1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2013, 2018 The FreeBSD Foundation
5 *
6 * This software was developed by Pawel Jakub Dawidek under sponsorship from
7 * the FreeBSD Foundation.
8 *
9 * Portions of this software were developed by Mark Johnston
10 * under sponsorship from the FreeBSD Foundation.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <sys/types.h>
35 #include <sys/capsicum.h>
36 #include <sys/sysctl.h>
37 #include <sys/nv.h>
38
39 #include <assert.h>
40 #include <err.h>
41 #include <errno.h>
42 #include <netdb.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <string.h>
46 #include <unistd.h>
47
48 #include <libcasper.h>
49 #include <casper/cap_sysctl.h>
50
51 #include <atf-c.h>
52
53 /*
54 * We need some sysctls to perform the tests on.
55 * We remember their values and restore them afer the test is done.
56 */
57 #define SYSCTL0_PARENT "kern"
58 #define SYSCTL0_NAME "kern.sync_on_panic"
59 #define SYSCTL0_FILE "./sysctl0"
60 #define SYSCTL1_PARENT "debug"
61 #define SYSCTL1_NAME "debug.minidump"
62 #define SYSCTL1_FILE "./sysctl1"
63
64 #define SYSCTL0_READ0 0x0001
65 #define SYSCTL0_READ1 0x0002
66 #define SYSCTL0_READ2 0x0004
67 #define SYSCTL0_WRITE 0x0008
68 #define SYSCTL0_READ_WRITE 0x0010
69 #define SYSCTL1_READ0 0x0020
70 #define SYSCTL1_READ1 0x0040
71 #define SYSCTL1_READ2 0x0080
72 #define SYSCTL1_WRITE 0x0100
73 #define SYSCTL1_READ_WRITE 0x0200
74
75 static void
save_int_sysctl(const char * name,const char * file)76 save_int_sysctl(const char *name, const char *file)
77 {
78 ssize_t n;
79 size_t sz;
80 int error, fd, val;
81
82 sz = sizeof(val);
83 error = sysctlbyname(name, &val, &sz, NULL, 0);
84 ATF_REQUIRE_MSG(error == 0,
85 "sysctlbyname(%s): %s", name, strerror(errno));
86
87 fd = open(file, O_CREAT | O_WRONLY, 0600);
88 ATF_REQUIRE_MSG(fd >= 0, "open(%s): %s", file, strerror(errno));
89 n = write(fd, &val, sz);
90 ATF_REQUIRE(n >= 0 && (size_t)n == sz);
91 error = close(fd);
92 ATF_REQUIRE(error == 0);
93 }
94
95 static void
restore_int_sysctl(const char * name,const char * file)96 restore_int_sysctl(const char *name, const char *file)
97 {
98 ssize_t n;
99 size_t sz;
100 int error, fd, val;
101
102 fd = open(file, O_RDONLY);
103 ATF_REQUIRE(fd >= 0);
104 sz = sizeof(val);
105 n = read(fd, &val, sz);
106 ATF_REQUIRE(n >= 0 && (size_t)n == sz);
107 error = unlink(file);
108 ATF_REQUIRE(error == 0);
109 error = close(fd);
110 ATF_REQUIRE(error == 0);
111
112 error = sysctlbyname(name, NULL, NULL, &val, sz);
113 ATF_REQUIRE_MSG(error == 0,
114 "sysctlbyname(%s): %s", name, strerror(errno));
115 }
116
117 static cap_channel_t *
initcap(void)118 initcap(void)
119 {
120 cap_channel_t *capcas, *capsysctl;
121
122 save_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE);
123 save_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE);
124
125 capcas = cap_init();
126 ATF_REQUIRE(capcas != NULL);
127
128 capsysctl = cap_service_open(capcas, "system.sysctl");
129 ATF_REQUIRE(capsysctl != NULL);
130
131 cap_close(capcas);
132
133 return (capsysctl);
134 }
135
136 static void
cleanup(void)137 cleanup(void)
138 {
139
140 restore_int_sysctl(SYSCTL0_NAME, SYSCTL0_FILE);
141 restore_int_sysctl(SYSCTL1_NAME, SYSCTL1_FILE);
142 }
143
144 static unsigned int
checkcaps(cap_channel_t * capsysctl)145 checkcaps(cap_channel_t *capsysctl)
146 {
147 unsigned int result;
148 size_t len0, len1, oldsize;
149 int error, mib0[2], mib1[2], oldvalue, newvalue;
150
151 result = 0;
152
153 len0 = nitems(mib0);
154 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len0) == 0);
155 len1 = nitems(mib1);
156 ATF_REQUIRE(sysctlnametomib(SYSCTL1_NAME, mib1, &len1) == 0);
157
158 oldsize = sizeof(oldvalue);
159 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize,
160 NULL, 0) == 0) {
161 if (oldsize == sizeof(oldvalue))
162 result |= SYSCTL0_READ0;
163 }
164 error = cap_sysctl(capsysctl, mib0, len0, &oldvalue, &oldsize, NULL, 0);
165 if ((result & SYSCTL0_READ0) != 0)
166 ATF_REQUIRE(error == 0);
167 else
168 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
169
170 newvalue = 123;
171 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, NULL, NULL, &newvalue,
172 sizeof(newvalue)) == 0) {
173 result |= SYSCTL0_WRITE;
174 }
175
176 if ((result & SYSCTL0_WRITE) != 0) {
177 oldsize = sizeof(oldvalue);
178 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue,
179 &oldsize, NULL, 0) == 0) {
180 if (oldsize == sizeof(oldvalue) && oldvalue == 123)
181 result |= SYSCTL0_READ1;
182 }
183 }
184 newvalue = 123;
185 error = cap_sysctl(capsysctl, mib0, len0, NULL, NULL,
186 &newvalue, sizeof(newvalue));
187 if ((result & SYSCTL0_WRITE) != 0)
188 ATF_REQUIRE(error == 0);
189 else
190 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
191
192 oldsize = sizeof(oldvalue);
193 newvalue = 4567;
194 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue, &oldsize,
195 &newvalue, sizeof(newvalue)) == 0) {
196 if (oldsize == sizeof(oldvalue) && oldvalue == 123)
197 result |= SYSCTL0_READ_WRITE;
198 }
199
200 if ((result & SYSCTL0_READ_WRITE) != 0) {
201 oldsize = sizeof(oldvalue);
202 if (cap_sysctlbyname(capsysctl, SYSCTL0_NAME, &oldvalue,
203 &oldsize, NULL, 0) == 0) {
204 if (oldsize == sizeof(oldvalue) && oldvalue == 4567)
205 result |= SYSCTL0_READ2;
206 }
207 }
208
209 oldsize = sizeof(oldvalue);
210 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize,
211 NULL, 0) == 0) {
212 if (oldsize == sizeof(oldvalue))
213 result |= SYSCTL1_READ0;
214 }
215 error = cap_sysctl(capsysctl, mib1, len1, &oldvalue, &oldsize, NULL, 0);
216 if ((result & SYSCTL1_READ0) != 0)
217 ATF_REQUIRE(error == 0);
218 else
219 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
220
221 newvalue = 506;
222 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, NULL, NULL, &newvalue,
223 sizeof(newvalue)) == 0) {
224 result |= SYSCTL1_WRITE;
225 }
226
227 if ((result & SYSCTL1_WRITE) != 0) {
228 newvalue = 506;
229 ATF_REQUIRE(cap_sysctl(capsysctl, mib1, len1, NULL, NULL,
230 &newvalue, sizeof(newvalue)) == 0);
231
232 oldsize = sizeof(oldvalue);
233 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue,
234 &oldsize, NULL, 0) == 0) {
235 if (oldsize == sizeof(oldvalue) && oldvalue == 506)
236 result |= SYSCTL1_READ1;
237 }
238 }
239 newvalue = 506;
240 error = cap_sysctl(capsysctl, mib1, len1, NULL, NULL,
241 &newvalue, sizeof(newvalue));
242 if ((result & SYSCTL1_WRITE) != 0)
243 ATF_REQUIRE(error == 0);
244 else
245 ATF_REQUIRE_ERRNO(ENOTCAPABLE, error != 0);
246
247 oldsize = sizeof(oldvalue);
248 newvalue = 7008;
249 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue, &oldsize,
250 &newvalue, sizeof(newvalue)) == 0) {
251 if (oldsize == sizeof(oldvalue) && oldvalue == 506)
252 result |= SYSCTL1_READ_WRITE;
253 }
254
255 if ((result & SYSCTL1_READ_WRITE) != 0) {
256 oldsize = sizeof(oldvalue);
257 if (cap_sysctlbyname(capsysctl, SYSCTL1_NAME, &oldvalue,
258 &oldsize, NULL, 0) == 0) {
259 if (oldsize == sizeof(oldvalue) && oldvalue == 7008)
260 result |= SYSCTL1_READ2;
261 }
262 }
263
264 return (result);
265 }
266
267 ATF_TC_WITH_CLEANUP(cap_sysctl__operation);
ATF_TC_HEAD(cap_sysctl__operation,tc)268 ATF_TC_HEAD(cap_sysctl__operation, tc)
269 {
270 }
ATF_TC_BODY(cap_sysctl__operation,tc)271 ATF_TC_BODY(cap_sysctl__operation, tc)
272 {
273 cap_channel_t *capsysctl, *ocapsysctl;
274 void *limit;
275
276 ocapsysctl = initcap();
277
278 /*
279 * Allow:
280 * SYSCTL0_PARENT/RDWR/RECURSIVE
281 * SYSCTL1_PARENT/RDWR/RECURSIVE
282 */
283
284 capsysctl = cap_clone(ocapsysctl);
285 ATF_REQUIRE(capsysctl != NULL);
286
287 limit = cap_sysctl_limit_init(capsysctl);
288 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
289 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
290 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
291 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
292 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
293
294 limit = cap_sysctl_limit_init(capsysctl);
295 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
