1 /*- 2 * Copyright (c) 2009-2011 Robert N. M. Watson 3 * Copyright (c) 2011 Jonathan Anderson 4 * Copyright (c) 2012 FreeBSD Foundation 5 * All rights reserved. 6 * 7 * Portions of this software were developed by Pawel Jakub Dawidek under 8 * sponsorship from the FreeBSD Foundation. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 /* 33 * Test whether various operations on capabilities are properly masked for 34 * various object types. 35 */ 36 37 #include <sys/cdefs.h> 38 __FBSDID("$FreeBSD$"); 39 40 #include <sys/param.h> 41 #include <sys/capability.h> 42 #include <sys/errno.h> 43 #include <sys/mman.h> 44 #include <sys/mount.h> 45 #include <sys/stat.h> 46 47 #include <err.h> 48 #include <fcntl.h> 49 #include <poll.h> 50 #include <stdint.h> 51 #include <stdio.h> 52 #include <stdlib.h> 53 #include <string.h> 54 #include <unistd.h> 55 56 #include "cap_test.h" 57 58 #define SYSCALL_FAIL(syscall, message) \ 59 FAIL("%s:\t%s (rights 0x%jx)", #syscall, message, rights) 60 61 /* 62 * Ensure that, if the capability had enough rights for the system call to 63 * pass, then it did. Otherwise, ensure that the errno is ENOTCAPABLE; 64 * capability restrictions should kick in before any other error logic. 65 */ 66 #define CHECK_RESULT(syscall, rights_needed, succeeded) do { \ 67 if ((rights & (rights_needed)) == (rights_needed)) { \ 68 if (succeeded) { \ 69 if (success == -1) \ 70 success = PASSED; \ 71 } else { \ 72 SYSCALL_FAIL(syscall, "failed"); \ 73 } \ 74 } else { \ 75 if (succeeded) { \ 76 FAILX("%s:\tsucceeded when it shouldn't have" \ 77 " (rights 0x%jx)", #syscall, \ 78 (uintmax_t)rights); \ 79 } else if (errno != ENOTCAPABLE) { \ 80 SYSCALL_FAIL(syscall, "errno != ENOTCAPABLE"); \ 81 } \ 82 } \ 83 errno = 0; \ 84 } while (0) 85 86 /* 87 * As above, but for the special mmap() case: unmap after successful mmap(). 88 */ 89 #define CHECK_MMAP_RESULT(rights_needed) do { \ 90 if ((rights & (rights_needed)) == (rights_needed)) { \ 91 if (p == MAP_FAILED) \ 92 SYSCALL_FAIL(mmap, "failed"); \ 93 else { \ 94 (void)munmap(p, getpagesize()); \ 95 if (success == -1) \ 96 success = PASSED; \ 97 } \ 98 } else { \ 99 if (p != MAP_FAILED) { \ 100 FAILX("%s:\tsucceeded when it shouldn't have" \ 101 " (rights 0x%jx)", "mmap", rights); \ 102 (void)munmap(p, getpagesize()); \ 103 } else if (errno != ENOTCAPABLE) \ 104 SYSCALL_FAIL(syscall, "errno != ENOTCAPABLE"); \ 105 } \ 106 errno = 0; \ 107 } while (0) 108 109 /* 110 * Given a file descriptor, create a capability with specific rights and 111 * make sure only those rights work. 112 */ 113 static int 114 