1 /*- 2 * Copyright (c) 2013 The FreeBSD Foundation 3 * All rights reserved. 4 * 5 * This software was developed by Pawel Jakub Dawidek under sponsorship from 6 * the FreeBSD Foundation. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/types.h> 34 #include <sys/capsicum.h> 35 #include <sys/sysctl.h> 36 #include <sys/nv.h> 37 38 #include <assert.h> 39 #include <err.h> 40 #include <errno.h> 41 #include <netdb.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <unistd.h> 46 47 #include <libcasper.h> 48 49 #include <casper/cap_sysctl.h> 50 51 /* 52 * We need some sysctls to perform the tests on. 53 * We remember their values and restore them afer the test is done. 54 */ 55 #define SYSCTL0_PARENT "kern" 56 #define SYSCTL0_NAME "kern.sync_on_panic" 57 #define SYSCTL1_PARENT "debug" 58 #define SYSCTL1_NAME "debug.minidump" 59 60 static int ntest = 1; 61 62 #define CHECK(expr) do { \ 63 if ((expr)) \ 64 printf("ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \ 65 else \ 66 printf("not ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \ 67 fflush(stdout); \ 68 ntest++; \ 69 } while (0) 70 #define CHECKX(expr) do { \ 71 if ((expr)) { \ 72 printf("ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \ 73 } else { \ 74 printf("not ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \ 75 exit(1); \ 76 } \ 77 fflush(stdout); \ 78 ntest++; \ 79 } while (0) 80 81 #define SYSCTL0_READ0 0x0001 82 #define SYSCTL0_READ1 0x0002 83 #define SYSCTL0_READ2 0x0004 84 #define SYSCTL0_WRITE 0x0008 85 #define SYSCTL0_READ_WRITE 0x0010 86 #define SYSCTL1_READ0 0x0020 87 #define SYSCTL1_READ1 0x0040 88 #define SYSCTL1_READ2 0x0080 89 #define SYSCTL1_WRITE 0x0100 90 #define SYSCTL1_READ_WRITE 0x0200 91 92 static unsigned int 93 runtest(cap_channel_t *capsysctl) 94 { 95 unsigned int result; 96 int oldvalue, newvalue; 97 size_t oldsize; 98 99 result = 0; 100 101 oldsize = sizeof(oldvalue); 102 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 103 NULL, 0) == 0) { 104 if (oldsize == sizeof(oldvalue)) 105 result |= SYSCTL0_READ0; 106 } 107 108 newvalue = 123; 109 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue, 110 sizeof(newvalue)) == 0) { 111 result |= SYSCTL0_WRITE; 112 } 113 114 if ((result & SYSCTL0_WRITE) != 0) { 115 oldsize = sizeof(oldvalue); 116 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 117 &oldsize, NULL, 0) == 0) { 118 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 119 result |= SYSCTL0_READ1; 120 } 121 } 122 123 oldsize = sizeof(oldvalue); 124 newvalue = 4567; 125 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 126 &newvalue, sizeof(newvalue)) == 0) { 127 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 128 result |= SYSCTL0_READ_WRITE; 129 } 130 131 if ((result & SYSCTL0_READ_WRITE) != 0) { 132 oldsize = sizeof(oldvalue); 133 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 134 &oldsize, NULL, 0) == 0) { 135 if (oldsize == sizeof(oldvalue) && oldvalue == 4567) 136 result |= SYSCTL0_READ2; 137 } 138 } 139 140 oldsize = sizeof(oldvalue); 141 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 142 NULL, 0) == 0) { 143 if (oldsize == sizeof(oldvalue)) 144 result |= SYSCTL1_READ0; 145 } 146 147 newvalue = 506; 148 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue, 149 sizeof(newvalue)) == 0) { 150 result |= SYSCTL1_WRITE; 151 } 152 153 if ((result & SYSCTL1_WRITE) != 0) { 154 oldsize = sizeof(oldvalue); 155 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 156 &oldsize, NULL, 0) == 0) { 157 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 158 result |= SYSCTL1_READ1; 159 } 160 } 161 162 oldsize = sizeof(oldvalue); 163 newvalue = 7008; 164 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 165 &newvalue, sizeof(newvalue)) == 0) { 166 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 167 result |= SYSCTL1_READ_WRITE; 168 } 169 170 if ((result & SYSCTL1_READ_WRITE) != 0) { 171 oldsize = sizeof(oldvalue); 172 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 173 &oldsize, NULL, 0) == 0) { 174 if (oldsize == sizeof(oldvalue) && oldvalue == 7008) 175 result |= SYSCTL1_READ2; 176 } 177 } 178 179 return (result); 180 } 181 182 static void 183 test_operation(cap_channel_t *origcapsysctl) 184 { 185 cap_channel_t *capsysctl; 186 nvlist_t *limits; 187 188 /* 189 * Allow: 190 * SYSCTL0_PARENT/RDWR/RECURSIVE 191 * SYSCTL1_PARENT/RDWR/RECURSIVE 192 */ 193 194 capsysctl = cap_clone(origcapsysctl); 195 CHECK(capsysctl != NULL); 196 197 limits = nvlist_create(0); 198 nvlist_add_number(limits, SYSCTL0_PARENT, 199 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 200 nvlist_add_number(limits, SYSCTL1_PARENT, 201 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 202 CHECK(cap_limit_set(capsysctl, limits) == 0); 203 limits = nvlist_create(0); 204 nvlist_add_number(limits, SYSCTL0_PARENT, 205 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 206 nvlist_add_number(limits, SYSCTL1_PARENT, 207 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 208 nvlist_add_number(limits, "foo.bar", 209 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 210 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 211 limits = nvlist_create(0); 212 nvlist_add_number(limits, "foo.bar", 213 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 214 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 215 216 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 217 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 218 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 219 SYSCTL1_READ_WRITE)); 220 221 limits = nvlist_create(0); 222 nvlist_add_number(limits, SYSCTL0_NAME, 223 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 224 nvlist_add_number(limits, SYSCTL1_NAME, 225 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 226 CHECK(cap_limit_set(capsysctl, limits) == 0); 227 228 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 229 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 230 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 231 SYSCTL1_READ_WRITE)); 232 233 limits = nvlist_create(0); 234 nvlist_add_number(limits, SYSCTL0_NAME, 235 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 236 nvlist_add_number(limits, SYSCTL1_NAME, 237 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 238 CHECK(cap_limit_set(capsysctl, limits) == 0); 239 240 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 241 242 limits = nvlist_create(0); 243 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 244 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 245 CHECK(cap_limit_set(capsysctl, limits) == 0); 246 247 