예제 #1
1
파일: capget.c 프로젝트: CarterTsai/rr
int main(void) {
  struct __user_cap_header_struct* hdr;
  struct __user_cap_data_struct* data;

  ALLOCATE_GUARD(hdr, 'a');
  hdr->version = 0;
  hdr->pid = 0;
  test_assert(0 == capget(hdr, NULL));
  test_assert(hdr->version > 0);
  VERIFY_GUARD(hdr);

  ALLOCATE_GUARD(hdr, 'a');
  hdr->version = _LINUX_CAPABILITY_VERSION_1;
  hdr->pid = 0;
  ALLOCATE_GUARD(data, 'b');
  test_assert(0 == capget(hdr, data));
  VERIFY_GUARD(hdr);
  VERIFY_GUARD(data);

  ALLOCATE_GUARD(hdr, 'c');
  hdr->version = _LINUX_CAPABILITY_VERSION_3;
  hdr->pid = 0;
  data = allocate_guard(sizeof(*data) * 2, 'd');
  test_assert(0 == capget(hdr, data));
  VERIFY_GUARD(hdr);
  verify_guard(sizeof(*data) * 2, data);

  atomic_puts("EXIT-SUCCESS");
  return 0;
}
예제 #2
1
int
main(void)
{
    const int data[] = { 2, 4, 0, 8, 16, 0 };
    const int v3 = 0x20080522;

    int * const head = tail_alloc(sizeof(int) * 2);
    head[0] = v3;
    head[1] = 0;
    int * const tail_data = tail_alloc(sizeof(data));

    capget(NULL, NULL);
    capget(head + 2, tail_data);
    capget(head, tail_data + ARRAY_SIZE(data));

    if (capget(head, tail_data))
        perror_msg_and_skip("capget");
    if (head[0] != v3)
        error_msg_and_skip("capget: v3 expected");

    memcpy(tail_data, data, sizeof(data));
    if (capset(head, data) == 0 || errno != EPERM)
        perror_msg_and_skip("capset");

    return 0;
}
예제 #3
0
static void lower_my_caps(void)
{
	struct __user_cap_header_struct caphdr = {
		.version = _LINUX_CAPABILITY_VERSION
	};
	cap_user_data_t capdata;
	ssize_t capstrlen = 0;
	cap_t my_cap;
	char *cap_text;
	int capsz;

	(void) capget(&caphdr, NULL);
	switch (caphdr.version) {
	case _LINUX_CAPABILITY_VERSION_1:
		capsz = _LINUX_CAPABILITY_U32S_1;
		break;
	case _LINUX_CAPABILITY_VERSION_2:
		capsz = _LINUX_CAPABILITY_U32S_2;
		break;
	default:
		abort(); /* can't happen */
	}

	capdata = gsh_calloc(capsz, sizeof(struct __user_cap_data_struct));
	caphdr.pid = getpid();

	if (capget(&caphdr, capdata) != 0)
		LogFatal(COMPONENT_INIT,
			 "Failed to query capabilities for process, errno=%u",
			 errno);

	/* Set the capability bitmask to remove CAP_SYS_RESOURCE */
	if (capdata->effective & CAP_TO_MASK(CAP_SYS_RESOURCE))
		capdata->effective &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);

	if (capdata->permitted & CAP_TO_MASK(CAP_SYS_RESOURCE))
		capdata->permitted &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);

	if (capdata->inheritable & CAP_TO_MASK(CAP_SYS_RESOURCE))
		capdata->inheritable &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);

	if (capset(&caphdr, capdata) != 0)
		LogFatal(COMPONENT_INIT,
			 "Failed to set capabilities for process, errno=%u",
			 errno);
	else
		LogEvent(COMPONENT_INIT,
			 "CAP_SYS_RESOURCE was successfully removed for proper quota management in FSAL");

	/* Print newly set capabilities (same as what CLI "getpcaps" displays */
	my_cap = cap_get_proc();
	cap_text = cap_to_text(my_cap, &capstrlen);
	LogEvent(COMPONENT_INIT, "currenty set capabilities are: %s",
		 cap_text);
	cap_free(cap_text);
	cap_free(my_cap);
	gsh_free(capdata);
}
예제 #4
0
static void raise_caps() {
  // Raise CapInh to match CapPrm, so that we can set the ambient bits.
  __user_cap_header_struct capheader;
  memset(&capheader, 0, sizeof(capheader));
  capheader.version = _LINUX_CAPABILITY_VERSION_3;
  capheader.pid = 0;

