OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <stdio.h> | 9 #include <stdio.h> |
10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
11 #include <sys/types.h> | 11 #include <sys/types.h> |
12 #include <unistd.h> | 12 #include <unistd.h> |
13 | 13 |
| 14 #include <vector> |
| 15 |
14 #include "base/files/file_path.h" | 16 #include "base/files/file_path.h" |
15 #include "base/files/file_util.h" | 17 #include "base/files/file_util.h" |
16 #include "base/files/scoped_file.h" | 18 #include "base/files/scoped_file.h" |
17 #include "base/logging.h" | 19 #include "base/logging.h" |
18 #include "base/memory/scoped_ptr.h" | 20 #include "base/memory/scoped_ptr.h" |
19 #include "sandbox/linux/services/proc_util.h" | 21 #include "sandbox/linux/services/proc_util.h" |
20 #include "sandbox/linux/tests/unit_tests.h" | 22 #include "sandbox/linux/tests/unit_tests.h" |
21 #include "testing/gtest/include/gtest/gtest.h" | 23 #include "testing/gtest/include/gtest/gtest.h" |
22 | 24 |
23 namespace sandbox { | 25 namespace sandbox { |
(...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
154 if (!Credentials::MoveToNewUserNS()) return; | 156 if (!Credentials::MoveToNewUserNS()) return; |
155 CHECK(Credentials::DropFileSystemAccess(proc_fd.get())); | 157 CHECK(Credentials::DropFileSystemAccess(proc_fd.get())); |
156 CHECK(Credentials::DropAllCapabilities(proc_fd.get())); | 158 CHECK(Credentials::DropAllCapabilities(proc_fd.get())); |
157 | 159 |
158 // The kernel should now prevent us from regaining capabilities because we | 160 // The kernel should now prevent us from regaining capabilities because we |
159 // are in a chroot. | 161 // are in a chroot. |
160 CHECK(!Credentials::CanCreateProcessInNewUserNS()); | 162 CHECK(!Credentials::CanCreateProcessInNewUserNS()); |
161 CHECK(!Credentials::MoveToNewUserNS()); | 163 CHECK(!Credentials::MoveToNewUserNS()); |
162 } | 164 } |
163 | 165 |
| 166 SANDBOX_TEST(Credentials, SetCapabilities) { |
| 167 // Probably missing kernel support. |
| 168 if (!Credentials::MoveToNewUserNS()) return; |
| 169 |
| 170 base::ScopedFD proc_fd(ProcUtil::OpenProc()); |
| 171 |
| 172 CHECK(Credentials::HasCapability(CAP_SYS_ADMIN)); |
| 173 CHECK(Credentials::HasCapability(CAP_SYS_CHROOT)); |
| 174 |
| 175 const std::vector<cap_value_t> caps = {CAP_SYS_CHROOT}; |
| 176 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); |
| 177 |
| 178 CHECK(!Credentials::HasCapability(CAP_SYS_ADMIN)); |
| 179 CHECK(Credentials::HasCapability(CAP_SYS_CHROOT)); |
| 180 |
| 181 const std::vector<cap_value_t> no_caps; |
| 182 CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps)); |
| 183 CHECK(!Credentials::HasAnyCapability()); |
| 184 } |
| 185 |
164 } // namespace. | 186 } // namespace. |
165 | 187 |
166 } // namespace sandbox. | 188 } // namespace sandbox. |
OLD | NEW |