1 /*- 2 * Copyright (c) 2013 The FreeBSD Foundation 3 * All rights reserved. 4 * 5 * This software was developed by Pawel Jakub Dawidek under sponsorship from 6 * the FreeBSD Foundation. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/types.h> 34 #include <sys/capsicum.h> 35 #include <sys/sysctl.h> 36 #include <sys/nv.h> 37 38 #include <assert.h> 39 #include <err.h> 40 #include <errno.h> 41 #include <netdb.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <unistd.h> 46 47 #include <libcasper.h> 48 49 #include <casper/cap_sysctl.h> 50 51 /* 52 * We need some sysctls to perform the tests on. 53 * We remember their values and restore them afer the test is done. 54 */ 55 #define SYSCTL0_PARENT "kern" 56 #define SYSCTL0_NAME "kern.sync_on_panic" 57 #define SYSCTL1_PARENT "debug" 58 #define SYSCTL1_NAME "debug.minidump" 59 60 static int ntest = 1; 61 62 #define CHECK(expr) do { \ 63 if ((expr)) \ 64 printf("ok %d %s:%u\n", ntest, __FILE__, __LINE__); \ 65 else \ 66 printf("not ok %d %s:%u\n", ntest, __FILE__, __LINE__); \ 67 ntest++; \ 68 } while (0) 69 #define CHECKX(expr) do { \ 70 if ((expr)) { \ 71 printf("ok %d %s:%u\n", ntest, __FILE__, __LINE__); \ 72 } else { \ 73 printf("not ok %d %s:%u\n", ntest, __FILE__, __LINE__); \ 74 exit(1); \ 75 } \ 76 ntest++; \ 77 } while (0) 78 79 #define SYSCTL0_READ0 0x0001 80 #define SYSCTL0_READ1 0x0002 81 #define SYSCTL0_READ2 0x0004 82 #define SYSCTL0_WRITE 0x0008 83 #define SYSCTL0_READ_WRITE 0x0010 84 #define SYSCTL1_READ0 0x0020 85 #define SYSCTL1_READ1 0x0040 86 #define SYSCTL1_READ2 0x0080 87 #define SYSCTL1_WRITE 0x0100 88 #define SYSCTL1_READ_WRITE 0x0200 89 90 static unsigned int 91 runtest(cap_channel_t *capsysctl) 92 { 93 unsigned int result; 94 int oldvalue, newvalue; 95 size_t oldsize; 96 97 result = 0; 98 99 oldsize = sizeof(oldvalue); 100 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 101 NULL, 0) == 0) { 102 if (oldsize == sizeof(oldvalue)) 103 result |= SYSCTL0_READ0; 104 } 105 106 newvalue = 123; 107 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue, 108 sizeof(newvalue)) == 0) { 109 result |= SYSCTL0_WRITE; 110 } 111 112 if ((result & SYSCTL0_WRITE) != 0) { 113 oldsize = sizeof(oldvalue); 114 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 115 &oldsize, NULL, 0) == 0) { 116 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 117 result |= SYSCTL0_READ1; 118 } 119 } 120 121 oldsize = sizeof(oldvalue); 122 newvalue = 4567; 123 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 124 &newvalue, sizeof(newvalue)) == 0) { 125 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 126 result |= SYSCTL0_READ_WRITE; 127 } 128 129 if ((result & SYSCTL0_READ_WRITE) != 0) { 130 oldsize = sizeof(oldvalue); 131 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 132 &oldsize, NULL, 0) == 0) { 133 if (oldsize == sizeof(oldvalue) && oldvalue == 4567) 134 result |= SYSCTL0_READ2; 135 } 136 } 137 138 oldsize = sizeof(oldvalue); 139 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 140 NULL, 0) == 0) { 141 if (oldsize == sizeof(oldvalue)) 142 result |= SYSCTL1_READ0; 143 } 144 145 newvalue = 506; 146 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue, 147 sizeof(newvalue)) == 0) { 148 result |= SYSCTL1_WRITE; 149 } 150 151 if ((result & SYSCTL1_WRITE) != 0) { 152 oldsize = sizeof(oldvalue); 153 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 154 &oldsize, NULL, 0) == 0) { 155 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 156 result |= SYSCTL1_READ1; 157 } 158 } 159 160 oldsize = sizeof(oldvalue); 161 newvalue = 7008; 162 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 163 &newvalue, sizeof(newvalue)) == 0) { 164 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 165 result |= SYSCTL1_READ_WRITE; 166 } 167 168 if ((result & SYSCTL1_READ_WRITE) != 0) { 169 oldsize = sizeof(oldvalue); 170 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 171 &oldsize, NULL, 0) == 0) { 172 if (oldsize == sizeof(oldvalue) && oldvalue == 7008) 173 result |= SYSCTL1_READ2; 174 } 175 } 176 177 return (result); 178 } 179 180 static void 181 test_operation(cap_channel_t *origcapsysctl) 182 { 183 cap_channel_t *capsysctl; 184 nvlist_t *limits; 185 186 /* 187 * Allow: 188 * SYSCTL0_PARENT/RDWR/RECURSIVE 189 * SYSCTL1_PARENT/RDWR/RECURSIVE 190 */ 191 192 capsysctl = cap_clone(origcapsysctl); 193 CHECK(capsysctl != NULL); 194 195 limits = nvlist_create(0); 196 nvlist_add_number(limits, SYSCTL0_PARENT, 197 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 198 nvlist_add_number(limits, SYSCTL1_PARENT, 199 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 200 CHECK(cap_limit_set(capsysctl, limits) == 0); 201 limits = nvlist_create(0); 202 nvlist_add_number(limits, SYSCTL0_PARENT, 203 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 204 nvlist_add_number(limits, SYSCTL1_PARENT, 205 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 206 nvlist_add_number(limits, "foo.bar", 207 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 208 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 209 limits = nvlist_create(0); 210 nvlist_add_number(limits, "foo.bar", 211 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 212 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 213 214 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 215 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 216 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 217 SYSCTL1_READ_WRITE)); 218 219 limits = nvlist_create(0); 220 nvlist_add_number(limits, SYSCTL0_NAME, 221 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 222 nvlist_add_number(limits, SYSCTL1_NAME, 223 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 224 CHECK(cap_limit_set(capsysctl, limits) == 0); 225 226 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 227 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 228 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 229 SYSCTL1_READ_WRITE)); 230 231 limits = nvlist_create(0); 232 nvlist_add_number(limits, SYSCTL0_NAME, 233 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 234 nvlist_add_number(limits, SYSCTL1_NAME, 235 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 236 CHECK(cap_limit_set(capsysctl, limits) == 0); 237 238 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 239 240 limits = nvlist_create(0); 241 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 242 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 243 CHECK(cap_limit_set(capsysctl, limits) == 0); 244 245 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 246 247 limits = nvlist_create(0); 