1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 2013 The FreeBSD Foundation
5 * All rights reserved.
6 *
7 * This software was developed by Pawel Jakub Dawidek under sponsorship from
8 * the FreeBSD Foundation.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
34
35 #include <sys/types.h>
36 #include <sys/capsicum.h>
37 #include <sys/sysctl.h>
38 #include <sys/nv.h>
39
40 #include <assert.h>
41 #include <err.h>
42 #include <errno.h>
43 #include <netdb.h>
44 #include <stdio.h>
45 #include <stdlib.h>
46 #include <string.h>
47 #include <unistd.h>
48
49 #include <libcasper.h>
50
51 #include <casper/cap_sysctl.h>
52
53 /*
54 * We need some sysctls to perform the tests on.
55 * We remember their values and restore them afer the test is done.
56 */
57 #define SYSCTL0_PARENT "kern"
58 #define SYSCTL0_NAME "kern.sync_on_panic"
59 #define SYSCTL1_PARENT "debug"
60 #define SYSCTL1_NAME "debug.minidump"
61
62 static int ntest = 1;
63
64 #define CHECK(expr) do { \
65 if ((expr)) \
66 printf("ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \
67 else \
68 printf("not ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \
69 fflush(stdout); \
70 ntest++; \
71 } while (0)
72 #define CHECKX(expr) do { \
73 if ((expr)) { \
74 printf("ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \
75 } else { \
76 printf("not ok %d # %s:%u\n", ntest, __FILE__, __LINE__); \
77 exit(1); \
78 } \
79 fflush(stdout); \
80 ntest++; \
81 } while (0)
82
83 #define SYSCTL0_READ0 0x0001
84 #define SYSCTL0_READ1 0x0002
85 #define SYSCTL0_READ2 0x0004
86 #define SYSCTL0_WRITE 0x0008
87 #define SYSCTL0_READ_WRITE 0x0010
88 #define SYSCTL1_READ0 0x0020
89 #define SYSCTL1_READ1 0x0040
90 #define SYSCTL1_READ2 0x0080
91 #define SYSCTL1_WRITE 0x0100
92 #define SYSCTL1_READ_WRITE 0x0200
93
94 static unsigned int
runtest(cap_channel_t * capsysctl)95 runtest(cap_channel_t *capsysctl)
96 {
97 unsigned int result;
98 int oldvalue, newvalue;
99 size_t oldsize;
100
101 result = 0;
102
103 oldsize = sizeof(oldvalue);
104 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize,
105 NULL, 0) == 0) {
106 if (oldsize == sizeof(oldvalue))
107 result |= SYSCTL0_READ0;
108 }
109
110 newvalue = 123;
111 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue,
112 sizeof(newvalue)) == 0) {
113 result |= SYSCTL0_WRITE;
114 }
115
116 if ((result & SYSCTL0_WRITE) != 0) {
117 oldsize = sizeof(oldvalue);
118 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue,
119 &oldsize, NULL, 0) == 0) {
120 if (oldsize == sizeof(oldvalue) && oldvalue == 123)
121 result |= SYSCTL0_READ1;
122 }
123 }
124
125 oldsize = sizeof(oldvalue);
126 newvalue = 4567;
127 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize,
128 &newvalue, sizeof(newvalue)) == 0) {
129 if (oldsize == sizeof(oldvalue) && oldvalue == 123)
130 result |= SYSCTL0_READ_WRITE;
131 }
132
133 if ((result & SYSCTL0_READ_WRITE) != 0) {
134 oldsize = sizeof(oldvalue);
135 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue,
136 &oldsize, NULL, 0) == 0) {
137 if (oldsize == sizeof(oldvalue) && oldvalue == 4567)
138 result |= SYSCTL0_READ2;
139 }
140 }
141
142 oldsize = sizeof(oldvalue);
143 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize,
144 NULL, 0) == 0) {
145 if (oldsize == sizeof(oldvalue))
146 result |= SYSCTL1_READ0;
147 }
148
149 newvalue = 506;
150 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue,
151 sizeof(newvalue)) == 0) {
152 result |= SYSCTL1_WRITE;
153 }
154
155 if ((result & SYSCTL1_WRITE) != 0) {
156 oldsize = sizeof(oldvalue);
157 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue,
158 &oldsize, NULL, 0) == 0) {
159 if (oldsize == sizeof(oldvalue) && oldvalue == 506)
160 result |= SYSCTL1_READ1;
161 }
162 }
163
164 oldsize = sizeof(oldvalue);
165 newvalue = 7008;
166 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize,
167 &newvalue, sizeof(newvalue)) == 0) {
168 if (oldsize == sizeof(oldvalue) && oldvalue == 506)
169 result |= SYSCTL1_READ_WRITE;
170 }
171
172 if ((result & SYSCTL1_READ_WRITE) != 0) {
173 oldsize = sizeof(oldvalue);
174 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue,
175 &oldsize, NULL, 0) == 0) {
176 if (oldsize == sizeof(oldvalue) && oldvalue == 7008)
177 result |= SYSCTL1_READ2;
178 }
179 }
180
181 return (result);
182 }
183
184 static void
test_operation(cap_channel_t * origcapsysctl)185 test_operation(cap_channel_t *origcapsysctl)
186 {
187 cap_channel_t *capsysctl;
188 nvlist_t *limits;
189
190 /*
191 * Allow:
192 * SYSCTL0_PARENT/RDWR/RECURSIVE
193 * SYSCTL1_PARENT/RDWR/RECURSIVE
194 */
195
196 capsysctl = cap_clone(origcapsysctl);
197 CHECK(capsysctl != NULL);
198
199 limits = nvlist_create(0);
200 nvlist_add_number(limits, SYSCTL0_PARENT,
201 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
202 nvlist_add_number(limits, SYSCTL1_PARENT,
203 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
204 CHECK(cap_limit_set(capsysctl, limits) == 0);
205 limits = nvlist_create(0);
206 nvlist_add_number(limits, SYSCTL0_PARENT,
207 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
208 nvlist_add_number(limits, SYSCTL1_PARENT,
209 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
210 nvlist_add_number(limits, "foo.bar",
211 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
212 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
213 limits = nvlist_create(0);
214 nvlist_add_number(limits, "foo.bar",
215 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
216 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
217
218 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
219 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
220 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
221 SYSCTL1_READ_WRITE));
222
223 limits = nvlist_create(0);
224 nvlist_add_number(limits, SYSCTL0_NAME,
225 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
226 nvlist_add_number(limits, SYSCTL1_NAME,
227 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
228 CHECK(cap_limit_set(capsysctl, limits) == 0);
229
230 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
231 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
232 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
233 SYSCTL1_READ_WRITE));
234
235 limits = nvlist_create(0);
236 nvlist_add_number(limits, SYSCTL0_NAME,
237 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
238 nvlist_add_number(limits, SYSCTL1_NAME,
239 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
240 CHECK(cap_limit_set(capsysctl, limits) == 0);
241
242 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
243
244 limits = nvlist_create(0);
245 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
