | |
| 122 | ||
| 123 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
| 124 | assert_se(sock >= 0); | |
| 125 | safe_close(sock); | |
| 126 | ||
| 127 | assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_NET_RAW)) >= 0); | |
| 128 | assert_se(getuid() == test_uid); | |
| 129 | assert_se(getgid() == test_gid); | |
| 130 | show_capabilities(); | |
| 131 | ||
| 132 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
| 133 | assert_se(sock >= 0); | |
| 134 | safe_close(sock); | |
| 135 | } | |
| 136 | ||
| 137 | static void test_drop_privileges_dontkeep_net_raw(void) { | |
| 138 | int sock; | |
| 139 | ||
| 140 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
| 141 | assert_se(sock >= 0); | |
| 142 | safe_close(sock); | |
| 143 | ||
| 144 | assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0); | |
| 145 | assert_se(getuid() == test_uid); | |
| 146 | assert_se(getgid() == test_gid); | |
| 147 | show_capabilities(); | |
| 148 | ||
| 149 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
| 150 | assert_se(sock < 0); | |
| 151 | } | |
| 152 | ||
| 153 | static void test_drop_privileges_fail(void) { | |
| 154 | assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0); | |
| 155 | assert_se(getuid() == test_uid); | |
| 156 | assert_se(getgid() == test_gid); | |
| 157 | ||
| 158 | assert_se(drop_privileges(test_uid, test_gid, test_flags) < 0); | |
| 159 | assert_se(drop_privileges(0, 0, test_flags) < 0); | |
| 160 | } | |
| 161 | ||
| 162 | static void test_drop_privileges(void) { | |
| e80cb4cb LP |
163 | fork_test(test_drop_privileges_fail); |
| 164 | ||
| 26c45a6c | 165 | if (have_effective_cap(CAP_NET_RAW) <= 0) /* The remaining two tests only work if we have CAP_NET_RAW |
| e80cb4cb LP |
166 | * in the first place. If we are run in some restricted |
| 167 | * container environment we might not. */ | |
| 168 | return; | |
| 169 | ||
| 6160e473 RC |
170 | fork_test(test_drop_privileges_keep_net_raw); |
| 171 | fork_test(test_drop_privileges_dontkeep_net_raw); | |
| 6160e473 RC |
172 | } |
| 173 | ||
| 174 | static void test_have_effective_cap(void) { | |
| 26c45a6c YW |
175 | assert_se(have_effective_cap(CAP_KILL) > 0); |
| 176 | assert_se(have_effective_cap(CAP_CHOWN) > 0); | |
| 6160e473 RC |
177 | |
| 178 | assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_KILL)) >= 0); | |
| 179 | assert_se(getuid() == test_uid); | |
| 180 | assert_se(getgid() == test_gid); | |
| 181 | ||
| 26c45a6c YW |
182 | assert_se(have_effective_cap(CAP_KILL) > 0); |
| 183 | assert_se(have_effective_cap(CAP_CHOWN) == 0); | |
| 6160e473 RC |
184 | } |
| 185 | ||
| 70d7aea5 IP |
186 | static void test_update_inherited_set(void) { |
| 187 | cap_t caps; | |
| 188 | uint64_t set = 0; | |
| 189 | cap_flag_value_t fv; | |
| 190 | ||
| 191 | caps = cap_get_proc(); | |
| 192 | assert_se(caps); | |
| 70d7aea5 IP |
193 | |
| 194 | set = (UINT64_C(1) << CAP_CHOWN); | |
| 195 | ||
| 196 | assert_se(!capability_update_inherited_set(caps, set)); | |
| 197 | assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); | |
| f21b863e | 198 | assert_se(fv == CAP_SET); |
| 70d7aea5 IP |
199 | |
| 200 | cap_free(caps); | |
| 201 | } | |
| 202 | ||
| 155a6234 | 203 | static void test_apply_ambient_caps(void) { |
| 70d7aea5 IP |
204 | cap_t caps; |
| 205 | uint64_t set = 0; | |
| 206 | cap_flag_value_t fv; | |
| 207 | ||
| 70d7aea5 IP |
208 | assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0); |
| 209 | ||
| 210 | set = (UINT64_C(1) << CAP_CHOWN); | |
| 211 | ||
| 212 | assert_se(!capability_ambient_set_apply(set, true)); | |
| 213 | ||
| 214 | caps = cap_get_proc(); | |
| 155a6234 | 215 | assert_se(caps); |
| 70d7aea5 | 216 | assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); |
| 155a6234 | 217 | assert_se(fv == CAP_SET); |
| 70d7aea5 IP |
218 | cap_free(caps); |
| 219 | ||
| 220 | assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1); | |
| 155a6234 KK |
221 | |
| 222 | assert_se(!capability_ambient_set_apply(0, true)); | |
| 223 | caps = cap_get_proc(); | |
| 224 | assert_se(caps); | |
| 225 | assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); | |
| 226 | assert_se(fv == CAP_CLEAR); | |
| 227 | cap_free(caps); | |
| 228 | ||