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 248 249 limits = nvlist_create(0); 250 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 251 CHECK(cap_limit_set(capsysctl, limits) == 0); 252 253 CHECK(runtest(capsysctl) == SYSCTL0_READ0); 254 255 cap_close(capsysctl); 256 257 /* 258 * Allow: 259 * SYSCTL0_NAME/RDWR/RECURSIVE 260 * SYSCTL1_NAME/RDWR/RECURSIVE 261 */ 262 263 capsysctl = cap_clone(origcapsysctl); 264 CHECK(capsysctl != NULL); 265 266 limits = nvlist_create(0); 267 nvlist_add_number(limits, SYSCTL0_NAME, 268 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 269 nvlist_add_number(limits, SYSCTL1_NAME, 270 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 271 CHECK(cap_limit_set(capsysctl, limits) == 0); 272 limits = nvlist_create(0); 273 nvlist_add_number(limits, SYSCTL0_PARENT, 274 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 275 nvlist_add_number(limits, SYSCTL1_PARENT, 276 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 277 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 278 limits = nvlist_create(0); 279 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 280 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 281 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 282 limits = nvlist_create(0); 283 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 284 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 285 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 286 limits = nvlist_create(0); 287 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 288 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 289 290 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 291 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 292 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 293 SYSCTL1_READ_WRITE)); 294 295 cap_close(capsysctl); 296 297 /* 298 * Allow: 299 * SYSCTL0_PARENT/RDWR 300 * SYSCTL1_PARENT/RDWR 301 */ 302 303 capsysctl = cap_clone(origcapsysctl); 304 CHECK(capsysctl != NULL); 305 306 limits = nvlist_create(0); 307 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 308 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 309 CHECK(cap_limit_set(capsysctl, limits) == 0); 310 limits = nvlist_create(0); 311 nvlist_add_number(limits, SYSCTL0_PARENT, 312 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 313 nvlist_add_number(limits, SYSCTL1_PARENT, 314 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 315 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 316 limits = nvlist_create(0); 317 nvlist_add_number(limits, SYSCTL0_PARENT, 318 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 319 nvlist_add_number(limits, SYSCTL1_PARENT, 320 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 321 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 322 limits = nvlist_create(0); 323 nvlist_add_number(limits, SYSCTL0_PARENT, 324 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 325 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 326 327 CHECK(runtest(capsysctl) == 0); 328 329 cap_close(capsysctl); 330 331 /* 332 * Allow: 333 * SYSCTL0_NAME/RDWR 334 * SYSCTL1_NAME/RDWR 335 */ 336 337 capsysctl = cap_clone(origcapsysctl); 338 CHECK(capsysctl != NULL); 339 340 limits = nvlist_create(0); 341 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 342 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 343 CHECK(cap_limit_set(capsysctl, limits) == 0); 344 limits = nvlist_create(0); 345 nvlist_add_number(limits, SYSCTL0_PARENT, 346 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 347 nvlist_add_number(limits, SYSCTL1_PARENT, 348 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 349 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 350 limits = nvlist_create(0); 351 nvlist_add_number(limits, SYSCTL0_PARENT, 352 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 353 nvlist_add_number(limits, SYSCTL1_PARENT, 354 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 355 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 356 limits = nvlist_create(0); 357 nvlist_add_number(limits, SYSCTL1_PARENT, 358 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 359 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 360 361 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 362 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 363 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 364 SYSCTL1_READ_WRITE)); 365 366 cap_close(capsysctl); 367 368 /* 369 * Allow: 370 * SYSCTL0_PARENT/RDWR 371 * SYSCTL1_PARENT/RDWR/RECURSIVE 372 */ 373 374 capsysctl = cap_clone(origcapsysctl); 375 CHECK(capsysctl != NULL); 376 377 limits = nvlist_create(0); 378 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 379 nvlist_add_number(limits, SYSCTL1_PARENT, 380 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 381 CHECK(cap_limit_set(capsysctl, limits) == 0); 382 limits = nvlist_create(0); 383 nvlist_add_number(limits, SYSCTL0_PARENT, 384 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 385 nvlist_add_number(limits, SYSCTL1_PARENT, 386 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 387 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 388 limits = nvlist_create(0); 389 nvlist_add_number(limits, SYSCTL0_PARENT, 390 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 391 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 392 limits = nvlist_create(0); 393 nvlist_add_number(limits, SYSCTL0_PARENT, 394 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 395 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 396 limits = nvlist_create(0); 397 nvlist_add_number(limits, SYSCTL0_NAME, 398 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 399 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 400 401 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 402 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 403 404 cap_close(capsysctl); 405 406 /* 407 * Allow: 408 * SYSCTL0_NAME/RDWR 409 * SYSCTL1_NAME/RDWR/RECURSIVE 410 */ 411 412 capsysctl = cap_clone(origcapsysctl); 413 CHECK(capsysctl != NULL); 414 415 limits = nvlist_create(0); 416 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 417 nvlist_add_number(limits, SYSCTL1_NAME, 418 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 419 CHECK(cap_limit_set(capsysctl, limits) == 0); 420 limits = nvlist_create(0); 421 nvlist_add_number(limits, SYSCTL0_NAME, 422 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 423 nvlist_add_number(limits, SYSCTL1_NAME, 424 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 425 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 426 limits = nvlist_create(0); 427 