Run packet socket tests on Fuchsia

+ Do not check for CAP_NET_RAW on Fuchsia Fuchsia does not support capabilities the same way Linux does. Instead emulate the check for CAP_NET_RAW by checking if a packet socket may be created. Bug: https://fxbug.dev/79016, https://fxbug.dev/81592 PiperOrigin-RevId: 390263666
author: Ghanan Gowripalan <ghanan@google.com> 2021-08-11 18:18:36 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-08-11 18:21:40 -0700
commit: d51bc877f40d2acbf5b83895f636186c87463ab1 (patch)
tree: a3dcf26bcd3f05994df22cd359b2b4ac6503da55 /test
parent: a50596874a4971167f97a05181363e91292a2885 (diff)
11 files changed, 173 insertions, 162 deletions
diff --git a/test/syscalls/linux/BUILD b/test/syscalls/linux/BUILD
index 960421466..01ee432cb 100644
--- a/test/syscalls/linux/BUILD
+++ b/test/syscalls/linux/BUILD
@@ -7,6 +7,8 @@ package(
 
 exports_files(
     [
+        "packet_socket.cc",
+        "packet_socket_raw.cc",
         "raw_socket.cc",
         "raw_socket_hdrincl.cc",
         "raw_socket_icmp.cc",
@@ -1446,6 +1448,7 @@ cc_binary(
     deps = [
         ":unix_domain_socket_test_util",
         "//test/util:capability_util",
+        "//test/util:cleanup",
         "//test/util:file_descriptor",
         "//test/util:socket_util",
         "@com_google_absl//absl/base:core_headers",
@@ -1464,6 +1467,7 @@ cc_binary(
     deps = [
         ":unix_domain_socket_test_util",
         "//test/util:capability_util",
+        "//test/util:cleanup",
         "//test/util:file_descriptor",
         "//test/util:socket_util",
         "@com_google_absl//absl/base:core_headers",
diff --git a/test/syscalls/linux/packet_socket.cc b/test/syscalls/linux/packet_socket.cc
index 98339277b..ca4ab0aad 100644
--- a/test/syscalls/linux/packet_socket.cc
+++ b/test/syscalls/linux/packet_socket.cc
@@ -14,13 +14,13 @@
 
 #include <arpa/inet.h>
 #include <ifaddrs.h>
-#include <linux/capability.h>
-#include <linux/if_arp.h>
-#include <linux/if_packet.h>
 #include <net/ethernet.h>
+#include <net/if.h>
+#include <net/if_arp.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/udp.h>
+#include <netpacket/packet.h>
 #include <poll.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
@@ -31,6 +31,7 @@
 #include "absl/base/internal/endian.h"
 #include "test/syscalls/linux/unix_domain_socket_test_util.h"
 #include "test/util/capability_util.h"
+#include "test/util/cleanup.h"
 #include "test/util/file_descriptor.h"
 #include "test/util/socket_util.h"
 #include "test/util/test_util.h"
@@ -85,7 +86,7 @@ void SendUDPMessage(int sock) {
 
 // Send an IP packet and make sure ETH_P_<something else> doesn't pick it up.
 TEST(BasicCookedPacketTest, WrongType) {
-  if (!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability())) {
     ASSERT_THAT(socket(AF_PACKET, SOCK_DGRAM, ETH_P_PUP),
                 SyscallFailsWithErrno(EPERM));
     GTEST_SKIP();
@@ -123,7 +124,7 @@ class CookedPacketTest : public ::testing::TestWithParam<int> {
 };
 
 void CookedPacketTest::SetUp() {
-  if (!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability())) {
     ASSERT_THAT(socket(AF_PACKET, SOCK_DGRAM, htons(GetParam())),
                 SyscallFailsWithErrno(EPERM));
     GTEST_SKIP();
@@ -149,7 +150,7 @@ void CookedPacketTest::SetUp() {
 
 void CookedPacketTest::TearDown() {
   // TearDown will be run even if we skip the test.
-  if (ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability())) {
     EXPECT_THAT(close(socket_), SyscallSucceeds());
   }
 }
diff --git a/test/syscalls/linux/packet_socket_raw.cc b/test/syscalls/linux/packet_socket_raw.cc
index 07beb8ba0..61714d1da 100644
--- a/test/syscalls/linux/packet_socket_raw.cc
+++ b/test/syscalls/linux/packet_socket_raw.cc
@@ -13,14 +13,13 @@
 // limitations under the License.
 
