1 /*-
2 * Copyright (c) 2020 Mariusz Zaborski <oshogbo@FreeBSD.org>
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
14 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
15 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
17 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
18 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
19 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
21 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
22 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
23 * POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include <sys/param.h>
27 #include <sys/socket.h>
28 #include <netinet/in.h>
29 #include <arpa/inet.h>
30
31 #include <errno.h>
32 #include <netdb.h>
33
34 #include <atf-c.h>
35
36 #include <libcasper.h>
37 #include <casper/cap_net.h>
38
39 #define TEST_DOMAIN_0 "example.com"
40 #define TEST_DOMAIN_1 "freebsd.org"
41 #define TEST_IPV4 "1.1.1.1"
42 #define TEST_IPV6 "2001:4860:4860::8888"
43 #define TEST_BIND_IPV4 "127.0.0.1"
44 #define TEST_PORT 80
45 #define TEST_PORT_STR "80"
46
47 static cap_channel_t *
create_network_service(void)48 create_network_service(void)
49 {
50 cap_channel_t *capcas, *capnet;
51
52 capcas = cap_init();
53 ATF_REQUIRE(capcas != NULL);
54
55 capnet = cap_service_open(capcas, "system.net");
56 ATF_REQUIRE(capnet != NULL);
57
58 cap_close(capcas);
59 return (capnet);
60 }
61
62 static int
test_getnameinfo_v4(cap_channel_t * chan,int family,const char * ip)63 test_getnameinfo_v4(cap_channel_t *chan, int family, const char *ip)
64 {
65 struct sockaddr_in ipaddr;
66 char capfn[MAXHOSTNAMELEN];
67 char origfn[MAXHOSTNAMELEN];
68 int capret, sysret;
69
70 memset(&ipaddr, 0, sizeof(ipaddr));
71 ipaddr.sin_family = family;
72 inet_pton(family, ip, &ipaddr.sin_addr);
73
74 capret = cap_getnameinfo(chan, (struct sockaddr *)&ipaddr, sizeof(ipaddr),
75 capfn, sizeof(capfn), NULL, 0, NI_NAMEREQD);
76 if (capret != 0 && capret == ENOTCAPABLE)
77 return (ENOTCAPABLE);
78
79 sysret = getnameinfo((struct sockaddr *)&ipaddr, sizeof(ipaddr), origfn,
80 sizeof(origfn), NULL, 0, NI_NAMEREQD);
81 if (sysret != 0) {
82 atf_tc_skip("getnameinfo(%s) failed: %s",
83 ip, gai_strerror(sysret));
84 }
85 ATF_REQUIRE(capret == 0);
86 ATF_REQUIRE(strcmp(origfn, capfn) == 0);
87
88 return (0);
89 }
90
91 static int
test_getnameinfo_v6(cap_channel_t * chan,const char * ip)92 test_getnameinfo_v6(cap_channel_t *chan, const char *ip)
93 {
94 struct sockaddr_in6 ipaddr;
95 char capfn[MAXHOSTNAMELEN];
96 char origfn[MAXHOSTNAMELEN];
97 int capret, sysret;
98
99 memset(&ipaddr, 0, sizeof(ipaddr));
100 ipaddr.sin6_family = AF_INET6;
101 inet_pton(AF_INET6, ip, &ipaddr.sin6_addr);
102
103 capret = cap_getnameinfo(chan, (struct sockaddr *)&ipaddr, sizeof(ipaddr),
104 capfn, sizeof(capfn), NULL, 0, NI_NAMEREQD);
105 if (capret != 0 && capret == ENOTCAPABLE)
106 return (ENOTCAPABLE);
107
108 sysret = getnameinfo((struct sockaddr *)&ipaddr, sizeof(ipaddr), origfn,
109 sizeof(origfn), NULL, 0, NI_NAMEREQD);
110 if (sysret != 0) {
111 atf_tc_skip("getnameinfo(%s) failed: %s",
112 ip, gai_strerror(sysret));
113 }
114 ATF_REQUIRE(capret == 0);
115 ATF_REQUIRE(strcmp(origfn, capfn) == 0);
116
117 return (0);
118 }
119
120 static int
test_getnameinfo(cap_channel_t * chan,int family,const char * ip)121 test_getnameinfo(cap_channel_t *chan, int family, const char *ip)
122 {
123
124 if (family == AF_INET6) {
125 return (test_getnameinfo_v6(chan, ip));
126 }
127
128 return (test_getnameinfo_v4(chan, family, ip));
129 }
130
131 static int
test_gethostbyaddr_v4(cap_channel_t * chan,int family,const char * ip)132 test_gethostbyaddr_v4(cap_channel_t *chan, int family, const char *ip)
133 {
134 struct in_addr ipaddr;
135 struct hostent *caphp, *orighp;
136
137 memset(&ipaddr, 0, sizeof(ipaddr));
138 inet_pton(AF_INET, ip, &ipaddr);
139
140 caphp = cap_gethostbyaddr(chan, &ipaddr, sizeof(ipaddr), family);
141 if (caphp == NULL && h_errno == ENOTCAPABLE)
142 return (ENOTCAPABLE);
143
144 orighp = gethostbyaddr(&ipaddr, sizeof(ipaddr), family);
145 if (orighp == NULL)
146 atf_tc_skip("gethostbyaddr(%s) failed", ip);
147 ATF_REQUIRE(caphp != NULL);
148 ATF_REQUIRE(strcmp(orighp->h_name, caphp->h_name) == 0);
149
150 return (0);
151 }
152
153 static int
test_gethostbyaddr_v6(cap_channel_t * chan,const char * ip)154 test_gethostbyaddr_v6(cap_channel_t *chan, const char *ip)
155 {
156 struct in6_addr ipaddr;
157 struct hostent *caphp, *orighp;
158
159 memset(&ipaddr, 0, sizeof(ipaddr));
160 inet_pton(AF_INET6, ip, &ipaddr);
161
162 caphp = cap_gethostbyaddr(chan, &ipaddr, sizeof(ipaddr), AF_INET6);
163 if (caphp == NULL && h_errno == ENOTCAPABLE)
164 return (ENOTCAPABLE);
165
166 orighp = gethostbyaddr(&ipaddr, sizeof(ipaddr), AF_INET6);
167 if (orighp == NULL)
168 atf_tc_skip("gethostbyaddr(%s) failed", ip);
169 ATF_REQUIRE(caphp != NULL);
170 ATF_REQUIRE(strcmp(orighp->h_name, caphp->h_name) == 0);
171
172 return (0);
173 }
174
175 static int
test_gethostbyaddr(cap_channel_t * chan,int family,const char * ip)176 test_gethostbyaddr(cap_channel_t *chan, int family, const char *ip)
177 {
178
179 if (family == AF_INET6) {
180 return (test_gethostbyaddr_v6(chan, ip));
181 } else {
182 return (test_gethostbyaddr_v4(chan, family, ip));
183 }
184 }
185
186 static int
test_getaddrinfo(cap_channel_t * chan,int family,const char * domain,const char * servname)187 test_getaddrinfo(cap_channel_t *chan, int family, const char *domain,
188 const char *servname)
189 {
190 struct addrinfo hints, *capres, *origres, *res0, *res1;
191 bool found;
192 int capret, sysret;
193
194 memset(&hints, 0, sizeof(hints));
195 hints.ai_family = family;
196 hints.ai_socktype = SOCK_STREAM;
197
198 capret = cap_getaddrinfo(chan, domain, servname, &hints, &capres);
199 if (capret != 0 && capret == ENOTCAPABLE)
200 return (capret);
201
202 sysret = getaddrinfo(domain, servname, &hints, &origres);
203 if (sysret != 0)
204 atf_tc_skip("getaddrinfo(%s) failed: %s",
205 domain, gai_strerror(sysret));
206 ATF_REQUIRE(capret == 0);
207
208 for (res0 = capres; res0 != NULL; res0 = res0->ai_next) {
209 found = false;
210 for (res1 = origres; res1 != NULL; res1 = res1->ai_next) {
211 if (res1->ai_addrlen == res0->ai_addrlen &&
212 memcmp(res1->ai_addr, res0->ai_addr,
213 res0->ai_addrlen) == 0) {
214 found = true;
215 break;
216 }
217 }
218 ATF_REQUIRE(found);
219 }
220
