From patchwork Mon May 13 07:26:32 2019
X-Patchwork-Submitter: Yang Xu
X-Patchwork-Id: 1098696
X-Patchwork-Delegate: petr.vorel@gmail.com
From: Yang Xu
Date: Mon, 13 May 2019 15:26:32 +0800
Message-ID: <1557732392-7049-1-git-send-email-xuyang2018.jy@cn.fujitsu.com>
Subject: [LTP] [PATCH] ltp-cap.m4: add libcap version detection && fix compiler error

The current ltp-cap.m4 defines cap_libs when libcap has the cap_compare
function. This function was introduced by libcap-2. It is only used in
two places, and the other places work fine with libcap-1. So add libcap
version detection.

If you use any of the following functions or macros, you must use
libcap-2 (HAVE_LIBCAP_V2):
cap_compare
cap_get_file
cap_set_file
cap_get_fd
cap_set_fd
CAP_LAST_CAP

This patch also fixes a possible compiler error on old distros without the
PR_CAPBSET_READ/PR_CAPBSET_DROP flags, in the following cases:
cap_bound/exec_with_inh.c
cap_bound/exec_without_inh.c
filecaps/verify_caps_exec.c

Signed-off-by: Yang Xu --- m4/ltp-cap.m4 | 35 +++++++------------ testcases/kernel/containers/userns/userns01.c | 4 +-- testcases/kernel/containers/userns/userns06.c | 2 +- .../containers/userns/userns06_capcheck.c | 4 +-- .../kernel/security/cap_bound/cap_bounds_r.c | 2 +- .../kernel/security/cap_bound/cap_bounds_rw.c | 4 +-- .../security/cap_bound/cap_bset_inh_bounds.c | 4 +-- .../kernel/security/cap_bound/check_pe.c | 2 +- .../kernel/security/cap_bound/exec_with_inh.c | 9 +++-- .../security/cap_bound/exec_without_inh.c | 6 +++- .../security/filecaps/check_simple_capset.c | 2 +- .../kernel/security/filecaps/inh_capped.c | 4 +-- .../kernel/security/filecaps/print_caps.c | 2 +- .../security/filecaps/verify_caps_exec.c | 9 +++-- .../security/securebits/check_keepcaps.c | 2 +- .../kernel/syscalls/pivot_root/pivot_root01.c | 6 ++-- 16 files changed, 50 insertions(+), 47 deletions(-) diff --git a/m4/ltp-cap.m4 b/m4/ltp-cap.m4 index 834ab36f7..51e85e234 100644 --- a/m4/ltp-cap.m4 +++ b/m4/ltp-cap.m4 
@@ -1,37 +1,26 @@ -dnl +dnl SPDX-License-Identifier: GPL-2.0-or-later dnl Copyright (c) Cisco Systems Inc., 2009 dnl Copyright (c) Linux Test Project, 2010 -dnl -dnl This program is free software; you can redistribute it and/or modify -dnl it under the terms of the GNU General Public License as published by -dnl the Free Software Foundation; either version 2 of the License, or -dnl (at your option) any later version. -dnl -dnl This program is distributed in the hope that it will be useful, -dnl but WITHOUT ANY WARRANTY; without even the implied warranty of -dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See -dnl the GNU General Public License for more details. -dnl -dnl You should have received a copy of the GNU General Public License -dnl along with this program; if not, write to the Free Software -dnl Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +dnl Copyright (c) Fujitsu, 2019 dnl dnl Author: Ngie Cooper -dnl +dnl Author: Yang Xu -dnl -dnl LTP_CHECK_CAPABILITY_SUPPORT -dnl ---------------------------- -dnl AC_DEFUN([LTP_CHECK_CAPABILITY_SUPPORT],[ -AH_TEMPLATE(HAVE_LIBCAP, +AH_TEMPLATE(HAVE_LIBCAP_V1, +[Define to 1 if you have libcap-1 installed.]) +AH_TEMPLATE(HAVE_LIBCAP_V2, [Define to 1 if you have libcap-2 installed.]) AC_CHECK_HEADERS([sys/capability.h],[capability_header_prefix="sys"]) if test "x$capability_header_prefix" != x; then - AC_CHECK_LIB(cap,cap_compare,[cap_libs="-lcap"]) + AC_CHECK_LIB(cap,cap_set_flag,[cap_libs="-lcap"]) + AC_CHECK_LIB(cap,cap_compare,[cap_version="2"]) fi if test "x$cap_libs" != x; then - AC_DEFINE(HAVE_LIBCAP) + AC_DEFINE(HAVE_LIBCAP_V1) +fi +if test "x$cap_version" != x; then + AC_DEFINE(HAVE_LIBCAP_V2) fi AC_SUBST(CAP_LIBS,$cap_libs) ]) diff --git a/testcases/kernel/containers/userns/userns01.c b/testcases/kernel/containers/userns/userns01.c index 1c8cf570d..cb1c9c4a4 100644 --- a/testcases/kernel/containers/userns/userns01.c +++ b/testcases/kernel/containers/userns/userns01.c 
@@ -51,7 +51,7 @@ static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED) { int exit_val = 0; int uid, gid; -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 cap_t caps; int i, last_cap; cap_flag_value_t flag_val; @@ -67,7 +67,7 @@ static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED) exit_val = 1; } -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 caps = cap_get_proc(); SAFE_FILE_SCANF(NULL, "/proc/sys/kernel/cap_last_cap", "%d", &last_cap); for (i = 0; i <= last_cap; i++) { diff --git a/testcases/kernel/containers/userns/userns06.c b/testcases/kernel/containers/userns/userns06.c index 23f6da4d0..7aa10409a 100644 --- a/testcases/kernel/containers/userns/userns06.c +++ b/testcases/kernel/containers/userns/userns06.c @@ -111,7 +111,7 @@ int main(int argc, char *argv[]) int fd; tst_parse_opts(argc, argv, NULL, NULL); -#ifndef HAVE_LIBCAP +#ifndef HAVE_LIBCAP_V1 tst_brkm(TCONF, NULL, "System is missing libcap."); #endif setup(); diff --git a/testcases/kernel/containers/userns/userns06_capcheck.c b/testcases/kernel/containers/userns/userns06_capcheck.c index 31f7e0a25..434cebeb7 100644 --- a/testcases/kernel/containers/userns/userns06_capcheck.c +++ b/testcases/kernel/containers/userns/userns06_capcheck.c @@ -39,7 +39,7 @@ int TST_TOTAL = 1; int main(int argc, char *argv[]) { -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 cap_t caps; int i, last_cap; cap_flag_value_t flag_val; @@ -47,7 +47,7 @@ int main(int argc, char *argv[]) #endif tst_parse_opts(argc, argv, NULL, NULL); -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 if (strcmp("privileged", argv[1])) expected_flag = 0; diff --git a/testcases/kernel/security/cap_bound/cap_bounds_r.c b/testcases/kernel/security/cap_bound/cap_bounds_r.c index d7c2bf0ae..1bf3ac1f8 100644 --- a/testcases/kernel/security/cap_bound/cap_bounds_r.c +++ b/testcases/kernel/security/cap_bound/cap_bounds_r.c @@ -41,7 +41,7 @@ int TST_TOTAL = 1; int main(void) { -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V2 int ret = 1; int i; int cap_last_cap = CAP_LAST_CAP; 
diff --git a/testcases/kernel/security/cap_bound/cap_bounds_rw.c b/testcases/kernel/security/cap_bound/cap_bounds_rw.c index f715c703d..39293b9fb 100644 --- a/testcases/kernel/security/cap_bound/cap_bounds_rw.c +++ b/testcases/kernel/security/cap_bound/cap_bounds_rw.c @@ -63,7 +63,7 @@ int check_remaining_caps(int lastdropped) return i; } } -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V2 for (; i <= cap_last_cap; i++) { #if HAVE_DECL_PR_CAPBSET_READ ret = prctl(PR_CAPBSET_READ, i); @@ -92,7 +92,7 @@ int main(void) int ret = 1; int i; -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V2 cap_last_cap = CAP_LAST_CAP; if (access(PROC_CAP_LAST, R_OK) == 0) { SAFE_FILE_SCANF(NULL, PROC_CAP_LAST, "%d", &cap_last_cap); diff --git a/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c b/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c index feb7fbd3f..cf12c0364 100644 --- a/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c +++ b/testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c @@ -42,7 +42,7 @@ int main(int argc, char *argv[]) { #if HAVE_SYS_CAPABILITY_H #if HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 int ret = 1; cap_value_t v[1]; cap_flag_value_t f; @@ -122,7 +122,7 @@ int main(int argc, char *argv[]) tst_resm(TPASS, "Couldn't put CAP_SYS_ADMIN back into pI when not in bounding set\n"); -#else /* HAVE_LIBCAP */ +#else /* HAVE_LIBCAP_V1*/ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif #else /* HAVE_DECL_PR_CAPBSET_READ && HAVE_DECL_PR_CAPBSET_DROP */ diff --git a/testcases/kernel/security/cap_bound/check_pe.c b/testcases/kernel/security/cap_bound/check_pe.c index c4453ecf8..b8c0a5aa1 100644 --- a/testcases/kernel/security/cap_bound/check_pe.c +++ b/testcases/kernel/security/cap_bound/check_pe.c @@ -42,7 +42,7 @@ int TST_TOTAL = 1; int main(int argc, char *argv[]) { #ifdef HAVE_SYS_CAPABILITY_H -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 int ret = 1; cap_flag_value_t f; cap_t cur; 
diff --git a/testcases/kernel/security/cap_bound/exec_with_inh.c b/testcases/kernel/security/cap_bound/exec_with_inh.c index dd9ddb574..00eea7d88 100644 --- a/testcases/kernel/security/cap_bound/exec_with_inh.c +++ b/testcases/kernel/security/cap_bound/exec_with_inh.c @@ -41,7 +41,8 @@ int TST_TOTAL = 1; int main(int argc, char *argv[]) { #if HAVE_SYS_CAPABILITY_H -#ifdef HAVE_LIBCAP +#if HAVE_DECL_PR_CAPBSET_DROP +#ifdef HAVE_LIBCAP_V1 int ret = 1; cap_flag_value_t f; cap_t cur = 0; @@ -81,9 +82,13 @@ int main(int argc, char *argv[]) /* execute "check_pe 1" */ execl("check_pe", "check_pe", "1", NULL); tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno); -#else /* HAVE_LIBCAP */ +#else /* HAVE_LIBCAP_V1 */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* HAVE_DECL_PR_CAPBSET_DROP */ + tst_resm(TCONF, "System doesn't have CAPBSET prctls"); +#endif + #else /* HAVE_SYS_CAPABILITY_H */ tst_resm(TCONF, "System doesn't have sys/capability.h."); #endif diff --git a/testcases/kernel/security/cap_bound/exec_without_inh.c b/testcases/kernel/security/cap_bound/exec_without_inh.c index 29b31238a..05b2eb27f 100644 --- a/testcases/kernel/security/cap_bound/exec_without_inh.c +++ b/testcases/kernel/security/cap_bound/exec_without_inh.c @@ -41,7 +41,8 @@ int TST_TOTAL = 1; int main(int argc, char *argv[]) { #if HAVE_SYS_CAPABILITY_H -#ifdef HAVE_LIBCAP +#if HAVE_DECL_PR_CAPBSET_DROP +#ifdef HAVE_LIBCAP_V1 int ret = 1; cap_flag_value_t f; cap_value_t v[1]; @@ -81,6 +82,9 @@ int main(int argc, char *argv[]) #else /* libcap */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif +#else /* HAVE_DECL_PR_CAPBSET_DROP */ + tst_resm(TCONF, "System doesn't have CAPBSET prctls"); +#endif #else /* capability_h */ tst_resm(TCONF, "System doesn't have sys/capability.h."); #endif diff --git a/testcases/kernel/security/filecaps/check_simple_capset.c b/testcases/kernel/security/filecaps/check_simple_capset.c index 81a75babd..3e78ddc65 100644 
--- a/testcases/kernel/security/filecaps/check_simple_capset.c +++ b/testcases/kernel/security/filecaps/check_simple_capset.c @@ -27,7 +27,7 @@ int main(void) { -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V2 cap_t caps, caps2; int ret; diff --git a/testcases/kernel/security/filecaps/inh_capped.c b/testcases/kernel/security/filecaps/inh_capped.c index 4bbe184aa..3ee59c5bd 100644 --- a/testcases/kernel/security/filecaps/inh_capped.c +++ b/testcases/kernel/security/filecaps/inh_capped.c @@ -35,7 +35,7 @@ char *TCID = "filecaps"; int TST_TOTAL = 1; -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 void debug_print_caps(char *when) { char buf[2000]; @@ -61,7 +61,7 @@ int set_caps_from_text(char *capstr) int main(void) { -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 int ret; debug_print_caps("start"); diff --git a/testcases/kernel/security/filecaps/print_caps.c b/testcases/kernel/security/filecaps/print_caps.c index 26fe55c53..a8dccdbc2 100644 --- a/testcases/kernel/security/filecaps/print_caps.c +++ b/testcases/kernel/security/filecaps/print_caps.c @@ -41,7 +41,7 @@ int main(int argc, char *argv[]) { -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 cap_t cap = cap_get_proc(); int fd; int seqno = 0; diff --git a/testcases/kernel/security/filecaps/verify_caps_exec.c b/testcases/kernel/security/filecaps/verify_caps_exec.c index 090ac5c90..187257cf9 100644 --- a/testcases/kernel/security/filecaps/verify_caps_exec.c +++ b/testcases/kernel/security/filecaps/verify_caps_exec.c @@ -62,7 +62,7 @@ static void usage(const char *me) #define DROP_PERMS 0 #define KEEP_PERMS 1 -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V2 static void print_my_caps(void) { cap_t cap = cap_get_proc(); 
@@ -226,11 +226,16 @@ static int caps_actually_set_test(void) int num_caps; for (num_caps = 0;; num_caps++) { +#if HAVE_DECL_PR_CAPBSET_READ ret = prctl(PR_CAPBSET_READ, num_caps); /* * Break from the loop in this manner to avoid incrementing, * then having to decrement value. */ +#else + tst_resm(TCONF, "System doesn't have CAPBSET prctls"); + ret = -1; +#endif if (ret == -1) break; } @@ -393,7 +398,7 @@ static int caps_actually_set_test(void) int main(int argc, char *argv[]) { -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V2 if (argc < 2) usage(argv[0]); diff --git a/testcases/kernel/security/securebits/check_keepcaps.c b/testcases/kernel/security/securebits/check_keepcaps.c index b49d07078..064e831ed 100644 --- a/testcases/kernel/security/securebits/check_keepcaps.c +++ b/testcases/kernel/security/securebits/check_keepcaps.c @@ -28,7 +28,7 @@ char *TCID = "keepcaps"; int TST_TOTAL = 1; -#if (HAVE_LINUX_SECUREBITS_H && HAVE_LIBCAP) +#if (HAVE_LINUX_SECUREBITS_H && HAVE_LIBCAP_V1) #include static int eff_caps_empty(cap_t c) diff --git a/testcases/kernel/syscalls/pivot_root/pivot_root01.c b/testcases/kernel/syscalls/pivot_root/pivot_root01.c index 2e8a7ff24..7002c070a 100644 --- a/testcases/kernel/syscalls/pivot_root/pivot_root01.c +++ b/testcases/kernel/syscalls/pivot_root/pivot_root01.c @@ -18,7 +18,7 @@ #ifdef HAVE_UNSHARE -#ifdef HAVE_LIBCAP +#ifdef HAVE_SYS_CAPABILITY_H #include #endif @@ -74,7 +74,7 @@ static const struct test_case { {NO_CAP_SYS_ADMIN, EPERM}, }; -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 static void drop_cap_sys_admin(void) { cap_value_t cap_value[] = { CAP_SYS_ADMIN }; @@ -140,7 +140,7 @@ static void run(unsigned int test_case) } if (test_cases[test_case].test_case == NO_CAP_SYS_ADMIN) { -#ifdef HAVE_LIBCAP +#ifdef HAVE_LIBCAP_V1 drop_cap_sys_admin(); #else tst_res(TCONF,
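Review bot: in m4/ltp-cap.m4 the new HAVE_LIBCAP_V1 template is described as "Define to 1 if you have libcap-1 installed", but it is defined whenever cap_set_flag links, which is also true on a libcap-2 system, so the macro really means "any libcap" and HAVE_LIBCAP_V2 always implies it. Please reword the AH_TEMPLATE text to say that (or pick a name that reads as a minimum version) so nobody later writes an #ifdef that treats V1 and V2 as exclusive. Because AC_DEFINE(HAVE_LIBCAP) is dropped, any "#ifdef HAVE_LIBCAP" left outside the 16 files in the diffstat would silently fall into its TCONF branch and the capability tests behind it would stop running; a grep for remaining users belongs in this change.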
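Review bot: in cap_bound/cap_bounds_r.c and cap_bound/cap_bounds_rw.c the guard is switched to HAVE_LIBCAP_V2 only because of CAP_LAST_CAP, yet CAP_LAST_CAP is a header macro while HAVE_LIBCAP_V2 is set by a link test for cap_compare, so the configure check does not test what this code needs. In cap_bounds_rw.c the guarded loop in check_remaining_caps() only calls prctl(PR_CAPBSET_READ, i) and compares against cap_last_cap, with no libcap-2 function in sight. A declaration check for CAP_LAST_CAP against sys/capability.h (AC_CHECK_DECLS) would be the direct test and would avoid turning the bounding-set tests into TCONF on hosts where only cap_compare is missing.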
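Review bot: in cap_bound/exec_without_inh.c the old "#else /* libcap */" and "#else /* capability_h */" comments are kept next to the new "#else /* HAVE_DECL_PR_CAPBSET_DROP */", while exec_with_inh.c relabels its branch as "/* HAVE_LIBCAP_V1 */"; with three nested conditionals the labels should name the actual macro in both files, and the matching #endif lines should carry them too. Two smaller style points in the same area: cap_bset_inh_bounds.c gets "/* HAVE_LIBCAP_V1*/" without the space before the closing "*/", and exec_with_inh.c gains a blank line after the new #endif that exec_without_inh.c does not.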
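Review bot: in filecaps/verify_caps_exec.c, hunk "@@ -226,11 +226,16 @@" of caps_actually_set_test(), the #else branch reports TCONF and sets ret = -1 inside the for loop, so the loop breaks at once with num_caps == 0 and the function carries on with an empty capability range instead of stopping. If PR_CAPBSET_READ is not declared, return right after the tst_resm(TCONF, ...) call (or guard the whole function) so the test cannot go on to report a result for zero capabilities. The existing comment "Break from the loop in this manner ..." now sits inside the #if branch, separated by the #else block from the "if (ret == -1) break;" it explains; move it down next to that line.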