1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #include <netinet/in.h>
5 #include <sys/capability.h>
7 #include <sys/socket.h>
11 #include "alloc-util.h"
12 #include "capability-util.h"
16 #include "parse-util.h"
20 static uid_t test_uid
= -1;
21 static gid_t test_gid
= -1;
23 #if HAS_FEATURE_ADDRESS_SANITIZER
24 /* Keep CAP_SYS_PTRACE when running under Address Sanitizer */
25 static const uint64_t test_flags
= UINT64_C(1) << CAP_SYS_PTRACE
;
27 /* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */
28 static const uint64_t test_flags
= UINT64_C(1) << CAP_DAC_OVERRIDE
;
31 /* verify cap_last_cap() against /proc/sys/kernel/cap_last_cap */
32 static void test_last_cap_file(void) {
33 _cleanup_free_
char *content
= NULL
;
34 unsigned long val
= 0;
37 r
= read_one_line_file("/proc/sys/kernel/cap_last_cap", &content
);
40 r
= safe_atolu(content
, &val
);
43 assert_se(val
== cap_last_cap());
46 /* verify cap_last_cap() against syscall probing */
47 static void test_last_cap_probe(void) {
48 unsigned long p
= (unsigned long)CAP_LAST_CAP
;
50 if (prctl(PR_CAPBSET_READ
, p
) < 0) {
51 for (p
--; p
> 0; p
--)
52 if (prctl(PR_CAPBSET_READ
, p
) >= 0)
56 if (prctl(PR_CAPBSET_READ
, p
+1) < 0)
61 assert_se(p
== cap_last_cap());
64 static void fork_test(void (*test_func
)(void)) {
75 assert_se(waitpid(pid
, &status
, 0) > 0);
76 assert_se(WIFEXITED(status
) && WEXITSTATUS(status
) == 0);
80 static void show_capabilities(void) {
84 caps
= cap_get_proc();
87 text
= cap_to_text(caps
, NULL
);
90 log_info("Capabilities:%s", text
);
95 static int setup_tests(bool *run_ambient
) {
96 struct passwd
*nobody
;
99 nobody
= getpwnam(NOBODY_USER_NAME
);
101 return log_error_errno(errno
, "Could not find nobody user: %m");
103 test_uid
= nobody
->pw_uid
;
104 test_gid
= nobody
->pw_gid
;
106 *run_ambient
= false;
108 r
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_CLEAR_ALL
, 0, 0, 0);
110 /* There's support for PR_CAP_AMBIENT if the prctl() call
111 * succeeded or error code was something else than EINVAL. The
112 * EINVAL check should be good enough to rule out false
115 if (r
>= 0 || errno
!= EINVAL
)
121 static void test_drop_privileges_keep_net_raw(void) {
124 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
125 assert_se(sock
>= 0);
128 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
| (1ULL << CAP_NET_RAW
)) >= 0);
129 assert_se(getuid() == test_uid
);
130 assert_se(getgid() == test_gid
);
133 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
134 assert_se(sock
>= 0);
138 static void test_drop_privileges_dontkeep_net_raw(void) {
141 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
142 assert_se(sock
>= 0);
145 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) >= 0);
146 assert_se(getuid() == test_uid
);
147 assert_se(getgid() == test_gid
);
150 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
154 static void test_drop_privileges_fail(void) {
155 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) >= 0);
156 assert_se(getuid() == test_uid
);
157 assert_se(getgid() == test_gid
);
159 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) < 0);
160 assert_se(drop_privileges(0, 0, test_flags
) < 0);
163 static void test_drop_privileges(void) {
164 fork_test(test_drop_privileges_keep_net_raw
);
165 fork_test(test_drop_privileges_dontkeep_net_raw
);
166 fork_test(test_drop_privileges_fail
);
169 static void test_have_effective_cap(void) {
170 assert_se(have_effective_cap(CAP_KILL
));
171 assert_se(have_effective_cap(CAP_CHOWN
));
173 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
| (1ULL << CAP_KILL
)) >= 0);
174 assert_se(getuid() == test_uid
);
175 assert_se(getgid() == test_gid
);
177 assert_se(have_effective_cap(CAP_KILL
));
178 assert_se(!have_effective_cap(CAP_CHOWN
));
181 static void test_update_inherited_set(void) {
186 caps
= cap_get_proc();
189 set
= (UINT64_C(1) << CAP_CHOWN
);
191 assert_se(!capability_update_inherited_set(caps
, set
));
192 assert_se(!cap_get_flag(caps
, CAP_CHOWN
, CAP_INHERITABLE
, &fv
));
193 assert(fv
== CAP_SET
);
198 static void test_set_ambient_caps(void) {
203 assert_se(prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, CAP_CHOWN
, 0, 0) == 0);
205 set
= (UINT64_C(1) << CAP_CHOWN
);
207 assert_se(!capability_ambient_set_apply(set
, true));
209 caps
= cap_get_proc();
210 assert_se(!cap_get_flag(caps
, CAP_CHOWN
, CAP_INHERITABLE
, &fv
));
211 assert(fv
== CAP_SET
);
214 assert_se(prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, CAP_CHOWN
, 0, 0) == 1);
217 int main(int argc
, char *argv
[]) {
220 test_setup_logging(LOG_INFO
);
222 test_last_cap_file();
223 test_last_cap_probe();
225 log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported()));
228 return log_tests_skipped("not running as root");
230 if (setup_tests(&run_ambient
) < 0)
231 return log_tests_skipped("setup failed");
235 test_drop_privileges();
236 test_update_inherited_set();
238 fork_test(test_have_effective_cap
);
241 fork_test(test_set_ambient_caps
);