* [LTP] [PATCH] securebits: add secure_keepcaps testcases
@ 2010-09-29 13:56 Serge E. Hallyn
2010-09-29 15:02 ` Subrata Modak
2010-10-04 13:43 ` Garrett Cooper
0 siblings, 2 replies; 9+ messages in thread
From: Serge E. Hallyn @ 2010-09-29 13:56 UTC (permalink / raw)
To: ltp-list; +Cc: Subrata Modak1
This adds basic tests of the keepcaps securebits settings.
Lots more securebits tests to come (see my email from one
or 1.5 years ago, and, heck, write them if you have time :).
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
---
m4/ltp-securebits.m4 | 24 +++
runtest/securebits | 2 +
testcases/kernel/security/Makefile | 5 +-
testcases/kernel/security/securebits/Makefile | 28 ++++
.../kernel/security/securebits/check_keepcaps.c | 161 ++++++++++++++++++++
.../kernel/security/securebits/run_securebits.sh | 20 +++
6 files changed, 239 insertions(+), 1 deletions(-)
create mode 100644 m4/ltp-securebits.m4
create mode 100644 runtest/securebits
create mode 100644 testcases/kernel/security/securebits/Makefile
create mode 100644 testcases/kernel/security/securebits/check_keepcaps.c
create mode 100644 testcases/kernel/security/securebits/run_securebits.sh
diff --git a/m4/ltp-securebits.m4 b/m4/ltp-securebits.m4
new file mode 100644
index 0000000..6407eb8
--- /dev/null
+++ b/m4/ltp-securebits.m4
@@ -0,0 +1,24 @@
+dnl
+dnl Copyright (c) Serge Hallyn (2010)
+dnl
+dnl This program is free software; you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
+dnl the GNU General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program; if not, write to the Free Software
+dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+dnl
+
+
+AC_DEFUN([LTP_CHECK_SECUREBITS],
+AC_CHECK_HEADERS(linux/securebits.h,[
+ LTP_SECUREBITS=yes
+])
+)
diff --git a/runtest/securebits b/runtest/securebits
new file mode 100644
index 0000000..d78a66f
--- /dev/null
+++ b/runtest/securebits
@@ -0,0 +1,2 @@
+#DESCRIPTION:securebits tests
+Securebits run_securebits.sh
diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile
index 52b8d06..a877836 100644
--- a/testcases/kernel/security/Makefile
+++ b/testcases/kernel/security/Makefile
@@ -27,11 +27,14 @@ include $(top_srcdir)/include/mk/env_pre.mk
# For broken compilers and toolchains, like Montavista, that improperly detect
# system headers when running autoconf -_-... bleh.
ifeq ($(strip $(CAP_LIBS)),)
-FILTER_OUT_DIRS := cap_bound filecaps
+FILTER_OUT_DIRS := cap_bound filecaps securebits
endif
ifeq ($(HAVE_SETCAP),false)
FILTER_OUT_DIRS += filecaps
endif
+ifeq ($(LTP_SECUREBITS),false)
+FILTER_OUT_DIRS += securebits
+endif
# XXX (garrcoop): avoid compilation failures on RHEL 5.4, as reported by
# Mitani-san, because of policy versioning issues...
diff --git a/testcases/kernel/security/securebits/Makefile b/testcases/kernel/security/securebits/Makefile
new file mode 100644
index 0000000..a76f2e0
--- /dev/null
+++ b/testcases/kernel/security/securebits/Makefile
@@ -0,0 +1,28 @@
+################################################################################
+## ##
+## Copyright (c) International Business Machines Corp., 2009 ##
+## ##
+## This program is free software; you can redistribute it and#or modify ##
+## it under the terms of the GNU General Public License as published by ##
+## the Free Software Foundation; either version 2 of the License, or ## ## (at your option) any later version. ##
+## ##
+## This program is distributed in the hope that it will be useful, but ##
+## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
+## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ##
+## for more details. ##
+## ##
+## You should have received a copy of the GNU General Public License ##
+## along with this program; if not, write to the Free Software ##
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ##
+## ##
+################################################################################
+
+top_srcdir ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+
+LDLIBS += $(CAP_LIBS)
+
+INSTALL_TARGETS := *.sh
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/securebits/check_keepcaps.c b/testcases/kernel/security/securebits/check_keepcaps.c
new file mode 100644
index 0000000..e969ae4
--- /dev/null
+++ b/testcases/kernel/security/securebits/check_keepcaps.c
@@ -0,0 +1,161 @@
+#include <errno.h>
+#include "config.h"
+#if HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#endif
+#include <sys/prctl.h>
+#include <linux/securebits.h>
+#include <test.h>
+
+int errno;
+
+/* Tests:
+ 1. drop capabilities at setuid if KEEPCAPS is not set and
+ new user is nonroot
+ 2. keep capabilities if set and new user is nonroot
+ a. do with prctl(PR_SET_KEEPCAPS)
+ (call this test 2)
+ b. do with prctl(PR_SET_SECUREBITS, SECURE_KEEP_CAPS)
+ (call this test 3)
+ TODO: test that exec clears KEEPCAPS
+ (just create a simple executable that checks PR_GET_KEEPCAPS
+ results, and execute that as test 4 after doing PR_SET_KEEPCAPS).
+ TODO: all of the other securebits tests.
+ */
+
+char *TCID = "keepcaps";
+int TST_TOTAL=1;
+
+#ifdef HAVE_LIBCAP
+static int eff_caps_empty(cap_t c)
+{
+ int i, ret, v, empty=1;
+
+ for (i = 0; i < CAP_LAST_CAP; i++) {
+ ret = cap_get_flag(c, i, CAP_PERMITTED, &v);
+ if (ret || v)
+ empty = 0;
+ }
+
+ return empty;
+}
+
+static int am_privileged(void)
+{
+ int am_privileged = 1;
+
+ cap_t cap = cap_get_proc();
+ if (eff_caps_empty(cap))
+ am_privileged = 0;
+ cap_free(cap);
+
+ return am_privileged;
+}
+#else
+static int am_privileged(void)
+{
+ tst_resm(TBROK, "libcap not installed.");
+ tst_exit();
+}
+#endif
+
+#define EXPECT_NOPRIVS 0
+#define EXPECT_PRIVS 1
+static void do_setuid(int expect_privs)
+{
+ int ret;
+ int have_privs;
+
+ ret = setuid(1000);
+ if (ret) {
+ tst_resm(TERRNO | TFAIL, "setuid failed");
+ tst_exit();
+ }
+
+ have_privs = am_privileged();
+ if (have_privs && expect_privs == EXPECT_PRIVS) {
+ tst_resm(TPASS, "kept privs as expected");
+ tst_exit();
+ }
+ if (!have_privs && expect_privs == EXPECT_PRIVS) {
+ tst_resm(TFAIL, "expected to keep privs but did not");
+ tst_exit();
+ }
+ if (!have_privs && expect_privs == EXPECT_NOPRIVS) {
+ tst_resm(TPASS, "dropped privs as expected");
+ tst_exit();
+ }
+
+ /* have_privs && EXPECT_NOPRIVS */
+ tst_resm(TFAIL, "expected to drop privs but did not");
+ tst_exit();
+}
+
+static int am_root(void)
+{
+ uid_t uid = getuid();
+ if (uid != 0)
+ return 0;
+ if (!am_privileged())
+ return 0;
+ return 1;
+}
+
+int main(int argc, char *argv[])
+{
+ int ret, whichtest;
+
+ ret = prctl(PR_GET_KEEPCAPS);
+ if (ret) {
+ tst_resm(TBROK, "keepcaps was already set?\n");
+ tst_exit();
+ }
+ if (!am_root()) {
+ tst_resm(TBROK, "Run me as root and privileged\n");
+ tst_exit();
+ }
+
+ if (argc < 2) {
+ tst_resm(TBROK, "Usage: %s <tescase_num>", argv[0]);
+ tst_exit();
+ }
+ whichtest = atoi(argv[1]);
+ if (whichtest < 1 || whichtest > 3) {
+ tst_resm(TFAIL, "Valid tests are 1-3\n");
+ tst_exit();
+ }
+ switch(whichtest) {
+ case 1:
+ do_setuid(EXPECT_NOPRIVS); /* does not return */
+ case 2:
+ ret = prctl(PR_SET_KEEPCAPS, 1);
+ if (ret == -1) {
+ tst_resm(TFAIL|TERRNO, "PR_SET_KEEPCAPS failed\n");
+ tst_exit();
+ }
+ ret = prctl(PR_GET_KEEPCAPS);
+ if (!ret) {
+ tst_resm(TFAIL|TERRNO, "PR_SET_KEEPCAPS did not set keepcaps\n");
+ tst_exit();
+ }
+ do_setuid(EXPECT_PRIVS); /* does not return */
+ case 3:
+ ret = prctl(PR_GET_SECUREBITS);
+ ret = prctl(PR_SET_SECUREBITS, ret | SECBIT_KEEP_CAPS);
+ if (ret == -1) {
+ tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS failed\n");
+ tst_exit();
+ }
+ ret = prctl(PR_GET_KEEPCAPS);
+ if (!ret) {
+ tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS did not set keepcaps\n");
+ tst_exit();
+ }
+ do_setuid(EXPECT_PRIVS); /* does not return */
+ default:
+ tst_resm(TFAIL, "should not reach here\n");
+ tst_exit();
+ }
+ tst_resm(TFAIL, "should not reach here\n");
+ tst_exit();
+}
diff --git a/testcases/kernel/security/securebits/run_securebits.sh b/testcases/kernel/security/securebits/run_securebits.sh
new file mode 100644
index 0000000..4d9e272
--- /dev/null
+++ b/testcases/kernel/security/securebits/run_securebits.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+echo "testing keepcaps"
+check_keepcaps 1
+tmp=$?
