| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <stdio.h> | 9 #include <stdio.h> |
| 10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
| (...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 116 CHECK(Credentials::DropAllCapabilities()); | 116 CHECK(Credentials::DropAllCapabilities()); |
| 117 // As of 3.12, the kernel has a limit of 32. See create_user_ns(). | 117 // As of 3.12, the kernel has a limit of 32. See create_user_ns(). |
| 118 const int kNestLevel = 10; | 118 const int kNestLevel = 10; |
| 119 for (int i = 0; i < kNestLevel; ++i) { | 119 for (int i = 0; i < kNestLevel; ++i) { |
| 120 CHECK(NewUserNSCycle()) << "Creating new user NS failed at iteration " | 120 CHECK(NewUserNSCycle()) << "Creating new user NS failed at iteration " |
| 121 << i << "."; | 121 << i << "."; |
| 122 } | 122 } |
| 123 } | 123 } |
| 124 | 124 |
| 125 // Test the WorkingDirectoryIsRoot() helper. | 125 // Test the WorkingDirectoryIsRoot() helper. |
| 126 TEST(Credentials, CanDetectRoot) { | 126 SANDBOX_TEST(Credentials, CanDetectRoot) { |
| 127 ASSERT_EQ(0, chdir("/proc/")); | 127 PCHECK(0 == chdir("/proc/")); |
| 128 ASSERT_FALSE(WorkingDirectoryIsRoot()); | 128 CHECK(!WorkingDirectoryIsRoot()); |
| 129 ASSERT_EQ(0, chdir("/")); | 129 PCHECK(0 == chdir("/")); |
| 130 ASSERT_TRUE(WorkingDirectoryIsRoot()); | 130 CHECK(WorkingDirectoryIsRoot()); |
| 131 } | 131 } |
| 132 | 132 |
| 133 // Disabled on ASAN because of crbug.com/451603. | 133 // Disabled on ASAN because of crbug.com/451603. |
| 134 SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(DropFileSystemAccessIsSafe)) { | 134 SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(DropFileSystemAccessIsSafe)) { |
| 135 CHECK(Credentials::DropAllCapabilities()); | 135 CHECK(Credentials::DropAllCapabilities()); |
| 136 // Probably missing kernel support. | 136 // Probably missing kernel support. |
| 137 if (!Credentials::MoveToNewUserNS()) return; | 137 if (!Credentials::MoveToNewUserNS()) return; |
| 138 CHECK(Credentials::DropFileSystemAccess()); | 138 CHECK(Credentials::DropFileSystemAccess()); |
| 139 CHECK(!base::DirectoryExists(base::FilePath("/proc"))); | 139 CHECK(!base::DirectoryExists(base::FilePath("/proc"))); |
| 140 CHECK(WorkingDirectoryIsRoot()); | 140 CHECK(WorkingDirectoryIsRoot()); |
| (...skipping 14 matching lines...) Expand all Loading... |
| 155 | 155 |
| 156 // The kernel should now prevent us from regaining capabilities because we | 156 // The kernel should now prevent us from regaining capabilities because we |
| 157 // are in a chroot. | 157 // are in a chroot. |
| 158 CHECK(!Credentials::CanCreateProcessInNewUserNS()); | 158 CHECK(!Credentials::CanCreateProcessInNewUserNS()); |
| 159 CHECK(!Credentials::MoveToNewUserNS()); | 159 CHECK(!Credentials::MoveToNewUserNS()); |
| 160 } | 160 } |
| 161 | 161 |
| 162 } // namespace. | 162 } // namespace. |
| 163 | 163 |
| 164 } // namespace sandbox. | 164 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 903273002:
Update from https://crrev.com/315085 (Closed)
Base URL: git@github.com:domokit/mojo.git@master