221 freeaddrinfo(capres);
222 freeaddrinfo(origres);
223 return (0);
224 }
225
226 static int
test_gethostbyname(cap_channel_t * chan,int family,const char * domain)227 test_gethostbyname(cap_channel_t *chan, int family, const char *domain)
228 {
229 struct hostent *caphp, *orighp;
230
231 caphp = cap_gethostbyname2(chan, domain, family);
232 if (caphp == NULL && h_errno == ENOTCAPABLE)
233 return (h_errno);
234
235 orighp = gethostbyname2(domain, family);
236 if (orighp == NULL)
237 atf_tc_skip("gethostbyname2(%s) failed", domain);
238
239 ATF_REQUIRE(caphp != NULL);
240 ATF_REQUIRE(strcmp(caphp->h_name, orighp->h_name) == 0);
241 return (0);
242 }
243
244 static int
test_bind(cap_channel_t * chan,const char * ip)245 test_bind(cap_channel_t *chan, const char *ip)
246 {
247 struct sockaddr_in ipv4;
248 int capfd, ret, serrno;
249
250 capfd = socket(AF_INET, SOCK_STREAM, 0);
251 ATF_REQUIRE(capfd > 0);
252
253 memset(&ipv4, 0, sizeof(ipv4));
254 ipv4.sin_family = AF_INET;
255 inet_pton(AF_INET, ip, &ipv4.sin_addr);
256
257 ret = cap_bind(chan, capfd, (struct sockaddr *)&ipv4, sizeof(ipv4));
258 serrno = errno;
259 close(capfd);
260
261 return (ret < 0 ? serrno : 0);
262 }
263
264 static int
test_connect(cap_channel_t * chan,const char * ip,unsigned short port)265 test_connect(cap_channel_t *chan, const char *ip, unsigned short port)
266 {
267 struct sockaddr_in ipv4;
268 int capfd, ret, serrno;
269
270 capfd = socket(AF_INET, SOCK_STREAM, 0);
271 ATF_REQUIRE(capfd >= 0);
272
273 memset(&ipv4, 0, sizeof(ipv4));
274 ipv4.sin_family = AF_INET;
275 ipv4.sin_port = htons(port);
276 inet_pton(AF_INET, ip, &ipv4.sin_addr);
277
278 ret = cap_connect(chan, capfd, (struct sockaddr *)&ipv4, sizeof(ipv4));
279 serrno = errno;
280 ATF_REQUIRE(close(capfd) == 0);
281
282 if (ret < 0 && serrno != ENOTCAPABLE) {
283 int sd;
284
285 /*
286 * If the connection failed, it might be because we can't reach
287 * the destination host. To check, try a plain connect() and
288 * see if it fails with the same error.
289 */
290 sd = socket(AF_INET, SOCK_STREAM, 0);
291 ATF_REQUIRE(sd >= 0);
292
293 memset(&ipv4, 0, sizeof(ipv4));
294 ipv4.sin_family = AF_INET;
295 ipv4.sin_port = htons(port);
296 inet_pton(AF_INET, ip, &ipv4.sin_addr);
297 ret = connect(sd, (struct sockaddr *)&ipv4, sizeof(ipv4));
298 ATF_REQUIRE(ret < 0);
299 ATF_REQUIRE_MSG(errno == serrno, "errno %d != serrno %d",
300 errno, serrno);
301 ATF_REQUIRE(close(sd) == 0);
302 atf_tc_skip("connect(%s:%d) failed: %s",
303 ip, port, strerror(serrno));
304 }
305
306 return (ret < 0 ? serrno : 0);
307 }
308
309 static void
test_extend_mode(cap_channel_t * capnet,int current)310 test_extend_mode(cap_channel_t *capnet, int current)
311 {
312 cap_net_limit_t *limit;
313 const int rights[] = {
314 CAPNET_ADDR2NAME,
315 CAPNET_NAME2ADDR,
316 CAPNET_DEPRECATED_ADDR2NAME,
317 CAPNET_DEPRECATED_NAME2ADDR,
318 CAPNET_CONNECT,
319 CAPNET_BIND,
320 CAPNET_CONNECTDNS
321 };
322 size_t i;
323
324 for (i = 0; i < nitems(rights); i++) {
325 if (current == rights[i])
326 continue;
327
328 limit = cap_net_limit_init(capnet, current | rights[i]);
329 ATF_REQUIRE(limit != NULL);
330 ATF_REQUIRE(cap_net_limit(limit) != 0);
331 }
332 }
333
334 ATF_TC(capnet__getnameinfo);
ATF_TC_HEAD(capnet__getnameinfo,tc)335 ATF_TC_HEAD(capnet__getnameinfo, tc)
336 {
337 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
338 }
ATF_TC_BODY(capnet__getnameinfo,tc)339 ATF_TC_BODY(capnet__getnameinfo, tc)
340 {
341 cap_channel_t *capnet;
342
343 capnet = create_network_service();
344
345 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) == 0);
346 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET6, TEST_IPV6) == 0);
347
348 cap_close(capnet);
349 }
350
351 ATF_TC(capnet__connect);
ATF_TC_HEAD(capnet__connect,tc)352 ATF_TC_HEAD(capnet__connect, tc)
353 {
354 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
355 }
ATF_TC_BODY(capnet__connect,tc)356 ATF_TC_BODY(capnet__connect, tc)
357 {
358 cap_channel_t *capnet;
359
360 capnet = create_network_service();
361
362 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == 0);
363
364 cap_close(capnet);
365 }
366
367 ATF_TC(capnet__bind);
ATF_TC_HEAD(capnet__bind,tc)368 ATF_TC_HEAD(capnet__bind, tc)
369 {
370 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
371 }
ATF_TC_BODY(capnet__bind,tc)372 ATF_TC_BODY(capnet__bind, tc)
373 {
374 cap_channel_t *capnet;
375
376 capnet = create_network_service();
377
378 ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == 0);
379
380 cap_close(capnet);
381 }
382
383 ATF_TC(capnet__getaddrinfo);
ATF_TC_HEAD(capnet__getaddrinfo,tc)384 ATF_TC_HEAD(capnet__getaddrinfo, tc)
385 {
386 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
387 }
ATF_TC_BODY(capnet__getaddrinfo,tc)388 ATF_TC_BODY(capnet__getaddrinfo, tc)
389 {
390 cap_channel_t *capnet;
391 struct addrinfo hints, *capres;
392
393 capnet = create_network_service();
394
395 memset(&hints, 0, sizeof(hints));
396 hints.ai_family = AF_INET;
397 hints.ai_socktype = SOCK_STREAM;
398
399 ATF_REQUIRE(cap_getaddrinfo(capnet, TEST_IPV4, "80", &hints, &capres) ==
400 0);
401
402 cap_close(capnet);
403 }
404
405 ATF_TC(capnet__gethostbyname);
ATF_TC_HEAD(capnet__gethostbyname,tc)406 ATF_TC_HEAD(capnet__gethostbyname, tc)
407 {
408 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
409 }
ATF_TC_BODY(capnet__gethostbyname,tc)410 ATF_TC_BODY(capnet__gethostbyname, tc)
411 {
412 cap_channel_t *capnet;
413
414 capnet = create_network_service();
415
416 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == 0);
417
418 cap_close(capnet);
419 }
420
421 ATF_TC(capnet__gethostbyaddr);
ATF_TC_HEAD(capnet__gethostbyaddr,tc)422 ATF_TC_HEAD(capnet__gethostbyaddr, tc)
423 {
424 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
425 }
ATF_TC_BODY(capnet__gethostbyaddr,tc)426 ATF_TC_BODY(capnet__gethostbyaddr, tc)
427 {
428 cap_channel_t *capnet;
429
430 capnet = create_network_service();
431
432 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) == 0);
433 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET6, TEST_IPV6) == 0);
434
435 cap_close(capnet);
436 }
437
438 ATF_TC(capnet__getnameinfo_buffer);
ATF_TC_HEAD(capnet__getnameinfo_buffer,tc)439 ATF_TC_HEAD(capnet__getnameinfo_buffer, tc)
440 {
441 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
442 }
ATF_TC_BODY(capnet__getnameinfo_buffer,tc)443 ATF_TC_BODY(capnet__getnameinfo_buffer, tc)
