[LTP] [PATCH] syscalls/prctl07.c: New test for prctl() with PR_CAP_AMBIENT

Cyril Hrubis chrubis@suse.cz
Tue Jul 9 13:20:46 CEST 2019


Hi!
> Since Linux 4.3, PR_CAP_AMBIENT has been supported. We can read or change
> the ambient capability set of the calling thread by using one of the following
> options: PR_CAP_AMBIENT_RAISE, PR_CAP_AMBIENT_LOWER, PR_CAP_AMBIENT_IS_SET,
> PR_CAP_AMBIENT_CLEAR_ALL.
> 
> links:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5831905
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=32ae976
> 
> Signed-off-by: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
> ---
>  configure.ac                               |   2 +
>  include/lapi/prctl.h                       |   8 +
>  include/lapi/securebits.h                  |  15 ++
>  runtest/syscalls                           |   1 +
>  testcases/kernel/syscalls/prctl/.gitignore |   1 +
>  testcases/kernel/syscalls/prctl/Makefile   |   2 +
>  testcases/kernel/syscalls/prctl/prctl07.c  | 196 +++++++++++++++++++++
>  7 files changed, 225 insertions(+)
>  create mode 100644 include/lapi/securebits.h
>  create mode 100644 testcases/kernel/syscalls/prctl/prctl07.c
> 
> diff --git a/configure.ac b/configure.ac
> index f78db90ce..cf1e121bd 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -33,6 +33,7 @@ AC_PROG_YACC
>  AC_PREFIX_DEFAULT(/opt/ltp)
>  
>  AC_CHECK_HEADERS([ \
> +    cap-ng.h \
>      ifaddrs.h \
>      keyutils.h \
>      linux/can.h \
> @@ -47,6 +48,7 @@ AC_CHECK_HEADERS([ \
>      linux/module.h \
>      linux/netlink.h \
>      linux/seccomp.h \
> +    linux/securebits.h \
>      linux/userfaultfd.h \
>      mm.h \
>      netinet/sctp.h \
> diff --git a/include/lapi/prctl.h b/include/lapi/prctl.h
> index 54b3da20f..8ee492259 100644
> --- a/include/lapi/prctl.h
> +++ b/include/lapi/prctl.h
> @@ -29,4 +29,12 @@
>  # define PR_GET_NO_NEW_PRIVS 39
>  #endif
>  
> +#ifndef PR_CAP_AMBIENT
> +# define PR_CAP_AMBIENT             47
> +# define PR_CAP_AMBIENT_IS_SET      1
> +# define PR_CAP_AMBIENT_RAISE       2
> +# define PR_CAP_AMBIENT_LOWER       3
> +# define PR_CAP_AMBIENT_CLEAR_ALL   4
> +#endif
> +
>  #endif /* LAPI_PRCTL_H__ */
> diff --git a/include/lapi/securebits.h b/include/lapi/securebits.h
> new file mode 100644
> index 000000000..9c9216e13
> --- /dev/null
> +++ b/include/lapi/securebits.h
> @@ -0,0 +1,15 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
> + * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
> + */
> +#ifndef LAPI_SECUREBITS_H
> +#define LAPI_SECUREBITS_H
> +
> +# ifdef HAVE_LINUX_SECUREBITS_H
> +#  include <linux/securebits.h>
> +# endif /* HAVE_LINUX_SECUREBITS_H*/
> +# ifndef SECBIT_NO_CAP_AMBIENT_RAISE
> +#  define SECBIT_NO_CAP_AMBIENT_RAISE  6
> +# endif
> +#endif /* LAPI_SECUREBITS_H */
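Review bot: The fallback on the `# define SECBIT_NO_CAP_AMBIENT_RAISE  6` line is the securebits bit number, not the mask: in the kernel's `<linux/securebits.h>` `SECBIT_NO_CAP_AMBIENT_RAISE` expands to `issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE)`, i.e. `1 << 6`, while `SECURE_NO_CAP_AMBIENT_RAISE` is the plain `6`. On a system whose uapi headers predate the flag, prctl07.c's `prctl(PR_SET_SECUREBITS, SECBIT_NO_CAP_AMBIENT_RAISE)` would therefore set bits 1 and 2 instead of bit 6, the raise would not be refused, and the "because of NO_RAISE_SECBIT set" case would report a spurious failure. Suggest `#  define SECBIT_NO_CAP_AMBIENT_RAISE (1 << 6)` with a comment such as `/* issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE), bit 6 */`, or define `SECURE_NO_CAP_AMBIENT_RAISE 6` and derive the mask from it, so the fallback matches the kernel header.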
> diff --git a/runtest/syscalls b/runtest/syscalls
> index 742739c2c..4a03c5818 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -868,6 +868,7 @@ prctl03 prctl03
>  prctl04 prctl04
>  prctl05 prctl05
>  prctl06 prctl06
> +prctl07 prctl07
>  
>  pread01 pread01
>  pread01_64 pread01_64
> diff --git a/testcases/kernel/syscalls/prctl/.gitignore b/testcases/kernel/syscalls/prctl/.gitignore
> index f52f6f665..b913d1798 100644
> --- a/testcases/kernel/syscalls/prctl/.gitignore
> +++ b/testcases/kernel/syscalls/prctl/.gitignore
> @@ -4,3 +4,4 @@
>  /prctl04
>  /prctl05
>  /prctl06
> +/prctl07
> diff --git a/testcases/kernel/syscalls/prctl/Makefile b/testcases/kernel/syscalls/prctl/Makefile
> index bd617d806..6bb839a7d 100644
> --- a/testcases/kernel/syscalls/prctl/Makefile
> +++ b/testcases/kernel/syscalls/prctl/Makefile
> @@ -20,4 +20,6 @@ top_srcdir		?= ../../../..
>  
>  include $(top_srcdir)/include/mk/testcases.mk
>  
> +LDLIBS			+= -lcap-ng

This will break the compilation without the cap-ng library, we have to
check for the presence in the configure script.

See for example m4/ltp-cap.m4 where we define a variable that is then
used in Makefiles, e.g. in syscalls/pivot_root/Makefile.

Also LTP depends on libcap already, so maybe it would be better to use
the libcap instead of cap-ng in order to keep the number of libraries we
depend on as small as possible.

>  include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/syscalls/prctl/prctl07.c b/testcases/kernel/syscalls/prctl/prctl07.c
> new file mode 100644
> index 000000000..a7c8596a3
> --- /dev/null
> +++ b/testcases/kernel/syscalls/prctl/prctl07.c
> @@ -0,0 +1,196 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
> + * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
> + *
> + * Test the PR_CAP_AMBIENT of prctl(2).
> + * Reads or changes the ambient capability set of the calling thread,
> + * according to the value of arg2, which must be one of the following:
> + * 1)PR_CAP_AMBIENT_RAISE:
> + * The capability specified in arg3 is added to the ambient set.
> + * The specified capability must already be present in both pE and pI.
> + * If we set SECBIT_NO_CAP_AMBIENT_RAISE bit, raise option will be rejected
> + * and retrun EPERM. We also raise a CAP twice.
> + * 2)PR_CAP_AMBIENT_LOWER:
> + * The capability specified in arg3 is removed from the ambient set.
> + * Even though this cap is not in set, it also should return 0.
> + * 3)PR_CAP_AMBIENT_IS_SET:
> + * Returns 1 if the capability in arg3 is in the ambient set and 0 if it
> + * is not.
> + * 4)PR_CAP_AMBIENT_CLEAR_ALL:
> + * All capabilities will be removed from the ambient set. This operation
> + * requires setting arg3 to zero.
> + */
> +
> +#include <sys/prctl.h>
> +#include <string.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <sys/capability.h>
> +#include <linux/capability.h>
> +#include "config.h"
> +#if HAVE_CAP_NG_H
> +#include <cap-ng.h>
> +#endif
> +#include "lapi/syscalls.h"
> +#include "lapi/prctl.h"
> +#include "lapi/securebits.h"
> +#include "tst_test.h"
> +
> +#if HAVE_CAP_NG_H
> +static void check_proc_capamb(char *message, char *path, int flag)
> +{
> +	unsigned int cap_num;
> +	char CapAmb[20];
> +
> +	SAFE_FILE_LINES_SCANF(path, "CapAmb:%s", CapAmb);
> +	cap_num = atoi(CapAmb);
> +	if (flag == 2) {
> +		if (cap_num == 0)
> +			tst_res(TPASS,
> +				"%s, %s CapAmb has been clear as %d",
> +				message, path, cap_num);
> +		else
> +			tst_res(TFAIL,
> +				"%s, %s CapAmb has been clear expect 0, got %d",
> +				message, path, cap_num);
> +		return;
> +	}
> +
> +	if (cap_num ==  400)
> +		tst_res(flag ? TPASS : TFAIL,
> +			"%s, CapAmb in %s has CAP_NET_BIND_SERVICE",
> +			message, path);
> +	else
> +		tst_res(flag ? TFAIL : TPASS,
> +			"%s, CapAmb in %s doesn't have CAP_NET_BIND_SERVICE",
> +			message, path);
> +}
> +
> +static void check_cap_raise(unsigned int cap, char *message, int fail_flag)
> +{
> +	TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0, 0));
> +	switch (fail_flag) {
> +	case 0:
> +	if (TST_RET == 0)
> +		tst_res(TPASS, "PR_CAP_AMBIENT_RAISE %s succeeded", message);
> +	else
> +		tst_res(TFAIL, "PR_CAP_AMBIENT_RAISE %s failed unexpectedly",
> +			message);
> +	break;
> +	case 1:
> +	if (TST_RET == 0)
> +		tst_res(TFAIL,
> +			"PR_CAP_AMBIENT_RAISE succeeded unexpectedly %s",
> +			message);
> +	else if (TST_ERR == EPERM)
> +		tst_res(TPASS,
> +			"PR_CAP_AMBIENT_RAISE failed with EPERM %s", message);
> +	else
> +		tst_res(TFAIL | TERRNO,
> +			"PR_CAP_AMBIENT_RAISE failed %s", message);
> +	break;
> +	}
> +}
> +
> +static void check_cap_is_set(unsigned int cap, char *message, int val)
> +{
> +	TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0, 0));
> +	if (TST_RET == 1)
> +		tst_res(val ? TPASS : TFAIL,
> +			"PR_CAP_AMBIENT_IS_SET %s in AmbientCap", message);
> +	else if (TST_RET == 0)
> +		tst_res(val ? TFAIL : TPASS,
> +			"PR_CAP_AMBIENT_IS_SET %s not in AmbientCap", message);
> +	else
> +		tst_res(TFAIL | TERRNO, "PR_CAP_AMBIENT_IS_SET failed");
> +}
> +
> +static void check_cap_lower(unsigned int cap, char *message)
> +{
> +	TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, cap, 0, 0, 0));
> +	if (TST_RET == -1)
> +		tst_res(TFAIL | TERRNO,
> +			"PR_CAP_AMBIENT_LOWER %s failed", message);
> +	else
> +		tst_res(TPASS, "PR_CAP_AMBIENT_LOWER %s succeeded", message);
> +}
> +#endif
> +
> +static void verify_prctl(void)
> +{
> +#if HAVE_CAP_NG_H
> +	pid_t pid;
> +	char path[50];
> +
> +	pid = getpid();
> +	sprintf(path, "/proc/%d/status", pid);
			^
                       Why not just /proc/self/status ?

> +	check_proc_capamb("At the beginning", path, 0);
> +
> +	capng_get_caps_process();
> +	capng_update(CAPNG_DROP, CAPNG_INHERITABLE, CAP_NET_BIND_SERVICE);
> +	if (capng_apply(CAPNG_SELECT_CAPS) != 0)
> +		return;

> +	check_cap_raise(CAP_NET_BIND_SERVICE, "on non-inheritable cap", 1);
> +
> +	capng_update(CAPNG_ADD, CAPNG_INHERITABLE, CAP_NET_RAW);
> +	capng_update(CAPNG_DROP, CAPNG_PERMITTED, CAP_NET_RAW);
> +	capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_NET_RAW);
> +	if (capng_apply(CAPNG_SELECT_CAPS) != 0)
> +		return;
> +	check_cap_raise(CAP_NET_RAW, "on non-permitted cap", 1);
> +
> +	capng_update(CAPNG_ADD, CAPNG_INHERITABLE, CAP_NET_BIND_SERVICE);
> +	if (capng_apply(CAPNG_SELECT_CAPS) != 0)
> +		return;
> +	prctl(PR_SET_SECUREBITS, SECBIT_NO_CAP_AMBIENT_RAISE);
> +	check_cap_raise(CAP_NET_BIND_SERVICE, "because of NO_RAISE_SECBIT set", 1);
> +	prctl(PR_SET_SECUREBITS, 0);
> +
> +	check_cap_raise(CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERVICE", 0);
> +	/*Even this cap has been in ambient set, raise succeeds and return 0*/
> +	check_cap_raise(CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERIVCE twice", 0);
> +
> +	check_proc_capamb("After PR_CAP_AMBIENT_RAISE", path, 1);
> +
> +	check_cap_is_set(CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERVICE was", 1);
> +	check_cap_is_set(CAP_NET_RAW, "CAP_NET_RAW was", 0);
> +	/*move a cap what was not in ambient set, it also return 0*/
> +	check_cap_lower(CAP_NET_RAW, "CAP_NET_RAW(it wasn't in ambient set)");
> +	check_cap_lower(CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERVICE(it was in ambient set)");
> +	check_proc_capamb("After PR_CAP_AMBIENT_LORWER", path, 0);
> +
> +	prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BIND_SERVICE, 0, 0, 0);
> +	tst_res(TINFO, "raise cap for clear");
> +	TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0, 0));
> +	if (TST_RET == 0)
> +		tst_res(TPASS, "PR_CAP_AMBIENT_CLEAR ALL succeeded");
> +	else
> +		tst_res(TFAIL | TERRNO, "PR_AMBIENT_CLEAR_ALL failed");
> +
> +	check_proc_capamb("After PR_CAP_AMBIENT_CLEAN_ALL", path, 2);
> +#else
> +	tst_res(TCONF, "system doesn't have cap-ng library");
> +#endif
> +}
> +
> +static void setup(void)
> +{
> +	TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0, 0));
> +	if (TST_RET == 0) {
> +		tst_res(TINFO, "kernel supports PR_CAP_AMBIENT");
> +		return;
> +	}
> +
> +	if (TST_ERR == EINVAL)
> +		tst_brk(TCONF, "kernel doesn't support PR_CAP_AMBIENT");
> +
> +	tst_brk(TBROK | TERRNO,
> +		"current environment doesn't permit PR_CAP_AMBIENT");
> +}
> +
> +static struct tst_test test = {
> +	.setup = setup,
> +	.test_all = verify_prctl,
> +	.needs_root = 1,
> +};
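Review bot: `check_proc_capamb` parses the `CapAmb:` field with `atoi()`, but /proc/<pid>/status prints the capability sets as a hexadecimal mask, so the comparison `cap_num ==  400` only works because `0x400` happens to contain no letter digits; any capability above bit 9, or a mask with a-f digits, would be misparsed. Parse it as hex and test the bit instead: `unsigned long long cap_mask = strtoull(CapAmb, NULL, 16);` and `if (cap_mask & (1ULL << CAP_NET_BIND_SERVICE))`, and bound the conversion with `"CapAmb:%19s"` to match the 20-byte buffer. In `verify_prctl` the bare `return` after each failed `capng_apply()` ends the test without reporting anything, so a partially run test still passes — use `tst_brk(TBROK, "capng_apply() failed");` there, and check the two `prctl(PR_SET_SECUREBITS, ...)` calls (which need CAP_SETPCAP) as well, otherwise an EPERM from them is misattributed to the PR_CAP_AMBIENT_RAISE check that follows. As a matter of style, `message` and `path` could be `const char *`, and the result strings carry typos (`CAP_NET_BIND_SERIVCE`, `PR_CAP_AMBIENT_LORWER`, `PR_CAP_AMBIENT_CLEAN_ALL`) that make grepping the output harder.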
> -- 
> 2.18.1
> 
> 
> 
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp

-- 
Cyril Hrubis
chrubis@suse.cz

