1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2013 The FreeBSD Foundation 5 * All rights reserved. 6 * 7 * This software was developed by Pawel Jakub Dawidek under sponsorship from 8 * the FreeBSD Foundation. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include <sys/types.h> 36 #include <sys/capsicum.h> 37 #include <sys/sysctl.h> 38 #include <sys/nv.h> 39 40 #include <assert.h> 41 #include <err.h> 42 #include <errno.h> 43 #include <netdb.h> 44 #include <stdio.h> 45 #include <stdlib.h> 46 #include <string.h> 47 #include <unistd.h> 48 49 #include <libcasper.h> 50 51 #include <casper/cap_sysctl.h> 52 53 /* 54 * We need some sysctls to perform the tests on. 55 * We remember their values and restore them afer the test is done. 56 */ 57 #define SYSCTL0_PARENT "kern" 58 #define SYSCTL0_NAME "kern.sync_on_panic" 59 #define SYSCTL1_PARENT "debug" 60 #define SYSCTL1_NAME "debug.minidump" 61 62 static int ntest = 1; 63 64 #define CHECK(expr) do { \ 65 if ((expr)) \ 66 printf("ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \ 67 else \ 68 printf("not ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \ 69 fflush(stdout); \ 70 ntest++; \ 71 } while (0) 72 #define CHECKX(expr) do { \ 73 if ((expr)) { \ 74 printf("ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \ 75 } else { \ 76 printf("not ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \ 77 exit(1); \ 78 } \ 79 fflush(stdout); \ 80 ntest++; \ 81 } while (0) 82 83 #define SYSCTL0_READ0 0x0001 84 #define SYSCTL0_READ1 0x0002 85 #define SYSCTL0_READ2 0x0004 86 #define SYSCTL0_WRITE 0x0008 87 #define SYSCTL0_READ_WRITE 0x0010 88 #define SYSCTL1_READ0 0x0020 89 #define SYSCTL1_READ1 0x0040 90 #define SYSCTL1_READ2 0x0080 91 #define SYSCTL1_WRITE 0x0100 92 #define SYSCTL1_READ_WRITE 0x0200 93 94 static unsigned int 95 runtest(cap_channel_t *capsysctl) 96 { 97 unsigned int result; 98 int oldvalue, newvalue; 99 size_t oldsize; 100 101 result = 0; 102 103 oldsize = sizeof(oldvalue); 104 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 105 NULL, 0) == 0) { 106 if (oldsize == sizeof(oldvalue)) 107 result |= SYSCTL0_READ0; 108 } 109 110 newvalue = 123; 111 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue, 112 sizeof(newvalue)) == 0) { 113 result |= SYSCTL0_WRITE; 114 } 115 116 if ((result & SYSCTL0_WRITE) != 0) { 117 oldsize = sizeof(oldvalue); 118 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 119 &oldsize, NULL, 0) == 0) { 120 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 121 result |= SYSCTL0_READ1; 122 } 123 } 124 125 oldsize = sizeof(oldvalue); 126 newvalue = 4567; 127 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 128 &newvalue, sizeof(newvalue)) == 0) { 129 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 130 result |= SYSCTL0_READ_WRITE; 131 } 132 133 if ((result & SYSCTL0_READ_WRITE) != 0) { 134 oldsize = sizeof(oldvalue); 135 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 136 &oldsize, NULL, 0) == 0) { 137 if (oldsize == sizeof(oldvalue) && oldvalue == 4567) 138 result |= SYSCTL0_READ2; 139 } 140 } 141 142 oldsize = sizeof(oldvalue); 143 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 144 NULL, 0) == 0) { 145 if (oldsize == sizeof(oldvalue)) 146 result |= SYSCTL1_READ0; 147 } 148 149 newvalue = 506; 150 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue, 151 sizeof(newvalue)) == 0) { 152 result |= SYSCTL1_WRITE; 153 } 154 155 if ((result & SYSCTL1_WRITE) != 0) { 156 oldsize = sizeof(oldvalue); 157 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 158 &oldsize, NULL, 0) == 0) { 159 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 160 result |= SYSCTL1_READ1; 161 } 162 } 163 164 oldsize = sizeof(oldvalue); 165 newvalue = 7008; 166 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 167 &newvalue, sizeof(newvalue)) == 0) { 168 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 169 result |= SYSCTL1_READ_WRITE; 170 } 171 172 if ((result & SYSCTL1_READ_WRITE) != 0) { 173 oldsize = sizeof(oldvalue); 174 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 175 &oldsize, NULL, 0) == 0) { 176 if (oldsize == sizeof(oldvalue) && oldvalue == 7008) 177 result |= SYSCTL1_READ2; 178 } 179 } 180 181 return (result); 182 } 183 184 static void 185 test_operation(cap_channel_t *origcapsysctl) 186 { 187 cap_channel_t *capsysctl; 188 nvlist_t *limits; 189 190 /* 191 * Allow: 192 * SYSCTL0_PARENT/RDWR/RECURSIVE 193 * SYSCTL1_PARENT/RDWR/RECURSIVE 194 */ 195 196 capsysctl = cap_clone(origcapsysctl); 197 CHECK(capsysctl != NULL); 198 199 limits = nvlist_create(0); 200 nvlist_add_number(limits, SYSCTL0_PARENT, 201 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 202 nvlist_add_number(limits, SYSCTL1_PARENT, 203 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 204 CHECK(cap_limit_set(capsysctl, limits) == 0); 205 limits = nvlist_create(0); 206 nvlist_add_number(limits, SYSCTL0_PARENT, 207 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 208 nvlist_add_number(limits, SYSCTL1_PARENT, 209 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 210 nvlist_add_number(limits, "foo.bar", 211 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 212 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 213 limits = nvlist_create(0); 214 nvlist_add_number(limits, "foo.bar", 215 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 216 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 217 218 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 219 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 220 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 221 SYSCTL1_READ_WRITE)); 222 223 limits = nvlist_create(0); 224 nvlist_add_number(limits, SYSCTL0_NAME, 225 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 226 nvlist_add_number(limits, SYSCTL1_NAME, 227 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 228 CHECK(cap_limit_set(capsysctl, limits) == 0); 229 230 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 231 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 232 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 233 SYSCTL1_READ_WRITE)); 234 235 limits = nvlist_create(0); 236 nvlist_add_number(limits, SYSCTL0_NAME, 237 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 238 nvlist_add_number(limits, SYSCTL1_NAME, 239 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 240 CHECK(cap_limit_set(capsysctl, limits) == 0); 241 242 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 243 244 limits = nvlist_create(0); 245 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 246 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 247 