444 {
445 cap_channel_t *chan;
446 struct sockaddr_in sin;
447 int ret;
448 struct {
449 char host[sizeof(TEST_IPV4)];
450 char host_canary;
451 char serv[sizeof(TEST_PORT_STR)];
452 char serv_canary;
453 } buffers;
454
455 memset(&sin, 0, sizeof(sin));
456 sin.sin_family = AF_INET;
457 sin.sin_port = htons(TEST_PORT);
458 ret = inet_pton(AF_INET, TEST_IPV4, &sin.sin_addr);
459 ATF_REQUIRE_EQ(1, ret);
460
461 memset(&buffers, '!', sizeof(buffers));
462
463 chan = create_network_service();
464 ret = cap_getnameinfo(chan, (struct sockaddr *)&sin, sizeof(sin),
465 buffers.host, sizeof(buffers.host),
466 buffers.serv, sizeof(buffers.serv),
467 NI_NUMERICHOST | NI_NUMERICSERV);
468 ATF_REQUIRE_EQ_MSG(0, ret, "%d", ret);
469
470 // Verify that cap_getnameinfo worked with minimally sized buffers.
471 ATF_CHECK_EQ(0, strcmp(TEST_IPV4, buffers.host));
472 ATF_CHECK_EQ(0, strcmp(TEST_PORT_STR, buffers.serv));
473
474 // Verify that cap_getnameinfo did not overflow the buffers.
475 ATF_CHECK_EQ('!', buffers.host_canary);
476 ATF_CHECK_EQ('!', buffers.serv_canary);
477
478 cap_close(chan);
479 }
480
481 ATF_TC(capnet__limits_addr2name_mode);
ATF_TC_HEAD(capnet__limits_addr2name_mode,tc)482 ATF_TC_HEAD(capnet__limits_addr2name_mode, tc)
483 {
484 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
485 }
ATF_TC_BODY(capnet__limits_addr2name_mode,tc)486 ATF_TC_BODY(capnet__limits_addr2name_mode, tc)
487 {
488 cap_channel_t *capnet;
489 cap_net_limit_t *limit;
490
491 capnet = create_network_service();
492
493 /* LIMIT */
494 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
495 ATF_REQUIRE(limit != NULL);
496 ATF_REQUIRE(cap_net_limit(limit) == 0);
497
498 /* ALLOWED */
499 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) == 0);
500
501 /* DISALLOWED */
502 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) ==
503 ENOTCAPABLE);
504 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) ==
505 ENOTCAPABLE);
506 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
507 ENOTCAPABLE);
508 ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == ENOTCAPABLE);
509 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == ENOTCAPABLE);
510
511 test_extend_mode(capnet, CAPNET_ADDR2NAME);
512
513 cap_close(capnet);
514 }
515
516 ATF_TC(capnet__limits_addr2name_family);
ATF_TC_HEAD(capnet__limits_addr2name_family,tc)517 ATF_TC_HEAD(capnet__limits_addr2name_family, tc)
518 {
519 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
520 }
ATF_TC_BODY(capnet__limits_addr2name_family,tc)521 ATF_TC_BODY(capnet__limits_addr2name_family, tc)
522 {
523 cap_channel_t *capnet;
524 cap_net_limit_t *limit;
525 int family[] = { AF_INET6, AF_INET };
526
527 capnet = create_network_service();
528
529 /* Limit to AF_INET6 and AF_INET. */
530 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
531 ATF_REQUIRE(limit != NULL);
532 cap_net_limit_addr2name_family(limit, family, nitems(family));
533 ATF_REQUIRE(cap_net_limit(limit) == 0);
534
535 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) == 0);
536 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET6, TEST_IPV6) == 0);
537
538 /* Limit to AF_INET6 and AF_INET. */
539 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
540 ATF_REQUIRE(limit != NULL);
541 cap_net_limit_addr2name_family(limit, &family[0], 1);
542 cap_net_limit_addr2name_family(limit, &family[1], 1);
543 ATF_REQUIRE(cap_net_limit(limit) == 0);
544
545 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) == 0);
546 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET6, TEST_IPV6) == 0);
547
548 /* Limit to AF_INET6. */
549 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
550 ATF_REQUIRE(limit != NULL);
551 cap_net_limit_addr2name_family(limit, family, 1);
552 ATF_REQUIRE(cap_net_limit(limit) == 0);
553
554 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) ==
555 ENOTCAPABLE);
556 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET6, TEST_IPV6) == 0);
557
558 /* Unable to set empty limits. Empty limits means full access. */
559 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
560 ATF_REQUIRE(cap_net_limit(limit) != 0);
561
562 cap_close(capnet);
563 }
564
565 ATF_TC(capnet__limits_addr2name);
ATF_TC_HEAD(capnet__limits_addr2name,tc)566 ATF_TC_HEAD(capnet__limits_addr2name, tc)
567 {
568 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
569 }
ATF_TC_BODY(capnet__limits_addr2name,tc)570 ATF_TC_BODY(capnet__limits_addr2name, tc)
571 {
572 cap_channel_t *capnet;
573 cap_net_limit_t *limit;
574 struct sockaddr_in ipaddrv4;
575 struct sockaddr_in6 ipaddrv6;
576
577 capnet = create_network_service();
578
579 /* Limit to TEST_IPV4 and TEST_IPV6. */
580 memset(&ipaddrv4, 0, sizeof(ipaddrv4));
581 memset(&ipaddrv6, 0, sizeof(ipaddrv6));
582
583 ipaddrv4.sin_family = AF_INET;
584 inet_pton(AF_INET, TEST_IPV4, &ipaddrv4.sin_addr);
585
586 ipaddrv6.sin6_family = AF_INET6;
587 inet_pton(AF_INET6, TEST_IPV6, &ipaddrv6.sin6_addr);
588
589 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
590 ATF_REQUIRE(limit != NULL);
591
592 cap_net_limit_addr2name(limit, (struct sockaddr *)&ipaddrv4,
593 sizeof(ipaddrv4));
594 cap_net_limit_addr2name(limit, (struct sockaddr *)&ipaddrv6,
595 sizeof(ipaddrv6));
596 ATF_REQUIRE(cap_net_limit(limit) == 0);
597
598 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) == 0);
599 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET6, TEST_IPV6) == 0);
600 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, "127.0.0.1") ==
601 ENOTCAPABLE);
602
603 /* Limit to AF_INET. */
604 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
605 ATF_REQUIRE(limit != NULL);
606 cap_net_limit_addr2name(limit, (struct sockaddr *)&ipaddrv4,
607 sizeof(ipaddrv4));
608 ATF_REQUIRE(cap_net_limit(limit) == 0);
609
610 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) == 0);
611 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET6, TEST_IPV6) ==
612 ENOTCAPABLE);
613 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, "127.0.0.1") ==
614 ENOTCAPABLE);
615
616 /* Unable to set empty limits. Empty limits means full access. */
617 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
618 ATF_REQUIRE(cap_net_limit(limit) != 0);
619
620 cap_close(capnet);
621 }
622
623 ATF_TC(capnet__limits_deprecated_addr2name_mode);
ATF_TC_HEAD(capnet__limits_deprecated_addr2name_mode,tc)624 ATF_TC_HEAD(capnet__limits_deprecated_addr2name_mode, tc)