246 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
247 CHECK(cap_limit_set(capsysctl, limits) == 0);
248
249 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
250
251 limits = nvlist_create(0);
252 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
253 CHECK(cap_limit_set(capsysctl, limits) == 0);
254
255 CHECK(runtest(capsysctl) == SYSCTL0_READ0);
256
257 cap_close(capsysctl);
258
259 /*
260 * Allow:
261 * SYSCTL0_NAME/RDWR/RECURSIVE
262 * SYSCTL1_NAME/RDWR/RECURSIVE
263 */
264
265 capsysctl = cap_clone(origcapsysctl);
266 CHECK(capsysctl != NULL);
267
268 limits = nvlist_create(0);
269 nvlist_add_number(limits, SYSCTL0_NAME,
270 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
271 nvlist_add_number(limits, SYSCTL1_NAME,
272 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
273 CHECK(cap_limit_set(capsysctl, limits) == 0);
274 limits = nvlist_create(0);
275 nvlist_add_number(limits, SYSCTL0_PARENT,
276 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
277 nvlist_add_number(limits, SYSCTL1_PARENT,
278 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
279 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
280 limits = nvlist_create(0);
281 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
282 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
283 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
284 limits = nvlist_create(0);
285 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
286 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
287 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
288 limits = nvlist_create(0);
289 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
290 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
291
292 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
293 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
294 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
295 SYSCTL1_READ_WRITE));
296
297 cap_close(capsysctl);
298
299 /*
300 * Allow:
301 * SYSCTL0_PARENT/RDWR
302 * SYSCTL1_PARENT/RDWR
303 */
304
305 capsysctl = cap_clone(origcapsysctl);
306 CHECK(capsysctl != NULL);
307
308 limits = nvlist_create(0);
309 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
310 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
311 CHECK(cap_limit_set(capsysctl, limits) == 0);
312 limits = nvlist_create(0);
313 nvlist_add_number(limits, SYSCTL0_PARENT,
314 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
315 nvlist_add_number(limits, SYSCTL1_PARENT,
316 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
317 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
318 limits = nvlist_create(0);
319 nvlist_add_number(limits, SYSCTL0_PARENT,
320 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
321 nvlist_add_number(limits, SYSCTL1_PARENT,
322 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
323 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
324 limits = nvlist_create(0);
325 nvlist_add_number(limits, SYSCTL0_PARENT,
326 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
327 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
328
329 CHECK(runtest(capsysctl) == 0);
330
331 cap_close(capsysctl);
332
333 /*
334 * Allow:
335 * SYSCTL0_NAME/RDWR
336 * SYSCTL1_NAME/RDWR
337 */
338
339 capsysctl = cap_clone(origcapsysctl);
340 CHECK(capsysctl != NULL);
341
342 limits = nvlist_create(0);
343 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
344 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
345 CHECK(cap_limit_set(capsysctl, limits) == 0);
346 limits = nvlist_create(0);
347 nvlist_add_number(limits, SYSCTL0_PARENT,
348 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
349 nvlist_add_number(limits, SYSCTL1_PARENT,
350 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
351 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
352 limits = nvlist_create(0);
353 nvlist_add_number(limits, SYSCTL0_PARENT,
354 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
355 nvlist_add_number(limits, SYSCTL1_PARENT,
356 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
357 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
358 limits = nvlist_create(0);
359 nvlist_add_number(limits, SYSCTL1_PARENT,
360 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
361 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
362
363 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
364 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
365 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
366 SYSCTL1_READ_WRITE));
367
368 cap_close(capsysctl);
369
370 /*
371 * Allow:
372 * SYSCTL0_PARENT/RDWR
373 * SYSCTL1_PARENT/RDWR/RECURSIVE
374 */
375
376 capsysctl = cap_clone(origcapsysctl);
377 CHECK(capsysctl != NULL);
378
379 limits = nvlist_create(0);
380 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
381 nvlist_add_number(limits, SYSCTL1_PARENT,
382 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
383 CHECK(cap_limit_set(capsysctl, limits) == 0);
384 limits = nvlist_create(0);
385 nvlist_add_number(limits, SYSCTL0_PARENT,
386 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
387 nvlist_add_number(limits, SYSCTL1_PARENT,
388 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
389 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
390 limits = nvlist_create(0);
391 nvlist_add_number(limits, SYSCTL0_PARENT,
392 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
393 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
394 limits = nvlist_create(0);
395 nvlist_add_number(limits, SYSCTL0_PARENT,
396 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
397 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
398 limits = nvlist_create(0);
399 nvlist_add_number(limits, SYSCTL0_NAME,
400 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
401 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
402
403 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
404 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
405
406 cap_close(capsysctl);
407
408 /*
409 * Allow:
410 * SYSCTL0_NAME/RDWR
411 * SYSCTL1_NAME/RDWR/RECURSIVE
412 */
413
414 capsysctl = cap_clone(origcapsysctl);
415 CHECK(capsysctl != NULL);
416
417 limits = nvlist_create(0);
418 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
419 nvlist_add_number(limits, SYSCTL1_NAME,
420 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
421 CHECK(cap_limit_set(capsysctl, limits) == 0);
422 limits = nvlist_create(0);
423 nvlist_add_number(limits, SYSCTL0_NAME,
424 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
425 nvlist_add_number(limits, SYSCTL1_NAME,
426 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
427 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
