diff options
Diffstat (limited to 'tools/regression')
-rw-r--r-- | tools/regression/capsicum/syscalls/Makefile | 28 | ||||
-rw-r--r-- | tools/regression/capsicum/syscalls/cap_fcntls_limit.c | 540 | ||||
-rw-r--r-- | tools/regression/capsicum/syscalls/cap_getmode.c | 167 | ||||
-rw-r--r-- | tools/regression/capsicum/syscalls/cap_ioctls_limit.c | 462 | ||||
-rw-r--r-- | tools/regression/capsicum/syscalls/misc.c | 128 | ||||
-rw-r--r-- | tools/regression/capsicum/syscalls/misc.h | 62 | ||||
-rw-r--r-- | tools/regression/security/cap_test/cap_test_capabilities.c | 447 | ||||
-rw-r--r-- | tools/regression/security/cap_test/cap_test_relative.c | 3 |
8 files changed, 1736 insertions, 101 deletions
diff --git a/tools/regression/capsicum/syscalls/Makefile b/tools/regression/capsicum/syscalls/Makefile new file mode 100644 index 0000000..5d34226 --- /dev/null +++ b/tools/regression/capsicum/syscalls/Makefile @@ -0,0 +1,28 @@ +# $FreeBSD$ + +SYSCALLS= cap_fcntls_limit cap_getmode cap_ioctls_limit + +CFLAGS= -O2 -pipe -std=gnu99 -fstack-protector +CFLAGS+= -Wsystem-headers -Werror -Wall -Wno-format-y2k -W -Wno-unused-parameter +CFLAGS+= -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type +CFLAGS+= -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wunused-parameter +CFLAGS+= -Wcast-align -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls +CFLAGS+= -Wold-style-definition -Wno-pointer-sign + +all: ${SYSCALLS} ${SYSCALLS:=.t} + +.for SYSCALL in ${SYSCALLS} + +${SYSCALL}: ${SYSCALL}.c misc.c + ${CC} ${CFLAGS} ${@}.c misc.c -o $@ + +${SYSCALL}.t: ${SYSCALL} + @printf "#!/bin/sh\n\n%s/%s\n" ${.CURDIR} ${@:.t=} > $@ + +.endfor + +test: all + @prove -r ${.CURDIR} + +clean: + rm -f ${SYSCALLS} ${SYSCALLS:=.t} diff --git a/tools/regression/capsicum/syscalls/cap_fcntls_limit.c b/tools/regression/capsicum/syscalls/cap_fcntls_limit.c new file mode 100644 index 0000000..c97203d --- /dev/null +++ b/tools/regression/capsicum/syscalls/cap_fcntls_limit.c @@ -0,0 +1,540 @@ +/*- + * Copyright (c) 2012 The FreeBSD Foundation + * All rights reserved. + * + * This software was developed by Pawel Jakub Dawidek under sponsorship from + * the FreeBSD Foundation. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/types.h> +#include <sys/capability.h> +#include <sys/procdesc.h> +#include <sys/socket.h> +#include <sys/wait.h> + +#include <err.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + +#include "misc.h" + +static void +fcntl_tests_0(int fd) +{ + uint32_t fcntlrights; + + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == CAP_FCNTL_ALL); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == 0); + CHECK(fcntl(fd, F_GETFL) == (O_RDWR | O_NONBLOCK)); + CHECK(fcntl(fd, F_SETFL, 0) == 0); + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + + errno = 0; + CHECK(cap_fcntls_limit(fd, ~CAP_FCNTL_ALL) == -1); + CHECK(errno == EINVAL); + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == 0); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == (CAP_FCNTL_GETFL | CAP_FCNTL_SETFL)); + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == 0); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == (CAP_FCNTL_GETFL | CAP_FCNTL_SETFL)); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == 0); + CHECK(fcntl(fd, F_GETFL) == (O_RDWR | O_NONBLOCK)); + CHECK(fcntl(fd, F_SETFL, 0) == 0); + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL) == 0); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == CAP_FCNTL_GETFL); + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == CAP_FCNTL_GETFL); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + errno = 0; + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + errno = 0; + CHECK(fcntl(fd, F_SETFL, 0) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + + CHECK(cap_fcntls_limit(fd, 0) == 0); + fcntlrights = CAP_FCNTL_ALL; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = CAP_FCNTL_ALL; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = CAP_FCNTL_ALL; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + errno = 0; + CHECK(fcntl(fd, F_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_SETFL, 0) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); +} + +static void +fcntl_tests_1(int fd) +{ + uint32_t fcntlrights; + + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL) == 0); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == CAP_FCNTL_GETFL); + + CHECK(cap_rights_limit(fd, CAP_ALL & ~CAP_FCNTL) == 0); + + fcntlrights = CAP_FCNTL_ALL; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = CAP_FCNTL_ALL; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = CAP_FCNTL_ALL; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + errno = 0; + CHECK(fcntl(fd, F_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_SETFL, 0) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); +} + +static void +fcntl_tests_2(int fd) +{ + uint32_t fcntlrights; + + CHECK(cap_rights_limit(fd, CAP_ALL & ~CAP_FCNTL) == 0); + + fcntlrights = CAP_FCNTL_ALL; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = CAP_FCNTL_ALL; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = CAP_FCNTL_ALL; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + errno = 0; + CHECK(fcntl(fd, F_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_SETFL, 0) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); +} + +static void +fcntl_tests_send_0(int sock) +{ + int fd; + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK(descriptor_send(sock, fd) == 0); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == 0); + CHECK(descriptor_send(sock, fd) == 0); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL) == 0); + CHECK(descriptor_send(sock, fd) == 0); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK(cap_fcntls_limit(fd, 0) == 0); + CHECK(descriptor_send(sock, fd) == 0); + CHECK(close(fd) == 