cybersecurity · intermediate · ~15 min · safe pentest lab
Practice deny-by-default allow/deny-list checking on attacker-influenced string input: exact-match comparison, NULL/empty handling, and rejecting near-miss inputs (prefixes, suffixes, wrong case) — the core discipline behind auditing container capability grants.
When a Docker/Kubernetes container is granted certain Linux capabilities, an attacker who lands code inside it can escalate straight to root on the host. Capabilities like CAP_SYS_ADMIN (the "new root"), CAP_DAC_OVERRIDE, CAP_SETUID/CAP_SETGID, CAP_SYS_PTRACE, and CAP_SYS_MODULE are classic breakout enablers.
You are writing an audit helper that scans a container's --cap-add list (a fixed array baked into the test harness) and flags each entry that is high-risk. The asset is the host; the threat is a privileged breakout via an over-broad capability grant. The insecure assumption you must avoid is treating any capability name that merely looks like a known one as dangerous (or safe) — matching must be exact, case-sensitive, and deny-by-default.
Implement:
int is_dangerous_cap(const char *cap);
Return 1 iff cap exactly names one of the six high-risk capabilities in the fixed list, otherwise 0. A NULL pointer must return 0 — never dereference it. Do not partial-match, do not lowercase-fold, and do not read past the string.
Given the harness array caps:
is_dangerous_cap(caps[0]) -> 1is_dangerous_cap(caps[6]) -> 0A single C string cap (may be NULL) holding a capability name such as "CAP_SYS_ADMIN". The harness supplies values from a fixed in-memory array; no I/O.
int: 1 if cap is one of the six high-risk capabilities, else 0.
C11, standard headers only (provided by the harness). No dynamic allocation, no global mutable state, no I/O. Must not dereference NULL. Matching is exact and case-sensitive. The high-risk list is fixed: CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID, CAP_SYS_PTRACE, CAP_SYS_MODULE.
int is_dangerous_cap(const char *cap){
/* TODO: return 1 only for the fixed high-risk capability list, else 0;
NULL must return 0. Replace this insecure stub. */
(void)cap;
return -1;
}
Dereferencing cap before the NULL check; using strncmp with a fixed length so prefixes falsely match; case-insensitive comparison that treats lowercase names as dangerous; substring search (strstr) that matches superstrings; forgetting one or more of the six names; returning a truthy value other than 0/1 that the harness's exact comparison rejects.
NULL pointer -> 0; empty string "" -> 0; a prefix of a dangerous name ("CAP_SYS_ADMI") -> 0; a superstring ("CAP_SYS_ADMINX") -> 0; wrong case ("cap_sys_admin") -> 0; an unrelated but legitimate low-risk cap ("CAP_NET_BIND_SERVICE", "CAP_CHOWN") -> 0; each of the six exact names -> 1.
Solve this exercise in the browser editor — compile and run against the test harness, no setup required.