int main(int argc, char *argv[])
{
#ifdef __linux__
#if defined HAVE_CAP_SYS_OPERATIONS && HAVE_CAP_SYS_OPERATIONS > 0
cap_t old_caps, new_caps;
int setcaps[] = { CAP_SYS_OPERATIONS };
#endif
if (ptrace(0x4281, 0, 0, 0) >= 0) {
// new secure exec interface
/* if getppid works, CAP_SYS_OPERATIONS has no effect :-( */
if (dup(0) >= 0) {
fprintf(stderr,
"capexec: CAP_SYS_OPERATIONS is not supported on this system\n");
return 6;
}
execve(argv[1], argv + 1, environ);
perror("capexec: execve");
/* 6 exit code means that check is failed */
return 6;
}
#if defined HAVE_CAP_SYS_OPERATIONS && HAVE_CAP_SYS_OPERATIONS > 0
old_caps = cap_get_proc();
new_caps = cap_dup(old_caps);
cap_set_flag(new_caps, CAP_EFFECTIVE, 1, setcaps, CAP_CLEAR);
cap_set_flag(new_caps, CAP_PERMITTED, 1, setcaps, CAP_CLEAR);
cap_set_flag(new_caps, CAP_INHERITABLE, 1, setcaps, CAP_CLEAR);
cap_set_proc(new_caps);
#endif
/* if getppid works, CAP_SYS_OPERATIONS has no effect :-( */
if (dup(0) >= 0) {
fprintf(stderr,
"capexec: CAP_SYS_OPERATIONS is not supported on this system\n");
return 6;
}
execve(argv[1], argv + 1, environ);
perror("capexec: execve");
#endif
/* 6 exit code means that check is failed */
return 6;
}
int main(void)
{
#if defined HAVE_CAP_SYS_OPERATIONS && HAVE_CAP_SYS_OPERATIONS > 0
cap_t old_caps, new_caps;
int setcaps[] = { CAP_SYS_OPERATIONS };
#endif
int p;
fprintf(stderr, "t1: checking for disabled syscalls\n");
if (ptrace(0x4281, 0, 0, 0) >= 0) {
// new interface
fprintf(stderr, "t1: new interface detected\n");
} else {
#if defined HAVE_CAP_SYS_OPERATIONS && HAVE_CAP_SYS_OPERATIONS > 0
old_caps = cap_get_proc();
new_caps = cap_dup(old_caps);
cap_set_flag(new_caps, CAP_EFFECTIVE, 1, setcaps, CAP_CLEAR);
cap_set_flag(new_caps, CAP_PERMITTED, 1, setcaps, CAP_CLEAR);
cap_set_flag(new_caps, CAP_INHERITABLE, 1, setcaps, CAP_CLEAR);
if (cap_set_proc(new_caps) < 0) {
fprintf(stderr, "failed: cap_set_proc() failed\n");
return 1;
}
#endif
}
errno = 0;
if ((p = fork()) < 0 && errno == EPERM) {
fprintf(stderr, "ok\n");
return 0;
}
if (p < 0) {
fprintf(stderr, "failed: unexpected fork() error: %s\n", strerror(errno));
return 1;
}
if (!p) _exit(1);
fprintf(stderr, "failed: fork() succeeded\n");
return 1;
}
int main(int argc, char *argv[], char *envp[])
{
pid_t child;
unsigned i;
child = 0;
for (i=1; i<argc; ++i) {
if (!memcmp("--drop=", argv[i], 4)) {
char *ptr;
cap_t orig, raised_for_setpcap;
/*
* We need to do this here because --inh=XXX may have reset
* orig and it isn't until we are within the --drop code that
* we know what the prevailing (orig) pI value is.
