o First pass at an inter-process authorization regression testing suite.

  This test utility attempts to evaluate the current kernel policy
  for authorization inter-process activities, currently ptrace(),
  kill(, SIGHUP), getpriority(), and setpriority().  The utility creates
  pairs of processes, initializes their credential sets to useful
  cases, and reports on whether the results are in keeping with hard-coded
  safety expectations.

o Currently, this utility relies on the availability of __setugid(),
  an uncomitted system call used for managing the P_SUGID bit.  Due to
  continuing discussion of optional regression testing kernel components
  ("options REGRESSION") I'll hold off on committing that until the
  discussion has reached its natural termination.

o A number of additional testing factors should be taken into account
  in the testing, including tests for different classes of signals,
  interactions with process session characteristics, I/O signalling,
  broadcast activities such as broadcast signalling, mass priority
  setting, and to take into group-related aspects of credentials.
  Additional operations should also be taken into account, such as ktrace,
  debugging attach using procfs, and so on.

o This testing suite is intended to prevent the introduction of bugs
  in the upcoming sets of authorization changes associated with the
  introduction of process capabilities and mandatory access control.

Obtained from: TrustedBSD Project

5 files changed, 563 insertions, 0 deletions

diff --git a/tools/regression/security/proc_to_proc/Makefile b/tools/regression/security/proc_to_proc/Makefile
new file mode 100644
index 0000000..4880879
--- /dev/null
+++ b/tools/regression/security/proc_to_proc/Makefile
@@ -0,0 +1,12 @@
+# $FreeBSD$
+
+PROG=	testuid
+NOMAN=	yes
+
+#ADDITIONAL_FLAGS=-DSETSUGID_SUPPORTED
+#ADDITIONAL_FLAGS=	-DSETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
+ADDITIONAL_FLAGS+=	-DCHECK_CRED_SET
+CFLAGS+=	${ADDITIONAL_FLAGS}
+SRCS=	testuid.c scenario.c
+
+.include <bsd.prog.mk>
diff --git a/tools/regression/security/proc_to_proc/README b/tools/regression/security/proc_to_proc/README
new file mode 100644
index 0000000..978ef68
--- /dev/null
+++ b/tools/regression/security/proc_to_proc/README
@@ -0,0 +1,53 @@
+$FreeBSD$
+
+  Inter-Process Authorization Test Suite
+  Robert Watson, TrustedBSD Project
+
+This test suite attempts to determine the behavior of inter-process
+authorization policy present in the kernel.  It analyzes a series of
+important scenarios using specifically crafted process credentials
+and a set of operations.  It then reports on any divergence from the
+expected results.
+
+Test operations:
+
+ptrace		cred1 attempts ptrace attach to cred2
+signal		cred1 attempts SIGHUP of cred2
+see		cred1 attempts getpriority() on cred2
+sched		cred1 attempts setpriority() on cred2
+
+Test scenarioes:
+
+priv on priv		root process on another root process
+priv on unpriv1		root process on a non-root process
+unpriv1 on priv		non-root process on a root process
+unpriv1 on unpriv1	non-root process on a similar non-root process
+unpriv1 on unpriv2	non-root process on a different non-root process
+unpriv1 on daemon1	non-root process on a root daemon process acting with
+			same non-root effective credentials
+unpriv1 on daemon2	non-root process on a root daemon process acting with
+			different non-root effective credentials
+unpriv1 on setuid1	non-root process on a setuid-root process with same
+			non-root real credentials
+unpriv1 on setuid2	non-root process on a setuid-root process with
+			different non-root real credentials
+
+The credential elements supported by the test suite are:
+
+	effective uid
+	real uid
+	saved uid
+	P_SUGID flag
+
+Other untested aspects of interest include groups, as well as session
+relationship.  Other test operations that might be of interest are SIGCONT,
+SIGIO, and SIGSEGV.
+
+The current set of tests includes some tests where normally the P_SUGID
+flag is set, but isn't in the test.  The result is that some tests fail
+that may not reflect real-world software configurations.  However, they
+do point to possible changes that could be made in the authorization system
+to improve resilience to failure or violation of invariants.
