1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2013, 2018 The FreeBSD Foundation 5 * All rights reserved. 6 * 7 * This software was developed by Pawel Jakub Dawidek under sponsorship from 8 * the FreeBSD Foundation. 9 * 10 * Portions of this software were developed by Mark Johnston 11 * under sponsorship from the FreeBSD Foundation. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 #include <sys/cdefs.h> 36 __FBSDID("$FreeBSD$"); 37 38 #include <sys/types.h> 39 #include <sys/capsicum.h> 40 #include <sys/sysctl.h> 41 #include <sys/nv.h> 42 43 #include <assert.h> 44 #include <err.h> 45 #include <errno.h> 46 #include <netdb.h> 47 #include <stdio.h> 48 #include <stdlib.h> 49 #include <string.h> 50 #include <unistd.h> 51 52 #include <libcasper.h> 53 #include <casper/cap_sysctl.h> 54 55 #include <atf-c.h> 56 57 /* 58 * We need some sysctls to perform the tests on. 59 * We remember their values and restore them afer the test is done. 60 */ 61 #define SYSCTL0_PARENT "kern" 62 #define SYSCTL0_NAME "kern.sync_on_panic" 63 #define SYSCTL0_FILE "./sysctl0" 64 #define SYSCTL1_PARENT "debug" 65 #define SYSCTL1_NAME "debug.minidump" 66 #define SYSCTL1_FILE "./sysctl1" 67 68 #define SYSCTL0_READ0 0x0001 69 #define SYSCTL0_READ1 0x0002 70 #define SYSCTL0_READ2 0x0004 71 #define SYSCTL0_WRITE 0x0008 72 #define SYSCTL0_READ_WRITE 0x0010 73 #define SYSCTL1_READ0 0x0020 74 #define SYSCTL1_READ1 0x0040 75 #define SYSCTL1_READ2 0x0080 76 #define SYSCTL1_WRITE 0x0100 77 #define SYSCTL1_READ_WRITE 0x0200 78 79 static void 80 save_int_sysctl(const char *name, const char *file) 81 { 82 ssize_t n; 83 size_t sz; 84 int error, fd, val; 85 86 sz = sizeof(val); 87 error = sysctlbyname(name, &val, &sz, NULL, 0); 88 ATF_REQUIRE_MSG(error == 0, 89 "sysctlbyname(%s): %s", name, strerror(errno)); 90 91 fd = open(file, O_CREAT | O_WRONLY, 0600); 92 ATF_REQUIRE_MSG(fd >= 0, "open(%s): %s", file, strerror(errno)); 93 n = write(fd, &val, sz); 94 ATF_REQUIRE(n >= 0 && (size_t)n == sz); 95 error = close(fd); 96 ATF_REQUIRE(error == 0); 97 } 98 99 static void 100 restore_int_sysctl(const char *name, const char *file) 101 { 102 ssize_t n; 103 size_t sz; 104 int error, fd, val; 105 106 fd = open(file, O_RDONLY); 107 ATF_REQUIRE(fd >= 0); 108 sz = sizeof(val); 109 n = read(fd, &val, sz); 110 ATF_REQUIRE(n >= 0 && (size_t)n == sz); 111 error = unlink(file); 112 ATF_REQUIRE(error == 0); 113 error = close(fd); 114 ATF_REQUIRE(error == 0); 115 116 error = sysctlbyname(name, NULL, NULL, &val, sz); 117 ATF_REQUIRE_MSG(error == 0, 118 "sysctlbyname(%s): %s", name, strerror(errno)); 119 } 120 121 static cap_channel_t * 122 initcap(void) 123 { 124 cap_channel_t *capcas, *capsysctl; 125 126 save_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE); 127 save_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE); 128 129 capcas = cap_init(); 130 ATF_REQUIRE(capcas != NULL); 131 132 capsysctl = cap_service_open(capcas, "system.sysctl"); 133 ATF_REQUIRE(capsysctl != NULL); 134 135 cap_close(capcas); 136 137 return (capsysctl); 138 } 139 140 static void 141 cleanup(void) 142 { 143 144 restore_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE); 145 restore_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE); 146 } 147 148 static unsigned int 149 checkcaps(cap_channel_t *capsysctl) 150 { 151 unsigned int result; 152 size_t len0, len1, oldsize; 153 int error, mib0[2], mib1[2], oldvalue, newvalue; 154 155 result = 0; 156 157 len0 = nitems(mib0); 158 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len0) == 0); 159 len1 = nitems(mib1); 160 ATF_REQUIRE(sysctlnametomib(SYSCTL1_NAME, mib1, &len1) == 0); 161 162 oldsize = sizeof(oldvalue); 163 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 164 NULL, 0) == 0) { 165 if (oldsize == sizeof(oldvalue)) 166 result |= SYSCTL0_READ0; 167 } 168 error = cap_sysctl(capsysctl, mib0, len0, &oldvalue, &oldsize, NULL, 0); 169 if ((result & SYSCTL0_READ0) != 0) 170 ATF_REQUIRE(error == 0); 171 else 172 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 173 174 newvalue = 123; 175 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue, 176 sizeof(newvalue)) == 0) { 177 result |= SYSCTL0_WRITE; 178 } 179 180 if ((result & SYSCTL0_WRITE) != 0) { 181 oldsize = sizeof(oldvalue); 182 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 183 &oldsize, NULL, 0) == 0) { 184 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 185 result |= SYSCTL0_READ1; 186 } 187 } 188 newvalue = 123; 189 error = cap_sysctl(capsysctl, mib0, len0, NULL, NULL, 190 &newvalue, sizeof(newvalue)); 191 if ((result & SYSCTL0_WRITE) != 0) 192 ATF_REQUIRE(error == 0); 193 else 194 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 195 196 oldsize = sizeof(oldvalue); 197 newvalue = 4567; 198 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 199 &newvalue, sizeof(newvalue)) == 0) { 200 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 201 result |= SYSCTL0_READ_WRITE; 202 } 203 204 if ((result & SYSCTL0_READ_WRITE) != 0) { 205 oldsize = sizeof(oldvalue); 206 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 207 &oldsize, NULL, 0) == 0) { 208 if (oldsize == sizeof(oldvalue) && oldvalue == 4567) 209 result |= SYSCTL0_READ2; 210 } 211 } 212 213 oldsize = sizeof(oldvalue); 214 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 215 NULL, 0) == 0) { 216 if (oldsize == sizeof(oldvalue)) 217 result |= SYSCTL1_READ0; 218 } 219 error = cap_sysctl(capsysctl, mib1, len1, &oldvalue, &oldsize, NULL, 0); 220 if ((result & SYSCTL1_READ0) != 0) 221 ATF_REQUIRE(error == 0); 222 else 223 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 224 225 newvalue = 506; 226 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue, 227 sizeof(newvalue)) == 0) { 228 result |= SYSCTL1_WRITE; 229 } 230 231 if ((result & SYSCTL1_WRITE) != 0) { 232 newvalue = 506; 233 ATF_REQUIRE(cap_sysctl(capsysctl, mib1, len1, NULL, NULL, 234 &newvalue, sizeof(newvalue)) == 0); 235 236 oldsize = sizeof(oldvalue); 237 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 238 &oldsize, NULL, 0) == 0) { 239 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 240 result |= SYSCTL1_READ1; 241 } 242 } 243 newvalue = 506; 244 error = cap_sysctl(capsysctl, mib1, len1, NULL, NULL, 245 &newvalue, sizeof(newvalue)); 246 if ((result & SYSCTL1_WRITE) != 0) 247 ATF_REQUIRE(error == 0); 248 else 249 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 250 251 oldsize = sizeof(oldvalue); 252 newvalue = 7008; 253 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 254 &newvalue, sizeof(newvalue)) == 0) { 255 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 256 result |= SYSCTL1_READ_WRITE; 257 } 258 259 if ((result & SYSCTL1_READ_WRITE) != 0) { 260 oldsize = sizeof(oldvalue); 261 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 262 &oldsize, NULL, 0) == 0) { 263 if (oldsize == sizeof(oldvalue) && oldvalue == 7008) 264 result |= SYSCTL1_READ2; 265 } 266 } 267 268 return (result); 269 } 270 271 ATF_TC_WITH_CLEANUP(cap_sysctl__operation); 272 ATF_TC_HEAD(cap_sysctl__operation, tc) 273 { 274 } 275 ATF_TC_BODY(cap_sysctl__operation, tc) 276 { 277 cap_channel_t *capsysctl, *ocapsysctl; 278 void *limit; 279 280 ocapsysctl = initcap(); 281 282 /* 283 * Allow: 284 * SYSCTL0_PARENT/RDWR/RECURSIVE 285 * SYSCTL1_PARENT/RDWR/RECURSIVE 286 */ 287 288 capsysctl = cap_clone(ocapsysctl); 289 ATF_REQUIRE(capsysctl != NULL); 290 291 limit = cap_sysctl_limit_init(capsysctl); 292 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 293 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 294 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 295 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 296 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 297 298 limit = cap_sysctl_limit_init(capsysctl); 299 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 300 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 