1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2013, 2018 The FreeBSD Foundation 5 * 6 * This software was developed by Pawel Jakub Dawidek under sponsorship from 7 * the FreeBSD Foundation. 8 * 9 * Portions of this software were developed by Mark Johnston 10 * under sponsorship from the FreeBSD Foundation. 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/types.h> 35 #include <sys/capsicum.h> 36 #include <sys/sysctl.h> 37 #include <sys/nv.h> 38 39 #include <assert.h> 40 #include <err.h> 41 #include <errno.h> 42 #include <netdb.h> 43 #include <stdio.h> 44 #include <stdlib.h> 45 #include <string.h> 46 #include <unistd.h> 47 48 #include <libcasper.h> 49 #include <casper/cap_sysctl.h> 50 51 #include <atf-c.h> 52 53 /* 54 * We need some sysctls to perform the tests on. 55 * We remember their values and restore them afer the test is done. 56 */ 57 #define SYSCTL0_PARENT "kern" 58 #define SYSCTL0_NAME "kern.sync_on_panic" 59 #define SYSCTL0_FILE "./sysctl0" 60 #define SYSCTL1_PARENT "debug" 61 #define SYSCTL1_NAME "debug.minidump" 62 #define SYSCTL1_FILE "./sysctl1" 63 64 #define SYSCTL0_READ0 0x0001 65 #define SYSCTL0_READ1 0x0002 66 #define SYSCTL0_READ2 0x0004 67 #define SYSCTL0_WRITE 0x0008 68 #define SYSCTL0_READ_WRITE 0x0010 69 #define SYSCTL1_READ0 0x0020 70 #define SYSCTL1_READ1 0x0040 71 #define SYSCTL1_READ2 0x0080 72 #define SYSCTL1_WRITE 0x0100 73 #define SYSCTL1_READ_WRITE 0x0200 74 75 static void 76 save_int_sysctl(const char *name, const char *file) 77 { 78 ssize_t n; 79 size_t sz; 80 int error, fd, val; 81 82 sz = sizeof(val); 83 error = sysctlbyname(name, &val, &sz, NULL, 0); 84 ATF_REQUIRE_MSG(error == 0, 85 "sysctlbyname(%s): %s", name, strerror(errno)); 86 87 fd = open(file, O_CREAT | O_WRONLY, 0600); 88 ATF_REQUIRE_MSG(fd >= 0, "open(%s): %s", file, strerror(errno)); 89 n = write(fd, &val, sz); 90 ATF_REQUIRE(n >= 0 && (size_t)n == sz); 91 error = close(fd); 92 ATF_REQUIRE(error == 0); 93 } 94 95 static void 96 restore_int_sysctl(const char *name, const char *file) 97 { 98 ssize_t n; 99 size_t sz; 100 int error, fd, val; 101 102 fd = open(file, O_RDONLY); 103 ATF_REQUIRE(fd >= 0); 104 sz = sizeof(val); 105 n = read(fd, &val, sz); 106 ATF_REQUIRE(n >= 0 && (size_t)n == sz); 107 error = unlink(file); 108 ATF_REQUIRE(error == 0); 109 error = close(fd); 110 ATF_REQUIRE(error == 0); 111 112 error = sysctlbyname(name, NULL, NULL, &val, sz); 113 ATF_REQUIRE_MSG(error == 0, 114 "sysctlbyname(%s): %s", name, strerror(errno)); 115 } 116 117 static cap_channel_t * 118 initcap(void) 119 { 120 cap_channel_t *capcas, *capsysctl; 121 122 save_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE); 123 save_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE); 124 125 capcas = cap_init(); 126 ATF_REQUIRE(capcas != NULL); 127 128 capsysctl = cap_service_open(capcas, "system.sysctl"); 129 ATF_REQUIRE(capsysctl != NULL); 130 131 cap_close(capcas); 132 133 return (capsysctl); 134 } 135 136 static void 137 cleanup(void) 138 { 139 140 restore_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE); 141 restore_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE); 142 } 143 144 static unsigned int 145 checkcaps(cap_channel_t *capsysctl) 146 { 147 unsigned int result; 148 size_t len0, len1, oldsize; 149 int error, mib0[2], mib1[2], oldvalue, newvalue; 150 151 result = 0; 152 153 len0 = nitems(mib0); 154 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len0) == 0); 155 len1 = nitems(mib1); 156 ATF_REQUIRE(sysctlnametomib(SYSCTL1_NAME, mib1, &len1) == 0); 157 158 oldsize = sizeof(oldvalue); 159 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 160 NULL, 0) == 0) { 161 if (oldsize == sizeof(oldvalue)) 162 result |= SYSCTL0_READ0; 163 } 164 error = cap_sysctl(capsysctl, mib0, len0, &oldvalue, &oldsize, NULL, 0); 165 if ((result & SYSCTL0_READ0) != 0) 166 ATF_REQUIRE(error == 0); 167 else 168 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 169 170 newvalue = 123; 171 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue, 172 sizeof(newvalue)) == 0) { 173 result |= SYSCTL0_WRITE; 174 } 175 176 if ((result & SYSCTL0_WRITE) != 0) { 177 oldsize = sizeof(oldvalue); 178 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 179 &oldsize, NULL, 0) == 0) { 180 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 181 result |= SYSCTL0_READ1; 182 } 183 } 184 newvalue = 123; 185 error = cap_sysctl(capsysctl, mib0, len0, NULL, NULL, 186 &newvalue, sizeof(newvalue)); 187 if ((result & SYSCTL0_WRITE) != 0) 188 ATF_REQUIRE(error == 0); 189 else 190 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 191 192 oldsize = sizeof(oldvalue); 193 newvalue = 4567; 194 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 195 &newvalue, sizeof(newvalue)) == 0) { 196 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 197 result |= SYSCTL0_READ_WRITE; 198 } 199 200 if ((result & SYSCTL0_READ_WRITE) != 0) { 201 oldsize = sizeof(oldvalue); 202 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 203 &oldsize, NULL, 0) == 0) { 204 if (oldsize == sizeof(oldvalue) && oldvalue == 4567) 205 result |= SYSCTL0_READ2; 206 } 207 } 208 209 oldsize = sizeof(oldvalue); 210 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 211 NULL, 0) == 0) { 212 if (oldsize == sizeof(oldvalue)) 213 result |= SYSCTL1_READ0; 214 } 215 error = cap_sysctl(capsysctl, mib1, len1, &oldvalue, &oldsize, NULL, 0); 216 if ((result & SYSCTL1_READ0) != 0) 217 ATF_REQUIRE(error == 0); 218 else 219 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 220 221 newvalue = 506; 222 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue, 223 sizeof(newvalue)) == 0) { 224 result |= SYSCTL1_WRITE; 225 } 226 227 if ((result & SYSCTL1_WRITE) != 0) { 228 newvalue = 506; 229 ATF_REQUIRE(cap_sysctl(capsysctl, mib1, len1, NULL, NULL, 230 &newvalue, sizeof(newvalue)) == 0); 231 232 oldsize = sizeof(oldvalue); 233 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 234 &oldsize, NULL, 0) == 0) { 235 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 236 result |= SYSCTL1_READ1; 237 } 238 } 239 newvalue = 506; 240 error = cap_sysctl(capsysctl, mib1, len1, NULL, NULL, 241 &newvalue, sizeof(newvalue)); 242 if ((result & SYSCTL1_WRITE) != 0) 243 ATF_REQUIRE(error == 0); 244 else 245 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 246 247 oldsize = sizeof(oldvalue); 248 newvalue = 7008; 249 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 250 &newvalue, sizeof(newvalue)) == 0) { 251 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 252 result |= SYSCTL1_READ_WRITE; 253 } 254 255 if ((result & SYSCTL1_READ_WRITE) != 0) { 256 oldsize = sizeof(oldvalue); 257 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 258 &oldsize, NULL, 0) == 0) { 259 if (oldsize == sizeof(oldvalue) && oldvalue == 7008) 260 result |= SYSCTL1_READ2; 261 } 262 } 263 264 return (result); 265 } 266 267 ATF_TC_WITH_CLEANUP(cap_sysctl__operation); 268 ATF_TC_HEAD(cap_sysctl__operation, tc) 269 { 270 } 271 ATF_TC_BODY(cap_sysctl__operation, tc) 272 { 273 cap_channel_t *capsysctl, *ocapsysctl; 274 void *limit; 275 276 ocapsysctl = initcap(); 277 278 /* 279 * Allow: 280 * SYSCTL0_PARENT/RDWR/RECURSIVE 281 * SYSCTL1_PARENT/RDWR/RECURSIVE 282 */ 283 284 capsysctl = cap_clone(ocapsysctl); 285 ATF_REQUIRE(capsysctl != NULL); 286 287 limit = cap_sysctl_limit_init(capsysctl); 288 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 289 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 290 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 291 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 292 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 293 294 limit = cap_sysctl_limit_init(capsysctl); 295 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 296 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 297 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 298 