1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2013, 2018 The FreeBSD Foundation 5 * All rights reserved. 6 * 7 * This software was developed by Pawel Jakub Dawidek under sponsorship from 8 * the FreeBSD Foundation. 9 * 10 * Portions of this software were developed by Mark Johnston 11 * under sponsorship from the FreeBSD Foundation. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 #include <sys/cdefs.h> 36 #include <sys/types.h> 37 #include <sys/capsicum.h> 38 #include <sys/sysctl.h> 39 #include <sys/nv.h> 40 41 #include <assert.h> 42 #include <err.h> 43 #include <errno.h> 44 #include <netdb.h> 45 #include <stdio.h> 46 #include <stdlib.h> 47 #include <string.h> 48 #include <unistd.h> 49 50 #include <libcasper.h> 51 #include <casper/cap_sysctl.h> 52 53 #include <atf-c.h> 54 55 /* 56 * We need some sysctls to perform the tests on. 57 * We remember their values and restore them afer the test is done. 58 */ 59 #define SYSCTL0_PARENT "kern" 60 #define SYSCTL0_NAME "kern.sync_on_panic" 61 #define SYSCTL0_FILE "./sysctl0" 62 #define SYSCTL1_PARENT "debug" 63 #define SYSCTL1_NAME "debug.minidump" 64 #define SYSCTL1_FILE "./sysctl1" 65 66 #define SYSCTL0_READ0 0x0001 67 #define SYSCTL0_READ1 0x0002 68 #define SYSCTL0_READ2 0x0004 69 #define SYSCTL0_WRITE 0x0008 70 #define SYSCTL0_READ_WRITE 0x0010 71 #define SYSCTL1_READ0 0x0020 72 #define SYSCTL1_READ1 0x0040 73 #define SYSCTL1_READ2 0x0080 74 #define SYSCTL1_WRITE 0x0100 75 #define SYSCTL1_READ_WRITE 0x0200 76 77 static void 78 save_int_sysctl(const char *name, const char *file) 79 { 80 ssize_t n; 81 size_t sz; 82 int error, fd, val; 83 84 sz = sizeof(val); 85 error = sysctlbyname(name, &val, &sz, NULL, 0); 86 ATF_REQUIRE_MSG(error == 0, 87 "sysctlbyname(%s): %s", name, strerror(errno)); 88 89 fd = open(file, O_CREAT | O_WRONLY, 0600); 90 ATF_REQUIRE_MSG(fd >= 0, "open(%s): %s", file, strerror(errno)); 91 n = write(fd, &val, sz); 92 ATF_REQUIRE(n >= 0 && (size_t)n == sz); 93 error = close(fd); 94 ATF_REQUIRE(error == 0); 95 } 96 97 static void 98 restore_int_sysctl(const char *name, const char *file) 99 { 100 ssize_t n; 101 size_t sz; 102 int error, fd, val; 103 104 fd = open(file, O_RDONLY); 105 ATF_REQUIRE(fd >= 0); 106 sz = sizeof(val); 107 n = read(fd, &val, sz); 108 ATF_REQUIRE(n >= 0 && (size_t)n == sz); 109 error = unlink(file); 110 ATF_REQUIRE(error == 0); 111 error = close(fd); 112 ATF_REQUIRE(error == 0); 113 114 error = sysctlbyname(name, NULL, NULL, &val, sz); 115 ATF_REQUIRE_MSG(error == 0, 116 "sysctlbyname(%s): %s", name, strerror(errno)); 117 } 118 119 static cap_channel_t * 120 initcap(void) 121 { 122 cap_channel_t *capcas, *capsysctl; 123 124 save_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE); 125 save_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE); 126 127 capcas = cap_init(); 128 ATF_REQUIRE(capcas != NULL); 129 130 capsysctl = cap_service_open(capcas, "system.sysctl"); 131 ATF_REQUIRE(capsysctl != NULL); 132 133 cap_close(capcas); 134 135 return (capsysctl); 136 } 137 138 static void 139 cleanup(void) 140 { 141 142 restore_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE); 143 restore_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE); 144 } 145 146 static unsigned int 147 checkcaps(cap_channel_t *capsysctl) 148 { 149 unsigned int result; 150 size_t len0, len1, oldsize; 151 int error, mib0[2], mib1[2], oldvalue, newvalue; 152 153 result = 0; 154 155 len0 = nitems(mib0); 156 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len0) == 0); 157 len1 = nitems(mib1); 158 ATF_REQUIRE(sysctlnametomib(SYSCTL1_NAME, mib1, &len1) == 0); 159 160 oldsize = sizeof(oldvalue); 161 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 162 NULL, 0) == 0) { 163 if (oldsize == sizeof(oldvalue)) 164 result |= SYSCTL0_READ0; 165 } 166 error = cap_sysctl(capsysctl, mib0, len0, &oldvalue, &oldsize, NULL, 0); 167 if ((result & SYSCTL0_READ0) != 0) 168 ATF_REQUIRE(error == 0); 169 else 170 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 171 172 newvalue = 123; 173 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue, 174 sizeof(newvalue)) == 0) { 175 result |= SYSCTL0_WRITE; 176 } 177 178 if ((result & SYSCTL0_WRITE) != 0) { 179 oldsize = sizeof(oldvalue); 180 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 181 &oldsize, NULL, 0) == 0) { 182 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 183 result |= SYSCTL0_READ1; 184 } 185 } 186 newvalue = 123; 187 error = cap_sysctl(capsysctl, mib0, len0, NULL, NULL, 188 &newvalue, sizeof(newvalue)); 189 if ((result & SYSCTL0_WRITE) != 0) 190 ATF_REQUIRE(error == 0); 191 else 192 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 193 194 oldsize = sizeof(oldvalue); 195 newvalue = 4567; 196 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 197 &newvalue, sizeof(newvalue)) == 0) { 198 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 199 result |= SYSCTL0_READ_WRITE; 200 } 201 202 if ((result & SYSCTL0_READ_WRITE) != 0) { 203 oldsize = sizeof(oldvalue); 204 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 205 &oldsize, NULL, 0) == 0) { 206 if (oldsize == sizeof(oldvalue) && oldvalue == 4567) 207 result |= SYSCTL0_READ2; 208 } 209 } 210 211 oldsize = sizeof(oldvalue); 212 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 213 NULL, 0) == 0) { 214 if (oldsize == sizeof(oldvalue)) 215 result |= SYSCTL1_READ0; 216 } 217 error = cap_sysctl(capsysctl, mib1, len1, &oldvalue, &oldsize, NULL, 0); 218 if ((result & SYSCTL1_READ0) != 0) 219 ATF_REQUIRE(error == 0); 220 else 221 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 222 223 newvalue = 506; 224 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue, 225 sizeof(newvalue)) == 0) { 226 result |= SYSCTL1_WRITE; 227 } 228 229 if ((result & SYSCTL1_WRITE) != 0) { 230 newvalue = 506; 231 ATF_REQUIRE(cap_sysctl(capsysctl, mib1, len1, NULL, NULL, 232 &newvalue, sizeof(newvalue)) == 0); 233 234 oldsize = sizeof(oldvalue); 235 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 236 &oldsize, NULL, 0) == 0) { 237 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 238 result |= SYSCTL1_READ1; 239 } 240 } 241 newvalue = 506; 242 error = cap_sysctl(capsysctl, mib1, len1, NULL, NULL, 243 &newvalue, sizeof(newvalue)); 244 if ((result & SYSCTL1_WRITE) != 0) 245 ATF_REQUIRE(error == 0); 246 else 247 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 248 249 oldsize = sizeof(oldvalue); 250 newvalue = 7008; 251 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 252 &newvalue, sizeof(newvalue)) == 0) { 253 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 254 result |= SYSCTL1_READ_WRITE; 255 } 256 257 if ((result & SYSCTL1_READ_WRITE) != 0) { 258 oldsize = sizeof(oldvalue); 259 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 260 &oldsize, NULL, 0) == 0) { 261 if (oldsize == sizeof(oldvalue) && oldvalue == 7008) 262 result |= SYSCTL1_READ2; 263 } 264 } 265 266 return (result); 267 } 268 269 ATF_TC_WITH_CLEANUP(cap_sysctl__operation); 270 ATF_TC_HEAD(cap_sysctl__operation, tc) 271 { 272 } 273 ATF_TC_BODY(cap_sysctl__operation, tc) 274 { 275 cap_channel_t *capsysctl, *ocapsysctl; 276 void *limit; 277 278 ocapsysctl = initcap(); 279 280 /* 281 * Allow: 282 * SYSCTL0_PARENT/RDWR/RECURSIVE 283 * SYSCTL1_PARENT/RDWR/RECURSIVE 284 */ 285 286 capsysctl = cap_clone(ocapsysctl); 287 ATF_REQUIRE(capsysctl != NULL); 288 289 limit = cap_sysctl_limit_init(capsysctl); 290 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 291 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 292 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 293 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 294 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 295 296 limit = cap_sysctl_limit_init(capsysctl); 297 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 298 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 299 