2 * Copyright (c) 2013 The FreeBSD Foundation
5 * This software was developed by Pawel Jakub Dawidek under sponsorship from
6 * the FreeBSD Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
33 #include <sys/capsicum.h>
35 #include <arpa/inet.h>
36 #include <netinet/in.h>
47 #include <libcasper.h>
49 #include <casper/cap_dns.h>
/*
 * Test-result macros. Both print an "ok N file:line" or "not ok N file:line"
 * line using the ntest counter, so every CHECK/CHECKX in the file yields one
 * numbered result. How expr is evaluated, and what CHECKX does differently
 * from CHECK, is on lines this listing omits.
 */
53 #define CHECK(expr) do { \
55 printf("ok %d %s:%u\n", ntest, __FILE__, __LINE__); \
57 printf("not ok %d %s:%u\n", ntest, __FILE__, __LINE__); \
60 #define CHECKX(expr) do { \
62 printf("ok %d %s:%u\n", ntest, __FILE__, __LINE__); \
64 printf("not ok %d %s:%u\n", ntest, __FILE__, __LINE__); \
/*
 * Result bits OR-ed together by runtest(): one flag per lookup variant, set
 * when hostent_compare() accepts the pair (system resolver answer, Casper DNS
 * channel answer) for that variant. The expected masks in the test body are
 * built from these flags.
 */
70 #define GETHOSTBYNAME 0x01
71 #define GETHOSTBYNAME2_AF_INET 0x02
72 #define GETHOSTBYNAME2_AF_INET6 0x04
73 #define GETHOSTBYADDR_AF_INET 0x08
74 #define GETHOSTBYADDR_AF_INET6 0x10
/*
 * One-directional comparison of two NULL-terminated alias arrays: for each
 * string in aliases0 the inner loop scans aliases1 for a strcmp() match, and
 * the test after the inner loop detects that the scan reached the terminating
 * NULL without finding one. Both-NULL and exactly-one-NULL inputs are
 * special-cased before the loops.
 * The return statements and the inner loop's exit are on lines this listing
 * omits. hostent_compare() calls this function twice with the arguments
 * swapped, which is what makes the overall check symmetric.
 */
77 hostent_aliases_compare(char **aliases0, char **aliases1)
81 if (aliases0 == NULL && aliases1 == NULL)
83 if (aliases0 == NULL || aliases1 == NULL)
86 for (i0 = 0; aliases0[i0] != NULL; i0++) {
87 for (i1 = 0; aliases1[i1] != NULL; i1++) {
88 if (strcmp(aliases0[i0], aliases1[i1]) == 0)
91 if (aliases1[i1] == NULL)
/*
 * One-directional comparison of two NULL-terminated address arrays: for each
 * entry in addr_list0 the inner loop scans addr_list1 for an entry whose
 * first `length` bytes are equal (memcmp). Both-NULL and exactly-one-NULL
 * inputs are special-cased first; the return statements are on lines this
 * listing omits.
 * NOTE(review): length is an int that memcmp() converts to size_t, and the
 * visible code does not reject a negative or oversized value. The function
 * therefore relies on the caller passing the real per-address length for
 * both lists - confirm at the call sites.
 */
99 hostent_addr_list_compare(char **addr_list0, char **addr_list1, int length)
103 if (addr_list0 == NULL && addr_list1 == NULL)
105 if (addr_list0 == NULL || addr_list1 == NULL)
108 for (i0 = 0; addr_list0[i0] != NULL; i0++) {
109 for (i1 = 0; addr_list1[i1] != NULL; i1++) {
110 if (memcmp(addr_list0[i0], addr_list1[i1], length) == 0)
113 if (addr_list1[i1] == NULL)
/*
 * Field-by-field comparison of two hostent results: h_name, the alias lists
 * (checked in both directions), h_addrtype, h_length and the address lists
 * (also in both directions). The return statements and the third argument of
 * the address-list calls are on lines this listing omits.
