2 * Copyright (c) 2017 Jan Kokemüller
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include <sys/param.h>
#include <sys/capsicum.h>
#include <sys/socket.h>
#include <sys/sysctl.h>

#include <netinet/in.h>
#include <arpa/inet.h>

#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>

#include <atf-c.h>
#include "freebsd_test_suite/macros.h"
/*
 * Directory descriptor for "/" that the open() wrapper below uses to turn
 * absolute paths into openat() calls.  Stays -1 until it has been opened
 * (with O_EXEC | O_CLOEXEC) by the test precondition code further down.
 */
static int rootfd = -1;
/*
 * circumvent bug 215690
 *
 * This definition interposes libc's open() for the test binary: any
 * absolute path is reopened relative to rootfd (once that has been set up)
 * by stripping the leading '/', everything else goes through AT_FDCWD as
 * usual.  The optional third argument is only consulted when O_CREAT is
 * set, matching the open(2) contract.
 */
int
open(const char *path, int flags, ...)
{
	mode_t mode = 0;

	/* mode_t is promoted to int through the variadic call, hence the cast. */
	if (flags & O_CREAT) {
		va_list ap;

		va_start(ap, flags);
		mode = (mode_t) va_arg(ap, int);
		va_end(ap);
	}

	/* Only redirect once rootfd is valid; before that behave like open(2). */
	if (path != NULL && path[0] == '/' && rootfd >= 0)
		return (openat(rootfd, path + 1, flags, mode));

	return (openat(AT_FDCWD, path, flags, mode));
}
/*
 * NOTE(review): the function header enclosing these statements is not
 * visible in this excerpt.  They require both Capsicum features the tests
 * depend on, then open "/" as an O_EXEC | O_CLOEXEC directory descriptor
 * so the open() wrapper above can redirect absolute paths through it.
 */
ATF_REQUIRE_FEATURE("security_capabilities");
ATF_REQUIRE_FEATURE("security_capability_mode");
/* Must succeed: every later open("/...") depends on rootfd being valid. */
ATF_REQUIRE((rootfd = open("/", O_EXEC | O_CLOEXEC)) >= 0);
78 typedef int (*socket_fun)(int, const struct sockaddr *, socklen_t);
/*
 * connect(2)-shaped adapter around connectat(2) so the *at variant can be
 * passed wherever a socket_fun is expected; always uses AT_FDCWD.
 */
static int
connectat_fdcwd(int s, const struct sockaddr *name, socklen_t namelen)
{
	int rc;

	rc = connectat(AT_FDCWD, s, name, namelen);
	return (rc);
}
/*
 * bind(2)-shaped adapter around bindat(2) so the *at variant can be passed
 * wherever a socket_fun is expected; always uses AT_FDCWD.
 */
static int
bindat_fdcwd(int s, const struct sockaddr *name, socklen_t namelen)
{
	int rc;

	rc = bindat(AT_FDCWD, s, name, namelen);
	return (rc);
}
ATF_TC(bindat_connectat_1);
ATF_TC_HEAD(bindat_connectat_1, tc)
{
	/* Baseline outside capability mode: no Capsicum error is expected. */
	atf_tc_set_md_var(tc, "descr",
	    "Verify that connect/bind work in normal case");
}
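/*
 * Baseline probe for one bind/connect variant outside capability mode.
 *
 * f    - the bind/connect variant under test
 * s    - ignored; a fresh AF_INET stream socket is created here so that
 *        every variant is exercised on its own descriptor
 * name - IPv4 address handed to f
 *
 * Asserts that f fails with EAFNOSUPPORT, i.e. the call was not blocked by
 * Capsicum but reached the protocol layer (the callers pass a multicast
 * address precisely so the protocol layer rejects it).  The socket is
 * closed before returning instead of being leaked, one per call.
 */
static void
check_1(socket_fun f, int s, const struct sockaddr_in *name)
{
	const struct sockaddr *sa = (const struct sockaddr *)name;

	ATF_REQUIRE((s = socket(AF_INET, SOCK_STREAM, 0)) >= 0);
	ATF_REQUIRE_ERRNO(EAFNOSUPPORT,
	    f(s, sa, sizeof(struct sockaddr_in)) < 0);
	/* Nothing reuses this descriptor; release it. */
	ATF_REQUIRE(close(s) == 0);
}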
ATF_TC_BODY(bindat_connectat_1, tc)
{
	/*
	 * Port 0 and the multicast address 224.0.0.0; all other members are
	 * zero, exactly as a memset() followed by these assignments would
	 * leave them.
	 */
	struct sockaddr_in sin = {
		.sin_family = AF_INET,
		.sin_port = htons(0),
		.sin_addr = { .s_addr = htonl(0xE0000000) },
	};

	/* Both *at adapters and the plain syscalls must behave the same. */
	check_1(bindat_fdcwd, 0, &sin);
	check_1(bind, 0, &sin);
	check_1(connectat_fdcwd, 0, &sin);
	check_1(connect, 0, &sin);
}
ATF_TC(bindat_connectat_2);
ATF_TC_HEAD(bindat_connectat_2, tc)
{
	/* Capability mode must refuse the calls even on a fully-privileged socket. */
	atf_tc_set_md_var(tc, "descr",
	    "Verify that connect/bind are disabled in cap-mode");
}
/*
 * Probe used inside capability mode.
 *
 * f    - the bind/connect variant under test
 * s    - caller-owned socket (created by the caller after cap_enter())
 * name - IPv4 address handed to f
 *
 * Asserts that f is refused with ECAPMODE; the socket is left open for the
 * caller, which reuses it across several variants.
 */
static void
check_2(socket_fun f, int s, const struct sockaddr_in *name)
{
	const struct sockaddr *sa = (const struct sockaddr *)name;

	ATF_REQUIRE_ERRNO(ECAPMODE,
	    f(s, sa, sizeof(struct sockaddr_in)) < 0);
}
ATF_TC_BODY(bindat_connectat_2, tc)
{
	struct sockaddr_in sin;
	/*
	 * NOTE(review): the declaration of `sock` used below is not visible
	 * in this excerpt; confirm it against the full file.
	 */

	/* Everything after this point runs in capability mode. */
	ATF_REQUIRE(cap_enter() >= 0);

	/* note: sock is created _after_ cap_enter() and contains all rights */
	ATF_REQUIRE((sock = socket(AF_INET, SOCK_STREAM, 0)) >= 0);

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	/*
	 * dummy port and multicast address (224.0.0.0) to distinguish two
	 * cases:
	 * - ECAPMODE/ENOTCAPABLE --> call blocked by capsicum
	 * - EAFNOSUPPORT --> call went through to protocol layer
	 */
	sin.sin_port = htons(0);
	sin.sin_addr.s_addr = htonl(0xE0000000);

	/* sock carries all rights, so only capability mode can make these fail. */
	check_2(bindat_fdcwd, sock, &sin);
	check_2(bind, sock, &sin);
	check_2(connectat_fdcwd, sock, &sin);
	check_2(connect, sock, &sin);
}
ATF_TC(bindat_connectat_3);
ATF_TC_HEAD(bindat_connectat_3, tc)
{
	/* Least-privilege check: removing the one relevant right must break the call. */
	atf_tc_set_md_var(tc, "descr",
	    "Check that taking away CAP_BIND/CAP_CONNECT "
	    "sabotages bind/connect");
}
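/*
 * Least-privilege probe for one bind/connect variant.
 *
 * f          - the bind/connect variant under test
 * s          - ignored; a fresh AF_INET stream socket is created here
 * name       - IPv4 address handed to f
 * rights     - rights the socket is limited to first; MODIFIED IN PLACE by
 *              cap_rights_remove() below, so callers must not reuse it
 *              expecting the original set
 * sub_rights - the single right whose removal must make f fail
 *
 * With `rights` in place f must reach the protocol layer (EAFNOSUPPORT);
 * after `sub_rights` has been removed from the descriptor the same call must
 * be refused with ENOTCAPABLE.  Rights on a descriptor can only be narrowed,
 * so the second cap_rights_limit() tightens the already-limited socket.  The
 * socket is closed before returning instead of being leaked, one per call.
 */
static void
check_3(socket_fun f, int s, const struct sockaddr_in *name,
    cap_rights_t *rights, cap_rights_t *sub_rights)
{
	const struct sockaddr *sa = (const struct sockaddr *)name;

	ATF_REQUIRE((s = socket(AF_INET, SOCK_STREAM, 0)) >= 0);
	ATF_REQUIRE(cap_rights_limit(s, rights) >= 0);
	ATF_REQUIRE_ERRNO(EAFNOSUPPORT,
	    f(s, sa, sizeof(struct sockaddr_in)) < 0);

	/* cap_rights_remove() strips sub_rights out of *rights and returns rights. */
	ATF_REQUIRE(cap_rights_limit(s,
	    cap_rights_remove(rights, sub_rights)) >= 0);
	ATF_REQUIRE_ERRNO(ENOTCAPABLE,
	    f(s, sa, sizeof(struct sockaddr_in)) < 0);

	/* Nothing reuses this descriptor; release it. */
	ATF_REQUIRE(close(s) == 0);
}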
ATF_TC_BODY(bindat_connectat_3, tc)
{
	struct sockaddr_in sin;
	cap_rights_t rights, sub_rights;

	/* Same dummy port / multicast address as the other test bodies. */
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(0);
	sin.sin_addr.s_addr = htonl(0xE0000000);

	/*
	 * rights is re-initialised before every call because check_3 narrows
	 * it in place via cap_rights_remove().  Server-side calls start from
	 * CAP_SOCK_SERVER and lose CAP_BIND; client-side calls start from
	 * CAP_SOCK_CLIENT and lose CAP_CONNECT.
	 */
	check_3(bindat_fdcwd, 0, &sin,
	    cap_rights_init(&rights, CAP_SOCK_SERVER),
	    cap_rights_init(&sub_rights, CAP_BIND));
	check_3(bind, 0, &sin,
	    cap_rights_init(&rights, CAP_SOCK_SERVER),
	    cap_rights_init(&sub_rights, CAP_BIND));
	check_3(connectat_fdcwd, 0, &sin,
	    cap_rights_init(&rights, CAP_SOCK_CLIENT),
	    cap_rights_init(&sub_rights, CAP_CONNECT));
	check_3(connect, 0, &sin,
	    cap_rights_init(&rights, CAP_SOCK_CLIENT),
	    cap_rights_init(&sub_rights, CAP_CONNECT));
}
/*
 * NOTE(review): the enclosing test-program registration function is not
 * visible in this excerpt.  These lines register the three test cases
 * defined above and report success to the ATF runner.
 */
ATF_TP_ADD_TC(tp, bindat_connectat_1);
ATF_TP_ADD_TC(tp, bindat_connectat_2);
ATF_TP_ADD_TC(tp, bindat_connectat_3);
return (atf_no_error());