src/test/test-capability.c

   1 /***
   2   This file is part of systemd
   3
   4   Copyright 2014 Ronny Chevalier
   5
   6   systemd is free software; you can redistribute it and/or modify it
   7   under the terms of the GNU Lesser General Public License as published by
   8   the Free Software Foundation; either version 2.1 of the License, or
   9   (at your option) any later version.
  10
  11   systemd is distributed in the hope that it will be useful, but
  12   WITHOUT ANY WARRANTY; without even the implied warranty of
  13   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  14   Lesser General Public License for more details.
  15
  16   You should have received a copy of the GNU Lesser General Public License
  17   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  18 ***/
  19
  20 #include <sys/wait.h>
  21 #include <sys/capability.h>
  22 #include <sys/socket.h>
  23 #include <netinet/in.h>
  24 #include <pwd.h>
  25 #include <unistd.h>
  26
  27 #include "capability.h"
  28 #include "util.h"
  29 #include "macro.h"
  30
  31 static uid_t test_uid = -1;
  32 static gid_t test_gid = -1;
  33 // We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage
  34 static uint64_t test_flags = 1ULL << CAP_DAC_OVERRIDE;
  35
  36 static void fork_test(void (*test_func)(void)) {
  37         pid_t pid = 0;
  38
  39         pid = fork();
  40         assert_se(pid >= 0);
  41         if (pid == 0) {
  42                 test_func();
  43                 exit(0);
  44         } else if (pid > 0) {
  45                 int status;
  46
  47                 assert_se(waitpid(pid, &status, 0) > 0);
  48                 assert_se(WIFEXITED(status) && WEXITSTATUS(status) == 0);
  49         }
  50 }
  51
  52 static void show_capabilities(void) {
  53         cap_t caps;
  54         char *text;
  55
  56         caps = cap_get_proc();
  57         assert_se(caps);
  58
  59         text = cap_to_text(caps, NULL);
  60         assert_se(text);
  61
  62         log_info("Capabilities:%s", text);
  63         cap_free(caps);
  64         cap_free(text);
  65 }
  66
  67 static int setup_tests(void) {
  68         struct passwd *nobody;
  69
  70         nobody = getpwnam("nobody");
  71         if (!nobody) {
  72                 log_error_errno(errno, "Could not find nobody user: %m");
  73                 return -EXIT_TEST_SKIP;
  74         }
  75         test_uid = nobody->pw_uid;
  76         test_gid = nobody->pw_gid;
  77
  78         return 0;
  79 }
  80
  81 static void test_drop_privileges_keep_net_raw(void) {
  82         int sock;
  83
  84         sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
  85         assert_se(sock >= 0);
  86         safe_close(sock);
  87
  88         assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_NET_RAW)) >= 0);
  89         assert_se(getuid() == test_uid);
  90         assert_se(getgid() == test_gid);
  91         show_capabilities();
  92
  93         sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
  94         assert_se(sock >= 0);
  95         safe_close(sock);
  96 }
  97
  98 static void test_drop_privileges_dontkeep_net_raw(void) {
  99         int sock;
 100
 101         sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
 102         assert_se(sock >= 0);
 103         safe_close(sock);
 104
 105         assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
 106         assert_se(getuid() == test_uid);
 107         assert_se(getgid() == test_gid);
 108         show_capabilities();
 109
 110         sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
 111         assert_se(sock < 0);
 112 }
 113
 114 static void test_drop_privileges_fail(void) {
 115         assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
 116         assert_se(getuid() == test_uid);
 117         assert_se(getgid() == test_gid);
 118
 119         assert_se(drop_privileges(test_uid, test_gid, test_flags) < 0);
 120         assert_se(drop_privileges(0, 0, test_flags) < 0);
 121 }
 122
 123 static void test_drop_privileges(void) {
 124         fork_test(test_drop_privileges_keep_net_raw);
 125         fork_test(test_drop_privileges_dontkeep_net_raw);
 126         fork_test(test_drop_privileges_fail);
 127 }
 128
 129 static void test_have_effective_cap(void) {
 130         assert_se(have_effective_cap(CAP_KILL));
 131         assert_se(have_effective_cap(CAP_CHOWN));
 132
 133         assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_KILL)) >= 0);
 134         assert_se(getuid() == test_uid);
 135         assert_se(getgid() == test_gid);
 136
 137         assert_se(have_effective_cap(CAP_KILL));
 138         assert_se(!have_effective_cap(CAP_CHOWN));
 139 }
 140
 141 int main(int argc, char *argv[]) {
 142         int r;
 143
 144         log_parse_environment();
 145         log_open();
 146
 147         if (getuid() != 0)
 148                 return EXIT_TEST_SKIP;
 149
 150         r = setup_tests();
 151         if (r < 0)
 152                 return -r;
 153
 154         show_capabilities();
 155
 156         test_drop_privileges();
 157         fork_test(test_have_effective_cap);
 158
 159         return 0;
 160 }