8ac5aef8f3
This change takes capsicum-test from upstream and applies some local changes to make the
tests work on FreeBSD when executed via Kyua.
The local modifications are as follows:
1. Make `OpenatTest.WithFlag` pass with the new dot-dot lookup behavior in FreeBSD 12.x+.
2. capsicum-test references a set of helper binaries: `mini-me`, `mini-me.noexec`, and
`mini-me.setuid`, as part of the execve/fexecve tests, via execve, fexecve, and open.
It achieves this upstream by assuming `mini-me*` is in the current directory, however,
in order for Kyua to execute `capsicum-test`, it needs to provide a full path to
`mini-me*`. In order to achieve this, I made `capsicum-test` cache the executable's
path from argv[0] in main(..) and use the cached value to compute the path to
`mini-me*` as part of the execve/fexecve testcases.
3. The capsicum-test test suite assumes that it's always being run on CAPABILITIES enabled
kernels. However, there's a chance that the test will be run on a host without a
CAPABILITIES enabled kernel, so we must check for the support before running the tests.
The way to achieve this is to add the relevant `feature_present("security_capabilities")`
check to SetupEnvironment::SetUp() and skip the tests when the support is not available.
While here, add a check for `kern.trap_enotcap` being enabled. As noted by markj@ in
https://github.com/google/capsicum-test/issues/23, this sysctl being enabled can trigger
non-deterministic failures. Therefore, the tests should be skipped if this sysctl is
enabled.
All local changes have been submitted to the capsicum-test project
(https://github.com/google/capsicum-test) and are in various stages of review.
Please see the following pull requests for more details:
1. https://github.com/google/capsicum-test/pull/35
2. https://github.com/google/capsicum-test/pull/41
3. https://github.com/google/capsicum-test/pull/42
Reviewed by: asomers
Discussed with: emaste, markj
Approved by: emaste (mentor)
MFC after: 2 months
Differential Revision: https://reviews.freebsd.org/D19758
189 lines
5.5 KiB
C++
189 lines
5.5 KiB
C++
// Tests involving 2 capability file descriptors.
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <fcntl.h>
|
|
|
|
#include "capsicum.h"
|
|
#include "syscalls.h"
|
|
#include "capsicum-test.h"
|
|
|
|
TEST(CapabilityPair, sendfile) {
|
|
int in_fd = open(TmpFile("cap_sendfile_in"), O_CREAT|O_RDWR, 0644);
|
|
EXPECT_OK(write(in_fd, "1234", 4));
|
|
// Output fd for sendfile must be a stream socket in FreeBSD.
|
|
int sock_fds[2];
|
|
EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds));
|
|
|
|
cap_rights_t r_rs;
|
|
cap_rights_init(&r_rs, CAP_READ, CAP_SEEK);
|
|
cap_rights_t r_ws;
|
|
cap_rights_init(&r_ws, CAP_WRITE, CAP_SEEK);
|
|
|
|
int cap_in_ro = dup(in_fd);
|
|
EXPECT_OK(cap_in_ro);
|
|
EXPECT_OK(cap_rights_limit(cap_in_ro, &r_rs));
|
|
int cap_in_wo = dup(in_fd);
|
|
EXPECT_OK(cap_in_wo);
|
|
EXPECT_OK(cap_rights_limit(cap_in_wo, &r_ws));
|
|
int cap_out_ro = dup(sock_fds[0]);
|
|
EXPECT_OK(cap_out_ro);
|
|
EXPECT_OK(cap_rights_limit(cap_out_ro, &r_rs));
|
|
int cap_out_wo = dup(sock_fds[0]);
|
|
EXPECT_OK(cap_out_wo);
|
|
EXPECT_OK(cap_rights_limit(cap_out_wo, &r_ws));
|
|
|
|
off_t offset = 0;
|
|
EXPECT_NOTCAPABLE(sendfile_(cap_out_ro, cap_in_ro, &offset, 4));
|
|
EXPECT_NOTCAPABLE(sendfile_(cap_out_wo, cap_in_wo, &offset, 4));
|
|
EXPECT_OK(sendfile_(cap_out_wo, cap_in_ro, &offset, 4));
|
|
|
|
close(cap_in_ro);
|
|
close(cap_in_wo);
|
|
close(cap_out_ro);
|
|
close(cap_out_wo);
|
|
close(in_fd);
|
|
close(sock_fds[0]);
|
|
close(sock_fds[1]);
|
|
unlink(TmpFile("cap_sendfile_in"));
|
|
}
|
|
|
|
#ifdef HAVE_TEE
|
|
TEST(CapabilityPair, tee) {
|
|
int pipe1_fds[2];
|
|
EXPECT_OK(pipe2(pipe1_fds, O_NONBLOCK));
|
|
int pipe2_fds[2];
|
|
EXPECT_OK(pipe2(pipe2_fds, O_NONBLOCK));
|
|
|
|
// Put some data into pipe1.
