Beispiel #1
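/*
 * Writes the capabilities of set @which that has_cap() reports as present
 * to @f, as a comma-separated list of names.
 *
 * Returns the number of capabilities printed, or -1 if has_cap() fails for
 * capability 0 (nothing has been written at that point).
 */
static int print_caps(FILE *f, enum cap_type which)
{
	int i, n = 0, max = real_cap_last_cap();

	for (i = 0; i <= max; i++) {
		int ret = has_cap(which, i);

		/* Only a failure on the very first probe aborts the listing;
		 * a negative result for a later capability is skipped. */
		if (i == 0 && ret < 0)
			return -1;

		if (ret == 1) {
			const char *name = capng_capability_to_name(i);
			if (n)
				fputc(',', f);
			if (name)
				fputs(name, f);
			else
				/* cap-ng has very poor handling of
				 * CAP_LAST_CAP changes.  This is the
				 * best we can do.
				 *
				 * The fallback must go to @f like every
				 * other entry: writing it to stdout would
				 * leave the list in @f without the
				 * capabilities libcap-ng cannot name, so a
				 * dump used for review would under-report
				 * what the process holds. */
				fprintf(f, "cap_%d", i);
			n++;
		}
	}

	return n;
}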
Beispiel #2
/*
 * Prints the name of every capability number from 0 up to and including
 * real_cap_last_cap(), one per line, on stdout.  A number that libcap-ng
 * cannot translate is reported through warnx() instead of being printed.
 */
static void list_known_caps(void)
{
    const int last = real_cap_last_cap();
    int cap = 0;

    while (cap <= last) {
        const char *label = capng_capability_to_name(cap);

        if (!label)
            warnx(_("cap %d: libcap-ng is broken"), cap);
        else
            printf("%s\n", label);
        cap++;
    }
}
Beispiel #3
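/**
 * @brief Checked wrapper around capng_capability_to_name().
 *
 * Rejects a capability number above get_last_cap_nr() before it is handed to
 * libcap-ng, and converts a null result into an exception, so the caller
 * never receives a null name.
 *
 * @param capability capability number to translate.
 * @return the pointer returned by capng_capability_to_name(); never null.
 * @throws capmodpp_error if @p capability is out of range or the lookup
 *         returns null.
 */
const char * secure_capng_capability_to_name(unsigned int capability) {
	static_assert(std::numeric_limits<decltype(capability)>::is_signed==false, "This must be unsigned (as we do not test for >=0)");
	const bool inputok = (capability<=get_last_cap_nr());
	if (!inputok) {
		// The rejected value is a plain unsigned integer, so it is safe to echo
		// in the message; only output values that are valid enough to print.
		std::ostringstream oss;
		oss << "Error: " << "invalid input" << " in " << __func__
			<< " for capability=" << capability << ".";
		throw capmodpp_error(oss.str());
	}
	const auto ret = t_const_char_ptr { capng_capability_to_name(capability) };
	if (ret == nullptr) {
		// Do not stream `ret` itself here. t_const_char_ptr is presumably an alias
		// for const char* (it is returned as one below - confirm), and inserting a
		// null const char* into an ostream is undefined behaviour; common
		// implementations set badbit, which silently drops the rest of the
		// message, including the capability number needed for diagnosis.
		std::ostringstream oss;
		oss << "Error: " << "FAILED" << " (ret=nullptr) in " << __func__
			<< " for capability=" << capability << ".";
		throw capmodpp_error(oss.str());
	}
	return ret;
}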
Beispiel #4
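/*
 * Self-test for the libcap-ng bit handling: clear/fill/save/restore of the
 * in-memory capability state, per-capability add/drop on the effective set
 * (and on the bounding set when CAP_LAST_CAP > 31), the text printer, and
 * capng_updatev().  Every failed expectation prints a message and abort()s;
 * EXIT_SUCCESS is returned only when all checks pass.
 */
int main(void)
{
	int rc, i, len, last = get_last_cap();
	char *text;
	void *saved;

	puts("Doing basic bit tests...");
	capng_clear(CAPNG_SELECT_BOTH);
	if (capng_have_capabilities(CAPNG_SELECT_BOTH) != CAPNG_NONE) {
		puts("Failed clearing capabilities");
		abort();
	}
	/* Snapshot of the cleared state; restored further down. */
	saved = capng_save_state();
	capng_fill(CAPNG_SELECT_BOTH);
	if (capng_have_capabilities(CAPNG_SELECT_BOTH) != CAPNG_FULL) {
		puts("Failed filling capabilities");
		abort();
	}
	// Need to detect if version 1 or 2 capabilities
	text = capng_print_caps_numeric(CAPNG_PRINT_BUFFER, CAPNG_SELECT_CAPS);
	/* The buffer variant is checked for NULL before use, as the later
	 * capng_print_caps_text() call is; strlen(NULL) would crash instead
	 * of reporting which step failed. */
	if (text == NULL) {
		puts("Failed getting numeric print text to buffer");
		abort();
	}
	len = strlen(text);
	free(text);
	/* Heuristic: a numeric dump shorter than 80 characters while `last`
	 * is above 30 is taken to mean that only capabilities 0..30 are
	 * usable, so the loop below is limited to them. */
	if (len < 80 && last > 30)	// The kernel & headers are mismatched
		last = 30;
	// Now test that restore still works
	capng_restore_state(&saved);
	if (capng_have_capabilities(CAPNG_SELECT_BOTH) != CAPNG_NONE) {
		puts("Failed restoring capabilities");
		abort();
	}
	printf("Doing advanced bit tests for %d capabilities...\n", last);
	for (i=0; i<=last; i++) {
		const char *name;
		/* Start every iteration from an empty state so that exactly
		 * one bit is set after the update below. */
		capng_clear(CAPNG_SELECT_BOTH);
		rc = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, i);
		if (rc) {
			puts("Failed update test 1");
			abort();
		}
		rc = capng_have_capability(CAPNG_EFFECTIVE, i);
		if (rc == 0) {
			puts("Failed have capability test 1");
			capng_print_caps_numeric(CAPNG_PRINT_STDOUT,
					CAPNG_SELECT_CAPS);
			abort();
		}
		if(capng_have_capabilities(CAPNG_SELECT_CAPS)!=CAPNG_PARTIAL){
			puts("Failed have capabilities test 1");
			capng_print_caps_numeric(CAPNG_PRINT_STDOUT,
					CAPNG_SELECT_CAPS);
			abort();
		}
#if CAP_LAST_CAP > 31
		/* Same single-bit check against the bounding set. */
		rc = capng_update(CAPNG_ADD, CAPNG_BOUNDING_SET, i);
		if (rc) {
			puts("Failed bset update test 2");
			abort();
		}
		rc = capng_have_capability(CAPNG_BOUNDING_SET, i);
		if (rc == 0) {
			puts("Failed bset have capability test 2");
			capng_print_caps_numeric(CAPNG_PRINT_STDOUT,
					CAPNG_SELECT_BOTH);
			abort();
		}
		if(capng_have_capabilities(CAPNG_SELECT_BOUNDS)!=CAPNG_PARTIAL){
			puts("Failed bset have capabilities test 2");
			capng_print_caps_numeric(CAPNG_PRINT_STDOUT,
					CAPNG_SELECT_BOTH);
			abort();
		}
#endif
		/* With a single effective bit set, the text dump must be
		 * exactly the name of capability i. */
		text=capng_print_caps_text(CAPNG_PRINT_BUFFER, CAPNG_EFFECTIVE);
		if (text == NULL) {
			puts("Failed getting print text to buffer");
			abort();
		}
		name = capng_capability_to_name(i);
		if (name == NULL) { 
			printf("Failed converting capability %d to name\n", i);
			abort();
		}
		if (strcmp(text, name)) {
			puts("Failed print text comparison");
			printf("%s != %s\n", text, name);
			abort();
		}
		free(text);
		// Now make sure the mask part is working
		capng_fill(CAPNG_SELECT_BOTH);
		rc = capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, i);
		if (rc) {
			puts("Failed update test 3");
			abort();
		}
		// Should be partial
		if(capng_have_capabilities(CAPNG_SELECT_CAPS)!=CAPNG_PARTIAL){
			puts("Failed have capabilities test 3");
			capng_print_caps_numeric(CAPNG_PRINT_STDOUT,
					CAPNG_SELECT_CAPS);
			abort();
		}
		// Add back the bit and should be full capabilities
		rc = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, i);
		if (rc) {
			puts("Failed update test 4");
			abort();
		}
		if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL){
			puts("Failed have capabilities test 4");
			capng_print_caps_numeric(CAPNG_PRINT_STDOUT,
					CAPNG_SELECT_CAPS);
			abort();
		}
	}
	// Now test the updatev function
	capng_clear(CAPNG_SELECT_BOTH);
	/* The argument list is terminated by -1. */
	rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE,
			CAP_CHOWN, CAP_FOWNER, CAP_KILL, -1);
	if (rc) {
		puts("Failed updatev test");
		abort();
	}
	rc = capng_have_capability(CAPNG_EFFECTIVE, CAP_CHOWN) &&
		capng_have_capability(CAPNG_EFFECTIVE, CAP_FOWNER) &&
		capng_have_capability(CAPNG_EFFECTIVE, CAP_KILL);
	if (rc == 0) {
		puts("Failed have updatev capability test");
		capng_print_caps_numeric(CAPNG_PRINT_STDOUT,
				CAPNG_SELECT_CAPS);
		abort();
	}

	return EXIT_SUCCESS;
}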