 #include <arpa/inet.h>
-#include <linux/capability.h>
-#include <linux/filter.h>
-#include <linux/if_arp.h>
-#include <linux/if_packet.h>
 #include <net/ethernet.h>
+#include <net/if.h>
+#include <net/if_arp.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/udp.h>
+#include <netpacket/packet.h>
 #include <poll.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
@@ -32,6 +31,7 @@
 #include "absl/base/internal/endian.h"
 #include "test/syscalls/linux/unix_domain_socket_test_util.h"
 #include "test/util/capability_util.h"
+#include "test/util/cleanup.h"
 #include "test/util/file_descriptor.h"
 #include "test/util/socket_util.h"
 #include "test/util/test_util.h"
@@ -100,7 +100,7 @@ class RawPacketTest : public ::testing::TestWithParam<int> {
 };
 
 void RawPacketTest::SetUp() {
-  if (!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability())) {
     ASSERT_THAT(socket(AF_PACKET, SOCK_RAW, htons(GetParam())),
                 SyscallFailsWithErrno(EPERM));
     GTEST_SKIP();
@@ -150,7 +150,7 @@ void RawPacketTest::SetUp() {
 
 void RawPacketTest::TearDown() {
   // TearDown will be run even if we skip the test.
-  if (ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability())) {
     EXPECT_THAT(close(s_), SyscallSucceeds());
   }
 }
@@ -340,7 +340,7 @@ TEST_P(RawPacketTest, Send) {
 // Check that setting SO_RCVBUF below min is clamped to the minimum
 // receive buffer size.
 TEST_P(RawPacketTest, SetSocketRecvBufBelowMin) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   // Discover minimum receive buf size by trying to set it to zero.
   // See:
@@ -373,7 +373,7 @@ TEST_P(RawPacketTest, SetSocketRecvBufBelowMin) {
 // Check that setting SO_RCVBUF above max is clamped to the maximum
 // receive buffer size.
 TEST_P(RawPacketTest, SetSocketRecvBufAboveMax) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   // Discover max buf size by trying to set the largest possible buffer size.
   constexpr int kRcvBufSz = 0xffffffff;
@@ -400,7 +400,7 @@ TEST_P(RawPacketTest, SetSocketRecvBufAboveMax) {
 
 // Check that setting SO_RCVBUF min <= kRcvBufSz <= max is honored.
 TEST_P(RawPacketTest, SetSocketRecvBuf) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   int max = 0;
   int min = 0;
@@ -449,7 +449,7 @@ TEST_P(RawPacketTest, SetSocketRecvBuf) {
 // Check that setting SO_SNDBUF below min is clamped to the minimum
 // receive buffer size.
 TEST_P(RawPacketTest, SetSocketSendBufBelowMin) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   // Discover minimum buffer size by trying to set it to zero.
   constexpr int kSndBufSz = 0;
@@ -480,7 +480,7 @@ TEST_P(RawPacketTest, SetSocketSendBufBelowMin) {
 // Check that setting SO_SNDBUF above max is clamped to the maximum
 // send buffer size.
 TEST_P(RawPacketTest, SetSocketSendBufAboveMax) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   // Discover maximum buffer size by trying to set it to a large value.
   constexpr int kSndBufSz = 0xffffffff;
@@ -507,7 +507,7 @@ TEST_P(RawPacketTest, SetSocketSendBufAboveMax) {
 
 // Check that setting SO_SNDBUF min <= kSndBufSz <= max is honored.
 TEST_P(RawPacketTest, SetSocketSendBuf) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   int max = 0;
   int min = 0;
@@ -551,7 +551,7 @@ TEST_P(RawPacketTest, SetSocketSendBuf) {
 }
 
 TEST_P(RawPacketTest, GetSocketError) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   int val = 0;
   socklen_t val_len = sizeof(val);
@@ -561,7 +561,7 @@ TEST_P(RawPacketTest, GetSocketError) {
 }
 
 TEST_P(RawPacketTest, GetSocketErrorBind) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   {
     // Bind to the loopback device.
@@ -627,7 +627,7 @@ TEST_P(RawPacketTest, SetSocketDetachFilterNoInstalledFilter) {
 }
 
 TEST_P(RawPacketTest, GetSocketDetachFilter) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   int val = 0;
   socklen_t val_len = sizeof(val);
@@ -636,7 +636,7 @@ TEST_P(RawPacketTest, GetSocketDetachFilter) {
 }
 
 TEST_P(RawPacketTest, SetAndGetSocketLinger) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   int level = SOL_SOCKET;
   int type = SO_LINGER;
@@ -657,7 +657,7 @@ TEST_P(RawPacketTest, SetAndGetSocketLinger) {
 }
 
 TEST_P(RawPacketTest, GetSocketAcceptConn) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   int got = -1;
   socklen_t length = sizeof(got);
@@ -673,7 +673,7 @@ INSTANTIATE_TEST_SUITE_P(AllInetTests, RawPacketTest,
 class RawPacketMsgSizeTest : public ::testing::TestWithParam<TestAddress> {};
 
 TEST_P(RawPacketMsgSizeTest, SendTooLong) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   TestAddress addr = GetParam().WithPort(kPort);
 