try_file_ops(int filefd, int dirfd, cap_rights_t rights) 115 { 116 struct stat sb; 117 struct statfs sf; 118 cap_rights_t erights; 119 int fd_cap, fd_capcap, dfd_cap; 120 ssize_t ssize, ssize2; 121 off_t off; 122 void *p; 123 char ch; 124 int ret, is_nfs; 125 struct pollfd pollfd; 126 int success = -1; 127 128 REQUIRE(fstatfs(filefd, &sf)); 129 is_nfs = (strcmp("nfs", sf.f_fstypename) == 0); 130 131 REQUIRE(fd_cap = cap_new(filefd, rights)); 132 CHECK(cap_getrights(fd_cap, &erights) == 0); 133 CHECK(rights == erights); 134 REQUIRE(fd_capcap = cap_new(fd_cap, rights)); 135 CHECK(cap_getrights(fd_capcap, &erights) == 0); 136 CHECK(rights == erights); 137 CHECK(fd_capcap != fd_cap); 138 REQUIRE(dfd_cap = cap_new(dirfd, rights)); 139 CHECK(cap_getrights(dfd_cap, &erights) == 0); 140 CHECK(rights == erights); 141 142 ssize = read(fd_cap, &ch, sizeof(ch)); 143 CHECK_RESULT(read, CAP_READ, ssize >= 0); 144 145 ssize = write(fd_cap, &ch, sizeof(ch)); 146 CHECK_RESULT(write, CAP_WRITE, ssize >= 0); 147 148 off = lseek(fd_cap, 0, SEEK_SET); 149 CHECK_RESULT(lseek, CAP_SEEK, off >= 0); 150 151 ssize = pread(fd_cap, &ch, sizeof(ch), 0); 152 ssize2 = pread(fd_cap, &ch, sizeof(ch), 0); 153 CHECK_RESULT(pread, CAP_PREAD, ssize >= 0); 154 CHECK(ssize == ssize2); 155 156 ssize = pwrite(fd_cap, &ch, sizeof(ch), 0); 157 CHECK_RESULT(pwrite, CAP_PWRITE, ssize >= 0); 158 159 p = mmap(NULL, getpagesize(), PROT_NONE, MAP_SHARED, fd_cap, 0); 160 CHECK_MMAP_RESULT(CAP_MMAP); 161 162 p = mmap(NULL, getpagesize(), PROT_READ, MAP_SHARED, fd_cap, 0); 163 CHECK_MMAP_RESULT(CAP_MMAP_R); 164 165 p = mmap(NULL, getpagesize(), PROT_WRITE, MAP_SHARED, fd_cap, 0); 166 CHECK_MMAP_RESULT(CAP_MMAP_W); 167 168 p = mmap(NULL, getpagesize(), PROT_EXEC, MAP_SHARED, fd_cap, 0); 169 CHECK_MMAP_RESULT(CAP_MMAP_X); 170 171 p = mmap(NULL, getpagesize(), PROT_READ | PROT_WRITE, MAP_SHARED, 172 fd_cap, 0); 173 CHECK_MMAP_RESULT(CAP_MMAP_RW); 174 175 p = mmap(NULL, getpagesize(), PROT_READ | PROT_EXEC, MAP_SHARED, 176 fd_cap, 0); 177 CHECK_MMAP_RESULT(CAP_MMAP_RX); 178 179 p = mmap(NULL, getpagesize(), PROT_EXEC | PROT_WRITE, MAP_SHARED, 180 fd_cap, 0); 181 CHECK_MMAP_RESULT(CAP_MMAP_WX); 182 183 p = mmap(NULL, getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC, 184 MAP_SHARED, fd_cap, 0); 185 CHECK_MMAP_RESULT(CAP_MMAP_RWX); 186 187 ret = openat(dfd_cap, "cap_create", O_CREAT | O_RDONLY, 0600); 188 CHECK_RESULT(openat(O_CREATE | O_RDONLY), 189 CAP_CREATE | CAP_READ | CAP_LOOKUP, ret >= 0); 190 CHECK(ret == -1 || close(ret) == 0); 191 CHECK(ret == -1 || unlinkat(dirfd, "cap_create", 