0); +} + +static void +fcntl_tests_recv_0(int sock) +{ + uint32_t fcntlrights; + int fd; + + CHECK(descriptor_recv(sock, &fd) == 0); + + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == CAP_FCNTL_ALL); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == 0); + CHECK(fcntl(fd, F_GETFL) == (O_RDWR | O_NONBLOCK)); + CHECK(fcntl(fd, F_SETFL, 0) == 0); + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + + CHECK(close(fd) == 0); + + CHECK(descriptor_recv(sock, &fd) == 0); + + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == (CAP_FCNTL_GETFL | CAP_FCNTL_SETFL)); + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == 0); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == (CAP_FCNTL_GETFL | CAP_FCNTL_SETFL)); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == 0); + CHECK(fcntl(fd, F_GETFL) == (O_RDWR | O_NONBLOCK)); + CHECK(fcntl(fd, F_SETFL, 0) == 0); + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + + CHECK(close(fd) == 0); + + CHECK(descriptor_recv(sock, &fd) == 0); + + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == CAP_FCNTL_GETFL); + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == CAP_FCNTL_GETFL); + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL) == 0); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == CAP_FCNTL_GETFL); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + errno = 0; + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + errno = 0; + CHECK(fcntl(fd, F_SETFL, 0) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFL) == O_RDWR); + + CHECK(close(fd) == 0); + + CHECK(descriptor_recv(sock, &fd) == 0); + + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL | CAP_FCNTL_SETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + errno = 0; + CHECK(cap_fcntls_limit(fd, CAP_FCNTL_SETFL) == -1); + CHECK(errno == ENOTCAPABLE); + fcntlrights = 0; + CHECK(cap_fcntls_get(fd, &fcntlrights) == 0); + CHECK(fcntlrights == 0); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + errno = 0; + CHECK(fcntl(fd, F_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_SETFL, O_NONBLOCK) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_SETFL, 0) == -1); + CHECK(errno == ENOTCAPABLE); + errno = 0; + CHECK(fcntl(fd, F_GETFL) == -1); + CHECK(errno == ENOTCAPABLE); + + CHECK(close(fd) == 0); +} + +int +main(void) +{ + int fd, pfd, sp[2]; + pid_t pid; + + printf("1..870\n"); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + fcntl_tests_0(fd); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + fcntl_tests_1(fd); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + fcntl_tests_2(fd); + CHECK(close(fd) == 0); + + /* Child inherits descriptor and operates on it first. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK((pid = fork()) >= 0); + if (pid == 0) { + fcntl_tests_0(fd); + CHECK(close(fd) == 0); + exit(0); + } else { + CHECK(waitpid(pid, NULL, 0) == pid); + fcntl_tests_0(fd); + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor, but operates on it after parent. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK((pid = fork()) >= 0); + if (pid == 0) { + sleep(1); + fcntl_tests_0(fd); + CHECK(close(fd) == 0); + exit(0); + } else { + fcntl_tests_0(fd); + CHECK(waitpid(pid, NULL, 0) == pid); + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor and operates on it first. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK((pid = pdfork(&pfd, 0)) >= 0); + if (pid == 0) { + fcntl_tests_1(fd); + exit(0); + } else { + CHECK(pdwait(pfd) == 0); +/* + It fails with EBADF, which I believe is a bug. + CHECK(close(pfd) == 0); +*/ + fcntl_tests_1(fd); + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor, but operates on it after parent. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK((pid = pdfork(&pfd, 0)) >= 0); + if (pid == 0) { + sleep(1); + fcntl_tests_1(fd); + exit(0); + } else { + fcntl_tests_1(fd); + CHECK(pdwait(pfd) == 0); +/* + It fails with EBADF, which I believe is a bug. + CHECK(close(pfd) == 0); +*/ + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor and operates on it first. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK((pid = fork()) >= 0); + if (pid == 0) { + fcntl_tests_2(fd); + exit(0); + } else { + CHECK(waitpid(pid, NULL, 0) == pid); + fcntl_tests_2(fd); + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor, but operates on it after parent. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK((pid = fork()) >= 0); + if (pid == 0) { + sleep(1); + fcntl_tests_2(fd); + exit(0); + } else { + fcntl_tests_2(fd); + CHECK(waitpid(pid, NULL, 0) == pid); + } + CHECK(close(fd) == 0); + + /* Send descriptors from parent to child. */ + CHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == 0); + CHECK((pid = fork()) >= 0); + if (pid == 0) { + CHECK(close(sp[0]) == 0); + fcntl_tests_recv_0(sp[1]); + CHECK(close(sp[1]) == 0); + exit(0); + } else { + CHECK(close(sp[1]) == 0); + fcntl_tests_send_0(sp[0]); + CHECK(waitpid(pid, NULL, 0) == pid); + CHECK(close(sp[0]) == 0); + } + + /* Send descriptors from child to parent. */ + CHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == 0); + CHECK((pid = fork()) >= 0); + if (pid == 0) { + CHECK(close(sp[0]) == 0); + fcntl_tests_send_0(sp[1]); + CHECK(close(sp[1]) == 0); + exit(0); + } else { + CHECK(close(sp[1]) == 0); + fcntl_tests_recv_0(sp[0]); + CHECK(waitpid(pid, NULL, 0) == pid); + CHECK(close(sp[0]) == 0); + } + + exit(0); +} diff --git a/tools/regression/capsicum/syscalls/cap_getmode.c b/tools/regression/capsicum/syscalls/cap_getmode.c new file mode 100644 index 0000000..1a38202 --- /dev/null +++ b/tools/regression/capsicum/syscalls/cap_getmode.c @@ -0,0 +1,167 @@ +/*- + * Copyright (c) 2012 The FreeBSD Foundation + * All rights reserved. + * + * This software was developed by Pawel Jakub Dawidek under sponsorship from + * the FreeBSD Foundation. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/types.h> +#include <sys/capability.h> +#include <sys/procdesc.h> +#include <sys/wait.h> + +#include <err.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + +#include "misc.h" + +int +main(void) +{ + unsigned int mode; + pid_t pid; + int pfd; + + printf("1..27\n"); + + mode = 666; + CHECK(cap_getmode(&mode) == 0); + /* If cap_getmode() succeeded mode should be modified. */ + CHECK(mode != 666); + /* We are not in capability mode. */ + CHECK(mode == 0); + + /* Expect EFAULT. */ + errno = 0; + CHECK(cap_getmode(NULL) == -1); + CHECK(errno == EFAULT); + errno = 0; + CHECK(cap_getmode((void *)(uintptr_t)0xdeadc0de) == -1); + CHECK(errno == EFAULT); + + /* If parent is not in capability mode, child after fork() also won't be. */ + pid = fork(); + switch (pid) { + case -1: + err(1, "fork() failed"); + case 0: + mode = 666; + CHECK(cap_getmode(&mode) == 0); + /* If cap_getmode() succeeded mode should be modified. */ + CHECK(mode != 666); + /* We are not in capability mode. */ + CHECK(mode == 0); + exit(0); + default: + if (waitpid(pid, NULL, 0) == -1) + err(1, "waitpid() failed"); + } + + /* If parent is not in capability mode, child after pdfork() also won't be. */ + pid = pdfork(&pfd, 0); + switch (pid) { + case -1: + err(1, "pdfork() failed"); + case 0: + mode = 666; + CHECK(cap_getmode(&mode) == 0); + /* If cap_getmode() succeeded mode should be modified. */ + CHECK(mode != 666); + /* We are not in capability mode. */ + CHECK(mode == 0); + exit(0); + default: + if (pdwait(pfd) == -1) + err(1, "pdwait() failed"); + close(pfd); + } + + /* In capability mode... */ + + CHECK(cap_enter() == 0); + + mode = 666; + CHECK(cap_getmode(&mode) == 0); + /* If cap_getmode() succeeded mode should be modified. */ + CHECK(mode != 666); + /* We are in capability mode. */ + CHECK(mode == 1); + + /* Expect EFAULT. */ + errno = 0; + CHECK(cap_getmode(NULL) == -1); + CHECK(errno == EFAULT); + errno = 0; + CHECK(cap_getmode((void *)(uintptr_t)0xdeadc0de) == -1); + CHECK(errno == EFAULT); + + /* If parent is in capability mode, child after fork() also will be. */ + pid = fork(); + switch (pid) { + case -1: + err(1, "fork() failed"); + case 0: + mode = 666; + CHECK(cap_getmode(&mode) == 0); + /* If cap_getmode() succeeded mode should be modified. */ + CHECK(mode != 666); + /* We are in capability mode. */ + CHECK(mode == 1); + exit(0); + default: + /* + * wait(2) and friends are not permitted in the capability mode, + * so we can only just wait for a while. + */ + sleep(1); + } + + /* If parent is in capability mode, child after pdfork() also will be. */ + pid = pdfork(&pfd, 0); + switch (pid) { + case -1: + err(1, "pdfork() failed"); + case 0: + mode = 666; + CHECK(cap_getmode(&mode) == 0); + /* If cap_getmode() succeeded mode should be modified. */ + CHECK(mode != 666); + /* We are in capability mode. */ + CHECK(mode == 1); + exit(0); + default: + if (pdwait(pfd) == -1) + err(1, "pdwait() failed"); + close(pfd); + } + + exit(0); +} diff --git a/tools/regression/capsicum/syscalls/cap_ioctls_limit.c b/tools/regression/capsicum/syscalls/cap_ioctls_limit.c new file mode 100644 index 0000000..3a08fac --- /dev/null +++ b/tools/regression/capsicum/syscalls/cap_ioctls_limit.c @@ -0,0 +1,462 @@ +/*- + * Copyright (c) 2012 The FreeBSD Foundation + * All rights reserved. + * + * This software was developed by Pawel Jakub Dawidek under sponsorship from + * the FreeBSD Foundation. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/param.h> +#include <sys/capability.h> +#include <sys/ioctl.h> +#include <sys/procdesc.h> +#include <sys/socket.h> +#include <sys/wait.h> + +#include <err.h> +#include <errno.h> +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + +#include "misc.h" + +static void +ioctl_tests_0(int fd) +{ + unsigned long cmds[2]; + + CHECK(cap_ioctls_get(fd, NULL, 0) == INT_MAX); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(ioctl(fd, FIOCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(ioctl(fd, FIONCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + cmds[0] = FIOCLEX; + cmds[1] = FIONCLEX; + CHECK(cap_ioctls_limit(fd, cmds, nitems(cmds)) == 0); + cmds[0] = cmds[1] = 0; + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == nitems(cmds)); + CHECK((cmds[0] == FIOCLEX && cmds[1] == FIONCLEX) || + (cmds[0] == FIONCLEX && cmds[1] == FIOCLEX)); + cmds[0] = FIOCLEX; + cmds[1] = FIONCLEX; + CHECK(cap_ioctls_limit(fd, cmds, nitems(cmds)) == 0); + cmds[0] = cmds[1] = 0; + CHECK(cap_ioctls_get(fd, cmds, 1) == nitems(cmds)); + CHECK(cmds[0] == FIOCLEX || cmds[0] == FIONCLEX); + CHECK(cmds[1] == 0); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(ioctl(fd, FIOCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(ioctl(fd, FIONCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + cmds[0] = FIOCLEX; + CHECK(cap_ioctls_limit(fd, cmds, 1) == 0); + cmds[0] = cmds[1] = 0; + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 1); + CHECK(cmds[0] == FIOCLEX); + cmds[0] = FIOCLEX; + cmds[1] = FIONCLEX; + errno = 0; + CHECK(cap_ioctls_limit(fd, cmds, nitems(cmds)) == -1); + CHECK(errno == ENOTCAPABLE); + cmds[0] = cmds[1] = 0; + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 1); + CHECK(cmds[0] == FIOCLEX); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(ioctl(fd, FIOCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + errno = 0; + CHECK(ioctl(fd, FIONCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(cap_ioctls_limit(fd, NULL, 0) == 0); + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 0); + cmds[0] = FIOCLEX; + errno = 0; + CHECK(cap_ioctls_limit(fd, cmds, 1) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 0); + + CHECK(fcntl(fd, F_GETFD) == 0); + errno = 0; + CHECK(ioctl(fd, FIOCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + errno = 