  __user_cap_data_struct capdata[2];
  if (capget(&capheader, &capdata[0]) == -1) {
    fatal_errno("capget failed");
  }

  if (capdata[0].permitted != capdata[0].inheritable ||
      capdata[1].permitted != capdata[1].inheritable) {
    capdata[0].inheritable = capdata[0].permitted;
    capdata[1].inheritable = capdata[1].permitted;

    if (capset(&capheader, &capdata[0]) == -1) {
      async_safe_format_log(ANDROID_LOG_ERROR, "libc", "capset failed: %s", strerror(errno));
    }
  }

  // Set the ambient capability bits so that crash_dump gets all of our caps and can ptrace us.
  uint64_t capmask = capdata[0].inheritable;
  capmask |= static_cast<uint64_t>(capdata[1].inheritable) << 32;
  for (unsigned long i = 0; i < 64; ++i) {
    if (capmask & (1ULL << i)) {
      if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) != 0) {
        async_safe_format_log(ANDROID_LOG_ERROR, "libc",
                              "failed to raise ambient capability %lu: %s", i, strerror(errno));
      }
    }
  }
}
예제 #5
0
파일: oor.c 프로젝트: biels/oor
int
check_capabilities()
{
    struct __user_cap_header_struct cap_header;
    struct __user_cap_data_struct cap_data;

    cap_header.pid = getpid();
    cap_header.version = _LINUX_CAPABILITY_VERSION;

    /* Check if oor is already running: /var/run/oor.pid */

    if (capget(&cap_header, &cap_data) < 0)
    {
        OOR_LOG(LCRIT, "Could not retrieve capabilities");
        return BAD;
    }

    OOR_LOG(LWRN, "Rights: Effective [%u] Permitted  [%u]", cap_data.effective, cap_data.permitted);

    /* check for capabilities */
    if(  (cap_data.effective & CAP_TO_MASK(CAP_NET_ADMIN)) && (cap_data.effective & CAP_TO_MASK(CAP_NET_RAW))  )  {
    }
    else {
        OOR_LOG(LCRIT, "Insufficient rights, you need CAP_NET_ADMIN and CAP_NET_RAW. See README");
        return BAD;
    }

    return GOOD;
}
예제 #6
0
static int drop_privs()
{
    int res;
    struct __user_cap_header_struct head;
    struct __user_cap_data_struct newcaps;

    head.version = _LINUX_CAPABILITY_VERSION;
    head.pid = 0;
    res = capget(&head, &oldcaps);
    if(res == -1) {
        fprintf(stderr, "%s: failed to get capabilities: %s\n", progname,
                strerror(errno));
        return -1;
    }

    oldfsuid = setfsuid(getuid());
    oldfsgid = setfsgid(getgid());
    newcaps = oldcaps;
    /* Keep CAP_SYS_ADMIN for mount */
    newcaps.effective &= (1 << CAP_SYS_ADMIN);

    head.version = _LINUX_CAPABILITY_VERSION;
    head.pid = 0;
    res = capset(&head, &newcaps);
    if(res == -1) {
        fprintf(stderr, "%s: failed to set capabilities: %s\n", progname,
                strerror(errno));
        return -1;
    }
    return 0;
}
예제 #7
0
파일: oplock_linux.c 프로젝트: jophxy/samba
static void set_capability(unsigned capability)
{
#ifndef _LINUX_CAPABILITY_VERSION
#define _LINUX_CAPABILITY_VERSION 0x19980330
#endif
	/* these can be removed when they are in glibc headers */
	struct  {
		uint32 version;
		int pid;
	} header;
	struct {
		uint32 effective;
		uint32 permitted;
		uint32 inheritable;
	} data;

	header.version = _LINUX_CAPABILITY_VERSION;
	header.pid = 0;

	if (capget(&header, &data) == -1) {
		DEBUG(3,("Unable to get kernel capabilities (%s)\n", strerror(errno)));
		return;
	}

	data.effective |= (1<<capability);

	if (capset(&header, &data) == -1) {
		DEBUG(3,("Unable to set %d capability (%s)\n", 
			 capability, strerror(errno)));
	}
}
예제 #8
0
int main(void)
{
	struct __user_cap_header_struct uch;
	struct __user_cap_data_struct ucd;

	uch.version = _LINUX_CAPABILITY_VERSION_3;
	uch.pid = getpid();

	return capget(&uch, &ucd);
}
예제 #9
0
파일: lispd.c 프로젝트: Alphalink/lispmob
/*
 *  Check for superuser privileges
 */
int check_capabilities()
{
    struct __user_cap_header_struct cap_header;
    struct __user_cap_data_struct cap_data;

    cap_header.pid = getpid();
    cap_header.version = _LINUX_CAPABILITY_VERSION;
    if (capget(&cap_header, &cap_data) < 0)
    {
        lispd_log_msg(LISP_LOG_ERR, "Could not retrieve capabilities");
        return BAD;
    }

    lispd_log_msg(LISP_LOG_DEBUG_1, "Rights: Effective [%u] Permitted  [%u]", cap_data.effective, cap_data.permitted);

