diff options
| author | Ismo Puustinen <ismo.puustinen@intel.com> | 2016-01-05 13:34:41 +0200 | 
|---|---|---|
| committer | Ismo Puustinen <ismo.puustinen@intel.com> | 2016-01-12 12:14:50 +0200 | 
| commit | 70d7aea5c7270764ee71d6828e76402001afed13 (patch) | |
| tree | 57c25dddc2f558e19cebda3a5ec4a2eb9f6600b0 /src | |
| parent | 755d4b67a471ed1a3472b8536cb51315d4e4e3c1 (diff) | |
tests: test ambient capabilities.
The ambient capability tests are only run if the kernel has support for
ambient capabilities.
Diffstat (limited to 'src')
| -rw-r--r-- | src/test/test-capability.c | 68 | ||||
| -rw-r--r-- | src/test/test-execute.c | 16 | 
2 files changed, 82 insertions, 2 deletions
| diff --git a/src/test/test-capability.c b/src/test/test-capability.c index fc8d3ffe0d..629bb63c81 100644 --- a/src/test/test-capability.c +++ b/src/test/test-capability.c @@ -20,6 +20,7 @@  #include <netinet/in.h>  #include <pwd.h>  #include <sys/capability.h> +#include <sys/prctl.h>  #include <sys/socket.h>  #include <sys/wait.h>  #include <unistd.h> @@ -66,8 +67,9 @@ static void show_capabilities(void) {          cap_free(text);  } -static int setup_tests(void) { +static int setup_tests(bool *run_ambient) {          struct passwd *nobody; +        int r;          nobody = getpwnam("nobody");          if (!nobody) { @@ -77,6 +79,18 @@ static int setup_tests(void) {          test_uid = nobody->pw_uid;          test_gid = nobody->pw_gid; +        *run_ambient = false; + +        r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); + +        /* There's support for PR_CAP_AMBIENT if the prctl() call +         * succeeded or error code was something else than EINVAL. The +         * EINVAL check should be good enough to rule out false +         * positives. */ + +        if (r >= 0 || errno != EINVAL) +                *run_ambient = true; +          return 0;  } @@ -140,8 +154,53 @@ static void test_have_effective_cap(void) {          assert_se(!have_effective_cap(CAP_CHOWN));  } +static void test_update_inherited_set(void) { +        cap_t caps; +        uint64_t set = 0; +        cap_flag_value_t fv; + +        caps = cap_get_proc(); +        assert_se(caps); +        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); +        assert(fv == CAP_CLEAR); + +        set = (UINT64_C(1) << CAP_CHOWN); + +        assert_se(!capability_update_inherited_set(caps, set)); +        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); +        assert(fv == CAP_SET); + +        cap_free(caps); +} + +static void test_set_ambient_caps(void) { +        cap_t caps; +        uint64_t set = 0; +        cap_flag_value_t fv; + +        caps = cap_get_proc(); +        assert_se(caps); +        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); +        assert(fv == CAP_CLEAR); +        cap_free(caps); + +        assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0); + +        set = (UINT64_C(1) << CAP_CHOWN); + +        assert_se(!capability_ambient_set_apply(set, true)); + +        caps = cap_get_proc(); +        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); +        assert(fv == CAP_SET); +        cap_free(caps); + +        assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1); +} +  int main(int argc, char *argv[]) {          int r; +        bool run_ambient;          log_parse_environment();          log_open(); @@ -149,14 +208,19 @@ int main(int argc, char *argv[]) {          if (getuid() != 0)                  return EXIT_TEST_SKIP; -        r = setup_tests(); +        r = setup_tests(&run_ambient);          if (r < 0)                  return -r;          show_capabilities();          test_drop_privileges(); +        test_update_inherited_set(); +          fork_test(test_have_effective_cap); +        if (run_ambient) +                fork_test(test_set_ambient_caps); +          return 0;  } diff --git a/src/test/test-execute.c b/src/test/test-execute.c index 753afadb0a..92857cb5e2 100644 --- a/src/test/test-execute.c +++ b/src/test/test-execute.c @@ -20,6 +20,7 @@  #include <grp.h>  #include <pwd.h>  #include <stdio.h> +#include <sys/prctl.h>  #include <sys/types.h>  #include "fileio.h" @@ -224,6 +225,20 @@ static void test_exec_capabilityboundingset(Manager *m) {          test(m, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED);  } +static void test_exec_capabilityambientset(Manager *m) { +        int r; + +        /* Check if the kernel has support for ambient capabilities. Run +         * the tests only if that's the case. Clearing all ambient +         * capabilities is fine, since we are expecting them to be unset +         * in the first place for the tests. */ +        r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); +        if (r >= 0 || errno != EINVAL) { +                test(m, "exec-capabilityambientset.service", 0, CLD_EXITED); +                test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED); +        } +} +  static void test_exec_privatenetwork(Manager *m) {          int r; @@ -266,6 +281,7 @@ int main(int argc, char *argv[]) {                  test_exec_umask,                  test_exec_runtimedirectory,                  test_exec_capabilityboundingset, +                test_exec_capabilityambientset,                  test_exec_oomscoreadjust,                  test_exec_ioschedulingclass,                  NULL, | 
