diff options
author | Simon McVittie <smcv@collabora.com> | 2023-02-23 10:02:01 +0000 |
---|---|---|
committer | Simon McVittie <smcv@collabora.com> | 2023-02-23 12:19:38 +0000 |
commit | 2ba9a9af913ffdb319f9523074e4863849ba5065 (patch) | |
tree | 59c5b74b15b07e10e27371ac1e4a9afafc04b563 | |
parent | 140936fd73937b105051f978f9443c3b1c7253dc (diff) | |
download | bubblewrap-2ba9a9af913ffdb319f9523074e4863849ba5065.tar.gz |
tests: Try harder to evade --disable-userns
The worst-case scenario in terms of enforcing --disable-userns is that
we're retaining all capabilities, so test that too, to make sure that
the option is genuinely restricting even a privileged user.
Signed-off-by: Simon McVittie <smcv@collabora.com>
-rwxr-xr-x | tests/test-run.sh | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/test-run.sh b/tests/test-run.sh index 171e5d4..a90f0b1 100755 --- a/tests/test-run.sh +++ b/tests/test-run.sh @@ -132,6 +132,15 @@ else $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 2 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true" $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 100 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true" $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "! $BWRAP --unshare-user --dev-bind / / --assert-userns-disabled -- true" + + $BWRAP_RECURSE --dev-bind / / -- true + ! $BWRAP_RECURSE --assert-userns-disabled --dev-bind / / -- true + $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- true + ! $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- /proc/self/exe --dev-bind / / -- true + $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 2 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true" + $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 100 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true" + $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- sh -c "! $BWRAP --unshare-user --dev-bind / / --assert-userns-disabled -- true" + echo "ok - can disable nested userns" fi |