Add SetCapabilities for setting capabilities to an exact set.

sandbox/linux/services/credentials_unittest.cc

Index: sandbox/linux/services/credentials_unittest.cc
diff --git a/sandbox/linux/services/credentials_unittest.cc b/sandbox/linux/services/credentials_unittest.cc
index 2884e740afef10e3aca7daf1b7cafa1f893bc118..9a743d5f5099776a6f5d9652dec95ea20e17ebf3 100644
--- a/sandbox/linux/services/credentials_unittest.cc
+++ b/sandbox/linux/services/credentials_unittest.cc
@@ -11,12 +11,16 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#include <vector>
+
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/files/scoped_file.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "sandbox/linux/services/proc_util.h"
+#include "sandbox/linux/services/syscall_wrappers.h"
+#include "sandbox/linux/system_headers/capability.h"
 #include "sandbox/linux/tests/unit_tests.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -48,12 +52,6 @@ SANDBOX_TEST(Credentials, DropAllCaps) {
   CHECK(!Credentials::HasAnyCapability());
 }
 
-SANDBOX_TEST(Credentials, GetCurrentCapString) {
-  CHECK(Credentials::DropAllCapabilities());
-  const char kNoCapabilityText[] = "=";
-  CHECK(*Credentials::GetCurrentCapString() == kNoCapabilityText);
-}
-
 SANDBOX_TEST(Credentials, MoveToNewUserNS) {
   CHECK(Credentials::DropAllCapabilities());
   bool moved_to_new_ns = Credentials::MoveToNewUserNS();
@@ -161,6 +159,26 @@ SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(CannotRegainPrivileges)) {
   CHECK(!Credentials::MoveToNewUserNS());
 }
 
+SANDBOX_TEST(Credentials, SetCapabilities) {

[jln (very slow on Chromium), 2015/03/12 19:24:15]

This test is very limited since we're only testing against our own
implementation.

Could you add a test like above that drops all caps except chroot and then tries
to chroot?

[rickyz (no longer on Chrome), 2015/03/12 23:36:01]

Done.

+  // Probably missing kernel support.
+  if (!Credentials::MoveToNewUserNS()) return;
+
+  base::ScopedFD proc_fd(ProcUtil::OpenProc());
+
+  CHECK(Credentials::HasCapability(CAP_SYS_ADMIN));
+  CHECK(Credentials::HasCapability(CAP_SYS_CHROOT));
+
+  const std::vector<int> caps = {CAP_SYS_CHROOT};
+  CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
+
+  CHECK(!Credentials::HasCapability(CAP_SYS_ADMIN));
+  CHECK(Credentials::HasCapability(CAP_SYS_CHROOT));
+
+  const std::vector<int> no_caps;
+  CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps));
+  CHECK(!Credentials::HasAnyCapability());
+}
+
 }  // namespace.

[jln (very slow on Chromium), 2015/03/12 19:24:15]

For paranoia, what would you think of keeping libcap around for non-problematic
builds and use it in unit tests to cross-check our implementation?

[rickyz (no longer on Chrome), 2015/03/12 23:36:01]

Good idea, done.

 
 }  // namespace sandbox.