1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 2013, 2018 The FreeBSD Foundation
5 * All rights reserved.
6 *
7 * This software was developed by Pawel Jakub Dawidek under sponsorship from
8 * the FreeBSD Foundation.
9 *
10 * Portions of this software were developed by Mark Johnston
11 * under sponsorship from the FreeBSD Foundation.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
37
38 #include <sys/types.h>
39 #include <sys/capsicum.h>
40 #include <sys/sysctl.h>
41 #include <sys/nv.h>
42
43 #include <assert.h>
44 #include <err.h>
45 #include <errno.h>
46 #include <netdb.h>
47 #include <stdio.h>
48 #include <stdlib.h>
49 #include <string.h>
50 #include <unistd.h>
51
52 #include <libcasper.h>
53 #include <casper/cap_sysctl.h>
54
55 #include <atf-c.h>
56
57 /*
58 * We need some sysctls to perform the tests on.
59 * We remember their values and restore them afer the test is done.
60 */
61 #define SYSCTL0_PARENT "kern"
62 #define SYSCTL0_NAME "kern.sync_on_panic"
63 #define SYSCTL0_FILE "./sysctl0"
64 #define SYSCTL1_PARENT "debug"
65 #define SYSCTL1_NAME "debug.minidump"
66 #define SYSCTL1_FILE "./sysctl1"
67
68 #define SYSCTL0_READ0 0x0001
69 #define SYSCTL0_READ1 0x0002
70 #define SYSCTL0_READ2 0x0004
71 #define SYSCTL0_WRITE 0x0008
72 #define SYSCTL0_READ_WRITE 0x0010
73 #define SYSCTL1_READ0 0x0020
74 #define SYSCTL1_READ1 0x0040
75 #define SYSCTL1_READ2 0x0080
76 #define SYSCTL1_WRITE 0x0100
77 #define SYSCTL1_READ_WRITE 0x0200
78
79 static void
save_int_sysctl(const char * name,const char * file)80 save_int_sysctl(const char *name, const char *file)
81 {
82 ssize_t n;
83 size_t sz;
84 int error, fd, val;
85
86 sz = sizeof(val);
87 error = sysctlbyname(name, &val, &sz, NULL, 0);
88 ATF_REQUIRE_MSG(error == 0,
89 "sysctlbyname(%s): %s", name, strerror(errno));
90
91 fd = open(file, O_CREAT | O_WRONLY, 0600);
92 ATF_REQUIRE_MSG(fd >= 0, "open(%s): %s", file, strerror(errno));
93 n = write(fd, &val, sz);
94 ATF_REQUIRE(n >= 0 && (size_t)n == sz);
95 error = close(fd);
96 ATF_REQUIRE(error == 0);
97 }
98
99 static void
restore_int_sysctl(const char * name,const char * file)100 restore_int_sysctl(const char *name, const char *file)
101 {
102 ssize_t n;
103 size_t sz;
104 int error, fd, val;
105
106 fd = open(file, O_RDONLY);
107 ATF_REQUIRE(fd >= 0);
108 sz = sizeof(val);
109 n = read(fd, &val, sz);
110 ATF_REQUIRE(n >= 0 && (size_t)n == sz);
111 error = unlink(file);
112 ATF_REQUIRE(error == 0);
113 error = close(fd);
114 ATF_REQUIRE(error == 0);
115
116 error = sysctlbyname(name, NULL, NULL, &val, sz);
117 ATF_REQUIRE_MSG(error == 0,
118 "sysctlbyname(%s): %s", name, strerror(errno));
119 }
120
121 static cap_channel_t *
initcap(void)122 initcap(void)
123 {
124 cap_channel_t *capcas, *capsysctl;
125
126 save_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE);
127 save_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE);
128
129 capcas = cap_init();
130 ATF_REQUIRE(capcas != NULL);
131
132 capsysctl = cap_service_open(capcas, "system.sysctl");
133 ATF_REQUIRE(capsysctl != NULL);
134
135 cap_close(capcas);
136
137 return (capsysctl);
138 }
139
140 static void
cleanup(void)141 cleanup(void)
142 {
143
144 restore_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE);
145 restore_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE);
146 }
147
148 static unsigned int
checkcaps(cap_channel_t * capsysctl)149 checkcaps(cap_channel_t *capsysctl)
150 {
151 unsigned int result;
152 size_t len0, len1, oldsize;
153 int error, mib0[2], mib1[2], oldvalue, newvalue;
154
155 result = 0;
156
157 len0 = nitems(mib0);
158 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len0) == 0);
159 len1 = nitems(mib1);
160 ATF_REQUIRE(sysctlnametomib(SYSCTL1_NAME, mib1, &len1) == 0);
161
162 oldsize = sizeof(oldvalue);
163 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize,
164 NULL, 0) == 0) {
165 if (oldsize == sizeof(oldvalue))
166 result |= SYSCTL0_READ0;
167 }
168 error = cap_sysctl(capsysctl, mib0, len0, &oldvalue, &oldsize, NULL, 0);
169 if ((result & SYSCTL0_READ0) != 0)
170 ATF_REQUIRE(error == 0);
171 else
172 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
173
174 newvalue = 123;
175 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue,
176 sizeof(newvalue)) == 0) {
177 result |= SYSCTL0_WRITE;
178 }
179
180 if ((result & SYSCTL0_WRITE) != 0) {
181 oldsize = sizeof(oldvalue);
182 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue,
183 &oldsize, NULL, 0) == 0) {
184 if (oldsize == sizeof(oldvalue) && oldvalue == 123)
185 result |= SYSCTL0_READ1;
186 }
187 }
188 newvalue = 123;
189 error = cap_sysctl(capsysctl, mib0, len0, NULL, NULL,
190 &newvalue, sizeof(newvalue));
191 if ((result & SYSCTL0_WRITE) != 0)
192 ATF_REQUIRE(error == 0);
193 else
194 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
195
196 oldsize = sizeof(oldvalue);
197 newvalue = 4567;
198 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize,
199 &newvalue, sizeof(newvalue)) == 0) {
200 if (oldsize == sizeof(oldvalue) && oldvalue == 123)
201 result |= SYSCTL0_READ_WRITE;
202 }
203
204 if ((result & SYSCTL0_READ_WRITE) != 0) {
205 oldsize = sizeof(oldvalue);
206 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue,
207 &oldsize, NULL, 0) == 0) {
208 if (oldsize == sizeof(oldvalue) && oldvalue == 4567)
209 result |= SYSCTL0_READ2;
210 }
211 }
212
213 oldsize = sizeof(oldvalue);
214 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize,
215 NULL, 0) == 0) {
216 if (oldsize == sizeof(oldvalue))
217 result |= SYSCTL1_READ0;
218 }
219 error = cap_sysctl(capsysctl, mib1, len1, &oldvalue, &oldsize, NULL, 0);
220 if ((result & SYSCTL1_READ0) != 0)
221 ATF_REQUIRE(error == 0);
222 else
223 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
224
225 newvalue = 506;
226 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue,
227 sizeof(newvalue)) == 0) {
228 result |= SYSCTL1_WRITE;
229 }
230
231 if ((result & SYSCTL1_WRITE) != 0) {
232 newvalue = 506;
233 ATF_REQUIRE(cap_sysctl(capsysctl, mib1, len1, NULL, NULL,
234 &newvalue, sizeof(newvalue)) == 0);
235
236 oldsize = sizeof(oldvalue);
237 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue,
238 &oldsize, NULL, 0) == 0) {
239 if (oldsize == sizeof(oldvalue) && oldvalue == 506)
240 result |= SYSCTL1_READ1;
241 }
242 }
243 newvalue = 506;
244 error = cap_sysctl(capsysctl, mib1, len1, NULL, NULL,
245 &newvalue, sizeof(newvalue));
246 if ((result & SYSCTL1_WRITE) != 0)
247 ATF_REQUIRE(error == 0);
248 else
249 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
250
251 oldsize = sizeof(oldvalue);
252 newvalue = 7008;
253 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize,
254 &newvalue, sizeof(newvalue)) == 0) {
255 if (oldsize == sizeof(oldvalue) && oldvalue == 506)
256 result |= SYSCTL1_READ_WRITE;
257 }
258
259 if ((result & SYSCTL1_READ_WRITE) != 0) {
260 oldsize = sizeof(oldvalue);
261 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue,
262 &oldsize, NULL, 0) == 0) {
263 if (oldsize == sizeof(oldvalue) && oldvalue == 7008)
264 result |= SYSCTL1_READ2;
265 }
266 }
267
268 return (result);
269 }
270
271 ATF_TC_WITH_CLEANUP(cap_sysctl__operation);
ATF_TC_HEAD(cap_sysctl__operation,tc)272 ATF_TC_HEAD(cap_sysctl__operation, tc)
273 {
274 }
ATF_TC_BODY(cap_sysctl__operation,tc)275 ATF_TC_BODY(cap_sysctl__operation, tc)
276 {
277 cap_channel_t *capsysctl, *ocapsysctl;
278 void *limit;
279
280 ocapsysctl = initcap();
281
282 /*
283 * Allow:
284 * SYSCTL0_PARENT/RDWR/RECURSIVE
285 * SYSCTL1_PARENT/RDWR/RECURSIVE
286 */
287
288 capsysctl = cap_clone(ocapsysctl);
289 ATF_REQUIRE(capsysctl != NULL);
290
291 limit = cap_sysctl_limit_init(capsysctl);
292 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
293 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
294 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
295 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
296 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
297
298 limit = cap_sysctl_limit_init(capsysctl);