0; + CHECK(ioctl(fd, FIONCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); +} + +static void +ioctl_tests_1(int fd) +{ + unsigned long cmds[2]; + + cmds[0] = FIOCLEX; + CHECK(cap_ioctls_limit(fd, cmds, 1) == 0); + cmds[0] = cmds[1] = 0; + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 1); + CHECK(cmds[0] == FIOCLEX); + CHECK(cmds[1] == 0); + + CHECK(cap_rights_limit(fd, CAP_ALL & ~CAP_IOCTL) == 0); + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 0); + + cmds[0] = FIOCLEX; + cmds[1] = FIONCLEX; + errno = 0; + CHECK(cap_ioctls_limit(fd, cmds, nitems(cmds)) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 0); + cmds[0] = FIOCLEX; + errno = 0; + CHECK(cap_ioctls_limit(fd, cmds, 1) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 0); + + CHECK(fcntl(fd, F_GETFD) == 0); + errno = 0; + CHECK(ioctl(fd, FIOCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + errno = 0; + CHECK(ioctl(fd, FIONCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); +} + +static void +ioctl_tests_2(int fd) +{ + unsigned long cmds[2]; + + CHECK(cap_rights_limit(fd, CAP_ALL & ~CAP_IOCTL) == 0); + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 0); + + cmds[0] = FIOCLEX; + cmds[1] = FIONCLEX; + errno = 0; + CHECK(cap_ioctls_limit(fd, cmds, nitems(cmds)) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 0); + cmds[0] = FIOCLEX; + errno = 0; + CHECK(cap_ioctls_limit(fd, cmds, 1) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 0); + + CHECK(fcntl(fd, F_GETFD) == 0); + errno = 0; + CHECK(ioctl(fd, FIOCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + errno = 0; + CHECK(ioctl(fd, FIONCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); +} + +static void +ioctl_tests_send_0(int sock) +{ + unsigned long cmds[2]; + int fd; + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK(descriptor_send(sock, fd) == 0); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + cmds[0] = FIOCLEX; + cmds[1] = FIONCLEX; + CHECK(cap_ioctls_limit(fd, cmds, nitems(cmds)) == 0); + CHECK(descriptor_send(sock, fd) == 0); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + cmds[0] = FIOCLEX; + CHECK(cap_ioctls_limit(fd, cmds, 1) == 0); + CHECK(descriptor_send(sock, fd) == 0); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + CHECK(cap_ioctls_limit(fd, NULL, 0) == 0); + CHECK(descriptor_send(sock, fd) == 0); + CHECK(close(fd) == 0); +} + +static void +ioctl_tests_recv_0(int sock) +{ + unsigned long cmds[2]; + int fd; + + CHECK(descriptor_recv(sock, &fd) == 0); + + CHECK(cap_ioctls_get(fd, NULL, 0) == INT_MAX); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(ioctl(fd, FIOCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(ioctl(fd, FIONCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(close(fd) == 0); + + CHECK(descriptor_recv(sock, &fd) == 0); + + cmds[0] = cmds[1] = 0; + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == nitems(cmds)); + CHECK((cmds[0] == FIOCLEX && cmds[1] == FIONCLEX) || + (cmds[0] == FIONCLEX && cmds[1] == FIOCLEX)); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(ioctl(fd, FIOCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(ioctl(fd, FIONCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(close(fd) == 0); + + CHECK(descriptor_recv(sock, &fd) == 0); + + cmds[0] = cmds[1] = 0; + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 1); + CHECK(cmds[0] == FIOCLEX); + + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(ioctl(fd, FIOCLEX) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + errno = 0; + CHECK(ioctl(fd, FIONCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(close(fd) == 0); + + CHECK(descriptor_recv(sock, &fd) == 0); + + CHECK(cap_ioctls_get(fd, cmds, nitems(cmds)) == 0); + + CHECK(fcntl(fd, F_GETFD) == 0); + errno = 0; + CHECK(ioctl(fd, FIOCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == 0); + CHECK(fcntl(fd, F_SETFD, FD_CLOEXEC) == 0); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + errno = 0; + CHECK(ioctl(fd, FIONCLEX) == -1); + CHECK(errno == ENOTCAPABLE); + CHECK(fcntl(fd, F_GETFD) == FD_CLOEXEC); + CHECK(fcntl(fd, F_SETFD, 0) == 0); + CHECK(fcntl(fd, F_GETFD) == 0); + + CHECK(close(fd) == 0); +} + +int +main(void) +{ + int fd, pfd, sp[2]; + pid_t pid; + + printf("1..607\n"); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + ioctl_tests_0(fd); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + ioctl_tests_1(fd); + CHECK(close(fd) == 0); + + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + ioctl_tests_2(fd); + CHECK(close(fd) == 0); + + /* Child inherits descriptor and operates on it first. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + pid = fork(); + switch (pid) { + case -1: + err(1, "fork() failed"); + case 0: + ioctl_tests_0(fd); + CHECK(close(fd) == 0); + exit(0); + default: + if (waitpid(pid, NULL, 0) == -1) + err(1, "waitpid() failed"); + ioctl_tests_0(fd); + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor, but operates on it after parent. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + pid = fork(); + switch (pid) { + case -1: + err(1, "fork() failed"); + case 0: + sleep(1); + ioctl_tests_0(fd); + CHECK(close(fd) == 0); + exit(0); + default: + ioctl_tests_0(fd); + if (waitpid(pid, NULL, 0) == -1) + err(1, "waitpid() failed"); + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor and operates on it first. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + pid = pdfork(&pfd, 0); + switch (pid) { + case -1: + err(1, "pdfork() failed"); + case 0: + ioctl_tests_1(fd); + exit(0); + default: + if (pdwait(pfd) == -1) + err(1, "pdwait() failed"); + close(pfd); + ioctl_tests_1(fd); + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor, but operates on it after parent. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + pid = pdfork(&pfd, 0); + switch (pid) { + case -1: + err(1, "pdfork() failed"); + case 0: + sleep(1); + ioctl_tests_1(fd); + exit(0); + default: + ioctl_tests_1(fd); + if (pdwait(pfd) == -1) + err(1, "pdwait() failed"); + close(pfd); + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor and operates on it first. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + pid = fork(); + switch (pid) { + case -1: + err(1, "fork() failed"); + case 0: + ioctl_tests_2(fd); + exit(0); + default: + if (waitpid(pid, NULL, 0) == -1) + err(1, "waitpid() failed"); + ioctl_tests_2(fd); + } + CHECK(close(fd) == 0); + + /* Child inherits descriptor, but operates on it after parent. */ + CHECK((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0); + pid = fork(); + switch (pid) { + case -1: + err(1, "fork() failed"); + case 0: + sleep(1); + ioctl_tests_2(fd); + exit(0); + default: + ioctl_tests_2(fd); + if (waitpid(pid, NULL, 0) == -1) + err(1, "waitpid() failed"); + } + CHECK(close(fd) == 0); + + /* Send descriptors from parent to child. */ + CHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == 0); + CHECK((pid = fork()) >= 0); + if (pid == 0) { + CHECK(close(sp[0]) == 0); + ioctl_tests_recv_0(sp[1]); + CHECK(close(sp[1]) == 0); + exit(0); + } else { + CHECK(close(sp[1]) == 0); + ioctl_tests_send_0(sp[0]); + CHECK(waitpid(pid, NULL, 0) == pid); + CHECK(close(sp[0]) == 0); + } + + /* Send descriptors from child to parent. */ + CHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == 0); + CHECK((pid = fork()) >= 0); + if (pid == 0) { + CHECK(close(sp[0]) == 0); + ioctl_tests_send_0(sp[1]); + CHECK(close(sp[1]) == 0); + exit(0); + } else { + CHECK(close(sp[1]) == 0); + ioctl_tests_recv_0(sp[0]); + CHECK(waitpid(pid, NULL, 0) == pid); + CHECK(close(sp[0]) == 0); + } + + exit(0); +} diff --git a/tools/regression/capsicum/syscalls/misc.c b/tools/regression/capsicum/syscalls/misc.c new file mode 100644 index 0000000..303a911 --- /dev/null +++ b/tools/regression/capsicum/syscalls/misc.c @@ -0,0 +1,128 @@ +/*- + * Copyright (c) 2012 The FreeBSD Foundation + * All rights reserved. + * + * This software was developed by Pawel Jakub Dawidek under sponsorship from + * the FreeBSD Foundation. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/types.h> +#include <sys/select.h> +#include <sys/socket.h> + +#include <assert.h> +#include <errno.h> +#include <stdlib.h> +#include <strings.h> + +#include "misc.h" + +int +pdwait(int pfd) +{ + fd_set fdset; + + FD_ZERO(&fdset); + FD_SET(pfd, &fdset); + + return (select(pfd + 1, NULL, &fdset, NULL, NULL) == -1 ? -1 : 0); +} + +int +descriptor_send(int sock, int fd) +{ + unsigned char ctrl[CMSG_SPACE(sizeof(fd))]; + struct msghdr msg; + struct cmsghdr *cmsg; + + assert(sock >= 0); + assert(fd >= 0); + + bzero(&msg, sizeof(msg)); + bzero(&ctrl, sizeof(ctrl)); + + msg.msg_iov = NULL; + msg.msg_iovlen = 0; + msg.msg_control = ctrl; + msg.msg_controllen = sizeof(ctrl); + + cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + cmsg->cmsg_len = CMSG_LEN(sizeof(fd)); + bcopy(&fd, CMSG_DATA(cmsg), sizeof(fd)); + + if (sendmsg(sock, &msg, 0) == -1) + return (errno); + + return (0); +} + +int +descriptor_recv(int sock, int *fdp) +{ + unsigned char ctrl[CMSG_SPACE(sizeof(*fdp))]; + struct msghdr msg; + struct cmsghdr *cmsg; + struct iovec iov; + int val; + + assert(sock >= 0); + assert(fdp != NULL); + + bzero(&msg, sizeof(msg)); + bzero(&ctrl, sizeof(ctrl)); + +#if 1 + /* + * This doesn't really make sense, as we don't plan to receive any + * data, but if no buffer is provided and recv(2) returns 0 without + * control message. Must be kernel bug. + */ + iov.iov_base = &val; + iov.iov_len = sizeof(val); + msg.msg_iov = &iov; + msg.msg_iovlen = 1; +#else + msg.msg_iov = NULL; + msg.msg_iovlen = 0; +#endif + msg.msg_control = ctrl; + msg.msg_controllen = sizeof(ctrl); + + if (recvmsg(sock, &msg, 0) == -1) + return (errno); + + cmsg = CMSG_FIRSTHDR(&msg); + if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET || + cmsg->cmsg_type != SCM_RIGHTS) { + return (EINVAL); + } + bcopy(CMSG_DATA(cmsg), fdp, sizeof(*fdp)); + + return (0); +} diff --git a/tools/regression/capsicum/syscalls/misc.h b/tools/regression/capsicum/syscalls/misc.h new file mode 100644 index 0000000..4968c3e --- /dev/null +++ b/tools/regression/capsicum/syscalls/misc.h @@ -0,0 +1,62 @@ +/*- + * Copyright (c) 2012 The FreeBSD Foundation + * All rights reserved. + * + * This software was developed by Pawel Jakub Dawidek under sponsorship from + * the FreeBSD Foundation. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _MISC_H_ +#define _MISC_H_ + +#define OK() do { \ + int _serrno = errno; \ + printf("ok # line %u\n", __LINE__); \ + fflush(stdout); \ + errno = _serrno; \ +} while (0) +#define NOK() do { \ + int _serrno = errno; \ + printf("not ok # line %u\n", __LINE__); \ + fflush(stdout); \ + errno = _serrno; \ +} while (0) +#define CHECK(cond) do { \ + if ((cond)) \ + OK(); \ + else \ + NOK(); \ +} while (0) + +/* + * This can be removed once pdwait4(2) is implemented. + */ +int pdwait(int pfd); + +int descriptor_send(int sock, int fd); +int descriptor_recv(int sock, int *fdp); + +#endif /* !_MISC_H_ */ diff --git a/tools/regression/security/cap_test/cap_test_capabilities.c b/tools/regression/security/cap_test/cap_test_capabilities.c index 450ad88..b6423f8 100644 --- a/tools/regression/security/cap_test/cap_test_capabilities.c +++ b/tools/regression/security/cap_test/cap_test_capabilities.c @@ -1,8 +1,12 @@ /*- * Copyright (c) 2009-2011 Robert N. M. Watson * Copyright (c) 2011 Jonathan Anderson + * Copyright (c) 2012 FreeBSD Foundation * All rights reserved. * + * Portions of this software were developed by Pawel Jakub Dawidek under + * sponsorship from the FreeBSD Foundation. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -43,6 +47,7 @@ __FBSDID("$FreeBSD$"); #include <err.h> #include <fcntl.h> #include <poll.h> +#include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -60,14 +65,20 @@ __FBSDID("$FreeBSD$"); */ #define CHECK_RESULT(syscall, rights_needed, succeeded) do { \ if ((rights & (rights_needed)) == (rights_needed)) { \ - if (!(succeeded)) \ + if (succeeded) { \ + if (success == -1) \ + success = PASSED; \ + } else { \ SYSCALL_FAIL(syscall, "failed"); \ + } \ } else { \ - if (succeeded) \ + if (succeeded) { \ FAILX("%s:\tsucceeded when it shouldn't have" \ - " (rights 0x%jx)", #syscall, rights); \ - else if (errno != ENOTCAPABLE) \ + " (rights 0x%jx)", #syscall, \ + (uintmax_t)rights); \ + } else if (errno != ENOTCAPABLE) { \ SYSCALL_FAIL(syscall, "errno != ENOTCAPABLE"); \ + } \ } \ errno = 0; \ } while (0) @@ -79,8 +90,11 @@ __FBSDID("$FreeBSD$"); if ((rights & (rights_needed)) == (rights_needed)) { \ if (p == MAP_FAILED) \ SYSCALL_FAIL(mmap, "failed"); \ - else \ + else { \ (void)munmap(p, getpagesize()); \ + if (success == -1) \ + success = PASSED; \ + } \ } else { \ if (p != MAP_FAILED) { \ FAILX("%s:\tsucceeded when it shouldn't have" \ @@ -97,96 +111,200 @@ __FBSDID("$FreeBSD$"); * make sure only those rights work. */ static int -try_file_ops(int fd, cap_rights_t rights) +try_file_ops(int filefd, int dirfd, cap_rights_t rights) { struct stat sb; struct statfs sf; - int fd_cap, fd_capcap; + cap_rights_t erights; + int fd_cap, fd_capcap, dfd_cap; ssize_t ssize, ssize2; off_t off; void *p; char ch; int ret, is_nfs; struct pollfd pollfd; - int success = PASSED; + int success = -1; - REQUIRE(fstatfs(fd, &sf)); - is_nfs = (strncmp("nfs", sf.f_fstypename, sizeof(sf.f_fstypename)) - == 0); + REQUIRE(fstatfs(filefd, &sf)); + is_nfs = (strcmp("nfs", sf.f_fstypename) == 0); - REQUIRE(fd_cap = cap_new(fd, rights)); + REQUIRE(fd_cap = cap_new(filefd, rights)); + CHECK(cap_getrights(fd_cap, &erights) == 0); + CHECK(rights == erights); REQUIRE(fd_capcap = cap_new(fd_cap, rights)); + CHECK(cap_getrights(fd_capcap, &erights) == 0); + CHECK(rights == erights); CHECK(fd_capcap != fd_cap); - - pollfd.fd = fd_cap; - pollfd.events = POLLIN | POLLERR | POLLHUP; - pollfd.revents = 0; + REQUIRE(dfd_cap = cap_new(dirfd, rights)); + CHECK(cap_getrights(dfd_cap, &erights) == 0); + CHECK(rights == erights); ssize = read(fd_cap, &ch, sizeof(ch)); - CHECK_RESULT(read, CAP_READ | CAP_SEEK, ssize >= 0); - - ssize = pread(fd_cap, &ch, sizeof(ch), 0); - ssize2 = pread(fd_cap, &ch, sizeof(ch), 0); - CHECK_RESULT(pread, CAP_READ, ssize >= 0); - CHECK(ssize == ssize2); + CHECK_RESULT(read, CAP_READ, ssize >= 0); ssize = write(fd_cap, &ch, sizeof(ch)); - CHECK_RESULT(write, CAP_WRITE | CAP_SEEK, ssize >= 0); - - ssize = pwrite(fd_cap, &ch, sizeof(ch), 0); - CHECK_RESULT(pwrite, CAP_WRITE, ssize >= 0); + CHECK_RESULT(write, CAP_WRITE, ssize >= 0); off = lseek(fd_cap, 0, SEEK_SET); CHECK_RESULT(lseek, CAP_SEEK, off >= 0); - /* - * Note: this is not expected to work over NFS. - */ - ret = fchflags(fd_cap, UF_NODUMP); - CHECK_RESULT(fchflags, CAP_FCHFLAGS, - (ret == 0) || (is_nfs && (errno == EOPNOTSUPP))); + ssize = pread(fd_cap, &ch, sizeof(ch), 0); + ssize2 = pread(fd_cap, &ch, sizeof(ch), 0); + CHECK_RESULT(pread, CAP_PREAD, ssize >= 0); + CHECK(ssize == ssize2); - ret = fstat(fd_cap, &sb); - CHECK_RESULT(fstat, CAP_FSTAT, ret == 0); + ssize = pwrite(fd_cap, &ch, sizeof(ch), 0); + CHECK_RESULT(pwrite, CAP_PWRITE, ssize >= 0); + + p = mmap(NULL, getpagesize(), PROT_NONE, MAP_SHARED, fd_cap, 0); + CHECK_MMAP_RESULT(CAP_MMAP); p = mmap(NULL, getpagesize(), PROT_READ, MAP_SHARED, fd_cap, 0); - CHECK_MMAP_RESULT(CAP_MMAP | CAP_READ); + CHECK_MMAP_RESULT(CAP_MMAP_R); p = mmap(NULL, getpagesize(), PROT_WRITE, MAP_SHARED, fd_cap, 0); - CHECK_MMAP_RESULT(CAP_MMAP | CAP_WRITE); + CHECK_MMAP_RESULT(CAP_MMAP_W); p = mmap(NULL, getpagesize(), PROT_EXEC, MAP_SHARED, fd_cap, 0); - CHECK_MMAP_RESULT(CAP_MMAP | CAP_MAPEXEC); + CHECK_MMAP_RESULT(CAP_MMAP_X); p = mmap(NULL, getpagesize(), PROT_READ | PROT_WRITE, MAP_SHARED, fd_cap, 0); - CHECK_MMAP_RESULT(CAP_MMAP | CAP_READ | CAP_WRITE); + CHECK_MMAP_RESULT(CAP_MMAP_RW); p = mmap(NULL, getpagesize(), PROT_READ | PROT_EXEC, MAP_SHARED, fd_cap, 0); - CHECK_MMAP_RESULT(CAP_MMAP | CAP_READ | CAP_MAPEXEC); + CHECK_MMAP_RESULT(CAP_MMAP_RX); p = mmap(NULL, getpagesize(), PROT_EXEC | PROT_WRITE, MAP_SHARED, fd_cap, 0); - CHECK_MMAP_RESULT(CAP_MMAP | CAP_MAPEXEC | CAP_WRITE); + CHECK_MMAP_RESULT(CAP_MMAP_WX); p = mmap(NULL, getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED, fd_cap, 0); - CHECK_MMAP_RESULT(CAP_MMAP | CAP_READ | CAP_WRITE | CAP_MAPEXEC); + CHECK_MMAP_RESULT(CAP_MMAP_RWX); + + /* TODO: openat(O_APPEND) */ + ret = openat(dfd_cap, "cap_create", O_CREAT | O_RDONLY, 0600); + CHECK_RESULT(openat(O_CREATE | O_RDONLY), + CAP_CREATE | CAP_READ | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + CHECK(ret == -1 || unlinkat(dirfd, "cap_create", 0) == 0); + ret = openat(dfd_cap, "cap_create", O_CREAT | O_WRONLY, 0600); + CHECK_RESULT(openat(O_CREATE | O_WRONLY), + CAP_CREATE | CAP_WRITE | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + CHECK(ret == -1 || unlinkat(dirfd, "cap_create", 0) == 0); + ret = openat(dfd_cap, "cap_create", O_CREAT | O_RDWR, 0600); + CHECK_RESULT(openat(O_CREATE | O_RDWR), + CAP_CREATE | CAP_READ | CAP_WRITE | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + CHECK(ret == -1 || unlinkat(dirfd, "cap_create", 0) == 0); ret = fsync(fd_cap); CHECK_RESULT(fsync, CAP_FSYNC, ret == 0); + ret = openat(dirfd, "cap_fsync", O_CREAT, 0600); + CHECK(ret >= 0); + CHECK(close(ret) == 0); + ret = openat(dfd_cap, "cap_fsync", O_FSYNC | O_RDONLY, 0600); + CHECK_RESULT(openat(O_FSYNC | O_RDONLY), + CAP_FSYNC | CAP_READ | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + ret = openat(dfd_cap, "cap_fsync", O_FSYNC | O_WRONLY, 0600); + CHECK_RESULT(openat(O_FSYNC | O_WRONLY), + CAP_FSYNC | CAP_WRITE | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + ret = openat(dfd_cap, "cap_fsync", O_FSYNC | O_RDWR, 0600); + CHECK_RESULT(openat(O_FSYNC | O_RDWR), + CAP_FSYNC | CAP_READ | CAP_WRITE | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + ret = openat(dfd_cap, "cap_fsync", O_SYNC | O_RDONLY, 0600); + CHECK_RESULT(openat(O_SYNC | O_RDONLY), + CAP_FSYNC | CAP_READ | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + ret = openat(dfd_cap, "cap_fsync", O_SYNC | O_WRONLY, 0600); + CHECK_RESULT(openat(O_SYNC | O_WRONLY), + CAP_FSYNC | CAP_WRITE | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + ret = openat(dfd_cap, "cap_fsync", O_SYNC | O_RDWR, 0600); + CHECK_RESULT(openat(O_SYNC | O_RDWR), + CAP_FSYNC | CAP_READ | CAP_WRITE | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + CHECK(unlinkat(dirfd, "cap_fsync", 0) == 0); + + ret = ftruncate(fd_cap, 0); + CHECK_RESULT(ftruncate, CAP_FTRUNCATE, ret == 0); + + ret = openat(dirfd, "cap_ftruncate", O_CREAT, 0600); + CHECK(ret >= 0); + CHECK(close(ret) == 0); + ret = openat(dfd_cap, "cap_ftruncate", O_TRUNC | O_RDONLY); + CHECK_RESULT(openat(O_TRUNC | O_RDONLY), + CAP_FTRUNCATE | CAP_READ | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + ret = openat(dfd_cap, "cap_ftruncate", O_TRUNC | O_WRONLY); + CHECK_RESULT(openat(O_TRUNC | O_WRONLY), + CAP_FTRUNCATE | CAP_WRITE | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + ret = openat(dfd_cap, "cap_ftruncate", O_TRUNC | O_RDWR); + CHECK_RESULT(openat(O_TRUNC | O_RDWR), + CAP_FTRUNCATE | CAP_READ | CAP_WRITE | CAP_LOOKUP, ret >= 0); + CHECK(ret == -1 || close(ret) == 0); + CHECK(unlinkat(dirfd, "cap_ftruncate", 0) == 0); + + /* + * Note: this is not expected to work over NFS. + */ + ret = fchflags(fd_cap, UF_NODUMP); + CHECK_RESULT(fchflags, CAP_FCHFLAGS, + ret == 0 || (is_nfs && errno == EOPNOTSUPP)); + +#ifdef TODO /* No such syscalls yet. */ + ret = openat(dirfd, "cap_fchflagsat", O_CREAT, 0600); + CHECK(ret >= 0); + CHECK(close(ret) == 0); + ret = fchflagsat(dfd_cap, "cap_fchflagsat", UF_NODUMP, 0); + CHECK_RESULT(fchflagsat, CAP_FCHFLAGSAT | CAP_LOOKUP, ret == 0); + CHECK(unlinkat(dirfd, "cap_fchflagsat", 0) == 0); +#endif + ret = fchown(fd_cap, -1, -1); CHECK_RESULT(fchown, CAP_FCHOWN, ret == 0); + ret = openat(dirfd, "cap_fchownat", O_CREAT, 0600); + CHECK(ret >= 0); + CHECK(close(ret) == 0); + ret = fchownat(dfd_cap, "cap_fchownat", -1, -1, 0); + CHECK_RESULT(fchownat, CAP_FCHOWN | CAP_LOOKUP, ret == 0); + CHECK(unlinkat(dirfd, "cap_fchownat", 0) == 0); + ret = fchmod(fd_cap, 0644); CHECK_RESULT(fchmod, CAP_FCHMOD, ret == 0); + ret = openat(dirfd, "cap_fchmodat", O_CREAT, 0600); + CHECK(ret >= 0); + CHECK(close(ret) == 0); + ret = fchmodat(dfd_cap, "cap_fchmodat", 0600, 0); + CHECK_RESULT(fchmodat, CAP_FCHMOD | CAP_LOOKUP, ret == 0); + CHECK(unlinkat(dirfd, "cap_fchmodat", 0) == 0); + + ret = fcntl(fd_cap, F_GETFL); + CHECK_RESULT(fcntl(F_GETFL), CAP_FCNTL, ret >= 0); + ret = fcntl(fd_cap, F_SETFL, ret); + CHECK_RESULT(fcntl(F_SETFL), CAP_FCNTL, ret == 0); + /* XXX flock */ - ret = ftruncate(fd_cap, 0); - CHECK_RESULT(ftruncate, CAP_FTRUNCATE, ret == 0); + ret = fstat(fd_cap, &sb); + CHECK_RESULT(fstat, CAP_FSTAT, ret == 0); + + ret = openat(dirfd, "cap_fstatat", O_CREAT, 0600); + CHECK(ret >= 0); + CHECK(close(ret) == 0); + ret = fstatat(dfd_cap, "cap_fstatat", &sb, 0); + CHECK_RESULT(fstatat, CAP_FSTAT | CAP_LOOKUP, ret == 0); + CHECK(unlinkat(dirfd, "cap_fstatat", 0) == 0); ret = fstatfs(fd_cap, &sf); CHECK_RESULT(fstatfs, CAP_FSTATFS, ret == 0); @@ -197,6 +315,55 @@ try_file_ops(int fd, cap_rights_t rights) ret = futimes(fd_cap, NULL); CHECK_RESULT(futimes, CAP_FUTIMES, ret == 0); + ret = openat(dirfd, "cap_futimesat", O_CREAT, 0600); + CHECK(ret >= 0); + CHECK(close(ret) == 0); + ret = futimesat(dfd_cap, "cap_futimesat", NULL); + CHECK_RESULT(futimesat, CAP_FUTIMES | CAP_LOOKUP, ret == 0); + CHECK(unlinkat(dirfd, "cap_futimesat", 0) == 0); + + ret = openat(dirfd, "cap_linkat_src", O_CREAT, 0600); + CHECK(ret >= 0); + CHECK(close(ret) == 0); + ret = linkat(dirfd, "cap_linkat_src", dfd_cap, "cap_linkat_dst", 0); + CHECK_RESULT(linkat, CAP_LINKAT | CAP_LOOKUP, ret == 0); + CHECK(unlinkat(dirfd, "cap_linkat_src", 0) == 0); + CHECK(ret == -1 || unlinkat(dirfd, "cap_linkat_dst", 0) == 0); + + ret = mkdirat(dfd_cap, "cap_mkdirat", 0700); + CHECK_RESULT(mkdirat, CAP_MKDIRAT | CAP_LOOKUP, ret == 0); + CHECK(ret == -1 || unlinkat(dirfd, "cap_mkdirat", AT_REMOVEDIR) == 0); + + ret = mkfifoat(dfd_cap, "cap_mkfifoat", 0600); + CHECK_RESULT(mkfifoat, CAP_MKFIFOAT | CAP_LOOKUP, ret == 0); + CHECK(ret == -1 || unlinkat(dirfd, "cap_mkfifoat", 0) == 0); + + ret = mknodat(dfd_cap, "cap_mknodat", S_IFCHR | 0600, 0); + CHECK_RESULT(mknodat, CAP_MKNODAT | CAP_LOOKUP, ret == 0); + CHECK(ret == -1 || unlinkat(dirfd, "cap_mknodat", 0) == 0); + + /* TODO: renameat(2) */ + + ret = symlinkat("test", dfd_cap, "cap_symlinkat"); + CHECK_RESULT(symlinkat, CAP_SYMLINKAT | CAP_LOOKUP, ret == 0); + CHECK(ret == -1 || unlinkat(dirfd, "cap_symlinkat", 0) == 0); + + ret = openat(dirfd, "cap_unlinkat", O_CREAT, 0600); + CHECK(ret >= 0); + CHECK(close(ret) == 0); + ret = unlinkat(dfd_cap, "cap_unlinkat", 0); + CHECK_RESULT(unlinkat, CAP_UNLINKAT | CAP_LOOKUP, ret == 0); + CHECK(ret == 0 || unlinkat(dirfd, "cap_unlinkat", 0) == 0); + ret = mkdirat(dirfd, "cap_unlinkat", 0700); + CHECK(ret == 0); + ret = unlinkat(dfd_cap, "cap_unlinkat", AT_REMOVEDIR); + CHECK_RESULT(unlinkat, CAP_UNLINKAT | CAP_LOOKUP, ret == 0); + CHECK(ret == 0 || unlinkat(dirfd, "cap_unlinkat", AT_REMOVEDIR) == 0); + + pollfd.fd = fd_cap; + pollfd.events = POLLIN | POLLERR | POLLHUP; + pollfd.revents = 0; + ret = poll(&pollfd, 1, 0); if (rights & CAP_POLL_EVENT) CHECK((pollfd.revents & POLLNVAL) == 0); @@ -205,79 +372,159 @@ try_file_ops(int fd, cap_rights_t rights) /* XXX: select, kqueue */ - close (fd_cap); + close(fd_cap); + close(fd_capcap); + + if (success == -1) { + fprintf(stderr, "No tests for rights 0x%jx.