1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2013, 2018 The FreeBSD Foundation
5 * All rights reserved.
6 *
7 * This software was developed by Pawel Jakub Dawidek under sponsorship from
8 * the FreeBSD Foundation.
9 *
10 * Portions of this software were developed by Mark Johnston
11 * under sponsorship from the FreeBSD Foundation.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include <sys/types.h>
36 #include <sys/capsicum.h>
37 #include <sys/sysctl.h>
38 #include <sys/nv.h>
39
40 #include <assert.h>
41 #include <err.h>
42 #include <errno.h>
43 #include <netdb.h>
44 #include <stdio.h>
45 #include <stdlib.h>
46 #include <string.h>
47 #include <unistd.h>
48
49 #include <libcasper.h>
50 #include <casper/cap_sysctl.h>
51
52 #include <atf-c.h>
53
54 /*
55 * We need some sysctls to perform the tests on.
56 * We remember their values and restore them afer the test is done.
57 */
58 #define SYSCTL0_PARENT "kern"
59 #define SYSCTL0_NAME "kern.sync_on_panic"
60 #define SYSCTL0_FILE "./sysctl0"
61 #define SYSCTL1_PARENT "debug"
62 #define SYSCTL1_NAME "debug.minidump"
63 #define SYSCTL1_FILE "./sysctl1"
64
65 #define SYSCTL0_READ0 0x0001
66 #define SYSCTL0_READ1 0x0002
67 #define SYSCTL0_READ2 0x0004
68 #define SYSCTL0_WRITE 0x0008
69 #define SYSCTL0_READ_WRITE 0x0010
70 #define SYSCTL1_READ0 0x0020
71 #define SYSCTL1_READ1 0x0040
72 #define SYSCTL1_READ2 0x0080
73 #define SYSCTL1_WRITE 0x0100
74 #define SYSCTL1_READ_WRITE 0x0200
75
76 static void
save_int_sysctl(const char * name,const char * file)77 save_int_sysctl(const char *name, const char *file)
78 {
79 ssize_t n;
80 size_t sz;
81 int error, fd, val;
82
83 sz = sizeof(val);
84 error = sysctlbyname(name, &val, &sz, NULL, 0);
85 ATF_REQUIRE_MSG(error == 0,
86 "sysctlbyname(%s): %s", name, strerror(errno));
87
88 fd = open(file, O_CREAT | O_WRONLY, 0600);
89 ATF_REQUIRE_MSG(fd >= 0, "open(%s): %s", file, strerror(errno));
90 n = write(fd, &val, sz);
91 ATF_REQUIRE(n >= 0 && (size_t)n == sz);
92 error = close(fd);
93 ATF_REQUIRE(error == 0);
94 }
95
96 static void
restore_int_sysctl(const char * name,const char * file)97 restore_int_sysctl(const char *name, const char *file)
98 {
99 ssize_t n;
100 size_t sz;
101 int error, fd, val;
102
103 fd = open(file, O_RDONLY);
104 ATF_REQUIRE(fd >= 0);
105 sz = sizeof(val);
106 n = read(fd, &val, sz);
107 ATF_REQUIRE(n >= 0 && (size_t)n == sz);
108 error = unlink(file);
109 ATF_REQUIRE(error == 0);
110 error = close(fd);
111 ATF_REQUIRE(error == 0);
112
113 error = sysctlbyname(name, NULL, NULL, &val, sz);
114 ATF_REQUIRE_MSG(error == 0,
115 "sysctlbyname(%s): %s", name, strerror(errno));
116 }
117
118 static cap_channel_t *
initcap(void)119 initcap(void)
120 {
121 cap_channel_t *capcas, *capsysctl;
122
123 save_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE);
124 save_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE);
125
126 capcas = cap_init();
127 ATF_REQUIRE(capcas != NULL);
128
129 capsysctl = cap_service_open(capcas, "system.sysctl");
130 ATF_REQUIRE(capsysctl != NULL);
131
132 cap_close(capcas);
133
134 return (capsysctl);
135 }
136
137 static void
cleanup(void)138 cleanup(void)
139 {
140
141 restore_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE);
142 restore_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE);
143 }
144
145 static unsigned int
checkcaps(cap_channel_t * capsysctl)146 checkcaps(cap_channel_t *capsysctl)
147 {
148 unsigned int result;
149 size_t len0, len1, oldsize;
150 int error, mib0[2], mib1[2], oldvalue, newvalue;
151
152 result = 0;
153
154 len0 = nitems(mib0);
155 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len0) == 0);
156 len1 = nitems(mib1);
157 ATF_REQUIRE(sysctlnametomib(SYSCTL1_NAME, mib1, &len1) == 0);
158
159 oldsize = sizeof(oldvalue);
160 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize,
161 NULL, 0) == 0) {
162 if (oldsize == sizeof(oldvalue))
163 result |= SYSCTL0_READ0;
164 }
165 error = cap_sysctl(capsysctl, mib0, len0, &oldvalue, &oldsize, NULL, 0);
166 if ((result & SYSCTL0_READ0) != 0)
167 ATF_REQUIRE(error == 0);
168 else
169 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
170
171 newvalue = 123;
172 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue,
173 sizeof(newvalue)) == 0) {
174 result |= SYSCTL0_WRITE;
175 }
176
177 if ((result & SYSCTL0_WRITE) != 0) {
178 oldsize = sizeof(oldvalue);
179 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue,
180 &oldsize, NULL, 0) == 0) {
181 if (oldsize == sizeof(oldvalue) && oldvalue == 123)
182 result |= SYSCTL0_READ1;
183 }
184 }
185 newvalue = 123;
186 error = cap_sysctl(capsysctl, mib0, len0, NULL, NULL,
187 &newvalue, sizeof(newvalue));
188 if ((result & SYSCTL0_WRITE) != 0)
189 ATF_REQUIRE(error == 0);
190 else
191 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
192
193 oldsize = sizeof(oldvalue);
194 newvalue = 4567;
195 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize,
196 &newvalue, sizeof(newvalue)) == 0) {
197 if (oldsize == sizeof(oldvalue) && oldvalue == 123)
198 result |= SYSCTL0_READ_WRITE;
199 }
200
201 if ((result & SYSCTL0_READ_WRITE) != 0) {
202 oldsize = sizeof(oldvalue);
203 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue,
204 &oldsize, NULL, 0) == 0) {
205 if (oldsize == sizeof(oldvalue) && oldvalue == 4567)
206 result |= SYSCTL0_READ2;
207 }
208 }
209
210 oldsize = sizeof(oldvalue);
211 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize,
212 NULL, 0) == 0) {
213 if (oldsize == sizeof(oldvalue))
214 result |= SYSCTL1_READ0;
215 }
216 error = cap_sysctl(capsysctl, mib1, len1, &oldvalue, &oldsize, NULL, 0);
217 if ((result & SYSCTL1_READ0) != 0)
218 ATF_REQUIRE(error == 0);
219 else
220 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
221
222 newvalue = 506;
223 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue,
224 sizeof(newvalue)) == 0) {
225 result |= SYSCTL1_WRITE;
226 }
227
228 if ((result & SYSCTL1_WRITE) != 0) {
229 newvalue = 506;
230 ATF_REQUIRE(cap_sysctl(capsysctl, mib1, len1, NULL, NULL,
231 &newvalue, sizeof(newvalue)) == 0);
232
233 oldsize = sizeof(oldvalue);
234 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue,
235 &oldsize, NULL, 0) == 0) {
236 if (oldsize == sizeof(oldvalue) && oldvalue == 506)
237 result |= SYSCTL1_READ1;
238 }
239 }
240 newvalue = 506;
241 error = cap_sysctl(capsysctl, mib1, len1, NULL, NULL,
242 &newvalue, sizeof(newvalue));
243 if ((result & SYSCTL1_WRITE) != 0)
244 ATF_REQUIRE(error == 0);
245 else
246 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
247
248 oldsize = sizeof(oldvalue);
249 newvalue = 7008;
250 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize,
251 &newvalue, sizeof(newvalue)) == 0) {
252 if (oldsize == sizeof(oldvalue) && oldvalue == 506)
253 result |= SYSCTL1_READ_WRITE;
254 }
255
256 if ((result & SYSCTL1_READ_WRITE) != 0) {
257 oldsize = sizeof(oldvalue);
258 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue,
259 &oldsize, NULL, 0) == 0) {
260 if (oldsize == sizeof(oldvalue) && oldvalue == 7008)
261 result |= SYSCTL1_READ2;
262 }
263 }
264
265 return (result);
266 }
267
268 ATF_TC_WITH_CLEANUP(cap_sysctl__operation);
ATF_TC_HEAD(cap_sysctl__operation,tc)269 ATF_TC_HEAD(cap_sysctl__operation, tc)
270 {
271 }
ATF_TC_BODY(cap_sysctl__operation,tc)272 ATF_TC_BODY(cap_sysctl__operation, tc)
273 {
274 cap_channel_t *capsysctl, *ocapsysctl;
275 void *limit;
276
277 ocapsysctl = initcap();
278
279 /*
280 * Allow:
281 * SYSCTL0_PARENT/RDWR/RECURSIVE
282 * SYSCTL1_PARENT/RDWR/RECURSIVE
283 */
284
285 capsysctl = cap_clone(ocapsysctl);
286 ATF_REQUIRE(capsysctl != NULL);
287
288 limit = cap_sysctl_limit_init(capsysctl);
289 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
290 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
291 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
292 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
293 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
294
295 limit = cap_sysctl_limit_init(capsysctl);
