freebsd-src/contrib/capsicum-test/README.md

Integrate capsicum-test into the FreeBSD test suite

This change takes capsicum-test from upstream and applies some local changes to make the tests work on FreeBSD when executed via Kyua.

The local modifications are as follows:

1. Make `OpenatTest.WithFlag` pass with the new dot-dot lookup behavior in FreeBSD 12.x+.
2. capsicum-test references a set of helper binaries: `mini-me`, `mini-me.noexec`, and `mini-me.setuid`, as part of the execve/fexecve tests, via execve, fexecve, and open. It achieves this upstream by assuming `mini-me*` is in the current directory, however, in order for Kyua to execute `capsicum-test`, it needs to provide a full path to `mini-me*`. In order to achieve this, I made `capsicum-test` cache the executable's path from argv[0] in main(..) and use the cached value to compute the path to `mini-me*` as part of the execve/fexecve testcases.
3. The capsicum-test test suite assumes that it's always being run on CAPABILITIES enabled kernels. However, there's a chance that the test will be run on a host without a CAPABILITIES enabled kernel, so we must check for the support before running the tests. The way to achieve this is to add the relevant `feature_present("security_capabilities")` check to SetupEnvironment::SetUp() and skip the tests when the support is not available.

While here, add a check for `kern.trap_enotcap` being enabled. As noted by markj@ in https://github.com/google/capsicum-test/issues/23, this sysctl being enabled can trigger non-deterministic failures. Therefore, the tests should be skipped if this sysctl is enabled.

All local changes have been submitted to the capsicum-test project (https://github.com/google/capsicum-test) and are in various stages of review. Please see the following pull requests for more details:

1. https://github.com/google/capsicum-test/pull/35
2. https://github.com/google/capsicum-test/pull/41
3. https://github.com/google/capsicum-test/pull/42

Reviewed by: asomers
Discussed with: emaste, markj
Approved by: emaste (mentor)
MFC after: 2 months
Differential Revision: https://reviews.freebsd.org/D19758

2019-04-01 21:24:50 +00:00

# Capsicum User Space Tests
This directory holds unit tests for [Capsicum](http://www.cl.cam.ac.uk/research/security/capsicum/)
object-capabilities. The tests exercise the syscall interface to a Capsicum-enabled operating system,
currently either [FreeBSD >=10.x](http://www.freebsd.org) or a modified Linux kernel (the
[capsicum-linux](http://github.com/google/capsicum-linux) project).
The tests are written in C++11 and use the [Google Test](https://code.google.com/p/googletest/)
framework, with some additions to fork off particular tests (because a process that enters capability
mode cannot leave it again).
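
A sketch of the fork-per-test pattern described above, as an added example that is not the suite's own code. `run_forked`, `enter_sandbox`, `in_sandbox` and the two test bodies are hypothetical names, and on non-FreeBSD systems a process-local flag stands in for `cap_enter()` so the example builds anywhere.

```cpp
#include <sys/wait.h>
#include <unistd.h>
#include <cerrno>
#include <cstdlib>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

// Non-FreeBSD stand-in (assumption): a one-way flag local to the process.
static bool g_sandboxed = false;
static bool enter_sandbox() {
#ifdef __FreeBSD__
  if (cap_enter() != 0) return false;  // irreversible for this process
#endif
  g_sandboxed = true;
  return true;
}

static bool in_sandbox() {
#ifdef __FreeBSD__
  unsigned int mode = 0;
  return cap_getmode(&mode) == 0 && mode != 0;
#else
  return g_sandboxed;
#endif
}

// Hypothetical helper: child's exit code, or -1 on fork failure or abnormal death.
static int run_forked(int (*body)()) {
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) _exit(body());  // child never returns into the runner
  int status = 0;
  while (waitpid(pid, &status, 0) < 0)
    if (errno != EINTR) return -1;
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Test bodies: exit code 0 means pass.
static int body_enters_sandbox() {
  if (in_sandbox()) return 2;  // a leaked sandbox from an earlier test
  return (enter_sandbox() && in_sandbox()) ? 0 : 3;
}
static int body_crashes() { std::abort(); }

int main() {  // two sandboxing tests in a row, then confirm the runner is clean
  bool ok = run_forked(body_enters_sandbox) == 0 && run_forked(body_enters_sandbox) == 0;
  return (ok && run_forked(body_crashes) == -1 && !in_sandbox()) ? 0 : 1;
}
```

Calling `body_enters_sandbox()` directly twice in one process returns 2 the second time, which is the leak into later tests that the fork prevents.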
## Provenance
The original basis for these tests was:
- [unit tests](https://github.com/freebsd/freebsd/tree/master/tools/regression/security/cap_test)
written by Robert Watson and Jonathan Anderson for the original FreeBSD 9.x Capsicum implementation
- [unit tests](http://git.chromium.org/gitweb/?p=chromiumos/third_party/kernel-capsicum.git;a=tree;f=tools/testing/capsicum_tests;hb=refs/heads/capsicum) written by Meredydd Luff for the original Capsicum-Linux port.
These tests were coalesced and moved into an independent repository to enable
comparative testing across multiple OSes, and then substantially extended.
## OS Configuration
### Linux
The following kernel configuration options are needed to run the tests:
- `CONFIG_SECURITY_CAPSICUM`: enable the Capsicum framework
- `CONFIG_PROCDESC`: enable Capsicum process-descriptor functionality
- `CONFIG_DEBUG_FS`: enable debug filesystem
- `CONFIG_IP_SCTP`: enable SCTP support
### FreeBSD (>= 10.x)
The following kernel configuration options are needed so that all tests can run:
- `options P1003_1B_MQUEUE`: Enable POSIX message queues (or `kldload mqueuefs`)
## Other Dependencies
### Linux
The following additional development packages are needed to build the full test suite on Linux.
- `libcaprights`: See below
- `libcap-dev`: Provides headers for POSIX.1e capabilities.
- `libsctp1`: Provides SCTP library functions.
- `libsctp-dev`: Provides headers for SCTP library functions.
## Linux libcaprights
The Capsicum userspace library is held in the `libcaprights/` subdirectory. Ideally, this
library should be built (with `./configure; make` or `dpkg-buildpackage -uc -us`) and
installed (with `make install` or `dpkg -i libcaprights*.deb`) so that the tests will
behave like a normal Capsicum-aware application.
However, if no installed copy of the library is found, the `GNUmakefile` will attempt
to use the local `libcaprights/*.c` source; this requires `./configure` to have been
performed in the `libcaprights` subdirectory. The local code is also used for
cross-compiled builds of the test suite (e.g. `make ARCH=32` or `make ARCH=x32`).