 */
121 hostent_compare(const struct hostent *hp0, const struct hostent *hp1)
/*
 * NOTE(review): this first test is asymmetric - it singles out "hp0 is NULL
 * but hp1 is not" before the general either-is-NULL test below. In runtest()
 * hp0 is the system resolver's answer and hp1 the Casper channel's, so
 * confirm how "system lookup failed, capability lookup succeeded" is scored;
 * the outcome of both branches is not visible here.
 */
124 if (hp0 == NULL && hp1 != NULL)
127 if (hp0 == NULL || hp1 == NULL)
/* Names are compared only when at least one side has one. */
130 if (hp0->h_name != NULL || hp1->h_name != NULL) {
131 if (hp0->h_name == NULL || hp1->h_name == NULL)
133 if (strcmp(hp0->h_name, hp1->h_name) != 0)
/* Each list helper is one-directional, so it is called both ways round. */
137 if (!hostent_aliases_compare(hp0->h_aliases, hp1->h_aliases))
139 if (!hostent_aliases_compare(hp1->h_aliases, hp0->h_aliases))
142 if (hp0->h_addrtype != hp1->h_addrtype)
/* h_length is checked for equality before the address bytes are compared. */
145 if (hp0->h_length != hp1->h_length)
148 if (!hostent_addr_list_compare(hp0->h_addr_list, hp1->h_addr_list,
152 if (!hostent_addr_list_compare(hp1->h_addr_list, hp0->h_addr_list,
/*
 * Runs five lookups twice each - once through the system resolver (hps) and
 * once through the Casper DNS channel capdns (hpc) - and sets one result bit
 * per variant for which hostent_compare(hps, hpc) is true. The caller
 * compares the returned mask with the set of lookups the channel's limits
 * should still allow.
 *
 * Caveats for anyone relying on this test:
 *  - It needs working DNS for example.com and for the two hard-coded
 *    addresses, which are documented as correct "as of 27 October 2013"; a
 *    changed or missing record alters the mask independently of Casper.
 *  - NOTE(review): the gethostby*() family returns resolver-owned storage;
 *    the comparison assumes the following cap_*() call does not reuse it -
 *    confirm.
 *  - The conditions guarding the fprintf() diagnostics and the declaration
 *    and return of result are on lines this listing omits.
 */
161 runtest(cap_channel_t *capdns)
164 struct hostent *hps, *hpc;
/* Forward lookup, default family. */
170 hps = gethostbyname("example.com");
172 fprintf(stderr, "Unable to resolve %s IPv4.\n", "example.com");
173 hpc = cap_gethostbyname(capdns, "example.com");
174 if (hostent_compare(hps, hpc))
175 result |= GETHOSTBYNAME;
/* Forward lookup, explicitly AF_INET. */
177 hps = gethostbyname2("example.com", AF_INET);
179 fprintf(stderr, "Unable to resolve %s IPv4.\n", "example.com");
180 hpc = cap_gethostbyname2(capdns, "example.com", AF_INET);
181 if (hostent_compare(hps, hpc))
182 result |= GETHOSTBYNAME2_AF_INET;
/* Forward lookup, explicitly AF_INET6. */
184 hps = gethostbyname2("example.com", AF_INET6);
186 fprintf(stderr, "Unable to resolve %s IPv6.\n", "example.com");
187 hpc = cap_gethostbyname2(capdns, "example.com", AF_INET6);
188 if (hostent_compare(hps, hpc))
189 result |= GETHOSTBYNAME2_AF_INET6;
192 * 8.8.178.135 is IPv4 address of freefall.freebsd.org
193 * as of 27 October 2013.
/*
 * Reverse lookup, AF_INET. The inet_pton() return value is not checked on
 * the visible line; the input is a literal, so only a typo could make it
 * fail.
 */
195 inet_pton(AF_INET, "8.8.178.135", &ip4);
196 hps = gethostbyaddr(&ip4, sizeof(ip4), AF_INET);
198 fprintf(stderr, "Unable to resolve %s.\n", "8.8.178.135");
199 hpc = cap_gethostbyaddr(capdns, &ip4, sizeof(ip4), AF_INET);
200 if (hostent_compare(hps, hpc))
201 result |= GETHOSTBYADDR_AF_INET;
204 * 2001:1900:2254:206c::16:87 is IPv6 address of freefall.freebsd.org
205 * as of 27 October 2013.