296 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
297 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
298 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
299 (void)cap_sysctl_limit_name(limit, "foo.bar",
300 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
301 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
302
303 limit = cap_sysctl_limit_init(capsysctl);
304 (void)cap_sysctl_limit_name(limit, "foo.bar",
305 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
306 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
307
308 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
309 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
310 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
311 SYSCTL1_READ_WRITE));
312
313 limit = cap_sysctl_limit_init(capsysctl);
314 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
315 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
316 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
317 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
318 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
319
320 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
321 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
322 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
323 SYSCTL1_READ_WRITE));
324
325 limit = cap_sysctl_limit_init(capsysctl);
326 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
327 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
328 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
329 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
330 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
331
332 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
333
334 limit = cap_sysctl_limit_init(capsysctl);
335 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
336 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
337 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
338
339 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
340
341 limit = cap_sysctl_limit_init(capsysctl);
342 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
343 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
344
345 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0);
346
347 cap_close(capsysctl);
348
349 /*
350 * Allow:
351 * SYSCTL0_NAME/RDWR/RECURSIVE
352 * SYSCTL1_NAME/RDWR/RECURSIVE
353 */
354
355 capsysctl = cap_clone(ocapsysctl);
356 ATF_REQUIRE(capsysctl != NULL);
357
358 limit = cap_sysctl_limit_init(capsysctl);
359 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
360 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
361 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
362 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
363 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
364
365 limit = cap_sysctl_limit_init(capsysctl);
366 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
367 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
368 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
369 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
370 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
371 limit = cap_sysctl_limit_init(capsysctl);
372 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
373 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
374 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
375 limit = cap_sysctl_limit_init(capsysctl);
376 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
377 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
378 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
379 limit = cap_sysctl_limit_init(capsysctl);
380 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
381 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
382
383 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
384 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
385 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
386 SYSCTL1_READ_WRITE));
387
388 cap_close(capsysctl);
389
390 /*
391 * Allow:
392 * SYSCTL0_PARENT/RDWR
393 * SYSCTL1_PARENT/RDWR
394 */
395
396 capsysctl = cap_clone(ocapsysctl);
397 ATF_REQUIRE(capsysctl != NULL);
398
399 limit = cap_sysctl_limit_init(capsysctl);
400 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
401 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
402 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
403 limit = cap_sysctl_limit_init(capsysctl);
404 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
405 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
406 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
407 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
408 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
409 limit = cap_sysctl_limit_init(capsysctl);
410 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
411 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
412 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
413 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
414 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
415 limit = cap_sysctl_limit_init(capsysctl);
416 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
417 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
418 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
419
420 ATF_REQUIRE(checkcaps(capsysctl) == 0);
421
422 cap_close(capsysctl);
423
424 /*
425 * Allow:
426 * SYSCTL0_NAME/RDWR
427 * SYSCTL1_NAME/RDWR
428 */
429
430 capsysctl = cap_clone(ocapsysctl);
431 ATF_REQUIRE(capsysctl != NULL);
432
433 limit = cap_sysctl_limit_init(capsysctl);
434 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
435 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
436 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
437 limit = cap_sysctl_limit_init(capsysctl);
438 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
439 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
440 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
441 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
442 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
443 limit = cap_sysctl_limit_init(capsysctl);
444 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
445 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
446 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
447 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
448 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
449 limit = cap_sysctl_limit_init(capsysctl);
450 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
451 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
452 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
453
454 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
455 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
456 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
457 SYSCTL1_READ_WRITE));
458
459 cap_close(capsysctl);
460
461 /*
462 * Allow:
463 * SYSCTL0_PARENT/RDWR
464 * SYSCTL1_PARENT/RDWR/RECURSIVE
465 */
466
467 capsysctl = cap_clone(ocapsysctl);
468 ATF_REQUIRE(capsysctl != NULL);
469
470 limit = cap_sysctl_limit_init(capsysctl);
471 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
472 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
473 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
474 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
475 limit = cap_sysctl_limit_init(capsysctl);
476 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
477 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
478 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
479 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
480 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
481 limit = cap_sysctl_limit_init(capsysctl);
482 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
483 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
484 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
485 limit = cap_sysctl_limit_init(capsysctl);
486 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
487 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
