]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
6160e473 | 2 | |
6160e473 RC |
3 | #include <netinet/in.h> |
4 | #include <pwd.h> | |
70d7aea5 | 5 | #include <sys/prctl.h> |
3ffd4af2 LP |
6 | #include <sys/socket.h> |
7 | #include <sys/wait.h> | |
6160e473 RC |
8 | #include <unistd.h> |
9 | ||
b7be416f ZJS |
10 | #define TEST_CAPABILITY_C |
11 | ||
4c1a95fd | 12 | #include "alloc-util.h" |
430f0182 | 13 | #include "capability-util.h" |
3c14dc61 | 14 | #include "errno-util.h" |
3ffd4af2 | 15 | #include "fd-util.h" |
4c1a95fd | 16 | #include "fileio.h" |
6160e473 | 17 | #include "macro.h" |
a22692d7 | 18 | #include "missing_prctl.h" |
4c1a95fd | 19 | #include "parse-util.h" |
a649419a | 20 | #include "process-util.h" |
55fced5a | 21 | #include "string-util.h" |
317bb217 | 22 | #include "tests.h" |
6160e473 RC |
23 | |
24 | static uid_t test_uid = -1; | |
25 | static gid_t test_gid = -1; | |
3ffd4af2 | 26 | |
0df54921 | 27 | #if HAS_FEATURE_ADDRESS_SANITIZER |
7a302565 FS |
28 | /* Keep CAP_SYS_PTRACE when running under Address Sanitizer */ |
29 | static const uint64_t test_flags = UINT64_C(1) << CAP_SYS_PTRACE; | |
30 | #else | |
3ffd4af2 | 31 | /* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */ |
7a302565 FS |
32 | static const uint64_t test_flags = UINT64_C(1) << CAP_DAC_OVERRIDE; |
33 | #endif | |
6160e473 | 34 | |
4c1a95fd YW |
35 | /* verify cap_last_cap() against /proc/sys/kernel/cap_last_cap */ |
36 | static void test_last_cap_file(void) { | |
37 | _cleanup_free_ char *content = NULL; | |
38 | unsigned long val = 0; | |
39 | int r; | |
40 | ||
41 | r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content); | |
13d84288 | 42 | if (r == -ENOENT || ERRNO_IS_NEG_PRIVILEGE(r)) /* kernel pre 3.2 or no access */ |
3c14dc61 | 43 | return; |
4c1a95fd YW |
44 | assert_se(r >= 0); |
45 | ||
46 | r = safe_atolu(content, &val); | |
47 | assert_se(r >= 0); | |
48 | assert_se(val != 0); | |
49 | assert_se(val == cap_last_cap()); | |
50 | } | |
51 | ||
52 | /* verify cap_last_cap() against syscall probing */ | |
53 | static void test_last_cap_probe(void) { | |
54 | unsigned long p = (unsigned long)CAP_LAST_CAP; | |
55 | ||
56 | if (prctl(PR_CAPBSET_READ, p) < 0) { | |
b3a9d980 | 57 | for (p--; p > 0; p--) |
4c1a95fd YW |
58 | if (prctl(PR_CAPBSET_READ, p) >= 0) |
59 | break; | |
60 | } else { | |
61 | for (;; p++) | |
62 | if (prctl(PR_CAPBSET_READ, p+1) < 0) | |
63 | break; | |
64 | } | |
65 | ||
66 | assert_se(p != 0); | |
67 | assert_se(p == cap_last_cap()); | |
68 | } | |
69 | ||
6160e473 RC |
70 | static void fork_test(void (*test_func)(void)) { |
71 | pid_t pid = 0; | |
72 | ||
73 | pid = fork(); | |
74 | assert_se(pid >= 0); | |
75 | if (pid == 0) { | |
76 | test_func(); | |
a45d7127 | 77 | exit(EXIT_SUCCESS); |
6160e473 RC |
78 | } else if (pid > 0) { |
79 | int status; | |
80 | ||
81 | assert_se(waitpid(pid, &status, 0) > 0); | |
82 | assert_se(WIFEXITED(status) && WEXITSTATUS(status) == 0); | |
83 | } | |
84 | } | |
85 | ||
86 | static void show_capabilities(void) { | |
87 | cap_t caps; | |
88 | char *text; | |
89 | ||
90 | caps = cap_get_proc(); | |
91 | assert_se(caps); | |
92 | ||
93 | text = cap_to_text(caps, NULL); | |
94 | assert_se(text); | |
95 | ||
96 | log_info("Capabilities:%s", text); | |
97 | cap_free(caps); | |
98 | cap_free(text); | |
99 | } | |
100 | ||
70d7aea5 | 101 | static int setup_tests(bool *run_ambient) { |
6160e473 | 102 | struct passwd *nobody; |
70d7aea5 | 103 | int r; |
6160e473 | 104 | |
a3d37fe9 | 105 | nobody = getpwnam(NOBODY_USER_NAME); |
08d541ca | 106 | if (!nobody) |
0a94e77e | 107 | return log_warning_errno(SYNTHETIC_ERRNO(ENOENT), "Couldn't find 'nobody' user: %m"); |
08d541ca | 108 | |
6160e473 RC |
109 | test_uid = nobody->pw_uid; |
110 | test_gid = nobody->pw_gid; | |
111 | ||
70d7aea5 | 112 | r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); |
0a94e77e ZJS |
113 | /* There's support for PR_CAP_AMBIENT if the prctl() call succeeded or error code was something else |
114 | * than EINVAL. The EINVAL check should be good enough to rule out false positives. */ | |