CHECK(cap_limit_set(capsysctl, limits) == 0); 248 249 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 250 251 limits = nvlist_create(0); 252 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 253 CHECK(cap_limit_set(capsysctl, limits) == 0); 254 255 CHECK(runtest(capsysctl) == SYSCTL0_READ0); 256 257 cap_close(capsysctl); 258 259 /* 260 * Allow: 261 * SYSCTL0_NAME/RDWR/RECURSIVE 262 * SYSCTL1_NAME/RDWR/RECURSIVE 263 */ 264 265 capsysctl = cap_clone(origcapsysctl); 266 CHECK(capsysctl != NULL); 267 268 limits = nvlist_create(0); 269 nvlist_add_number(limits, SYSCTL0_NAME, 270 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 271 nvlist_add_number(limits, SYSCTL1_NAME, 272 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 273 CHECK(cap_limit_set(capsysctl, limits) == 0); 274 limits = nvlist_create(0); 275 nvlist_add_number(limits, SYSCTL0_PARENT, 276 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 277 nvlist_add_number(limits, SYSCTL1_PARENT, 278 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 279 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 280 limits = nvlist_create(0); 281 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 282 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 283 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 284 limits = nvlist_create(0); 285 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 286 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 287 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 288 limits = nvlist_create(0); 289 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 290 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 291 292 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 293 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 294 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 295 SYSCTL1_READ_WRITE)); 296 297 cap_close(capsysctl); 298 299 /* 300 * Allow: 301 * SYSCTL0_PARENT/RDWR 302 * SYSCTL1_PARENT/RDWR 303 */ 304 305 capsysctl = cap_clone(origcapsysctl); 306 CHECK(capsysctl != NULL); 307 308 limits = nvlist_create(0); 309 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 310 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 311 CHECK(cap_limit_set(capsysctl, limits) == 0); 312 limits = nvlist_create(0); 313 nvlist_add_number(limits, SYSCTL0_PARENT, 314 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 315 nvlist_add_number(limits, SYSCTL1_PARENT, 316 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 317 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 318 limits = nvlist_create(0); 319 nvlist_add_number(limits, SYSCTL0_PARENT, 320 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 321 nvlist_add_number(limits, SYSCTL1_PARENT, 322 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 323 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 324 limits = nvlist_create(0); 325 nvlist_add_number(limits, SYSCTL0_PARENT, 326 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 327 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 328 329 CHECK(runtest(capsysctl) == 0); 330 331 cap_close(capsysctl); 332 333 /* 334 * Allow: 335 * SYSCTL0_NAME/RDWR 336 * SYSCTL1_NAME/RDWR 337 */ 338 339 capsysctl = cap_clone(origcapsysctl); 340 CHECK(capsysctl != NULL); 341 342 limits = nvlist_create(0); 343 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 344 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 345 CHECK(cap_limit_set(capsysctl, limits) == 0); 346 limits = nvlist_create(0); 347 nvlist_add_number(limits, SYSCTL0_PARENT, 348 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 349 nvlist_add_number(limits, SYSCTL1_PARENT, 350 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 351 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 352 limits = nvlist_create(0); 353 nvlist_add_number(limits, SYSCTL0_PARENT, 354 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 355 nvlist_add_number(limits, SYSCTL1_PARENT, 356 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 357 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 358 limits = nvlist_create(0); 359 nvlist_add_number(limits, SYSCTL1_PARENT, 360 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 361 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 362 363 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 364 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 365 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 366 SYSCTL1_READ_WRITE)); 367 368 cap_close(capsysctl); 369 370 /* 371 * Allow: 372 * SYSCTL0_PARENT/RDWR 373 * SYSCTL1_PARENT/RDWR/RECURSIVE 374 */ 375 376 capsysctl = cap_clone(origcapsysctl); 377 CHECK(capsysctl != NULL); 378 379 limits = nvlist_create(0); 380 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 381 nvlist_add_number(limits, SYSCTL1_PARENT, 382 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 383 CHECK(cap_limit_set(capsysctl, limits) == 0); 384 limits = nvlist_create(0); 385 nvlist_add_number(limits, SYSCTL0_PARENT, 386 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 387 nvlist_add_number(limits, SYSCTL1_PARENT, 388 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 389 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 390 limits = nvlist_create(0); 391 nvlist_add_number(limits, SYSCTL0_PARENT, 392 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 393 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 394 limits = nvlist_create(0); 395 nvlist_add_number(limits, SYSCTL0_PARENT, 396 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 397 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 398 limits = nvlist_create(0); 399 nvlist_add_number(limits, SYSCTL0_NAME, 400 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 401 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 402 403 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 404 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 405 406 cap_close(capsysctl); 407 408 /* 409 * Allow: 410 * SYSCTL0_NAME/RDWR 411 * SYSCTL1_NAME/RDWR/RECURSIVE 412 */ 413 414 capsysctl = cap_clone(origcapsysctl); 415 CHECK(capsysctl != NULL); 416 417 limits = nvlist_create(0); 418 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 419 nvlist_add_number(limits, SYSCTL1_NAME, 420 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 421 CHECK(cap_limit_set(capsysctl, limits) == 0); 422 limits = nvlist_create(0); 423 nvlist_add_number(limits, SYSCTL0_NAME, 424 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 425 nvlist_add_number(limits, SYSCTL1_NAME, 426 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 427 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 