301 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 302 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 303 (void)cap_sysctl_limit_name(limit, "foo.bar", 304 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 305 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 306 307 limit = cap_sysctl_limit_init(capsysctl); 308 (void)cap_sysctl_limit_name(limit, "foo.bar", 309 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 310 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 311 312 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 313 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 314 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 315 SYSCTL1_READ_WRITE)); 316 317 limit = cap_sysctl_limit_init(capsysctl); 318 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 319 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 320 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 321 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 322 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 323 324 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 325 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 326 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 327 SYSCTL1_READ_WRITE)); 328 329 limit = cap_sysctl_limit_init(capsysctl); 330 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 331 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 332 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 333 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 334 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 335 336 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 337 338 limit = cap_sysctl_limit_init(capsysctl); 339 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 340 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 341 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 342 343 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 344 345 limit = cap_sysctl_limit_init(capsysctl); 346 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 347 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 348 349 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0); 350 351 cap_close(capsysctl); 352 353 /* 354 * Allow: 355 * SYSCTL0_NAME/RDWR/RECURSIVE 356 * SYSCTL1_NAME/RDWR/RECURSIVE 357 */ 358 359 capsysctl = cap_clone(ocapsysctl); 360 ATF_REQUIRE(capsysctl != NULL); 361 362 limit = cap_sysctl_limit_init(capsysctl); 363 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 364 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 365 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 366 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 367 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 368 369 limit = cap_sysctl_limit_init(capsysctl); 370 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 371 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 372 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 373 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 374 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 375 limit = cap_sysctl_limit_init(capsysctl); 376 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 377 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 378 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 379 limit = cap_sysctl_limit_init(capsysctl); 380 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 381 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 382 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 383 limit = cap_sysctl_limit_init(capsysctl); 384 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 385 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 386 387 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 388 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 389 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 390 SYSCTL1_READ_WRITE)); 391 392 cap_close(capsysctl); 393 394 /* 395 * Allow: 396 * SYSCTL0_PARENT/RDWR 397 * SYSCTL1_PARENT/RDWR 398 */ 399 400 capsysctl = cap_clone(ocapsysctl); 401 ATF_REQUIRE(capsysctl != NULL); 402 403 limit = cap_sysctl_limit_init(capsysctl); 404 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 405 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 406 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 407 limit = cap_sysctl_limit_init(capsysctl); 408 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 409 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 410 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 411 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 412 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 413 limit = cap_sysctl_limit_init(capsysctl); 414 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 415 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 416 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 417 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 418 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 419 limit = cap_sysctl_limit_init(capsysctl); 420 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 421 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 422 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 423 424 ATF_REQUIRE(checkcaps(capsysctl) == 0); 425 426 cap_close(capsysctl); 427 428 /* 429 * Allow: 430 * SYSCTL0_NAME/RDWR 431 * SYSCTL1_NAME/RDWR 432 */ 433 434 capsysctl = cap_clone(ocapsysctl); 435 ATF_REQUIRE(capsysctl != NULL); 436 437 limit = cap_sysctl_limit_init(capsysctl); 438 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 439 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 440 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 441 limit = cap_sysctl_limit_init(capsysctl); 442 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 443 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 444 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 445 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 446 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 447 limit = cap_sysctl_limit_init(capsysctl); 448 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 449 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 450 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 451 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 452 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 453 limit = cap_sysctl_limit_init(capsysctl); 454 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 455 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 456 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 457 458 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 459 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 460 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 461 SYSCTL1_READ_WRITE)); 462 463 cap_close(capsysctl); 464 465 /* 466 * Allow: 467 * SYSCTL0_PARENT/RDWR 468 * SYSCTL1_PARENT/RDWR/RECURSIVE 469 */ 470 471 capsysctl = cap_clone(ocapsysctl); 472 ATF_REQUIRE(capsysctl != NULL); 473 474 limit = cap_sysctl_limit_init(capsysctl); 475 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 476 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 477 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 478 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 479 limit = cap_sysctl_limit_init(capsysctl); 480 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 481 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 482 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 483 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 484 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 485 limit = cap_sysctl_limit_init(capsysctl); 486 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 487 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 488 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 489 limit = cap_sysctl_limit_init(capsysctl); 490 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 491 