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 300 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 301 (void)cap_sysctl_limit_name(limit, "foo.bar", 302 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 303 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 304 305 limit = cap_sysctl_limit_init(capsysctl); 306 (void)cap_sysctl_limit_name(limit, "foo.bar", 307 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 308 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 309 310 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 311 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 312 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 313 SYSCTL1_READ_WRITE)); 314 315 limit = cap_sysctl_limit_init(capsysctl); 316 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 317 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 318 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 319 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 320 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 321 322 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 323 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 324 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 325 SYSCTL1_READ_WRITE)); 326 327 limit = cap_sysctl_limit_init(capsysctl); 328 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 329 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 330 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 331 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 332 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 333 334 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 335 336 limit = cap_sysctl_limit_init(capsysctl); 337 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 338 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 339 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 340 341 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 342 343 limit = cap_sysctl_limit_init(capsysctl); 344 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 345 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 346 347 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0); 348 349 cap_close(capsysctl); 350 351 /* 352 * Allow: 353 * SYSCTL0_NAME/RDWR/RECURSIVE 354 * SYSCTL1_NAME/RDWR/RECURSIVE 355 */ 356 357 capsysctl = cap_clone(ocapsysctl); 358 ATF_REQUIRE(capsysctl != NULL); 359 360 limit = cap_sysctl_limit_init(capsysctl); 361 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 362 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 363 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 364 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 365 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 366 367 limit = cap_sysctl_limit_init(capsysctl); 368 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 369 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 370 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 371 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 372 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 373 limit = cap_sysctl_limit_init(capsysctl); 374 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 375 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 376 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 377 limit = cap_sysctl_limit_init(capsysctl); 378 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 379 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 380 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 381 limit = cap_sysctl_limit_init(capsysctl); 382 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 383 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 384 385 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 386 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 387 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 388 SYSCTL1_READ_WRITE)); 389 390 cap_close(capsysctl); 391 392 /* 393 * Allow: 394 * SYSCTL0_PARENT/RDWR 395 * SYSCTL1_PARENT/RDWR 396 */ 397 398 capsysctl = cap_clone(ocapsysctl); 399 ATF_REQUIRE(capsysctl != NULL); 400 401 limit = cap_sysctl_limit_init(capsysctl); 402 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 403 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 404 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 405 limit = cap_sysctl_limit_init(capsysctl); 406 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 407 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 408 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 409 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 410 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 411 limit = cap_sysctl_limit_init(capsysctl); 412 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 413 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 414 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 415 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 416 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 417 limit = cap_sysctl_limit_init(capsysctl); 418 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 419 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 420 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 421 422 ATF_REQUIRE(checkcaps(capsysctl) == 0); 423 424 cap_close(capsysctl); 425 426 /* 427 * Allow: 428 * SYSCTL0_NAME/RDWR 429 * SYSCTL1_NAME/RDWR 430 */ 431 432 capsysctl = cap_clone(ocapsysctl); 433 ATF_REQUIRE(capsysctl != NULL); 434 435 limit = cap_sysctl_limit_init(capsysctl); 436 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 437 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 438 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 439 limit = cap_sysctl_limit_init(capsysctl); 440 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 441 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 442 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 443 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 444 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 445 limit = cap_sysctl_limit_init(capsysctl); 446 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 447 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 448 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 449 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 450 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 451 limit = cap_sysctl_limit_init(capsysctl); 452 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 453 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 454 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 455 456 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 457 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 458 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 459 SYSCTL1_READ_WRITE)); 460 461 cap_close(capsysctl); 462 463 /* 464 * Allow: 465 * SYSCTL0_PARENT/RDWR 466 * SYSCTL1_PARENT/RDWR/RECURSIVE 467 */ 468 469 capsysctl = cap_clone(ocapsysctl); 470 ATF_REQUIRE(capsysctl != NULL); 471 472 limit = cap_sysctl_limit_init(capsysctl); 473 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 474 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 475 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 476 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 477 limit = cap_sysctl_limit_init(capsysctl); 478 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 479 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 480 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 481 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 482 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 483 limit = cap_sysctl_limit_init(capsysctl); 484 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 485 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 486 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 487 limit = cap_sysctl_limit_init(capsysctl); 488 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 489 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 