115 | *run_ambient = r >= 0 || errno != EINVAL; | |
70d7aea5 | 116 | |
6160e473 RC |
117 | return 0; |
118 | } | |
119 | ||
120 | static void test_drop_privileges_keep_net_raw(void) { | |
121 | int sock; | |
122 | ||
123 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
124 | assert_se(sock >= 0); | |
125 | safe_close(sock); | |
126 | ||
127 | assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_NET_RAW)) >= 0); | |
128 | assert_se(getuid() == test_uid); | |
129 | assert_se(getgid() == test_gid); | |
130 | show_capabilities(); | |
131 | ||
132 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
133 | assert_se(sock >= 0); | |
134 | safe_close(sock); | |
135 | } | |
136 | ||
137 | static void test_drop_privileges_dontkeep_net_raw(void) { | |
138 | int sock; | |
139 | ||
140 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
141 | assert_se(sock >= 0); | |
142 | safe_close(sock); | |
143 | ||
144 | assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0); | |
145 | assert_se(getuid() == test_uid); | |
146 | assert_se(getgid() == test_gid); | |
147 | show_capabilities(); | |
148 | ||
149 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
150 | assert_se(sock < 0); | |
151 | } | |
152 | ||
153 | static void test_drop_privileges_fail(void) { | |
154 | assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0); | |
155 | assert_se(getuid() == test_uid); | |
156 | assert_se(getgid() == test_gid); | |
157 | ||
158 | assert_se(drop_privileges(test_uid, test_gid, test_flags) < 0); | |
159 | assert_se(drop_privileges(0, 0, test_flags) < 0); | |
160 | } | |
161 | ||
162 | static void test_drop_privileges(void) { | |
e80cb4cb LP |
163 | fork_test(test_drop_privileges_fail); |
164 | ||
26c45a6c | 165 | if (have_effective_cap(CAP_NET_RAW) <= 0) /* The remaining two tests only work if we have CAP_NET_RAW |
e80cb4cb LP |
166 | * in the first place. If we are run in some restricted |
167 | * container environment we might not. */ | |
168 | return; | |
169 | ||
6160e473 RC |
170 | fork_test(test_drop_privileges_keep_net_raw); |
171 | fork_test(test_drop_privileges_dontkeep_net_raw); | |
6160e473 RC |
172 | } |
173 | ||
174 | static void test_have_effective_cap(void) { | |
26c45a6c YW |
175 | assert_se(have_effective_cap(CAP_KILL) > 0); |
176 | assert_se(have_effective_cap(CAP_CHOWN) > 0); | |
6160e473 RC |
177 | |
178 | assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_KILL)) >= 0); | |
179 | assert_se(getuid() == test_uid); | |
180 | assert_se(getgid() == test_gid); | |
181 | ||
26c45a6c YW |
182 | assert_se(have_effective_cap(CAP_KILL) > 0); |
183 | assert_se(have_effective_cap(CAP_CHOWN) == 0); | |
6160e473 RC |
184 | } |
185 | ||
70d7aea5 IP |
186 | static void test_update_inherited_set(void) { |
187 | cap_t caps; | |
188 | uint64_t set = 0; | |
189 | cap_flag_value_t fv; | |
190 | ||
191 | caps = cap_get_proc(); | |
192 | assert_se(caps); | |
70d7aea5 IP |
193 | |
194 | set = (UINT64_C(1) << CAP_CHOWN); | |
195 | ||
196 | assert_se(!capability_update_inherited_set(caps, set)); | |
197 | assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); | |
f21b863e | 198 | assert_se(fv == CAP_SET); |
70d7aea5 IP |
199 | |
200 | cap_free(caps); | |
201 | } | |
202 | ||
155a6234 | 203 | static void test_apply_ambient_caps(void) { |
70d7aea5 IP |
204 | cap_t caps; |
205 | uint64_t set = 0; | |
206 | cap_flag_value_t fv; | |
207 | ||
70d7aea5 IP |
208 | assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0); |
209 | ||
210 | set = (UINT64_C(1) << CAP_CHOWN); | |
211 | ||
212 | assert_se(!capability_ambient_set_apply(set, true)); | |
213 | ||
214 | caps = cap_get_proc(); | |
155a6234 | 215 | assert_se(caps); |
70d7aea5 | 216 | assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); |
155a6234 | 217 | assert_se(fv == CAP_SET); |
70d7aea5 IP |
218 | cap_free(caps); |
219 | ||
220 | assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1); | |
155a6234 KK |
221 | |
222 | assert_se(!capability_ambient_set_apply(0, true)); | |
223 | caps = cap_get_proc(); | |
224 | assert_se(caps); | |
225 | assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); | |