@@ -690,8 +690,11 @@ TEST_P(RawPacketMsgSizeTest, SendTooLong) {
               SyscallFailsWithErrno(EMSGSIZE));
 }
 
+// TODO(https://fxbug.dev/76957): Run this test on Fuchsia once splice is
+// available.
+#ifndef __Fuchsia__
 TEST_P(RawPacketMsgSizeTest, SpliceTooLong) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HavePacketSocketCapability()));
 
   const char buf[65536] = {};
   int fds[2];
@@ -718,6 +721,7 @@ TEST_P(RawPacketMsgSizeTest, SpliceTooLong) {
     EXPECT_THAT(n, SyscallSucceedsWithValue(sizeof(buf)));
   }
 }
+#endif  // __Fuchsia__
 
 INSTANTIATE_TEST_SUITE_P(AllRawPacketMsgSizeTest, RawPacketMsgSizeTest,
                          ::testing::Values(V4Loopback(), V6Loopback()));
diff --git a/test/syscalls/linux/raw_socket.cc b/test/syscalls/linux/raw_socket.cc
index 4e69e389b..66f0e6ca4 100644
--- a/test/syscalls/linux/raw_socket.cc
+++ b/test/syscalls/linux/raw_socket.cc
@@ -97,7 +97,7 @@ class RawSocketTest : public ::testing::TestWithParam<std::tuple<int, int>> {
 };
 
 void RawSocketTest::SetUp() {
-  if (!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability())) {
     ASSERT_THAT(socket(Family(), SOCK_RAW, Protocol()),
                 SyscallFailsWithErrno(EPERM));
     GTEST_SKIP();
@@ -121,7 +121,7 @@ void RawSocketTest::SetUp() {
 
 void RawSocketTest::TearDown() {
   // TearDown will be run even if we skip the test.
-  if (ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability())) {
     EXPECT_THAT(close(s_), SyscallSucceeds());
   }
 }
@@ -130,7 +130,7 @@ void RawSocketTest::TearDown() {
 // BasicRawSocket::Setup creates the first one, so we only have to create one
 // more here.
 TEST_P(RawSocketTest, MultipleCreation) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   int s2;
   ASSERT_THAT(s2 = socket(Family(), SOCK_RAW, Protocol()), SyscallSucceeds());
@@ -140,7 +140,7 @@ TEST_P(RawSocketTest, MultipleCreation) {
 
 // Test that shutting down an unconnected socket fails.
 TEST_P(RawSocketTest, FailShutdownWithoutConnect) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(shutdown(s_, SHUT_WR), SyscallFailsWithErrno(ENOTCONN));
   ASSERT_THAT(shutdown(s_, SHUT_RD), SyscallFailsWithErrno(ENOTCONN));
@@ -148,7 +148,7 @@ TEST_P(RawSocketTest, FailShutdownWithoutConnect) {
 
 // Shutdown is a no-op for raw sockets (and datagram sockets in general).
 TEST_P(RawSocketTest, ShutdownWriteNoop) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(
       connect(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
@@ -163,7 +163,7 @@ TEST_P(RawSocketTest, ShutdownWriteNoop) {
 
 // Shutdown is a no-op for raw sockets (and datagram sockets in general).
 TEST_P(RawSocketTest, ShutdownReadNoop) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(
       connect(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
@@ -180,14 +180,14 @@ TEST_P(RawSocketTest, ShutdownReadNoop) {
 
 // Test that listen() fails.
 TEST_P(RawSocketTest, FailListen) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(listen(s_, 1), SyscallFailsWithErrno(ENOTSUP));
 }
 
 // Test that accept() fails.
 TEST_P(RawSocketTest, FailAccept) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   struct sockaddr saddr;
   socklen_t addrlen;
@@ -195,7 +195,7 @@ TEST_P(RawSocketTest, FailAccept) {
 }
 
 TEST_P(RawSocketTest, BindThenGetSockName) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   struct sockaddr* addr = reinterpret_cast<struct sockaddr*>(&addr_);
   ASSERT_THAT(bind(s_, addr, AddrLen()), SyscallSucceeds());
@@ -219,7 +219,7 @@ TEST_P(RawSocketTest, BindThenGetSockName) {
 }
 
 TEST_P(RawSocketTest, ConnectThenGetSockName) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   struct sockaddr* addr = reinterpret_cast<struct sockaddr*>(&addr_);
   ASSERT_THAT(connect(s_, addr, AddrLen()), SyscallSucceeds());
@@ -244,7 +244,7 @@ TEST_P(RawSocketTest, ConnectThenGetSockName) {
 
 // Test that getpeername() returns nothing before connect().
 TEST_P(RawSocketTest, FailGetPeerNameBeforeConnect) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   struct sockaddr saddr;
   socklen_t addrlen = sizeof(saddr);
@@ -254,7 +254,7 @@ TEST_P(RawSocketTest, FailGetPeerNameBeforeConnect) {
 