428 limits = nvlist_create(0); 429 nvlist_add_number(limits, SYSCTL0_NAME, 430 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 431 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 432 limits = nvlist_create(0); 433 nvlist_add_number(limits, SYSCTL0_NAME, 434 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 435 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 436 437 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 438 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 439 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 440 SYSCTL1_READ_WRITE)); 441 442 cap_close(capsysctl); 443 444 /* 445 * Allow: 446 * SYSCTL0_PARENT/READ/RECURSIVE 447 * SYSCTL1_PARENT/READ/RECURSIVE 448 */ 449 450 capsysctl = cap_clone(origcapsysctl); 451 CHECK(capsysctl != NULL); 452 453 limits = nvlist_create(0); 454 nvlist_add_number(limits, SYSCTL0_PARENT, 455 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 456 nvlist_add_number(limits, SYSCTL1_PARENT, 457 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 458 CHECK(cap_limit_set(capsysctl, limits) == 0); 459 limits = nvlist_create(0); 460 nvlist_add_number(limits, SYSCTL0_PARENT, 461 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 462 nvlist_add_number(limits, SYSCTL1_PARENT, 463 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 464 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 465 limits = nvlist_create(0); 466 nvlist_add_number(limits, SYSCTL0_PARENT, 467 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 468 nvlist_add_number(limits, SYSCTL1_PARENT, 469 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 470 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 471 limits = nvlist_create(0); 472 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 473 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 474 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 475 limits = nvlist_create(0); 476 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 477 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 478 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 479 limits = nvlist_create(0); 480 nvlist_add_number(limits, SYSCTL0_PARENT, 481 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 482 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 483 limits = nvlist_create(0); 484 nvlist_add_number(limits, SYSCTL1_PARENT, 485 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 486 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 487 limits = nvlist_create(0); 488 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 489 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 490 limits = nvlist_create(0); 491 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 492 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 493 494 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 495 496 cap_close(capsysctl); 497 498 /* 499 * Allow: 500 * SYSCTL0_NAME/READ/RECURSIVE 501 * SYSCTL1_NAME/READ/RECURSIVE 502 */ 503 504 capsysctl = cap_clone(origcapsysctl); 505 CHECK(capsysctl != NULL); 506 507 limits = nvlist_create(0); 508 nvlist_add_number(limits, SYSCTL0_NAME, 509 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 510 nvlist_add_number(limits, SYSCTL1_NAME, 511 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 512 CHECK(cap_limit_set(capsysctl, limits) == 0); 513 limits = nvlist_create(0); 514 nvlist_add_number(limits, SYSCTL0_NAME, 515 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 516 nvlist_add_number(limits, SYSCTL1_NAME, 517 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 518 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 519 limits = nvlist_create(0); 520 nvlist_add_number(limits, SYSCTL0_NAME, 521 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 522 nvlist_add_number(limits, SYSCTL1_NAME, 523 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 524 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 525 limits = nvlist_create(0); 526 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 527 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 528 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 529 limits = nvlist_create(0); 530 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 531 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 532 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 533 limits = nvlist_create(0); 534 nvlist_add_number(limits, SYSCTL0_NAME, 535 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 536 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 537 limits = nvlist_create(0); 538 nvlist_add_number(limits, SYSCTL1_NAME, 539 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 540 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 541 limits = nvlist_create(0); 542 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 543 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 544 limits = nvlist_create(0); 545 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 546 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 547 548 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 549 550 cap_close(capsysctl); 551 552 /* 553 * Allow: 554 * SYSCTL0_PARENT/READ 555 * SYSCTL1_PARENT/READ 556 */ 557 558 capsysctl = cap_clone(origcapsysctl); 559 CHECK(capsysctl != NULL); 560 561 limits = nvlist_create(0); 562 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 563 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 564 CHECK(cap_limit_set(capsysctl, limits) == 0); 565 limits = nvlist_create(0); 566 nvlist_add_number(limits, SYSCTL0_PARENT, 567 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 568 nvlist_add_number(limits, SYSCTL1_PARENT, 569 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 570 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 571 limits = nvlist_create(0); 572 nvlist_add_number(limits, SYSCTL0_PARENT, 573 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 574 nvlist_add_number(limits, SYSCTL1_PARENT, 575 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 576 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 577 limits = nvlist_create(0); 578 nvlist_add_number(limits, SYSCTL0_PARENT, 579 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 580 nvlist_add_number(limits, SYSCTL1_PARENT, 581 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 582 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 583 limits = nvlist_create(0); 584 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 585 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 586 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 587 limits = nvlist_create(0); 588 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 