1/******************************************************************************/ 2/* */ 3/* Copyright (c) International Business Machines Corp., 2007, 2008 */ 4/* */ 5/* This program is free software; you can redistribute it and/or modify */ 6/* it under the terms of the GNU General Public License as published by */ 7/* the Free Software Foundation; either version 2 of the License, or */ 8/* (at your option) any later version. */ 9/* */ 10/* This program is distributed in the hope that it will be useful, */ 11/* but WITHOUT ANY WARRANTY; without even the implied warranty of */ 12/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See */ 13/* the GNU General Public License for more details. */ 14/* */ 15/* You should have received a copy of the GNU General Public License */ 16/* along with this program; if not, write to the Free Software */ 17/* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ 18/* */ 19/******************************************************************************/ 20/* 21 * File: exec_with_inh.c 22 * Author: Serge Hallyn 23 * Make sure that CAP_SYS_ADMIN is in pI 24 * drop CAP_SYS_ADMIN from bounding set 25 * Then exec "check_pe 1" 26 * check_pe will return PASS if it has CAP_SYS_ADMIN in pE. 27 */ 28 29#include <errno.h> 30#include "config.h" 31#if HAVE_SYS_CAPABILITY_H 32#include <linux/types.h> 33#include <sys/capability.h> 34#endif 35#include <sys/prctl.h> 36#include "test.h" 37 38char *TCID = "exec_with_inh"; 39int TST_TOTAL = 1; 40 41int main(int argc, char *argv[]) 42{ 43#if HAVE_SYS_CAPABILITY_H 44#ifdef HAVE_LIBCAP 45 int ret = 1; 46 cap_flag_value_t f; 47 cap_t cur = 0; 48 49 /* Make sure CAP_SYS_ADMIN is in pI */ 50 cur = cap_from_text("all=eip"); 51 if (!cur) { 52 tst_brkm(TBROK, 53 NULL, 54 "Failed to create cap_sys_admin+i cap_t (errno %d)\n", 55 errno); 56 } 57 ret = cap_set_proc(cur); 58 if (ret) { 59 tst_brkm(TBROK, 60 NULL, 61 "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n", 62 ret, errno); 63 } 64 cap_free(cur); 65 cur = cap_get_proc(); 66 ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); 67 if (ret || f != CAP_SET) { 68 tst_brkm(TBROK, NULL, "Failed to add CAP_SYS_ADMIN to pI\n"); 69 } 70 cap_free(cur); 71 72 /* drop the capability from bounding set */ 73 ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN); 74 if (ret) { 75 tst_resm(TFAIL, 76 "Failed to drop CAP_SYS_ADMIN from bounding set.\n"); 77 tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno); 78 tst_exit(); 79 } 80 81 /* execute "check_pe 1" */ 82 execl("check_pe", "check_pe", "1", NULL); 83 tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno); 84#else /* HAVE_LIBCAP */ 85 tst_resm(TCONF, "System doesn't have POSIX capabilities."); 86#endif 87#else /* HAVE_SYS_CAPABILITY_H */ 88 tst_resm(TCONF, "System doesn't have sys/capability.h."); 89#endif 90 tst_exit(); 91} 92