sandbox/linux/services/namespace_utils_unittest.cc

   1 // Copyright 2015 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/linux/services/namespace_utils.h"
   6
   7 #include <errno.h>
   8 #include <sched.h>
   9 #include <sys/types.h>
  10 #include <sys/wait.h>
  11
  12 #include "base/logging.h"
  13 #include "base/posix/eintr_wrapper.h"
  14 #include "base/process/launch.h"
  15 #include "sandbox/linux/services/credentials.h"
  16 #include "sandbox/linux/tests/unit_tests.h"
  17 #include "testing/gtest/include/gtest/gtest.h"
  18
  19 namespace sandbox {
  20
  21 namespace {
  22
  23 SANDBOX_TEST(NamespaceUtils, KernelSupportsUnprivilegedNamespace) {
  24   const bool can_create_user_ns = Credentials::CanCreateProcessInNewUserNS();
  25   const bool supports_user_ns =
  26       NamespaceUtils::KernelSupportsUnprivilegedNamespace(CLONE_NEWUSER);
  27   // can_create_user_ns implies supports_user_ns, but the converse is not
  28   // necessarily true, as creating a user namespace can fail for various
  29   // reasons.
  30   if (can_create_user_ns) {
  31     SANDBOX_ASSERT(supports_user_ns);
  32   }
  33 }
  34
  35 SANDBOX_TEST(NamespaceUtils, WriteToIdMapFile) {
  36   if (!Credentials::CanCreateProcessInNewUserNS()) {
  37     return;
  38   }
  39
  40   const uid_t uid = getuid();
  41   const gid_t gid = getgid();
  42
  43   const bool supports_deny_setgroups =
  44       NamespaceUtils::KernelSupportsDenySetgroups();
  45
  46   const pid_t pid =
  47       base::ForkWithFlags(CLONE_NEWUSER | SIGCHLD, nullptr, nullptr);
  48   ASSERT_NE(-1, pid);
  49   if (pid == 0) {
  50     if (supports_deny_setgroups) {
  51       RAW_CHECK(NamespaceUtils::DenySetgroups());
  52     }
  53
  54     RAW_CHECK(getuid() != uid);
  55     RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/uid_map", uid));
  56     RAW_CHECK(getuid() == uid);
  57
  58     RAW_CHECK(getgid() != gid);
  59     RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid));
  60     RAW_CHECK(getgid() == gid);
  61
  62     _exit(0);
  63   }
  64
  65   int status = 42;
  66   SANDBOX_ASSERT_EQ(pid, HANDLE_EINTR(waitpid(pid, &status, 0)));
  67   SANDBOX_ASSERT_EQ(0, status);
  68 }
  69
  70 }  // namespace.
  71
  72 }  // namespace sandbox.