]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
6160e473 | 2 | |
6160e473 RC |
3 | #include <netinet/in.h> |
4 | #include <pwd.h> | |
3ffd4af2 | 5 | #include <sys/capability.h> |
70d7aea5 | 6 | #include <sys/prctl.h> |
3ffd4af2 LP |
7 | #include <sys/socket.h> |
8 | #include <sys/wait.h> | |
6160e473 RC |
9 | #include <unistd.h> |
10 | ||
4c1a95fd | 11 | #include "alloc-util.h" |
430f0182 | 12 | #include "capability-util.h" |
3ffd4af2 | 13 | #include "fd-util.h" |
4c1a95fd | 14 | #include "fileio.h" |
6160e473 | 15 | #include "macro.h" |
a22692d7 | 16 | #include "missing_prctl.h" |
4c1a95fd | 17 | #include "parse-util.h" |
317bb217 | 18 | #include "tests.h" |
3ffd4af2 | 19 | #include "util.h" |
6160e473 RC |
20 | |
21 | static uid_t test_uid = -1; | |
22 | static gid_t test_gid = -1; | |
3ffd4af2 | 23 | |
0df54921 | 24 | #if HAS_FEATURE_ADDRESS_SANITIZER |
7a302565 FS |
25 | /* Keep CAP_SYS_PTRACE when running under Address Sanitizer */ |
26 | static const uint64_t test_flags = UINT64_C(1) << CAP_SYS_PTRACE; | |
27 | #else | |
3ffd4af2 | 28 | /* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */ |
7a302565 FS |
29 | static const uint64_t test_flags = UINT64_C(1) << CAP_DAC_OVERRIDE; |
30 | #endif | |
6160e473 | 31 | |
4c1a95fd YW |
32 | /* verify cap_last_cap() against /proc/sys/kernel/cap_last_cap */ |
33 | static void test_last_cap_file(void) { | |
34 | _cleanup_free_ char *content = NULL; | |
35 | unsigned long val = 0; | |
36 | int r; | |
37 | ||
38 | r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content); | |
39 | assert_se(r >= 0); | |
40 | ||
41 | r = safe_atolu(content, &val); | |
42 | assert_se(r >= 0); | |
43 | assert_se(val != 0); | |
44 | assert_se(val == cap_last_cap()); | |
45 | } | |
46 | ||
47 | /* verify cap_last_cap() against syscall probing */ | |
48 | static void test_last_cap_probe(void) { | |
49 | unsigned long p = (unsigned long)CAP_LAST_CAP; | |
50 | ||
51 | if (prctl(PR_CAPBSET_READ, p) < 0) { | |
52 | for (p--; p > 0; p --) | |
53 | if (prctl(PR_CAPBSET_READ, p) >= 0) | |
54 | break; | |
55 | } else { | |
56 | for (;; p++) | |
57 | if (prctl(PR_CAPBSET_READ, p+1) < 0) | |
58 | break; | |
59 | } | |
60 | ||
61 | assert_se(p != 0); | |
62 | assert_se(p == cap_last_cap()); | |
63 | } | |
64 | ||
6160e473 RC |
65 | static void fork_test(void (*test_func)(void)) { |
66 | pid_t pid = 0; | |
67 | ||
68 | pid = fork(); | |
69 | assert_se(pid >= 0); | |
70 | if (pid == 0) { | |
71 | test_func(); | |
a45d7127 | 72 | exit(EXIT_SUCCESS); |
6160e473 RC |
73 | } else if (pid > 0) { |
74 | int status; | |
75 | ||
76 | assert_se(waitpid(pid, &status, 0) > 0); | |
77 | assert_se(WIFEXITED(status) && WEXITSTATUS(status) == 0); | |
78 | } | |
79 | } | |
80 | ||
81 | static void show_capabilities(void) { | |
82 | cap_t caps; | |
83 | char *text; | |
84 | ||
85 | caps = cap_get_proc(); | |
86 | assert_se(caps); | |
87 | ||
88 | text = cap_to_text(caps, NULL); | |
89 | assert_se(text); | |
90 | ||
91 | log_info("Capabilities:%s", text); | |
92 | cap_free(caps); | |
93 | cap_free(text); | |
94 | } | |
95 | ||
70d7aea5 | 96 | static int setup_tests(bool *run_ambient) { |
6160e473 | 97 | struct passwd *nobody; |
70d7aea5 | 98 | int r; |
6160e473 | 99 | |
a3d37fe9 | 100 | nobody = getpwnam(NOBODY_USER_NAME); |
08d541ca | 101 | if (!nobody) |
6ab66833 | 102 | return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Could not find nobody user: %m"); |
08d541ca | 103 | |
6160e473 RC |
104 | test_uid = nobody->pw_uid; |
105 | test_gid = nobody->pw_gid; | |
106 | ||
70d7aea5 IP |
107 | *run_ambient = false; |
108 | ||
109 | r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); | |
110 | ||
111 | /* There's support for PR_CAP_AMBIENT if the prctl() call | |
112 | * succeeded or error code was something else than EINVAL. The | |
113 | * EINVAL check should be good enough to rule out false | |
114 | * positives. */ | |
115 | ||
116 | if (r >= 0 || errno != EINVAL) | |
117 | *run_ambient = true; | |
118 | ||
6160e473 RC |
119 | return 0; |
120 | } | |
121 | ||
122 | static void test_drop_privileges_keep_net_raw(void) { | |
123 | int sock; | |
124 | ||
125 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
126 | assert_se(sock >= 0); | |
127 | safe_close(sock); | |
128 | ||
129 | assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_NET_RAW)) >= 0); | |
130 | assert_se(getuid() == test_uid); | |
131 | assert_se(getgid() == test_gid); | |
132 | show_capabilities(); | |
133 | ||