296 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
297 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
298 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
299 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
300 (void)cap_sysctl_limit_name(limit, "foo.bar",
301 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
302 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
303
304 limit = cap_sysctl_limit_init(capsysctl);
305 (void)cap_sysctl_limit_name(limit, "foo.bar",
306 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
307 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
308
309 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
310 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
311 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
312 SYSCTL1_READ_WRITE));
313
314 limit = cap_sysctl_limit_init(capsysctl);
315 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
316 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
317 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
318 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
319 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
320
321 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
322 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
323 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
324 SYSCTL1_READ_WRITE));
325
326 limit = cap_sysctl_limit_init(capsysctl);
327 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
328 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
329 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
330 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
331 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
332
333 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
334
335 limit = cap_sysctl_limit_init(capsysctl);
336 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
337 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
338 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
339
340 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
341
342 limit = cap_sysctl_limit_init(capsysctl);
343 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
344 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
345
346 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0);
347
348 cap_close(capsysctl);
349
350 /*
351 * Allow:
352 * SYSCTL0_NAME/RDWR/RECURSIVE
353 * SYSCTL1_NAME/RDWR/RECURSIVE
354 */
355
356 capsysctl = cap_clone(ocapsysctl);
357 ATF_REQUIRE(capsysctl != NULL);
358
359 limit = cap_sysctl_limit_init(capsysctl);
360 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
361 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
362 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
363 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
364 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
365
366 limit = cap_sysctl_limit_init(capsysctl);
367 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
368 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
369 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
370 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
371 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
372 limit = cap_sysctl_limit_init(capsysctl);
373 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
374 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
375 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
376 limit = cap_sysctl_limit_init(capsysctl);
377 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
378 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
379 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
380 limit = cap_sysctl_limit_init(capsysctl);
381 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
382 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
383
384 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
385 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
386 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
387 SYSCTL1_READ_WRITE));
388
389 cap_close(capsysctl);
390
391 /*
392 * Allow:
393 * SYSCTL0_PARENT/RDWR
394 * SYSCTL1_PARENT/RDWR
395 */
396
397 capsysctl = cap_clone(ocapsysctl);
398 ATF_REQUIRE(capsysctl != NULL);
399
400 limit = cap_sysctl_limit_init(capsysctl);
401 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
402 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
403 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
404 limit = cap_sysctl_limit_init(capsysctl);
405 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
406 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
407 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
408 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
409 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
410 limit = cap_sysctl_limit_init(capsysctl);
411 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
412 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
413 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
414 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
415 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
416 limit = cap_sysctl_limit_init(capsysctl);
417 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
418 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
419 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
420
421 ATF_REQUIRE(checkcaps(capsysctl) == 0);
422
423 cap_close(capsysctl);
424
425 /*
426 * Allow:
427 * SYSCTL0_NAME/RDWR
428 * SYSCTL1_NAME/RDWR
429 */
430
431 capsysctl = cap_clone(ocapsysctl);
432 ATF_REQUIRE(capsysctl != NULL);
433
434 limit = cap_sysctl_limit_init(capsysctl);
435 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
436 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
437 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
438 limit = cap_sysctl_limit_init(capsysctl);
439 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
440 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
441 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
442 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
443 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
444 limit = cap_sysctl_limit_init(capsysctl);
445 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
446 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
447 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
448 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
449 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
450 limit = cap_sysctl_limit_init(capsysctl);
451 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
452 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
453 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
454
455 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
456 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
457 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
458 SYSCTL1_READ_WRITE));
459
460 cap_close(capsysctl);
461
462 /*
463 * Allow:
464 * SYSCTL0_PARENT/RDWR
465 * SYSCTL1_PARENT/RDWR/RECURSIVE
466 */
467
468 capsysctl = cap_clone(ocapsysctl);
469 ATF_REQUIRE(capsysctl != NULL);
470
471 limit = cap_sysctl_limit_init(capsysctl);
472 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
473 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
474 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
475 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
476 limit = cap_sysctl_limit_init(capsysctl);
477 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
478 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
479 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
480 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
481 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
482 limit = cap_sysctl_limit_init(capsysctl);
483 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
484 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
485 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
486 limit = cap_sysctl_limit_init(capsysctl);
487 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
