Skip to content

Commit 7d00519

Browse files
author
Shuah Khan
committed
selftests: capabilities: convert the test to use TAP13 ksft framework
Convert the test to use TAP13 ksft framework for test output. Converting error paths using err() and errx() will be done in another patch to make it easier for review and change management. Signed-off-by: Shuah Khan <[email protected]>
1 parent 52888fe commit 7d00519

File tree

2 files changed

+62
-38
lines changed

2 files changed

+62
-38
lines changed

tools/testing/selftests/capabilities/test_execve.c

Lines changed: 52 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@
1818
#include <sys/prctl.h>
1919
#include <sys/stat.h>
2020

21+
#include "../kselftest.h"
22+
2123
#ifndef PR_CAP_AMBIENT
2224
#define PR_CAP_AMBIENT 47
2325
# define PR_CAP_AMBIENT_IS_SET 1
@@ -27,6 +29,7 @@
2729
#endif
2830

2931
static int nerrs;
32+
static pid_t mpid; /* main() pid is used to avoid duplicate test counts */
3033

3134
static void vmaybe_write_file(bool enoent_ok, char *filename, char *fmt, va_list ap)
3235
{
@@ -95,7 +98,7 @@ static bool create_and_enter_ns(uid_t inner_uid)
9598
*/
9699

97100
if (unshare(CLONE_NEWNS) == 0) {
98-
printf("[NOTE]\tUsing global UIDs for tests\n");
101+
ksft_print_msg("[NOTE]\tUsing global UIDs for tests\n");
99102
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
100103
err(1, "PR_SET_KEEPCAPS");
101104
if (setresuid(inner_uid, inner_uid, -1) != 0)
@@ -111,7 +114,7 @@ static bool create_and_enter_ns(uid_t inner_uid)
111114

112115
have_outer_privilege = true;
113116
} else if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0) {
114-
printf("[NOTE]\tUsing a user namespace for tests\n");
117+
ksft_print_msg("[NOTE]\tUsing a user namespace for tests\n");
115118
maybe_write_file("/proc/self/setgroups", "deny");
116119
write_file("/proc/self/uid_map", "%d %d 1", inner_uid, outer_uid);
117120
write_file("/proc/self/gid_map", "0 %d 1", outer_gid);
@@ -174,15 +177,16 @@ static bool fork_wait(void)
174177
int status;
175178
if (waitpid(child, &status, 0) != child ||
176179
!WIFEXITED(status)) {
177-
printf("[FAIL]\tChild died\n");
180+
ksft_print_msg("Child died\n");
178181
nerrs++;
179182
} else if (WEXITSTATUS(status) != 0) {
180-
printf("[FAIL]\tChild failed\n");
183+
ksft_print_msg("Child failed\n");
181184
nerrs++;
182185
} else {
183-
printf("[OK]\tChild succeeded\n");
186+
/* don't print this message for mpid */
187+
if (getpid() != mpid)
188+
ksft_test_result_pass("Passed\n");
184189
}
185-
186190
return false;
187191
} else {
188192
err(1, "fork");
@@ -255,57 +259,64 @@ static int do_tests(int uid, const char *our_path)
255259
err(1, "capng_apply");
256260

257261
if (uid == 0) {
258-
printf("[RUN]\tRoot => ep\n");
262+
ksft_print_msg("[RUN]\tRoot => ep\n");
259263
if (fork_wait())
260264
exec_validate_cap(true, true, false, false);
261265
} else {
262-
printf("[RUN]\tNon-root => no caps\n");
266+
ksft_print_msg("[RUN]\tNon-root => no caps\n");
263267
if (fork_wait())
264268
exec_validate_cap(false, false, false, false);
265269
}
266270

267-
printf("[OK]\tCheck cap_ambient manipulation rules\n");
271+
ksft_print_msg("Check cap_ambient manipulation rules\n");
268272

269273
/* We should not be able to add ambient caps yet. */
270274
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BIND_SERVICE, 0, 0, 0) != -1 || errno != EPERM) {
271275
if (errno == EINVAL)
272-
printf("[FAIL]\tPR_CAP_AMBIENT_RAISE isn't supported\n");
276+
ksft_test_result_fail(
277+
"PR_CAP_AMBIENT_RAISE isn't supported\n");
273278
else
274-
printf("[FAIL]\tPR_CAP_AMBIENT_RAISE should have failed eith EPERM on a non-inheritable cap\n");
279+
ksft_test_result_fail(
280+
"PR_CAP_AMBIENT_RAISE should have failed eith EPERM on a non-inheritable cap\n");
275281
return 1;
276282
}
277-
printf("[OK]\tPR_CAP_AMBIENT_RAISE failed on non-inheritable cap\n");
283+
ksft_test_result_pass(
284+
"PR_CAP_AMBIENT_RAISE failed on non-inheritable cap\n");
278285

