A child process has a full set of permitted and effective capabilities, even though the program was run from an unprivileged account.
Signed-off-by: Yuan Sun <sunyu...@huawei.com>
---
 testcases/kernel/containers/userns/Makefile | 2 +-
 testcases/kernel/containers/userns/userns01.c | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/testcases/kernel/containers/userns/Makefile b/testcases/kernel/containers/userns/Makefile
index 9f67216..20a0677 100644
--- a/testcases/kernel/containers/userns/Makefile
+++ b/testcases/kernel/containers/userns/Makefile
@@ -21,6 +21,6 @@ top_srcdir ?= ../../../..
 include $(top_srcdir)/include/mk/testcases.mk
 include $(abs_srcdir)/../Makefile.inc
-LDLIBS := -lclone -lltp
+LDLIBS := -lclone -lltp -lcap
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/containers/userns/userns01.c b/testcases/kernel/containers/userns/userns01.c
index 9cada5e..ca4815a 100644
--- a/testcases/kernel/containers/userns/userns01.c
+++ b/testcases/kernel/containers/userns/userns01.c
@@ -15,7 +15,9 @@
  * Verify that:
  * If a user ID has no mapping inside the namespace, user ID and group
  * ID will be the value defined in the file /proc/sys/kernel/overflowuid(65534)
- * and /proc/sys/kernel/overflowgid(65534).
+ * and /proc/sys/kernel/overflowgid(65534). A child process has a full set
+ * of permitted and effective capabilities, even though the program was
+ * run from an unprivileged account.
  */
 #define _GNU_SOURCE
@@ -29,6 +31,7 @@
 #include "test.h"
 #include "libclone.h"
 #include "userns_helper.h"
+#include <sys/capability.h>
 #define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid"
 #define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid"
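Review bot: The Makefile hunk adds `-lcap` to `LDLIBS` unconditionally, so every build of this directory now requires libcap's development files and a host without them fails at link time instead of skipping the test. Unless the build system already guarantees libcap is present, the dependency should be gated by a build-time probe so the test is compiled only when the library is available; I cannot see from this patch whether such a probe exists in the tree. The two userns01.c hunks on this line are a comment extension and an include and need no further review.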
@@ -43,21 +46,24 @@ static long overflowgid;
  */
 static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED)
 {
- int exit_val;
+ int exit_val = 0;
 int uid, gid;
+ cap_t caps;
 uid = geteuid();
 gid = getegid();
 tst_resm(TINFO, "USERNS test is running in a new user namespace.");
- if (uid == overflowuid && gid == overflowgid) {
- printf("Got expected uid and gid\n");
- exit_val = 0;
- } else {
+
+ if (uid != overflowuid || gid != overflowgid) {
 printf("Got unexpected result of uid=%d gid=%d\n", uid, gid);
 exit_val = 1;
 }
+ caps = cap_get_proc();
+ if (strcmp(cap_to_text(caps, NULL), "=ep") != 0)
+ exit_val = 1;
+
 return exit_val;
 }
-- 
1.9.1
------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager! OpManager is web-based network management software that monitors network devices and physical & virtual servers, alerts via email & sms for fault. Monitor 25 devices for free with no restriction. Download now http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
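Review bot: The new capability check in child_fn1 dereferences unchecked results: `cap_get_proc()` returns NULL on failure and `cap_to_text()` then returns NULL as well, so the added `strcmp(cap_to_text(caps, NULL), "=ep")` reads a null pointer and crashes the child instead of failing the test. Both libcap objects are allocated and never released with `cap_free()`, and unlike the uid/gid branch a capability mismatch prints nothing, which leaves a failing run undiagnosable. The comparison also assumes `cap_to_text()` renders a full set exactly as `"=ep"`; that is libcap's compact form, but it may not hold when the running kernel exposes capabilities newer than the libcap build, so the failure message should include the actual text. `strcmp` additionally relies on `<string.h>` being included elsewhere in the file, which this patch does not show. Suggested rewrite of the capability block (child_fn1 is complete within the hunk):
```c
	cap_t caps;
	char *caps_text;
	/* … unchanged: uid/gid retrieval and check … */
	caps = cap_get_proc();
	if (caps == NULL) {
		printf("cap_get_proc() failed\n");
		return 1;
	}
	caps_text = cap_to_text(caps, NULL);
	if (caps_text == NULL || strcmp(caps_text, "=ep") != 0) {
		printf("Got unexpected capabilities: %s\n",
		       caps_text ? caps_text : "(null)");
		exit_val = 1;
	}
	cap_free(caps_text);
	cap_free(caps);

	return exit_val;
```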