From: Rishi k. K R. <ris...@li...> - 2010-03-22 06:36:28
The branch, next, has been updated via 6e3dd83d9f575d98d76b8b3f642ad6e8793dbdfc (commit) from c700433fe26d24b975bf241668a9701548e6c21d (commit) - Log ----------------------------------------------------------------- commit 6e3dd83d9f575d98d76b8b3f642ad6e8793dbdfc Author: Rishikesh K Rajak <ris...@li...> Date: Mon Mar 22 12:04:09 2010 +0530 Here's an attempt at fixing up and simplifying the autoconf for detecting libcap and prctl support. After this, make autotools etc work fine on my f12 system, and runltp -f cap_bounds passes. the filecaps tests refuse to run claiming to be unable to find setcap, which I'll worry about next week. (I'm sure there is an AC_ macro for finding a command) And second patch : Remove the run-time checks and just have autoconf check for libcap and setcap presence. After this, filecaps tests compile, install, and pass on f10 at least. Signed-off-by: Serge E. Hallyn <se...@us...> 
Signed-off-by: Rishikesh K Rajak <ris...@li...> ----------------------------------------------------------------------- Summary of changes: configure.ac | 1 + m4/ltp-cap.m4 | 17 +---- testcases/kernel/security/Makefile | 3 + testcases/kernel/security/cap_bound/cap_bounds_r.c | 44 +++++++------- .../kernel/security/cap_bound/cap_bounds_rw.c | 58 ++++++++++------- .../security/cap_bound/cap_bset_inh_bounds.c | 61 ++++--------------- testcases/kernel/security/cap_bound/check_pe.c | 20 ++---- testcases/kernel/security/cap_bound/dummy.c | 26 +++----- .../kernel/security/cap_bound/exec_with_inh.c | 34 ++-------- .../kernel/security/cap_bound/exec_without_inh.c | 35 ++--------- .../kernel/security/filecaps/check_simple_capset.c | 11 +--- .../kernel/security/filecaps/checkforfilecaps.sh | 40 ------------ .../kernel/security/filecaps/checkforlibcap.sh | 66 -------------------- testcases/kernel/security/filecaps/filecapstest.sh | 16 +----- testcases/kernel/security/filecaps/inh_capped.c | 12 +--- testcases/kernel/security/filecaps/print_caps.c | 2 +- .../kernel/security/filecaps/verify_caps_exec.c | 21 +----- 17 files changed, 112 insertions(+), 355 deletions(-) delete mode 100755 testcases/kernel/security/filecaps/checkforfilecaps.sh delete mode 100755 testcases/kernel/security/filecaps/checkforlibcap.sh diff --git a/configure.ac b/configure.ac index 8a2ebe2..3dd9829 100644 --- a/configure.ac +++ b/configure.ac @@ -61,6 +61,7 @@ AC_CONFIG_SUBDIRS([ \ ]) LTP_CHECK_CAPABILITY_SUPPORT +LTP_CHECK_PRCTL_SUPPORT LTP_CHECK_CRYPTO LTP_CHECK_LINUX_PTRACE LTP_CHECK_SELINUX diff --git a/m4/ltp-cap.m4 b/m4/ltp-cap.m4 index 5f8d969..caa436f 100644 --- a/m4/ltp-cap.m4 +++ b/m4/ltp-cap.m4 
@@ -23,21 +23,12 @@ dnl LTP_CHECK_CAPABILITY_SUPPORT dnl ---------------------------- dnl AC_DEFUN([LTP_CHECK_CAPABILITY_SUPPORT],[ +AH_TEMPLATE(HAVE_LIBCAP, +[Define to 1 if you have libcap-2 installed.]) AC_CHECK_HEADERS(sys/capability.h,[ - AC_CHECK_HEADERS(attr/xattr.h) LTP_CAPABILITY_SUPPORT=yes - AC_CHECK_LIB(cap,cap_free,[ - AC_CHECK_LIB(cap,cap_from_text,[ - AC_CHECK_LIB(cap,cap_set_proc,[ - AC_CHECK_LIB(cap,cap_compare,[ - CAP_LIBS="-lcap" - ]) - ]) - ]) - ]) - AC_CHECK_DECLS([CAP_BSET_DROP, CAP_BSET_READ, PR_CAPBSET_READ, cap_compare, cap_free, cap_from_text, cap_get_proc, cap_set_file, cap_set_flag, cap_set_proc, cap_to_text],[],[],[dnl -#include <sys/capability.h> -]) dnl AC_CHECK_DECLS + AC_CHECK_LIB(cap,cap_compare,[AC_DEFINE(HAVE_LIBCAP) CAP_LIBS="-lcap"], [CAP_LIBS=""]) + AC_CHECK_PROG(HAVE_SETCAP,setcap,setcap,false) ])] AC_SUBST(CAP_LIBS) ) diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile index a23ce8f..52b8d06 100644 --- a/testcases/kernel/security/Makefile +++ b/testcases/kernel/security/Makefile @@ -29,6 +29,9 @@ include $(top_srcdir)/include/mk/env_pre.mk ifeq ($(strip $(CAP_LIBS)),) FILTER_OUT_DIRS := cap_bound filecaps endif +ifeq ($(HAVE_SETCAP),false) +FILTER_OUT_DIRS += filecaps +endif # XXX (garrcoop): avoid compilation failures on RHEL 5.4, as reported by # Mitani-san, because of policy versioning issues... diff --git a/testcases/kernel/security/cap_bound/cap_bounds_r.c b/testcases/kernel/security/cap_bound/cap_bounds_r.c index 917d889..0b1c5b3 100644 --- a/testcases/kernel/security/cap_bound/cap_bounds_r.c +++ b/testcases/kernel/security/cap_bound/cap_bounds_r.c 
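Review bot: `AC_CHECK_PROG(HAVE_SETCAP,setcap,setcap,false)` only sets a configure-time shell variable, and this hunk AC_SUBSTs CAP_LIBS but not HAVE_SETCAP, so the Makefile hunk's `ifeq ($(HAVE_SETCAP),false)` presumably compares an empty make variable and never filters filecaps out on a host without setcap. Adding `AC_SUBST(HAVE_SETCAP)` beside `AC_SUBST(CAP_LIBS)`, and confirming the value reaches the mk file that env_pre.mk pulls in, closes that gap. setcap normally lives in /usr/sbin or /sbin, which a non-root configure run may not have on PATH, so passing an explicit search path as AC_CHECK_PROG's fifth argument (e.g. `[$PATH:/usr/sbin:/sbin]`) avoids a false `false`. The dropped `AC_CHECK_HEADERS(attr/xattr.h)` has no replacement in this commit; if anything under filecaps still includes attr/xattr.h, that check is now missing.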
@@ -32,21 +32,6 @@ #include <sys/prctl.h> #include <test.h> -#ifndef CAP_LAST_CAP -#warning out-of-date capability.h does not define CAP_LAST_CAP -#define CAP_LAST_CAP 28 /* be ultra-conservative */ -#endif - -#ifndef CAP_BSET_READ -#warning CAP_BSET_READ not defined -#define CAP_BSET_READ 23 -#endif - -#ifndef CAP_BSET_DROP -#warning CAP_BSET_DROP not defined -#define CAP_BSET_DROP 24 -#endif - char *TCID = "cap_bounds_r"; int TST_TOTAL=1; @@ -59,17 +44,27 @@ int main(int argc, char *argv[]) int i; for (i=0; i<=CAP_LAST_CAP; i++) { - ret = prctl(CAP_BSET_READ, i); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, i); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != 1) { - tst_resm(TFAIL, "prctl(CAP_BSET_READ, %d) returned %d\n", i, ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, %d) returned %d\n", i, ret); if (ret == -1) tst_resm(TINFO, "errno was %d\n", errno); tst_exit(); } } - ret = prctl(CAP_BSET_READ, -1); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, -1); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != -1) { - tst_resm(TFAIL, "prctl(CAP_BSET_READ, -1) returned %d\n", -1, ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, -1) returned %d\n", ret); tst_exit(); } 
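Review bot: The `#else` fallback added before each prctl call sets `ret = -1` with errno ENOSYS, so on a build whose headers lack PR_CAPBSET_READ the first loop iteration reports TFAIL "returned -1" for a missing feature, whereas cap_bset_inh_bounds.c in this same commit reports TCONF "System doesn't have CAPBSET prctls." for that case. The identical `#if`/`#else`/`#endif` block is repeated three times in this file (here and in `@@ -79,13 +74,18 @@`) and five more times in cap_bounds_rw.c (`@@ -57,7 +42,12 @@`, `@@ -68,7 +58,12 @@`, `@@ -86,9 +81,14 @@`, `@@ -97,16 +97,26 @@`). Guarding the whole test body with `#if HAVE_DECL_PR_CAPBSET_READ` and emitting a TCONF in its `#else`, and routing the calls through one static helper, writes the fallback once and makes the no-prctl outcome a CONF rather than a FAIL.
```c
/* Single home for the prctl fallback; callers no longer repeat the #if block. */
static int bset_read(int cap)
{
#if HAVE_DECL_PR_CAPBSET_READ
	return prctl(PR_CAPBSET_READ, cap);
#else
	errno = ENOSYS;
	return -1;
#endif
}
/* … unchanged: main(), with each `ret = prctl(PR_CAPBSET_READ, x);` block becoming `ret = bset_read(x);` … */
```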
@@ -79,13 +74,18 @@ int main(int argc, char *argv[]) * testing... So let's take an insanely high value */ #define INSANE 63 #define max(x,y) (x > y ? x : y) - ret = prctl(CAP_BSET_READ, max(INSANE,CAP_LAST_CAP+1)); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, max(INSANE,CAP_LAST_CAP+1)); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != -1) { - tst_resm(TFAIL, "prctl(CAP_BSET_READ, %d) returned %d\n", CAP_LAST_CAP+1, ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, %d) returned %d\n", CAP_LAST_CAP+1, ret); tst_resm(TINFO, " %d is CAP_LAST_CAP+1 and should not exist\n", CAP_LAST_CAP+1); tst_exit(); } - tst_resm(TPASS, "CAP_BSET_READ tests passed\n"); + tst_resm(TPASS, "PR_CAPBSET_READ tests passed\n"); #else tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif diff --git a/testcases/kernel/security/cap_bound/cap_bounds_rw.c b/testcases/kernel/security/cap_bound/cap_bounds_rw.c index 9129c4e..827a305 100644 --- a/testcases/kernel/security/cap_bound/cap_bounds_rw.c +++ b/testcases/kernel/security/cap_bound/cap_bounds_rw.c @@ -31,21 +31,6 @@ #include <sys/prctl.h> #include <test.h> -#ifndef CAP_LAST_CAP -#warning out-of-date capability.h does not define CAP_LAST_CAP -#define CAP_LAST_CAP 28 /* be ultra-conservative */ -#endif - -#ifndef CAP_BSET_READ -#warning CAP_BSET_READ not defined -#define CAP_BSET_READ 23 -#endif - -#ifndef CAP_BSET_DROP -#warning CAP_BSET_DROP not defined -#define CAP_BSET_DROP 24 -#endif - char *TCID = "cap_bounds_rw"; int TST_TOTAL=1; @@ -57,7 +42,12 @@ int check_remaining_caps(int lastdropped) int ret; for (i=0; i <= lastdropped; i++) { - ret = prctl(CAP_BSET_READ, i); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, i); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret == -1) { tst_resm(TBROK, "Failed to read bounding set during sanity check\n"); tst_exit(); 
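Review bot: The renamed line `tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, %d) returned %d\n", CAP_LAST_CAP+1, ret);` still prints CAP_LAST_CAP+1 although the call above it passed `max(INSANE,CAP_LAST_CAP+1)`, so with INSANE at 63 the reported value can differ from the one actually tested, and the TINFO line after it makes the same claim. The cap_bounds_rw.c counterpart (`@@ -97,16 +97,26 @@`) already prints `max(INSANE, CAP_LAST_CAP+1)`, so aligning this one would be `tst_resm(TFAIL, "prctl(PR_CAPBSET_READ, %d) returned %d\n", max(INSANE,CAP_LAST_CAP+1), ret);`. While the macro is being touched, `#define max(x,y) ((x) > (y) ? (x) : (y))` would be the safer definition; the current unparenthesised form happens to work for these arguments only.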
@@ -68,7 +58,12 @@ int check_remaining_caps(int lastdropped) } } for (; i<=CAP_LAST_CAP; i++) { - ret = prctl(CAP_BSET_READ, i); +#if HAVE_DECL_PR_CAPBSET_READ + ret = prctl(PR_CAPBSET_READ, i); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret == -1) { tst_resm(TBROK, "Failed to read bounding set during sanity check\n"); tst_exit(); @@ -86,9 +81,14 @@ int main(int argc, char *argv[]) int ret = 1; int i; - ret = prctl(CAP_BSET_DROP, -1); +#if HAVE_DECL_PR_CAPBSET_DROP + ret = prctl(PR_CAPBSET_READ, -1); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != -1) { - tst_resm(TFAIL, "prctl(CAP_BSET_DROP, -1) returned %d\n", ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_DROP, -1) returned %d\n", ret); tst_exit(); } /* Ideally I'd check CAP_LAST_CAP+1, but userspace @@ -97,16 +97,26 @@ int main(int argc, char *argv[]) * testing... So let's take an insanely high value */ #define INSANE 63 #define max(x,y) (x > y ? x : y) - ret = prctl(CAP_BSET_DROP, max(INSANE,CAP_LAST_CAP+1)); +#if HAVE_DECL_PR_CAPBSET_DROP + ret = prctl(PR_CAPBSET_DROP, max(INSANE,CAP_LAST_CAP+1)); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != -1) { - tst_resm(TFAIL, "prctl(CAP_BSET_DROP, %d) returned %d\n", max(INSANE, CAP_LAST_CAP+1), ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_DROP, %d) returned %d\n", max(INSANE, CAP_LAST_CAP+1), ret); tst_resm(TINFO, " %d is should not exist\n", max(INSANE, CAP_LAST_CAP+1)); tst_exit(); } for (i=0; i<=CAP_LAST_CAP; i++) { - ret = prctl(CAP_BSET_DROP, i); +#if HAVE_DECL_PR_CAPBSET_DROP + ret = prctl(PR_CAPBSET_DROP, i); +#else + errno = ENOSYS; + ret = -1; +#endif if (ret != 0) { - tst_resm(TFAIL, "prctl(CAP_BSET_DROP, %d) returned %d\n", i, ret); + tst_resm(TFAIL, "prctl(PR_CAPBSET_DROP, %d) returned %d\n", i, ret); if (ret == -1) tst_resm(TINFO, "errno was %d\n", errno); tst_exit(); 
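Review bot: In the `@@ -86,9 +81,14 @@` hunk the new call under `#if HAVE_DECL_PR_CAPBSET_DROP` is `ret = prctl(PR_CAPBSET_READ, -1);`, while the guard and the TFAIL text two lines below both say PR_CAPBSET_DROP, and the line it replaces was `prctl(CAP_BSET_DROP, -1)`, so this looks like a rename slip. Both prctls are expected to return -1 for an out-of-range capability (cap_bounds_r.c asserts the READ case), so the test keeps passing but no longer exercises the drop path it claims to. The line should read `ret = prctl(PR_CAPBSET_DROP, -1);`.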
@@ -122,6 +132,6 @@ int main(int argc, char *argv[]) tst_exit(); } } - tst_resm(TPASS, "CAP_BSET_DROP tests passed\n"); + tst_resm(TPASS, "PR_CAPBSET_DROP tests passed\n"); tst_exit(); } diff --git a/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c b/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c index 894e0a5..c6c34c0 100644 --- a/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c +++ b/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c @@ -39,9 +39,11 @@ int TST_TOTAL=2; int errno; +#if HAVE_SYS_CAPABILITY_H +#if HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP +#ifdef HAVE_LIBCAP int main(int argc, char *argv[]) { -#if HAVE_SYS_CAPABILITY_H int ret = 1; cap_value_t v[1]; cap_flag_value_t f; @@ -49,12 +51,7 @@ int main(int argc, char *argv[]) /* We pick a random capability... let's use CAP_SYS_ADMIN */ /* make sure we have the capability now */ -#if HAVE_DECL_CAP_BSET_READ - ret = prctl(CAP_BSET_READ, CAP_SYS_ADMIN); -#else - errno = ENOSYS; - ret = -1; -#endif + ret = prctl(PR_CAPBSET_READ, CAP_SYS_ADMIN); if (ret != 1) { tst_resm(TBROK, "Not starting with CAP_SYS_ADMIN\n"); tst_exit(); 
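Review bot: The three guard lines `#if HAVE_SYS_CAPABILITY_H`, `#if HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP` and `#ifdef HAVE_LIBCAP` are placed above `int main(int argc, char *argv[])`, yet the matching `#else` branches in the `@@ -144,24 +107,24 @@` hunk emit `tst_resm(TCONF, ...)` followed by `tst_exit(); }`, so on a build where any guard is false those statements and the closing brace land at file scope and the file does not compile. check_pe.c has the identical layout in its `@@ -40,9 +40,10 @@` and `@@ -91,8 +80,11 @@` hunks. Moving the three `#if` lines below the opening `{` of main, as exec_with_inh.c and exec_without_inh.c do in this same commit, keeps every TCONF branch inside the function. The `int errno;` visible in the context redefines a name that errno.h may provide as a macro; it predates this change but is worth dropping while the file is being reorganised.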
@@ -66,47 +63,23 @@ int main(int argc, char *argv[]) tst_resm(TBROK, "Failed to create cap_sys_admin+i cap_t (errno %d)\n", errno); tst_exit(); } -#if HAVE_DECL_CAP_SET_PROC ret = cap_set_proc(cur); -#else - errno = ENOSYS; - ret = -1; -#endif if (ret) { tst_resm(TBROK, "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n", ret, errno); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); -#else - errno = ENOSYS; - ret = -1; -#endif -#else - errno = ENOSYS; - ret = -1; -#endif if (ret || f != CAP_SET) { tst_resm(TBROK, "Failed to add CAP_SYS_ADMIN to pI\n"); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif /* drop the capability from bounding set */ -#if HAVE_DECL_CAP_BSET_DROP - ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN); -#else - errno = ENOSYS; - ret = -1; -#endif + ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN); if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n"); tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno); @@ -114,18 +87,8 @@ int main(int argc, char *argv[]) } /* test 1: is CAP_SYS_ADMIN still in pI? */ -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); -#else - errno = ENOSYS; - ret = -1; -#endif -#else - errno = ENOSYS; - ret = -1; -#endif if (ret || f != CAP_SET) { tst_resm(TFAIL, "CAP_SYS_ADMIN not in pI after dropping from bounding set\n"); tst_exit(); 
@@ -144,24 +107,24 @@ int main(int argc, char *argv[]) tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from pI\n"); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(tmpcap); -#endif /* test 2: can we put it back in pI? */ -#if HAVE_DECL_CAP_SET_PROC ret = cap_set_proc(cur); -#endif if (ret == 0) { /* success means pI was not bounded by X */ tst_resm(TFAIL, "Managed to put CAP_SYS_ADMIN back into pI though not in X\n"); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif tst_resm(TPASS, "Couldn't put CAP_SYS_ADMIN back into pI when not in bounding set\n"); -#else +#else /* HAVE_LIBCAP */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP */ + tst_resm(TCONF, "System doesn't have CAPBSET prctls."); +#endif +#else /* HAVE_SYS_CAPABILITY_H */ + tst_resm(TCONF, "System doesn't have sys/capability.h."); +#endif tst_exit(); } diff --git a/testcases/kernel/security/cap_bound/check_pe.c b/testcases/kernel/security/cap_bound/check_pe.c index 2e0451a..f621e70 100644 --- a/testcases/kernel/security/cap_bound/check_pe.c +++ b/testcases/kernel/security/cap_bound/check_pe.c @@ -40,9 +40,10 @@ int TST_TOTAL=1; int errno; +#if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP int main(int argc, char *argv[]) { -#if HAVE_SYS_CAPABILITY_H int ret = 1; cap_flag_value_t f; cap_t cur; @@ -58,26 +59,14 @@ int main(int argc, char *argv[]) tst_exit(); } -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_EFFECTIVE, &f); -#else - ret = -1; - errno = ENOSYS; -#endif -#else - ret = -1; - errno = ENOSYS; -#endif if (ret) { tst_resm(TBROK, "cap_get_flag failed (errno %d)\n", errno); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif if (n == 1) { if (f == CAP_SET) { tst_resm(TPASS, "cap is in pE\n"); 
@@ -91,8 +80,11 @@ int main(int argc, char *argv[]) tst_exit(); } tst_resm(TFAIL, "Cap is in pE\n"); -#else +#else /* libcap */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* capability_h */ + tst_resm(TCONF, "System doesn't have sys/capability.h"); +#endif tst_exit(); } diff --git a/testcases/kernel/security/cap_bound/dummy.c b/testcases/kernel/security/cap_bound/dummy.c index ad65007..e882940 100644 --- a/testcases/kernel/security/cap_bound/dummy.c +++ b/testcases/kernel/security/cap_bound/dummy.c @@ -5,31 +5,21 @@ #include <sys/capability.h> #endif -#define END \ - printf("System doesn't support POSIX capabilities.\n"); \ - return 1 - int main() { #if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP cap_t cur; -#if HAVE_DECL_CAP_SET_PROC -#if HAVE_DECL_CAP_FROM_TEXT cur = cap_from_text("all=eip"); cap_set_proc(cur); -#else - END; -#endif -#else - END; -#endif -#if HAVE_DECL_CAP_FREE cap_free(cur); -#else - END; + return 0; +#else /* libcap */ + printf("System doesn't support POSIX capabilities.\n"); + return 1; #endif -#else - END; +#else /* capability_h */ + printf("System doesn't support sys/capability.h\n"); + return 1; #endif - return 0; } diff --git a/testcases/kernel/security/cap_bound/exec_with_inh.c b/testcases/kernel/security/cap_bound/exec_with_inh.c index 21c60fd..123f665 100644 --- a/testcases/kernel/security/cap_bound/exec_with_inh.c +++ b/testcases/kernel/security/cap_bound/exec_with_inh.c 
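Review bot: The new `return 0;` in dummy.c's HAVE_LIBCAP branch is reached regardless of whether `cap_from_text("all=eip")` returned NULL or `cap_set_proc(cur)` failed, so the helper now reports success without having applied the capability set; if the parent test reads its exit status, that failure is hidden. Replacing the bare `cap_set_proc(cur);` with `if (!cur || cap_set_proc(cur)) return 1;` keeps the exit status meaningful with one line.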
@@ -42,59 +42,34 @@ int errno; int main(int argc, char *argv[]) { #if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP int ret = 1; cap_flag_value_t f; cap_t cur = 0; /* Make sure CAP_SYS_ADMIN is in pI */ -#if HAVE_DECL_CAP_FROM_TEXT cur = cap_from_text("all=eip"); -#endif if (!cur) { tst_resm(TBROK, "Failed to create cap_sys_admin+i cap_t (errno %d)\n", errno); tst_exit(); } -#if HAVE_DECL_CAP_SET_PROC ret = cap_set_proc(cur); -#else - ret = -1; - errno = ENOSYS; -#endif if (ret) { tst_resm(TBROK, "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n", ret, errno); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); -#else - ret = -1; - errno = ENOSYS; -#endif -#else - ret = -1; - errno = ENOSYS; -#endif if (ret || f != CAP_SET) { tst_resm(TBROK, "Failed to add CAP_SYS_ADMIN to pI\n"); tst_exit(); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif /* drop the capability from bounding set */ -#if HAVE_DECL_CAP_BSET_DROP - ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN); -#else - errno = ENOSYS; - ret = -1; -#endif + ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN); if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n"); tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno); @@ -104,8 +79,11 @@ int main(int argc, char *argv[]) /* execute "check_pe 1" */ execl("check_pe", "check_pe", "1", NULL); tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno); -#else +#else /* HAVE_LIBCAP */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* HAVE_SYS_CAPABILITY_H */ + tst_resm(TCONF, "System doesn't have sys/capability.h."); +#endif tst_exit(); } diff --git a/testcases/kernel/security/cap_bound/exec_without_inh.c b/testcases/kernel/security/cap_bound/exec_without_inh.c index 81216f3..df3c4d9 100644 --- a/testcases/kernel/security/cap_bound/exec_without_inh.c 
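Review bot: `ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN);` is now compiled whenever HAVE_LIBCAP is set, with the old `#if HAVE_DECL_CAP_BSET_DROP` fallback removed and no HAVE_DECL_PR_CAPBSET_DROP check in its place, while cap_bset_inh_bounds.c in this same commit gates the equivalent call on `HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP` and reports TCONF otherwise. libcap being installed says nothing about whether sys/prctl.h declares PR_CAPBSET_DROP, so on older headers this file fails to build where the sibling test degrades gracefully; exec_without_inh.c's `@@ -83,17 +64,10 @@` hunk has the same line. Wrapping the call in `#if HAVE_DECL_PR_CAPBSET_DROP` with a TCONF `#else`, or adding that macro to the outer guard next to `#ifdef HAVE_LIBCAP`, would make the three tests consistent. `cur = cap_get_proc();` is still passed to `cap_get_flag` without a NULL check in both files; that is pre-existing context, but a `if (!cur)` TBROK would fit naturally now that the fallbacks are gone.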
+++ b/testcases/kernel/security/cap_bound/exec_without_inh.c @@ -42,39 +42,20 @@ int errno; int main(int argc, char *argv[]) { #if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP int ret = 1; cap_flag_value_t f; cap_value_t v[1]; cap_t cur; /* Make sure CAP_SYS_ADMIN is not in pI */ -#if HAVE_DECL_CAP_GET_FLAG -#if HAVE_DECL_CAP_GET_PROC cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); -#else - ret = -1; - errno = ENOSYS; -#endif -#else - ret = -1; - errno = ENOSYS; -#endif if (f == CAP_SET) { v[0] = CAP_SYS_ADMIN; -#if HAVE_DECL_CAP_SET_FLAG ret = cap_set_flag(cur, CAP_INHERITABLE, 1, v, CAP_CLEAR); -#else - ret = -1; - errno = ENOSYS; -#endif -#if HAVE_DECL_CAP_SET_PROC if (!ret) ret = cap_set_proc(cur); -#else - ret = -1; - errno = ENOSYS; -#endif if (ret) { tst_resm(TBROK, "Failed to drop cap_sys_admin from pI\n"); tst_exit(); @@ -83,17 +64,10 @@ int main(int argc, char *argv[]) tst_brkm(TBROK | TERRNO, tst_exit, "Failed to add \ CAP_SYS_ADMIN to pI"); } -#if HAVE_DECL_CAP_FREE cap_free(cur); -#endif /* drop the capability from bounding set */ -#if HAVE_DECL_CAP_BSET_DROP - ret = prctl(CAP_BSET_DROP, CAP_SYS_ADMIN); -#else - errno = ENOSYS; - ret = -1; -#endif + ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN); if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n"); tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno); @@ -103,8 +77,11 @@ int main(int argc, char *argv[]) /* execute "check_pe 0" */ execl("check_pe", "check_pe", "0", NULL); tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno); -#else +#else /* libcap */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* capability_h */ + tst_resm(TCONF, "System doesn't have sys/capability.h."); +#endif tst_exit(); } diff --git a/testcases/kernel/security/filecaps/check_simple_capset.c b/testcases/kernel/security/filecaps/check_simple_capset.c index 7851e01..6c7790d 100644 
--- a/testcases/kernel/security/filecaps/check_simple_capset.c +++ b/testcases/kernel/security/filecaps/check_simple_capset.c @@ -27,28 +27,21 @@ int main() { -#if HAVE_SYS_CAPABILITY_H +#ifdef HAVE_LIBCAP cap_t caps, caps2; int ret; -#if HAVE_DECL_CAP_FROM_TEXT && HAVE_DECL_CAP_SET_PROC && HAVE_DECL_CAP_COMPARE caps = cap_from_text("cap_setpcap+ep"); caps2 = cap_from_text("cap_setpcap+ep"); ret = cap_set_proc(caps); ret = cap_compare(caps, caps2); -#else - printf("System doesn't support full POSIX capabilities.\n"); - return 1; -#endif printf("Caps were %sthe same\n", ret ? "not " : ""); -#if HAVE_DECL_CAP_FREE cap_free(caps); cap_free(caps2); -#endif return ret; #else - printf("System doesn't support POSIX capabilities.\n"); + printf("System doesn't support full POSIX capabilities.\n"); return 1; #endif } diff --git a/testcases/kernel/security/filecaps/checkforfilecaps.sh b/testcases/kernel/security/filecaps/checkforfilecaps.sh deleted file mode 100755 index 757d409..0000000 --- a/testcases/kernel/security/filecaps/checkforfilecaps.sh +++ /dev/null 
@@ -1,40 +0,0 @@
-#!/bin/sh
-################################################################################
-## ##
-## Copyright (c) International Business Machines Corp., 2008 ##
-## ##
-## This program is free software; you can redistribute it and#or modify ##
-## it under the terms of the GNU General Public License as published by ##
-## the Free Software Foundation; either version 2 of the License, or ##
-## (at your option) any later version. ##
-## ##
-## This program is distributed in the hope that it will be useful, but ##
-## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
-## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ##
-## for more details. ##
-## ##
-## You should have received a copy of the GNU General Public License ##
-## along with this program; if not, write to the Free Software ##
-## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ##
-## ##
-################################################################################
-
-if ! check_simple_capset; then
- echo Posix capabilities not compiled into the kernel. Please
- echo modprobe capability or recompile your kernel with
- echo CONFIG_SECURITY_CAPABILITIES=y.
- exit 1
-fi
-
-touch testme
-setcap cap_sys_admin=ip testme
-ret=$?
-rm -f testme
-if [ $ret -ne 0 ]; then
- echo File capabilities not compiled into kernel. Please
- echo make sure your kernel is compiled with
- echo CONFIG_SECURITY_FILE_CAPABILITIES=y.
- exit 1
-fi
-
-exit 0
diff --git a/testcases/kernel/security/filecaps/checkforlibcap.sh b/testcases/kernel/security/filecaps/checkforlibcap.sh
deleted file mode 100755
index cc7642e..0000000
--- a/testcases/kernel/security/filecaps/checkforlibcap.sh
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/sh
-################################################################################
-## ##
-## Copyright (c) International Business Machines Corp., 2008 ##
-## ##
-## This program is free software; you can redistribute it and#or modify ##
-## it under the terms of the GNU General Public License as published by ##
-## the Free Software Foundation; either version 2 of the License, or ##
-## (at your option) any later version. ##
-## ##
-## This program is distributed in the hope that it will be useful, but ##
-## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
-## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ##
-## for more details. ##
-## ##
-## You should have received a copy of the GNU General Public License ##
-## along with this program; if not, write to the Free Software ##
-## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ##
-## ##
-################################################################################
-
-if [ "x$CC" = "x" ]; then
- export CC=gcc
-fi
-yesno=0
-if [ "$1" = "yesno" ]; then
- yesno=1
-fi
-
-SETCAP=`which setcap`
-if [ -z "${SETCAP}" ]; then
- ret=1
-else
- ret=0
-fi
-
-if [ $ret -eq 0 ]; then
- #also test for -lcap
- $CC -o check_simple_capset check_simple_capset.c -lcap \
- 2>/dev/null
-
- ret=$?
-fi
-
-if [ $ret -eq 0 ]; then
- #also test for xattr
- $CC -o check_xattr check_xattr.c
- ret=$?
- if [ $ret -ne 0 ]; then
- echo "Please install xattr headers"
- fi
-fi
-
-if [ $ret -ne 0 ]; then
- if [ $yesno -eq 1 ]; then
- echo no
- else
- exit 1
- fi
-else
- if [ $yesno -eq 1 ]; then
- echo yes
- else
- exit 0
- fi
-fi
diff --git a/testcases/kernel/security/filecaps/filecapstest.sh b/testcases/kernel/security/filecaps/filecapstest.sh
index 149cbc1..9025b58 100755
--- a/testcases/kernel/security/filecaps/filecapstest.sh
+++ b/testcases/kernel/security/filecaps/filecapstest.sh
@@ -19,22 +19,8 @@ ## ## ################################################################################ -checkforlibcap.sh -ret=$? -if [ $ret -ne 0 ]; then - echo "Filecaps 0 CONF : System doesn't support execution of the test" - echo setcap not installed. Please install libcap-2.11 or newer from - echo ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2 - exit 0 -fi -checkforfilecaps.sh -ret=$? -if [ $ret -ne 0 ]; then - echo "Filecaps 0 CONF : File capabilities not available" - exit 0 -fi - echo "Running in:" +rm -f print_caps cp $LTPROOT/testcases/bin/print_caps . mkfifo caps_fifo chmod 777 caps_fifo diff --git a/testcases/kernel/security/filecaps/inh_capped.c b/testcases/kernel/security/filecaps/inh_capped.c index 513fcb9..794e8b1 100644 --- a/testcases/kernel/security/filecaps/inh_capped.c +++ b/testcases/kernel/security/filecaps/inh_capped.c @@ -34,21 +34,17 @@ char *TCID = "filecaps"; int TST_TOTAL=1; +#ifdef HAVE_LIBCAP void debug_print_caps(char *when) { -#ifdef DEBUG char buf[2000]; tst_resm(TINFO, "%s", when); -#if HAVE_DECL_SET_CAP_TO_TEXT snprintf(buf, 2000, "%s", cap_to_text(cap_get_proc(), NULL)); -#endif tst_resm(TINFO, "%s", buf); -#endif } int set_caps_from_text(char *capstr) { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_SET_CAP_SET_PROC && HAVE_DECL_SET_CAP_FREE cap_t caps = cap_from_text(capstr); int ret; @@ -59,14 +55,12 @@ int set_caps_from_text(char *capstr) ret = cap_set_proc(caps); cap_free(caps); return ret; -#else - return -1; -#endif } +#endif int main() { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_SET_CAPS_FROM_TEXT +#ifdef HAVE_LIBCAP int ret; debug_print_caps("start"); diff --git a/testcases/kernel/security/filecaps/print_caps.c b/testcases/kernel/security/filecaps/print_caps.c index 188856e..f0e9bce 100644 --- a/testcases/kernel/security/filecaps/print_caps.c +++ b/testcases/kernel/security/filecaps/print_caps.c 
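Review bot: Removing the `checkforfilecaps.sh` call drops the only run-time probe (a `setcap cap_sys_admin=ip testme` on a scratch file) that detected a kernel without file-capability support and turned the run into CONF; configure now answers only whether libcap and the setcap binary exist on the build host, which is a different question from whether the kernel the tests run on honours file capabilities. On such a kernel the suite will presumably report failures instead of the previous CONF. A small inline probe, `touch testme; setcap cap_sys_admin=ip testme || { echo "Filecaps 0 CONF : File capabilities not available"; rm -f testme; exit 0; }; rm -f testme`, would keep that behaviour without the deleted helper scripts.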
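Review bot: Dropping the `#ifdef DEBUG` around `debug_print_caps` makes it run in every build, and its body `snprintf(buf, 2000, "%s", cap_to_text(cap_get_proc(), NULL));` never frees the cap_t from `cap_get_proc()` or the string from `cap_to_text()`, so every call (the visible `debug_print_caps("start")` and any later ones) leaks both. Removing the misnamed `HAVE_DECL_SET_CAP_TO_TEXT` guard (the AC_CHECK_DECLS list deleted in m4/ltp-cap.m4 checked `cap_to_text`, so it was never defined) means the call now always executes, so the leak is no longer dead code, and the 2000-byte intermediate buffer is unnecessary since `tst_resm` takes the string directly. Holding both results in locals and releasing them with `cap_free`, as verify_caps_exec.c's `print_my_caps` already does, fixes it; `set_caps_from_text` just below is fine as it frees `caps`.
```c
void debug_print_caps(char *when)
{
	cap_t cur = cap_get_proc();
	char *txt = cap_to_text(cur, NULL);

	tst_resm(TINFO, "%s", when);
	tst_resm(TINFO, "%s", txt ? txt : "(cap_to_text failed)");
	cap_free(txt);
	cap_free(cur);
}
```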
@@ -40,7 +40,7 @@ int main(int argc, char *argv[]) { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_GET_PROC && HAVE_DECL_CAP_TO_TEXT +#ifdef HAVE_LIBCAP cap_t cap = cap_get_proc(); int fd; int seqno = 0; diff --git a/testcases/kernel/security/filecaps/verify_caps_exec.c b/testcases/kernel/security/filecaps/verify_caps_exec.c index 16fcc0f..5250007 100644 --- a/testcases/kernel/security/filecaps/verify_caps_exec.c +++ b/testcases/kernel/security/filecaps/verify_caps_exec.c @@ -60,20 +60,18 @@ void usage(char *me) #define DROP_PERMS 0 #define KEEP_PERMS 1 +#ifdef HAVE_LIBCAP void print_my_caps() { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_GET_PROC && HAVE_DECL_CAP_TO_TEXT cap_t cap = cap_get_proc(); char *txt = cap_to_text(cap, NULL); tst_resm(TINFO, "\ncaps are %s\n", txt); cap_free(cap); cap_free(txt); -#endif } int drop_root(int keep_perms) { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_FROM_TEXT && HAVE_DECL_CAP_SET_PROC int ret; if (keep_perms) @@ -89,15 +87,11 @@ int drop_root(int keep_perms) cap_set_proc(cap); cap_free(cap); } -#else - tst_resm(TCONF, "System doesn't have full POSIX capabilities support.\n"); -#endif tst_exit(); } int perms_test(void) { -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_SET_FILE int ret; cap_t cap; @@ -118,9 +112,6 @@ int perms_test(void) cap_free(cap); return ret; -#else - return -1; -#endif } #define FIFOFILE "caps_fifo" @@ -160,7 +151,6 @@ void read_from_fifo(char *buf) close(fd); } -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_CAP_COMPARE && HAVE_DECL_CAP_FREE && HAVE_DECL_CAP_TO_TEXT int fork_drop_and_exec(int keepperms, cap_t expected_caps) { @@ -219,12 +209,9 @@ int fork_drop_and_exec(int keepperms, cap_t expected_caps) } return ret; } -#endif int caps_actually_set_test(void) { - -#if HAVE_SYS_CAPABILITY_H && HAVE_DECL_PR_CAPBSET_READ int whichcap, finalret = 0, ret; cap_t fcap, pcap, cap_fullpi; cap_value_t capvalue[1]; 
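Review bot: `caps_actually_set_test` loses its `HAVE_SYS_CAPABILITY_H && HAVE_DECL_PR_CAPBSET_READ` guard in the `@@ -219,12 +209,9 @@` hunk and is now covered only by the file-wide `#ifdef HAVE_LIBCAP` opened before `print_my_caps`; its body lies outside the hunk, but the guard it had suggests it calls `prctl(PR_CAPBSET_READ, ...)`, and libcap presence does not imply that sys/prctl.h declares PR_CAPBSET_READ, so builds on older headers that previously took the `return -1` fallback would now fail to compile. Keeping `#if HAVE_DECL_PR_CAPBSET_READ` inside the function with its `return -1;` fallback, or adding that macro to the file-wide guard, preserves the old degradation. The same `#ifdef HAVE_LIBCAP` region now also encloses the FIFOFILE helpers (`read_from_fifo` is visible in context), so main's non-libcap branch in the following hunk must not reference them; that branch is not visible here.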
@@ -399,17 +386,15 @@ int caps_actually_set_test(void) cap_free(cap_fullpi); return finalret; -#else - return -1; -#endif } +#endif int main(int argc, char *argv[]) { +#ifdef HAVE_LIBCAP if (argc < 2) usage(argv[0]); -#if HAVE_SYS_CAPABILITY_H int ret = 0; switch(atoi(argv[1])) { hooks/post-receive -- ltp |