488 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
489 limit = cap_sysctl_limit_init(capsysctl);
490 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
491 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
492 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
493
494 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
495 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
496
497 cap_close(capsysctl);
498
499 /*
500 * Allow:
501 * SYSCTL0_NAME/RDWR
502 * SYSCTL1_NAME/RDWR/RECURSIVE
503 */
504
505 capsysctl = cap_clone(ocapsysctl);
506 ATF_REQUIRE(capsysctl != NULL);
507
508 limit = cap_sysctl_limit_init(capsysctl);
509 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
510 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
511 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
512 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
513 limit = cap_sysctl_limit_init(capsysctl);
514 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
515 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
516 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
517 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
518 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
519 limit = cap_sysctl_limit_init(capsysctl);
520 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
521 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
522 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
523 limit = cap_sysctl_limit_init(capsysctl);
524 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
525 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
526 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
527
528 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
529 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
530 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
531 SYSCTL1_READ_WRITE));
532
533 cap_close(capsysctl);
534
535 /*
536 * Allow:
537 * SYSCTL0_PARENT/READ/RECURSIVE
538 * SYSCTL1_PARENT/READ/RECURSIVE
539 */
540
541 capsysctl = cap_clone(ocapsysctl);
542 ATF_REQUIRE(capsysctl != NULL);
543
544 limit = cap_sysctl_limit_init(capsysctl);
545 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
546 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
547 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
548 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
549 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
550 limit = cap_sysctl_limit_init(capsysctl);
551 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
552 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
553 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
554 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
555 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
556 limit = cap_sysctl_limit_init(capsysctl);
557 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
558 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
559 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
560 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
561 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
562 limit = cap_sysctl_limit_init(capsysctl);
563 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
564 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
565 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
566 limit = cap_sysctl_limit_init(capsysctl);
567 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
568 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
569 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
570 limit = cap_sysctl_limit_init(capsysctl);
571 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
572 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
573 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
574 limit = cap_sysctl_limit_init(capsysctl);
575 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
576 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
577 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
578 limit = cap_sysctl_limit_init(capsysctl);
579 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
580 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
581 limit = cap_sysctl_limit_init(capsysctl);
582 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
583 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
584
585 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
586
587 cap_close(capsysctl);
588
589 /*
590 * Allow:
591 * SYSCTL0_NAME/READ/RECURSIVE
592 * SYSCTL1_NAME/READ/RECURSIVE
593 */
594
595 capsysctl = cap_clone(ocapsysctl);
596 ATF_REQUIRE(capsysctl != NULL);
597
598 limit = cap_sysctl_limit_init(capsysctl);
599 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
600 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
601 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
602 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
603 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
604 limit = cap_sysctl_limit_init(capsysctl);
605 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
606 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
607 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
608 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
609 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
610 limit = cap_sysctl_limit_init(capsysctl);
611 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
612 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
613 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
614 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
615 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
616 limit = cap_sysctl_limit_init(capsysctl);
617 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
618 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
619 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
620 limit = cap_sysctl_limit_init(capsysctl);
621 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
622 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
623 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
624 limit = cap_sysctl_limit_init(capsysctl);
625 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
626 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
627 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
628 limit = cap_sysctl_limit_init(capsysctl);
629 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
630 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
631 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
632 limit = cap_sysctl_limit_init(capsysctl);
633 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
634 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
635 limit = cap_sysctl_limit_init(capsysctl);
636 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
637 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
638
639 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
640
641 cap_close(capsysctl);
642
643 /*
644 * Allow:
645 * SYSCTL0_PARENT/READ
646 * SYSCTL1_PARENT/READ
647 */
648
649 capsysctl = cap_clone(ocapsysctl);
650 ATF_REQUIRE(capsysctl != NULL);
651
652 limit = cap_sysctl_limit_init(capsysctl);
653 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
654 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
655 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
656 limit = cap_sysctl_limit_init(capsysctl);
657 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
658 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
659 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
660 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
661 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
662 limit = cap_sysctl_limit_init(capsysctl);
663 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
664 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
665 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
666 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
667 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
668 limit = cap_sysctl_limit_init(capsysctl);
669 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