+if [ $tmp -ne 0 ]; then
+ exit_code=$tmp
+fi
+check_keepcaps 2
+tmp=$?
+if [ $tmp -ne 0 ]; then
+ exit_code=$tmp
+fi
+check_keepcaps 3
+tmp=$?
+if [ $tmp -ne 0 ]; then
+ exit_code=$tmp
+fi
+
+exit $exit_code
--
1.7.1
------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
2010-09-29 13:56 [LTP] [PATCH] securebits: add secure_keepcaps testcases Serge E. Hallyn
@ 2010-09-29 15:02 ` Subrata Modak
2010-10-04 7:13 ` Subrata Modak
2010-10-04 13:43 ` Garrett Cooper
1 sibling, 1 reply; 9+ messages in thread
From: Subrata Modak @ 2010-09-29 15:02 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: ltp-list
On Wed, 2010-09-29 at 08:56 -0500, Serge E. Hallyn wrote:
> This adds basic tests of the keepcaps securebits settings.
>
> Lots more securebits tests to come (see my email from one
> or 1.5 years ago, and, heck, write them if you have time :).
>
> Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Great, i get the following output on my machine:
# uname -a
Linux 2.6.35.4 #2 SMP Tue Sep 28 16:07:27 IST 2010 ppc64 ppc64 ppc64
GNU/Linux
# cat /etc/issue
Fedora release 13 (Goddard)
# ./runltp -f securebits
Running tests.......
<<<test_start>>>
tag=Securebits stime=1285772204
cmdline="run_securebits.sh"
contacts=""
analysis=exit
<<<test_output>>>
incrementing stop
testing keepcaps
keepcaps 1 TPASS : dropped privs as expected
keepcaps 1 TPASS : kept privs as expected
keepcaps 1 TPASS : kept privs as expected
<<<execution_status>>>
initiation_status="ok"
duration=0 termination_type=exited termination_id=0 corefile=no
cutime=0 cstime=0
<<<test_end>>>
INFO: ltp-pan reported all tests PASS
LTP Version: LTP-20100831
###############################################################"
Done executing testcases."
LTP Version: LTP-20100831
###############################################################"
Looks fine to be,i just need a little documentation file which would
say:
What securebits is all about (some pointers/links)? Any specific
configuration required to run these tests, etc ?
Regards--
Subrata
> ---
> m4/ltp-securebits.m4 | 24 +++
> runtest/securebits | 2 +
> testcases/kernel/security/Makefile | 5 +-
> testcases/kernel/security/securebits/Makefile | 28 ++++
> .../kernel/security/securebits/check_keepcaps.c | 161 ++++++++++++++++++++
> .../kernel/security/securebits/run_securebits.sh | 20 +++
> 6 files changed, 239 insertions(+), 1 deletions(-)
> create mode 100644 m4/ltp-securebits.m4
> create mode 100644 runtest/securebits
> create mode 100644 testcases/kernel/security/securebits/Makefile
> create mode 100644 testcases/kernel/security/securebits/check_keepcaps.c
> create mode 100644 testcases/kernel/security/securebits/run_securebits.sh
>
> diff --git a/m4/ltp-securebits.m4 b/m4/ltp-securebits.m4
> new file mode 100644
> index 0000000..6407eb8
> --- /dev/null
> +++ b/m4/ltp-securebits.m4
> @@ -0,0 +1,24 @@
> +dnl
> +dnl Copyright (c) Serge Hallyn (2010)
> +dnl
> +dnl This program is free software; you can redistribute it and/or modify
> +dnl it under the terms of the GNU General Public License as published by
> +dnl the Free Software Foundation; either version 2 of the License, or
> +dnl (at your option) any later version.
> +dnl
> +dnl This program is distributed in the hope that it will be useful,
> +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
> +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
> +dnl the GNU General Public License for more details.
> +dnl
> +dnl You should have received a copy of the GNU General Public License
> +dnl along with this program; if not, write to the Free Software
> +dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +dnl
> +
> +
> +AC_DEFUN([LTP_CHECK_SECUREBITS],
> +AC_CHECK_HEADERS(linux/securebits.h,[
> + LTP_SECUREBITS=yes
> +])
> +)
> diff --git a/runtest/securebits b/runtest/securebits
> new file mode 100644
> index 0000000..d78a66f
> --- /dev/null
> +++ b/runtest/securebits
> @@ -0,0 +1,2 @@
> +#DESCRIPTION:securebits tests
> +Securebits run_securebits.sh
> diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile
> index 52b8d06..a877836 100644
> --- a/testcases/kernel/security/Makefile
> +++ b/testcases/kernel/security/Makefile
> @@ -27,11 +27,14 @@ include $(top_srcdir)/include/mk/env_pre.mk
> # For broken compilers and toolchains, like Montavista, that improperly detect
> # system headers when running autoconf -_-... bleh.
> ifeq ($(strip $(CAP_LIBS)),)
> -FILTER_OUT_DIRS := cap_bound filecaps
> +FILTER_OUT_DIRS := cap_bound filecaps securebits
> endif
> ifeq ($(HAVE_SETCAP),false)
> FILTER_OUT_DIRS += filecaps
> endif
> +ifeq ($(LTP_SECUREBITS),false)
> +FILTER_OUT_DIRS += securebits
> +endif
>
> # XXX (garrcoop): avoid compilation failures on RHEL 5.4, as reported by
> # Mitani-san, because of policy versioning issues...