428 limits = nvlist_create(0);
429 nvlist_add_number(limits, SYSCTL0_NAME,
430 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
431 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
432 limits = nvlist_create(0);
433 nvlist_add_number(limits, SYSCTL0_NAME,
434 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
435 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
436
437 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
438 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
439 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
440 SYSCTL1_READ_WRITE));
441
442 cap_close(capsysctl);
443
444 /*
445 * Allow:
446 * SYSCTL0_PARENT/READ/RECURSIVE
447 * SYSCTL1_PARENT/READ/RECURSIVE
448 */
449
450 capsysctl = cap_clone(origcapsysctl);
451 CHECK(capsysctl != NULL);
452
453 limits = nvlist_create(0);
454 nvlist_add_number(limits, SYSCTL0_PARENT,
455 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
456 nvlist_add_number(limits, SYSCTL1_PARENT,
457 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
458 CHECK(cap_limit_set(capsysctl, limits) == 0);
459 limits = nvlist_create(0);
460 nvlist_add_number(limits, SYSCTL0_PARENT,
461 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
462 nvlist_add_number(limits, SYSCTL1_PARENT,
463 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
464 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
465 limits = nvlist_create(0);
466 nvlist_add_number(limits, SYSCTL0_PARENT,
467 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
468 nvlist_add_number(limits, SYSCTL1_PARENT,
469 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
470 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
471 limits = nvlist_create(0);
472 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
473 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
474 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
475 limits = nvlist_create(0);
476 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
477 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
478 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
479 limits = nvlist_create(0);
480 nvlist_add_number(limits, SYSCTL0_PARENT,
481 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
482 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
483 limits = nvlist_create(0);
484 nvlist_add_number(limits, SYSCTL1_PARENT,
485 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
486 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
487 limits = nvlist_create(0);
488 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
489 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
490 limits = nvlist_create(0);
491 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
492 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
493
494 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
495
496 cap_close(capsysctl);
497
498 /*
499 * Allow:
500 * SYSCTL0_NAME/READ/RECURSIVE
501 * SYSCTL1_NAME/READ/RECURSIVE
502 */
503
504 capsysctl = cap_clone(origcapsysctl);
505 CHECK(capsysctl != NULL);
506
507 limits = nvlist_create(0);
508 nvlist_add_number(limits, SYSCTL0_NAME,
509 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
510 nvlist_add_number(limits, SYSCTL1_NAME,
511 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
512 CHECK(cap_limit_set(capsysctl, limits) == 0);
513 limits = nvlist_create(0);
514 nvlist_add_number(limits, SYSCTL0_NAME,
515 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
516 nvlist_add_number(limits, SYSCTL1_NAME,
517 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
518 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
519 limits = nvlist_create(0);
520 nvlist_add_number(limits, SYSCTL0_NAME,
521 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
522 nvlist_add_number(limits, SYSCTL1_NAME,
523 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
524 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
525 limits = nvlist_create(0);
526 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
527 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
528 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
529 limits = nvlist_create(0);
530 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
531 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
532 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
533 limits = nvlist_create(0);
534 nvlist_add_number(limits, SYSCTL0_NAME,
535 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
536 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
537 limits = nvlist_create(0);
538 nvlist_add_number(limits, SYSCTL1_NAME,
539 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
540 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
541 limits = nvlist_create(0);
542 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
543 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
544 limits = nvlist_create(0);
545 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
546 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
547
548 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
549
550 cap_close(capsysctl);
551
552 /*
553 * Allow:
554 * SYSCTL0_PARENT/READ
555 * SYSCTL1_PARENT/READ
556 */
557
558 capsysctl = cap_clone(origcapsysctl);
559 CHECK(capsysctl != NULL);
560
561 limits = nvlist_create(0);
562 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
563 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
564 CHECK(cap_limit_set(capsysctl, limits) == 0);
565 limits = nvlist_create(0);
566 nvlist_add_number(limits, SYSCTL0_PARENT,
567 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
568 nvlist_add_number(limits, SYSCTL1_PARENT,
569 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
570 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
571 limits = nvlist_create(0);
572 nvlist_add_number(limits, SYSCTL0_PARENT,
573 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
574 nvlist_add_number(limits, SYSCTL1_PARENT,
575 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
576 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
577 limits = nvlist_create(0);
578 nvlist_add_number(limits, SYSCTL0_PARENT,
579 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
580 nvlist_add_number(limits, SYSCTL1_PARENT,
581 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
582 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
583 limits = nvlist_create(0);
584 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
585 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
586 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
587 limits = nvlist_create(0);
588 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