488 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
489 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
490 limit = cap_sysctl_limit_init(capsysctl);
491 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
492 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
493 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
494
495 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
496 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
497
498 cap_close(capsysctl);
499
500 /*
501 * Allow:
502 * SYSCTL0_NAME/RDWR
503 * SYSCTL1_NAME/RDWR/RECURSIVE
504 */
505
506 capsysctl = cap_clone(ocapsysctl);
507 ATF_REQUIRE(capsysctl != NULL);
508
509 limit = cap_sysctl_limit_init(capsysctl);
510 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
511 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
512 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
513 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
514 limit = cap_sysctl_limit_init(capsysctl);
515 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
516 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
517 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
518 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
519 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
520 limit = cap_sysctl_limit_init(capsysctl);
521 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
522 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
523 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
524 limit = cap_sysctl_limit_init(capsysctl);
525 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
526 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
527 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
528
529 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
530 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
531 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
532 SYSCTL1_READ_WRITE));
533
534 cap_close(capsysctl);
535
536 /*
537 * Allow:
538 * SYSCTL0_PARENT/READ/RECURSIVE
539 * SYSCTL1_PARENT/READ/RECURSIVE
540 */
541
542 capsysctl = cap_clone(ocapsysctl);
543 ATF_REQUIRE(capsysctl != NULL);
544
545 limit = cap_sysctl_limit_init(capsysctl);
546 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
547 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
548 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
549 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
550 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
551 limit = cap_sysctl_limit_init(capsysctl);
552 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
553 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
554 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
555 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
556 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
557 limit = cap_sysctl_limit_init(capsysctl);
558 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
559 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
560 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
561 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
562 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
563 limit = cap_sysctl_limit_init(capsysctl);
564 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
565 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
566 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
567 limit = cap_sysctl_limit_init(capsysctl);
568 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
569 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
570 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
571 limit = cap_sysctl_limit_init(capsysctl);
572 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
573 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
574 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
575 limit = cap_sysctl_limit_init(capsysctl);
576 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
577 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
578 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
579 limit = cap_sysctl_limit_init(capsysctl);
580 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
581 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
582 limit = cap_sysctl_limit_init(capsysctl);
583 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
584 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
585
586 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
587
588 cap_close(capsysctl);
589
590 /*
591 * Allow:
592 * SYSCTL0_NAME/READ/RECURSIVE
593 * SYSCTL1_NAME/READ/RECURSIVE
594 */
595
596 capsysctl = cap_clone(ocapsysctl);
597 ATF_REQUIRE(capsysctl != NULL);
598
599 limit = cap_sysctl_limit_init(capsysctl);
600 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
601 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
602 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
603 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
604 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
605 limit = cap_sysctl_limit_init(capsysctl);
606 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
607 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
608 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
609 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
610 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
611 limit = cap_sysctl_limit_init(capsysctl);
612 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
613 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
614 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
615 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
616 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
617 limit = cap_sysctl_limit_init(capsysctl);
618 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
619 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
620 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
621 limit = cap_sysctl_limit_init(capsysctl);
622 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
623 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
624 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
625 limit = cap_sysctl_limit_init(capsysctl);
626 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
627 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
628 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
629 limit = cap_sysctl_limit_init(capsysctl);
630 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
631 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
632 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
633 limit = cap_sysctl_limit_init(capsysctl);
634 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
635 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
636 limit = cap_sysctl_limit_init(capsysctl);
637 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
638 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
639
640 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
641
642 cap_close(capsysctl);
643
644 /*
645 * Allow:
646 * SYSCTL0_PARENT/READ
647 * SYSCTL1_PARENT/READ
648 */
649
650 capsysctl = cap_clone(ocapsysctl);
651 ATF_REQUIRE(capsysctl != NULL);
652
653 limit = cap_sysctl_limit_init(capsysctl);
654 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
655 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
656 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
657 limit = cap_sysctl_limit_init(capsysctl);
658 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
659 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
660 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
661 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
662 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
663 limit = cap_sysctl_limit_init(capsysctl);
664 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
665 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
666 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
667 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
668 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
