1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <stdio.h> | 9 #include <stdio.h> |
10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
105 SANDBOX_TEST(Credentials, GetCurrentCapString) { | 105 SANDBOX_TEST(Credentials, GetCurrentCapString) { |
106 Credentials creds; | 106 Credentials creds; |
107 CHECK(creds.DropAllCapabilities()); | 107 CHECK(creds.DropAllCapabilities()); |
108 const char kNoCapabilityText[] = "="; | 108 const char kNoCapabilityText[] = "="; |
109 CHECK(*creds.GetCurrentCapString() == kNoCapabilityText); | 109 CHECK(*creds.GetCurrentCapString() == kNoCapabilityText); |
110 } | 110 } |
111 | 111 |
112 SANDBOX_TEST(Credentials, MoveToNewUserNS) { | 112 SANDBOX_TEST(Credentials, MoveToNewUserNS) { |
113 Credentials creds; | 113 Credentials creds; |
114 creds.DropAllCapabilities(); | 114 creds.DropAllCapabilities(); |
115 bool userns_supported = creds.MoveToNewUserNS(); | 115 bool moved_to_new_ns = creds.MoveToNewUserNS(); |
116 fprintf(stdout, "Unprivileged CLONE_NEWUSER supported: %s\n", | 116 fprintf(stdout, |
117 userns_supported ? "true." : "false."); | 117 "Unprivileged CLONE_NEWUSER supported: %s\n", |
| 118 moved_to_new_ns ? "true." : "false."); |
118 fflush(stdout); | 119 fflush(stdout); |
119 if (!userns_supported) { | 120 if (!moved_to_new_ns) { |
120 fprintf(stdout, "This kernel does not support unprivileged namespaces. " | 121 fprintf(stdout, "This kernel does not support unprivileged namespaces. " |
121 "USERNS tests will succeed without running.\n"); | 122 "USERNS tests will succeed without running.\n"); |
122 fflush(stdout); | 123 fflush(stdout); |
123 return; | 124 return; |
124 } | 125 } |
125 CHECK(creds.HasAnyCapability()); | 126 CHECK(creds.HasAnyCapability()); |
126 creds.DropAllCapabilities(); | 127 creds.DropAllCapabilities(); |
127 CHECK(!creds.HasAnyCapability()); | 128 CHECK(!creds.HasAnyCapability()); |
128 } | 129 } |
129 | 130 |
| 131 SANDBOX_TEST(Credentials, SupportsUserNS) { |
| 132 Credentials creds; |
| 133 creds.DropAllCapabilities(); |
| 134 bool user_ns_supported = Credentials::SupportsNewUserNS(); |
| 135 bool moved_to_new_ns = creds.MoveToNewUserNS(); |
| 136 CHECK_EQ(user_ns_supported, moved_to_new_ns); |
| 137 } |
| 138 |
130 SANDBOX_TEST(Credentials, UidIsPreserved) { | 139 SANDBOX_TEST(Credentials, UidIsPreserved) { |
131 Credentials creds; | 140 Credentials creds; |
132 creds.DropAllCapabilities(); | 141 creds.DropAllCapabilities(); |
133 uid_t old_ruid, old_euid, old_suid; | 142 uid_t old_ruid, old_euid, old_suid; |
134 gid_t old_rgid, old_egid, old_sgid; | 143 gid_t old_rgid, old_egid, old_sgid; |
135 PCHECK(0 == getresuid(&old_ruid, &old_euid, &old_suid)); | 144 PCHECK(0 == getresuid(&old_ruid, &old_euid, &old_suid)); |
136 PCHECK(0 == getresgid(&old_rgid, &old_egid, &old_sgid)); | 145 PCHECK(0 == getresgid(&old_rgid, &old_egid, &old_sgid)); |
137 // Probably missing kernel support. | 146 // Probably missing kernel support. |
138 if (!creds.MoveToNewUserNS()) return; | 147 if (!creds.MoveToNewUserNS()) return; |
139 uid_t new_ruid, new_euid, new_suid; | 148 uid_t new_ruid, new_euid, new_suid; |
200 SANDBOX_TEST(Credentials, CannotRegainPrivileges) { | 209 SANDBOX_TEST(Credentials, CannotRegainPrivileges) { |
201 Credentials creds; | 210 Credentials creds; |
202 CHECK(creds.DropAllCapabilities()); | 211 CHECK(creds.DropAllCapabilities()); |
203 // Probably missing kernel support. | 212 // Probably missing kernel support. |
204 if (!creds.MoveToNewUserNS()) return; | 213 if (!creds.MoveToNewUserNS()) return; |
205 CHECK(creds.DropFileSystemAccess()); | 214 CHECK(creds.DropFileSystemAccess()); |
206 CHECK(creds.DropAllCapabilities()); | 215 CHECK(creds.DropAllCapabilities()); |
207 | 216 |
208 // The kernel should now prevent us from regaining capabilities because we | 217 // The kernel should now prevent us from regaining capabilities because we |
209 // are in a chroot. | 218 // are in a chroot. |
| 219 CHECK(!Credentials::SupportsNewUserNS()); |
210 CHECK(!creds.MoveToNewUserNS()); | 220 CHECK(!creds.MoveToNewUserNS()); |
211 } | 221 } |
212 | 222 |
213 } // namespace. | 223 } // namespace. |
214 | 224 |
215 } // namespace sandbox. | 225 } // namespace sandbox. |
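Review bot: The new SupportsUserNS test ignores the result of `creds.DropAllCapabilities();` at new line 133, so if the drop fails the test still proceeds and `CHECK_EQ(user_ns_supported, moved_to_new_ns)` at line 136 may run from a process that still holds capabilities, which is not the precondition the test is meant to pin. GetCurrentCapString (line 107) and CannotRegainPrivileges (line 211) wrap the same call in `CHECK(...)`, while the pre-existing MoveToNewUserNS test at line 114 and UidIsPreserved at line 141 leave it unchecked like the new test. Suggest `CHECK(creds.DropAllCapabilities());` at lines 133 and 114 so a failed drop fails the test rather than silently weakening it. The added `CHECK(!Credentials::SupportsNewUserNS());` at line 219 would also benefit from a sentence in the comment above it, e.g. `// SupportsNewUserNS() must agree with MoveToNewUserNS() here, so a probe` / `// never reports support that an actual move would not get.`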