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 299 (void)cap_sysctl_limit_name(limit, "foo.bar", 300 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 301 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 302 303 limit = cap_sysctl_limit_init(capsysctl); 304 (void)cap_sysctl_limit_name(limit, "foo.bar", 305 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 306 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 307 308 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 309 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 310 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 311 SYSCTL1_READ_WRITE)); 312 313 limit = cap_sysctl_limit_init(capsysctl); 314 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 315 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 316 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 317 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 318 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 319 320 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 321 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 322 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 323 SYSCTL1_READ_WRITE)); 324 325 limit = cap_sysctl_limit_init(capsysctl); 326 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 327 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 328 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 329 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 330 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 331 332 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 333 334 limit = cap_sysctl_limit_init(capsysctl); 335 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 336 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 337 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 338 339 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 340 341 limit = cap_sysctl_limit_init(capsysctl); 342 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 343 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 344 345 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0); 346 347 cap_close(capsysctl); 348 349 /* 350 * Allow: 351 * SYSCTL0_NAME/RDWR/RECURSIVE 352 * SYSCTL1_NAME/RDWR/RECURSIVE 353 */ 354 355 capsysctl = cap_clone(ocapsysctl); 356 ATF_REQUIRE(capsysctl != NULL); 357 358 limit = cap_sysctl_limit_init(capsysctl); 359 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 360 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 361 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 362 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 363 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 364 365 limit = cap_sysctl_limit_init(capsysctl); 366 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 367 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 368 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 369 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 370 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 371 limit = cap_sysctl_limit_init(capsysctl); 372 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 373 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 374 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 375 limit = cap_sysctl_limit_init(capsysctl); 376 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 377 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 378 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 379 limit = cap_sysctl_limit_init(capsysctl); 380 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 381 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 382 383 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 384 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 385 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 386 SYSCTL1_READ_WRITE)); 387 388 cap_close(capsysctl); 389 390 /* 391 * Allow: 392 * SYSCTL0_PARENT/RDWR 393 * SYSCTL1_PARENT/RDWR 394 */ 395 396 capsysctl = cap_clone(ocapsysctl); 397 ATF_REQUIRE(capsysctl != NULL); 398 399 limit = cap_sysctl_limit_init(capsysctl); 400 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 401 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 402 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 403 limit = cap_sysctl_limit_init(capsysctl); 404 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 405 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 406 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 407 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 408 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 409 limit = cap_sysctl_limit_init(capsysctl); 410 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 411 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 412 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 413 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 414 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 415 limit = cap_sysctl_limit_init(capsysctl); 416 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 417 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 418 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 419 420 ATF_REQUIRE(checkcaps(capsysctl) == 0); 421 422 cap_close(capsysctl); 423 424 /* 425 * Allow: 426 * SYSCTL0_NAME/RDWR 427 * SYSCTL1_NAME/RDWR 428 */ 429 430 capsysctl = cap_clone(ocapsysctl); 431 ATF_REQUIRE(capsysctl != NULL); 432 433 limit = cap_sysctl_limit_init(capsysctl); 434 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 435 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 436 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 437 limit = cap_sysctl_limit_init(capsysctl); 438 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 439 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 440 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 441 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 442 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 443 limit = cap_sysctl_limit_init(capsysctl); 444 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 445 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 446 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 447 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 448 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 449 limit = cap_sysctl_limit_init(capsysctl); 450 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 451 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 452 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 453 454 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 455 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 456 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 457 SYSCTL1_READ_WRITE)); 458 459 cap_close(capsysctl); 460 461 /* 462 * Allow: 463 * SYSCTL0_PARENT/RDWR 464 * SYSCTL1_PARENT/RDWR/RECURSIVE 465 */ 466 467 capsysctl = cap_clone(ocapsysctl); 468 ATF_REQUIRE(capsysctl != NULL); 469 470 limit = cap_sysctl_limit_init(capsysctl); 471 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 472 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 473 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 474 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 475 limit = cap_sysctl_limit_init(capsysctl); 476 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 477 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 478 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 479 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 480 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 481 limit = cap_sysctl_limit_init(capsysctl); 482 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 483 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 484 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 485 limit = cap_sysctl_limit_init(capsysctl); 486 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 487 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 488 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 