1
// SPDX-License-Identifier: GPL-2.0
2
#include <cap-ng.h>
3
#include <linux/capability.h>
4
#include <stdbool.h>
5
#include <string.h>
6
#include <stdio.h>
7
#include <sys/prctl.h>
8
#include <sys/auxv.h>
9

10
#include "../kselftest.h"
11

12
#if __GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 19)
13
# define HAVE_GETAUXVAL
14
#endif
15

16
static bool bool_arg(char **argv, int i)
17
{
18
	if (!strcmp(argv[i], "0"))
19
		return false;
20
	else if (!strcmp(argv[i], "1"))
21
		return true;
22
	else {
23
		ksft_exit_fail_msg("wrong argv[%d]\n", i);
24
		return false;
25
	}
26
}
27

28
int main(int argc, char **argv)
29
{
30
	const char *atsec = "";
31
	int ret;
32

33
	/*
34
	 * Be careful just in case a setgid or setcapped copy of this
35
	 * helper gets out.
36
	 */
37

38
	if (argc != 5)
39
		ksft_exit_fail_msg("wrong argc\n");
40

41
#ifdef HAVE_GETAUXVAL
42
	if (getauxval(AT_SECURE))
43
		atsec = " (AT_SECURE is set)";
44
	else
45
		atsec = " (AT_SECURE is not set)";
46
#endif
47

48
	ret = capng_get_caps_process();
49
	if (ret == -1) {
50
		ksft_print_msg("capng_get_caps_process failed\n");
51
		return 1;
52
	}
53

54
	if (capng_have_capability(CAPNG_EFFECTIVE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 1)) {
55
		ksft_print_msg("Wrong effective state%s\n", atsec);
56
		return 1;
57
	}
58

59
	if (capng_have_capability(CAPNG_PERMITTED, CAP_NET_BIND_SERVICE) != bool_arg(argv, 2)) {
60
		ksft_print_msg("Wrong permitted state%s\n", atsec);
61
		return 1;
62
	}
63

64
	if (capng_have_capability(CAPNG_INHERITABLE, CAP_NET_BIND_SERVICE) != bool_arg(argv, 3)) {
65
		ksft_print_msg("Wrong inheritable state%s\n", atsec);
66
		return 1;
67
	}
68

69
	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_BIND_SERVICE, 0, 0, 0) != bool_arg(argv, 4)) {
70
		ksft_print_msg("Wrong ambient state%s\n", atsec);
71
		return 1;
72
	}
73

74
	ksft_print_msg("%s: Capabilities after execve were correct\n",
75
			"validate_cap:");
76
	return 0;
77
}
78

79