0) == 0); 192 ret = openat(dfd_cap, "cap_create", O_CREAT | O_WRONLY | O_APPEND, 193 0600); 194 CHECK_RESULT(openat(O_CREATE | O_WRONLY | O_APPEND), 195 CAP_CREATE | CAP_WRITE | CAP_LOOKUP, ret >= 0); 196 CHECK(ret == -1 || close(ret) == 0); 197 CHECK(ret == -1 || unlinkat(dirfd, "cap_create", 0) == 0); 198 ret = openat(dfd_cap, "cap_create", O_CREAT | O_RDWR | O_APPEND, 0600); 199 CHECK_RESULT(openat(O_CREATE | O_RDWR | O_APPEND), 200 CAP_CREATE | CAP_READ | CAP_WRITE | CAP_LOOKUP, ret >= 0); 201 CHECK(ret == -1 || close(ret) == 0); 202 CHECK(ret == -1 || unlinkat(dirfd, "cap_create", 0) == 0); 203 204 ret = fsync(fd_cap); 205 CHECK_RESULT(fsync, CAP_FSYNC, ret == 0); 206 207 ret = openat(dirfd, "cap_fsync", O_CREAT, 0600); 208 CHECK(ret >= 0); 209 CHECK(close(ret) == 0); 210 ret = openat(dfd_cap, "cap_fsync", O_FSYNC | O_RDONLY); 211 CHECK_RESULT(openat(O_FSYNC | O_RDONLY), 212 CAP_FSYNC | CAP_READ | CAP_LOOKUP, ret >= 0); 213 CHECK(ret == -1 || close(ret) == 0); 214 ret = openat(dfd_cap, "cap_fsync", O_FSYNC | O_WRONLY | O_APPEND); 215 CHECK_RESULT(openat(O_FSYNC | O_WRONLY | O_APPEND), 216 CAP_FSYNC | CAP_WRITE | CAP_LOOKUP, ret >= 0); 217 CHECK(ret == -1 || close(ret) == 0); 218 ret = openat(dfd_cap, "cap_fsync", O_FSYNC | O_RDWR | O_APPEND); 219 CHECK_RESULT(openat(O_FSYNC | O_RDWR | O_APPEND), 220 CAP_FSYNC | CAP_READ | CAP_WRITE | CAP_LOOKUP, ret >= 0); 221 CHECK(ret == -1 || close(ret) == 0); 222 ret = openat(dfd_cap, "cap_fsync", O_SYNC | O_RDONLY); 223 CHECK_RESULT(openat(O_SYNC | O_RDONLY), 224 CAP_FSYNC | CAP_READ | CAP_LOOKUP, ret >= 0); 225 CHECK(ret == -1 || close(ret) == 0); 226 ret = openat(dfd_cap, "cap_fsync", O_SYNC | O_WRONLY | O_APPEND); 227 CHECK_RESULT(openat(O_SYNC | O_WRONLY | O_APPEND), 228 CAP_FSYNC | CAP_WRITE | CAP_LOOKUP, ret >= 0); 229 CHECK(ret == -1 || close(ret) == 0); 230 ret = openat(dfd_cap, "cap_fsync", O_SYNC | O_RDWR | O_APPEND); 231 CHECK_RESULT(openat(O_SYNC | O_RDWR | O_APPEND), 232 CAP_FSYNC | CAP_READ | CAP_WRITE | CAP_LOOKUP, ret >= 0); 233 CHECK(ret == -1 || close(ret) == 0); 234 CHECK(unlinkat(dirfd, "cap_fsync", 0) == 0); 235 236 ret = ftruncate(fd_cap, 0); 237 CHECK_RESULT(ftruncate, CAP_FTRUNCATE, ret == 0); 238 239 ret = openat(dirfd, "cap_ftruncate", O_CREAT, 0600); 240 CHECK(ret >= 0); 241 CHECK(close(ret) == 0); 242 ret = openat(dfd_cap, "cap_ftruncate", O_TRUNC | O_RDONLY); 243 CHECK_RESULT(openat(O_TRUNC | O_RDONLY), 244 CAP_FTRUNCATE | CAP_READ | CAP_LOOKUP, ret >= 0); 245 CHECK(ret == -1 || close(ret) == 0); 246 ret = openat(dfd_cap, "cap_ftruncate", O_TRUNC | O_WRONLY); 247 