489 limit = cap_sysctl_limit_init(capsysctl); 490 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 491 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 492 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 493 494 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 495 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 496 497 cap_close(capsysctl); 498 499 /* 500 * Allow: 501 * SYSCTL0_NAME/RDWR 502 * SYSCTL1_NAME/RDWR/RECURSIVE 503 */ 504 505 capsysctl = cap_clone(ocapsysctl); 506 ATF_REQUIRE(capsysctl != NULL); 507 508 limit = cap_sysctl_limit_init(capsysctl); 509 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 510 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 511 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 512 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 513 limit = cap_sysctl_limit_init(capsysctl); 514 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 515 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 516 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 517 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 518 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 519 limit = cap_sysctl_limit_init(capsysctl); 520 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 521 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 522 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 523 limit = cap_sysctl_limit_init(capsysctl); 524 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 525 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 526 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 527 528 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 529 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 530 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 531 SYSCTL1_READ_WRITE)); 532 533 cap_close(capsysctl); 534 535 /* 536 * Allow: 537 * SYSCTL0_PARENT/READ/RECURSIVE 538 * SYSCTL1_PARENT/READ/RECURSIVE 539 */ 540 541 capsysctl = cap_clone(ocapsysctl); 542 ATF_REQUIRE(capsysctl != NULL); 543 544 limit = cap_sysctl_limit_init(capsysctl); 545 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 546 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 547 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 548 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 549 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 550 limit = cap_sysctl_limit_init(capsysctl); 551 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 552 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 553 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 554 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 555 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 556 limit = cap_sysctl_limit_init(capsysctl); 557 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 558 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 559 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 560 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 561 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 562 limit = cap_sysctl_limit_init(capsysctl); 563 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 564 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 565 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 566 limit = cap_sysctl_limit_init(capsysctl); 567 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 568 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 569 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 570 limit = cap_sysctl_limit_init(capsysctl); 571 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 572 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 573 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 574 limit = cap_sysctl_limit_init(capsysctl); 575 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 576 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 577 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 578 limit = cap_sysctl_limit_init(capsysctl); 579 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 580 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 581 limit = cap_sysctl_limit_init(capsysctl); 582 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 583 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 584 585 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 586 587 cap_close(capsysctl); 588 589 /* 590 * Allow: 591 * SYSCTL0_NAME/READ/RECURSIVE 592 * SYSCTL1_NAME/READ/RECURSIVE 593 */ 594 595 capsysctl = cap_clone(ocapsysctl); 596 ATF_REQUIRE(capsysctl != NULL); 597 598 limit = cap_sysctl_limit_init(capsysctl); 599 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 600 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 601 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 602 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 603 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 604 limit = cap_sysctl_limit_init(capsysctl); 605 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 606 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 607 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 608 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 609 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 610 limit = cap_sysctl_limit_init(capsysctl); 611 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 612 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 613 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 614 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 615 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 616 limit = cap_sysctl_limit_init(capsysctl); 617 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 618 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 619 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 620 limit = cap_sysctl_limit_init(capsysctl); 621 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 622 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 623 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 624 limit = cap_sysctl_limit_init(capsysctl); 625 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 626 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 627 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 628 limit = cap_sysctl_limit_init(capsysctl); 629 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 630 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 631 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 632 limit = cap_sysctl_limit_init(capsysctl); 633 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 634 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 635 limit = cap_sysctl_limit_init(capsysctl); 636 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 637 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 638 639 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 640 641 cap_close(capsysctl); 642 643 /* 644 * Allow: 645 * SYSCTL0_PARENT/READ 646 * SYSCTL1_PARENT/READ 647 */ 648 649 capsysctl = cap_clone(ocapsysctl); 650 ATF_REQUIRE(capsysctl != NULL); 651 652 limit = cap_sysctl_limit_init(capsysctl); 653 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 654 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 655 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 656 limit = cap_sysctl_limit_init(capsysctl); 657 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 658 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 659 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 660 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 661 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 662 limit = cap_sysctl_limit_init(capsysctl); 663 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 664 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 665 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 666 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 667 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 