1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2013 The FreeBSD Foundation 5 * 6 * This software was developed by Pawel Jakub Dawidek under sponsorship from 7 * the FreeBSD Foundation. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 31 #include <sys/capsicum.h> 32 #include <sys/nv.h> 33 34 #include <arpa/inet.h> 35 #include <netinet/in.h> 36 37 #include <assert.h> 38 #include <err.h> 39 #include <errno.h> 40 #include <netdb.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <unistd.h> 45 46 #include <libcasper.h> 47 #include <casper/cap_dns.h> 48 49 #include <atf-c.h> 50 51 #define GETHOSTBYNAME 0x01 52 #define GETHOSTBYNAME2_AF_INET 0x02 53 #define GETHOSTBYNAME2_AF_INET6 0x04 54 #define GETHOSTBYADDR_AF_INET 0x08 55 #define GETHOSTBYADDR_AF_INET6 0x10 56 #define GETADDRINFO_AF_UNSPEC 0x20 57 #define GETADDRINFO_AF_INET 0x40 58 #define GETADDRINFO_AF_INET6 0x80 59 60 static bool 61 addrinfo_compare(struct addrinfo *ai0, struct addrinfo *ai1) 62 { 63 struct addrinfo *at0, *at1; 64 65 if (ai0 == NULL && ai1 == NULL) 66 return (true); 67 if (ai0 == NULL || ai1 == NULL) 68 return (false); 69 70 at0 = ai0; 71 at1 = ai1; 72 while (true) { 73 if ((at0->ai_flags == at1->ai_flags) && 74 (at0->ai_family == at1->ai_family) && 75 (at0->ai_socktype == at1->ai_socktype) && 76 (at0->ai_protocol == at1->ai_protocol) && 77 (at0->ai_addrlen == at1->ai_addrlen) && 78 (memcmp(at0->ai_addr, at1->ai_addr, 79 at0->ai_addrlen) == 0)) { 80 if (at0->ai_canonname != NULL && 81 at1->ai_canonname != NULL) { 82 if (strcmp(at0->ai_canonname, 83 at1->ai_canonname) != 0) { 84 return (false); 85 } 86 } 87 88 if (at0->ai_canonname == NULL && 89 at1->ai_canonname != NULL) { 90 return (false); 91 } 92 if (at0->ai_canonname != NULL && 93 at1->ai_canonname == NULL) { 94 return (false); 95 } 96 97 if (at0->ai_next == NULL && at1->ai_next == NULL) 98 return (true); 99 if (at0->ai_next == NULL || at1->ai_next == NULL) 100 return (false); 101 102 at0 = at0->ai_next; 103 at1 = at1->ai_next; 104 } else { 105 return (false); 106 } 107 } 108 109 /* NOTREACHED */ 110 fprintf(stderr, "Dead code reached in addrinfo_compare()\n"); 111 exit(1); 112 } 113 114 static bool 115 hostent_aliases_compare(char **aliases0, char **aliases1) 116 { 117 int i0, i1; 118 119 if (aliases0 == NULL && aliases1 == NULL) 120 return (true); 121 if (aliases0 == NULL || aliases1 == NULL) 122 return (false); 123 124 for (i0 = 0; aliases0[i0] != NULL; i0++) { 125 for (i1 = 0; aliases1[i1] != NULL; i1++) { 126 if (strcmp(aliases0[i0], aliases1[i1]) == 0) 127 break; 128 } 129 if (aliases1[i1] == NULL) 130 return (false); 131 } 132 133 return (true); 134 } 135 136 static bool 137 hostent_addr_list_compare(char **addr_list0, char **addr_list1, int length) 138 { 139 int i0, i1; 140 141 if (addr_list0 == NULL && addr_list1 == NULL) 142 return (true); 143 if (addr_list0 == NULL || addr_list1 == NULL) 144 return (false); 145 146 for (i0 = 0; addr_list0[i0] != NULL; i0++) { 147 for (i1 = 0; addr_list1[i1] != NULL; i1++) { 148 if (memcmp(addr_list0[i0], addr_list1[i1], length) == 0) 149 break; 150 } 151 if (addr_list1[i1] == NULL) 152 return (false); 153 } 154 155 return (true); 156 } 157 158 static bool 159 hostent_compare(const struct hostent *hp0, const struct hostent *hp1) 160 { 161 162 if (hp0 == NULL && hp1 != NULL) 163 return (true); 164 165 if (hp0 == NULL || hp1 == NULL) 166 return (false); 167 168 if (hp0->h_name != NULL || hp1->h_name != NULL) { 169 if (hp0->h_name == NULL || hp1->h_name == NULL) 170 return (false); 171 if (strcmp(hp0->h_name, hp1->h_name) != 0) 172 return (false); 173 } 174 175 if (!hostent_aliases_compare(hp0->h_aliases, hp1->h_aliases)) 176 return (false); 177 if (!hostent_aliases_compare(hp1->h_aliases, hp0->h_aliases)) 178 return (false); 179 180 if (hp0->h_addrtype != hp1->h_addrtype) 181 return (false); 182 183 if (hp0->h_length != hp1->h_length) 184 return (false); 185 186 if (!hostent_addr_list_compare(hp0->h_addr_list, hp1->h_addr_list, 187 hp0->h_length)) { 188 return (false); 189 } 190 if (!hostent_addr_list_compare(hp1->h_addr_list, hp0->h_addr_list, 191 hp0->h_length)) { 192 return (false); 193 } 194 195 return (true); 196 } 197 198 static void 199 runtest(cap_channel_t *capdns, unsigned int expected) 200 { 201 unsigned int result; 202 struct addrinfo *ais, *aic, hints, *hintsp; 203 struct hostent *hps, *hpc; 204 struct in_addr ip4; 205 struct in6_addr ip6; 206 int caperr, syserr; 207 208 result = 0; 209 210 hps = gethostbyname("example.com"); 211 if (hps == NULL) { 212 fprintf(stderr, "Unable to resolve %s IPv4.\n", "example.com"); 213 } else { 214 hpc = cap_gethostbyname(capdns, "example.com"); 215 if (hostent_compare(hps, hpc)) 216 result |= GETHOSTBYNAME; 217 } 218 219 hps = gethostbyname2("example.com", AF_INET); 220 if (hps == NULL) { 221 fprintf(stderr, "Unable to resolve %s IPv4.\n", "example.com"); 222 } else { 223 hpc = cap_gethostbyname2(capdns, "example.com", AF_INET); 224 if (hostent_compare(hps, hpc)) 225 result |= GETHOSTBYNAME2_AF_INET; 226 } 227 228 hps = gethostbyname2("example.com", AF_INET6); 229 if (hps == NULL) { 230 fprintf(stderr, "Unable to resolve %s IPv6.\n", "example.com"); 231 } else { 232 hpc = cap_gethostbyname2(capdns, "example.com", AF_INET6); 233 if (hostent_compare(hps, hpc)) 234 result |= GETHOSTBYNAME2_AF_INET6; 235 } 236 237 hints.ai_flags = 0; 238 hints.ai_family = AF_UNSPEC; 239 hints.ai_socktype = 0; 240 hints.ai_protocol = 0; 241 hints.ai_addrlen = 0; 242 hints.ai_addr = NULL; 243 hints.ai_canonname = NULL; 244 hints.ai_next = NULL; 245 246 hintsp = &hints; 247 248 syserr = getaddrinfo("freebsd.org", "25", hintsp, &ais); 249 if (syserr != 0) { 250 fprintf(stderr, 251 "Unable to issue [system] getaddrinfo() for AF_UNSPEC: %s\n", 252 gai_strerror(syserr)); 253 } else { 254 caperr = cap_getaddrinfo(capdns, "freebsd.org", "25", hintsp, 255 &aic); 256 if (caperr == 0) { 257 if (addrinfo_compare(ais, aic)) 258 result |= GETADDRINFO_AF_UNSPEC; 259 freeaddrinfo(ais); 260 freeaddrinfo(aic); 261 } 262 } 263 264 hints.ai_family = AF_INET; 265 syserr = getaddrinfo("freebsd.org", "25", hintsp, &ais); 266 if (syserr != 0) { 267 fprintf(stderr, 268 "Unable to issue [system] getaddrinfo() for AF_UNSPEC: %s\n", 269 gai_strerror(syserr)); 270 } else { 271 caperr = cap_getaddrinfo(capdns, "freebsd.org", "25", hintsp, 272 &aic); 273 if (caperr == 0) { 274 if (addrinfo_compare(ais, aic)) 275 result |= GETADDRINFO_AF_INET; 276 freeaddrinfo(ais); 277 freeaddrinfo(aic); 278 } 279 } 280 281 hints.ai_family = AF_INET6; 282 syserr = getaddrinfo("freebsd.org", "25", hintsp, &ais); 283 if (syserr != 0) { 284 fprintf(stderr, 285 "Unable to issue [system] getaddrinfo() for AF_UNSPEC: %s\n", 286 gai_strerror(syserr)); 287 } else { 288 caperr = cap_getaddrinfo(capdns, "freebsd.org", "25", hintsp, 289 &aic); 290 if (caperr == 0) { 291 if (addrinfo_compare(ais, aic)) 292 result |= GETADDRINFO_AF_INET6; 293 freeaddrinfo(ais); 294 freeaddrinfo(aic); 295 } 296 } 297 298 /* XXX: hardcoded addresses for "google-public-dns-a.google.com". */ 299 #define GOOGLE_DNS_IPV4 "8.8.8.8" 300 #define GOOGLE_DNS_IPV6 "2001:4860:4860::8888" 301 302 inet_pton(AF_INET, GOOGLE_DNS_IPV4, &ip4); 303 hps = gethostbyaddr(&ip4, sizeof(ip4), AF_INET); 304 if (hps == NULL) { 305 fprintf(stderr, "Unable to resolve %s.\n", GOOGLE_DNS_IPV4); 306 } else { 307 hpc = cap_gethostbyaddr(capdns, &ip4, sizeof(ip4), AF_INET); 308 if (hostent_compare(hps, hpc)) 309 result |= GETHOSTBYADDR_AF_INET; 310 } 311 312 inet_pton(AF_INET6, GOOGLE_DNS_IPV6, &ip6); 313 hps = gethostbyaddr(&ip6, sizeof(ip6), AF_INET6); 314 if (hps == NULL) { 315 fprintf(stderr, "Unable to resolve %s.\n", GOOGLE_DNS_IPV6); 316 } else { 317 hpc = cap_gethostbyaddr(capdns, &ip6, sizeof(ip6), AF_INET6); 318 if (hostent_compare(hps, hpc)) { 319 caperr = h_errno; 320 result |= GETHOSTBYADDR_AF_INET6; 321 } 322 } 323 324 ATF_REQUIRE_MSG(result == expected, 325 "expected 0x%x, got 0x%x", expected, result); 326 } 327 328 static cap_channel_t * 329 cap_dns_init(void) 330 { 331 cap_channel_t *capcas, *capdns; 332 333 capcas = cap_init(); 334 ATF_REQUIRE(capcas != NULL); 335 336 capdns = cap_service_open(capcas, "system.dns"); 337 ATF_REQUIRE(capdns != NULL); 338 339 cap_close(capcas); 340 341 return (capdns); 342 } 343 344 ATF_TC(dns_no_limits); 345 ATF_TC_HEAD(dns_no_limits, tc) 346 { 347 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 348 } 349 ATF_TC_BODY(dns_no_limits, tc) 350 { 351 cap_channel_t *capdns; 352 353 capdns = cap_dns_init(); 354 355 runtest(capdns, 356 (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYNAME2_AF_INET6 | 357 GETHOSTBYADDR_AF_INET | GETHOSTBYADDR_AF_INET6 | 358 GETADDRINFO_AF_UNSPEC | GETADDRINFO_AF_INET | 359 GETADDRINFO_AF_INET6)); 360 361 cap_close(capdns); 362 } 363 364 ATF_TC(dns_all_limits); 365 ATF_TC_HEAD(dns_all_limits, tc) 366 { 367 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 368 } 369 ATF_TC_BODY(dns_all_limits, tc) 370 { 371 cap_channel_t *capdns; 372 const char *types[2]; 373 int families[2]; 374 375 capdns = cap_dns_init(); 376 377 types[0] = "NAME2ADDR"; 378 types[1] = "ADDR2NAME"; 379 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 2) == 0); 380 families[0] = AF_INET; 381 families[1] = AF_INET6; 382 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 2) == 0); 383 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 384 cap_dns_family_limit(capdns, NULL, 0) == -1); 385 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 386 cap_dns_type_limit(capdns, NULL, 0) == -1); 387 388 runtest(capdns, 389 (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYNAME2_AF_INET6 | 390 GETHOSTBYADDR_AF_INET | GETHOSTBYADDR_AF_INET6 | 391 GETADDRINFO_AF_INET | GETADDRINFO_AF_INET6)); 392 393 cap_close(capdns); 394 } 395 396 