|
|
unsigned char buffer[4] = {1, 2, 3, 4};
|
|
EXPECT_OK(write(pipe1_fds[1], buffer, 4));
|
|
|
|
cap_rights_t r_ro;
|
|
cap_rights_init(&r_ro, CAP_READ);
|
|
cap_rights_t r_wo;
|
|
cap_rights_init(&r_wo, CAP_WRITE);
|
|
cap_rights_t r_rw;
|
|
cap_rights_init(&r_rw, CAP_READ, CAP_WRITE);
|
|
|
|
// Various attempts to tee into pipe2.
|
|
int cap_in_wo = dup(pipe1_fds[0]);
|
|
EXPECT_OK(cap_in_wo);
|
|
EXPECT_OK(cap_rights_limit(cap_in_wo, &r_wo));
|
|
int cap_in_rw = dup(pipe1_fds[0]);
|
|
EXPECT_OK(cap_in_rw);
|
|
EXPECT_OK(cap_rights_limit(cap_in_rw, &r_rw));
|
|
int cap_out_ro = dup(pipe2_fds[1]);
|
|
EXPECT_OK(cap_out_ro);
|
|
EXPECT_OK(cap_rights_limit(cap_out_ro, &r_ro));
|
|
int cap_out_rw = dup(pipe2_fds[1]);
|
|
EXPECT_OK(cap_out_rw);
|
|
EXPECT_OK(cap_rights_limit(cap_out_rw, &r_rw));
|
|
|
|
EXPECT_NOTCAPABLE(tee(cap_in_wo, cap_out_rw, 4, SPLICE_F_NONBLOCK));
|
|
EXPECT_NOTCAPABLE(tee(cap_in_rw, cap_out_ro, 4, SPLICE_F_NONBLOCK));
|
|
EXPECT_OK(tee(cap_in_rw, cap_out_rw, 4, SPLICE_F_NONBLOCK));
|
|
|
|
close(cap_in_wo);
|
|
close(cap_in_rw);
|
|
close(cap_out_ro);
|
|
close(cap_out_rw);
|
|
close(pipe1_fds[0]);
|
|
close(pipe1_fds[1]);
|
|
close(pipe2_fds[0]);
|
|
close(pipe2_fds[1]);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_SPLICE
|
|
TEST(CapabilityPair, splice) {
|
|
int pipe1_fds[2];
|
|
EXPECT_OK(pipe2(pipe1_fds, O_NONBLOCK));
|
|
int pipe2_fds[2];
|
|
EXPECT_OK(pipe2(pipe2_fds, O_NONBLOCK));
|
|
|
|
// Put some data into pipe1.
|
|
unsigned char buffer[4] = {1, 2, 3, 4};
|
|
EXPECT_OK(write(pipe1_fds[1], buffer, 4));
|
|
|
|
cap_rights_t r_ro;
|
|
cap_rights_init(&r_ro, CAP_READ);
|
|
cap_rights_t r_wo;
|
|
cap_rights_init(&r_wo, CAP_WRITE);
|
|
cap_rights_t r_rs;
|
|
cap_rights_init(&r_rs, CAP_READ, CAP_SEEK);
|
|
cap_rights_t r_ws;
|
|
cap_rights_init(&r_ws, CAP_WRITE, CAP_SEEK);
|
|
|
|
// Various attempts to splice.
