[LTP] [PATCH v2] syscalls/prctl07: New test for prctl() with PR_CAP_AMBIENT
Yang Xu
xuyang2018.jy@cn.fujitsu.com
Fri Jul 12 11:54:35 CEST 2019
Since Linux 4.3, PR_CAP_AMBIENT has been supported. We can read or change
the ambient capability set of the calling thread by using the following
option: PR_CAP_AMBIENT_RAISE, PR_CAP_AMBIENT_LOWER,PR_CAP_AMBIENT_IS_SET,
PR_CAP_AMBIENT_CLEAR_ALL.
Signed-off-by: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
---
configure.ac | 1 +
include/lapi/prctl.h | 8 +
include/lapi/securebits.h | 15 ++
runtest/syscalls | 1 +
testcases/kernel/syscalls/prctl/.gitignore | 1 +
testcases/kernel/syscalls/prctl/Makefile | 2 +
testcases/kernel/syscalls/prctl/prctl07.c | 194 +++++++++++++++++++++
7 files changed, 222 insertions(+)
create mode 100644 include/lapi/securebits.h
create mode 100644 testcases/kernel/syscalls/prctl/prctl07.c
diff --git a/configure.ac b/configure.ac
index f78db90ce..56291fc2f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -47,6 +47,7 @@ AC_CHECK_HEADERS([ \
linux/module.h \
linux/netlink.h \
linux/seccomp.h \
+ linux/securebits.h \
linux/userfaultfd.h \
mm.h \
netinet/sctp.h \
diff --git a/include/lapi/prctl.h b/include/lapi/prctl.h
index 54b3da20f..8ee492259 100644
--- a/include/lapi/prctl.h
+++ b/include/lapi/prctl.h
@@ -29,4 +29,12 @@
# define PR_GET_NO_NEW_PRIVS 39
#endif
+#ifndef PR_CAP_AMBIENT
+# define PR_CAP_AMBIENT 47
+# define PR_CAP_AMBIENT_IS_SET 1
+# define PR_CAP_AMBIENT_RAISE 2
+# define PR_CAP_AMBIENT_LOWER 3
+# define PR_CAP_AMBIENT_CLEAR_ALL 4
+#endif
+
#endif /* LAPI_PRCTL_H__ */
diff --git a/include/lapi/securebits.h b/include/lapi/securebits.h
new file mode 100644
index 000000000..9c9216e13
--- /dev/null
+++ b/include/lapi/securebits.h
@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
+ * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+ */
+#ifndef LAPI_SECUREBITS_H
+#define LAPI_SECUREBITS_H
+
+# ifdef HAVE_LINUX_SECUREBITS_H
+# include <linux/securebits.h>
+# endif /* HAVE_LINUX_SECUREBITS_H*/
+# ifndef SECBIT_NO_CAP_AMBIENT_RAISE
+# define SECBIT_NO_CAP_AMBIENT_RAISE 6
+# endif
+#endif /* LAPI_SECUREBITS_H */
diff --git a/runtest/syscalls b/runtest/syscalls
index ef7af41b5..c35add35f 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -866,6 +866,7 @@ prctl03 prctl03
prctl04 prctl04
prctl05 prctl05
prctl06 prctl06
+prctl07 prctl07
pread01 pread01
pread01_64 pread01_64
diff --git a/testcases/kernel/syscalls/prctl/.gitignore b/testcases/kernel/syscalls/prctl/.gitignore
index ee994086f..2178db366 100644
--- a/testcases/kernel/syscalls/prctl/.gitignore
+++ b/testcases/kernel/syscalls/prctl/.gitignore
@@ -5,3 +5,4 @@
/prctl05
/prctl06
/prctl06_execve
+/prctl07
diff --git a/testcases/kernel/syscalls/prctl/Makefile b/testcases/kernel/syscalls/prctl/Makefile
index bd617d806..1399122e8 100644
--- a/testcases/kernel/syscalls/prctl/Makefile
+++ b/testcases/kernel/syscalls/prctl/Makefile
@@ -20,4 +20,6 @@ top_srcdir ?= ../../../..
include $(top_srcdir)/include/mk/testcases.mk
+LDLIBS += $(CAP_LIBS)
+
include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/syscalls/prctl/prctl07.c b/testcases/kernel/syscalls/prctl/prctl07.c
new file mode 100644
index 000000000..bbb9161dd
--- /dev/null
+++ b/testcases/kernel/syscalls/prctl/prctl07.c
@@ -0,0 +1,194 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
+ * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+ *
+ * Test the PR_CAP_AMBIENT of prctl(2).