490 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 491 limit = cap_sysctl_limit_init(capsysctl); 492 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 493 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 494 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 495 496 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 497 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 498 499 cap_close(capsysctl); 500 501 /* 502 * Allow: 503 * SYSCTL0_NAME/RDWR 504 * SYSCTL1_NAME/RDWR/RECURSIVE 505 */ 506 507 capsysctl = cap_clone(ocapsysctl); 508 ATF_REQUIRE(capsysctl != NULL); 509 510 limit = cap_sysctl_limit_init(capsysctl); 511 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 512 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 513 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 514 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 515 limit = cap_sysctl_limit_init(capsysctl); 516 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 517 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 518 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 519 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 520 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 521 limit = cap_sysctl_limit_init(capsysctl); 522 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 523 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 524 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 525 limit = cap_sysctl_limit_init(capsysctl); 526 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 527 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 528 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 529 530 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 531 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 532 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 533 SYSCTL1_READ_WRITE)); 534 535 cap_close(capsysctl); 536 537 /* 538 * Allow: 539 * SYSCTL0_PARENT/READ/RECURSIVE 540 * SYSCTL1_PARENT/READ/RECURSIVE 541 */ 542 543 capsysctl = cap_clone(ocapsysctl); 544 ATF_REQUIRE(capsysctl != NULL); 545 546 limit = cap_sysctl_limit_init(capsysctl); 547 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 548 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 549 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 550 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 551 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 552 limit = cap_sysctl_limit_init(capsysctl); 553 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 554 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 555 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 556 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 557 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 558 limit = cap_sysctl_limit_init(capsysctl); 559 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 560 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 561 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 562 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 563 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 564 limit = cap_sysctl_limit_init(capsysctl); 565 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 566 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 567 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 568 limit = cap_sysctl_limit_init(capsysctl); 569 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 570 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 571 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 572 limit = cap_sysctl_limit_init(capsysctl); 573 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 574 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 575 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 576 limit = cap_sysctl_limit_init(capsysctl); 577 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 578 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 579 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 580 limit = cap_sysctl_limit_init(capsysctl); 581 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 582 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 583 limit = cap_sysctl_limit_init(capsysctl); 584 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 585 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 586 587 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 588 589 cap_close(capsysctl); 590 591 /* 592 * Allow: 593 * SYSCTL0_NAME/READ/RECURSIVE 594 * SYSCTL1_NAME/READ/RECURSIVE 595 */ 596 597 capsysctl = cap_clone(ocapsysctl); 598 ATF_REQUIRE(capsysctl != NULL); 599 600 limit = cap_sysctl_limit_init(capsysctl); 601 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 602 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 603 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 604 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 605 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 606 limit = cap_sysctl_limit_init(capsysctl); 607 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 608 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 609 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 610 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 611 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 612 limit = cap_sysctl_limit_init(capsysctl); 613 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 614 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 615 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 616 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 617 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 618 limit = cap_sysctl_limit_init(capsysctl); 619 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 620 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 621 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 622 limit = cap_sysctl_limit_init(capsysctl); 623 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 624 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 625 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 626 limit = cap_sysctl_limit_init(capsysctl); 627 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 628 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 629 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 630 limit = cap_sysctl_limit_init(capsysctl); 631 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 632 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 633 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 634 limit = cap_sysctl_limit_init(capsysctl); 635 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 636 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 637 limit = cap_sysctl_limit_init(capsysctl); 638 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 639 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 640 641 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 642 643 cap_close(capsysctl); 644 645 /* 646 * Allow: 647 * SYSCTL0_PARENT/READ 648 * SYSCTL1_PARENT/READ 649 */ 650 651 capsysctl = cap_clone(ocapsysctl); 652 ATF_REQUIRE(capsysctl != NULL); 653 654 limit = cap_sysctl_limit_init(capsysctl); 655 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 656 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 657 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 658 limit = cap_sysctl_limit_init(capsysctl); 659 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 660 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 661 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 662 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 663 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 664 limit = cap_sysctl_limit_init(capsysctl); 665 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 666 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 667 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 668 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 