299 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
300 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
301 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
302 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
303 (void)cap_sysctl_limit_name(limit, "foo.bar",
304 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
305 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
306
307 limit = cap_sysctl_limit_init(capsysctl);
308 (void)cap_sysctl_limit_name(limit, "foo.bar",
309 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
310 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
311
312 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
313 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
314 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
315 SYSCTL1_READ_WRITE));
316
317 limit = cap_sysctl_limit_init(capsysctl);
318 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
319 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
320 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
321 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
322 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
323
324 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
325 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
326 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
327 SYSCTL1_READ_WRITE));
328
329 limit = cap_sysctl_limit_init(capsysctl);
330 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
331 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
332 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
333 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
334 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
335
336 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
337
338 limit = cap_sysctl_limit_init(capsysctl);
339 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
340 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
341 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
342
343 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
344
345 limit = cap_sysctl_limit_init(capsysctl);
346 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
347 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
348
349 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0);
350
351 cap_close(capsysctl);
352
353 /*
354 * Allow:
355 * SYSCTL0_NAME/RDWR/RECURSIVE
356 * SYSCTL1_NAME/RDWR/RECURSIVE
357 */
358
359 capsysctl = cap_clone(ocapsysctl);
360 ATF_REQUIRE(capsysctl != NULL);
361
362 limit = cap_sysctl_limit_init(capsysctl);
363 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
364 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
365 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
366 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
367 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
368
369 limit = cap_sysctl_limit_init(capsysctl);
370 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
371 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
372 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
373 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
374 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
375 limit = cap_sysctl_limit_init(capsysctl);
376 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
377 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
378 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
379 limit = cap_sysctl_limit_init(capsysctl);
380 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
381 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
382 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
383 limit = cap_sysctl_limit_init(capsysctl);
384 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
385 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
386
387 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
388 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
389 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
390 SYSCTL1_READ_WRITE));
391
392 cap_close(capsysctl);
393
394 /*
395 * Allow:
396 * SYSCTL0_PARENT/RDWR
397 * SYSCTL1_PARENT/RDWR
398 */
399
400 capsysctl = cap_clone(ocapsysctl);
401 ATF_REQUIRE(capsysctl != NULL);
402
403 limit = cap_sysctl_limit_init(capsysctl);
404 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
405 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
406 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
407 limit = cap_sysctl_limit_init(capsysctl);
408 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
409 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
410 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
411 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
412 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
413 limit = cap_sysctl_limit_init(capsysctl);
414 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
415 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
416 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
417 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
418 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
419 limit = cap_sysctl_limit_init(capsysctl);
420 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
421 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
422 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
423
424 ATF_REQUIRE(checkcaps(capsysctl) == 0);
425
426 cap_close(capsysctl);
427
428 /*
429 * Allow:
430 * SYSCTL0_NAME/RDWR
431 * SYSCTL1_NAME/RDWR
432 */
433
434 capsysctl = cap_clone(ocapsysctl);
435 ATF_REQUIRE(capsysctl != NULL);
436
437 limit = cap_sysctl_limit_init(capsysctl);
438 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
439 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
440 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
441 limit = cap_sysctl_limit_init(capsysctl);
442 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
443 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
444 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
445 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
446 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
447 limit = cap_sysctl_limit_init(capsysctl);
448 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
449 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
450 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
451 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
452 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
453 limit = cap_sysctl_limit_init(capsysctl);
454 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
455 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
456 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
457
458 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
459 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
460 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
461 SYSCTL1_READ_WRITE));
462
463 cap_close(capsysctl);
464
465 /*
466 * Allow:
467 * SYSCTL0_PARENT/RDWR
468 * SYSCTL1_PARENT/RDWR/RECURSIVE
469 */
470
471 capsysctl = cap_clone(ocapsysctl);
472 ATF_REQUIRE(capsysctl != NULL);
473
474 limit = cap_sysctl_limit_init(capsysctl);
475 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
476 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
477 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
478 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
479 limit = cap_sysctl_limit_init(capsysctl);
480 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
481 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
482 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
483 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
484 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
485 limit = cap_sysctl_limit_init(capsysctl);
486 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
487 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
488 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
489 limit = cap_sysctl_limit_init(capsysctl);
490 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