248 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 249 CHECK(cap_limit_set(capsysctl, limits) == 0); 250 251 CHECK(runtest(capsysctl) == SYSCTL0_READ0); 252 253 cap_close(capsysctl); 254 255 /* 256 * Allow: 257 * SYSCTL0_NAME/RDWR/RECURSIVE 258 * SYSCTL1_NAME/RDWR/RECURSIVE 259 */ 260 261 capsysctl = cap_clone(origcapsysctl); 262 CHECK(capsysctl != NULL); 263 264 limits = nvlist_create(0); 265 nvlist_add_number(limits, SYSCTL0_NAME, 266 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 267 nvlist_add_number(limits, SYSCTL1_NAME, 268 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 269 CHECK(cap_limit_set(capsysctl, limits) == 0); 270 limits = nvlist_create(0); 271 nvlist_add_number(limits, SYSCTL0_PARENT, 272 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 273 nvlist_add_number(limits, SYSCTL1_PARENT, 274 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 275 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 276 limits = nvlist_create(0); 277 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 278 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 279 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 280 limits = nvlist_create(0); 281 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 282 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 283 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 284 limits = nvlist_create(0); 285 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 286 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 287 288 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 289 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 290 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 291 SYSCTL1_READ_WRITE)); 292 293 cap_close(capsysctl); 294 295 /* 296 * Allow: 297 * SYSCTL0_PARENT/RDWR 298 * SYSCTL1_PARENT/RDWR 299 */ 300 301 capsysctl = cap_clone(origcapsysctl); 302 CHECK(capsysctl != NULL); 303 304 limits = nvlist_create(0); 305 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 306 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 307 CHECK(cap_limit_set(capsysctl, limits) == 0); 308 limits = nvlist_create(0); 309 nvlist_add_number(limits, SYSCTL0_PARENT, 310 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 311 nvlist_add_number(limits, SYSCTL1_PARENT, 312 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 313 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 314 limits = nvlist_create(0); 315 nvlist_add_number(limits, SYSCTL0_PARENT, 316 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 317 nvlist_add_number(limits, SYSCTL1_PARENT, 318 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 319 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 320 limits = nvlist_create(0); 321 nvlist_add_number(limits, SYSCTL0_PARENT, 322 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 323 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 324 325 CHECK(runtest(capsysctl) == 0); 326 327 cap_close(capsysctl); 328 329 /* 330 * Allow: 331 * SYSCTL0_NAME/RDWR 332 * SYSCTL1_NAME/RDWR 333 */ 334 335 capsysctl = cap_clone(origcapsysctl); 336 CHECK(capsysctl != NULL); 337 338 limits = nvlist_create(0); 339 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 340 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 341 CHECK(cap_limit_set(capsysctl, limits) == 0); 342 limits = nvlist_create(0); 343 nvlist_add_number(limits, SYSCTL0_PARENT, 344 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 345 nvlist_add_number(limits, SYSCTL1_PARENT, 346 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 347 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 348 limits = nvlist_create(0); 349 nvlist_add_number(limits, SYSCTL0_PARENT, 350 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 351 nvlist_add_number(limits, SYSCTL1_PARENT, 352 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 353 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 354 limits = nvlist_create(0); 355 nvlist_add_number(limits, SYSCTL1_PARENT, 356 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 357 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 358 359 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 360 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 361 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 362 SYSCTL1_READ_WRITE)); 363 364 cap_close(capsysctl); 365 366 /* 367 * Allow: 368 * SYSCTL0_PARENT/RDWR 369 * SYSCTL1_PARENT/RDWR/RECURSIVE 370 */ 371 372 capsysctl = cap_clone(origcapsysctl); 373 CHECK(capsysctl != NULL); 374 375 limits = nvlist_create(0); 376 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 377 nvlist_add_number(limits, SYSCTL1_PARENT, 378 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 379 CHECK(cap_limit_set(capsysctl, limits) == 0); 380 limits = nvlist_create(0); 381 nvlist_add_number(limits, SYSCTL0_PARENT, 382 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 383 nvlist_add_number(limits, SYSCTL1_PARENT, 384 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 385 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 386 limits = nvlist_create(0); 387 nvlist_add_number(limits, SYSCTL0_PARENT, 388 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 389 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 390 limits = nvlist_create(0); 391 nvlist_add_number(limits, SYSCTL0_PARENT, 392 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 393 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 394 limits = nvlist_create(0); 395 nvlist_add_number(limits, SYSCTL0_NAME, 396 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 397 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 398 399 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 400 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 401 402 cap_close(capsysctl); 403 404 /* 405 * Allow: 406 * SYSCTL0_NAME/RDWR 407 * SYSCTL1_NAME/RDWR/RECURSIVE 408 */ 409 410 capsysctl = cap_clone(origcapsysctl); 411 CHECK(capsysctl != NULL); 412 413 limits = nvlist_create(0); 414 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 415 nvlist_add_number(limits, SYSCTL1_NAME, 416 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 417 CHECK(cap_limit_set(capsysctl, limits) == 0); 418 limits = nvlist_create(0); 419 nvlist_add_number(limits, SYSCTL0_NAME, 420 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 421 nvlist_add_number(limits, SYSCTL1_NAME, 422 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 423 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 424 limits = nvlist_create(0); 425 nvlist_add_number(limits, SYSCTL0_NAME, 426 