cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

validate_cap.c (1844B)


      1// SPDX-License-Identifier: GPL-2.0
      2#include <cap-ng.h>
      3#include <linux/capability.h>
      4#include <stdbool.h>
      5#include <string.h>
      6#include <stdio.h>
      7#include <sys/prctl.h>
      8#include <sys/auxv.h>
      9
     10#include "../kselftest.h"
     11
     12#ifndef PR_CAP_AMBIENT
     13#define PR_CAP_AMBIENT			47
     14# define PR_CAP_AMBIENT_IS_SET		1
     15# define PR_CAP_AMBIENT_RAISE		2
     16# define PR_CAP_AMBIENT_LOWER		3
     17# define PR_CAP_AMBIENT_CLEAR_ALL	4
     18#endif
     19
     20#if __GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 19)
     21# define HAVE_GETAUXVAL
     22#endif
     23
     /*
      * Parse argv[i] as a strict boolean flag: "1" yields true, "0" yields
      * false. Any other string is reported via ksft_exit_fail_msg() with the
      * offending index; that helper is expected not to return (confirm in
      * kselftest.h), so the final return only gives every path a value.
      *
      * The caller must ensure argv[i] is a valid, non-NULL string.
      */
     static bool bool_arg(char **argv, int i)
     {
     	const char *flag = argv[i];

     	if (strcmp(flag, "0") == 0)
     		return false;
     	if (strcmp(flag, "1") == 0)
     		return true;

     	ksft_exit_fail_msg("wrong argv[%d]\n", i);
     	return false;
     }
     35
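     /*
      * Verify that this process holds CAP_NET_BIND_SERVICE in exactly the
      * capability sets the caller expects.
      *
      * argv[1..4] are strict "0"/"1" flags giving the expected state of the
      * effective, permitted, inheritable and ambient sets, in that order.
      *
      * Returns 0 when all four sets match and 1 on the first mismatch. Wrong
      * usage or a failed capability query is reported through
      * ksft_exit_fail_msg().
      */
     int main(int argc, char **argv)
     {
     	const char *atsec = "";
     	int ambient;

     	/*
     	 * Be careful just in case a setgid or setcapped copy of this
     	 * helper gets out: accept only the exact argument count and
     	 * strict "0"/"1" flags, and do nothing beyond querying and
     	 * reporting the capability state.
     	 */
     	if (argc != 5)
     		ksft_exit_fail_msg("wrong argc\n");

     #ifdef HAVE_GETAUXVAL
     	/* Record AT_SECURE so a failure message shows the exec mode. */
     	if (getauxval(AT_SECURE))
     		atsec = " (AT_SECURE is set)";
     	else
     		atsec = " (AT_SECURE is not set)";
     #endif

     	/*
     	 * A failed read must not be mistaken for "capability absent":
     	 * without this check an expectation of "0" could be satisfied
     	 * by whatever state libcap-ng holds after the failure.
     	 */
     	if (capng_get_caps_process() != 0)
     		ksft_exit_fail_msg("capng_get_caps_process failed%s\n", atsec);

     	if (capng_have_capability(CAPNG_EFFECTIVE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 1)) {
     		ksft_print_msg("Wrong effective state%s\n", atsec);
     		return 1;
     	}

     	if (capng_have_capability(CAPNG_PERMITTED, CAP_NET_BIND_SERVICE) != bool_arg(argv, 2)) {
     		ksft_print_msg("Wrong permitted state%s\n", atsec);
     		return 1;
     	}

     	if (capng_have_capability(CAPNG_INHERITABLE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 3)) {
     		ksft_print_msg("Wrong inheritable state%s\n", atsec);
     		return 1;
     	}

     	/*
     	 * prctl() reports errors as a negative value. Keep that apart
     	 * from a genuine 0/1 answer so a kernel that rejects the query
     	 * is not reported as a wrong ambient state.
     	 */
     	ambient = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_BIND_SERVICE, 0, 0, 0);
     	if (ambient < 0)
     		ksft_exit_fail_msg("PR_CAP_AMBIENT_IS_SET query failed%s\n", atsec);

     	if (ambient != bool_arg(argv, 4)) {
     		ksft_print_msg("Wrong ambient state%s\n", atsec);
     		return 1;
     	}

     	ksft_print_msg("%s: Capabilities after execve were correct\n",
     			"validate_cap:");
     	return 0;
     }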