669 limit = cap_sysctl_limit_init(capsysctl);
670 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
671 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
672 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
673 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
674 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
675 limit = cap_sysctl_limit_init(capsysctl);
676 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
677 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
678 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
679 limit = cap_sysctl_limit_init(capsysctl);
680 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
681 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
682 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
683 limit = cap_sysctl_limit_init(capsysctl);
684 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
685 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
686 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
687 limit = cap_sysctl_limit_init(capsysctl);
688 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
689 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
690 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
691 limit = cap_sysctl_limit_init(capsysctl);
692 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
693 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
694 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
695 limit = cap_sysctl_limit_init(capsysctl);
696 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
697 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
698 limit = cap_sysctl_limit_init(capsysctl);
699 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
700 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
701
702 ATF_REQUIRE(checkcaps(capsysctl) == 0);
703
704 cap_close(capsysctl);
705
706 /*
707 * Allow:
708 * SYSCTL0_NAME/READ
709 * SYSCTL1_NAME/READ
710 */
711
712 capsysctl = cap_clone(ocapsysctl);
713 ATF_REQUIRE(capsysctl != NULL);
714
715 limit = cap_sysctl_limit_init(capsysctl);
716 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
717 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
718 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
719 limit = cap_sysctl_limit_init(capsysctl);
720 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
721 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
722 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
723 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
724 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
725 limit = cap_sysctl_limit_init(capsysctl);
726 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
727 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
728 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
729 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
730 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
731 limit = cap_sysctl_limit_init(capsysctl);
732 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
733 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
734 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
735 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
736 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
737 limit = cap_sysctl_limit_init(capsysctl);
738 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
739 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
740 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
741 limit = cap_sysctl_limit_init(capsysctl);
742 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
743 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
744 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
745 limit = cap_sysctl_limit_init(capsysctl);
746 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
747 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
748 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
749 limit = cap_sysctl_limit_init(capsysctl);
750 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
751 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
752 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
753 limit = cap_sysctl_limit_init(capsysctl);
754 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
755 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
756 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
757 limit = cap_sysctl_limit_init(capsysctl);
758 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
759 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
760 limit = cap_sysctl_limit_init(capsysctl);
761 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
762 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
763
764 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
765
766 cap_close(capsysctl);
767
768 /*
769 * Allow:
770 * SYSCTL0_PARENT/READ
771 * SYSCTL1_PARENT/READ/RECURSIVE
772 */
773
774 capsysctl = cap_clone(ocapsysctl);
775 ATF_REQUIRE(capsysctl != NULL);
776
777 limit = cap_sysctl_limit_init(capsysctl);
778 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
779 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
780 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
781 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
782 limit = cap_sysctl_limit_init(capsysctl);
783 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
784 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
785 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
786 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
787
788 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0);
789
790 cap_close(capsysctl);
791
792 /*
793 * Allow:
794 * SYSCTL0_NAME/READ
795 * SYSCTL1_NAME/READ/RECURSIVE
796 */
797
798 capsysctl = cap_clone(ocapsysctl);
799 ATF_REQUIRE(capsysctl != NULL);
800
801 limit = cap_sysctl_limit_init(capsysctl);
802 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
803 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
804 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
805 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
806 limit = cap_sysctl_limit_init(capsysctl);
807 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
808 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
809 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
810 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
811
812 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
813
814 cap_close(capsysctl);
815
816 /*
817 * Allow:
818 * SYSCTL0_PARENT/WRITE/RECURSIVE
819 * SYSCTL1_PARENT/WRITE/RECURSIVE
820 */
821
822 capsysctl = cap_clone(ocapsysctl);
823 ATF_REQUIRE(capsysctl != NULL);
824
825 limit = cap_sysctl_limit_init(capsysctl);
826 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
827 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
828 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
829 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
830 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
831 limit = cap_sysctl_limit_init(capsysctl);
832 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
833 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
834 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
835 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
836 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
837 limit = cap_sysctl_limit_init(capsysctl);
838 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
839 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
840 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
841 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
842 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
843 limit = cap_sysctl_limit_init(capsysctl);
844 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
845 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
846 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
847 limit = cap_sysctl_limit_init(capsysctl);
848 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
849 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