    /* check for capabilities */
    if(  (cap_data.effective & CAP_TO_MASK(CAP_NET_ADMIN)) && (cap_data.effective & CAP_TO_MASK(CAP_NET_RAW))  )  {
    }
    else {
        lispd_log_msg(LISP_LOG_CRIT, "Insufficient rights, you need CAP_NET_ADMIN and CAP_NET_RAW. See README");
        return BAD;
    }

    /* Clear all but the capability to bind to low ports */
    cap_data.effective = CAP_TO_MASK(CAP_NET_ADMIN) | CAP_TO_MASK(CAP_NET_RAW);
    cap_data.permitted = cap_data.effective ;
    cap_data.inheritable = 0;
    if (capset(&cap_header, &cap_data) < 0) {
        lispd_log_msg(LISP_LOG_WARNING, "Could not drop privileges");
        return BAD;
    }

    /* Tell kernel not clear permitted capabilities when dropping root */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
        lispd_log_msg(LISP_LOG_WARNING, "Sprctl(PR_SET_KEEPCAPS) failed");
        return GOOD;
    }

    /* Now we can drop privilege, drop effective rights even with KEEPCAPS */
    if (setuid(getuid()) < 0) {
        lispd_log_msg(LISP_LOG_WARNING, "Could not drop privileges");
    }

    /* that's why we need to set effective rights equal to permitted rights */
    if (capset(&cap_header, &cap_data) < 0)
    {
        lispd_log_msg(LISP_LOG_CRIT, "Could not set effective rights to permitted ones");
        return (BAD);
    }

    lispd_log_msg(LISP_LOG_DEBUG_1, "Rights: Effective [%u] Permitted  [%u]", cap_data.effective, cap_data.permitted);

    return GOOD;
}
static bool set_capabilities(void)
{
#if defined(ANDROID)
	struct __user_cap_header_struct header;
	struct __user_cap_data_struct cap;

	header.version = _LINUX_CAPABILITY_VERSION;
	header.pid = 0;

	/*
	 * CAP_NET_ADMIN: Allow use of MGMT interface
	 * CAP_NET_BIND_SERVICE: Allow use of privileged PSM
	 * CAP_NET_RAW: Allow use of bnep ioctl calls
	 */
	cap.effective = cap.permitted =
		CAP_TO_MASK(CAP_NET_RAW) |
		CAP_TO_MASK(CAP_NET_ADMIN) |
		CAP_TO_MASK(CAP_NET_BIND_SERVICE);
	cap.inheritable = 0;

	/* don't clear capabilities when dropping root */
	if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
		error("%s: prctl(): %s", __func__, strerror(errno));
		return false;
	}

	/* Android bluetooth user UID=1002 */
	if (setuid(1002) < 0) {
		error("%s: setuid(): %s", __func__, strerror(errno));
		return false;
	}

	/* TODO: Move to cap_set_proc once bionic support it */
	if (capset(&header, &cap) < 0) {
		error("%s: capset(): %s", __func__, strerror(errno));
		return false;
	}

	/* TODO: Move to cap_get_proc once bionic support it */
	if (capget(&header, &cap) < 0) {
		error("%s: capget(): %s", __func__, strerror(errno));
		return false;
	}

	DBG("Caps: eff: 0x%x, perm: 0x%x, inh: 0x%x", cap.effective,
					cap.permitted, cap.inheritable);

#endif
	return true;
}
예제 #11
0
int
main(void)
{
	int unused[6];
	const int data[] = { 2, 4, 0, 8, 16, 0 };
	const int v3 = 0x20080522;
	int head[] = { v3, 0 };

	if (capget(head, unused) || head[0] != v3 ||
	    capset(head, data) == 0 || errno != EPERM)
		return 77;

	return 0;
}
예제 #12
0
static int has_capabilities(__u32 mask)
{
  struct __user_cap_header_struct header;
  struct __user_cap_data_struct data;

  header.version = _LINUX_CAPABILITY_VERSION;
  header.pid = getpid();

  if (capget(&header, &data)) {
    NMF_LOG("Error: capget failed : %s\n", strerror(errno));
  }

  return data.effective & mask;
}
예제 #13
0
static void
show(pid_t pid)
{
  struct __user_cap_header_struct header;
  struct __user_cap_data_struct user;
  header.version = _LINUX_CAPABILITY_VERSION;
  header.pid     = pid;
  if (capget(&header,&user)==-1){
    perror ("reducecap: capget()");
    exit(wrapper_exit_code);
  }
  
