
Side by Side Diff: sandbox/linux/services/credentials_unittest.cc

Issue 182453004: Linux Sandbox: add Credentials::SupportsNewUserNS() (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Save errno. Created 6 years, 9 months ago
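--- a/sandbox/linux/services/credentials_unittest.cc
+++ b/sandbox/linux/services/credentials_unittest.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <sys/stat.h>
@@ -105,35 +105,44 @@
 SANDBOX_TEST(Credentials, GetCurrentCapString) {
 Credentials creds;
 CHECK(creds.DropAllCapabilities());
 const char kNoCapabilityText[] = "=";
 CHECK(*creds.GetCurrentCapString() == kNoCapabilityText);
 }
 
 SANDBOX_TEST(Credentials, MoveToNewUserNS) {
 Credentials creds;
 creds.DropAllCapabilities();
-bool userns_supported = creds.MoveToNewUserNS();
-fprintf(stdout, "Unprivileged CLONE_NEWUSER supported: %s\n",
-userns_supported ? "true." : "false.");
+bool moved_to_new_ns = creds.MoveToNewUserNS();
+fprintf(stdout,
+"Unprivileged CLONE_NEWUSER supported: %s\n",
+moved_to_new_ns ? "true." : "false.");
 fflush(stdout);
-if (!userns_supported) {
+if (!moved_to_new_ns) {
 fprintf(stdout, "This kernel does not support unprivileged namespaces. "
 "USERNS tests will succeed without running.\n");
 fflush(stdout);
 return;
 }
 CHECK(creds.HasAnyCapability());
 creds.DropAllCapabilities();
 CHECK(!creds.HasAnyCapability());
 }
 
+SANDBOX_TEST(Credentials, SupportsUserNS) {
+Credentials creds;
+creds.DropAllCapabilities();
+bool user_ns_supported = Credentials::SupportsNewUserNS();
+bool moved_to_new_ns = creds.MoveToNewUserNS();
+CHECK_EQ(user_ns_supported, moved_to_new_ns);
+}
+
 SANDBOX_TEST(Credentials, UidIsPreserved) {
 Credentials creds;
 creds.DropAllCapabilities();
 uid_t old_ruid, old_euid, old_suid;
 gid_t old_rgid, old_egid, old_sgid;
 PCHECK(0 == getresuid(&old_ruid, &old_euid, &old_suid));
 PCHECK(0 == getresgid(&old_rgid, &old_egid, &old_sgid));
 // Probably missing kernel support.
 if (!creds.MoveToNewUserNS()) return;
 uid_t new_ruid, new_euid, new_suid;
@@ -200,16 +209,17 @@
 SANDBOX_TEST(Credentials, CannotRegainPrivileges) {
 Credentials creds;
 CHECK(creds.DropAllCapabilities());
 // Probably missing kernel support.
 if (!creds.MoveToNewUserNS()) return;
 CHECK(creds.DropFileSystemAccess());
 CHECK(creds.DropAllCapabilities());
 
 // The kernel should now prevent us from regaining capabilities because we
 // are in a chroot.
+CHECK(!Credentials::SupportsNewUserNS());
 CHECK(!creds.MoveToNewUserNS());
 }
 
 } // namespace.
 
 } // namespace sandbox.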
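Review bot: The new SupportsUserNS test calls `creds.DropAllCapabilities();` without checking the result, so if the drop fails the probe and the real move are compared with whatever capabilities the test process inherited, and their agreement then says nothing about the unprivileged case the probe is meant to answer. Make it `CHECK(creds.DropAllCapabilities());`, as GetCurrentCapString and CannotRegainPrivileges already do. The skip paths in UidIsPreserved and CannotRegainPrivileges still treat any MoveToNewUserNS() failure as missing kernel support. Assuming SupportsNewUserNS() leaves the calling process unchanged (its implementation is in credentials.cc, not shown here), `if (!Credentials::SupportsNewUserNS()) return;` followed by `CHECK(creds.MoveToNewUserNS());` would keep a real failure from passing silently. UidIsPreserved's body continues past the visible lines.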