Add SetCapabilities for setting capabilities to an exact set.

sandbox/linux/services/credentials_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
 
+#include <vector>
+
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/files/scoped_file.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "sandbox/linux/services/proc_util.h"
+#include "sandbox/linux/services/syscall_wrappers.h"
+#include "sandbox/linux/system_headers/capability.h"
 #include "sandbox/linux/tests/unit_tests.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace sandbox {
 
 namespace {
 
 bool WorkingDirectoryIsRoot() {
   char current_dir[PATH_MAX];
   char* cwd = getcwd(current_dir, sizeof(current_dir));
@@ skipping 11 matching lines @@
   CHECK_EQ(current.st_uid, parrent.st_uid);
   CHECK_EQ(current.st_gid, parrent.st_gid);
   return true;
 }
 
 SANDBOX_TEST(Credentials, DropAllCaps) {
   CHECK(Credentials::DropAllCapabilities());
   CHECK(!Credentials::HasAnyCapability());
 }
 
-SANDBOX_TEST(Credentials, GetCurrentCapString) {
-  CHECK(Credentials::DropAllCapabilities());
-  const char kNoCapabilityText[] = "=";
-  CHECK(*Credentials::GetCurrentCapString() == kNoCapabilityText);
-}
-
 SANDBOX_TEST(Credentials, MoveToNewUserNS) {
   CHECK(Credentials::DropAllCapabilities());
   bool moved_to_new_ns = Credentials::MoveToNewUserNS();
   fprintf(stdout,
           "Unprivileged CLONE_NEWUSER supported: %s\n",
           moved_to_new_ns ? "true." : "false.");
   fflush(stdout);
   if (!moved_to_new_ns) {
     fprintf(stdout, "This kernel does not support unprivileged namespaces. "
             "USERNS tests will succeed without running.\n");
@@ skipping 87 matching lines @@
   if (!Credentials::MoveToNewUserNS()) return;
   CHECK(Credentials::DropFileSystemAccess(proc_fd.get()));
   CHECK(Credentials::DropAllCapabilities(proc_fd.get()));
 
   // The kernel should now prevent us from regaining capabilities because we
   // are in a chroot.
   CHECK(!Credentials::CanCreateProcessInNewUserNS());
   CHECK(!Credentials::MoveToNewUserNS());
 }
 
+SANDBOX_TEST(Credentials, SetCapabilities) {

[jln (very slow on Chromium), 2015/03/12 19:24:15]

This test is very limited since we're only testing against our own
implementation.

Could you add a test like above that drops all caps except chroot and then tries
to chroot?

[rickyz (no longer on Chrome), 2015/03/12 23:36:01]

Done.

+  // Probably missing kernel support.
+  if (!Credentials::MoveToNewUserNS()) return;
+
+  base::ScopedFD proc_fd(ProcUtil::OpenProc());
+
+  CHECK(Credentials::HasCapability(CAP_SYS_ADMIN));
+  CHECK(Credentials::HasCapability(CAP_SYS_CHROOT));
+
+  const std::vector<int> caps = {CAP_SYS_CHROOT};
+  CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
+
+  CHECK(!Credentials::HasCapability(CAP_SYS_ADMIN));
+  CHECK(Credentials::HasCapability(CAP_SYS_CHROOT));
+
+  const std::vector<int> no_caps;
+  CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps));
+  CHECK(!Credentials::HasAnyCapability());
+}
+
 }  // namespace.

[jln (very slow on Chromium), 2015/03/12 19:24:15]

For paranoia, what would you think of keeping libcap around for non-problematic
builds and use it in unit tests to cross-check our implementation?

[rickyz (no longer on Chrome), 2015/03/12 23:36:01]

Good idea, done.

 
 }  // namespace sandbox.