850 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
851 limit = cap_sysctl_limit_init(capsysctl);
852 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
853 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
854 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
855 limit = cap_sysctl_limit_init(capsysctl);
856 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
857 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
858 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
859 limit = cap_sysctl_limit_init(capsysctl);
860 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
861 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
862 limit = cap_sysctl_limit_init(capsysctl);
863 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
864 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
865
866 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
867
868 cap_close(capsysctl);
869
870 /*
871 * Allow:
872 * SYSCTL0_NAME/WRITE/RECURSIVE
873 * SYSCTL1_NAME/WRITE/RECURSIVE
874 */
875
876 capsysctl = cap_clone(ocapsysctl);
877 ATF_REQUIRE(capsysctl != NULL);
878
879 limit = cap_sysctl_limit_init(capsysctl);
880 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
881 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
882 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
883 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
884 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
885 limit = cap_sysctl_limit_init(capsysctl);
886 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
887 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
888 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
889 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
890 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
891 limit = cap_sysctl_limit_init(capsysctl);
892 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
893 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
894 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
895 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
896 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
897 limit = cap_sysctl_limit_init(capsysctl);
898 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
899 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
900 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
901 limit = cap_sysctl_limit_init(capsysctl);
902 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
903 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
904 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
905 limit = cap_sysctl_limit_init(capsysctl);
906 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
907 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
908 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
909 limit = cap_sysctl_limit_init(capsysctl);
910 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
911 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
912 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
913 limit = cap_sysctl_limit_init(capsysctl);
914 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
915 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
916 limit = cap_sysctl_limit_init(capsysctl);
917 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
918 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
919
920 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
921
922 cap_close(capsysctl);
923
924 /*
925 * Allow:
926 * SYSCTL0_PARENT/WRITE
927 * SYSCTL1_PARENT/WRITE
928 */
929
930 capsysctl = cap_clone(ocapsysctl);
931 ATF_REQUIRE(capsysctl != NULL);
932
933 limit = cap_sysctl_limit_init(capsysctl);
934 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
935 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
936 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
937 limit = cap_sysctl_limit_init(capsysctl);
938 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
939 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
940 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
941 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
942 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
943 limit = cap_sysctl_limit_init(capsysctl);
944 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
945 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
946 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
947 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
948 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
949 limit = cap_sysctl_limit_init(capsysctl);
950 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
951 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
952 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
953 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
954 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
955 limit = cap_sysctl_limit_init(capsysctl);
956 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
957 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
958 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
959 limit = cap_sysctl_limit_init(capsysctl);
960 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
961 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
962 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
963 limit = cap_sysctl_limit_init(capsysctl);
964 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
965 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
966 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
967 limit = cap_sysctl_limit_init(capsysctl);
968 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
969 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
970 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
971 limit = cap_sysctl_limit_init(capsysctl);
972 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
973 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
974 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
975 limit = cap_sysctl_limit_init(capsysctl);
976 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
977 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
978 limit = cap_sysctl_limit_init(capsysctl);
979 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
980 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
981
982 ATF_REQUIRE(checkcaps(capsysctl) == 0);
983
984 cap_close(capsysctl);
985
986 /*
987 * Allow:
988 * SYSCTL0_NAME/WRITE
989 * SYSCTL1_NAME/WRITE
990 */
991
992 capsysctl = cap_clone(ocapsysctl);
993 ATF_REQUIRE(capsysctl != NULL);
994
995 limit = cap_sysctl_limit_init(capsysctl);
996 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
997 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
998 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
999 limit = cap_sysctl_limit_init(capsysctl);
1000 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1001 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1002 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1003 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1004 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1005 limit = cap_sysctl_limit_init(capsysctl);
1006 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1007 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1008 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1009 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1010 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1011 limit = cap_sysctl_limit_init(capsysctl);
1012 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1013 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1014 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1015 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1016 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1017 limit = cap_sysctl_limit_init(capsysctl);
1018 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1019 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1020 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1021 limit = cap_sysctl_limit_init(capsysctl);