589 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
590 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
591 limits = nvlist_create(0);
592 nvlist_add_number(limits, SYSCTL0_PARENT,
593 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
594 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
595 limits = nvlist_create(0);
596 nvlist_add_number(limits, SYSCTL1_PARENT,
597 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
598 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
599 limits = nvlist_create(0);
600 nvlist_add_number(limits, SYSCTL0_PARENT,
601 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
602 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
603 limits = nvlist_create(0);
604 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
605 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
606 limits = nvlist_create(0);
607 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
608 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
609
610 CHECK(runtest(capsysctl) == 0);
611
612 cap_close(capsysctl);
613
614 /*
615 * Allow:
616 * SYSCTL0_NAME/READ
617 * SYSCTL1_NAME/READ
618 */
619
620 capsysctl = cap_clone(origcapsysctl);
621 CHECK(capsysctl != NULL);
622
623 limits = nvlist_create(0);
624 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
625 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ);
626 CHECK(cap_limit_set(capsysctl, limits) == 0);
627 limits = nvlist_create(0);
628 nvlist_add_number(limits, SYSCTL0_NAME,
629 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
630 nvlist_add_number(limits, SYSCTL1_NAME,
631 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
632 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
633 limits = nvlist_create(0);
634 nvlist_add_number(limits, SYSCTL0_NAME,
635 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
636 nvlist_add_number(limits, SYSCTL1_NAME,
637 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
638 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
639 limits = nvlist_create(0);
640 nvlist_add_number(limits, SYSCTL0_NAME,
641 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
642 nvlist_add_number(limits, SYSCTL1_NAME,
643 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
644 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
645 limits = nvlist_create(0);
646 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
647 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
648 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
649 limits = nvlist_create(0);
650 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
651 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
652 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
653 limits = nvlist_create(0);
654 nvlist_add_number(limits, SYSCTL0_NAME,
655 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
656 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
657 limits = nvlist_create(0);
658 nvlist_add_number(limits, SYSCTL1_NAME,
659 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
660 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
661 limits = nvlist_create(0);
662 nvlist_add_number(limits, SYSCTL0_NAME,
663 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
664 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
665 limits = nvlist_create(0);
666 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
667 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
668 limits = nvlist_create(0);
669 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
670 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
671
672 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
673
674 cap_close(capsysctl);
675
676 /*
677 * Allow:
678 * SYSCTL0_PARENT/READ
679 * SYSCTL1_PARENT/READ/RECURSIVE
680 */
681
682 capsysctl = cap_clone(origcapsysctl);
683 CHECK(capsysctl != NULL);
684
685 limits = nvlist_create(0);
686 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
687 nvlist_add_number(limits, SYSCTL1_PARENT,
688 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
689 CHECK(cap_limit_set(capsysctl, limits) == 0);
690 limits = nvlist_create(0);
691 nvlist_add_number(limits, SYSCTL0_PARENT,
692 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
693 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
694 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
695
696 CHECK(runtest(capsysctl) == SYSCTL1_READ0);
697
698 cap_close(capsysctl);
699
700 /*
701 * Allow:
702 * SYSCTL0_NAME/READ
703 * SYSCTL1_NAME/READ/RECURSIVE
704 */
705
706 capsysctl = cap_clone(origcapsysctl);
707 CHECK(capsysctl != NULL);
708
709 limits = nvlist_create(0);
710 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
711 nvlist_add_number(limits, SYSCTL1_NAME,
712 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
713 CHECK(cap_limit_set(capsysctl, limits) == 0);
714 limits = nvlist_create(0);
715 nvlist_add_number(limits, SYSCTL0_NAME,
716 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
717 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ);
718 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
719
720 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
721
722 cap_close(capsysctl);
723
724 /*
725 * Allow:
726 * SYSCTL0_PARENT/WRITE/RECURSIVE
727 * SYSCTL1_PARENT/WRITE/RECURSIVE
728 */
729
730 capsysctl = cap_clone(origcapsysctl);
731 CHECK(capsysctl != NULL);
732
733 limits = nvlist_create(0);
734 nvlist_add_number(limits, SYSCTL0_PARENT,
735 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
736 nvlist_add_number(limits, SYSCTL1_PARENT,
737 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
738 CHECK(cap_limit_set(capsysctl, limits) == 0);
739 limits = nvlist_create(0);
740 nvlist_add_number(limits, SYSCTL0_PARENT,
741 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
742 nvlist_add_number(limits, SYSCTL1_PARENT,
743 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
744 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
745 limits = nvlist_create(0);
746 nvlist_add_number(limits, SYSCTL0_PARENT,
747 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
748 nvlist_add_number(limits, SYSCTL1_PARENT,
749 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
750 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
751 limits = nvlist_create(0);
752 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
753 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
754 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
755 limits = nvlist_create(0);
756 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
757 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
758 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
