Compare commits
10 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
a0bcf8dd16 | ||
|
0476c6eb3a | ||
|
34559e0319 | ||
|
75bb5af48b | ||
|
e6e70f005a | ||
|
3d19cbc8ff | ||
|
3978f4ec3e | ||
|
bf07aacd92 | ||
|
57896f99c5 | ||
|
57d7f730dc |
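--- a/.fmf/version
+++ b/.fmf/version
@@ -0,0 +1 @@
+1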
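--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 /libcap-*.tar.gz
+/libcap-*.tar.sign
+/*.src.rpm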
105
29EE848AE2CCF3F4.asc
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
pub rsa4096 2011-10-07 [SC]
|
||||||
|
38A644698C69787344E954CE29EE848AE2CCF3F4
|
||||||
|
uid Andrew G. Morgan <morgan@kernel.org>
|
||||||
|
uid Andrew G. Morgan (Work Address) <agm@google.com>
|
||||||
|
sub rsa4096 2011-10-07 [E]
|
||||||
|
E8BBFE9EBCE94FB48D2F98FC61B996743B143E89
|
||||||
|
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBE6OiBIBEADpdtUxC8Fmhn5UK6UCZdU7mFgZwN8U9cabFUPfUIkMqXULhCD0
|
||||||
|
hG2/amuiiUoLollPjOopNqk4cc8LcZfszOdBFAYj7MeWzNySVw4KkWrVCEH/bZ0Q
|
||||||
|
QzZH2qmoMT5CIrtcNxCAvukYsZLhyZYO0HdfuE05mVhVjtX9Btfxr7Ndvb7L4MRS
|
||||||
|
3Qb6+nHTgfn/Oow92/koIWvi0YvskKdZypeU888TQL99E8xdgL2n2Ip3xYwBHRR2
|
||||||
|
GPb5MGOuEItF3tJ0kkILW5mzkJq/iLzRphzKjdF76I9QVRP8dZ+uWHPubWePm/5c
|
||||||
|
1H9lnlw00ZZ/ucQvSwTesUYk2aKkxzgm6X8fCdJXBLGgW5K6CkynpjN3qJ9KpcNY
|
||||||
|
H55smUgp8BaiWuoHe4pLvuBhnN2wiYOe2j9UvGX1OaRstMXFx7YbBvkGgdoZthUe
|
||||||
|
VPGAa4K+dnI2oy4wukzl/unAKrlMCBRsRoW2qjy3TDSXqwJhd34ilHzrdAdchrh/
|
||||||
|
acBfbBtRzVlcDTnGltDNMuRTXzujaY9C3B0L2E+Jfrds8WcM8ASO4mHwJUTMrBwM
|
||||||
|
b5sFSG+/X9Ufg/c2G086HQ7xMERUA5oz66P5ReHCph8WHQN2L5vtZwL7//hZB9hn
|
||||||
|
G0K1210YEDXpFPijpis/54MKUSkWEFOLjUbiSPbwEfb79A00CcHojQQinwARAQAB
|
||||||
|
tCRBbmRyZXcgRy4gTW9yZ2FuIDxtb3JnYW5Aa2VybmVsLm9yZz6JAhwEEAECAAYF
|
||||||
|
Ak6YnFgACgkQINBOWnE2YKdO8Q//fwzZuxAacpWE2wByvuwM7hiYOtzxX9tSsaMA
|
||||||
|
NaYtxb8rYwM5YtkjCaBnWoyJ8de7L82HJff/GnxVpw0CWm5Dyj9Pvs/VAIvC4+75
|
||||||
|
+5cs6YWQIhIV5NbmD92lKFni2xNcBomzttB1CexjemtmXQIwm0i06HBbfg8Nkv3l
|
||||||
|
WnZlHHzgOffnkodR56rJCOq75wTPZPmx9WP87bDW2B5ZwzGs4jcBEP8qz4J5agVk
|
||||||
|
97OrYrhy2RrtD6a4f3/VYJq12mvJ/lImgEwNoLsZfMZ6B6wpCvfmx80z1dE/VOmG
|
||||||
|
YKpDPhU5v6y0gQm/UOpz0tzgRJw7CYRK3mbM/Ctnc4n6y0UpbVAmAStRvnlM1DgL
|
||||||
|
3nuuh3EJ6s1r2m2l1SRT09va+lK6s1GARMD+6tmQE7+89DwwSB0lJtWCHRGP/M8W
|
||||||
|
ePdqRAVz3xTkqbRMgcnuvpL6qPveK1Qzv2MxUomB7A8QDxzKzQAIugzm5E1irfmZ
|
||||||
|
jg54/8R2bo0uIp8PS6wx8RD7TYHxGpe4cEAkBr/5/5TfMaTDbrx/f/XqRm/89Mx9
|
||||||
|
04TLVyMqVDcsXAgd+fIGtv/e8cBVMDIRsE9aZQsSOil168Q8qYrJbYRcWmEGaM4d
|
||||||
|
KCGYhEPE7ZaZK4jxshSwfiirozCoAmkTmvOt4E0s2HlljjLPDecAlvoFvn2bSS3Z
|
||||||
|
8coir4CJAjsEEwECACUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOmRGP
|
||||||
|
AhkBAAoJECnuhIrizPP0wK0P/RMvjmzeXbgoa36cBDvDKReAiC56Au4qGXkNah39
|
||||||
|
84tNPT1hVUKCiwiUmULoNJbEI4qFJTtwsMi5QzE+daCA7t+ALJiC+PKiKFG1LDz7
|
||||||
|
mxfhmBeS3XcYuqZdjyKrATUFr0SHbsJxtRCslawGD2gKczLknFeBXL0997TfJS9i
|
||||||
|
pLibqCtmvyryHn4EbZfoJqcpj/RBN/izVGHNYI8BsZpO5F6z7vXoncDL0dKh65nd
|
||||||
|
GaIbhVDUPsDBvzg3i+EzhB51hYTTNKK0QpWbmsXfJBnvztinfLUsnO9HV8aRaygO
|
||||||
|
I/DAKAtT7YPXORA1oFYtx69bzulqC+TXUmeV8YW8bETH4xHM9mQb0oNLPibR2nK2
|
||||||
|
FSDiLp0/eEM5vgzfPVUX7WzBJUPsf0ah/e1yrXqudGUUZ0R+3VMOdxMryZBKLymk
|
||||||
|
zyvu6a5DcLarqAt8y9ciRH67HKNnE1gvHf5K2Q37gwSecwmXCjpMlbVJnIarLKBc
|
||||||
|
VRcYKtxgPxCv6483I8heSKF7PB/IFBmzT1cX7lhln9+62Ks/0Gs0pA0iNLaD+POP
|
||||||
|
iqWrAwZsFvKjD9PDaCBDFRWjFqZLyJMsMi1qmP8jWsdQqPdUskQC0ftvw3Z6Siyy
|
||||||
|
rriSAzglCjmmAcfdt+w4b/EO4SzSZUnd/ApkHkZx1Lbta15WKxGi7S8/5zNdaK72
|
||||||
|
1nUdiQIzBBABCAAdFiEEIHnICkX+vZuglRryyyMS4ez3P1cFAl0PDA8ACgkQyyMS
|
||||||
|
4ez3P1eHXg//ceYbw0RGvvkpBn41t2D2OEDnowyAqgdrByFoub4mam3lxjKZob6F
|
||||||
|
nIVcp0aY6TTOW0Peo0ZMigLh2DkEpF0JZrtTu5Om2tZpn+16d2c9ThROEasTERqI
|
||||||
|
AnUHMmpXupRZDSdHJTSD+HdlBSvO9Ve2vtIv/F9AW8pIQqZby3rJeFwsaQl9GUuw
|
||||||
|
T6teyBG5GZVFLDvNM2r64moTGvxsZdOEz/2KSZNMONEIFWYJPbBtaKZjlNJebh+i
|
||||||
|
YwOda6YqGwmyBpudtMtyHUT5gXBIaaMfKW40CxxTesOuV7YWg52ZkJe8tsURnIUi
|
||||||
|
55wCaLnNM+bsqjRIDZ5tAvCqTCj+T5hg6uJbmWOhCHW4VMp3PKEgmajMSZVAfzcW
|
||||||
|
iryAT/xol531qwer+3LRRS21qha3lfAJNaDy6rTHBqeDXyo7oeBQwoFIJFA5w9Ia
|
||||||
|
DVRfWXiKnHjsma0CEg1JXXnL1eb2Bzh8qInUQEgm92B/w2tJgNDDNPIDQDlbWgQw
|
||||||
|
24Wzx5QGOfr4CJM3WMhSdUEn8jyyFj+GmCfCAtRTEPhGIf4op6rZfH5Q8O0UJ865
|
||||||
|
iIvshNNLoWtkVx2MTU4juXsz666Vq+HFzyIw2xPeabVIKVzF25+vbTTRQIhohuU9
|
||||||
|
FV36IqXOGGwYAlnu8/2NFDWbUIhaCaB0N2AeVH8kQcO9L0OEHB0MJy+0MEFuZHJl
|
||||||
|
dyBHLiBNb3JnYW4gKFdvcmsgQWRkcmVzcykgPGFnbUBnb29nbGUuY29tPokCOAQT
|
||||||
|
AQIAIgUCTpUPggIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQKe6EiuLM
|
||||||
|
8/TM2hAAwOPHeKi+9/SukBgW+8Cg9vOERdwnjX9P6lrFY4mbxISDt9edQeBd5PBb
|
||||||
|
dEk8ins+C5y0+iC8pBX7sZxTkNyDXcNk7icytKy8iewtCR94NVT/OXYy4cU60Eyk
|
||||||
|
OnqIZxTCNLRthu+XTd8+Ptlcgwv4js5LI16hn+fbO0j1SIgEei+wepmpibh3tU6L
|
||||||
|
idWPVj8ZqT32zDdwu9TCr1/eLyKg3PKeoFPuMD4ZYVp5Um4as4IEEGC4i7QSSDjY
|
||||||
|
0BnYBHfbBA/l4S2VICrwiX1FnN7BrW/viWgM0k6X6Rbn+NArq0aPYD2+VOpXMdQO
|
||||||
|
Y9n2foOzuHfCjaDeDNhfVy4zeylb1SwDxdQM1jbI0VgML0iwAjT27Xw3t/z2Kwb/
|
||||||
|
JiHkxmknPZ/Htx5we3BJW6RMYcOxqgdNcyV+NCZVTl585FklroHHRORpILB5x6be
|
||||||
|
r7c5x2BbxfA9aKT/la/wHd0mikwfUzDelGGKu1N3r/zzE3IuQlK2m0ENm9uq8Hac
|
||||||
|
yZKKqCHSY96yWfC5vEnn/gVs/3OUs3vOnj1FkcoOX/wQxJcYKOYbpRPFbojdikp1
|
||||||
|
zj7IR3X39RS3GpA59uAW+Vxt6xDkgu8s7NmJ2RLvLS/iL2tkF78cTLd4bzPizl2W
|
||||||
|
gGulIG8rJLCpa65IOfe0yrDgHPYF7cWC1gDhOc3LuyFwVHYEwWiJAjMEEAEIAB0W
|
||||||
|
IQQgecgKRf69m6CVGvLLIxLh7Pc/VwUCXQ8MGwAKCRDLIxLh7Pc/V0F9EACHKNqF
|
||||||
|
l5xXDHe/0nlZ+J/OFRNIE8ObZAxQLaPfK3gRkFn/SbKQzkzB84X2il7A/W221Lzi
|
||||||
|
me5eTFPhTX3RxUcoSQdrtCCov5gCeuiUbhuJ28zuJxslxLE8bhnmNfpLmFFGtbMI
|
||||||
|
kXq+y0uqc08Yj8frPXKgx7KvOoovpm0X/igiAkiuKLhbq8xIwaIN0NL4slFlx+ZP
|
||||||
|
Ed0KA6qOvlLr0T/lLVptAeMrzfi2gqY1utSqE5IVrbtU6Kptw3zfURsGFFIaKjIr
|
||||||
|
hzu25Cdpg/NxYGqo2GqD0lZ+OeWSy0WI5sxCSDqr0to9lvsJGv2Nc06ixIjH7vG2
|
||||||
|
Hc/cC0QyHdBM6GwaLmUH9hrcSCLR5kxTzAW0Cf6lrAZUL36Ivl5l+zoLdJqSgZLY
|
||||||
|
YXqMdQf75Y5TRFzry5pWRef3ba4/sgui89W11Uccdq/pGe4OKo0I/vq3bv35/3cZ
|
||||||
|
aMGjj3x6v67kk8GWbKg6CPBnzb1dY7VDA5RWOt2lPZr4omUNFwRpxAfZADUz2Q4S
|
||||||
|
tMQVE018SSH1i6G9EB8KVQEBeD4qgaWs1z9sqA7K5wlBzGarTa2RspH0GMmYwxBY
|
||||||
|
hXtYpKm/47Dkg8j3N01VVwky0XGPFHCVgFbeXGknL1O3thOGs5XPO05jtBcbYI1u
|
||||||
|
vvK+h/CNn1yuTG13BSG4pgRF1Sy6CFLHme0d/rkCDQROjogSARAAtLny8nlyr8fy
|
||||||
|
YGAocQz0S47a99n/X0Vmgwo1trJsCXWbOrpztznY8IFRK/dRnRHiMwBxWQ4CvdUk
|
||||||
|
2p0MweUiOjpEN7bUm92jeFXMr0hpQKf+O4DMExHS4hxLwArnKFuAk2ejRQGXBcEo
|
||||||
|
Mv11LiUwuzFbWdXqMsA1TbuA+WvEBnFUYM/6xNiJeRIUIiGydhG1yaw8HrNWLHnh
|
||||||
|
hcOfT6z5AO69hZZiJacp9pU/+jnep/M42p4J17x81+ESpJeladwR0Qxc0qxOyWid
|
||||||
|
N7oO5hSiBEwU6lYQjdQ23pa7tN1o90P9jyN2nFBEdBu2D/mi4DV/+VXUYHNEy3uN
|
||||||
|
hmmLGwMoPVWiZveRmG74+ne7MVyxwb9EIF3IenS4T65ee1dlZvaoMxUlUe8htEK0
|
||||||
|
ChrQZOfITs9MyjUwoTiLUVo3kQeMli9HJEQXPRjHqkkZ7W65LhkEVnHSPHWtttRS
|
||||||
|
DkuZYtze+he142GzDSQA3dF2zy/tLpBb5CA29ITcQTspgV7AuV8YQqDZ4XWHsR9A
|
||||||
|
m5334N83EXk2oouqxl7mKUB0Vg6tujNCBSRn6A3CUaA29w/MyTg4z6Yw6HD3il1J
|
||||||
|
8PcWEoOzqlUoPd8tA5pcZCcKngkXndpXgsZCgoCgvx9WNU+LUrHBfhC3TLLsI7iG
|
||||||
|
O1JvLghkesKTARF3O2hS3xAhfGZxn8MAEQEAAYkCHwQYAQIACQUCTo6IEgIbDAAK
|
||||||
|
CRAp7oSK4szz9HSYD/9hmEsJuSgAGwx/OPweYuDGkA25ajDAu59LpzTbjB/yOU1r
|
||||||
|
DVUu3cMH+UEyaEGlhbneGvHF2DsEC9il/8fVL4eaE9EWpopIonYndBE91+YiGHPT
|
||||||
|
oiyKcdp0KuQMwm2ENAiEf/qErrB2NLna4wfZUx5lzvEOEk3cNPmNz2ERyMPXIeei
|
||||||
|
Q9VKp3MzopWhvBItAyIzzuydKKvJAKzDoTOEL4w60slAphj8rVCsW45k2AurWUH7
|
||||||
|
VFM8ezXunieLeygCGb+YJZAet6yVXD3UwnNcWCGQ+xKSPuyKrn4xKG0N5gzxnGIh
|
||||||
|
/S/7IOjRaNR5X+pfWd6YzN9qURUfiXmuLSPRHK4Flfam4gMMHul9wL6XBayFo2NU
|
||||||
|
PBaxg4U9ACAgSJxgCTNPCKwnovecOsRmIESKtT1F3hbZRRgRGj/TDepJQNfHSyk/
|
||||||
|
ZQfuoJggBMQLJKzGII42rb0W90QLMk0SyCzeb3LO3yyNiKpluNpJsl2IqdBJE5t1
|
||||||
|
LxhKDnju6JlFyPcGJnP/doTuDTjjL0V+guPAGVbuq0g2hku+ZlJwjMStNwHPWxei
|
||||||
|
fuDJbQVIp0xZbI5djdHC8hVJX+d09J5eq0PlgMEidc4F+Vv+mmGJl0GiNfhmTaAC
|
||||||
|
SRzbI25/bhvj2xhx8A2LEOuU/+nzYgQzPcFpawiUP1wBnTqi+maxKx5/9ifyrw==
|
||||||
|
=6WX5
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
264
capfaq-0.2.txt
@ -1,264 +0,0 @@
|
|||||||
This is the Linux kernel capabilities FAQ
|
|
||||||
|
|
||||||
Its history, to the extent that I am able to reconstruct it is that
|
|
||||||
v2.0 was posted to the Linux kernel list on 1999/04/02 by Boris
|
|
||||||
Tobotras. Thanks to Denis Ducamp for forwarding me a copy.
|
|
||||||
|
|
||||||
Cheers
|
|
||||||
|
|
||||||
Andrew
|
|
||||||
|
|
||||||
Linux Capabilities FAQ 0.2
|
|
||||||
==========================
|
|
||||||
|
|
||||||
1) What is a capability?
|
|
||||||
|
|
||||||
The name "capabilities" as used in the Linux kernel can be confusing.
|
|
||||||
First there are Capabilities as defined in computer science. A
|
|
||||||
capability is a token used by a process to prove that it is allowed to
|
|
||||||
do an operation on an object. The capability identifies the object
|
|
||||||
and the operations allowed on that object. A file descriptor is a
|
|
||||||
capability. You create the file descriptor with the "open" call and
|
|
||||||
request read or write permissions. Later, when doing a read or write
|
|
||||||
operation, the kernel uses the file descriptor as an index into a
|
|
||||||
data structure that indicates what operations are allowed. This is an
|
|
||||||
efficient way to check permissions. The necessary data structures are
|
|
||||||
created once during the "open" call. Later read and write calls only
|
|
||||||
have to do a table lookup. Operations on capabilities include copying
|
|
||||||
capabilities, transferring capabilities between processes, modifying a
|
|
||||||
capability, and revoking a capability. Modifying a capability can be
|
|
||||||
something like taking a read-write filedescriptor and making it
|
|
||||||
read-only. A capability often has a notion of an "owner" which is
|
|
||||||
able to invalidate all copies and derived versions of a capability.
|
|
||||||
Entire OSes are based on this "capability" model, with varying degrees
|
|
||||||
of purity. There are other ways of implementing capabilities than the
|
|
||||||
file descriptor model - traditionally special hardware has been used,
|
|
||||||
but modern systems also use the memory management unit of the CPU.
|
|
||||||
|
|
||||||
Then there is something quite different called "POSIX capabilities"
|
|
||||||
which is what Linux uses. These capabilities are a partitioning of
|
|
||||||
the all powerful root privilege into a set of distinct privileges (but
|
|
||||||
look at securelevel emulation to find out that this isn't necessary
|
|
||||||
the whole truth). Users familiar with VMS or "Trusted" versions of
|
|
||||||
other UNIX variants will know this under the name "privileges". The
|
|
||||||
name "capabilities" comes from the now defunct POSIX draft 1003.1e
|
|
||||||
which used this name.
|
|
||||||
|
|
||||||
2) So what is a "POSIX capability"?
|
|
||||||
|
|
||||||
A process has three sets of bitmaps called the inheritable(I),
|
|
||||||
permitted(P), and effective(E) capabilities. Each capability is
|
|
||||||
implemented as a bit in each of these bitmaps which is either set or
|
|
||||||
unset. When a process tries to do a privileged operation, the
|
|
||||||
operating system will check the appropriate bit in the effective set
|
|
||||||
of the process (instead of checking whether the effective uid of the
|
|
||||||
process i 0 as is normally done). For example, when a process tries
|
|
||||||
to set the clock, the Linux kernel will check that the process has the
|
|
||||||
CAP_SYS_TIME bit (which is currently bit 25) set in its effective set.
|
|
||||||
|
|
||||||
The permitted set of the process indicates the capabilities the
|
|
||||||
process can use. The process can have capabilities set in the
|
|
||||||
permitted set that are not in the effective set. This indicates that
|
|
||||||
the process has temporarily disabled this capability. A process is
|
|
||||||
allowed to set a bit in its effective set only if it is available in
|
|
||||||
the permitted set. The distinction between effective and permitted
|
|
||||||
exists so that processes can "bracket" operations that need privilege.
|
|
||||||
|
|
||||||
The inheritable capabilities are the capabilities of the current
|
|
||||||
process that should be inherited by a program executed by the current
|
|
||||||
process. The permitted set of a process is masked against the
|
|
||||||
inheritable set during exec(). Nothing special happens during fork()
|
|
||||||
or clone(). Child processes and threads are given an exact copy of
|
|
||||||
the capabilities of the parent process.
|
|
||||||
|
|
||||||
3) What about other entities in the system? Users, Groups, Files?
|
|
||||||
|
|
||||||
Files have capabilities. Conceptually they have the same three
|
|
||||||
bitmaps that processes have, but to avoid confusion we call them by
|
|
||||||
other names. Only executable files have capabilities, libraries don't
|
|
||||||
have capabilities (yet). The three sets are called the allowed set,
|
|
||||||
the forced set, and the effective set.
|
|
||||||
|
|
||||||
The allowed set indicates what capabilities the executable is allowed
|
|
||||||
to receive from an execing process. This means that during exec(),
|
|
||||||
the capabilities of the old process are first masked against a set
|
|
||||||
which indicates what the process gives away (the inheritable set of
|
|
||||||
the process), and then they are masked against a set which indicates
|
|
||||||
what capabilities the new process image is allowed to receive (the
|
|
||||||
allowed set of the executable).
|
|
||||||
|
|
||||||
The forced set is a set of capabilities created out of thin air and
|
|
||||||
given to the process after execing the executable. The forced set is
|
|
||||||
similar in nature to the setuid feature. In fact, the setuid bit from
|
|
||||||
the filesystem is "read" as a full forced set by the kernel.
|
|
||||||
|
|
||||||
The effective set indicates which bits in the permitted set of the new
|
|
||||||
process should be transferred to the effective set of the new process.
|
|
||||||
The effective set is best thought of as a "capability aware" set. It
|
|
||||||
should consist of only 1s if the executable is capability-dumb, or
|
|
||||||
only 0s if the executable is capability-smart. Since the effective
|
|
||||||
set consists of only 0s or only 1s, the filesystem can implement this
|
|
||||||
set using a single bit.
|
|
||||||
|
|
||||||
NOTE: Filesystem support for capabilities is not part of Linux 2.2.
|
|
||||||
|
|
||||||
Users and Groups don't have associated capabilities from the kernel's
|
|
||||||
point of view, but it is entirely reasonable to associate users or
|
|
||||||
groups with capabilities. By letting the "login" program set some
|
|
||||||
capabilities it is possible to make role users such as a backup user
|
|
||||||
that will have the CAP_DAC_READ_SEARCH capability and be able to do
|
|
||||||
backups. This could also be implemented as a PAM module, but nobody
|
|
||||||
has implemented one yet.
|
|
||||||
|
|
||||||
4) What capabilities exist?
|
|
||||||
|
|
||||||
The capabilities available in Linux are listed and documented in the
|
|
||||||
file /usr/src/linux/include/linux/capability.h.
|
|
||||||
|
|
||||||
5) Are Linux capabilities hierarchical?
|
|
||||||
|
|
||||||
No, you cannot make a "subcapability" out of a Linux capability as in
|
|
||||||
capability-based OSes.
|
|
||||||
|
|
||||||
6) How can I use capabilities to make sure Mr. Evil Luser (eluser)
|
|
||||||
can't exploit my "suid" programs?
|
|
||||||
|
|
||||||
This is the general outline of how this works given filesystem
|
|
||||||
capability support exists. First, you have a PAM module that sets the
|
|
||||||
inheritable capabilities of the login-shell of eluser. Then for all
|
|
||||||
"suid" programs on the system, you decide what capabilities they need
|
|
||||||
and set the _allowed_ set of the executable to that set of
|
|
||||||
capabilities. The capability rules
|
|
||||||
|
|
||||||
new permitted = forced | (allowed & inheritable)
|
|
||||||
|
|
||||||
means that you should be careful about setting forced capabilities on
|
|
||||||
executables. In a few cases, this can be useful though. For example
|
|
||||||
the login program needs to set the inheritable set of the new user and
|
|
||||||
therefore needs an almost full permitted set. So if you want eluser
|
|
||||||
to be able to run login and log in as a different user, you will have
|
|
||||||
to set some forced bits on that executable.
|
|
||||||
|
|
||||||
7) What about passing capabilities between processes?
|
|
||||||
|
|
||||||
Currently this is done by the system call "setcap" which can set the
|
|
||||||
capabilities of another process. This requires the CAP_SETPCAP
|
|
||||||
capability which you really only want to grant a _few_ processes.
|
|
||||||
CAP_SETPCAP was originally intended as a workaround to be able to
|
|
||||||
implement filesystem support for capabilities using a daemon outside
|
|
||||||
the kernel.
|
|
||||||
|
|
||||||
There has been discussions about implementing socket-level capability
|
|
||||||
passing. This means that you can pass a capability over a socket. No
|
|
||||||
support for this exists in the official kernel yet.
|
|
||||||
|
|
||||||
8) I see securelevel has been removed from 2.2 and are superceeded by
|
|
||||||
capabilities. How do I emulate securelevel using capabilities?
|
|
||||||
|
|
||||||
The setcap system call can remove a capability from _all_ processes on
|
|
||||||
the system in one atomic operation. The setcap utility from the
|
|
||||||
libcap distribution will do this for you. The utility requires the
|
|
||||||
CAP_SETPCAP privilege to do this. The CAP_SETPCAP capability is not
|
|
||||||
enabled by default.
|
|
||||||
|
|
||||||
libcap is available from
|
|
||||||
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/
|
|
||||||
|
|
||||||
9) I noticed that the capability.h file lacks some capabilities that
|
|
||||||
are needed to fully emulate 2.0 securelevel. Is there a patch for
|
|
||||||
this?
|
|
||||||
|
|
||||||
Actually yes - funny you should ask :-). The problem with 2.0
|
|
||||||
securelevel is that they for example stop root from accessing block
|
|
||||||
devices. At the same time they restrict the use of iopl. These two
|
|
||||||
changes are fundamentally different. Blocking access to block devices
|
|
||||||
means restricting something that usually isn't restricted.
|
|
||||||
Restricting access to the use of iopl on the other hand means
|
|
||||||
restricting (blocking) access to something that is already blocked.
|
|
||||||
Emulating the parts of 2.0 securelevel that restricts things that are
|
|
||||||
normally not restricted means that the capabilites in the kernel has
|
|
||||||
to have a set of capabilities that are usually _on_ for a normal
|
|
||||||
process (note that this breaks the explanation that capabilities are a
|
|
||||||
partitioning of the root privileges). There is an experimental patch at
|
|
||||||
|
|
||||||
ftp://ftp.guardian.no/pub/free/linux/capabilities/patch-cap-exp-1
|
|
||||||
|
|
||||||
which implements a set of capabilities with the "CAP_USER" prefix:
|
|
||||||
|
|
||||||
cap_user_sock - allowed to use socket()
|
|
||||||
cap_user_dev - allowed to open char/block devices
|
|
||||||
cap_user_fifo - allowed to use pipes
|
|
||||||
|
|
||||||
These should be enough to emulate 2.0 securelevel (tell me if we need
|
|
||||||
something more).
|
|
||||||
|
|
||||||
10) Seems I need a CAP_SETPCAP capability that I don't have to make use
|
|
||||||
of capabilities. How do I enable this capability?
|
|
||||||
|
|
||||||
Change the definition of CAP_INIT_EFF_SET and CAP_INIT_INH_SET to the
|
|
||||||
following in include/linux/capability.h:
|
|
||||||
|
|
||||||
#define CAP_INIT_EFF_SET { ~0 }
|
|
||||||
#define CAP_INIT_INH_SET { ~0 }
|
|
||||||
|
|
||||||
This will start init with a full capability set and not with
|
|
||||||
CAP_SETPCAP removed.
|
|
||||||
|
|
||||||
11) How do I start a process with a limited set of capabilities?
|
|
||||||
|
|
||||||
Get the libcap library and use the execcap utility. The following
|
|
||||||
example starts the update daemon with only the CAP_SYS_ADMIN
|
|
||||||
capability.
|
|
||||||
|
|
||||||
execcap 'cap_sys_admin=eip' update
|
|
||||||
|
|
||||||
12) How do I start a process with a limited set of capabilities under
|
|
||||||
another uid?
|
|
||||||
|
|
||||||
Use the sucap utility which changes uid from root without loosing any
|
|
||||||
capabilities. Normally all capabilities are cleared when changing uid
|
|
||||||
from root. The sucap utility requires the CAP_SETPCAP capability.
|
|
||||||
The following example starts updated under uid updated and gid updated
|
|
||||||
with CAP_SYS_ADMIN raised in the Effective set.
|
|
||||||
|
|
||||||
sucap updated updated execcap 'cap_sys_admin=eip' update
|
|
||||||
|
|
||||||
[ Sucap is currently available from
|
|
||||||
ftp://ftp.guardian.no/pub/free/linux/capabilities/sucap.c. Put it in
|
|
||||||
the progs directory of libcap to compile.]
|
|
||||||
|
|
||||||
13) What are the "capability rules"
|
|
||||||
|
|
||||||
The capability rules are the rules used to set the capabilities of the
|
|
||||||
new process image after an exec. They work like this:
|
|
||||||
|
|
||||||
pI' = pI
|
|
||||||
(***) pP' = fP | (fI & pI)
|
|
||||||
pE' = pP' & fE [NB. fE is 0 or ~0]
|
|
||||||
|
|
||||||
I=Inheritable, P=Permitted, E=Effective // p=process, f=file
|
|
||||||
' indicates post-exec().
|
|
||||||
|
|
||||||
Now to make sense of the equations think of fP as the Forced set of
|
|
||||||
the executable, and fI as the Allowed set of the executable. Notice
|
|
||||||
how the Inheritable set isn't touched at all during exec().
|
|
||||||
|
|
||||||
14) What are the laws for setting capability bits in the Inheritable,
|
|
||||||
Permitted, and Effective sets?
|
|
||||||
|
|
||||||
Bits can be transferred from Permitted to either Effective or
|
|
||||||
Inheritable set.
|
|
||||||
|
|
||||||
Bits can be removed from all sets.
|
|
||||||
|
|
||||||
15) Where is the standard on which the Linux capabilities are based?
|
|
||||||
|
|
||||||
There used to be a POSIX draft called POSIX.6 and later POSIX 1003.1e.
|
|
||||||
However after the committee had spent over 10 years, POSIX decided
|
|
||||||
that enough is enough and dropped the draft. There will therefore not
|
|
||||||
be a POSIX standard covering security anytime soon. This may lead to
|
|
||||||
that the POSIX draft is available for free, however.
|
|
||||||
|
|
||||||
--
|
|
||||||
Best regards, -- Boris.
|
|
||||||
|
|
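--- a/gating.yaml
+++ b/gating.yaml
@@ -2,6 +2,19 @@
 product_versions:
 - fedora-*
 decision_context: bodhi_update_push_testing
+subject_type: koji_build
 rules:
-- !PassingTestCaseRule {test_case_name: dist.depcheck}
-- !PassingTestCaseRule {test_case_name: dist.abicheck}
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpmdeplint.functional}
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.installability.functional}
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+--- !Policy
+product_versions:
+- fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpmdeplint.functional}
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.installability.functional}
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}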
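--- a/getpcaps.8
+++ b/getpcaps.8
@@ -1,23 +0,0 @@
-.\" Hey, EMACS: -*- nroff -*-
-.TH GETPCAPS 8 "2001-05-29"
-.\" Please adjust this date whenever revising the manpage.
-.SH NAME
-getpcaps \- display process capabilities
-.SH SYNOPSIS
-.B getpcaps
-.IR pid ...
-.SH DESCRIPTION
-.B getpcaps
-displays the capabilities on the processes indicated by the
-.I pid
-value(s) given on the commandline. The capabilities
-are displayed in the
-.BR cap_from_text (3)
-format.
-.SH SEE ALSO
-.BR execcap (8).
-.br
-.SH AUTHOR
-This manual page was written by Robert Bihlmeyer <robbe@debian.org>,
-for the Debian GNU/Linux system (but may be used by others).
-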
@ -1,37 +0,0 @@
|
|||||||
From 7c13fa4e4c044941afd3b3766de71821cdc04397 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "H.J. Lu" <hjl.tools@gmail.com>
|
|
||||||
Date: Sun, 14 Feb 2021 14:06:49 -0800
|
|
||||||
Subject: [PATCH] Update Make.Rules for Fedora RPM build
|
|
||||||
|
|
||||||
---
|
|
||||||
Make.Rules | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Make.Rules b/Make.Rules
|
|
||||||
index ded9014..537cb6c 100644
|
|
||||||
--- a/Make.Rules
|
|
||||||
+++ b/Make.Rules
|
|
||||||
@@ -56,10 +56,10 @@ IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
|
|
||||||
|
|
||||||
CC := $(CROSS_COMPILE)gcc
|
|
||||||
DEFINES := -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
|
|
||||||
-COPTS ?= -O2
|
|
||||||
+COPTS ?= $(RPM_OPT_FLAGS)
|
|
||||||
CFLAGS ?= $(COPTS) $(DEFINES)
|
|
||||||
BUILD_CC ?= $(CC)
|
|
||||||
-BUILD_COPTS ?= -O2
|
|
||||||
+BUILD_COPTS ?= $(RPM_OPT_FLAGS)
|
|
||||||
BUILD_CFLAGS ?= $(BUILD_COPTS) $(DEFINES) $(IPATH)
|
|
||||||
AR := $(CROSS_COMPILE)ar
|
|
||||||
RANLIB := $(CROSS_COMPILE)ranlib
|
|
||||||
@@ -69,7 +69,7 @@ WARNINGS=-Wall -Wwrite-strings \
|
|
||||||
-Wstrict-prototypes -Wmissing-prototypes \
|
|
||||||
-Wnested-externs -Winline -Wshadow
|
|
||||||
LD=$(CC) -Wl,-x -shared
|
|
||||||
-LDFLAGS ?= #-g
|
|
||||||
+LDFLAGS ?= $(RPM_LD_FLAGS)
|
|
||||||
LIBCAPLIB := -L$(topdir)/libcap -lcap
|
|
||||||
PSXLINKFLAGS := -lpthread -Wl,-wrap,pthread_create
|
|
||||||
LIBPSXLIB := -L$(topdir)/libcap -lpsx $(PSXLINKFLAGS)
|
|
||||||
--
|
|
||||||
2.29.2
|
|
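--- a/libcap.rpmlintrc
+++ b/libcap.rpmlintrc
@@ -0,0 +1,2 @@
+addFilter('.*static-library-without-debuginfo.*')
+addFilter('.*pam-unauthorized-module.*')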
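Review bot: Both `addFilter` lines silence their rpmlint message for every subpackage, and neither carries a comment saying why the finding is acceptable. The `pam-unauthorized-module` filter is the one that most needs a justification, since it presumably fires on the `%{_libdir}/security/pam_cap.so` file listed in the spec, and a later reader cannot tell a reviewed exception from a blanket mute. I would add one comment line above each filter, for example `# pam_cap.so is the upstream PAM module this package ships; reviewed, not an accidental module` and `# the -static subpackage intentionally ships libcap.a/libpsx.a`.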
92
libcap.spec
@ -1,15 +1,22 @@
|
|||||||
Name: libcap
|
Name: libcap
|
||||||
Version: 2.48
|
Version: 2.69
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: Library for getting and setting POSIX.1e capabilities
|
Summary: Library for getting and setting POSIX.1e capabilities
|
||||||
URL: https://sites.google.com/site/fullycapable/
|
URL: https://sites.google.com/site/fullycapable/
|
||||||
License: BSD or GPLv2
|
License: BSD-3-Clause OR GPL-2.0-only
|
||||||
|
|
||||||
Source: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/snapshot/%{name}-%{version}.tar.gz
|
Source0: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
|
||||||
Patch0: libcap-use-compiler-flag-options.patch
|
Source1: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.sign
|
||||||
|
Source2: https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/29EE848AE2CCF3F4.asc
|
||||||
|
|
||||||
BuildRequires: libattr-devel pam-devel perl-interpreter gcc
|
BuildRequires: pam-devel gcc
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
|
BuildRequires: glibc-static
|
||||||
|
BuildRequires: gnupg2
|
||||||
|
|
||||||
|
%ifarch aarch64 armv7hl i686 ppc64le s390x x86_64
|
||||||
|
BuildRequires: golang >= 1.11
|
||||||
|
%endif
|
||||||
|
|
||||||
%description
|
%description
|
||||||
libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
|
libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
|
||||||
@ -39,20 +46,27 @@ draft 15 capabilities.
|
|||||||
Install libcap-devel if you want to develop or compile applications using
|
Install libcap-devel if you want to develop or compile applications using
|
||||||
libcap.
|
libcap.
|
||||||
|
|
||||||
|
%package -n captree
|
||||||
|
Summary: Capability inspection utility
|
||||||
|
|
||||||
|
%description -n captree
|
||||||
|
The captree program was inspired by the utility pstree, but it uses the
|
||||||
|
libcap/cap (Go package) API to explore process runtime state and display
|
||||||
|
the capability status of processes and threads.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
|
gzip -cd %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=-
|
||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# libcap can not be build with _smp_mflags:
|
%make_build prefix=%{_prefix} lib=%{_lib} GO_BUILD_FLAGS="-ldflags=-linkmode=external" all
|
||||||
make prefix=%{_prefix} lib=%{_lib} LIBDIR=%{_libdir} SBINDIR=%{_sbindir} \
|
|
||||||
INCDIR=%{_includedir} MANDIR=%{_mandir} PKGCONFIGDIR=%{_libdir}/pkgconfig/
|
%check
|
||||||
|
make test
|
||||||
|
|
||||||
%install
|
%install
|
||||||
make install RAISE_SETFCAP=no \
|
%make_install prefix=%{_prefix} lib=%{_lib} GO_BUILD_FLAGS="-ldflags=-linkmode=external"
|
||||||
DESTDIR=%{buildroot} \
|
|
||||||
LIBDIR=%{_libdir} \
|
|
||||||
SBINDIR=%{_sbindir} \
|
|
||||||
PKGCONFIGDIR=%{_libdir}/pkgconfig/
|
|
||||||
|
|
||||||
mkdir -p %{buildroot}/%{_mandir}/man{2,3,8}
|
mkdir -p %{buildroot}/%{_mandir}/man{2,3,8}
|
||||||
mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/
|
mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/
|
||||||
@ -63,11 +77,12 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
|
|||||||
|
|
||||||
%files
|
%files
|
||||||
%license License
|
%license License
|
||||||
%doc doc/capability.notes
|
%doc doc/capability.md
|
||||||
%{_libdir}/*.so.*
|
%{_libdir}/libcap.so.2{,.*}
|
||||||
%{_sbindir}/*
|
%{_libdir}/libpsx.so.2{,.*}
|
||||||
%{_mandir}/man1/*
|
%{_sbindir}/{capsh,getcap,getpcaps,setcap}
|
||||||
%{_mandir}/man8/*
|
%{_mandir}/man1/capsh.1*
|
||||||
|
%{_mandir}/man8/{getcap,getpcaps,setcap}.8*
|
||||||
%{_libdir}/security/pam_cap.so
|
%{_libdir}/security/pam_cap.so
|
||||||
|
|
||||||
%files static
|
%files static
|
||||||
@ -75,14 +90,43 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
|
|||||||
%{_libdir}/libpsx.a
|
%{_libdir}/libpsx.a
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%{_includedir}/*
|
%{_includedir}/sys/capability.h
|
||||||
%{_libdir}/*.so
|
%{_includedir}/sys/psx_syscall.h
|
||||||
%{_mandir}/man3/*
|
%{_libdir}/libcap.so
|
||||||
%{_libdir}/pkgconfig/libcap.pc
|
%{_libdir}/libpsx.so
|
||||||
%{_libdir}/pkgconfig/libpsx.pc
|
%{_mandir}/man3/cap*.3*
|
||||||
|
%{_mandir}/man3/libcap.3*
|
||||||
|
%{_mandir}/man3/libpsx.3*
|
||||||
|
%{_mandir}/man3/psx_*.3*
|
||||||
|
%{_mandir}/man3/__psx_syscall.3*
|
||||||
|
%{_libdir}/pkgconfig/{libcap,libpsx}.pc
|
||||||
|
|
||||||
|
%files -n captree
|
||||||
|
%license License
|
||||||
|
%{_sbindir}/captree
|
||||||
|
%{_mandir}/man8/captree.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 06 2023 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 2.69-1
|
||||||
|
- Update to 2.69 (with contribs from Yanko Kaneti <yaneti@declera.com>, and Andrew G. Morgan <morgan@kernel.org>)
|
||||||
|
- Update license to SPDX (by Anderson Toshiyuki Sasaki <ansasaki@redhat.com>)
|
||||||
|
- Make file lists more explicit to avoid accidental ABI changes (Dominik Mierzejewski <dominik@greysector.net>)
|
||||||
|
|
||||||
|
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-7
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||||
|
|
||||||
* Sun Feb 14 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 2.48-2
|
* Sun Feb 14 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 2.48-2
|
||||||
- Rebase distro flags patch
|
- Rebase distro flags patch
|
||||||
|
|
||||||
|
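Review bot: The new `%build` line `%make_build prefix=%{_prefix} lib=%{_lib} GO_BUILD_FLAGS="-ldflags=-linkmode=external" all` no longer shows how the distribution's compiler and linker hardening flags reach the upstream makefiles now that `Patch0` is dropped. The patch deleted elsewhere in this compare was what set `COPTS ?= $(RPM_OPT_FLAGS)` and `LDFLAGS ?= $(RPM_LD_FLAGS)`. The build presumably now depends on `CFLAGS`/`LDFLAGS` exported into the `%build` environment being honoured by upstream's `?=` defaults, which this page cannot confirm. Because the package installs `pam_cap.so` and the `capsh`/`setcap` tools, it is worth checking a build log for the expected flags and then recording the assumption above the line, e.g. `# distro flags come from the exported CFLAGS/LDFLAGS; upstream Make.Rules honours them`. The same applies to the `%make_install` invocation in `%install`.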
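--- a/plans/main.fmf
+++ b/plans/main.fmf
@@ -0,0 +1,5 @@
+summary: Basic smoke test for libcap
+discover:
+how: fmf
+execute:
+how: tmt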
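--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-SHA512 (libcap-2.48.tar.gz) = 90ac6e46531e4893b78b14171537c6dfd06cf617af9e90f38ea0ce4b50161451528aefff41dbe983719e76582cf39f8d7d432f99756e976f62403d5bc3c209c8
+SHA512 (libcap-2.69.tar.gz) = 75ee0fe8e1ac835f29cb76d233f731dcf126b73eed5229a130bbe4308a42441934d4e9cefeaaab45f774de2ed6859c752fbbfb9908e792f2f9f3d0f841e01aee
+SHA512 (libcap-2.69.tar.sign) = 00f323444463b020c999f6fab255a61bd719f8d0ec1b619352e4f1b13407acee9a8e176861e5b408f64a871dc4095c6a26af541c3a0d4efca364c2d4b3679d30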
@ -1,64 +0,0 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/libcap/Sanity/capsh-basic-functionality
|
|
||||||
# Description: tests basic functionality
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
export TEST=/CoreOS/libcap/Sanity/capsh-basic-functionality
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
BUILT_FILES=
|
|
||||||
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
|
|
||||||
.PHONY: all install download clean
|
|
||||||
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
|
|
||||||
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: tests basic functionality" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 5m" >> $(METADATA)
|
|
||||||
@echo "RunFor: libcap" >> $(METADATA)
|
|
||||||
@echo "Requires: libcap" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA)
|
|
||||||
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,3 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/libcap/Sanity/capsh-basic-functionality
|
|
||||||
Description: tests basic functionality
|
|
||||||
Author: Karel Srot <ksrot@redhat.com>
|
|
@ -1,123 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# runtest.sh of /CoreOS/libcap/Sanity/capsh-basic-functionality
|
|
||||||
# Description: tests basic functionality
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
# Include Beaker environment
|
|
||||||
. /usr/bin/rhts-environment.sh || exit 1
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
||||||
|
|
||||||
PACKAGE="libcap"
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
rlPhaseStartSetup
|
|
||||||
rlAssertRpm $PACKAGE
|
|
||||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
|
||||||
rlRun "pushd $TmpDir"
|
|
||||||
rlRun "useradd -m libcap_tester"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Remove the listed capabilities from the prevailing bounding set"
|
|
||||||
rlRun -s "capsh --drop=cap_net_raw -- -c 'getpcaps \$\$'"
|
|
||||||
rlAssertGrep "Capabilities for" $rlRun_LOG
|
|
||||||
rlAssertNotGrep cap_net_raw $rlRun_LOG
|
|
||||||
rlRun -s "capsh --drop=cap_net_raw -- -c 'ping localhost -c 1'" 2,126 "Ping without cap_net_raw shoud fail"
|
|
||||||
rlAssertGrep "Operation not permitted" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Set the prevailing process capabilities"
|
|
||||||
rlRun -s "capsh --caps=cap_chown+p --print"
|
|
||||||
rlAssertGrep "Current: = cap_chown+p" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Set the inheritable set of capabilities"
|
|
||||||
rlRun -s "capsh --inh=cap_chown --print"
|
|
||||||
rlRun "grep 'Current: = ' $rlRun_LOG | grep 'cap_chown+eip'"
|
|
||||||
rlRun -s "capsh --inh=cap_chown -- -c 'getpcaps \$\$' 2>&1"
|
|
||||||
rlAssertGrep "cap_chown+eip" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Assume the identity of the user nobody"
|
|
||||||
USERID=`id -u nobody`
|
|
||||||
GROUPID=`id -g nobody`
|
|
||||||
rlRun -s "capsh --user=nobody -- -c 'id'"
|
|
||||||
rlAssertGrep "uid=$USERID(nobody) gid=$GROUPID(nobody) groups=$GROUPID(nobody)" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Force all uid values to equal to nobody"
|
|
||||||
rlRun -s "capsh --uid=$USERID -- -c 'id'"
|
|
||||||
rlAssertGrep "uid=$USERID(nobody) gid=0(root) groups=0(root)" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Force all gid values to equal to nobody"
|
|
||||||
rlRun -s "capsh --gid=$GROUPID -- -c 'id'"
|
|
||||||
rlAssertGrep "uid=0(root) gid=$GROUPID(nobody)" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Set the supplementary groups"
|
|
||||||
GROUP2ID=`id -g daemon`
|
|
||||||
rlRun -s "capsh --groups=${GROUPID},${GROUP2ID} -- -c id"
|
|
||||||
rlAssertGrep "uid=0(root) gid=0(root) groups=0(root),${GROUP2ID}(daemon),${GROUPID}(nobody)" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Permit the process to retain its capabilities after a setuid"
|
|
||||||
CURRENT=`capsh --print | grep 'Current:' | cut -d '+' -f 1`
|
|
||||||
rlRun -s "capsh --keep=0 --uid=$USERID --print"
|
|
||||||
rlAssertGrep 'Current: =$' $rlRun_LOG -E
|
|
||||||
rlRun -s "capsh --keep=1 --uid=$USERID --print"
|
|
||||||
rlAssertGrep "$CURRENT" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Decode capabilities"
|
|
||||||
rlRun "CODE=$( cat /proc/$$/status | awk '/CapEff/ { print $2 }' )"
|
|
||||||
rlRun "DECODE=$( capsh --decode=$CODE | cut -d '=' -f 2 )"
|
|
||||||
rlRun "capsh --print | grep 'Current: = $DECODE'"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Verify the existence of a capability on the system"
|
|
||||||
rlRun "capsh --supports=cap_net_raw"
|
|
||||||
rlRun -s "capsh --supports=cap_foo_bar" 1
|
|
||||||
rlAssertGrep "cap\[cap_foo_bar\] not recognized by library" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Verify exit code for unsupported option"
|
|
||||||
rlRun "capsh --foo bar" 1
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Run as a regular user"
|
|
||||||
USERID=`id -u libcap_tester`
|
|
||||||
rlRun -s "su - libcap_tester -c 'capsh --print'"
|
|
||||||
rlAssertGrep "Current: =\$" $rlRun_LOG -E
|
|
||||||
rlAssertGrep "uid=$USERID(libcap_tester)" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
|
||||||
rlRun "userdel -r libcap_tester"
|
|
||||||
rlRun "popd"
|
|
||||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
|
||||||
rlPhaseEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
rlJournalEnd
|
|
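--- a/tests/capsh/main.fmf
+++ b/tests/capsh/main.fmf
@@ -0,0 +1,2 @@
+summary: capsh tests
+description: tests basic capsh functionality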
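--- a/tests/capsh/test.sh
+++ b/tests/capsh/test.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+rlPhaseStartSetup
+rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+rlRun "pushd $TmpDir"
+rlRun "useradd -m libcap_tester"
+rlPhaseEnd
+
+rlPhaseStartTest "Should remove capability"
+rlRun -s "capsh --drop=cap_sys_admin -- -c 'getpcaps \$\$'"
+rlAssertGrep "cap_sys_admin-ep" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartTest "Should prevent the use of removed capability"
+rlRun -s "capsh --drop=cap_net_raw -- -c 'ping localhost -e 0 -c 1'" 2,126 "Ping without cap_net_raw shoud fail"
+rlAssertGrep "Operation not permitted" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartTest "Should set the prevailing process capabilities"
+rlRun -s "capsh --caps=cap_chown+p --print"
+rlAssertGrep "^Current:.*cap_chown[+=][ei]?p[ei]?.*" $rlRun_LOG -E
+rlPhaseEnd
+
+rlPhaseStartTest "Should set the inheritable set of capabilities"
+rlRun -s "capsh --inh=cap_chown --print"
+rlAssertGrep "^Current:.*cap_chown[+=][ep]?i[ep]?.*" $rlRun_LOG -E
+rlPhaseEnd
+
+rlPhaseStartTest "Should set and show the inheritable set of capabilities"
+rlRun -s "capsh --inh=cap_chown -- -c 'getpcaps \$\$' 2>&1"
+rlAssertGrep ".*cap_chown[+=][ep]?i[ep]?.*" $rlRun_LOG -E
+rlPhaseEnd
+
+rlPhaseStartTest "Should assume the identity of the user nobody"
+USERID=`id -u nobody`
+GROUPID=`id -g nobody`
+rlRun -s "capsh --user=nobody -- -c 'id'"
+rlAssertGrep "uid=$USERID(nobody) gid=$GROUPID(nobody) groups=$GROUPID(nobody)" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartTest "Should assume the nobody identity with uid"
+USERID=`id -u nobody`
+rlRun -s "capsh --uid=$USERID -- -c 'id'"
+rlAssertGrep "uid=$USERID(nobody) gid=0(root) groups=0(root)" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartTest "Should assume guid of nobody"
+GROUPID=`id -g nobody`
+rlRun -s "capsh --gid=$GROUPID -- -c 'id'"
+rlAssertGrep "uid=0(root) gid=$GROUPID(nobody)" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartTest "Should assume the supplementary groups"
+GROUPID=`id -g nobody`
+GROUP2ID=`id -g daemon`
+rlRun -s "capsh --groups=${GROUPID},${GROUP2ID} -- -c id"
+rlAssertGrep "uid=0(root) gid=0(root) groups=0(root),${GROUP2ID}(daemon),${GROUPID}(nobody)" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartTest "Should decode capabilities"
+rlRun "CODE=$( cat /proc/$$/status | awk '/CapEff/ { print $2 }' )"
+rlRun "DECODE=$( capsh --decode=$CODE | cut -d '=' -f 2 )"
+rlRun "capsh --print | grep \"$DECODE\""
+rlPhaseEnd
+
+rlPhaseStartTest "Should detect the existence of a capability on the system"
+rlRun "capsh --supports=cap_net_raw"
+rlPhaseEnd
+
+rlPhaseStartTest "Should detect the absence of a capability on the system"
+rlRun -s "capsh --supports=cap_foo_bar" 1
+rlAssertGrep "cap\[cap_foo_bar\] not recognized by library" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartTest "Should error for unsupported option"
+rlRun "capsh --foo bar" 1
+rlPhaseEnd
+
+rlPhaseStartTest "Should run as a regular user"
+USERID=`id -u libcap_tester`
+rlRun -s "su - libcap_tester -c 'capsh --print'"
+rlAssertGrep "Current: =\$" $rlRun_LOG -E
+rlAssertGrep "uid=$USERID(libcap_tester)" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartCleanup
+rlRun "userdel -r libcap_tester"
+rlRun "popd"
+rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+rlPhaseEnd
+rlJournalEnd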
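Review bot: The "Should decode capabilities" phase can pass without capsh having decoded anything. Both `$( … )` substitutions are expanded by the calling shell before `rlRun` runs, so `rlRun` only evaluates a plain assignment and never sees the exit status of `capsh --decode`; if `DECODE` ends up empty, `grep \"$DECODE\"` becomes `grep ""`, which matches every line of `capsh --print`. I would add `rlAssertNotEquals "decoded set must not be empty" "$DECODE" ""` after the assignment and match the value literally with `grep -F -- \"$DECODE\"`. The removed runtest.sh anchored this match on `Current: = `, which the new pattern no longer does.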
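--- a/tests/getcap-setcap/main.fmf
+++ b/tests/getcap-setcap/main.fmf
@@ -0,0 +1,2 @@
+summary: setcap and getcap tests
+description: tests setcap and getcap basic functionality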
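--- a/tests/getcap-setcap/test.sh
+++ b/tests/getcap-setcap/test.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+rlPhaseStartSetup
+rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+rlRun "pushd $TmpDir"
+rlPhaseEnd
+
+rlPhaseStartTest "Should set and get capabilities on multiple files"
+rlRun "touch test-file-0"
+rlRun "touch test-file-1"
+rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-file-1"
+rlRun -s "getcap test-file-0 test-file-1"
+rlAssertGrep "test-file-0.*cap_net_admin[+=]p" $rlRun_LOG -E
+rlAssertGrep "test-file-1.*cap_net_raw[+=]ei" $rlRun_LOG -E
+rlRun "rm -f test-file-0 test-file-1"
+rlPhaseEnd
+
+rlPhaseStartTest "Should set capabilities via stdin"
+rlRun "touch test-file-0"
+rlRun "echo -e 'cap_net_raw+p\ncap_net_admin+p' > input"
+rlRun -s "setcap - test-file-0 < input"
+rlAssertGrep "Please" $rlRun_LOG
+rlRun -s "getcap test-file-0"
+rlAssertGrep "cap_net_admin,cap_net_raw[+=]p" $rlRun_LOG -E
+rlRun "rm -f test-file-0"
+rlPhaseEnd
+
+rlPhaseStartTest "Should set capabilities quietly via stdin"
+rlRun "touch test-file-0"
+rlRun "echo -e 'cap_net_raw+p' > input"
+rlRun -s "setcap -q - test-file-0 < input"
+rlAssertNotGrep "Please" $rlRun_LOG
+rlRun -s "getcap test-file-0"
+rlAssertGrep "cap_net_raw[+=]p" $rlRun_LOG -E
+rlRun "rm -f test-file-0"
+rlPhaseEnd
+
+rlPhaseStartTest "Should remove capabilities"
+rlRun "touch test-file-0"
+rlRun "setcap cap_net_admin+p test-file-0"
+rlRun "setcap -r test-file-0"
+rlRun -s "getcap test-file-0"
+rlAssertNotGrep "cap_net_admin" $rlRun_LOG
+rlRun "rm -f test-file-0"
+rlPhaseEnd
+
+rlPhaseStartTest "Should list capabilities recursively"
+rlRun "touch test-file-0"
+rlRun "mkdir test-dir-1"
+rlRun "touch test-dir-1/test-file-1"
+rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-dir-1/test-file-1"
+rlRun -s "getcap -r *"
+rlAssertGrep "^test-file-0.*cap_net_admin[+=]p\$" $rlRun_LOG -E
+rlAssertGrep "^test-dir-1/test-file-1.*cap_net_raw[+=]ei\$" $rlRun_LOG -E
+rlRun "rm -f test-file-0"
+rlRun "rm -rf test-dir-1"
+rlPhaseEnd
+
+rlPhaseStartTest "listing capabilities verbosely"
+rlRun "touch test-file-0"
+rlRun "mkdir test-dir-1"
+rlRun "touch test-dir-1/test-file-1"
+rlRun "touch test-dir-1/test-file-2"
+rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-dir-1/test-file-1"
+rlRun -s "getcap -v -r *"
+rlAssertGrep "^test-file-0.*cap_net_admin[+=]p\$" $rlRun_LOG -E
+rlAssertGrep "^test-dir-1/test-file-1.*cap_net_raw[+=]ei\$" $rlRun_LOG -E
+rlAssertGrep "^test-dir-1/test-file-2\$" $rlRun_LOG -E
+rlRun "rm -f test-file-0"
+rlRun "rm -rf test-dir-1"
+rlPhaseEnd
+
+rlPhaseStartTest "Should setcap print help"
+rlRun -s "setcap -h"
+rlAssertGrep "usage" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartTest "Should getcap print help"
+rlRun -s "getcap -h"
+rlAssertGrep "usage" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartTest "setcap should exit with 1 on invalid arguments"
+rlRun -s "setcap foo bar" 1
+rlAssertGrep "Invalid" $rlRun_LOG -i
+rlPhaseEnd
+rlPhaseStartTest "getcap should exit with 1 on invalid arguments"
+rlRun -s "getcap -f oo" 1
+rlAssertGrep "Invalid" $rlRun_LOG -i
+rlPhaseEnd
+
+rlPhaseStartCleanup
+rlRun "popd"
+rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+rlPhaseEnd
+rlJournalEnd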
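Review bot: Nothing in the setup phase stops the run when `mktemp -d` or `pushd` fails, and every later phase works on relative paths and a bare glob. `rlRun` records the failure and carries on, so `touch test-file-0`, `setcap … test-file-0`, `getcap -r *` and `rm -rf test-dir-1` would then act on whatever directory the test was started from, as root. I would make the scratch directory a hard precondition with `rlRun "pushd $TmpDir" || rlDie "cannot enter scratch directory"`. The `input` file written by the two stdin phases is also never removed, so it is still present when `getcap -r *` expands in the later phases.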
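--- a/tests/libcap-devel/main.fmf
+++ b/tests/libcap-devel/main.fmf
@@ -0,0 +1,2 @@
+summary: libcap-devel tests
+description: tests libcap-devel functionality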
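--- a/tests/libcap-devel/test.sh
+++ b/tests/libcap-devel/test.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+
+rlJournalStart
+rlPhaseStartSetup
+rlRun "gcc -lcap -lcmocka -Wall -g3 -o test-libcap test-libcap.c"
+rlPhaseEnd
+
+rlPhaseStartTest
+rlRun "./test-libcap"
+rlPhaseEnd
+
+rlPhaseStartCleanup
+rlRun "rm test-libcap"
+rlPhaseEnd
+rlJournalEnd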
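Review bot: In the setup phase the libraries are named before the source file in `gcc -lcap -lcmocka -Wall -g3 -o test-libcap test-libcap.c`. The linker resolves symbols left to right, so when `--as-needed` is in effect or a static archive is picked up, both libraries can be discarded before test-libcap.c references them and the link fails. `rlRun "gcc -Wall -g3 -o test-libcap test-libcap.c -lcap -lcmocka"` does not depend on the toolchain defaults. A failed build is also not fatal here: the test phase still runs `./test-libcap` and reports a second, less informative failure.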
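--- a/tests/main.fmf
+++ b/tests/main.fmf
@@ -0,0 +1,9 @@
+test: ./test.sh
+framework: beakerlib
+require:
+- libcap
+- libcap-devel
+- libcmocka
+- libcmocka-devel
+- gcc
+- iputils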
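Review bot: The `require:` list does not name a package that provides `man`, although tests/manpages/test.sh in this same change runs `man --pager=cat` for every page. On a minimal test image the manpages test would then fail for a missing tool rather than a missing page; adding `- man-db` makes the dependency explicit. The pam_cap and capsh tests rely on `su`, `useradd` and `userdel` in the same way, presumably assuming the base image ships them, which is worth confirming for the images these plans run on.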
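--- a/tests/manpages/main.fmf
+++ b/tests/manpages/main.fmf
@@ -0,0 +1,2 @@
+summary: man pages install smoke tests
+description: verify that the man pages are installed correctly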
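--- a/tests/manpages/test.sh
+++ b/tests/manpages/test.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+expected_manpages=(
+'capsh(1)'
+'libcap(3)' # there are many more but if these are present then it verifies it because of the glob install
+'libpsx(3)'
+'getcap(8)'
+'getpcaps(8)'
+'setcap(8)'
+'captree(8)'
+
+)
+
+rlJournalStart
+for page in "${expected_manpages[@]}"; do
+rlPhaseStartTest "test ${page}"
+rlRun "man --pager=cat '${page}'"
+rlPhaseEnd
+done
+rlJournalEnd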
@ -1,64 +0,0 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/libcap/Sanity/pam_cap-so-sanity-test
|
|
||||||
# Description: basic functionality test for pam_cap.so module
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
export TEST=/CoreOS/libcap/Sanity/pam_cap-so-sanity-test
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
BUILT_FILES=
|
|
||||||
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
|
|
||||||
.PHONY: all install download clean
|
|
||||||
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
|
|
||||||
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: basic functionality test for pam_cap.so module" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 5m" >> $(METADATA)
|
|
||||||
@echo "RunFor: libcap" >> $(METADATA)
|
|
||||||
@echo "Requires: libcap" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
|
||||||
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,5 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/libcap/Sanity/pam_cap-so-sanity-test
|
|
||||||
Description: basic functionality test for pam_cap.so module
|
|
||||||
Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
|
|
||||||
Test if a test user can be granted capabilities via pam_cap.so module.
|
|
@ -1,63 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# runtest.sh of /CoreOS/libcap/Sanity/pam_cap-so-sanity-test
|
|
||||||
# Description: basic functionality test for pam_cap.so module
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
# Include Beaker environment
|
|
||||||
. /usr/bin/rhts-environment.sh || exit 1
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
||||||
|
|
||||||
PACKAGE="libcap"
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
rlPhaseStartSetup
|
|
||||||
rlAssertRpm $PACKAGE
|
|
||||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
|
||||||
rlRun "pushd $TmpDir"
|
|
||||||
rlRun "useradd -m pam_cap_user"
|
|
||||||
rlRun "useradd -m pam_cap_user2"
|
|
||||||
rlFileBackup /etc/pam.d/su
|
|
||||||
[ -f /etc/security/capability.conf ] && rlFileBackup /etc/security/capability.conf
|
|
||||||
rlRun "echo -e 'cap_net_raw pam_cap_user\nnone *' > /etc/security/capability.conf"
|
|
||||||
rlRun "sed '1 s/^/auth required pam_cap.so/' -i /etc/pam.d/su" 0 "Configure pam_cap.so in /etc/pam.d/su"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest
|
|
||||||
rlRun "su - pam_cap_user -c 'getpcaps \$\$' &> user1.log"
|
|
||||||
rlAssertGrep "Capabilities for.* = cap_net_raw" user1.log -E
|
|
||||||
rlRun "su - pam_cap_user2 -c 'getpcaps \$\$' &> user2.log"
|
|
||||||
rlAssertNotGrep "cap_net_raw" user2.log
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
|
||||||
rlRun "userdel -r pam_cap_user"
|
|
||||||
rlRun "userdel -r pam_cap_user2"
|
|
||||||
rlFileRestore
|
|
||||||
rlRun "popd"
|
|
||||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
|
||||||
rlPhaseEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
rlJournalEnd
|
|
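--- a/tests/pam_cap/main.fmf
+++ b/tests/pam_cap/main.fmf
@@ -0,0 +1,2 @@
+summary: pam_cap.so tests
+description: tests pam_cap.so functionality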
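--- a/tests/pam_cap/test.sh
+++ b/tests/pam_cap/test.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+rlPhaseStartSetup
+rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+rlRun "pushd $TmpDir"
+rlRun "useradd -m pam_cap_user"
+rlRun "useradd -m pam_cap_user2"
+rlFileBackup /etc/pam.d/su
+[ -f /etc/security/capability.conf ] && rlFileBackup /etc/security/capability.conf
+rlRun "echo -e 'cap_net_raw pam_cap_user\nnone *' > /etc/security/capability.conf"
+rlRun "sed '1 s/^/auth required pam_cap.so/' -i /etc/pam.d/su" 0 "Configure pam_cap.so in /etc/pam.d/su"
+rlPhaseEnd
+
+rlPhaseStartTest "Should given pam_cap_user the cap_net_raw capability"
+rlRun -s "su - pam_cap_user -c 'getpcaps \$\$'"
+rlAssertGrep ".*cap_net_raw[+=].*" $rlRun_LOG -E
+rlPhaseEnd
+rlPhaseStartTest "The user pam_cap_user2 should not have the cap_net_raw capability"
+rlRun -s "su - pam_cap_user2 -c 'getpcaps \$\$'"
+rlAssertNotGrep "cap_net_raw" $rlRun_LOG
+rlPhaseEnd
+
+rlPhaseStartCleanup
+rlRun "userdel -r pam_cap_user"
+rlRun "userdel -r pam_cap_user2"
+rlFileRestore
+rlRun "popd"
+rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+rlPhaseEnd
+rlJournalEnd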
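Review bot: The setup phase edits live authentication configuration with two commands that do not restore it reliably. `[ -f /etc/security/capability.conf ] && rlFileBackup …` skips the backup when the file is absent, so the `cap_net_raw pam_cap_user` grant written on the next line would, as far as this script shows, survive `rlFileRestore`; `rlFileBackup --clean /etc/security/capability.conf` covers both the present and the absent case. The `sed '1 s/^/auth required pam_cap.so/'` line, as rendered here, prepends the rule to the existing first line of /etc/pam.d/su instead of inserting a line of its own, which only works while that line is a comment; `sed -i '1i auth required pam_cap.so' /etc/pam.d/su` does not depend on it. Both lines are carried over unchanged from the removed runtest.sh.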
@ -1,65 +0,0 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition
|
|
||||||
# Description: Test for BZ#1425490 (Missing libcap.pc)
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
export TEST=/CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
BUILT_FILES=
|
|
||||||
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
|
|
||||||
.PHONY: all install download clean
|
|
||||||
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
|
|
||||||
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: Test for BZ#1425490 (Missing libcap.pc)" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 5m" >> $(METADATA)
|
|
||||||
@echo "RunFor: libcap" >> $(METADATA)
|
|
||||||
@echo "Requires: libcap libcap-devel pkgconfig" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
@echo "Bug: 1425490" >> $(METADATA)
|
|
||||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA)
|
|
||||||
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,7 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition
|
|
||||||
Description: Test for BZ#1425490 (Missing libcap.pc)
|
|
||||||
Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
Bug summary: Missing libcap.pc
|
|
||||||
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1425490
|
|
||||||
|
|
||||||
Checking the presence and sanity of the libcap.pc file.
|
|
@ -1,62 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# runtest.sh of /CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition
|
|
||||||
# Description: Test for BZ#1425490 (Missing libcap.pc)
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
# Include Beaker environment
|
|
||||||
. /usr/bin/rhts-environment.sh || exit 1
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
||||||
|
|
||||||
PACKAGE="libcap"
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
rlPhaseStartSetup
|
|
||||||
rlAssertRpm $PACKAGE
|
|
||||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
|
||||||
rlRun "pushd $TmpDir"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest
|
|
||||||
rlRun "rpm -ql libcap-devel | grep libcap.pc" 0 "There must be libcap.pc"
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
PCFILE=$(rpm -ql libcap-devel | grep libcap.pc)
|
|
||||||
rlRun "pkg-config --libs libcap | grep -- '-lcap'"
|
|
||||||
VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
|
|
||||||
rlRun "pkg-config --modversion libcap | grep $VER"
|
|
||||||
rlRun -s "pkg-config --print-variables libcap"
|
|
||||||
rlAssertGrep "^prefix" $rlRun_LOG
|
|
||||||
rlAssertGrep "^exec_prefix" $rlRun_LOG
|
|
||||||
rlAssertGrep "^libdir" $rlRun_LOG
|
|
||||||
rlAssertGrep "^includedir" $rlRun_LOG
|
|
||||||
fi
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
|
||||||
rlRun "popd"
|
|
||||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
|
||||||
rlPhaseEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
rlJournalEnd
|
|
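--- /dev/null
+++ b/tests/pkg-configs/main.fmf
@@ -0,0 +1,2 @@
+summary: validates pkg-configs presence.
+description: ensures libcap.pc and libpsx.pc are installed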
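--- /dev/null
+++ b/tests/pkg-configs/test.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+rlPhaseStartSetup
+rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+rlRun "pushd $TmpDir"
+rlPhaseEnd
+
+rlPhaseStartTest "libcap pkg-config should be present and valid"
+rlRun "rpm -ql libcap-devel | grep libcap.pc" 0 "There must be libcap.pc"
+if [ $? -eq 0 ]; then
+PCFILE=$(rpm -ql libcap-devel | grep libcap.pc)
+rlRun "pkg-config --libs libcap | grep -- '-lcap'"
+VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
+rlRun "pkg-config --modversion libcap | grep $VER"
+rlRun -s "pkg-config --print-variables libcap"
+rlAssertGrep "^prefix" $rlRun_LOG
+rlAssertGrep "^exec_prefix" $rlRun_LOG
+rlAssertGrep "^libdir" $rlRun_LOG
+rlAssertGrep "^includedir" $rlRun_LOG
+fi
+rlPhaseEnd
+
+rlPhaseStartTest "libcap pkg-config should be present and valid"
+rlRun "rpm -ql libcap-devel | grep libpsx.pc" 0 "There must be libpsx.pc"
+if [ $? -eq 0 ]; then
+PCFILE=$(rpm -ql libcap-devel | grep libpsx.pc)
+rlRun "pkg-config --libs libpsx | grep -- '-lpsx -lpthread -Wl,-wrap,pthread_create'"
+VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
+rlRun "pkg-config --modversion libpsx | grep $VER"
+rlRun -s "pkg-config --print-variables libpsx"
+rlAssertGrep "^prefix" $rlRun_LOG
+rlAssertGrep "^exec_prefix" $rlRun_LOG
+rlAssertGrep "^libdir" $rlRun_LOG
+rlAssertGrep "^includedir" $rlRun_LOG
+fi
+rlPhaseEnd
+
+rlPhaseStartCleanup
+rlRun "popd"
+rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+rlPhaseEnd
+rlJournalEnd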
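Review bot: The second `rlPhaseStartTest` still carries the title "libcap pkg-config should be present and valid" although it checks libpsx.pc, so the journal has two identically named phases and a libpsx failure reads as a libcap one; it should be `rlPhaseStartTest "libpsx pkg-config should be present and valid"`. In both phases the version assertion `grep $VER` is an unquoted regex substring match, so a `Version:` of `2.4` would also accept `2.48`; `rlRun "pkg-config --modversion libcap | grep -Fx -- '$VER'"` (and the libpsx equivalent) pins the exact string. The lookups `grep libcap.pc` and `grep libpsx.pc` are similarly loose and can put more than one path into the unquoted `$PCFILE`; anchoring them as `grep '/libcap\.pc$'` and quoting `"$PCFILE"` in the awk call would make the check deterministic.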
@ -1,46 +0,0 @@
|
|||||||
# SPDX-License-Identifier: LGPL-2.1+
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/libcap
|
|
||||||
# Description: Test if libcap working ok
|
|
||||||
# Author: Susant Sahani<susant@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
export TEST=/CoreOS/libcap
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
OBJS = test-libcap.c
|
|
||||||
CFLAG = -Wall -g3
|
|
||||||
CC = gcc
|
|
||||||
LIBS = -lcap -lcmocka
|
|
||||||
|
|
||||||
test-libcap:${OBJ}
|
|
||||||
${CC} ${CFLAGS} ${INCLUDES} -o $@ ${OBJS} ${LIBS}
|
|
||||||
|
|
||||||
run: test-libcap
|
|
||||||
./runtest.sh
|
|
||||||
clean:
|
|
||||||
-rm -f *~ test-libcap
|
|
||||||
|
|
||||||
.c.o:
|
|
||||||
${CC} ${CFLAGS} ${INCLUDES} -c $<
|
|
||||||
|
|
||||||
CC = gcc
|
|
||||||
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Susant Sahani<susant@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: Test libcap works ok" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 5m" >> $(METADATA)
|
|
||||||
@echo "RunFor: libcap" >> $(METADATA)
|
|
||||||
@echo "Requires: libcap libcap-devel" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
@echo "Releases: -Fedora 29" >> $(METADATA)
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,34 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# SPDX-License-Identifier: LGPL-2.1+
|
|
||||||
# ~~~
|
|
||||||
# runtest.sh of libcap
|
|
||||||
# Description: Tests for libcap
|
|
||||||
#
|
|
||||||
# Author: Susant Sahani <susant@redhat.com>
|
|
||||||
# Copyright (c) 2018 Red Hat, Inc.
|
|
||||||
# ~~~
|
|
||||||
|
|
||||||
# Include Beaker environment
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
||||||
|
|
||||||
PACKAGE="libcap"
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
rlPhaseStartSetup
|
|
||||||
rlAssertRpm $PACKAGE
|
|
||||||
rlRun "cp test-libcap /usr/bin/"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest
|
|
||||||
rlLog "Starting libcap tests ..."
|
|
||||||
rlRun "/usr/bin/test-libcap"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
|
||||||
rlRun "rm /usr/bin/test-libcap"
|
|
||||||
rlLog "libcap tests done"
|
|
||||||
rlPhaseEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
rlJournalEnd
|
|
||||||
|
|
||||||
rlGetTestState
|
|
@ -1,64 +0,0 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/libcap/Sanity/setcap-getcap-basic-functionality
|
|
||||||
# Description: test basic functionality
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
export TEST=/CoreOS/libcap/Sanity/setcap-getcap-basic-functionality
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
BUILT_FILES=
|
|
||||||
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
|
|
||||||
.PHONY: all install download clean
|
|
||||||
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
|
|
||||||
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: test basic functionality" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 5m" >> $(METADATA)
|
|
||||||
@echo "RunFor: libcap" >> $(METADATA)
|
|
||||||
@echo "Requires: libcap" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
|
||||||
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,3 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/libcap/Sanity/setcap-getcap-basic-functionality
|
|
||||||
Description: test basic functionality
|
|
||||||
Author: Karel Srot <ksrot@redhat.com>
|
|
@ -1,98 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# runtest.sh of /CoreOS/libcap/Sanity/setcap-getcap-basic-functionality
|
|
||||||
# Description: test basic functionality
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
# Include Beaker environment
|
|
||||||
. /usr/bin/rhts-environment.sh || exit 1
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
||||||
|
|
||||||
PACKAGE="libcap"
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
rlPhaseStartSetup
|
|
||||||
rlAssertRpm $PACKAGE
|
|
||||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
|
||||||
rlRun "pushd $TmpDir"
|
|
||||||
rlRun "mkdir mydir && touch file1 mydir/file2 mydir/file3"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "set and get capabilities"
|
|
||||||
rlRun "setcap cap_net_admin+p file1 cap_net_raw+ei mydir/file2"
|
|
||||||
rlRun -s "getcap file1 mydir/file2"
|
|
||||||
rlAssertGrep "file1 = cap_net_admin+p" $rlRun_LOG
|
|
||||||
rlAssertGrep "mydir/file2 = cap_net_raw+ei" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "set capabilities via stdin"
|
|
||||||
rlRun "echo -e 'cap_net_raw+p\ncap_net_admin+p' > input"
|
|
||||||
rlRun -s "setcap - mydir/file3 < input"
|
|
||||||
rlAssertGrep "Please enter caps for file \[empty line to end\]:" $rlRun_LOG
|
|
||||||
rlRun "getcap mydir/file3 | grep 'mydir/file3 = cap_net_admin,cap_net_raw+p'"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "set capabilities quietly via stdin"
|
|
||||||
rlRun "echo -e 'cap_net_raw+p' > input"
|
|
||||||
rlRun -s "setcap -q - mydir/file3 < input"
|
|
||||||
rlAssertNotGrep "Please enter caps for file" $rlRun_LOG
|
|
||||||
rlRun "getcap mydir/file3 | grep 'mydir/file3 = cap_net_raw+p'"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "remove capabilities"
|
|
||||||
rlRun "setcap -r mydir/file3"
|
|
||||||
rlRun "getcap | grep file3" 1 "There should be no capabilities listed for file1"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "listing capabilities recursively"
|
|
||||||
rlRun -s "getcap -r *"
|
|
||||||
rlAssertGrep "file1 = cap_net_admin+p" $rlRun_LOG
|
|
||||||
rlAssertGrep "mydir/file2 = cap_net_raw+ei" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "listing capabilities verbosely"
|
|
||||||
rlRun -s "getcap -v mydir/*"
|
|
||||||
rlAssertGrep "mydir/file2 = cap_net_raw+ei" $rlRun_LOG
|
|
||||||
rlAssertGrep "mydir/file3\$" $rlRun_LOG -E
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "print help"
|
|
||||||
rlRun "setcap -h | grep 'usage: setcap'" 1
|
|
||||||
rlRun "getcap -h | grep 'usage: getcap'" 1
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "exit with 1 on error"
|
|
||||||
rlRun -s "setcap foo bar" 1
|
|
||||||
rlAssertGrep "fatal error: Invalid argument" $rlRun_LOG
|
|
||||||
rlRun -s "getcap -f oo" 1
|
|
||||||
rlAssertGrep "getcap: invalid option -- 'f'" $rlRun_LOG
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
|
||||||
rlRun "popd"
|
|
||||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
|
||||||
rlPhaseEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
rlJournalEnd
|
|
@ -1,28 +0,0 @@
|
|||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-beakerlib
|
|
||||||
tags:
|
|
||||||
- classic
|
|
||||||
- container
|
|
||||||
tests:
|
|
||||||
- sanity-tests
|
|
||||||
- pam_cap-so-sanity-test
|
|
||||||
- setcap-getcap-basic-functionality
|
|
||||||
required_packages:
|
|
||||||
- libcap # libcap package required for all tests
|
|
||||||
- libcap-devel
|
|
||||||
- libcmocka
|
|
||||||
- libcmocka-devel
|
|
||||||
- gcc
|
|
||||||
- iputils # ping command required for capsh-basic-functionality
|
|
||||||
|
|
||||||
# Tests that run in atomic
|
|
||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-beakerlib
|
|
||||||
tags:
|
|
||||||
- atomic
|
|
||||||
tests:
|
|
||||||
- capsh-basic-functionality
|
|
||||||
- pam_cap-so-sanity-test
|
|
||||||
- setcap-getcap-basic-functionality
|
|