1022 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1023 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1024 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1025 limit = cap_sysctl_limit_init(capsysctl);
1026 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1027 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1028 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1029 limit = cap_sysctl_limit_init(capsysctl);
1030 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1031 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1032 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1033 limit = cap_sysctl_limit_init(capsysctl);
1034 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1035 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1036 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1037 limit = cap_sysctl_limit_init(capsysctl);
1038 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1039 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1040 limit = cap_sysctl_limit_init(capsysctl);
1041 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1042 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1043
1044 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
1045
1046 cap_close(capsysctl);
1047
1048 /*
1049 * Allow:
1050 * SYSCTL0_PARENT/WRITE
1051 * SYSCTL1_PARENT/WRITE/RECURSIVE
1052 */
1053
1054 capsysctl = cap_clone(ocapsysctl);
1055 ATF_REQUIRE(capsysctl != NULL);
1056
1057 limit = cap_sysctl_limit_init(capsysctl);
1058 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1059 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1060 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1061 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1062 limit = cap_sysctl_limit_init(capsysctl);
1063 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1064 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1065 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1066 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1067
1068 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1069
1070 cap_close(capsysctl);
1071
1072 /*
1073 * Allow:
1074 * SYSCTL0_NAME/WRITE
1075 * SYSCTL1_NAME/WRITE/RECURSIVE
1076 */
1077
1078 capsysctl = cap_clone(ocapsysctl);
1079 ATF_REQUIRE(capsysctl != NULL);
1080
1081 limit = cap_sysctl_limit_init(capsysctl);
1082 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1083 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1084 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1085 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1086 limit = cap_sysctl_limit_init(capsysctl);
1087 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1088 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1089 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1090 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1091
1092 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
1093
1094 cap_close(capsysctl);
1095
1096 /*
1097 * Allow:
1098 * SYSCTL0_PARENT/READ/RECURSIVE
1099 * SYSCTL1_PARENT/WRITE/RECURSIVE
1100 */
1101
1102 capsysctl = cap_clone(ocapsysctl);
1103 ATF_REQUIRE(capsysctl != NULL);
1104
1105 limit = cap_sysctl_limit_init(capsysctl);
1106 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1107 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1108 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1109 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1110 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1111
1112 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1113
1114 cap_close(capsysctl);
1115
1116 /*
1117 * Allow:
1118 * SYSCTL0_NAME/READ/RECURSIVE
1119 * SYSCTL1_NAME/WRITE/RECURSIVE
1120 */
1121
1122 capsysctl = cap_clone(ocapsysctl);
1123 ATF_REQUIRE(capsysctl != NULL);
1124
1125 limit = cap_sysctl_limit_init(capsysctl);
1126 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1127 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1128 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1129 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1130 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1131
1132 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1133
1134 cap_close(capsysctl);
1135
1136 /*
1137 * Allow:
1138 * SYSCTL0_PARENT/READ
1139 * SYSCTL1_PARENT/WRITE
1140 */
1141
1142 capsysctl = cap_clone(ocapsysctl);
1143 ATF_REQUIRE(capsysctl != NULL);
1144
1145 limit = cap_sysctl_limit_init(capsysctl);
1146 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1147 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1148 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1149
1150 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1151
1152 cap_close(capsysctl);
1153
1154 /*
1155 * Allow:
1156 * SYSCTL0_NAME/READ
1157 * SYSCTL1_NAME/WRITE
1158 */
1159
1160 capsysctl = cap_clone(ocapsysctl);
1161 ATF_REQUIRE(capsysctl != NULL);
1162
1163 limit = cap_sysctl_limit_init(capsysctl);
1164 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1165 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1166 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1167
1168 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1169
1170 cap_close(capsysctl);
1171
1172 /*
1173 * Allow:
1174 * SYSCTL0_PARENT/READ
1175 * SYSCTL1_PARENT/WRITE/RECURSIVE
1176 */
1177
1178 capsysctl = cap_clone(ocapsysctl);
1179 ATF_REQUIRE(capsysctl != NULL);
1180
1181 limit = cap_sysctl_limit_init(capsysctl);
1182 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1183 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1184 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1185 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1186
1187 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1188
1189 cap_close(capsysctl);
1190
1191 /*
1192 * Allow:
1193 * SYSCTL0_NAME/READ
1194 * SYSCTL1_NAME/WRITE/RECURSIVE
1195 */
1196
1197 capsysctl = cap_clone(ocapsysctl);
1198 ATF_REQUIRE(capsysctl != NULL);
1199
1200 limit = cap_sysctl_limit_init(capsysctl);
1201 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1202 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1203 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1204 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1205
1206 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1207
1208 cap_close(capsysctl);
1209 }
ATF_TC_CLEANUP(cap_sysctl__operation,tc)1210 ATF_TC_CLEANUP(cap_sysctl__operation, tc)
1211 {
1212 cleanup();
1213 }
1214
1215 ATF_TC_WITH_CLEANUP(cap_sysctl__names);
ATF_TC_HEAD(cap_sysctl__names,tc)1216 ATF_TC_HEAD(cap_sysctl__names, tc)
1217 {
1218 }
ATF_TC_BODY(cap_sysctl__names,tc)1219 ATF_TC_BODY(cap_sysctl__names, tc)
1220 {
1221 cap_channel_t *capsysctl, *ocapsysctl;
1222 void *limit;
1223
1224 ocapsysctl = initcap();
1225
1226 /*
1227 * Allow:
1228 * SYSCTL0_PARENT/READ/RECURSIVE
1229 */
1230
1231 capsysctl = cap_clone(ocapsysctl);
1232 ATF_REQUIRE(capsysctl != NULL);
1233
1234 limit = cap_sysctl_limit_init(capsysctl);
1235 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1236 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1237 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1238 limit = cap_sysctl_limit_init(capsysctl);
1239 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1240 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1241 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1242 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1243 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1244 limit = cap_sysctl_limit_init(capsysctl);
1245 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1246 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1247 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1248 limit = cap_sysctl_limit_init(capsysctl);
1249 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1250 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1251 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1252 limit = cap_sysctl_limit_init(capsysctl);
1253 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1254 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1255
