Menu
▾
▴
Re: [LTP] [PATCH V2] userns01: add capability verification
|
From: Yuan S. <sun...@hu...> - 2015-07-03 09:14:46
|
Hi Jan,
The following link is unaccessible because HuaWei's network
security strategy.
Could you please attach the test.c file for me?
http://fpaste.org/239445/35909330/
Thanks.
Yuan
On 2015/7/3 15:43, Jan Stancek wrote:
>
>
>
> ----- Original Message -----
>> From: "Yuan Sun" <sun...@hu...>
>> To: "Jan Stancek" <jst...@re...>
>> Cc: ltp...@li...
>> Sent: Friday, 3 July, 2015 5:05:39 AM
>> Subject: Re: [PATCH V2] userns01: add capability verification
>>
>> Hi Jan,
>> Interesting. It works well in my environment.
>> What's your environment?
> I'm on RHEL7.1 with 4.0.4 kernel.
>
> Can you please run the following C program: http://fpaste.org/239445/35909330/
> and send me the output?
>
> This is what I get:
>
> # gcc test.c -lcap
> # ./a.out
> ffffffff 0000003f
> ffffffff ffffffff
> cap_compare: 3
>
> Regards,
> Jan
>
>> log:
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns# ./userns01
>> user_namespace1 0 TINFO : USERNS test is running in a new user
>> namespace.
>> user_namespace1 1 TPASS : uid and gid are right
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns#
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns# uname -a
>> Linux p1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014
>> x86_64 x86_64 x86_64 GNU/Linux
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns# cat /etc/issue
>> Ubuntu 14.04.1 LTS \n \l
>>
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns# file /bin/ls
>> /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
>> dynamically linked (uses shared libs), for GNU/Linux 2.6.24,
>> BuildID[sha1]=64d095bc6589dd4bfbf1c6d62ae985385965461b, stripped
>>
>> Thanks.
>> Yuan
>>
>> On 2015/7/2 22:09, Jan Stancek wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Yuan Sun" <sun...@hu...>
>>>> To: jst...@re...
>>>> Cc: ltp...@li...
>>>> Sent: Wednesday, 1 July, 2015 6:22:45 AM
>>>> Subject: [PATCH V2] userns01: add capability verification
>>>>
>>>> Signed-off-by: Yuan Sun <sun...@hu...>
>>>> ---
>>>> testcases/kernel/containers/userns/Makefile | 2 +-
>>>> testcases/kernel/containers/userns/userns01.c | 31
>>>> +++++++++++++++++++++------
>>>> 2 files changed, 26 insertions(+), 7 deletions(-)
>>>>
>>>> diff --git a/testcases/kernel/containers/userns/Makefile
>>>> b/testcases/kernel/containers/userns/Makefile
>>>> index 9f67216..8370bff 100644
>>>> --- a/testcases/kernel/containers/userns/Makefile
>>>> +++ b/testcases/kernel/containers/userns/Makefile
>>>> @@ -21,6 +21,6 @@ top_srcdir ?= ../../../..
>>>> include $(top_srcdir)/include/mk/testcases.mk
>>>> include $(abs_srcdir)/../Makefile.inc
>>>>
>>>> -LDLIBS := -lclone -lltp
>>>> +LDLIBS := -lclone -lltp $(CAP_LIBS)
>>>>
>>>> include $(top_srcdir)/include/mk/generic_leaf_target.mk
>>>> diff --git a/testcases/kernel/containers/userns/userns01.c
>>>> b/testcases/kernel/containers/userns/userns01.c
>>>> index 9cada5e..a9012ac 100644
>>>> --- a/testcases/kernel/containers/userns/userns01.c
>>>> +++ b/testcases/kernel/containers/userns/userns01.c
>>>> @@ -15,7 +15,9 @@
>>>> * Verify that:
>>>> * If a user ID has no mapping inside the namespace, user ID and group
>>>> * ID will be the value defined in the file
>>>> /proc/sys/kernel/overflowuid(65534)
>>>> - * and /proc/sys/kernel/overflowgid(65534).
>>>> + * and /proc/sys/kernel/overflowgid(65534). A child process has a full
>>>> set
>>>> + * of permitted and effective capabilities, even though the program was
>>>> + * run from an unprivileged account.
>>>> */
>>>>
>>>> #define _GNU_SOURCE
>>>> @@ -29,6 +31,12 @@
>>>> #include "test.h"
>>>> #include "libclone.h"
>>>> #include "userns_helper.h"
>>>> +#include "config.h"
>>>> +#if HAVE_SYS_CAPABILITY_H
>>>> +#include <linux/types.h>
>>>> +#include <sys/capability.h>
>>>> +#endif
>>>> +
>>>> #define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid"
>>>> #define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid"
>>>>
>>>> @@ -43,21 +51,30 @@ static long overflowgid;
>>>> */
>>>> static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED)
>>>> {
>>>> - int exit_val;
>>>> + int exit_val = 0;
>>>> int uid, gid;
>>>> +#ifdef HAVE_LIBCAP
>>>> + cap_t caps, expectedcaps;
>>>> +#endif
>>>>
>>>> uid = geteuid();
>>>> gid = getegid();
>>>>
>>>> tst_resm(TINFO, "USERNS test is running in a new user namespace.");
>>>> - if (uid == overflowuid && gid == overflowgid) {
>>>> - printf("Got expected uid and gid\n");
>>>> - exit_val = 0;
>>>> - } else {
>>>> +
>>>> + if (uid != overflowuid || gid != overflowgid) {
>>>> printf("Got unexpected result of uid=%d gid=%d\n", uid, gid);
>>>> exit_val = 1;
>>>> }
>>>>
>>>> +#ifdef HAVE_LIBCAP
>>>> + caps = cap_get_proc();
>>>> + expectedcaps = cap_from_text("=ep");
>>>> + if (cap_compare(caps, expectedcaps) != 0)
>>> Does this work for you? I'm getting failures.
>>> It seems that cap_from_text sets all bits in the set,
>>> not just those capabilities that are <= CAP_LAST_CAP
>>> and the comparison compares all bits.
>>>
>>> Regards,
>>> Jan
>>>
>>>> + exit_val = 1;
>>>> +#else
>>>> + printf("System doesn't support capabilities.\n");
>>>> +#endif
>>>> return exit_val;
>>>> }
>>>>
>>>> @@ -96,3 +113,5 @@ int main(int argc, char *argv[])
>>>> tst_exit();
>>>> }
>>>>
>>>> +
>>>> +
>>>> --
>>>> 1.9.1
>>>>
>>>>
>>> .
>>>
>>
> .
>
|