/* Reverse lookup, AF_INET6; inet_pton() is again unchecked. */
207 inet_pton(AF_INET6, "2001:1900:2254:206c::16:87", &ip6);
208 hps = gethostbyaddr(&ip6, sizeof(ip6), AF_INET6);
210 fprintf(stderr, "Unable to resolve %s.\n",
211 "2001:1900:2254:206c::16:87");
213 hpc = cap_gethostbyaddr(capdns, &ip6, sizeof(ip6), AF_INET6);
214 if (hostent_compare(hps, hpc))
215 result |= GETHOSTBYADDR_AF_INET6;
/*
 * Set-up and baseline. capcas is checked for NULL (its assignment is on a
 * line this listing omits), the "system.dns" service channel is opened
 * through it, and runtest() on the still-unlimited channel must report all
 * five lookups. origcapdns keeps that unlimited channel so that each later
 * scenario can cap_clone() a fresh copy and apply limits to the clone only.
 * NOTE(review): holding an unlimited channel for the whole run suits a test;
 * code that wants least privilege would keep only a limited channel.
 */
223 cap_channel_t *capcas, *capdns, *origcapdns;
224 const char *types[2];
230 CHECKX(capcas != NULL);
232 origcapdns = capdns = cap_service_open(capcas, "system.dns");
233 CHECKX(capdns != NULL);
239 CHECK(runtest(capdns) ==
240 (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYNAME2_AF_INET6 |
241 GETHOSTBYADDR_AF_INET | GETHOSTBYADDR_AF_INET6));
/*
 * Scenario: a clone limited to two lookup types and to both address
 * families. The types[] entries are assigned on lines this listing omits.
 * Both limit calls must succeed and all five lookups must still be reported,
 * so these limits are expected to take nothing away.
 */
246 * family: AF_INET, AF_INET6
249 capdns = cap_clone(origcapdns);
250 CHECK(capdns != NULL);
254 CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
255 families[0] = AF_INET;
256 families[1] = AF_INET6;
257 CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
259 CHECK(runtest(capdns) ==
260 (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYNAME2_AF_INET6 |
261 GETHOSTBYADDR_AF_INET | GETHOSTBYADDR_AF_INET6));
/*
 * Scenario: one lookup type, both address families. After the first
 * cap_dns_type_limit() succeeds, the two follow-up calls (a two-entry list,
 * then another one-entry list; the types[] values are set on omitted lines)
 * must fail with ENOTCAPABLE. The expected mask holds only the three
 * forward-lookup flags, so reverse lookups through this clone must not be
 * reported.
 */
268 * family: AF_INET, AF_INET6
271 capdns = cap_clone(origcapdns);
272 CHECK(capdns != NULL);
275 CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
277 CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
278 errno == ENOTCAPABLE);
280 CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
281 errno == ENOTCAPABLE);
282 families[0] = AF_INET;
283 families[1] = AF_INET6;
284 CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
286 CHECK(runtest(capdns) ==
287 (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYNAME2_AF_INET6));
/*
 * Scenario: one lookup type, both address families, mirroring the
 * forward-only case. The first cap_dns_type_limit() must succeed and the two
 * follow-up calls must fail with ENOTCAPABLE (types[] values are set on
 * omitted lines). The expected mask holds only the two reverse-lookup flags,
 * so forward lookups through this clone must not be reported.
 */
294 * family: AF_INET, AF_INET6
297 capdns = cap_clone(origcapdns);
298 CHECK(capdns != NULL);
301 CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
303 CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
304 errno == ENOTCAPABLE);
306 CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
307 errno == ENOTCAPABLE);
308 families[0] = AF_INET;
309 families[1] = AF_INET6;
310 CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
312 CHECK(runtest(capdns) ==
313 (GETHOSTBYADDR_AF_INET | GETHOSTBYADDR_AF_INET6));
/*
 * Scenario: two lookup types, AF_INET only. Once the family limit is set to
 * {AF_INET}, widening it to {AF_INET, AF_INET6} and replacing it with
 * {AF_INET6} must both fail with ENOTCAPABLE. Only the IPv4 forward and
 * reverse lookups are expected in the result.