nvlist_add_number(limits, SYSCTL0_NAME, 428 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 429 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 430 limits = nvlist_create(0); 431 nvlist_add_number(limits, SYSCTL0_NAME, 432 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 433 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 434 435 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 436 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 437 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 438 SYSCTL1_READ_WRITE)); 439 440 cap_close(capsysctl); 441 442 /* 443 * Allow: 444 * SYSCTL0_PARENT/READ/RECURSIVE 445 * SYSCTL1_PARENT/READ/RECURSIVE 446 */ 447 448 capsysctl = cap_clone(origcapsysctl); 449 CHECK(capsysctl != NULL); 450 451 limits = nvlist_create(0); 452 nvlist_add_number(limits, SYSCTL0_PARENT, 453 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 454 nvlist_add_number(limits, SYSCTL1_PARENT, 455 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 456 CHECK(cap_limit_set(capsysctl, limits) == 0); 457 limits = nvlist_create(0); 458 nvlist_add_number(limits, SYSCTL0_PARENT, 459 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 460 nvlist_add_number(limits, SYSCTL1_PARENT, 461 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 462 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 463 limits = nvlist_create(0); 464 nvlist_add_number(limits, SYSCTL0_PARENT, 465 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 466 nvlist_add_number(limits, SYSCTL1_PARENT, 467 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 468 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 469 limits = nvlist_create(0); 470 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 471 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 472 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 473 limits = nvlist_create(0); 474 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 475 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 476 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 477 limits = nvlist_create(0); 478 nvlist_add_number(limits, SYSCTL0_PARENT, 479 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 480 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 481 limits = nvlist_create(0); 482 nvlist_add_number(limits, SYSCTL1_PARENT, 483 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 484 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 485 limits = nvlist_create(0); 486 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 487 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 488 limits = nvlist_create(0); 489 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 490 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 491 492 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 493 494 cap_close(capsysctl); 495 496 /* 497 * Allow: 498 * SYSCTL0_NAME/READ/RECURSIVE 499 * SYSCTL1_NAME/READ/RECURSIVE 500 */ 501 502 capsysctl = cap_clone(origcapsysctl); 503 CHECK(capsysctl != NULL); 504 505 limits = nvlist_create(0); 506 nvlist_add_number(limits, SYSCTL0_NAME, 507 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 508 nvlist_add_number(limits, SYSCTL1_NAME, 509 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 510 CHECK(cap_limit_set(capsysctl, limits) == 0); 511 limits = nvlist_create(0); 512 nvlist_add_number(limits, SYSCTL0_NAME, 513 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 514 nvlist_add_number(limits, SYSCTL1_NAME, 515 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 516 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 517 limits = nvlist_create(0); 518 nvlist_add_number(limits, SYSCTL0_NAME, 519 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 520 nvlist_add_number(limits, SYSCTL1_NAME, 521 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 522 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 523 limits = nvlist_create(0); 524 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 525 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 526 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 527 limits = nvlist_create(0); 528 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 529 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 530 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 531 limits = nvlist_create(0); 532 nvlist_add_number(limits, SYSCTL0_NAME, 533 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 534 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 535 limits = nvlist_create(0); 536 nvlist_add_number(limits, SYSCTL1_NAME, 537 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 538 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 539 limits = nvlist_create(0); 540 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 541 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 542 limits = nvlist_create(0); 543 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 544 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 545 546 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 547 548 cap_close(capsysctl); 549 550 /* 551 * Allow: 552 * SYSCTL0_PARENT/READ 553 * SYSCTL1_PARENT/READ 554 */ 555 556 capsysctl = cap_clone(origcapsysctl); 557 CHECK(capsysctl != NULL); 558 559 limits = nvlist_create(0); 560 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 561 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 562 CHECK(cap_limit_set(capsysctl, limits) == 0); 563 limits = nvlist_create(0); 564 nvlist_add_number(limits, SYSCTL0_PARENT, 565 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 566 nvlist_add_number(limits, SYSCTL1_PARENT, 567 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 568 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 569 limits = nvlist_create(0); 570 nvlist_add_number(limits, SYSCTL0_PARENT, 571 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 572 nvlist_add_number(limits, SYSCTL1_PARENT, 573 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 574 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 575 limits = nvlist_create(0); 576 nvlist_add_number(limits, SYSCTL0_PARENT, 577 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 578 nvlist_add_number(limits, SYSCTL1_PARENT, 579 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 580 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 581 limits = nvlist_create(0); 582 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 583 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 584 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 585 limits = nvlist_create(0); 586 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 587 