226 | assert_se(fv == CAP_CLEAR); | |
227 | cap_free(caps); | |
228 | ||
229 | assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0); | |
70d7aea5 IP |
230 | } |
231 | ||
da890466 | 232 | static void test_ensure_cap_64_bit(void) { |
74b6ce90 LP |
233 | _cleanup_free_ char *content = NULL; |
234 | unsigned long p = 0; | |
235 | int r; | |
236 | ||
237 | r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content); | |
13d84288 | 238 | if (r == -ENOENT || ERRNO_IS_NEG_PRIVILEGE(r)) /* kernel pre 3.2 or no access */ |
74b6ce90 LP |
239 | return; |
240 | assert_se(r >= 0); | |
241 | ||
242 | assert_se(safe_atolu(content, &p) >= 0); | |
243 | ||
da890466 | 244 | /* If caps don't fit into 64-bit anymore, we have a problem, fail the test. */ |
74b6ce90 LP |
245 | assert_se(p <= 63); |
246 | ||
247 | /* Also check for the header definition */ | |
864a25d9 | 248 | assert_cc(CAP_LAST_CAP <= 63); |
74b6ce90 LP |
249 | } |
250 | ||
a649419a LP |
251 | static void test_capability_get_ambient(void) { |
252 | uint64_t c; | |
253 | int r; | |
254 | ||
255 | assert_se(capability_get_ambient(&c) >= 0); | |
256 | ||
e9ccae31 | 257 | r = safe_fork("(getambient)", FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGTERM|FORK_WAIT|FORK_LOG, NULL); |
a649419a LP |
258 | assert_se(r >= 0); |
259 | ||
260 | if (r == 0) { | |
261 | int x, y; | |
262 | /* child */ | |
263 | assert_se(capability_get_ambient(&c) >= 0); | |
264 | ||
265 | x = capability_ambient_set_apply( | |
266 | (UINT64_C(1) << CAP_MKNOD)| | |
267 | (UINT64_C(1) << CAP_LINUX_IMMUTABLE), | |
268 | /* also_inherit= */ true); | |
269 | assert_se(x >= 0 || ERRNO_IS_PRIVILEGE(x)); | |
270 | ||
271 | assert_se(capability_get_ambient(&c) >= 0); | |
272 | assert_se(x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_MKNOD)); | |
273 | assert_se(x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)); | |
274 | assert_se(x < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_SETPCAP)); | |
275 | ||
276 | y = capability_bounding_set_drop( | |
277 | ((UINT64_C(1) << CAP_LINUX_IMMUTABLE)| | |
278 | (UINT64_C(1) << CAP_SETPCAP)), | |
279 | /* right_now= */ true); | |
280 | assert_se(y >= 0 || ERRNO_IS_PRIVILEGE(y)); | |
281 | ||
282 | assert_se(capability_get_ambient(&c) >= 0); | |
283 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_MKNOD)); | |
284 | assert_se(x < 0 || y < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)); | |
285 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_SETPCAP)); | |
286 | ||
287 | y = capability_bounding_set_drop( | |
288 | (UINT64_C(1) << CAP_SETPCAP), | |
289 | /* right_now= */ true); | |
290 | assert_se(y >= 0 || ERRNO_IS_PRIVILEGE(y)); | |
291 | ||
292 | assert_se(capability_get_ambient(&c) >= 0); | |
293 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_MKNOD)); | |
294 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)); | |
295 | assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_SETPCAP)); | |
296 | ||
297 | _exit(EXIT_SUCCESS); | |
298 | } | |
299 | } | |
300 | ||
6160e473 | 301 | int main(int argc, char *argv[]) { |
21996f81 | 302 | bool run_ambient; |
6160e473 | 303 | |
a649419a | 304 | test_setup_logging(LOG_DEBUG); |
6d7c4033 | 305 | |
da890466 | 306 | test_ensure_cap_64_bit(); |
74b6ce90 | 307 | |
4c1a95fd YW |
308 | test_last_cap_file(); |
309 | test_last_cap_probe(); | |
310 | ||
39f608e4 LP |
311 | log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported())); |
312 | ||
317bb217 ZJS |
313 | if (getuid() != 0) |
314 | return log_tests_skipped("not running as root"); | |
6160e473 | 315 | |
317bb217 ZJS |
316 | if (setup_tests(&run_ambient) < 0) |
317 | return log_tests_skipped("setup failed"); | |
6160e473 RC |
318 | |
319 | show_capabilities(); | |
320 | ||
321 | test_drop_privileges(); | |
70d7aea5 IP |
322 | test_update_inherited_set(); |
323 | ||
6160e473 RC |
324 | fork_test(test_have_effective_cap); |
325 | ||
70d7aea5 | 326 | if (run_ambient) |
155a6234 | 327 | fork_test(test_apply_ambient_caps); |
70d7aea5 | 328 | |
a649419a LP |
329 | test_capability_get_ambient(); |
330 | ||
6160e473 RC |
331 | return 0; |
332 | } |