670 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
671 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
672 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
673 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
674 limit = cap_sysctl_limit_init(capsysctl);
675 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
676 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
677 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
678 limit = cap_sysctl_limit_init(capsysctl);
679 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
680 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
681 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
682 limit = cap_sysctl_limit_init(capsysctl);
683 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
684 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
685 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
686 limit = cap_sysctl_limit_init(capsysctl);
687 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
688 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
689 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
690 limit = cap_sysctl_limit_init(capsysctl);
691 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
692 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
693 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
694 limit = cap_sysctl_limit_init(capsysctl);
695 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
696 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
697 limit = cap_sysctl_limit_init(capsysctl);
698 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
699 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
700
701 ATF_REQUIRE(checkcaps(capsysctl) == 0);
702
703 cap_close(capsysctl);
704
705 /*
706 * Allow:
707 * SYSCTL0_NAME/READ
708 * SYSCTL1_NAME/READ
709 */
710
711 capsysctl = cap_clone(ocapsysctl);
712 ATF_REQUIRE(capsysctl != NULL);
713
714 limit = cap_sysctl_limit_init(capsysctl);
715 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
716 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
717 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
718 limit = cap_sysctl_limit_init(capsysctl);
719 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
720 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
721 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
722 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
723 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
724 limit = cap_sysctl_limit_init(capsysctl);
725 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
726 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
727 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
728 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
729 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
730 limit = cap_sysctl_limit_init(capsysctl);
731 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
732 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
733 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
734 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
735 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
736 limit = cap_sysctl_limit_init(capsysctl);
737 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
738 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
739 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
740 limit = cap_sysctl_limit_init(capsysctl);
741 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
742 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
743 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
744 limit = cap_sysctl_limit_init(capsysctl);
745 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
746 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
747 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
748 limit = cap_sysctl_limit_init(capsysctl);
749 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
750 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
751 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
752 limit = cap_sysctl_limit_init(capsysctl);
753 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
754 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
755 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
756 limit = cap_sysctl_limit_init(capsysctl);
757 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
758 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
759 limit = cap_sysctl_limit_init(capsysctl);
760 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
761 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
762
763 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
764
765 cap_close(capsysctl);
766
767 /*
768 * Allow:
769 * SYSCTL0_PARENT/READ
770 * SYSCTL1_PARENT/READ/RECURSIVE
771 */
772
773 capsysctl = cap_clone(ocapsysctl);
774 ATF_REQUIRE(capsysctl != NULL);
775
776 limit = cap_sysctl_limit_init(capsysctl);
777 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
778 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
779 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
780 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
781 limit = cap_sysctl_limit_init(capsysctl);
782 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
783 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
784 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
785 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
786
787 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0);
788
789 cap_close(capsysctl);
790
791 /*
792 * Allow:
793 * SYSCTL0_NAME/READ
794 * SYSCTL1_NAME/READ/RECURSIVE
795 */
796
797 capsysctl = cap_clone(ocapsysctl);
798 ATF_REQUIRE(capsysctl != NULL);
799
800 limit = cap_sysctl_limit_init(capsysctl);
801 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
802 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
803 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
804 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
805 limit = cap_sysctl_limit_init(capsysctl);
806 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
807 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
808 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
809 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
810
811 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_READ0));
812
813 cap_close(capsysctl);
814
815 /*
816 * Allow:
817 * SYSCTL0_PARENT/WRITE/RECURSIVE
818 * SYSCTL1_PARENT/WRITE/RECURSIVE
819 */
820
821 capsysctl = cap_clone(ocapsysctl);
822 ATF_REQUIRE(capsysctl != NULL);
823
824 limit = cap_sysctl_limit_init(capsysctl);
825 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
826 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
827 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
828 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
829 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
830 limit = cap_sysctl_limit_init(capsysctl);
831 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
832 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
833 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
834 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
835 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
836 limit = cap_sysctl_limit_init(capsysctl);
837 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
838 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
839 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
840 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
841 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
842 limit = cap_sysctl_limit_init(capsysctl);
843 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
844 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
845 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
846 limit = cap_sysctl_limit_init(capsysctl);
847 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
848 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
849 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
850 limit = cap_sysctl_limit_init(capsysctl);
851 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