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 427 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 428 limits = nvlist_create(0); 429 nvlist_add_number(limits, SYSCTL0_NAME, 430 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 431 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 432 433 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 434 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 435 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 436 SYSCTL1_READ_WRITE)); 437 438 cap_close(capsysctl); 439 440 /* 441 * Allow: 442 * SYSCTL0_PARENT/READ/RECURSIVE 443 * SYSCTL1_PARENT/READ/RECURSIVE 444 */ 445 446 capsysctl = cap_clone(origcapsysctl); 447 CHECK(capsysctl != NULL); 448 449 limits = nvlist_create(0); 450 nvlist_add_number(limits, SYSCTL0_PARENT, 451 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 452 nvlist_add_number(limits, SYSCTL1_PARENT, 453 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 454 CHECK(cap_limit_set(capsysctl, limits) == 0); 455 limits = nvlist_create(0); 456 nvlist_add_number(limits, SYSCTL0_PARENT, 457 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 458 nvlist_add_number(limits, SYSCTL1_PARENT, 459 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 460 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 461 limits = nvlist_create(0); 462 nvlist_add_number(limits, SYSCTL0_PARENT, 463 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 464 nvlist_add_number(limits, SYSCTL1_PARENT, 465 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 466 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 467 limits = nvlist_create(0); 468 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 469 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 470 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 471 limits = nvlist_create(0); 472 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 473 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 474 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 475 limits = nvlist_create(0); 476 nvlist_add_number(limits, SYSCTL0_PARENT, 477 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 478 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 479 limits = nvlist_create(0); 480 nvlist_add_number(limits, SYSCTL1_PARENT, 481 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 482 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 483 limits = nvlist_create(0); 484 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 485 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 486 limits = nvlist_create(0); 487 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 488 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 489 490 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 491 492 cap_close(capsysctl); 493 494 /* 495 * Allow: 496 * SYSCTL0_NAME/READ/RECURSIVE 497 * SYSCTL1_NAME/READ/RECURSIVE 498 */ 499 500 capsysctl = cap_clone(origcapsysctl); 501 CHECK(capsysctl != NULL); 502 503 limits = nvlist_create(0); 504 nvlist_add_number(limits, SYSCTL0_NAME, 505 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 506 nvlist_add_number(limits, SYSCTL1_NAME, 507 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 508 CHECK(cap_limit_set(capsysctl, limits) == 0); 509 limits = nvlist_create(0); 510 nvlist_add_number(limits, SYSCTL0_NAME, 511 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 512 nvlist_add_number(limits, SYSCTL1_NAME, 513 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 514 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 515 limits = nvlist_create(0); 516 nvlist_add_number(limits, SYSCTL0_NAME, 517 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 518 nvlist_add_number(limits, SYSCTL1_NAME, 519 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 520 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 521 limits = nvlist_create(0); 522 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 523 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 524 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 525 limits = nvlist_create(0); 526 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 527 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 528 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 529 limits = nvlist_create(0); 530 nvlist_add_number(limits, SYSCTL0_NAME, 531 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 532 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 533 limits = nvlist_create(0); 534 nvlist_add_number(limits, SYSCTL1_NAME, 535 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 536 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 537 limits = nvlist_create(0); 538 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 539 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 540 limits = nvlist_create(0); 541 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 542 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 543 544 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 545 546 cap_close(capsysctl); 547 548 /* 549 * Allow: 550 * SYSCTL0_PARENT/READ 551 * SYSCTL1_PARENT/READ 552 */ 553 554 capsysctl = cap_clone(origcapsysctl); 555 CHECK(capsysctl != NULL); 556 557 limits = nvlist_create(0); 558 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 559 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 560 CHECK(cap_limit_set(capsysctl, limits) == 0); 561 limits = nvlist_create(0); 562 nvlist_add_number(limits, SYSCTL0_PARENT, 563 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 564 nvlist_add_number(limits, SYSCTL1_PARENT, 565 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 566 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 567 limits = nvlist_create(0); 568 nvlist_add_number(limits, SYSCTL0_PARENT, 569 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 570 nvlist_add_number(limits, SYSCTL1_PARENT, 571 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 572 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 573 limits = nvlist_create(0); 574 nvlist_add_number(limits, SYSCTL0_PARENT, 575 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 576 nvlist_add_number(limits, SYSCTL1_PARENT, 577 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 578 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 579 limits = nvlist_create(0); 580 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 581 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 582 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 583 limits = nvlist_create(0); 584 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 585 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 586 