*/
orig = cap_get_proc();
if (orig == NULL) {
perror("Capabilities not available");
exit(1);
}
raised_for_setpcap = cap_dup(orig);
if (raised_for_setpcap == NULL) {
fprintf(stderr, "BSET modification requires CAP_SETPCAP\n");
exit(1);
}
if (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1,
raise_setpcap, CAP_SET) != 0) {
perror("unable to select CAP_SETPCAP");
exit(1);
}
if (strcmp("all", argv[i]+7) == 0) {
unsigned j = 0;
while (CAP_IS_SUPPORTED(j)) {
if (cap_drop_bound(j) != 0) {
char *name_ptr;
name_ptr = cap_to_name(j);
fprintf(stderr,
"Unable to drop bounding capability [%s]\n",
name_ptr);
cap_free(name_ptr);
exit(1);
}
j++;
}
} else {
for (ptr = argv[i]+7; (ptr = strtok(ptr, ",")); ptr = NULL) {
/* find name for token */
cap_value_t cap;
int status;
if (cap_from_name(ptr, &cap) != 0) {
fprintf(stderr,
"capability [%s] is unknown to libcap\n",
ptr);
exit(1);
}
if (cap_set_proc(raised_for_setpcap) != 0) {
perror("unable to raise CAP_SETPCAP for BSET changes");
exit(1);
}
status = prctl(PR_CAPBSET_DROP, cap);
if (cap_set_proc(orig) != 0) {
perror("unable to lower CAP_SETPCAP post BSET change");
exit(1);
}
if (status) {
fprintf(stderr, "failed to drop [%s=%u]\n", ptr, cap);
exit(1);
}
}
}
cap_free(raised_for_setpcap);
cap_free(orig);
} else if (!memcmp("--inh=", argv[i], 6)) {
cap_t all, raised_for_setpcap;
char *text;
char *ptr;
all = cap_get_proc();
if (all == NULL) {
perror("Capabilities not available");
exit(1);
}
if (cap_clear_flag(all, CAP_INHERITABLE) != 0) {
perror("libcap:cap_clear_flag() internal error");
exit(1);
}
raised_for_setpcap = cap_dup(all);
if ((raised_for_setpcap != NULL)
&& (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1,
raise_setpcap, CAP_SET) != 0)) {
cap_free(raised_for_setpcap);
raised_for_setpcap = NULL;
}
text = cap_to_text(all, NULL);
cap_free(all);
if (text == NULL) {
perror("Fatal error concerning process capabilities");
exit(1);
}
ptr = malloc(10 + strlen(argv[i]+6) + strlen(text));
if (ptr == NULL) {
perror("Out of memory for inh set");
exit(1);
}
if (argv[i][6] && strcmp("none", argv[i]+6)) {
sprintf(ptr, "%s %s+i", text, argv[i]+6);
} else {
strcpy(ptr, text);
}
all = cap_from_text(ptr);
if (all == NULL) {
perror("Fatal error internalizing capabilities");
exit(1);
}
cap_free(text);
free(ptr);
if (raised_for_setpcap != NULL) {
/*
* This is only for the case that pP does not contain
* the requested change to pI.. Failing here is not
* indicative of the cap_set_proc(all) failing (always).
*/
(void) cap_set_proc(raised_for_setpcap);
cap_free(raised_for_setpcap);
raised_for_setpcap = NULL;
}
if (cap_set_proc(all) != 0) {
perror("Unable to set inheritable capabilities");
exit(1);
}
/*
* Since status is based on orig, we don't want to restore
* the previous value of 'all' again here!
*/
cap_free(all);
} else if (!memcmp("--caps=", argv[i], 7)) {
cap_t all, raised_for_setpcap;
raised_for_setpcap = cap_get_proc();
if (raised_for_setpcap == NULL) {
perror("Capabilities not available");
exit(1);
}
if ((raised_for_setpcap != NULL)
&& (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1,
raise_setpcap, CAP_SET) != 0)) {
cap_free(raised_for_setpcap);
raised_for_setpcap = NULL;
}
all = cap_from_text(argv[i]+7);
if (all == NULL) {
fprintf(stderr, "unable to interpret [%s]\n", argv[i]);
exit(1);
}
if (raised_for_setpcap != NULL) {
/*
* This is only for the case that pP does not contain
* the requested change to pI.. Failing here is not
* indicative of the cap_set_proc(all) failing (always).