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 492 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 493 limit = cap_sysctl_limit_init(capsysctl); 494 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 495 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 496 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 497 498 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 499 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 500 501 cap_close(capsysctl); 502 503 /* 504 * Allow: 505 * SYSCTL0_NAME/RDWR 506 * SYSCTL1_NAME/RDWR/RECURSIVE 507 */ 508 509 capsysctl = cap_clone(ocapsysctl); 510 ATF_REQUIRE(capsysctl != NULL); 511 512 limit = cap_sysctl_limit_init(capsysctl); 513 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 514 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 515 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 516 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 517 limit = cap_sysctl_limit_init(capsysctl); 518 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 519 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 520 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 521 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 522 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 523 limit = cap_sysctl_limit_init(capsysctl); 524 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 525 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 526 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 527 limit = cap_sysctl_limit_init(capsysctl); 528 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 529 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 530 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 531 532 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 533 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 534 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 535 SYSCTL1_READ_WRITE)); 536 537 cap_close(capsysctl); 538 539 /* 540 * Allow: 541 * SYSCTL0_PARENT/READ/RECURSIVE 542 * SYSCTL1_PARENT/READ/RECURSIVE 543 */ 544 545 capsysctl = cap_clone(ocapsysctl); 546 ATF_REQUIRE(capsysctl != NULL); 547 548 limit = cap_sysctl_limit_init(capsysctl); 549 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 550 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 551 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 552 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 553 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 554 limit = cap_sysctl_limit_init(capsysctl); 555 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 556 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 557 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 558 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 559 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 560 limit = cap_sysctl_limit_init(capsysctl); 561 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 562 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 563 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 564 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 565 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 566 limit = cap_sysctl_limit_init(capsysctl); 567 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 568 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 569 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 570 limit = cap_sysctl_limit_init(capsysctl); 571 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 572 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 573 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 574 limit = cap_sysctl_limit_init(capsysctl); 575 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 576 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 577 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 578 limit = cap_sysctl_limit_init(capsysctl); 579 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 580 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 581 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 582 limit = cap_sysctl_limit_init(capsysctl); 583 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 584 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 585 limit = cap_sysctl_limit_init(capsysctl); 586 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 587 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 588 589 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 590 591 cap_close(capsysctl); 592 593 /* 594 * Allow: 595 * SYSCTL0_NAME/READ/RECURSIVE 596 * SYSCTL1_NAME/READ/RECURSIVE 597 */ 598 599 capsysctl = cap_clone(ocapsysctl); 600 ATF_REQUIRE(capsysctl != NULL); 601 602 limit = cap_sysctl_limit_init(capsysctl); 603 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 604 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 605 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 606 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 607 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 608 limit = cap_sysctl_limit_init(capsysctl); 609 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 610 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 611 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 612 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 613 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 614 limit = cap_sysctl_limit_init(capsysctl); 615 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 616 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 617 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 618 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 619 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 620 limit = cap_sysctl_limit_init(capsysctl); 621 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 622 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 623 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 624 limit = cap_sysctl_limit_init(capsysctl); 625 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 626 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 627 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 628 limit = cap_sysctl_limit_init(capsysctl); 629 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 630 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 631 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 632 limit = cap_sysctl_limit_init(capsysctl); 633 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 634 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 635 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 636 limit = cap_sysctl_limit_init(capsysctl); 637 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 638 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 639 limit = cap_sysctl_limit_init(capsysctl); 640 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 641 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 642 643 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 644 645 cap_close(capsysctl); 646 647 /* 648 * Allow: 649 * SYSCTL0_PARENT/READ 650 * SYSCTL1_PARENT/READ 651 */ 652 653 capsysctl = cap_clone(ocapsysctl); 654 ATF_REQUIRE(capsysctl != NULL); 655 656 limit = cap_sysctl_limit_init(capsysctl); 657 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 658 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 659 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 660 limit = cap_sysctl_limit_init(capsysctl); 661 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 662 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 663 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 664 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 665 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 666 limit = cap_sysctl_limit_init(capsysctl); 667 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 668 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 669 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 670 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 