+
+These tests rely on __setugid(), a system call enabled using options
+REGRESSION.
diff --git a/tools/regression/security/proc_to_proc/scenario.c b/tools/regression/security/proc_to_proc/scenario.c
new file mode 100644
index 0000000..1eafd1c
--- /dev/null
+++ b/tools/regression/security/proc_to_proc/scenario.c
@@ -0,0 +1,399 @@
+/*-
+ * Copyright (c) 2001 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/syscall.h>
+#include <sys/wait.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+/*
+ * Relevant parts of a process credential.
+ */
+struct cred {
+	uid_t	cr_euid, cr_ruid, cr_svuid;
+	int	cr_issetugid;
+};
+
+/*
+ * Description of a scenario.
+ */
+struct scenario {
+	struct cred	*sc_cred1, *sc_cred2;	/* credentials of p1 and p2 */
+	int		sc_candebug_errno;	/* desired ptrace failure */
+	int		sc_cansignal_errno;	/* desired SIGHUP failure */
+	int		sc_cansee_errno;	/* desired getprio failure */
+	int		sc_cansched_errno;	/* desired setprio failure */
+	char		*sc_name;		/* test name */
+};
+
+/*
+ * Table of relevant credential combinations.
+ */
+static struct cred creds[] = {
+/*		euid	ruid	svuid	issetugid	*/
+/* 0 */ {	0,	0,	0,	0 },	/* privileged */
+/* 1 */ {	0,	0,	0,	1 },	/* privileged + issetugid */
+/* 2 */ {	1000,	1000,	1000,	0 },	/* unprivileged1 */
+/* 3 */ {	1000,	1000,	1000,	1 },	/* unprivileged1 + issetugid */
+/* 4 */ {	1001,	1001,	1001,	0 },	/* unprivileged2 */
+/* 5 */ {	1001,	1001,	1001,	1 },	/* unprivileged2 + issetugid */
+/* 6 */ {	1000,	0,	0,	0 },	/* daemon1 */
+/* 7 */ {	1000,	0,	0,	1 },	/* daemon1 + issetugid */
+/* 8 */ {	1001,	0,	0,	0 },	/* daemon2 */
+/* 9 */ {	1001,	0,	0,	1 },	/* daemon2 + issetugid */
+/* 10 */{	0,	1000,	1000,	0 },	/* setuid1 */
+/* 11 */{	0, 	1000,	1000,	1 },	/* setuid1 + issetugid */
+/* 12 */{	0,	1001,	1001,	0 },	/* setuid2 */
+/* 13 */{	0,	1001,	1001,	1 },	/* setuid2 + issetugid */
+};
+
+/*
+ * Table of scenarios.
+ */
+static const struct scenario scenarios[] = {
+/*	cred1		cred2		debug	signal	see	sched	name */
+{	&creds[0],	&creds[0],	0,	0,	0,	0,	"0. priv on priv"},
+{	&creds[0],	&creds[1],	0,	0,	0,	0,	"1. priv on priv"},
+{	&creds[1],	&creds[0],	0,	0,	0,	0,	"2. priv on priv"},
+{	&creds[1],	&creds[1],	0,	0,	0,	0,	"3. priv on priv"},
+/* privileged on unprivileged */
+{	&creds[0],	&creds[2],	0,	0,	0,	0,	"4. priv on unpriv1"},
+{	&creds[0],	&creds[3],	0,	0,	0,	0,	"5. priv on unpriv1"},
+{	&creds[1],	&creds[2],	0,	0,	0,	0,	"6. priv on unpriv1"},
+{	&creds[1],	&creds[3],	0,	0,	0,	0,	"7. priv on unpriv1"},
+/* unprivileged on privileged */
+{	&creds[2],	&creds[0],	EPERM,	EPERM,	0,	EPERM,	"8. unpriv1 on priv"},
+{	&creds[2],	&creds[1],	EPERM,	EPERM,	0,	EPERM,	"9. unpriv1 on priv"},