1256 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0);
1257
1258 cap_close(capsysctl);
1259
1260 /*
1261 * Allow:
1262 * SYSCTL1_NAME/READ/RECURSIVE
1263 */
1264
1265 capsysctl = cap_clone(ocapsysctl);
1266 ATF_REQUIRE(capsysctl != NULL);
1267
1268 limit = cap_sysctl_limit_init(capsysctl);
1269 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1270 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1271 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1272 limit = cap_sysctl_limit_init(capsysctl);
1273 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1274 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1275 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1276 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1277 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1278 limit = cap_sysctl_limit_init(capsysctl);
1279 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1280 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1281 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1282 limit = cap_sysctl_limit_init(capsysctl);
1283 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1284 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1285 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1286 limit = cap_sysctl_limit_init(capsysctl);
1287 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1288 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1289
1290 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0);
1291
1292 cap_close(capsysctl);
1293
1294 /*
1295 * Allow:
1296 * SYSCTL0_PARENT/WRITE/RECURSIVE
1297 */
1298
1299 capsysctl = cap_clone(ocapsysctl);
1300 ATF_REQUIRE(capsysctl != NULL);
1301
1302 limit = cap_sysctl_limit_init(capsysctl);
1303 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1304 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1305 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1306 limit = cap_sysctl_limit_init(capsysctl);
1307 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1308 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1309 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1310 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1311 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1312 limit = cap_sysctl_limit_init(capsysctl);
1313 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1314 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1315 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1316 limit = cap_sysctl_limit_init(capsysctl);
1317 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1318 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1319 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1320 limit = cap_sysctl_limit_init(capsysctl);
1321 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1322 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1323
1324 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_WRITE);
1325
1326 cap_close(capsysctl);
1327
1328 /*
1329 * Allow:
1330 * SYSCTL1_NAME/WRITE/RECURSIVE
1331 */
1332
1333 capsysctl = cap_clone(ocapsysctl);
1334 ATF_REQUIRE(capsysctl != NULL);
1335
1336 limit = cap_sysctl_limit_init(capsysctl);
1337 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1338 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1339 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1340 limit = cap_sysctl_limit_init(capsysctl);
1341 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1342 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1343 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1344 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1345 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1346 limit = cap_sysctl_limit_init(capsysctl);
1347 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1348 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1349 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1350 limit = cap_sysctl_limit_init(capsysctl);
1351 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1352 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1353 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1354 limit = cap_sysctl_limit_init(capsysctl);
1355 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1356 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1357
1358 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1359
1360 cap_close(capsysctl);
1361
1362 /*
1363 * Allow:
1364 * SYSCTL0_PARENT/RDWR/RECURSIVE
1365 */
1366
1367 capsysctl = cap_clone(ocapsysctl);
1368 ATF_REQUIRE(capsysctl != NULL);
1369
1370 limit = cap_sysctl_limit_init(capsysctl);
1371 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1372 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1373 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1374 limit = cap_sysctl_limit_init(capsysctl);
1375 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1376 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1377 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1378 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1379 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1380 limit = cap_sysctl_limit_init(capsysctl);
1381 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1382 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1383 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1384 limit = cap_sysctl_limit_init(capsysctl);
1385 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1386 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1387 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1388 limit = cap_sysctl_limit_init(capsysctl);
1389 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1390 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1391
1392 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
1393 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE));
1394
1395 cap_close(capsysctl);
1396
1397 /*
1398 * Allow:
1399 * SYSCTL1_NAME/RDWR/RECURSIVE
1400 */
1401
1402 capsysctl = cap_clone(ocapsysctl);
1403 ATF_REQUIRE(capsysctl != NULL);
1404
1405 limit = cap_sysctl_limit_init(capsysctl);
1406 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1407 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1408 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1409 limit = cap_sysctl_limit_init(capsysctl);
1410 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1411 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1412 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1413 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1414 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1415 limit = cap_sysctl_limit_init(capsysctl);
1416 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1417 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1418 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1419 limit = cap_sysctl_limit_init(capsysctl);
1420 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1421 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1422 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1423 limit = cap_sysctl_limit_init(capsysctl);
1424 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1425 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1426
1427 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
1428 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
1429
1430 cap_close(capsysctl);
1431
1432 /*
1433 * Allow:
1434 * SYSCTL0_PARENT/READ
1435 */
1436
1437 capsysctl = cap_clone(ocapsysctl);
1438 ATF_REQUIRE(capsysctl != NULL);
1439
1440 limit = cap_sysctl_limit_init(capsysctl);
1441 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1442 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1443 limit = cap_sysctl_limit_init(capsysctl);
1444 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1445 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1446 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1447 limit = cap_sysctl_limit_init(capsysctl);