491 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
492 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
493 limit = cap_sysctl_limit_init(capsysctl);
494 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
495 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
496 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
497
498 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
499 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
500
501 cap_close(capsysctl);
502
503 /*
504 * Allow:
505 * SYSCTL0_NAME/RDWR
506 * SYSCTL1_NAME/RDWR/RECURSIVE
507 */
508
509 capsysctl = cap_clone(ocapsysctl);
510 ATF_REQUIRE(capsysctl != NULL);
511
512 limit = cap_sysctl_limit_init(capsysctl);
513 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
514 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
515 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
516 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
517 limit = cap_sysctl_limit_init(capsysctl);
518 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
519 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
520 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
521 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
522 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
523 limit = cap_sysctl_limit_init(capsysctl);
524 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
525 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
526 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
527 limit = cap_sysctl_limit_init(capsysctl);
528 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
529 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
530 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
531
532 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
533 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
534 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
535 SYSCTL1_READ_WRITE));
536
537 cap_close(capsysctl);
538
539 /*
540 * Allow:
541 * SYSCTL0_PARENT/READ/RECURSIVE
542 * SYSCTL1_PARENT/READ/RECURSIVE
543 */
544
545 capsysctl = cap_clone(ocapsysctl);
546 ATF_REQUIRE(capsysctl != NULL);
547
548 limit = cap_sysctl_limit_init(capsysctl);
549 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
550 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
551 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
552 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
553 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
554 limit = cap_sysctl_limit_init(capsysctl);
555 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
556 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
557 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
558 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
559 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
560 limit = cap_sysctl_limit_init(capsysctl);
561 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
562 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
563 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
564 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
565 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
566 limit = cap_sysctl_limit_init(capsysctl);
567 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
568 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
569 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
570 limit = cap_sysctl_limit_init(capsysctl);
571 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
572 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
573 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
574 limit = cap_sysctl_limit_init(capsysctl);
575 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
576 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
577 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
578 limit = cap_sysctl_limit_init(capsysctl);
579 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
580 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
581 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
582 limit = cap_sysctl_limit_init(capsysctl);
583 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
584 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
585 limit = cap_sysctl_limit_init(capsysctl);
586 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
587 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
588
589 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
590
591 cap_close(capsysctl);
592
593 /*
594 * Allow:
595 * SYSCTL0_NAME/READ/RECURSIVE
596 * SYSCTL1_NAME/READ/RECURSIVE
597 */
598
599 capsysctl = cap_clone(ocapsysctl);
600 ATF_REQUIRE(capsysctl != NULL);
601
602 limit = cap_sysctl_limit_init(capsysctl);
603 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
604 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
605 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
606 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
607 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
608 limit = cap_sysctl_limit_init(capsysctl);
609 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
610 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
611 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
612 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
613 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
614 limit = cap_sysctl_limit_init(capsysctl);
615 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
616 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
617 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
618 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
619 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
620 limit = cap_sysctl_limit_init(capsysctl);
621 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
622 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
623 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
624 limit = cap_sysctl_limit_init(capsysctl);
625 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
626 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
627 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
628 limit = cap_sysctl_limit_init(capsysctl);
629 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
630 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
631 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
632 limit = cap_sysctl_limit_init(capsysctl);
633 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
634 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
635 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
636 limit = cap_sysctl_limit_init(capsysctl);
637 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
638 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
639 limit = cap_sysctl_limit_init(capsysctl);
640 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
641 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
642
643 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
644
645 cap_close(capsysctl);
646
647 /*
648 * Allow:
649 * SYSCTL0_PARENT/READ
650 * SYSCTL1_PARENT/READ
651 */
652
653 capsysctl = cap_clone(ocapsysctl);
654 ATF_REQUIRE(capsysctl != NULL);
655
656 limit = cap_sysctl_limit_init(capsysctl);
657 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
658 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
659 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
660 limit = cap_sysctl_limit_init(capsysctl);
661 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
662 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
663 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
664 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
665 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
666 limit = cap_sysctl_limit_init(capsysctl);
667 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
668 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
669 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
670 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
671 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
