Re: [PATCH v4 1/2] capabilities: Ambient capabilities

Fri, 17 Jul 2015 13:42:07 -0700 

Here is a test program that can be used to verify the functionality.


------ ambient_test.c -----------------------


/*
 * Test program for the ambient capabilities. This program spawns a shell
 * that allows running processes with a defined set of capabilities.
 *
 * (C) 2015 Christoph Lameter <[email protected]>
 * Released under: GPL v3 or later.
 *
 *
 * Compile using:
 *
 *      gcc -o ambient_test ambient_test.o -lcap-ng
 *
 * This program must have the following capabilities to run properly:
 * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE
 *
 * A command to equip the binary with the right caps is:
 *
 *      setcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test
 *
 *
 * To get a shell with additional caps that can be inherited by other processes:
 *
 *      ./ambient_test /bin/bash
 *
 *
 * Verifying that it works:
 *
 * From the bash spawed by ambient_test run
 *
 *      cat /proc/$$/status
 *
 * and have a look at the capabilities.
 */

#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <cap-ng.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/*
 * Definitions from the kernel header files. These are going to be removed
 * when the /usr/include files have these defined.
 */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#define PR_CAP_AMBIENT_LOWER 3
#define PR_CAP_AMBIENT_CLEAR_ALL 4

static void set_ambient_cap(int cap)
{
        int rc;

        capng_get_caps_process();
        rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
        if (rc) {
                printf("Cannot add inheritable cap\n");
                exit(2);
        }
        capng_apply(CAPNG_SELECT_CAPS);

        /* Note the two 0s at the end. Kernel checks for these */
        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
                perror("Cannot set cap");
                exit(1);
        }
}

int main(int argc, char **argv)
{
        int rc;

        set_ambient_cap(CAP_NET_RAW);
        set_ambient_cap(CAP_NET_ADMIN);
        set_ambient_cap(CAP_SYS_NICE);

        printf("Ambient_test forking shell\n");
        if (execv(argv[1], argv + 1))
                perror("Cannot exec");

        return 0;
}


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to