  printReducecap(&user);
}
예제 #14
0
static void init(void)
{
	if (m.state != CAPNG_NEW)
		return;

	memset(&m.hdr, 0, sizeof(m.hdr));
	(void)capget(&m.hdr, NULL); // Returns -EINVAL
	if (m.hdr.version == _LINUX_CAPABILITY_VERSION_3 ||
		m.hdr.version == _LINUX_CAPABILITY_VERSION_2) {
		m.cap_ver = 3;
	} else if (m.hdr.version == _LINUX_CAPABILITY_VERSION_1) {
		m.cap_ver = 1;
	} else {
		m.state = CAPNG_ERROR;
		return;
	}

	memset(&m.data, 0, sizeof(cap_data_t));
#ifdef HAVE_SYSCALL_H
	m.hdr.pid = (unsigned)syscall(__NR_gettid);
#else
	m.hdr.pid = (unsigned)getpid();
#endif
	// Detect last cap
	if (last_cap == -1) {
		int fd;

		fd = open("/proc/sys/kernel/cap_last_cap", O_RDONLY);
		if (fd == -1) {
			if (errno != ENOENT) {
				m.state = CAPNG_ERROR;
				return;
			}
		} else {
			char buf[8];
			int num = read(fd, buf, sizeof(buf) - 1);
			if (num > 0) {
				buf[num] = 0;
				errno = 0;
				int val = strtoul(buf, NULL, 10);
				if (errno == 0)
					last_cap = val;
			}
			close(fd);
		}
		if (last_cap == -1)
			last_cap = CAP_LAST_CAP;
	}
	m.state = CAPNG_ALLOCATED;
}
예제 #15
0
파일: cap_proc.c 프로젝트: OPSF/uClinux
cap_t cap_get_proc(void)
{
    cap_t result;

    /* allocate a new capability set */
    result = cap_init();
    if (result) {
	_cap_debug("getting current process' capabilities");

	/* fill the capability sets via a system call */
	if (capget(&result->head, &result->set)) {
	    cap_free(&result);
	}
    }

    return result;
}
예제 #16
0
파일: cap_proc.c 프로젝트: OPSF/uClinux
int capgetp(pid_t pid, cap_t cap_d)
{
    int error;

    if (!good_cap_t(cap_d)) {
	errno = EINVAL;
	return -1;
    }

    _cap_debug("getting process capabilities for proc %d", pid);

    cap_d->head.pid = pid;
    error = capget(&cap_d->head, &cap_d->set);
    cap_d->head.version = _LINUX_CAPABILITY_VERSION;
    cap_d->head.pid = 0;

    return error;
}
예제 #17
0
파일: capget02.c 프로젝트: ystk/debian-ltp
int main(int ac, char **av)
{

	int lc, i;		/* loop counter */
	char *msg;		/* message returned from parse_opts */

	/* parse standard options */
	if ((msg = parse_opts(ac, av, (option_t *) NULL, NULL))
	    != (char *)NULL) {
		tst_brkm(TBROK, tst_exit, "OPTION PARSING ERROR - %s", msg);
	}

	/* perform global setup for test */
	setup();

	/* check looping state if -i option given */
	for (lc = 0; TEST_LOOPING(lc); lc++) {

		/* reset Tst_count in case we are looping. */
		Tst_count = 0;

		for (i = 0; i < TST_TOTAL; ++i) {
			test_setup(i);
			TEST(capget(test_cases[i].headerp,
				    test_cases[i].datap));

			if ((TEST_RETURN == -1) && (TEST_ERRNO ==
						    test_cases[i].exp_errno)) {
				tst_resm(TPASS, "capget() returned -1,"
					 " errno: %s", test_cases[i].errdesc);
			} else {
				tst_resm(TFAIL|TTERRNO, "Test Failed, capget() returned %ld",
					 TEST_RETURN);
			}
			TEST_ERROR_LOG(TEST_ERRNO);
		}
	}			/* End for TEST_LOOPING */

	/* cleanup and exit */
	cleanup();

	 /*NOTREACHED*/ return 0;

}				/* End main */
예제 #18
0
static void
acquire_caps (void)
{
  struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
  struct __user_cap_data_struct data[2] = { { 0 } };

  if (capget (&hdr, data)  < 0)
    die_with_error ("capget failed");

  if (((data[0].effective & REQUIRED_CAPS_0) == REQUIRED_CAPS_0) &&
      ((data[0].permitted & REQUIRED_CAPS_0) == REQUIRED_CAPS_0) &&
      ((data[1].effective & REQUIRED_CAPS_1) == REQUIRED_CAPS_1) &&
      ((data[1].permitted & REQUIRED_CAPS_1) == REQUIRED_CAPS_1))
    is_privileged = TRUE;

  if (getuid () != geteuid ())
    {
      /* Tell kernel not clear capabilities when dropping root */
      if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        die_with_error ("prctl(PR_SET_KEEPCAPS) failed");