672 limit = cap_sysctl_limit_init(capsysctl);
673 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
674 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
675 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
676 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
677 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
678 limit = cap_sysctl_limit_init(capsysctl);
679 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
680 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
681 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
682 limit = cap_sysctl_limit_init(capsysctl);
683 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
684 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
685 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
686 limit = cap_sysctl_limit_init(capsysctl);
687 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
688 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
689 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
690 limit = cap_sysctl_limit_init(capsysctl);
691 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
692 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
693 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
694 limit = cap_sysctl_limit_init(capsysctl);
695 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
696 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
697 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
698 limit = cap_sysctl_limit_init(capsysctl);
699 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
700 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
701 limit = cap_sysctl_limit_init(capsysctl);
702 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
703 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
704
705 ATF_REQUIRE(checkcaps(capsysctl) == 0);
706
707 cap_close(capsysctl);
708
709 /*
710 * Allow:
711 * SYSCTL0_NAME/READ
712 * SYSCTL1_NAME/READ
713 */
714
715 capsysctl = cap_clone(ocapsysctl);
716 ATF_REQUIRE(capsysctl != NULL);
717
718 limit = cap_sysctl_limit_init(capsysctl);
719 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
720 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
721 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
722 limit = cap_sysctl_limit_init(capsysctl);
723 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
724 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
725 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
726 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
727 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
728 limit = cap_sysctl_limit_init(capsysctl);
729 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
730 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
731 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
732 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
733 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
734 limit = cap_sysctl_limit_init(capsysctl);
735 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
736 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
737 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
738 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
739 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
740 limit = cap_sysctl_limit_init(capsysctl);
741 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
742 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
743 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
744 limit = cap_sysctl_limit_init(capsysctl);
745 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
746 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
747 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
748 limit = cap_sysctl_limit_init(capsysctl);
749 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
750 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
751 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
752 limit = cap_sysctl_limit_init(capsysctl);
753 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
754 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
755 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
756 limit = cap_sysctl_limit_init(capsysctl);
757 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
758 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
759 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
760 limit = cap_sysctl_limit_init(capsysctl);
761 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
762 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
763 limit = cap_sysctl_limit_init(capsysctl);
764 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
765 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
766
767 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
768
769 cap_close(capsysctl);
770
771 /*
772 * Allow:
773 * SYSCTL0_PARENT/READ
774 * SYSCTL1_PARENT/READ/RECURSIVE
775 */
776
777 capsysctl = cap_clone(ocapsysctl);
778 ATF_REQUIRE(capsysctl != NULL);
779
780 limit = cap_sysctl_limit_init(capsysctl);
781 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
782 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
783 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
784 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
785 limit = cap_sysctl_limit_init(capsysctl);
786 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
787 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
788 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
789 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
790
791 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0);
792
793 cap_close(capsysctl);
794
795 /*
796 * Allow:
797 * SYSCTL0_NAME/READ
798 * SYSCTL1_NAME/READ/RECURSIVE
799 */
800
801 capsysctl = cap_clone(ocapsysctl);
802 ATF_REQUIRE(capsysctl != NULL);
803
804 limit = cap_sysctl_limit_init(capsysctl);
805 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
806 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
807 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
808 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
809 limit = cap_sysctl_limit_init(capsysctl);
810 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
811 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
812 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
813 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
814
815 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
816
817 cap_close(capsysctl);
818
819 /*
820 * Allow:
821 * SYSCTL0_PARENT/WRITE/RECURSIVE
822 * SYSCTL1_PARENT/WRITE/RECURSIVE
823 */
824
825 capsysctl = cap_clone(ocapsysctl);
826 ATF_REQUIRE(capsysctl != NULL);
827
828 limit = cap_sysctl_limit_init(capsysctl);
829 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
830 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
831 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
832 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
833 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
834 limit = cap_sysctl_limit_init(capsysctl);
835 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
836 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
837 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
838 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
839 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
840 limit = cap_sysctl_limit_init(capsysctl);
841 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
842 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
843 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
844 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
845 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
846 limit = cap_sysctl_limit_init(capsysctl);
847 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
848 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
849 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
850 limit = cap_sysctl_limit_init(capsysctl);
851 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
852 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
