1/*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2013, 2018 The FreeBSD Foundation 5 * All rights reserved. 6 * 7 * This software was developed by Pawel Jakub Dawidek under sponsorship from 8 * the FreeBSD Foundation. 9 * 10 * Portions of this software were developed by Mark Johnston 11 * under sponsorship from the FreeBSD Foundation. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35#include <sys/types.h> 36#include <sys/capsicum.h> 37#include <sys/sysctl.h> 38#include <sys/nv.h> 39 40#include <assert.h> 41#include <err.h> 42#include <errno.h> 43#include <netdb.h> 44#include <stdio.h> 45#include <stdlib.h> 46#include <string.h> 47#include <unistd.h> 48 49#include <libcasper.h> 50#include <casper/cap_sysctl.h> 51 52#include <atf-c.h> 53 54/* 55 * We need some sysctls to perform the tests on. 56 * We remember their values and restore them afer the test is done. 57 */ 58#define SYSCTL0_PARENT "kern" 59#define SYSCTL0_NAME "kern.sync_on_panic" 60#define SYSCTL0_FILE "./sysctl0" 61#define SYSCTL1_PARENT "debug" 62#define SYSCTL1_NAME "debug.minidump" 63#define SYSCTL1_FILE "./sysctl1" 64 65#define SYSCTL0_READ0 0x0001 66#define SYSCTL0_READ1 0x0002 67#define SYSCTL0_READ2 0x0004 68#define SYSCTL0_WRITE 0x0008 69#define SYSCTL0_READ_WRITE 0x0010 70#define SYSCTL1_READ0 0x0020 71#define SYSCTL1_READ1 0x0040 72#define SYSCTL1_READ2 0x0080 73#define SYSCTL1_WRITE 0x0100 74#define SYSCTL1_READ_WRITE 0x0200 75 76static void 77save_int_sysctl(const char *name, const char *file) 78{ 79 ssize_t n; 80 size_t sz; 81 int error, fd, val; 82 83 sz = sizeof(val); 84 error = sysctlbyname(name, &val, &sz, NULL, 0); 85 ATF_REQUIRE_MSG(error == 0, 86 "sysctlbyname(%s): %s", name, strerror(errno)); 87 88 fd = open(file, O_CREAT | O_WRONLY, 0600); 89 ATF_REQUIRE_MSG(fd >= 0, "open(%s): %s", file, strerror(errno)); 90 n = write(fd, &val, sz); 91 ATF_REQUIRE(n >= 0 && (size_t)n == sz); 92 error = close(fd); 93 ATF_REQUIRE(error == 0); 94} 95 96static void 97restore_int_sysctl(const char *name, const char *file) 98{ 99 ssize_t n; 100 size_t sz; 101 int error, fd, val; 102 103 fd = open(file, O_RDONLY); 104 ATF_REQUIRE(fd >= 0); 105 sz = sizeof(val); 106 n = read(fd, &val, sz); 107 ATF_REQUIRE(n >= 0 && (size_t)n == sz); 108 error = unlink(file); 109 ATF_REQUIRE(error == 0); 110 error = close(fd); 111 ATF_REQUIRE(error == 0); 112 113 error = sysctlbyname(name, NULL, NULL, &val, sz); 114 ATF_REQUIRE_MSG(error == 0, 115 "sysctlbyname(%s): %s", name, strerror(errno)); 116} 117 118static cap_channel_t * 119initcap(void) 120{ 121 cap_channel_t *capcas, *capsysctl; 122 123 save_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE); 124 save_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE); 125 126 capcas = cap_init(); 127 ATF_REQUIRE(capcas != NULL); 128 129 capsysctl = cap_service_open(capcas, "system.sysctl"); 130 ATF_REQUIRE(capsysctl != NULL); 131 132 cap_close(capcas); 133 134 return (capsysctl); 135} 136 137static void 138cleanup(void) 139{ 140 141 restore_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE); 142 restore_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE); 143} 144 145static unsigned int 146checkcaps(cap_channel_t *capsysctl) 147{ 148 unsigned int result; 149 size_t len0, len1, oldsize; 150 int error, mib0[2], mib1[2], oldvalue, newvalue; 151 152 result = 0; 153 154 len0 = nitems(mib0); 155 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len0) == 0); 156 len1 = nitems(mib1); 157 ATF_REQUIRE(sysctlnametomib(SYSCTL1_NAME, mib1, &len1) == 0); 158 159 oldsize = sizeof(oldvalue); 160 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 161 NULL, 0) == 0) { 162 if (oldsize == sizeof(oldvalue)) 163 result |= SYSCTL0_READ0; 164 } 165 error = cap_sysctl(capsysctl, mib0, len0, &oldvalue, &oldsize, NULL, 0); 166 if ((result & SYSCTL0_READ0) != 0) 167 ATF_REQUIRE(error == 0); 168 else 169 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 170 171 newvalue = 123; 172 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue, 173 sizeof(newvalue)) == 0) { 174 result |= SYSCTL0_WRITE; 175 } 176 177 if ((result & SYSCTL0_WRITE) != 0) { 178 oldsize = sizeof(oldvalue); 179 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 180 &oldsize, NULL, 0) == 0) { 181 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 182 result |= SYSCTL0_READ1; 183 } 184 } 185 newvalue = 123; 186 error = cap_sysctl(capsysctl, mib0, len0, NULL, NULL, 187 &newvalue, sizeof(newvalue)); 188 if ((result & SYSCTL0_WRITE) != 0) 189 ATF_REQUIRE(error == 0); 190 else 191 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 192 193 oldsize = sizeof(oldvalue); 194 newvalue = 4567; 195 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize, 196 &newvalue, sizeof(newvalue)) == 0) { 197 if (oldsize == sizeof(oldvalue) && oldvalue == 123) 198 result |= SYSCTL0_READ_WRITE; 199 } 200 201 if ((result & SYSCTL0_READ_WRITE) != 0) { 202 oldsize = sizeof(oldvalue); 203 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, 204 &oldsize, NULL, 0) == 0) { 205 if (oldsize == sizeof(oldvalue) && oldvalue == 4567) 206 result |= SYSCTL0_READ2; 207 } 208 } 209 210 oldsize = sizeof(oldvalue); 211 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 212 NULL, 0) == 0) { 213 if (oldsize == sizeof(oldvalue)) 214 result |= SYSCTL1_READ0; 215 } 216 error = cap_sysctl(capsysctl, mib1, len1, &oldvalue, &oldsize, NULL, 0); 217 if ((result & SYSCTL1_READ0) != 0) 218 ATF_REQUIRE(error == 0); 219 else 220 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 221 222 newvalue = 506; 223 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue, 224 sizeof(newvalue)) == 0) { 225 result |= SYSCTL1_WRITE; 226 } 227 228 if ((result & SYSCTL1_WRITE) != 0) { 229 newvalue = 506; 230 ATF_REQUIRE(cap_sysctl(capsysctl, mib1, len1, NULL, NULL, 231 &newvalue, sizeof(newvalue)) == 0); 232 233 oldsize = sizeof(oldvalue); 234 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 235 &oldsize, NULL, 0) == 0) { 236 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 237 result |= SYSCTL1_READ1; 238 } 239 } 240 newvalue = 506; 241 error = cap_sysctl(capsysctl, mib1, len1, NULL, NULL, 242 &newvalue, sizeof(newvalue)); 243 if ((result & SYSCTL1_WRITE) != 0) 244 ATF_REQUIRE(error == 0); 245 else 246 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0); 247 248 oldsize = sizeof(oldvalue); 249 newvalue = 7008; 250 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize, 251 &newvalue, sizeof(newvalue)) == 0) { 252 if (oldsize == sizeof(oldvalue) && oldvalue == 506) 253 result |= SYSCTL1_READ_WRITE; 254 } 255 256 if ((result & SYSCTL1_READ_WRITE) != 0) { 257 oldsize = sizeof(oldvalue); 258 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, 259 &oldsize, NULL, 0) == 0) { 260 if (oldsize == sizeof(oldvalue) && oldvalue == 7008) 261 result |= SYSCTL1_READ2; 262 } 263 } 264 265 return (result); 266} 267 268ATF_TC_WITH_CLEANUP(cap_sysctl__operation); 269ATF_TC_HEAD(cap_sysctl__operation, tc) 270{ 271} 272ATF_TC_BODY(cap_sysctl__operation, tc) 273{ 274 cap_channel_t *capsysctl, *ocapsysctl; 275 void *limit; 276 277 ocapsysctl = initcap(); 278 279 /* 280 * Allow: 281 * SYSCTL0_PARENT/RDWR/RECURSIVE 282 * SYSCTL1_PARENT/RDWR/RECURSIVE 283 */ 284 285 capsysctl = cap_clone(ocapsysctl); 286 ATF_REQUIRE(capsysctl != NULL); 287 288 limit = cap_sysctl_limit_init(capsysctl); 289 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 290 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 291 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 292 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 293 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 294 295 limit = cap_sysctl_limit_init(capsysctl); 296 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 297 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 298 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 299 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 