668 limit = cap_sysctl_limit_init(capsysctl); 669 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 670 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 671 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 672 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 673 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 674 limit = cap_sysctl_limit_init(capsysctl); 675 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 676 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 677 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 678 limit = cap_sysctl_limit_init(capsysctl); 679 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 680 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 681 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 682 limit = cap_sysctl_limit_init(capsysctl); 683 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 684 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 685 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 686 limit = cap_sysctl_limit_init(capsysctl); 687 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 688 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 689 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 690 limit = cap_sysctl_limit_init(capsysctl); 691 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 692 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 693 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 694 limit = cap_sysctl_limit_init(capsysctl); 695 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 696 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 697 limit = cap_sysctl_limit_init(capsysctl); 698 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 699 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 700 701 ATF_REQUIRE(checkcaps(capsysctl) == 0); 702 703 cap_close(capsysctl); 704 705 /* 706 * Allow: 707 * SYSCTL0_NAME/READ 708 * SYSCTL1_NAME/READ 709 */ 710 711 capsysctl = cap_clone(ocapsysctl); 712 ATF_REQUIRE(capsysctl != NULL); 713 714 limit = cap_sysctl_limit_init(capsysctl); 715 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 716 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 717 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 718 limit = cap_sysctl_limit_init(capsysctl); 719 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 720 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 721 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 722 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 723 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 724 limit = cap_sysctl_limit_init(capsysctl); 725 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 726 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 727 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 728 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 729 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 730 limit = cap_sysctl_limit_init(capsysctl); 731 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 732 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 733 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 734 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 735 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 736 limit = cap_sysctl_limit_init(capsysctl); 737 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 738 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 739 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 740 limit = cap_sysctl_limit_init(capsysctl); 741 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 742 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 743 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 744 limit = cap_sysctl_limit_init(capsysctl); 745 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 746 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 747 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 748 limit = cap_sysctl_limit_init(capsysctl); 749 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 750 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 751 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 752 limit = cap_sysctl_limit_init(capsysctl); 753 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 754 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 755 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 756 limit = cap_sysctl_limit_init(capsysctl); 757 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 758 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 759 limit = cap_sysctl_limit_init(capsysctl); 760 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 761 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 762 763 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 764 765 cap_close(capsysctl); 766 767 /* 768 * Allow: 769 * SYSCTL0_PARENT/READ 770 * SYSCTL1_PARENT/READ/RECURSIVE 771 */ 772 773 capsysctl = cap_clone(ocapsysctl); 774 ATF_REQUIRE(capsysctl != NULL); 775 776 limit = cap_sysctl_limit_init(capsysctl); 777 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 778 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 779 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 780 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 781 limit = cap_sysctl_limit_init(capsysctl); 782 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 783 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 784 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 785 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 786 787 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 788 789 cap_close(capsysctl); 790 791 /* 792 * Allow: 793 * SYSCTL0_NAME/READ 794 * SYSCTL1_NAME/READ/RECURSIVE 795 */ 796 797 capsysctl = cap_clone(ocapsysctl); 798 ATF_REQUIRE(capsysctl != NULL); 799 800 limit = cap_sysctl_limit_init(capsysctl); 801 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 802 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 803 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 804 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 805 limit = cap_sysctl_limit_init(capsysctl); 806 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 807 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 808 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 809 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 810 811 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 812 813 cap_close(capsysctl); 814 815 /* 816 * Allow: 817 * SYSCTL0_PARENT/WRITE/RECURSIVE 818 * SYSCTL1_PARENT/WRITE/RECURSIVE 819 */ 820 821 capsysctl = cap_clone(ocapsysctl); 822 ATF_REQUIRE(capsysctl != NULL); 823 824 limit = cap_sysctl_limit_init(capsysctl); 825 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 826 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 827 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 828 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 829 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 830 limit = cap_sysctl_limit_init(capsysctl); 831 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 832 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 833 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 834 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 835 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 836 limit = cap_sysctl_limit_init(capsysctl); 837 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 838 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 839 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 840 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 841 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 842 limit = cap_sysctl_limit_init(capsysctl); 843 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 844 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 845 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 846 limit = cap_sysctl_limit_init(capsysctl); 847 