+{	&creds[3],	&creds[0],	EPERM,	EPERM,	0,	EPERM,	"10. unpriv1 on priv"},
+{	&creds[3],	&creds[1],	EPERM,	EPERM,	0,	EPERM,	"11. unpriv1 on priv"},
+/* unprivileged on same unprivileged */
+{	&creds[2],	&creds[2],	0,	0,	0,	0,	"12. unpriv1 on unpriv1"},
+{	&creds[2],	&creds[3],	EPERM,	0,	0,	0,	"13. unpriv1 on unpriv1"},
+{	&creds[3],	&creds[2],	0,	0,	0,	0,	"14. unpriv1 on unpriv1"},
+{	&creds[3],	&creds[3],	EPERM,	0,	0,	0,	"15. unpriv1 on unpriv1"},
+/* unprivileged on different unprivileged */
+{	&creds[2],	&creds[4],	EPERM,	EPERM,	0,	EPERM,	"16. unpriv1 on unpriv2"},
+{	&creds[2],	&creds[5],	EPERM,	EPERM,	0,	EPERM,	"17. unpriv1 on unpriv2"},
+{	&creds[3],	&creds[4],	EPERM,	EPERM,	0,	EPERM,	"18. unpriv1 on unpriv2"},
+{	&creds[3],	&creds[5],	EPERM,	EPERM,	0,	EPERM,	"19. unpriv1 on unpriv2"},
+/* unprivileged on daemon, same */
+{	&creds[2],	&creds[6],	EPERM,	EPERM,	0,	EPERM,	"20. unpriv1 on daemon1"},
+{	&creds[2],	&creds[7],	EPERM,	EPERM,	0, 	EPERM,	"21. unpriv1 on daemon1"},
+{	&creds[3],	&creds[6],	EPERM,	EPERM,	0,	EPERM,	"22. unpriv1 on daemon1"},
+{	&creds[3],	&creds[7],	EPERM,	EPERM,	0,	EPERM,	"23. unpriv1 on daemon1"},
+/* unprivileged on daemon, different */
+{	&creds[2],	&creds[8],	EPERM,	EPERM,	0,	EPERM,	"24. unpriv1 on daemon2"},
+{	&creds[2],	&creds[9],	EPERM,	EPERM,	0,	EPERM,	"25. unpriv1 on daemon2"},
+{	&creds[3],	&creds[8],	EPERM,	EPERM,	0,	EPERM,	"26. unpriv1 on daemon2"},
+{	&creds[3],	&creds[9],	EPERM,	EPERM,	0,	EPERM,	"27. unpriv1 on daemon2"},
+/* unprivileged on setuid, same */
+{	&creds[2],	&creds[10],	EPERM,	0,	0,	0,	"28. unpriv1 on setuid1"},
+{	&creds[2],	&creds[11],	EPERM,	0,	0,	0,	"29. unpriv1 on setuid1"},
+{	&creds[3],	&creds[10],	EPERM,	0,	0,	0,	"30. unpriv1 on setuid1"},
+{	&creds[3],	&creds[11],	EPERM,	0,	0,	0,	"31. unpriv1 on setuid1"},
+/* unprivileged on setuid, different */
+{	&creds[2],	&creds[12],	EPERM,	EPERM,	0,	EPERM,	"32. unpriv1 on setuid2"},
+{	&creds[2],	&creds[13],	EPERM,	EPERM,	0,	EPERM,	"33. unpriv1 on setuid2"},
+{	&creds[3],	&creds[12],	EPERM,	EPERM,	0,	EPERM,	"34. unpriv1 on setuid2"},
+{	&creds[3],	&creds[13],	EPERM,	EPERM,	0,	EPERM,	"35. unpriv1 on setuid2"},
+};
+int scenarios_count = sizeof(scenarios) / sizeof(struct scenario);
+
+/*
+ * Convert an error number to a compact string representation.  For now,
+ * implement only the error numbers we are likely to see.
+ */
+static char *
+errno_to_string(int error)
+{
+
+	switch (error) {
+	case EPERM:
+		return ("EPERM");
+	case EACCES:
+		return ("EACCES");
+	case EINVAL:
+		return ("EINVAL");
+	case ENOSYS:
+		return ("ENOSYS");
+	case ESRCH:
+		return ("ESRCH");
+	case 0:
+		return ("0");
+	default:
+		return ("unknown");
+	}
+}
+
+/*
+ * Return a process credential describing the current process.