300 (void)cap_sysctl_limit_name(limit, "foo.bar", 301 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 302 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 303 304 limit = cap_sysctl_limit_init(capsysctl); 305 (void)cap_sysctl_limit_name(limit, "foo.bar", 306 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 307 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 308 309 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 310 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 311 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 312 SYSCTL1_READ_WRITE)); 313 314 limit = cap_sysctl_limit_init(capsysctl); 315 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 316 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 317 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 318 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 319 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 320 321 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 322 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 323 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 324 SYSCTL1_READ_WRITE)); 325 326 limit = cap_sysctl_limit_init(capsysctl); 327 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 328 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 329 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 330 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 331 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 332 333 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 334 335 limit = cap_sysctl_limit_init(capsysctl); 336 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 337 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 338 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 339 340 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 341 342 limit = cap_sysctl_limit_init(capsysctl); 343 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 344 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 345 346 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0); 347 348 cap_close(capsysctl); 349 350 /* 351 * Allow: 352 * SYSCTL0_NAME/RDWR/RECURSIVE 353 * SYSCTL1_NAME/RDWR/RECURSIVE 354 */ 355 356 capsysctl = cap_clone(ocapsysctl); 357 ATF_REQUIRE(capsysctl != NULL); 358 359 limit = cap_sysctl_limit_init(capsysctl); 360 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 361 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 362 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 363 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 364 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 365 366 limit = cap_sysctl_limit_init(capsysctl); 367 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 368 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 369 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 370 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 371 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 372 limit = cap_sysctl_limit_init(capsysctl); 373 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 374 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 375 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 376 limit = cap_sysctl_limit_init(capsysctl); 377 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 378 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 379 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 380 limit = cap_sysctl_limit_init(capsysctl); 381 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 382 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 383 384 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 385 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 386 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 387 SYSCTL1_READ_WRITE)); 388 389 cap_close(capsysctl); 390 391 /* 392 * Allow: 393 * SYSCTL0_PARENT/RDWR 394 * SYSCTL1_PARENT/RDWR 395 */ 396 397 capsysctl = cap_clone(ocapsysctl); 398 ATF_REQUIRE(capsysctl != NULL); 399 400 limit = cap_sysctl_limit_init(capsysctl); 401 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 402 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 403 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 404 limit = cap_sysctl_limit_init(capsysctl); 405 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 406 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 407 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 408 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 409 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 410 limit = cap_sysctl_limit_init(capsysctl); 411 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 412 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 413 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 414 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 415 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 416 limit = cap_sysctl_limit_init(capsysctl); 417 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 418 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 419 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 420 421 ATF_REQUIRE(checkcaps(capsysctl) == 0); 422 423 cap_close(capsysctl); 424 425 /* 426 * Allow: 427 * SYSCTL0_NAME/RDWR 428 * SYSCTL1_NAME/RDWR 429 */ 430 431 capsysctl = cap_clone(ocapsysctl); 432 ATF_REQUIRE(capsysctl != NULL); 433 434 limit = cap_sysctl_limit_init(capsysctl); 435 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 436 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 437 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 438 limit = cap_sysctl_limit_init(capsysctl); 439 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 440 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 441 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 442 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 443 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 444 limit = cap_sysctl_limit_init(capsysctl); 445 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 446 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 447 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 448 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 449 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 450 limit = cap_sysctl_limit_init(capsysctl); 451 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 452 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 453 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 454 455 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 456 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 457 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 458 SYSCTL1_READ_WRITE)); 459 460 cap_close(capsysctl); 461 462 /* 463 * Allow: 464 * SYSCTL0_PARENT/RDWR 465 * SYSCTL1_PARENT/RDWR/RECURSIVE 466 */ 467 468 capsysctl = cap_clone(ocapsysctl); 469 ATF_REQUIRE(capsysctl != NULL); 470 471 limit = cap_sysctl_limit_init(capsysctl); 472 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 473 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 474 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 475 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 476 limit = cap_sysctl_limit_init(capsysctl); 477 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 478 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 479 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 480 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 481 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 482 limit = cap_sysctl_limit_init(capsysctl); 483 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 484 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 485 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 486 limit = cap_sysctl_limit_init(capsysctl); 487 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 488 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 489 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 