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 848 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 849 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 850 limit = cap_sysctl_limit_init(capsysctl); 851 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 852 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 853 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 854 limit = cap_sysctl_limit_init(capsysctl); 855 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 856 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 857 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 858 limit = cap_sysctl_limit_init(capsysctl); 859 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 860 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 861 limit = cap_sysctl_limit_init(capsysctl); 862 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 863 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 864 865 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 866 867 cap_close(capsysctl); 868 869 /* 870 * Allow: 871 * SYSCTL0_NAME/WRITE/RECURSIVE 872 * SYSCTL1_NAME/WRITE/RECURSIVE 873 */ 874 875 capsysctl = cap_clone(ocapsysctl); 876 ATF_REQUIRE(capsysctl != NULL); 877 878 limit = cap_sysctl_limit_init(capsysctl); 879 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 880 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 881 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 882 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 883 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 884 limit = cap_sysctl_limit_init(capsysctl); 885 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 886 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 887 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 888 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 889 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 890 limit = cap_sysctl_limit_init(capsysctl); 891 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 892 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 893 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 894 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 895 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 896 limit = cap_sysctl_limit_init(capsysctl); 897 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 898 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 899 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 900 limit = cap_sysctl_limit_init(capsysctl); 901 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 902 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 903 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 904 limit = cap_sysctl_limit_init(capsysctl); 905 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 906 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 907 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 908 limit = cap_sysctl_limit_init(capsysctl); 909 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 910 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 911 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 912 limit = cap_sysctl_limit_init(capsysctl); 913 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 914 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 915 limit = cap_sysctl_limit_init(capsysctl); 916 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 917 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 918 919 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 920 921 cap_close(capsysctl); 922 923 /* 924 * Allow: 925 * SYSCTL0_PARENT/WRITE 926 * SYSCTL1_PARENT/WRITE 927 */ 928 929 capsysctl = cap_clone(ocapsysctl); 930 ATF_REQUIRE(capsysctl != NULL); 931 932 limit = cap_sysctl_limit_init(capsysctl); 933 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 934 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 935 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 936 limit = cap_sysctl_limit_init(capsysctl); 937 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 938 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 939 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 940 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 941 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 942 limit = cap_sysctl_limit_init(capsysctl); 943 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 944 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 945 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 946 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 947 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 948 limit = cap_sysctl_limit_init(capsysctl); 949 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 950 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 951 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 952 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 953 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 954 limit = cap_sysctl_limit_init(capsysctl); 955 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 956 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 957 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 958 limit = cap_sysctl_limit_init(capsysctl); 959 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 960 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 961 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 962 limit = cap_sysctl_limit_init(capsysctl); 963 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 964 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 965 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 966 limit = cap_sysctl_limit_init(capsysctl); 967 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 968 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 969 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 970 limit = cap_sysctl_limit_init(capsysctl); 971 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 972 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 973 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 974 limit = cap_sysctl_limit_init(capsysctl); 975 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 976 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 977 limit = cap_sysctl_limit_init(capsysctl); 978 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 979 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 980 981 ATF_REQUIRE(checkcaps(capsysctl) == 0); 982 983 cap_close(capsysctl); 984 985 /* 986 * Allow: 987 * SYSCTL0_NAME/WRITE 988 * SYSCTL1_NAME/WRITE 989 */ 990 991 capsysctl = cap_clone(ocapsysctl); 992 ATF_REQUIRE(capsysctl != NULL); 993 994 limit = cap_sysctl_limit_init(capsysctl); 995 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 996 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 997 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 998 limit = cap_sysctl_limit_init(capsysctl); 999 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1000 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1001 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1002 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1003 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1004 limit = cap_sysctl_limit_init(capsysctl); 1005 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1006 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1007 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1008 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1009 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1010 limit = cap_sysctl_limit_init(capsysctl); 1011 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1012 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1013 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1014 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1015 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1016 limit = cap_sysctl_limit_init(capsysctl); 1017 