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 588 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 589 limits = nvlist_create(0); 590 nvlist_add_number(limits, SYSCTL0_PARENT, 591 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 592 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 593 limits = nvlist_create(0); 594 nvlist_add_number(limits, SYSCTL1_PARENT, 595 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 596 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 597 limits = nvlist_create(0); 598 nvlist_add_number(limits, SYSCTL0_PARENT, 599 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 600 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 601 limits = nvlist_create(0); 602 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 603 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 604 limits = nvlist_create(0); 605 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 606 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 607 608 CHECK(runtest(capsysctl) == 0); 609 610 cap_close(capsysctl); 611 612 /* 613 * Allow: 614 * SYSCTL0_NAME/READ 615 * SYSCTL1_NAME/READ 616 */ 617 618 capsysctl = cap_clone(origcapsysctl); 619 CHECK(capsysctl != NULL); 620 621 limits = nvlist_create(0); 622 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 623 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 624 CHECK(cap_limit_set(capsysctl, limits) == 0); 625 limits = nvlist_create(0); 626 nvlist_add_number(limits, SYSCTL0_NAME, 627 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 628 nvlist_add_number(limits, SYSCTL1_NAME, 629 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 630 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 631 limits = nvlist_create(0); 632 nvlist_add_number(limits, SYSCTL0_NAME, 633 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 634 nvlist_add_number(limits, SYSCTL1_NAME, 635 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 636 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 637 limits = nvlist_create(0); 638 nvlist_add_number(limits, SYSCTL0_NAME, 639 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 640 nvlist_add_number(limits, SYSCTL1_NAME, 641 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 642 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 643 limits = nvlist_create(0); 644 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 645 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 646 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 647 limits = nvlist_create(0); 648 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 649 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 650 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 651 limits = nvlist_create(0); 652 nvlist_add_number(limits, SYSCTL0_NAME, 653 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 654 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 655 limits = nvlist_create(0); 656 nvlist_add_number(limits, SYSCTL1_NAME, 657 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 658 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 659 limits = nvlist_create(0); 660 nvlist_add_number(limits, SYSCTL0_NAME, 661 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 662 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 663 limits = nvlist_create(0); 664 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 665 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 666 limits = nvlist_create(0); 667 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 668 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 669 670 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 671 672 cap_close(capsysctl); 673 674 /* 675 * Allow: 676 * SYSCTL0_PARENT/READ 677 * SYSCTL1_PARENT/READ/RECURSIVE 678 */ 679 680 capsysctl = cap_clone(origcapsysctl); 681 CHECK(capsysctl != NULL); 682 683 limits = nvlist_create(0); 684 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 685 nvlist_add_number(limits, SYSCTL1_PARENT, 686 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 687 CHECK(cap_limit_set(capsysctl, limits) == 0); 688 limits = nvlist_create(0); 689 nvlist_add_number(limits, SYSCTL0_PARENT, 690 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 691 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 692 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 693 694 CHECK(runtest(capsysctl) == SYSCTL1_READ0); 695 696 cap_close(capsysctl); 697 698 /* 699 * Allow: 700 * SYSCTL0_NAME/READ 701 * SYSCTL1_NAME/READ/RECURSIVE 702 */ 703 704 capsysctl = cap_clone(origcapsysctl); 705 CHECK(capsysctl != NULL); 706 707 limits = nvlist_create(0); 708 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 709 nvlist_add_number(limits, SYSCTL1_NAME, 710 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 711 CHECK(cap_limit_set(capsysctl, limits) == 0); 712 limits = nvlist_create(0); 713 nvlist_add_number(limits, SYSCTL0_NAME, 714 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 715 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 716 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 717 718 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 719 720 cap_close(capsysctl); 721 722 /* 723 * Allow: 724 * SYSCTL0_PARENT/WRITE/RECURSIVE 725 * SYSCTL1_PARENT/WRITE/RECURSIVE 726 */ 727 728 capsysctl = cap_clone(origcapsysctl); 729 CHECK(capsysctl != NULL); 730 731 limits = nvlist_create(0); 732 nvlist_add_number(limits, SYSCTL0_PARENT, 733 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 734 nvlist_add_number(limits, SYSCTL1_PARENT, 735 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 736 CHECK(cap_limit_set(capsysctl, limits) == 0); 737 limits = nvlist_create(0); 738 nvlist_add_number(limits, SYSCTL0_PARENT, 739 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 740 nvlist_add_number(limits, SYSCTL1_PARENT, 741 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 742 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 743 limits = nvlist_create(0); 744 nvlist_add_number(limits, SYSCTL0_PARENT, 745 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 746 nvlist_add_number(limits, SYSCTL1_PARENT, 747 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 748 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 749 limits = nvlist_create(0); 750 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 751 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 752 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 753 limits = nvlist_create(0); 754 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 755 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 756 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 