490 limit = cap_sysctl_limit_init(capsysctl); 491 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 492 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 493 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 494 495 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 496 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 497 498 cap_close(capsysctl); 499 500 /* 501 * Allow: 502 * SYSCTL0_NAME/RDWR 503 * SYSCTL1_NAME/RDWR/RECURSIVE 504 */ 505 506 capsysctl = cap_clone(ocapsysctl); 507 ATF_REQUIRE(capsysctl != NULL); 508 509 limit = cap_sysctl_limit_init(capsysctl); 510 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 511 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 512 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 513 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 514 limit = cap_sysctl_limit_init(capsysctl); 515 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 516 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 517 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 518 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 519 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 520 limit = cap_sysctl_limit_init(capsysctl); 521 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 522 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 523 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 524 limit = cap_sysctl_limit_init(capsysctl); 525 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 526 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 527 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 528 529 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 530 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 531 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 532 SYSCTL1_READ_WRITE)); 533 534 cap_close(capsysctl); 535 536 /* 537 * Allow: 538 * SYSCTL0_PARENT/READ/RECURSIVE 539 * SYSCTL1_PARENT/READ/RECURSIVE 540 */ 541 542 capsysctl = cap_clone(ocapsysctl); 543 ATF_REQUIRE(capsysctl != NULL); 544 545 limit = cap_sysctl_limit_init(capsysctl); 546 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 547 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 548 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 549 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 550 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 551 limit = cap_sysctl_limit_init(capsysctl); 552 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 553 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 554 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 555 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 556 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 557 limit = cap_sysctl_limit_init(capsysctl); 558 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 559 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 560 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 561 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 562 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 563 limit = cap_sysctl_limit_init(capsysctl); 564 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 565 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 566 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 567 limit = cap_sysctl_limit_init(capsysctl); 568 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 569 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 570 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 571 limit = cap_sysctl_limit_init(capsysctl); 572 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 573 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 574 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 575 limit = cap_sysctl_limit_init(capsysctl); 576 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 577 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 578 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 579 limit = cap_sysctl_limit_init(capsysctl); 580 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 581 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 582 limit = cap_sysctl_limit_init(capsysctl); 583 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 584 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 585 586 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 587 588 cap_close(capsysctl); 589 590 /* 591 * Allow: 592 * SYSCTL0_NAME/READ/RECURSIVE 593 * SYSCTL1_NAME/READ/RECURSIVE 594 */ 595 596 capsysctl = cap_clone(ocapsysctl); 597 ATF_REQUIRE(capsysctl != NULL); 598 599 limit = cap_sysctl_limit_init(capsysctl); 600 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 601 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 602 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 603 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 604 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 605 limit = cap_sysctl_limit_init(capsysctl); 606 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 607 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 608 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 609 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 610 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 611 limit = cap_sysctl_limit_init(capsysctl); 612 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 613 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 614 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 615 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 616 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 617 limit = cap_sysctl_limit_init(capsysctl); 618 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 619 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 620 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 621 limit = cap_sysctl_limit_init(capsysctl); 622 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 623 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 624 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 625 limit = cap_sysctl_limit_init(capsysctl); 626 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 627 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 628 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 629 limit = cap_sysctl_limit_init(capsysctl); 630 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 631 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 632 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 633 limit = cap_sysctl_limit_init(capsysctl); 634 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 635 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 636 limit = cap_sysctl_limit_init(capsysctl); 637 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 638 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 639 640 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 641 642 cap_close(capsysctl); 643 644 /* 645 * Allow: 646 * SYSCTL0_PARENT/READ 647 * SYSCTL1_PARENT/READ 648 */ 649 650 capsysctl = cap_clone(ocapsysctl); 651 ATF_REQUIRE(capsysctl != NULL); 652 653 limit = cap_sysctl_limit_init(capsysctl); 654 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 655 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 656 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 657 limit = cap_sysctl_limit_init(capsysctl); 658 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 659 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 660 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 661 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 662 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 663 limit = cap_sysctl_limit_init(capsysctl); 664 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 665 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 666 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 667 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 668 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 