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1018 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1019 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1020 limit = cap_sysctl_limit_init(capsysctl); 1021 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1022 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1023 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1024 limit = cap_sysctl_limit_init(capsysctl); 1025 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1026 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1027 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1028 limit = cap_sysctl_limit_init(capsysctl); 1029 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1030 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1031 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1032 limit = cap_sysctl_limit_init(capsysctl); 1033 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1034 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1035 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1036 limit = cap_sysctl_limit_init(capsysctl); 1037 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1038 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1039 limit = cap_sysctl_limit_init(capsysctl); 1040 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1041 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1042 1043 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 1044 1045 cap_close(capsysctl); 1046 1047 /* 1048 * Allow: 1049 * SYSCTL0_PARENT/WRITE 1050 * SYSCTL1_PARENT/WRITE/RECURSIVE 1051 */ 1052 1053 capsysctl = cap_clone(ocapsysctl); 1054 ATF_REQUIRE(capsysctl != NULL); 1055 1056 limit = cap_sysctl_limit_init(capsysctl); 1057 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1058 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1059 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1060 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1061 limit = cap_sysctl_limit_init(capsysctl); 1062 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1063 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1064 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1065 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1066 1067 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1068 1069 cap_close(capsysctl); 1070 1071 /* 1072 * Allow: 1073 * SYSCTL0_NAME/WRITE 1074 * SYSCTL1_NAME/WRITE/RECURSIVE 1075 */ 1076 1077 capsysctl = cap_clone(ocapsysctl); 1078 ATF_REQUIRE(capsysctl != NULL); 1079 1080 limit = cap_sysctl_limit_init(capsysctl); 1081 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1082 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1083 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1084 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1085 limit = cap_sysctl_limit_init(capsysctl); 1086 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1087 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1088 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1089 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1090 1091 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 1092 1093 cap_close(capsysctl); 1094 1095 /* 1096 * Allow: 1097 * SYSCTL0_PARENT/READ/RECURSIVE 1098 * SYSCTL1_PARENT/WRITE/RECURSIVE 1099 */ 1100 1101 capsysctl = cap_clone(ocapsysctl); 1102 ATF_REQUIRE(capsysctl != NULL); 1103 1104 limit = cap_sysctl_limit_init(capsysctl); 1105 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1106 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1107 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1108 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1109 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1110 1111 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1112 1113 cap_close(capsysctl); 1114 1115 /* 1116 * Allow: 1117 * SYSCTL0_NAME/READ/RECURSIVE 1118 * SYSCTL1_NAME/WRITE/RECURSIVE 1119 */ 1120 1121 capsysctl = cap_clone(ocapsysctl); 1122 ATF_REQUIRE(capsysctl != NULL); 1123 1124 limit = cap_sysctl_limit_init(capsysctl); 1125 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1126 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1127 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1128 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1129 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1130 1131 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1132 1133 cap_close(capsysctl); 1134 1135 /* 1136 * Allow: 1137 * SYSCTL0_PARENT/READ 1138 * SYSCTL1_PARENT/WRITE 1139 */ 1140 1141 capsysctl = cap_clone(ocapsysctl); 1142 ATF_REQUIRE(capsysctl != NULL); 1143 1144 limit = cap_sysctl_limit_init(capsysctl); 1145 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1146 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1147 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1148 1149 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1150 1151 cap_close(capsysctl); 1152 1153 /* 1154 * Allow: 1155 * SYSCTL0_NAME/READ 1156 * SYSCTL1_NAME/WRITE 1157 */ 1158 1159 capsysctl = cap_clone(ocapsysctl); 1160 ATF_REQUIRE(capsysctl != NULL); 1161 1162 limit = cap_sysctl_limit_init(capsysctl); 1163 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1164 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1165 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1166 1167 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1168 1169 cap_close(capsysctl); 1170 1171 /* 1172 * Allow: 1173 * SYSCTL0_PARENT/READ 1174 * SYSCTL1_PARENT/WRITE/RECURSIVE 1175 */ 1176 1177 capsysctl = cap_clone(ocapsysctl); 1178 ATF_REQUIRE(capsysctl != NULL); 1179 1180 limit = cap_sysctl_limit_init(capsysctl); 1181 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1182 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1183 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1184 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1185 1186 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1187 1188 cap_close(capsysctl); 1189 1190 /* 1191 * Allow: 1192 * SYSCTL0_NAME/READ 1193 * SYSCTL1_NAME/WRITE/RECURSIVE 1194 */ 1195 1196 capsysctl = cap_clone(ocapsysctl); 1197 ATF_REQUIRE(capsysctl != NULL); 1198 1199 limit = cap_sysctl_limit_init(capsysctl); 1200 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1201 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1202 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1203 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1204 1205 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1206 1207 cap_close(capsysctl); 1208 } 1209 ATF_TC_CLEANUP(cap_sysctl__operation, tc) 1210 { 1211 cleanup(); 1212 } 1213 1214 ATF_TC_WITH_CLEANUP(cap_sysctl__names); 1215 ATF_TC_HEAD(cap_sysctl__names, tc) 1216 { 1217 } 1218 ATF_TC_BODY(cap_sysctl__names, tc) 1219 { 1220 cap_channel_t *capsysctl, *ocapsysctl; 1221 void *limit; 1222 1223 ocapsysctl = initcap(); 1224 1225 /* 1226 * Allow: 1227 * SYSCTL0_PARENT/READ/RECURSIVE 1228 */ 1229 1230 capsysctl = cap_clone(ocapsysctl); 1231 ATF_REQUIRE(capsysctl != NULL); 1232 1233 limit = cap_sysctl_limit_init(capsysctl); 1234 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1235 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1236 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1237 limit = cap_sysctl_limit_init(capsysctl); 1238 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1239 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1240 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1241 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1242 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1243 limit = cap_sysctl_limit_init(capsysctl); 1244 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1245 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1246 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1247 limit = cap_sysctl_limit_init(capsysctl); 1248 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1249 