> diff --git a/testcases/kernel/security/securebits/Makefile b/testcases/kernel/security/securebits/Makefile
> new file mode 100644
> index 0000000..a76f2e0
> --- /dev/null
> +++ b/testcases/kernel/security/securebits/Makefile
> @@ -0,0 +1,28 @@
> +################################################################################
> +## ##
> +## Copyright (c) International Business Machines Corp., 2009 ##
> +## ##
> +## This program is free software; you can redistribute it and#or modify ##
> +## it under the terms of the GNU General Public License as published by ##
> +## the Free Software Foundation; either version 2 of the License, or ## ## (at your option) any later version. ##
> +## ##
> +## This program is distributed in the hope that it will be useful, but ##
> +## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> +## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ##
> +## for more details. ##
> +## ##
> +## You should have received a copy of the GNU General Public License ##
> +## along with this program; if not, write to the Free Software ##
> +## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ##
> +## ##
> +################################################################################
> +
> +top_srcdir ?= ../../../..
> +
> +include $(top_srcdir)/include/mk/testcases.mk
> +
> +LDLIBS += $(CAP_LIBS)
> +
> +INSTALL_TARGETS := *.sh
> +
> +include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/security/securebits/check_keepcaps.c b/testcases/kernel/security/securebits/check_keepcaps.c
> new file mode 100644
> index 0000000..e969ae4
> --- /dev/null
> +++ b/testcases/kernel/security/securebits/check_keepcaps.c
> @@ -0,0 +1,161 @@
> +#include <errno.h>
> +#include "config.h"
> +#if HAVE_SYS_CAPABILITY_H
> +#include <sys/capability.h>
> +#endif
> +#include <sys/prctl.h>
> +#include <linux/securebits.h>
> +#include <test.h>
> +
> +int errno;
> +
> +/* Tests:
> + 1. drop capabilities at setuid if KEEPCAPS is not set and
> + new user is nonroot
> + 2. keep capabilities if set and new user is nonroot
> + a. do with prctl(PR_SET_KEEPCAPS)
> + (call this test 2)
> + b. do with prctl(PR_SET_SECUREBITS, SECURE_KEEP_CAPS)
> + (call this test 3)
> + TODO: test that exec clears KEEPCAPS
> + (just create a simple executable that checks PR_GET_KEEPCAPS
> + results, and execute that as test 4 after doing PR_SET_KEEPCAPS).
> + TODO: all of the other securebits tests.
> + */
> +
> +char *TCID = "keepcaps";
> +int TST_TOTAL=1;
> +
> +#ifdef HAVE_LIBCAP
> +static int eff_caps_empty(cap_t c)
> +{
> + int i, ret, v, empty=1;
> +
> + for (i = 0; i < CAP_LAST_CAP; i++) {
> + ret = cap_get_flag(c, i, CAP_PERMITTED, &v);
> + if (ret || v)
> + empty = 0;
> + }
> +
> + return empty;
> +}
> +
> +static int am_privileged(void)
> +{
> + int am_privileged = 1;
> +
> + cap_t cap = cap_get_proc();
> + if (eff_caps_empty(cap))
> + am_privileged = 0;
> + cap_free(cap);
> +
> + return am_privileged;
> +}
> +#else
> +static int am_privileged(void)
> +{
> + tst_resm(TBROK, "libcap not installed.");
> + tst_exit();
> +}
> +#endif
> +
> +#define EXPECT_NOPRIVS 0
> +#define EXPECT_PRIVS 1
> +static void do_setuid(int expect_privs)
> +{
> + int ret;
> + int have_privs;
> +
> + ret = setuid(1000);
> + if (ret) {
> + tst_resm(TERRNO | TFAIL, "setuid failed");
> + tst_exit();
> + }
> +
> + have_privs = am_privileged();
> + if (have_privs && expect_privs == EXPECT_PRIVS) {
> + tst_resm(TPASS, "kept privs as expected");
> + tst_exit();
> + }
> + if (!have_privs && expect_privs == EXPECT_PRIVS) {
> + tst_resm(TFAIL, "expected to keep privs but did not");
> + tst_exit();
> + }
> + if (!have_privs && expect_privs == EXPECT_NOPRIVS) {
> + tst_resm(TPASS, "dropped privs as expected");
> + tst_exit();
> + }
> +
> + /* have_privs && EXPECT_NOPRIVS */
> + tst_resm(TFAIL, "expected to drop privs but did not");
> + tst_exit();
> +}
> +
> +static int am_root(void)
> +{
> + uid_t uid = getuid();
> + if (uid != 0)
> + return 0;
> + if (!am_privileged())
> + return 0;
> + return 1;
> +}
> +
> +int main(int argc, char *argv[])
> +{
> + int ret, whichtest;
> +
> + ret = prctl(PR_GET_KEEPCAPS);
> + if (ret) {
> + tst_resm(TBROK, "keepcaps was already set?\n");
> + tst_exit();
> + }
> + if (!am_root()) {
> + tst_resm(TBROK, "Run me as root and privileged\n");
> + tst_exit();
> + }
> +
> + if (argc < 2) {
> + tst_resm(TBROK, "Usage: %s <tescase_num>", argv[0]);
> + tst_exit();
> + }
> + whichtest = atoi(argv[1]);
> + if (whichtest < 1 || whichtest > 3) {
> + tst_resm(TFAIL, "Valid tests are 1-3\n");
> + tst_exit();
> + }
> + switch(whichtest) {
> + case 1:
> + do_setuid(EXPECT_NOPRIVS); /* does not return */
> + case 2:
> + ret = prctl(PR_SET_KEEPCAPS, 1);
> + if (ret == -1) {
> + tst_resm(TFAIL|TERRNO, "PR_SET_KEEPCAPS failed\n");
> + tst_exit();
> + }
> + ret = prctl(PR_GET_KEEPCAPS);
> + if (!ret) {
> + tst_resm(TFAIL|TERRNO, "PR_SET_KEEPCAPS did not set keepcaps\n");
> + tst_exit();
> + }
> + do_setuid(EXPECT_PRIVS); /* does not return */
> + case 3:
> + ret = prctl(PR_GET_SECUREBITS);
> + ret = prctl(PR_SET_SECUREBITS, ret | SECBIT_KEEP_CAPS);
> + if (ret == -1) {
> + tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS failed\n");
> + tst_exit();
> + }
> + ret = prctl(PR_GET_KEEPCAPS);
> + if (!ret) {
> + tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS did not set keepcaps\n");
> + tst_exit();
> + }
> + do_setuid(EXPECT_PRIVS); /* does not return */
> + default:
> + tst_resm(TFAIL, "should not reach here\n");
> + tst_exit();
> + }
> + tst_resm(TFAIL, "should not reach here\n");
> + tst_exit();
> +}
> diff --git a/testcases/kernel/security/securebits/run_securebits.sh b/testcases/kernel/security/securebits/run_securebits.sh
> new file mode 100644
> index 0000000..4d9e272
> --- /dev/null
> +++ b/testcases/kernel/security/securebits/run_securebits.sh
> @@ -0,0 +1,20 @@
> +#!/bin/sh
> +
> +echo "testing keepcaps"
> +check_keepcaps 1
> +tmp=$?
> +if [ $tmp -ne 0 ]; then
> + exit_code=$tmp
> +fi
> +check_keepcaps 2
> +tmp=$?
> +if [ $tmp -ne 0 ]; then
> + exit_code=$tmp
> +fi
> +check_keepcaps 3
> +tmp=$?
> +if [ $tmp -ne 0 ]; then
> + exit_code=$tmp
> +fi
> +
> +exit $exit_code
------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
2010-09-29 15:02 ` Subrata Modak
@ 2010-10-04 7:13 ` Subrata Modak
2010-10-04 13:04 ` Serge E. Hallyn
0 siblings, 1 reply; 9+ messages in thread
From: Subrata Modak @ 2010-10-04 7:13 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: ltp-list
On Wed, 2010-09-29 at 20:32 +0530, Subrata Modak wrote:
> On Wed, 2010-09-29 at 08:56 -0500, Serge E. Hallyn wrote:
> > This adds basic tests of the keepcaps securebits settings.