853 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
854 limit = cap_sysctl_limit_init(capsysctl);
855 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
856 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
857 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
858 limit = cap_sysctl_limit_init(capsysctl);
859 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
860 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
861 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
862 limit = cap_sysctl_limit_init(capsysctl);
863 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
864 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
865 limit = cap_sysctl_limit_init(capsysctl);
866 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
867 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
868
869 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
870
871 cap_close(capsysctl);
872
873 /*
874 * Allow:
875 * SYSCTL0_NAME/WRITE/RECURSIVE
876 * SYSCTL1_NAME/WRITE/RECURSIVE
877 */
878
879 capsysctl = cap_clone(ocapsysctl);
880 ATF_REQUIRE(capsysctl != NULL);
881
882 limit = cap_sysctl_limit_init(capsysctl);
883 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
884 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
885 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
886 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
887 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
888 limit = cap_sysctl_limit_init(capsysctl);
889 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
890 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
891 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
892 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
893 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
894 limit = cap_sysctl_limit_init(capsysctl);
895 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
896 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
897 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
898 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
899 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
900 limit = cap_sysctl_limit_init(capsysctl);
901 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
902 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
903 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
904 limit = cap_sysctl_limit_init(capsysctl);
905 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
906 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
907 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
908 limit = cap_sysctl_limit_init(capsysctl);
909 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
910 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
911 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
912 limit = cap_sysctl_limit_init(capsysctl);
913 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
914 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
915 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
916 limit = cap_sysctl_limit_init(capsysctl);
917 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
918 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
919 limit = cap_sysctl_limit_init(capsysctl);
920 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
921 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
922
923 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
924
925 cap_close(capsysctl);
926
927 /*
928 * Allow:
929 * SYSCTL0_PARENT/WRITE
930 * SYSCTL1_PARENT/WRITE
931 */
932
933 capsysctl = cap_clone(ocapsysctl);
934 ATF_REQUIRE(capsysctl != NULL);
935
936 limit = cap_sysctl_limit_init(capsysctl);
937 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
938 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
939 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
940 limit = cap_sysctl_limit_init(capsysctl);
941 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
942 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
943 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
944 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
945 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
946 limit = cap_sysctl_limit_init(capsysctl);
947 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
948 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
949 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
950 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
951 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
952 limit = cap_sysctl_limit_init(capsysctl);
953 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
954 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
955 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
956 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
957 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
958 limit = cap_sysctl_limit_init(capsysctl);
959 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
960 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
961 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
962 limit = cap_sysctl_limit_init(capsysctl);
963 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
964 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
965 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
966 limit = cap_sysctl_limit_init(capsysctl);
967 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
968 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
969 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
970 limit = cap_sysctl_limit_init(capsysctl);
971 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
972 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
973 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
974 limit = cap_sysctl_limit_init(capsysctl);
975 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
976 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
977 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
978 limit = cap_sysctl_limit_init(capsysctl);
979 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
980 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
981 limit = cap_sysctl_limit_init(capsysctl);
982 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
983 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
984
985 ATF_REQUIRE(checkcaps(capsysctl) == 0);
986
987 cap_close(capsysctl);
988
989 /*
990 * Allow:
991 * SYSCTL0_NAME/WRITE
992 * SYSCTL1_NAME/WRITE
993 */
994
995 capsysctl = cap_clone(ocapsysctl);
996 ATF_REQUIRE(capsysctl != NULL);
997
998 limit = cap_sysctl_limit_init(capsysctl);
999 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1000 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1001 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1002 limit = cap_sysctl_limit_init(capsysctl);
1003 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1004 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1005 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1006 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1007 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1008 limit = cap_sysctl_limit_init(capsysctl);
1009 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1010 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1011 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1012 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1013 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1014 limit = cap_sysctl_limit_init(capsysctl);
1015 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1016 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1017 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1018 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1019 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1020 limit = cap_sysctl_limit_init(capsysctl);
1021 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1022 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1023 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1024 limit = cap_sysctl_limit_init(capsysctl);
1025 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1026 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1027 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1028 limit = cap_sysctl_limit_init(capsysctl);
1029 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1030 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1031 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1032 limit = cap_sysctl_limit_init(capsysctl);
1033 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1034 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1035 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1036 limit = cap_sysctl_limit_init(capsysctl);
1037 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1038 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1039 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1040 limit = cap_sysctl_limit_init(capsysctl);
1041 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1042 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1043 limit = cap_sysctl_limit_init(capsysctl);
1044 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1045 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1046
1047 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
1048
1049 cap_close(capsysctl);
1050
1051 /*
1052 * Allow:
1053 * SYSCTL0_PARENT/WRITE
1054 * SYSCTL1_PARENT/WRITE/RECURSIVE
1055 */
1056
1057 capsysctl = cap_clone(ocapsysctl);
1058 ATF_REQUIRE(capsysctl != NULL);
1059
1060 limit = cap_sysctl_limit_init(capsysctl);
1061 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1062 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1063 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1064 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1065 limit = cap_sysctl_limit_init(capsysctl);
1066 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1067 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1068 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1069 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1070
1071 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1072
1073 cap_close(capsysctl);
1074
1075 /*
1076 * Allow:
1077 * SYSCTL0_NAME/WRITE
1078 * SYSCTL1_NAME/WRITE/RECURSIVE
1079 */
1080
1081 capsysctl = cap_clone(ocapsysctl);
1082 ATF_REQUIRE(capsysctl != NULL);
1083
1084 limit = cap_sysctl_limit_init(capsysctl);
1085 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1086 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1087 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1088 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1089 limit = cap_sysctl_limit_init(capsysctl);
1090 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1091 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1092 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1093 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1094
1095 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
1096
1097 cap_close(capsysctl);
1098
1099 /*
1100 * Allow:
1101 * SYSCTL0_PARENT/READ/RECURSIVE
1102 * SYSCTL1_PARENT/WRITE/RECURSIVE
1103 */
1104
1105 capsysctl = cap_clone(ocapsysctl);
1106 ATF_REQUIRE(capsysctl != NULL);
1107
1108 limit = cap_sysctl_limit_init(capsysctl);
1109 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1110 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1111 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1112 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1113 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1114
1115 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1116
1117 cap_close(capsysctl);
1118
1119 /*
1120 * Allow:
1121 * SYSCTL0_NAME/READ/RECURSIVE
1122 * SYSCTL1_NAME/WRITE/RECURSIVE
1123 */
1124
1125 capsysctl = cap_clone(ocapsysctl);
1126 ATF_REQUIRE(capsysctl != NULL);
1127
1128 limit = cap_sysctl_limit_init(capsysctl);
1129 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1130 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1131 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1132 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1133 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1134
1135 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1136
1137 cap_close(capsysctl);
1138
1139 /*
1140 * Allow:
1141 * SYSCTL0_PARENT/READ
1142 * SYSCTL1_PARENT/WRITE
1143 */
1144
1145 capsysctl = cap_clone(ocapsysctl);
1146 ATF_REQUIRE(capsysctl != NULL);
1147
1148 limit = cap_sysctl_limit_init(capsysctl);
1149 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1150 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1151 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1152
1153 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1154
1155 cap_close(capsysctl);
1156
1157 /*
1158 * Allow:
1159 * SYSCTL0_NAME/READ
1160 * SYSCTL1_NAME/WRITE
1161 */
1162
1163 capsysctl = cap_clone(ocapsysctl);
1164 ATF_REQUIRE(capsysctl != NULL);
1165
1166 limit = cap_sysctl_limit_init(capsysctl);
1167 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1168 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1169 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1170
1171 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1172
1173 cap_close(capsysctl);
1174
1175 /*
1176 * Allow:
1177 * SYSCTL0_PARENT/READ
1178 * SYSCTL1_PARENT/WRITE/RECURSIVE
1179 */
1180
1181 capsysctl = cap_clone(ocapsysctl);
1182 ATF_REQUIRE(capsysctl != NULL);
1183
1184 limit = cap_sysctl_limit_init(capsysctl);
1185 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1186 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1187 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1188 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1189
1190 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1191
1192 cap_close(capsysctl);
1193
1194 /*
1195 * Allow:
1196 * SYSCTL0_NAME/READ
1197 * SYSCTL1_NAME/WRITE/RECURSIVE
1198 */
1199
1200 capsysctl = cap_clone(ocapsysctl);
1201 ATF_REQUIRE(capsysctl != NULL);
1202
1203 limit = cap_sysctl_limit_init(capsysctl);
1204 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1205 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1206 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1207 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1208
1209 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1210
1211 cap_close(capsysctl);
1212 }
ATF_TC_CLEANUP(cap_sysctl__operation,tc)1213 ATF_TC_CLEANUP(cap_sysctl__operation, tc)
1214 {
1215 cleanup();
1216 }
1217
1218 ATF_TC_WITH_CLEANUP(cap_sysctl__names);
ATF_TC_HEAD(cap_sysctl__names,tc)1219 ATF_TC_HEAD(cap_sysctl__names, tc)
1220 {
1221 }
ATF_TC_BODY(cap_sysctl__names,tc)1222 ATF_TC_BODY(cap_sysctl__names, tc)
1223 {
1224 cap_channel_t *capsysctl, *ocapsysctl;
1225 void *limit;
1226
1227 ocapsysctl = initcap();
1228
1229 /*
1230 * Allow:
1231 * SYSCTL0_PARENT/READ/RECURSIVE
1232 */
1233
1234 capsysctl = cap_clone(ocapsysctl);
1235 ATF_REQUIRE(capsysctl != NULL);
1236
1237 limit = cap_sysctl_limit_init(capsysctl);
1238 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1239 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1240 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1241 limit = cap_sysctl_limit_init(capsysctl);
1242 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1243 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1244 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1245 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1246 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1247 limit = cap_sysctl_limit_init(capsysctl);
1248 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1249 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1250 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1251 limit = cap_sysctl_limit_init(capsysctl);
1252 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1253 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1254 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1255 limit = cap_sysctl_limit_init(capsysctl);
1256 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1257 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1258
1259 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0);
1260
1261 cap_close(capsysctl);
1262
1263 /*
1264 * Allow:
1265 * SYSCTL1_NAME/READ/RECURSIVE
1266 */
1267
1268 capsysctl = cap_clone(ocapsysctl);
1269 ATF_REQUIRE(capsysctl != NULL);
1270
1271 limit = cap_sysctl_limit_init(capsysctl);
1272 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1273 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1274 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1275 limit = cap_sysctl_limit_init(capsysctl);
1276 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1277 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1278 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1279 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1280 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1281 limit = cap_sysctl_limit_init(capsysctl);
1282 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1283 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1284 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1285 limit = cap_sysctl_limit_init(capsysctl);
1286 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1287 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1288 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1289 limit = cap_sysctl_limit_init(capsysctl);
1290 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1291 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1292
1293 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0);
1294
1295 cap_close(capsysctl);
1296
1297 /*
1298 * Allow:
1299 * SYSCTL0_PARENT/WRITE/RECURSIVE
1300 */
1301
1302 capsysctl = cap_clone(ocapsysctl);
1303 ATF_REQUIRE(capsysctl != NULL);
1304
1305 limit = cap_sysctl_limit_init(capsysctl);
1306 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1307 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1308 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1309 limit = cap_sysctl_limit_init(capsysctl);
1310 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1311 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1312 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1313 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1314 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1315 limit = cap_sysctl_limit_init(capsysctl);
1316 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1317 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1318 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1319 limit = cap_sysctl_limit_init(capsysctl);
1320 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1321 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1322 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1323 limit = cap_sysctl_limit_init(capsysctl);
1324 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1325 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1326
1327 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_WRITE);
1328
1329 cap_close(capsysctl);
1330
1331 /*
1332 * Allow:
1333 * SYSCTL1_NAME/WRITE/RECURSIVE
1334 */
1335
1336 capsysctl = cap_clone(ocapsysctl);
1337 ATF_REQUIRE(capsysctl != NULL);
1338
1339 limit = cap_sysctl_limit_init(capsysctl);
1340 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1341 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1342 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1343 limit = cap_sysctl_limit_init(capsysctl);
1344 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1345 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1346 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1347 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1348 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1349 limit = cap_sysctl_limit_init(capsysctl);
1350 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1351 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1352 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1353 limit = cap_sysctl_limit_init(capsysctl);
1354 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1355 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1356 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1357 limit = cap_sysctl_limit_init(capsysctl);
1358 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1359 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1360
1361 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1362
1363 cap_close(capsysctl);
1364
1365 /*
1366 * Allow:
1367 * SYSCTL0_PARENT/RDWR/RECURSIVE
1368 */
1369
1370 capsysctl = cap_clone(ocapsysctl);
1371 ATF_REQUIRE(capsysctl != NULL);
1372
1373 limit = cap_sysctl_limit_init(capsysctl);
1374 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1375 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1376 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1377 limit = cap_sysctl_limit_init(capsysctl);
1378 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1379 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1380 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1381 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1382 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1383 limit = cap_sysctl_limit_init(capsysctl);
1384 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1385 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1386 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1387 limit = cap_sysctl_limit_init(capsysctl);
1388 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1389 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1390 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1391 limit = cap_sysctl_limit_init(capsysctl);
1392 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1393 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1394
1395 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
1396 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE));
1397
1398 cap_close(capsysctl);
1399
1400 /*
1401 * Allow:
1402 * SYSCTL1_NAME/RDWR/RECURSIVE
1403 */
1404
1405 capsysctl = cap_clone(ocapsysctl);
1406 ATF_REQUIRE(capsysctl != NULL);
1407
1408 limit = cap_sysctl_limit_init(capsysctl);
1409 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1410 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1411 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1412 limit = cap_sysctl_limit_init(capsysctl);
1413 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1414 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1415 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1416 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1417 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1418 limit = cap_sysctl_limit_init(capsysctl);
1419 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1420 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1421 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1422 limit = cap_sysctl_limit_init(capsysctl);
1423 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1424 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1425 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1426 limit = cap_sysctl_limit_init(capsysctl);
1427 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1428 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1429
1430 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
1431 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
1432
1433 cap_close(capsysctl);
1434
1435 /*
1436 * Allow:
1437 * SYSCTL0_PARENT/READ
1438 */
1439
1440 capsysctl = cap_clone(ocapsysctl);
1441 ATF_REQUIRE(capsysctl != NULL);
1442
1443 limit = cap_sysctl_limit_init(capsysctl);
1444 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1445 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1446 limit = cap_sysctl_limit_init(capsysctl);
1447 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1448 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1449 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1450 limit = cap_sysctl_limit_init(capsysctl);
1451 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1452 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1453
1454 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1455
1456 cap_close(capsysctl);
1457
1458 /*
1459 * Allow:
1460 * SYSCTL1_NAME/READ
1461 */
1462
1463 capsysctl = cap_clone(ocapsysctl);
1464 ATF_REQUIRE(capsysctl != NULL);
1465
1466 limit = cap_sysctl_limit_init(capsysctl);
1467 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1468 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1469 limit = cap_sysctl_limit_init(capsysctl);
1470 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1471 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1472 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1473 limit = cap_sysctl_limit_init(capsysctl);
1474 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1475 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1476
1477 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0);
1478
1479 cap_close(capsysctl);
1480
1481 /*
1482 * Allow:
1483 * SYSCTL0_PARENT/WRITE
1484 */
1485
1486 capsysctl = cap_clone(ocapsysctl);
1487 ATF_REQUIRE(capsysctl != NULL);
1488
1489 limit = cap_sysctl_limit_init(capsysctl);
1490 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1491 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1492 limit = cap_sysctl_limit_init(capsysctl);
1493 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1494 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1495 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1496 limit = cap_sysctl_limit_init(capsysctl);
1497 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1498 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1499
1500 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1501
1502 cap_close(capsysctl);
1503
1504 /*
1505 * Allow:
1506 * SYSCTL1_NAME/WRITE
1507 */
1508
1509 capsysctl = cap_clone(ocapsysctl);
1510 ATF_REQUIRE(capsysctl != NULL);
1511
1512 limit = cap_sysctl_limit_init(capsysctl);
1513 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1514 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1515 limit = cap_sysctl_limit_init(capsysctl);
1516 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1517 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1518 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1519 limit = cap_sysctl_limit_init(capsysctl);
1520 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1521 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1522
1523 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1524
1525 cap_close(capsysctl);
1526
1527 /*
1528 * Allow:
1529 * SYSCTL0_PARENT/RDWR
1530 */
1531
1532 capsysctl = cap_clone(ocapsysctl);
1533 ATF_REQUIRE(capsysctl != NULL);
1534
1535 limit = cap_sysctl_limit_init(capsysctl);
1536 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
1537 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1538 limit = cap_sysctl_limit_init(capsysctl);
1539 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
1540 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
1541 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1542 limit = cap_sysctl_limit_init(capsysctl);
1543 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
1544 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1545
1546 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1547
1548 cap_close(capsysctl);
1549
1550 /*
1551 * Allow:
1552 * SYSCTL1_NAME/RDWR
1553 */
1554
1555 capsysctl = cap_clone(ocapsysctl);
1556 ATF_REQUIRE(capsysctl != NULL);
1557
1558 limit = cap_sysctl_limit_init(capsysctl);
1559 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1560 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1561 limit = cap_sysctl_limit_init(capsysctl);
1562 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1563 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1564 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1565 limit = cap_sysctl_limit_init(capsysctl);
1566 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1567 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1568
1569 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
1570 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
1571
1572 cap_close(capsysctl);
1573 }
ATF_TC_CLEANUP(cap_sysctl__names,tc)1574 ATF_TC_CLEANUP(cap_sysctl__names, tc)
1575 {
1576 cleanup();
1577 }
1578
1579 ATF_TC_WITH_CLEANUP(cap_sysctl__no_limits);
ATF_TC_HEAD(cap_sysctl__no_limits,tc)1580 ATF_TC_HEAD(cap_sysctl__no_limits, tc)
1581 {
1582 }
ATF_TC_BODY(cap_sysctl__no_limits,tc)1583 ATF_TC_BODY(cap_sysctl__no_limits, tc)
1584 {
1585 cap_channel_t *capsysctl;
1586
1587 capsysctl = initcap();
1588
1589 ATF_REQUIRE_EQ(checkcaps(capsysctl), (SYSCTL0_READ0 | SYSCTL0_READ1 |
1590 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
1591 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
1592 SYSCTL1_READ_WRITE));
1593 }
ATF_TC_CLEANUP(cap_sysctl__no_limits,tc)1594 ATF_TC_CLEANUP(cap_sysctl__no_limits, tc)
1595 {
1596 cleanup();
1597 }
1598
1599 ATF_TC_WITH_CLEANUP(cap_sysctl__recursive_limits);
ATF_TC_HEAD(cap_sysctl__recursive_limits,tc)1600 ATF_TC_HEAD(cap_sysctl__recursive_limits, tc)
1601 {
1602 }
ATF_TC_BODY(cap_sysctl__recursive_limits,tc)1603 ATF_TC_BODY(cap_sysctl__recursive_limits, tc)
1604 {
1605 cap_channel_t *capsysctl, *ocapsysctl;
1606 void *limit;
1607 size_t len;
1608 int mib[2], val = 420;
1609
1610 len = nitems(mib);
1611 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib, &len) == 0);
1612
1613 ocapsysctl = initcap();
1614
1615 /*
1616 * Make sure that we match entire components.
1617 */
1618 capsysctl = cap_clone(ocapsysctl);
1619 ATF_REQUIRE(capsysctl != NULL);
1620
1621 limit = cap_sysctl_limit_init(capsysctl);
1622 (void)cap_sysctl_limit_name(limit, "ker",
1623 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1624 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1625
1626 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME,
1627 NULL, NULL, &val, sizeof(val)));
1628 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len,
1629 NULL, NULL, &val, sizeof(val)));
1630
1631 cap_close(capsysctl);
1632
1633 /*
1634 * Verify that we check for CAP_SYSCTL_RECURSIVE.
1635 */
1636 capsysctl = cap_clone(ocapsysctl);
1637 ATF_REQUIRE(capsysctl != NULL);
1638
1639 limit = cap_sysctl_limit_init(capsysctl);
1640 (void)cap_sysctl_limit_name(limit, "kern", CAP_SYSCTL_RDWR);
1641 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1642
1643 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME,
1644 NULL, NULL, &val, sizeof(val)));
1645 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len,
1646 NULL, NULL, &val, sizeof(val)));
1647
1648 cap_close(capsysctl);
1649 }
ATF_TC_CLEANUP(cap_sysctl__recursive_limits,tc)1650 ATF_TC_CLEANUP(cap_sysctl__recursive_limits, tc)
1651 {
1652 cleanup();
1653 }
1654
1655 ATF_TC_WITH_CLEANUP(cap_sysctl__just_size);
ATF_TC_HEAD(cap_sysctl__just_size,tc)1656 ATF_TC_HEAD(cap_sysctl__just_size, tc)
1657 {
1658 }
ATF_TC_BODY(cap_sysctl__just_size,tc)1659 ATF_TC_BODY(cap_sysctl__just_size, tc)
1660 {
1661 cap_channel_t *capsysctl;
1662 size_t len;
1663 int mib0[2];
1664
1665 capsysctl = initcap();
1666
1667 len = nitems(mib0);
1668 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len) == 0);
1669
1670 ATF_REQUIRE(cap_sysctlbyname(capsysctl, SYSCTL0_NAME,
1671 NULL, &len, NULL, 0) == 0);
1672 ATF_REQUIRE(len == sizeof(int));
1673 ATF_REQUIRE(cap_sysctl(capsysctl, mib0, nitems(mib0),
1674 NULL, &len, NULL, 0) == 0);
1675 ATF_REQUIRE(len == sizeof(int));
1676
1677 cap_close(capsysctl);
1678 }
ATF_TC_CLEANUP(cap_sysctl__just_size,tc)1679 ATF_TC_CLEANUP(cap_sysctl__just_size, tc)
1680 {
1681 cleanup();
1682 }
1683
ATF_TP_ADD_TCS(tp)1684 ATF_TP_ADD_TCS(tp)
1685 {
1686 ATF_TP_ADD_TC(tp, cap_sysctl__operation);
1687 ATF_TP_ADD_TC(tp, cap_sysctl__names);
1688 ATF_TP_ADD_TC(tp, cap_sysctl__no_limits);
1689 ATF_TP_ADD_TC(tp, cap_sysctl__recursive_limits);
1690 ATF_TP_ADD_TC(tp, cap_sysctl__just_size);
1691
1692 return (atf_no_error());
1693 }
1694