diff options
| author | Lennart Poettering <lennart@poettering.net> | 2023-02-22 13:05:44 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2023-02-22 23:45:40 +0100 |
| commit | a649419aae0f24990186eaec5a11bbc169ff8c7d (patch) | |
| tree | 008f4e19a2de3f1d33e5bc86c7ee98de2b7db657 /src/test/test-capability.c | |
| parent | 66c1e440c70345751181f335210eaf8195e958d5 (diff) | |
| download | systemd-a649419aae0f24990186eaec5a11bbc169ff8c7d.tar.gz | |
capability-util: add new capability_get_ambient() helper
Diffstat (limited to 'src/test/test-capability.c')
| -rw-r--r-- | src/test/test-capability.c | 55 |
1 files changed, 54 insertions, 1 deletions
diff --git a/src/test/test-capability.c b/src/test/test-capability.c index dbb258c7d2..e989065f49 100644 --- a/src/test/test-capability.c +++ b/src/test/test-capability.c @@ -17,6 +17,7 @@ #include "macro.h" #include "missing_prctl.h" #include "parse-util.h" +#include "process-util.h" #include "string-util.h" #include "tests.h" @@ -247,10 +248,60 @@ static void test_ensure_cap_64bit(void) { assert_cc(CAP_LAST_CAP <= 63); } +static void test_capability_get_ambient(void) { + uint64_t c; + int r; + + assert_se(capability_get_ambient(&c) >= 0); + + r = safe_fork("(getambient)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_WAIT|FORK_LOG, NULL); + assert_se(r >= 0); + + if (r == 0) { + int x, y; + /* child */ + assert_se(capability_get_ambient(&c) >= 0); + + x = capability_ambient_set_apply( + (UINT64_C(1) << CAP_MKNOD)| + (UINT64_C(1) << CAP_LINUX_IMMUTABLE), + /* also_inherit= */ true); + assert_se(x >= 0 || ERRNO_IS_PRIVILEGE(x)); + + assert_se(capability_get_ambient(&c) >= 0); + assert_se(x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_MKNOD)); + assert_se(x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)); + assert_se(x < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_SETPCAP)); + + y = capability_bounding_set_drop( + ((UINT64_C(1) << CAP_LINUX_IMMUTABLE)| + (UINT64_C(1) << CAP_SETPCAP)), + /* right_now= */ true); + assert_se(y >= 0 || ERRNO_IS_PRIVILEGE(y)); + + assert_se(capability_get_ambient(&c) >= 0); + assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_MKNOD)); + assert_se(x < 0 || y < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)); + assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_SETPCAP)); + + y = capability_bounding_set_drop( + (UINT64_C(1) << CAP_SETPCAP), + /* right_now= */ true); + assert_se(y >= 0 || ERRNO_IS_PRIVILEGE(y)); + + assert_se(capability_get_ambient(&c) >= 0); + assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_MKNOD)); + assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)); + assert_se(x < 0 || y < 0 || !FLAGS_SET(c, UINT64_C(1) << CAP_SETPCAP)); + + _exit(EXIT_SUCCESS); + } +} + int main(int argc, char *argv[]) { bool run_ambient; - test_setup_logging(LOG_INFO); + test_setup_logging(LOG_DEBUG); test_ensure_cap_64bit(); @@ -275,5 +326,7 @@ int main(int argc, char *argv[]) { if (run_ambient) fork_test(test_apply_ambient_caps); + test_capability_get_ambient(); + return 0; } |