src/tests/capabilities.c

   1 /* liblxcapi
   2  *
   3  * Copyright © 2021 Christian Brauner <christian.brauner@ubuntu.com>.
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License along
  15  * with this program; if not, write to the Free Software Foundation, Inc.,
  16  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  17  */
  18
  19 #include "config.h"
  20
  21 #include <errno.h>
  22 #include <fcntl.h>
  23 #include <inttypes.h>
  24 #include <signal.h>
  25 #include <stdio.h>
  26 #include <stdlib.h>
  27 #include <string.h>
  28 #include <unistd.h>
  29 #include <sys/stat.h>
  30 #include <sys/types.h>
  31 #include <sys/wait.h>
  32
  33 #include "lxccontainer.h"
  34 #include "attach_options.h"
  35
  36 #include "caps.h"
  37 #include "lxctest.h"
  38 #include "utils.h"
  39
  40 #if HAVE_LIBCAP
  41 __u32 *cap_bset_bits = NULL;
  42 __u32 last_cap = 0;
  43
  44 static int capabilities_allow(void *payload)
  45 {
  46         for (__u32 cap = 0; cap <= last_cap; cap++) {
  47                 bool bret;
  48
  49                 if (!is_set(cap, cap_bset_bits))
  50                         continue;
  51
  52                 if (cap == CAP_MKNOD)
  53                         bret = cap_get_bound(cap) == CAP_SET;
  54                 else
  55                         bret = cap_get_bound(cap) != CAP_SET;
  56                 if (!bret) {
  57                         lxc_error("Capability %d unexpectedly raised or lowered\n", cap);
  58                         return EXIT_FAILURE;
  59                 }
  60         }
  61
  62         return EXIT_SUCCESS;
  63 }
  64
  65 static int capabilities_deny(void *payload)
  66 {
  67         for (__u32 cap = 0; cap <= last_cap; cap++) {
  68                 bool bret;
  69
  70                 if (!is_set(cap, cap_bset_bits))
  71                         continue;
  72
  73                 if (cap == CAP_MKNOD)
  74                         bret = cap_get_bound(cap) != CAP_SET;
  75                 else
  76                         bret = cap_get_bound(cap) == CAP_SET;
  77                 if (!bret) {
  78                         lxc_error("Capability %d unexpectedly raised or lowered\n", cap);
  79                         return EXIT_FAILURE;
  80                 }
  81         }
  82
  83         return EXIT_SUCCESS;
  84 }
  85
  86 static int run(int (*test)(void *), bool allow)
  87 {
  88         int fd_log = -EBADF, fret = -1;
  89         lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
  90         int ret;
  91         pid_t pid;
  92         struct lxc_container *c;
  93         struct lxc_log log;
  94         char template[sizeof(P_tmpdir"/capabilities_XXXXXX")];
  95
  96         (void)strlcpy(template, P_tmpdir"/capabilities_XXXXXX", sizeof(template));
  97
  98         fd_log = lxc_make_tmpfile(template, false);
  99         if (fd_log < 0) {
 100                 lxc_error("%s", "Failed to create temporary log file for container \"capabilities\"");
 101                 return fret;
 102         }
 103
 104         log.name = "capabilities";
 105         log.file = template;
 106         log.level = "TRACE";
 107         log.prefix = "capabilities";
 108         log.quiet = false;
 109         log.lxcpath = NULL;
 110
 111         if (lxc_log_init(&log))
 112                 return fret;
 113
 114         c = lxc_container_new("capabilities", NULL);
 115         if (!c) {
 116                 lxc_error("%s\n", "Failed to create container \"capabilities\"");
 117                 return fret;
 118         }
 119
 120         if (c->is_defined(c)) {
 121                 lxc_error("%s\n", "Container \"capabilities\" is defined");
 122                 goto on_error_put;
 123         }
 124
 125         if (!c->createl(c, "busybox", NULL, NULL, 0, NULL)) {
 126                 lxc_error("%s\n", "Failed to create busybox container \"capabilities\"");
 127                 goto on_error_put;
 128         }
 129
 130         if (!c->is_defined(c)) {
 131                 lxc_error("%s\n", "Container \"capabilities\" is not defined");
 132                 goto on_error_destroy;
 133         }
 134
 135         if (!c->clear_config_item(c, "lxc.cap.drop")) {
 136                 lxc_error("%s\n", "Failed to clear config item \"lxc.cap.drop\"");