 */
323 capdns = cap_clone(origcapdns);
324 CHECK(capdns != NULL);
328 CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
329 families[0] = AF_INET;
330 CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
331 families[1] = AF_INET6;
332 CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
333 errno == ENOTCAPABLE);
334 families[0] = AF_INET6;
335 CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
336 errno == ENOTCAPABLE);
338 CHECK(runtest(capdns) ==
339 (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYADDR_AF_INET));
/*
 * Scenario: two lookup types, AF_INET6 only. Once the family limit is set to
 * {AF_INET6}, the calls with {AF_INET6, AF_INET} and with {AF_INET} must both
 * fail with ENOTCAPABLE. Only the IPv6 forward and reverse lookups are
 * expected; the plain GETHOSTBYNAME flag is absent from the mask.
 */
349 capdns = cap_clone(origcapdns);
350 CHECK(capdns != NULL);
354 CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
355 families[0] = AF_INET6;
356 CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
357 families[1] = AF_INET;
358 CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
359 errno == ENOTCAPABLE);
360 families[0] = AF_INET;
361 CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
362 errno == ENOTCAPABLE);
364 CHECK(runtest(capdns) ==
365 (GETHOSTBYNAME2_AF_INET6 | GETHOSTBYADDR_AF_INET6));
/*
 * Scenario: narrowing in two steps. The clone is first limited to two types
 * and both families, then narrowed to one type and to {AF_INET}. Each
 * narrowing call must succeed; each later call with a wider or different
 * list must fail with ENOTCAPABLE. The expected result is the IPv4 forward
 * lookups only. The types[] values are assigned on lines this listing omits.
 */
369 /* Below we also test further limiting capability. */
377 capdns = cap_clone(origcapdns);
378 CHECK(capdns != NULL);
382 CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
383 families[0] = AF_INET;
384 families[1] = AF_INET6;
385 CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
387 CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
389 CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
390 errno == ENOTCAPABLE);
392 CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
393 errno == ENOTCAPABLE);
394 families[0] = AF_INET;
395 CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
396 families[1] = AF_INET6;
397 CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
398 errno == ENOTCAPABLE);
399 families[0] = AF_INET6;
400 CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
401 errno == ENOTCAPABLE);
403 CHECK(runtest(capdns) == (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET));
/*
 * Scenario: narrowing in two steps down to one type and {AF_INET6}. The
 * initial two-type, two-family limits and each narrowing call must succeed;
 * the later calls with a wider or different list must fail with ENOTCAPABLE.
 * The expected result is the single flag GETHOSTBYNAME2_AF_INET6.
 */
413 capdns = cap_clone(origcapdns);
414 CHECK(capdns != NULL);
418 CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
419 families[0] = AF_INET;
420 families[1] = AF_INET6;
421 CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
423 CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
425 CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
426 errno == ENOTCAPABLE);
428 CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
429 errno == ENOTCAPABLE);
430 families[0] = AF_INET6;
431 CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
432 families[1] = AF_INET;
433 CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
434 errno == ENOTCAPABLE);
435 families[0] = AF_INET;
436 CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
437 errno == ENOTCAPABLE);
439 CHECK(runtest(capdns) == GETHOSTBYNAME2_AF_INET6);
/*
 * Scenario: narrowing in two steps down to one type and {AF_INET}, this time
 * expecting the reverse lookup. The initial limits and each narrowing call
 * must succeed; the later calls with a wider or different list must fail
 * with ENOTCAPABLE. The expected result is the single flag
 * GETHOSTBYADDR_AF_INET.