669 limit = cap_sysctl_limit_init(capsysctl); 670 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 671 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 672 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 673 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 674 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 675 limit = cap_sysctl_limit_init(capsysctl); 676 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 677 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 678 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 679 limit = cap_sysctl_limit_init(capsysctl); 680 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 681 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 682 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 683 limit = cap_sysctl_limit_init(capsysctl); 684 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 685 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 686 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 687 limit = cap_sysctl_limit_init(capsysctl); 688 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 689 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 690 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 691 limit = cap_sysctl_limit_init(capsysctl); 692 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 693 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 694 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 695 limit = cap_sysctl_limit_init(capsysctl); 696 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 697 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 698 limit = cap_sysctl_limit_init(capsysctl); 699 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 700 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 701 702 ATF_REQUIRE(checkcaps(capsysctl) == 0); 703 704 cap_close(capsysctl); 705 706 /* 707 * Allow: 708 * SYSCTL0_NAME/READ 709 * SYSCTL1_NAME/READ 710 */ 711 712 capsysctl = cap_clone(ocapsysctl); 713 ATF_REQUIRE(capsysctl != NULL); 714 715 limit = cap_sysctl_limit_init(capsysctl); 716 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 717 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 718 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 719 limit = cap_sysctl_limit_init(capsysctl); 720 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 721 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 722 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 723 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 724 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 725 limit = cap_sysctl_limit_init(capsysctl); 726 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 727 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 728 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 729 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 730 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 731 limit = cap_sysctl_limit_init(capsysctl); 732 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 733 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 734 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 735 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 736 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 737 limit = cap_sysctl_limit_init(capsysctl); 738 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 739 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 740 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 741 limit = cap_sysctl_limit_init(capsysctl); 742 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 743 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 744 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 745 limit = cap_sysctl_limit_init(capsysctl); 746 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 747 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 748 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 749 limit = cap_sysctl_limit_init(capsysctl); 750 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 751 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 752 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 753 limit = cap_sysctl_limit_init(capsysctl); 754 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 755 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 756 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 757 limit = cap_sysctl_limit_init(capsysctl); 758 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 759 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 760 limit = cap_sysctl_limit_init(capsysctl); 761 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 762 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 763 764 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 765 766 cap_close(capsysctl); 767 768 /* 769 * Allow: 770 * SYSCTL0_PARENT/READ 771 * SYSCTL1_PARENT/READ/RECURSIVE 772 */ 773 774 capsysctl = cap_clone(ocapsysctl); 775 ATF_REQUIRE(capsysctl != NULL); 776 777 limit = cap_sysctl_limit_init(capsysctl); 778 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 779 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 780 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 781 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 782 limit = cap_sysctl_limit_init(capsysctl); 783 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 784 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 785 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 786 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 787 788 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 789 790 cap_close(capsysctl); 791 792 /* 793 * Allow: 794 * SYSCTL0_NAME/READ 795 * SYSCTL1_NAME/READ/RECURSIVE 796 */ 797 798 capsysctl = cap_clone(ocapsysctl); 799 ATF_REQUIRE(capsysctl != NULL); 800 801 limit = cap_sysctl_limit_init(capsysctl); 802 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 803 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 804 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 805 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 806 limit = cap_sysctl_limit_init(capsysctl); 807 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 808 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 809 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 810 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 811 812 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0)); 813 814 cap_close(capsysctl); 815 816 /* 817 * Allow: 818 * SYSCTL0_PARENT/WRITE/RECURSIVE 819 * SYSCTL1_PARENT/WRITE/RECURSIVE 820 */ 821 822 capsysctl = cap_clone(ocapsysctl); 823 ATF_REQUIRE(capsysctl != NULL); 824 825 limit = cap_sysctl_limit_init(capsysctl); 826 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 827 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 828 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 829 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 830 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 831 limit = cap_sysctl_limit_init(capsysctl); 832 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 833 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 834 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 835 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 836 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 837 limit = cap_sysctl_limit_init(capsysctl); 838 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 839 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 840 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 841 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 842 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 843 limit = cap_sysctl_limit_init(capsysctl); 844 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 845 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 846 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 847 limit = cap_sysctl_limit_init(capsysctl); 848 