CHECK_RESULT(openat(O_TRUNC | O_WRONLY), 248 CAP_FTRUNCATE | CAP_WRITE | CAP_LOOKUP, ret >= 0); 249 CHECK(ret == -1 || close(ret) == 0); 250 ret = openat(dfd_cap, "cap_ftruncate", O_TRUNC | O_RDWR); 251 CHECK_RESULT(openat(O_TRUNC | O_RDWR), 252 CAP_FTRUNCATE | CAP_READ | CAP_WRITE | CAP_LOOKUP, ret >= 0); 253 CHECK(ret == -1 || close(ret) == 0); 254 CHECK(unlinkat(dirfd, "cap_ftruncate", 0) == 0); 255 256 ret = openat(dfd_cap, "cap_create", O_CREAT | O_WRONLY, 0600); 257 CHECK_RESULT(openat(O_CREATE | O_WRONLY), 258 CAP_CREATE | CAP_WRITE | CAP_SEEK | CAP_LOOKUP, ret >= 0); 259 CHECK(ret == -1 || close(ret) == 0); 260 CHECK(ret == -1 || unlinkat(dirfd, "cap_create", 0) == 0); 261 ret = openat(dfd_cap, "cap_create", O_CREAT | O_RDWR, 0600); 262 CHECK_RESULT(openat(O_CREATE | O_RDWR), 263 CAP_CREATE | CAP_READ | CAP_WRITE | CAP_SEEK | CAP_LOOKUP, 264 ret >= 0); 265 CHECK(ret == -1 || close(ret) == 0); 266 CHECK(ret == -1 || unlinkat(dirfd, "cap_create", 0) == 0); 267 268 ret = openat(dirfd, "cap_fsync", O_CREAT, 0600); 269 CHECK(ret >= 0); 270 CHECK(close(ret) == 0); 271 ret = openat(dfd_cap, "cap_fsync", O_FSYNC | O_WRONLY); 272 CHECK_RESULT(openat(O_FSYNC | O_WRONLY), 273 CAP_FSYNC | CAP_WRITE | CAP_SEEK | CAP_LOOKUP, ret >= 0); 274 CHECK(ret == -1 || close(ret) == 0); 275 ret = openat(dfd_cap, "cap_fsync", O_FSYNC | O_RDWR); 276 CHECK_RESULT(openat(O_FSYNC | O_RDWR), 277 CAP_FSYNC | CAP_READ | CAP_WRITE | CAP_SEEK | CAP_LOOKUP, ret >= 0); 278 CHECK(ret == -1 || close(ret) == 0); 279 ret = openat(dfd_cap, "cap_fsync", O_SYNC | O_WRONLY); 280 CHECK_RESULT(openat(O_SYNC | O_WRONLY), 281 CAP_FSYNC | CAP_WRITE | CAP_SEEK | CAP_LOOKUP, ret >= 0); 282 CHECK(ret == -1 || close(ret) == 0); 283 ret = openat(dfd_cap, "cap_fsync", O_SYNC | O_RDWR); 284 CHECK_RESULT(openat(O_SYNC | O_RDWR), 285 CAP_FSYNC | CAP_READ | CAP_WRITE | CAP_SEEK | CAP_LOOKUP, ret >= 0); 286 CHECK(ret == -1 || close(ret) == 0); 287 CHECK(unlinkat(dirfd, "cap_fsync", 0) == 0); 288 289 /* 290 * Note: this is not expected to work over NFS. 291 */ 292 ret = fchflags(fd_cap, UF_NODUMP); 293 CHECK_RESULT(fchflags, CAP_FCHFLAGS, 294 ret == 0 || (is_nfs && errno == EOPNOTSUPP)); 295 296 #ifdef TODO /* No such syscalls yet. */ 297 ret = openat(dirfd, "cap_fchflagsat", O_CREAT, 0600); 298 CHECK(ret >= 0); 299 CHECK(close(ret) == 0); 300 ret = fchflagsat(dfd_cap, "cap_fchflagsat", UF_NODUMP, 0); 301 CHECK_RESULT(fchflagsat, CAP_FCHFLAGSAT | CAP_LOOKUP, ret == 0); 302 CHECK(unlinkat(dirfd, "cap_fchflagsat", 0) == 0); 303 #endif 304 305 ret = fchown(fd_cap, -1, -1); 306 CHECK_RESULT(fchown, CAP_FCHOWN, ret == 0); 307 308 ret = openat(dirfd, "cap_fchownat", O_CREAT, 0600); 309 CHECK(ret >= 0); 310 CHECK(close(ret) == 0); 311 ret = fchownat(dfd_cap, "cap_fchownat", -1, -1, 0); 312 CHECK_RESULT(fchownat, CAP_FCHOWN | CAP_LOOKUP, ret == 0); 313 CHECK(unlinkat(dirfd, "cap_fchownat", 0) == 0); 314 315 ret = fchmod(fd_cap, 0644); 316 CHECK_RESULT(fchmod, CAP_FCHMOD, ret == 0); 317 318 ret = openat(dirfd, "cap_fchmodat", O_CREAT, 0600); 319 CHECK(ret >= 0); 320 CHECK(close(ret) == 0); 321 ret = fchmodat(dfd_cap, "cap_fchmodat", 0600, 0); 322 CHECK_RESULT(fchmodat, CAP_FCHMOD | CAP_LOOKUP, ret == 0); 323 CHECK(unlinkat(dirfd, "cap_fchmodat", 0) == 0); 324 325 ret = fcntl(fd_cap, F_GETFL); 326 CHECK_RESULT(fcntl(F_GETFL), CAP_FCNTL, ret >= 0); 327 ret = fcntl(fd_cap, F_SETFL, ret); 328 CHECK_RESULT(fcntl(F_SETFL), CAP_FCNTL, ret == 0); 329 330 /* XXX flock */ 331 332 ret = fstat(fd_cap, &sb); 333 CHECK_RESULT(fstat, CAP_FSTAT, ret == 0); 334 335 ret = openat(dirfd, "cap_fstatat", O_CREAT, 0600); 336 CHECK(ret >= 0); 337 CHECK(close(ret) == 0); 338 ret = fstatat(dfd_cap, "cap_fstatat", &sb, 0); 339 CHECK_RESULT(fstatat, CAP_FSTAT | CAP_LOOKUP, ret == 0); 340 CHECK(unlinkat(dirfd, "cap_fstatat", 0) == 0); 341 342 ret = fstatfs(fd_cap, &sf); 343 CHECK_RESULT(fstatfs, CAP_FSTATFS, ret == 0); 344 345 ret = fpathconf(fd_cap, _PC_NAME_MAX); 346 CHECK_RESULT(fpathconf, CAP_FPATHCONF, ret >= 0); 347 348 ret = futimes(fd_cap, NULL); 349 CHECK_RESULT(futimes, CAP_FUTIMES, ret == 0); 350 351 ret = openat(dirfd, "cap_futimesat", O_CREAT, 0600); 352 CHECK(ret >= 0); 353 CHECK(close(ret) == 0); 354 ret = futimesat(dfd_cap, "cap_futimesat", NULL); 355 CHECK_RESULT(futimesat, CAP_FUTIMES | CAP_LOOKUP, ret == 0); 356 CHECK(unlinkat(dirfd, "cap_futimesat", 0) == 0); 357 358 ret = openat(dirfd, "cap_linkat_src", O_CREAT, 0600); 359 CHECK(ret >= 0); 360 CHECK(close(ret) == 0); 361 ret = linkat(dirfd, "cap_linkat_src", dfd_cap, "cap_linkat_dst", 0); 362 CHECK_RESULT(linkat, CAP_LINKAT | CAP_LOOKUP, ret == 0); 363 CHECK(unlinkat(dirfd, "cap_linkat_src", 0) == 0); 364 CHECK(ret == -1 || unlinkat(dirfd, "cap_linkat_dst", 0) == 0); 365 366 ret = mkdirat(dfd_cap, "cap_mkdirat", 0700); 367 CHECK_RESULT(mkdirat, CAP_MKDIRAT | CAP_LOOKUP, ret == 0); 368 CHECK(ret == -1 || unlinkat(dirfd, "cap_mkdirat", AT_REMOVEDIR) == 0); 369 370 ret = mkfifoat(dfd_cap, "cap_mkfifoat", 0600); 371 CHECK_RESULT(mkfifoat, CAP_MKFIFOAT | CAP_LOOKUP, ret == 0); 372 CHECK(ret == -1 || unlinkat(dirfd, "cap_mkfifoat", 0) == 0); 373 374 ret = mknodat(dfd_cap, "cap_mknodat", S_IFCHR | 0600, 0); 375 