OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <stdio.h> | 9 #include <stdio.h> |
10 #include <sys/capability.h> | 10 #include <sys/capability.h> |
(...skipping 159 matching lines...)
170 CHECK(!Credentials::MoveToNewUserNS()); | 170 CHECK(!Credentials::MoveToNewUserNS()); |
171 } | 171 } |
172 | 172 |
173 SANDBOX_TEST(Credentials, SetCapabilities) { | 173 SANDBOX_TEST(Credentials, SetCapabilities) { |
174 // Probably missing kernel support. | 174 // Probably missing kernel support. |
175 if (!Credentials::MoveToNewUserNS()) | 175 if (!Credentials::MoveToNewUserNS()) |
176 return; | 176 return; |
177 | 177 |
178 base::ScopedFD proc_fd(ProcUtil::OpenProc()); | 178 base::ScopedFD proc_fd(ProcUtil::OpenProc()); |
179 | 179 |
180 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_ADMIN)); | 180 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysAdmin)); |
181 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT)); | 181 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysChroot)); |
182 | 182 |
183 std::vector<Credentials::Capability> caps; | 183 const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysChroot}; |
184 caps.push_back(Credentials::Capability::SYS_CHROOT); | |
185 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); | 184 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); |
186 | 185 |
187 CHECK(!Credentials::HasCapability(Credentials::Capability::SYS_ADMIN)); | 186 CHECK(!Credentials::HasCapability(LinuxCapability::kCapSysAdmin)); |
188 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT)); | 187 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysChroot)); |
189 | 188 |
190 const std::vector<Credentials::Capability> no_caps; | 189 const std::vector<LinuxCapability> no_caps; |
191 CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps)); | 190 CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps)); |
192 CHECK(!Credentials::HasAnyCapability()); | 191 CHECK(!Credentials::HasAnyCapability()); |
193 } | 192 } |
194 | 193 |
195 SANDBOX_TEST(Credentials, SetCapabilitiesAndChroot) { | 194 SANDBOX_TEST(Credentials, SetCapabilitiesAndChroot) { |
196 // Probably missing kernel support. | 195 // Probably missing kernel support. |
197 if (!Credentials::MoveToNewUserNS()) | 196 if (!Credentials::MoveToNewUserNS()) |
198 return; | 197 return; |
199 | 198 |
200 base::ScopedFD proc_fd(ProcUtil::OpenProc()); | 199 base::ScopedFD proc_fd(ProcUtil::OpenProc()); |
201 | 200 |
202 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT)); | 201 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysChroot)); |
203 PCHECK(chroot("/") == 0); | 202 PCHECK(chroot("/") == 0); |
204 | 203 |
205 std::vector<Credentials::Capability> caps; | 204 const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysChroot}; |
206 caps.push_back(Credentials::Capability::SYS_CHROOT); | |
207 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); | 205 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); |
208 PCHECK(chroot("/") == 0); | 206 PCHECK(chroot("/") == 0); |
209 | 207 |
210 CHECK(Credentials::DropAllCapabilities()); | 208 CHECK(Credentials::DropAllCapabilities()); |
211 PCHECK(chroot("/") == -1 && errno == EPERM); | 209 PCHECK(chroot("/") == -1 && errno == EPERM); |
212 } | 210 } |
213 | 211 |
214 SANDBOX_TEST(Credentials, SetCapabilitiesMatchesLibCap2) { | 212 SANDBOX_TEST(Credentials, SetCapabilitiesMatchesLibCap2) { |
215 // Probably missing kernel support. | 213 // Probably missing kernel support. |
216 if (!Credentials::MoveToNewUserNS()) | 214 if (!Credentials::MoveToNewUserNS()) |
217 return; | 215 return; |
218 | 216 |
219 base::ScopedFD proc_fd(ProcUtil::OpenProc()); | 217 base::ScopedFD proc_fd(ProcUtil::OpenProc()); |
220 | 218 |
221 std::vector<Credentials::Capability> caps; | 219 const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysChroot}; |
222 caps.push_back(Credentials::Capability::SYS_CHROOT); | |
223 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); | 220 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); |
224 | 221 |
225 ScopedCap actual_cap(cap_get_proc()); | 222 ScopedCap actual_cap(cap_get_proc()); |
226 PCHECK(actual_cap != nullptr); | 223 PCHECK(actual_cap != nullptr); |
227 | 224 |
228 ScopedCap expected_cap(cap_init()); | 225 ScopedCap expected_cap(cap_init()); |
229 PCHECK(expected_cap != nullptr); | 226 PCHECK(expected_cap != nullptr); |
230 | 227 |
231 const cap_value_t allowed_cap = CAP_SYS_CHROOT; | 228 const cap_value_t allowed_cap = CAP_SYS_CHROOT; |
232 for (const cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) { | 229 for (const cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) { |
233 PCHECK(cap_set_flag(expected_cap.get(), flag, 1, &allowed_cap, CAP_SET) == | 230 PCHECK(cap_set_flag(expected_cap.get(), flag, 1, &allowed_cap, CAP_SET) == |
234 0); | 231 0); |
235 } | 232 } |
236 | 233 |
237 CHECK_EQ(0, cap_compare(expected_cap.get(), actual_cap.get())); | 234 CHECK_EQ(0, cap_compare(expected_cap.get(), actual_cap.get())); |
238 } | 235 } |
239 | 236 |
240 } // namespace. | 237 } // namespace. |
241 | 238 |
242 } // namespace sandbox. | 239 } // namespace sandbox. |
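Review bot: SetCapabilitiesMatchesLibCap2 cross-checks only `LinuxCapability::kCapSysChroot` against libcap's `CAP_SYS_CHROOT`, so the value behind `kCapSysAdmin` is never compared with an independent source. The HasCapability/SetCapabilities assertions in the SetCapabilities test go through the same enum in both directions and would likely still pass if that constant mapped to the wrong capability. Unless the 159 skipped lines already cover it, a sibling test using `const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysAdmin};` with `const cap_value_t allowed_cap = CAP_SYS_ADMIN;` would pin the second value of the new enum. Separately, all three tests still `return` silently when `MoveToNewUserNS()` fails, so on a kernel without usable user namespaces they pass without exercising any capability drop; a log line at that early return would make the lost coverage visible.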