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 849 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 850 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 851 limit = cap_sysctl_limit_init(capsysctl); 852 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 853 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 854 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 855 limit = cap_sysctl_limit_init(capsysctl); 856 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 857 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 858 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 859 limit = cap_sysctl_limit_init(capsysctl); 860 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 861 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 862 limit = cap_sysctl_limit_init(capsysctl); 863 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 864 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 865 866 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 867 868 cap_close(capsysctl); 869 870 /* 871 * Allow: 872 * SYSCTL0_NAME/WRITE/RECURSIVE 873 * SYSCTL1_NAME/WRITE/RECURSIVE 874 */ 875 876 capsysctl = cap_clone(ocapsysctl); 877 ATF_REQUIRE(capsysctl != NULL); 878 879 limit = cap_sysctl_limit_init(capsysctl); 880 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 881 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 882 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 883 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 884 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 885 limit = cap_sysctl_limit_init(capsysctl); 886 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 887 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 888 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 889 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 890 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 891 limit = cap_sysctl_limit_init(capsysctl); 892 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 893 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 894 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 895 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 896 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 897 limit = cap_sysctl_limit_init(capsysctl); 898 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 899 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 900 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 901 limit = cap_sysctl_limit_init(capsysctl); 902 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 903 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 904 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 905 limit = cap_sysctl_limit_init(capsysctl); 906 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 907 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 908 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 909 limit = cap_sysctl_limit_init(capsysctl); 910 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 911 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 912 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 913 limit = cap_sysctl_limit_init(capsysctl); 914 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 915 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 916 limit = cap_sysctl_limit_init(capsysctl); 917 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 918 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 919 920 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 921 922 cap_close(capsysctl); 923 924 /* 925 * Allow: 926 * SYSCTL0_PARENT/WRITE 927 * SYSCTL1_PARENT/WRITE 928 */ 929 930 capsysctl = cap_clone(ocapsysctl); 931 ATF_REQUIRE(capsysctl != NULL); 932 933 limit = cap_sysctl_limit_init(capsysctl); 934 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 935 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 936 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 937 limit = cap_sysctl_limit_init(capsysctl); 938 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 939 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 940 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 941 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 942 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 943 limit = cap_sysctl_limit_init(capsysctl); 944 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 945 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 946 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 947 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 948 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 949 limit = cap_sysctl_limit_init(capsysctl); 950 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 951 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 952 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 953 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 954 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 955 limit = cap_sysctl_limit_init(capsysctl); 956 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 957 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 958 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 959 limit = cap_sysctl_limit_init(capsysctl); 960 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 961 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 962 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 963 limit = cap_sysctl_limit_init(capsysctl); 964 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 965 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 966 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 967 limit = cap_sysctl_limit_init(capsysctl); 968 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 969 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 970 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 971 limit = cap_sysctl_limit_init(capsysctl); 972 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 973 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 974 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 975 limit = cap_sysctl_limit_init(capsysctl); 976 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 977 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 978 limit = cap_sysctl_limit_init(capsysctl); 979 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 980 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 981 982 ATF_REQUIRE(checkcaps(capsysctl) == 0); 983 984 cap_close(capsysctl); 985 986 /* 987 * Allow: 988 * SYSCTL0_NAME/WRITE 989 * SYSCTL1_NAME/WRITE 990 */ 991 992 capsysctl = cap_clone(ocapsysctl); 993 ATF_REQUIRE(capsysctl != NULL); 994 995 limit = cap_sysctl_limit_init(capsysctl); 996 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 997 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 998 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 999 limit = cap_sysctl_limit_init(capsysctl); 1000 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1001 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1002 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1003 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1004 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1005 limit = cap_sysctl_limit_init(capsysctl); 1006 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1007 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1008 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1009 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1010 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1011 limit = cap_sysctl_limit_init(capsysctl); 1012 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1013 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1014 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1015 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1016 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1017 limit = cap_sysctl_limit_init(capsysctl); 1018 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1019 