      /* Drop root uid, but retain the required permitted caps */
      if (setuid (getuid ()) < 0)
        die_with_error ("unable to drop privs");
    }

  if (is_privileged)
    {
      /* Drop all non-require capabilities */
      data[0].effective = REQUIRED_CAPS_0;
      data[0].permitted = REQUIRED_CAPS_0;
      data[0].inheritable = 0;
      data[1].effective = REQUIRED_CAPS_1;
      data[1].permitted = REQUIRED_CAPS_1;
      data[1].inheritable = 0;
      if (capset (&hdr, data) < 0)
        die_with_error ("capset failed");
    }
  /* Else, we try unprivileged user namespaces */

  /* We need the process to be dumpable, or we can't access /proc/self/uid_map */
  if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) < 0)
    die_with_error ("prctl(PR_SET_DUMPABLE) failed");
}
예제 #19
0
static bool
verifyCap()
{
  int retried = 0;
  struct __user_cap_header_struct header;
  struct __user_cap_data_struct user[2];

  header.version = _LINUX_CAPABILITY_VERSION_3;
  header.pid     = 0;

  if (getuid()!=0) {
    WRITE_MSG(2, "'VERIFYCAP' can be executed as root only\n");
    return false;
  }

//  if( prctl( PR_SET_KEEPCAPS, 1,0,0,0 ) < 0 ) {
//    perror( "prctl:" );
//    return false;
//  }

retry:
  if (capget(&header, user)==-1) {
    if (!retried &&
	header.version != _LINUX_CAPABILITY_VERSION_3) {
      header.version = _LINUX_CAPABILITY_VERSION_1;
      retried = 1;
      goto retry;
    }
    perror("capget()");
    return false;
  }

  user[0].effective   = user[1].effective   = 0;
  user[0].permitted   = user[1].permitted   = 0;
  user[0].inheritable = user[1].inheritable = 0;

  if (capset(&header, user)==-1) {
    perror("capset()");
    return false;
  }

  return chroot("/")==-1;
}
예제 #20
0
파일: capset01.c 프로젝트: CSU-GH/okl4_3.0
/* setup() - performs all ONE TIME setup for this test */
void
setup()
{
	/* capture signals */
	tst_sig(NOFORK, DEF_HANDLER, cleanup);

	/* Pause if that option was specified */
	TEST_PAUSE;

	/*
	 * Save current capability data.
	 * header.version must be _LINUX_CAPABILITY_VERSION
	 */
	header.version = _LINUX_CAPABILITY_VERSION;
	header.pid = 0;
	if ((capget(&header, &data)) == -1) {
		tst_brkm(TBROK, tst_exit, "capget() failed");
	}

}	/* End setup() */
예제 #21
0
static int stress_capgetset_pid(
	const char *name,
	const pid_t pid,
	const bool do_set,
	uint64_t *counter,
	const bool exists)
{
	int ret;
	struct __user_cap_header_struct uch;
	struct __user_cap_data_struct ucd[_LINUX_CAPABILITY_U32S_3];

	memset(&uch, 0, sizeof uch);
	memset(ucd, 0, sizeof ucd);

	uch.version = _LINUX_CAPABILITY_VERSION_3;
	uch.pid = pid;

	ret = capget(&uch, ucd);
	if (ret < 0) {
		if (((errno == ESRCH) && exists) ||
		    (errno != ESRCH)) {
			pr_fail(stderr, "%s: capget on pid %d failed: errno=%d (%s)\n",
				name, pid, errno, strerror(errno));
		}
	}

	if (do_set) {
		ret = capset(&uch, ucd);
		if (ret < 0) {
			if (((errno == ESRCH) && exists) ||
			    (errno != ESRCH)) {
				pr_fail(stderr, "%s: capget on pid %d failed: errno=%d (%s)\n",
					name, pid, errno, strerror(errno));
			}
		}
	}