759 limits = nvlist_create(0);
760 nvlist_add_number(limits, SYSCTL0_PARENT,
761 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
762 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
763 limits = nvlist_create(0);
764 nvlist_add_number(limits, SYSCTL1_PARENT,
765 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
766 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
767 limits = nvlist_create(0);
768 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
769 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
770 limits = nvlist_create(0);
771 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
772 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
773
774 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
775
776 cap_close(capsysctl);
777
778 /*
779 * Allow:
780 * SYSCTL0_NAME/WRITE/RECURSIVE
781 * SYSCTL1_NAME/WRITE/RECURSIVE
782 */
783
784 capsysctl = cap_clone(origcapsysctl);
785 CHECK(capsysctl != NULL);
786
787 limits = nvlist_create(0);
788 nvlist_add_number(limits, SYSCTL0_NAME,
789 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
790 nvlist_add_number(limits, SYSCTL1_NAME,
791 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
792 CHECK(cap_limit_set(capsysctl, limits) == 0);
793 limits = nvlist_create(0);
794 nvlist_add_number(limits, SYSCTL0_NAME,
795 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
796 nvlist_add_number(limits, SYSCTL1_NAME,
797 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
798 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
799 limits = nvlist_create(0);
800 nvlist_add_number(limits, SYSCTL0_NAME,
801 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
802 nvlist_add_number(limits, SYSCTL1_NAME,
803 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
804 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
805 limits = nvlist_create(0);
806 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
807 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
808 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
809 limits = nvlist_create(0);
810 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
811 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ);
812 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
813 limits = nvlist_create(0);
814 nvlist_add_number(limits, SYSCTL0_NAME,
815 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
816 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
817 limits = nvlist_create(0);
818 nvlist_add_number(limits, SYSCTL1_NAME,
819 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
820 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
821 limits = nvlist_create(0);
822 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
823 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
824 limits = nvlist_create(0);
825 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
826 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
827
828 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
829
830 cap_close(capsysctl);
831
832 /*
833 * Allow:
834 * SYSCTL0_PARENT/WRITE
835 * SYSCTL1_PARENT/WRITE
836 */
837
838 capsysctl = cap_clone(origcapsysctl);
839 CHECK(capsysctl != NULL);
840
841 limits = nvlist_create(0);
842 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
843 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
844 CHECK(cap_limit_set(capsysctl, limits) == 0);
845 limits = nvlist_create(0);
846 nvlist_add_number(limits, SYSCTL0_PARENT,
847 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
848 nvlist_add_number(limits, SYSCTL1_PARENT,
849 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
850 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
851 limits = nvlist_create(0);
852 nvlist_add_number(limits, SYSCTL0_PARENT,
853 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
854 nvlist_add_number(limits, SYSCTL1_PARENT,
855 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
856 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
857 limits = nvlist_create(0);
858 nvlist_add_number(limits, SYSCTL0_PARENT,
859 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
860 nvlist_add_number(limits, SYSCTL1_PARENT,
861 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
862 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
863 limits = nvlist_create(0);
864 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
865 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
866 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
867 limits = nvlist_create(0);
868 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
869 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
870 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
871 limits = nvlist_create(0);
872 nvlist_add_number(limits, SYSCTL0_PARENT,
873 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
874 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
875 limits = nvlist_create(0);
876 nvlist_add_number(limits, SYSCTL1_PARENT,
877 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
878 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
879 limits = nvlist_create(0);
880 nvlist_add_number(limits, SYSCTL0_PARENT,
881 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
882 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
883 limits = nvlist_create(0);
884 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
885 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
886 limits = nvlist_create(0);
887 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
888 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
889
890 CHECK(runtest(capsysctl) == 0);
891
892 cap_close(capsysctl);
893
894 /*
895 * Allow:
896 * SYSCTL0_NAME/WRITE
897 * SYSCTL1_NAME/WRITE
898 */
899
900 capsysctl = cap_clone(origcapsysctl);
901 CHECK(capsysctl != NULL);
902
903 limits = nvlist_create(0);
904 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
905 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
906 CHECK(cap_limit_set(capsysctl, limits) == 0);
907 limits = nvlist_create(0);
908 nvlist_add_number(limits, SYSCTL0_NAME,
909 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
910 nvlist_add_number(limits, SYSCTL1_NAME,
911 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
912 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
913 limits = nvlist_create(0);
914 nvlist_add_number(limits, SYSCTL0_NAME,
915 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
916 nvlist_add_number(limits, SYSCTL1_NAME,
917 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
918 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
919 limits = nvlist_create(0);
920 nvlist_add_number(limits, SYSCTL0_NAME,