757 limits = nvlist_create(0); 758 nvlist_add_number(limits, SYSCTL0_PARENT, 759 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 760 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 761 limits = nvlist_create(0); 762 nvlist_add_number(limits, SYSCTL1_PARENT, 763 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 764 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 765 limits = nvlist_create(0); 766 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 767 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 768 limits = nvlist_create(0); 769 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 770 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 771 772 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 773 774 cap_close(capsysctl); 775 776 /* 777 * Allow: 778 * SYSCTL0_NAME/WRITE/RECURSIVE 779 * SYSCTL1_NAME/WRITE/RECURSIVE 780 */ 781 782 capsysctl = cap_clone(origcapsysctl); 783 CHECK(capsysctl != NULL); 784 785 limits = nvlist_create(0); 786 nvlist_add_number(limits, SYSCTL0_NAME, 787 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 788 nvlist_add_number(limits, SYSCTL1_NAME, 789 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 790 CHECK(cap_limit_set(capsysctl, limits) == 0); 791 limits = nvlist_create(0); 792 nvlist_add_number(limits, SYSCTL0_NAME, 793 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 794 nvlist_add_number(limits, SYSCTL1_NAME, 795 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 796 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 797 limits = nvlist_create(0); 798 nvlist_add_number(limits, SYSCTL0_NAME, 799 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 800 nvlist_add_number(limits, SYSCTL1_NAME, 801 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 802 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 803 limits = nvlist_create(0); 804 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 805 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 806 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 807 limits = nvlist_create(0); 808 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 809 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 810 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 811 limits = nvlist_create(0); 812 nvlist_add_number(limits, SYSCTL0_NAME, 813 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 814 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 815 limits = nvlist_create(0); 816 nvlist_add_number(limits, SYSCTL1_NAME, 817 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 818 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 819 limits = nvlist_create(0); 820 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 821 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 822 limits = nvlist_create(0); 823 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 824 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 825 826 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 827 828 cap_close(capsysctl); 829 830 /* 831 * Allow: 832 * SYSCTL0_PARENT/WRITE 833 * SYSCTL1_PARENT/WRITE 834 */ 835 836 capsysctl = cap_clone(origcapsysctl); 837 CHECK(capsysctl != NULL); 838 839 limits = nvlist_create(0); 840 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 841 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 842 CHECK(cap_limit_set(capsysctl, limits) == 0); 843 limits = nvlist_create(0); 844 nvlist_add_number(limits, SYSCTL0_PARENT, 845 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 846 nvlist_add_number(limits, SYSCTL1_PARENT, 847 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 848 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 849 limits = nvlist_create(0); 850 nvlist_add_number(limits, SYSCTL0_PARENT, 851 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 852 nvlist_add_number(limits, SYSCTL1_PARENT, 853 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 854 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 855 limits = nvlist_create(0); 856 nvlist_add_number(limits, SYSCTL0_PARENT, 857 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 858 nvlist_add_number(limits, SYSCTL1_PARENT, 859 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 860 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 861 limits = nvlist_create(0); 862 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 863 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 864 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 865 limits = nvlist_create(0); 866 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 867 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 868 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 869 limits = nvlist_create(0); 870 nvlist_add_number(limits, SYSCTL0_PARENT, 871 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 872 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 873 limits = nvlist_create(0); 874 nvlist_add_number(limits, SYSCTL1_PARENT, 875 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 876 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 877 limits = nvlist_create(0); 878 nvlist_add_number(limits, SYSCTL0_PARENT, 879 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 880 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 881 limits = nvlist_create(0); 882 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 883 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 884 limits = nvlist_create(0); 885 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 886 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 887 888 CHECK(runtest(capsysctl) == 0); 889 890 cap_close(capsysctl); 891 892 /* 893 * Allow: 894 * SYSCTL0_NAME/WRITE 895 * SYSCTL1_NAME/WRITE 896 */ 897 898 capsysctl = cap_clone(origcapsysctl); 899 CHECK(capsysctl != NULL); 900 901 limits = nvlist_create(0); 902 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 903 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 904 CHECK(cap_limit_set(capsysctl, limits) == 0); 905 limits = nvlist_create(0); 906 nvlist_add_number(limits, SYSCTL0_NAME, 907 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 908 nvlist_add_number(limits, SYSCTL1_NAME, 909 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 910 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 911 limits = nvlist_create(0); 912 nvlist_add_number(limits, SYSCTL0_NAME, 913 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 914 nvlist_add_number(limits, SYSCTL1_NAME, 915 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 916 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 917 limits = nvlist_create(0); 918 