2 This file is part of systemd
4 Copyright 2014 Ronny Chevalier
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <sys/capability.h>
22 #include <sys/socket.h>
23 #include <netinet/in.h>
27 #include "capability.h"
31 static uid_t test_uid
= -1;
32 static gid_t test_gid
= -1;
33 // We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage
34 static uint64_t test_flags
= 1ULL << CAP_DAC_OVERRIDE
;
36 static void fork_test(void (*test_func
)(void)) {
47 assert_se(waitpid(pid
, &status
, 0) > 0);
48 assert_se(WIFEXITED(status
) && WEXITSTATUS(status
) == 0);
52 static void show_capabilities(void) {
56 caps
= cap_get_proc();
59 text
= cap_to_text(caps
, NULL
);
62 log_info("Capabilities:%s", text
);
67 static int setup_tests(void) {
68 struct passwd
*nobody
;
70 nobody
= getpwnam("nobody");
72 log_error_errno(errno
, "Could not find nobody user: %m");
73 return -EXIT_TEST_SKIP
;
75 test_uid
= nobody
->pw_uid
;
76 test_gid
= nobody
->pw_gid
;
81 static void test_drop_privileges_keep_net_raw(void) {
84 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
88 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
| (1ULL << CAP_NET_RAW
)) >= 0);
89 assert_se(getuid() == test_uid
);
90 assert_se(getgid() == test_gid
);
93 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
98 static void test_drop_privileges_dontkeep_net_raw(void) {
101 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
102 assert_se(sock
>= 0);
105 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) >= 0);
106 assert_se(getuid() == test_uid
);
107 assert_se(getgid() == test_gid
);
110 sock
= socket(AF_INET
, SOCK_RAW
, IPPROTO_UDP
);
114 static void test_drop_privileges_fail(void) {
115 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) >= 0);
116 assert_se(getuid() == test_uid
);
117 assert_se(getgid() == test_gid
);
119 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
) < 0);
120 assert_se(drop_privileges(0, 0, test_flags
) < 0);
123 static void test_drop_privileges(void) {
124 fork_test(test_drop_privileges_keep_net_raw
);
125 fork_test(test_drop_privileges_dontkeep_net_raw
);
126 fork_test(test_drop_privileges_fail
);
129 static void test_have_effective_cap(void) {
130 assert_se(have_effective_cap(CAP_KILL
));
131 assert_se(have_effective_cap(CAP_CHOWN
));
133 assert_se(drop_privileges(test_uid
, test_gid
, test_flags
| (1ULL << CAP_KILL
)) >= 0);
134 assert_se(getuid() == test_uid
);
135 assert_se(getgid() == test_gid
);
137 assert_se(have_effective_cap(CAP_KILL
));
138 assert_se(!have_effective_cap(CAP_CHOWN
));
141 int main(int argc
, char *argv
[]) {
144 log_parse_environment();
148 return EXIT_TEST_SKIP
;
156 test_drop_privileges();
157 fork_test(test_have_effective_cap
);