def test_filecaps_to_from_text() -> None:
for filecaps in [
pyprctl.FileCaps(permitted=set(),
inheritable=set(),
effective=False,
rootid=None),
pyprctl.FileCaps(permitted=set(pyprctl.Cap),
inheritable=set(),
effective=False,
rootid=None),
pyprctl.FileCaps(
permitted=set(pyprctl.Cap),
inheritable={pyprctl.Cap.CHOWN, pyprctl.Cap.SYS_CHROOT},
effective=False,
rootid=None,
),
pyprctl.FileCaps(
permitted=set(pyprctl.Cap),
inheritable=set(pyprctl.Cap) -
{pyprctl.Cap.CHOWN, pyprctl.Cap.SYS_CHROOT},
effective=True,
rootid=None,
),
]:
print(repr(filecaps))
print(repr(pyprctl.FileCaps.from_text(str(filecaps))))
print(str(filecaps))
print(pyprctl.FileCaps.from_text(str(filecaps)))
assert pyprctl.FileCaps.from_text(str(filecaps)) == filecaps
def test_filecaps_from_text() -> None:
empty_state = pyprctl.FileCaps(effective=False,
permitted=set(),
inheritable=set(),
rootid=None)
assert pyprctl.FileCaps.from_text("") == empty_state
assert pyprctl.FileCaps.from_text("=") == empty_state
assert pyprctl.FileCaps.from_text("all=eip") == pyprctl.FileCaps(
effective=True,
permitted=ALL_CAPS_SET,
inheritable=ALL_CAPS_SET,
rootid=None)
assert pyprctl.FileCaps.from_text("all=ip") == pyprctl.FileCaps(
effective=False,
permitted=ALL_CAPS_SET,
inheritable=ALL_CAPS_SET,
rootid=None)
with pytest.raises(
ValueError,
match="non-empty effective set that is not equal to permitted set"
):
pyprctl.FileCaps.from_text("all=eip cap_chown-p")
with pytest.raises(
ValueError,
match="non-empty effective set that is not equal to permitted set"
):
pyprctl.FileCaps.from_text("all=eip cap_chown-e")
with pytest.raises(
ValueError,
match="non-empty effective set that is not equal to permitted set"
):
pyprctl.FileCaps.from_text("cap_chown+p cap_sys_chroot+e")
with pytest.raises(
ValueError,
match="non-empty effective set that is not equal to permitted set"
):
pyprctl.FileCaps.from_text("cap_chown+ep cap_sys_chroot+p")
with pytest.raises(
ValueError,
match="non-empty effective set that is not equal to permitted set"
):
pyprctl.FileCaps.from_text("cap_chown+ep cap_sys_chroot+e")
def test_filecaps_into_data() -> None:
assert (
pyprctl.FileCaps(
effective=True,
permitted={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
inheritable={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
rootid=None,
)._into_data()
== b"\x01\x00\x00\x02\x020\x00\x00\x020\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)
assert (
pyprctl.FileCaps(
effective=True,
permitted={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
inheritable={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
rootid=1000,
)._into_data()
== b"\x01\x00\x00\x03\x020\x00\x00\x020\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\xe8\x03\x00\x00"
)
def test_filecaps_to_text() -> None:
assert (str(
pyprctl.FileCaps(effective=False,
permitted=set(),
inheritable=set(),
rootid=None)) == "=")
assert (str(
pyprctl.FileCaps(effective=False,
permitted=ALL_CAPS_SET,
inheritable=set(),
rootid=None)) == "=p")
assert (str(
pyprctl.FileCaps(effective=False,
permitted=ALL_CAPS_SET,
inheritable=ALL_CAPS_SET,
rootid=0)) == "=ip")
assert (str(
pyprctl.FileCaps(effective=True,
permitted=ALL_CAPS_SET,
inheritable=ALL_CAPS_SET,
rootid=None)) == "=eip")
assert (str(
pyprctl.FileCaps(effective=True,
permitted=ALL_CAPS_SET,
inheritable=set(),
rootid=None)) == "=ep")
assert (str(
pyprctl.FileCaps(effective=True,
permitted=set(),