671 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 672 limit = cap_sysctl_limit_init(capsysctl); 673 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 674 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 675 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 676 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 677 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 678 limit = cap_sysctl_limit_init(capsysctl); 679 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 680 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 681 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 682 limit = cap_sysctl_limit_init(capsysctl); 683 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 684 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 685 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 686 limit = cap_sysctl_limit_init(capsysctl); 687 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 688 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 689 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 690 limit = cap_sysctl_limit_init(capsysctl); 691 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 692 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 693 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 694 limit = cap_sysctl_limit_init(capsysctl); 695 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 696 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 697 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 698 limit = cap_sysctl_limit_init(capsysctl); 699 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 700 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 701 limit = cap_sysctl_limit_init(capsysctl); 702 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 703 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 704 705 ATF_REQUIRE(checkcaps(capsysctl) == 0); 706 707 cap_close(capsysctl); 708 709 /* 710 * Allow: 711 * SYSCTL0_NAME/READ 712 * SYSCTL1_NAME/READ 713 */ 714 715 capsysctl = cap_clone(ocapsysctl); 716 ATF_REQUIRE(capsysctl != NULL); 717 718 limit = cap_sysctl_limit_init(capsysctl); 719 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 720 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 721 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 722 limit = cap_sysctl_limit_init(capsysctl); 723 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 724 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 725 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 726 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 727 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 728 limit = cap_sysctl_limit_init(capsysctl); 729 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 730 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 731 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 732 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 733 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 734 limit = cap_sysctl_limit_init(capsysctl); 735 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 736 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 737 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 738 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 739 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 740 limit = cap_sysctl_limit_init(capsysctl); 741 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 742 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 743 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 744 limit = cap_sysctl_limit_init(capsysctl); 745 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 746 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 747 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 748 limit = cap_sysctl_limit_init(capsysctl); 749 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 750 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 751 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 752 limit = cap_sysctl_limit_init(capsysctl); 753 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 754 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 755 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 756 limit = cap_sysctl_limit_init(capsysctl); 757 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 758 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 759 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 760 limit = cap_sysctl_limit_init(capsysctl); 761 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 762 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 763 limit = cap_sysctl_limit_init(capsysctl); 764 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 765 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 766 767 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 768 769 cap_close(capsysctl); 770 771 /* 772 * Allow: 773 * SYSCTL0_PARENT/READ 774 * SYSCTL1_PARENT/READ/RECURSIVE 775 */ 776 777 capsysctl = cap_clone(ocapsysctl); 778 ATF_REQUIRE(capsysctl != NULL); 779 780 limit = cap_sysctl_limit_init(capsysctl); 781 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 782 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 783 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 784 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 785 limit = cap_sysctl_limit_init(capsysctl); 786 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 787 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 788 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 789 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 790 791 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 792 793 cap_close(capsysctl); 794 795 /* 796 * Allow: 797 * SYSCTL0_NAME/READ 798 * SYSCTL1_NAME/READ/RECURSIVE 799 */ 800 801 capsysctl = cap_clone(ocapsysctl); 802 ATF_REQUIRE(capsysctl != NULL); 803 804 limit = cap_sysctl_limit_init(capsysctl); 805 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 806 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 807 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 808 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 809 limit = cap_sysctl_limit_init(capsysctl); 810 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 811 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 812 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 813 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 814 815 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 816 817 cap_close(capsysctl); 818 819 /* 820 * Allow: 821 * SYSCTL0_PARENT/WRITE/RECURSIVE 822 * SYSCTL1_PARENT/WRITE/RECURSIVE 823 */ 824 825 capsysctl = cap_clone(ocapsysctl); 826 ATF_REQUIRE(capsysctl != NULL); 827 828 limit = cap_sysctl_limit_init(capsysctl); 829 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 830 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 831 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 832 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 833 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 834 limit = cap_sysctl_limit_init(capsysctl); 835 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 836 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 837 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 838 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 839 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 840 limit = cap_sysctl_limit_init(capsysctl); 841 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 842 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 843 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 844 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 845 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 846 limit = cap_sysctl_limit_init(capsysctl); 847 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 848 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 849 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 850 