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1250 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1251 limit = cap_sysctl_limit_init(capsysctl); 1252 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1253 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1254 1255 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0); 1256 1257 cap_close(capsysctl); 1258 1259 /* 1260 * Allow: 1261 * SYSCTL1_NAME/READ/RECURSIVE 1262 */ 1263 1264 capsysctl = cap_clone(ocapsysctl); 1265 ATF_REQUIRE(capsysctl != NULL); 1266 1267 limit = cap_sysctl_limit_init(capsysctl); 1268 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1269 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1270 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1271 limit = cap_sysctl_limit_init(capsysctl); 1272 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1273 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1274 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1275 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1276 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1277 limit = cap_sysctl_limit_init(capsysctl); 1278 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1279 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1280 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1281 limit = cap_sysctl_limit_init(capsysctl); 1282 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1283 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1284 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1285 limit = cap_sysctl_limit_init(capsysctl); 1286 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1287 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1288 1289 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 1290 1291 cap_close(capsysctl); 1292 1293 /* 1294 * Allow: 1295 * SYSCTL0_PARENT/WRITE/RECURSIVE 1296 */ 1297 1298 capsysctl = cap_clone(ocapsysctl); 1299 ATF_REQUIRE(capsysctl != NULL); 1300 1301 limit = cap_sysctl_limit_init(capsysctl); 1302 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1303 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1304 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1305 limit = cap_sysctl_limit_init(capsysctl); 1306 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1307 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1308 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1309 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1310 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1311 limit = cap_sysctl_limit_init(capsysctl); 1312 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1313 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1314 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1315 limit = cap_sysctl_limit_init(capsysctl); 1316 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1317 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1318 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1319 limit = cap_sysctl_limit_init(capsysctl); 1320 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1321 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1322 1323 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_WRITE); 1324 1325 cap_close(capsysctl); 1326 1327 /* 1328 * Allow: 1329 * SYSCTL1_NAME/WRITE/RECURSIVE 1330 */ 1331 1332 capsysctl = cap_clone(ocapsysctl); 1333 ATF_REQUIRE(capsysctl != NULL); 1334 1335 limit = cap_sysctl_limit_init(capsysctl); 1336 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1337 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1338 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1339 limit = cap_sysctl_limit_init(capsysctl); 1340 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1341 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1342 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1343 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1344 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1345 limit = cap_sysctl_limit_init(capsysctl); 1346 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1347 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1348 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1349 limit = cap_sysctl_limit_init(capsysctl); 1350 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1351 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1352 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1353 limit = cap_sysctl_limit_init(capsysctl); 1354 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1355 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1356 1357 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1358 1359 cap_close(capsysctl); 1360 1361 /* 1362 * Allow: 1363 * SYSCTL0_PARENT/RDWR/RECURSIVE 1364 */ 1365 1366 capsysctl = cap_clone(ocapsysctl); 1367 ATF_REQUIRE(capsysctl != NULL); 1368 1369 limit = cap_sysctl_limit_init(capsysctl); 1370 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1371 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1372 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1373 limit = cap_sysctl_limit_init(capsysctl); 1374 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1375 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1376 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1377 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1378 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1379 limit = cap_sysctl_limit_init(capsysctl); 1380 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1381 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1382 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1383 limit = cap_sysctl_limit_init(capsysctl); 1384 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1385 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1386 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1387 limit = cap_sysctl_limit_init(capsysctl); 1388 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1389 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1390 1391 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1392 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE)); 1393 1394 cap_close(capsysctl); 1395 1396 /* 1397 * Allow: 1398 * SYSCTL1_NAME/RDWR/RECURSIVE 1399 */ 1400 1401 capsysctl = cap_clone(ocapsysctl); 1402 ATF_REQUIRE(capsysctl != NULL); 1403 1404 limit = cap_sysctl_limit_init(capsysctl); 1405 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1406 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1407 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1408 limit = cap_sysctl_limit_init(capsysctl); 1409 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1410 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1411 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1412 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1413 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1414 limit = cap_sysctl_limit_init(capsysctl); 1415 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1416 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1417 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1418 limit = cap_sysctl_limit_init(capsysctl); 1419 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1420 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1421 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1422 limit = cap_sysctl_limit_init(capsysctl); 1423 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1424 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1425 1426 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1427 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1428 1429 cap_close(capsysctl); 1430 1431 /* 1432 * Allow: 1433 * SYSCTL0_PARENT/READ 1434 */ 1435 1436 capsysctl = cap_clone(ocapsysctl); 1437 ATF_REQUIRE(capsysctl != NULL); 1438 1439 limit = cap_sysctl_limit_init(capsysctl); 1440 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1441 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1442 