669 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 670 limit = cap_sysctl_limit_init(capsysctl); 671 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 672 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 673 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 674 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 675 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 676 limit = cap_sysctl_limit_init(capsysctl); 677 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 678 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 679 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 680 limit = cap_sysctl_limit_init(capsysctl); 681 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 682 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 683 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 684 limit = cap_sysctl_limit_init(capsysctl); 685 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 686 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 687 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 688 limit = cap_sysctl_limit_init(capsysctl); 689 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 690 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 691 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 692 limit = cap_sysctl_limit_init(capsysctl); 693 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 694 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 695 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 696 limit = cap_sysctl_limit_init(capsysctl); 697 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 698 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 699 limit = cap_sysctl_limit_init(capsysctl); 700 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 701 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 702 703 ATF_REQUIRE(checkcaps(capsysctl) == 0); 704 705 cap_close(capsysctl); 706 707 /* 708 * Allow: 709 * SYSCTL0_NAME/READ 710 * SYSCTL1_NAME/READ 711 */ 712 713 capsysctl = cap_clone(ocapsysctl); 714 ATF_REQUIRE(capsysctl != NULL); 715 716 limit = cap_sysctl_limit_init(capsysctl); 717 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 718 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 719 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 720 limit = cap_sysctl_limit_init(capsysctl); 721 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 722 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 723 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 724 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 725 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 726 limit = cap_sysctl_limit_init(capsysctl); 727 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 728 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 729 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 730 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 731 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 732 limit = cap_sysctl_limit_init(capsysctl); 733 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 734 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 735 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 736 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 737 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 738 limit = cap_sysctl_limit_init(capsysctl); 739 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 740 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 741 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 742 limit = cap_sysctl_limit_init(capsysctl); 743 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 744 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 745 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 746 limit = cap_sysctl_limit_init(capsysctl); 747 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 748 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 749 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 750 limit = cap_sysctl_limit_init(capsysctl); 751 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 752 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 753 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 754 limit = cap_sysctl_limit_init(capsysctl); 755 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 756 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 757 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 758 limit = cap_sysctl_limit_init(capsysctl); 759 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 760 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 761 limit = cap_sysctl_limit_init(capsysctl); 762 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 763 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 764 765 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 766 767 cap_close(capsysctl); 768 769 /* 770 * Allow: 771 * SYSCTL0_PARENT/READ 772 * SYSCTL1_PARENT/READ/RECURSIVE 773 */ 774 775 capsysctl = cap_clone(ocapsysctl); 776 ATF_REQUIRE(capsysctl != NULL); 777 778 limit = cap_sysctl_limit_init(capsysctl); 779 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 780 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 781 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 782 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 783 limit = cap_sysctl_limit_init(capsysctl); 784 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 785 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 786 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 787 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 788 789 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 790 791 cap_close(capsysctl); 792 793 /* 794 * Allow: 795 * SYSCTL0_NAME/READ 796 * SYSCTL1_NAME/READ/RECURSIVE 797 */ 798 799 capsysctl = cap_clone(ocapsysctl); 800 ATF_REQUIRE(capsysctl != NULL); 801 802 limit = cap_sysctl_limit_init(capsysctl); 803 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 804 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 805 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 806 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 807 limit = cap_sysctl_limit_init(capsysctl); 808 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 809 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 810 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 811 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 812 813 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 814 815 cap_close(capsysctl); 816 817 /* 818 * Allow: 819 * SYSCTL0_PARENT/WRITE/RECURSIVE 820 * SYSCTL1_PARENT/WRITE/RECURSIVE 821 */ 822 823 capsysctl = cap_clone(ocapsysctl); 824 ATF_REQUIRE(capsysctl != NULL); 825 826 limit = cap_sysctl_limit_init(capsysctl); 827 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 828 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 829 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 830 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 831 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 832 limit = cap_sysctl_limit_init(capsysctl); 833 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 834 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 835 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 836 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 837 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 838 limit = cap_sysctl_limit_init(capsysctl); 839 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 840 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 841 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 842 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 843 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 844 limit = cap_sysctl_limit_init(capsysctl); 845 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 846 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 847 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 848 limit = cap_sysctl_limit_init(capsysctl); 849 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 850 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 851 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 852 limit = cap_sysctl_limit_init(capsysctl); 853 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 854 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 855 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 856 limit = cap_sysctl_limit_init(capsysctl); 857 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 858 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 859 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 860 limit = cap_sysctl_limit_init(capsysctl); 861 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 862 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 863 limit = cap_sysctl_limit_init(capsysctl); 864 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 865 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 866 867 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 868 869 cap_close(capsysctl); 870 871 /* 872 * Allow: 873 * SYSCTL0_NAME/WRITE/RECURSIVE 874 * SYSCTL1_NAME/WRITE/RECURSIVE 875 */ 876 877 capsysctl = cap_clone(ocapsysctl); 878 ATF_REQUIRE(capsysctl != NULL); 879 880 limit = cap_sysctl_limit_init(capsysctl); 881 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 882 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 883 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 884 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 885 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 886 limit = cap_sysctl_limit_init(capsysctl); 887 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 888 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 889 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 890 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 891 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 892 limit = cap_sysctl_limit_init(capsysctl); 893 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 894 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 895 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 896 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 897 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 898 limit = cap_sysctl_limit_init(capsysctl); 899 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 900 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 901 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 902 limit = cap_sysctl_limit_init(capsysctl); 903 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 904 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 905 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 906 limit = cap_sysctl_limit_init(capsysctl); 907 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 908 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 909 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 910 limit = cap_sysctl_limit_init(capsysctl); 911 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 912 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 913 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 914 limit = cap_sysctl_limit_init(capsysctl); 915 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 916 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 917 limit = cap_sysctl_limit_init(capsysctl); 918 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 919 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 920 921 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 922 923 cap_close(capsysctl); 924 925 /* 926 * Allow: 927 * SYSCTL0_PARENT/WRITE 928 * SYSCTL1_PARENT/WRITE 929 */ 930 931 capsysctl = cap_clone(ocapsysctl); 932 ATF_REQUIRE(capsysctl != NULL); 933 934 limit = cap_sysctl_limit_init(capsysctl); 935 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 936 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 937 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 938 limit = cap_sysctl_limit_init(capsysctl); 939 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 940 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 941 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 942 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 943 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 944 limit = cap_sysctl_limit_init(capsysctl); 945 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 946 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 947 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 948 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 949 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 950 limit = cap_sysctl_limit_init(capsysctl); 951 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 952 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 953 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 954 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 955 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 956 limit = cap_sysctl_limit_init(capsysctl); 957 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 958 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 959 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 960 limit = cap_sysctl_limit_init(capsysctl); 961 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 962 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 963 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 964 limit = cap_sysctl_limit_init(capsysctl); 965 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 966 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 967 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 968 limit = cap_sysctl_limit_init(capsysctl); 969 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 970 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 971 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 972 limit = cap_sysctl_limit_init(capsysctl); 973 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 974 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 975 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 976 limit = cap_sysctl_limit_init(capsysctl); 977 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 978 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 979 limit = cap_sysctl_limit_init(capsysctl); 980 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 981 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 982 983 ATF_REQUIRE(checkcaps(capsysctl) == 0); 984 985 cap_close(capsysctl); 986 987 /* 988 * Allow: 989 * SYSCTL0_NAME/WRITE 990 * SYSCTL1_NAME/WRITE 991 */ 992 993 capsysctl = cap_clone(ocapsysctl); 994 ATF_REQUIRE(capsysctl != NULL); 995 996 limit = cap_sysctl_limit_init(capsysctl); 997 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 998 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 999 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1000 limit = cap_sysctl_limit_init(capsysctl); 1001 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1002 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1003 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1004 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1005 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1006 limit = cap_sysctl_limit_init(capsysctl); 1007 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1008 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1009 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1010 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1011 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1012 limit = cap_sysctl_limit_init(capsysctl); 1013 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1014 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1015 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1016 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1017 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1018 limit = cap_sysctl_limit_init(capsysctl); 