nvlist_add_number(limits, SYSCTL0_NAME, 919 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 920 nvlist_add_number(limits, SYSCTL1_NAME, 921 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 922 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 923 limits = nvlist_create(0); 924 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 925 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 926 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 927 limits = nvlist_create(0); 928 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 929 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 930 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 931 limits = nvlist_create(0); 932 nvlist_add_number(limits, SYSCTL0_NAME, 933 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 934 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 935 limits = nvlist_create(0); 936 nvlist_add_number(limits, SYSCTL1_NAME, 937 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 938 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 939 limits = nvlist_create(0); 940 nvlist_add_number(limits, SYSCTL0_NAME, 941 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 942 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 943 limits = nvlist_create(0); 944 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 945 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 946 limits = nvlist_create(0); 947 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 948 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 949 950 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 951 952 cap_close(capsysctl); 953 954 /* 955 * Allow: 956 * SYSCTL0_PARENT/WRITE 957 * SYSCTL1_PARENT/WRITE/RECURSIVE 958 */ 959 960 capsysctl = cap_clone(origcapsysctl); 961 CHECK(capsysctl != NULL); 962 963 limits = nvlist_create(0); 964 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 965 nvlist_add_number(limits, SYSCTL1_PARENT, 966 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 967 CHECK(cap_limit_set(capsysctl, limits) == 0); 968 limits = nvlist_create(0); 969 nvlist_add_number(limits, SYSCTL0_PARENT, 970 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 971 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 972 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 973 974 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 975 976 cap_close(capsysctl); 977 978 /* 979 * Allow: 980 * SYSCTL0_NAME/WRITE 981 * SYSCTL1_NAME/WRITE/RECURSIVE 982 */ 983 984 capsysctl = cap_clone(origcapsysctl); 985 CHECK(capsysctl != NULL); 986 987 limits = nvlist_create(0); 988 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 989 nvlist_add_number(limits, SYSCTL1_NAME, 990 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 991 CHECK(cap_limit_set(capsysctl, limits) == 0); 992 limits = nvlist_create(0); 993 nvlist_add_number(limits, SYSCTL0_NAME, 994 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 995 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 996 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 997 998 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 999 1000 cap_close(capsysctl); 1001 1002 /* 1003 * Allow: 1004 * SYSCTL0_PARENT/READ/RECURSIVE 1005 * SYSCTL1_PARENT/WRITE/RECURSIVE 1006 */ 1007 1008 capsysctl = cap_clone(origcapsysctl); 1009 CHECK(capsysctl != NULL); 1010 1011 limits = nvlist_create(0); 1012 nvlist_add_number(limits, SYSCTL0_PARENT, 1013 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1014 nvlist_add_number(limits, SYSCTL1_PARENT, 1015 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1016 CHECK(cap_limit_set(capsysctl, limits) == 0); 1017 1018 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1019 1020 cap_close(capsysctl); 1021 1022 /* 1023 * Allow: 1024 * SYSCTL0_NAME/READ/RECURSIVE 1025 * SYSCTL1_NAME/WRITE/RECURSIVE 1026 */ 1027 1028 capsysctl = cap_clone(origcapsysctl); 1029 CHECK(capsysctl != NULL); 1030 1031 limits = nvlist_create(0); 1032 nvlist_add_number(limits, SYSCTL0_NAME, 1033 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1034 nvlist_add_number(limits, SYSCTL1_NAME, 1035 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1036 CHECK(cap_limit_set(capsysctl, limits) == 0); 1037 1038 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1039 1040 cap_close(capsysctl); 1041 1042 /* 1043 * Allow: 1044 * SYSCTL0_PARENT/READ 1045 * SYSCTL1_PARENT/WRITE 1046 */ 1047 1048 capsysctl = cap_clone(origcapsysctl); 1049 CHECK(capsysctl != NULL); 1050 1051 limits = nvlist_create(0); 1052 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1053 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1054 CHECK(cap_limit_set(capsysctl, limits) == 0); 1055 1056 CHECK(runtest(capsysctl) == 0); 1057 1058 cap_close(capsysctl); 1059 1060 /* 1061 * Allow: 1062 * SYSCTL0_NAME/READ 1063 * SYSCTL1_NAME/WRITE 1064 */ 1065 1066 capsysctl = cap_clone(origcapsysctl); 1067 CHECK(capsysctl != NULL); 1068 1069 limits = nvlist_create(0); 1070 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1071 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1072 CHECK(cap_limit_set(capsysctl, limits) == 0); 1073 1074 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1075 1076 cap_close(capsysctl); 1077 1078 /* 1079 * Allow: 1080 * SYSCTL0_PARENT/READ 1081 * SYSCTL1_PARENT/WRITE/RECURSIVE 1082 */ 1083 1084 capsysctl = cap_clone(origcapsysctl); 1085 CHECK(capsysctl != NULL); 1086 1087 limits = nvlist_create(0); 1088 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1089 nvlist_add_number(limits, SYSCTL1_PARENT, 1090 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1091 CHECK(cap_limit_set(capsysctl, limits) == 0); 1092 1093 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 1094 1095 cap_close(capsysctl); 1096 1097 /* 1098 * Allow: 1099 * SYSCTL0_NAME/READ 1100 * SYSCTL1_NAME/WRITE/RECURSIVE 1101 */ 1102 1103 capsysctl = cap_clone(origcapsysctl); 1104 CHECK(capsysctl != NULL); 1105 1106 limits = nvlist_create(0); 1107 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1108 nvlist_add_number(limits, SYSCTL1_NAME, 1109 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1110 CHECK(cap_limit_set(capsysctl, limits) == 0); 1111 1112 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1113 1114 cap_close(capsysctl); 1115 } 1116 1117 static void 1118 test_names(cap_channel_t *origcapsysctl) 1119 { 1120 cap_channel_t *capsysctl; 1121 nvlist_t *limits; 1122 1123 /* 1124 * Allow: 1125 * SYSCTL0_PARENT/READ/RECURSIVE 1126 */ 1127 1128 capsysctl = cap_clone(origcapsysctl); 1129 CHECK(capsysctl != NULL); 1130 1131 limits = nvlist_create(0); 1132 nvlist_add_number(limits, SYSCTL0_PARENT, 