
Side by Side Diff: sandbox/linux/services/credentials_unittest.cc

Issue 835623005: Remove the open directory fd check. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Respond to comments. Created 5 years, 11 months ago
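--- a/sandbox/linux/services/credentials_unittest.cc
+++ b/sandbox/linux/services/credentials_unittest.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <sys/stat.h>
@@ -65,48 +65,48 @@
 
 SANDBOX_TEST(Credentials, GetCurrentCapString) {
 Credentials creds;
 CHECK(creds.DropAllCapabilities());
 const char kNoCapabilityText[] = "=";
 CHECK(*creds.GetCurrentCapString() == kNoCapabilityText);
 }
 
 SANDBOX_TEST(Credentials, MoveToNewUserNS) {
 Credentials creds;
-creds.DropAllCapabilities();
+CHECK(creds.DropAllCapabilities());
 bool moved_to_new_ns = creds.MoveToNewUserNS();
 fprintf(stdout,
 "Unprivileged CLONE_NEWUSER supported: %s\n",
 moved_to_new_ns ? "true." : "false.");
 fflush(stdout);
 if (!moved_to_new_ns) {
 fprintf(stdout, "This kernel does not support unprivileged namespaces. "
 "USERNS tests will succeed without running.\n");
 fflush(stdout);
 return;
 }
 CHECK(creds.HasAnyCapability());
-creds.DropAllCapabilities();
+CHECK(creds.DropAllCapabilities());
 CHECK(!creds.HasAnyCapability());
 }
 
 SANDBOX_TEST(Credentials, SupportsUserNS) {
 Credentials creds;
-creds.DropAllCapabilities();
+CHECK(creds.DropAllCapabilities());
 bool user_ns_supported = Credentials::SupportsNewUserNS();
 bool moved_to_new_ns = creds.MoveToNewUserNS();
 CHECK_EQ(user_ns_supported, moved_to_new_ns);
 }
 
 SANDBOX_TEST(Credentials, UidIsPreserved) {
 Credentials creds;
-creds.DropAllCapabilities();
+CHECK(creds.DropAllCapabilities());
 uid_t old_ruid, old_euid, old_suid;
 gid_t old_rgid, old_egid, old_sgid;
 PCHECK(0 == getresuid(&old_ruid, &old_euid, &old_suid));
 PCHECK(0 == getresgid(&old_rgid, &old_egid, &old_sgid));
 // Probably missing kernel support.
 if (!creds.MoveToNewUserNS()) return;
 uid_t new_ruid, new_euid, new_suid;
 PCHECK(0 == getresuid(&new_ruid, &new_euid, &new_suid));
 CHECK(old_ruid == new_ruid);
 CHECK(old_euid == new_euid);
@@ -128,21 +128,21 @@
 return false;
 }
 return true;
 }
 
 SANDBOX_TEST(Credentials, NestedUserNS) {
 Credentials creds;
 CHECK(creds.DropAllCapabilities());
 // Probably missing kernel support.
 if (!creds.MoveToNewUserNS()) return;
-creds.DropAllCapabilities();
+CHECK(creds.DropAllCapabilities());
 // As of 3.12, the kernel has a limit of 32. See create_user_ns().
 const int kNestLevel = 10;
 for (int i = 0; i < kNestLevel; ++i) {
 CHECK(NewUserNSCycle(&creds)) << "Creating new user NS failed at iteration "
 << i << ".";
 }
 }
 
 // Test the WorkingDirectoryIsRoot() helper.
 TEST(Credentials, CanDetectRoot) {
@@ -177,10 +177,10 @@
 
 // The kernel should now prevent us from regaining capabilities because we
 // are in a chroot.
 CHECK(!Credentials::SupportsNewUserNS());
 CHECK(!creds.MoveToNewUserNS());
 }
 
 } // namespace.
 
 } // namespace sandbox.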
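Review bot: In NestedUserNS the second `CHECK(creds.DropAllCapabilities());` (new line 138) is not followed by any check of the resulting capability state, whereas MoveToNewUserNS asserts `CHECK(!creds.HasAnyCapability());` right after the same call at new lines 88-89. Adding that line after 138 would make the nesting loop start from a verified capability-free state rather than relying on the boolean return alone. It would also help to put a short comment on one of the new CHECKs, for example `// A failed drop must abort: the rest of the test assumes no capabilities are held.`, so the reason the return value is now fatal is recorded. The body of NewUserNSCycle is only partly visible here, so whether it already asserts this is not something these hunks show.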