1019 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1020 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1021 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1022 limit = cap_sysctl_limit_init(capsysctl); 1023 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1024 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1025 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1026 limit = cap_sysctl_limit_init(capsysctl); 1027 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1028 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1029 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1030 limit = cap_sysctl_limit_init(capsysctl); 1031 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1032 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1033 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1034 limit = cap_sysctl_limit_init(capsysctl); 1035 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1036 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1037 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1038 limit = cap_sysctl_limit_init(capsysctl); 1039 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1040 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1041 limit = cap_sysctl_limit_init(capsysctl); 1042 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1043 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1044 1045 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 1046 1047 cap_close(capsysctl); 1048 1049 /* 1050 * Allow: 1051 * SYSCTL0_PARENT/WRITE 1052 * SYSCTL1_PARENT/WRITE/RECURSIVE 1053 */ 1054 1055 capsysctl = cap_clone(ocapsysctl); 1056 ATF_REQUIRE(capsysctl != NULL); 1057 1058 limit = cap_sysctl_limit_init(capsysctl); 1059 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1060 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1061 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1062 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1063 limit = cap_sysctl_limit_init(capsysctl); 1064 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1065 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1066 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1067 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1068 1069 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1070 1071 cap_close(capsysctl); 1072 1073 /* 1074 * Allow: 1075 * SYSCTL0_NAME/WRITE 1076 * SYSCTL1_NAME/WRITE/RECURSIVE 1077 */ 1078 1079 capsysctl = cap_clone(ocapsysctl); 1080 ATF_REQUIRE(capsysctl != NULL); 1081 1082 limit = cap_sysctl_limit_init(capsysctl); 1083 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1084 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1085 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1086 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1087 limit = cap_sysctl_limit_init(capsysctl); 1088 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1089 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1090 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1091 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1092 1093 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 1094 1095 cap_close(capsysctl); 1096 1097 /* 1098 * Allow: 1099 * SYSCTL0_PARENT/READ/RECURSIVE 1100 * SYSCTL1_PARENT/WRITE/RECURSIVE 1101 */ 1102 1103 capsysctl = cap_clone(ocapsysctl); 1104 ATF_REQUIRE(capsysctl != NULL); 1105 1106 limit = cap_sysctl_limit_init(capsysctl); 1107 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1108 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1109 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1110 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1111 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1112 1113 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1114 1115 cap_close(capsysctl); 1116 1117 /* 1118 * Allow: 1119 * SYSCTL0_NAME/READ/RECURSIVE 1120 * SYSCTL1_NAME/WRITE/RECURSIVE 1121 */ 1122 1123 capsysctl = cap_clone(ocapsysctl); 1124 ATF_REQUIRE(capsysctl != NULL); 1125 1126 limit = cap_sysctl_limit_init(capsysctl); 1127 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1128 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1129 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1130 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1131 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1132 1133 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1134 1135 cap_close(capsysctl); 1136 1137 /* 1138 * Allow: 1139 * SYSCTL0_PARENT/READ 1140 * SYSCTL1_PARENT/WRITE 1141 */ 1142 1143 capsysctl = cap_clone(ocapsysctl); 1144 ATF_REQUIRE(capsysctl != NULL); 1145 1146 limit = cap_sysctl_limit_init(capsysctl); 1147 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1148 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1149 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1150 1151 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1152 1153 cap_close(capsysctl); 1154 1155 /* 1156 * Allow: 1157 * SYSCTL0_NAME/READ 1158 * SYSCTL1_NAME/WRITE 1159 */ 1160 1161 capsysctl = cap_clone(ocapsysctl); 1162 ATF_REQUIRE(capsysctl != NULL); 1163 1164 limit = cap_sysctl_limit_init(capsysctl); 1165 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1166 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1167 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1168 1169 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1170 1171 cap_close(capsysctl); 1172 1173 /* 1174 * Allow: 1175 * SYSCTL0_PARENT/READ 1176 * SYSCTL1_PARENT/WRITE/RECURSIVE 1177 */ 1178 1179 capsysctl = cap_clone(ocapsysctl); 1180 ATF_REQUIRE(capsysctl != NULL); 1181 1182 limit = cap_sysctl_limit_init(capsysctl); 1183 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1184 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1185 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1186 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1187 1188 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1189 1190 cap_close(capsysctl); 1191 1192 /* 1193 * Allow: 1194 * SYSCTL0_NAME/READ 1195 * SYSCTL1_NAME/WRITE/RECURSIVE 1196 */ 1197 1198 capsysctl = cap_clone(ocapsysctl); 1199 ATF_REQUIRE(capsysctl != NULL); 1200 1201 limit = cap_sysctl_limit_init(capsysctl); 1202 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1203 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1204 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1205 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1206 1207 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1208 1209 cap_close(capsysctl); 1210 } 1211 ATF_TC_CLEANUP(cap_sysctl__operation, tc) 1212 { 1213 cleanup(); 1214 } 1215 1216 ATF_TC_WITH_CLEANUP(cap_sysctl__names); 1217 ATF_TC_HEAD(cap_sysctl__names, tc) 1218 { 1219 } 1220 ATF_TC_BODY(cap_sysctl__names, tc) 1221 { 1222 cap_channel_t *capsysctl, *ocapsysctl; 1223 void *limit; 1224 1225 ocapsysctl = initcap(); 1226 1227 /* 1228 * Allow: 1229 * SYSCTL0_PARENT/READ/RECURSIVE 1230 */ 1231 1232 capsysctl = cap_clone(ocapsysctl); 1233 ATF_REQUIRE(capsysctl != NULL); 1234 1235 limit = cap_sysctl_limit_init(capsysctl); 1236 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1237 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1238 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1239 limit = cap_sysctl_limit_init(capsysctl); 1240 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1241 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1242 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1243 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1244 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1245 limit = cap_sysctl_limit_init(capsysctl); 1246 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1247 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1248 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1249 limit = cap_sysctl_limit_init(capsysctl); 1250 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1251 