From: Yuan S. <sun...@hu...> - 2015-07-03 09:14:46
Hi Jan, The following link is unaccessible because HuaWei's network security strategy. Could you please attach the test.c file for me? http://fpaste.org/239445/35909330/ Thanks. Yuan On 2015/7/3 15:43, Jan Stancek wrote: > > > > ----- Original Message ----- >> From: "Yuan Sun" <sun...@hu...> >> To: "Jan Stancek" <jst...@re...> >> Cc: ltp...@li... >> Sent: Friday, 3 July, 2015 5:05:39 AM >> Subject: Re: [PATCH V2] userns01: add capability verification >> >> Hi Jan, >> Interesting. It works well in my environment. >> What's your environment? > I'm on RHEL7.1 with 4.0.4 kernel. > > Can you please run the following C program: http://fpaste.org/239445/35909330/ > and send me the output? > > This is what I get: > > # gcc test.c -lcap > # ./a.out > ffffffff 0000003f > ffffffff ffffffff > cap_compare: 3 > > Regards, > Jan > >> log: >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# ./userns01 >> user_namespace1 0 TINFO : USERNS test is running in a new user >> namespace. >> user_namespace1 1 TPASS : uid and gid are right >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# uname -a >> Linux p1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 >> x86_64 x86_64 x86_64 GNU/Linux >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# cat /etc/issue >> Ubuntu 14.04.1 LTS \n \l >> >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# file /bin/ls >> /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), >> dynamically linked (uses shared libs), for GNU/Linux 2.6.24, >> BuildID[sha1]=64d095bc6589dd4bfbf1c6d62ae985385965461b, stripped >> >> Thanks. >> Yuan >> >> On 2015/7/2 22:09, Jan Stancek wrote: >>> >>> >>> ----- Original Message ----- >>>> From: "Yuan Sun" <sun...@hu...> >>>> To: jst...@re... >>>> Cc: ltp...@li... >>>> Sent: Wednesday, 1 July, 2015 6:22:45 AM >>>> Subject: [PATCH V2] userns01: add capability verification 
>>>>
>>>> Signed-off-by: Yuan Sun <sun...@hu...>
>>>> ---
>>>> testcases/kernel/containers/userns/Makefile | 2 +-
>>>> testcases/kernel/containers/userns/userns01.c | 31
>>>> +++++++++++++++++++++------
>>>> 2 files changed, 26 insertions(+), 7 deletions(-)
>>>>
>>>> diff --git a/testcases/kernel/containers/userns/Makefile
>>>> b/testcases/kernel/containers/userns/Makefile
>>>> index 9f67216..8370bff 100644
>>>> --- a/testcases/kernel/containers/userns/Makefile
>>>> +++ b/testcases/kernel/containers/userns/Makefile
>>>> @@ -21,6 +21,6 @@ top_srcdir ?= ../../../..
>>>> include $(top_srcdir)/include/mk/testcases.mk
>>>> include $(abs_srcdir)/../Makefile.inc
>>>>
>>>> -LDLIBS := -lclone -lltp
>>>> +LDLIBS := -lclone -lltp $(CAP_LIBS)
>>>>
>>>> include $(top_srcdir)/include/mk/generic_leaf_target.mk
>>>> diff --git a/testcases/kernel/containers/userns/userns01.c
>>>> b/testcases/kernel/containers/userns/userns01.c
>>>> index 9cada5e..a9012ac 100644
>>>> --- a/testcases/kernel/containers/userns/userns01.c
>>>> +++ b/testcases/kernel/containers/userns/userns01.c
>>>> @@ -15,7 +15,9 @@
>>>> * Verify that:
>>>> * If a user ID has no mapping inside the namespace, user ID and group
>>>> * ID will be the value defined in the file
>>>> /proc/sys/kernel/overflowuid(65534)
>>>> - * and /proc/sys/kernel/overflowgid(65534).
>>>> + * and /proc/sys/kernel/overflowgid(65534). A child process has a full
>>>> set
>>>> + * of permitted and effective capabilities, even though the program was
>>>> + * run from an unprivileged account.
>>>> */
>>>>
>>>> #define _GNU_SOURCE
>>>> @@ -29,6 +31,12 @@
>>>> #include "test.h"
>>>> #include "libclone.h"
>>>> #include "userns_helper.h"
>>>> +#include "config.h"
>>>> +#if HAVE_SYS_CAPABILITY_H
>>>> +#include <linux/types.h>
>>>> +#include <sys/capability.h>
>>>> +#endif
>>>> +
>>>> #define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid"
>>>> #define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid"
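Review bot: The includes added in the `@@ -29,6 +31,12 @@` hunk are gated on `#if HAVE_SYS_CAPABILITY_H`, while the code that declares `cap_t` variables and calls the `cap_*` API later in the file is gated on `#ifdef HAVE_LIBCAP`; both presumably come from the `config.h` this hunk includes, but nothing visible here ties the two together. A configuration where one is set and the other is not would either fail to compile (API used, header not included) or silently skip the capability check while still linking `$(CAP_LIBS)`. Gate the header block on the same condition as its users, e.g. `#ifdef HAVE_LIBCAP` around the three include lines, so the header and the code that needs it are enabled together.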
>>>>
>>>> @@ -43,21 +51,30 @@ static long overflowgid;
>>>> */
>>>> static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED)
>>>> {
>>>> - int exit_val;
>>>> + int exit_val = 0;
>>>> int uid, gid;
>>>> +#ifdef HAVE_LIBCAP
>>>> + cap_t caps, expectedcaps;
>>>> +#endif
>>>>
>>>> uid = geteuid();
>>>> gid = getegid();
>>>>
>>>> tst_resm(TINFO, "USERNS test is running in a new user namespace.");
>>>> - if (uid == overflowuid && gid == overflowgid) {
>>>> - printf("Got expected uid and gid\n");
>>>> - exit_val = 0;
>>>> - } else {
>>>> +
>>>> + if (uid != overflowuid || gid != overflowgid) {
>>>> printf("Got unexpected result of uid=%d gid=%d\n", uid, gid);
>>>> exit_val = 1;
>>>> }
>>>>
>>>> +#ifdef HAVE_LIBCAP
>>>> + caps = cap_get_proc();
>>>> + expectedcaps = cap_from_text("=ep");
>>>> + if (cap_compare(caps, expectedcaps) != 0)
>>> Does this work for you? I'm getting failures.
>>> It seems that cap_from_text sets all bits in the set,
>>> not just those capabilities that are <= CAP_LAST_CAP
>>> and the comparison compares all bits.
>>>
>>> Regards,
>>> Jan
>>>
>>>> + exit_val = 1;
>>>> +#else
>>>> + printf("System doesn't support capabilities.\n");
>>>> +#endif
>>>> return exit_val;
>>>> }
>>>>
>>>> @@ -96,3 +113,5 @@ int main(int argc, char *argv[])
>>>> tst_exit();
>>>> }
>>>>
>>>> +
>>>> +
>>>> --
>>>> 1.9.1
>>>>
>>>>
>>> .
>>>
>>
> .
> |
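Review bot: In child_fn1 the handles returned by `cap_get_proc()` and `cap_from_text("=ep")` are passed straight to `cap_compare()` without a NULL check and are never released with `cap_free()`; both calls allocate and can fail, so a failure is dereferenced rather than reported, and every run leaks the two handles. The mismatch branch also only sets `exit_val = 1`, whereas the uid/gid branch just above prints what it actually got, so a capability failure leaves no trace of which set the child holds. Checking both handles, printing the child's real set via `cap_to_text()` on mismatch, and freeing the handles afterwards (`cap_free()` accepts NULL in libcap, so the release can be unconditional) makes the failure diagnosable without changing the pass condition; child_fn1 is wholly inside the hunk.
```c
#ifdef HAVE_LIBCAP
	caps = cap_get_proc();
	expectedcaps = cap_from_text("=ep");
	if (caps == NULL || expectedcaps == NULL) {
		printf("cap_get_proc()/cap_from_text() failed\n");
		exit_val = 1;
	} else if (cap_compare(caps, expectedcaps) != 0) {
		char *have = cap_to_text(caps, NULL);

		printf("Got unexpected capabilities: %s\n",
		       have ? have : "(cap_to_text failed)");
		cap_free(have);
		exit_val = 1;
	}
	/* release both handles; cap_free() tolerates a NULL argument */
	cap_free(caps);
	cap_free(expectedcaps);
#else
	/* … unchanged: "System doesn't support capabilities." message … */
#endif
	return exit_val;
```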