 // Test that getpeername() returns something after connect().
 TEST_P(RawSocketTest, GetPeerName) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(
       connect(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
@@ -268,7 +268,7 @@ TEST_P(RawSocketTest, GetPeerName) {
 
 // Test that the socket is writable immediately.
 TEST_P(RawSocketTest, PollWritableImmediately) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   struct pollfd pfd = {};
   pfd.fd = s_;
@@ -278,7 +278,7 @@ TEST_P(RawSocketTest, PollWritableImmediately) {
 
 // Test that the socket isn't readable before receiving anything.
 TEST_P(RawSocketTest, PollNotReadableInitially) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Try to receive data with MSG_DONTWAIT, which returns immediately if there's
   // nothing to be read.
@@ -289,7 +289,7 @@ TEST_P(RawSocketTest, PollNotReadableInitially) {
 
 // Test that the socket becomes readable once something is written to it.
 TEST_P(RawSocketTest, PollTriggeredOnWrite) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Write something so that there's data to be read.
   // Arbitrary.
@@ -304,7 +304,7 @@ TEST_P(RawSocketTest, PollTriggeredOnWrite) {
 
 // Test that we can connect() to a valid IP (loopback).
 TEST_P(RawSocketTest, ConnectToLoopback) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(
       connect(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
@@ -313,7 +313,7 @@ TEST_P(RawSocketTest, ConnectToLoopback) {
 
 // Test that calling send() without connect() fails.
 TEST_P(RawSocketTest, SendWithoutConnectFails) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Arbitrary.
   constexpr char kBuf[] = "Endgame was good";
@@ -323,7 +323,7 @@ TEST_P(RawSocketTest, SendWithoutConnectFails) {
 
 // Wildcard Bind.
 TEST_P(RawSocketTest, BindToWildcard) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
   struct sockaddr_storage addr;
   addr = {};
 
@@ -344,16 +344,15 @@ TEST_P(RawSocketTest, BindToWildcard) {
 
 // Bind to localhost.
 TEST_P(RawSocketTest, BindToLocalhost) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
-  ASSERT_THAT(
-      bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
-      SyscallSucceeds());
+  ASSERT_THAT(bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
+              SyscallSucceeds());
 }
 
 // Bind to a different address.
 TEST_P(RawSocketTest, BindToInvalid) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   struct sockaddr_storage bind_addr = addr_;
   if (Family() == AF_INET) {
@@ -365,13 +364,14 @@ TEST_P(RawSocketTest, BindToInvalid) {
     memset(&sin6->sin6_addr.s6_addr, 0, sizeof(sin6->sin6_addr.s6_addr));
     sin6->sin6_addr.s6_addr[0] = 1;  // 1: - An address that we can't bind to.
   }
-  ASSERT_THAT(bind(s_, reinterpret_cast<struct sockaddr*>(&bind_addr),
-                   AddrLen()), SyscallFailsWithErrno(EADDRNOTAVAIL));
+  ASSERT_THAT(
+      bind(s_, reinterpret_cast<struct sockaddr*>(&bind_addr), AddrLen()),
+      SyscallFailsWithErrno(EADDRNOTAVAIL));
 }
 
 // Send and receive an packet.
 TEST_P(RawSocketTest, SendAndReceive) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Arbitrary.
   constexpr char kBuf[] = "TB12";
@@ -386,7 +386,7 @@ TEST_P(RawSocketTest, SendAndReceive) {
 // We should be able to create multiple raw sockets for the same protocol and
 // receive the same packet on both.
 TEST_P(RawSocketTest, MultipleSocketReceive) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   int s2;
   ASSERT_THAT(s2 = socket(Family(), SOCK_RAW, Protocol()), SyscallSucceeds());
@@ -401,11 +401,11 @@ TEST_P(RawSocketTest, MultipleSocketReceive) {
 
   // Receive it on socket 2.
   std::vector<char> recv_buf2(sizeof(kBuf) + HdrLen());
-  ASSERT_NO_FATAL_FAILURE(ReceiveBufFrom(s2, recv_buf2.data(),
-                                         recv_buf2.size()));
+  ASSERT_NO_FATAL_FAILURE(
+      ReceiveBufFrom(s2, recv_buf2.data(), recv_buf2.size()));
 
-  EXPECT_EQ(memcmp(recv_buf1.data() + HdrLen(),
-                   recv_buf2.data() + HdrLen(), sizeof(kBuf)),
+  EXPECT_EQ(memcmp(recv_buf1.data() + HdrLen(), recv_buf2.data() + HdrLen(),
+                   sizeof(kBuf)),
             0);
 
   ASSERT_THAT(close(s2), SyscallSucceeds());
@@ -413,7 +413,7 @@ TEST_P(RawSocketTest, MultipleSocketReceive) {
 
