From: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
To: ltp@lists.linux.it
Subject: [LTP] [RFC PATCH 1/1] capability: Introduce capability API
Date: Thu, 22 Aug 2019 13:56:33 +0800	[thread overview]
Message-ID: <5D5E2E91.1060805@cn.fujitsu.com> (raw)
In-Reply-To: <CAEemH2czBk5KKgFB0_4bWtnwdnJdq0sJNmo=q3_u1UipEhaOJw@mail.gmail.com>

On 2019/08/15 15:10, Li Wang wrote:
> On Thu, Aug 8, 2019 at 11:39 PM Richard Palethorpe<rpalethorpe@suse.com>  wrote:
>> ---
>>   include/tst_capability.h | 56 +++++++++++++++++++++++++++++
>>   include/tst_test.h       |  6 ++++
>>   lib/tst_capability.c     | 78 ++++++++++++++++++++++++++++++++++++++++
>>   lib/tst_test.c           |  3 ++
>>   4 files changed, 143 insertions(+)
>>   create mode 100644 include/tst_capability.h
>>   create mode 100644 lib/tst_capability.c
>>
>> diff --git a/include/tst_capability.h b/include/tst_capability.h
>> new file mode 100644
>> index 000000000..6342b667e
>> --- /dev/null
>> +++ b/include/tst_capability.h
>> @@ -0,0 +1,56 @@
>> +/* SPDX-License-Identifier: GPL-2.0-or-later */
>> +/*
>> + * Copyright (c) 2019 Richard Palethorpe<rpalethorpe@suse.com>
>> + */
>> +/**
>> + * @file tst_capability.h
>> + *
>> + * Limited capability operations without libcap.
>> + */
>> +
>> +#include<stdint.h>
>> +
>> +#include "lapi/syscalls.h"
>> +
>> +#ifndef TST_CAPABILITY_H
>> +#define TST_CAPABILITY_H
>> +
>> +#ifndef CAP_SYS_ADMIN
>> +# define CAP_SYS_ADMIN        21
>> +#endif
>> +
>> +#ifndef CAP_TO_MASK
>> +# define CAP_TO_MASK(x)      (1<<  ((x)&  31))
>> +#endif
>> +
>> +#define TST_DROP 1
>> +#define TST_REQUIRE 1<<  1
>> +
>> +#define TST_CAP(action, capability) {action, capability, #capability}
>> +
>> +struct tst_cap_user_header {
>> +       uint32_t version;
>> +       int pid;
>> +};
>> +
>> +struct tst_cap_user_data {
>> +       uint32_t effective;
>> +       uint32_t permitted;
>> +       uint32_t inheritable;
>> +};
>> +
>> +struct tst_cap {
>> +       uint32_t action;
>> +       uint32_t id;
>> +       char *name;
>> +};
>> +
>> +int tst_capget(struct tst_cap_user_header *hdr,
>> +              struct tst_cap_user_data *data);
>> +int tst_capset(struct tst_cap_user_header *hdr,
>> +              const struct tst_cap_user_data *data);
>> +
>> +void tst_cap_action(struct tst_cap *cap);
>> +void tst_cap_setup(struct tst_cap *cap);
>> +
>> +#endif
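Review bot: `struct tst_cap_user_data` carries a single 32-bit word per capability set, yet lib/tst_capability.c in this same patch requests header version 0x20080522 (_LINUX_CAPABILITY_VERSION_3), under which capget()/capset() transfer two u32 words per set — a caller passing one struct therefore hands the kernel an undersized buffer, and the stack garbage the kernel reads as the second word is a plausible source of the EPERM reported later in this thread. The header should either make the v3 layout explicit, e.g. `/* v3 ABI: data is an array of 2, index 0 = caps 0-31, index 1 = caps 32-63 */` with callers declaring `struct tst_cap_user_data data[2]`, or document that only the version-1 single-word layout is supported. Relatedly, `CAP_TO_MASK(x)` masks with `& 31`, so a capability id of 32 or above silently aliases onto a bit of the first word instead of selecting the second; a guard or a word index derived from `(x) >> 5` is needed before such ids can be used safely. `#define TST_REQUIRE 1<<  1` is an unparenthesised expression macro and should be `#define TST_REQUIRE (1 << 1)`. Finally, the `#include` lines sit above the `#ifndef TST_CAPABILITY_H` guard rather than inside it, which is unconventional and worth moving.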
>> diff --git a/include/tst_test.h b/include/tst_test.h
>> index cdeaf6ad0..84acf2c59 100644
>> --- a/include/tst_test.h
>> +++ b/include/tst_test.h
>> @@ -36,6 +36,7 @@
>>   #include "tst_sys_conf.h"
>>   #include "tst_coredump.h"
>>   #include "tst_buffers.h"
>> +#include "tst_capability.h"
>>
>>   /*
>>    * Reports testcase result.
>> @@ -206,6 +207,11 @@ struct tst_test {
>>           * NULL-terminated array to be allocated buffers.
>>           */
>>          struct tst_buffers *bufs;
>> +
>> +       /*
>> +        * NULL-terminated array of capability settings
>> +        */
>> +       struct tst_cap *caps;
>>   };
>>
>>   /*
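Review bot: The comment on the new `caps` member says "NULL-terminated array", but `caps` points at `struct tst_cap` elements by value, so the terminator is a zero-initialised element (the `{}` entry in the example test quoted later in this thread), not a NULL pointer. Suggest `/* Array of capability settings, terminated by a zero-initialised entry ({}) */`. This also makes it a contract that no valid action value is 0, which the header satisfies today (TST_DROP is 1) and which is worth stating next to the action defines.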
>> diff --git a/lib/tst_capability.c b/lib/tst_capability.c
>> new file mode 100644
>> index 000000000..d229491ae
>> --- /dev/null
>> +++ b/lib/tst_capability.c
>> @@ -0,0 +1,78 @@
>> +/* SPDX-License-Identifier: GPL-2.0-or-later */
>> +/*
>> + * Copyright (c) 2019 Richard Palethorpe<rpalethorpe@suse.com>
>> + */
>> +
>> +#define TST_NO_DEFAULT_MAIN
>> +#include "tst_test.h"
>> +#include "tst_capability.h"
>> +
>> +int tst_capget(struct tst_cap_user_header *hdr,
>> +              struct tst_cap_user_data *data)
>> +{
>> +       return tst_syscall(__NR_capget, hdr, data);
>> +}
>> +
>> +int tst_capset(struct tst_cap_user_header *hdr,
>> +              const struct tst_cap_user_data *data)
>> +{
>> +       return tst_syscall(__NR_capset, hdr, data);
>> +}
>> +
>> +void tst_cap_action(struct tst_cap *cap)
>> +{
>> +       struct tst_cap_user_header hdr = {
>> +               .version = 0x20080522,
>> +               .pid = tst_syscall(__NR_gettid),
>> +       };
>> +       struct tst_cap_user_data cur = { 0 };
>> +       struct tst_cap_user_data new = { 0 };
>> +       uint32_t mask = CAP_TO_MASK(cap->id);
>> +       uint32_t act = cap->action;
>> +
>> +       if (tst_capget(&hdr,&cur))
>> +               tst_brk(TBROK | TTERRNO, "tst_capget()");
>> +
>> +       new = cur;
>> +
>> +       switch (act) {
>> +       case TST_DROP:
>> +               if (cur.effective&  mask) {
>> +                       tst_res(TINFO, "Dropping %s(%d)",
>> +                               cap->name, cap->id);
>> +                       new.effective&= ~mask;
>> +                       new.permitted&= ~mask;
>> +                       new.inheritable&= ~mask;
>> +               }
>> +               break;
>> +       case TST_REQUIRE:
>> +               if (cur.permitted ^ mask) {
>> +                       tst_brk(TCONF, "Need %s(%d)",
>> +                               cap->name, cap->id);
>> +               } else if (cur.effective ^ mask) {
>> +                       tst_res(TINFO, "Permitting %s(%d)",
>> +                               cap->name, cap->id);
>> +                       new.effective |= mask;
>> +                       new.inheritable |= mask;
>> +               }
>> +               break;
>> +       default:
>> +               tst_brk(TBROK, "Unrecognised action %d", cap->action);
>> +       }
>> +
>> +       if (cur.effective != new.effective) {
>> +               if (tst_capset(&hdr,&new))
>> +                       tst_brk(TBROK | TERRNO, "tst_capset(%s)", cap->name);
> It does not work for this simple cap_test.c, did I miss anything?
>
> # whoami
> root
>
> # ./cap_test
> tst_test.c:1111: INFO: Timeout per run is 0h 05m 00s
> tst_capability.c:42: INFO: Dropping CAP_SYS_ADMIN(21)
> tst_capability.c:65: BROK: tst_capset(CAP_SYS_ADMIN): EPERM
>
Hi Li
I have tried it and hit the same failure. It looks as though _LINUX_CAPABILITY_VERSION_3 is not handled correctly on my system, which causes the failure.
If I use _LINUX_CAPABILITY_VERSION_1 instead, cap_test passes. I am still looking into the _LINUX_CAPABILITY_VERSION_3 dependence.

> # ./cap_test
> tst_test.c:1111: INFO: Timeout per run is 0h 05m 00s
> tst_capability.c:51: CONF: Need CAP_SYS_ADMIN(21)
>
> # cat cap_test.c
> #include "tst_test.h"
> #include "linux/capability.h"
>
> static void do_test(void)
> {
>          tst_res(TPASS, "Hello");
> }
>
> static struct tst_test test = {
>          .test_all = do_test,
>          .needs_root = 1,
>          .caps = (struct tst_cap []) {
> //                TST_CAP(TST_DROP, CAP_SYS_ADMIN),
>                  TST_CAP(TST_REQUIRE, CAP_SYS_ADMIN),
>                  {},
>          },
> };
>