| 229 | assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0); | |
| 70d7aea5 IP |
230 | } |
| 231 | ||
| da890466 | 232 | static void test_ensure_cap_64_bit(void) { |
| 74b6ce90 LP |
233 | _cleanup_free_ char *content = NULL; |
| 234 | unsigned long p = 0; | |
| 235 | int r; | |
| 236 | ||
| 237 | r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content); | |
| 13d84288 | 238 | if (r == -ENOENT || ERRNO_IS_NEG_PRIVILEGE(r)) /* kernel pre 3.2 or no access */ |
| 74b6ce90 LP |
239 | return; |
| 240 | assert_se(r >= 0); | |
| 241 | ||
| 242 | assert_se(safe_atolu(content, &p) >= 0); | |
| 243 | ||
| da890466 | 244 | /* If caps don't fit into 64-bit anymore, we have a problem, fail the test. */ |
| 74b6ce90 LP |
245 | assert_se(p <= 63); |
| 246 | ||
| 247 | /* Also check for the header definition */ | |
| 864a25d9 | 248 | assert_cc(CAP_LAST_CAP <= 63); |
| 74b6ce90 LP |
249 | } |
| 250 | ||
| a649419a LP |
251 | static void test_capability_get_ambient(void) { |
| 252 | uint64_t c; | |
| 253 | int r; | |
| 254 | ||
| 255 | assert_se(capability_get_ambient(&c) >= 0); | |
| 256 | ||
| e9ccae31 | 257 | r = safe_fork("(getambient)", FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGTERM|FORK_WAIT|FORK_LOG, NULL); |
| a649419a LP |
258 | assert_se(r >= 0); |
| 259 | ||
| 260 | if (r == 0) { | |
| 261 | int x, y; | |
| 262 | /* child */ | |
| 263 | assert_se(capability_get_ambient(&c) >= 0); | |
| 264 | ||
| 265 | x = capability_ambient_set_apply( | |
| 266 | (UINT64_C(1) << CAP_MKNOD)| | |
| 267 | (UINT64_C(1) << CAP_LINUX_IMMUTABLE), | |
| 268 | /* also_inherit= */ true); | |
| 269 | assert_se(x >= 0 || ERRNO_IS_PRIVILEGE(x)); | |
| 270 | ||
| 271 | assert_se(capability_get_ambient(&c) >= 0); | |
| 272 | assert_se(x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_MKNOD)); | |
| 273 | assert_se(x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)); | |
| 274 | assert_se(x < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_SETPCAP)); | |
| 275 | ||
| 276 | y = capability_bounding_set_drop( | |
| 277 | ((UINT64_C(1) << CAP_LINUX_IMMUTABLE)| | |
| 278 | (UINT64_C(1) << CAP_SETPCAP)), | |
| 279 | /* right_now= */ true); | |
| 280 | assert_se(y >= 0 || ERRNO_IS_PRIVILEGE(y)); | |
| 281 | ||
| 282 | assert_se(capability_get_ambient(&c) >= 0); | |
| 283 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_MKNOD)); | |
| 284 | assert_se(x < 0 || y < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)); | |
| 285 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_SETPCAP)); | |
| 286 | ||
| 287 | y = capability_bounding_set_drop( | |
| 288 | (UINT64_C(1) << CAP_SETPCAP), | |
| 289 | /* right_now= */ true); | |
| 290 | assert_se(y >= 0 || ERRNO_IS_PRIVILEGE(y)); | |
| 291 | ||
| 292 | assert_se(capability_get_ambient(&c) >= 0); | |
| 293 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_MKNOD)); | |
| 294 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)); | |
| 295 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_SETPCAP)); | |
| 296 | ||
| 297 | _exit(EXIT_SUCCESS); | |
| 298 | } | |
| 299 | } | |
| 300 | ||
| 6160e473 | 301 | int main(int argc, char *argv[]) { |
| 21996f81 | 302 | bool run_ambient; |
| 6160e473 | 303 | |
| a649419a | 304 | test_setup_logging(LOG_DEBUG); |
| 6d7c4033 | 305 | |
| da890466 | 306 | test_ensure_cap_64_bit(); |
| 74b6ce90 | 307 | |
| 4c1a95fd YW |
308 | test_last_cap_file(); |
| 309 | test_last_cap_probe(); | |
| 310 | ||
| 39f608e4 LP |
311 | log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported())); |
| 312 | ||
| 317bb217 ZJS |
313 | if (getuid() != 0) |
| 314 | return log_tests_skipped("not running as root"); | |
| 6160e473 | 315 | |
| 317bb217 ZJS |
316 | if (setup_tests(&run_ambient) < 0) |
| 317 | return log_tests_skipped("setup failed"); | |
| 6160e473 RC |
318 | |
| 319 | show_capabilities(); | |
| 320 | ||
| 321 | test_drop_privileges(); | |
| 70d7aea5 IP |
322 | test_update_inherited_set(); |
| 323 | ||
| 6160e473 RC |
324 | fork_test(test_have_effective_cap); |
| 325 | ||
| 70d7aea5 | 326 | if (run_ambient) |
| 155a6234 | 327 | fork_test(test_apply_ambient_caps); |
| 70d7aea5 | 328 | |
| a649419a LP |
329 | test_capability_get_ambient(); |
| 330 | ||
| 6160e473 RC |
331 | return 0; |
| 332 | } |