589 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 590 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 591 limits = nvlist_create(0); 592 nvlist_add_number(limits, SYSCTL0_PARENT, 593 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 594 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 595 limits = nvlist_create(0); 596 nvlist_add_number(limits, SYSCTL1_PARENT, 597 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 598 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 599 limits = nvlist_create(0); 600 nvlist_add_number(limits, SYSCTL0_PARENT, 601 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 602 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 603 limits = nvlist_create(0); 604 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 605 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 606 limits = nvlist_create(0); 607 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 608 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 609 610 CHECK(runtest(capsysctl) == 0); 611 612 cap_close(capsysctl); 613 614 /* 615 * Allow: 616 * SYSCTL0_NAME/READ 617 * SYSCTL1_NAME/READ 618 */ 619 620 capsysctl = cap_clone(origcapsysctl); 621 CHECK(capsysctl != NULL); 622 623 limits = nvlist_create(0); 624 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 625 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 626 CHECK(cap_limit_set(capsysctl, limits) == 0); 627 limits = nvlist_create(0); 628 nvlist_add_number(limits, SYSCTL0_NAME, 629 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 630 nvlist_add_number(limits, SYSCTL1_NAME, 631 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 632 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 633 limits = nvlist_create(0); 634 nvlist_add_number(limits, SYSCTL0_NAME, 635 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 636 nvlist_add_number(limits, SYSCTL1_NAME, 637 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 638 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 639 limits = nvlist_create(0); 640 nvlist_add_number(limits, SYSCTL0_NAME, 641 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 642 nvlist_add_number(limits, SYSCTL1_NAME, 643 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 644 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 645 limits = nvlist_create(0); 646 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 647 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 648 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 649 limits = nvlist_create(0); 650 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 651 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 652 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 653 limits = nvlist_create(0); 654 nvlist_add_number(limits, SYSCTL0_NAME, 655 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 656 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 657 limits = nvlist_create(0); 658 nvlist_add_number(limits, SYSCTL1_NAME, 659 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 660 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 661 limits = nvlist_create(0); 662 nvlist_add_number(limits, SYSCTL0_NAME, 663 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 664 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 665 limits = nvlist_create(0); 666 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 667 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 668 limits = nvlist_create(0); 669 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 670 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 671 672 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 673 674 cap_close(capsysctl); 675 676 /* 677 * Allow: 678 * SYSCTL0_PARENT/READ 679 * SYSCTL1_PARENT/READ/RECURSIVE 680 */ 681 682 capsysctl = cap_clone(origcapsysctl); 683 CHECK(capsysctl != NULL); 684 685 limits = nvlist_create(0); 686 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 687 nvlist_add_number(limits, SYSCTL1_PARENT, 688 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 689 CHECK(cap_limit_set(capsysctl, limits) == 0); 690 limits = nvlist_create(0); 691 nvlist_add_number(limits, SYSCTL0_PARENT, 692 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 693 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 694 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 695 696 CHECK(runtest(capsysctl) == SYSCTL1_READ0); 697 698 cap_close(capsysctl); 699 700 /* 701 * Allow: 702 * SYSCTL0_NAME/READ 703 * SYSCTL1_NAME/READ/RECURSIVE 704 */ 705 706 capsysctl = cap_clone(origcapsysctl); 707 CHECK(capsysctl != NULL); 708 709 limits = nvlist_create(0); 710 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 711 nvlist_add_number(limits, SYSCTL1_NAME, 712 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 713 CHECK(cap_limit_set(capsysctl, limits) == 0); 714 limits = nvlist_create(0); 715 nvlist_add_number(limits, SYSCTL0_NAME, 716 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 717 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 718 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 719 720 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 721 722 cap_close(capsysctl); 723 724 /* 725 * Allow: 726 * SYSCTL0_PARENT/WRITE/RECURSIVE 727 * SYSCTL1_PARENT/WRITE/RECURSIVE 728 */ 729 730 capsysctl = cap_clone(origcapsysctl); 731 CHECK(capsysctl != NULL); 732 733 limits = nvlist_create(0); 734 nvlist_add_number(limits, SYSCTL0_PARENT, 735 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 736 nvlist_add_number(limits, SYSCTL1_PARENT, 737 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 738 CHECK(cap_limit_set(capsysctl, limits) == 0); 739 limits = nvlist_create(0); 740 nvlist_add_number(limits, SYSCTL0_PARENT, 741 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 742 nvlist_add_number(limits, SYSCTL1_PARENT, 743 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 744 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 745 limits = nvlist_create(0); 746 nvlist_add_number(limits, SYSCTL0_PARENT, 747 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 748 nvlist_add_number(limits, SYSCTL1_PARENT, 749 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 750 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 751 limits = nvlist_create(0); 752 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 753 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 754 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 755 limits = nvlist_create(0); 756 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 757 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 758 