| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <stdio.h> | 9 #include <stdio.h> |
| 10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
| 11 #include <sys/types.h> | 11 #include <sys/types.h> |
| 12 #include <unistd.h> | 12 #include <unistd.h> |
| 13 | 13 |
| 14 #include <vector> |
| 15 |
| 14 #include "base/files/file_path.h" | 16 #include "base/files/file_path.h" |
| 15 #include "base/files/file_util.h" | 17 #include "base/files/file_util.h" |
| 16 #include "base/files/scoped_file.h" | 18 #include "base/files/scoped_file.h" |
| 17 #include "base/logging.h" | 19 #include "base/logging.h" |
| 18 #include "base/memory/scoped_ptr.h" | 20 #include "base/memory/scoped_ptr.h" |
| 19 #include "sandbox/linux/services/proc_util.h" | 21 #include "sandbox/linux/services/proc_util.h" |
| 20 #include "sandbox/linux/tests/unit_tests.h" | 22 #include "sandbox/linux/tests/unit_tests.h" |
| 21 #include "testing/gtest/include/gtest/gtest.h" | 23 #include "testing/gtest/include/gtest/gtest.h" |
| 22 | 24 |
| 23 namespace sandbox { | 25 namespace sandbox { |
| (...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 154 if (!Credentials::MoveToNewUserNS()) return; | 156 if (!Credentials::MoveToNewUserNS()) return; |
| 155 CHECK(Credentials::DropFileSystemAccess(proc_fd.get())); | 157 CHECK(Credentials::DropFileSystemAccess(proc_fd.get())); |
| 156 CHECK(Credentials::DropAllCapabilities(proc_fd.get())); | 158 CHECK(Credentials::DropAllCapabilities(proc_fd.get())); |
| 157 | 159 |
| 158 // The kernel should now prevent us from regaining capabilities because we | 160 // The kernel should now prevent us from regaining capabilities because we |
| 159 // are in a chroot. | 161 // are in a chroot. |
| 160 CHECK(!Credentials::CanCreateProcessInNewUserNS()); | 162 CHECK(!Credentials::CanCreateProcessInNewUserNS()); |
| 161 CHECK(!Credentials::MoveToNewUserNS()); | 163 CHECK(!Credentials::MoveToNewUserNS()); |
| 162 } | 164 } |
| 163 | 165 |
| 166 SANDBOX_TEST(Credentials, SetCapabilities) { |
| 167 // Probably missing kernel support. |
| 168 if (!Credentials::MoveToNewUserNS()) return; |
| 169 |
| 170 base::ScopedFD proc_fd(ProcUtil::OpenProc()); |
| 171 |
| 172 CHECK(Credentials::HasCapability(CAP_SYS_ADMIN)); |
| 173 CHECK(Credentials::HasCapability(CAP_SYS_CHROOT)); |
| 174 |
| 175 const std::vector<cap_value_t> caps = {CAP_SYS_CHROOT}; |
| 176 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); |
| 177 |
| 178 CHECK(!Credentials::HasCapability(CAP_SYS_ADMIN)); |
| 179 CHECK(Credentials::HasCapability(CAP_SYS_CHROOT)); |
| 180 |
| 181 const std::vector<cap_value_t> no_caps; |
| 182 CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps)); |
| 183 CHECK(!Credentials::HasAnyCapability()); |
| 184 } |
| 185 |
| 164 } // namespace. | 186 } // namespace. |
| 165 | 187 |
| 166 } // namespace sandbox. | 188 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 997463002:
Add SetCapabilities for setting capabilities to an exact set. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master