625 {
626 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
627 }
ATF_TC_BODY(capnet__limits_deprecated_addr2name_mode,tc)628 ATF_TC_BODY(capnet__limits_deprecated_addr2name_mode, tc)
629 {
630 cap_channel_t *capnet;
631 cap_net_limit_t *limit;
632
633 capnet = create_network_service();
634
635 /* LIMIT */
636 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_ADDR2NAME);
637 ATF_REQUIRE(limit != NULL);
638 ATF_REQUIRE(cap_net_limit(limit) == 0);
639
640 /* ALLOWED */
641 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) == 0);
642
643 /* DISALLOWED */
644 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) ==
645 ENOTCAPABLE);
646 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) ==
647 ENOTCAPABLE);
648 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
649 ENOTCAPABLE);
650 ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == ENOTCAPABLE);
651 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == ENOTCAPABLE);
652
653 cap_close(capnet);
654 }
655
656 ATF_TC(capnet__limits_deprecated_addr2name_family);
ATF_TC_HEAD(capnet__limits_deprecated_addr2name_family,tc)657 ATF_TC_HEAD(capnet__limits_deprecated_addr2name_family, tc)
658 {
659 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
660 }
ATF_TC_BODY(capnet__limits_deprecated_addr2name_family,tc)661 ATF_TC_BODY(capnet__limits_deprecated_addr2name_family, tc)
662 {
663 cap_channel_t *capnet;
664 cap_net_limit_t *limit;
665 int family[] = { AF_INET6, AF_INET };
666
667 capnet = create_network_service();
668
669 /* Limit to AF_INET6 and AF_INET. */
670 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_ADDR2NAME);
671 ATF_REQUIRE(limit != NULL);
672 cap_net_limit_addr2name_family(limit, family, nitems(family));
673 ATF_REQUIRE(cap_net_limit(limit) == 0);
674
675 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) == 0);
676 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET6, TEST_IPV6) == 0);
677 ATF_REQUIRE(test_gethostbyaddr(capnet, PF_LINK, TEST_IPV4) ==
678 ENOTCAPABLE);
679
680 /* Limit to AF_INET6 and AF_INET. */
681 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_ADDR2NAME);
682 ATF_REQUIRE(limit != NULL);
683 cap_net_limit_addr2name_family(limit, &family[0], 1);
684 cap_net_limit_addr2name_family(limit, &family[1], 1);
685 ATF_REQUIRE(cap_net_limit(limit) == 0);
686
687 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) == 0);
688 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET6, TEST_IPV6) == 0);
689 ATF_REQUIRE(test_gethostbyaddr(capnet, PF_LINK, TEST_IPV4) ==
690 ENOTCAPABLE);
691
692 /* Limit to AF_INET6. */
693 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_ADDR2NAME);
694 ATF_REQUIRE(limit != NULL);
695 cap_net_limit_addr2name_family(limit, family, 1);
696 ATF_REQUIRE(cap_net_limit(limit) == 0);
697
698 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) ==
699 ENOTCAPABLE);
700 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET6, TEST_IPV6) == 0);
701 ATF_REQUIRE(test_gethostbyaddr(capnet, PF_LINK, TEST_IPV4) ==
702 ENOTCAPABLE);
703
704 /* Unable to set empty limits. Empty limits means full access. */
705 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_ADDR2NAME);
706 ATF_REQUIRE(cap_net_limit(limit) != 0);
707
708 cap_close(capnet);
709 }
710
711 ATF_TC(capnet__limits_deprecated_addr2name);
ATF_TC_HEAD(capnet__limits_deprecated_addr2name,tc)712 ATF_TC_HEAD(capnet__limits_deprecated_addr2name, tc)
713 {
714 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
715 }
ATF_TC_BODY(capnet__limits_deprecated_addr2name,tc)716 ATF_TC_BODY(capnet__limits_deprecated_addr2name, tc)
717 {
718 cap_channel_t *capnet;
719 cap_net_limit_t *limit;
720 struct in_addr ipaddrv4;
721 struct in6_addr ipaddrv6;
722
723 capnet = create_network_service();
724
725 /* Limit to TEST_IPV4 and TEST_IPV6. */
726 memset(&ipaddrv4, 0, sizeof(ipaddrv4));
727 memset(&ipaddrv6, 0, sizeof(ipaddrv6));
728
729 inet_pton(AF_INET, TEST_IPV4, &ipaddrv4);
730 inet_pton(AF_INET6, TEST_IPV6, &ipaddrv6);
731
732 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_ADDR2NAME);
733 ATF_REQUIRE(limit != NULL);
734
735 cap_net_limit_addr2name(limit, (struct sockaddr *)&ipaddrv4,
736 sizeof(ipaddrv4));
737 cap_net_limit_addr2name(limit, (struct sockaddr *)&ipaddrv6,
738 sizeof(ipaddrv6));
739 ATF_REQUIRE(cap_net_limit(limit) == 0);
740
741 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) == 0);
742 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET6, TEST_IPV6) == 0);
743 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, "127.0.0.1") ==
744 ENOTCAPABLE);
745
746 /* Limit to AF_INET. */
747 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_ADDR2NAME);
748 ATF_REQUIRE(limit != NULL);
749 cap_net_limit_addr2name(limit, (struct sockaddr *)&ipaddrv4,
750 sizeof(ipaddrv4));
751 ATF_REQUIRE(cap_net_limit(limit) == 0);
752
753 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) == 0);
754 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET6, TEST_IPV6) ==
755 ENOTCAPABLE);
756 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, "127.0.0.1") ==
757 ENOTCAPABLE);
758
759 /* Unable to set empty limits. Empty limits means full access. */
760 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_ADDR2NAME);
761 ATF_REQUIRE(cap_net_limit(limit) != 0);
762
763 cap_close(capnet);
764 }
765
766
767 ATF_TC(capnet__limits_name2addr_mode);
ATF_TC_HEAD(capnet__limits_name2addr_mode,tc)768 ATF_TC_HEAD(capnet__limits_name2addr_mode, tc)
769 {
770 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
771 }
ATF_TC_BODY(capnet__limits_name2addr_mode,tc)772 ATF_TC_BODY(capnet__limits_name2addr_mode, tc)
773 {
774 cap_channel_t *capnet;
775 cap_net_limit_t *limit;
776
777 capnet = create_network_service();
778
779 /* LIMIT */
780 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
781 ATF_REQUIRE(limit != NULL);
782 ATF_REQUIRE(cap_net_limit(limit) == 0);
783
784 /* ALLOWED */
785 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
786 0);
787
788 /* DISALLOWED */
789 ATF_REQUIRE(
790 test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == ENOTCAPABLE);
791 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) ==
792 ENOTCAPABLE);
793 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) ==
794 ENOTCAPABLE);
795 ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == ENOTCAPABLE);