921 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
922 nvlist_add_number(limits, SYSCTL1_NAME,
923 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
924 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
925 limits = nvlist_create(0);
926 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
927 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
928 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
929 limits = nvlist_create(0);
930 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
931 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ);
932 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
933 limits = nvlist_create(0);
934 nvlist_add_number(limits, SYSCTL0_NAME,
935 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
936 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
937 limits = nvlist_create(0);
938 nvlist_add_number(limits, SYSCTL1_NAME,
939 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
940 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
941 limits = nvlist_create(0);
942 nvlist_add_number(limits, SYSCTL0_NAME,
943 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
944 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
945 limits = nvlist_create(0);
946 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
947 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
948 limits = nvlist_create(0);
949 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
950 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
951
952 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
953
954 cap_close(capsysctl);
955
956 /*
957 * Allow:
958 * SYSCTL0_PARENT/WRITE
959 * SYSCTL1_PARENT/WRITE/RECURSIVE
960 */
961
962 capsysctl = cap_clone(origcapsysctl);
963 CHECK(capsysctl != NULL);
964
965 limits = nvlist_create(0);
966 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
967 nvlist_add_number(limits, SYSCTL1_PARENT,
968 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
969 CHECK(cap_limit_set(capsysctl, limits) == 0);
970 limits = nvlist_create(0);
971 nvlist_add_number(limits, SYSCTL0_PARENT,
972 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
973 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
974 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
975
976 CHECK(runtest(capsysctl) == SYSCTL1_WRITE);
977
978 cap_close(capsysctl);
979
980 /*
981 * Allow:
982 * SYSCTL0_NAME/WRITE
983 * SYSCTL1_NAME/WRITE/RECURSIVE
984 */
985
986 capsysctl = cap_clone(origcapsysctl);
987 CHECK(capsysctl != NULL);
988
989 limits = nvlist_create(0);
990 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
991 nvlist_add_number(limits, SYSCTL1_NAME,
992 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
993 CHECK(cap_limit_set(capsysctl, limits) == 0);
994 limits = nvlist_create(0);
995 nvlist_add_number(limits, SYSCTL0_NAME,
996 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
997 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
998 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
999
1000 CHECK(runtest(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
1001
1002 cap_close(capsysctl);
1003
1004 /*
1005 * Allow:
1006 * SYSCTL0_PARENT/READ/RECURSIVE
1007 * SYSCTL1_PARENT/WRITE/RECURSIVE
1008 */
1009
1010 capsysctl = cap_clone(origcapsysctl);
1011 CHECK(capsysctl != NULL);
1012
1013 limits = nvlist_create(0);
1014 nvlist_add_number(limits, SYSCTL0_PARENT,
1015 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1016 nvlist_add_number(limits, SYSCTL1_PARENT,
1017 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1018 CHECK(cap_limit_set(capsysctl, limits) == 0);
1019
1020 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1021
1022 cap_close(capsysctl);
1023
1024 /*
1025 * Allow:
1026 * SYSCTL0_NAME/READ/RECURSIVE
1027 * SYSCTL1_NAME/WRITE/RECURSIVE
1028 */
1029
1030 capsysctl = cap_clone(origcapsysctl);
1031 CHECK(capsysctl != NULL);
1032
1033 limits = nvlist_create(0);
1034 nvlist_add_number(limits, SYSCTL0_NAME,
1035 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1036 nvlist_add_number(limits, SYSCTL1_NAME,
1037 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1038 CHECK(cap_limit_set(capsysctl, limits) == 0);
1039
1040 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1041
1042 cap_close(capsysctl);
1043
1044 /*
1045 * Allow:
1046 * SYSCTL0_PARENT/READ
1047 * SYSCTL1_PARENT/WRITE
1048 */
1049
1050 capsysctl = cap_clone(origcapsysctl);
1051 CHECK(capsysctl != NULL);
1052
1053 limits = nvlist_create(0);
1054 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1055 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1056 CHECK(cap_limit_set(capsysctl, limits) == 0);
1057
1058 CHECK(runtest(capsysctl) == 0);
1059
1060 cap_close(capsysctl);
1061
1062 /*
1063 * Allow:
1064 * SYSCTL0_NAME/READ
1065 * SYSCTL1_NAME/WRITE
1066 */
1067
1068 capsysctl = cap_clone(origcapsysctl);
1069 CHECK(capsysctl != NULL);
1070
1071 limits = nvlist_create(0);
1072 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
1073 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1074 CHECK(cap_limit_set(capsysctl, limits) == 0);
1075
1076 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1077
1078 cap_close(capsysctl);
1079
1080 /*
1081 * Allow:
1082 * SYSCTL0_PARENT/READ
1083 * SYSCTL1_PARENT/WRITE/RECURSIVE
1084 */
1085
1086 capsysctl = cap_clone(origcapsysctl);
1087 CHECK(capsysctl != NULL);
1088
1089 limits = nvlist_create(0);
1090 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1091 nvlist_add_number(limits, SYSCTL1_PARENT,
1092 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1093 CHECK(cap_limit_set(capsysctl, limits) == 0);
1094
1095 CHECK(runtest(capsysctl) == SYSCTL1_WRITE);
1096
1097 cap_close(capsysctl);
1098
1099 /*
1100 * Allow:
1101 * SYSCTL0_NAME/READ
1102 * SYSCTL1_NAME/WRITE/RECURSIVE
1103 */
1104
1105 capsysctl = cap_clone(origcapsysctl);
1106 CHECK(capsysctl != NULL);
1107
1108 limits = nvlist_create(0);
1109 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
1110 nvlist_add_number(limits, SYSCTL1_NAME,
1111 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1112 CHECK(cap_limit_set(capsysctl, limits) == 0);
1113
1114 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1115
1116 cap_close(capsysctl);
1117 }
1118
1119 static void
test_names(cap_channel_t * origcapsysctl)1120 test_names(cap_channel_t *origcapsysctl)
1121 {
1122 cap_channel_t *capsysctl;
1123 nvlist_t *limits;
1124
1125 /*
1126 * Allow:
1127 * SYSCTL0_PARENT/READ/RECURSIVE
1128 */
1129
1130 capsysctl = cap_clone(origcapsysctl);
1131 CHECK(capsysctl != NULL);
1132
1133 limits = nvlist_create(0);
1134 nvlist_add_number(limits, SYSCTL0_PARENT,
1135 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1136 CHECK(cap_limit_set(capsysctl, limits) == 0);