*/
(void) cap_set_proc(raised_for_setpcap);
cap_free(raised_for_setpcap);
raised_for_setpcap = NULL;
}
if (cap_set_proc(all) != 0) {
fprintf(stderr, "Unable to set capabilities [%s]\n", argv[i]);
exit(1);
}
/*
* Since status is based on orig, we don't want to restore
* the previous value of 'all' again here!
*/
cap_free(all);
} else if (!memcmp("--keep=", argv[i], 7)) {
unsigned value;
int set;
value = strtoul(argv[i]+7, NULL, 0);
set = prctl(PR_SET_KEEPCAPS, value);
if (set < 0) {
fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n",
value, strerror(errno));
exit(1);
}
} else if (!memcmp("--chroot=", argv[i], 9)) {
int status;
cap_t orig, raised_for_chroot;
orig = cap_get_proc();
if (orig == NULL) {
perror("Capabilities not available");
exit(1);
}
raised_for_chroot = cap_dup(orig);
if (raised_for_chroot == NULL) {
perror("Unable to duplicate capabilities");
exit(1);
}
if (cap_set_flag(raised_for_chroot, CAP_EFFECTIVE, 1, raise_chroot,
CAP_SET) != 0) {
perror("unable to select CAP_SET_SYS_CHROOT");
exit(1);
}
if (cap_set_proc(raised_for_chroot) != 0) {
perror("unable to raise CAP_SYS_CHROOT");
exit(1);
}
cap_free(raised_for_chroot);
status = chroot(argv[i]+9);
if (cap_set_proc(orig) != 0) {
perror("unable to lower CAP_SYS_CHROOT");
exit(1);
}
/*
* Given we are now in a new directory tree, its good practice
* to start off in a sane location
*/
status = chdir("/");
cap_free(orig);
if (status != 0) {
fprintf(stderr, "Unable to chroot/chdir to [%s]", argv[i]+9);
exit(1);
}
} else if (!memcmp("--secbits=", argv[i], 10)) {
unsigned value;
int status;
value = strtoul(argv[i]+10, NULL, 0);
status = prctl(PR_SET_SECUREBITS, value);
if (status < 0) {
fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
value, value);
exit(1);
}
} else if (!memcmp("--forkfor=", argv[i], 10)) {
unsigned value;
value = strtoul(argv[i]+10, NULL, 0);
if (value == 0) {
goto usage;
}
child = fork();
if (child < 0) {
perror("unable to fork()");
} else if (!child) {
sleep(value);
exit(0);
}
} else if (!memcmp("--killit=", argv[i], 9)) {
int retval, status;
pid_t result;
unsigned value;
value = strtoul(argv[i]+9, NULL, 0);
if (!child) {
fprintf(stderr, "no forked process to kill\n");
exit(1);
}
retval = kill(child, value);
if (retval != 0) {
perror("Unable to kill child process");
exit(1);
}
result = waitpid(child, &status, 0);
if (result != child) {
fprintf(stderr, "waitpid didn't match child: %u != %u\n",
child, result);
exit(1);
}
if (WTERMSIG(status) != value) {
fprintf(stderr, "child terminated with odd signal (%d != %d)\n"
, value, WTERMSIG(status));
exit(1);
}
} else if (!memcmp("--uid=", argv[i], 6)) {
unsigned value;
int status;
value = strtoul(argv[i]+6, NULL, 0);
status = setuid(value);
if (status < 0) {
fprintf(stderr, "Failed to set uid=%u: %s\n",
value, strerror(errno));
exit(1);
}
} else if (!memcmp("--gid=", argv[i], 6)) {
