1/******************************************************************************/
2/*                                                                            */
3/* Copyright (c) International Business Machines  Corp., 2007, 2008           */
4/*                                                                            */
5/* This program is free software;  you can redistribute it and/or modify      */
6/* it under the terms of the GNU General Public License as published by       */
7/* the Free Software Foundation; either version 2 of the License, or          */
8/* (at your option) any later version.                                        */
9/*                                                                            */
10/* This program is distributed in the hope that it will be useful,            */
11/* but WITHOUT ANY WARRANTY;  without even the implied warranty of            */
12/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See                  */
13/* the GNU General Public License for more details.                           */
14/*                                                                            */
15/* You should have received a copy of the GNU General Public License          */
16/* along with this program;  if not, write to the Free Software               */
17/* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    */
18/*                                                                            */
19/******************************************************************************/
20/*
21 * File: exec_with_inh.c
22 * Author: Serge Hallyn
23 * Make sure that CAP_SYS_ADMIN is in pI
24 * drop CAP_SYS_ADMIN from bounding set
25 * Then exec "check_pe 1"
26 * check_pe will return PASS if it has CAP_SYS_ADMIN in pE.
27 */
28
29#include <errno.h>
30#include "config.h"
31#if HAVE_SYS_CAPABILITY_H
32#include <linux/types.h>
33#include <sys/capability.h>
34#endif
35#include <sys/prctl.h>
36#include "test.h"
37
38char *TCID = "exec_with_inh";
39int TST_TOTAL = 1;
40
41int main(int argc, char *argv[])
42{
43#if HAVE_SYS_CAPABILITY_H
44#ifdef HAVE_LIBCAP
45	int ret = 1;
46	cap_flag_value_t f;
47	cap_t cur = 0;
48
49	/* Make sure CAP_SYS_ADMIN is in pI */
50	cur = cap_from_text("all=eip");
51	if (!cur) {
52		tst_brkm(TBROK,
53			 NULL,
54			 "Failed to create cap_sys_admin+i cap_t (errno %d)\n",
55			 errno);
56	}
57	ret = cap_set_proc(cur);
58	if (ret) {
59		tst_brkm(TBROK,
60			 NULL,
61			 "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n",
62			 ret, errno);
63	}
64	cap_free(cur);
65	cur = cap_get_proc();
66	ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
67	if (ret || f != CAP_SET) {
68		tst_brkm(TBROK, NULL, "Failed to add CAP_SYS_ADMIN to pI\n");
69	}
70	cap_free(cur);
71
72	/* drop the capability from bounding set */
73	ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN);
74	if (ret) {
75		tst_resm(TFAIL,
76			 "Failed to drop CAP_SYS_ADMIN from bounding set.\n");
77		tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno);
78		tst_exit();
79	}
80
81	/* execute "check_pe 1" */
82	execl("check_pe", "check_pe", "1", NULL);
83	tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno);
84#else /* HAVE_LIBCAP */
85	tst_resm(TCONF, "System doesn't have POSIX capabilities.");
86#endif
87#else /* HAVE_SYS_CAPABILITY_H */
88	tst_resm(TCONF, "System doesn't have sys/capability.h.");
89#endif
90	tst_exit();
91}
92