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 587 limits = nvlist_create(0); 588 nvlist_add_number(limits, SYSCTL0_PARENT, 589 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 590 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 591 limits = nvlist_create(0); 592 nvlist_add_number(limits, SYSCTL1_PARENT, 593 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 594 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 595 limits = nvlist_create(0); 596 nvlist_add_number(limits, SYSCTL0_PARENT, 597 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 598 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 599 limits = nvlist_create(0); 600 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 601 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 602 limits = nvlist_create(0); 603 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 604 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 605 606 CHECK(runtest(capsysctl) == 0); 607 608 cap_close(capsysctl); 609 610 /* 611 * Allow: 612 * SYSCTL0_NAME/READ 613 * SYSCTL1_NAME/READ 614 */ 615 616 capsysctl = cap_clone(origcapsysctl); 617 CHECK(capsysctl != NULL); 618 619 limits = nvlist_create(0); 620 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 621 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 622 CHECK(cap_limit_set(capsysctl, limits) == 0); 623 limits = nvlist_create(0); 624 nvlist_add_number(limits, SYSCTL0_NAME, 625 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 626 nvlist_add_number(limits, SYSCTL1_NAME, 627 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 628 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 629 limits = nvlist_create(0); 630 nvlist_add_number(limits, SYSCTL0_NAME, 631 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 632 nvlist_add_number(limits, SYSCTL1_NAME, 633 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 634 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 635 limits = nvlist_create(0); 636 nvlist_add_number(limits, SYSCTL0_NAME, 637 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 638 nvlist_add_number(limits, SYSCTL1_NAME, 639 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 640 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 641 limits = nvlist_create(0); 642 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 643 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 644 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 645 limits = nvlist_create(0); 646 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 647 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 648 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 649 limits = nvlist_create(0); 650 nvlist_add_number(limits, SYSCTL0_NAME, 651 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 652 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 653 limits = nvlist_create(0); 654 nvlist_add_number(limits, SYSCTL1_NAME, 655 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 656 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 657 limits = nvlist_create(0); 658 nvlist_add_number(limits, SYSCTL0_NAME, 659 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 660 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 661 limits = nvlist_create(0); 662 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 663 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 664 limits = nvlist_create(0); 665 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 666 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 667 668 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 669 670 cap_close(capsysctl); 671 672 /* 673 * Allow: 674 * SYSCTL0_PARENT/READ 675 * SYSCTL1_PARENT/READ/RECURSIVE 676 */ 677 678 capsysctl = cap_clone(origcapsysctl); 679 CHECK(capsysctl != NULL); 680 681 limits = nvlist_create(0); 682 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 683 nvlist_add_number(limits, SYSCTL1_PARENT, 684 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 685 CHECK(cap_limit_set(capsysctl, limits) == 0); 686 limits = nvlist_create(0); 687 nvlist_add_number(limits, SYSCTL0_PARENT, 688 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 689 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 690 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 691 692 CHECK(runtest(capsysctl) == SYSCTL1_READ0); 693 694 cap_close(capsysctl); 695 696 /* 697 * Allow: 698 * SYSCTL0_NAME/READ 699 * SYSCTL1_NAME/READ/RECURSIVE 700 */ 701 702 capsysctl = cap_clone(origcapsysctl); 703 CHECK(capsysctl != NULL); 704 705 limits = nvlist_create(0); 706 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 707 nvlist_add_number(limits, SYSCTL1_NAME, 708 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 709 CHECK(cap_limit_set(capsysctl, limits) == 0); 710 limits = nvlist_create(0); 711 nvlist_add_number(limits, SYSCTL0_NAME, 712 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 713 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 714 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 715 716 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 717 718 cap_close(capsysctl); 719 720 /* 721 * Allow: 722 * SYSCTL0_PARENT/WRITE/RECURSIVE 723 * SYSCTL1_PARENT/WRITE/RECURSIVE 724 */ 725 726 capsysctl = cap_clone(origcapsysctl); 727 CHECK(capsysctl != NULL); 728 729 limits = nvlist_create(0); 730 nvlist_add_number(limits, SYSCTL0_PARENT, 731 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 732 nvlist_add_number(limits, SYSCTL1_PARENT, 733 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 734 CHECK(cap_limit_set(capsysctl, limits) == 0); 735 limits = nvlist_create(0); 736 nvlist_add_number(limits, SYSCTL0_PARENT, 737 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 738 nvlist_add_number(limits, SYSCTL1_PARENT, 739 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 740 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 741 limits = nvlist_create(0); 742 nvlist_add_number(limits, SYSCTL0_PARENT, 743 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 744 nvlist_add_number(limits, SYSCTL1_PARENT, 745 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 746 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 747 limits = nvlist_create(0); 748 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 749 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 750 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 751 limits = nvlist_create(0); 752 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 753 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 754 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 755 limits = nvlist_create(0); 756 nvlist_add_number(limits, SYSCTL0_PARENT, 757 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 758 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 759 limits = nvlist_create(0); 760 nvlist_add_number(limits, SYSCTL1_PARENT, 761 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 762 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 763 limits = nvlist_create(0); 764 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 765 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 766 limits = nvlist_create(0); 767 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 768 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 769 770 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 771 772 cap_close(capsysctl); 773 774 /* 775 * Allow: 776 * SYSCTL0_NAME/WRITE/RECURSIVE 777 * SYSCTL1_NAME/WRITE/RECURSIVE 778 */ 779 780 capsysctl = cap_clone(origcapsysctl); 781 CHECK(capsysctl != NULL); 782 783 limits = nvlist_create(0); 784 nvlist_add_number(limits, SYSCTL0_NAME, 785 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 786 nvlist_add_number(limits, SYSCTL1_NAME, 787 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 788 CHECK(cap_limit_set(capsysctl, limits) == 0); 789 limits = nvlist_create(0); 790 nvlist_add_number(limits, SYSCTL0_NAME, 791 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 792 nvlist_add_number(limits, SYSCTL1_NAME, 793 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 794 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 795 limits = nvlist_create(0); 796 nvlist_add_number(limits, SYSCTL0_NAME, 797 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 798 nvlist_add_number(limits, SYSCTL1_NAME, 799 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 800 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 801 limits = nvlist_create(0); 802 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 803 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 804 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 805 limits = nvlist_create(0); 806 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 807 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 808 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 809 limits = nvlist_create(0); 810 nvlist_add_number(limits, SYSCTL0_NAME, 811 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 812 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 813 limits = nvlist_create(0); 814 nvlist_add_number(limits, SYSCTL1_NAME, 815 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 816 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 817 limits = nvlist_create(0); 818 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 819 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 820 limits = nvlist_create(0); 821 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 822 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 823 824 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 825 826 cap_close(capsysctl); 827 828 /* 829 * Allow: 830 * SYSCTL0_PARENT/WRITE 831 * SYSCTL1_PARENT/WRITE 832 */ 833 834 capsysctl = cap_clone(origcapsysctl); 835 CHECK(capsysctl != NULL); 836 837 limits = nvlist_create(0); 838 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 839 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 840 CHECK(cap_limit_set(capsysctl, limits) == 0); 841 limits = nvlist_create(0); 842 nvlist_add_number(limits, SYSCTL0_PARENT, 843 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 844 nvlist_add_number(limits, SYSCTL1_PARENT, 845 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 846 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 847 limits = nvlist_create(0); 848 nvlist_add_number(limits, SYSCTL0_PARENT, 849 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 850 nvlist_add_number(limits, SYSCTL1_PARENT, 851 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 852 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 853 limits = nvlist_create(0); 854 nvlist_add_number(limits, SYSCTL0_PARENT, 855 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 856 nvlist_add_number(limits, SYSCTL1_PARENT, 857 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 858 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 859 limits = nvlist_create(0); 860 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 861 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 862 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 863 limits = nvlist_create(0); 864 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 865 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 866 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 867 limits = nvlist_create(0); 868 nvlist_add_number(limits, SYSCTL0_PARENT, 869 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 870 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 871 limits = nvlist_create(0); 872 nvlist_add_number(limits, SYSCTL1_PARENT, 873 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 874 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 875 limits = nvlist_create(0); 876 nvlist_add_number(limits, SYSCTL0_PARENT, 877 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 878 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 879 limits = nvlist_create(0); 880 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 881 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 882 limits = nvlist_create(0); 883 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 884 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 885 886 CHECK(runtest(capsysctl) == 0); 887 888 cap_close(capsysctl); 889 890 /* 891 * Allow: 892 * SYSCTL0_NAME/WRITE 893 * SYSCTL1_NAME/WRITE 894 */ 895 896 capsysctl = cap_clone(origcapsysctl); 897 CHECK(capsysctl != NULL); 898 899 limits = nvlist_create(0); 900 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 901 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 902 CHECK(cap_limit_set(capsysctl, limits) == 0); 903 limits = nvlist_create(0); 904 nvlist_add_number(limits, SYSCTL0_NAME, 905 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 906 nvlist_add_number(limits, SYSCTL1_NAME, 907 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 908 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 909 limits = nvlist_create(0); 910 nvlist_add_number(limits, SYSCTL0_NAME, 911 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 912 nvlist_add_number(limits, SYSCTL1_NAME, 913 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 914 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 915 limits = nvlist_create(0); 916 