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 759 limits = nvlist_create(0); 760 nvlist_add_number(limits, SYSCTL0_PARENT, 761 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 762 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 763 limits = nvlist_create(0); 764 nvlist_add_number(limits, SYSCTL1_PARENT, 765 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 766 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 767 limits = nvlist_create(0); 768 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 769 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 770 limits = nvlist_create(0); 771 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 772 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 773 774 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 775 776 cap_close(capsysctl); 777 778 /* 779 * Allow: 780 * SYSCTL0_NAME/WRITE/RECURSIVE 781 * SYSCTL1_NAME/WRITE/RECURSIVE 782 */ 783 784 capsysctl = cap_clone(origcapsysctl); 785 CHECK(capsysctl != NULL); 786 787 limits = nvlist_create(0); 788 nvlist_add_number(limits, SYSCTL0_NAME, 789 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 790 nvlist_add_number(limits, SYSCTL1_NAME, 791 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 792 CHECK(cap_limit_set(capsysctl, limits) == 0); 793 limits = nvlist_create(0); 794 nvlist_add_number(limits, SYSCTL0_NAME, 795 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 796 nvlist_add_number(limits, SYSCTL1_NAME, 797 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 798 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 799 limits = nvlist_create(0); 800 nvlist_add_number(limits, SYSCTL0_NAME, 801 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 802 nvlist_add_number(limits, SYSCTL1_NAME, 803 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 804 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 805 limits = nvlist_create(0); 806 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 807 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 808 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 809 limits = nvlist_create(0); 810 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 811 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 812 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 813 limits = nvlist_create(0); 814 nvlist_add_number(limits, SYSCTL0_NAME, 815 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 816 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 817 limits = nvlist_create(0); 818 nvlist_add_number(limits, SYSCTL1_NAME, 819 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 820 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 821 limits = nvlist_create(0); 822 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 823 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 824 limits = nvlist_create(0); 825 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 826 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 827 828 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 829 830 cap_close(capsysctl); 831 832 /* 833 * Allow: 834 * SYSCTL0_PARENT/WRITE 835 * SYSCTL1_PARENT/WRITE 836 */ 837 838 capsysctl = cap_clone(origcapsysctl); 839 CHECK(capsysctl != NULL); 840 841 limits = nvlist_create(0); 842 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 843 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 844 CHECK(cap_limit_set(capsysctl, limits) == 0); 845 limits = nvlist_create(0); 846 nvlist_add_number(limits, SYSCTL0_PARENT, 847 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 848 nvlist_add_number(limits, SYSCTL1_PARENT, 849 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 850 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 851 limits = nvlist_create(0); 852 nvlist_add_number(limits, SYSCTL0_PARENT, 853 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 854 nvlist_add_number(limits, SYSCTL1_PARENT, 855 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 856 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 857 limits = nvlist_create(0); 858 nvlist_add_number(limits, SYSCTL0_PARENT, 859 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 860 nvlist_add_number(limits, SYSCTL1_PARENT, 861 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 862 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 863 limits = nvlist_create(0); 864 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 865 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 866 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 867 limits = nvlist_create(0); 868 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 869 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 870 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 871 limits = nvlist_create(0); 872 nvlist_add_number(limits, SYSCTL0_PARENT, 873 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 874 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 875 limits = nvlist_create(0); 876 nvlist_add_number(limits, SYSCTL1_PARENT, 877 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 878 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 879 limits = nvlist_create(0); 880 nvlist_add_number(limits, SYSCTL0_PARENT, 881 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 882 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 883 limits = nvlist_create(0); 884 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 885 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 886 limits = nvlist_create(0); 887 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 888 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 889 890 CHECK(runtest(capsysctl) == 0); 891 892 cap_close(capsysctl); 893 894 /* 895 * Allow: 896 * SYSCTL0_NAME/WRITE 897 * SYSCTL1_NAME/WRITE 898 */ 899 900 capsysctl = cap_clone(origcapsysctl); 901 CHECK(capsysctl != NULL); 902 903 limits = nvlist_create(0); 904 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 905 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 906 CHECK(cap_limit_set(capsysctl, limits) == 0); 907 limits = nvlist_create(0); 908 nvlist_add_number(limits, SYSCTL0_NAME, 909 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 910 nvlist_add_number(limits, SYSCTL1_NAME, 911 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 912 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 913 limits = nvlist_create(0); 914 nvlist_add_number(limits, SYSCTL0_NAME, 915 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 916 nvlist_add_number(limits, SYSCTL1_NAME, 917 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 918 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 919 limits = nvlist_create(0); 920 nvlist_add_number(limits, SYSCTL0_NAME, 921 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 922 nvlist_add_number(limits, SYSCTL1_NAME, 923 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 924 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 925 limits = nvlist_create(0); 926 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 927 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 928 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 929 limits = nvlist_create(0); 930 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 931 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 932 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 933 limits = nvlist_create(0); 934 nvlist_add_number(limits, SYSCTL0_NAME, 935 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 936 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 937 limits = nvlist_create(0); 938 nvlist_add_number(limits, SYSCTL1_NAME, 939 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 940 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 941 limits = nvlist_create(0); 942 nvlist_add_number(limits, SYSCTL0_NAME, 943 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 944 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 945 limits = nvlist_create(0); 946 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 947 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 948 limits = nvlist_create(0); 949 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 950 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 951 952 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 953 954 cap_close(capsysctl); 955 956 /* 957 * Allow: 958 * SYSCTL0_PARENT/WRITE 959 * SYSCTL1_PARENT/WRITE/RECURSIVE 960 */ 961 962 capsysctl = cap_clone(origcapsysctl); 963 CHECK(capsysctl != NULL); 964 965 limits = nvlist_create(0); 966 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 967 nvlist_add_number(limits, SYSCTL1_PARENT, 968 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 969 CHECK(cap_limit_set(capsysctl, limits) == 0); 970 limits = nvlist_create(0); 971 nvlist_add_number(limits, SYSCTL0_PARENT, 972 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 973 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 974 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 975 976 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 977 978 cap_close(capsysctl); 979 980 /* 981 * Allow: 982 * SYSCTL0_NAME/WRITE 983 * SYSCTL1_NAME/WRITE/RECURSIVE 984 */ 985 986 capsysctl = cap_clone(origcapsysctl); 987 CHECK(capsysctl != NULL); 988 989 limits = nvlist_create(0); 990 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 991 nvlist_add_number(limits, SYSCTL1_NAME, 992 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 993 CHECK(cap_limit_set(capsysctl, limits) == 0); 994 limits = nvlist_create(0); 995 nvlist_add_number(limits, SYSCTL0_NAME, 996 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 997 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 998 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 999 1000 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 1001 1002 cap_close(capsysctl); 1003 1004 /* 1005 * Allow: 1006 * SYSCTL0_PARENT/READ/RECURSIVE 1007 * SYSCTL1_PARENT/WRITE/RECURSIVE 1008 */ 1009 1010 capsysctl = cap_clone(origcapsysctl); 1011 CHECK(capsysctl != NULL); 1012 1013 limits = nvlist_create(0); 1014 nvlist_add_number(limits, SYSCTL0_PARENT, 1015 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1016 nvlist_add_number(limits, SYSCTL1_PARENT, 1017 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1018 CHECK(cap_limit_set(capsysctl, limits) == 0); 1019 1020 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1021 1022 cap_close(capsysctl); 1023 1024 /* 1025 * Allow: 1026 * SYSCTL0_NAME/READ/RECURSIVE 1027 * SYSCTL1_NAME/WRITE/RECURSIVE 1028 */ 1029 1030 capsysctl = cap_clone(origcapsysctl); 1031 CHECK(capsysctl != NULL); 1032 1033 limits = nvlist_create(0); 1034 nvlist_add_number(limits, SYSCTL0_NAME, 1035 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1036 nvlist_add_number(limits, SYSCTL1_NAME, 1037 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1038 CHECK(cap_limit_set(capsysctl, limits) == 0); 1039 1040 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1041 1042 cap_close(capsysctl); 1043 1044 /* 1045 * Allow: 1046 * SYSCTL0_PARENT/READ 1047 * SYSCTL1_PARENT/WRITE 1048 */ 1049 1050 capsysctl = cap_clone(origcapsysctl); 1051 CHECK(capsysctl != NULL); 1052 1053 limits = nvlist_create(0); 1054 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1055 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1056 CHECK(cap_limit_set(capsysctl, limits) == 0); 1057 1058 CHECK(runtest(capsysctl) == 0); 1059 1060 cap_close(capsysctl); 1061 1062 /* 1063 * Allow: 1064 * SYSCTL0_NAME/READ 1065 * SYSCTL1_NAME/WRITE 1066 */ 1067 1068 capsysctl = cap_clone(origcapsysctl); 1069 CHECK(capsysctl != NULL); 1070 1071 limits = nvlist_create(0); 1072 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1073 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1074 CHECK(cap_limit_set(capsysctl, limits) == 0); 1075 1076 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1077 1078 cap_close(capsysctl); 1079 1080 /* 1081 * Allow: 1082 * SYSCTL0_PARENT/READ 1083 * SYSCTL1_PARENT/WRITE/RECURSIVE 1084 */ 1085 1086 capsysctl = cap_clone(origcapsysctl); 1087 CHECK(capsysctl != NULL); 1088 1089 limits = nvlist_create(0); 1090 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1091 nvlist_add_number(limits, SYSCTL1_PARENT, 1092 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1093 CHECK(cap_limit_set(capsysctl, limits) == 0); 1094 1095 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 1096 1097 cap_close(capsysctl); 1098 1099 /* 1100 * Allow: 1101 * SYSCTL0_NAME/READ 1102 * SYSCTL1_NAME/WRITE/RECURSIVE 1103 */ 1104 1105 capsysctl = cap_clone(origcapsysctl); 1106 CHECK(capsysctl != NULL); 1107 1108 limits = nvlist_create(0); 1109 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1110 nvlist_add_number(limits, SYSCTL1_NAME, 1111 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1112 CHECK(cap_limit_set(capsysctl, limits) == 0); 1113 1114 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1115 1116 cap_close(capsysctl); 1117 } 1118 1119 static void 1120 test_names(cap_channel_t *origcapsysctl) 1121 { 1122 cap_channel_t *capsysctl; 1123 nvlist_t *limits; 1124 1125 /* 1126 * Allow: 1127 * SYSCTL0_PARENT/READ/RECURSIVE 1128 */ 1129 1130 capsysctl = cap_clone(origcapsysctl); 1131 CHECK(capsysctl != NULL); 1132 1133 limits = nvlist_create(0); 1134 