1448 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1449 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1450
1451 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1452
1453 cap_close(capsysctl);
1454
1455 /*
1456 * Allow:
1457 * SYSCTL1_NAME/READ
1458 */
1459
1460 capsysctl = cap_clone(ocapsysctl);
1461 ATF_REQUIRE(capsysctl != NULL);
1462
1463 limit = cap_sysctl_limit_init(capsysctl);
1464 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1465 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1466 limit = cap_sysctl_limit_init(capsysctl);
1467 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1468 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1469 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1470 limit = cap_sysctl_limit_init(capsysctl);
1471 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1472 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1473
1474 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0);
1475
1476 cap_close(capsysctl);
1477
1478 /*
1479 * Allow:
1480 * SYSCTL0_PARENT/WRITE
1481 */
1482
1483 capsysctl = cap_clone(ocapsysctl);
1484 ATF_REQUIRE(capsysctl != NULL);
1485
1486 limit = cap_sysctl_limit_init(capsysctl);
1487 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1488 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1489 limit = cap_sysctl_limit_init(capsysctl);
1490 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1491 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1492 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1493 limit = cap_sysctl_limit_init(capsysctl);
1494 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1495 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1496
1497 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1498
1499 cap_close(capsysctl);
1500
1501 /*
1502 * Allow:
1503 * SYSCTL1_NAME/WRITE
1504 */
1505
1506 capsysctl = cap_clone(ocapsysctl);
1507 ATF_REQUIRE(capsysctl != NULL);
1508
1509 limit = cap_sysctl_limit_init(capsysctl);
1510 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1511 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1512 limit = cap_sysctl_limit_init(capsysctl);
1513 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1514 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1515 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1516 limit = cap_sysctl_limit_init(capsysctl);
1517 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1518 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1519
1520 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1521
1522 cap_close(capsysctl);
1523
1524 /*
1525 * Allow:
1526 * SYSCTL0_PARENT/RDWR
1527 */
1528
1529 capsysctl = cap_clone(ocapsysctl);
1530 ATF_REQUIRE(capsysctl != NULL);
1531
1532 limit = cap_sysctl_limit_init(capsysctl);
1533 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
1534 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1535 limit = cap_sysctl_limit_init(capsysctl);
1536 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
1537 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
1538 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1539 limit = cap_sysctl_limit_init(capsysctl);
1540 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
1541 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1542
1543 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1544
1545 cap_close(capsysctl);
1546
1547 /*
1548 * Allow:
1549 * SYSCTL1_NAME/RDWR
1550 */
1551
1552 capsysctl = cap_clone(ocapsysctl);
1553 ATF_REQUIRE(capsysctl != NULL);
1554
1555 limit = cap_sysctl_limit_init(capsysctl);
1556 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1557 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1558 limit = cap_sysctl_limit_init(capsysctl);
1559 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1560 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1561 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1562 limit = cap_sysctl_limit_init(capsysctl);
1563 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1564 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1565
1566 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
1567 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
1568
1569 cap_close(capsysctl);
1570 }
ATF_TC_CLEANUP(cap_sysctl__names,tc)1571 ATF_TC_CLEANUP(cap_sysctl__names, tc)
1572 {
1573 cleanup();
1574 }
1575
1576 ATF_TC_WITH_CLEANUP(cap_sysctl__no_limits);
ATF_TC_HEAD(cap_sysctl__no_limits,tc)1577 ATF_TC_HEAD(cap_sysctl__no_limits, tc)
1578 {
1579 }
ATF_TC_BODY(cap_sysctl__no_limits,tc)1580 ATF_TC_BODY(cap_sysctl__no_limits, tc)
1581 {
1582 cap_channel_t *capsysctl;
1583
1584 capsysctl = initcap();
1585
1586 ATF_REQUIRE_EQ(checkcaps(capsysctl), (SYSCTL0_READ0 | SYSCTL0_READ1 |
1587 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
1588 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
1589 SYSCTL1_READ_WRITE));
1590 }
ATF_TC_CLEANUP(cap_sysctl__no_limits,tc)1591 ATF_TC_CLEANUP(cap_sysctl__no_limits, tc)
1592 {
1593 cleanup();
1594 }
1595
1596 ATF_TC_WITH_CLEANUP(cap_sysctl__recursive_limits);
ATF_TC_HEAD(cap_sysctl__recursive_limits,tc)1597 ATF_TC_HEAD(cap_sysctl__recursive_limits, tc)
1598 {
1599 }
ATF_TC_BODY(cap_sysctl__recursive_limits,tc)1600 ATF_TC_BODY(cap_sysctl__recursive_limits, tc)
1601 {
1602 cap_channel_t *capsysctl, *ocapsysctl;
1603 void *limit;
1604 size_t len;
1605 int mib[2], val = 420;
1606
1607 len = nitems(mib);
1608 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib, &len) == 0);
1609
1610 ocapsysctl = initcap();
1611
1612 /*
1613 * Make sure that we match entire components.
1614 */
1615 capsysctl = cap_clone(ocapsysctl);
1616 ATF_REQUIRE(capsysctl != NULL);
1617
1618 limit = cap_sysctl_limit_init(capsysctl);
1619 (void)cap_sysctl_limit_name(limit, "ker",
1620 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1621 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1622
1623 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME,
1624 NULL, NULL, &val, sizeof(val)));
1625 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len,
1626 NULL, NULL, &val, sizeof(val)));
1627
1628 cap_close(capsysctl);
1629
1630 /*
1631 * Verify that we check for CAP_SYSCTL_RECURSIVE.
1632 */
1633 capsysctl = cap_clone(ocapsysctl);
1634 ATF_REQUIRE(capsysctl != NULL);
1635
1636 limit = cap_sysctl_limit_init(capsysctl);
1637 (void)cap_sysctl_limit_name(limit, "kern", CAP_SYSCTL_RDWR);
1638 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1639
1640 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME,
1641 NULL, NULL, &val, sizeof(val)));
1642 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len,
1643 NULL, NULL, &val, sizeof(val)));
1644
1645 cap_close(capsysctl);
1646 }
ATF_TC_CLEANUP(cap_sysctl__recursive_limits,tc)1647 ATF_TC_CLEANUP(cap_sysctl__recursive_limits, tc)
1648 {
1649 cleanup();
1650 }
1651
1652 ATF_TC_WITH_CLEANUP(cap_sysctl__just_size);
ATF_TC_HEAD(cap_sysctl__just_size,tc)1653 ATF_TC_HEAD(cap_sysctl__just_size, tc)
1654 {
1655 }
ATF_TC_BODY(cap_sysctl__just_size,tc)1656 ATF_TC_BODY(cap_sysctl__just_size, tc)
1657 {
1658 cap_channel_t *capsysctl;
1659 size_t len;
1660 int mib0[2];
1661
1662 capsysctl = initcap();
1663
1664 len = nitems(mib0);
1665 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len) == 0);
1666
1667 ATF_REQUIRE(cap_sysctlbyname(capsysctl, SYSCTL0_NAME,
1668 NULL, &len, NULL, 0) == 0);
1669 ATF_REQUIRE(len == sizeof(int));
1670 ATF_REQUIRE(cap_sysctl(capsysctl, mib0, nitems(mib0),
1671 NULL, &len, NULL, 0) == 0);
1672 ATF_REQUIRE(len == sizeof(int));
1673
1674 cap_close(capsysctl);
1675 }
ATF_TC_CLEANUP(cap_sysctl__just_size,tc)1676 ATF_TC_CLEANUP(cap_sysctl__just_size, tc)
1677 {
1678 cleanup();
1679 }
1680
ATF_TP_ADD_TCS(tp)1681 ATF_TP_ADD_TCS(tp)
1682 {
1683 ATF_TP_ADD_TC(tp, cap_sysctl__operation);
1684 ATF_TP_ADD_TC(tp, cap_sysctl__names);
1685 ATF_TP_ADD_TC(tp, cap_sysctl__no_limits);
1686 ATF_TP_ADD_TC(tp, cap_sysctl__recursive_limits);
1687 ATF_TP_ADD_TC(tp, cap_sysctl__just_size);
1688
1689 return (atf_no_error());
1690 }
1691