 // Test that connect sends packets to the right place.
 TEST_P(RawSocketTest, SendAndReceiveViaConnect) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(
       connect(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
@@ -432,11 +432,10 @@ TEST_P(RawSocketTest, SendAndReceiveViaConnect) {
 
 // Bind to localhost, then send and receive packets.
 TEST_P(RawSocketTest, BindSendAndReceive) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
-  ASSERT_THAT(
-      bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
-      SyscallSucceeds());
+  ASSERT_THAT(bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
+              SyscallSucceeds());
 
   // Arbitrary.
   constexpr char kBuf[] = "DR16";
@@ -450,11 +449,10 @@ TEST_P(RawSocketTest, BindSendAndReceive) {
 
 // Bind and connect to localhost and send/receive packets.
 TEST_P(RawSocketTest, BindConnectSendAndReceive) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
-  ASSERT_THAT(
-      bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
-      SyscallSucceeds());
+  ASSERT_THAT(bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
+              SyscallSucceeds());
   ASSERT_THAT(
       connect(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
       SyscallSucceeds());
@@ -472,7 +470,7 @@ TEST_P(RawSocketTest, BindConnectSendAndReceive) {
 // Check that setting SO_RCVBUF below min is clamped to the minimum
 // receive buffer size.
 TEST_P(RawSocketTest, SetSocketRecvBufBelowMin) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Discover minimum receive buf size by trying to set it to zero.
   // See:
@@ -505,7 +503,7 @@ TEST_P(RawSocketTest, SetSocketRecvBufBelowMin) {
 // Check that setting SO_RCVBUF above max is clamped to the maximum
 // receive buffer size.
 TEST_P(RawSocketTest, SetSocketRecvBufAboveMax) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Discover max buf size by trying to set the largest possible buffer size.
   constexpr int kRcvBufSz = 0xffffffff;
@@ -532,7 +530,7 @@ TEST_P(RawSocketTest, SetSocketRecvBufAboveMax) {
 
 // Check that setting SO_RCVBUF min <= kRcvBufSz <= max is honored.
 TEST_P(RawSocketTest, SetSocketRecvBuf) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   int max = 0;
   int min = 0;
@@ -582,7 +580,7 @@ TEST_P(RawSocketTest, SetSocketRecvBuf) {
 // Check that setting SO_SNDBUF below min is clamped to the minimum
 // receive buffer size.
 TEST_P(RawSocketTest, SetSocketSendBufBelowMin) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Discover minimum buffer size by trying to set it to zero.
   constexpr int kSndBufSz = 0;
@@ -613,7 +611,7 @@ TEST_P(RawSocketTest, SetSocketSendBufBelowMin) {
 // Check that setting SO_SNDBUF above max is clamped to the maximum
 // send buffer size.
 TEST_P(RawSocketTest, SetSocketSendBufAboveMax) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Discover maximum buffer size by trying to set it to a large value.
   constexpr int kSndBufSz = 0xffffffff;
@@ -640,7 +638,7 @@ TEST_P(RawSocketTest, SetSocketSendBufAboveMax) {
 
 // Check that setting SO_SNDBUF min <= kSndBufSz <= max is honored.
 TEST_P(RawSocketTest, SetSocketSendBuf) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   int max = 0;
   int min = 0;
@@ -686,11 +684,10 @@ TEST_P(RawSocketTest, SetSocketSendBuf) {
 // Test that receive buffer limits are not enforced when the recv buffer is
 // empty.
 TEST_P(RawSocketTest, RecvBufLimitsEmptyRecvBuffer) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
-  ASSERT_THAT(
-      bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
-      SyscallSucceeds());
+  ASSERT_THAT(bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
+              SyscallSucceeds());
   ASSERT_THAT(
       connect(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
       SyscallSucceeds());
@@ -717,9 +714,7 @@ TEST_P(RawSocketTest, RecvBufLimitsEmptyRecvBuffer) {
     // Receive the packet and make sure it's identical.
     std::vector<char> recv_buf(buf.size() + HdrLen());
     ASSERT_NO_FATAL_FAILURE(ReceiveBuf(recv_buf.data(), recv_buf.size()));
-    EXPECT_EQ(
-        memcmp(recv_buf.data() + HdrLen(), buf.data(), buf.size()),
-        0);
+    EXPECT_EQ(memcmp(recv_buf.data() + HdrLen(), buf.data(), buf.size()), 0);
   }
 
   {
@@ -732,9 +727,7 @@ TEST_P(RawSocketTest, RecvBufLimitsEmptyRecvBuffer) {
     // Receive the packet and make sure it's identical.
     std::vector<char> recv_buf(buf.size() + HdrLen());
     ASSERT_NO_FATAL_FAILURE(ReceiveBuf(recv_buf.data(), recv_buf.size()));
-    EXPECT_EQ(
-        memcmp(recv_buf.data() + HdrLen(), buf.data(), buf.size()),
-        0);
+    EXPECT_EQ(memcmp(recv_buf.data() + HdrLen(), buf.data(), buf.size()), 0);
   }
 }
 
@@ -748,11 +741,10 @@ TEST_P(RawSocketTest, RecvBufLimits) {
   if (Protocol() == IPPROTO_TCP) {
     return;
   }
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
-  ASSERT_THAT(
-      bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
-      SyscallSucceeds());
+  ASSERT_THAT(bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
+              SyscallSucceeds());
   ASSERT_THAT(
       connect(s_, reinterpret_cast<struct sockaddr*>(&addr_), AddrLen()),
       SyscallSucceeds());
@@ -812,9 +804,7 @@ TEST_P(RawSocketTest, RecvBufLimits) {
       // Receive the packet and make sure it's identical.
       std::vector<char> recv_buf(buf.size() + HdrLen());
       ASSERT_NO_FATAL_FAILURE(ReceiveBuf(recv_buf.data(), recv_buf.size()));
-      EXPECT_EQ(memcmp(recv_buf.data() + HdrLen(), buf.data(),
-                       buf.size()),
-                0);
+      EXPECT_EQ(memcmp(recv_buf.data() + HdrLen(), buf.data(), buf.size()), 0);
     }
 
     // Assert that the last packet is dropped because the receive buffer should
@@ -883,7 +873,7 @@ TEST_P(RawSocketTest, GetSocketDetachFilter) {
 
 // AF_INET6+SOCK_RAW+IPPROTO_RAW sockets can be created, but not written to.
 TEST(RawSocketTest, IPv6ProtoRaw) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   int sock;
   ASSERT_THAT(sock = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW),
@@ -900,7 +890,7 @@ TEST(RawSocketTest, IPv6ProtoRaw) {
 }
 
 TEST(RawSocketTest, IPv6SendMsg) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   int sock;
   ASSERT_THAT(sock = socket(AF_INET6, SOCK_RAW, IPPROTO_TCP),
@@ -928,7 +918,7 @@ TEST(RawSocketTest, IPv6SendMsg) {
 }
 
 TEST_P(RawSocketTest, ConnectOnIPv6Socket) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   int sock;
   ASSERT_THAT(sock = socket(AF_INET6, SOCK_RAW, IPPROTO_TCP),
diff --git a/test/syscalls/linux/raw_socket_hdrincl.cc b/test/syscalls/linux/raw_socket_hdrincl.cc
index e54d781c9..d45bd07bc 100644
--- a/test/syscalls/linux/raw_socket_hdrincl.cc
+++ b/test/syscalls/linux/raw_socket_hdrincl.cc
@@ -62,7 +62,7 @@ class RawHDRINCL : public ::testing::Test {
 };
 
 void RawHDRINCL::SetUp() {
-  if (!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability())) {
     ASSERT_THAT(socket(AF_INET, SOCK_RAW, IPPROTO_RAW),
                 SyscallFailsWithErrno(EPERM));
     GTEST_SKIP();
@@ -80,7 +80,7 @@ void RawHDRINCL::SetUp() {
 
 void RawHDRINCL::TearDown() {
   // TearDown will be run even if we skip the test.
-  if (ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability())) {
     EXPECT_THAT(close(socket_), SyscallSucceeds());
   }
 }
diff --git a/test/syscalls/linux/raw_socket_icmp.cc b/test/syscalls/linux/raw_socket_icmp.cc
index 80a524273..3f9717284 100644
--- a/test/syscalls/linux/raw_socket_icmp.cc
+++ b/test/syscalls/linux/raw_socket_icmp.cc
@@ -76,7 +76,7 @@ class RawSocketICMPTest : public ::testing::Test {
 };
 
 void RawSocketICMPTest::SetUp() {
-  if (!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability())) {
     ASSERT_THAT(socket(AF_INET, SOCK_RAW, IPPROTO_ICMP),
                 SyscallFailsWithErrno(EPERM));
     GTEST_SKIP();
@@ -94,7 +94,7 @@ void RawSocketICMPTest::SetUp() {
 
 void RawSocketICMPTest::TearDown() {
   // TearDown will be run even if we skip the test.
-  if (ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))) {
+  if (ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability())) {
     EXPECT_THAT(close(s_), SyscallSucceeds());
   }
 }
@@ -102,7 +102,7 @@ void RawSocketICMPTest::TearDown() {
 // We'll only read an echo in this case, as the kernel won't respond to the
 // malformed ICMP checksum.
 TEST_F(RawSocketICMPTest, SendAndReceiveBadChecksum) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Prepare and send an ICMP packet. Use arbitrary junk for checksum, sequence,
   // and ID. None of that should matter for raw sockets - the kernel should
@@ -131,7 +131,7 @@ TEST_F(RawSocketICMPTest, SendAndReceiveBadChecksum) {
 
