selftests/landlock: Fix capability for net_test

author Mickaël Salaün <mic@digikod.net>

Thu, 25 Jan 2024 15:32:29 +0000 (16:32 +0100)

committer Mickaël Salaün <mic@digikod.net>

Fri, 2 Feb 2024 09:32:09 +0000 (10:32 +0100)
author Mickaël Salaün <mic@digikod.net>
Thu, 25 Jan 2024 15:32:29 +0000 (16:32 +0100)
committer Mickaël Salaün <mic@digikod.net>
Fri, 2 Feb 2024 09:32:09 +0000 (10:32 +0100)
diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h

index 5b79758cae627593c68b9fd465451efcf7b75f9f..e64bbdf0e86eac8bf1751ee287508aca1a7ed27c 100644 (file)
--- a/tools/testing/selftests/landlock/common.h
+++ b/tools/testing/selftests/landlock/common.h
@@ -9,6 +9,7 @@
  
  #include <errno.h>
  #include <linux/landlock.h>
+#include <linux/securebits.h>
  #include <sys/capability.h>
  #include <sys/socket.h>
  #include <sys/syscall.h>
@@ -115,11 +116,16 @@ static void _init_caps(struct __test_metadata *const _metadata, bool drop_all)
                 /* clang-format off */
                 CAP_DAC_OVERRIDE,
                 CAP_MKNOD,
+               CAP_NET_ADMIN,
+               CAP_NET_BIND_SERVICE,
                 CAP_SYS_ADMIN,
                 CAP_SYS_CHROOT,
-               CAP_NET_BIND_SERVICE,
                 /* clang-format on */
         };
+       const unsigned int noroot = SECBIT_NOROOT | SECBIT_NOROOT_LOCKED;
+
+       if ((cap_get_secbits() & noroot) != noroot)
+               EXPECT_EQ(0, cap_set_secbits(noroot));
  
         cap_p = cap_get_proc();
         EXPECT_NE(NULL, cap_p)
@@ -137,6 +143,8 @@ static void _init_caps(struct __test_metadata *const _metadata, bool drop_all)
                         TH_LOG("Failed to cap_set_flag: %s", strerror(errno));
                 }
         }
+
+       /* Automatically resets ambient capabilities. */
         EXPECT_NE(-1, cap_set_proc(cap_p))
         {
                 TH_LOG("Failed to cap_set_proc: %s", strerror(errno));
@@ -145,6 +153,9 @@ static void _init_caps(struct __test_metadata *const _metadata, bool drop_all)
         {
                 TH_LOG("Failed to cap_free: %s", strerror(errno));
         }
+
+       /* Quickly checks that ambient capabilities are cleared. */
+       EXPECT_NE(-1, cap_get_ambient(caps[0]));
  }
  
  /* We cannot put such helpers in a library because of kselftest_harness.h . */
@@ -158,8 +169,9 @@ static void __maybe_unused drop_caps(struct __test_metadata *const _metadata)
         _init_caps(_metadata, true);
  }
  
-static void _effective_cap(struct __test_metadata *const _metadata,
-                          const cap_value_t caps, const cap_flag_value_t value)
+static void _change_cap(struct __test_metadata *const _metadata,
+                       const cap_flag_t flag, const cap_value_t cap,
+                       const cap_flag_value_t value)
  {
         cap_t cap_p;
  
@@ -168,7 +180,7 @@ static void _effective_cap(struct __test_metadata *const _metadata,
         {
                 TH_LOG("Failed to cap_get_proc: %s", strerror(errno));
         }
-       EXPECT_NE(-1, cap_set_flag(cap_p, CAP_EFFECTIVE, 1, &caps, value))
+       EXPECT_NE(-1, cap_set_flag(cap_p, flag, 1, &cap, value))
         {
                 TH_LOG("Failed to cap_set_flag: %s", strerror(errno));
         }
@@ -183,15 +195,35 @@ static void _effective_cap(struct __test_metadata *const _metadata,
  }
  
  static void __maybe_unused set_cap(struct __test_metadata *const _metadata,
-                                  const cap_value_t caps)
+                                  const cap_value_t cap)
  {
-       _effective_cap(_metadata, caps, CAP_SET);
+       _change_cap(_metadata, CAP_EFFECTIVE, cap, CAP_SET);
  }
  
  static void __maybe_unused clear_cap(struct __test_metadata *const _metadata,
-                                    const cap_value_t caps)
+                                    const cap_value_t cap)
+{
+       _change_cap(_metadata, CAP_EFFECTIVE, cap, CAP_CLEAR);
+}
+
+static void __maybe_unused
+set_ambient_cap(struct __test_metadata *const _metadata, const cap_value_t cap)
+{
+       _change_cap(_metadata, CAP_INHERITABLE, cap, CAP_SET);
+
+       EXPECT_NE(-1, cap_set_ambient(cap, CAP_SET))
+       {
+               TH_LOG("Failed to set ambient capability %d: %s", cap,
+                      strerror(errno));
+       }
+}
+
+static void __maybe_unused clear_ambient_cap(
+       struct __test_metadata *const _metadata, const cap_value_t cap)
  {
-       _effective_cap(_metadata, caps, CAP_CLEAR);
+       EXPECT_EQ(1, cap_get_ambient(cap));
+       _change_cap(_metadata, CAP_INHERITABLE, cap, CAP_CLEAR);
+       EXPECT_EQ(0, cap_get_ambient(cap));
  }
  
  /* Receives an FD from a UNIX socket. Returns the received FD, or -errno. */
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c

index efcde123af1f24050bca1d62ce7c8bd15540664a..936cfc879f1d2c419195338a8af04c095fe770f8 100644 (file)
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -107,8 +107,11 @@ static void setup_loopback(struct __test_metadata *const _metadata)
  {
         set_cap(_metadata, CAP_SYS_ADMIN);
         ASSERT_EQ(0, unshare(CLONE_NEWNET));
-       ASSERT_EQ(0, system("ip link set dev lo up"));
         clear_cap(_metadata, CAP_SYS_ADMIN);
+
+       set_ambient_cap(_metadata, CAP_NET_ADMIN);
+       ASSERT_EQ(0, system("ip link set dev lo up"));
+       clear_ambient_cap(_metadata, CAP_NET_ADMIN);
  }
  
  static bool is_restricted(const struct protocol_variant *const prot,
author	Mickaël Salaün <mic@digikod.net>
	Thu, 25 Jan 2024 15:32:29 +0000 (16:32 +0100)
committer	Mickaël Salaün <mic@digikod.net>
	Fri, 2 Feb 2024 09:32:09 +0000 (10:32 +0100)
tools/testing/selftests/landlock/common.h		patch \| blob \| history
tools/testing/selftests/landlock/net_test.c		patch \| blob \| history