> >
> > Lots more securebits tests to come (see my email from one
> > or 1.5 years ago, and, heck, write them if you have time :).
> >
> > Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
>
> Great, i get the following output on my machine:
>
> # uname -a
> Linux 2.6.35.4 #2 SMP Tue Sep 28 16:07:27 IST 2010 ppc64 ppc64 ppc64
> GNU/Linux
>
> # cat /etc/issue
> Fedora release 13 (Goddard)
>
> # ./runltp -f securebits
>
> Running tests.......
> <<<test_start>>>
> tag=Securebits stime=1285772204
> cmdline="run_securebits.sh"
> contacts=""
> analysis=exit
> <<<test_output>>>
> incrementing stop
> testing keepcaps
> keepcaps 1 TPASS : dropped privs as expected
> keepcaps 1 TPASS : kept privs as expected
> keepcaps 1 TPASS : kept privs as expected
> <<<execution_status>>>
> initiation_status="ok"
> duration=0 termination_type=exited termination_id=0 corefile=no
> cutime=0 cstime=0
> <<<test_end>>>
> INFO: ltp-pan reported all tests PASS
> LTP Version: LTP-20100831
>
> ###############################################################"
>
> Done executing testcases."
> LTP Version: LTP-20100831
> ###############################################################"
>
> Looks fine to be,i just need a little documentation file which would
> say:
> What securebits is all about (some pointers/links)? Any specific
> configuration required to run these tests, etc ?
Serge,
Can you also provide me this ?
Regards--
Subrata
>
> Regards--
> Subrata
>
> > ---
> > m4/ltp-securebits.m4 | 24 +++
> > runtest/securebits | 2 +
> > testcases/kernel/security/Makefile | 5 +-
> > testcases/kernel/security/securebits/Makefile | 28 ++++
> > .../kernel/security/securebits/check_keepcaps.c | 161 ++++++++++++++++++++
> > .../kernel/security/securebits/run_securebits.sh | 20 +++
> > 6 files changed, 239 insertions(+), 1 deletions(-)
> > create mode 100644 m4/ltp-securebits.m4
> > create mode 100644 runtest/securebits
> > create mode 100644 testcases/kernel/security/securebits/Makefile
> > create mode 100644 testcases/kernel/security/securebits/check_keepcaps.c
> > create mode 100644 testcases/kernel/security/securebits/run_securebits.sh
> >
> > diff --git a/m4/ltp-securebits.m4 b/m4/ltp-securebits.m4
> > new file mode 100644
> > index 0000000..6407eb8
> > --- /dev/null
> > +++ b/m4/ltp-securebits.m4
> > @@ -0,0 +1,24 @@
> > +dnl
> > +dnl Copyright (c) Serge Hallyn (2010)
> > +dnl
> > +dnl This program is free software; you can redistribute it and/or modify
> > +dnl it under the terms of the GNU General Public License as published by
> > +dnl the Free Software Foundation; either version 2 of the License, or
> > +dnl (at your option) any later version.
> > +dnl
> > +dnl This program is distributed in the hope that it will be useful,
> > +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
> > +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
> > +dnl the GNU General Public License for more details.
> > +dnl
> > +dnl You should have received a copy of the GNU General Public License
> > +dnl along with this program; if not, write to the Free Software
> > +dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> > +dnl
> > +
> > +
> > +AC_DEFUN([LTP_CHECK_SECUREBITS],
> > +AC_CHECK_HEADERS(linux/securebits.h,[
> > + LTP_SECUREBITS=yes
> > +])
> > +)
> > diff --git a/runtest/securebits b/runtest/securebits
> > new file mode 100644
> > index 0000000..d78a66f
> > --- /dev/null
> > +++ b/runtest/securebits
> > @@ -0,0 +1,2 @@
> > +#DESCRIPTION:securebits tests
> > +Securebits run_securebits.sh
> > diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile
> > index 52b8d06..a877836 100644
> > --- a/testcases/kernel/security/Makefile
> > +++ b/testcases/kernel/security/Makefile
> > @@ -27,11 +27,14 @@ include $(top_srcdir)/include/mk/env_pre.mk
> > # For broken compilers and toolchains, like Montavista, that improperly detect
> > # system headers when running autoconf -_-... bleh.
> > ifeq ($(strip $(CAP_LIBS)),)
> > -FILTER_OUT_DIRS := cap_bound filecaps
> > +FILTER_OUT_DIRS := cap_bound filecaps securebits
> > endif
> > ifeq ($(HAVE_SETCAP),false)
> > FILTER_OUT_DIRS += filecaps
> > endif
> > +ifeq ($(LTP_SECUREBITS),false)
> > +FILTER_OUT_DIRS += securebits
> > +endif
> >
> > # XXX (garrcoop): avoid compilation failures on RHEL 5.4, as reported by
> > # Mitani-san, because of policy versioning issues...
> > diff --git a/testcases/kernel/security/securebits/Makefile b/testcases/kernel/security/securebits/Makefile
> > new file mode 100644
> > index 0000000..a76f2e0
> > --- /dev/null
> > +++ b/testcases/kernel/security/securebits/Makefile
> > @@ -0,0 +1,28 @@
> > +################################################################################
> > +## ##
> > +## Copyright (c) International Business Machines Corp., 2009 ##
> > +## ##
> > +## This program is free software; you can redistribute it and#or modify ##
> > +## it under the terms of the GNU General Public License as published by ##
> > +## the Free Software Foundation; either version 2 of the License, or ## ## (at your option) any later version. ##
> > +## ##
> > +## This program is distributed in the hope that it will be useful, but ##
> > +## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> > +## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ##
> > +## for more details. ##
> > +## ##
> > +## You should have received a copy of the GNU General Public License ##
> > +## along with this program; if not, write to the Free Software ##
> > +## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ##
> > +## ##
> > +################################################################################
> > +
> > +top_srcdir ?= ../../../..
> > +
> > +include $(top_srcdir)/include/mk/testcases.mk
> > +
> > +LDLIBS += $(CAP_LIBS)
> > +
> > +INSTALL_TARGETS := *.sh
> > +
> > +include $(top_srcdir)/include/mk/generic_leaf_target.mk
> > diff --git a/testcases/kernel/security/securebits/check_keepcaps.c b/testcases/kernel/security/securebits/check_keepcaps.c
> > new file mode 100644
> > index 0000000..e969ae4
> > --- /dev/null
> > +++ b/testcases/kernel/security/securebits/check_keepcaps.c
> > @@ -0,0 +1,161 @@
> > +#include <errno.h>
> > +#include "config.h"
> > +#if HAVE_SYS_CAPABILITY_H
> > +#include <sys/capability.h>
> > +#endif
> > +#include <sys/prctl.h>
> > +#include <linux/securebits.h>
> > +#include <test.h>
> > +
> > +int errno;
> > +
> > +/* Tests:
> > + 1. drop capabilities at setuid if KEEPCAPS is not set and
> > + new user is nonroot
> > + 2. keep capabilities if set and new user is nonroot
> > + a. do with prctl(PR_SET_KEEPCAPS)
> > + (call this test 2)
> > + b. do with prctl(PR_SET_SECUREBITS, SECURE_KEEP_CAPS)
> > + (call this test 3)
> > + TODO: test that exec clears KEEPCAPS
> > + (just create a simple executable that checks PR_GET_KEEPCAPS
> > + results, and execute that as test 4 after doing PR_SET_KEEPCAPS).