	(*counter)++;

	return ret;
}
예제 #22
0
int capng_get_caps_process(void)
{
	int rc;

	if (m.state == CAPNG_NEW)
		init();
	if (m.state == CAPNG_ERROR)
		return -1;

	rc = capget((cap_user_header_t)&m.hdr, (cap_user_data_t)&m.data);
	if (rc == 0) {
		m.state = CAPNG_INIT;
#ifdef PR_CAPBSET_DROP
		rc = get_bounding_set();
		if (rc < 0)
			m.state = CAPNG_ERROR;
#endif
	}

	return rc;
}
예제 #23
0
int main(int argc, char **argv)
{
	struct __user_cap_header_struct hdr;
	struct __user_cap_data_struct data[2];
	
	memset(&hdr, 0, sizeof(hdr));
	memset(&data, 0, sizeof(data));
	
	hdr.version = _LINUX_CAPABILITY_VERSION_3;
	hdr.pid = 0;
	
	if(capget(&hdr, &data[0])) {
		put(2, "capget() error\n");
		exit(2);
	}
	
	if(argc > 1) {
		int i, p;
		for(p=1;p>=0;p--) {
			for(i=31;i>=0;i--) {
				if(data[p].permitted & 1<<i)
					put(1, "x");
				else
					put(1, "-");
			}
		}
		put(1, "\n");
	}
	
	/* this cap may be turned off by default depending on kernel config */
	data[0].permitted |= (1 << CAP_SETPCAP);
	
	if(data[0].permitted == 0xffffffff &&
	   data[1].permitted == 0xffffffff) {
		put(1, "yes\n");
		exit(0);
	}
	put(1, "no\n");
	exit(1);
}
예제 #24
0
파일: capget01.c 프로젝트: ystk/debian-ltp
int main(int ac, char **av)
{

    int lc;			/* loop counter */
    char *msg;		/* message returned from parse_opts */

    /* parse standard options */
    if ((msg = parse_opts(ac, av, (option_t *) NULL, NULL))
            != (char *)NULL) {
        tst_brkm(TBROK, tst_exit, "OPTION PARSING ERROR - %s", msg);
    }

    /* perform global setup for test */
    setup();

    /* check looping state if -i option given */
    for (lc = 0; TEST_LOOPING(lc); lc++) {

        /* reset Tst_count in case we are looping. */
        Tst_count = 0;

        /* header.version must be _LINUX_CAPABILITY_VERSION */
        header.version = _LINUX_CAPABILITY_VERSION;
        TEST(capget(&header, &data));

        if (TEST_RETURN == 0) {
            tst_resm(TPASS, "capget() returned %ld", TEST_RETURN);
        } else {
            tst_resm(TFAIL|TTERRNO, "Test Failed, capget() returned %ld",
                     TEST_RETURN);
        }
    }			/* End for TEST_LOOPING */

    /* cleanup and exit */
    cleanup();

    /*NOTREACHED*/ return 0;

}				/* End main */
예제 #25
0
파일: capset02.c 프로젝트: ystk/debian-ltp
/* setup() - performs all ONE TIME setup for this test */
void setup()
{

	/* capture signals */
	tst_sig(NOFORK, DEF_HANDLER, cleanup);

	/* Set up the expected error numbers for -e option */
	TEST_EXP_ENOS(exp_enos);

	/* Pause if that option was specified */
	TEST_PAUSE;

	/*
	 * Save current capability data.
	 * header.version must be _LINUX_CAPABILITY_VERSION
	 */
	header.version = _LINUX_CAPABILITY_VERSION;
	if ((capget(&header, &data)) == -1) {
		tst_brkm(TBROK|TERRNO, tst_exit, "capget() failed");
	}

}				/* End setup() */
static jlong com_android_internal_os_ZygoteInit_capgetPermitted (JNIEnv *env,
    jobject clazz, jint pid)
{
    struct __user_cap_header_struct capheader;
    struct __user_cap_data_struct capdata;
    int err;

    memset (&capheader, 0, sizeof(capheader));
    memset (&capdata, 0, sizeof(capdata));

    capheader.version = _LINUX_CAPABILITY_VERSION;
    capheader.pid = pid;

    err = capget (&capheader, &capdata);

    if (err < 0) {
        jniThrowIOException(env, errno);
        return 0;
    }

    return (jlong) capdata.permitted;
}
예제 #27
0
int main(int argc, char **argv) {
  struct __user_cap_header_struct header = { _LINUX_CAPABILITY_VERSION_3, 0 };
  struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

  if (argc < 2) {
    fprintf(stderr, "Usage: %s COMMAND [ARGS]\n", argv[0]);
    exit(1);
  }

  prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
  if (setgid(getgid()) < 0 || setuid(getuid()) < 0)
    error(EXIT_FAILURE, 0, "Failed to drop privileges");

  capget(&header, data);
  data[CAP_NET_BIND_SERVICE >> 5].inheritable
    = 1 << (CAP_NET_BIND_SERVICE & 31);
  capset(&header, data);
  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BIND_SERVICE, 0, 0);