 // Send and receive an ICMP packet.
 TEST_F(RawSocketICMPTest, SendAndReceive) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   // Prepare and send an ICMP packet. Use arbitrary junk for sequence and ID.
   // None of that should matter for raw sockets - the kernel should still give
@@ -151,7 +151,7 @@ TEST_F(RawSocketICMPTest, SendAndReceive) {
 // We should be able to create multiple raw sockets for the same protocol and
 // receive the same packet on both.
 TEST_F(RawSocketICMPTest, MultipleSocketReceive) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   FileDescriptor s2 =
       ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_INET, SOCK_RAW, IPPROTO_ICMP));
@@ -214,7 +214,7 @@ TEST_F(RawSocketICMPTest, MultipleSocketReceive) {
 // A raw ICMP socket and ping socket should both receive the ICMP packets
 // intended for the ping socket.
 TEST_F(RawSocketICMPTest, RawAndPingSockets) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   FileDescriptor ping_sock =
       ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP));
@@ -264,7 +264,7 @@ TEST_F(RawSocketICMPTest, RawAndPingSockets) {
 // while a ping socket should not. Neither should be able to receieve a short
 // malformed packet.
 TEST_F(RawSocketICMPTest, ShortEchoRawAndPingSockets) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   FileDescriptor ping_sock =
       ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP));
@@ -305,7 +305,7 @@ TEST_F(RawSocketICMPTest, ShortEchoRawAndPingSockets) {
 // while ping socket should not.
 // Neither should be able to receieve a short malformed packet.
 TEST_F(RawSocketICMPTest, ShortEchoReplyRawAndPingSockets) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   FileDescriptor ping_sock =
       ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP));
@@ -344,7 +344,7 @@ TEST_F(RawSocketICMPTest, ShortEchoReplyRawAndPingSockets) {
 
 // Test that connect() sends packets to the right place.
 TEST_F(RawSocketICMPTest, SendAndReceiveViaConnect) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(
       connect(s_, reinterpret_cast<struct sockaddr*>(&addr_), sizeof(addr_)),
@@ -368,7 +368,7 @@ TEST_F(RawSocketICMPTest, SendAndReceiveViaConnect) {
 
 // Bind to localhost, then send and receive packets.
 TEST_F(RawSocketICMPTest, BindSendAndReceive) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(
       bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), sizeof(addr_)),
@@ -391,7 +391,7 @@ TEST_F(RawSocketICMPTest, BindSendAndReceive) {
 
 // Bind and connect to localhost and send/receive packets.
 TEST_F(RawSocketICMPTest, BindConnectSendAndReceive) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   ASSERT_THAT(
       bind(s_, reinterpret_cast<struct sockaddr*>(&addr_), sizeof(addr_)),
@@ -417,7 +417,7 @@ TEST_F(RawSocketICMPTest, BindConnectSendAndReceive) {
 
 // Set and get SO_LINGER.
 TEST_F(RawSocketICMPTest, SetAndGetSocketLinger) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   int level = SOL_SOCKET;
   int type = SO_LINGER;
@@ -439,7 +439,7 @@ TEST_F(RawSocketICMPTest, SetAndGetSocketLinger) {
 
 // Test getsockopt for SO_ACCEPTCONN.
 TEST_F(RawSocketICMPTest, GetSocketAcceptConn) {
-  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
 
   int got = -1;
   socklen_t length = sizeof(got);
diff --git a/test/util/BUILD b/test/util/BUILD
index 3211546f5..b92af1c27 100644
--- a/test/util/BUILD
+++ b/test/util/BUILD
@@ -14,7 +14,6 @@ cc_library(
     ],
     hdrs = [
         "capability_util.h",
-        "fuchsia_capability_util.h",
         "linux_capability_util.h",
     ],
     deps = [
diff --git a/test/util/capability_util.h b/test/util/capability_util.h
index f5d622e2d..318a43feb 100644
--- a/test/util/capability_util.h
+++ b/test/util/capability_util.h
@@ -18,11 +18,29 @@
 #define GVISOR_TEST_UTIL_CAPABILITY_UTIL_H_
 
 #if defined(__Fuchsia__)
-#include "test/util/fuchsia_capability_util.h"
+// Nothing to include.
 #elif defined(__linux__)
 #include "test/util/linux_capability_util.h"
 #else
 #error "Unhandled platform"
 #endif
 
+namespace gvisor {
+namespace testing {
+
+// HaveRawIPSocketCapability returns whether or not the process has access to
+// raw IP sockets.
+//
+// Returns an error when raw IP socket access cannot be determined.
+PosixErrorOr<bool> HaveRawIPSocketCapability();
+
+// HavePacketSocketCapability returns whether or not the process has access to
+// packet sockets.
+//
+// Returns an error when packet socket access cannot be determined.
+PosixErrorOr<bool> HavePacketSocketCapability();
+
+}  // namespace testing
+}  // namespace gvisor
+
 #endif  // GVISOR_TEST_UTIL_CAPABILITY_UTIL_H_
diff --git a/test/util/fuchsia_capability_util.cc b/test/util/fuchsia_capability_util.cc
index 43f60f20f..bbe8643e7 100644
--- a/test/util/fuchsia_capability_util.cc
+++ b/test/util/fuchsia_capability_util.cc
@@ -14,8 +14,7 @@
 