nvlist_add_number(limits, SYSCTL0_NAME, 917 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 918 nvlist_add_number(limits, SYSCTL1_NAME, 919 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 920 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 921 limits = nvlist_create(0); 922 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 923 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 924 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 925 limits = nvlist_create(0); 926 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 927 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 928 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 929 limits = nvlist_create(0); 930 nvlist_add_number(limits, SYSCTL0_NAME, 931 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 932 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 933 limits = nvlist_create(0); 934 nvlist_add_number(limits, SYSCTL1_NAME, 935 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 936 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 937 limits = nvlist_create(0); 938 nvlist_add_number(limits, SYSCTL0_NAME, 939 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 940 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 941 limits = nvlist_create(0); 942 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 943 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 944 limits = nvlist_create(0); 945 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 946 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 947 948 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 949 950 cap_close(capsysctl); 951 952 /* 953 * Allow: 954 * SYSCTL0_PARENT/WRITE 955 * SYSCTL1_PARENT/WRITE/RECURSIVE 956 */ 957 958 capsysctl = cap_clone(origcapsysctl); 959 CHECK(capsysctl != NULL); 960 961 limits = nvlist_create(0); 962 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 963 nvlist_add_number(limits, SYSCTL1_PARENT, 964 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 965 CHECK(cap_limit_set(capsysctl, limits) == 0); 966 limits = nvlist_create(0); 967 nvlist_add_number(limits, SYSCTL0_PARENT, 968 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 969 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 970 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 971 972 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 973 974 cap_close(capsysctl); 975 976 /* 977 * Allow: 978 * SYSCTL0_NAME/WRITE 979 * SYSCTL1_NAME/WRITE/RECURSIVE 980 */ 981 982 capsysctl = cap_clone(origcapsysctl); 983 CHECK(capsysctl != NULL); 984 985 limits = nvlist_create(0); 986 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 987 nvlist_add_number(limits, SYSCTL1_NAME, 988 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 989 CHECK(cap_limit_set(capsysctl, limits) == 0); 990 limits = nvlist_create(0); 991 nvlist_add_number(limits, SYSCTL0_NAME, 992 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 993 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 994 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 995 996 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 997 998 cap_close(capsysctl); 999 1000 /* 1001 * Allow: 1002 * SYSCTL0_PARENT/READ/RECURSIVE 1003 * SYSCTL1_PARENT/WRITE/RECURSIVE 1004 */ 1005 1006 capsysctl = cap_clone(origcapsysctl); 1007 CHECK(capsysctl != NULL); 1008 1009 limits = nvlist_create(0); 1010 nvlist_add_number(limits, SYSCTL0_PARENT, 1011 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1012 nvlist_add_number(limits, SYSCTL1_PARENT, 1013 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1014 CHECK(cap_limit_set(capsysctl, limits) == 0); 1015 1016 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1017 1018 cap_close(capsysctl); 1019 1020 /* 1021 * Allow: 1022 * SYSCTL0_NAME/READ/RECURSIVE 1023 * SYSCTL1_NAME/WRITE/RECURSIVE 1024 */ 1025 1026 capsysctl = cap_clone(origcapsysctl); 1027 CHECK(capsysctl != NULL); 1028 1029 limits = nvlist_create(0); 1030 nvlist_add_number(limits, SYSCTL0_NAME, 1031 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1032 nvlist_add_number(limits, SYSCTL1_NAME, 1033 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1034 CHECK(cap_limit_set(capsysctl, limits) == 0); 1035 1036 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1037 1038 cap_close(capsysctl); 1039 1040 /* 1041 * Allow: 1042 * SYSCTL0_PARENT/READ 1043 * SYSCTL1_PARENT/WRITE 1044 */ 1045 1046 capsysctl = cap_clone(origcapsysctl); 1047 CHECK(capsysctl != NULL); 1048 1049 limits = nvlist_create(0); 1050 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1051 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1052 CHECK(cap_limit_set(capsysctl, limits) == 0); 1053 1054 CHECK(runtest(capsysctl) == 0); 1055 1056 cap_close(capsysctl); 1057 1058 /* 1059 * Allow: 1060 * SYSCTL0_NAME/READ 1061 * SYSCTL1_NAME/WRITE 1062 */ 1063 1064 capsysctl = cap_clone(origcapsysctl); 1065 CHECK(capsysctl != NULL); 1066 1067 limits = nvlist_create(0); 1068 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1069 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1070 CHECK(cap_limit_set(capsysctl, limits) == 0); 1071 1072 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1073 1074 cap_close(capsysctl); 1075 1076 /* 1077 * Allow: 1078 * SYSCTL0_PARENT/READ 1079 * SYSCTL1_PARENT/WRITE/RECURSIVE 1080 */ 1081 1082 capsysctl = cap_clone(origcapsysctl); 1083 CHECK(capsysctl != NULL); 1084 1085 limits = nvlist_create(0); 1086 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1087 nvlist_add_number(limits, SYSCTL1_PARENT, 1088 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1089 CHECK(cap_limit_set(capsysctl, limits) == 0); 1090 1091 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 1092 1093 cap_close(capsysctl); 1094 1095 /* 1096 * Allow: 1097 * SYSCTL0_NAME/READ 1098 * SYSCTL1_NAME/WRITE/RECURSIVE 1099 */ 1100 1101 capsysctl = cap_clone(origcapsysctl); 1102 CHECK(capsysctl != NULL); 1103 1104 limits = nvlist_create(0); 1105 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1106 nvlist_add_number(limits, SYSCTL1_NAME, 1107 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1108 CHECK(cap_limit_set(capsysctl, limits) == 0); 1109 1110 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1111 1112 cap_close(capsysctl); 1113 } 1114 1115 static void 1116 test_names(cap_channel_t *origcapsysctl) 1117 { 1118 cap_channel_t *capsysctl; 1119 nvlist_t *limits; 1120 1121 /* 1122 * Allow: 1123 * SYSCTL0_PARENT/READ/RECURSIVE 1124 */ 1125 1126 capsysctl = cap_clone(origcapsysctl); 1127 CHECK(capsysctl != NULL); 1128 1129 limits = nvlist_create(0); 1130 nvlist_add_number(limits, SYSCTL0_PARENT, 