1 #include <cap-ng.h> 2 #include <err.h> 3 #include <linux/capability.h> 4 #include <stdbool.h> 5 #include <string.h> 6 #include <stdio.h> 7 #include <sys/prctl.h> 8 #include <sys/auxv.h> 9 10 #include "../kselftest.h" 11 12 #ifndef PR_CAP_AMBIENT 13 #define PR_CAP_AMBIENT 47 14 # define PR_CAP_AMBIENT_IS_SET 1 15 # define PR_CAP_AMBIENT_RAISE 2 16 # define PR_CAP_AMBIENT_LOWER 3 17 # define PR_CAP_AMBIENT_CLEAR_ALL 4 18 #endif 19 20 #if __GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 19) 21 # define HAVE_GETAUXVAL 22 #endif 23 24 static bool bool_arg(char **argv, int i) 25 { 26 if (!strcmp(argv[i], "0")) 27 return false; 28 else if (!strcmp(argv[i], "1")) 29 return true; 30 else 31 errx(1, "wrong argv[%d]", i); 32 } 33 34 int main(int argc, char **argv) 35 { 36 const char *atsec = ""; 37 38 /* 39 * Be careful just in case a setgid or setcapped copy of this 40 * helper gets out. 41 */ 42 43 if (argc != 5) 44 errx(1, "wrong argc"); 45 46 #ifdef HAVE_GETAUXVAL 47 if (getauxval(AT_SECURE)) 48 atsec = " (AT_SECURE is set)"; 49 else 50 atsec = " (AT_SECURE is not set)"; 51 #endif 52 53 capng_get_caps_process(); 54 55 if (capng_have_capability(CAPNG_EFFECTIVE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 1)) { 56 ksft_print_msg("Wrong effective state%s\n", atsec); 57 return 1; 58 } 59 60 if (capng_have_capability(CAPNG_PERMITTED, CAP_NET_BIND_SERVICE) != bool_arg(argv, 2)) { 61 ksft_print_msg("Wrong permitted state%s\n", atsec); 62 return 1; 63 } 64 65 if (capng_have_capability(CAPNG_INHERITABLE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 3)) { 66 ksft_print_msg("Wrong inheritable state%s\n", atsec); 67 return 1; 68 } 69 70 if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_BIND_SERVICE, 0, 0, 0) != bool_arg(argv, 4)) { 71 ksft_print_msg("Wrong ambient state%s\n", atsec); 72 return 1; 73 } 74 75 ksft_print_msg("%s: Capabilities after execve were correct\n", 76 "validate_cap:"); 77 return 0; 78 } 79