limit = cap_sysctl_limit_init(capsysctl); 851 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 852 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 853 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 854 limit = cap_sysctl_limit_init(capsysctl); 855 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 856 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 857 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 858 limit = cap_sysctl_limit_init(capsysctl); 859 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 860 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 861 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 862 limit = cap_sysctl_limit_init(capsysctl); 863 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 864 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 865 limit = cap_sysctl_limit_init(capsysctl); 866 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 867 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 868 869 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 870 871 cap_close(capsysctl); 872 873 /* 874 * Allow: 875 * SYSCTL0_NAME/WRITE/RECURSIVE 876 * SYSCTL1_NAME/WRITE/RECURSIVE 877 */ 878 879 capsysctl = cap_clone(ocapsysctl); 880 ATF_REQUIRE(capsysctl != NULL); 881 882 limit = cap_sysctl_limit_init(capsysctl); 883 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 884 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 885 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 886 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 887 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 888 limit = cap_sysctl_limit_init(capsysctl); 889 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 890 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 891 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 892 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 893 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 894 limit = cap_sysctl_limit_init(capsysctl); 895 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 896 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 897 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 898 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 899 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 900 limit = cap_sysctl_limit_init(capsysctl); 901 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 902 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 903 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 904 limit = cap_sysctl_limit_init(capsysctl); 905 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 906 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 907 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 908 limit = cap_sysctl_limit_init(capsysctl); 909 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 910 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 911 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 912 limit = cap_sysctl_limit_init(capsysctl); 913 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 914 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 915 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 916 limit = cap_sysctl_limit_init(capsysctl); 917 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 918 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 919 limit = cap_sysctl_limit_init(capsysctl); 920 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 921 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 922 923 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 924 925 cap_close(capsysctl); 926 927 /* 928 * Allow: 929 * SYSCTL0_PARENT/WRITE 930 * SYSCTL1_PARENT/WRITE 931 */ 932 933 capsysctl = cap_clone(ocapsysctl); 934 ATF_REQUIRE(capsysctl != NULL); 935 936 limit = cap_sysctl_limit_init(capsysctl); 937 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 938 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 939 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 940 limit = cap_sysctl_limit_init(capsysctl); 941 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 942 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 943 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 944 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 945 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 946 limit = cap_sysctl_limit_init(capsysctl); 947 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 948 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 949 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 950 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 951 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 952 limit = cap_sysctl_limit_init(capsysctl); 953 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 954 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 955 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 956 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 957 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 958 limit = cap_sysctl_limit_init(capsysctl); 959 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 960 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 961 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 962 limit = cap_sysctl_limit_init(capsysctl); 963 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 964 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 965 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 966 limit = cap_sysctl_limit_init(capsysctl); 967 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 968 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 969 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 970 limit = cap_sysctl_limit_init(capsysctl); 971 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 972 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 973 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 974 limit = cap_sysctl_limit_init(capsysctl); 975 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 976 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 977 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 978 limit = cap_sysctl_limit_init(capsysctl); 979 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 980 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 981 limit = cap_sysctl_limit_init(capsysctl); 982 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 983 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 984 985 ATF_REQUIRE(checkcaps(capsysctl) == 0); 986 987 cap_close(capsysctl); 988 989 /* 990 * Allow: 991 * SYSCTL0_NAME/WRITE 992 * SYSCTL1_NAME/WRITE 993 */ 994 995 capsysctl = cap_clone(ocapsysctl); 996 ATF_REQUIRE(capsysctl != NULL); 997 998 limit = cap_sysctl_limit_init(capsysctl); 999 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1000 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1001 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1002 limit = cap_sysctl_limit_init(capsysctl); 1003 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1004 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1005 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1006 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1007 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1008 limit = cap_sysctl_limit_init(capsysctl); 1009 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1010 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1011 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1012 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1013 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1014 limit = cap_sysctl_limit_init(capsysctl); 1015 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1016 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1017 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1018 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1019 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1020 limit = cap_sysctl_limit_init(capsysctl); 