unsigned value;
int status;
value = strtoul(argv[i]+6, NULL, 0);
status = setgid(value);
if (status < 0) {
fprintf(stderr, "Failed to set gid=%u: %s\n",
value, strerror(errno));
exit(1);
}
} else if (!memcmp("--groups=", argv[i], 9)) {
char *ptr, *buf;
long length, max_groups;
gid_t *group_list;
int g_count;
length = sysconf(_SC_GETGR_R_SIZE_MAX);
buf = calloc(1, length);
if (NULL == buf) {
fprintf(stderr, "No memory for [%s] operation\n", argv[i]);
exit(1);
}
max_groups = sysconf(_SC_NGROUPS_MAX);
group_list = calloc(max_groups, sizeof(gid_t));
if (NULL == group_list) {
fprintf(stderr, "No memory for gid list\n");
exit(1);
}
g_count = 0;
for (ptr = argv[i] + 9; (ptr = strtok(ptr, ","));
ptr = NULL, g_count++) {
if (max_groups <= g_count) {
fprintf(stderr, "Too many groups specified (%d)\n", g_count);
exit(1);
}
if (!isdigit(*ptr)) {
struct group *g, grp;
getgrnam_r(ptr, &grp, buf, length, &g);
if (NULL == g) {
fprintf(stderr, "Failed to identify gid for group [%s]\n", ptr);
exit(1);
}
group_list[g_count] = g->gr_gid;
} else {
group_list[g_count] = strtoul(ptr, NULL, 0);
}
}
free(buf);
if (setgroups(g_count, group_list) != 0) {
fprintf(stderr, "Failed to setgroups.\n");
exit(1);
}
free(group_list);
} else if (!memcmp("--user="******"User [%s] not known\n", user);
exit(1);
}
ngroups = MAX_GROUPS;
status = getgrouplist(user, pwd->pw_gid, groups, &ngroups);
if (status < 1) {
perror("Unable to get group list for user");
exit(1);
}
status = setgroups(ngroups, groups);
if (status != 0) {
perror("Unable to set group list for user");
exit(1);
}
status = setgid(pwd->pw_gid);
if (status < 0) {
fprintf(stderr, "Failed to set gid=%u(user=%s): %s\n",
pwd->pw_gid, user, strerror(errno));
exit(1);
}
status = setuid(pwd->pw_uid);
if (status < 0) {
fprintf(stderr, "Failed to set uid=%u(user=%s): %s\n",
pwd->pw_uid, user, strerror(errno));
exit(1);
}
} else if (!memcmp("--decode=", argv[i], 9)) {
unsigned long long value;
unsigned cap;
const char *sep = "";
/* Note, if capabilities become longer than 64-bits we'll need
to fixup the following code.. */
value = strtoull(argv[i]+9, NULL, 16);
printf("0x%016llx=", value);
for (cap=0; (cap < 64) && (value >> cap); ++cap) {
if (value & (1ULL << cap)) {
char *ptr;
ptr = cap_to_name(cap);
if (ptr != NULL) {
printf("%s%s", sep, ptr);
cap_free(ptr);
} else {
printf("%s%u", sep, cap);
}
sep = ",";
}
}
printf("\n");
} else if (!memcmp("--supports=", argv[i], 11)) {
int caps_actually_set_test(void)
{
int whichcap, finalret = 0, ret;
cap_t fcap, pcap, cap_fullpi;
cap_value_t capvalue[1];
int i;
fcap = cap_init();
pcap = cap_init();
if (!fcap || !pcap) {
perror("cap_init");
exit(2);
}
create_fifo();
int num_caps;
for (num_caps = 0;; num_caps++) {
ret = prctl(PR_CAPBSET_READ, num_caps);
/*
* Break from the loop in this manner to avoid incrementing,
* then having to decrement value.