ATF_TC(dns_name_limit); 397 ATF_TC_HEAD(dns_name_limit, tc) 398 { 399 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 400 } 401 ATF_TC_BODY(dns_name_limit, tc) 402 { 403 cap_channel_t *capdns; 404 const char *types[2]; 405 int families[2]; 406 407 capdns = cap_dns_init(); 408 409 types[0] = "NAME2ADDR"; 410 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 1) == 0); 411 types[1] = "ADDR2NAME"; 412 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 413 cap_dns_type_limit(capdns, types, 2) == -1); 414 types[0] = "ADDR2NAME"; 415 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 416 cap_dns_type_limit(capdns, types, 1) == -1); 417 families[0] = AF_INET; 418 families[1] = AF_INET6; 419 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 2) == 0); 420 421 runtest(capdns, 422 (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYNAME2_AF_INET6 | 423 GETADDRINFO_AF_INET | GETADDRINFO_AF_INET6)); 424 425 cap_close(capdns); 426 } 427 428 ATF_TC(dns_addr_limit); 429 ATF_TC_HEAD(dns_addr_limit, tc) 430 { 431 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 432 } 433 ATF_TC_BODY(dns_addr_limit, tc) 434 { 435 cap_channel_t *capdns; 436 const char *types[2]; 437 int families[2]; 438 439 capdns = cap_dns_init(); 440 441 types[0] = "ADDR2NAME"; 442 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 1) == 0); 443 types[1] = "NAME2ADDR"; 444 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 445 cap_dns_type_limit(capdns, types, 2) == -1); 446 types[0] = "NAME2ADDR"; 447 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 448 cap_dns_type_limit(capdns, types, 1) == -1); 449 families[0] = AF_INET; 450 families[1] = AF_INET6; 451 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 2) == 0); 452 453 runtest(capdns, 454 (GETHOSTBYADDR_AF_INET | GETHOSTBYADDR_AF_INET6)); 455 456 cap_close(capdns); 457 } 458 459 ATF_TC(dns_inet_limit); 460 ATF_TC_HEAD(dns_inet_limit, tc) 461 { 462 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 463 } 464 ATF_TC_BODY(dns_inet_limit, tc) 465 { 466 cap_channel_t *capdns; 467 const char *types[2]; 468 int families[2]; 469 470 capdns = cap_dns_init(); 471 472 types[0] = "NAME2ADDR"; 473 types[1] = "ADDR2NAME"; 474 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 2) == 0); 475 families[0] = AF_INET; 476 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 1) == 0); 477 families[1] = AF_INET6; 478 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 479 cap_dns_family_limit(capdns, families, 2) == -1); 480 families[0] = AF_INET6; 481 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 482 cap_dns_family_limit(capdns, families, 1) == -1); 483 484 runtest(capdns, 485 (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYADDR_AF_INET | 486 GETADDRINFO_AF_INET)); 487 488 cap_close(capdns); 489 } 490 491 ATF_TC(dns_inet6_limit); 492 ATF_TC_HEAD(dns_inet6_limit, tc) 493 { 494 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 495 } 496 ATF_TC_BODY(dns_inet6_limit, tc) 497 { 498 cap_channel_t *capdns; 499 const char *types[2]; 500 int families[2]; 501 502 capdns = cap_dns_init(); 503 504 types[0] = "NAME2ADDR"; 505 types[1] = "ADDR2NAME"; 506 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 2) == 0); 507 families[0] = AF_INET6; 508 