1137 limits = nvlist_create(0);
1138 nvlist_add_number(limits, SYSCTL0_PARENT,
1139 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1140 nvlist_add_number(limits, SYSCTL1_PARENT,
1141 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1142 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1143 limits = nvlist_create(0);
1144 nvlist_add_number(limits, SYSCTL1_PARENT,
1145 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1146 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1147 limits = nvlist_create(0);
1148 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1149 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1150 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1151 limits = nvlist_create(0);
1152 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1153 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1154
1155 CHECK(runtest(capsysctl) == SYSCTL0_READ0);
1156
1157 cap_close(capsysctl);
1158
1159 /*
1160 * Allow:
1161 * SYSCTL1_NAME/READ/RECURSIVE
1162 */
1163
1164 capsysctl = cap_clone(origcapsysctl);
1165 CHECK(capsysctl != NULL);
1166
1167 limits = nvlist_create(0);
1168 nvlist_add_number(limits, SYSCTL1_NAME,
1169 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1170 CHECK(cap_limit_set(capsysctl, limits) == 0);
1171 limits = nvlist_create(0);
1172 nvlist_add_number(limits, SYSCTL0_NAME,
1173 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1174 nvlist_add_number(limits, SYSCTL1_NAME,
1175 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1176 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1177 limits = nvlist_create(0);
1178 nvlist_add_number(limits, SYSCTL0_NAME,
1179 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1180 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1181 limits = nvlist_create(0);
1182 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
1183 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ);
1184 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1185 limits = nvlist_create(0);
1186 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
1187 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1188
1189 CHECK(runtest(capsysctl) == SYSCTL1_READ0);
1190
1191 cap_close(capsysctl);
1192
1193 /*
1194 * Allow:
1195 * SYSCTL0_PARENT/WRITE/RECURSIVE
1196 */
1197
1198 capsysctl = cap_clone(origcapsysctl);
1199 CHECK(capsysctl != NULL);
1200
1201 limits = nvlist_create(0);
1202 nvlist_add_number(limits, SYSCTL0_PARENT,
1203 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1204 CHECK(cap_limit_set(capsysctl, limits) == 0);
1205 limits = nvlist_create(0);
1206 nvlist_add_number(limits, SYSCTL0_PARENT,
1207 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1208 nvlist_add_number(limits, SYSCTL1_PARENT,
1209 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1210 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1211 limits = nvlist_create(0);
1212 nvlist_add_number(limits, SYSCTL1_PARENT,
1213 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1214 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1215 limits = nvlist_create(0);
1216 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1217 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1218 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1219 limits = nvlist_create(0);
1220 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1221 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1222
1223 CHECK(runtest(capsysctl) == SYSCTL0_WRITE);
1224
1225 cap_close(capsysctl);
1226
1227 /*
1228 * Allow:
1229 * SYSCTL1_NAME/WRITE/RECURSIVE
1230 */
1231
1232 capsysctl = cap_clone(origcapsysctl);
1233 CHECK(capsysctl != NULL);
1234
1235 limits = nvlist_create(0);
1236 nvlist_add_number(limits, SYSCTL1_NAME,
1237 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1238 CHECK(cap_limit_set(capsysctl, limits) == 0);
1239 limits = nvlist_create(0);
1240 nvlist_add_number(limits, SYSCTL0_NAME,
1241 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1242 nvlist_add_number(limits, SYSCTL1_NAME,
1243 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1244 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1245 limits = nvlist_create(0);
1246 nvlist_add_number(limits, SYSCTL0_NAME,
1247 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1248 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1249 limits = nvlist_create(0);
1250 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1251 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1252 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1253 limits = nvlist_create(0);
1254 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1255 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1256
1257 CHECK(runtest(capsysctl) == SYSCTL1_WRITE);
1258
1259 cap_close(capsysctl);
1260
1261 /*
1262 * Allow:
1263 * SYSCTL0_PARENT/RDWR/RECURSIVE
1264 */
1265
1266 capsysctl = cap_clone(origcapsysctl);
1267 CHECK(capsysctl != NULL);
1268
1269 limits = nvlist_create(0);
1270 nvlist_add_number(limits, SYSCTL0_PARENT,
1271 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1272 CHECK(cap_limit_set(capsysctl, limits) == 0);
1273 limits = nvlist_create(0);
1274 nvlist_add_number(limits, SYSCTL0_PARENT,
1275 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1276 nvlist_add_number(limits, SYSCTL1_PARENT,
1277 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1278 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1279 limits = nvlist_create(0);
1280 nvlist_add_number(limits, SYSCTL1_PARENT,
1281 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1282 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1283 limits = nvlist_create(0);
1284 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1285 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1286 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1287 limits = nvlist_create(0);
1288 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1289 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1290
1291 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
1292 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE));
1293
1294 cap_close(capsysctl);
1295
1296 /*
1297 * Allow:
1298 * SYSCTL1_NAME/RDWR/RECURSIVE
1299 */
1300
1301 capsysctl = cap_clone(origcapsysctl);
1302 CHECK(capsysctl != NULL);
1303
1304 limits = nvlist_create(0);
1305 nvlist_add_number(limits, SYSCTL1_NAME,
1306 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1307 CHECK(cap_limit_set(capsysctl, limits) == 0);
1308 limits = nvlist_create(0);
1309 nvlist_add_number(limits, SYSCTL0_NAME,
1310 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1311 nvlist_add_number(limits, SYSCTL1_NAME,