CHECK_RESULT(mknodat, CAP_MKNODAT | CAP_LOOKUP, ret == 0); 376 CHECK(ret == -1 || unlinkat(dirfd, "cap_mknodat", 0) == 0); 377 378 /* TODO: renameat(2) */ 379 380 ret = symlinkat("test", dfd_cap, "cap_symlinkat"); 381 CHECK_RESULT(symlinkat, CAP_SYMLINKAT | CAP_LOOKUP, ret == 0); 382 CHECK(ret == -1 || unlinkat(dirfd, "cap_symlinkat", 0) == 0); 383 384 ret = openat(dirfd, "cap_unlinkat", O_CREAT, 0600); 385 CHECK(ret >= 0); 386 CHECK(close(ret) == 0); 387 ret = unlinkat(dfd_cap, "cap_unlinkat", 0); 388 CHECK_RESULT(unlinkat, CAP_UNLINKAT | CAP_LOOKUP, ret == 0); 389 CHECK(ret == 0 || unlinkat(dirfd, "cap_unlinkat", 0) == 0); 390 ret = mkdirat(dirfd, "cap_unlinkat", 0700); 391 CHECK(ret == 0); 392 ret = unlinkat(dfd_cap, "cap_unlinkat", AT_REMOVEDIR); 393 CHECK_RESULT(unlinkat, CAP_UNLINKAT | CAP_LOOKUP, ret == 0); 394 CHECK(ret == 0 || unlinkat(dirfd, "cap_unlinkat", AT_REMOVEDIR) == 0); 395 396 pollfd.fd = fd_cap; 397 pollfd.events = POLLIN | POLLERR | POLLHUP; 398 pollfd.revents = 0; 399 400 ret = poll(&pollfd, 1, 0); 401 if (rights & CAP_POLL_EVENT) 402 CHECK((pollfd.revents & POLLNVAL) == 0); 403 else 404 CHECK((pollfd.revents & POLLNVAL) != 0); 405 406 /* XXX: select, kqueue */ 407 408 close(fd_cap); 409 close(fd_capcap); 410 411 if (success == -1) { 412 fprintf(stderr, "No tests for rights 0x%jx.\n", 413 (uintmax_t)rights); 414 success = FAILED; 415 } 416 return (success); 417 } 418 419 #define TRY(rights) \ 420 do { \ 421 if (success == PASSED) \ 422 success = try_file_ops(filefd, dirfd, (rights)); \ 423 else \ 424 /* We've already failed, but try the test anyway. */ \ 425 try_file_ops(filefd, dirfd, (rights)); \ 426 } while (0) 427 428 #define KEEP_ERRNO(...) do { \ 429 int _saved_errno = errno; \ 430 __VA_ARGS__; \ 431 errno = _saved_errno; \ 432 } while (0); 433 434 int 435 test_capabilities(void) 436 { 437 int filefd, dirfd, tmpfd; 438 int success = PASSED; 439 char file[] = "/tmp/cap_test.XXXXXXXXXX"; 440 char dir[] = "/tmp/cap_test.XXXXXXXXXX"; 441 442 filefd = mkstemp(file); 443 if (filefd < 0) 444 err(-1, "mkstemp"); 445 if (mkdtemp(dir) == NULL) { 446 KEEP_ERRNO(unlink(file)); 447 err(-1, "mkdtemp"); 448 } 449 dirfd = open(dir, O_RDONLY | O_DIRECTORY); 450 if (dirfd == -1) { 451 KEEP_ERRNO(unlink(file)); 452 KEEP_ERRNO(rmdir(dir)); 453 err(-1, "open"); 454 } 455 tmpfd = open("/tmp", O_RDONLY | O_DIRECTORY); 456 if (tmpfd == -1) { 457 KEEP_ERRNO(unlink(file)); 458 KEEP_ERRNO(rmdir(dir)); 459 err(-1, "open"); 460 } 461 462 if (cap_enter() == -1) { 463 KEEP_ERRNO(unlink(file)); 464 KEEP_ERRNO(rmdir(dir)); 465 err(-1, "cap_enter"); 