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 1) == 0); 509 families[1] = AF_INET; 510 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 511 cap_dns_family_limit(capdns, families, 2) == -1); 512 families[0] = AF_INET; 513 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 514 cap_dns_family_limit(capdns, families, 1) == -1); 515 516 runtest(capdns, 517 (GETHOSTBYNAME2_AF_INET6 | GETHOSTBYADDR_AF_INET6 | 518 GETADDRINFO_AF_INET6)); 519 520 cap_close(capdns); 521 } 522 523 ATF_TC(dns_name_inet_limit); 524 ATF_TC_HEAD(dns_name_inet_limit, tc) 525 { 526 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 527 } 528 ATF_TC_BODY(dns_name_inet_limit, tc) 529 { 530 cap_channel_t *capdns; 531 const char *types[2]; 532 int families[2]; 533 534 capdns = cap_dns_init(); 535 536 types[0] = "NAME2ADDR"; 537 types[1] = "ADDR2NAME"; 538 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 2) == 0); 539 families[0] = AF_INET; 540 families[1] = AF_INET6; 541 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 2) == 0); 542 types[0] = "NAME2ADDR"; 543 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 1) == 0); 544 types[1] = "ADDR2NAME"; 545 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 546 cap_dns_type_limit(capdns, types, 2) == -1); 547 types[0] = "ADDR2NAME"; 548 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 549 cap_dns_type_limit(capdns, types, 1) == -1); 550 families[0] = AF_INET; 551 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 1) == 0); 552 families[1] = AF_INET6; 553 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 554 cap_dns_family_limit(capdns, families, 2) == -1); 555 families[0] = AF_INET6; 556 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 557 cap_dns_family_limit(capdns, families, 1) == -1); 558 559 runtest(capdns, 560 (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETADDRINFO_AF_INET)); 561 562 cap_close(capdns); 563 } 564 565 ATF_TC(dns_name_inet6_limit); 566 ATF_TC_HEAD(dns_name_inet6_limit, tc) 567 { 568 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 569 } 570 ATF_TC_BODY(dns_name_inet6_limit, tc) 571 { 572 cap_channel_t *capdns; 573 const char *types[2]; 574 int families[2]; 575 576 capdns = cap_dns_init(); 577 578 types[0] = "NAME2ADDR"; 579 types[1] = "ADDR2NAME"; 580 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 2) == 0); 581 families[0] = AF_INET6; 582 families[1] = AF_INET; 583 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 2) == 0); 584 types[0] = "NAME2ADDR"; 585 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 1) == 0); 586 types[1] = "ADDR2NAME"; 587 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 588 cap_dns_type_limit(capdns, types, 2) == -1); 589 types[0] = "ADDR2NAME"; 590 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 591 cap_dns_type_limit(capdns, types, 1) == -1); 592 families[0] = AF_INET6; 593 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 1) == 0); 594 families[1] = AF_INET; 595 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 596 cap_dns_family_limit(capdns, families, 2) == -1); 597 families[0] = AF_INET; 598 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 599 cap_dns_family_limit(capdns, families, 1) == -1); 600 601 runtest(capdns, 602 (GETHOSTBYNAME2_AF_INET6 | GETADDRINFO_AF_INET6)); 