Bug 250178

Summary: Failing test case: sys.capsicum.functional.Capability__NoBypassDAC
Product: Base System Reporter: Li-Wen Hsu <lwhsu>
Component: testsAssignee: freebsd-testing (Nobody) <testing>
Status: Open ---    
Severity: Affects Only Me CC: emaste
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   

Description Li-Wen Hsu freebsd_committer 2020-10-07 09:47:53 UTC
This test case was skipped before because it was not running with root.

https://ci.freebsd.org/job/FreeBSD-head-amd64-test/16739/testReport/junit/sys.capsicum/functional/Capability__NoBypassDAC/

/usr/src/contrib/capsicum-test/procdesc.cc:538: Failure
Expected equality of these values:
  -1
  kill(pid, 9)
    Which is: 0
/usr/src/contrib/capsicum-test/procdesc.cc:539: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 2
/usr/src/contrib/capsicum-test/procdesc.cc:540: Failure
Value of: state == 'R' || state == 'S'
  Actual: false
Expected: true
 pid 22844 in state Z
/usr/src/contrib/capsicum-test/procdesc.cc:522: Failure
Expected equality of these values:
  0
  rc
    Which is: 1
Comment 1 Li-Wen Hsu freebsd_committer 2020-10-07 09:49:07 UTC
(In reply to Li-Wen Hsu from comment #0)
The stderr in comment #0 is wrong, this is the correct one:

/usr/src/contrib/capsicum-test/capability-fd.cc:1296: Failure
Expected equality of these values:
  -1
  rc
    Which is: 0
/usr/src/contrib/capsicum-test/capability-fd.cc:1297: Failure
Expected equality of these values:
  1
  (* __error())
    Which is: 2
/usr/src/contrib/capsicum-test/capability-fd.cc:1303: Failure
Expected equality of these values:
  0
  ((status) >> 8)
    Which is: 1
/usr/src/contrib/capsicum-test/capability-fd.cc:1306: Failure
Expected equality of these values:
  (mode_t)(0100000|0644)
    Which is: 33188
  info.st_mode
    Which is: 33206
Comment 2 commit-hook freebsd_committer 2020-10-07 09:54:00 UTC
A commit references this bug:

Author: lwhsu
Date: Wed Oct  7 09:53:25 UTC 2020
New revision: 366512
URL: https://svnweb.freebsd.org/changeset/base/366512

Log:
  Temporarily skip failing test cases in CI:

  sys.capsicum.functional.Capability__NoBypassDAC
  sys.capsicum.functional.Pdfork__OtherUserForked

  PR:		250178, 250179
  Sponsored by:	The FreeBSD Foundation

Changes:
  head/tests/sys/capsicum/functional.sh
Comment 3 Ed Maste freebsd_committer 2020-10-13 23:12:06 UTC
  1281  TEST(Capability, NoBypassDAC) {
  1282    REQUIRE_ROOT();
  1283    int fd = open(TmpFile("cap_root_owned"), O_RDONLY|O_CREAT, 0644);
  1284    EXPECT_OK(fd);
  1285    cap_rights_t rights;
  1286    cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FCHMOD, CAP_FSTAT);
  1287    EXPECT_OK(cap_rights_limit(fd, &rights));
  1288
  1289    pid_t child = fork();
  1290    if (child == 0) {
  1291      // Child: change uid to a lesser being
  1292      setuid(other_uid);
  1293      // Attempt to fchmod the file, and fail.
  1294      // Having CAP_FCHMOD doesn't bypass the need to comply with DAC policy.
  1295      int rc = fchmod(fd, 0666);
  1296      EXPECT_EQ(-1, rc);
  1297      EXPECT_EQ(EPERM, errno);
  1298      exit(HasFailure());
  1299    }
  1300    int status;
  1301    EXPECT_EQ(child, waitpid(child, &status, 0));
  1302    EXPECT_TRUE(WIFEXITED(status)) << "0x" << std::hex << status;
  1303    EXPECT_EQ(0, WEXITSTATUS(status));
  1304    struct stat info;
  1305    EXPECT_OK(fstat(fd, &info));
  1306    EXPECT_EQ((mode_t)(S_IFREG|0644), info.st_mode);
  1307    close(fd);
  1308    unlink(TmpFile("cap_root_owned"));
  1309  }