1021 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1022 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1023 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1024 limit = cap_sysctl_limit_init(capsysctl); 1025 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1026 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1027 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1028 limit = cap_sysctl_limit_init(capsysctl); 1029 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1030 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1031 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1032 limit = cap_sysctl_limit_init(capsysctl); 1033 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1034 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1035 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1036 limit = cap_sysctl_limit_init(capsysctl); 1037 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1038 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1039 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1040 limit = cap_sysctl_limit_init(capsysctl); 1041 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1042 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1043 limit = cap_sysctl_limit_init(capsysctl); 1044 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1045 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1046 1047 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 1048 1049 cap_close(capsysctl); 1050 1051 /* 1052 * Allow: 1053 * SYSCTL0_PARENT/WRITE 1054 * SYSCTL1_PARENT/WRITE/RECURSIVE 1055 */ 1056 1057 capsysctl = cap_clone(ocapsysctl); 1058 ATF_REQUIRE(capsysctl != NULL); 1059 1060 limit = cap_sysctl_limit_init(capsysctl); 1061 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1062 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1063 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1064 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1065 limit = cap_sysctl_limit_init(capsysctl); 1066 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1067 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1068 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1069 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1070 1071 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1072 1073 cap_close(capsysctl); 1074 1075 /* 1076 * Allow: 1077 * SYSCTL0_NAME/WRITE 1078 * SYSCTL1_NAME/WRITE/RECURSIVE 1079 */ 1080 1081 capsysctl = cap_clone(ocapsysctl); 1082 ATF_REQUIRE(capsysctl != NULL); 1083 1084 limit = cap_sysctl_limit_init(capsysctl); 1085 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1086 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1087 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1088 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1089 limit = cap_sysctl_limit_init(capsysctl); 1090 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1091 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1092 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1093 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1094 1095 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 1096 1097 cap_close(capsysctl); 1098 1099 /* 1100 * Allow: 1101 * SYSCTL0_PARENT/READ/RECURSIVE 1102 * SYSCTL1_PARENT/WRITE/RECURSIVE 1103 */ 1104 1105 capsysctl = cap_clone(ocapsysctl); 1106 ATF_REQUIRE(capsysctl != NULL); 1107 1108 limit = cap_sysctl_limit_init(capsysctl); 1109 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1110 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1111 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1112 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1113 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1114 1115 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1116 1117 cap_close(capsysctl); 1118 1119 /* 1120 * Allow: 1121 * SYSCTL0_NAME/READ/RECURSIVE 1122 * SYSCTL1_NAME/WRITE/RECURSIVE 1123 */ 1124 1125 capsysctl = cap_clone(ocapsysctl); 1126 ATF_REQUIRE(capsysctl != NULL); 1127 1128 limit = cap_sysctl_limit_init(capsysctl); 1129 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1130 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1131 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1132 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1133 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1134 1135 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1136 1137 cap_close(capsysctl); 1138 1139 /* 1140 * Allow: 1141 * SYSCTL0_PARENT/READ 1142 * SYSCTL1_PARENT/WRITE 1143 */ 1144 1145 capsysctl = cap_clone(ocapsysctl); 1146 ATF_REQUIRE(capsysctl != NULL); 1147 1148 limit = cap_sysctl_limit_init(capsysctl); 1149 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1150 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1151 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1152 1153 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1154 1155 cap_close(capsysctl); 1156 1157 /* 1158 * Allow: 1159 * SYSCTL0_NAME/READ 1160 * SYSCTL1_NAME/WRITE 1161 */ 1162 1163 capsysctl = cap_clone(ocapsysctl); 1164 ATF_REQUIRE(capsysctl != NULL); 1165 1166 limit = cap_sysctl_limit_init(capsysctl); 1167 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1168 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1169 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1170 1171 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1172 1173 cap_close(capsysctl); 1174 1175 /* 1176 * Allow: 1177 * SYSCTL0_PARENT/READ 1178 * SYSCTL1_PARENT/WRITE/RECURSIVE 1179 */ 1180 1181 capsysctl = cap_clone(ocapsysctl); 1182 ATF_REQUIRE(capsysctl != NULL); 1183 1184 limit = cap_sysctl_limit_init(capsysctl); 1185 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1186 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1187 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1188 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1189 1190 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1191 1192 cap_close(capsysctl); 1193 1194 /* 1195 * Allow: 1196 * SYSCTL0_NAME/READ 1197 * SYSCTL1_NAME/WRITE/RECURSIVE 1198 */ 1199 1200 capsysctl = cap_clone(ocapsysctl); 1201 ATF_REQUIRE(capsysctl != NULL); 1202 1203 limit = cap_sysctl_limit_init(capsysctl); 1204 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1205 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1206 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1207 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1208 1209 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1210 1211 cap_close(capsysctl); 1212 } 1213 ATF_TC_CLEANUP(cap_sysctl__operation, tc) 1214 { 1215 cleanup(); 1216 } 1217 1218 ATF_TC_WITH_CLEANUP(cap_sysctl__names); 1219 ATF_TC_HEAD(cap_sysctl__names, tc) 1220 { 1221 } 1222 ATF_TC_BODY(cap_sysctl__names, tc) 1223 { 1224 cap_channel_t *capsysctl, *ocapsysctl; 1225 void *limit; 1226 1227 ocapsysctl = initcap(); 1228 1229 /* 1230 * Allow: 1231 * SYSCTL0_PARENT/READ/RECURSIVE 1232 */ 1233 1234 capsysctl = cap_clone(ocapsysctl); 1235 ATF_REQUIRE(capsysctl != NULL); 1236 1237 limit = cap_sysctl_limit_init(capsysctl); 1238 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1239 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1240 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1241 limit = cap_sysctl_limit_init(capsysctl); 1242 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1243 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1244 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1245 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1246 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1247 limit = cap_sysctl_limit_init(capsysctl); 1248 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1249 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1250 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1251 limit = cap_sysctl_limit_init(capsysctl); 1252 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1253 