603 604 cap_close(capdns); 605 } 606 607 ATF_TC(dns_addr_inet_limit); 608 ATF_TC_HEAD(dns_addr_inet_limit, tc) 609 { 610 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 611 } 612 ATF_TC_BODY(dns_addr_inet_limit, tc) 613 { 614 cap_channel_t *capdns; 615 const char *types[2]; 616 int families[2]; 617 618 capdns = cap_dns_init(); 619 620 types[0] = "NAME2ADDR"; 621 types[1] = "ADDR2NAME"; 622 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 2) == 0); 623 families[0] = AF_INET; 624 families[1] = AF_INET6; 625 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 2) == 0); 626 types[0] = "ADDR2NAME"; 627 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 1) == 0); 628 types[1] = "NAME2ADDR"; 629 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 630 cap_dns_type_limit(capdns, types, 2) == -1); 631 types[0] = "NAME2ADDR"; 632 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 633 cap_dns_type_limit(capdns, types, 1) == -1); 634 families[0] = AF_INET; 635 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 1) == 0); 636 families[1] = AF_INET6; 637 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 638 cap_dns_family_limit(capdns, families, 2) == -1); 639 families[0] = AF_INET6; 640 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 641 cap_dns_family_limit(capdns, families, 1) == -1); 642 643 runtest(capdns, GETHOSTBYADDR_AF_INET); 644 645 cap_close(capdns); 646 } 647 648 ATF_TC(dns_addr_inet6_limit); 649 ATF_TC_HEAD(dns_addr_inet6_limit, tc) 650 { 651 atf_tc_set_md_var(tc, "require.config", "allow_network_access"); 652 } 653 ATF_TC_BODY(dns_addr_inet6_limit, tc) 654 { 655 cap_channel_t *capdns; 656 const char *types[2]; 657 int families[2]; 658 659 capdns = cap_dns_init(); 660 661 types[0] = "NAME2ADDR"; 662 types[1] = "ADDR2NAME"; 663 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 2) == 0); 664 families[0] = AF_INET6; 665 families[1] = AF_INET; 666 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 2) == 0); 667 types[0] = "ADDR2NAME"; 668 ATF_REQUIRE(cap_dns_type_limit(capdns, types, 1) == 0); 669 types[1] = "NAME2ADDR"; 670 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 671 cap_dns_type_limit(capdns, types, 2) == -1); 672 types[0] = "NAME2ADDR"; 673 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 674 cap_dns_type_limit(capdns, types, 1) == -1); 675 families[0] = AF_INET6; 676 ATF_REQUIRE(cap_dns_family_limit(capdns, families, 1) == 0); 677 families[1] = AF_INET; 678 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 679 cap_dns_family_limit(capdns, families, 2) == -1); 680 families[0] = AF_INET; 681 ATF_REQUIRE_ERRNO(ENOTCAPABLE, 682 cap_dns_family_limit(capdns, families, 1) == -1); 683 684 runtest(capdns, GETHOSTBYADDR_AF_INET6); 685 686 cap_close(capdns); 687 } 688 689 ATF_TP_ADD_TCS(tp) 690 { 691 ATF_TP_ADD_TC(tp, dns_no_limits); 692 ATF_TP_ADD_TC(tp, dns_all_limits); 693 ATF_TP_ADD_TC(tp, dns_name_limit); 694 ATF_TP_ADD_TC(tp, dns_addr_limit); 695 ATF_TP_ADD_TC(tp, dns_inet_limit); 696 ATF_TP_ADD_TC(tp, dns_inet6_limit); 697 ATF_TP_ADD_TC(tp, dns_name_inet_limit); 698 ATF_TP_ADD_TC(tp, dns_name_inet6_limit); 699 ATF_TP_ADD_TC(tp, dns_addr_inet_limit); 700 ATF_TP_ADD_TC(tp, dns_addr_inet6_limit); 701 702 return atf_no_error(); 703 } 704