  execvp(argv[1], argv + 1);
  error(EXIT_FAILURE, errno, "exec %s", argv[1]);
}
예제 #28
0
파일: syscalls.c 프로젝트: HackLinux/linux
int main(int argc, char **argv)
{	int	x = 0;
	char	*args[10];

	setuid(2);

	signal(SIGCHLD, sigchld);
	do_signals();

	x += getpid();
	x += getppid();
	x += getuid();
	x += getgid();
	x += setsid();
	x += seteuid();
	x += setegid();
	lseek(0, 0, -1);
	kill(0, 0);
	signal(99, 0);
	signal(SIGINT, int_handler);
	signal(SIGSEGV, segv_handler);
//	*(int *) 0 = 0;
	pipe(0);
	munmap(0, 0);
	mincore(0, 0);
	shmget(0);
	shmat(0);

	line = __LINE__;
	poll(-1, 0, 0);
	signal(SIGSEGV, SIG_IGN);
//	ppoll(-1, -1, -1, 0);
	signal(SIGSEGV, SIG_DFL);
	sched_yield();
	readv(-1, 0, 0, 0);
	writev(-1, 0, 0, 0);
	msync(0, 0, 0);
	fsync(-1);
	fdatasync(-1);
	semget(0, 0, 0);
	semctl(0, 0, 0);
	uselib(NULL);
	pivot_root(0, 0);
	personality(-1);
	setfsuid(-1);
	flock(-1, 0);
	shmdt(0, 0, 0);
	times(0);
	mremap(0, 0, 0, 0, 0);
	madvise(0, 0, 0);
	fchown(-1, 0, 0);
	lchown(0, 0, 0);
	setreuid();
	setregid();
	link("/nonexistant", "/also-nonexistant");

	do_slow();

	symlink("/nothing", "/");
	rename("/", "/");
	mkdir("/junk/stuff////0", 0777);
	geteuid();
	getsid();
	getpgid();
	getresuid();
	getresgid();
	getpgid();
	ptrace(-1, 0, 0, 0);
	semop(0, 0, 0);
	capget(0, 0);

	line = __LINE__;
	gettimeofday(0, 0);
	settimeofday(0, 0);
	dup(-1);
	dup2(-1, -1);
	shmctl(0, 0, 0, 0);
	execve("/bin/nothing", "/bin/nothing", 0);
	alarm(9999);
	bind(0, 0, 0);
	socket(0, 0, 0);
	accept(0, 0, 0);
	listen(0);
	shutdown(0);
	getsockname(0, 0, 0);
	getpeername(0, 0, 0);
	truncate(0, 0);
	ftruncate(0, 0);
	line = __LINE__;
	if (vfork() == 0)
		exit(0);
	line = __LINE__;
	x = opendir("/", 0, 0);
	line = __LINE__;
	readdir(x, 0, 0);
	line = __LINE__;
	closedir(x);
	line = __LINE__;
	chroot("/");
	line = __LINE__;
	sigaction(0, 0, 0);
	line = __LINE__;
	sigprocmask(0, 0, 0);
	x += open("/nothing", 0);
	x += chdir("/nothing");
	x += mknod("/nothing/nothing", 0);
	x += ioctl();
	execve("/nothing", NULL, NULL);
	line = __LINE__;
	x += close(-2);
	line = __LINE__;
	if (fork() == 0)
		exit(0);
	line = __LINE__;
	clone(clone_func, 0, 0, 0);
	line = __LINE__;
	brk(0);
	sbrk(0);
	line = __LINE__;
	mmap(0, 0, 0, 0, 0);
	line = __LINE__;
	uname(0);
	line = __LINE__;
	getcwd(0, 0);
	line = __LINE__;
	iopl(3);
	ioperm(0, 0, 0);
	mount(0, 0, 0, 0, 0);
	umount(0, 0);
	umount(0, 0, 0);
	swapon(0, 0);
	swapoff(0);
	sethostname(0);
	line = __LINE__;
	time(NULL);
	unlink("/nothing");
	line = __LINE__;
	rmdir("/nothing");
	chmod(0, 0);
	line = __LINE__;
# if defined(__i386) || defined(__amd64)
	modify_ldt(0);
# endif

	stat("/doing-nice", 0);
	nice(0);

	args[0] = "/bin/df";
	args[1] = "-l";
	args[2] = NULL;
	close(1);
	open("/dev/null", O_WRONLY);
	/***********************************************/
	/*   Some  syscalls  arent  available  direct  */
	/*   from  libc,  so get them here. We mostly  */
	/*   care  about  the  ones which have caused  */
	/*   implementation   difficulty  and  kernel  */
	/*   crashes - eventually we can be complete.  */
	/***********************************************/
	line = __LINE__;
	open("/system-dependent-syscalls-follow", 0);
	line = __LINE__;
	if (fork() == 0)
		exit(0);