+ */
+static int
+cred_get(struct cred *cred)
+{
+	int error;
+
+	error = getresuid(&cred->cr_ruid, &cred->cr_euid, &cred->cr_svuid);
+	if (error)
+		return (error);
+
+	cred->cr_issetugid = issetugid();
+
+	return (0);
+}
+
+/*
+ * Userland stub for __setsugid() to take into account possible presence
+ * in C library, kernel, et al.
+ */
+int
+setugid(int flag)
+{
+
+#ifdef SETSUGID_SUPPORTED
+	return (__setugid(flag));
+#else
+#ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
+	return (syscall(374, flag));
+#else
+	return (ENOSYS);
+#endif
+#endif
+}
+
+/*
+ * Set the current process's credentials to match the passed credential.
+ */
+static int
+cred_set(struct cred *cred)
+{
+	int error;
+
+	error = setresuid(cred->cr_ruid, cred->cr_euid, cred->cr_svuid);
+	if (error)
+		return (error);
+
+	error = setugid(cred->cr_issetugid);
+	if (error) {
+		perror("__setugid");
+		return (error);
+	}
+
+#ifdef CHECK_CRED_SET
+	{
+		uid_t ruid, euid, svuid;
+		error = getresuid(&ruid, &euid, &svuid);
+		if (error) {
+			perror("getresuid");
+			return (-1);
+		}
+		assert(ruid == cred->cr_ruid);
+		assert(euid == cred->cr_euid);
+		assert(svuid == cred->cr_svuid);
+		assert(cred->cr_issetugid == issetugid());
+	}
+#endif /* !CHECK_CRED_SET */
+
+	return (0);
+}
+
+/*
+ * Print the passed process credential to the passed I/O stream.
+ */
+static void
+cred_print(FILE *output, struct cred *cred)
+{
+
+	fprintf(output, "(e:%d r:%d s:%d P_SUGID:%d)", cred->cr_euid,
+	    cred->cr_ruid, cred->cr_svuid, cred->cr_issetugid);
+}
+
+#define	LOOP_PTRACE	0
+#define	LOOP_SIGNAL	1
+#define	LOOP_SEE	2
+#define	LOOP_SCHED	3
+#define	LOOP_MAX	LOOP_SCHED
+
+/*
+ * Enact a scenario by looping through the four test cases for the scenario,
+ * spawning off pairs of processes with the desired credentials, and
+ * reporting results to stdout.
+ */
+static int
+enact_scenario(int scenario)
+{
+	pid_t pid1, pid2;
+	char *name;
+	int error, desirederror, loop;
+
+	for (loop = 0; loop < LOOP_MAX+1; loop++) {
+		/*
+		 * Spawn the first child, target of the operation.
+		 */
+		pid1 = fork();
+		switch (pid1) {
+		case -1:
+			return (-1);
+		case 0:
+			/* child */
+			error = cred_set(scenarios[scenario].sc_cred2);
+			if (error) {
+				perror("cred_set");
+				return (error);
+			}
+			/* 200 seconds should be plenty of time. */
+			sleep(200);
+			exit(0);
+		default:
+			/* parent */
+		}
+
+		/*
+		 * XXX
+		 * This really isn't ideal -- give proc 1 a chance to set
+		 * its credentials, or we may get spurious errors.  Really,
+		 * some for of IPC should be used to allow the parent to
+		 * wait for the first child to be ready before spawning
+		 * the second child.
+		 */
+		sleep(1);
+
+		/*
+		 * Spawn the second child, source of the operation.
+		 */
+		pid2 = fork();
+		switch (pid2) {
+		case -1:
+			return (-1);
+	
+		case 0:
+			/* child */
+			error = cred_set(scenarios[scenario].sc_cred1);
+			if (error) {
+				perror("cred_set");
+				return (error);
+			}
+	
+			/*
+			 * Initialize errno to zero so as to catch any
+			 * generated errors.  In each case, perform the
+			 * operation.  Preserve the error number for later
+			 * use so it doesn't get stomped on by any I/O.
+			 * Determine the desired error for the given case
+			 * by extracting it from the scenario table.
