int main(int argc, char *argv[]) { #ifdef __linux__ #if defined HAVE_CAP_SYS_OPERATIONS && HAVE_CAP_SYS_OPERATIONS > 0 cap_t old_caps, new_caps; int setcaps[] = { CAP_SYS_OPERATIONS }; #endif if (ptrace(0x4281, 0, 0, 0) >= 0) { // new secure exec interface /* if getppid works, CAP_SYS_OPERATIONS has no effect :-( */ if (dup(0) >= 0) { fprintf(stderr, "capexec: CAP_SYS_OPERATIONS is not supported on this system\n"); return 6; } execve(argv[1], argv + 1, environ); perror("capexec: execve"); /* 6 exit code means that check is failed */ return 6; } #if defined HAVE_CAP_SYS_OPERATIONS && HAVE_CAP_SYS_OPERATIONS > 0 old_caps = cap_get_proc(); new_caps = cap_dup(old_caps); cap_set_flag(new_caps, CAP_EFFECTIVE, 1, setcaps, CAP_CLEAR); cap_set_flag(new_caps, CAP_PERMITTED, 1, setcaps, CAP_CLEAR); cap_set_flag(new_caps, CAP_INHERITABLE, 1, setcaps, CAP_CLEAR); cap_set_proc(new_caps); #endif /* if getppid works, CAP_SYS_OPERATIONS has no effect :-( */ if (dup(0) >= 0) { fprintf(stderr, "capexec: CAP_SYS_OPERATIONS is not supported on this system\n"); return 6; } execve(argv[1], argv + 1, environ); perror("capexec: execve"); #endif /* 6 exit code means that check is failed */ return 6; }
int main(void) { #if defined HAVE_CAP_SYS_OPERATIONS && HAVE_CAP_SYS_OPERATIONS > 0 cap_t old_caps, new_caps; int setcaps[] = { CAP_SYS_OPERATIONS }; #endif int p; fprintf(stderr, "t1: checking for disabled syscalls\n"); if (ptrace(0x4281, 0, 0, 0) >= 0) { // new interface fprintf(stderr, "t1: new interface detected\n"); } else { #if defined HAVE_CAP_SYS_OPERATIONS && HAVE_CAP_SYS_OPERATIONS > 0 old_caps = cap_get_proc(); new_caps = cap_dup(old_caps); cap_set_flag(new_caps, CAP_EFFECTIVE, 1, setcaps, CAP_CLEAR); cap_set_flag(new_caps, CAP_PERMITTED, 1, setcaps, CAP_CLEAR); cap_set_flag(new_caps, CAP_INHERITABLE, 1, setcaps, CAP_CLEAR); if (cap_set_proc(new_caps) < 0) { fprintf(stderr, "failed: cap_set_proc() failed\n"); return 1; } #endif } errno = 0; if ((p = fork()) < 0 && errno == EPERM) { fprintf(stderr, "ok\n"); return 0; } if (p < 0) { fprintf(stderr, "failed: unexpected fork() error: %s\n", strerror(errno)); return 1; } if (!p) _exit(1); fprintf(stderr, "failed: fork() succeeded\n"); return 1; }
int main(int argc, char *argv[], char *envp[]) { pid_t child; unsigned i; child = 0; for (i=1; i<argc; ++i) { if (!memcmp("--drop=", argv[i], 4)) { char *ptr; cap_t orig, raised_for_setpcap; /* * We need to do this here because --inh=XXX may have reset * orig and it isn't until we are within the --drop code that * we know what the prevailing (orig) pI value is. */ orig = cap_get_proc(); if (orig == NULL) { perror("Capabilities not available"); exit(1); } raised_for_setpcap = cap_dup(orig); if (raised_for_setpcap == NULL) { fprintf(stderr, "BSET modification requires CAP_SETPCAP\n"); exit(1); } if (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1, raise_setpcap, CAP_SET) != 0) { perror("unable to select CAP_SETPCAP"); exit(1); } if (strcmp("all", argv[i]+7) == 0) { unsigned j = 0; while (CAP_IS_SUPPORTED(j)) { if (cap_drop_bound(j) != 0) { char *name_ptr; name_ptr = cap_to_name(j); fprintf(stderr, "Unable to drop bounding capability [%s]\n", name_ptr); cap_free(name_ptr); exit(1); } j++; } } else { for (ptr = argv[i]+7; (ptr = strtok(ptr, ",")); ptr = NULL) { /* find name for token */ cap_value_t cap; int status; if (cap_from_name(ptr, &cap) != 0) { fprintf(stderr, "capability [%s] is unknown to libcap\n", ptr); exit(1); } if (cap_set_proc(raised_for_setpcap) != 0) { perror("unable to raise CAP_SETPCAP for BSET changes"); exit(1); } status = prctl(PR_CAPBSET_DROP, cap); if (cap_set_proc(orig) != 0) { perror("unable to lower CAP_SETPCAP post BSET change"); exit(1); } if (status) { fprintf(stderr, "failed to drop [%s=%u]\n", ptr, cap); exit(1); } } } cap_free(raised_for_setpcap); cap_free(orig); } else if (!memcmp("--inh=", argv[i], 6)) { cap_t all, raised_for_setpcap; char *text; char *ptr; all = cap_get_proc(); if (all == NULL) { perror("Capabilities not available"); exit(1); } if (cap_clear_flag(all, CAP_INHERITABLE) != 0) { perror("libcap:cap_clear_flag() internal error"); exit(1); } raised_for_setpcap = cap_dup(all); if ((raised_for_setpcap != NULL) && (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1, raise_setpcap, CAP_SET) != 0)) { cap_free(raised_for_setpcap); raised_for_setpcap = NULL; } text = cap_to_text(all, NULL); cap_free(all); if (text == NULL) { perror("Fatal error concerning process capabilities"); exit(1); } ptr = malloc(10 + strlen(argv[i]+6) + strlen(text)); if (ptr == NULL) { perror("Out of memory for inh set"); exit(1); } if (argv[i][6] && strcmp("none", argv[i]+6)) { sprintf(ptr, "%s %s+i", text, argv[i]+6); } else { strcpy(ptr, text); } all = cap_from_text(ptr); if (all == NULL) { perror("Fatal error internalizing capabilities"); exit(1); } cap_free(text); free(ptr); if (raised_for_setpcap != NULL) { /* * This is only for the case that pP does not contain * the requested change to pI.. Failing here is not * indicative of the cap_set_proc(all) failing (always). */ (void) cap_set_proc(raised_for_setpcap); cap_free(raised_for_setpcap); raised_for_setpcap = NULL; } if (cap_set_proc(all) != 0) { perror("Unable to set inheritable capabilities"); exit(1); } /* * Since status is based on orig, we don't want to restore * the previous value of 'all' again here! */ cap_free(all); } else if (!memcmp("--caps=", argv[i], 7)) { cap_t all, raised_for_setpcap; raised_for_setpcap = cap_get_proc(); if (raised_for_setpcap == NULL) { perror("Capabilities not available"); exit(1); } if ((raised_for_setpcap != NULL) && (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1, raise_setpcap, CAP_SET) != 0)) { cap_free(raised_for_setpcap); raised_for_setpcap = NULL; } all = cap_from_text(argv[i]+7); if (all == NULL) { fprintf(stderr, "unable to interpret [%s]\n", argv[i]); exit(1); } if (raised_for_setpcap != NULL) { /* * This is only for the case that pP does not contain * the requested change to pI.. Failing here is not * indicative of the cap_set_proc(all) failing (always). */ (void) cap_set_proc(raised_for_setpcap); cap_free(raised_for_setpcap); raised_for_setpcap = NULL; } if (cap_set_proc(all) != 0) { fprintf(stderr, "Unable to set capabilities [%s]\n", argv[i]); exit(1); } /* * Since status is based on orig, we don't want to restore * the previous value of 'all' again here! */ cap_free(all); } else if (!memcmp("--keep=", argv[i], 7)) { unsigned value; int set; value = strtoul(argv[i]+7, NULL, 0); set = prctl(PR_SET_KEEPCAPS, value); if (set < 0) { fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n", value, strerror(errno)); exit(1); } } else if (!memcmp("--chroot=", argv[i], 9)) { int status; cap_t orig, raised_for_chroot; orig = cap_get_proc(); if (orig == NULL) { perror("Capabilities not available"); exit(1); } raised_for_chroot = cap_dup(orig); if (raised_for_chroot == NULL) { perror("Unable to duplicate capabilities"); exit(1); } if (cap_set_flag(raised_for_chroot, CAP_EFFECTIVE, 1, raise_chroot, CAP_SET) != 0) { perror("unable to select CAP_SET_SYS_CHROOT"); exit(1); } if (cap_set_proc(raised_for_chroot) != 0) { perror("unable to raise