From: Rishikesh K Rajak <risrajak@linux.vnet.ibm.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: LTP list <ltp-list@lists.sourceforge.net>
Subject: Re: [LTP] [PATCH ltp] fix up filecaps and cap_bound testcases
Date: Mon, 22 Mar 2010 12:15:46 +0530
Message-ID: <20100322064546.GC20606@linux.vnet.ibm.com>
In-Reply-To: <20100320154817.GA13351@us.ibm.com>

On Sat, Mar 20, 2010 at 10:48:17AM -0500, Serge E. Hallyn wrote:
> Here's an attempt at fixing up and simplifying the autoconf for
> detecting libcap and prctl support.  After this, make autotools
> etc work fine on my f12 system, and runltp -f cap_bounds passes.
> the filecaps tests refuse to run claiming to be unable to find
> setcap, which I'll worry about next week.
> 
> (I'm sure there is an AC_ macro for finding a command)
> 
> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>

Applied to next. Will merge soon to master once I/someone get a chance to test
on multiple boxes.

-Thanks
Rishi
> ---
>  configure.ac                                       |    1 +
>  m4/ltp-cap.m4                                      |   16 +----
>  m4/ltp-prctl.m4                                    |   31 ++++++++++
>  testcases/kernel/security/cap_bound/cap_bounds_r.c |   44 +++++++-------
>  .../kernel/security/cap_bound/cap_bounds_rw.c      |   58 +++++++++++--------
>  .../security/cap_bound/cap_bset_inh_bounds.c       |   61 ++++----------------
>  testcases/kernel/security/cap_bound/check_pe.c     |   20 ++-----
>  testcases/kernel/security/cap_bound/dummy.c        |   26 +++------
>  .../kernel/security/cap_bound/exec_with_inh.c      |   34 ++---------
>  .../kernel/security/cap_bound/exec_without_inh.c   |   35 ++---------
>  testcases/kernel/security/filecaps/c.c             |   44 ++++++++++++++
>  .../kernel/security/filecaps/check_simple_capset.c |   11 +---
>  testcases/kernel/security/filecaps/inh_capped.c    |   12 +---
>  testcases/kernel/security/filecaps/print_caps.c    |    2 +-
>  .../kernel/security/filecaps/verify_caps_exec.c    |   21 +------
>  15 files changed, 182 insertions(+), 234 deletions(-)
>  create mode 100644 m4/ltp-prctl.m4
>  create mode 100644 testcases/kernel/security/filecaps/c.c
> 
> diff --git a/configure.ac b/configure.ac
> index 8a2ebe2..3dd9829 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -61,6 +61,7 @@ AC_CONFIG_SUBDIRS([ \
>  ])
> 
>  LTP_CHECK_CAPABILITY_SUPPORT
> +LTP_CHECK_PRCTL_SUPPORT
>  LTP_CHECK_CRYPTO
>  LTP_CHECK_LINUX_PTRACE
>  LTP_CHECK_SELINUX
> diff --git a/m4/ltp-cap.m4 b/m4/ltp-cap.m4
> index 5f8d969..28d998d 100644
> --- a/m4/ltp-cap.m4
> +++ b/m4/ltp-cap.m4
> @@ -23,21 +23,11 @@ dnl LTP_CHECK_CAPABILITY_SUPPORT
>  dnl ----------------------------
>  dnl
>  AC_DEFUN([LTP_CHECK_CAPABILITY_SUPPORT],[
> +AH_TEMPLATE(HAVE_LIBCAP,
> +[Define to 1 if you have libcap-2 installed.])
>  AC_CHECK_HEADERS(sys/capability.h,[
> -	AC_CHECK_HEADERS(attr/xattr.h)
>  	LTP_CAPABILITY_SUPPORT=yes
> -	AC_CHECK_LIB(cap,cap_free,[
> -		AC_CHECK_LIB(cap,cap_from_text,[
> -			AC_CHECK_LIB(cap,cap_set_proc,[
> -				AC_CHECK_LIB(cap,cap_compare,[
> -					CAP_LIBS="-lcap"
> -				])
> -			])
> -		])
> -	])
> -	AC_CHECK_DECLS([CAP_BSET_DROP, CAP_BSET_READ, PR_CAPBSET_READ, cap_compare, cap_free, cap_from_text, cap_get_proc, cap_set_file, cap_set_flag, cap_set_proc, cap_to_text],[],[],[dnl
> -#include <sys/capability.h>
> -]) dnl AC_CHECK_DECLS
> +	AC_CHECK_LIB(cap,cap_compare,[AC_DEFINE(HAVE_LIBCAP) CAP_LIBS="-lcap"], [CAP_LIBS=""])
>  ])]
>  AC_SUBST(CAP_LIBS)
>  )
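Review bot: Dropping AC_CHECK_HEADERS(attr/xattr.h) and the whole AC_CHECK_DECLS list in this hunk removes HAVE_ATTR_XATTR_H and every HAVE_DECL_CAP_* symbol from the generated config header, so any source that still tests one of them will quietly evaluate its guard to 0 and build the fallback path. A grep over testcases/ for the removed names before merging would confirm nothing else depends on them. The AC_CHECK_LIB call now probes only cap_compare; a short dnl comment saying why that one symbol was chosen as the libcap-2 marker would help the next reader.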
> diff --git a/m4/ltp-prctl.m4 b/m4/ltp-prctl.m4
> new file mode 100644
> index 0000000..51edb08
> --- /dev/null
> +++ b/m4/ltp-prctl.m4
> @@ -0,0 +1,31 @@
> +dnl
> +dnl Copyright (c) Cisco Systems Inc., 2009
> +dnl
> +dnl This program is free software;  you can redistribute it and/or modify
> +dnl it under the terms of the GNU General Public License as published by
> +dnl the Free Software Foundation; either version 2 of the License, or
> +dnl (at your option) any later version.
> +dnl
> +dnl This program is distributed in the hope that it will be useful,
> +dnl but WITHOUT ANY WARRANTY;  without even the implied warranty of
> +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
> +dnl the GNU General Public License for more details.
> +dnl
> +dnl You should have received a copy of the GNU General Public License
> +dnl along with this program;  if not, write to the Free Software
> +dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +dnl
> +dnl Author: Garrett Cooper <yanegomi@gmail.com>
> +dnl
> +
> +dnl
> +dnl LTP_CHECK_PRCTL_SUPPORT
> +dnl ----------------------------
> +dnl
> +AC_DEFUN([LTP_CHECK_PRCTL_SUPPORT],[
> +AC_CHECK_HEADERS(sys/prctl.h,[
> +	AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ], [],[],[dnl
> +#include <sys/prctl.h>
> +]) dnl AC_CHECK_DECLS
> +])]
> +)
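Review bot: The header of this new file carries "Copyright (c) Cisco Systems Inc., 2009" and "Author: Garrett Cooper", which read as copied from an existing m4 file, while the patch is signed off by Serge E. Hallyn in 2010; please confirm the attribution is what you intend. Note also that AC_CHECK_DECLS runs only inside the sys/prctl.h success branch, so HAVE_DECL_PR_CAPBSET_READ and HAVE_DECL_PR_CAPBSET_DROP are left undefined (not 0) when the header is missing; the C sources must use `#if`, never `#ifdef`, on these symbols.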
> diff --git a/testcases/kernel/security/cap_bound/cap_bounds_r.c b/testcases/kernel/security/cap_bound/cap_bounds_r.c
> index 917d889..0b1c5b3 100644
> --- a/testcases/kernel/security/cap_bound/cap_bounds_r.c
> +++ b/testcases/kernel/security/cap_bound/cap_bounds_r.c
> @@ -32,21 +32,6 @@
>  #include <sys/prctl.h>
>  #include <test.h>
> 
> -#ifndef CAP_LAST_CAP
> -#warning out-of-date capability.h does not define CAP_LAST_CAP
> -#define CAP_LAST_CAP 28  /* be ultra-conservative */
> -#endif
> -
> -#ifndef CAP_BSET_READ
> -#warning CAP_BSET_READ not defined
> -#define CAP_BSET_READ 23
> -#endif
> -
> -#ifndef CAP_BSET_DROP
> -#warning CAP_BSET_DROP not defined
> -#define CAP_BSET_DROP 24
> -#endif
> -
>  char *TCID = "cap_bounds_r";
>  int TST_TOTAL=1;
> 
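Review bot: The CAP_LAST_CAP fallback removed at the top of this file is still needed by the loops further down, which iterate up to CAP_LAST_CAP; with a sys/capability.h that predates the macro (the case the old #warning covered) the file no longer compiles. Either keep the `#ifndef CAP_LAST_CAP` block or add a configure check and report TCONF. Removing the CAP_BSET_READ and CAP_BSET_DROP fallbacks is fine now that the code uses the PR_CAPBSET_* names.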
> @@ -59,17 +44,27 @@ int main(int argc, char *argv[])
>  	int i;
> 
>  	for (i=0; i<=CAP_LAST_CAP; i++) {
> -		ret = prctl(CAP_BSET_READ, i);
> +#if HAVE_DECL_PR_CAPBSET_READ
> +		ret = prctl(PR_CAPBSET_READ, i);
> +#else
> +		errno = ENOSYS;
> +		ret = -1;
> +#endif
>  		if (ret != 1) {
> -			tst_resm(TFAIL, "prctl(CAP_BSET_READ, %d) returned %d\n", i, ret);
> +			tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, %d) returned %d\n", i, ret);
>  			if (ret == -1)
>  				tst_resm(TINFO, "errno was %d\n", errno);
>  			tst_exit();
>  		}
>  	}
> -	ret = prctl(CAP_BSET_READ, -1);
> +#if HAVE_DECL_PR_CAPBSET_READ
> +	ret = prctl(PR_CAPBSET_READ, -1);
> +#else
> +	errno = ENOSYS;
> +	ret = -1;
> +#endif
>  	if (ret != -1) {
> -		tst_resm(TFAIL, "prctl(CAP_BSET_READ, -1) returned %d\n", -1, ret);
> +		tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, -1) returned %d\n", ret);
>  		tst_exit();
>  	}
> 
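Review bot: In the #else branches of this hunk, forcing `ret = -1` makes the loop report TFAIL on a system whose headers simply lack PR_CAPBSET_READ, and makes the following `ret != -1` check succeed without prctl ever being called. A missing declaration is a configuration problem, so a single guard around the test body that reports TCONF would be more accurate than repeating the five-line fallback at each call site.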
> @@ -79,13 +74,18 @@ int main(int argc, char *argv[])
>  	 * testing...  So let's take an insanely high value */
>  #define INSANE 63
>  #define max(x,y) (x > y ? x : y)
> -	ret = prctl(CAP_BSET_READ, max(INSANE,CAP_LAST_CAP+1));
> +#if HAVE_DECL_PR_CAPBSET_READ
> +	ret = prctl(PR_CAPBSET_READ, max(INSANE,CAP_LAST_CAP+1));
> +#else
> +	errno = ENOSYS;
> +	ret = -1;
> +#endif
>  	if (ret != -1) {
> -		tst_resm(TFAIL, "prctl(CAP_BSET_READ, %d) returned %d\n", CAP_LAST_CAP+1, ret);
> +		tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, %d) returned %d\n", CAP_LAST_CAP+1, ret);
>  		tst_resm(TINFO, " %d is CAP_LAST_CAP+1 and should not exist\n", CAP_LAST_CAP+1);
>  		tst_exit();
>  	}
> -	tst_resm(TPASS, "CAP_BSET_READ tests passed\n");
> +	tst_resm(TPASS, "PR_CAPBSET_READ tests passed\n");
>  #else
>  	tst_resm(TCONF, "System doesn't have POSIX capabilities.");
>  #endif
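Review bot: The TFAIL message after the INSANE check prints CAP_LAST_CAP+1, but the value passed to prctl is max(INSANE,CAP_LAST_CAP+1), so the log can name a capability number that was never tested; cap_bounds_rw.c already prints the max() expression and this file should match. While touching these lines, `#define max(x,y) (x > y ? x : y)` should parenthesise its arguments.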
> diff --git a/testcases/kernel/security/cap_bound/cap_bounds_rw.c b/testcases/kernel/security/cap_bound/cap_bounds_rw.c
> index 9129c4e..827a305 100644
> --- a/testcases/kernel/security/cap_bound/cap_bounds_rw.c
> +++ b/testcases/kernel/security/cap_bound/cap_bounds_rw.c
> @@ -31,21 +31,6 @@
>  #include <sys/prctl.h>
>  #include <test.h>
> 
> -#ifndef CAP_LAST_CAP
> -#warning out-of-date capability.h does not define CAP_LAST_CAP
> -#define CAP_LAST_CAP 28  /* be ultra-conservative */
> -#endif
> -
> -#ifndef CAP_BSET_READ
> -#warning CAP_BSET_READ not defined
> -#define CAP_BSET_READ 23
> -#endif
> -
> -#ifndef CAP_BSET_DROP
> -#warning CAP_BSET_DROP not defined
> -#define CAP_BSET_DROP 24
> -#endif
> -
>  char *TCID = "cap_bounds_rw";
>  int TST_TOTAL=1;
> 
> @@ -57,7 +42,12 @@ int check_remaining_caps(int lastdropped)
>  	int ret;
> 
>  	for (i=0; i <= lastdropped; i++) {
> -		ret = prctl(CAP_BSET_READ, i);
> +#if HAVE_DECL_PR_CAPBSET_READ
> +		ret = prctl(PR_CAPBSET_READ, i);
> +#else
> +		errno = ENOSYS;
> +		ret = -1;
> +#endif
>  		if (ret == -1) {
>  			tst_resm(TBROK, "Failed to read bounding set during sanity check\n");
>  			tst_exit();
> @@ -68,7 +58,12 @@ int check_remaining_caps(int lastdropped)
>  		}
>  	}
>  	for (; i<=CAP_LAST_CAP; i++) {
> -		ret = prctl(CAP_BSET_READ, i);
> +#if HAVE_DECL_PR_CAPBSET_READ
> +		ret = prctl(PR_CAPBSET_READ, i);
> +#else
> +		errno = ENOSYS;
> +		ret = -1;
> +#endif
>  		if (ret == -1) {
>  			tst_resm(TBROK, "Failed to read bounding set during sanity check\n");
>  			tst_exit();
> @@ -86,9 +81,14 @@ int main(int argc, char *argv[])
>  	int ret = 1;
>  	int i;
> 
> -	ret = prctl(CAP_BSET_DROP, -1);
> +#if HAVE_DECL_PR_CAPBSET_DROP
> +	ret = prctl(PR_CAPBSET_READ, -1);
> +#else
> +	errno = ENOSYS;
> +	ret = -1;
> +#endif
>  	if (ret != -1) {
> -		tst_resm(TFAIL, "prctl(CAP_BSET_DROP, -1) returned %d\n", ret);
> +		tst_resm(TFAIL, "prctl(PR_CAPBSET_DROP, -1) returned %d\n", ret);
>  		tst_exit();
>  	}
>  	/* Ideally I'd check CAP_LAST_CAP+1, but userspace
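Review bot: The first check in main() now calls prctl(PR_CAPBSET_READ, -1) where the old code called CAP_BSET_DROP, while the surrounding guard is HAVE_DECL_PR_CAPBSET_DROP and the failure message says PR_CAPBSET_DROP. This looks like a copy/paste slip; it should be `ret = prctl(PR_CAPBSET_DROP, -1);`, otherwise the invalid-argument case for the drop operation is no longer exercised by this test.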
> @@ -97,16 +97,26 @@ int main(int argc, char *argv[])
>  	 * testing...  So let's take an insanely high value */
>  #define INSANE 63
>  #define max(x,y) (x > y ? x : y)
> -	ret = prctl(CAP_BSET_DROP, max(INSANE,CAP_LAST_CAP+1));
> +#if HAVE_DECL_PR_CAPBSET_DROP
> +	ret = prctl(PR_CAPBSET_DROP, max(INSANE,CAP_LAST_CAP+1));
> +#else
> +	errno = ENOSYS;
> +	ret = -1;
> +#endif
>  	if (ret != -1) {
> -		tst_resm(TFAIL, "prctl(CAP_BSET_DROP, %d) returned %d\n", max(INSANE, CAP_LAST_CAP+1), ret);
> +		tst_resm(TFAIL, "prctl(PR_CAPBSET_DROP, %d) returned %d\n", max(INSANE, CAP_LAST_CAP+1), ret);
>  		tst_resm(TINFO, " %d is should not exist\n", max(INSANE, CAP_LAST_CAP+1));
>  		tst_exit();
>  	}
>  	for (i=0; i<=CAP_LAST_CAP; i++) {
> -		ret = prctl(CAP_BSET_DROP, i);
> +#if HAVE_DECL_PR_CAPBSET_DROP
> +		ret = prctl(PR_CAPBSET_DROP, i);
> +#else
> +		errno = ENOSYS;
> +		ret = -1;
> +#endif
>  		if (ret != 0) {
> -			tst_resm(TFAIL, "prctl(CAP_BSET_DROP, %d) returned %d\n", i, ret);
> +			tst_resm(TFAIL, "prctl(PR_CAPBSET_DROP, %d) returned %d\n", i, ret);
>  			if (ret == -1)
>  				tst_resm(TINFO, "errno was %d\n", errno);
>  			tst_exit();
> @@ -122,6 +132,6 @@ int main(int argc, char *argv[])
>  			tst_exit();
>  		}
>  	}
> -	tst_resm(TPASS, "CAP_BSET_DROP tests passed\n");
> +	tst_resm(TPASS, "PR_CAPBSET_DROP tests passed\n");
>  	tst_exit();
>  }
> diff --git a/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c b/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c
> index 894e0a5..c6c34c0 100644
> --- a/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c
> +++ b/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c
> @@ -39,9 +39,11 @@ int TST_TOTAL=2;
> 
>  int errno;
> 
> +#if HAVE_SYS_CAPABILITY_H
> +#if HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP
> +#ifdef HAVE_LIBCAP
>  int main(int argc, char *argv[])
>  {
> -#if HAVE_SYS_CAPABILITY_H
>  	int ret = 1;
>  	cap_value_t v[1];
>  	cap_flag_value_t f;
> @@ -49,12 +51,7 @@ int main(int argc, char *argv[])
> 
>  	/* We pick a random capability... let's use CAP_SYS_ADMIN */
>  	/* make sure we have the capability now */
> -#if HAVE_DECL_CAP_BSET_READ
> -	ret = prctl(CAP_BSET_READ, CAP_SYS_ADMIN);
> -#else
> -	errno = ENOSYS;
> -	ret = -1;
> -#endif
> +	ret = prctl(PR_CAPBSET_READ, CAP_SYS_ADMIN);
>  	if (ret != 1) {
>  		tst_resm(TBROK, "Not starting with CAP_SYS_ADMIN\n");
>  		tst_exit();
> @@ -66,47 +63,23 @@ int main(int argc, char *argv[])
>  		tst_resm(TBROK, "Failed to create cap_sys_admin+i cap_t (errno %d)\n", errno);
>  		tst_exit();
>  	}
> -#if HAVE_DECL_CAP_SET_PROC
>  	ret = cap_set_proc(cur);
> -#else
> -	errno = ENOSYS;
> -	ret = -1;
> -#endif
>  	if (ret) {
>  		tst_resm(TBROK, "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n",
>  			ret, errno);
>  		tst_exit();
>  	}
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(cur);
> -#endif
> -#if HAVE_DECL_CAP_GET_FLAG
> -#if HAVE_DECL_CAP_GET_PROC
>  	cur = cap_get_proc();
>  	ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
> -#else
> -	errno = ENOSYS;
> -	ret = -1;
> -#endif
> -#else
> -	errno = ENOSYS;
> -	ret = -1;
> -#endif
>  	if (ret || f != CAP_SET) {
>  		tst_resm(TBROK, "Failed to add CAP_SYS_ADMIN to pI\n");
>  		tst_exit();
>  	}
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(cur);
> -#endif
> 
>  	/* drop the capability from bounding set */
> -#if HAVE_DECL_CAP_BSET_DROP
> -	ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN);
> -#else
> -	errno = ENOSYS;
> -	ret = -1;
> -#endif
> +	ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN);
>  	if (ret) {
>  		tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n");
>  		tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno);
> @@ -114,18 +87,8 @@ int main(int argc, char *argv[])
>  	}
> 
>  	/* test 1: is CAP_SYS_ADMIN still in pI? */
> -#if HAVE_DECL_CAP_GET_FLAG
> -#if HAVE_DECL_CAP_GET_PROC
>  	cur = cap_get_proc();
>  	ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
> -#else
> -	errno = ENOSYS;
> -	ret = -1;
> -#endif
> -#else
> -	errno = ENOSYS;
> -	ret = -1;
> -#endif
>  	if (ret || f != CAP_SET) {
>  		tst_resm(TFAIL, "CAP_SYS_ADMIN not in pI after dropping from bounding set\n");
>  		tst_exit();
> @@ -144,24 +107,24 @@ int main(int argc, char *argv[])
>  		tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from pI\n");
>  		tst_exit();
>  	}
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(tmpcap);
> -#endif
>  	/* test 2: can we put it back in pI? */
> -#if HAVE_DECL_CAP_SET_PROC
>  	ret = cap_set_proc(cur);
> -#endif
>  	if (ret == 0) { /* success means pI was not bounded by X */
>  		tst_resm(TFAIL, "Managed to put CAP_SYS_ADMIN back into pI though not in X\n");
>  		tst_exit();
>  	}
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(cur);
> -#endif
> 
>  	tst_resm(TPASS, "Couldn't put CAP_SYS_ADMIN back into pI when not in bounding set\n");
> -#else
> +#else /* HAVE_LIBCAP */
>  	tst_resm(TCONF, "System doesn't have POSIX capabilities.");
>  #endif
> +#else /* HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP */
> +	tst_resm(TCONF, "System doesn't have CAPBSET prctls.");
> +#endif
> +#else /* HAVE_SYS_CAPABILITY_H */
> +	tst_resm(TCONF, "System doesn't have sys/capability.h.");
> +#endif
>  	tst_exit();
>  }
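Review bot: With the three guards opened above `int main(int argc, char *argv[])` in the first hunk and their #else branches placed here, any configuration where one guard is false leaves `tst_resm(TCONF, ...)`, `tst_exit();` and the closing brace at file scope with no function around them, which does not compile. Keep the main() signature and its opening brace outside the #if chain, as exec_with_inh.c does, so the TCONF paths are actually reachable.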
> diff --git a/testcases/kernel/security/cap_bound/check_pe.c b/testcases/kernel/security/cap_bound/check_pe.c
> index 2e0451a..f621e70 100644
> --- a/testcases/kernel/security/cap_bound/check_pe.c
> +++ b/testcases/kernel/security/cap_bound/check_pe.c
> @@ -40,9 +40,10 @@ int TST_TOTAL=1;
> 
>  int errno;
> 
> +#if HAVE_SYS_CAPABILITY_H
> +#ifdef HAVE_LIBCAP
>  int main(int argc, char *argv[])
>  {
> -#if HAVE_SYS_CAPABILITY_H
>  	int ret = 1;
>  	cap_flag_value_t f;
>  	cap_t cur;
> @@ -58,26 +59,14 @@ int main(int argc, char *argv[])
>  		tst_exit();
>  	}
> 
> -#if HAVE_DECL_CAP_GET_FLAG
> -#if HAVE_DECL_CAP_GET_PROC
>  	cur = cap_get_proc();
>  	ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_EFFECTIVE, &f);
> -#else
> -	ret = -1;
> -	errno = ENOSYS;
> -#endif
> -#else
> -	ret = -1;
> -	errno = ENOSYS;
> -#endif
>  	if (ret) {
>  		tst_resm(TBROK, "cap_get_flag failed (errno %d)\n", errno);
>  		tst_exit();
>  	}
> 
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(cur);
> -#endif
>  	if (n == 1) {
>  		if (f == CAP_SET) {
>  			tst_resm(TPASS, "cap is in pE\n");
> @@ -91,8 +80,11 @@ int main(int argc, char *argv[])
>  		tst_exit();
>  	}
>  	tst_resm(TFAIL, "Cap is in pE\n");
> -#else
> +#else /* libcap */
>  	tst_resm(TCONF, "System doesn't have POSIX capabilities.");
>  #endif
> +#else /* capability_h */
> +	tst_resm(TCONF, "System doesn't have sys/capability.h");
> +#endif
>  	tst_exit();
>  }
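Review bot: `#if HAVE_SYS_CAPABILITY_H` and `#ifdef HAVE_LIBCAP` now sit above `int main(...)` in this file as well, so on either #else path the TCONF call and the trailing `tst_exit(); }` end up outside any function. Move both guards back inside main() so the test reports TCONF instead of breaking the build.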
> diff --git a/testcases/kernel/security/cap_bound/dummy.c b/testcases/kernel/security/cap_bound/dummy.c
> index ad65007..e882940 100644
> --- a/testcases/kernel/security/cap_bound/dummy.c
> +++ b/testcases/kernel/security/cap_bound/dummy.c
> @@ -5,31 +5,21 @@
>  #include <sys/capability.h>
>  #endif
> 
> -#define END \
> -	printf("System doesn't support POSIX capabilities.\n"); \
> -	return 1
> -
>  int main()
>  {
>  #if HAVE_SYS_CAPABILITY_H
> +#ifdef HAVE_LIBCAP
>  	cap_t cur;
> -#if HAVE_DECL_CAP_SET_PROC
> -#if HAVE_DECL_CAP_FROM_TEXT
>  	cur = cap_from_text("all=eip");
>  	cap_set_proc(cur);
> -#else
> -	END;
> -#endif
> -#else
> -	END;
> -#endif
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(cur);
> -#else
> -	END;
> +	return 0;
> +#else /* libcap */
> +	printf("System doesn't support POSIX capabilities.\n");
> +	return 1;
>  #endif
> -#else
> -	END;
> +#else /* capability_h */
> +	printf("System doesn't support sys/capability.h\n");
> +	return 1;
>  #endif
> -	return 0;
>  }
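Review bot: The libcap path now ends in an unconditional `return 0;` although the result of cap_from_text("all=eip") is never checked and the return value of cap_set_proc(cur) is discarded, so this helper reports success even when setting the capabilities failed. Return non-zero when `cur` is NULL or cap_set_proc() fails, so callers can tell the difference.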
> diff --git a/testcases/kernel/security/cap_bound/exec_with_inh.c b/testcases/kernel/security/cap_bound/exec_with_inh.c
> index 21c60fd..123f665 100644
> --- a/testcases/kernel/security/cap_bound/exec_with_inh.c
> +++ b/testcases/kernel/security/cap_bound/exec_with_inh.c
> @@ -42,59 +42,34 @@ int errno;
>  int main(int argc, char *argv[])
>  {
>  #if HAVE_SYS_CAPABILITY_H
> +#ifdef HAVE_LIBCAP
>  	int ret = 1;
>  	cap_flag_value_t f;
>  	cap_t cur = 0;
> 
>  	/* Make sure CAP_SYS_ADMIN is in pI */
> -#if HAVE_DECL_CAP_FROM_TEXT
>  	cur = cap_from_text("all=eip");
> -#endif
>  	if (!cur) {
>  		tst_resm(TBROK, "Failed to create cap_sys_admin+i cap_t (errno %d)\n", errno);
>  		tst_exit();
>  	}
> -#if HAVE_DECL_CAP_SET_PROC
>  	ret = cap_set_proc(cur);
> -#else
> -	ret = -1;
> -	errno = ENOSYS;
> -#endif
>  	if (ret) {
>  		tst_resm(TBROK, "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n",
>  			ret, errno);
>  		tst_exit();
>  	}
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(cur);
> -#endif
> -#if HAVE_DECL_CAP_GET_FLAG
> -#if HAVE_DECL_CAP_GET_PROC
>  	cur = cap_get_proc();
>  	ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
> -#else
> -	ret = -1;
> -	errno = ENOSYS;
> -#endif
> -#else
> -	ret = -1;
> -	errno = ENOSYS;
> -#endif
>  	if (ret || f != CAP_SET) {
>  		tst_resm(TBROK, "Failed to add CAP_SYS_ADMIN to pI\n");
>  		tst_exit();
>  	}
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(cur);
> -#endif
> 
>  	/* drop the capability from bounding set */
> -#if HAVE_DECL_CAP_BSET_DROP
> -	ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN);
> -#else
> -	errno = ENOSYS;
> -	ret = -1;
> -#endif
> +	ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN);
>  	if (ret) {
>  		tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n");
>  		tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno);
> @@ -104,8 +79,11 @@ int main(int argc, char *argv[])
>  	/* execute "check_pe 1" */
>  	execl("check_pe", "check_pe", "1", NULL);
>  	tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno);
> -#else
> +#else /* HAVE_LIBCAP */
>  	tst_resm(TCONF, "System doesn't have POSIX capabilities.");
>  #endif
> +#else /* HAVE_SYS_CAPABILITY_H */
> +	tst_resm(TCONF, "System doesn't have sys/capability.h.");
> +#endif
>  	tst_exit();
>  }
> diff --git a/testcases/kernel/security/cap_bound/exec_without_inh.c b/testcases/kernel/security/cap_bound/exec_without_inh.c
> index 81216f3..df3c4d9 100644
> --- a/testcases/kernel/security/cap_bound/exec_without_inh.c
> +++ b/testcases/kernel/security/cap_bound/exec_without_inh.c
> @@ -42,39 +42,20 @@ int errno;
>  int main(int argc, char *argv[])
>  {
>  #if HAVE_SYS_CAPABILITY_H
> +#ifdef HAVE_LIBCAP
>  	int ret = 1;
>  	cap_flag_value_t f;
>  	cap_value_t v[1];
>  	cap_t cur;
> 
>  	/* Make sure CAP_SYS_ADMIN is not in pI */
> -#if HAVE_DECL_CAP_GET_FLAG
> -#if HAVE_DECL_CAP_GET_PROC
>  	cur = cap_get_proc();
>  	ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
> -#else
> -	ret = -1;
> -	errno = ENOSYS;
> -#endif
> -#else
> -	ret = -1;
> -	errno = ENOSYS;
> -#endif
>  	if (f == CAP_SET) {
>  		v[0] = CAP_SYS_ADMIN;
> -#if HAVE_DECL_CAP_SET_FLAG
>  		ret = cap_set_flag(cur, CAP_INHERITABLE, 1, v, CAP_CLEAR);
> -#else
> -		ret = -1;
> -		errno = ENOSYS;
> -#endif
> -#if HAVE_DECL_CAP_SET_PROC
>  		if (!ret)
>  			ret = cap_set_proc(cur);
> -#else
> -		ret = -1;
> -		errno = ENOSYS;
> -#endif
>  		if (ret) {
>  			tst_resm(TBROK, "Failed to drop cap_sys_admin from pI\n");
>  			tst_exit();
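Review bot: With the guards gone, `ret` from cap_get_flag() is assigned but never tested before `if (f == CAP_SET)`, and `cur` from cap_get_proc() is not checked for NULL; if either call fails, `f` is read uninitialised. Add a TBROK exit on `!cur || ret` before the comparison, in the same way check_pe.c handles its cap_get_flag() call.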
> @@ -83,17 +64,10 @@ int main(int argc, char *argv[])
>  		tst_brkm(TBROK | TERRNO, tst_exit, "Failed to add \
>  			CAP_SYS_ADMIN to pI");
>  	}
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(cur);
> -#endif
> 
>  	/* drop the capability from bounding set */
> -#if HAVE_DECL_CAP_BSET_DROP
> -	ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN);
> -#else
> -	errno = ENOSYS;
> -	ret = -1;
> -#endif
> +	ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN);
>  	if (ret) {
>  		tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n");
>  		tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno);
> @@ -103,8 +77,11 @@ int main(int argc, char *argv[])
>  	/* execute "check_pe 0" */
>  	execl("check_pe", "check_pe", "0", NULL);
>  	tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno);
> -#else
> +#else /* libcap */
>  	tst_resm(TCONF, "System doesn't have POSIX capabilities.");
>  #endif
> +#else /* capability_h */
> +	tst_resm(TCONF, "System doesn't have sys/capability.h.");
> +#endif
>  	tst_exit();
>  }
> diff --git a/testcases/kernel/security/filecaps/c.c b/testcases/kernel/security/filecaps/c.c
> new file mode 100644
> index 0000000..ee6cf05
> --- /dev/null
> +++ b/testcases/kernel/security/filecaps/c.c
> @@ -0,0 +1,44 @@
> +/******************************************************************************/
> +/*                                                                            */
> +/* Copyright (c) International Business Machines  Corp., 2008                 */
> +/*                                                                            */
> +/* This program is free software;  you can redistribute it and/or modify      */
> +/* it under the terms of the GNU General Public License as published by       */
> +/* the Free Software Foundation; either version 2 of the License, or          */
> +/* (at your option) any later version.                                        */
> +/*                                                                            */
> +/* This program is distributed in the hope that it will be useful,            */
> +/* but WITHOUT ANY WARRANTY;  without even the implied warranty of            */
> +/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See                  */
> +/* the GNU General Public License for more details.                           */
> +/*                                                                            */
> +/* You should have received a copy of the GNU General Public License          */
> +/* along with this program;  if not, write to the Free Software               */
> +/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA    */
> +/*                                                                            */
> +/******************************************************************************/
> +
> +
> +#include <stdio.h>
> +#include <sys/capability.h>
> +
> +int main()
> +{
> +	cap_t caps, caps2;
> +	int ret;
> +
> +#ifdef HAVE_LIBCAP
> +	caps = cap_from_text("cap_setpcap+ep");
> +	caps2 = cap_from_text("cap_setpcap+ep");
> +	ret = cap_set_proc(caps);
> +	ret = cap_compare(caps, caps2);
> +	printf("Caps were %sthe same\n", ret ? "not " : "");
> +
> +	cap_free(caps);
> +	cap_free(caps2);
> +	return ret;
> +#else
> +	printf("System doesn't support full POSIX capabilities.\n");
> +	return 1;
> +#endif
> +}
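Review bot: The body of this new file is identical to check_simple_capset.c as it reads after this patch, and the name c.c says nothing about its purpose; it looks like a scratch copy that was added by accident, so please drop it or say which test uses it. If it stays: it includes <sys/capability.h> unconditionally while guarding the code with HAVE_LIBCAP, it includes no config header so the macro can only come from compiler flags, and the result of cap_set_proc(caps) is overwritten by cap_compare() on the next line without being checked.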
> diff --git a/testcases/kernel/security/filecaps/check_simple_capset.c b/testcases/kernel/security/filecaps/check_simple_capset.c
> index 7851e01..6c7790d 100644
> --- a/testcases/kernel/security/filecaps/check_simple_capset.c
> +++ b/testcases/kernel/security/filecaps/check_simple_capset.c
> @@ -27,28 +27,21 @@
> 
>  int main()
>  {
> -#if HAVE_SYS_CAPABILITY_H
> +#ifdef HAVE_LIBCAP
>  	cap_t caps, caps2;
>  	int ret;
> 
> -#if HAVE_DECL_CAP_FROM_TEXT && HAVE_DECL_CAP_SET_PROC && HAVE_DECL_CAP_COMPARE
>  	caps = cap_from_text("cap_setpcap+ep");
>  	caps2 = cap_from_text("cap_setpcap+ep");
>  	ret = cap_set_proc(caps);
>  	ret = cap_compare(caps, caps2);
> -#else
> -	printf("System doesn't support full POSIX capabilities.\n");
> -	return 1;
> -#endif
>  	printf("Caps were %sthe same\n", ret ? "not " : "");
> 
> -#if HAVE_DECL_CAP_FREE
>  	cap_free(caps);
>  	cap_free(caps2);
> -#endif
>  	return ret;
>  #else
> -	printf("System doesn't support POSIX capabilities.\n");
> +	printf("System doesn't support full POSIX capabilities.\n");
>  	return 1;
>  #endif
>  }
> diff --git a/testcases/kernel/security/filecaps/inh_capped.c b/testcases/kernel/security/filecaps/inh_capped.c
> index 513fcb9..794e8b1 100644
> --- a/testcases/kernel/security/filecaps/inh_capped.c
> +++ b/testcases/kernel/security/filecaps/inh_capped.c
> @@ -34,21 +34,17 @@
>  char *TCID = "filecaps";
>  int TST_TOTAL=1;
> 
> +#ifdef HAVE_LIBCAP
>  void debug_print_caps(char *when)
>  {
> -#ifdef DEBUG
>  	char buf[2000];
>  	tst_resm(TINFO, "%s", when);
> -#if HAVE_DECL_SET_CAP_TO_TEXT
>  	snprintf(buf, 2000, "%s", cap_to_text(cap_get_proc(), NULL));
> -#endif
>  	tst_resm(TINFO, "%s", buf);
> -#endif
>  }
> 
>  int set_caps_from_text(char *capstr)
>  {
> -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_SET_CAP_SET_PROC && HAVE_DECL_SET_CAP_FREE
>  	cap_t caps = cap_from_text(capstr);
>  	int ret;
> 
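Review bot: Removing `#ifdef DEBUG` from debug_print_caps() turns the capability dump into unconditional TINFO output on every run; if that is intended, say so in the commit message, otherwise keep the DEBUG guard inside the new HAVE_LIBCAP block. The line `snprintf(buf, 2000, "%s", cap_to_text(cap_get_proc(), NULL));` also leaks both the cap_t and the text buffer and passes NULL through if either call fails; print_my_caps() in verify_caps_exec.c shows the matching cap_free() calls.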
> @@ -59,14 +55,12 @@ int set_caps_from_text(char *capstr)
>  	ret = cap_set_proc(caps);
>  	cap_free(caps);
>  	return ret;
> -#else
> -	return -1;
> -#endif
>  }
> +#endif
> 
>  int main()
>  {
> -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_SET_CAPS_FROM_TEXT
> +#ifdef HAVE_LIBCAP
>  	int ret;
> 
>  	debug_print_caps("start");
> diff --git a/testcases/kernel/security/filecaps/print_caps.c b/testcases/kernel/security/filecaps/print_caps.c
> index 188856e..f0e9bce 100644
> --- a/testcases/kernel/security/filecaps/print_caps.c
> +++ b/testcases/kernel/security/filecaps/print_caps.c
> @@ -40,7 +40,7 @@
> 
>  int main(int argc, char *argv[])
>  {
> -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_GET_PROC && HAVE_DECL_CAP_TO_TEXT
> +#ifdef HAVE_LIBCAP
>  	cap_t cap = cap_get_proc();
>  	int fd;
>  	int seqno = 0;
> diff --git a/testcases/kernel/security/filecaps/verify_caps_exec.c b/testcases/kernel/security/filecaps/verify_caps_exec.c
> index 16fcc0f..5250007 100644
> --- a/testcases/kernel/security/filecaps/verify_caps_exec.c
> +++ b/testcases/kernel/security/filecaps/verify_caps_exec.c
> @@ -60,20 +60,18 @@ void usage(char *me)
>  #define DROP_PERMS 0
>  #define KEEP_PERMS 1
> 
> +#ifdef HAVE_LIBCAP
>  void print_my_caps()
>  {
> -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_GET_PROC && HAVE_DECL_CAP_TO_TEXT
>  	cap_t cap = cap_get_proc();
>  	char *txt = cap_to_text(cap, NULL);
>  	tst_resm(TINFO, "\ncaps are %s\n", txt);
>  	cap_free(cap);
>  	cap_free(txt);
> -#endif
>  }
> 
>  int drop_root(int keep_perms)
>  {
> -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_FROM_TEXT && HAVE_DECL_CAP_SET_PROC
>  	int ret;
> 
>  	if (keep_perms)
> @@ -89,15 +87,11 @@ int drop_root(int keep_perms)
>  		cap_set_proc(cap);
>  		cap_free(cap);
>  	}
> -#else
> -	tst_resm(TCONF, "System doesn't have full POSIX capabilities support.\n");
> -#endif
>  	tst_exit();
>  }
> 
>  int perms_test(void)
>  {
> -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_SET_FILE
>  	int ret;
>  	cap_t cap;
> 
> @@ -118,9 +112,6 @@ int perms_test(void)
> 
>  	cap_free(cap);
>  	return ret;
> -#else
> -	return -1;
> -#endif
>  }
> 
>  #define FIFOFILE "caps_fifo"
> @@ -160,7 +151,6 @@ void read_from_fifo(char *buf)
>  	close(fd);
>  }
> 
> -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_COMPARE && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_TO_TEXT
>  int fork_drop_and_exec(int keepperms, cap_t expected_caps)
>  {
> 
> @@ -219,12 +209,9 @@ int fork_drop_and_exec(int keepperms, cap_t expected_caps)
>  	}
>  	return ret;
>  }
> -#endif
> 
>  int caps_actually_set_test(void)
>  {
> -
> -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_PR_CAPBSET_READ
>  	int  whichcap, finalret = 0, ret;
>  	cap_t fcap, pcap, cap_fullpi;
>  	cap_value_t capvalue[1];
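Review bot: caps_actually_set_test() was the only function in this file guarded by HAVE_DECL_PR_CAPBSET_READ, and after this hunk it is compiled whenever HAVE_LIBCAP is set. If its body (not shown in this hunk) depends on PR_CAPBSET_READ, a system with libcap-2 but older prctl headers will fail to build; consider `#if defined(HAVE_LIBCAP) && HAVE_DECL_PR_CAPBSET_READ` here, or a TCONF path for that combination.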
> @@ -399,17 +386,15 @@ int caps_actually_set_test(void)
>  	cap_free(cap_fullpi);
> 
>  	return finalret;
> -#else
> -	return -1;
> -#endif
>  }
> +#endif
> 
>  int main(int argc, char *argv[])
>  {
> +#ifdef HAVE_LIBCAP
>  	if (argc < 2)
>  		usage(argv[0]);
> 
> -#if HAVE_SYS_CAPABILITY_H
>  	int ret = 0;
> 
>  	switch(atoi(argv[1])) {
> -- 
> 1.6.0.6
> 
> 

-- 
Thanks & Regards
Rishi
LTP Maintainer
IBM, LTC, Bangalore
Please join IRC #ltp @ irc.freenode.net