*/
if (ret == -1)
break;
}
/* first, try each bit in fP (forced) with fE on and off. */
for (whichcap = 0; whichcap < num_caps; whichcap++) {
/*
* fP=whichcap, fE=fI=0
* pP'=whichcap, pI'=pE'=0
*/
capvalue[0] = whichcap;
cap_clear(fcap);
cap_set_flag(fcap, CAP_PERMITTED, 1, capvalue, CAP_SET);
ret = cap_set_file(TSTPATH, fcap);
if (ret) {
tst_resm(TINFO, "%d\n", whichcap);
continue;
}
ret = fork_drop_and_exec(DROP_PERMS, fcap);
if (ret) {
tst_resm(TINFO,
"Failed CAP_PERMITTED=%d CAP_EFFECTIVE=0\n",
whichcap);
if (!finalret)
finalret = ret;
}
/* SERGE here */
/*
* fP = fE = whichcap, fI = 0
* pP = pE = whichcap, pI = 0
*/
cap_clear(fcap);
cap_set_flag(fcap, CAP_PERMITTED, 1, capvalue, CAP_SET);
cap_set_flag(fcap, CAP_EFFECTIVE, 1, capvalue, CAP_SET);
ret = cap_set_file(TSTPATH, fcap);
if (ret) {
tst_resm(TINFO, "%d\n", whichcap);
continue;
}
ret = fork_drop_and_exec(DROP_PERMS, fcap);
if (ret) {
tst_resm(TINFO,
"Failed CAP_PERMITTED=%d CAP_EFFECTIVE=1\n",
whichcap);
if (!finalret)
finalret = ret;
}
}
cap_free(pcap);
cap_free(fcap);
cap_fullpi = cap_init();
for (i = 0; i < num_caps; i++) {
capvalue[0] = i;
cap_set_flag(cap_fullpi, CAP_INHERITABLE, 1, capvalue, CAP_SET);
}
/*
* For the inheritable tests, we want to make sure pI starts
* filled.
*/
ret = cap_set_proc(cap_fullpi);
if (ret)
tst_resm(TINFO, "Could not fill pI. pI tests will fail.\n");
/*
* next try each bit in fI
* The first two attemps have the bit which is in fI in pI.
* This should result in the bit being in pP'.
* If fE was set then it should also be in pE'.
* The last attempt starts with an empty pI.
* This should result in empty capability, as there were
* no bits to be inherited from the original process.
*/
for (whichcap = 0; whichcap < num_caps; whichcap++) {
cap_t cmpcap;
capvalue[0] = whichcap;
/*
* fI=whichcap, fP=fE=0
* pI=full
* pI'=full, pP'=whichcap, pE'=0
*/
/* fill pI' */
pcap = cap_dup(cap_fullpi);
/* pP' = whichcap */
cap_set_flag(pcap, CAP_PERMITTED, 1, capvalue, CAP_SET);
/* fI = whichcap */
fcap = cap_init();
cap_set_flag(fcap, CAP_INHERITABLE, 1, capvalue, CAP_SET);
ret = cap_set_file(TSTPATH, fcap);
if (ret) {
tst_resm(TINFO, "%d\n", whichcap);
continue;
}
ret = fork_drop_and_exec(KEEP_PERMS, pcap);
if (ret) {
tst_resm(TINFO, "Failed with_perms CAP_INHERITABLE=%d "
"CAP_EFFECTIVE=0\n", whichcap);
if (!finalret)
finalret = ret;
}
/*
* fI=fE=whichcap, fP=0
* pI=full
* pI'=full, pP'=whichcap, pE'=whichcap
*
* Note that only fE and pE' change, so keep prior
* fcap and pcap and set those bits.