796 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == ENOTCAPABLE);
797
798 test_extend_mode(capnet, CAPNET_ADDR2NAME);
799
800 cap_close(capnet);
801 }
802
803 ATF_TC(capnet__limits_name2addr_hosts);
ATF_TC_HEAD(capnet__limits_name2addr_hosts,tc)804 ATF_TC_HEAD(capnet__limits_name2addr_hosts, tc)
805 {
806 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
807 }
ATF_TC_BODY(capnet__limits_name2addr_hosts,tc)808 ATF_TC_BODY(capnet__limits_name2addr_hosts, tc)
809 {
810 cap_channel_t *capnet;
811 cap_net_limit_t *limit;
812
813 capnet = create_network_service();
814
815 /* Limit to TEST_DOMAIN_0 and localhost only. */
816 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
817 ATF_REQUIRE(limit != NULL);
818 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
819 cap_net_limit_name2addr(limit, "localhost", NULL);
820 ATF_REQUIRE(cap_net_limit(limit) == 0);
821
822 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
823 0);
824 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, "localhost", NULL) == 0);
825 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_1, NULL) ==
826 ENOTCAPABLE);
827
828 /* Limit to TEST_DOMAIN_0 only. */
829 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
830 ATF_REQUIRE(limit != NULL);
831 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
832 ATF_REQUIRE(cap_net_limit(limit) == 0);
833
834 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, "localhost", NULL) ==
835 ENOTCAPABLE);
836 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_1, NULL) ==
837 ENOTCAPABLE);
838 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
839 0);
840
841 /* Unable to set empty limits. Empty limits means full access. */
842 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
843 ATF_REQUIRE(cap_net_limit(limit) != 0);
844
845 /* Try to extend the limit. */
846 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
847 ATF_REQUIRE(limit != NULL);
848 cap_net_limit_name2addr(limit, TEST_DOMAIN_1, NULL);
849 ATF_REQUIRE(cap_net_limit(limit) != 0);
850
851 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
852 ATF_REQUIRE(limit != NULL);
853 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
854 cap_net_limit_name2addr(limit, TEST_DOMAIN_1, NULL);
855 ATF_REQUIRE(cap_net_limit(limit) != 0);
856
857 cap_close(capnet);
858 }
859
860 ATF_TC(capnet__limits_name2addr_hosts_servnames_strict);
ATF_TC_HEAD(capnet__limits_name2addr_hosts_servnames_strict,tc)861 ATF_TC_HEAD(capnet__limits_name2addr_hosts_servnames_strict, tc)
862 {
863 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
864 }
ATF_TC_BODY(capnet__limits_name2addr_hosts_servnames_strict,tc)865 ATF_TC_BODY(capnet__limits_name2addr_hosts_servnames_strict, tc)
866 {
867 cap_channel_t *capnet;
868 cap_net_limit_t *limit;
869
870 capnet = create_network_service();
871
872 /*
873 * Limit to TEST_DOMAIN_0 and HTTP service.
874 */
875 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
876 ATF_REQUIRE(limit != NULL);
877 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, "http");
878 ATF_REQUIRE(cap_net_limit(limit) == 0);
879
880 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, "http") ==
881 0);
882 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
883 ENOTCAPABLE);
884 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, "snmp") ==
885 ENOTCAPABLE);
886 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_1, "http") ==
887 ENOTCAPABLE);
888
889 /* Unable to set empty limits. Empty limits means full access. */
890 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
891 ATF_REQUIRE(cap_net_limit(limit) != 0);
892
893 cap_close(capnet);
894 }
895
896 ATF_TC(capnet__limits_name2addr_hosts_servnames_mix);
ATF_TC_HEAD(capnet__limits_name2addr_hosts_servnames_mix,tc)897 ATF_TC_HEAD(capnet__limits_name2addr_hosts_servnames_mix, tc)
898 {
899 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
900 }
ATF_TC_BODY(capnet__limits_name2addr_hosts_servnames_mix,tc)901 ATF_TC_BODY(capnet__limits_name2addr_hosts_servnames_mix, tc)
902 {
903 cap_channel_t *capnet;
904 cap_net_limit_t *limit;
905
906 capnet = create_network_service();
907
908 /*
909 * Limit to TEST_DOMAIN_0 and any servnamex, and any domain with
910 * servname HTTP.
911 */
912 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
913 ATF_REQUIRE(limit != NULL);
914 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
915 cap_net_limit_name2addr(limit, NULL, "http");
916 ATF_REQUIRE(cap_net_limit(limit) == 0);
917
918 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, "http") ==
919 0);
920 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
921 0);
922 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_1, "http") ==
923 0);
924 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
925 0);
926 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_1, "snmp") ==
927 ENOTCAPABLE);
928
929 /* Limit to HTTP servname only. */
930 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
931 ATF_REQUIRE(limit != NULL);
932 cap_net_limit_name2addr(limit, NULL, "http");
933 ATF_REQUIRE(cap_net_limit(limit) == 0);
934
935 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, "http") ==
936 0);
937 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
938 ENOTCAPABLE);
939 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_1, "http") ==
940 0);
941 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
942 ENOTCAPABLE);
943 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_1, "snmp") ==
944 ENOTCAPABLE);
945
946 /* Unable to set empty limits. Empty limits means full access. */
947 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
948 ATF_REQUIRE(cap_net_limit(limit) != 0);
949
950 cap_close(capnet);
951 }
952
953 ATF_TC(capnet__limits_name2addr_family);
ATF_TC_HEAD(capnet__limits_name2addr_family,tc)954 ATF_TC_HEAD(capnet__limits_name2addr_family, tc)
955 {
956 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
957 }
ATF_TC_BODY(capnet__limits_name2addr_family,tc)958 ATF_TC_BODY(capnet__limits_name2addr_family, tc)
959 {
960 cap_channel_t *capnet;
961 cap_net_limit_t *limit;
962 int family[] = { AF_INET6, AF_INET };
963
964 capnet = create_network_service();
965
966 /* Limit to AF_INET and AF_INET6. */
967 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
968 ATF_REQUIRE(limit != NULL);
969 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
970 cap_net_limit_name2addr_family(limit, family, nitems(family));