\n", + (uintmax_t)rights); + success = FAILED; + } return (success); } -#define TRY(fd, rights) \ +#define TRY(rights) \ do { \ if (success == PASSED) \ - success = try_file_ops(fd, rights); \ + success = try_file_ops(filefd, dirfd, (rights)); \ else \ /* We've already failed, but try the test anyway. */ \ - try_file_ops(fd, rights); \ + try_file_ops(filefd, dirfd, (rights)); \ } while (0) +#define KEEP_ERRNO(...) do { \ + int _saved_errno = errno; \ + __VA_ARGS__; \ + errno = _saved_errno; \ +} while (0); + int test_capabilities(void) { - int fd; + int filefd, dirfd, tmpfd; int success = PASSED; - - fd = open("/tmp/cap_test_capabilities", O_RDWR | O_CREAT, 0644); - if (fd < 0) + char file[] = "/tmp/cap_test.XXXXXXXXXX"; + char dir[] = "/tmp/cap_test.XXXXXXXXXX"; + + filefd = mkstemp(file); + if (filefd < 0) + err(-1, "mkstemp"); + if (mkdtemp(dir) == NULL) { + KEEP_ERRNO(unlink(file)); + err(-1, "mkdtemp"); + } + dirfd = open(dir, O_RDONLY | O_DIRECTORY); + if (dirfd == -1) { + KEEP_ERRNO(unlink(file)); + KEEP_ERRNO(rmdir(dir)); err(-1, "open"); + } + tmpfd = open("/tmp", O_RDONLY | O_DIRECTORY); + if (tmpfd == -1) { + KEEP_ERRNO(unlink(file)); + KEEP_ERRNO(rmdir(dir)); + err(-1, "open"); + } - if (cap_enter() < 0) + if (cap_enter() == -1) { + KEEP_ERRNO(unlink(file)); + KEEP_ERRNO(rmdir(dir)); err(-1, "cap_enter"); - - /* XXX: Really want to try all combinations. */ - TRY(fd, CAP_READ); - TRY(fd, CAP_READ | CAP_SEEK); - TRY(fd, CAP_WRITE); - TRY(fd, CAP_WRITE | CAP_SEEK); - TRY(fd, CAP_READ | CAP_WRITE); - TRY(fd, CAP_READ | CAP_WRITE | CAP_SEEK); - TRY(fd, CAP_SEEK); - TRY(fd, CAP_FCHFLAGS); - TRY(fd, CAP_IOCTL); - TRY(fd, CAP_FSTAT); - TRY(fd, CAP_MMAP); - TRY(fd, CAP_MMAP | CAP_READ); - TRY(fd, CAP_MMAP | CAP_WRITE); - TRY(fd, CAP_MMAP | CAP_MAPEXEC); - TRY(fd, CAP_MMAP | CAP_READ | CAP_WRITE); - TRY(fd, CAP_MMAP | CAP_READ | CAP_MAPEXEC); - TRY(fd, CAP_MMAP | CAP_MAPEXEC | CAP_WRITE); - TRY(fd, CAP_MMAP | CAP_READ | CAP_WRITE | CAP_MAPEXEC); - TRY(fd, CAP_FCNTL); - TRY(fd, CAP_POST_EVENT); - TRY(fd, CAP_POLL_EVENT); - TRY(fd, CAP_FSYNC); - TRY(fd, CAP_FCHOWN); - TRY(fd, CAP_FCHMOD); - TRY(fd, CAP_FTRUNCATE); - TRY(fd, CAP_FLOCK); - TRY(fd, CAP_FSTATFS); - TRY(fd, CAP_FPATHCONF); - TRY(fd, CAP_FUTIMES); - TRY(fd, CAP_ACL_GET); - TRY(fd, CAP_ACL_SET); - TRY(fd, CAP_ACL_DELETE); - TRY(fd, CAP_ACL_CHECK); - TRY(fd, CAP_EXTATTR_GET); - TRY(fd, CAP_EXTATTR_SET); - TRY(fd, CAP_EXTATTR_DELETE); - TRY(fd, CAP_EXTATTR_LIST); - TRY(fd, CAP_MAC_GET); - TRY(fd, CAP_MAC_SET); - - /* - * Socket-specific. - */ - TRY(fd, CAP_GETPEERNAME); - TRY(fd, CAP_GETSOCKNAME); - TRY(fd, CAP_ACCEPT); + } + + TRY(CAP_READ); + TRY(CAP_WRITE); + TRY(CAP_SEEK); + TRY(CAP_PREAD); + TRY(CAP_PWRITE); + TRY(CAP_READ | CAP_WRITE); + TRY(CAP_PREAD | CAP_PWRITE); + TRY(CAP_MMAP); + TRY(CAP_MMAP_R); + TRY(CAP_MMAP_W); + TRY(CAP_MMAP_X); + TRY(CAP_MMAP_RW); + TRY(CAP_MMAP_RX); + TRY(CAP_MMAP_WX); + TRY(CAP_MMAP_RWX); + TRY(CAP_CREATE | CAP_READ | CAP_LOOKUP); + TRY(CAP_CREATE | CAP_WRITE | CAP_LOOKUP); + TRY(CAP_CREATE | CAP_READ | CAP_WRITE | CAP_LOOKUP); +#ifdef TODO + TRY(CAP_FEXECVE); +#endif + TRY(CAP_FSYNC); + TRY(CAP_FSYNC | CAP_READ | CAP_LOOKUP); + TRY(CAP_FSYNC | CAP_WRITE | CAP_LOOKUP); + TRY(CAP_FSYNC | CAP_READ | CAP_WRITE | CAP_LOOKUP); + TRY(CAP_FTRUNCATE); + TRY(CAP_FTRUNCATE | CAP_READ | CAP_LOOKUP); + TRY(CAP_FTRUNCATE | CAP_WRITE | CAP_LOOKUP); + TRY(CAP_FTRUNCATE | CAP_READ | CAP_WRITE | CAP_LOOKUP); +#ifdef TODO + TRY(CAP_FCHDIR); +#endif + TRY(CAP_FCHFLAGS); + TRY(CAP_FCHOWN); + TRY(CAP_FCHOWN | CAP_LOOKUP); + TRY(CAP_FCHMOD | CAP_LOOKUP); + TRY(CAP_FCNTL); +#ifdef TODO + TRY(CAP_FLOCK); +#endif + TRY(CAP_FPATHCONF); +#ifdef TODO + TRY(CAP_FSCK); +#endif + TRY(CAP_FSTAT | CAP_LOOKUP); + TRY(CAP_FSTATFS); + TRY(CAP_FUTIMES | CAP_LOOKUP); + TRY(CAP_LINKAT | CAP_LOOKUP); + TRY(CAP_MKDIRAT | CAP_LOOKUP); + TRY(CAP_MKFIFOAT | CAP_LOOKUP); + TRY(CAP_MKNODAT | CAP_LOOKUP); + TRY(CAP_SYMLINKAT | CAP_LOOKUP); + TRY(CAP_UNLINKAT | CAP_LOOKUP); + /* Rename needs CAP_RENAMEAT on source directory and CAP_LINKAT on destination directory. */ + TRY(CAP_RENAMEAT | CAP_UNLINKAT | CAP_LOOKUP); +#ifdef TODO + TRY(CAP_LOOKUP); + TRY(CAP_EXTATTR_DELETE); + TRY(CAP_EXTATTR_GET); + TRY(CAP_EXTATTR_LIST); + TRY(CAP_EXTATTR_SET); + TRY(CAP_ACL_CHECK); + TRY(CAP_ACL_DELETE); + TRY(CAP_ACL_GET); + TRY(CAP_ACL_SET); + TRY(CAP_ACCEPT); + TRY(CAP_BIND); + TRY(CAP_CONNECT); + TRY(CAP_GETPEERNAME); + TRY(CAP_GETSOCKNAME); + TRY(CAP_GETSOCKOPT); + TRY(CAP_LISTEN); + TRY(CAP_PEELOFF); + TRY(CAP_RECV); + TRY(CAP_SEND); + TRY(CAP_SETSOCKOPT); + TRY(CAP_SHUTDOWN); + TRY(CAP_MAC_GET); + TRY(CAP_MAC_SET); + TRY(CAP_SEM_GETVALUE); + TRY(CAP_SEM_POST); + TRY(CAP_SEM_WAIT); + TRY(CAP_POST_EVENT); + TRY(CAP_POLL_EVENT); + TRY(CAP_IOCTL); + TRY(CAP_TTYHOOK); + TRY(CAP_PDGETPID); + TRY(CAP_PDWAIT); + TRY(CAP_PDKILL); +#endif + + (void)unlinkat(tmpfd, file + strlen("/tmp/"), 0); + (void)unlinkat(tmpfd, dir + strlen("/tmp/"), AT_REMOVEDIR); return (success); } diff --git a/tools/regression/security/cap_test/cap_test_relative.c b/tools/regression/security/cap_test/cap_test_relative.c index 1f62e84..27410eb 100644 --- a/tools/regression/security/cap_test/cap_test_relative.c +++ b/tools/regression/security/cap_test/cap_test_relative.c @@ -61,7 +61,8 @@ test_relative(void) cap_rights_t rights; REQUIRE(etc = open("/etc/", O_RDONLY)); - CHECK_SYSCALL_FAILS(EINVAL, cap_getrights, etc, &rights); + CHECK_SYSCALL_SUCCEEDS(cap_getrights, etc, &rights); + CHECK_RIGHTS(rights, CAP_ALL); MAKE_CAPABILITY(etc_cap, etc, CAP_READ); MAKE_CAPABILITY(etc_cap_ro, etc, CAP_READ | CAP_LOOKUP); |