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1252 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1253 limit = cap_sysctl_limit_init(capsysctl); 1254 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1255 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1256 1257 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0); 1258 1259 cap_close(capsysctl); 1260 1261 /* 1262 * Allow: 1263 * SYSCTL1_NAME/READ/RECURSIVE 1264 */ 1265 1266 capsysctl = cap_clone(ocapsysctl); 1267 ATF_REQUIRE(capsysctl != NULL); 1268 1269 limit = cap_sysctl_limit_init(capsysctl); 1270 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1271 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1272 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1273 limit = cap_sysctl_limit_init(capsysctl); 1274 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1275 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1276 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1277 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1278 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1279 limit = cap_sysctl_limit_init(capsysctl); 1280 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1281 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1282 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1283 limit = cap_sysctl_limit_init(capsysctl); 1284 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1285 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1286 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1287 limit = cap_sysctl_limit_init(capsysctl); 1288 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1289 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1290 1291 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 1292 1293 cap_close(capsysctl); 1294 1295 /* 1296 * Allow: 1297 * SYSCTL0_PARENT/WRITE/RECURSIVE 1298 */ 1299 1300 capsysctl = cap_clone(ocapsysctl); 1301 ATF_REQUIRE(capsysctl != NULL); 1302 1303 limit = cap_sysctl_limit_init(capsysctl); 1304 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1305 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1306 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1307 limit = cap_sysctl_limit_init(capsysctl); 1308 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1309 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1310 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1311 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1312 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1313 limit = cap_sysctl_limit_init(capsysctl); 1314 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1315 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1316 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1317 limit = cap_sysctl_limit_init(capsysctl); 1318 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1319 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1320 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1321 limit = cap_sysctl_limit_init(capsysctl); 1322 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1323 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1324 1325 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_WRITE); 1326 1327 cap_close(capsysctl); 1328 1329 /* 1330 * Allow: 1331 * SYSCTL1_NAME/WRITE/RECURSIVE 1332 */ 1333 1334 capsysctl = cap_clone(ocapsysctl); 1335 ATF_REQUIRE(capsysctl != NULL); 1336 1337 limit = cap_sysctl_limit_init(capsysctl); 1338 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1339 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1340 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1341 limit = cap_sysctl_limit_init(capsysctl); 1342 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1343 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1344 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1345 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1346 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1347 limit = cap_sysctl_limit_init(capsysctl); 1348 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1349 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1350 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1351 limit = cap_sysctl_limit_init(capsysctl); 1352 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1353 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1354 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1355 limit = cap_sysctl_limit_init(capsysctl); 1356 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1357 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1358 1359 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1360 1361 cap_close(capsysctl); 1362 1363 /* 1364 * Allow: 1365 * SYSCTL0_PARENT/RDWR/RECURSIVE 1366 */ 1367 1368 capsysctl = cap_clone(ocapsysctl); 1369 ATF_REQUIRE(capsysctl != NULL); 1370 1371 limit = cap_sysctl_limit_init(capsysctl); 1372 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1373 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1374 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1375 limit = cap_sysctl_limit_init(capsysctl); 1376 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1377 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1378 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1379 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1380 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1381 limit = cap_sysctl_limit_init(capsysctl); 1382 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1383 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1384 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1385 limit = cap_sysctl_limit_init(capsysctl); 1386 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1387 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1388 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1389 limit = cap_sysctl_limit_init(capsysctl); 1390 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1391 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1392 1393 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1394 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE)); 1395 1396 cap_close(capsysctl); 1397 1398 /* 1399 * Allow: 1400 * SYSCTL1_NAME/RDWR/RECURSIVE 1401 */ 1402 1403 capsysctl = cap_clone(ocapsysctl); 1404 ATF_REQUIRE(capsysctl != NULL); 1405 1406 limit = cap_sysctl_limit_init(capsysctl); 1407 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1408 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1409 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1410 limit = cap_sysctl_limit_init(capsysctl); 1411 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1412 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1413 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1414 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1415 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1416 limit = cap_sysctl_limit_init(capsysctl); 1417 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1418 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1419 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1420 limit = cap_sysctl_limit_init(capsysctl); 1421 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1422 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1423 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1424 limit = cap_sysctl_limit_init(capsysctl); 1425 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1426 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1427 1428 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1429 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1430 1431 cap_close(capsysctl); 1432 1433 /* 1434 * Allow: 1435 * SYSCTL0_PARENT/READ 1436 */ 1437 1438 capsysctl = cap_clone(ocapsysctl); 1439 ATF_REQUIRE(capsysctl != NULL); 1440 1441 limit = cap_sysctl_limit_init(capsysctl); 1442 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1443 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1444 