| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/services/namespace_sandbox.h" | 5 #include "sandbox/linux/services/namespace_sandbox.h" |
| 6 | 6 |
| 7 #include <sys/types.h> | 7 #include <sys/types.h> |
| 8 #include <sys/wait.h> | 8 #include <sys/wait.h> |
| 9 #include <unistd.h> | 9 #include <unistd.h> |
| 10 | 10 |
| (...skipping 100 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 111 int exit_code = kDummyExitCode; | 111 int exit_code = kDummyExitCode; |
| 112 CHECK(process.WaitForExit(&exit_code)); | 112 CHECK(process.WaitForExit(&exit_code)); |
| 113 CHECK_EQ(0, exit_code); | 113 CHECK_EQ(0, exit_code); |
| 114 return 0; | 114 return 0; |
| 115 } | 115 } |
| 116 | 116 |
| 117 TEST_F(NamespaceSandboxTest, NestedNamespaceSandbox) { | 117 TEST_F(NamespaceSandboxTest, NestedNamespaceSandbox) { |
| 118 TestProc("NestedNamespaceSandbox"); | 118 TestProc("NestedNamespaceSandbox"); |
| 119 } | 119 } |
| 120 | 120 |
| 121 const int kNormalExitCode = 0; |
| 122 const int kSignalTerminationExitCode = 255; |
| 123 |
| 124 // Ensure that CHECK(false) is distinguishable from _exit(kNormalExitCode). |
| 125 // Allowing noise since CHECK(false) will write a stack trace to stderr. |
| 126 SANDBOX_TEST_ALLOW_NOISE(ForkInNewPidNamespace, CheckDoesNotReturnZero) { |
| 127 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| 128 const pid_t pid = NamespaceSandbox::ForkInNewPidNamespace( |
| 129 /*drop_capabilities_in_child=*/true); |
| 130 CHECK_GE(pid, 0); |
| 131 |
| 132 if (pid == 0) { |
| 133 CHECK(false); |
| 134 _exit(kNormalExitCode); |
| 135 } |
| 136 |
| 137 int status; |
| 138 PCHECK(waitpid(pid, &status, 0) == pid); |
| 139 if (WIFEXITED(status)) { |
| 140 CHECK_NE(kNormalExitCode, WEXITSTATUS(status)); |
| 141 } |
| 142 } |
| 143 |
| 144 SANDBOX_TEST(ForkInNewPidNamespace, BasicUsage) { |
| 145 if (!Credentials::CanCreateProcessInNewUserNS()) { |
| 146 return; |
| 147 } |
| 148 |
| 149 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| 150 const pid_t pid = NamespaceSandbox::ForkInNewPidNamespace( |
| 151 /*drop_capabilities_in_child=*/true); |
| 152 CHECK_GE(pid, 0); |
| 153 |
| 154 if (pid == 0) { |
| 155 CHECK_EQ(1, getpid()); |
| 156 CHECK(!Credentials::HasAnyCapability()); |
| 157 _exit(kNormalExitCode); |
| 158 } |
| 159 |
| 160 int status; |
| 161 PCHECK(waitpid(pid, &status, 0) == pid); |
| 162 CHECK(WIFEXITED(status)); |
| 163 CHECK_EQ(kNormalExitCode, WEXITSTATUS(status)); |
| 164 } |
| 165 |
| 166 SANDBOX_TEST(ForkInNewPidNamespace, ExitWithSignal) { |
| 167 if (!Credentials::CanCreateProcessInNewUserNS()) { |
| 168 return; |
| 169 } |
| 170 |
| 171 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| 172 const pid_t pid = NamespaceSandbox::ForkInNewPidNamespace( |
| 173 /*drop_capabilities_in_child=*/true); |
| 174 CHECK_GE(pid, 0); |
| 175 |
| 176 if (pid == 0) { |
| 177 CHECK_EQ(1, getpid()); |
| 178 CHECK(!Credentials::HasAnyCapability()); |
| 179 NamespaceSandbox::InstallTerminationSignalHandler( |
| 180 SIGTERM, kSignalTerminationExitCode); |
| 181 while (true) { |
| 182 raise(SIGTERM); |
| 183 } |
| 184 } |
| 185 |
| 186 int status; |
| 187 PCHECK(waitpid(pid, &status, 0) == pid); |
| 188 CHECK(WIFEXITED(status)); |
| 189 CHECK_EQ(kSignalTerminationExitCode, WEXITSTATUS(status)); |
| 190 } |
| 191 |
| 121 } // namespace | 192 } // namespace |
| 122 | 193 |
| 123 } // namespace sandbox | 194 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 868233011:
Start all children in their own PID namespace. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master