2 This file is part of systemd
4 Copyright 2014 Ronny Chevalier
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 #include <sys/types.h>
22 #include <sys/capability.h>
23 #include <sys/socket.h>
24 #include <netinet/in.h>
28 #include "capability.h"
32 static uid_t test_uid = -1;
33 static gid_t test_gid = -1;
34 // We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage
35 static uint64_t test_flags = 1ULL << CAP_DAC_OVERRIDE;
37 static void fork_test(void (*test_func)(void)) {
48 assert_se(waitpid(pid, &status, 0) > 0);
49 assert_se(WIFEXITED(status) && WEXITSTATUS(status) == 0);
53 static void show_capabilities(void) {
57 caps = cap_get_proc();
60 text = cap_to_text(caps, NULL);
63 log_info("Capabilities:%s", text);
68 static int setup_tests(void) {
69 struct passwd *nobody;
71 nobody = getpwnam("nobody");
73 log_error("Could not find nobody user: %m");
74 return -EXIT_TEST_SKIP;
76 test_uid = nobody->pw_uid;
77 test_gid = nobody->pw_gid;
82 static void test_drop_privileges_keep_net_raw(void) {
85 sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
89 assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_NET_RAW)) >= 0);
90 assert_se(getuid() == test_uid);
91 assert_se(getgid() == test_gid);
94 sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
99 static void test_drop_privileges_dontkeep_net_raw(void) {
102 sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
103 assert_se(sock >= 0);
106 assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
107 assert_se(getuid() == test_uid);
108 assert_se(getgid() == test_gid);
111 sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
115 static void test_drop_privileges_fail(void) {
116 assert_se(drop_privileges(test_uid, test_gid, test_flags) >= 0);
117 assert_se(getuid() == test_uid);
118 assert_se(getgid() == test_gid);
120 assert_se(drop_privileges(test_uid, test_gid, test_flags) < 0);
121 assert_se(drop_privileges(0, 0, test_flags) < 0);
124 static void test_drop_privileges(void) {
125 fork_test(test_drop_privileges_keep_net_raw);
126 fork_test(test_drop_privileges_dontkeep_net_raw);
127 fork_test(test_drop_privileges_fail);
130 static void test_have_effective_cap(void) {
131 assert_se(have_effective_cap(CAP_KILL));
132 assert_se(have_effective_cap(CAP_CHOWN));
134 assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_KILL)) >= 0);
135 assert_se(getuid() == test_uid);
136 assert_se(getgid() == test_gid);
138 assert_se(have_effective_cap(CAP_KILL));
139 assert_se(!have_effective_cap(CAP_CHOWN));
142 int main(int argc, char *argv[]) {
145 log_parse_environment();
149 return EXIT_TEST_SKIP;
157 test_drop_privileges();
158 fork_test(test_have_effective_cap);