xref: /linux/tools/testing/selftests/capabilities/validate_cap.c (revision 7d005195e9eb6518017e02c1468e3de693cc7442)
1 #include <cap-ng.h>
2 #include <err.h>
3 #include <linux/capability.h>
4 #include <stdbool.h>
5 #include <string.h>
6 #include <stdio.h>
7 #include <sys/prctl.h>
8 #include <sys/auxv.h>
9 
10 #include "../kselftest.h"
11 
/*
 * Fallback definitions of the ambient-capability prctl() constants, used
 * only when the included headers do not already define PR_CAP_AMBIENT.
 */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT			47
# define PR_CAP_AMBIENT_IS_SET		1
# define PR_CAP_AMBIENT_RAISE		2
# define PR_CAP_AMBIENT_LOWER		3
# define PR_CAP_AMBIENT_CLEAR_ALL	4
#endif

/*
 * getauxval() is only used when building against glibc 2.19 or newer;
 * otherwise the AT_SECURE annotation in main() is compiled out.
 */
#if __GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 19)
# define HAVE_GETAUXVAL
#endif
23 
/*
 * Parse argv[i] as a strict boolean flag.
 *
 * Only the exact strings "0" and "1" are accepted. Any other value ends
 * the process through errx() with exit status 1, so a mistyped expectation
 * can never be silently read as "capability absent".
 *
 * The caller must have checked that argv[i] exists.
 */
static bool bool_arg(char **argv, int i)
{
	const char *arg = argv[i];

	if (strcmp(arg, "1") == 0)
		return true;

	if (strcmp(arg, "0") == 0)
		return false;

	/* errx() does not return. */
	errx(1, "wrong argv[%d]", i);
}
33 
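/*
 * Verify that this process's CAP_NET_BIND_SERVICE state matches what the
 * caller expected after execve().
 *
 * Usage: validate_cap <effective> <permitted> <inheritable> <ambient>
 * Each argument must be exactly "0" or "1".
 *
 * Returns 0 when all four sets match the expectations and 1 on the first
 * mismatch. A wrong argument count, a malformed argument, or a failure to
 * read the capability state ends the process with exit status 1.
 */
int main(int argc, char **argv)
{
	const char *atsec = "";
	int ambient;

	/*
	 * Be careful just in case a setgid or setcapped copy of this
	 * helper gets out: check argc before touching argv, and do nothing
	 * beyond reading and reporting this process's own state.
	 */

	if (argc != 5)
		errx(1, "wrong argc");

#ifdef HAVE_GETAUXVAL
	/* Report AT_SECURE alongside any mismatch to help diagnose it. */
	if (getauxval(AT_SECURE))
		atsec = " (AT_SECURE is set)";
	else
		atsec = " (AT_SECURE is not set)";
#endif

	/*
	 * Fail loudly if the capability state cannot be read. Otherwise the
	 * comparisons below would run against state that was never loaded
	 * and report a misleading "Wrong ... state" result.
	 */
	if (capng_get_caps_process() != 0)
		errx(1, "capng_get_caps_process failed");

	if (capng_have_capability(CAPNG_EFFECTIVE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 1)) {
		ksft_print_msg("Wrong effective state%s\n", atsec);
		return 1;
	}

	if (capng_have_capability(CAPNG_PERMITTED, CAP_NET_BIND_SERVICE) != bool_arg(argv, 2)) {
		ksft_print_msg("Wrong permitted state%s\n", atsec);
		return 1;
	}

	if (capng_have_capability(CAPNG_INHERITABLE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 3)) {
		ksft_print_msg("Wrong inheritable state%s\n", atsec);
		return 1;
	}

	/*
	 * prctl() returns -1 on error, which would compare unequal to both
	 * 0 and 1. Separate "the query failed" from "the ambient bit has the
	 * wrong value" so the failure message is accurate.
	 */
	ambient = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_BIND_SERVICE, 0, 0, 0);
	if (ambient < 0)
		err(1, "PR_CAP_AMBIENT_IS_SET");

	if (ambient != bool_arg(argv, 4)) {
		ksft_print_msg("Wrong ambient state%s\n", atsec);
		return 1;
	}

	/* The format string supplies the colon; the name must not repeat it. */
	ksft_print_msg("%s: Capabilities after execve were correct\n",
			"validate_cap");
	return 0;
}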
79