852 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
853 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
854 limit = cap_sysctl_limit_init(capsysctl);
855 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
856 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
857 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
858 limit = cap_sysctl_limit_init(capsysctl);
859 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
860 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
861 limit = cap_sysctl_limit_init(capsysctl);
862 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
863 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
864
865 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
866
867 cap_close(capsysctl);
868
869 /*
870 * Allow:
871 * SYSCTL0_NAME/WRITE/RECURSIVE
872 * SYSCTL1_NAME/WRITE/RECURSIVE
873 */
874
875 capsysctl = cap_clone(ocapsysctl);
876 ATF_REQUIRE(capsysctl != NULL);
877
878 limit = cap_sysctl_limit_init(capsysctl);
879 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
880 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
881 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
882 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
883 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
884 limit = cap_sysctl_limit_init(capsysctl);
885 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
886 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
887 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
888 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
889 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
890 limit = cap_sysctl_limit_init(capsysctl);
891 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
892 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
893 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
894 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
895 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
896 limit = cap_sysctl_limit_init(capsysctl);
897 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
898 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
899 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
900 limit = cap_sysctl_limit_init(capsysctl);
901 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
902 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
903 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
904 limit = cap_sysctl_limit_init(capsysctl);
905 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
906 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
907 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
908 limit = cap_sysctl_limit_init(capsysctl);
909 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
910 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
911 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
912 limit = cap_sysctl_limit_init(capsysctl);
913 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
914 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
915 limit = cap_sysctl_limit_init(capsysctl);
916 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
917 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
918
919 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
920
921 cap_close(capsysctl);
922
923 /*
924 * Allow:
925 * SYSCTL0_PARENT/WRITE
926 * SYSCTL1_PARENT/WRITE
927 */
928
929 capsysctl = cap_clone(ocapsysctl);
930 ATF_REQUIRE(capsysctl != NULL);
931
932 limit = cap_sysctl_limit_init(capsysctl);
933 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
934 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
935 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
936 limit = cap_sysctl_limit_init(capsysctl);
937 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
938 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
939 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
940 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
941 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
942 limit = cap_sysctl_limit_init(capsysctl);
943 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
944 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
945 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
946 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
947 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
948 limit = cap_sysctl_limit_init(capsysctl);
949 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
950 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
951 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
952 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
953 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
954 limit = cap_sysctl_limit_init(capsysctl);
955 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
956 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
957 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
958 limit = cap_sysctl_limit_init(capsysctl);
959 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
960 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
961 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
962 limit = cap_sysctl_limit_init(capsysctl);
963 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
964 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
965 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
966 limit = cap_sysctl_limit_init(capsysctl);
967 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
968 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
969 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
970 limit = cap_sysctl_limit_init(capsysctl);
971 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
972 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
973 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
974 limit = cap_sysctl_limit_init(capsysctl);
975 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
976 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
977 limit = cap_sysctl_limit_init(capsysctl);
978 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
979 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
980
981 ATF_REQUIRE(checkcaps(capsysctl) == 0);
982
983 cap_close(capsysctl);
984
985 /*
986 * Allow:
987 * SYSCTL0_NAME/WRITE
988 * SYSCTL1_NAME/WRITE
989 */
990
991 capsysctl = cap_clone(ocapsysctl);
992 ATF_REQUIRE(capsysctl != NULL);
993
994 limit = cap_sysctl_limit_init(capsysctl);
995 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
996 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
997 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
998 limit = cap_sysctl_limit_init(capsysctl);
999 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1000 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1001 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1002 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1003 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1004 limit = cap_sysctl_limit_init(capsysctl);
1005 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1006 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1007 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1008 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1009 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1010 limit = cap_sysctl_limit_init(capsysctl);
1011 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1012 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1013 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1014 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1015 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1016 limit = cap_sysctl_limit_init(capsysctl);
1017 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1018 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1019 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1020 limit = cap_sysctl_limit_init(capsysctl);
1021 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1022 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1023 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1024 limit = cap_sysctl_limit_init(capsysctl);