1131 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1132 CHECK(cap_limit_set(capsysctl, limits) == 0); 1133 limits = nvlist_create(0); 1134 nvlist_add_number(limits, SYSCTL0_PARENT, 1135 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1136 nvlist_add_number(limits, SYSCTL1_PARENT, 1137 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1138 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1139 limits = nvlist_create(0); 1140 nvlist_add_number(limits, SYSCTL1_PARENT, 1141 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1142 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1143 limits = nvlist_create(0); 1144 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1145 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1146 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1147 limits = nvlist_create(0); 1148 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1149 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1150 1151 CHECK(runtest(capsysctl) == SYSCTL0_READ0); 1152 1153 cap_close(capsysctl); 1154 1155 /* 1156 * Allow: 1157 * SYSCTL1_NAME/READ/RECURSIVE 1158 */ 1159 1160 capsysctl = cap_clone(origcapsysctl); 1161 CHECK(capsysctl != NULL); 1162 1163 limits = nvlist_create(0); 1164 nvlist_add_number(limits, SYSCTL1_NAME, 1165 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1166 CHECK(cap_limit_set(capsysctl, limits) == 0); 1167 limits = nvlist_create(0); 1168 nvlist_add_number(limits, SYSCTL0_NAME, 1169 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1170 nvlist_add_number(limits, SYSCTL1_NAME, 1171 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1172 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1173 limits = nvlist_create(0); 1174 nvlist_add_number(limits, SYSCTL0_NAME, 1175 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1176 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1177 limits = nvlist_create(0); 1178 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1179 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1180 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1181 limits = nvlist_create(0); 1182 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1183 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1184 1185 CHECK(runtest(capsysctl) == SYSCTL1_READ0); 1186 1187 cap_close(capsysctl); 1188 1189 /* 1190 * Allow: 1191 * SYSCTL0_PARENT/WRITE/RECURSIVE 1192 */ 1193 1194 capsysctl = cap_clone(origcapsysctl); 1195 CHECK(capsysctl != NULL); 1196 1197 limits = nvlist_create(0); 1198 nvlist_add_number(limits, SYSCTL0_PARENT, 1199 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1200 CHECK(cap_limit_set(capsysctl, limits) == 0); 1201 limits = nvlist_create(0); 1202 nvlist_add_number(limits, SYSCTL0_PARENT, 1203 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1204 nvlist_add_number(limits, SYSCTL1_PARENT, 1205 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1206 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1207 limits = nvlist_create(0); 1208 nvlist_add_number(limits, SYSCTL1_PARENT, 1209 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1210 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1211 limits = nvlist_create(0); 1212 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1213 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1214 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1215 limits = nvlist_create(0); 1216 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1217 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1218 1219 CHECK(runtest(capsysctl) == SYSCTL0_WRITE); 1220 1221 cap_close(capsysctl); 1222 1223 /* 1224 * Allow: 1225 * SYSCTL1_NAME/WRITE/RECURSIVE 1226 */ 1227 1228 capsysctl = cap_clone(origcapsysctl); 1229 CHECK(capsysctl != NULL); 1230 1231 limits = nvlist_create(0); 1232 nvlist_add_number(limits, SYSCTL1_NAME, 1233 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1234 CHECK(cap_limit_set(capsysctl, limits) == 0); 1235 limits = nvlist_create(0); 1236 nvlist_add_number(limits, SYSCTL0_NAME, 1237 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1238 nvlist_add_number(limits, SYSCTL1_NAME, 1239 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1240 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1241 limits = nvlist_create(0); 1242 nvlist_add_number(limits, SYSCTL0_NAME, 1243 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1244 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1245 limits = nvlist_create(0); 1246 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1247 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1248 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1249 limits = nvlist_create(0); 1250 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1251 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1252 1253 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 1254 1255 cap_close(capsysctl); 1256 1257 /* 1258 * Allow: 1259 * SYSCTL0_PARENT/RDWR/RECURSIVE 1260 */ 1261 1262 capsysctl = cap_clone(origcapsysctl); 1263 CHECK(capsysctl != NULL); 1264 1265 limits = nvlist_create(0); 1266 nvlist_add_number(limits, SYSCTL0_PARENT, 1267 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1268 CHECK(cap_limit_set(capsysctl, limits) == 0); 1269 limits = nvlist_create(0); 1270 nvlist_add_number(limits, SYSCTL0_PARENT, 1271 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1272 nvlist_add_number(limits, SYSCTL1_PARENT, 1273 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1274 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1275 limits = nvlist_create(0); 1276 nvlist_add_number(limits, SYSCTL1_PARENT, 1277 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1278 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1279 limits = nvlist_create(0); 1280 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1281 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1282 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1283 limits = nvlist_create(0); 1284 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1285 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1286 1287 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1288 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE)); 1289 1290 cap_close(capsysctl); 1291 1292 /* 1293 * Allow: 1294 * SYSCTL1_NAME/RDWR/RECURSIVE 1295 */ 1296 1297 capsysctl = cap_clone(origcapsysctl); 1298 CHECK(capsysctl != NULL); 1299 1300 limits = nvlist_create(0); 1301 nvlist_add_number(limits, SYSCTL1_NAME, 1302 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1303 CHECK(cap_limit_set(capsysctl, limits) == 0); 1304 limits = nvlist_create(0); 1305 nvlist_add_number(limits, SYSCTL0_NAME, 1306 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1307 nvlist_add_number(limits, SYSCTL1_NAME, 1308 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1309 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1310 limits = nvlist_create(0); 1311 nvlist_add_number(limits, SYSCTL0_NAME, 1312 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1313 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1314 limits = nvlist_create(0); 1315 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1316 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1317 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1318 limits = nvlist_create(0); 1319 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1320 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1321 1322 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1323 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1324 1325 cap_close(capsysctl); 1326 1327 /* 1328 * Allow: 1329 * SYSCTL0_PARENT/READ 1330 */ 1331 1332 capsysctl = cap_clone(origcapsysctl); 1333 CHECK(capsysctl != NULL); 1334 1335 limits = nvlist_create(0); 1336 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1337 CHECK(cap_limit_set(capsysctl, limits) == 0); 1338 limits = nvlist_create(0); 1339 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1340 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1341 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1342 limits = nvlist_create(0); 1343 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1344 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1345 1346 CHECK(runtest(capsysctl) == 0); 1347 1348 cap_close(capsysctl); 1349 1350 /* 1351 * Allow: 1352 * SYSCTL1_NAME/READ 1353 */ 1354 1355 capsysctl = cap_clone(origcapsysctl); 1356 CHECK(capsysctl != NULL); 1357 1358 limits = nvlist_create(0); 1359 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1360 CHECK(cap_limit_set(capsysctl, limits) == 0); 1361 limits = nvlist_create(0); 1362 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1363 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1364 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1365 limits = nvlist_create(0); 1366 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1367 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1368 1369 CHECK(runtest(capsysctl) == SYSCTL1_READ0); 1370 1371 cap_close(capsysctl); 1372 1373 /* 1374 * Allow: 1375 * SYSCTL0_PARENT/WRITE 1376 */ 1377 1378 capsysctl = cap_clone(origcapsysctl); 1379 CHECK(capsysctl != NULL); 1380 1381 limits = nvlist_create(0); 1382 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1383 CHECK(cap_limit_set(capsysctl, limits) == 0); 1384 limits = nvlist_create(0); 1385 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1386 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1387 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1388 limits = nvlist_create(0); 1389 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1390 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1391 1392 CHECK(runtest(capsysctl) == 0); 1393 1394 cap_close(capsysctl); 1395 1396 /* 1397 * Allow: 1398 * SYSCTL1_NAME/WRITE 1399 */ 1400 1401 capsysctl = cap_clone(origcapsysctl); 1402 CHECK(capsysctl != NULL); 1403 1404 limits = nvlist_create(0); 1405 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1406 CHECK(cap_limit_set(capsysctl, limits) == 0); 1407 limits = nvlist_create(0); 1408 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1409 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1410 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1411 limits = nvlist_create(0); 1412 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1413 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1414 1415 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 1416 1417 cap_close(capsysctl); 1418 1419 /* 1420 * Allow: 1421 * SYSCTL0_PARENT/RDWR 1422 */ 1423 1424 capsysctl = cap_clone(origcapsysctl); 1425 CHECK(capsysctl != NULL); 1426 1427 limits = nvlist_create(0); 1428 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1429 CHECK(cap_limit_set(capsysctl, limits) == 0); 1430 limits = nvlist_create(0); 1431 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1432 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1433 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1434 limits = nvlist_create(0); 1435 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1436 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1437 1438 CHECK(runtest(capsysctl) == 0); 1439 1440 cap_close(capsysctl); 1441 1442 /* 1443 * Allow: 1444 * SYSCTL1_NAME/RDWR 1445 */ 1446 1447 capsysctl = cap_clone(origcapsysctl); 1448 CHECK(capsysctl != NULL); 1449 1450 limits = nvlist_create(0); 1451 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1452 CHECK(cap_limit_set(capsysctl, limits) == 0); 1453 limits = nvlist_create(0); 1454 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1455 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1456 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1457 limits = nvlist_create(0); 1458 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1459 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1460 1461 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1462 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1463 1464 cap_close(capsysctl); 1465 } 1466 1467 int 1468 main(void) 1469 { 1470 cap_channel_t *capcas, *capsysctl; 1471 int scvalue0, scvalue1; 1472 size_t scsize; 1473 1474 printf("1..256\n"); 1475 1476 scsize = sizeof(scvalue0); 1477 CHECKX(sysctlbyname(SYSCTL0_NAME, &scvalue0, &scsize, NULL, 0) == 0); 1478 CHECKX(scsize == sizeof(scvalue0)); 1479 scsize = sizeof(scvalue1); 1480 CHECKX(sysctlbyname(SYSCTL1_NAME, &scvalue1, &scsize, NULL, 0) == 0); 1481 CHECKX(scsize == sizeof(scvalue1)); 1482 1483 capcas = cap_init(); 1484 CHECKX(capcas != NULL); 1485 1486 capsysctl = cap_service_open(capcas, "system.sysctl"); 1487 CHECKX(capsysctl != NULL); 1488 1489 cap_close(capcas); 1490 1491 /* No limits set. */ 1492 1493 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1494 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 1495 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 1496 SYSCTL1_READ_WRITE)); 1497 1498 test_operation(capsysctl); 1499 1500 test_names(capsysctl); 1501 1502 cap_close(capsysctl); 1503 1504 CHECK(sysctlbyname(SYSCTL0_NAME, NULL, NULL, &scvalue0, 1505 sizeof(scvalue0)) == 0); 1506 CHECK(sysctlbyname(SYSCTL1_NAME, NULL, NULL, &scvalue1, 1507 sizeof(scvalue1)) == 0); 1508 1509 exit(0); 1510 } 1511