+ * Reads or changes the ambient capability set of the calling thread,
+ * according to the value of arg2, which must be one of the following:
+ * 1)PR_CAP_AMBIENT_RAISE:
+ * The capability specified in arg3 is added to the ambient set.
+ * The specified capability must already be present in both pE and pI.
+ * If we set SECBIT_NO_CAP_AMBIENT_RAISE bit, raise option will be rejected
+ * and retrun EPERM. We also raise a CAP twice.
+ * 2)PR_CAP_AMBIENT_LOWER:
+ * The capability specified in arg3 is removed from the ambient set.
+ * Even though this cap is not in set, it also should return 0.
+ * 3)PR_CAP_AMBIENT_IS_SET:
+ * Returns 1 if the capability in arg3 is in the ambient set and 0 if it
+ * is not.
+ * 4)PR_CAP_AMBIENT_CLEAR_ALL:
+ * All capabilities will be removed from the ambient set. This operation
+ * requires setting arg3 to zero.
+ */
+
+#include <sys/prctl.h>
+#include <stdlib.h>
+#include "config.h"
+#ifdef HAVE_LIBCAP
+#include <sys/capability.h>
+#endif
+#include "lapi/syscalls.h"
+#include "lapi/prctl.h"
+#include "lapi/securebits.h"
+#include "tst_test.h"
+
+static void check_proc_capamb(char *message, int flag)
+{
+ unsigned int cap_num;
+ char CapAmb[20];
+ char path[50];
+
+ strcpy(path, "/proc/self/status");
+ SAFE_FILE_LINES_SCANF(path, "CapAmb:%s", CapAmb);
+ cap_num = atoi(CapAmb);
+ if (flag == 2) {
+ if (cap_num == 0)
+ tst_res(TPASS,
+ "%s, %s CapAmb has been clear as %d",
+ message, path, cap_num);
+ else
+ tst_res(TFAIL,
+ "%s, %s CapAmb has been clear expect 0, got %d",
+ message, path, cap_num);
+ return;
+ }
+ /*1 << CAP_NET_BIND_SERVICE*/
+ if (cap_num == 400)
+ tst_res(flag ? TPASS : TFAIL,
+ "%s, CapAmb in %s has CAP_NET_BIND_SERVICE",
+ message, path);
+ else
+ tst_res(flag ? TFAIL : TPASS,
+ "%s, CapAmb in %s doesn't have CAP_NET_BIND_SERVICE",
+ message, path);
+}
+
+static void check_cap_raise(unsigned int cap, char *message, int fail_flag)
+{
+ TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0, 0));
+ switch (fail_flag) {
+ case 0:
+ if (TST_RET == 0)
+ tst_res(TPASS, "PR_CAP_AMBIENT_RAISE %s succeeded", message);
+ else
+ tst_res(TFAIL, "PR_CAP_AMBIENT_RAISE %s failed unexpectedly",
+ message);
+ break;
+ case 1:
+ if (TST_RET == 0)
+ tst_res(TFAIL,
+ "PR_CAP_AMBIENT_RAISE succeeded unexpectedly %s",
+ message);
+ else if (TST_ERR == EPERM)
+ tst_res(TPASS,
+ "PR_CAP_AMBIENT_RAISE failed with EPERM %s", message);
+ else
+ tst_res(TFAIL | TERRNO,
+ "PR_CAP_AMBIENT_RAISE failed %s", message);
+ break;
+ }
+}
+
+static void check_cap_is_set(unsigned int cap, char *message, int val)
+{
+ TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0, 0));
+ if (TST_RET == 1)
+ tst_res(val ? TPASS : TFAIL,
+ "PR_CAP_AMBIENT_IS_SET %s in AmbientCap", message);
+ else if (TST_RET == 0)
+ tst_res(val ? TFAIL : TPASS,
+ "PR_CAP_AMBIENT_IS_SET %s not in AmbientCap", message);
+ else
+ tst_res(TFAIL | TERRNO, "PR_CAP_AMBIENT_IS_SET failed");
+}
+
+static void check_cap_lower(unsigned int cap, char *message)
+{
+ TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, cap, 0, 0, 0));
+ if (TST_RET == -1)
+ tst_res(TFAIL | TERRNO,
+ "PR_CAP_AMBIENT_LOWER %s failed", message);
+ else
+ tst_res(TPASS, "PR_CAP_AMBIENT_LOWER %s succeeded", message);
+}
+
+static void verify_prctl(void)
+{
+#ifdef HAVE_LIBCAP
+ cap_t caps = cap_init();
+
+ cap_value_t caplist[3] = {CAP_NET_RAW, CAP_NET_BIND_SERVICE, CAP_SETPCAP};
+ unsigned int numcaps = 3;
+
+ cap_set_flag(caps, CAP_EFFECTIVE, numcaps, caplist, CAP_SET);
+ cap_set_flag(caps, CAP_INHERITABLE, numcaps, caplist, CAP_SET);
+ cap_set_flag(caps, CAP_PERMITTED, numcaps, caplist, CAP_SET);
+ cap_set_proc(caps);
+
+ check_proc_capamb("At the beginning", 0);
+
+ cap_clear_flag(caps, CAP_INHERITABLE);
+ cap_set_proc(caps);
+ check_cap_raise(CAP_NET_BIND_SERVICE, "on non-inheritable cap", 1);
+
+ cap_set_flag(caps, CAP_INHERITABLE, numcaps, caplist, CAP_SET);
+ cap_clear_flag(caps, CAP_PERMITTED);
+ cap_set_proc(caps);
+ check_cap_raise(CAP_NET_RAW, "on non-permitted cap", 1);
+
+ cap_set_flag(caps, CAP_PERMITTED, numcaps, caplist, CAP_SET);
+ cap_set_proc(caps);
+ prctl(PR_SET_SECUREBITS, SECBIT_NO_CAP_AMBIENT_RAISE);
+ check_cap_raise(CAP_NET_BIND_SERVICE, "because of NO_RAISE_SECBIT set", 1);
+ prctl(PR_SET_SECUREBITS, 0);
+
+ check_cap_raise(CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERVICE", 0);
+ /*Even this cap has been in ambient set, raise succeeds and return 0*/
+ check_cap_raise(CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERIVCE twice", 0);
+
+ check_proc_capamb("After PR_CAP_AMBIENT_RAISE", 1);
+
+ check_cap_is_set(CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERVICE was", 1);
+ check_cap_is_set(CAP_NET_RAW, "CAP_NET_RAW was", 0);
+ /*move a cap what was not in ambient set, it also return 0*/
+ check_cap_lower(CAP_NET_RAW, "CAP_NET_RAW(it wasn't in ambient set)");
+ check_cap_lower(CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERVICE(it was in ambient set)");
+ check_proc_capamb("After PR_CAP_AMBIENT_LORWER", 0);
+
+ prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BIND_SERVICE, 0, 0, 0);
+ tst_res(TINFO, "raise cap for clear");
+ TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0, 0));
+ if (TST_RET == 0)
+ tst_res(TPASS, "PR_CAP_AMBIENT_CLEAR ALL succeeded");
+ else
+ tst_res(TFAIL | TERRNO, "PR_AMBIENT_CLEAR_ALL failed");
+
+ check_proc_capamb("After PR_CAP_AMBIENT_CLEAN_ALL", 2);
+
+ cap_free(caps);
+#else
+ tst_res(TCONF, "System doesn't have POSIX capabilities support");
+#endif
+}
+
+static void setup(void)
+{
+ TEST(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0, 0));
+ if (TST_RET == 0) {
+ tst_res(TINFO, "kernel supports PR_CAP_AMBIENT");
+ return;
+ }
+
+ if (TST_ERR == EINVAL)
+ tst_brk(TCONF, "kernel doesn't support PR_CAP_AMBIENT");
+
+ tst_brk(TBROK | TERRNO,
+ "current environment doesn't permit PR_CAP_AMBIENT");
+}
+
+static struct tst_test test = {
+ .setup = setup,
+ .test_all = verify_prctl,
+ .needs_root = 1,
+};
--
2.18.1
More information about the ltp
mailing list