*/
cap_set_flag(fcap, CAP_EFFECTIVE, 1, capvalue, CAP_SET);
cap_set_flag(pcap, CAP_EFFECTIVE, 1, capvalue, CAP_SET);
ret = cap_set_file(TSTPATH, fcap);
if (ret) {
tst_resm(TINFO, "%d\n", whichcap);
continue;
}
/* The actual result will be a full pI, with
* pE and pP containing just whichcap. */
cmpcap = cap_dup(cap_fullpi);
cap_set_flag(cmpcap, CAP_PERMITTED, 1, capvalue, CAP_SET);
cap_set_flag(cmpcap, CAP_EFFECTIVE, 1, capvalue, CAP_SET);
ret = fork_drop_and_exec(KEEP_PERMS, cmpcap);
cap_free(cmpcap);
if (ret) {
tst_resm(TINFO, "Failed with_perms CAP_INHERITABLE=%d "
"CAP_EFFECTIVE=1\n", whichcap);
if (!finalret)
finalret = ret;
}
/*
* fI=fE=whichcap, fP=0 (so fcap is same as before)
* pI=0 (achieved using DROP_PERMS)
* pI'=pP'=pE'=0
*/
cap_clear(pcap);
ret = fork_drop_and_exec(DROP_PERMS, pcap);
if (ret) {
tst_resm(TINFO,
"Failed without_perms CAP_INHERITABLE=%d",
whichcap);
if (!finalret)
finalret = ret;
}
cap_free(fcap);
cap_free(pcap);
}
cap_free(cap_fullpi);
return finalret;
}
int main(int argc, char *argv[])
{
#if HAVE_SYS_CAPABILITY_H
int ret = 1;
cap_value_t v[1];
cap_flag_value_t f;
cap_t cur, tmpcap;
/* We pick a random capability... let's use CAP_SYS_ADMIN */
/* make sure we have the capability now */
#if HAVE_DECL_CAP_BSET_READ
ret = prctl(CAP_BSET_READ, CAP_SYS_ADMIN);
#else
errno = ENOSYS;
ret = -1;
#endif
if (ret != 1) {
tst_resm(TBROK, "Not starting with CAP_SYS_ADMIN\n");
tst_exit();
}
/* Make sure it's in pI */
cur = cap_from_text("all=eip");
if (!cur) {
tst_resm(TBROK, "Failed to create cap_sys_admin+i cap_t (errno %d)\n", errno);
tst_exit();
}
#if HAVE_DECL_CAP_SET_PROC
ret = cap_set_proc(cur);
#else
errno = ENOSYS;
ret = -1;
#endif
if (ret) {
tst_resm(TBROK, "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n",
ret, errno);
tst_exit();
}
#if HAVE_DECL_CAP_FREE
cap_free(cur);
#endif
#if HAVE_DECL_CAP_GET_FLAG
#if HAVE_DECL_CAP_GET_PROC
cur = cap_get_proc();
ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
#else
errno = ENOSYS;
ret = -1;
#endif
#else
errno = ENOSYS;
ret = -1;
#endif
if (ret || f != CAP_SET) {
tst_resm(TBROK, "Failed to add CAP_SYS_ADMIN to pI\n");
tst_exit();
}
#if HAVE_DECL_CAP_FREE
cap_free(cur);
#endif
/* drop the capability from bounding set */
#if HAVE_DECL_CAP_BSET_DROP
ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN);
#else
errno = ENOSYS;
ret = -1;
#endif
if (ret) {
tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n");
tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno);
tst_exit();
}
/* test 1: is CAP_SYS_ADMIN still in pI? */
#if HAVE_DECL_CAP_GET_FLAG
#if HAVE_DECL_CAP_GET_PROC
cur = cap_get_proc();
ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
#else
errno = ENOSYS;
ret = -1;
#endif
#else
errno = ENOSYS;
ret = -1;
#endif
if (ret || f != CAP_SET) {
tst_resm(TFAIL, "CAP_SYS_ADMIN not in pI after dropping from bounding set\n");
tst_exit();
}
tst_resm(TPASS, "CAP_SYS_ADMIN remains in pI after removing from bounding set\n");
tmpcap = cap_dup(cur);
v[0] = CAP_SYS_ADMIN;
ret = cap_set_flag(tmpcap, CAP_INHERITABLE, 1, v, CAP_CLEAR);
if (ret) {
tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from cap_t\n");
tst_exit();
}
ret = cap_set_proc(tmpcap);
if (ret) {
tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from pI\n");
tst_exit();
}
#if HAVE_DECL_CAP_FREE
cap_free(tmpcap);
#endif
/* test 2: can we put it back in pI? */
#if HAVE_DECL_CAP_SET_PROC
ret = cap_set_proc(cur);
#endif
if (ret == 0) { /* success means pI was not bounded by X */
tst_resm(TFAIL, "Managed to put CAP_SYS_ADMIN back into pI though not in X\n");
tst_exit();
}
#if HAVE_DECL_CAP_FREE
cap_free(cur);
#endif
tst_resm(TPASS, "Couldn't put CAP_SYS_ADMIN back into pI when not in bounding set\n");
#else
tst_resm(TCONF, "System doesn't have POSIX capabilities.");
#endif
tst_exit();
}
