Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(180)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/services/credentials_unittest.cc

Issue 868233011: Start all children in their own PID namespace. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: More comments. Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/linux/services/credentials.cc ('k') | sandbox/linux/services/namespace_sandbox.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/services/credentials.h" 5 #include "sandbox/linux/services/credentials.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <stdio.h> 9 #include <stdio.h>
10 #include <sys/capability.h> 10 #include <sys/capability.h>
(...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after
170 CHECK(!Credentials::MoveToNewUserNS()); 170 CHECK(!Credentials::MoveToNewUserNS());
171 } 171 }
172 172
173 SANDBOX_TEST(Credentials, SetCapabilities) { 173 SANDBOX_TEST(Credentials, SetCapabilities) {
174 // Probably missing kernel support. 174 // Probably missing kernel support.
175 if (!Credentials::MoveToNewUserNS()) 175 if (!Credentials::MoveToNewUserNS())
176 return; 176 return;
177 177
178 base::ScopedFD proc_fd(ProcUtil::OpenProc()); 178 base::ScopedFD proc_fd(ProcUtil::OpenProc());
179 179
180 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysAdmin)); 180 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_ADMIN));
181 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysChroot)); 181 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT));
182 182
183 const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysChroot}; 183 std::vector<Credentials::Capability> caps;
184 caps.push_back(Credentials::Capability::SYS_CHROOT);
184 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); 185 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
185 186
186 CHECK(!Credentials::HasCapability(LinuxCapability::kCapSysAdmin)); 187 CHECK(!Credentials::HasCapability(Credentials::Capability::SYS_ADMIN));
187 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysChroot)); 188 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT));
188 189
189 const std::vector<LinuxCapability> no_caps; 190 const std::vector<Credentials::Capability> no_caps;
190 CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps)); 191 CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps));
191 CHECK(!Credentials::HasAnyCapability()); 192 CHECK(!Credentials::HasAnyCapability());
192 } 193 }
193 194
194 SANDBOX_TEST(Credentials, SetCapabilitiesAndChroot) { 195 SANDBOX_TEST(Credentials, SetCapabilitiesAndChroot) {
195 // Probably missing kernel support. 196 // Probably missing kernel support.
196 if (!Credentials::MoveToNewUserNS()) 197 if (!Credentials::MoveToNewUserNS())
197 return; 198 return;
198 199
199 base::ScopedFD proc_fd(ProcUtil::OpenProc()); 200 base::ScopedFD proc_fd(ProcUtil::OpenProc());
200 201
201 CHECK(Credentials::HasCapability(LinuxCapability::kCapSysChroot)); 202 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT));
202 PCHECK(chroot("/") == 0); 203 PCHECK(chroot("/") == 0);
203 204
204 const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysChroot}; 205 std::vector<Credentials::Capability> caps;
206 caps.push_back(Credentials::Capability::SYS_CHROOT);
205 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); 207 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
206 PCHECK(chroot("/") == 0); 208 PCHECK(chroot("/") == 0);
207 209
208 CHECK(Credentials::DropAllCapabilities()); 210 CHECK(Credentials::DropAllCapabilities());
209 PCHECK(chroot("/") == -1 && errno == EPERM); 211 PCHECK(chroot("/") == -1 && errno == EPERM);
210 } 212 }
211 213
212 SANDBOX_TEST(Credentials, SetCapabilitiesMatchesLibCap2) { 214 SANDBOX_TEST(Credentials, SetCapabilitiesMatchesLibCap2) {
213 // Probably missing kernel support. 215 // Probably missing kernel support.
214 if (!Credentials::MoveToNewUserNS()) 216 if (!Credentials::MoveToNewUserNS())
215 return; 217 return;
216 218
217 base::ScopedFD proc_fd(ProcUtil::OpenProc()); 219 base::ScopedFD proc_fd(ProcUtil::OpenProc());
218 220
219 const std::vector<LinuxCapability> caps = {LinuxCapability::kCapSysChroot}; 221 std::vector<Credentials::Capability> caps;
222 caps.push_back(Credentials::Capability::SYS_CHROOT);
220 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); 223 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
221 224
222 ScopedCap actual_cap(cap_get_proc()); 225 ScopedCap actual_cap(cap_get_proc());
223 PCHECK(actual_cap != nullptr); 226 PCHECK(actual_cap != nullptr);
224 227
225 ScopedCap expected_cap(cap_init()); 228 ScopedCap expected_cap(cap_init());
226 PCHECK(expected_cap != nullptr); 229 PCHECK(expected_cap != nullptr);
227 230
228 const cap_value_t allowed_cap = CAP_SYS_CHROOT; 231 const cap_value_t allowed_cap = CAP_SYS_CHROOT;
229 for (const cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) { 232 for (const cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) {
230 PCHECK(cap_set_flag(expected_cap.get(), flag, 1, &allowed_cap, CAP_SET) == 233 PCHECK(cap_set_flag(expected_cap.get(), flag, 1, &allowed_cap, CAP_SET) ==
231 0); 234 0);
232 } 235 }
233 236
234 CHECK_EQ(0, cap_compare(expected_cap.get(), actual_cap.get())); 237 CHECK_EQ(0, cap_compare(expected_cap.get(), actual_cap.get()));
235 } 238 }
236 239
237 } // namespace. 240 } // namespace.
238 241
239 } // namespace sandbox. 242 } // namespace sandbox.
OLDNEW
« no previous file with comments | « sandbox/linux/services/credentials.cc ('k') | sandbox/linux/services/namespace_sandbox.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698