> > + TODO: all of the other securebits tests.
> > + */
> > +
> > +char *TCID = "keepcaps";
> > +int TST_TOTAL=1;
> > +
> > +#ifdef HAVE_LIBCAP
> > +static int eff_caps_empty(cap_t c)
> > +{
> > + int i, ret, v, empty=1;
> > +
> > + for (i = 0; i < CAP_LAST_CAP; i++) {
> > + ret = cap_get_flag(c, i, CAP_PERMITTED, &v);
> > + if (ret || v)
> > + empty = 0;
> > + }
> > +
> > + return empty;
> > +}
> > +
> > +static int am_privileged(void)
> > +{
> > + int am_privileged = 1;
> > +
> > + cap_t cap = cap_get_proc();
> > + if (eff_caps_empty(cap))
> > + am_privileged = 0;
> > + cap_free(cap);
> > +
> > + return am_privileged;
> > +}
> > +#else
> > +static int am_privileged(void)
> > +{
> > + tst_resm(TBROK, "libcap not installed.");
> > + tst_exit();
> > +}
> > +#endif
> > +
> > +#define EXPECT_NOPRIVS 0
> > +#define EXPECT_PRIVS 1
> > +static void do_setuid(int expect_privs)
> > +{
> > + int ret;
> > + int have_privs;
> > +
> > + ret = setuid(1000);
> > + if (ret) {
> > + tst_resm(TERRNO | TFAIL, "setuid failed");
> > + tst_exit();
> > + }
> > +
> > + have_privs = am_privileged();
> > + if (have_privs && expect_privs == EXPECT_PRIVS) {
> > + tst_resm(TPASS, "kept privs as expected");
> > + tst_exit();
> > + }
> > + if (!have_privs && expect_privs == EXPECT_PRIVS) {
> > + tst_resm(TFAIL, "expected to keep privs but did not");
> > + tst_exit();
> > + }
> > + if (!have_privs && expect_privs == EXPECT_NOPRIVS) {
> > + tst_resm(TPASS, "dropped privs as expected");
> > + tst_exit();
> > + }
> > +
> > + /* have_privs && EXPECT_NOPRIVS */
> > + tst_resm(TFAIL, "expected to drop privs but did not");
> > + tst_exit();
> > +}
> > +
> > +static int am_root(void)
> > +{
> > + uid_t uid = getuid();
> > + if (uid != 0)
> > + return 0;
> > + if (!am_privileged())
> > + return 0;
> > + return 1;
> > +}
> > +
> > +int main(int argc, char *argv[])
> > +{
> > + int ret, whichtest;
> > +
> > + ret = prctl(PR_GET_KEEPCAPS);
> > + if (ret) {
> > + tst_resm(TBROK, "keepcaps was already set?\n");
> > + tst_exit();
> > + }
> > + if (!am_root()) {
> > + tst_resm(TBROK, "Run me as root and privileged\n");
> > + tst_exit();
> > + }
> > +
> > + if (argc < 2) {
> > + tst_resm(TBROK, "Usage: %s <tescase_num>", argv[0]);
> > + tst_exit();
> > + }
> > + whichtest = atoi(argv[1]);
> > + if (whichtest < 1 || whichtest > 3) {
> > + tst_resm(TFAIL, "Valid tests are 1-3\n");
> > + tst_exit();
> > + }
> > + switch(whichtest) {
> > + case 1:
> > + do_setuid(EXPECT_NOPRIVS); /* does not return */
> > + case 2:
> > + ret = prctl(PR_SET_KEEPCAPS, 1);
> > + if (ret == -1) {
> > + tst_resm(TFAIL|TERRNO, "PR_SET_KEEPCAPS failed\n");
> > + tst_exit();
> > + }
> > + ret = prctl(PR_GET_KEEPCAPS);
> > + if (!ret) {
> > + tst_resm(TFAIL|TERRNO, "PR_SET_KEEPCAPS did not set keepcaps\n");
> > + tst_exit();
> > + }
> > + do_setuid(EXPECT_PRIVS); /* does not return */
> > + case 3:
> > + ret = prctl(PR_GET_SECUREBITS);
> > + ret = prctl(PR_SET_SECUREBITS, ret | SECBIT_KEEP_CAPS);
> > + if (ret == -1) {
> > + tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS failed\n");
> > + tst_exit();
> > + }
> > + ret = prctl(PR_GET_KEEPCAPS);
> > + if (!ret) {
> > + tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS did not set keepcaps\n");
> > + tst_exit();
> > + }
> > + do_setuid(EXPECT_PRIVS); /* does not return */
> > + default:
> > + tst_resm(TFAIL, "should not reach here\n");
> > + tst_exit();
> > + }
> > + tst_resm(TFAIL, "should not reach here\n");
> > + tst_exit();
> > +}
> > diff --git a/testcases/kernel/security/securebits/run_securebits.sh b/testcases/kernel/security/securebits/run_securebits.sh
> > new file mode 100644
> > index 0000000..4d9e272
> > --- /dev/null
> > +++ b/testcases/kernel/security/securebits/run_securebits.sh
> > @@ -0,0 +1,20 @@
> > +#!/bin/sh
> > +
> > +echo "testing keepcaps"
> > +check_keepcaps 1
> > +tmp=$?
> > +if [ $tmp -ne 0 ]; then
> > + exit_code=$tmp
> > +fi
> > +check_keepcaps 2
> > +tmp=$?
> > +if [ $tmp -ne 0 ]; then
> > + exit_code=$tmp
> > +fi
> > +check_keepcaps 3
> > +tmp=$?
> > +if [ $tmp -ne 0 ]; then
> > + exit_code=$tmp
> > +fi
> > +
> > +exit $exit_code
>
>
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Ltp-list mailing list
> Ltp-list@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ltp-list
------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security
easier or more difficult to achieve? Read this whitepaper to separate the
two and get a better understanding.
http://p.sf.net/sfu/hp-phase2-d2d
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
2010-10-04 7:13 ` Subrata Modak
@ 2010-10-04 13:04 ` Serge E. Hallyn
2010-10-13 7:19 ` Subrata Modak
0 siblings, 1 reply; 9+ messages in thread
From: Serge E. Hallyn @ 2010-10-04 13:04 UTC (permalink / raw)
To: Subrata Modak; +Cc: ltp-list
Quoting Subrata Modak (subrata@linux.vnet.ibm.com):
> > Looks fine to be,i just need a little documentation file which would
> > say:
> > What securebits is all about (some pointers/links)? Any specific
> > configuration required to run these tests, etc ?
>
> Serge,
>
> Can you also provide me this ?
I don't know where you'd want that documentation file, but for contents
I think it should just read:
====
For more information on securebits, see the capabilities.7 manpage,
specifically the section entitled
The "securebits" flags: establishing a capabilities-only environment
To run these tests there are no kernel configuration requirements, but
your kernel must be at least Linux 2.6.32-rc7, and you must have a
/usr/include/linux/securebits.h which defines SECBIT_NOROOT. You also
need the libcap v2 development libraries installed.
====
thanks,
-serge
------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security
easier or more difficult to achieve? Read this whitepaper to separate the
two and get a better understanding.
http://p.sf.net/sfu/hp-phase2-d2d
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
2010-10-04 13:04 ` Serge E. Hallyn
@ 2010-10-13 7:19 ` Subrata Modak
0 siblings, 0 replies; 9+ messages in thread
From: Subrata Modak @ 2010-10-13 7:19 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: ltp-list
On Mon, 2010-10-04 at 08:04 -0500, Serge E. Hallyn wrote:
> Quoting Subrata Modak (subrata@linux.vnet.ibm.com):
> > > Looks fine to be,i just need a little documentation file which would
> > > say:
> > > What securebits is all about (some pointers/links)? Any specific
> > > configuration required to run these tests, etc ?
