Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(607)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/services/credentials_unittest.cc

Issue 1041163003: Revert of Start all children in their own PID namespace. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/linux/services/credentials.cc ('k') | sandbox/linux/services/namespace_sandbox.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/services/credentials.h" 5 #include "sandbox/linux/services/credentials.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <stdio.h> 9 #include <stdio.h>
10 #include <sys/capability.h> 10 #include <sys/capability.h>
(...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after
170 CHECK(!Credentials::MoveToNewUserNS()); 170 CHECK(!Credentials::MoveToNewUserNS());
171 } 171 }
172 172
173 SANDBOX_TEST(Credentials, SetCapabilities) { 173 SANDBOX_TEST(Credentials, SetCapabilities) {
174 // Probably missing kernel support. 174 // Probably missing kernel support.
175 if (!Credentials::MoveToNewUserNS()) 175 if (!Credentials::MoveToNewUserNS())
176 return; 176 return;
177 177
178 base::ScopedFD proc_fd(ProcUtil::OpenProc()); 178 base::ScopedFD proc_fd(ProcUtil::OpenProc());
179 179
180 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_ADMIN)); 180 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysAdmin));
181 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT)); 181 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysChroot));
182 182
183 std::vector<Credentials::Capability> caps; 183 const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysChroot};
184 caps.push_back(Credentials::Capability::SYS_CHROOT);
185 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); 184 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
186 185
187 CHECK(!Credentials::HasCapability(Credentials::Capability::SYS_ADMIN)); 186 CHECK(!Credentials::HasCapability(LinuxCapability::kCapSysAdmin));
188 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT)); 187 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysChroot));
189 188
190 const std::vector<Credentials::Capability> no_caps; 189 const std::vector<LinuxCapability> no_caps;
191 CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps)); 190 CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps));
192 CHECK(!Credentials::HasAnyCapability()); 191 CHECK(!Credentials::HasAnyCapability());
193 } 192 }
194 193
195 SANDBOX_TEST(Credentials, SetCapabilitiesAndChroot) { 194 SANDBOX_TEST(Credentials, SetCapabilitiesAndChroot) {
196 // Probably missing kernel support. 195 // Probably missing kernel support.
197 if (!Credentials::MoveToNewUserNS()) 196 if (!Credentials::MoveToNewUserNS())
198 return; 197 return;
199 198
200 base::ScopedFD proc_fd(ProcUtil::OpenProc()); 199 base::ScopedFD proc_fd(ProcUtil::OpenProc());
201 200
202 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT)); 201 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysChroot));
203 PCHECK(chroot("/") == 0); 202 PCHECK(chroot("/") == 0);
204 203
205 std::vector<Credentials::Capability> caps; 204 const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysChroot};
206 caps.push_back(Credentials::Capability::SYS_CHROOT);
207 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); 205 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
208 PCHECK(chroot("/") == 0); 206 PCHECK(chroot("/") == 0);
209 207
210 CHECK(Credentials::DropAllCapabilities()); 208 CHECK(Credentials::DropAllCapabilities());
211 PCHECK(chroot("/") == -1 && errno == EPERM); 209 PCHECK(chroot("/") == -1 && errno == EPERM);
212 } 210 }
213 211
214 SANDBOX_TEST(Credentials, SetCapabilitiesMatchesLibCap2) { 212 SANDBOX_TEST(Credentials, SetCapabilitiesMatchesLibCap2) {
215 // Probably missing kernel support. 213 // Probably missing kernel support.
216 if (!Credentials::MoveToNewUserNS()) 214 if (!Credentials::MoveToNewUserNS())
217 return; 215 return;
218 216
219 base::ScopedFD proc_fd(ProcUtil::OpenProc()); 217 base::ScopedFD proc_fd(ProcUtil::OpenProc());
220 218
221 std::vector<Credentials::Capability> caps; 219 const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysChroot};
222 caps.push_back(Credentials::Capability::SYS_CHROOT);
223 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); 220 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
224 221
225 ScopedCap actual_cap(cap_get_proc()); 222 ScopedCap actual_cap(cap_get_proc());
226 PCHECK(actual_cap != nullptr); 223 PCHECK(actual_cap != nullptr);
227 224
228 ScopedCap expected_cap(cap_init()); 225 ScopedCap expected_cap(cap_init());
229 PCHECK(expected_cap != nullptr); 226 PCHECK(expected_cap != nullptr);
230 227
231 const cap_value_t allowed_cap = CAP_SYS_CHROOT; 228 const cap_value_t allowed_cap = CAP_SYS_CHROOT;
232 for (const cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) { 229 for (const cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) {
233 PCHECK(cap_set_flag(expected_cap.get(), flag, 1, &allowed_cap, CAP_SET) == 230 PCHECK(cap_set_flag(expected_cap.get(), flag, 1, &allowed_cap, CAP_SET) ==
234 0); 231 0);
235 } 232 }
236 233
237 CHECK_EQ(0, cap_compare(expected_cap.get(), actual_cap.get())); 234 CHECK_EQ(0, cap_compare(expected_cap.get(), actual_cap.get()));
238 } 235 }
239 236
240 } // namespace. 237 } // namespace.
241 238
242 } // namespace sandbox. 239 } // namespace sandbox.
OLDNEW
« no previous file with comments | « sandbox/linux/services/credentials.cc ('k') | sandbox/linux/services/namespace_sandbox.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698