1133 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1134 CHECK(cap_limit_set(capsysctl, limits) == 0); 1135 limits = nvlist_create(0); 1136 nvlist_add_number(limits, SYSCTL0_PARENT, 1137 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1138 nvlist_add_number(limits, SYSCTL1_PARENT, 1139 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1140 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1141 limits = nvlist_create(0); 1142 nvlist_add_number(limits, SYSCTL1_PARENT, 1143 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1144 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1145 limits = nvlist_create(0); 1146 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1147 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1148 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1149 limits = nvlist_create(0); 1150 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1151 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1152 1153 CHECK(runtest(capsysctl) == SYSCTL0_READ0); 1154 1155 cap_close(capsysctl); 1156 1157 /* 1158 * Allow: 1159 * SYSCTL1_NAME/READ/RECURSIVE 1160 */ 1161 1162 capsysctl = cap_clone(origcapsysctl); 1163 CHECK(capsysctl != NULL); 1164 1165 limits = nvlist_create(0); 1166 nvlist_add_number(limits, SYSCTL1_NAME, 1167 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1168 CHECK(cap_limit_set(capsysctl, limits) == 0); 1169 limits = nvlist_create(0); 1170 nvlist_add_number(limits, SYSCTL0_NAME, 1171 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1172 nvlist_add_number(limits, SYSCTL1_NAME, 1173 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1174 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1175 limits = nvlist_create(0); 1176 nvlist_add_number(limits, SYSCTL0_NAME, 1177 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1178 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1179 limits = nvlist_create(0); 1180 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1181 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1182 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1183 limits = nvlist_create(0); 1184 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1185 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1186 1187 CHECK(runtest(capsysctl) == SYSCTL1_READ0); 1188 1189 cap_close(capsysctl); 1190 1191 /* 1192 * Allow: 1193 * SYSCTL0_PARENT/WRITE/RECURSIVE 1194 */ 1195 1196 capsysctl = cap_clone(origcapsysctl); 1197 CHECK(capsysctl != NULL); 1198 1199 limits = nvlist_create(0); 1200 nvlist_add_number(limits, SYSCTL0_PARENT, 1201 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1202 CHECK(cap_limit_set(capsysctl, limits) == 0); 1203 limits = nvlist_create(0); 1204 nvlist_add_number(limits, SYSCTL0_PARENT, 1205 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1206 nvlist_add_number(limits, SYSCTL1_PARENT, 1207 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1208 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1209 limits = nvlist_create(0); 1210 nvlist_add_number(limits, SYSCTL1_PARENT, 1211 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1212 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1213 limits = nvlist_create(0); 1214 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1215 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1216 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1217 limits = nvlist_create(0); 1218 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1219 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1220 1221 CHECK(runtest(capsysctl) == SYSCTL0_WRITE); 1222 1223 cap_close(capsysctl); 1224 1225 /* 1226 * Allow: 1227 * SYSCTL1_NAME/WRITE/RECURSIVE 1228 */ 1229 1230 capsysctl = cap_clone(origcapsysctl); 1231 CHECK(capsysctl != NULL); 1232 1233 limits = nvlist_create(0); 1234 nvlist_add_number(limits, SYSCTL1_NAME, 1235 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1236 CHECK(cap_limit_set(capsysctl, limits) == 0); 1237 limits = nvlist_create(0); 1238 nvlist_add_number(limits, SYSCTL0_NAME, 1239 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1240 nvlist_add_number(limits, SYSCTL1_NAME, 1241 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1242 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1243 limits = nvlist_create(0); 1244 nvlist_add_number(limits, SYSCTL0_NAME, 1245 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1246 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1247 limits = nvlist_create(0); 1248 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1249 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1250 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1251 limits = nvlist_create(0); 1252 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1253 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1254 1255 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 1256 1257 cap_close(capsysctl); 1258 1259 /* 1260 * Allow: 1261 * SYSCTL0_PARENT/RDWR/RECURSIVE 1262 */ 1263 1264 capsysctl = cap_clone(origcapsysctl); 1265 CHECK(capsysctl != NULL); 1266 1267 limits = nvlist_create(0); 1268 nvlist_add_number(limits, SYSCTL0_PARENT, 1269 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1270 CHECK(cap_limit_set(capsysctl, limits) == 0); 1271 limits = nvlist_create(0); 1272 nvlist_add_number(limits, SYSCTL0_PARENT, 1273 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1274 nvlist_add_number(limits, SYSCTL1_PARENT, 1275 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1276 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1277 limits = nvlist_create(0); 1278 nvlist_add_number(limits, SYSCTL1_PARENT, 1279 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1280 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1281 limits = nvlist_create(0); 1282 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1283 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1284 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1285 limits = nvlist_create(0); 1286 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1287 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1288 1289 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1290 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE)); 1291 1292 cap_close(capsysctl); 1293 1294 /* 1295 * Allow: 1296 * SYSCTL1_NAME/RDWR/RECURSIVE 1297 */ 1298 1299 capsysctl = cap_clone(origcapsysctl); 1300 CHECK(capsysctl != NULL); 1301 1302 limits = nvlist_create(0); 1303 nvlist_add_number(limits, SYSCTL1_NAME, 1304 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1305 CHECK(cap_limit_set(capsysctl, limits) == 0); 1306 limits = nvlist_create(0); 1307 nvlist_add_number(limits, SYSCTL0_NAME, 1308 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1309 nvlist_add_number(limits, SYSCTL1_NAME, 1310 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1311 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1312 limits = nvlist_create(0); 1313 nvlist_add_number(limits, SYSCTL0_NAME, 1314 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1315 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1316 limits = nvlist_create(0); 1317 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1318 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1319 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1320 limits = nvlist_create(0); 1321 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1322 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1323 1324 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1325 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1326 1327 cap_close(capsysctl); 1328 1329 /* 1330 * Allow: 1331 * SYSCTL0_PARENT/READ 1332 */ 1333 1334 capsysctl = cap_clone(origcapsysctl); 1335 CHECK(capsysctl != NULL); 1336 1337 limits = nvlist_create(0); 1338 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1339 CHECK(cap_limit_set(capsysctl, limits) == 0); 1340 limits = nvlist_create(0); 1341 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1342 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1343 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1344 limits = nvlist_create(0); 1345 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1346 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1347 1348 CHECK(runtest(capsysctl) == 0); 1349 1350 cap_close(capsysctl); 1351 1352 /* 1353 * Allow: 1354 * SYSCTL1_NAME/READ 1355 */ 1356 1357 capsysctl = cap_clone(origcapsysctl); 1358 CHECK(capsysctl != NULL); 1359 1360 limits = nvlist_create(0); 1361 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1362 CHECK(cap_limit_set(capsysctl, limits) == 0); 1363 limits = nvlist_create(0); 1364 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1365 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1366 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1367 limits = nvlist_create(0); 1368 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1369 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1370 1371 CHECK(runtest(capsysctl) == SYSCTL1_READ0); 1372 1373 cap_close(capsysctl); 1374 1375 /* 1376 * Allow: 1377 * SYSCTL0_PARENT/WRITE 1378 */ 1379 1380 capsysctl = cap_clone(origcapsysctl); 1381 CHECK(capsysctl != NULL); 1382 1383 limits = nvlist_create(0); 1384 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1385 CHECK(cap_limit_set(capsysctl, limits) == 0); 1386 limits = nvlist_create(0); 1387 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1388 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1389 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1390 limits = nvlist_create(0); 1391 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1392 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1393 1394 CHECK(runtest(capsysctl) == 0); 1395 1396 cap_close(capsysctl); 1397 1398 /* 1399 * Allow: 1400 * SYSCTL1_NAME/WRITE 1401 */ 1402 1403 capsysctl = cap_clone(origcapsysctl); 1404 CHECK(capsysctl != NULL); 1405 1406 limits = nvlist_create(0); 1407 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1408 CHECK(cap_limit_set(capsysctl, limits) == 0); 1409 limits = nvlist_create(0); 1410 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1411 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1412 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1413 limits = nvlist_create(0); 1414 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1415 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1416 1417 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 1418 1419 cap_close(capsysctl); 1420 1421 /* 1422 * Allow: 1423 * SYSCTL0_PARENT/RDWR 1424 */ 1425 1426 capsysctl = cap_clone(origcapsysctl); 1427 CHECK(capsysctl != NULL); 1428 1429 limits = nvlist_create(0); 1430 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1431 CHECK(cap_limit_set(capsysctl, limits) == 0); 1432 limits = nvlist_create(0); 1433 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1434 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1435 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1436 limits = nvlist_create(0); 1437 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1438 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1439 1440 CHECK(runtest(capsysctl) == 0); 1441 1442 cap_close(capsysctl); 1443 1444 /* 1445 * Allow: 1446 * SYSCTL1_NAME/RDWR 1447 */ 1448 1449 capsysctl = cap_clone(origcapsysctl); 1450 CHECK(capsysctl != NULL); 1451 1452 limits = nvlist_create(0); 1453 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1454 CHECK(cap_limit_set(capsysctl, limits) == 0); 1455 limits = nvlist_create(0); 1456 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1457 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1458 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1459 limits = nvlist_create(0); 1460 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1461 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1462 1463 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1464 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1465 1466 cap_close(capsysctl); 1467 } 1468 1469 int 1470 main(void) 1471 { 1472 cap_channel_t *capcas, *capsysctl; 1473 int scvalue0, scvalue1; 1474 size_t scsize; 1475 1476 printf("1..256\n"); 1477 fflush(stdout); 1478 1479 scsize = sizeof(scvalue0); 1480 CHECKX(sysctlbyname(SYSCTL0_NAME, &scvalue0, &scsize, NULL, 0) == 0); 1481 CHECKX(scsize == sizeof(scvalue0)); 1482 scsize = sizeof(scvalue1); 1483 CHECKX(sysctlbyname(SYSCTL1_NAME, &scvalue1, &scsize, NULL, 0) == 0); 1484 CHECKX(scsize == sizeof(scvalue1)); 1485 1486 capcas = cap_init(); 1487 CHECKX(capcas != NULL); 1488 1489 capsysctl = cap_service_open(capcas, "system.sysctl"); 1490 CHECKX(capsysctl != NULL); 1491 1492 cap_close(capcas); 1493 1494 /* No limits set. */ 1495 1496 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1497 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 1498 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 1499 SYSCTL1_READ_WRITE)); 1500 1501 test_operation(capsysctl); 1502 1503 test_names(capsysctl); 1504 1505 cap_close(capsysctl); 1506 1507 CHECK(sysctlbyname(SYSCTL0_NAME, NULL, NULL, &scvalue0, 1508 sizeof(scvalue0)) == 0); 1509 CHECK(sysctlbyname(SYSCTL1_NAME, NULL, NULL, &scvalue1, 1510 sizeof(scvalue1)) == 0); 1511 1512 exit(0); 1513 } 1514