279286
capng_update(CAPNG_ADD, CAPNG_INHERITABLE, CAP_NET_RAW);
280287
capng_update(CAPNG_DROP, CAPNG_PERMITTED, CAP_NET_RAW);
281288
capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_NET_RAW);
282289
if (capng_apply(CAPNG_SELECT_CAPS) != 0)
283290
err(1, "capng_apply");
284291
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW, 0, 0, 0) != -1 || errno != EPERM) {
285-
printf("[FAIL]\tPR_CAP_AMBIENT_RAISE should have failed on a non-permitted cap\n");
292+
ksft_test_result_fail(
293+
"PR_CAP_AMBIENT_RAISE should have failed on a non-permitted cap\n");
286294
return 1;
287295
}
288-
printf("[OK]\tPR_CAP_AMBIENT_RAISE failed on non-permitted cap\n");
296+
ksft_test_result_pass(
297+
"PR_CAP_AMBIENT_RAISE failed on non-permitted cap\n");
289298

290299
capng_update(CAPNG_ADD, CAPNG_INHERITABLE, CAP_NET_BIND_SERVICE);
291300
if (capng_apply(CAPNG_SELECT_CAPS) != 0)
292301
err(1, "capng_apply");
293302
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BIND_SERVICE, 0, 0, 0) != 0) {
294-
printf("[FAIL]\tPR_CAP_AMBIENT_RAISE should have succeeded\n");
303+
ksft_test_result_fail(
304+
"PR_CAP_AMBIENT_RAISE should have succeeded\n");
295305
return 1;
296306
}
297-
printf("[OK]\tPR_CAP_AMBIENT_RAISE worked\n");
307+
ksft_test_result_pass("PR_CAP_AMBIENT_RAISE worked\n");
298308

299309
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_BIND_SERVICE, 0, 0, 0) != 1) {
300-
printf("[FAIL]\tPR_CAP_AMBIENT_IS_SET is broken\n");
310+
ksft_test_result_fail("PR_CAP_AMBIENT_IS_SET is broken\n");
301311
return 1;
302312
}
303313

304314
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0, 0) != 0)
305315
err(1, "PR_CAP_AMBIENT_CLEAR_ALL");
306316

307317
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_BIND_SERVICE, 0, 0, 0) != 0) {
308-
printf("[FAIL]\tPR_CAP_AMBIENT_CLEAR_ALL didn't work\n");
318+
ksft_test_result_fail(
319+
"PR_CAP_AMBIENT_CLEAR_ALL didn't work\n");
309320
return 1;
310321
}
311322

@@ -317,75 +328,76 @@ static int do_tests(int uid, const char *our_path)
317328
err(1, "capng_apply");
318329

319330
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_BIND_SERVICE, 0, 0, 0) != 0) {
320-
printf("[FAIL]\tDropping I should have dropped A\n");
331+
ksft_test_result_fail("Dropping I should have dropped A\n");
321332
return 1;
322333
}
323334

324-
printf("[OK]\tBasic manipulation appears to work\n");
335+
ksft_test_result_pass("Basic manipulation appears to work\n");
325336

326337
capng_update(CAPNG_ADD, CAPNG_INHERITABLE, CAP_NET_BIND_SERVICE);
327338
if (capng_apply(CAPNG_SELECT_CAPS) != 0)
328339
err(1, "capng_apply");
329340
if (uid == 0) {
330-
printf("[RUN]\tRoot +i => eip\n");
341+
ksft_print_msg("[RUN]\tRoot +i => eip\n");
331342
if (fork_wait())
332343
exec_validate_cap(true, true, true, false);
333344
} else {
334-
printf("[RUN]\tNon-root +i => i\n");
345+
ksft_print_msg("[RUN]\tNon-root +i => i\n");
335346
if (fork_wait())
336347
exec_validate_cap(false, false, true, false);
337348
}
338349

339350
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BIND_SERVICE, 0, 0, 0) != 0)
340351
err(1, "PR_CAP_AMBIENT_RAISE");
341352

342-
printf("[RUN]\tUID %d +ia => eipa\n", uid);
353+
ksft_print_msg("[RUN]\tUID %d +ia => eipa\n", uid);
343354
if (fork_wait())
344355
exec_validate_cap(true, true, true, true);
345356

346357
/* The remaining tests need real privilege */
347358

348359
if (!have_outer_privilege) {
349-
printf("[SKIP]\tSUID/SGID tests (needs privilege)\n");
360+
ksft_test_result_skip("SUID/SGID tests (needs privilege)\n");
350361
goto done;
351362
}
352363

353364
if (uid == 0) {
354-
printf("[RUN]\tRoot +ia, suidroot => eipa\n");
365+
ksft_print_msg("[RUN]\tRoot +ia, suidroot => eipa\n");
355366
if (fork_wait())
356367
exec_other_validate_cap("./validate_cap_suidroot",
357368
true, true, true, true);
358369

359-
printf("[RUN]\tRoot +ia, suidnonroot => ip\n");
370+
ksft_print_msg("[RUN]\tRoot +ia, suidnonroot => ip\n");
360371
if (fork_wait())
361372
exec_other_validate_cap("./validate_cap_suidnonroot",
362373
false, true, true, false);
363374

