Index: sandbox/linux/services/credentials_unittest.cc |
diff --git a/sandbox/linux/services/credentials_unittest.cc b/sandbox/linux/services/credentials_unittest.cc |
index 2884e740afef10e3aca7daf1b7cafa1f893bc118..9a743d5f5099776a6f5d9652dec95ea20e17ebf3 100644 |
--- a/sandbox/linux/services/credentials_unittest.cc |
+++ b/sandbox/linux/services/credentials_unittest.cc |
@@ -11,12 +11,16 @@ |
#include <sys/types.h> |
#include <unistd.h> |
+#include <vector> |
+ |
#include "base/files/file_path.h" |
#include "base/files/file_util.h" |
#include "base/files/scoped_file.h" |
#include "base/logging.h" |
#include "base/memory/scoped_ptr.h" |
#include "sandbox/linux/services/proc_util.h" |
+#include "sandbox/linux/services/syscall_wrappers.h" |
+#include "sandbox/linux/system_headers/capability.h" |
#include "sandbox/linux/tests/unit_tests.h" |
#include "testing/gtest/include/gtest/gtest.h" |
@@ -48,12 +52,6 @@ SANDBOX_TEST(Credentials, DropAllCaps) { |
CHECK(!Credentials::HasAnyCapability()); |
} |
-SANDBOX_TEST(Credentials, GetCurrentCapString) { |
- CHECK(Credentials::DropAllCapabilities()); |
- const char kNoCapabilityText[] = "="; |
- CHECK(*Credentials::GetCurrentCapString() == kNoCapabilityText); |
-} |
- |
SANDBOX_TEST(Credentials, MoveToNewUserNS) { |
CHECK(Credentials::DropAllCapabilities()); |
bool moved_to_new_ns = Credentials::MoveToNewUserNS(); |
@@ -161,6 +159,26 @@ SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(CannotRegainPrivileges)) { |
CHECK(!Credentials::MoveToNewUserNS()); |
} |
+SANDBOX_TEST(Credentials, SetCapabilities) { |
jln (very slow on Chromium)
2015/03/12 19:24:15
This test is very limited since we're only testing
rickyz (no longer on Chrome)
2015/03/12 23:36:01
Done.
|
+ // Probably missing kernel support. |
+ if (!Credentials::MoveToNewUserNS()) return; |
+ |
+ base::ScopedFD proc_fd(ProcUtil::OpenProc()); |
+ |
+ CHECK(Credentials::HasCapability(CAP_SYS_ADMIN)); |
+ CHECK(Credentials::HasCapability(CAP_SYS_CHROOT)); |
+ |
+ const std::vector<int> caps = {CAP_SYS_CHROOT}; |
+ CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); |
+ |
+ CHECK(!Credentials::HasCapability(CAP_SYS_ADMIN)); |
+ CHECK(Credentials::HasCapability(CAP_SYS_CHROOT)); |
+ |
+ const std::vector<int> no_caps; |
+ CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps)); |
+ CHECK(!Credentials::HasAnyCapability()); |
+} |
+ |
} // namespace. |
jln (very slow on Chromium)
2015/03/12 19:24:15
For paranoia, what would you think of keeping libc
rickyz (no longer on Chrome)
2015/03/12 23:36:01
Good idea, done.
|
} // namespace sandbox. |
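Review bot: In the new SetCapabilities test, `proc_fd` is handed to `Credentials::SetCapabilities()` without first confirming that `ProcUtil::OpenProc()` succeeded. A failed open would then surface as an unexplained CHECK failure in the capability call rather than at the open itself; adding `CHECK(proc_fd.is_valid());` directly after the ScopedFD is constructed would pin it down. Separately, the early `return` when `MoveToNewUserNS()` fails lets the test pass without exercising any capability-dropping logic, so on kernels without user-namespace support nothing shows that this privilege-reduction path went unverified. A log line at that return, for example `LOG(WARNING) << "User namespaces unavailable; SetCapabilities not exercised";`, would make the skipped coverage visible in test output.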