1025 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1026 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1027 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1028 limit = cap_sysctl_limit_init(capsysctl);
1029 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1030 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1031 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1032 limit = cap_sysctl_limit_init(capsysctl);
1033 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1034 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1035 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1036 limit = cap_sysctl_limit_init(capsysctl);
1037 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1038 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1039 limit = cap_sysctl_limit_init(capsysctl);
1040 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1041 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1042
1043 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
1044
1045 cap_close(capsysctl);
1046
1047 /*
1048 * Allow:
1049 * SYSCTL0_PARENT/WRITE
1050 * SYSCTL1_PARENT/WRITE/RECURSIVE
1051 */
1052
1053 capsysctl = cap_clone(ocapsysctl);
1054 ATF_REQUIRE(capsysctl != NULL);
1055
1056 limit = cap_sysctl_limit_init(capsysctl);
1057 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1058 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1059 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1060 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1061 limit = cap_sysctl_limit_init(capsysctl);
1062 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1063 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1064 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1065 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1066
1067 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1068
1069 cap_close(capsysctl);
1070
1071 /*
1072 * Allow:
1073 * SYSCTL0_NAME/WRITE
1074 * SYSCTL1_NAME/WRITE/RECURSIVE
1075 */
1076
1077 capsysctl = cap_clone(ocapsysctl);
1078 ATF_REQUIRE(capsysctl != NULL);
1079
1080 limit = cap_sysctl_limit_init(capsysctl);
1081 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1082 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1083 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1084 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1085 limit = cap_sysctl_limit_init(capsysctl);
1086 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1087 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1088 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1089 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1090
1091 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_WRITE | SYSCTL1_WRITE));
1092
1093 cap_close(capsysctl);
1094
1095 /*
1096 * Allow:
1097 * SYSCTL0_PARENT/READ/RECURSIVE
1098 * SYSCTL1_PARENT/WRITE/RECURSIVE
1099 */
1100
1101 capsysctl = cap_clone(ocapsysctl);
1102 ATF_REQUIRE(capsysctl != NULL);
1103
1104 limit = cap_sysctl_limit_init(capsysctl);
1105 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1106 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1107 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1108 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1109 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1110
1111 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1112
1113 cap_close(capsysctl);
1114
1115 /*
1116 * Allow:
1117 * SYSCTL0_NAME/READ/RECURSIVE
1118 * SYSCTL1_NAME/WRITE/RECURSIVE
1119 */
1120
1121 capsysctl = cap_clone(ocapsysctl);
1122 ATF_REQUIRE(capsysctl != NULL);
1123
1124 limit = cap_sysctl_limit_init(capsysctl);
1125 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1126 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1127 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1128 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1129 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1130
1131 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1132
1133 cap_close(capsysctl);
1134
1135 /*
1136 * Allow:
1137 * SYSCTL0_PARENT/READ
1138 * SYSCTL1_PARENT/WRITE
1139 */
1140
1141 capsysctl = cap_clone(ocapsysctl);
1142 ATF_REQUIRE(capsysctl != NULL);
1143
1144 limit = cap_sysctl_limit_init(capsysctl);
1145 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1146 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1147 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1148
1149 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1150
1151 cap_close(capsysctl);
1152
1153 /*
1154 * Allow:
1155 * SYSCTL0_NAME/READ
1156 * SYSCTL1_NAME/WRITE
1157 */
1158
1159 capsysctl = cap_clone(ocapsysctl);
1160 ATF_REQUIRE(capsysctl != NULL);
1161
1162 limit = cap_sysctl_limit_init(capsysctl);
1163 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1164 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1165 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1166
1167 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1168
1169 cap_close(capsysctl);
1170
1171 /*
1172 * Allow:
1173 * SYSCTL0_PARENT/READ
1174 * SYSCTL1_PARENT/WRITE/RECURSIVE
1175 */
1176
1177 capsysctl = cap_clone(ocapsysctl);
1178 ATF_REQUIRE(capsysctl != NULL);
1179
1180 limit = cap_sysctl_limit_init(capsysctl);
1181 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1182 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1183 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1184 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1185
1186 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1187
1188 cap_close(capsysctl);
1189
1190 /*
1191 * Allow:
1192 * SYSCTL0_NAME/READ
1193 * SYSCTL1_NAME/WRITE/RECURSIVE
1194 */
1195
1196 capsysctl = cap_clone(ocapsysctl);
1197 ATF_REQUIRE(capsysctl != NULL);
1198
1199 limit = cap_sysctl_limit_init(capsysctl);
1200 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1201 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1202 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1203 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1204
1205 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL1_WRITE));
1206
1207 cap_close(capsysctl);
1208 }
ATF_TC_CLEANUP(cap_sysctl__operation,tc)1209 ATF_TC_CLEANUP(cap_sysctl__operation, tc)
1210 {
1211 cleanup();
1212 }
1213
1214 ATF_TC_WITH_CLEANUP(cap_sysctl__names);
ATF_TC_HEAD(cap_sysctl__names,tc)1215 ATF_TC_HEAD(cap_sysctl__names, tc)
1216 {
1217 }
ATF_TC_BODY(cap_sysctl__names,tc)1218 ATF_TC_BODY(cap_sysctl__names, tc)
1219 {
1220 cap_channel_t *capsysctl, *ocapsysctl;
1221 void *limit;
1222
1223 ocapsysctl = initcap();
1224
1225 /*
1226 * Allow:
1227 * SYSCTL0_PARENT/READ/RECURSIVE
1228 */
1229
1230 capsysctl = cap_clone(ocapsysctl);
1231 ATF_REQUIRE(capsysctl != NULL);
1232
1233 limit = cap_sysctl_limit_init(capsysctl);
1234 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1235 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1236 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1237 limit = cap_sysctl_limit_init(capsysctl);
1238 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1239 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1240 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1241 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1242 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1243 limit = cap_sysctl_limit_init(capsysctl);
1244 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1245 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1246 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1247 limit = cap_sysctl_limit_init(capsysctl);
1248 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1249 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1250 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1251 limit = cap_sysctl_limit_init(capsysctl);
1252 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1253 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1254
1255 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_READ0);
1256
1257 cap_close(capsysctl);