134 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
135 | assert_se(sock >= 0); | |
136 | safe_close(sock); | |
137 | } | |
138 | ||
139 | static void test_drop_privileges_dontkeep_net_raw(void) { | |
140 | int sock; | |
141 | ||
142 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
143 | assert_se(sock >= 0); | |
144 | safe_close(sock); | |
145 | ||
146 | assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0); | |
147 | assert_se(getuid() == test_uid); | |
148 | assert_se(getgid() == test_gid); | |
149 | show_capabilities(); | |
150 | ||
151 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); | |
152 | assert_se(sock < 0); | |
153 | } | |
154 | ||
155 | static void test_drop_privileges_fail(void) { | |
156 | assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0); | |
157 | assert_se(getuid() == test_uid); | |
158 | assert_se(getgid() == test_gid); | |
159 | ||
160 | assert_se(drop_privileges(test_uid, test_gid, test_flags) < 0); | |
161 | assert_se(drop_privileges(0, 0, test_flags) < 0); | |
162 | } | |
163 | ||
164 | static void test_drop_privileges(void) { | |
165 | fork_test(test_drop_privileges_keep_net_raw); | |
166 | fork_test(test_drop_privileges_dontkeep_net_raw); | |
167 | fork_test(test_drop_privileges_fail); | |
168 | } | |
169 | ||
170 | static void test_have_effective_cap(void) { | |
171 | assert_se(have_effective_cap(CAP_KILL)); | |
172 | assert_se(have_effective_cap(CAP_CHOWN)); | |
173 | ||
174 | assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_KILL)) >= 0); | |
175 | assert_se(getuid() == test_uid); | |
176 | assert_se(getgid() == test_gid); | |
177 | ||
178 | assert_se(have_effective_cap(CAP_KILL)); | |
179 | assert_se(!have_effective_cap(CAP_CHOWN)); | |
180 | } | |
181 | ||
70d7aea5 IP |
182 | static void test_update_inherited_set(void) { |
183 | cap_t caps; | |
184 | uint64_t set = 0; | |
185 | cap_flag_value_t fv; | |
186 | ||
187 | caps = cap_get_proc(); | |
188 | assert_se(caps); | |
70d7aea5 IP |
189 | |
190 | set = (UINT64_C(1) << CAP_CHOWN); | |
191 | ||
192 | assert_se(!capability_update_inherited_set(caps, set)); | |
193 | assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); | |
194 | assert(fv == CAP_SET); | |
195 | ||
196 | cap_free(caps); | |
197 | } | |
198 | ||
199 | static void test_set_ambient_caps(void) { | |
200 | cap_t caps; | |
201 | uint64_t set = 0; | |
202 | cap_flag_value_t fv; | |
203 | ||
70d7aea5 IP |
204 | assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0); |
205 | ||
206 | set = (UINT64_C(1) << CAP_CHOWN); | |
207 | ||
208 | assert_se(!capability_ambient_set_apply(set, true)); | |
209 | ||
210 | caps = cap_get_proc(); | |
211 | assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); | |
212 | assert(fv == CAP_SET); | |
213 | cap_free(caps); | |
214 | ||
215 | assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1); | |
216 | } | |
217 | ||
74b6ce90 LP |
218 | static void test_ensure_cap_64bit(void) { |
219 | _cleanup_free_ char *content = NULL; | |
220 | unsigned long p = 0; | |
221 | int r; | |
222 | ||
223 | r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content); | |
224 | if (r == -ENOENT) /* kernel pre 3.2 */ | |
225 | return; | |
226 | assert_se(r >= 0); | |
227 | ||
228 | assert_se(safe_atolu(content, &p) >= 0); | |
229 | ||
230 | /* If caps don't fit into 64bit anymore, we have a problem, fail the test. */ | |
231 | assert_se(p <= 63); | |
232 | ||
233 | /* Also check for the header definition */ | |
234 | assert_se(CAP_LAST_CAP <= 63); | |
235 | } | |
236 | ||
6160e473 | 237 | int main(int argc, char *argv[]) { |
70d7aea5 | 238 | bool run_ambient; |
6160e473 | 239 | |
6d7c4033 ZJS |
240 | test_setup_logging(LOG_INFO); |
241 | ||
74b6ce90 LP |
242 | test_ensure_cap_64bit(); |
243 | ||
4c1a95fd YW |
244 | test_last_cap_file(); |
245 | test_last_cap_probe(); | |
246 | ||
39f608e4 LP |
247 | log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported())); |
248 | ||
317bb217 ZJS |
249 | if (getuid() != 0) |
250 | return log_tests_skipped("not running as root"); | |
6160e473 | 251 | |
317bb217 ZJS |
252 | if (setup_tests(&run_ambient) < 0) |
253 | return log_tests_skipped("setup failed"); | |
6160e473 RC |
254 | |
255 | show_capabilities(); | |
256 | ||
257 | test_drop_privileges(); | |
70d7aea5 IP |
258 | test_update_inherited_set(); |
259 | ||
6160e473 RC |
260 | fork_test(test_have_effective_cap); |
261 | ||
70d7aea5 IP |
262 | if (run_ambient) |
263 | fork_test(test_set_ambient_caps); | |
264 | ||
6160e473 RC |
265 | return 0; |
266 | } |