> >
> > Serge,
> >
> > Can you also provide me this ?
>
> I don't know where you'd want that documentation file, but for contents
> I think it should just read:
>
> ====
> For more information on securebits, see the capabilities.7 manpage,
> specifically the section entitled
>
> The "securebits" flags: establishing a capabilities-only environment
>
> To run these tests there are no kernel configuration requirements, but
> your kernel must be at least Linux 2.6.32-rc7, and you must have a
> /usr/include/linux/securebits.h which defines SECBIT_NOROOT. You also
> need the libcap v2 development libraries installed.
> ====
Thanks. I added this documentation and the tests to LTP. Sorry for being
late.
Regards--
Subrata
>
> thanks,
> -serge
------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3.
Spend less time writing and rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
2010-09-29 13:56 [LTP] [PATCH] securebits: add secure_keepcaps testcases Serge E. Hallyn
2010-09-29 15:02 ` Subrata Modak
@ 2010-10-04 13:43 ` Garrett Cooper
2010-10-04 14:06 ` Serge E. Hallyn
1 sibling, 1 reply; 9+ messages in thread
From: Garrett Cooper @ 2010-10-04 13:43 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: ltp-list, Subrata Modak1
Hi Serge,
Some comments about your provided code.
Thanks!
-Garrett
On Wed, Sep 29, 2010 at 6:56 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> This adds basic tests of the keepcaps securebits settings.
>
> Lots more securebits tests to come (see my email from one
> or 1.5 years ago, and, heck, write them if you have time :).
>
> Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
> ---
> m4/ltp-securebits.m4 | 24 +++
> runtest/securebits | 2 +
> testcases/kernel/security/Makefile | 5 +-
> testcases/kernel/security/securebits/Makefile | 28 ++++
> .../kernel/security/securebits/check_keepcaps.c | 161 ++++++++++++++++++++
> .../kernel/security/securebits/run_securebits.sh | 20 +++
> 6 files changed, 239 insertions(+), 1 deletions(-)
> create mode 100644 m4/ltp-securebits.m4
> create mode 100644 runtest/securebits
> create mode 100644 testcases/kernel/security/securebits/Makefile
> create mode 100644 testcases/kernel/security/securebits/check_keepcaps.c
> create mode 100644 testcases/kernel/security/securebits/run_securebits.sh
>
> diff --git a/m4/ltp-securebits.m4 b/m4/ltp-securebits.m4
> new file mode 100644
> index 0000000..6407eb8
> --- /dev/null
> +++ b/m4/ltp-securebits.m4
> @@ -0,0 +1,24 @@
> +dnl
> +dnl Copyright (c) Serge Hallyn (2010)
> +dnl
> +dnl This program is free software; you can redistribute it and/or modify
> +dnl it under the terms of the GNU General Public License as published by
> +dnl the Free Software Foundation; either version 2 of the License, or
> +dnl (at your option) any later version.
> +dnl
> +dnl This program is distributed in the hope that it will be useful,
> +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
> +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
> +dnl the GNU General Public License for more details.
> +dnl
> +dnl You should have received a copy of the GNU General Public License
> +dnl along with this program; if not, write to the Free Software
> +dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +dnl
> +
> +
> +AC_DEFUN([LTP_CHECK_SECUREBITS],
> +AC_CHECK_HEADERS(linux/securebits.h,[
> + LTP_SECUREBITS=yes
> +])
> +)
Some checks should probably be added for versioning as well as symbols
that get passed to prctl(2) (I'm not sure if checking for the symbols
that get passed to prctl(2) here is the correct way to go about things
though).
> diff --git a/runtest/securebits b/runtest/securebits
> new file mode 100644
> index 0000000..d78a66f
> --- /dev/null
> +++ b/runtest/securebits
> @@ -0,0 +1,2 @@
> +#DESCRIPTION:securebits tests
> +Securebits run_securebits.sh
> diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile
> index 52b8d06..a877836 100644
> --- a/testcases/kernel/security/Makefile
> +++ b/testcases/kernel/security/Makefile
> @@ -27,11 +27,14 @@ include $(top_srcdir)/include/mk/env_pre.mk
> # For broken compilers and toolchains, like Montavista, that improperly detect
> # system headers when running autoconf -_-... bleh.
> ifeq ($(strip $(CAP_LIBS)),)
> -FILTER_OUT_DIRS := cap_bound filecaps
> +FILTER_OUT_DIRS := cap_bound filecaps securebits
> endif
> ifeq ($(HAVE_SETCAP),false)
> FILTER_OUT_DIRS += filecaps
> endif
> +ifeq ($(LTP_SECUREBITS),false)
> +FILTER_OUT_DIRS += securebits
> +endif
>
> # XXX (garrcoop): avoid compilation failures on RHEL 5.4, as reported by
> # Mitani-san, because of policy versioning issues...
> diff --git a/testcases/kernel/security/securebits/Makefile b/testcases/kernel/security/securebits/Makefile
> new file mode 100644
> index 0000000..a76f2e0
> --- /dev/null
> +++ b/testcases/kernel/security/securebits/Makefile
> @@ -0,0 +1,28 @@
> +################################################################################
> +## ##
> +## Copyright (c) International Business Machines Corp., 2009 ##
> +## ##
> +## This program is free software; you can redistribute it and#or modify ##
> +## it under the terms of the GNU General Public License as published by ##
> +## the Free Software Foundation; either version 2 of the License, or ## ## (at your option) any later version. ##
> +## ##
> +## This program is distributed in the hope that it will be useful, but ##
> +## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> +## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ##
> +## for more details. ##
> +## ##
> +## You should have received a copy of the GNU General Public License ##
> +## along with this program; if not, write to the Free Software ##
> +## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ##
> +## ##
> +################################################################################
> +
> +top_srcdir ?= ../../../..
> +
> +include $(top_srcdir)/include/mk/testcases.mk
> +
> +LDLIBS += $(CAP_LIBS)
> +
> +INSTALL_TARGETS := *.sh
> +
> +include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/security/securebits/check_keepcaps.c b/testcases/kernel/security/securebits/check_keepcaps.c
> new file mode 100644
> index 0000000..e969ae4
> --- /dev/null
> +++ b/testcases/kernel/security/securebits/check_keepcaps.c
> @@ -0,0 +1,161 @@
> +#include <errno.h>
> +#include "config.h"
> +#if HAVE_SYS_CAPABILITY_H
> +#include <sys/capability.h>
> +#endif
> +#include <sys/prctl.h>
> +#include <linux/securebits.h>
> +#include <test.h>
> +
> +int errno;
> +
> +/* Tests:
> + 1. drop capabilities at setuid if KEEPCAPS is not set and
> + new user is nonroot
> + 2. keep capabilities if set and new user is nonroot
> + a. do with prctl(PR_SET_KEEPCAPS)
> + (call this test 2)
> + b. do with prctl(PR_SET_SECUREBITS, SECURE_KEEP_CAPS)
> + (call this test 3)
> + TODO: test that exec clears KEEPCAPS
> + (just create a simple executable that checks PR_GET_KEEPCAPS
> + results, and execute that as test 4 after doing PR_SET_KEEPCAPS).
> + TODO: all of the other securebits tests.