 #ifdef __Fuchsia__
 
-#include "test/util/fuchsia_capability_util.h"
-
+#include <netinet/if_ether.h>
 #include <netinet/in.h>
 #include <sys/socket.h>
 
@@ -24,19 +23,48 @@
 namespace gvisor {
 namespace testing {
 
-PosixErrorOr<bool> HaveCapability(int cap) {
-  if (cap == CAP_NET_RAW) {
-    auto s = Socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
-    if (s.ok()) {
-      return true;
-    }
-    if (s.error().errno_value() == EPERM) {
-      return false;
-    }
-    return s.error();
+// On Linux, access to raw IP and packet socket is controlled by a single
+// capability (CAP_NET_RAW). However on Fuchsia, access to raw IP and packet
+// sockets are controlled by separate capabilities/protocols.
+
+namespace {
+
+PosixErrorOr<bool> HaveSocketCapability(int domain, int type, int protocol) {
+  // Fuchsia does not have a platform supported way to check the protocols made
+  // available to a sandbox. As a workaround, simply try to create the specified
+  // socket and assume no access if we get a no permissions error.
+  auto s = Socket(domain, type, protocol);
+  if (s.ok()) {
+    return true;
   }
+  if (s.error().errno_value() == EPERM) {
+    return false;
+  }
+  return s.error();
+}
+
+}  // namespace
+
+PosixErrorOr<bool> HaveRawIPSocketCapability() {
+  static PosixErrorOr<bool> result(false);
+  static std::once_flag once;
+
+  std::call_once(once, [&]() {
+    result = HaveSocketCapability(AF_INET, SOCK_RAW, IPPROTO_UDP);
+  });
+
+  return result;
+}
+
+PosixErrorOr<bool> HavePacketSocketCapability() {
+  static PosixErrorOr<bool> result(false);
+  static std::once_flag once;
+
+  std::call_once(once, [&]() {
+    result = HaveSocketCapability(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+  });
 
-  return false;
+  return result;
 }
 
 }  // namespace testing
diff --git a/test/util/fuchsia_capability_util.h b/test/util/fuchsia_capability_util.h
deleted file mode 100644
index 87657d7e8..000000000
--- a/test/util/fuchsia_capability_util.h
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright 2021 The gVisor Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Utilities for testing capabilities on Fuchsia.
-
-#ifndef GVISOR_TEST_UTIL_FUCHSIA_CAPABILITY_UTIL_H_
-#define GVISOR_TEST_UTIL_FUCHSIA_CAPABILITY_UTIL_H_
-
-#ifdef __Fuchsia__
-
-#include "test/util/posix_error.h"
-
-#ifdef CAP_NET_RAW
-#error "Fuchsia should not define CAP_NET_RAW"
-#endif  // CAP_NET_RAW
-#define CAP_NET_RAW 0
-
-namespace gvisor {
-namespace testing {
-
-// HaveCapability returns true if the process has the specified EFFECTIVE
-// capability.
-PosixErrorOr<bool> HaveCapability(int cap);
-
-}  // namespace testing
-}  // namespace gvisor
-
-#endif  // __Fuchsia__
-
-#endif  // GVISOR_TEST_UTIL_FUCHSIA_CAPABILITY_UTIL_H_
diff --git a/test/util/linux_capability_util.cc b/test/util/linux_capability_util.cc
index 958eb96f9..7218aa4ac 100644
--- a/test/util/linux_capability_util.cc
+++ b/test/util/linux_capability_util.cc
@@ -32,6 +32,14 @@
 namespace gvisor {
 namespace testing {
 
+PosixErrorOr<bool> HaveRawIPSocketCapability() {
+  return HaveCapability(CAP_NET_RAW);
+}
+
+PosixErrorOr<bool> HavePacketSocketCapability() {
+  return HaveCapability(CAP_NET_RAW);
+}
+
 PosixErrorOr<bool> CanCreateUserNamespace() {
   // The most reliable way to determine if userns creation is possible is by
   // trying to create one; see below.
author	Ghanan Gowripalan <ghanan@google.com>	2021-08-11 18:18:36 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-08-11 18:21:40 -0700
commit	d51bc877f40d2acbf5b83895f636186c87463ab1 (patch)
tree	a3dcf26bcd3f05994df22cd359b2b4ac6503da55 /test
parent	a50596874a4971167f97a05181363e91292a2885 (diff)