CAP_SYS_CHROOT"); exit(1); } cap_free(raised_for_chroot); status = chroot(argv[i]+9); if (cap_set_proc(orig) != 0) { perror("unable to lower CAP_SYS_CHROOT"); exit(1); } /* * Given we are now in a new directory tree, its good practice * to start off in a sane location */ status = chdir("/"); cap_free(orig); if (status != 0) { fprintf(stderr, "Unable to chroot/chdir to [%s]", argv[i]+9); exit(1); } } else if (!memcmp("--secbits=", argv[i], 10)) { unsigned value; int status; value = strtoul(argv[i]+10, NULL, 0); status = prctl(PR_SET_SECUREBITS, value); if (status < 0) { fprintf(stderr, "failed to set securebits to 0%o/0x%x\n", value, value); exit(1); } } else if (!memcmp("--forkfor=", argv[i], 10)) { unsigned value; value = strtoul(argv[i]+10, NULL, 0); if (value == 0) { goto usage; } child = fork(); if (child < 0) { perror("unable to fork()"); } else if (!child) { sleep(value); exit(0); } } else if (!memcmp("--killit=", argv[i], 9)) { int retval, status; pid_t result; unsigned value; value = strtoul(argv[i]+9, NULL, 0); if (!child) { fprintf(stderr, "no forked process to kill\n"); exit(1); } retval = kill(child, value); if (retval != 0) { perror("Unable to kill child process"); exit(1); } result = waitpid(child, &status, 0); if (result != child) { fprintf(stderr, "waitpid didn't match child: %u != %u\n", child, result); exit(1); } if (WTERMSIG(status) != value) { fprintf(stderr, "child terminated with odd signal (%d != %d)\n" , value, WTERMSIG(status)); exit(1); } } else if (!memcmp("--uid=", argv[i], 6)) { unsigned value; int status; value = strtoul(argv[i]+6, NULL, 0); status = setuid(value); if (status < 0) { fprintf(stderr, "Failed to set uid=%u: %s\n", value, strerror(errno)); exit(1); } } else if (!memcmp("--gid=", argv[i], 6)) { unsigned value; int status; value = strtoul(argv[i]+6, NULL, 0); status = setgid(value); if (status < 0) { fprintf(stderr, "Failed to set gid=%u: %s\n", value, strerror(errno)); exit(1); } } else if (!memcmp("--groups=", argv[i], 9)) { char *ptr, *buf; long length, max_groups; gid_t *group_list; int g_count; length = sysconf(_SC_GETGR_R_SIZE_MAX); buf = calloc(1, length); if (NULL == buf) { fprintf(stderr, "No memory for [%s] operation\n", argv[i]); exit(1); } max_groups = sysconf(_SC_NGROUPS_MAX); group_list = calloc(max_groups, sizeof(gid_t)); if (NULL == group_list) { fprintf(stderr, "No memory for gid list\n"); exit(1); } g_count = 0; for (ptr = argv[i] + 9; (ptr = strtok(ptr, ",")); ptr = NULL, g_count++) { if (max_groups <= g_count) { fprintf(stderr, "Too many groups specified (%d)\n", g_count); exit(1); } if (!isdigit(*ptr)) { struct group *g, grp; getgrnam_r(ptr, &grp, buf, length, &g); if (NULL == g) { fprintf(stderr, "Failed to identify gid for group [%s]\n", ptr); exit(1); } group_list[g_count] = g->gr_gid; } else { group_list[g_count] = strtoul(ptr, NULL, 0); } } free(buf); if (setgroups(g_count, group_list) != 0) { fprintf(stderr, "Failed to setgroups.\n"); exit(1); } free(group_list); } else if (!memcmp("--user="******"User [%s] not known\n", user); exit(1); } ngroups = MAX_GROUPS; status = getgrouplist(user, pwd->pw_gid, groups, &ngroups); if (status < 1) { perror("Unable to get group list for user"); exit(1); } status = setgroups(ngroups, groups); if (status != 0) { perror("Unable to set group list for user"); exit(1); } status = setgid(pwd->pw_gid); if (status < 0) { fprintf(stderr, "Failed to set gid=%u(user=%s): %s\n", pwd->pw_gid, user, strerror(errno)); exit(1); } status = setuid(pwd->pw_uid); if (status < 0) { fprintf(stderr, "Failed to set uid=%u(user=%s): %s\n", pwd->pw_uid, user, strerror(errno)); exit(1); } } else