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1254 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1255 limit = cap_sysctl_limit_init(capsysctl); 1256 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1257 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1258 1259 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0); 1260 1261 cap_close(capsysctl); 1262 1263 /* 1264 * Allow: 1265 * SYSCTL1_NAME/READ/RECURSIVE 1266 */ 1267 1268 capsysctl = cap_clone(ocapsysctl); 1269 ATF_REQUIRE(capsysctl != NULL); 1270 1271 limit = cap_sysctl_limit_init(capsysctl); 1272 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1273 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1274 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1275 limit = cap_sysctl_limit_init(capsysctl); 1276 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1277 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1278 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1279 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1280 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1281 limit = cap_sysctl_limit_init(capsysctl); 1282 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1283 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1284 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1285 limit = cap_sysctl_limit_init(capsysctl); 1286 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1287 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1288 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1289 limit = cap_sysctl_limit_init(capsysctl); 1290 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1291 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1292 1293 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 1294 1295 cap_close(capsysctl); 1296 1297 /* 1298 * Allow: 1299 * SYSCTL0_PARENT/WRITE/RECURSIVE 1300 */ 1301 1302 capsysctl = cap_clone(ocapsysctl); 1303 ATF_REQUIRE(capsysctl != NULL); 1304 1305 limit = cap_sysctl_limit_init(capsysctl); 1306 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1307 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1308 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1309 limit = cap_sysctl_limit_init(capsysctl); 1310 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1311 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1312 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1313 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1314 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1315 limit = cap_sysctl_limit_init(capsysctl); 1316 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1317 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1318 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1319 limit = cap_sysctl_limit_init(capsysctl); 1320 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1321 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1322 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1323 limit = cap_sysctl_limit_init(capsysctl); 1324 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1325 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1326 1327 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_WRITE); 1328 1329 cap_close(capsysctl); 1330 1331 /* 1332 * Allow: 1333 * SYSCTL1_NAME/WRITE/RECURSIVE 1334 */ 1335 1336 capsysctl = cap_clone(ocapsysctl); 1337 ATF_REQUIRE(capsysctl != NULL); 1338 1339 limit = cap_sysctl_limit_init(capsysctl); 1340 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1341 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1342 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1343 limit = cap_sysctl_limit_init(capsysctl); 1344 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1345 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1346 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1347 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1348 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1349 limit = cap_sysctl_limit_init(capsysctl); 1350 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1351 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1352 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1353 limit = cap_sysctl_limit_init(capsysctl); 1354 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1355 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1356 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1357 limit = cap_sysctl_limit_init(capsysctl); 1358 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1359 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1360 1361 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1362 1363 cap_close(capsysctl); 1364 1365 /* 1366 * Allow: 1367 * SYSCTL0_PARENT/RDWR/RECURSIVE 1368 */ 1369 1370 capsysctl = cap_clone(ocapsysctl); 1371 ATF_REQUIRE(capsysctl != NULL); 1372 1373 limit = cap_sysctl_limit_init(capsysctl); 1374 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1375 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1376 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1377 limit = cap_sysctl_limit_init(capsysctl); 1378 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1379 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1380 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1381 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1382 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1383 limit = cap_sysctl_limit_init(capsysctl); 1384 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1385 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1386 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1387 limit = cap_sysctl_limit_init(capsysctl); 1388 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1389 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1390 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1391 limit = cap_sysctl_limit_init(capsysctl); 1392 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1393 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1394 1395 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1396 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE)); 1397 1398 cap_close(capsysctl); 1399 1400 /* 1401 * Allow: 1402 * SYSCTL1_NAME/RDWR/RECURSIVE 1403 */ 1404 1405 capsysctl = cap_clone(ocapsysctl); 1406 ATF_REQUIRE(capsysctl != NULL); 1407 1408 limit = cap_sysctl_limit_init(capsysctl); 1409 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1410 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1411 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1412 limit = cap_sysctl_limit_init(capsysctl); 1413 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1414 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1415 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1416 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1417 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1418 limit = cap_sysctl_limit_init(capsysctl); 1419 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1420 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1421 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1422 limit = cap_sysctl_limit_init(capsysctl); 1423 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1424 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1425 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1426 limit = cap_sysctl_limit_init(capsysctl); 1427 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1428 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1429 1430 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1431 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1432 1433 cap_close(capsysctl); 1434 1435 /* 1436 * Allow: 1437 * SYSCTL0_PARENT/READ 1438 */ 1439 1440 capsysctl = cap_clone(ocapsysctl); 1441 ATF_REQUIRE(capsysctl != NULL); 1442 1443 limit = cap_sysctl_limit_init(capsysctl); 1444 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1445 