 */
449 capdns = cap_clone(origcapdns);
450 CHECK(capdns != NULL);
454 CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
455 families[0] = AF_INET;
456 families[1] = AF_INET6;
457 CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
459 CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
461 CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
462 errno == ENOTCAPABLE);
464 CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
465 errno == ENOTCAPABLE);
466 families[0] = AF_INET;
467 CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
468 families[1] = AF_INET6;
469 CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
470 errno == ENOTCAPABLE);
471 families[0] = AF_INET6;
472 CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
473 errno == ENOTCAPABLE);
475 CHECK(runtest(capdns) == GETHOSTBYADDR_AF_INET);
/*
 * Scenario: narrowing in two steps down to one type and {AF_INET6}, expecting
 * the reverse lookup. The initial limits and each narrowing call must
 * succeed; the later calls with a wider or different list must fail with
 * ENOTCAPABLE. The expected result is the single flag GETHOSTBYADDR_AF_INET6.
 */
485 capdns = cap_clone(origcapdns);
486 CHECK(capdns != NULL);
490 CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
491 families[0] = AF_INET;
492 families[1] = AF_INET6;
493 CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
495 CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
497 CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
498 errno == ENOTCAPABLE);
500 CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
501 errno == ENOTCAPABLE);
502 families[0] = AF_INET6;
503 CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
504 families[1] = AF_INET;
505 CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
506 errno == ENOTCAPABLE);
507 families[0] = AF_INET;
508 CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
509 errno == ENOTCAPABLE);
511 CHECK(runtest(capdns) == GETHOSTBYADDR_AF_INET6);
/*
 * Scenario: attempts to widen an already narrow channel. The clone is limited
 * to one type and {AF_INET}; every later call must then fail with
 * ENOTCAPABLE: a two-entry type list, a two-family list, another one-entry
 * type list, {AF_INET6}, and finally an empty list (NULL, 0) for both types
 * and families. The empty-list case matters most: the test expects it to be
 * rejected, not treated as "no restriction". The closing runtest() confirms
 * that the failed calls left the original limits in force.
 */
515 /* Trying to raise the limits. */
517 capdns = cap_clone(origcapdns);
518 CHECK(capdns != NULL);
521 CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
522 families[0] = AF_INET;
523 CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
527 CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
528 errno == ENOTCAPABLE);
529 families[0] = AF_INET;
530 families[1] = AF_INET6;
531 CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
532 errno == ENOTCAPABLE);
535 CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
536 errno == ENOTCAPABLE);
537 families[0] = AF_INET6;
538 CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
539 errno == ENOTCAPABLE);
541 CHECK(cap_dns_type_limit(capdns, NULL, 0) == -1 &&
542 errno == ENOTCAPABLE);
543 CHECK(cap_dns_family_limit(capdns, NULL, 0) == -1 &&
544 errno == ENOTCAPABLE);
546 /* Do the limits still hold? */
547 CHECK(runtest(capdns) == (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET));
/*
 * Scenario: attempts to widen a channel limited to one type and {AF_INET6}.
 * After the two initial limits succeed, every later call must fail with
 * ENOTCAPABLE: a two-entry type list, a two-family list, another one-entry
 * type list, {AF_INET}, and an empty list (NULL, 0) for both types and
 * families. The closing runtest() confirms that only the IPv6 reverse lookup
 * is still reported. origcapdns is closed last; the cap_close() calls for
 * the per-scenario clones are not visible in this listing.
 */
551 capdns = cap_clone(origcapdns);
552 CHECK(capdns != NULL);
555 CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
556 families[0] = AF_INET6;
557 CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
561 CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
562 errno == ENOTCAPABLE);
563 families[0] = AF_INET;
564 families[1] = AF_INET6;
565 CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
566 errno == ENOTCAPABLE);
569 CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
570 errno == ENOTCAPABLE);
571 families[0] = AF_INET;
572 CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
573 errno == ENOTCAPABLE);
575 CHECK(cap_dns_type_limit(capdns, NULL, 0) == -1 &&
576 errno == ENOTCAPABLE);
577 CHECK(cap_dns_family_limit(capdns, NULL, 0) == -1 &&
578 errno == ENOTCAPABLE);
580 /* Do the limits still hold? */
581 CHECK(runtest(capdns) == GETHOSTBYADDR_AF_INET6);
585 cap_close(origcapdns);