From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sat, 20 Mar 2010 10:48:17 -0500
From: "Serge E. Hallyn"
To: LTP list
Message-ID: <20100320154817.GA13351@us.ibm.com>
Subject: [LTP] [PATCH ltp] fix up filecaps and cap_bound testcases
List-Id: Linux Test Project General Discussions

Here's an attempt at fixing up and simplifying the autoconf for detecting libcap and prctl support. After this, make autotools etc work fine on my f12 system, and runltp -f cap_bounds passes. The filecaps tests refuse to run claiming to be unable to find setcap, which I'll worry about next week. (I'm sure there is an AC_ macro for finding a command)
Signed-off-by: Serge E. Hallyn --- configure.ac | 1 + m4/ltp-cap.m4 | 16 +---- m4/ltp-prctl.m4 | 31 ++++++++++ testcases/kernel/security/cap_bound/cap_bounds_r.c | 44 +++++++------- .../kernel/security/cap_bound/cap_bounds_rw.c | 58 +++++++++++-------- .../security/cap_bound/cap_bset_inh_bounds.c | 61 ++++---------------- testcases/kernel/security/cap_bound/check_pe.c | 20 ++----- testcases/kernel/security/cap_bound/dummy.c | 26 +++------ .../kernel/security/cap_bound/exec_with_inh.c | 34 ++--------- .../kernel/security/cap_bound/exec_without_inh.c | 35 ++--------- testcases/kernel/security/filecaps/c.c | 44 ++++++++++++++ .../kernel/security/filecaps/check_simple_capset.c | 11 +--- testcases/kernel/security/filecaps/inh_capped.c | 12 +--- testcases/kernel/security/filecaps/print_caps.c | 2 +- .../kernel/security/filecaps/verify_caps_exec.c | 21 +------ 15 files changed, 182 insertions(+), 234 deletions(-) create mode 100644 m4/ltp-prctl.m4 create mode 100644 testcases/kernel/security/filecaps/c.c diff --git a/configure.ac b/configure.ac index 8a2ebe2..3dd9829 100644 --- a/configure.ac +++ b/configure.ac @@ -61,6 +61,7 @@ AC_CONFIG_SUBDIRS([ \ ]) LTP_CHECK_CAPABILITY_SUPPORT +LTP_CHECK_PRCTL_SUPPORT LTP_CHECK_CRYPTO LTP_CHECK_LINUX_PTRACE LTP_CHECK_SELINUX diff --git a/m4/ltp-cap.m4 b/m4/ltp-cap.m4 index 5f8d969..28d998d 100644 --- a/m4/ltp-cap.m4 +++ b/m4/ltp-cap.m4 
@@ -23,21 +23,11 @@ dnl LTP_CHECK_CAPABILITY_SUPPORT dnl ---------------------------- dnl AC_DEFUN([LTP_CHECK_CAPABILITY_SUPPORT],[ +AH_TEMPLATE(HAVE_LIBCAP, +[Define to 1 if you have libcap-2 installed.]) AC_CHECK_HEADERS(sys/capability.h,[ - AC_CHECK_HEADERS(attr/xattr.h) LTP_CAPABILITY_SUPPORT=yes - AC_CHECK_LIB(cap,cap_free,[ - AC_CHECK_LIB(cap,cap_from_text,[ - AC_CHECK_LIB(cap,cap_set_proc,[ - AC_CHECK_LIB(cap,cap_compare,[ - CAP_LIBS="-lcap" - ]) - ]) - ]) - ]) - AC_CHECK_DECLS([CAP_BSET_DROP, CAP_BSET_READ, PR_CAPBSET_READ, cap_compare, cap_free, cap_from_text, cap_get_proc, cap_set_file, cap_set_flag, cap_set_proc, cap_to_text],[],[],[dnl -#include -]) dnl AC_CHECK_DECLS + AC_CHECK_LIB(cap,cap_compare,[AC_DEFINE(HAVE_LIBCAP) CAP_LIBS="-lcap"], [CAP_LIBS=""]) ])] AC_SUBST(CAP_LIBS) ) diff --git a/m4/ltp-prctl.m4 b/m4/ltp-prctl.m4 new file mode 100644 index 0000000..51edb08 --- /dev/null +++ b/m4/ltp-prctl.m4 
@@ -0,0 +1,31 @@ +dnl +dnl Copyright (c) Cisco Systems Inc., 2009 +dnl +dnl This program is free software; you can redistribute it and/or modify +dnl it under the terms of the GNU General Public License as published by +dnl the Free Software Foundation; either version 2 of the License, or +dnl (at your option) any later version. +dnl +dnl This program is distributed in the hope that it will be useful, +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +dnl the GNU General Public License for more details. +dnl +dnl You should have received a copy of the GNU General Public License +dnl along with this program; if not, write to the Free Software +dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +dnl +dnl Author: Garrett Cooper +dnl + +dnl +dnl LTP_CHECK_PRCTL_SUPPORT +dnl ---------------------------- +dnl +AC_DEFUN([LTP_CHECK_PRCTL_SUPPORT],[ +AC_CHECK_HEADERS(sys/prctl.h,[ + AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ], [],[],[dnl +#include +]) dnl AC_CHECK_DECLS +])] +) diff --git a/testcases/kernel/security/cap_bound/cap_bounds_r.c b/testcases/kernel/security/cap_bound/cap_bounds_r.c index 917d889..0b1c5b3 100644 --- a/testcases/kernel/security/cap_bound/cap_bounds_r.c +++ b/testcases/kernel/security/cap_bound/cap_bounds_r.c @@ -32,21 +32,6 @@ #include #include -#ifndef CAP_LAST_CAP -#warning out-of-date capability.h does not define CAP_LAST_CAP -#define CAP_LAST_CAP 28 /* be ultra-conservative */ -#endif - -#ifndef CAP_BSET_READ -#warning CAP_BSET_READ not defined -#define CAP_BSET_READ 23 -#endif - -#ifndef CAP_BSET_DROP -#warning CAP_BSET_DROP not defined -#define CAP_BSET_DROP 24 -#endif - char *TCID = "cap_bounds_r"; int TST_TOTAL=1; 
@@ -59,17 +44,27 @@ int main(int argc, char *argv[]) int i; for (i=0; i<=CAP_LAST_CAP; i++) { - ret = prctl(CAP_BSET_READ, i); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, i); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != 1) { - tst_resm(TFAIL, "prctl(CAP_BSET_READ, %d) returned %d\n", i, ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, %d) returned %d\n", i, ret); if (ret == -1) tst_resm(TINFO, "errno was %d\n", errno); tst_exit(); } } - ret = prctl(CAP_BSET_READ, -1); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, -1); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != -1) { - tst_resm(TFAIL, "prctl(CAP_BSET_READ, -1) returned %d\n", -1, ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, -1) returned %d\n", ret); tst_exit(); } @@ -79,13 +74,18 @@ int main(int argc, char *argv[]) * testing... So let's take an insanely high value */ #define INSANE 63 #define max(x,y) (x > y ? x : y) - ret = prctl(CAP_BSET_READ, max(INSANE,CAP_LAST_CAP+1)); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, max(INSANE,CAP_LAST_CAP+1)); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != -1) { - tst_resm(TFAIL, "prctl(CAP_BSET_READ, %d) returned %d\n", CAP_LAST_CAP+1, ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, %d) returned %d\n", CAP_LAST_CAP+1, ret); tst_resm(TINFO, " %d is CAP_LAST_CAP+1 and should not exist\n", CAP_LAST_CAP+1); tst_exit(); } - tst_resm(TPASS, "CAP_BSET_READ tests passed\n"); + tst_resm(TPASS, "PR_CAPBSET_READ tests passed\n"); #else tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif diff --git a/testcases/kernel/security/cap_bound/cap_bounds_rw.c b/testcases/kernel/security/cap_bound/cap_bounds_rw.c index 9129c4e..827a305 100644 --- a/testcases/kernel/security/cap_bound/cap_bounds_rw.c +++ b/testcases/kernel/security/cap_bound/cap_bounds_rw.c 
@@ -31,21 +31,6 @@ #include #include -#ifndef CAP_LAST_CAP -#warning out-of-date capability.h does not define CAP_LAST_CAP -#define CAP_LAST_CAP 28 /* be ultra-conservative */ -#endif - -#ifndef CAP_BSET_READ -#warning CAP_BSET_READ not defined -#define CAP_BSET_READ 23 -#endif - -#ifndef CAP_BSET_DROP -#warning CAP_BSET_DROP not defined -#define CAP_BSET_DROP 24 -#endif - char *TCID = "cap_bounds_rw"; int TST_TOTAL=1; @@ -57,7 +42,12 @@ int check_remaining_caps(int lastdropped) int ret; for (i=0; i <= lastdropped; i++) { - ret = prctl(CAP_BSET_READ, i); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, i); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret == -1) { tst_resm(TBROK, "Failed to read bounding set during sanity check\n"); tst_exit(); @@ -68,7 +58,12 @@ int check_remaining_caps(int lastdropped) } } for (; i<=CAP_LAST_CAP; i++) { - ret = prctl(CAP_BSET_READ, i); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, i); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret == -1) { tst_resm(TBROK, "Failed to read bounding set during sanity check\n"); tst_exit(); @@ -86,9 +81,14 @@ int main(int argc, char *argv[]) int ret = 1; int i; - ret = prctl(CAP_BSET_DROP, -1); +#if HAVE_DECL_PR_CAPBSET_DROP + ret = prctl(PR_CAPBSET_READ, -1); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != -1) { - tst_resm(TFAIL, "prctl(CAP_BSET_DROP, -1) returned %d\n", ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_DROP, -1) returned %d\n", ret); tst_exit(); } /* Ideally I'd check CAP_LAST_CAP+1, but userspace 
@@ -97,16 +97,26 @@ int main(int argc, char *argv[]) * testing... So let's take an insanely high value */ #define INSANE 63 #define max(x,y) (x > y ? x : y) - ret = prctl(CAP_BSET_DROP, max(INSANE,CAP_LAST_CAP+1)); +#if HAVE_DECL_PR_CAPBSET_DROP + ret = prctl(PR_CAPBSET_DROP, max(INSANE,CAP_LAST_CAP+1)); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != -1) { - tst_resm(TFAIL, "prctl(CAP_BSET_DROP, %d) returned %d\n", max(INSANE, CAP_LAST_CAP+1), ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_DROP, %d) returned %d\n", max(INSANE, CAP_LAST_CAP+1), ret); tst_resm(TINFO, " %d is should not exist\n", max(INSANE, CAP_LAST_CAP+1)); tst_exit(); } for (i=0; i<=CAP_LAST_CAP; i++) { - ret = prctl(CAP_BSET_DROP, i); +#if HAVE_DECL_PR_CAPBSET_DROP + ret = prctl(PR_CAPBSET_DROP, i); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != 0) { - tst_resm(TFAIL, "prctl(CAP_BSET_DROP, %d) returned %d\n", i, ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_DROP, %d) returned %d\n", i, ret); if (ret == -1) tst_resm(TINFO, "errno was %d\n", errno); tst_exit(); @@ -122,6 +132,6 @@ int main(int argc, char *argv[]) tst_exit(); } } - tst_resm(TPASS, "CAP_BSET_DROP tests passed\n"); + tst_resm(TPASS, "PR_CAPBSET_DROP tests passed\n"); tst_exit(); } diff --git a/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c b/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c index 894e0a5..c6c34c0 100644 --- a/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c +++ b/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c @@ -39,9 +39,11 @@ int TST_TOTAL=2; int errno; +#if HAVE_SYS_CAPABILITY_H +#if HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP +#ifdef HAVE_LIBCAP int main(int argc, char *argv[]) { -#if HAVE_SYS_CAPABILITY_H int ret = 1; cap_value_t v[1]; cap_flag_value_t f; 
@@ -49,12 +51,7 @@ int main(int argc, char *argv[]) /* We pick a random capability... let's use CAP_SYS_ADMIN */ /* make sure we have the capability now */ -#if HAVE_DECL_CAP_BSET_READ - ret = prctl(CAP_BSET_READ, CAP_SYS_ADMIN); -#else - errno = ENOSYS; - ret = -1; -#endif + ret = prctl(PR_CAPBSET_READ, CAP_SYS_ADMIN); if (ret != 1) { tst_resm(TBROK, "Not starting with CAP_SYS_ADMIN\n"); tst_exit(); @@ -66,47 +63,23 @@ int main(int argc, char *argv[]) tst_resm(TBROK, "Failed to create cap_sys_admin+i cap_t (errno %d)\n", errno); tst_exit(); } -#if HAVE_DECL_CAP_SET_PROC ret = cap_set_proc(cur); -#else - errno = ENOSYS; - ret = -1; -#endif if (ret) { tst_resm(TBROK, "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n", ret, errno); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); -#else - errno = ENOSYS; - ret = -1; -#endif -#else - errno = ENOSYS; - ret = -1; -#endif if (ret || f != CAP_SET) { tst_resm(TBROK, "Failed to add CAP_SYS_ADMIN to pI\n"); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif /* drop the capability from bounding set */ -#if HAVE_DECL_CAP_BSET_DROP - ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN); -#else - errno = ENOSYS; - ret = -1; -#endif + ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN); if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n"); tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno); @@ -114,18 +87,8 @@ int main(int argc, char *argv[]) } /* test 1: is CAP_SYS_ADMIN still in pI? */ -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); -#else - errno = ENOSYS; - ret = -1; -#endif -#else - errno = ENOSYS; - ret = -1; -#endif if (ret || f != CAP_SET) { tst_resm(TFAIL, "CAP_SYS_ADMIN not in pI after dropping from bounding set\n"); tst_exit(); 
@@ -144,24 +107,24 @@ int main(int argc, char *argv[]) tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from pI\n"); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(tmpcap); -#endif /* test 2: can we put it back in pI? */ -#if HAVE_DECL_CAP_SET_PROC ret = cap_set_proc(cur); -#endif if (ret == 0) { /* success means pI was not bounded by X */ tst_resm(TFAIL, "Managed to put CAP_SYS_ADMIN back into pI though not in X\n"); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif tst_resm(TPASS, "Couldn't put CAP_SYS_ADMIN back into pI when not in bounding set\n"); -#else +#else /* HAVE_LIBCAP */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP */ + tst_resm(TCONF, "System doesn't have CAPBSET prctls."); +#endif +#else /* HAVE_SYS_CAPABILITY_H */ + tst_resm(TCONF, "System doesn't have sys/capability.h."); +#endif tst_exit(); } diff --git a/testcases/kernel/security/cap_bound/check_pe.c b/testcases/kernel/security/cap_bound/check_pe.c index 2e0451a..f621e70 100644 --- a/testcases/kernel/security/cap_bound/check_pe.c +++ b/testcases/kernel/security/cap_bound/check_pe.c @@ -40,9 +40,10 @@ int TST_TOTAL=1; int errno; +#if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP int main(int argc, char *argv[]) { -#if HAVE_SYS_CAPABILITY_H int ret = 1; cap_flag_value_t f; cap_t cur; @@ -58,26 +59,14 @@ int main(int argc, char *argv[]) tst_exit(); } -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_EFFECTIVE, &f); -#else - ret = -1; - errno = ENOSYS; -#endif -#else - ret = -1; - errno = ENOSYS; -#endif if (ret) { tst_resm(TBROK, "cap_get_flag failed (errno %d)\n", errno); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif if (n == 1) { if (f == CAP_SET) { tst_resm(TPASS, "cap is in pE\n"); 
@@ -91,8 +80,11 @@ int main(int argc, char *argv[]) tst_exit(); } tst_resm(TFAIL, "Cap is in pE\n"); -#else +#else /* libcap */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* capability_h */ + tst_resm(TCONF, "System doesn't have sys/capability.h"); +#endif tst_exit(); } diff --git a/testcases/kernel/security/cap_bound/dummy.c b/testcases/kernel/security/cap_bound/dummy.c index ad65007..e882940 100644 --- a/testcases/kernel/security/cap_bound/dummy.c +++ b/testcases/kernel/security/cap_bound/dummy.c @@ -5,31 +5,21 @@ #include #endif -#define END \ - printf("System doesn't support POSIX capabilities.\n"); \ - return 1 - int main() { #if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP cap_t cur; -#if HAVE_DECL_CAP_SET_PROC -#if HAVE_DECL_CAP_FROM_TEXT cur = cap_from_text("all=eip"); cap_set_proc(cur); -#else - END; -#endif -#else - END; -#endif -#if HAVE_DECL_CAP_FREE cap_free(cur); -#else - END; + return 0; +#else /* libcap */ + printf("System doesn't support POSIX capabilities.\n"); + return 1; #endif -#else - END; +#else /* capability_h */ + printf("System doesn't support sys/capability.h\n"); + return 1; #endif - return 0; } diff --git a/testcases/kernel/security/cap_bound/exec_with_inh.c b/testcases/kernel/security/cap_bound/exec_with_inh.c index 21c60fd..123f665 100644 --- a/testcases/kernel/security/cap_bound/exec_with_inh.c +++ b/testcases/kernel/security/cap_bound/exec_with_inh.c 
@@ -42,59 +42,34 @@ int errno; int main(int argc, char *argv[]) { #if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP int ret = 1; cap_flag_value_t f; cap_t cur = 0; /* Make sure CAP_SYS_ADMIN is in pI */ -#if HAVE_DECL_CAP_FROM_TEXT cur = cap_from_text("all=eip"); -#endif if (!cur) { tst_resm(TBROK, "Failed to create cap_sys_admin+i cap_t (errno %d)\n", errno); tst_exit(); } -#if HAVE_DECL_CAP_SET_PROC ret = cap_set_proc(cur); -#else - ret = -1; - errno = ENOSYS; -#endif if (ret) { tst_resm(TBROK, "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n", ret, errno); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); -#else - ret = -1; - errno = ENOSYS; -#endif -#else - ret = -1; - errno = ENOSYS; -#endif if (ret || f != CAP_SET) { tst_resm(TBROK, "Failed to add CAP_SYS_ADMIN to pI\n"); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif /* drop the capability from bounding set */ -#if HAVE_DECL_CAP_BSET_DROP - ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN); -#else - errno = ENOSYS; - ret = -1; -#endif + ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN); if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n"); tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno); @@ -104,8 +79,11 @@ int main(int argc, char *argv[]) /* execute "check_pe 1" */ execl("check_pe", "check_pe", "1", NULL); tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno); -#else +#else /* HAVE_LIBCAP */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* HAVE_SYS_CAPABILITY_H */ + tst_resm(TCONF, "System doesn't have sys/capability.h."); +#endif tst_exit(); } diff --git a/testcases/kernel/security/cap_bound/exec_without_inh.c b/testcases/kernel/security/cap_bound/exec_without_inh.c index 81216f3..df3c4d9 100644 --- a/testcases/kernel/security/cap_bound/exec_without_inh.c 
+++ b/testcases/kernel/security/cap_bound/exec_without_inh.c @@ -42,39 +42,20 @@ int errno; int main(int argc, char *argv[]) { #if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP int ret = 1; cap_flag_value_t f; cap_value_t v[1]; cap_t cur; /* Make sure CAP_SYS_ADMIN is not in pI */ -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); -#else - ret = -1; - errno = ENOSYS; -#endif -#else - ret = -1; - errno = ENOSYS; -#endif if (f == CAP_SET) { v[0] = CAP_SYS_ADMIN; -#if HAVE_DECL_CAP_SET_FLAG ret = cap_set_flag(cur, CAP_INHERITABLE, 1, v, CAP_CLEAR); -#else - ret = -1; - errno = ENOSYS; -#endif -#if HAVE_DECL_CAP_SET_PROC if (!ret) ret = cap_set_proc(cur); -#else - ret = -1; - errno = ENOSYS; -#endif if (ret) { tst_resm(TBROK, "Failed to drop cap_sys_admin from pI\n"); tst_exit(); @@ -83,17 +64,10 @@ int main(int argc, char *argv[]) tst_brkm(TBROK | TERRNO, tst_exit, "Failed to add \ CAP_SYS_ADMIN to pI"); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif /* drop the capability from bounding set */ -#if HAVE_DECL_CAP_BSET_DROP - ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN); -#else - errno = ENOSYS; - ret = -1; -#endif + ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN); if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n"); tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno); @@ -103,8 +77,11 @@ int main(int argc, char *argv[]) /* execute "check_pe 0" */ execl("check_pe", "check_pe", "0", NULL); tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno); -#else +#else /* libcap */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* capability_h */ + tst_resm(TCONF, "System doesn't have sys/capability.h."); +#endif tst_exit(); } diff --git a/testcases/kernel/security/filecaps/c.c b/testcases/kernel/security/filecaps/c.c new file mode 100644 index 0000000..ee6cf05 --- /dev/null +++ b/testcases/kernel/security/filecaps/c.c 
@@ -0,0 +1,44 @@ +/******************************************************************************/ +/* */ +/* Copyright (c) International Business Machines Corp., 2008 */ +/* */ +/* This program is free software; you can redistribute it and/or modify */ +/* it under the terms of the GNU General Public License as published by */ +/* the Free Software Foundation; either version 2 of the License, or */ +/* (at your option) any later version. */ +/* */ +/* This program is distributed in the hope that it will be useful, */ +/* but WITHOUT ANY WARRANTY; without even the implied warranty of */ +/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See */ +/* the GNU General Public License for more details. */ +/* */ +/* You should have received a copy of the GNU General Public License */ +/* along with this program; if not, write to the Free Software */ +/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ +/* */ +/******************************************************************************/ + + +#include +#include + +int main() +{ + cap_t caps, caps2; + int ret; + +#ifdef HAVE_LIBCAP + caps = cap_from_text("cap_setpcap+ep"); + caps2 = cap_from_text("cap_setpcap+ep"); + ret = cap_set_proc(caps); + ret = cap_compare(caps, caps2); + printf("Caps were %sthe same\n", ret ? "not " : ""); + + cap_free(caps); + cap_free(caps2); + return ret; +#else + printf("System doesn't support full POSIX capabilities.\n"); + return 1; +#endif +} diff --git a/testcases/kernel/security/filecaps/check_simple_capset.c b/testcases/kernel/security/filecaps/check_simple_capset.c index 7851e01..6c7790d 100644 --- a/testcases/kernel/security/filecaps/check_simple_capset.c +++ b/testcases/kernel/security/filecaps/check_simple_capset.c 
@@ -27,28 +27,21 @@ int main() { -#if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP cap_t caps, caps2; int ret; -#if HAVE_DECL_CAP_FROM_TEXT && HAVE_DECL_CAP_SET_PROC && HAVE_DECL_CAP_COMPARE caps = cap_from_text("cap_setpcap+ep"); caps2 = cap_from_text("cap_setpcap+ep"); ret = cap_set_proc(caps); ret = cap_compare(caps, caps2); -#else - printf("System doesn't support full POSIX capabilities.\n"); - return 1; -#endif printf("Caps were %sthe same\n", ret ? "not " : ""); -#if HAVE_DECL_CAP_FREE cap_free(caps); cap_free(caps2); -#endif return ret; #else - printf("System doesn't support POSIX capabilities.\n"); + printf("System doesn't support full POSIX capabilities.\n"); return 1; #endif } diff --git a/testcases/kernel/security/filecaps/inh_capped.c b/testcases/kernel/security/filecaps/inh_capped.c index 513fcb9..794e8b1 100644 --- a/testcases/kernel/security/filecaps/inh_capped.c +++ b/testcases/kernel/security/filecaps/inh_capped.c @@ -34,21 +34,17 @@ char *TCID = "filecaps"; int TST_TOTAL=1; +#ifdef HAVE_LIBCAP void debug_print_caps(char *when) { -#ifdef DEBUG char buf[2000]; tst_resm(TINFO, "%s", when); -#if HAVE_DECL_SET_CAP_TO_TEXT snprintf(buf, 2000, "%s", cap_to_text(cap_get_proc(), NULL)); -#endif tst_resm(TINFO, "%s", buf); -#endif } int set_caps_from_text(char *capstr) { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_SET_CAP_SET_PROC && HAVE_DECL_SET_CAP_FREE cap_t caps = cap_from_text(capstr); int ret; @@ -59,14 +55,12 @@ int set_caps_from_text(char *capstr) ret = cap_set_proc(caps); cap_free(caps); return ret; -#else - return -1; -#endif } +#endif int main() { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_SET_CAPS_FROM_TEXT +#ifdef HAVE_LIBCAP int ret; debug_print_caps("start"); diff --git a/testcases/kernel/security/filecaps/print_caps.c b/testcases/kernel/security/filecaps/print_caps.c index 188856e..f0e9bce 100644 --- a/testcases/kernel/security/filecaps/print_caps.c +++ b/testcases/kernel/security/filecaps/print_caps.c 
@@ -40,7 +40,7 @@ int main(int argc, char *argv[]) { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_GET_PROC && HAVE_DECL_CAP_TO_TEXT +#ifdef HAVE_LIBCAP cap_t cap = cap_get_proc(); int fd; int seqno = 0; diff --git a/testcases/kernel/security/filecaps/verify_caps_exec.c b/testcases/kernel/security/filecaps/verify_caps_exec.c index 16fcc0f..5250007 100644 --- a/testcases/kernel/security/filecaps/verify_caps_exec.c +++ b/testcases/kernel/security/filecaps/verify_caps_exec.c @@ -60,20 +60,18 @@ void usage(char *me) #define DROP_PERMS 0 #define KEEP_PERMS 1 +#ifdef HAVE_LIBCAP void print_my_caps() { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_GET_PROC && HAVE_DECL_CAP_TO_TEXT cap_t cap = cap_get_proc(); char *txt = cap_to_text(cap, NULL); tst_resm(TINFO, "\ncaps are %s\n", txt); cap_free(cap); cap_free(txt); -#endif } int drop_root(int keep_perms) { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_FROM_TEXT && HAVE_DECL_CAP_SET_PROC int ret; if (keep_perms) @@ -89,15 +87,11 @@ int drop_root(int keep_perms) cap_set_proc(cap); cap_free(cap); } -#else - tst_resm(TCONF, "System doesn't have full POSIX capabilities support.\n"); -#endif tst_exit(); } int perms_test(void) { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_SET_FILE int ret; cap_t cap; @@ -118,9 +112,6 @@ int perms_test(void) cap_free(cap); return ret; -#else - return -1; -#endif } #define FIFOFILE "caps_fifo" @@ -160,7 +151,6 @@ void read_from_fifo(char *buf) close(fd); } -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_COMPARE && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_TO_TEXT int fork_drop_and_exec(int keepperms, cap_t expected_caps) { @@ -219,12 +209,9 @@ int fork_drop_and_exec(int keepperms, cap_t expected_caps) } return ret; } -#endif int caps_actually_set_test(void) { - -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_PR_CAPBSET_READ int whichcap, finalret = 0, ret; cap_t fcap, pcap, cap_fullpi; cap_value_t capvalue[1]; 
@@ -399,17 +386,15 @@ int caps_actually_set_test(void) cap_free(cap_fullpi); return finalret; -#else - return -1; -#endif } +#endif int main(int argc, char *argv[]) { +#ifdef HAVE_LIBCAP if (argc < 2) usage(argv[0]); -#if HAVE_SYS_CAPABILITY_H int ret = 0; switch(atoi(argv[1])) { -- 1.6.0.6
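Review bot: m4/ltp-prctl.m4 is created by this patch yet carries a 2009 Cisco Systems copyright and `Author: Garrett Cooper`, while the patch is signed off by a different author in 2010. Please confirm that attribution is intended for the new file, or update the header if it was carried over from another m4 file.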
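Review bot: In cap_bounds_r.c the `#else` fallback (`errno = ENOSYS; ret = -1;`) makes a missing PR_CAPBSET_READ show up as TFAIL in the first loop, and the same fallback trivially satisfies the two negative checks that expect -1. Report TCONF once when HAVE_DECL_PR_CAPBSET_READ is unset instead of repeating the fallback at every call site. The first hunk also deletes the `#ifndef CAP_LAST_CAP` fallback while the loops still use CAP_LAST_CAP, and nothing in the configure changes checks for it, so keep the fallback or add a declaration check.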
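Review bot: In cap_bounds_rw.c main(), the first call under `#if HAVE_DECL_PR_CAPBSET_DROP` is `prctl(PR_CAPBSET_READ, -1)`, but the line it replaces was `prctl(CAP_BSET_DROP, -1)` and the failure message still reports PR_CAPBSET_DROP. This looks like a copy-paste slip and should be `prctl(PR_CAPBSET_DROP, -1)`; as written, the invalid-argument path of the drop operation is no longer exercised.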
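Review bot: In cap_bset_inh_bounds.c and check_pe.c the new `#if`/`#ifdef` lines are placed above `int main(int argc, char *argv[])`, yet each `#else` branch holds only a `tst_resm(TCONF, ...)` call and the closing `tst_exit(); }` sits after the last `#endif`. When any of the conditions is false, the file is left with a statement and a stray `}` at file scope and will not compile, which defeats the TCONF path. Keep the guards inside main(), as exec_with_inh.c and exec_without_inh.c do in this same patch.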
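Review bot: exec_with_inh.c and exec_without_inh.c now call `prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN)` with only the HAVE_SYS_CAPABILITY_H and HAVE_LIBCAP guards around it, whereas cap_bset_inh_bounds.c also requires HAVE_DECL_PR_CAPBSET_DROP. On a system that has libcap but a prctl.h without PR_CAPBSET_DROP these two files will fail to build; add the same HAVE_DECL_PR_CAPBSET_DROP condition with a TCONF branch.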
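Review bot: testcases/kernel/security/filecaps/c.c is a new file whose body matches check_simple_capset.c as changed by this patch, and the commit message does not mention it, so it looks like a stray copy that should be dropped. If it is meant to stay, note that `cap_t caps, caps2;` is declared outside `#ifdef HAVE_LIBCAP` (check_simple_capset.c keeps the declarations inside the guard), and that the result of `cap_set_proc(caps)` is overwritten by `cap_compare(caps, caps2)` without being checked.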
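Review bot: In inh_capped.c the `#ifdef DEBUG` guard inside debug_print_caps() is removed along with the HAVE_DECL checks, so the function now prints the capability set on every run instead of only in debug builds. If that change is not intended, keep the DEBUG guard inside the new HAVE_LIBCAP block. The retained line `cap_to_text(cap_get_proc(), NULL)` also never releases either allocation with cap_free().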
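Review bot: In verify_caps_exec.c, caps_actually_set_test() was previously compiled only when HAVE_DECL_PR_CAPBSET_READ was set; the single `#ifdef HAVE_LIBCAP` block that now covers it drops that condition, even though the new LTP_CHECK_PRCTL_SUPPORT macro makes it available. If the function depends on the bounding-set prctl, keep that condition so a libcap-only system gets TCONF rather than a build failure.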