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1446 limit = cap_sysctl_limit_init(capsysctl); 1447 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1448 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1449 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1450 limit = cap_sysctl_limit_init(capsysctl); 1451 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1452 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1453 1454 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1455 1456 cap_close(capsysctl); 1457 1458 /* 1459 * Allow: 1460 * SYSCTL1_NAME/READ 1461 */ 1462 1463 capsysctl = cap_clone(ocapsysctl); 1464 ATF_REQUIRE(capsysctl != NULL); 1465 1466 limit = cap_sysctl_limit_init(capsysctl); 1467 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1468 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1469 limit = cap_sysctl_limit_init(capsysctl); 1470 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1471 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1472 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1473 limit = cap_sysctl_limit_init(capsysctl); 1474 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1475 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1476 1477 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 1478 1479 cap_close(capsysctl); 1480 1481 /* 1482 * Allow: 1483 * SYSCTL0_PARENT/WRITE 1484 */ 1485 1486 capsysctl = cap_clone(ocapsysctl); 1487 ATF_REQUIRE(capsysctl != NULL); 1488 1489 limit = cap_sysctl_limit_init(capsysctl); 1490 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1491 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1492 limit = cap_sysctl_limit_init(capsysctl); 1493 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1494 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1495 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1496 limit = cap_sysctl_limit_init(capsysctl); 1497 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1498 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1499 1500 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1501 1502 cap_close(capsysctl); 1503 1504 /* 1505 * Allow: 1506 * SYSCTL1_NAME/WRITE 1507 */ 1508 1509 capsysctl = cap_clone(ocapsysctl); 1510 ATF_REQUIRE(capsysctl != NULL); 1511 1512 limit = cap_sysctl_limit_init(capsysctl); 1513 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1514 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1515 limit = cap_sysctl_limit_init(capsysctl); 1516 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1517 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1518 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1519 limit = cap_sysctl_limit_init(capsysctl); 1520 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1521 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1522 1523 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1524 1525 cap_close(capsysctl); 1526 1527 /* 1528 * Allow: 1529 * SYSCTL0_PARENT/RDWR 1530 */ 1531 1532 capsysctl = cap_clone(ocapsysctl); 1533 ATF_REQUIRE(capsysctl != NULL); 1534 1535 limit = cap_sysctl_limit_init(capsysctl); 1536 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1537 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1538 limit = cap_sysctl_limit_init(capsysctl); 1539 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1540 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1541 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1542 limit = cap_sysctl_limit_init(capsysctl); 1543 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1544 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1545 1546 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1547 1548 cap_close(capsysctl); 1549 1550 /* 1551 * Allow: 1552 * SYSCTL1_NAME/RDWR 1553 */ 1554 1555 capsysctl = cap_clone(ocapsysctl); 1556 ATF_REQUIRE(capsysctl != NULL); 1557 1558 limit = cap_sysctl_limit_init(capsysctl); 1559 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1560 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1561 limit = cap_sysctl_limit_init(capsysctl); 1562 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1563 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1564 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1565 limit = cap_sysctl_limit_init(capsysctl); 1566 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1567 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1568 1569 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1570 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1571 1572 cap_close(capsysctl); 1573 } 1574 ATF_TC_CLEANUP(cap_sysctl__names, tc) 1575 { 1576 cleanup(); 1577 } 1578 1579 ATF_TC_WITH_CLEANUP(cap_sysctl__no_limits); 1580 ATF_TC_HEAD(cap_sysctl__no_limits, tc) 1581 { 1582 } 1583 ATF_TC_BODY(cap_sysctl__no_limits, tc) 1584 { 1585 cap_channel_t *capsysctl; 1586 1587 capsysctl = initcap(); 1588 1589 ATF_REQUIRE_EQ(checkcaps(capsysctl), (SYSCTL0_READ0 | SYSCTL0_READ1 | 1590 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 1591 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 1592 SYSCTL1_READ_WRITE)); 1593 } 1594 ATF_TC_CLEANUP(cap_sysctl__no_limits, tc) 1595 { 1596 cleanup(); 1597 } 1598 1599 ATF_TC_WITH_CLEANUP(cap_sysctl__recursive_limits); 1600 ATF_TC_HEAD(cap_sysctl__recursive_limits, tc) 1601 { 1602 } 1603 ATF_TC_BODY(cap_sysctl__recursive_limits, tc) 1604 { 1605 cap_channel_t *capsysctl, *ocapsysctl; 1606 void *limit; 1607 size_t len; 1608 int mib[2], val = 420; 1609 1610 len = nitems(mib); 1611 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib, &len) == 0); 1612 1613 ocapsysctl = initcap(); 1614 1615 /* 1616 * Make sure that we match entire components. 1617 */ 1618 capsysctl = cap_clone(ocapsysctl); 1619 ATF_REQUIRE(capsysctl != NULL); 1620 1621 limit = cap_sysctl_limit_init(capsysctl); 1622 (void)cap_sysctl_limit_name(limit, "ker", 1623 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1624 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1625 1626 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1627 NULL, NULL, &val, sizeof(val))); 1628 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len, 1629 NULL, NULL, &val, sizeof(val))); 1630 1631 cap_close(capsysctl); 1632 1633 /* 1634 * Verify that we check for CAP_SYSCTL_RECURSIVE. 1635 */ 1636 capsysctl = cap_clone(ocapsysctl); 1637 ATF_REQUIRE(capsysctl != NULL); 1638 1639 limit = cap_sysctl_limit_init(capsysctl); 1640 (void)cap_sysctl_limit_name(limit, "kern", CAP_SYSCTL_RDWR); 1641 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1642 1643 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1644 NULL, NULL, &val, sizeof(val))); 1645 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len, 1646 NULL, NULL, &val, sizeof(val))); 1647 1648 cap_close(capsysctl); 1649 } 1650 ATF_TC_CLEANUP(cap_sysctl__recursive_limits, tc) 1651 { 1652 cleanup(); 1653 } 1654 1655 ATF_TC_WITH_CLEANUP(cap_sysctl__just_size); 1656 ATF_TC_HEAD(cap_sysctl__just_size, tc) 1657 { 1658 } 1659 ATF_TC_BODY(cap_sysctl__just_size, tc) 1660 { 1661 cap_channel_t *capsysctl; 1662 size_t len; 1663 int mib0[2]; 1664 1665 capsysctl = initcap(); 1666 1667 len = nitems(mib0); 1668 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len) == 0); 1669 1670 ATF_REQUIRE(cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1671 NULL, &len, NULL, 0) == 0); 1672 ATF_REQUIRE(len == sizeof(int)); 1673 ATF_REQUIRE(cap_sysctl(capsysctl, mib0, nitems(mib0), 1674 NULL, &len, NULL, 0) == 0); 1675 ATF_REQUIRE(len == sizeof(int)); 1676 1677 cap_close(capsysctl); 1678 } 1679 ATF_TC_CLEANUP(cap_sysctl__just_size, tc) 1680 { 1681 cleanup(); 1682 } 1683 1684 ATF_TP_ADD_TCS(tp) 1685 { 1686 ATF_TP_ADD_TC(tp, cap_sysctl__operation); 1687 ATF_TP_ADD_TC(tp, cap_sysctl__names); 1688 ATF_TP_ADD_TC(tp, cap_sysctl__no_limits); 1689 ATF_TP_ADD_TC(tp, cap_sysctl__recursive_limits); 1690 ATF_TP_ADD_TC(tp, cap_sysctl__just_size); 1691 1692 return (atf_no_error()); 1693 } 1694