1258
1259 /*
1260 * Allow:
1261 * SYSCTL1_NAME/READ/RECURSIVE
1262 */
1263
1264 capsysctl = cap_clone(ocapsysctl);
1265 ATF_REQUIRE(capsysctl != NULL);
1266
1267 limit = cap_sysctl_limit_init(capsysctl);
1268 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1269 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1270 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1271 limit = cap_sysctl_limit_init(capsysctl);
1272 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1273 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1274 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1275 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1276 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1277 limit = cap_sysctl_limit_init(capsysctl);
1278 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1279 CAP_SYSCTL_READ | CAP_SYSCTL_RECURSIVE);
1280 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1281 limit = cap_sysctl_limit_init(capsysctl);
1282 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1283 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1284 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1285 limit = cap_sysctl_limit_init(capsysctl);
1286 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1287 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1288
1289 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0);
1290
1291 cap_close(capsysctl);
1292
1293 /*
1294 * Allow:
1295 * SYSCTL0_PARENT/WRITE/RECURSIVE
1296 */
1297
1298 capsysctl = cap_clone(ocapsysctl);
1299 ATF_REQUIRE(capsysctl != NULL);
1300
1301 limit = cap_sysctl_limit_init(capsysctl);
1302 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1303 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1304 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1305 limit = cap_sysctl_limit_init(capsysctl);
1306 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1307 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1308 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1309 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1310 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1311 limit = cap_sysctl_limit_init(capsysctl);
1312 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1313 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1314 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1315 limit = cap_sysctl_limit_init(capsysctl);
1316 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1317 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1318 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1319 limit = cap_sysctl_limit_init(capsysctl);
1320 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1321 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1322
1323 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL0_WRITE);
1324
1325 cap_close(capsysctl);
1326
1327 /*
1328 * Allow:
1329 * SYSCTL1_NAME/WRITE/RECURSIVE
1330 */
1331
1332 capsysctl = cap_clone(ocapsysctl);
1333 ATF_REQUIRE(capsysctl != NULL);
1334
1335 limit = cap_sysctl_limit_init(capsysctl);
1336 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1337 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1338 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1339 limit = cap_sysctl_limit_init(capsysctl);
1340 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1341 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1342 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1343 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1344 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1345 limit = cap_sysctl_limit_init(capsysctl);
1346 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1347 CAP_SYSCTL_WRITE | CAP_SYSCTL_RECURSIVE);
1348 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1349 limit = cap_sysctl_limit_init(capsysctl);
1350 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1351 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1352 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1353 limit = cap_sysctl_limit_init(capsysctl);
1354 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1355 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1356
1357 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1358
1359 cap_close(capsysctl);
1360
1361 /*
1362 * Allow:
1363 * SYSCTL0_PARENT/RDWR/RECURSIVE
1364 */
1365
1366 capsysctl = cap_clone(ocapsysctl);
1367 ATF_REQUIRE(capsysctl != NULL);
1368
1369 limit = cap_sysctl_limit_init(capsysctl);
1370 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1371 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1372 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1373 limit = cap_sysctl_limit_init(capsysctl);
1374 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT,
1375 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1376 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1377 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1378 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1379 limit = cap_sysctl_limit_init(capsysctl);
1380 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT,
1381 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1382 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1383 limit = cap_sysctl_limit_init(capsysctl);
1384 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1385 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1386 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1387 limit = cap_sysctl_limit_init(capsysctl);
1388 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1389 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1390
1391 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL0_READ0 | SYSCTL0_READ1 |
1392 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE));
1393
1394 cap_close(capsysctl);
1395
1396 /*
1397 * Allow:
1398 * SYSCTL1_NAME/RDWR/RECURSIVE
1399 */
1400
1401 capsysctl = cap_clone(ocapsysctl);
1402 ATF_REQUIRE(capsysctl != NULL);
1403
1404 limit = cap_sysctl_limit_init(capsysctl);
1405 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1406 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1407 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1408 limit = cap_sysctl_limit_init(capsysctl);
1409 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1410 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1411 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME,
1412 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1413 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1414 limit = cap_sysctl_limit_init(capsysctl);
1415 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME,
1416 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1417 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1418 limit = cap_sysctl_limit_init(capsysctl);
1419 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1420 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1421 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1422 limit = cap_sysctl_limit_init(capsysctl);
1423 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1424 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1425
1426 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
1427 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
1428
1429 cap_close(capsysctl);
1430
1431 /*
1432 * Allow:
1433 * SYSCTL0_PARENT/READ
1434 */
1435
1436 capsysctl = cap_clone(ocapsysctl);
1437 ATF_REQUIRE(capsysctl != NULL);
1438
1439 limit = cap_sysctl_limit_init(capsysctl);
1440 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1441 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1442 limit = cap_sysctl_limit_init(capsysctl);
1443 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_READ);
1444 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1445 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1446 limit = cap_sysctl_limit_init(capsysctl);
1447 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_READ);
1448 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1449
1450 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1451