limit = cap_sysctl_limit_init(capsysctl); 1445 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1446 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1447 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1448 limit = cap_sysctl_limit_init(capsysctl); 1449 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1450 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1451 1452 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1453 1454 cap_close(capsysctl); 1455 1456 /* 1457 * Allow: 1458 * SYSCTL1_NAME/READ 1459 */ 1460 1461 capsysctl = cap_clone(ocapsysctl); 1462 ATF_REQUIRE(capsysctl != NULL); 1463 1464 limit = cap_sysctl_limit_init(capsysctl); 1465 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1466 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1467 limit = cap_sysctl_limit_init(capsysctl); 1468 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1469 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1470 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1471 limit = cap_sysctl_limit_init(capsysctl); 1472 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1473 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1474 1475 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 1476 1477 cap_close(capsysctl); 1478 1479 /* 1480 * Allow: 1481 * SYSCTL0_PARENT/WRITE 1482 */ 1483 1484 capsysctl = cap_clone(ocapsysctl); 1485 ATF_REQUIRE(capsysctl != NULL); 1486 1487 limit = cap_sysctl_limit_init(capsysctl); 1488 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1489 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1490 limit = cap_sysctl_limit_init(capsysctl); 1491 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1492 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1493 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1494 limit = cap_sysctl_limit_init(capsysctl); 1495 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1496 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1497 1498 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1499 1500 cap_close(capsysctl); 1501 1502 /* 1503 * Allow: 1504 * SYSCTL1_NAME/WRITE 1505 */ 1506 1507 capsysctl = cap_clone(ocapsysctl); 1508 ATF_REQUIRE(capsysctl != NULL); 1509 1510 limit = cap_sysctl_limit_init(capsysctl); 1511 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1512 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1513 limit = cap_sysctl_limit_init(capsysctl); 1514 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1515 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1516 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1517 limit = cap_sysctl_limit_init(capsysctl); 1518 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1519 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1520 1521 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1522 1523 cap_close(capsysctl); 1524 1525 /* 1526 * Allow: 1527 * SYSCTL0_PARENT/RDWR 1528 */ 1529 1530 capsysctl = cap_clone(ocapsysctl); 1531 ATF_REQUIRE(capsysctl != NULL); 1532 1533 limit = cap_sysctl_limit_init(capsysctl); 1534 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1535 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1536 limit = cap_sysctl_limit_init(capsysctl); 1537 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1538 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1539 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1540 limit = cap_sysctl_limit_init(capsysctl); 1541 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1542 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1543 1544 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1545 1546 cap_close(capsysctl); 1547 1548 /* 1549 * Allow: 1550 * SYSCTL1_NAME/RDWR 1551 */ 1552 1553 capsysctl = cap_clone(ocapsysctl); 1554 ATF_REQUIRE(capsysctl != NULL); 1555 1556 limit = cap_sysctl_limit_init(capsysctl); 1557 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1558 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1559 limit = cap_sysctl_limit_init(capsysctl); 1560 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1561 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1562 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1563 limit = cap_sysctl_limit_init(capsysctl); 1564 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1565 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1566 1567 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1568 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1569 1570 cap_close(capsysctl); 1571 } 1572 ATF_TC_CLEANUP(cap_sysctl__names, tc) 1573 { 1574 cleanup(); 1575 } 1576 1577 ATF_TC_WITH_CLEANUP(cap_sysctl__no_limits); 1578 ATF_TC_HEAD(cap_sysctl__no_limits, tc) 1579 { 1580 } 1581 ATF_TC_BODY(cap_sysctl__no_limits, tc) 1582 { 1583 cap_channel_t *capsysctl; 1584 1585 capsysctl = initcap(); 1586 1587 ATF_REQUIRE_EQ(checkcaps(capsysctl), (SYSCTL0_READ0 | SYSCTL0_READ1 | 1588 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 1589 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 1590 SYSCTL1_READ_WRITE)); 1591 } 1592 ATF_TC_CLEANUP(cap_sysctl__no_limits, tc) 1593 { 1594 cleanup(); 1595 } 1596 1597 ATF_TC_WITH_CLEANUP(cap_sysctl__recursive_limits); 1598 ATF_TC_HEAD(cap_sysctl__recursive_limits, tc) 1599 { 1600 } 1601 ATF_TC_BODY(cap_sysctl__recursive_limits, tc) 1602 { 1603 cap_channel_t *capsysctl, *ocapsysctl; 1604 void *limit; 1605 size_t len; 1606 int mib[2], val = 420; 1607 1608 len = nitems(mib); 1609 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib, &len) == 0); 1610 1611 ocapsysctl = initcap(); 1612 1613 /* 1614 * Make sure that we match entire components. 1615 */ 1616 capsysctl = cap_clone(ocapsysctl); 1617 ATF_REQUIRE(capsysctl != NULL); 1618 1619 limit = cap_sysctl_limit_init(capsysctl); 1620 (void)cap_sysctl_limit_name(limit, "ker", 1621 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1622 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1623 1624 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1625 NULL, NULL, &val, sizeof(val))); 1626 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len, 1627 NULL, NULL, &val, sizeof(val))); 1628 1629 cap_close(capsysctl); 1630 1631 /* 1632 * Verify that we check for CAP_SYSCTL_RECURSIVE. 1633 */ 1634 capsysctl = cap_clone(ocapsysctl); 1635 ATF_REQUIRE(capsysctl != NULL); 1636 1637 limit = cap_sysctl_limit_init(capsysctl); 1638 (void)cap_sysctl_limit_name(limit, "kern", CAP_SYSCTL_RDWR); 1639 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1640 1641 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1642 NULL, NULL, &val, sizeof(val))); 1643 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len, 1644 NULL, NULL, &val, sizeof(val))); 1645 1646 cap_close(capsysctl); 1647 } 1648 ATF_TC_CLEANUP(cap_sysctl__recursive_limits, tc) 1649 { 1650 cleanup(); 1651 } 1652 1653 ATF_TC_WITH_CLEANUP(cap_sysctl__just_size); 1654 ATF_TC_HEAD(cap_sysctl__just_size, tc) 1655 { 1656 } 1657 ATF_TC_BODY(cap_sysctl__just_size, tc) 1658 { 1659 cap_channel_t *capsysctl; 1660 size_t len; 1661 int mib0[2]; 1662 1663 capsysctl = initcap(); 1664 1665 len = nitems(mib0); 1666 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len) == 0); 1667 1668 ATF_REQUIRE(cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1669 NULL, &len, NULL, 0) == 0); 1670 ATF_REQUIRE(len == sizeof(int)); 1671 ATF_REQUIRE(cap_sysctl(capsysctl, mib0, nitems(mib0), 1672 NULL, &len, NULL, 0) == 0); 1673 ATF_REQUIRE(len == sizeof(int)); 1674 1675 cap_close(capsysctl); 1676 } 1677 ATF_TC_CLEANUP(cap_sysctl__just_size, tc) 1678 { 1679 cleanup(); 1680 } 1681 1682 ATF_TP_ADD_TCS(tp) 1683 { 1684 ATF_TP_ADD_TC(tp, cap_sysctl__operation); 1685 ATF_TP_ADD_TC(tp, cap_sysctl__names); 1686 ATF_TP_ADD_TC(tp, cap_sysctl__no_limits); 1687 ATF_TP_ADD_TC(tp, cap_sysctl__recursive_limits); 1688 ATF_TP_ADD_TC(tp, cap_sysctl__just_size); 1689 1690 return (atf_no_error()); 1691 } 1692