971 ATF_REQUIRE(cap_net_limit(limit) == 0);
972
973 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
974 0);
975 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET6, TEST_DOMAIN_0, NULL) ==
976 0);
977 ATF_REQUIRE(test_getaddrinfo(capnet, PF_LINK, TEST_DOMAIN_0, NULL) ==
978 ENOTCAPABLE);
979
980 /* Limit to AF_INET and AF_INET6. */
981 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
982 ATF_REQUIRE(limit != NULL);
983 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
984 cap_net_limit_name2addr_family(limit, &family[0], 1);
985 cap_net_limit_name2addr_family(limit, &family[1], 1);
986 ATF_REQUIRE(cap_net_limit(limit) == 0);
987
988 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
989 0);
990 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET6, TEST_DOMAIN_0, NULL) ==
991 0);
992 ATF_REQUIRE(test_getaddrinfo(capnet, PF_LINK, TEST_DOMAIN_0, NULL) ==
993 ENOTCAPABLE);
994
995 /* Limit to AF_INET6 only. */
996 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
997 ATF_REQUIRE(limit != NULL);
998 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
999 cap_net_limit_name2addr_family(limit, family, 1);
1000 ATF_REQUIRE(cap_net_limit(limit) == 0);
1001
1002 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
1003 ENOTCAPABLE);
1004 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET6, TEST_DOMAIN_0, NULL) ==
1005 0);
1006 ATF_REQUIRE(test_getaddrinfo(capnet, PF_LINK, TEST_DOMAIN_0, NULL) ==
1007 ENOTCAPABLE);
1008
1009 /* Unable to set empty limits. Empty limits means full access. */
1010 limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR);
1011 ATF_REQUIRE(cap_net_limit(limit) != 0);
1012
1013 cap_close(capnet);
1014 }
1015
1016 ATF_TC(capnet__limits_deprecated_name2addr_mode);
ATF_TC_HEAD(capnet__limits_deprecated_name2addr_mode,tc)1017 ATF_TC_HEAD(capnet__limits_deprecated_name2addr_mode, tc)
1018 {
1019 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1020 }
ATF_TC_BODY(capnet__limits_deprecated_name2addr_mode,tc)1021 ATF_TC_BODY(capnet__limits_deprecated_name2addr_mode, tc)
1022 {
1023 cap_channel_t *capnet;
1024 cap_net_limit_t *limit;
1025
1026 capnet = create_network_service();
1027
1028 /* LIMIT */
1029 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_NAME2ADDR);
1030 ATF_REQUIRE(limit != NULL);
1031 ATF_REQUIRE(cap_net_limit(limit) == 0);
1032
1033 /* ALLOWED */
1034 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == 0);
1035
1036 /* DISALLOWED */
1037 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) ==
1038 ENOTCAPABLE);
1039 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) ==
1040 ENOTCAPABLE);
1041 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
1042 ENOTCAPABLE);
1043 ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == ENOTCAPABLE);
1044 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == ENOTCAPABLE);
1045
1046 test_extend_mode(capnet, CAPNET_ADDR2NAME);
1047
1048 cap_close(capnet);
1049 }
1050
1051 ATF_TC(capnet__limits_deprecated_name2addr_hosts);
ATF_TC_HEAD(capnet__limits_deprecated_name2addr_hosts,tc)1052 ATF_TC_HEAD(capnet__limits_deprecated_name2addr_hosts, tc)
1053 {
1054 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1055 }
ATF_TC_BODY(capnet__limits_deprecated_name2addr_hosts,tc)1056 ATF_TC_BODY(capnet__limits_deprecated_name2addr_hosts, tc)
1057 {
1058 cap_channel_t *capnet;
1059 cap_net_limit_t *limit;
1060
1061 capnet = create_network_service();
1062
1063 /* Limit to TEST_DOMAIN_0 and localhost only. */
1064 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_NAME2ADDR);
1065 ATF_REQUIRE(limit != NULL);
1066 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
1067 cap_net_limit_name2addr(limit, "localhost", NULL);
1068 ATF_REQUIRE(cap_net_limit(limit) == 0);
1069
1070 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == 0);
1071 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET, "localhost") == 0);
1072 ATF_REQUIRE(
1073 test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_1) == ENOTCAPABLE);
1074
1075 /* Limit to TEST_DOMAIN_0 only. */
1076 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_NAME2ADDR);
1077 ATF_REQUIRE(limit != NULL);
1078 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
1079 ATF_REQUIRE(cap_net_limit(limit) == 0);
1080
1081 ATF_REQUIRE(
1082 test_gethostbyname(capnet, AF_INET, "localhost") == ENOTCAPABLE);
1083 ATF_REQUIRE(
1084 test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_1) == ENOTCAPABLE);
1085 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == 0);
1086
1087 /* Unable to set empty limits. Empty limits means full access. */
1088 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_NAME2ADDR);
1089 ATF_REQUIRE(cap_net_limit(limit) != 0);
1090
1091 cap_close(capnet);
1092 }
1093
1094 ATF_TC(capnet__limits_deprecated_name2addr_family);
ATF_TC_HEAD(capnet__limits_deprecated_name2addr_family,tc)1095 ATF_TC_HEAD(capnet__limits_deprecated_name2addr_family, tc)
1096 {
1097 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1098 }
ATF_TC_BODY(capnet__limits_deprecated_name2addr_family,tc)1099 ATF_TC_BODY(capnet__limits_deprecated_name2addr_family, tc)
1100 {
1101 cap_channel_t *capnet;
1102 cap_net_limit_t *limit;
1103 int family[] = { AF_INET6, AF_INET };
1104
1105 capnet = create_network_service();
1106
1107 /* Limit to AF_INET and AF_INET6. */
1108 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_NAME2ADDR);
1109 ATF_REQUIRE(limit != NULL);
1110 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
1111 cap_net_limit_name2addr_family(limit, family, nitems(family));
1112 ATF_REQUIRE(cap_net_limit(limit) == 0);
1113
1114 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == 0);
1115 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET6, TEST_DOMAIN_0) == 0);
1116 ATF_REQUIRE(
1117 test_gethostbyname(capnet, PF_LINK, TEST_DOMAIN_0) == ENOTCAPABLE);
1118
1119 /* Limit to AF_INET and AF_INET6. */
1120 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_NAME2ADDR);
1121 ATF_REQUIRE(limit != NULL);
1122 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
1123 cap_net_limit_name2addr_family(limit, &family[0], 1);
1124 cap_net_limit_name2addr_family(limit, &family[1], 1);
1125 ATF_REQUIRE(cap_net_limit(limit) == 0);
1126
1127 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == 0);
1128 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET6, TEST_DOMAIN_0) == 0);
1129 ATF_REQUIRE(
