endif
endif
-lxc_test_capabilities_allow_SOURCES = capabilities_allow.c \
+lxc_test_capabilities_SOURCES = capabilities.c \
../lxc/af_unix.c ../lxc/af_unix.h \
../lxc/caps.c ../lxc/caps.h \
../lxc/cgroups/cgfsng.c \
../lxc/uuid.c ../lxc/uuid.h \
$(LSM_SOURCES)
if ENABLE_SECCOMP
-lxc_test_capabilities_allow_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+lxc_test_capabilities_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
endif
if !HAVE_STRCHRNUL
-lxc_test_capabilities_allow_SOURCES += ../include/strchrnul.c ../include/strchrnul.h
+lxc_test_capabilities_SOURCES += ../include/strchrnul.c ../include/strchrnul.h
endif
if !HAVE_STRLCPY
-lxc_test_capabilities_allow_SOURCES += ../include/strlcpy.c ../include/strlcpy.h
+lxc_test_capabilities_SOURCES += ../include/strlcpy.c ../include/strlcpy.h
endif
if !HAVE_STRLCAT
-lxc_test_capabilities_allow_SOURCES += ../include/strlcat.c ../include/strlcat.h
+lxc_test_capabilities_SOURCES += ../include/strlcat.c ../include/strlcat.h
endif
if !HAVE_OPENPTY
-lxc_test_capabilities_allow_SOURCES += ../include/openpty.c ../include/openpty.h
+lxc_test_capabilities_SOURCES += ../include/openpty.c ../include/openpty.h
endif
if IS_BIONIC
-lxc_test_capabilities_allow_SOURCES += ../include/fexecve.c ../include/fexecve.h \
+lxc_test_capabilities_SOURCES += ../include/fexecve.c ../include/fexecve.h \
../include/lxcmntent.c ../include/lxcmntent.h
endif
if !HAVE_GETGRGID_R
-lxc_test_capabilities_allow_SOURCES += ../include/getgrgid_r.c ../include/getgrgid_r.h
+lxc_test_capabilities_SOURCES += ../include/getgrgid_r.c ../include/getgrgid_r.h
endif
if !HAVE_PRLIMIT
if HAVE_PRLIMIT64
-lxc_test_capabilities_allow_SOURCES += ../include/prlimit.c ../include/prlimit.h
+lxc_test_capabilities_SOURCES += ../include/prlimit.c ../include/prlimit.h
endif
endif
lxc-test-arch-parse \
lxc-test-attach \
lxc-test-basic \
- lxc-test-capabilities-allow \
+ lxc-test-capabilities \
lxc-test-cgpath \
lxc-test-clonetest \
lxc-test-concurrent \
EXTRA_DIST = arch_parse.c \
basic.c \
- capabilities_allow.c \
+ capabilities.c \
cgpath.c \
clonetest.c \
concurrent.c \
return EXIT_SUCCESS;
}
-int main(int argc, char *argv[])
+static int capabilities_deny(void *payload)
+{
+ int ret;
+ __u32 last_cap;
+
+ ret = lxc_caps_last_cap(&last_cap);
+ if (ret) {
+ lxc_error("%s\n", "Failed to retrieve last capability");
+ return EXIT_FAILURE;
+ }
+
+ for (__u32 cap = 0; cap <= last_cap; cap++) {
+ bool bret;
+
+ if (cap == CAP_MKNOD)
+ bret = cap_get_bound(cap) != CAP_SET;
+ else
+ bret = cap_get_bound(cap) == CAP_SET;
+ if (!bret) {
+ lxc_error("Capability %d unexpectedly raised or lowered\n", cap);
+ return EXIT_FAILURE;
+ }
+ }
+
+ return EXIT_SUCCESS;
+}
+
+static int run(int (*test)(void *), bool allow)
{
__do_close int fd_log = -EBADF;
- int fret = EXIT_FAILURE;
+ int fret = -1;
lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
int ret;
pid_t pid;
struct lxc_container *c;
struct lxc_log log;
- char template[sizeof(P_tmpdir"/capabilities_allow_XXXXXX")];
+ char template[sizeof(P_tmpdir"/capabilities_XXXXXX")];
- (void)strlcpy(template, P_tmpdir"/capabilities_allow_XXXXXX", sizeof(template));
+ (void)strlcpy(template, P_tmpdir"/capabilities_XXXXXX", sizeof(template));
fd_log = lxc_make_tmpfile(template, false);
if (fd_log < 0) {
- lxc_error("%s", "Failed to create temporary log file for container \"capabilities-allow\"");
- exit(fret);
+ lxc_error("%s", "Failed to create temporary log file for container \"capabilities\"");
+ return fret;
}
- log.name = "capabilities-allow";
+ log.name = "capabilities";
log.file = template;
log.level = "TRACE";
log.prefix = "capabilities";
log.lxcpath = NULL;
if (lxc_log_init(&log))
- exit(fret);
+ return fret;
- c = lxc_container_new("capabilities-allow", NULL);
+ c = lxc_container_new("capabilities", NULL);
if (!c) {
- lxc_error("%s\n", "Failed to create container \"capabilities-allow\"");
- exit(fret);
+ lxc_error("%s\n", "Failed to create container \"capabilities\"");
+ return fret;
}
if (c->is_defined(c)) {
- lxc_error("%s\n", "Container \"capabilities-allow\" is defined");
+ lxc_error("%s\n", "Container \"capabilities\" is defined");
goto on_error_put;
}
if (!c->createl(c, "busybox", NULL, NULL, 0, NULL)) {
- lxc_error("%s\n", "Failed to create busybox container \"capabilities-allow\"");
+ lxc_error("%s\n", "Failed to create busybox container \"capabilities\"");
goto on_error_put;
}
if (!c->is_defined(c)) {
- lxc_error("%s\n", "Container \"capabilities-allow\" is not defined");
+ lxc_error("%s\n", "Container \"capabilities\" is not defined");
goto on_error_destroy;
}
goto on_error_destroy;
}
- if (!c->set_config_item(c, "lxc.cap.keep", "mknod")) {
- lxc_error("%s\n", "Failed to set config item \"lxc.cap.keep=mknod\"");
- goto on_error_destroy;
+ if (allow) {
+ if (!c->set_config_item(c, "lxc.cap.keep", "mknod")) {
+ lxc_error("%s\n", "Failed to set config item \"lxc.cap.keep=mknod\"");
+ goto on_error_destroy;
+ }
+ } else {
+ if (!c->set_config_item(c, "lxc.cap.drop", "mknod")) {
+ lxc_error("%s\n", "Failed to set config item \"lxc.cap.drop=mknod\"");
+ goto on_error_destroy;
+ }
}
if (!c->want_daemonize(c, true)) {
- lxc_error("%s\n", "Failed to mark container \"capabilities-allow\" daemonized");
+ lxc_error("%s\n", "Failed to mark container \"capabilities\" daemonized");
goto on_error_destroy;
}
if (!c->startl(c, 0, NULL)) {
- lxc_error("%s\n", "Failed to start container \"capabilities-allow\" daemonized");
+ lxc_error("%s\n", "Failed to start container \"capabilities\" daemonized");
goto on_error_destroy;
}
- ret = c->attach(c, capabilities_allow, NULL, &attach_options, &pid);
+ ret = c->attach(c, test, NULL, &attach_options, &pid);
if (ret < 0) {
- lxc_error("%s\n", "Failed to run function in container \"capabilities-allow\"");
+ lxc_error("%s\n", "Failed to run function in container \"capabilities\"");
goto on_error_stop;
}
ret = wait_for_pid(pid);
if (ret) {
- lxc_error("%s\n", "Function \"capabilities-allow\" failed");
+ lxc_error("%s\n", "Function \"capabilities\" failed");
goto on_error_stop;
}
on_error_stop:
if (c->is_running(c) && !c->stop(c))
- lxc_error("%s\n", "Failed to stop container \"capabilities-allow\"");
+ lxc_error("%s\n", "Failed to stop container \"capabilities\"");
on_error_destroy:
if (!c->destroy(c))
- lxc_error("%s\n", "Failed to destroy container \"capabilities-allow\"");
+ lxc_error("%s\n", "Failed to destroy container \"capabilities\"");
on_error_put:
lxc_container_put(c);
if (fret == EXIT_SUCCESS) {
- lxc_debug("%s\n", "All capability allow tests passed");
+ lxc_debug("All capability %s tests passed\n", allow ? "allow" : "deny");
} else {
int fd;
}
(void)unlink(template);
- exit(fret);
+ return fret;
+}
+
+int main(int argc, char *argv[])
+{
+ if (run(capabilities_allow, true))
+ exit(EXIT_FAILURE);
+
+ if (run(capabilities_deny, false))
+ exit(EXIT_FAILURE);
+
+ exit(EXIT_SUCCESS);
}
#else /* !HAVE_LIBCAP */
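Review bot: In capabilities_deny(), the CAP_MKNOD branch `bret = cap_get_bound(cap) != CAP_SET;` also accepts the error return of cap_get_bound() (-1, errno set), so a probe that simply fails would be reported as the capability having been dropped and the deny test would pass spuriously; `bret = cap_get_bound(cap) == CAP_CLEAR;` pins the intended state, and the other branch already rejects errors because it compares against CAP_SET. The error message two lines below prints a `__u32` with `%d`; `lxc_error("Capability %u unexpectedly raised or lowered\n", cap);` matches the type. In run(), `if (fret == EXIT_SUCCESS)` near the end presumably depends on an assignment to fret that is not visible in this hunk — worth confirming, since the initial value is now -1. The run() failure messages all name "capabilities" without saying which of the two sub-tests was executing; the final lxc_debug already uses `allow ? "allow" : "deny"`, and the "Function \"capabilities\" failed" message could do the same so a failing deny run is distinguishable from a failing allow run in the log.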