466 } 467 468 TRY(CAP_READ); 469 TRY(CAP_WRITE); 470 TRY(CAP_SEEK); 471 TRY(CAP_PREAD); 472 TRY(CAP_PWRITE); 473 TRY(CAP_READ | CAP_WRITE); 474 TRY(CAP_PREAD | CAP_PWRITE); 475 TRY(CAP_MMAP); 476 TRY(CAP_MMAP_R); 477 TRY(CAP_MMAP_W); 478 TRY(CAP_MMAP_X); 479 TRY(CAP_MMAP_RW); 480 TRY(CAP_MMAP_RX); 481 TRY(CAP_MMAP_WX); 482 TRY(CAP_MMAP_RWX); 483 TRY(CAP_CREATE | CAP_READ | CAP_LOOKUP); 484 TRY(CAP_CREATE | CAP_WRITE | CAP_LOOKUP); 485 TRY(CAP_CREATE | CAP_READ | CAP_WRITE | CAP_LOOKUP); 486 #ifdef TODO 487 TRY(CAP_FEXECVE); 488 #endif 489 TRY(CAP_FSYNC); 490 TRY(CAP_FSYNC | CAP_READ | CAP_LOOKUP); 491 TRY(CAP_FSYNC | CAP_WRITE | CAP_LOOKUP); 492 TRY(CAP_FSYNC | CAP_READ | CAP_WRITE | CAP_LOOKUP); 493 TRY(CAP_FTRUNCATE); 494 TRY(CAP_FTRUNCATE | CAP_READ | CAP_LOOKUP); 495 TRY(CAP_FTRUNCATE | CAP_WRITE | CAP_LOOKUP); 496 TRY(CAP_FTRUNCATE | CAP_READ | CAP_WRITE | CAP_LOOKUP); 497 #ifdef TODO 498 TRY(CAP_FCHDIR); 499 #endif 500 TRY(CAP_FCHFLAGS); 501 TRY(CAP_FCHOWN); 502 TRY(CAP_FCHOWN | CAP_LOOKUP); 503 TRY(CAP_FCHMOD | CAP_LOOKUP); 504 TRY(CAP_FCNTL); 505 #ifdef TODO 506 TRY(CAP_FLOCK); 507 #endif 508 TRY(CAP_FPATHCONF); 509 #ifdef TODO 510 TRY(CAP_FSCK); 511 #endif 512 TRY(CAP_FSTAT | CAP_LOOKUP); 513 TRY(CAP_FSTATFS); 514 TRY(CAP_FUTIMES | CAP_LOOKUP); 515 TRY(CAP_LINKAT | CAP_LOOKUP); 516 TRY(CAP_MKDIRAT | CAP_LOOKUP); 517 TRY(CAP_MKFIFOAT | CAP_LOOKUP); 518 TRY(CAP_MKNODAT | CAP_LOOKUP); 519 TRY(CAP_SYMLINKAT | CAP_LOOKUP); 520 TRY(CAP_UNLINKAT | CAP_LOOKUP); 521 /* Rename needs CAP_RENAMEAT on source directory and CAP_LINKAT on destination directory. */ 522 TRY(CAP_RENAMEAT | CAP_UNLINKAT | CAP_LOOKUP); 523 #ifdef TODO 524 TRY(CAP_LOOKUP); 525 TRY(CAP_EXTATTR_DELETE); 526 TRY(CAP_EXTATTR_GET); 527 TRY(CAP_EXTATTR_LIST); 528 TRY(CAP_EXTATTR_SET); 529 TRY(CAP_ACL_CHECK); 530 TRY(CAP_ACL_DELETE); 531 TRY(CAP_ACL_GET); 532 TRY(CAP_ACL_SET); 533 TRY(CAP_ACCEPT); 534 TRY(CAP_BIND); 535 TRY(CAP_CONNECT); 536 TRY(CAP_GETPEERNAME); 537 TRY(CAP_GETSOCKNAME); 538 TRY(CAP_GETSOCKOPT); 539 TRY(CAP_LISTEN); 540 TRY(CAP_PEELOFF); 541 TRY(CAP_RECV); 542 TRY(CAP_SEND); 543 TRY(CAP_SETSOCKOPT); 544 TRY(CAP_SHUTDOWN); 545 TRY(CAP_MAC_GET); 546 TRY(CAP_MAC_SET); 547 TRY(CAP_SEM_GETVALUE); 548 TRY(CAP_SEM_POST); 549 TRY(CAP_SEM_WAIT); 550 TRY(CAP_POST_EVENT); 551 TRY(CAP_POLL_EVENT); 552 TRY(CAP_IOCTL); 553 TRY(CAP_TTYHOOK); 554 TRY(CAP_PDGETPID); 555 TRY(CAP_PDWAIT); 556 TRY(CAP_PDKILL); 557 #endif 558 559 (void)unlinkat(tmpfd, file + strlen("/tmp/"), 0); 560 (void)unlinkat(tmpfd, dir + strlen("/tmp/"), AT_REMOVEDIR); 561 562 return (success); 563 } 564