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1020 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1021 limit = cap_sysctl_limit_init(capsysctl); 1022 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1023 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1024 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1025 limit = cap_sysctl_limit_init(capsysctl); 1026 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1027 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1028 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1029 limit = cap_sysctl_limit_init(capsysctl); 1030 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1031 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1032 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1033 limit = cap_sysctl_limit_init(capsysctl); 1034 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1035 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1036 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1037 limit = cap_sysctl_limit_init(capsysctl); 1038 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1039 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1040 limit = cap_sysctl_limit_init(capsysctl); 1041 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1042 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1043 1044 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 1045 1046 cap_close(capsysctl); 1047 1048 /* 1049 * Allow: 1050 * SYSCTL0_PARENT/WRITE 1051 * SYSCTL1_PARENT/WRITE/RECURSIVE 1052 */ 1053 1054 capsysctl = cap_clone(ocapsysctl); 1055 ATF_REQUIRE(capsysctl != NULL); 1056 1057 limit = cap_sysctl_limit_init(capsysctl); 1058 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1059 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1060 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1061 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1062 limit = cap_sysctl_limit_init(capsysctl); 1063 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1064 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1065 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1066 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1067 1068 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1069 1070 cap_close(capsysctl); 1071 1072 /* 1073 * Allow: 1074 * SYSCTL0_NAME/WRITE 1075 * SYSCTL1_NAME/WRITE/RECURSIVE 1076 */ 1077 1078 capsysctl = cap_clone(ocapsysctl); 1079 ATF_REQUIRE(capsysctl != NULL); 1080 1081 limit = cap_sysctl_limit_init(capsysctl); 1082 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1083 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1084 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1085 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1086 limit = cap_sysctl_limit_init(capsysctl); 1087 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1088 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1089 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1090 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1091 1092 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE)); 1093 1094 cap_close(capsysctl); 1095 1096 /* 1097 * Allow: 1098 * SYSCTL0_PARENT/READ/RECURSIVE 1099 * SYSCTL1_PARENT/WRITE/RECURSIVE 1100 */ 1101 1102 capsysctl = cap_clone(ocapsysctl); 1103 ATF_REQUIRE(capsysctl != NULL); 1104 1105 limit = cap_sysctl_limit_init(capsysctl); 1106 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1107 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1108 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1109 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1110 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1111 1112 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1113 1114 cap_close(capsysctl); 1115 1116 /* 1117 * Allow: 1118 * SYSCTL0_NAME/READ/RECURSIVE 1119 * SYSCTL1_NAME/WRITE/RECURSIVE 1120 */ 1121 1122 capsysctl = cap_clone(ocapsysctl); 1123 ATF_REQUIRE(capsysctl != NULL); 1124 1125 limit = cap_sysctl_limit_init(capsysctl); 1126 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1127 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1128 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1129 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1130 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1131 1132 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1133 1134 cap_close(capsysctl); 1135 1136 /* 1137 * Allow: 1138 * SYSCTL0_PARENT/READ 1139 * SYSCTL1_PARENT/WRITE 1140 */ 1141 1142 capsysctl = cap_clone(ocapsysctl); 1143 ATF_REQUIRE(capsysctl != NULL); 1144 1145 limit = cap_sysctl_limit_init(capsysctl); 1146 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1147 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1148 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1149 1150 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1151 1152 cap_close(capsysctl); 1153 1154 /* 1155 * Allow: 1156 * SYSCTL0_NAME/READ 1157 * SYSCTL1_NAME/WRITE 1158 */ 1159 1160 capsysctl = cap_clone(ocapsysctl); 1161 ATF_REQUIRE(capsysctl != NULL); 1162 1163 limit = cap_sysctl_limit_init(capsysctl); 1164 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1165 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1166 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1167 1168 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1169 1170 cap_close(capsysctl); 1171 1172 /* 1173 * Allow: 1174 * SYSCTL0_PARENT/READ 1175 * SYSCTL1_PARENT/WRITE/RECURSIVE 1176 */ 1177 1178 capsysctl = cap_clone(ocapsysctl); 1179 ATF_REQUIRE(capsysctl != NULL); 1180 1181 limit = cap_sysctl_limit_init(capsysctl); 1182 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1183 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1184 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1185 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1186 1187 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1188 1189 cap_close(capsysctl); 1190 1191 /* 1192 * Allow: 1193 * SYSCTL0_NAME/READ 1194 * SYSCTL1_NAME/WRITE/RECURSIVE 1195 */ 1196 1197 capsysctl = cap_clone(ocapsysctl); 1198 ATF_REQUIRE(capsysctl != NULL); 1199 1200 limit = cap_sysctl_limit_init(capsysctl); 1201 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1202 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1203 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1204 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1205 1206 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE)); 1207 1208 cap_close(capsysctl); 1209} 1210ATF_TC_CLEANUP(cap_sysctl__operation, tc) 1211{ 1212 cleanup(); 1213} 1214 1215ATF_TC_WITH_CLEANUP(cap_sysctl__names); 1216ATF_TC_HEAD(cap_sysctl__names, tc) 1217{ 1218} 1219ATF_TC_BODY(cap_sysctl__names, tc) 1220{ 1221 cap_channel_t *capsysctl, *ocapsysctl; 1222 void *limit; 1223 1224 ocapsysctl = initcap(); 1225 1226 /* 1227 * Allow: 1228 * SYSCTL0_PARENT/READ/RECURSIVE 1229 */ 1230 1231 capsysctl = cap_clone(ocapsysctl); 1232 ATF_REQUIRE(capsysctl != NULL); 1233 1234 limit = cap_sysctl_limit_init(capsysctl); 1235 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1236 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1237 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1238 limit = cap_sysctl_limit_init(capsysctl); 1239 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1240 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1241 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1242 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1243 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1244 limit = cap_sysctl_limit_init(capsysctl); 1245 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1246 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1247 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1248 limit = cap_sysctl_limit_init(capsysctl); 1249 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1250 