 137                 goto on_error_destroy;
 138         }
 139
 140         if (!c->clear_config_item(c, "lxc.cap.keep")) {
 141                 lxc_error("%s\n", "Failed to clear config item \"lxc.cap.drop\"");
 142                 goto on_error_destroy;
 143         }
 144
 145         if (allow) {
 146                 if (!c->set_config_item(c, "lxc.cap.keep", "mknod")) {
 147                         lxc_error("%s\n", "Failed to set config item \"lxc.cap.keep=mknod\"");
 148                         goto on_error_destroy;
 149                 }
 150         } else {
 151                 if (!c->set_config_item(c, "lxc.cap.drop", "mknod")) {
 152                         lxc_error("%s\n", "Failed to set config item \"lxc.cap.drop=mknod\"");
 153                         goto on_error_destroy;
 154                 }
 155         }
 156
 157         if (!c->want_daemonize(c, true)) {
 158                 lxc_error("%s\n", "Failed to mark container \"capabilities\" daemonized");
 159                 goto on_error_destroy;
 160         }
 161
 162         if (!c->startl(c, 0, NULL)) {
 163                 lxc_error("%s\n", "Failed to start container \"capabilities\" daemonized");
 164                 goto on_error_destroy;
 165         }
 166
 167         ret = c->attach(c, test, NULL, &attach_options, &pid);
 168         if (ret < 0) {
 169                 lxc_error("%s\n", "Failed to run function in container \"capabilities\"");
 170                 goto on_error_stop;
 171         }
 172
 173         ret = wait_for_pid(pid);
 174         if (ret) {
 175                 lxc_error("%s\n", "Function \"capabilities\" failed");
 176                 goto on_error_stop;
 177         }
 178
 179         fret = 0;
 180
 181 on_error_stop:
 182         if (c->is_running(c) && !c->stop(c))
 183                 lxc_error("%s\n", "Failed to stop container \"capabilities\"");
 184
 185 on_error_destroy:
 186         if (!c->destroy(c))
 187                 lxc_error("%s\n", "Failed to destroy container \"capabilities\"");
 188
 189 on_error_put:
 190         lxc_container_put(c);
 191
 192         if (fret == EXIT_SUCCESS) {
 193                 lxc_debug("All capability %s tests passed\n", allow ? "allow" : "deny");
 194         } else {
 195                 int fd;
 196
 197                 fd = open(template, O_RDONLY);
 198                 if (fd >= 0) {
 199                         char buf[4096];
 200                         ssize_t buflen;
 201                         while ((buflen = read(fd, buf, 1024)) > 0) {
 202                                 buflen = write(STDERR_FILENO, buf, buflen);
 203                                 if (buflen <= 0)
 204                                         break;
 205                         }
 206                         close(fd);
 207                 }
 208         }
 209         (void)unlink(template);
 210
 211         return fret;
 212 }
 213
 214 static void __attribute__((constructor)) capabilities_init(void)
 215 {
 216         int ret;
 217         __u32 nr_u32;
 218
 219         ret = lxc_caps_last_cap(&last_cap);
 220         if (ret || last_cap > 200)
 221                 _exit(EXIT_FAILURE);
 222
 223         nr_u32 = BITS_TO_LONGS(last_cap);
 224         cap_bset_bits = zalloc(nr_u32 * sizeof(__u32));
 225         if (!cap_bset_bits)
 226                 _exit(EXIT_FAILURE);
 227
 228         for (__u32 cap_bit = 0; cap_bit <= last_cap; cap_bit++) {
 229                 if (prctl(PR_CAPBSET_READ, prctl_arg(cap_bit)) == 0)
 230                         continue;
 231
 232                 set_bit(cap_bit, cap_bset_bits);
 233         }
 234 }
 235
 236 static void __attribute__((destructor)) capabilities_exit(void)
 237 {
 238         free(cap_bset_bits);
 239 }
 240
 241 int main(int argc, char *argv[])
 242 {
 243         if (run(capabilities_allow, true))
 244                 exit(EXIT_FAILURE);
 245
 246         if (run(capabilities_deny, false))
 247                 exit(EXIT_FAILURE);
 248
 249         exit(EXIT_SUCCESS);
 250 }
 251
 252 #else /* !HAVE_LIBCAP */
 253
 254 int main(int argc, char *argv[])
 255 {
 256         lxc_debug("%s\n", "Capabilities not supported. Skipping.");
 257         exit(EXIT_SUCCESS);
 258 }
 259 #endif