Index: sandbox/linux/services/credentials_unittest.cc |
diff --git a/sandbox/linux/services/credentials_unittest.cc b/sandbox/linux/services/credentials_unittest.cc |
index 9160bf7a1ca1b0ac09703b063a215d4369d83f2c..9b792aa8c555990fc2d5bb536189f29b88b3e6fd 100644 |
--- a/sandbox/linux/services/credentials_unittest.cc |
+++ b/sandbox/linux/services/credentials_unittest.cc |
@@ -112,11 +112,12 @@ SANDBOX_TEST(Credentials, GetCurrentCapString) { |
SANDBOX_TEST(Credentials, MoveToNewUserNS) { |
Credentials creds; |
creds.DropAllCapabilities(); |
- bool userns_supported = creds.MoveToNewUserNS(); |
- fprintf(stdout, "Unprivileged CLONE_NEWUSER supported: %s\n", |
- userns_supported ? "true." : "false."); |
+ bool moved_to_new_ns = creds.MoveToNewUserNS(); |
+ fprintf(stdout, |
+ "Unprivileged CLONE_NEWUSER supported: %s\n", |
+ moved_to_new_ns ? "true." : "false."); |
fflush(stdout); |
- if (!userns_supported) { |
+ if (!moved_to_new_ns) { |
fprintf(stdout, "This kernel does not support unprivileged namespaces. " |
"USERNS tests will succeed without running.\n"); |
fflush(stdout); |
@@ -127,6 +128,14 @@ SANDBOX_TEST(Credentials, MoveToNewUserNS) { |
CHECK(!creds.HasAnyCapability()); |
} |
+SANDBOX_TEST(Credentials, SupportsUserNS) { |
+ Credentials creds; |
+ creds.DropAllCapabilities(); |
+ bool user_ns_supported = Credentials::SupportsNewUserNS(); |
+ bool moved_to_new_ns = creds.MoveToNewUserNS(); |
+ CHECK_EQ(user_ns_supported, moved_to_new_ns); |
+} |
+ |
SANDBOX_TEST(Credentials, UidIsPreserved) { |
Credentials creds; |
creds.DropAllCapabilities(); |
@@ -207,6 +216,7 @@ SANDBOX_TEST(Credentials, CannotRegainPrivileges) { |
// The kernel should now prevent us from regaining capabilities because we |
// are in a chroot. |
+ CHECK(!Credentials::SupportsNewUserNS()); |
CHECK(!creds.MoveToNewUserNS()); |
} |