if (!memcmp("--decode=", argv[i], 9)) { unsigned long long value; unsigned cap; const char *sep = ""; /* Note, if capabilities become longer than 64-bits we'll need to fixup the following code.. */ value = strtoull(argv[i]+9, NULL, 16); printf("0x%016llx=", value); for (cap=0; (cap < 64) && (value >> cap); ++cap) { if (value & (1ULL << cap)) { char *ptr; ptr = cap_to_name(cap); if (ptr != NULL) { printf("%s%s", sep, ptr); cap_free(ptr); } else { printf("%s%u", sep, cap); } sep = ","; } } printf("\n"); } else if (!memcmp("--supports=", argv[i], 11)) {
int caps_actually_set_test(void) { int whichcap, finalret = 0, ret; cap_t fcap, pcap, cap_fullpi; cap_value_t capvalue[1]; int i; fcap = cap_init(); pcap = cap_init(); if (!fcap || !pcap) { perror("cap_init"); exit(2); } create_fifo(); int num_caps; for (num_caps = 0;; num_caps++) { ret = prctl(PR_CAPBSET_READ, num_caps); /* * Break from the loop in this manner to avoid incrementing, * then having to decrement value. */ if (ret == -1) break; } /* first, try each bit in fP (forced) with fE on and off. */ for (whichcap = 0; whichcap < num_caps; whichcap++) { /* * fP=whichcap, fE=fI=0 * pP'=whichcap, pI'=pE'=0 */ capvalue[0] = whichcap; cap_clear(fcap); cap_set_flag(fcap, CAP_PERMITTED, 1, capvalue, CAP_SET); ret = cap_set_file(TSTPATH, fcap); if (ret) { tst_resm(TINFO, "%d\n", whichcap); continue; } ret = fork_drop_and_exec(DROP_PERMS, fcap); if (ret) { tst_resm(TINFO, "Failed CAP_PERMITTED=%d CAP_EFFECTIVE=0\n", whichcap); if (!finalret) finalret = ret; } /* SERGE here */ /* * fP = fE = whichcap, fI = 0 * pP = pE = whichcap, pI = 0 */ cap_clear(fcap); cap_set_flag(fcap, CAP_PERMITTED, 1, capvalue, CAP_SET); cap_set_flag(fcap, CAP_EFFECTIVE, 1, capvalue, CAP_SET); ret = cap_set_file(TSTPATH, fcap); if (ret) { tst_resm(TINFO, "%d\n", whichcap); continue; } ret = fork_drop_and_exec(DROP_PERMS, fcap); if (ret) { tst_resm(TINFO, "Failed CAP_PERMITTED=%d CAP_EFFECTIVE=1\n", whichcap); if (!finalret) finalret = ret; } } cap_free(pcap); cap_free(fcap); cap_fullpi = cap_init(); for (i = 0; i < num_caps; i++) { capvalue[0] = i; cap_set_flag(cap_fullpi, CAP_INHERITABLE, 1, capvalue, CAP_SET); } /* * For the inheritable tests, we want to make sure pI starts * filled. */ ret = cap_set_proc(cap_fullpi); if (ret) tst_resm(TINFO, "Could not fill pI. pI tests will fail.\n"); /* * next try each bit in fI * The first two attemps have the bit which is in fI in pI. * This should result in the bit being in pP'. * If fE was set then it should also be in pE'. * The last attempt starts with an empty pI. * This should result in empty capability, as there were * no bits to be inherited from the original process. */ for (whichcap = 0; whichcap < num_caps; whichcap++) { cap_t cmpcap; capvalue[0] = whichcap; /* * fI=whichcap, fP=fE=0 * pI=full * pI'=full, pP'=whichcap, pE'=0 */ /* fill pI' */ pcap = cap_dup(cap_fullpi); /* pP' = whichcap */ cap_set_flag(pcap, CAP_PERMITTED, 1, capvalue, CAP_SET); /* fI = whichcap */ fcap = cap_init(); cap_set_flag(fcap, CAP_INHERITABLE, 1, capvalue, CAP_SET); ret = cap_set_file(TSTPATH, fcap); if (ret) { tst_resm(TINFO, "%d\n", whichcap); continue; } ret = fork_drop_and_exec(KEEP_PERMS, pcap); if (ret) { tst_resm(TINFO, "Failed with_perms CAP_INHERITABLE=%d " "CAP_EFFECTIVE=0\n", whichcap); if (!finalret) finalret = ret; } /* * fI=fE=whichcap, fP=0 * pI=full * pI'=full, pP'=whichcap, pE'=whichcap * * Note that only fE and pE' change, so keep prior * fcap and pcap and set those bits. */ cap_set_flag(fcap, CAP_EFFECTIVE, 1, capvalue, CAP_SET); cap_set_flag(pcap, CAP_EFFECTIVE, 