1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include <netinet/in.h>
6 #include <sys/socket.h>
10 #define TEST_CAPABILITY_C
12 #include "alloc-util.h"
13 #include "capability-util.h"
14 #include "errno-util.h"
18 #include "missing_prctl.h"
19 #include "parse-util.h"
20 #include "string-util.h"
23 static uid_t test_uid
= -1;
24 static gid_t test_gid
= -1;
26 #if HAS_FEATURE_ADDRESS_SANITIZER
27 /* Keep CAP_SYS_PTRACE when running under Address Sanitizer */
28 static const uint64_t test_flags
= UINT64_C(1) << CAP_SYS_PTRACE
;
30 /* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */
31 static const uint64_t test_flags
= UINT64_C(1) << CAP_DAC_OVERRIDE
;
34 /* verify cap_last_cap() against /proc/sys/kernel/cap_last_cap */
35 static void test_last_cap_file(void) {
36 _cleanup_free_
char *content
= NULL
;
37 unsigned long val
= 0;
40 r
= read_one_line_file("/proc/sys/kernel/cap_last_cap", &content
);
41 if (r
== -ENOENT
|| ERRNO_IS_PRIVILEGE(r
)) /* kernel pre 3.2 or no access */
45 r
= safe_atolu(content
, &val
);
48 assert_se(val
== cap_last_cap());
51 /* verify cap_last_cap() against syscall probing */
52 static void test_last_cap_probe(void) {
53 unsigned long p
= (unsigned long)CAP_LAST_CAP
;
55 if (prctl(PR_CAPBSET_READ
, p
) < 0) {
56 for (p
--; p
> 0; p
--)
57 if (prctl(PR_CAPBSET_READ
, p
) >= 0)
61 if (prctl(PR_CAPBSET_READ
, p
+1) < 0)
66 assert_se(p
== cap_last_cap());
69 static void fork_test(void (*test_func
)(void)) {
80 assert_se(waitpid(pid
, &status
, 0) > 0);
81 assert_se(WIFEXITED(status
) && WEXITSTATUS(status
) == 0);
85 static void show_capabilities(void) {
89 caps
= cap_get_proc();
92 text
= cap_to_text(caps
, NULL
);
95 log_info("Capabilities:%s", text
);
100 static int setup_tests(bool *run_ambient
) {
101 struct passwd
*nobody
;
104 nobody
= getpwnam(NOBODY_USER_NAME
);
106 return log_error_errno(SYNTHETIC_ERRNO(ENOENT
), "Could not find nobody user: %m");
108 test_uid
= nobody
->pw_uid
;
109 test_gid
= nobody
->pw_gid
;
111 *run_ambient
= false;
113 r
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_CLEAR_ALL
, 0, 0, 0);
115 /* There's support for PR_CAP_AMBIENT if the prctl() call
116 * succeeded or error code was something else than EINVAL. The
117 * EINVAL check should be good enough to rule out false
120 if (r
>= 0 || errno
!= EINVAL
)
126 static void test_drop_privileges_keep_net_raw(void) {
129 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
130 assert_se(sock
>= 0);
133 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
| (1ULL << CAP_NET_RAW
)) >= 0);
134 assert_se(getuid() == test_uid
);
135 assert_se(getgid() == test_gid
);
138 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
139 assert_se(sock
>= 0);
143 static void test_drop_privileges_dontkeep_net_raw(void) {
146 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
147 assert_se(sock
>= 0);
150 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) >= 0);
151 assert_se(getuid() == test_uid
);
152 assert_se(getgid() == test_gid
);
155 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
159 static void test_drop_privileges_fail(void) {
160 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) >= 0);
161 assert_se(getuid() == test_uid
);
162 assert_se(getgid() == test_gid
);
164 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) < 0);
165 assert_se(drop_privileges(0, 0, test_flags
) < 0);
168 static void test_drop_privileges(void) {
169 fork_test(test_drop_privileges_keep_net_raw
);
170 fork_test(test_drop_privileges_dontkeep_net_raw
);
171 fork_test(test_drop_privileges_fail
);
174 static void test_have_effective_cap(void) {
175 assert_se(have_effective_cap(CAP_KILL
));
176 assert_se(have_effective_cap(CAP_CHOWN
));
178 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
| (1ULL << CAP_KILL
)) >= 0);
179 assert_se(getuid() == test_uid
);
180 assert_se(getgid() == test_gid
);
182 assert_se(have_effective_cap(CAP_KILL
));
183 assert_se(!have_effective_cap(CAP_CHOWN
));
186 static void test_update_inherited_set(void) {
191 caps
= cap_get_proc();
194 set
= (UINT64_C(1) << CAP_CHOWN
);
196 assert_se(!capability_update_inherited_set(caps
, set
));
197 assert_se(!cap_get_flag(caps
, CAP_CHOWN
, CAP_INHERITABLE
, &fv
));
198 assert(fv
== CAP_SET
);
203 static void test_apply_ambient_caps(void) {
208 assert_se(prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, CAP_CHOWN
, 0, 0) == 0);
210 set
= (UINT64_C(1) << CAP_CHOWN
);
212 assert_se(!capability_ambient_set_apply(set
, true));
214 caps
= cap_get_proc();
216 assert_se(!cap_get_flag(caps
, CAP_CHOWN
, CAP_INHERITABLE
, &fv
));
217 assert_se(fv
== CAP_SET
);
220 assert_se(prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, CAP_CHOWN
, 0, 0) == 1);
222 assert_se(!capability_ambient_set_apply(0, true));
223 caps
= cap_get_proc();
225 assert_se(!cap_get_flag(caps
, CAP_CHOWN
, CAP_INHERITABLE
, &fv
));
226 assert_se(fv
== CAP_CLEAR
);
229 assert_se(prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, CAP_CHOWN
, 0, 0) == 0);
232 static void test_ensure_cap_64bit(void) {
233 _cleanup_free_
char *content
= NULL
;
237 r
= read_one_line_file("/proc/sys/kernel/cap_last_cap", &content
);
238 if (r
== -ENOENT
|| ERRNO_IS_PRIVILEGE(r
)) /* kernel pre 3.2 or no access */
242 assert_se(safe_atolu(content
, &p
) >= 0);
244 /* If caps don't fit into 64bit anymore, we have a problem, fail the test. */
247 /* Also check for the header definition */
248 assert_cc(CAP_LAST_CAP
<= 63);
251 int main(int argc
, char *argv
[]) {
254 test_setup_logging(LOG_INFO
);
256 test_ensure_cap_64bit();
258 test_last_cap_file();
259 test_last_cap_probe();
261 log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported()));
264 return log_tests_skipped("not running as root");
266 if (setup_tests(&run_ambient
) < 0)
267 return log_tests_skipped("setup failed");
271 test_drop_privileges();
272 test_update_inherited_set();
274 fork_test(test_have_effective_cap
);
277 fork_test(test_apply_ambient_caps
);