1130 test_gethostbyname(capnet, PF_LINK, TEST_DOMAIN_0) == ENOTCAPABLE);
1131
1132 /* Limit to AF_INET6 only. */
1133 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_NAME2ADDR);
1134 ATF_REQUIRE(limit != NULL);
1135 cap_net_limit_name2addr(limit, TEST_DOMAIN_0, NULL);
1136 cap_net_limit_name2addr_family(limit, family, 1);
1137 ATF_REQUIRE(cap_net_limit(limit) == 0);
1138
1139 ATF_REQUIRE(
1140 test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == ENOTCAPABLE);
1141 ATF_REQUIRE(test_gethostbyname(capnet, AF_INET6, TEST_DOMAIN_0) == 0);
1142 ATF_REQUIRE(
1143 test_gethostbyname(capnet, PF_LINK, TEST_DOMAIN_0) == ENOTCAPABLE);
1144
1145 /* Unable to set empty limits. Empty limits means full access. */
1146 limit = cap_net_limit_init(capnet, CAPNET_DEPRECATED_NAME2ADDR);
1147 ATF_REQUIRE(cap_net_limit(limit) != 0);
1148
1149 cap_close(capnet);
1150 }
1151
1152 ATF_TC(capnet__limits_bind_mode);
ATF_TC_HEAD(capnet__limits_bind_mode,tc)1153 ATF_TC_HEAD(capnet__limits_bind_mode, tc)
1154 {
1155 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1156 }
ATF_TC_BODY(capnet__limits_bind_mode,tc)1157 ATF_TC_BODY(capnet__limits_bind_mode, tc)
1158 {
1159 cap_channel_t *capnet;
1160 cap_net_limit_t *limit;
1161
1162 capnet = create_network_service();
1163
1164 /* LIMIT */
1165 limit = cap_net_limit_init(capnet, CAPNET_BIND);
1166 ATF_REQUIRE(limit != NULL);
1167 ATF_REQUIRE(cap_net_limit(limit) == 0);
1168
1169 /* ALLOWED */
1170 ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == 0);
1171
1172 /* DISALLOWED */
1173 ATF_REQUIRE(
1174 test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == ENOTCAPABLE);
1175 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) ==
1176 ENOTCAPABLE);
1177 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) ==
1178 ENOTCAPABLE);
1179 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
1180 ENOTCAPABLE);
1181 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == ENOTCAPABLE);
1182
1183 test_extend_mode(capnet, CAPNET_ADDR2NAME);
1184
1185 cap_close(capnet);
1186 }
1187
1188 ATF_TC(capnet__limits_bind);
ATF_TC_HEAD(capnet__limits_bind,tc)1189 ATF_TC_HEAD(capnet__limits_bind, tc)
1190 {
1191 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1192 }
ATF_TC_BODY(capnet__limits_bind,tc)1193 ATF_TC_BODY(capnet__limits_bind, tc)
1194 {
1195 cap_channel_t *capnet;
1196 cap_net_limit_t *limit;
1197 struct sockaddr_in ipv4;
1198
1199 capnet = create_network_service();
1200
1201 limit = cap_net_limit_init(capnet, CAPNET_BIND);
1202 ATF_REQUIRE(limit != NULL);
1203
1204 memset(&ipv4, 0, sizeof(ipv4));
1205 ipv4.sin_family = AF_INET;
1206 inet_pton(AF_INET, TEST_BIND_IPV4, &ipv4.sin_addr);
1207
1208 cap_net_limit_bind(limit, (struct sockaddr *)&ipv4, sizeof(ipv4));
1209 ATF_REQUIRE(cap_net_limit(limit) == 0);
1210
1211 ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == 0);
1212 ATF_REQUIRE(test_bind(capnet, "127.0.0.2") == ENOTCAPABLE);
1213
1214 cap_close(capnet);
1215 }
1216
1217 ATF_TC(capnet__limits_connect_mode);
ATF_TC_HEAD(capnet__limits_connect_mode,tc)1218 ATF_TC_HEAD(capnet__limits_connect_mode, tc)
1219 {
1220 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1221 }
ATF_TC_BODY(capnet__limits_connect_mode,tc)1222 ATF_TC_BODY(capnet__limits_connect_mode, tc)
1223 {
1224 cap_channel_t *capnet;
1225 cap_net_limit_t *limit;
1226
1227 capnet = create_network_service();
1228
1229 /* LIMIT */
1230 limit = cap_net_limit_init(capnet, CAPNET_CONNECT);
1231 ATF_REQUIRE(limit != NULL);
1232 ATF_REQUIRE(cap_net_limit(limit) == 0);
1233
1234 /* ALLOWED */
1235 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == 0);
1236
1237 /* DISALLOWED */
1238 ATF_REQUIRE(
1239 test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == ENOTCAPABLE);
1240 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) ==
1241 ENOTCAPABLE);
1242 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) ==
1243 ENOTCAPABLE);
1244 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
1245 ENOTCAPABLE);
1246 ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == ENOTCAPABLE);
1247
1248 test_extend_mode(capnet, CAPNET_ADDR2NAME);
1249
1250 cap_close(capnet);
1251 }
1252
1253 ATF_TC(capnet__limits_connect_dns_mode);
ATF_TC_HEAD(capnet__limits_connect_dns_mode,tc)1254 ATF_TC_HEAD(capnet__limits_connect_dns_mode, tc)
1255 {
1256 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1257 }
ATF_TC_BODY(capnet__limits_connect_dns_mode,tc)1258 ATF_TC_BODY(capnet__limits_connect_dns_mode, tc)
1259 {
1260 cap_channel_t *capnet;
1261 cap_net_limit_t *limit;
1262
1263 capnet = create_network_service();
1264
1265 /* LIMIT */
1266 limit = cap_net_limit_init(capnet, CAPNET_CONNECT | CAPNET_CONNECTDNS);
1267 ATF_REQUIRE(limit != NULL);
1268 ATF_REQUIRE(cap_net_limit(limit) == 0);
1269
1270 /* ALLOWED */
1271 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == 0);
1272
1273 /* DISALLOWED */
1274 ATF_REQUIRE(
1275 test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == ENOTCAPABLE);
1276 ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) ==
1277 ENOTCAPABLE);
1278 ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) ==
1279 ENOTCAPABLE);
1280 ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) ==
1281 ENOTCAPABLE);
1282 ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == ENOTCAPABLE);
1283
1284 test_extend_mode(capnet, CAPNET_ADDR2NAME);
1285
1286 cap_close(capnet);
1287 }
1288
1289 ATF_TC(capnet__limits_connect);
ATF_TC_HEAD(capnet__limits_connect,tc)1290 ATF_TC_HEAD(capnet__limits_connect, tc)
1291 {
1292 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1293 }
ATF_TC_BODY(capnet__limits_connect,tc)1294 ATF_TC_BODY(capnet__limits_connect, tc)
1295 {
1296 cap_channel_t *capnet;
1297 cap_net_limit_t *limit;
1298 struct sockaddr_in ipv4;
1299
1300 capnet = create_network_service();
1301
1302 /* Limit only to TEST_IPV4 on port 80 and 443. */
1303 limit = cap_net_limit_init(capnet, CAPNET_CONNECT);
1304 ATF_REQUIRE(limit != NULL);
1305 memset(&ipv4, 0, sizeof(ipv4));
1306 ipv4.sin_family = AF_INET;
1307 ipv4.sin_port = htons(80);
1308 inet_pton(AF_INET, TEST_IPV4, &ipv4.sin_addr);
1309 cap_net_limit_connect(limit, (struct sockaddr *)&ipv4, sizeof(ipv4));
1310
1311 ipv4.sin_port = htons(443);
1312 cap_net_limit_connect(limit, (struct sockaddr *)&ipv4, sizeof(ipv4));
1313 ATF_REQUIRE(cap_net_limit(limit) == 0);
1314