1, capvalue, CAP_SET); ret = cap_set_file(TSTPATH, fcap); if (ret) { tst_resm(TINFO, "%d\n", whichcap); continue; } /* The actual result will be a full pI, with * pE and pP containing just whichcap. */ cmpcap = cap_dup(cap_fullpi); cap_set_flag(cmpcap, CAP_PERMITTED, 1, capvalue, CAP_SET); cap_set_flag(cmpcap, CAP_EFFECTIVE, 1, capvalue, CAP_SET); ret = fork_drop_and_exec(KEEP_PERMS, cmpcap); cap_free(cmpcap); if (ret) { tst_resm(TINFO, "Failed with_perms CAP_INHERITABLE=%d " "CAP_EFFECTIVE=1\n", whichcap); if (!finalret) finalret = ret; } /* * fI=fE=whichcap, fP=0 (so fcap is same as before) * pI=0 (achieved using DROP_PERMS) * pI'=pP'=pE'=0 */ cap_clear(pcap); ret = fork_drop_and_exec(DROP_PERMS, pcap); if (ret) { tst_resm(TINFO, "Failed without_perms CAP_INHERITABLE=%d", whichcap); if (!finalret) finalret = ret; } cap_free(fcap); cap_free(pcap); } cap_free(cap_fullpi); return finalret; }
int main(int argc, char *argv[]) { #if HAVE_SYS_CAPABILITY_H int ret = 1; cap_value_t v[1]; cap_flag_value_t f; cap_t cur, tmpcap; /* We pick a random capability... let's use CAP_SYS_ADMIN */ /* make sure we have the capability now */ #if HAVE_DECL_CAP_BSET_READ ret = prctl(CAP_BSET_READ, CAP_SYS_ADMIN); #else errno = ENOSYS; ret = -1; #endif if (ret != 1) { tst_resm(TBROK, "Not starting with CAP_SYS_ADMIN\n"); tst_exit(); } /* Make sure it's in pI */ cur = cap_from_text("all=eip"); if (!cur) { tst_resm(TBROK, "Failed to create cap_sys_admin+i cap_t (errno %d)\n", errno); tst_exit(); } #if HAVE_DECL_CAP_SET_PROC ret = cap_set_proc(cur); #else errno = ENOSYS; ret = -1; #endif if (ret) { tst_resm(TBROK, "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n", ret, errno); tst_exit(); } #if HAVE_DECL_CAP_FREE cap_free(cur); #endif #if HAVE_DECL_CAP_GET_FLAG #if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); #else errno = ENOSYS; ret = -1; #endif #else errno = ENOSYS; ret = -1; #endif if (ret || f != CAP_SET) { tst_resm(TBROK, "Failed to add CAP_SYS_ADMIN to pI\n"); tst_exit(); } #if HAVE_DECL_CAP_FREE cap_free(cur); #endif /* drop the capability from bounding set */ #if HAVE_DECL_CAP_BSET_DROP ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN); #else errno = ENOSYS; ret = -1; #endif if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n"); tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno); tst_exit(); } /* test 1: is CAP_SYS_ADMIN still in pI? */ #if HAVE_DECL_CAP_GET_FLAG #if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); #else errno = ENOSYS; ret = -1; #endif #else errno = ENOSYS; ret = -1; #endif if (ret || f != CAP_SET) { tst_resm(TFAIL, "CAP_SYS_ADMIN not in pI after dropping from bounding set\n"); tst_exit(); } tst_resm(TPASS, "CAP_SYS_ADMIN remains in pI after removing from bounding set\n"); tmpcap = cap_dup(cur); v[0] = CAP_SYS_ADMIN; ret = cap_set_flag(tmpcap, CAP_INHERITABLE, 1, v, CAP_CLEAR); if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from cap_t\n"); tst_exit(); } ret = cap_set_proc(tmpcap); if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from pI\n"); tst_exit(); } #if HAVE_DECL_CAP_FREE cap_free(tmpcap); #endif /* test 2: can we put it back in pI? */ #if HAVE_DECL_CAP_SET_PROC ret = cap_set_proc(cur); #endif if (ret == 0) { /* success means pI was not bounded by X */ tst_resm(TFAIL, "Managed to put CAP_SYS_ADMIN back into pI though not in X\n"); tst_exit(); } #if HAVE_DECL_CAP_FREE cap_free(cur); #endif tst_resm(TPASS, "Couldn't put CAP_SYS_ADMIN back into pI when not in bounding set\n"); #else tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif tst_exit(); }