Index: sandbox/linux/services/credentials_unittest.cc |
diff --git a/sandbox/linux/services/credentials_unittest.cc b/sandbox/linux/services/credentials_unittest.cc |
index 2884e740afef10e3aca7daf1b7cafa1f893bc118..dc085fbc672f6b943ed67f21aa5a99a806a0b09a 100644 |
--- a/sandbox/linux/services/credentials_unittest.cc |
+++ b/sandbox/linux/services/credentials_unittest.cc |
@@ -11,6 +11,8 @@ |
#include <sys/types.h> |
#include <unistd.h> |
+#include <vector> |
+ |
#include "base/files/file_path.h" |
#include "base/files/file_util.h" |
#include "base/files/scoped_file.h" |
@@ -161,6 +163,26 @@ SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(CannotRegainPrivileges)) { |
CHECK(!Credentials::MoveToNewUserNS()); |
} |
+SANDBOX_TEST(Credentials, SetCapabilities) { |
+ // Probably missing kernel support. |
+ if (!Credentials::MoveToNewUserNS()) return; |
+ |
+ base::ScopedFD proc_fd(ProcUtil::OpenProc()); |
+ |
+ CHECK(Credentials::HasCapability(CAP_SYS_ADMIN)); |
+ CHECK(Credentials::HasCapability(CAP_SYS_CHROOT)); |
+ |
+ const std::vector<cap_value_t> caps = {CAP_SYS_CHROOT}; |
+ CHECK(Credentials::SetCapabilities(proc_fd.get(), caps)); |
+ |
+ CHECK(!Credentials::HasCapability(CAP_SYS_ADMIN)); |
+ CHECK(Credentials::HasCapability(CAP_SYS_CHROOT)); |
+ |
+ const std::vector<cap_value_t> no_caps; |
+ CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps)); |
+ CHECK(!Credentials::HasAnyCapability()); |
+} |
+ |
} // namespace. |
} // namespace sandbox. |