1315 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == 0);
1316 ATF_REQUIRE(test_connect(capnet, "8.8.8.8", 80) == ENOTCAPABLE);
1317 ATF_REQUIRE(test_connect(capnet, "8.8.8.8", 433) == ENOTCAPABLE);
1318 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 443) == 0);
1319
1320 /* Limit only to TEST_IPV4 on port 443. */
1321 limit = cap_net_limit_init(capnet, CAPNET_CONNECT);
1322 cap_net_limit_connect(limit, (struct sockaddr *)&ipv4, sizeof(ipv4));
1323 ATF_REQUIRE(cap_net_limit(limit) == 0);
1324
1325 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 433) == ENOTCAPABLE);
1326 ATF_REQUIRE(test_connect(capnet, "8.8.8.8", 80) == ENOTCAPABLE);
1327 ATF_REQUIRE(test_connect(capnet, "8.8.8.8", 433) == ENOTCAPABLE);
1328 ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 443) == 0);
1329
1330 /* Unable to set empty limits. Empty limits means full access. */
1331 limit = cap_net_limit_init(capnet, CAPNET_CONNECT);
1332 ATF_REQUIRE(cap_net_limit(limit) != 0);
1333
1334 cap_close(capnet);
1335 }
1336
1337 ATF_TC(capnet__limits_connecttodns);
ATF_TC_HEAD(capnet__limits_connecttodns,tc)1338 ATF_TC_HEAD(capnet__limits_connecttodns, tc)
1339 {
1340 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1341 }
ATF_TC_BODY(capnet__limits_connecttodns,tc)1342 ATF_TC_BODY(capnet__limits_connecttodns, tc)
1343 {
1344 cap_channel_t *capnet;
1345 cap_net_limit_t *limit;
1346 struct addrinfo hints, *capres, *res;
1347 int family[] = { AF_INET };
1348 int error;
1349
1350 capnet = create_network_service();
1351
1352 limit = cap_net_limit_init(capnet, CAPNET_CONNECTDNS |
1353 CAPNET_NAME2ADDR);
1354 ATF_REQUIRE(limit != NULL);
1355 cap_net_limit_name2addr(limit, TEST_IPV4, "80");
1356 cap_net_limit_name2addr_family(limit, family, 1);
1357 ATF_REQUIRE(cap_net_limit(limit) == 0);
1358
1359 memset(&hints, 0, sizeof(hints));
1360 hints.ai_family = AF_INET;
1361 hints.ai_socktype = SOCK_STREAM;
1362
1363 ATF_REQUIRE(test_connect(capnet, "8.8.8.8", 433) == ENOTCAPABLE);
1364 ATF_REQUIRE(cap_getaddrinfo(capnet, TEST_IPV4, "80", &hints, &capres) ==
1365 0);
1366 ATF_REQUIRE(test_connect(capnet, "8.8.8.8", 433) == ENOTCAPABLE);
1367
1368 for (res = capres; res != NULL; res = res->ai_next) {
1369 int s;
1370
1371 ATF_REQUIRE(res->ai_family == AF_INET);
1372 ATF_REQUIRE(res->ai_socktype == SOCK_STREAM);
1373
1374 s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
1375 ATF_REQUIRE(s >= 0);
1376
1377 error = cap_connect(capnet, s, res->ai_addr,
1378 res->ai_addrlen);
1379 if (error != 0 && errno != ENOTCAPABLE)
1380 atf_tc_skip("unable to connect: %s", strerror(errno));
1381 ATF_REQUIRE(error == 0);
1382 ATF_REQUIRE(close(s) == 0);
1383 }
1384
1385 freeaddrinfo(capres);
1386 cap_close(capnet);
1387 }
1388
1389
1390 ATF_TC(capnet__limits_deprecated_connecttodns);
ATF_TC_HEAD(capnet__limits_deprecated_connecttodns,tc)1391 ATF_TC_HEAD(capnet__limits_deprecated_connecttodns, tc)
1392 {
1393 atf_tc_set_md_var(tc, "require.config", "allow_network_access");
1394 }
ATF_TC_BODY(capnet__limits_deprecated_connecttodns,tc)1395 ATF_TC_BODY(capnet__limits_deprecated_connecttodns, tc)
1396 {
1397 cap_channel_t *capnet;
1398 cap_net_limit_t *limit;
1399 struct hostent *caphp;
1400 struct in_addr ipaddr;
1401 struct sockaddr_in connaddr;
1402 int family[] = { AF_INET };
1403 int error, i;
1404
1405 capnet = create_network_service();
1406
1407 limit = cap_net_limit_init(capnet, CAPNET_CONNECTDNS |
1408 CAPNET_DEPRECATED_NAME2ADDR);
1409 ATF_REQUIRE(limit != NULL);
1410 cap_net_limit_name2addr(limit, TEST_IPV4, NULL);
1411 cap_net_limit_name2addr_family(limit, family, 1);
1412 ATF_REQUIRE(cap_net_limit(limit) == 0);
1413
1414 memset(&ipaddr, 0, sizeof(ipaddr));
1415 inet_pton(AF_INET, TEST_IPV4, &ipaddr);
1416
1417 ATF_REQUIRE(test_connect(capnet, "8.8.8.8", 433) == ENOTCAPABLE);
1418 caphp = cap_gethostbyname2(capnet, TEST_IPV4, AF_INET);
1419 ATF_REQUIRE(caphp != NULL);
1420 ATF_REQUIRE(caphp->h_addrtype == AF_INET);
1421 ATF_REQUIRE(test_connect(capnet, "8.8.8.8", 433) == ENOTCAPABLE);
1422
1423 for (i = 0; caphp->h_addr_list[i] != NULL; i++) {
1424 int s;
1425
1426 s = socket(AF_INET, SOCK_STREAM, 0);
1427 ATF_REQUIRE(s >= 0);
1428
1429 memset(&connaddr, 0, sizeof(connaddr));
1430 connaddr.sin_family = AF_INET;
1431 memcpy((char *)&connaddr.sin_addr.s_addr,
1432 (char *)caphp->h_addr_list[i], caphp->h_length);
1433 connaddr.sin_port = htons(80);
1434
1435 error = cap_connect(capnet, s, (struct sockaddr *)&connaddr,
1436 sizeof(connaddr));
1437 if (error != 0 && errno != ENOTCAPABLE)
1438 atf_tc_skip("unable to connect: %s", strerror(errno));
1439 ATF_REQUIRE(error == 0);
1440 ATF_REQUIRE(close(s) == 0);
1441 }
1442
1443 cap_close(capnet);
1444 }
1445
ATF_TP_ADD_TCS(tp)1446 ATF_TP_ADD_TCS(tp)
1447 {
1448
1449 ATF_TP_ADD_TC(tp, capnet__connect);
1450 ATF_TP_ADD_TC(tp, capnet__bind);
1451 ATF_TP_ADD_TC(tp, capnet__getnameinfo);
1452 ATF_TP_ADD_TC(tp, capnet__getaddrinfo);
1453 ATF_TP_ADD_TC(tp, capnet__gethostbyname);
1454 ATF_TP_ADD_TC(tp, capnet__gethostbyaddr);
1455
1456 ATF_TP_ADD_TC(tp, capnet__getnameinfo_buffer);
1457
1458 ATF_TP_ADD_TC(tp, capnet__limits_addr2name_mode);
1459 ATF_TP_ADD_TC(tp, capnet__limits_addr2name_family);
1460 ATF_TP_ADD_TC(tp, capnet__limits_addr2name);
1461
1462 ATF_TP_ADD_TC(tp, capnet__limits_deprecated_addr2name_mode);
1463 ATF_TP_ADD_TC(tp, capnet__limits_deprecated_addr2name_family);
1464 ATF_TP_ADD_TC(tp, capnet__limits_deprecated_addr2name);
1465
1466 ATF_TP_ADD_TC(tp, capnet__limits_name2addr_mode);
1467 ATF_TP_ADD_TC(tp, capnet__limits_name2addr_hosts);
1468 ATF_TP_ADD_TC(tp, capnet__limits_name2addr_hosts_servnames_strict);
1469 ATF_TP_ADD_TC(tp, capnet__limits_name2addr_hosts_servnames_mix);
1470 ATF_TP_ADD_TC(tp, capnet__limits_name2addr_family);
1471
1472 ATF_TP_ADD_TC(tp, capnet__limits_deprecated_name2addr_mode);
1473 ATF_TP_ADD_TC(tp, capnet__limits_deprecated_name2addr_hosts);
1474 ATF_TP_ADD_TC(tp, capnet__limits_deprecated_name2addr_family);
1475
1476 ATF_TP_ADD_TC(tp, capnet__limits_bind_mode);
1477 ATF_TP_ADD_TC(tp, capnet__limits_bind);
1478
1479 ATF_TP_ADD_TC(tp, capnet__limits_connect_mode);
1480 ATF_TP_ADD_TC(tp, capnet__limits_connect_dns_mode);
1481 ATF_TP_ADD_TC(tp, capnet__limits_connect);
1482
1483 ATF_TP_ADD_TC(tp, capnet__limits_connecttodns);
1484 ATF_TP_ADD_TC(tp, capnet__limits_deprecated_connecttodns);
1485
1486 return (atf_no_error());
1487 }
1488