+			 * Initialize a function name string for output
+			 * prettiness.
+			 */
+			errno = 0;
+			switch (loop) {
+			case LOOP_PTRACE:
+				error = ptrace(PT_ATTACH, pid1, NULL, 0);
+				error = errno;
+				name = "ptrace";
+				desirederror =
+				    scenarios[scenario].sc_candebug_errno;
+				break;
+			case LOOP_SIGNAL:
+				error = kill(pid1, SIGHUP);
+				error = errno;
+				name = "signal";
+				desirederror =
+				    scenarios[scenario].sc_cansignal_errno;
+				break;
+			case LOOP_SEE:
+				getpriority(PRIO_PROCESS, pid1);
+				error = errno;
+				name = "see";
+				desirederror =
+				    scenarios[scenario].sc_cansee_errno;
+				break;
+			case LOOP_SCHED:
+				error = setpriority(PRIO_PROCESS, pid1,
+				   0);
+				error = errno;
+				name = "sched";
+				desirederror =
+				    scenarios[scenario].sc_cansched_errno;
+				break;
+			default:
+				name = "broken";
+			}
+
+			if (error != desirederror) {
+				fprintf(stdout,
+				    "[%s].%s: expected %s, got %s\n  ",
+				    scenarios[scenario].sc_name, name,
+				    errno_to_string(desirederror),
+				    errno_to_string(error));
+				cred_print(stdout,
+				    scenarios[scenario].sc_cred1);
+				cred_print(stdout,
+				    scenarios[scenario].sc_cred2);
+				fprintf(stdout, "\n");
+			}
+
+			exit(0);
+
+		default:
+			/* parent */
+		}
+
+		error = waitpid(pid2, NULL, 0);
+		/*
+		 * Once pid2 has died, it's safe to kill pid1, if it's still
+		 * alive.  Mask signal failure in case the test actually
+		 * killed pid1 (not unlikely: can occur in both signal and
+		 * ptrace cases).
+		 */
+		kill(pid1, SIGKILL);
+		error = waitpid(pid2, NULL, 0);
+	}
+	
+	return (0);
+}
+
+void
+enact_scenarios(void)
+{
+	int i, error;
+
+	for (i = 0; i < scenarios_count; i++) {
+		error = enact_scenario(i);
+		if (error)
+			perror("enact_scenario");
+	}
+}
diff --git a/tools/regression/security/proc_to_proc/scenario.h b/tools/regression/security/proc_to_proc/scenario.h
new file mode 100644
index 0000000..da08720
--- /dev/null
+++ b/tools/regression/security/proc_to_proc/scenario.h
@@ -0,0 +1,34 @@
+/*-
+ * Copyright (c) 2001 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+#ifndef _SCENARIO_H
+#define _SCENARIO_H
+
+int	setugid __P((int flag));
+int	enact_scenarios __P((void));
+
+#endif /* !_SCENARIO_H */
diff --git a/tools/regression/security/proc_to_proc/testuid.c b/tools/regression/security/proc_to_proc/testuid.c
new file mode 100644
index 0000000..a9b81a08
--- /dev/null
+++ b/tools/regression/security/proc_to_proc/testuid.c
@@ -0,0 +1,65 @@
+/*-
+ * Copyright (c) 2001 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <unistd.h>
+
+#include "scenario.h"
+
+int
+main(int argc, char *argv[])
+{
+	int error;
+
+	fprintf(stderr, "test capabilities: ");
+#ifdef SETSUGID_SUPPORTED
+	fprintf(stderr, "[SETSUGID_SUPPORTED] ");
+#endif
+#ifdef SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB
+	fprintf(stderr, "[SETSUGID_SUPPORTED_BUT_NO_LIBC_STUB] ");
+#endif
+#ifdef CHECK_CRED_SET
+	fprintf(stderr, "[CHECK_CRED_SET] ");
+#endif
+	fprintf(stderr, "\n");
+
+	error = setugid(1);
+	if (error) {
+		perror("setugid");
+		fprintf(stderr,
+		    "This test suite requires options REGRESSION\n");
+		return (-1);
+	}
+
+	enact_scenarios();
+
+	return (0);
+}
+