> + */
> +
> +char *TCID = "keepcaps";
> +int TST_TOTAL=1;
> +
> +#ifdef HAVE_LIBCAP
> +static int eff_caps_empty(cap_t c)
> +{
> + int i, ret, v, empty=1;
> +
> + for (i = 0; i < CAP_LAST_CAP; i++) {
> + ret = cap_get_flag(c, i, CAP_PERMITTED, &v);
> + if (ret || v)
> + empty = 0;
> + }
> +
> + return empty;
> +}
> +
> +static int am_privileged(void)
> +{
> + int am_privileged = 1;
> +
> + cap_t cap = cap_get_proc();
> + if (eff_caps_empty(cap))
> + am_privileged = 0;
> + cap_free(cap);
> +
> + return am_privileged;
> +}
> +#else
> +static int am_privileged(void)
> +{
> + tst_resm(TBROK, "libcap not installed.");
> + tst_exit();
> +}
> +#endif
> +
> +#define EXPECT_NOPRIVS 0
> +#define EXPECT_PRIVS 1
> +static void do_setuid(int expect_privs)
> +{
> + int ret;
> + int have_privs;
> +
> + ret = setuid(1000);
> + if (ret) {
> + tst_resm(TERRNO | TFAIL, "setuid failed");
> + tst_exit();
> + }
> +
> + have_privs = am_privileged();
> + if (have_privs && expect_privs == EXPECT_PRIVS) {
> + tst_resm(TPASS, "kept privs as expected");
> + tst_exit();
> + }
> + if (!have_privs && expect_privs == EXPECT_PRIVS) {
> + tst_resm(TFAIL, "expected to keep privs but did not");
> + tst_exit();
> + }
> + if (!have_privs && expect_privs == EXPECT_NOPRIVS) {
> + tst_resm(TPASS, "dropped privs as expected");
> + tst_exit();
> + }
> +
> + /* have_privs && EXPECT_NOPRIVS */
> + tst_resm(TFAIL, "expected to drop privs but did not");
> + tst_exit();
> +}
> +
> +static int am_root(void)
> +{
> + uid_t uid = getuid();
> + if (uid != 0)
> + return 0;
> + if (!am_privileged())
> + return 0;
> + return 1;
> +}
> +
> +int main(int argc, char *argv[])
> +{
> + int ret, whichtest;
> +
> + ret = prctl(PR_GET_KEEPCAPS);
> + if (ret) {
> + tst_resm(TBROK, "keepcaps was already set?\n");
> + tst_exit();
> + }
> + if (!am_root()) {
> + tst_resm(TBROK, "Run me as root and privileged\n");
> + tst_exit();
> + }
> +
> + if (argc < 2) {
> + tst_resm(TBROK, "Usage: %s <tescase_num>", argv[0]);
> + tst_exit();
> + }
> + whichtest = atoi(argv[1]);
> + if (whichtest < 1 || whichtest > 3) {
> + tst_resm(TFAIL, "Valid tests are 1-3\n");
> + tst_exit();
> + }
> + switch(whichtest) {
> + case 1:
> + do_setuid(EXPECT_NOPRIVS); /* does not return */
> + case 2:
> + ret = prctl(PR_SET_KEEPCAPS, 1);
> + if (ret == -1) {
> + tst_resm(TFAIL|TERRNO, "PR_SET_KEEPCAPS failed\n");
> + tst_exit();
> + }
> + ret = prctl(PR_GET_KEEPCAPS);
> + if (!ret) {
> + tst_resm(TFAIL|TERRNO, "PR_SET_KEEPCAPS did not set keepcaps\n");
> + tst_exit();
> + }
> + do_setuid(EXPECT_PRIVS); /* does not return */
> + case 3:
> + ret = prctl(PR_GET_SECUREBITS);
What if this call fails?
> + ret = prctl(PR_SET_SECUREBITS, ret | SECBIT_KEEP_CAPS);
> + if (ret == -1) {
> + tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS failed\n");
> + tst_exit();
> + }
> + ret = prctl(PR_GET_KEEPCAPS);
> + if (!ret) {
> + tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS did not set keepcaps\n");
> + tst_exit();
> + }
> + do_setuid(EXPECT_PRIVS); /* does not return */
> + default:
> + tst_resm(TFAIL, "should not reach here\n");
> + tst_exit();
> + }
> + tst_resm(TFAIL, "should not reach here\n");
> + tst_exit();
> +}
> diff --git a/testcases/kernel/security/securebits/run_securebits.sh b/testcases/kernel/security/securebits/run_securebits.sh
> new file mode 100644
> index 0000000..4d9e272
> --- /dev/null
> +++ b/testcases/kernel/security/securebits/run_securebits.sh
> @@ -0,0 +1,20 @@
> +#!/bin/sh
> +
> +echo "testing keepcaps"
> +check_keepcaps 1
> +tmp=$?
> +if [ $tmp -ne 0 ]; then
> + exit_code=$tmp
> +fi
> +check_keepcaps 2
> +tmp=$?
> +if [ $tmp -ne 0 ]; then
> + exit_code=$tmp
> +fi
> +check_keepcaps 3
> +tmp=$?
> +if [ $tmp -ne 0 ]; then
> + exit_code=$tmp
> +fi
> +
> +exit $exit_code
What if (for instance) test 1 fails, and tests 2 or 3 pass?
------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security
easier or more difficult to achieve? Read this whitepaper to separate the
two and get a better understanding.
http://p.sf.net/sfu/hp-phase2-d2d
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
2010-10-04 13:43 ` Garrett Cooper
@ 2010-10-04 14:06 ` Serge E. Hallyn
2010-10-04 14:24 ` Garrett Cooper
0 siblings, 1 reply; 9+ messages in thread
From: Serge E. Hallyn @ 2010-10-04 14:06 UTC (permalink / raw)
To: Garrett Cooper; +Cc: ltp-list, Subrata Modak1
Quoting Garrett Cooper (yanegomi@gmail.com):
> Hi Serge,
> Some comments about your provided code.
Thanks.
> > +AC_DEFUN([LTP_CHECK_SECUREBITS],
> > +AC_CHECK_HEADERS(linux/securebits.h,[
> > + LTP_SECUREBITS=yes
> > +])
> > +)
>
> Some checks should probably be added for versioning as well as symbols
> that get passed to prctl(2) (I'm not sure if checking for the symbols
> that get passed to prctl(2) here is the correct way to go about things
> though).
Not sure how we would check the versioning, bc there is no versioning
info in the interface.
...
> > + case 3:
> > + ret = prctl(PR_GET_SECUREBITS);
>
> What if this call fails?
It doesn't pass or fail. The return value is simply the current
securebits.
> > + ret = prctl(PR_SET_SECUREBITS, ret | SECBIT_KEEP_CAPS);
> > + if (ret == -1) {
> > + tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS failed\n");
> > + tst_exit();
> > + }
> > +#!/bin/sh
> > +
> > +echo "testing keepcaps"
> > +check_keepcaps 1
> > +tmp=$?
> > +if [ $tmp -ne 0 ]; then
> > + exit_code=$tmp
> > +fi
> > +check_keepcaps 2
> > +tmp=$?
> > +if [ $tmp -ne 0 ]; then
> > + exit_code=$tmp
> > +fi
> > +check_keepcaps 3
> > +tmp=$?
> > +if [ $tmp -ne 0 ]; then
> > + exit_code=$tmp
> > +fi
> > +
> > +exit $exit_code
>
> What if (for instance) test 1 fails, and tests 2 or 3 pass?
Yeah, I didn't do that right, and maybe it would be best
to just shortcut on the first failure anyway.
thanks,
-serge
------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security
easier or more difficult to achieve? Read this whitepaper to separate the
two and get a better understanding.
http://p.sf.net/sfu/hp-phase2-d2d
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
2010-10-04 14:06 ` Serge E. Hallyn
@ 2010-10-04 14:24 ` Garrett Cooper
2010-10-04 14:43 ` Serge E. Hallyn
0 siblings, 1 reply; 9+ messages in thread
From: Garrett Cooper @ 2010-10-04 14:24 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: ltp-list, Subrata Modak1
On Mon, Oct 4, 2010 at 7:06 AM, Serge E. Hallyn
<serge.hallyn@canonical.com> wrote:
> Quoting Garrett Cooper (yanegomi@gmail.com):
>> Hi Serge,
>> Some comments about your provided code.