364-
printf("[RUN]\tRoot +ia, sgidroot => eipa\n");
375+
ksft_print_msg("[RUN]\tRoot +ia, sgidroot => eipa\n");
365376
if (fork_wait())
366377
exec_other_validate_cap("./validate_cap_sgidroot",
367378
true, true, true, true);
368379

369380
if (fork_wait()) {
370-
printf("[RUN]\tRoot, gid != 0, +ia, sgidroot => eip\n");
381+
ksft_print_msg(
382+
"[RUN]\tRoot, gid != 0, +ia, sgidroot => eip\n");
371383
if (setresgid(1, 1, 1) != 0)
372384
err(1, "setresgid");
373385
exec_other_validate_cap("./validate_cap_sgidroot",
374386
true, true, true, false);
375387
}
376388

377-
printf("[RUN]\tRoot +ia, sgidnonroot => eip\n");
389+
ksft_print_msg("[RUN]\tRoot +ia, sgidnonroot => eip\n");
378390
if (fork_wait())
379391
exec_other_validate_cap("./validate_cap_sgidnonroot",
380392
true, true, true, false);
381393
} else {
382-
printf("[RUN]\tNon-root +ia, sgidnonroot => i\n");
394+
ksft_print_msg("[RUN]\tNon-root +ia, sgidnonroot => i\n");
383395
if (fork_wait())
384396
exec_other_validate_cap("./validate_cap_sgidnonroot",
385397
false, false, true, false);
386398

387399
if (fork_wait()) {
388-
printf("[RUN]\tNon-root +ia, sgidroot => i\n");
400+
ksft_print_msg("[RUN]\tNon-root +ia, sgidroot => i\n");
389401
if (setresgid(1, 1, 1) != 0)
390402
err(1, "setresgid");
391403
exec_other_validate_cap("./validate_cap_sgidroot",
@@ -394,13 +406,16 @@ static int do_tests(int uid, const char *our_path)
394406
}
395407

396408
done:
409+
ksft_print_cnts();
397410
return nerrs ? 1 : 0;
398411
}
399412

400413
int main(int argc, char **argv)
401414
{
402415
char *tmp1, *tmp2, *our_path;
403416

417+
ksft_print_header();
418+
404419
/* Find our path */
405420
tmp1 = strdup(argv[0]);
406421
if (!tmp1)
@@ -411,13 +426,17 @@ int main(int argc, char **argv)
411426
err(1, "strdup");
412427
free(tmp1);
413428

429+
mpid = getpid();
430+
414431
if (fork_wait()) {
415-
printf("[RUN]\t+++ Tests with uid == 0 +++\n");
432+
ksft_print_msg("[RUN]\t+++ Tests with uid == 0 +++\n");
416433
return do_tests(0, our_path);
417434
}
418435

436+
ksft_print_msg("==================================================\n");
437+
419438
if (fork_wait()) {
420-
printf("[RUN]\t+++ Tests with uid != 0 +++\n");
439+
ksft_print_msg("[RUN]\t+++ Tests with uid != 0 +++\n");
421440
return do_tests(1, our_path);
422441
}
423442

tools/testing/selftests/capabilities/validate_cap.c

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@
77
#include <sys/prctl.h>
88
#include <sys/auxv.h>
99

10+
#include "../kselftest.h"
11+
1012
#ifndef PR_CAP_AMBIENT
1113
#define PR_CAP_AMBIENT 47
1214
# define PR_CAP_AMBIENT_IS_SET 1
@@ -51,23 +53,26 @@ int main(int argc, char **argv)
5153
capng_get_caps_process();
5254

5355
if (capng_have_capability(CAPNG_EFFECTIVE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 1)) {
54-
printf("[FAIL]\tWrong effective state%s\n", atsec);
56+
ksft_print_msg("Wrong effective state%s\n", atsec);
5557
return 1;
5658
}
59+
5760
if (capng_have_capability(CAPNG_PERMITTED, CAP_NET_BIND_SERVICE) != bool_arg(argv, 2)) {
58-
printf("[FAIL]\tWrong permitted state%s\n", atsec);
61+
ksft_print_msg("Wrong permitted state%s\n", atsec);
5962
return 1;
6063
}
64+
6165
if (capng_have_capability(CAPNG_INHERITABLE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 3)) {
62-
printf("[FAIL]\tWrong inheritable state%s\n", atsec);
66+
ksft_print_msg("Wrong inheritable state%s\n", atsec);
6367
return 1;
6468
}
6569

6670
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_BIND_SERVICE, 0, 0, 0) != bool_arg(argv, 4)) {
67-
printf("[FAIL]\tWrong ambient state%s\n", atsec);
71+
ksft_print_msg("Wrong ambient state%s\n", atsec);
6872
return 1;
6973
}
7074

71-
printf("[OK]\tCapabilities after execve were correct\n");
75+
ksft_print_msg("%s: Capabilities after execve were correct\n",
76+
"validate_cap:");
7277
return 0;
7378
}

0 commit comments

Comments
 (0)