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1251 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1252 limit = cap_sysctl_limit_init(capsysctl); 1253 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1254 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1255 1256 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0); 1257 1258 cap_close(capsysctl); 1259 1260 /* 1261 * Allow: 1262 * SYSCTL1_NAME/READ/RECURSIVE 1263 */ 1264 1265 capsysctl = cap_clone(ocapsysctl); 1266 ATF_REQUIRE(capsysctl != NULL); 1267 1268 limit = cap_sysctl_limit_init(capsysctl); 1269 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1270 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1271 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1272 limit = cap_sysctl_limit_init(capsysctl); 1273 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1274 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1275 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1276 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1277 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1278 limit = cap_sysctl_limit_init(capsysctl); 1279 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1280 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE); 1281 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1282 limit = cap_sysctl_limit_init(capsysctl); 1283 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1284 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1285 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1286 limit = cap_sysctl_limit_init(capsysctl); 1287 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1288 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1289 1290 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 1291 1292 cap_close(capsysctl); 1293 1294 /* 1295 * Allow: 1296 * SYSCTL0_PARENT/WRITE/RECURSIVE 1297 */ 1298 1299 capsysctl = cap_clone(ocapsysctl); 1300 ATF_REQUIRE(capsysctl != NULL); 1301 1302 limit = cap_sysctl_limit_init(capsysctl); 1303 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1304 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1305 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1306 limit = cap_sysctl_limit_init(capsysctl); 1307 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1308 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1309 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1310 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1311 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1312 limit = cap_sysctl_limit_init(capsysctl); 1313 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1314 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1315 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1316 limit = cap_sysctl_limit_init(capsysctl); 1317 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1318 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1319 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1320 limit = cap_sysctl_limit_init(capsysctl); 1321 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1322 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1323 1324 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_WRITE); 1325 1326 cap_close(capsysctl); 1327 1328 /* 1329 * Allow: 1330 * SYSCTL1_NAME/WRITE/RECURSIVE 1331 */ 1332 1333 capsysctl = cap_clone(ocapsysctl); 1334 ATF_REQUIRE(capsysctl != NULL); 1335 1336 limit = cap_sysctl_limit_init(capsysctl); 1337 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1338 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1339 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1340 limit = cap_sysctl_limit_init(capsysctl); 1341 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1342 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1343 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1344 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1345 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1346 limit = cap_sysctl_limit_init(capsysctl); 1347 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1348 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE); 1349 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1350 limit = cap_sysctl_limit_init(capsysctl); 1351 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1352 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1353 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1354 limit = cap_sysctl_limit_init(capsysctl); 1355 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1356 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1357 1358 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1359 1360 cap_close(capsysctl); 1361 1362 /* 1363 * Allow: 1364 * SYSCTL0_PARENT/RDWR/RECURSIVE 1365 */ 1366 1367 capsysctl = cap_clone(ocapsysctl); 1368 ATF_REQUIRE(capsysctl != NULL); 1369 1370 limit = cap_sysctl_limit_init(capsysctl); 1371 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1372 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1373 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1374 limit = cap_sysctl_limit_init(capsysctl); 1375 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, 1376 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1377 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1378 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1379 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1380 limit = cap_sysctl_limit_init(capsysctl); 1381 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, 1382 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1383 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1384 limit = cap_sysctl_limit_init(capsysctl); 1385 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1386 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1387 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1388 limit = cap_sysctl_limit_init(capsysctl); 1389 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1390 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1391 1392 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 | 1393 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE)); 1394 1395 cap_close(capsysctl); 1396 1397 /* 1398 * Allow: 1399 * SYSCTL1_NAME/RDWR/RECURSIVE 1400 */ 1401 1402 capsysctl = cap_clone(ocapsysctl); 1403 ATF_REQUIRE(capsysctl != NULL); 1404 1405 limit = cap_sysctl_limit_init(capsysctl); 1406 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1407 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1408 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1409 limit = cap_sysctl_limit_init(capsysctl); 1410 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1411 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1412 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, 1413 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1414 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1415 limit = cap_sysctl_limit_init(capsysctl); 1416 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, 1417 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1418 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1419 limit = cap_sysctl_limit_init(capsysctl); 1420 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1421 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1422 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1423 limit = cap_sysctl_limit_init(capsysctl); 1424 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1425 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1426 1427 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1428 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1429 1430 cap_close(capsysctl); 1431 1432 /* 1433 * Allow: 1434 * SYSCTL0_PARENT/READ 1435 */ 1436 1437 capsysctl = cap_clone(ocapsysctl); 1438 ATF_REQUIRE(capsysctl != NULL); 1439 1440 limit = cap_sysctl_limit_init(capsysctl); 1441 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1442 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1443 