nvlist_add_number(limits, SYSCTL0_PARENT, 1135 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1136 CHECK(cap_limit_set(capsysctl, limits) == 0); 1137 limits = nvlist_create(0); 1138 nvlist_add_number(limits, SYSCTL0_PARENT, 1139 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1140 nvlist_add_number(limits, SYSCTL1_PARENT, 1141 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1142 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1143 limits = nvlist_create(0); 1144 nvlist_add_number(limits, SYSCTL1_PARENT, 1145 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1146 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1147 limits = nvlist_create(0); 1148 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1149 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1150 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1151 limits = nvlist_create(0); 1152 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1153 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1154 1155 CHECK(runtest(capsysctl) == SYSCTL0_READ0); 1156 1157 cap_close(capsysctl); 1158 1159 /* 1160 * Allow: 1161 * SYSCTL1_NAME/READ/RECURSIVE 1162 */ 1163 1164 capsysctl = cap_clone(origcapsysctl); 1165 CHECK(capsysctl != NULL); 1166 1167 limits = nvlist_create(0); 1168 nvlist_add_number(limits, SYSCTL1_NAME, 1169 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1170 CHECK(cap_limit_set(capsysctl, limits) == 0); 1171 limits = nvlist_create(0); 1172 nvlist_add_number(limits, SYSCTL0_NAME, 1173 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1174 nvlist_add_number(limits, SYSCTL1_NAME, 1175 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1176 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1177 limits = nvlist_create(0); 1178 nvlist_add_number(limits, SYSCTL0_NAME, 1179 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1180 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1181 limits = nvlist_create(0); 1182 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1183 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1184 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1185 limits = nvlist_create(0); 1186 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1187 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1188 1189 CHECK(runtest(capsysctl) == SYSCTL1_READ0); 1190 1191 cap_close(capsysctl); 1192 1193 /* 1194 * Allow: 1195 * SYSCTL0_PARENT/WRITE/RECURSIVE 1196 */ 1197 1198 capsysctl = cap_clone(origcapsysctl); 1199 CHECK(capsysctl != NULL); 1200 1201 limits = nvlist_create(0); 1202 nvlist_add_number(limits, SYSCTL0_PARENT, 1203 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1204 CHECK(cap_limit_set(capsysctl, limits) == 0); 1205 limits = nvlist_create(0); 1206 nvlist_add_number(limits, SYSCTL0_PARENT, 1207 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1208 nvlist_add_number(limits, SYSCTL1_PARENT, 1209 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1210 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1211 limits = nvlist_create(0); 1212 nvlist_add_number(limits, SYSCTL1_PARENT, 1213 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1214 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1215 limits = nvlist_create(0); 1216 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1217 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1218 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1219 limits = nvlist_create(0); 1220 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1221 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1222 1223 CHECK(runtest(capsysctl) == SYSCTL0_WRITE); 1224 1225 cap_close(capsysctl); 1226 1227 /* 1228 * Allow: 1229 * SYSCTL1_NAME/WRITE/RECURSIVE 1230 */ 1231 1232 capsysctl = cap_clone(origcapsysctl); 1233 CHECK(capsysctl != NULL); 1234 1235 limits = nvlist_create(0); 1236 nvlist_add_number(limits, SYSCTL1_NAME, 1237 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1238 CHECK(cap_limit_set(capsysctl, limits) == 0); 1239 limits = nvlist_create(0); 1240 nvlist_add_number(limits, SYSCTL0_NAME, 1241 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1242 nvlist_add_number(limits, SYSCTL1_NAME, 1243 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1244 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1245 limits = nvlist_create(0); 1246 nvlist_add_number(limits, SYSCTL0_NAME, 1247 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1248 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1249 limits = nvlist_create(0); 1250 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1251 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1252 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1253 limits = nvlist_create(0); 1254 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1255 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1256 1257 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 1258 1259 cap_close(capsysctl); 1260 1261 /* 1262 * Allow: 1263 * SYSCTL0_PARENT/RDWR/RECURSIVE 1264 */ 1265 1266 capsysctl = cap_clone(origcapsysctl); 1267 CHECK(capsysctl != NULL); 1268 1269 limits = nvlist_create(0); 1270 nvlist_add_number(limits, SYSCTL0_PARENT, 1271 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1272 CHECK(cap_limit_set(capsysctl, limits) == 0); 1273 limits = nvlist_create(0); 1274 nvlist_add_number(limits, SYSCTL0_PARENT, 1275 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1276 nvlist_add_number(limits, SYSCTL1_PARENT, 1277 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1278 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1279 limits = nvlist_create(0); 1280 nvlist_add_number(limits, SYSCTL1_PARENT, 1281 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1282 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1283 limits = nvlist_create(0); 1284 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1285 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1286 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1287 limits = nvlist_create(0); 1288 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1289 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1290 1291 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1292 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE)); 1293 1294 cap_close(capsysctl); 1295 1296 /* 1297 * Allow: 1298 * SYSCTL1_NAME/RDWR/RECURSIVE 1299 */ 1300 1301 capsysctl = cap_clone(origcapsysctl); 1302 CHECK(capsysctl != NULL); 1303 1304 limits = nvlist_create(0); 1305 nvlist_add_number(limits, SYSCTL1_NAME, 1306 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1307 CHECK(cap_limit_set(capsysctl, limits) == 0); 1308 limits = nvlist_create(0); 1309 nvlist_add_number(limits, SYSCTL0_NAME, 1310 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1311 nvlist_add_number(limits, SYSCTL1_NAME, 1312 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1313 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1314 limits = nvlist_create(0); 1315 nvlist_add_number(limits, SYSCTL0_NAME, 1316 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1317 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1318 limits = nvlist_create(0); 1319 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1320 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1321 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1322 limits = nvlist_create(0); 1323 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1324 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1325 1326 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1327 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1328 1329 cap_close(capsysctl); 1330 1331 /* 1332 * Allow: 1333 * SYSCTL0_PARENT/READ 1334 */ 1335 1336 capsysctl = cap_clone(origcapsysctl); 1337 CHECK(capsysctl != NULL); 1338 1339 limits = nvlist_create(0); 1340 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1341 CHECK(cap_limit_set(capsysctl, limits) == 0); 1342 limits = nvlist_create(0); 1343 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1344 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1345 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1346 limits = nvlist_create(0); 1347 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1348 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1349 1350 CHECK(runtest(capsysctl) == 0); 1351 1352 cap_close(capsysctl); 1353 1354 /* 1355 * Allow: 1356 * SYSCTL1_NAME/READ 1357 */ 1358 1359 capsysctl = cap_clone(origcapsysctl); 1360 CHECK(capsysctl != NULL); 1361 1362 limits = nvlist_create(0); 1363 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1364 CHECK(cap_limit_set(capsysctl, limits) == 0); 1365 limits = nvlist_create(0); 1366 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1367 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ); 1368 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1369 limits = nvlist_create(0); 1370 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ); 1371 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1372 1373 CHECK(runtest(capsysctl) == SYSCTL1_READ0); 1374 1375 cap_close(capsysctl); 1376 1377 /* 1378 * Allow: 1379 * SYSCTL0_PARENT/WRITE 1380 */ 1381 1382 capsysctl = cap_clone(origcapsysctl); 1383 CHECK(capsysctl != NULL); 1384 1385 limits = nvlist_create(0); 1386 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1387 CHECK(cap_limit_set(capsysctl, limits) == 0); 1388 limits = nvlist_create(0); 1389 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1390 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1391 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1392 limits = nvlist_create(0); 1393 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1394 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1395 1396 CHECK(runtest(capsysctl) == 0); 1397 1398 cap_close(capsysctl); 1399 1400 /* 1401 * Allow: 1402 * SYSCTL1_NAME/WRITE 1403 */ 1404 1405 capsysctl = cap_clone(origcapsysctl); 1406 CHECK(capsysctl != NULL); 1407 1408 limits = nvlist_create(0); 1409 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1410 CHECK(cap_limit_set(capsysctl, limits) == 0); 1411 limits = nvlist_create(0); 1412 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1413 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1414 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1415 limits = nvlist_create(0); 1416 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1417 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1418 1419 CHECK(runtest(capsysctl) == SYSCTL1_WRITE); 1420 1421 cap_close(capsysctl); 1422 1423 /* 1424 * Allow: 1425 * SYSCTL0_PARENT/RDWR 1426 */ 1427 1428 capsysctl = cap_clone(origcapsysctl); 1429 CHECK(capsysctl != NULL); 1430 1431 limits = nvlist_create(0); 1432 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1433 CHECK(cap_limit_set(capsysctl, limits) == 0); 1434 limits = nvlist_create(0); 1435 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1436 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1437 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1438 limits = nvlist_create(0); 1439 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1440 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1441 1442 CHECK(runtest(capsysctl) == 0); 1443 1444 cap_close(capsysctl); 1445 1446 /* 1447 * Allow: 1448 * SYSCTL1_NAME/RDWR 1449 */ 1450 1451 capsysctl = cap_clone(origcapsysctl); 1452 CHECK(capsysctl != NULL); 1453 1454 limits = nvlist_create(0); 1455 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1456 CHECK(cap_limit_set(capsysctl, limits) == 0); 1457 limits = nvlist_create(0); 1458 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1459 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1460 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1461 limits = nvlist_create(0); 1462 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1463 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE); 1464 1465 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1466 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1467 1468 cap_close(capsysctl); 1469 } 1470 1471 int 1472 main(void) 1473 { 1474 cap_channel_t *capcas, *capsysctl; 1475 int scvalue0, scvalue1; 1476 size_t scsize; 1477 1478 printf("1..256\n"); 1479 fflush(stdout); 1480 1481 scsize = sizeof(scvalue0); 1482 CHECKX(sysctlbyname(SYSCTL0_NAME, &scvalue0, &scsize, NULL, 0) == 0); 1483 CHECKX(scsize == sizeof(scvalue0)); 1484 scsize = sizeof(scvalue1); 1485 CHECKX(sysctlbyname(SYSCTL1_NAME, &scvalue1, &scsize, NULL, 0) == 0); 1486 CHECKX(scsize == sizeof(scvalue1)); 1487 1488 capcas = cap_init(); 1489 CHECKX(capcas != NULL); 1490 1491 capsysctl = cap_service_open(capcas, "system.sysctl"); 1492 CHECKX(capsysctl != NULL); 1493 1494 cap_close(capcas); 1495 1496 /* No limits set. */ 1497 1498 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1499 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 1500 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 1501 SYSCTL1_READ_WRITE)); 1502 1503 test_operation(capsysctl); 1504 1505 test_names(capsysctl); 1506 1507 cap_close(capsysctl); 1508 1509 CHECK(sysctlbyname(SYSCTL0_NAME, NULL, NULL, &scvalue0, 1510 sizeof(scvalue0)) == 0); 1511 CHECK(sysctlbyname(SYSCTL1_NAME, NULL, NULL, &scvalue1, 1512 sizeof(scvalue1)) == 0); 1513 1514 exit(0); 1515 } 1516