1312 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1313 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1314 limits = nvlist_create(0);
1315 nvlist_add_number(limits, SYSCTL0_NAME,
1316 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1317 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1318 limits = nvlist_create(0);
1319 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
1320 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ);
1321 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1322 limits = nvlist_create(0);
1323 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
1324 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1325
1326 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
1327 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
1328
1329 cap_close(capsysctl);
1330
1331 /*
1332 * Allow:
1333 * SYSCTL0_PARENT/READ
1334 */
1335
1336 capsysctl = cap_clone(origcapsysctl);
1337 CHECK(capsysctl != NULL);
1338
1339 limits = nvlist_create(0);
1340 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1341 CHECK(cap_limit_set(capsysctl, limits) == 0);
1342 limits = nvlist_create(0);
1343 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1344 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1345 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1346 limits = nvlist_create(0);
1347 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1348 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1349
1350 CHECK(runtest(capsysctl) == 0);
1351
1352 cap_close(capsysctl);
1353
1354 /*
1355 * Allow:
1356 * SYSCTL1_NAME/READ
1357 */
1358
1359 capsysctl = cap_clone(origcapsysctl);
1360 CHECK(capsysctl != NULL);
1361
1362 limits = nvlist_create(0);
1363 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ);
1364 CHECK(cap_limit_set(capsysctl, limits) == 0);
1365 limits = nvlist_create(0);
1366 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
1367 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_READ);
1368 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1369 limits = nvlist_create(0);
1370 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_READ);
1371 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1372
1373 CHECK(runtest(capsysctl) == SYSCTL1_READ0);
1374
1375 cap_close(capsysctl);
1376
1377 /*
1378 * Allow:
1379 * SYSCTL0_PARENT/WRITE
1380 */
1381
1382 capsysctl = cap_clone(origcapsysctl);
1383 CHECK(capsysctl != NULL);
1384
1385 limits = nvlist_create(0);
1386 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1387 CHECK(cap_limit_set(capsysctl, limits) == 0);
1388 limits = nvlist_create(0);
1389 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1390 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1391 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1392 limits = nvlist_create(0);
1393 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1394 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1395
1396 CHECK(runtest(capsysctl) == 0);
1397
1398 cap_close(capsysctl);
1399
1400 /*
1401 * Allow:
1402 * SYSCTL1_NAME/WRITE
1403 */
1404
1405 capsysctl = cap_clone(origcapsysctl);
1406 CHECK(capsysctl != NULL);
1407
1408 limits = nvlist_create(0);
1409 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1410 CHECK(cap_limit_set(capsysctl, limits) == 0);
1411 limits = nvlist_create(0);
1412 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1413 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1414 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1415 limits = nvlist_create(0);
1416 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1417 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1418
1419 CHECK(runtest(capsysctl) == SYSCTL1_WRITE);
1420
1421 cap_close(capsysctl);
1422
1423 /*
1424 * Allow:
1425 * SYSCTL0_PARENT/RDWR
1426 */
1427
1428 capsysctl = cap_clone(origcapsysctl);
1429 CHECK(capsysctl != NULL);
1430
1431 limits = nvlist_create(0);
1432 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
1433 CHECK(cap_limit_set(capsysctl, limits) == 0);
1434 limits = nvlist_create(0);
1435 nvlist_add_number(limits, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
1436 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
1437 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1438 limits = nvlist_create(0);
1439 nvlist_add_number(limits, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
1440 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1441
1442 CHECK(runtest(capsysctl) == 0);
1443
1444 cap_close(capsysctl);
1445
1446 /*
1447 * Allow:
1448 * SYSCTL1_NAME/RDWR
1449 */
1450
1451 capsysctl = cap_clone(origcapsysctl);
1452 CHECK(capsysctl != NULL);
1453
1454 limits = nvlist_create(0);
1455 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1456 CHECK(cap_limit_set(capsysctl, limits) == 0);
1457 limits = nvlist_create(0);
1458 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1459 nvlist_add_number(limits, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1460 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1461 limits = nvlist_create(0);
1462 nvlist_add_number(limits, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1463 CHECK(cap_limit_set(capsysctl, limits) == -1 && errno == ENOTCAPABLE);
1464
1465 CHECK(runtest(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
1466 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
1467
1468 cap_close(capsysctl);
1469 }
1470
1471 int
main(void)1472 main(void)
1473 {
1474 cap_channel_t *capcas, *capsysctl;
1475 int scvalue0, scvalue1;
1476 size_t scsize;
1477
1478 printf("1..256\n");
1479 fflush(stdout);
1480
1481 scsize = sizeof(scvalue0);
1482 CHECKX(sysctlbyname(SYSCTL0_NAME, &scvalue0, &scsize, NULL, 0) == 0);
1483 CHECKX(scsize == sizeof(scvalue0));
1484 scsize = sizeof(scvalue1);
1485 CHECKX(sysctlbyname(SYSCTL1_NAME, &scvalue1, &scsize, NULL, 0) == 0);
1486 CHECKX(scsize == sizeof(scvalue1));
1487
1488 capcas = cap_init();
1489 CHECKX(capcas != NULL);
1490
1491 capsysctl = cap_service_open(capcas, "system.sysctl");
1492 CHECKX(capsysctl != NULL);
1493
1494 cap_close(capcas);
1495
1496 /* No limits set. */
1497
1498 CHECK(runtest(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
1499 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
1500 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
1501 SYSCTL1_READ_WRITE));
1502
1503 test_operation(capsysctl);
1504
1505 test_names(capsysctl);
1506
1507 cap_close(capsysctl);
1508
1509 CHECK(sysctlbyname(SYSCTL0_NAME, NULL, NULL, &scvalue0,
1510 sizeof(scvalue0)) == 0);
1511 CHECK(sysctlbyname(SYSCTL1_NAME, NULL, NULL, &scvalue1,
1512 sizeof(scvalue1)) == 0);
1513
1514 exit(0);
1515 }
1516