limit = cap_sysctl_limit_init(capsysctl); 1444 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ); 1445 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1446 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1447 limit = cap_sysctl_limit_init(capsysctl); 1448 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ); 1449 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1450 1451 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1452 1453 cap_close(capsysctl); 1454 1455 /* 1456 * Allow: 1457 * SYSCTL1_NAME/READ 1458 */ 1459 1460 capsysctl = cap_clone(ocapsysctl); 1461 ATF_REQUIRE(capsysctl != NULL); 1462 1463 limit = cap_sysctl_limit_init(capsysctl); 1464 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1465 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1466 limit = cap_sysctl_limit_init(capsysctl); 1467 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1468 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ); 1469 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1470 limit = cap_sysctl_limit_init(capsysctl); 1471 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ); 1472 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1473 1474 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0); 1475 1476 cap_close(capsysctl); 1477 1478 /* 1479 * Allow: 1480 * SYSCTL0_PARENT/WRITE 1481 */ 1482 1483 capsysctl = cap_clone(ocapsysctl); 1484 ATF_REQUIRE(capsysctl != NULL); 1485 1486 limit = cap_sysctl_limit_init(capsysctl); 1487 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1488 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1489 limit = cap_sysctl_limit_init(capsysctl); 1490 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE); 1491 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1492 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1493 limit = cap_sysctl_limit_init(capsysctl); 1494 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE); 1495 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1496 1497 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1498 1499 cap_close(capsysctl); 1500 1501 /* 1502 * Allow: 1503 * SYSCTL1_NAME/WRITE 1504 */ 1505 1506 capsysctl = cap_clone(ocapsysctl); 1507 ATF_REQUIRE(capsysctl != NULL); 1508 1509 limit = cap_sysctl_limit_init(capsysctl); 1510 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1511 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1512 limit = cap_sysctl_limit_init(capsysctl); 1513 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1514 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE); 1515 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1516 limit = cap_sysctl_limit_init(capsysctl); 1517 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE); 1518 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1519 1520 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE); 1521 1522 cap_close(capsysctl); 1523 1524 /* 1525 * Allow: 1526 * SYSCTL0_PARENT/RDWR 1527 */ 1528 1529 capsysctl = cap_clone(ocapsysctl); 1530 ATF_REQUIRE(capsysctl != NULL); 1531 1532 limit = cap_sysctl_limit_init(capsysctl); 1533 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1534 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1535 limit = cap_sysctl_limit_init(capsysctl); 1536 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR); 1537 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1538 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1539 limit = cap_sysctl_limit_init(capsysctl); 1540 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR); 1541 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1542 1543 ATF_REQUIRE(checkcaps(capsysctl) == 0); 1544 1545 cap_close(capsysctl); 1546 1547 /* 1548 * Allow: 1549 * SYSCTL1_NAME/RDWR 1550 */ 1551 1552 capsysctl = cap_clone(ocapsysctl); 1553 ATF_REQUIRE(capsysctl != NULL); 1554 1555 limit = cap_sysctl_limit_init(capsysctl); 1556 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1557 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1558 limit = cap_sysctl_limit_init(capsysctl); 1559 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1560 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR); 1561 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1562 limit = cap_sysctl_limit_init(capsysctl); 1563 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR); 1564 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE); 1565 1566 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 | 1567 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE)); 1568 1569 cap_close(capsysctl); 1570} 1571ATF_TC_CLEANUP(cap_sysctl__names, tc) 1572{ 1573 cleanup(); 1574} 1575 1576ATF_TC_WITH_CLEANUP(cap_sysctl__no_limits); 1577ATF_TC_HEAD(cap_sysctl__no_limits, tc) 1578{ 1579} 1580ATF_TC_BODY(cap_sysctl__no_limits, tc) 1581{ 1582 cap_channel_t *capsysctl; 1583 1584 capsysctl = initcap(); 1585 1586 ATF_REQUIRE_EQ(checkcaps(capsysctl), (SYSCTL0_READ0 | SYSCTL0_READ1 | 1587 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE | 1588 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE | 1589 SYSCTL1_READ_WRITE)); 1590} 1591ATF_TC_CLEANUP(cap_sysctl__no_limits, tc) 1592{ 1593 cleanup(); 1594} 1595 1596ATF_TC_WITH_CLEANUP(cap_sysctl__recursive_limits); 1597ATF_TC_HEAD(cap_sysctl__recursive_limits, tc) 1598{ 1599} 1600ATF_TC_BODY(cap_sysctl__recursive_limits, tc) 1601{ 1602 cap_channel_t *capsysctl, *ocapsysctl; 1603 void *limit; 1604 size_t len; 1605 int mib[2], val = 420; 1606 1607 len = nitems(mib); 1608 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib, &len) == 0); 1609 1610 ocapsysctl = initcap(); 1611 1612 /* 1613 * Make sure that we match entire components. 1614 */ 1615 capsysctl = cap_clone(ocapsysctl); 1616 ATF_REQUIRE(capsysctl != NULL); 1617 1618 limit = cap_sysctl_limit_init(capsysctl); 1619 (void)cap_sysctl_limit_name(limit, "ker", 1620 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE); 1621 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1622 1623 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1624 NULL, NULL, &val, sizeof(val))); 1625 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len, 1626 NULL, NULL, &val, sizeof(val))); 1627 1628 cap_close(capsysctl); 1629 1630 /* 1631 * Verify that we check for CAP_SYSCTL_RECURSIVE. 1632 */ 1633 capsysctl = cap_clone(ocapsysctl); 1634 ATF_REQUIRE(capsysctl != NULL); 1635 1636 limit = cap_sysctl_limit_init(capsysctl); 1637 (void)cap_sysctl_limit_name(limit, "kern", CAP_SYSCTL_RDWR); 1638 ATF_REQUIRE(cap_sysctl_limit(limit) == 0); 1639 1640 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1641 NULL, NULL, &val, sizeof(val))); 1642 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len, 1643 NULL, NULL, &val, sizeof(val))); 1644 1645 cap_close(capsysctl); 1646} 1647ATF_TC_CLEANUP(cap_sysctl__recursive_limits, tc) 1648{ 1649 cleanup(); 1650} 1651 1652ATF_TC_WITH_CLEANUP(cap_sysctl__just_size); 1653ATF_TC_HEAD(cap_sysctl__just_size, tc) 1654{ 1655} 1656ATF_TC_BODY(cap_sysctl__just_size, tc) 1657{ 1658 cap_channel_t *capsysctl; 1659 size_t len; 1660 int mib0[2]; 1661 1662 capsysctl = initcap(); 1663 1664 len = nitems(mib0); 1665 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len) == 0); 1666 1667 ATF_REQUIRE(cap_sysctlbyname(capsysctl, SYSCTL0_NAME, 1668 NULL, &len, NULL, 0) == 0); 1669 ATF_REQUIRE(len == sizeof(int)); 1670 ATF_REQUIRE(cap_sysctl(capsysctl, mib0, nitems(mib0), 1671 NULL, &len, NULL, 0) == 0); 1672 ATF_REQUIRE(len == sizeof(int)); 1673 1674 cap_close(capsysctl); 1675} 1676ATF_TC_CLEANUP(cap_sysctl__just_size, tc) 1677{ 1678 cleanup(); 1679} 1680 1681ATF_TP_ADD_TCS(tp) 1682{ 1683 ATF_TP_ADD_TC(tp, cap_sysctl__operation); 1684 ATF_TP_ADD_TC(tp, cap_sysctl__names); 1685 ATF_TP_ADD_TC(tp, cap_sysctl__no_limits); 1686 ATF_TP_ADD_TC(tp, cap_sysctl__recursive_limits); 1687 ATF_TP_ADD_TC(tp, cap_sysctl__just_size); 1688 1689 return (atf_no_error()); 1690} 1691