inheritable=ALL_CAPS_SET,
rootid=None)) == "=i")
def test_filecaps_from_data() -> None:
with pytest.raises(ValueError, match="too short"):
pyprctl.FileCaps._from_data(b"")
with pytest.raises(ValueError, match="too short"):
pyprctl.FileCaps._from_data(b"\x00\x00\x00")
with pytest.raises(ValueError, match="Invalid capability version"):
pyprctl.FileCaps._from_data(b"\x00\x00\x00\x00")
# Version 1
assert pyprctl.FileCaps._from_data(
b"\x00\x00\x00\x01\x01\x00\x00\x00\x01\x00\x00\x00"
) == pyprctl.FileCaps(
effective=False,
permitted={pyprctl.Cap.CHOWN},
inheritable={pyprctl.Cap.CHOWN},
rootid=None,
)
# Version 2 (real example, from Wireshark's /usr/bin/dumpcap)
assert pyprctl.FileCaps._from_data(
b"\x01\x00\x00\x02\x020\x00\x00\x020\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
) == pyprctl.FileCaps(
effective=True,
permitted={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
inheritable={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
rootid=None,
)
# Version 3
assert pyprctl.FileCaps._from_data(
b"\x01\x00\x00\x03\x020\x00\x00\x020\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\xe8\x03\x00\x00"
) == pyprctl.FileCaps(
effective=True,
permitted={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
inheritable={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
rootid=1000,
)
def test_filecaps_copy() -> None:
for fcaps in [
pyprctl.FileCaps(
effective=False,
permitted={pyprctl.Cap.CHOWN},
inheritable={pyprctl.Cap.SYS_CHROOT},
rootid=None,
),
pyprctl.FileCaps(
effective=True,
permitted={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
inheritable={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
rootid=None,
),
pyprctl.FileCaps(
effective=True,
permitted={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
inheritable={pyprctl.Cap.DAC_OVERRIDE, pyprctl.Cap.NET_ADMIN, pyprctl.Cap.NET_RAW},
rootid=1000,
),
]:
assert fcaps.copy() == fcaps
def test_filecaps_error() -> None:
with pytest.raises(FileNotFoundError):
pyprctl.FileCaps.get_for_file("/NOEXIST")
with pytest.raises(OSError, match="No data"):
pyprctl.FileCaps.get_for_file(os.path.realpath("/bin/sh"))
with pytest.raises(FileNotFoundError):
pyprctl.FileCaps(effective=False, permitted=set(), inheritable=set()).set_for_file(
"/NOEXIST"
)
with pytest.raises(FileNotFoundError):
pyprctl.FileCaps.remove_for_file("/NOEXIST")
def test_filecaps_get_ping() -> None:
ping_exe = shutil.which("ping")
if ping_exe is None:
pytest.skip("'ping' is not installed")
ping_exe = os.path.realpath(ping_exe)
try:
fcaps = pyprctl.FileCaps.get_for_file(ping_exe)
except OSError as ex:
if ex.errno == errno.ENODATA:
pytest.skip("{} does not have file capabilities attached".format(ping_exe))
else:
raise
assert fcaps == pyprctl.FileCaps(
effective=True, permitted={pyprctl.Cap.NET_RAW}, inheritable=set()
)
def test_filecaps_get_newuidmap() -> None:
newuidmap_exe = shutil.which("newuidmap")
if newuidmap_exe is None:
pytest.skip("'newuidmap' is not installed")
newuidmap_exe = os.path.realpath(newuidmap_exe)
if os.stat(newuidmap_exe).st_mode & stat.S_ISUID:
pytest.skip("{} is a set-UID executable".format(newuidmap_exe))
fcaps = pyprctl.FileCaps.get_for_file(newuidmap_exe)
with open(newuidmap_exe) as file:
assert pyprctl.FileCaps.get_for_file(file.fileno()) == fcaps
assert fcaps == pyprctl.FileCaps(
effective=True, permitted={pyprctl.Cap.SETUID}, inheritable=set()
)