1452 cap_close(capsysctl);
1453
1454 /*
1455 * Allow:
1456 * SYSCTL1_NAME/READ
1457 */
1458
1459 capsysctl = cap_clone(ocapsysctl);
1460 ATF_REQUIRE(capsysctl != NULL);
1461
1462 limit = cap_sysctl_limit_init(capsysctl);
1463 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1464 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1465 limit = cap_sysctl_limit_init(capsysctl);
1466 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1467 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_READ);
1468 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1469 limit = cap_sysctl_limit_init(capsysctl);
1470 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_READ);
1471 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1472
1473 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_READ0);
1474
1475 cap_close(capsysctl);
1476
1477 /*
1478 * Allow:
1479 * SYSCTL0_PARENT/WRITE
1480 */
1481
1482 capsysctl = cap_clone(ocapsysctl);
1483 ATF_REQUIRE(capsysctl != NULL);
1484
1485 limit = cap_sysctl_limit_init(capsysctl);
1486 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1487 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1488 limit = cap_sysctl_limit_init(capsysctl);
1489 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_WRITE);
1490 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1491 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1492 limit = cap_sysctl_limit_init(capsysctl);
1493 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_WRITE);
1494 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1495
1496 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1497
1498 cap_close(capsysctl);
1499
1500 /*
1501 * Allow:
1502 * SYSCTL1_NAME/WRITE
1503 */
1504
1505 capsysctl = cap_clone(ocapsysctl);
1506 ATF_REQUIRE(capsysctl != NULL);
1507
1508 limit = cap_sysctl_limit_init(capsysctl);
1509 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1510 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1511 limit = cap_sysctl_limit_init(capsysctl);
1512 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1513 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_WRITE);
1514 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1515 limit = cap_sysctl_limit_init(capsysctl);
1516 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_WRITE);
1517 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1518
1519 ATF_REQUIRE(checkcaps(capsysctl) == SYSCTL1_WRITE);
1520
1521 cap_close(capsysctl);
1522
1523 /*
1524 * Allow:
1525 * SYSCTL0_PARENT/RDWR
1526 */
1527
1528 capsysctl = cap_clone(ocapsysctl);
1529 ATF_REQUIRE(capsysctl != NULL);
1530
1531 limit = cap_sysctl_limit_init(capsysctl);
1532 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
1533 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1534 limit = cap_sysctl_limit_init(capsysctl);
1535 (void)cap_sysctl_limit_name(limit, SYSCTL0_PARENT, CAP_SYSCTL_RDWR);
1536 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
1537 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1538 limit = cap_sysctl_limit_init(capsysctl);
1539 (void)cap_sysctl_limit_name(limit, SYSCTL1_PARENT, CAP_SYSCTL_RDWR);
1540 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1541
1542 ATF_REQUIRE(checkcaps(capsysctl) == 0);
1543
1544 cap_close(capsysctl);
1545
1546 /*
1547 * Allow:
1548 * SYSCTL1_NAME/RDWR
1549 */
1550
1551 capsysctl = cap_clone(ocapsysctl);
1552 ATF_REQUIRE(capsysctl != NULL);
1553
1554 limit = cap_sysctl_limit_init(capsysctl);
1555 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1556 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1557 limit = cap_sysctl_limit_init(capsysctl);
1558 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1559 (void)cap_sysctl_limit_name(limit, SYSCTL1_NAME, CAP_SYSCTL_RDWR);
1560 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1561 limit = cap_sysctl_limit_init(capsysctl);
1562 (void)cap_sysctl_limit_name(limit, SYSCTL0_NAME, CAP_SYSCTL_RDWR);
1563 ATF_REQUIRE(cap_sysctl_limit(limit) == -1 && errno == ENOTCAPABLE);
1564
1565 ATF_REQUIRE(checkcaps(capsysctl) == (SYSCTL1_READ0 | SYSCTL1_READ1 |
1566 SYSCTL1_READ2 | SYSCTL1_WRITE | SYSCTL1_READ_WRITE));
1567
1568 cap_close(capsysctl);
1569 }
ATF_TC_CLEANUP(cap_sysctl__names,tc)1570 ATF_TC_CLEANUP(cap_sysctl__names, tc)
1571 {
1572 cleanup();
1573 }
1574
1575 ATF_TC_WITH_CLEANUP(cap_sysctl__no_limits);
ATF_TC_HEAD(cap_sysctl__no_limits,tc)1576 ATF_TC_HEAD(cap_sysctl__no_limits, tc)
1577 {
1578 }
ATF_TC_BODY(cap_sysctl__no_limits,tc)1579 ATF_TC_BODY(cap_sysctl__no_limits, tc)
1580 {
1581 cap_channel_t *capsysctl;
1582
1583 capsysctl = initcap();
1584
1585 ATF_REQUIRE_EQ(checkcaps(capsysctl), (SYSCTL0_READ0 | SYSCTL0_READ1 |
1586 SYSCTL0_READ2 | SYSCTL0_WRITE | SYSCTL0_READ_WRITE |
1587 SYSCTL1_READ0 | SYSCTL1_READ1 | SYSCTL1_READ2 | SYSCTL1_WRITE |
1588 SYSCTL1_READ_WRITE));
1589 }
ATF_TC_CLEANUP(cap_sysctl__no_limits,tc)1590 ATF_TC_CLEANUP(cap_sysctl__no_limits, tc)
1591 {
1592 cleanup();
1593 }
1594
1595 ATF_TC_WITH_CLEANUP(cap_sysctl__recursive_limits);
ATF_TC_HEAD(cap_sysctl__recursive_limits,tc)1596 ATF_TC_HEAD(cap_sysctl__recursive_limits, tc)
1597 {
1598 }
ATF_TC_BODY(cap_sysctl__recursive_limits,tc)1599 ATF_TC_BODY(cap_sysctl__recursive_limits, tc)
1600 {
1601 cap_channel_t *capsysctl, *ocapsysctl;
1602 void *limit;
1603 size_t len;
1604 int mib[2], val = 420;
1605
1606 len = nitems(mib);
1607 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib, &len) == 0);
1608
1609 ocapsysctl = initcap();
1610
1611 /*
1612 * Make sure that we match entire components.
1613 */
1614 capsysctl = cap_clone(ocapsysctl);
1615 ATF_REQUIRE(capsysctl != NULL);
1616
1617 limit = cap_sysctl_limit_init(capsysctl);
1618 (void)cap_sysctl_limit_name(limit, "ker",
1619 CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE);
1620 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1621
1622 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME,
1623 NULL, NULL, &val, sizeof(val)));
1624 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len,
1625 NULL, NULL, &val, sizeof(val)));
1626
1627 cap_close(capsysctl);
1628
1629 /*
1630 * Verify that we check for CAP_SYSCTL_RECURSIVE.
1631 */
1632 capsysctl = cap_clone(ocapsysctl);
1633 ATF_REQUIRE(capsysctl != NULL);
1634
1635 limit = cap_sysctl_limit_init(capsysctl);
1636 (void)cap_sysctl_limit_name(limit, "kern", CAP_SYSCTL_RDWR);
1637 ATF_REQUIRE(cap_sysctl_limit(limit) == 0);
1638
1639 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctlbyname(capsysctl, SYSCTL0_NAME,
1640 NULL, NULL, &val, sizeof(val)));
1641 ATF_REQUIRE_ERRNO(ENOTCAPABLE, cap_sysctl(capsysctl, mib, len,
1642 NULL, NULL, &val, sizeof(val)));
1643
1644 cap_close(capsysctl);
1645 }
ATF_TC_CLEANUP(cap_sysctl__recursive_limits,tc)1646 ATF_TC_CLEANUP(cap_sysctl__recursive_limits, tc)
1647 {
1648 cleanup();
1649 }
1650
1651 ATF_TC_WITH_CLEANUP(cap_sysctl__just_size);
ATF_TC_HEAD(cap_sysctl__just_size,tc)1652 ATF_TC_HEAD(cap_sysctl__just_size, tc)
1653 {
1654 }
ATF_TC_BODY(cap_sysctl__just_size,tc)1655 ATF_TC_BODY(cap_sysctl__just_size, tc)
1656 {
1657 cap_channel_t *capsysctl;
1658 size_t len;
1659 int mib0[2];
1660
1661 capsysctl = initcap();
1662
1663 len = nitems(mib0);
1664 ATF_REQUIRE(sysctlnametomib(SYSCTL0_NAME, mib0, &len) == 0);
1665
1666 ATF_REQUIRE(cap_sysctlbyname(capsysctl, SYSCTL0_NAME,
1667 NULL, &len, NULL, 0) == 0);
1668 ATF_REQUIRE(len == sizeof(int));
1669 ATF_REQUIRE(cap_sysctl(capsysctl, mib0, nitems(mib0),
1670 NULL, &len, NULL, 0) == 0);
1671 ATF_REQUIRE(len == sizeof(int));
1672
1673 cap_close(capsysctl);
1674 }
ATF_TC_CLEANUP(cap_sysctl__just_size,tc)1675 ATF_TC_CLEANUP(cap_sysctl__just_size, tc)
1676 {
1677 cleanup();
1678 }
1679
ATF_TP_ADD_TCS(tp)1680 ATF_TP_ADD_TCS(tp)
1681 {
1682 ATF_TP_ADD_TC(tp, cap_sysctl__operation);
1683 ATF_TP_ADD_TC(tp, cap_sysctl__names);
1684 ATF_TP_ADD_TC(tp, cap_sysctl__no_limits);
1685 ATF_TP_ADD_TC(tp, cap_sysctl__recursive_limits);
1686 ATF_TP_ADD_TC(tp, cap_sysctl__just_size);
1687
1688 return (atf_no_error());
1689 }
1690