|
|
int cap_in_wo = dup(pipe1_fds[0]);
|
|
EXPECT_OK(cap_in_wo);
|
|
EXPECT_OK(cap_rights_limit(cap_in_wo, &r_wo));
|
|
int cap_in_ro = dup(pipe1_fds[0]);
|
|
EXPECT_OK(cap_in_ro);
|
|
EXPECT_OK(cap_rights_limit(cap_in_ro, &r_ro));
|
|
int cap_in_ro_seek = dup(pipe1_fds[0]);
|
|
EXPECT_OK(cap_in_ro_seek);
|
|
EXPECT_OK(cap_rights_limit(cap_in_ro_seek, &r_rs));
|
|
int cap_out_wo = dup(pipe2_fds[1]);
|
|
EXPECT_OK(cap_out_wo);
|
|
EXPECT_OK(cap_rights_limit(cap_out_wo, &r_wo));
|
|
int cap_out_ro = dup(pipe2_fds[1]);
|
|
EXPECT_OK(cap_out_ro);
|
|
EXPECT_OK(cap_rights_limit(cap_out_ro, &r_ro));
|
|
int cap_out_wo_seek = dup(pipe2_fds[1]);
|
|
EXPECT_OK(cap_out_wo_seek);
|
|
EXPECT_OK(cap_rights_limit(cap_out_wo_seek, &r_ws));
|
|
|
|
EXPECT_NOTCAPABLE(splice(cap_in_ro, NULL, cap_out_wo_seek, NULL, 4, SPLICE_F_NONBLOCK));
|
|
EXPECT_NOTCAPABLE(splice(cap_in_wo, NULL, cap_out_wo_seek, NULL, 4, SPLICE_F_NONBLOCK));
|
|
EXPECT_NOTCAPABLE(splice(cap_in_ro_seek, NULL, cap_out_ro, NULL, 4, SPLICE_F_NONBLOCK));
|
|
EXPECT_NOTCAPABLE(splice(cap_in_ro_seek, NULL, cap_out_wo, NULL, 4, SPLICE_F_NONBLOCK));
|
|
EXPECT_OK(splice(cap_in_ro_seek, NULL, cap_out_wo_seek, NULL, 4, SPLICE_F_NONBLOCK));
|
|
|
|
close(cap_in_wo);
|
|
close(cap_in_ro);
|
|
close(cap_in_ro_seek);
|
|
close(cap_out_wo);
|
|
close(cap_out_ro);
|
|
close(cap_out_wo_seek);
|
|
close(pipe1_fds[0]);
|
|
close(pipe1_fds[1]);
|
|
close(pipe2_fds[0]);
|
|
close(pipe2_fds[1]);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_VMSPLICE
|
|
// Although it only involves a single file descriptor, test vmsplice(2) here too.
|
|
TEST(CapabilityPair, vmsplice) {
|
|
int pipe_fds[2];
|
|
EXPECT_OK(pipe2(pipe_fds, O_NONBLOCK));
|
|
|
|
cap_rights_t r_ro;
|
|
cap_rights_init(&r_ro, CAP_READ);
|
|
cap_rights_t r_rw;
|
|
cap_rights_init(&r_rw, CAP_READ, CAP_WRITE);
|
|
|
|
int cap_ro = dup(pipe_fds[1]);
|
|
EXPECT_OK(cap_ro);
|
|
EXPECT_OK(cap_rights_limit(cap_ro, &r_ro));
|
|
int cap_rw = dup(pipe_fds[1]);
|
|
EXPECT_OK(cap_rw);
|
|
EXPECT_OK(cap_rights_limit(cap_rw, &r_rw));
|
|
|
|
unsigned char buffer[4] = {1, 2, 3, 4};
|
|
struct iovec iov;
|
|
memset(&iov, 0, sizeof(iov));
|
|
iov.iov_base = buffer;
|
|
iov.iov_len = sizeof(buffer);
|
|
|
|
EXPECT_NOTCAPABLE(vmsplice(cap_ro, &iov, 1, SPLICE_F_NONBLOCK));
|
|
EXPECT_OK(vmsplice(cap_rw, &iov, 1, SPLICE_F_NONBLOCK));
|
|
|
|
close(cap_ro);
|
|
close(cap_rw);
|
|
close(pipe_fds[0]);
|
|
close(pipe_fds[1]);
|
|
}
|
|
#endif
|