limit = cap_sysctl_limit_init(capsysctl); 1443 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1444 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1445 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1446 limit = cap_sysctl_limit_init(capsysctl); 1447 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1448 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1449 1450 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1451 1452 cap_close(capsysctl); 1453 1454 /* 1455 * Allow: 1456 * SYSCTL1_NAME/READ 1457 */ 1458 1459 capsysctl = cap_clone(ocapsysctl); 1460 ATF_REQUIRE(capsysctl != NULL); 1461 1462 limit = cap_sysctl_limit_init(capsysctl); 1463 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1464 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1465 limit = cap_sysctl_limit_init(capsysctl); 1466 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1467 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1468 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1469 limit = cap_sysctl_limit_init(capsysctl); 1470 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1471 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1472 1473 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 1474 1475 cap_close(capsysctl); 1476 1477 /* 1478 * Allow: 1479 * SYSCTL0_PARENT/WRITE 1480 */ 1481 1482 capsysctl = cap_clone(ocapsysctl); 1483 ATF_REQUIRE(capsysctl != NULL); 1484 1485 limit = cap_sysctl_limit_init(capsysctl); 1486 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1487 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1488 limit = cap_sysctl_limit_init(capsysctl); 1489 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1490 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1491 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1492 limit = cap_sysctl_limit_init(capsysctl); 1493 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1494 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1495 1496 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1497 1498 cap_close(capsysctl); 1499 1500 /* 1501 * Allow: 1502 * SYSCTL1_NAME/WRITE 1503 */ 1504 1505 capsysctl = cap_clone(ocapsysctl); 1506 ATF_REQUIRE(capsysctl != NULL); 1507 1508 limit = cap_sysctl_limit_init(capsysctl); 1509 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1510 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1511 limit = cap_sysctl_limit_init(capsysctl); 1512 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1513 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1514 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1515 limit = cap_sysctl_limit_init(capsysctl); 1516 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1517 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1518 1519 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1520 1521 cap_close(capsysctl); 1522 1523 /* 1524 * Allow: 1525 * SYSCTL0_PARENT/RDWR 1526 */ 1527 1528 capsysctl = cap_clone(ocapsysctl); 1529 ATF_REQUIRE(capsysctl != NULL); 1530 1531 limit = cap_sysctl_limit_init(capsysctl); 1532 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1533 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1534 limit = cap_sysctl_limit_init(capsysctl); 1535 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1536 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1537 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1538 limit = cap_sysctl_limit_init(capsysctl); 1539 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1540 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1541 1542 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1543 1544 cap_close(capsysctl); 1545 1546 /* 1547 * Allow: 1548 * SYSCTL1_NAME/RDWR 1549 */ 1550 1551 capsysctl = cap_clone(ocapsysctl); 1552 ATF_REQUIRE(capsysctl != NULL); 1553 1554 limit = cap_sysctl_limit_init(capsysctl); 1555 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1556 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1557 limit = cap_sysctl_limit_init(capsysctl); 1558 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1559 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1560 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1561 limit = cap_sysctl_limit_init(capsysctl); 1562 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1563 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1564 1565 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1566 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1567 1568 cap_close(capsysctl); 1569 } 1570 ATF_TC_CLEANUP(cap_sysctl__names, tc) 1571 { 1572 cleanup(); 1573 } 1574 1575 ATF_TC_WITH_CLEANUP(cap_sysctl__no_limits); 1576 ATF_TC_HEAD(cap_sysctl__no_limits, tc) 1577 { 1578 } 1579 ATF_TC_BODY(cap_sysctl__no_limits, tc) 1580 { 1581 cap_channel_t *capsysctl; 1582 1583 capsysctl = initcap(); 1584 1585 ATF_REQUIRE_EQ(checkcaps(capsysctl), (SYSCTL0_READ0 | SYSCTL0_READ1 | 1586 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 1587 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 1588 SYSCTL1_READ_WRITE)); 1589 } 1590 ATF_TC_CLEANUP(cap_sysctl__no_limits, tc) 1591 { 1592 cleanup(); 1593 } 1594 1595 ATF_TC_WITH_CLEANUP(cap_sysctl__recursive_limits); 1596 ATF_TC_HEAD(cap_sysctl__recursive_limits, tc) 1597 { 1598 } 1599 ATF_TC_BODY(cap_sysctl__recursive_limits, tc) 1600 { 1601 cap_channel_t *capsysctl, *ocapsysctl; 1602 void *limit; 1603 size_t len; 1604 int mib[2], val = 420; 1605 1606 len = nitems(mib); 1607 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib, &len) == 0); 1608 1609 ocapsysctl = initcap(); 1610 1611 /* 1612 * Make sure that we match entire components. 1613 */ 1614 capsysctl = cap_clone(ocapsysctl); 1615 ATF_REQUIRE(capsysctl != NULL); 1616 1617 limit = cap_sysctl_limit_init(capsysctl); 1618 (void)cap_sysctl_limit_name(limit, "ker", 1619 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1620 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1621 1622 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1623 NULL, NULL, &val, sizeof(val))); 1624 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len, 1625 NULL, NULL, &val, sizeof(val))); 1626 1627 cap_close(capsysctl); 1628 1629 /* 1630 * Verify that we check for CAP_SYSCTL_RECURSIVE. 1631 */ 1632 capsysctl = cap_clone(ocapsysctl); 1633 ATF_REQUIRE(capsysctl != NULL); 1634 1635 limit = cap_sysctl_limit_init(capsysctl); 1636 (void)cap_sysctl_limit_name(limit, "kern", CAP_SYSCTL_RDWR); 1637 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1638 1639 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1640 NULL, NULL, &val, sizeof(val))); 1641 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len, 1642 NULL, NULL, &val, sizeof(val))); 1643 1644 cap_close(capsysctl); 1645 } 1646 ATF_TC_CLEANUP(cap_sysctl__recursive_limits, tc) 1647 { 1648 cleanup(); 1649 } 1650 1651 ATF_TC_WITH_CLEANUP(cap_sysctl__just_size); 1652 ATF_TC_HEAD(cap_sysctl__just_size, tc) 1653 { 1654 } 1655 ATF_TC_BODY(cap_sysctl__just_size, tc) 1656 { 1657 cap_channel_t *capsysctl; 1658 size_t len; 1659 int mib0[2]; 1660 1661 capsysctl = initcap(); 1662 1663 len = nitems(mib0); 1664 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len) == 0); 1665 1666 ATF_REQUIRE(cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1667 NULL, &len, NULL, 0) == 0); 1668 ATF_REQUIRE(len == sizeof(int)); 1669 ATF_REQUIRE(cap_sysctl(capsysctl, mib0, nitems(mib0), 1670 NULL, &len, NULL, 0) == 0); 1671 ATF_REQUIRE(len == sizeof(int)); 1672 1673 cap_close(capsysctl); 1674 } 1675 ATF_TC_CLEANUP(cap_sysctl__just_size, tc) 1676 { 1677 cleanup(); 1678 } 1679 1680 ATF_TP_ADD_TCS(tp) 1681 { 1682 ATF_TP_ADD_TC(tp, cap_sysctl__operation); 1683 ATF_TP_ADD_TC(tp, cap_sysctl__names); 1684 ATF_TP_ADD_TC(tp, cap_sysctl__no_limits); 1685 ATF_TP_ADD_TC(tp, cap_sysctl__recursive_limits); 1686 ATF_TP_ADD_TC(tp, cap_sysctl__just_size); 1687 1688 return (atf_no_error()); 1689 } 1690