>
> Thanks.
>
>> > +AC_DEFUN([LTP_CHECK_SECUREBITS],
>> > +AC_CHECK_HEADERS(linux/securebits.h,[
>> > + LTP_SECUREBITS=yes
>> > +])
>> > +)
>>
>> Some checks should probably be added for versioning as well as symbols
>> that get passed to prctl(2) (I'm not sure if checking for the symbols
>> that get passed to prctl(2) here is the correct way to go about things
>> though).
>
> Not sure how we would check the versioning, bc there is no versioning
> info in the interface.
Just checking for the symbols used with an autoconf test would be ok,
because according to the kernel.org manpage [1] some of these symbols
have only existed for the past year or two (and thus someone like
Mitani-san will come on the list and say that RHEL 4.x or 5.x compiles
are broken by the new test :)).
> ...
>
>> > + case 3:
>> > + ret = prctl(PR_GET_SECUREBITS);
>>
>> What if this call fails?
>
> It doesn't pass or fail. The return value is simply the current
> securebits.
According to the manpage [1], this syscall can fail.
>> > + ret = prctl(PR_SET_SECUREBITS, ret | SECBIT_KEEP_CAPS);
>> > + if (ret == -1) {
>> > + tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS failed\n");
>> > + tst_exit();
>> > + }
>
>> > +#!/bin/sh
>> > +
>> > +echo "testing keepcaps"
>> > +check_keepcaps 1
>> > +tmp=$?
>> > +if [ $tmp -ne 0 ]; then
>> > + exit_code=$tmp
>> > +fi
>> > +check_keepcaps 2
>> > +tmp=$?
>> > +if [ $tmp -ne 0 ]; then
>> > + exit_code=$tmp
>> > +fi
>> > +check_keepcaps 3
>> > +tmp=$?
>> > +if [ $tmp -ne 0 ]; then
>> > + exit_code=$tmp
>> > +fi
>> > +
>> > +exit $exit_code
>>
>> What if (for instance) test 1 fails, and tests 2 or 3 pass?
>
> Yeah, I didn't do that right, and maybe it would be best
> to just shortcut on the first failure anyway.
That's what I thought. The only thing you lose is coverage potentially
if one of the tests is broken :/.
Thanks!
-Garrett
[1] http://www.kernel.org/doc/man-pages/online/pages/man2/prctl.2.html
------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security
easier or more difficult to achieve? Read this whitepaper to separate the
two and get a better understanding.
http://p.sf.net/sfu/hp-phase2-d2d
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
2010-10-04 14:24 ` Garrett Cooper
@ 2010-10-04 14:43 ` Serge E. Hallyn
0 siblings, 0 replies; 9+ messages in thread
From: Serge E. Hallyn @ 2010-10-04 14:43 UTC (permalink / raw)
To: Garrett Cooper; +Cc: Subrata Modak1, ltp-list
Quoting Garrett Cooper (yanegomi@gmail.com):
> On Mon, Oct 4, 2010 at 7:06 AM, Serge E. Hallyn
> <serge.hallyn@canonical.com> wrote:
> > Quoting Garrett Cooper (yanegomi@gmail.com):
> >> Hi Serge,
> >> Some comments about your provided code.
> >
> > Thanks.
> >
> >> > +AC_DEFUN([LTP_CHECK_SECUREBITS],
> >> > +AC_CHECK_HEADERS(linux/securebits.h,[
> >> > + LTP_SECUREBITS=yes
> >> > +])
> >> > +)
> >>
> >> Some checks should probably be added for versioning as well as symbols
> >> that get passed to prctl(2) (I'm not sure if checking for the symbols
> >> that get passed to prctl(2) here is the correct way to go about things
> >> though).
> >
> > Not sure how we would check the versioning, bc there is no versioning
> > info in the interface.
>
> Just checking for the symbols used with an autoconf test would be ok,
> because according to the kernel.org manpage [1] some of these symbols
> have only existed for the past year or two
Right, but before that the header file wouldn't have existed. The
symbols appeared with the header file's creation.
Of course someone can shoot himself in the foot with older kernel on
newer userspace. I don't mind doing the extra checks, it'll just take
me a few weeks to get the chance. The tests aren't going to go stale
in the meantime, so no big whoop.
> (and thus someone like
> Mitani-san will come on the list and say that RHEL 4.x or 5.x compiles
> are broken by the new test :)).
My theory is that this test will suffice for older RHEL :) but
not for more experimental chaps, I guess.
> > ...
> >
> >> > + case 3:
> >> > + ret = prctl(PR_GET_SECUREBITS);
> >>
> >> What if this call fails?
> >
> > It doesn't pass or fail. The return value is simply the current
> > securebits.
>
> According to the manpage [1], this syscall can fail.
I don't actually see where the syscall says it can fail (it says that
for CAPBSET_READ, but not for GET_SECUREBITS. So it can only fail
if the capability module's prctl() isn't called. I know of no ways
that can happen with current upstream, bc smack, selinux, apparmor
and tomoyo all do not define security_prctl(), which means that the
capability one will be called.
But there's really nothing preventing that situation in the future.
In which case right now we'll cache the error when SET_SECUREBITS
either returns -ENOSYS or returns an error bc of invalid bits.
In any case, an extra check won't hurt. I just felt the need to
double-check my original thinking :)
> >> > + ret = prctl(PR_SET_SECUREBITS, ret | SECBIT_KEEP_CAPS);
> >> > + if (ret == -1) {
> >> > + tst_resm(TFAIL|TERRNO, "PR_SET_SECUREBITS failed\n");
> >> > + tst_exit();
> >> > + }
> >
> >> > +#!/bin/sh
> >> > +
> >> > +echo "testing keepcaps"
> >> > +check_keepcaps 1
> >> > +tmp=$?
> >> > +if [ $tmp -ne 0 ]; then
> >> > + exit_code=$tmp
> >> > +fi
> >> > +check_keepcaps 2
> >> > +tmp=$?
> >> > +if [ $tmp -ne 0 ]; then
> >> > + exit_code=$tmp
> >> > +fi
> >> > +check_keepcaps 3
> >> > +tmp=$?
> >> > +if [ $tmp -ne 0 ]; then
> >> > + exit_code=$tmp
> >> > +fi
> >> > +
> >> > +exit $exit_code
> >>
> >> What if (for instance) test 1 fails, and tests 2 or 3 pass?
> >
> > Yeah, I didn't do that right, and maybe it would be best
> > to just shortcut on the first failure anyway.
>
> That's what I thought. The only thing you lose is coverage potentially
> if one of the tests is broken :/.
Yup, which is probably fine - if any one of these breaks, it'll
be a huge deal imo.
-serge
------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security
easier or more difficult to achieve? Read this whitepaper to separate the
two and get a better understanding.
http://p.sf.net/sfu/hp-phase2-d2d
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2010-10-13 7:19 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-29 13:56 [LTP] [PATCH] securebits: add secure_keepcaps testcases Serge E. Hallyn
2010-09-29 15:02 ` Subrata Modak
2010-10-04 7:13 ` Subrata Modak
2010-10-04 13:04 ` Serge E. Hallyn
2010-10-13 7:19 ` Subrata Modak
2010-10-04 13:43 ` Garrett Cooper
2010-10-04 14:06 ` Serge E. Hallyn
2010-10-04 14:24 ` Garrett Cooper
2010-10-04 14:43 ` Serge E. Hallyn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox