diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/.gitignore b/.gitignore index dd63848..af0feb9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,4 @@ /libcap-*.tar.gz +/libcap-*.tar.sign +/*.asc +/*.src.rpm diff --git a/capfaq-0.2.txt b/capfaq-0.2.txt deleted file mode 100644 index e3e272b..0000000 --- a/capfaq-0.2.txt +++ /dev/null 
@@ -1,264 +0,0 @@ -This is the Linux kernel capabilities FAQ - -Its history, to the extent that I am able to reconstruct it is that -v2.0 was posted to the Linux kernel list on 1999/04/02 by Boris -Tobotras. Thanks to Denis Ducamp for forwarding me a copy. - -Cheers - -Andrew - -Linux Capabilities FAQ 0.2 -========================== - -1) What is a capability? - -The name "capabilities" as used in the Linux kernel can be confusing. -First there are Capabilities as defined in computer science. A -capability is a token used by a process to prove that it is allowed to -do an operation on an object. The capability identifies the object -and the operations allowed on that object. A file descriptor is a -capability. You create the file descriptor with the "open" call and -request read or write permissions. Later, when doing a read or write -operation, the kernel uses the file descriptor as an index into a -data structure that indicates what operations are allowed. This is an -efficient way to check permissions. The necessary data structures are -created once during the "open" call. Later read and write calls only -have to do a table lookup. Operations on capabilities include copying -capabilities, transferring capabilities between processes, modifying a -capability, and revoking a capability. Modifying a capability can be -something like taking a read-write filedescriptor and making it -read-only. A capability often has a notion of an "owner" which is -able to invalidate all copies and derived versions of a capability. -Entire OSes are based on this "capability" model, with varying degrees -of purity. There are other ways of implementing capabilities than the -file descriptor model - traditionally special hardware has been used, -but modern systems also use the memory management unit of the CPU. - -Then there is something quite different called "POSIX capabilities" -which is what Linux uses. 
These capabilities are a partitioning of -the all powerful root privilege into a set of distinct privileges (but -look at securelevel emulation to find out that this isn't necessary -the whole truth). Users familiar with VMS or "Trusted" versions of -other UNIX variants will know this under the name "privileges". The -name "capabilities" comes from the now defunct POSIX draft 1003.1e -which used this name. - -2) So what is a "POSIX capability"? - -A process has three sets of bitmaps called the inheritable(I), -permitted(P), and effective(E) capabilities. Each capability is -implemented as a bit in each of these bitmaps which is either set or -unset. When a process tries to do a privileged operation, the -operating system will check the appropriate bit in the effective set -of the process (instead of checking whether the effective uid of the -process i 0 as is normally done). For example, when a process tries -to set the clock, the Linux kernel will check that the process has the -CAP_SYS_TIME bit (which is currently bit 25) set in its effective set. - -The permitted set of the process indicates the capabilities the -process can use. The process can have capabilities set in the -permitted set that are not in the effective set. This indicates that -the process has temporarily disabled this capability. A process is -allowed to set a bit in its effective set only if it is available in -the permitted set. The distinction between effective and permitted -exists so that processes can "bracket" operations that need privilege. - -The inheritable capabilities are the capabilities of the current -process that should be inherited by a program executed by the current -process. The permitted set of a process is masked against the -inheritable set during exec(). Nothing special happens during fork() -or clone(). Child processes and threads are given an exact copy of -the capabilities of the parent process. - -3) What about other entities in the system? Users, Groups, Files? 
- -Files have capabilities. Conceptually they have the same three -bitmaps that processes have, but to avoid confusion we call them by -other names. Only executable files have capabilities, libraries don't -have capabilities (yet). The three sets are called the allowed set, -the forced set, and the effective set. - -The allowed set indicates what capabilities the executable is allowed -to receive from an execing process. This means that during exec(), -the capabilities of the old process are first masked against a set -which indicates what the process gives away (the inheritable set of -the process), and then they are masked against a set which indicates -what capabilities the new process image is allowed to receive (the -allowed set of the executable). - -The forced set is a set of capabilities created out of thin air and -given to the process after execing the executable. The forced set is -similar in nature to the setuid feature. In fact, the setuid bit from -the filesystem is "read" as a full forced set by the kernel. - -The effective set indicates which bits in the permitted set of the new -process should be transferred to the effective set of the new process. -The effective set is best thought of as a "capability aware" set. It -should consist of only 1s if the executable is capability-dumb, or -only 0s if the executable is capability-smart. Since the effective -set consists of only 0s or only 1s, the filesystem can implement this -set using a single bit. - -NOTE: Filesystem support for capabilities is not part of Linux 2.2. - -Users and Groups don't have associated capabilities from the kernel's -point of view, but it is entirely reasonable to associate users or -groups with capabilities. By letting the "login" program set some -capabilities it is possible to make role users such as a backup user -that will have the CAP_DAC_READ_SEARCH capability and be able to do -backups. This could also be implemented as a PAM module, but nobody -has implemented one yet. 
- -4) What capabilities exist? - -The capabilities available in Linux are listed and documented in the -file /usr/src/linux/include/linux/capability.h. - -5) Are Linux capabilities hierarchical? - -No, you cannot make a "subcapability" out of a Linux capability as in -capability-based OSes. - -6) How can I use capabilities to make sure Mr. Evil Luser (eluser) -can't exploit my "suid" programs? - -This is the general outline of how this works given filesystem -capability support exists. First, you have a PAM module that sets the -inheritable capabilities of the login-shell of eluser. Then for all -"suid" programs on the system, you decide what capabilities they need -and set the _allowed_ set of the executable to that set of -capabilities. The capability rules - - new permitted = forced | (allowed & inheritable) - -means that you should be careful about setting forced capabilities on -executables. In a few cases, this can be useful though. For example -the login program needs to set the inheritable set of the new user and -therefore needs an almost full permitted set. So if you want eluser -to be able to run login and log in as a different user, you will have -to set some forced bits on that executable. - -7) What about passing capabilities between processes? - -Currently this is done by the system call "setcap" which can set the -capabilities of another process. This requires the CAP_SETPCAP -capability which you really only want to grant a _few_ processes. -CAP_SETPCAP was originally intended as a workaround to be able to -implement filesystem support for capabilities using a daemon outside -the kernel. - -There has been discussions about implementing socket-level capability -passing. This means that you can pass a capability over a socket. No -support for this exists in the official kernel yet. - -8) I see securelevel has been removed from 2.2 and are superceeded by -capabilities. How do I emulate securelevel using capabilities? 
- -The setcap system call can remove a capability from _all_ processes on -the system in one atomic operation. The setcap utility from the -libcap distribution will do this for you. The utility requires the -CAP_SETPCAP privilege to do this. The CAP_SETPCAP capability is not -enabled by default. - -libcap is available from -ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/ - -9) I noticed that the capability.h file lacks some capabilities that -are needed to fully emulate 2.0 securelevel. Is there a patch for -this? - -Actually yes - funny you should ask :-). The problem with 2.0 -securelevel is that they for example stop root from accessing block -devices. At the same time they restrict the use of iopl. These two -changes are fundamentally different. Blocking access to block devices -means restricting something that usually isn't restricted. -Restricting access to the use of iopl on the other hand means -restricting (blocking) access to something that is already blocked. -Emulating the parts of 2.0 securelevel that restricts things that are -normally not restricted means that the capabilites in the kernel has -to have a set of capabilities that are usually _on_ for a normal -process (note that this breaks the explanation that capabilities are a -partitioning of the root privileges). There is an experimental patch at - -ftp://ftp.guardian.no/pub/free/linux/capabilities/patch-cap-exp-1 - -which implements a set of capabilities with the "CAP_USER" prefix: - -cap_user_sock - allowed to use socket() -cap_user_dev - allowed to open char/block devices -cap_user_fifo - allowed to use pipes - -These should be enough to emulate 2.0 securelevel (tell me if we need -something more). - -10) Seems I need a CAP_SETPCAP capability that I don't have to make use -of capabilities. How do I enable this capability? 
- -Change the definition of CAP_INIT_EFF_SET and CAP_INIT_INH_SET to the -following in include/linux/capability.h: - -#define CAP_INIT_EFF_SET { ~0 } -#define CAP_INIT_INH_SET { ~0 } - -This will start init with a full capability set and not with -CAP_SETPCAP removed. - -11) How do I start a process with a limited set of capabilities? - -Get the libcap library and use the execcap utility. The following -example starts the update daemon with only the CAP_SYS_ADMIN -capability. - -execcap 'cap_sys_admin=eip' update - -12) How do I start a process with a limited set of capabilities under -another uid? - -Use the sucap utility which changes uid from root without loosing any -capabilities. Normally all capabilities are cleared when changing uid -from root. The sucap utility requires the CAP_SETPCAP capability. -The following example starts updated under uid updated and gid updated -with CAP_SYS_ADMIN raised in the Effective set. - -sucap updated updated execcap 'cap_sys_admin=eip' update - -[ Sucap is currently available from -ftp://ftp.guardian.no/pub/free/linux/capabilities/sucap.c. Put it in -the progs directory of libcap to compile.] - -13) What are the "capability rules" - -The capability rules are the rules used to set the capabilities of the -new process image after an exec. They work like this: - - pI' = pI - (***) pP' = fP | (fI & pI) - pE' = pP' & fE [NB. fE is 0 or ~0] - - I=Inheritable, P=Permitted, E=Effective // p=process, f=file - ' indicates post-exec(). - -Now to make sense of the equations think of fP as the Forced set of -the executable, and fI as the Allowed set of the executable. Notice -how the Inheritable set isn't touched at all during exec(). - -14) What are the laws for setting capability bits in the Inheritable, -Permitted, and Effective sets? - -Bits can be transferred from Permitted to either Effective or -Inheritable set. - -Bits can be removed from all sets. - -15) Where is the standard on which the Linux capabilities are based? 
- -There used to be a POSIX draft called POSIX.6 and later POSIX 1003.1e. -However after the committee had spent over 10 years, POSIX decided -that enough is enough and dropped the draft. There will therefore not -be a POSIX standard covering security anytime soon. This may lead to -that the POSIX draft is available for free, however. - --- - Best regards, -- Boris. - diff --git a/getpcaps.8 b/getpcaps.8 deleted file mode 100644 index 6bbf46a..0000000 --- a/getpcaps.8 +++ /dev/null @@ -1,23 +0,0 @@ -.\" Hey, EMACS: -*- nroff -*- -.TH GETPCAPS 8 "2001-05-29" -.\" Please adjust this date whenever revising the manpage. -.SH NAME -getpcaps \- display process capabilities -.SH SYNOPSIS -.B getpcaps -.IR pid ... -.SH DESCRIPTION -.B getpcaps -displays the capabilities on the processes indicated by the -.I pid -value(s) given on the commandline. The capabilities -are displayed in the -.BR cap_from_text (3) -format. -.SH SEE ALSO -.BR execcap (8). -.br -.SH AUTHOR -This manual page was written by Robert Bihlmeyer , -for the Debian GNU/Linux system (but may be used by others). - diff --git a/libcap-use-compiler-flag-options.patch b/libcap-use-compiler-flag-options.patch deleted file mode 100644 index 9728330..0000000 --- a/libcap-use-compiler-flag-options.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 7c13fa4e4c044941afd3b3766de71821cdc04397 Mon Sep 17 00:00:00 2001 -From: "H.J. Lu" -Date: Sun, 14 Feb 2021 14:06:49 -0800 -Subject: [PATCH] Update Make.Rules for Fedora RPM build - ---- - Make.Rules | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/Make.Rules b/Make.Rules -index ded9014..537cb6c 100644 ---- a/Make.Rules -+++ b/Make.Rules -@@ -56,10 +56,10 @@ IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include - - CC := $(CROSS_COMPILE)gcc - DEFINES := -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 --COPTS ?= -O2 -+COPTS ?= $(RPM_OPT_FLAGS) - CFLAGS ?= $(COPTS) $(DEFINES) - BUILD_CC ?= $(CC) --BUILD_COPTS ?= -O2 -+BUILD_COPTS ?= $(RPM_OPT_FLAGS) - BUILD_CFLAGS ?= $(BUILD_COPTS) $(DEFINES) $(IPATH) - AR := $(CROSS_COMPILE)ar - RANLIB := $(CROSS_COMPILE)ranlib -@@ -69,7 +69,7 @@ WARNINGS=-Wall -Wwrite-strings \ - -Wstrict-prototypes -Wmissing-prototypes \ - -Wnested-externs -Winline -Wshadow - LD=$(CC) -Wl,-x -shared --LDFLAGS ?= #-g -+LDFLAGS ?= $(RPM_LD_FLAGS) - LIBCAPLIB := -L$(topdir)/libcap -lcap - PSXLINKFLAGS := -lpthread -Wl,-wrap,pthread_create - LIBPSXLIB := -L$(topdir)/libcap -lpsx $(PSXLINKFLAGS) --- -2.29.2 diff --git a/libcap.spec b/libcap.spec index e93fa00..92aaa72 100644 --- a/libcap.spec +++ b/libcap.spec 
@@ -1,15 +1,22 @@ Name: libcap -Version: 2.48 -Release: 7%{?dist} +Version: 2.69 +Release: 1%{?dist} Summary: Library for getting and setting POSIX.1e capabilities URL: https://sites.google.com/site/fullycapable/ -License: BSD or GPLv2 +License: BSD-3-Clause OR GPL-2.0-only -Source: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/snapshot/%{name}-%{version}.tar.gz -Patch0: libcap-use-compiler-flag-options.patch +Source0: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz +Source1: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.sign +Source2: https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/29EE848AE2CCF3F4.asc -BuildRequires: libattr-devel pam-devel perl-interpreter gcc +BuildRequires: pam-devel gcc BuildRequires: make +BuildRequires: glibc-static +BuildRequires: gnupg2 + +%ifarch aarch64 armv7hl i686 ppc64le s390x x86_64 +BuildRequires: golang >= 1.11 +%endif %description libcap is a library for getting and setting POSIX.1e (formerly POSIX 6) 
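Review bot: `Source2` identifies the upstream signing key only by a 64-bit key ID in the file name (`29EE848AE2CCF3F4.asc`), and the spec records nothing else about which key is trusted. The signature check in `%prep` (a later hunk) is only as strong as that keyring file, so a substituted key would pass unless a source checksum file, not shown on this page, pins it. I would add a comment above `Source2` recording the full fingerprint, e.g. `# Upstream signing key, full fingerprint: <FULL-FINGERPRINT-PLACEHOLDER>`, and compare it by hand whenever the key file is refreshed.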
@@ -39,20 +46,27 @@ draft 15 capabilities. Install libcap-devel if you want to develop or compile applications using libcap. +%package -n captree +Summary: Capability inspection utility + +%description -n captree +The captree program was inspired by the utility pstree, but it uses the +libcap/cap (Go package) API to explore process runtime state and display +the capability status of processes and threads. + %prep +gzip -cd %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=- %autosetup -p1 + %build -# libcap can not be build with _smp_mflags: -make prefix=%{_prefix} lib=%{_lib} LIBDIR=%{_libdir} SBINDIR=%{_sbindir} \ - INCDIR=%{_includedir} MANDIR=%{_mandir} PKGCONFIGDIR=%{_libdir}/pkgconfig/ +%make_build prefix=%{_prefix} lib=%{_lib} GO_BUILD_FLAGS="-ldflags=-linkmode=external" all + +%check +make test %install -make install RAISE_SETFCAP=no \ - DESTDIR=%{buildroot} \ - LIBDIR=%{_libdir} \ - SBINDIR=%{_sbindir} \ - PKGCONFIGDIR=%{_libdir}/pkgconfig/ +%make_install prefix=%{_prefix} lib=%{_lib} GO_BUILD_FLAGS="-ldflags=-linkmode=external" mkdir -p %{buildroot}/%{_mandir}/man{2,3,8} mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/ @@ -63,11 +77,11 @@ chmod +x %{buildroot}/%{_libdir}/*.so.* %files %license License -%doc doc/capability.notes +%doc doc/capability.md %{_libdir}/*.so.* -%{_sbindir}/* -%{_mandir}/man1/* -%{_mandir}/man8/* +%{_sbindir}/{capsh,getcap,getpcaps,setcap} +%{_mandir}/man1/capsh.1* +%{_mandir}/man8/{getcap,getpcaps,setcap}.8* %{_libdir}/security/pam_cap.so %files static 
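Review bot: The new `%make_build` line in `%build` passes neither `COPTS` nor `LDFLAGS`, and this commit also deletes `libcap-use-compiler-flag-options.patch`, which wired `$(RPM_OPT_FLAGS)` and `$(RPM_LD_FLAGS)` into `Make.Rules`. Whether the distribution hardening flags still reach the compiler and linker now depends on how the 2.69 `Make.Rules` treats `CFLAGS` and `LDFLAGS` from the environment, which is not visible here. This package ships `setcap`, `capsh` and `pam_cap.so`, so it is worth confirming on the built binaries, for example with `annocheck`. Separately, the removed comment said libcap could not be built with `_smp_mflags`, while `%make_build` turns parallel make on; a one-line comment such as `# parallel build is safe as of 2.69` would record that this was checked.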
@@ -77,12 +91,19 @@ chmod +x %{buildroot}/%{_libdir}/*.so.* %files devel %{_includedir}/* %{_libdir}/*.so -%{_mandir}/man3/* -%{_libdir}/pkgconfig/libcap.pc -%{_libdir}/pkgconfig/libpsx.pc +%{_mandir}/man3/*.3* +%{_libdir}/pkgconfig/{libcap,libpsx}.pc +%files -n captree +%license License +%{_sbindir}/captree +%{_mandir}/man8/captree.8* %changelog +* Mon Nov 06 2023 Carlos Rodriguez-Fernandez - 2.69-1 +- Update to 2.69 (with contribs from Yanko Kaneti , and Andrew G. Morgan ) +- Update license to SPDX (by Anderson Toshiyuki Sasaki ) + * Thu Jul 20 2023 Fedora Release Engineering - 2.48-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild diff --git a/plans/main.fmf b/plans/main.fmf new file mode 100644 index 0000000..71d864c --- /dev/null +++ b/plans/main.fmf @@ -0,0 +1,5 @@ +summary: Basic smoke test for libcap +discover: + how: fmf +execute: + how: tmt diff --git a/tests/capsh-basic-functionality/Makefile b/tests/capsh-basic-functionality/Makefile deleted file mode 100644 index 49f35ed..0000000 --- a/tests/capsh-basic-functionality/Makefile +++ /dev/null 
@@ -1,64 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/libcap/Sanity/capsh-basic-functionality -# Description: tests basic functionality -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2017 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/libcap/Sanity/capsh-basic-functionality -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: tests basic functionality" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: libcap" >> $(METADATA) - @echo "Requires: libcap" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> 
$(METADATA) - @echo "Destructive: no" >> $(METADATA) - @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/capsh-basic-functionality/PURPOSE b/tests/capsh-basic-functionality/PURPOSE deleted file mode 100644 index 810902f..0000000 --- a/tests/capsh-basic-functionality/PURPOSE +++ /dev/null @@ -1,3 +0,0 @@ -PURPOSE of /CoreOS/libcap/Sanity/capsh-basic-functionality -Description: tests basic functionality -Author: Karel Srot diff --git a/tests/capsh-basic-functionality/runtest.sh b/tests/capsh-basic-functionality/runtest.sh deleted file mode 100755 index 6102418..0000000 --- a/tests/capsh-basic-functionality/runtest.sh +++ /dev/null 
@@ -1,123 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of /CoreOS/libcap/Sanity/capsh-basic-functionality -# Description: tests basic functionality -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2017 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 -. 
/usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="libcap" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm $PACKAGE - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlRun "useradd -m libcap_tester" - rlPhaseEnd - - rlPhaseStartTest "Remove the listed capabilities from the prevailing bounding set" - rlRun -s "capsh --drop=cap_net_raw -- -c 'getpcaps \$\$'" - rlAssertGrep "Capabilities for" $rlRun_LOG - rlAssertNotGrep cap_net_raw $rlRun_LOG - rlRun -s "capsh --drop=cap_net_raw -- -c 'ping localhost -c 1'" 2,126 "Ping without cap_net_raw shoud fail" - rlAssertGrep "Operation not permitted" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Set the prevailing process capabilities" - rlRun -s "capsh --caps=cap_chown+p --print" - rlAssertGrep "Current: = cap_chown+p" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Set the inheritable set of capabilities" - rlRun -s "capsh --inh=cap_chown --print" - rlRun "grep 'Current: = ' $rlRun_LOG | grep 'cap_chown+eip'" - rlRun -s "capsh --inh=cap_chown -- -c 'getpcaps \$\$' 2>&1" - rlAssertGrep "cap_chown+eip" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Assume the identity of the user nobody" - USERID=`id -u nobody` - GROUPID=`id -g nobody` - rlRun -s "capsh --user=nobody -- -c 'id'" - rlAssertGrep "uid=$USERID(nobody) gid=$GROUPID(nobody) groups=$GROUPID(nobody)" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Force all uid values to equal to nobody" - rlRun -s "capsh --uid=$USERID -- -c 'id'" - rlAssertGrep "uid=$USERID(nobody) gid=0(root) groups=0(root)" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Force all gid values to equal to nobody" - rlRun -s "capsh --gid=$GROUPID -- -c 'id'" - rlAssertGrep "uid=0(root) gid=$GROUPID(nobody)" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Set the supplementary groups" - GROUP2ID=`id -g daemon` - rlRun -s "capsh --groups=${GROUPID},${GROUP2ID} -- -c id" - rlAssertGrep "uid=0(root) gid=0(root) groups=0(root),${GROUP2ID}(daemon),${GROUPID}(nobody)" 
$rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Permit the process to retain its capabilities after a setuid" - CURRENT=`capsh --print | grep 'Current:' | cut -d '+' -f 1` - rlRun -s "capsh --keep=0 --uid=$USERID --print" - rlAssertGrep 'Current: =$' $rlRun_LOG -E - rlRun -s "capsh --keep=1 --uid=$USERID --print" - rlAssertGrep "$CURRENT" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Decode capabilities" - rlRun "CODE=$( cat /proc/$$/status | awk '/CapEff/ { print $2 }' )" - rlRun "DECODE=$( capsh --decode=$CODE | cut -d '=' -f 2 )" - rlRun "capsh --print | grep 'Current: = $DECODE'" - rlPhaseEnd - - rlPhaseStartTest "Verify the existence of a capability on the system" - rlRun "capsh --supports=cap_net_raw" - rlRun -s "capsh --supports=cap_foo_bar" 1 - rlAssertGrep "cap\[cap_foo_bar\] not recognized by library" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Verify exit code for unsupported option" - rlRun "capsh --foo bar" 1 - rlPhaseEnd - - rlPhaseStartTest "Run as a regular user" - USERID=`id -u libcap_tester` - rlRun -s "su - libcap_tester -c 'capsh --print'" - rlAssertGrep "Current: =\$" $rlRun_LOG -E - rlAssertGrep "uid=$USERID(libcap_tester)" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartCleanup - rlRun "userdel -r libcap_tester" - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd diff --git a/tests/capsh/main.fmf b/tests/capsh/main.fmf new file mode 100644 index 0000000..28d19cd --- /dev/null +++ b/tests/capsh/main.fmf @@ -0,0 +1,2 @@ +summary: capsh tests +description: tests basic capsh functionality diff --git a/tests/capsh/test.sh b/tests/capsh/test.sh new file mode 100755 index 0000000..92a59d0 --- /dev/null +++ b/tests/capsh/test.sh 
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "useradd -m libcap_tester"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should remove capability"
+ rlRun -s "capsh --drop=cap_sys_admin -- -c 'getpcaps \$\$'"
+ rlAssertGrep "cap_sys_admin-ep" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should prevent the use of removed capability"
+ rlRun -s "capsh --drop=cap_net_raw -- -c 'ping localhost -e 0 -c 1'" 2,126 "Ping without cap_net_raw shoud fail"
+ rlAssertGrep "Operation not permitted" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should set the prevailing process capabilities"
+ rlRun -s "capsh --caps=cap_chown+p --print"
+ rlAssertGrep "^Current:.*cap_chown[+=][ei]?p[ei]?.*" $rlRun_LOG -E
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should set the inheritable set of capabilities"
+ rlRun -s "capsh --inh=cap_chown --print"
+ rlAssertGrep "^Current:.*cap_chown[+=][ep]?i[ep]?.*" $rlRun_LOG -E
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should set and show the inheritable set of capabilities"
+ rlRun -s "capsh --inh=cap_chown -- -c 'getpcaps \$\$' 2>&1"
+ rlAssertGrep ".*cap_chown[+=][ep]?i[ep]?.*" $rlRun_LOG -E
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should assume the identity of the user nobody"
+ USERID=`id -u nobody`
+ GROUPID=`id -g nobody`
+ rlRun -s "capsh --user=nobody -- -c 'id'"
+ rlAssertGrep "uid=$USERID(nobody) gid=$GROUPID(nobody) groups=$GROUPID(nobody)" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should assume the nobody identity with uid"
+ USERID=`id -u nobody`
+ rlRun -s "capsh --uid=$USERID -- -c 'id'"
+ rlAssertGrep "uid=$USERID(nobody) gid=0(root) groups=0(root)" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should assume guid of nobody"
+ GROUPID=`id -g nobody`
+ rlRun -s "capsh --gid=$GROUPID -- -c 'id'"
+ rlAssertGrep "uid=0(root) gid=$GROUPID(nobody)" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should assume the supplementary groups"
+ GROUPID=`id -g nobody`
+ GROUP2ID=`id -g daemon`
+ rlRun -s "capsh --groups=${GROUPID},${GROUP2ID} -- -c id"
+ rlAssertGrep "uid=0(root) gid=0(root) groups=0(root),${GROUP2ID}(daemon),${GROUPID}(nobody)" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should decode capabilities"
+ rlRun "CODE=$( cat /proc/$$/status | awk '/CapEff/ { print $2 }' )"
+ rlRun "DECODE=$( capsh --decode=$CODE | cut -d '=' -f 2 )"
+ rlRun "capsh --print | grep \"$DECODE\""
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should detect the existence of a capability on the system"
+ rlRun "capsh --supports=cap_net_raw"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should detect the absence of a capability on the system"
+ rlRun -s "capsh --supports=cap_foo_bar" 1
+ rlAssertGrep "cap\[cap_foo_bar\] not recognized by library" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should error for unsupported option"
+ rlRun "capsh --foo bar" 1
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should run as a regular user"
+ USERID=`id -u libcap_tester`
+ rlRun -s "su - libcap_tester -c 'capsh --print'"
+ rlAssertGrep "Current: =\$" $rlRun_LOG -E
+ rlAssertGrep "uid=$USERID(libcap_tester)" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "userdel -r libcap_tester"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalEnd
diff --git a/tests/getcap-setcap/main.fmf b/tests/getcap-setcap/main.fmf
new file mode 100644
index 0000000..bce9fcd
--- /dev/null
+++ b/tests/getcap-setcap/main.fmf
@@ -0,0 +1,2 @@
+summary: setcap and getcap tests
+description: tests setcap and getcap basic functionality
diff --git a/tests/getcap-setcap/test.sh b/tests/getcap-setcap/test.sh
new file mode 100755
index 0000000..8384cbb
--- /dev/null
+++ b/tests/getcap-setcap/test.sh
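Review bot: In tests/capsh/test.sh the "Should decode capabilities" phase can pass without checking anything, because `grep \"$DECODE\"` matches every line when `DECODE` is empty and is no longer tied to the `Current:` line as it was in the deleted runtest.sh. I would assert the value before using it, e.g. `rlAssertNotEquals "decoded set must not be empty" "$DECODE" ""`, and match against the specific line the phase means to compare. The rewrite also leaves out the old `--keep=0` / `--keep=1` phase, so retention of capabilities across a uid change is no longer exercised; if that is deliberate, a comment saying why would help the next reader.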
@@ -0,0 +1,98 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should set and get capabilities on multiple files"
+ rlRun "touch test-file-0"
+ rlRun "touch test-file-1"
+ rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-file-1"
+ rlRun -s "getcap test-file-0 test-file-1"
+ rlAssertGrep "test-file-0.*cap_net_admin[+=]p" $rlRun_LOG -E
+ rlAssertGrep "test-file-1.*cap_net_raw[+=]ei" $rlRun_LOG -E
+ rlRun "rm -f test-file-0 test-file-1"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should set capabilities via stdin"
+ rlRun "touch test-file-0"
+ rlRun "echo -e 'cap_net_raw+p\ncap_net_admin+p' > input"
+ rlRun -s "setcap - test-file-0 < input"
+ rlAssertGrep "Please" $rlRun_LOG
+ rlRun -s "getcap test-file-0"
+ rlAssertGrep "cap_net_admin,cap_net_raw[+=]p" $rlRun_LOG -E
+ rlRun "rm -f test-file-0"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should set capabilities quietly via stdin"
+ rlRun "touch test-file-0"
+ rlRun "echo -e 'cap_net_raw+p' > input"
+ rlRun -s "setcap -q - test-file-0 < input"
+ rlAssertNotGrep "Please" $rlRun_LOG
+ rlRun -s "getcap test-file-0"
+ rlAssertGrep "cap_net_raw[+=]p" $rlRun_LOG -E
+ rlRun "rm -f test-file-0"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should remove capabilities"
+ rlRun "touch test-file-0"
+ rlRun "setcap cap_net_admin+p test-file-0"
+ rlRun "setcap -r test-file-0"
+ rlRun -s "getcap test-file-0"
+ rlAssertNotGrep "cap_net_admin" $rlRun_LOG
+ rlRun "rm -f test-file-0"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should list capabilities recursively"
+ rlRun "touch test-file-0"
+ rlRun "mkdir test-dir-1"
+ rlRun "touch test-dir-1/test-file-1"
+ rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-dir-1/test-file-1"
+ rlRun -s "getcap -r *"
+ rlAssertGrep "^test-file-0.*cap_net_admin[+=]p\$" $rlRun_LOG -E
+ rlAssertGrep "^test-dir-1/test-file-1.*cap_net_raw[+=]ei\$" $rlRun_LOG -E
+ rlRun "rm -f test-file-0"
+ rlRun "rm -rf test-dir-1"
+ rlPhaseEnd
+
+ rlPhaseStartTest "listing capabilities verbosely"
+ rlRun "touch test-file-0"
+ rlRun "mkdir test-dir-1"
+ rlRun "touch test-dir-1/test-file-1"
+ rlRun "touch test-dir-1/test-file-2"
+ rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-dir-1/test-file-1"
+ rlRun -s "getcap -v -r *"
+ rlAssertGrep "^test-file-0.*cap_net_admin[+=]p\$" $rlRun_LOG -E
+ rlAssertGrep "^test-dir-1/test-file-1.*cap_net_raw[+=]ei\$" $rlRun_LOG -E
+ rlAssertGrep "^test-dir-1/test-file-2\$" $rlRun_LOG -E
+ rlRun "rm -f test-file-0"
+ rlRun "rm -rf test-dir-1"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should setcap print help"
+ rlRun -s "setcap -h"
+ rlAssertGrep "usage" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should getcap print help"
+ rlRun -s "getcap -h"
+ rlAssertGrep "usage" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "setcap should exit with 1 on invalid arguments"
+ rlRun -s "setcap foo bar" 1
+ rlAssertGrep "Invalid" $rlRun_LOG -i
+ rlPhaseEnd
+ rlPhaseStartTest "getcap should exit with 1 on invalid arguments"
+ rlRun -s "getcap -f oo" 1
+ rlAssertGrep "Invalid" $rlRun_LOG -i
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalEnd
diff --git a/tests/libcap-devel/main.fmf b/tests/libcap-devel/main.fmf
new file mode 100644
index 0000000..3381c96
--- /dev/null
+++ b/tests/libcap-devel/main.fmf
@@ -0,0 +1,2 @@
+summary: libcap-devel tests
+description: tests libcap-devel functionality
diff --git a/tests/sanity-tests/test-libcap.c b/tests/libcap-devel/test-libcap.c
similarity index 100%
rename from tests/sanity-tests/test-libcap.c
rename to tests/libcap-devel/test-libcap.c
diff --git a/tests/libcap-devel/test.sh b/tests/libcap-devel/test.sh
new file mode 100755
index 0000000..3c4fd93
--- /dev/null
+++ b/tests/libcap-devel/test.sh
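Review bot: The setup phase of tests/getcap-setcap/test.sh carries on when `mktemp -d` or `pushd $TmpDir` fails, since a failed `rlRun` is only recorded and nothing checks its return value. The later `touch`, `setcap` and `rm -rf test-dir-1` commands would then run in whatever directory the test started in, presumably as root given that `setcap` needs privilege. Stopping early is safer, e.g. `rlRun "pushd $TmpDir" || rlDie "cannot enter temp dir"`, and the cleanup should quote the path as `rm -r \"$TmpDir\"`. The setup phase in tests/capsh/test.sh has the same shape.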
@@ -0,0 +1,17 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "gcc -lcap -lcmocka -Wall -g3 -o test-libcap test-libcap.c"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "./test-libcap"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "rm test-libcap"
+ rlPhaseEnd
+rlJournalEnd
diff --git a/tests/main.fmf b/tests/main.fmf
new file mode 100644
index 0000000..c7122a2
--- /dev/null
+++ b/tests/main.fmf
@@ -0,0 +1,9 @@
+test: ./test.sh
+framework: beakerlib
+require:
+ - libcap
+ - libcap-devel
+ - libcmocka
+ - libcmocka-devel
+ - gcc
+ - iputils
diff --git a/tests/manpages/main.fmf b/tests/manpages/main.fmf
new file mode 100644
index 0000000..3a97d78
--- /dev/null
+++ b/tests/manpages/main.fmf
@@ -0,0 +1,2 @@
+summary: man pages install smoke tests
+description: verify that the man pages are installed correctly
diff --git a/tests/manpages/test.sh b/tests/manpages/test.sh
new file mode 100755
index 0000000..b4afd94
--- /dev/null
+++ b/tests/manpages/test.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+expected_manpages=(
+ 'capsh(1)'
+ 'libcap(3)' # there are many more but if these are present then it verifies it because of the glob install
+ 'libpsx(3)'
+ 'getcap(8)'
+ 'getpcaps(8)'
+ 'setcap(8)'
+ 'captree(8)'
+
+)
+
+rlJournalStart
+ for page in "${expected_manpages[@]}"; do
+ rlPhaseStartTest "test ${page}"
+ rlRun "man --pager=cat '${page}'"
+ rlPhaseEnd
+ done
+rlJournalEnd
diff --git a/tests/pam_cap-so-sanity-test/Makefile b/tests/pam_cap-so-sanity-test/Makefile
deleted file mode 100644
index 3f30e80..0000000
--- a/tests/pam_cap-so-sanity-test/Makefile
+++ /dev/null
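Review bot: In the setup phase of tests/libcap-devel/test.sh the libraries are named before the source file, `gcc -lcap -lcmocka -Wall -g3 -o test-libcap test-libcap.c`. A linker that resolves symbols left to right, or one that runs with `--as-needed`, can discard both libraries before it has seen any reference to them, and the build then fails with undefined symbols. Putting them last avoids that: `rlRun "gcc -Wall -g3 -o test-libcap test-libcap.c -lcap -lcmocka"`. The binary is also written into the test's own directory rather than a temporary one, unlike the other scripts added in this commit.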
@@ -1,64 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/libcap/Sanity/pam_cap-so-sanity-test -# Description: basic functionality test for pam_cap.so module -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2017 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. 
-# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/libcap/Sanity/pam_cap-so-sanity-test -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: basic functionality test for pam_cap.so module" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: libcap" >> $(METADATA) - @echo "Requires: libcap" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/pam_cap-so-sanity-test/PURPOSE b/tests/pam_cap-so-sanity-test/PURPOSE deleted file mode 100644 index 9edc2b0..0000000 --- a/tests/pam_cap-so-sanity-test/PURPOSE +++ /dev/null @@ -1,5 +0,0 @@ -PURPOSE of /CoreOS/libcap/Sanity/pam_cap-so-sanity-test -Description: basic functionality test for pam_cap.so module -Author: Karel Srot - -Test if a test user can be granted capabilities via pam_cap.so module. diff --git a/tests/pam_cap-so-sanity-test/runtest.sh b/tests/pam_cap-so-sanity-test/runtest.sh deleted file mode 100755 index be93b30..0000000 --- a/tests/pam_cap-so-sanity-test/runtest.sh +++ /dev/null 
@@ -1,63 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of /CoreOS/libcap/Sanity/pam_cap-so-sanity-test -# Description: basic functionality test for pam_cap.so module -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2017 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 -. 
/usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="libcap" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm $PACKAGE - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlRun "useradd -m pam_cap_user" - rlRun "useradd -m pam_cap_user2" - rlFileBackup /etc/pam.d/su - [ -f /etc/security/capability.conf ] && rlFileBackup /etc/security/capability.conf - rlRun "echo -e 'cap_net_raw pam_cap_user\nnone *' > /etc/security/capability.conf" - rlRun "sed '1 s/^/auth required pam_cap.so/' -i /etc/pam.d/su" 0 "Configure pam_cap.so in /etc/pam.d/su" - rlPhaseEnd - - rlPhaseStartTest - rlRun "su - pam_cap_user -c 'getpcaps \$\$' &> user1.log" - rlAssertGrep "Capabilities for.* = cap_net_raw" user1.log -E - rlRun "su - pam_cap_user2 -c 'getpcaps \$\$' &> user2.log" - rlAssertNotGrep "cap_net_raw" user2.log - rlPhaseEnd - - rlPhaseStartCleanup - rlRun "userdel -r pam_cap_user" - rlRun "userdel -r pam_cap_user2" - rlFileRestore - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd diff --git a/tests/pam_cap/main.fmf b/tests/pam_cap/main.fmf new file mode 100644 index 0000000..15277dc --- /dev/null +++ b/tests/pam_cap/main.fmf @@ -0,0 +1,2 @@ +summary: pam_cap.so tests +description: tests pam_cap.so functionality diff --git a/tests/pam_cap/test.sh b/tests/pam_cap/test.sh new file mode 100755 index 0000000..035edd9 --- /dev/null +++ b/tests/pam_cap/test.sh 
@@ -0,0 +1,32 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "useradd -m pam_cap_user"
+ rlRun "useradd -m pam_cap_user2"
+ rlFileBackup /etc/pam.d/su
+ [ -f /etc/security/capability.conf ] && rlFileBackup /etc/security/capability.conf
+ rlRun "echo -e 'cap_net_raw pam_cap_user\nnone *' > /etc/security/capability.conf"
+ rlRun "sed '1 s/^/auth required pam_cap.so/' -i /etc/pam.d/su" 0 "Configure pam_cap.so in /etc/pam.d/su"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Should given pam_cap_user the cap_net_raw capability"
+ rlRun -s "su - pam_cap_user -c 'getpcaps \$\$'"
+ rlAssertGrep ".*cap_net_raw[+=].*" $rlRun_LOG -E
+ rlPhaseEnd
+ rlPhaseStartTest "The user pam_cap_user2 should not have the cap_net_raw capability"
+ rlRun -s "su - pam_cap_user2 -c 'getpcaps \$\$'"
+ rlAssertNotGrep "cap_net_raw" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "userdel -r pam_cap_user"
+ rlRun "userdel -r pam_cap_user2"
+ rlFileRestore
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalEnd
diff --git a/tests/pkg-config-libcap-pc-addition/Makefile b/tests/pkg-config-libcap-pc-addition/Makefile
deleted file mode 100644
index 57b4cd6..0000000
--- a/tests/pkg-config-libcap-pc-addition/Makefile
+++ /dev/null
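Review bot: The `sed '1 s/^/auth required pam_cap.so/'` in the setup phase prepends the rule to the existing first line of /etc/pam.d/su instead of adding a line of its own, so the outcome depends on what that line holds: a comment header ends up fused onto the module name, and a real rule would be turned into a mangled one. The target file's first line is not visible here, so this may only work by accident. Inserting a separate line is unambiguous, `rlRun "sed -i '1i auth required pam_cap.so' /etc/pam.d/su"`. Separately, when /etc/security/capability.conf did not exist beforehand it is never backed up, so `rlFileRestore` leaves the test's `cap_net_raw pam_cap_user` policy on the host; `rlFileBackup --clean /etc/security/capability.conf` would have it removed on restore.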
@@ -1,65 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition -# Description: Test for BZ#1425490 (Missing libcap.pc) -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2017 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. 
-# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: Test for BZ#1425490 (Missing libcap.pc)" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: libcap" >> $(METADATA) - @echo "Requires: libcap libcap-devel pkgconfig" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - @echo "Bug: 1425490" >> $(METADATA) - @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/pkg-config-libcap-pc-addition/PURPOSE b/tests/pkg-config-libcap-pc-addition/PURPOSE deleted file mode 100644 index 68dbb0b..0000000 --- a/tests/pkg-config-libcap-pc-addition/PURPOSE +++ /dev/null @@ -1,7 +0,0 @@ -PURPOSE of /CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition -Description: Test for BZ#1425490 (Missing libcap.pc) -Author: Karel Srot -Bug summary: Missing libcap.pc -Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1425490 - -Checking the presence and sanity of the libcap.pc file. diff --git a/tests/pkg-config-libcap-pc-addition/runtest.sh b/tests/pkg-config-libcap-pc-addition/runtest.sh deleted file mode 100755 index b63ad04..0000000 --- a/tests/pkg-config-libcap-pc-addition/runtest.sh +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of /CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition -# Description: Test for BZ#1425490 (Missing libcap.pc) -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2017 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 -. /usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="libcap" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm $PACKAGE - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlPhaseEnd - - rlPhaseStartTest - rlRun "rpm -ql libcap-devel | grep libcap.pc" 0 "There must be libcap.pc" - if [ $? 
-eq 0 ]; then - PCFILE=$(rpm -ql libcap-devel | grep libcap.pc) - rlRun "pkg-config --libs libcap | grep -- '-lcap'" - VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1) - rlRun "pkg-config --modversion libcap | grep $VER" - rlRun -s "pkg-config --print-variables libcap" - rlAssertGrep "^prefix" $rlRun_LOG - rlAssertGrep "^exec_prefix" $rlRun_LOG - rlAssertGrep "^libdir" $rlRun_LOG - rlAssertGrep "^includedir" $rlRun_LOG - fi - rlPhaseEnd - - rlPhaseStartCleanup - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd diff --git a/tests/pkg-configs/main.fmf b/tests/pkg-configs/main.fmf new file mode 100644 index 0000000..fca923f --- /dev/null +++ b/tests/pkg-configs/main.fmf @@ -0,0 +1,2 @@ +summary: validates pkg-configs presence. +description: ensures libcap.pc and libpsx.pc are installed diff --git a/tests/pkg-configs/test.sh b/tests/pkg-configs/test.sh new file mode 100755 index 0000000..45f98a4 --- /dev/null +++ b/tests/pkg-configs/test.sh 
@@ -0,0 +1,44 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+
+ rlPhaseStartTest "libcap pkg-config should be present and valid"
+ rlRun "rpm -ql libcap-devel | grep libcap.pc" 0 "There must be libcap.pc"
+ if [ $? -eq 0 ]; then
+ PCFILE=$(rpm -ql libcap-devel | grep libcap.pc)
+ rlRun "pkg-config --libs libcap | grep -- '-lcap'"
+ VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
+ rlRun "pkg-config --modversion libcap | grep $VER"
+ rlRun -s "pkg-config --print-variables libcap"
+ rlAssertGrep "^prefix" $rlRun_LOG
+ rlAssertGrep "^exec_prefix" $rlRun_LOG
+ rlAssertGrep "^libdir" $rlRun_LOG
+ rlAssertGrep "^includedir" $rlRun_LOG
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "libcap pkg-config should be present and valid"
+ rlRun "rpm -ql libcap-devel | grep libpsx.pc" 0 "There must be libpsx.pc"
+ if [ $? -eq 0 ]; then
+ PCFILE=$(rpm -ql libcap-devel | grep libpsx.pc)
+ rlRun "pkg-config --libs libpsx | grep -- '-lpsx -lpthread -Wl,-wrap,pthread_create'"
+ VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
+ rlRun "pkg-config --modversion libpsx | grep $VER"
+ rlRun -s "pkg-config --print-variables libpsx"
+ rlAssertGrep "^prefix" $rlRun_LOG
+ rlAssertGrep "^exec_prefix" $rlRun_LOG
+ rlAssertGrep "^libdir" $rlRun_LOG
+ rlAssertGrep "^includedir" $rlRun_LOG
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalEnd
diff --git a/tests/sanity-tests/Makefile b/tests/sanity-tests/Makefile
deleted file mode 100644
index 9e75815..0000000
--- a/tests/sanity-tests/Makefile
+++ /dev/null
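Review bot: The second test phase in tests/pkg-configs/test.sh is a copy of the first and still carries its name, "libcap pkg-config should be present and valid", although it checks libpsx.pc, so the journal shows two identically named phases. Rename it: `rlPhaseStartTest "libpsx pkg-config should be present and valid"`. In both phases the version check `grep $VER` is an unquoted regular expression matched as a substring, so the dots act as wildcards and a longer version string that merely contains the expected one still passes. `rlRun "pkg-config --modversion libcap | grep -Fx -- '$VER'"` pins the comparison to the exact value, and likewise for libpsx.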
@@ -1,46 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1+ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/libcap -# Description: Test if libcap working ok -# Author: Susant Sahani -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -export TEST=/CoreOS/libcap -export TESTVERSION=1.0 - -OBJS = test-libcap.c -CFLAG = -Wall -g3 -CC = gcc -LIBS = -lcap -lcmocka - -test-libcap:${OBJ} - ${CC} ${CFLAGS} ${INCLUDES} -o $@ ${OBJS} ${LIBS} - -run: test-libcap - ./runtest.sh -clean: - -rm -f *~ test-libcap - -.c.o: - ${CC} ${CFLAGS} ${INCLUDES} -c $< - -CC = gcc - -include /usr/share/rhts/lib/rhts-make.include -$(METADATA): Makefile - @echo "Owner: Susant Sahani" > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: Test libcap works ok" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: libcap" >> $(METADATA) - @echo "Requires: libcap libcap-devel" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - @echo "Releases: -Fedora 29" >> $(METADATA) - rhts-lint $(METADATA) diff --git a/tests/sanity-tests/runtest.sh b/tests/sanity-tests/runtest.sh deleted file mode 100755 index 17d83e3..0000000 --- a/tests/sanity-tests/runtest.sh +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: LGPL-2.1+ -# ~~~ -# runtest.sh of libcap -# Description: Tests for libcap -# -# Author: Susant Sahani -# Copyright (c) 2018 Red Hat, Inc. -# ~~~ - -# Include Beaker environment -. /usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="libcap" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm $PACKAGE - rlRun "cp test-libcap /usr/bin/" - rlPhaseEnd - - rlPhaseStartTest - rlLog "Starting libcap tests ..." - rlRun "/usr/bin/test-libcap" - rlPhaseEnd - - rlPhaseStartCleanup - rlRun "rm /usr/bin/test-libcap" - rlLog "libcap tests done" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd - -rlGetTestState diff --git a/tests/setcap-getcap-basic-functionality/Makefile b/tests/setcap-getcap-basic-functionality/Makefile deleted file mode 100644 index 02ce5d5..0000000 --- a/tests/setcap-getcap-basic-functionality/Makefile +++ /dev/null 
@@ -1,64 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/libcap/Sanity/setcap-getcap-basic-functionality -# Description: test basic functionality -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2017 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. 
-# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/libcap/Sanity/setcap-getcap-basic-functionality -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: test basic functionality" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: libcap" >> $(METADATA) - @echo "Requires: libcap" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/setcap-getcap-basic-functionality/PURPOSE b/tests/setcap-getcap-basic-functionality/PURPOSE deleted file mode 100644 index a6ea33d..0000000 --- a/tests/setcap-getcap-basic-functionality/PURPOSE +++ /dev/null @@ -1,3 +0,0 @@ -PURPOSE of /CoreOS/libcap/Sanity/setcap-getcap-basic-functionality -Description: test basic functionality -Author: Karel Srot diff --git a/tests/setcap-getcap-basic-functionality/runtest.sh b/tests/setcap-getcap-basic-functionality/runtest.sh deleted file mode 100755 index 3639367..0000000 --- a/tests/setcap-getcap-basic-functionality/runtest.sh +++ /dev/null 
@@ -1,98 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of /CoreOS/libcap/Sanity/setcap-getcap-basic-functionality -# Description: test basic functionality -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2017 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 -. 
/usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="libcap" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm $PACKAGE - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlRun "mkdir mydir && touch file1 mydir/file2 mydir/file3" - rlPhaseEnd - - rlPhaseStartTest "set and get capabilities" - rlRun "setcap cap_net_admin+p file1 cap_net_raw+ei mydir/file2" - rlRun -s "getcap file1 mydir/file2" - rlAssertGrep "file1 = cap_net_admin+p" $rlRun_LOG - rlAssertGrep "mydir/file2 = cap_net_raw+ei" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "set capabilities via stdin" - rlRun "echo -e 'cap_net_raw+p\ncap_net_admin+p' > input" - rlRun -s "setcap - mydir/file3 < input" - rlAssertGrep "Please enter caps for file \[empty line to end\]:" $rlRun_LOG - rlRun "getcap mydir/file3 | grep 'mydir/file3 = cap_net_admin,cap_net_raw+p'" - rlPhaseEnd - - rlPhaseStartTest "set capabilities quietly via stdin" - rlRun "echo -e 'cap_net_raw+p' > input" - rlRun -s "setcap -q - mydir/file3 < input" - rlAssertNotGrep "Please enter caps for file" $rlRun_LOG - rlRun "getcap mydir/file3 | grep 'mydir/file3 = cap_net_raw+p'" - rlPhaseEnd - - rlPhaseStartTest "remove capabilities" - rlRun "setcap -r mydir/file3" - rlRun "getcap | grep file3" 1 "There should be no capabilities listed for file1" - rlPhaseEnd - - rlPhaseStartTest "listing capabilities recursively" - rlRun -s "getcap -r *" - rlAssertGrep "file1 = cap_net_admin+p" $rlRun_LOG - rlAssertGrep "mydir/file2 = cap_net_raw+ei" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "listing capabilities verbosely" - rlRun -s "getcap -v mydir/*" - rlAssertGrep "mydir/file2 = cap_net_raw+ei" $rlRun_LOG - rlAssertGrep "mydir/file3\$" $rlRun_LOG -E - rlPhaseEnd - - rlPhaseStartTest "print help" - rlRun "setcap -h | grep 'usage: setcap'" 1 - rlRun "getcap -h | grep 'usage: getcap'" 1 - rlPhaseEnd - - rlPhaseStartTest "exit with 1 on error" - rlRun -s "setcap foo bar" 1 - rlAssertGrep "fatal error: Invalid argument" 
$rlRun_LOG - rlRun -s "getcap -f oo" 1 - rlAssertGrep "getcap: invalid option -- 'f'" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartCleanup - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index fbbca7f..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,28 +0,0 @@ -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - classic - - container - tests: - - sanity-tests - - pam_cap-so-sanity-test - - setcap-getcap-basic-functionality - required_packages: - - libcap # libcap package required for all tests - - libcap-devel - - libcmocka - - libcmocka-devel - - gcc - - iputils # ping command required for capsh-basic-functionality - -# Tests that run in atomic -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - atomic - tests: - - capsh-basic-functionality - - pam_cap-so-sanity-test - - setcap-getcap-basic-functionality