Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1009)

Unified Diff: sandbox/linux/services/credentials_unittest.cc

Issue 997463002: Add SetCapabilities for setting capabilities to an exact set. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Respond to comments. Created 5 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: sandbox/linux/services/credentials_unittest.cc
diff --git a/sandbox/linux/services/credentials_unittest.cc b/sandbox/linux/services/credentials_unittest.cc
index 2884e740afef10e3aca7daf1b7cafa1f893bc118..dc085fbc672f6b943ed67f21aa5a99a806a0b09a 100644
--- a/sandbox/linux/services/credentials_unittest.cc
+++ b/sandbox/linux/services/credentials_unittest.cc
@@ -11,6 +11,8 @@
#include <sys/types.h>
#include <unistd.h>
+#include <vector>
+
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/files/scoped_file.h"
@@ -161,6 +163,26 @@ SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(CannotRegainPrivileges)) {
CHECK(!Credentials::MoveToNewUserNS());
}
+SANDBOX_TEST(Credentials, SetCapabilities) {
+ // Probably missing kernel support.
+ if (!Credentials::MoveToNewUserNS()) return;
+
+ base::ScopedFD proc_fd(ProcUtil::OpenProc());
+
+ CHECK(Credentials::HasCapability(CAP_SYS_ADMIN));
+ CHECK(Credentials::HasCapability(CAP_SYS_CHROOT));
+
+ const std::vector<cap_value_t> caps = {CAP_SYS_CHROOT};
+ CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
+
+ CHECK(!Credentials::HasCapability(CAP_SYS_ADMIN));
+ CHECK(Credentials::HasCapability(CAP_SYS_CHROOT));
+
+ const std::vector<cap_value_t> no_caps;
+ CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps));
+ CHECK(!Credentials::HasAnyCapability());
+}
+
} // namespace.
} // namespace sandbox.
« sandbox/linux/services/credentials.cc ('K') | « sandbox/linux/services/credentials.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698