	{int status;
	while (wait(&status) >= 0)
		;
	}

	sigaltstack(0, 0);

	/*vm86(0, 0);*/

	/***********************************************/
	/*   Some syscalls arent directly accessible,  */
	/*   e.g. legacy.			       */
	/***********************************************/
#if defined(__x86_64__)
	trace(__LINE__, "x64 syscalls");
	syscall(174, 0, 0, 0); // create_module
	syscall(176, 0, 0, 0); // delete_module
	syscall(178, 0, 0, 0); // query_module
#else
	trace(__LINE__, "x32 syscalls");
	syscall(0, 0, 0, 0); // restart_syscall
	syscall(34, 0, 0, 0); // nice
	syscall(59, 0, 0, 0); // oldolduname	
	syscall(109, 0, 0, 0); // olduname	
	if (fork() == 0)
		syscall(1, 0, 0, 0); // exit
#endif
	line = __LINE__;
	execve("/bin/df", args, NULL);

	fprintf(stderr, "Error: should not get here -- %s\n", strerror(errno));

	exit(1);
}
int main(void)
{
    int retVal;
    pthread_attr_t attr;
    struct sched_param schedParam;
    pthread_t thread;


     struct __user_cap_header_struct cap_header_data;
     cap_user_header_t cap_header = &cap_header_data;

     struct __user_cap_data_struct cap_data_data;
     cap_user_data_t cap_data = &cap_data_data;
	 int ret;

    if (setresuid(0, 0, 0)) {
        fprintf(stderr, "Cannot switch to root: %s.\n", strerror(errno));
        return 1;
    }

     cap_header->pid = getpid();
     cap_header->version = _LINUX_CAPABILITY_VERSION;
 
     if (capget(cap_header, cap_data) < 0) {
         perror("Failed capget");
         exit(1);
     }
     printf("Cap data 0x%x, 0x%x, 0x%x\n", cap_data->effective,
         cap_data->permitted, cap_data->inheritable);

     /* Clear all but the capability to bind to low ports */
     cap_data->effective |= CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SYS_NICE);
     cap_data->permitted |= CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SYS_NICE);
     cap_data->inheritable |= CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SYS_NICE); 

	 if (capset(cap_header, cap_data) < 0)
		 printf("capset failed");

	 printf("Cap data 0x%x, 0x%x, 0x%x\n", cap_data->effective,
			 cap_data->permitted, cap_data->inheritable);

	ret = nice(-1);
	printf("nice: %d\n", ret);

	 /* Tell kernel not clear capabilities when dropping root */
	 if (prctl(PR_SET_KEEPCAPS, 1) < 0)
		 printf("prctl(PR_SET_KEEPCAPS) failed ");

	setresuid(1000,1000,1000);
	printf("setresuid\n");
	
	/* Clear all but the capability to bind to low ports */
     cap_data->effective |= CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SYS_NICE);
     cap_data->permitted |= CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SYS_NICE);
     cap_data->inheritable |= CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SYS_NICE); 

	 if (capset(cap_header, cap_data) < 0)
		 printf("capset failed");

	 printf("Cap data 0x%x, 0x%x, 0x%x\n", cap_data->effective,
			 cap_data->permitted, cap_data->inheritable);




    retVal = pthread_attr_init(&attr);
    if (retVal)
    {
        fprintf(stderr, "pthread_attr_init error %d\n", retVal);
        exit(1);
    }

    retVal = pthread_attr_setinheritsched(&attr, PTHREAD_EXPLICIT_SCHED);
    if (retVal)
    {
        fprintf(stderr, "pthread_attr_setinheritsched error %d\n", retVal);
        exit(1);
    }

    retVal = pthread_attr_setschedpolicy(&attr, SCHED_RR);
    if (retVal)
    {
        fprintf(stderr, "pthread_attr_setschedpolicy error %d\n", retVal);
        exit(1);
    }

    schedParam.sched_priority = 99;
    retVal = pthread_attr_setschedparam(&attr, &schedParam);
    if (retVal)
    {
        fprintf(stderr, "pthread_attr_setschedparam error %d\n", retVal);
        exit(1);
    }

    retVal = pthread_create(&thread,
                            &attr,
                            _Thread,
                            NULL);
    if (retVal)
    {
        fprintf(stderr, "pthread_create error %d\n", retVal);
        exit(1);
    }

    retVal = pthread_join(thread, NULL);
    if (retVal)
    {
        fprintf(stderr, "pthread_join error %d\n", retVal);
        exit(1);
    }

    printf("main run successfully\n");
    return 0;
}