From: Christian Brauner Date: Thu, 14 Oct 2021 09:17:15 +0000 (+0200) Subject: tests: expand capability tests X-Git-Tag: lxc-5.0.0~74^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09f2a3ef8a8e5c494a0264e1827dc8cdb7658436;p=thirdparty%2Flxc.git tests: expand capability tests Signed-off-by: Christian Brauner
---
diff --git a/.gitignore b/.gitignore
index 0217d0b54..9f34f9b1e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -108,7 +108,7 @@ src/tests/lxc-test-cve-2019-5736
 src/tests/lxc-test-mount-injection
 src/tests/lxc-test-sys-mixed
 src/tests/lxc-test-rootfs-options
-src/tests/lxc-test-capabilities-allow
+src/tests/lxc-test-capabilities
 config/compile
 config/config.guess
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 6919601c8..48d39bcb4 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -1276,7 +1276,7 @@ lxc_test_rootfs_options_SOURCES += ../include/prlimit.c ../include/prlimit.h
 endif
 endif
-lxc_test_capabilities_allow_SOURCES = capabilities_allow.c \
+lxc_test_capabilities_SOURCES = capabilities.c \
 ../lxc/af_unix.c ../lxc/af_unix.h \
 ../lxc/caps.c ../lxc/caps.h \
 ../lxc/cgroups/cgfsng.c \
@@ -1323,37 +1323,37 @@ lxc_test_capabilities_allow_SOURCES = capabilities_allow.c \
 ../lxc/uuid.c ../lxc/uuid.h \
 $(LSM_SOURCES)
 if ENABLE_SECCOMP
-lxc_test_capabilities_allow_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+lxc_test_capabilities_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
 endif
 if !HAVE_STRCHRNUL
-lxc_test_capabilities_allow_SOURCES += ../include/strchrnul.c ../include/strchrnul.h
+lxc_test_capabilities_SOURCES += ../include/strchrnul.c ../include/strchrnul.h
 endif
 if !HAVE_STRLCPY
-lxc_test_capabilities_allow_SOURCES += ../include/strlcpy.c ../include/strlcpy.h
+lxc_test_capabilities_SOURCES += ../include/strlcpy.c ../include/strlcpy.h
 endif
 if !HAVE_STRLCAT
-lxc_test_capabilities_allow_SOURCES += ../include/strlcat.c ../include/strlcat.h
+lxc_test_capabilities_SOURCES += ../include/strlcat.c ../include/strlcat.h
 endif
 if !HAVE_OPENPTY
-lxc_test_capabilities_allow_SOURCES += ../include/openpty.c ../include/openpty.h
+lxc_test_capabilities_SOURCES += ../include/openpty.c ../include/openpty.h
 endif
 if IS_BIONIC
-lxc_test_capabilities_allow_SOURCES += ../include/fexecve.c ../include/fexecve.h \
+lxc_test_capabilities_SOURCES += ../include/fexecve.c ../include/fexecve.h \
 ../include/lxcmntent.c ../include/lxcmntent.h
 endif
 if !HAVE_GETGRGID_R
-lxc_test_capabilities_allow_SOURCES += ../include/getgrgid_r.c ../include/getgrgid_r.h
+lxc_test_capabilities_SOURCES += ../include/getgrgid_r.c ../include/getgrgid_r.h
 endif
 if !HAVE_PRLIMIT
 if HAVE_PRLIMIT64
-lxc_test_capabilities_allow_SOURCES += ../include/prlimit.c ../include/prlimit.h
+lxc_test_capabilities_SOURCES += ../include/prlimit.c ../include/prlimit.h
 endif
 endif
@@ -1395,7 +1395,7 @@ bin_PROGRAMS = lxc-test-api-reboot \
 lxc-test-arch-parse \
 lxc-test-attach \
 lxc-test-basic \
- lxc-test-capabilities-allow \
+ lxc-test-capabilities \
 lxc-test-cgpath \
 lxc-test-clonetest \
 lxc-test-concurrent \
@@ -1488,7 +1488,7 @@ endif
 EXTRA_DIST = arch_parse.c \
 basic.c \
- capabilities_allow.c \
+ capabilities.c \
 cgpath.c \
 clonetest.c \
 concurrent.c \
diff --git a/src/tests/capabilities_allow.c b/src/tests/capabilities.c
similarity index 63%
rename from src/tests/capabilities_allow.c
rename to src/tests/capabilities.c
index 24b57ed78..25ae0b024 100644
--- a/src/tests/capabilities_allow.c
+++ b/src/tests/capabilities.c
@@ -65,26 +65,53 @@ static int capabilities_allow(void *payload)
 return EXIT_SUCCESS;
 }
-int main(int argc, char *argv[])
+static int capabilities_deny(void *payload)
+{
+ int ret;
+ __u32 last_cap;
+
+ ret = lxc_caps_last_cap(&last_cap);
+ if (ret) {
+ lxc_error("%s\n", "Failed to retrieve last capability");
+ return EXIT_FAILURE;
+ }
+
+ for (__u32 cap = 0; cap <= last_cap; cap++) {
+ bool bret;
+
+ if (cap == CAP_MKNOD)
+ bret = cap_get_bound(cap) != CAP_SET;
+ else
+ bret = cap_get_bound(cap) == CAP_SET;
+ if (!bret) {
+ lxc_error("Capability %d unexpectedly raised or lowered\n", cap);
+ return EXIT_FAILURE;
+ }
+ }
+
+ return EXIT_SUCCESS;
+}
+
+static int run(int (*test)(void *), bool allow)
 {
 __do_close int fd_log = -EBADF;
- int fret = EXIT_FAILURE;
+ int fret = -1;
 lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
 int ret;
 pid_t pid;
 struct lxc_container *c;
 struct lxc_log log;
- char template[sizeof(P_tmpdir"/capabilities_allow_XXXXXX")];
+ char template[sizeof(P_tmpdir"/capabilities_XXXXXX")];
- (void)strlcpy(template, P_tmpdir"/capabilities_allow_XXXXXX", sizeof(template));
+ (void)strlcpy(template, P_tmpdir"/capabilities_XXXXXX", sizeof(template));
 fd_log = lxc_make_tmpfile(template, false);
 if (fd_log < 0) {
- lxc_error("%s", "Failed to create temporary log file for container \"capabilities-allow\"");
- exit(fret);
+ lxc_error("%s", "Failed to create temporary log file for container \"capabilities\"");
+ return fret;
 }
- log.name = "capabilities-allow";
+ log.name = "capabilities";
 log.file = template;
 log.level = "TRACE";
 log.prefix = "capabilities";
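Review bot: In `capabilities_deny`, the CAP_MKNOD branch accepts `cap_get_bound(cap) != CAP_SET`, so an error return from cap_get_bound() (libcap documents -1 on failure) is counted as "dropped" and the deny test can pass without proving the capability was removed. Comparing against the cleared value is stricter: `bret = cap_get_bound(cap) == CAP_CLEAR;`. The error message also prints a `__u32` with `%d`; `%u` matches the type, and stating whether the capability was expected set or cleared would make a failure easier to triage. The check covers the bounding set only, so it presumably says nothing about the effective or permitted sets of the attached process. The body of `run()` continues past the end of this hunk.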
@@ -92,26 +119,26 @@ int main(int argc, char *argv[])
 log.lxcpath = NULL;
 if (lxc_log_init(&log))
- exit(fret);
+ return fret;
- c = lxc_container_new("capabilities-allow", NULL);
+ c = lxc_container_new("capabilities", NULL);
 if (!c) {
- lxc_error("%s\n", "Failed to create container \"capabilities-allow\"");
- exit(fret);
+ lxc_error("%s\n", "Failed to create container \"capabilities\"");
+ return fret;
 }
 if (c->is_defined(c)) {
- lxc_error("%s\n", "Container \"capabilities-allow\" is defined");
+ lxc_error("%s\n", "Container \"capabilities\" is defined");
 goto on_error_put;
 }
 if (!c->createl(c, "busybox", NULL, NULL, 0, NULL)) {
- lxc_error("%s\n", "Failed to create busybox container \"capabilities-allow\"");
+ lxc_error("%s\n", "Failed to create busybox container \"capabilities\"");
 goto on_error_put;
 }
 if (!c->is_defined(c)) {
- lxc_error("%s\n", "Container \"capabilities-allow\" is not defined");
+ lxc_error("%s\n", "Container \"capabilities\" is not defined");
 goto on_error_destroy;
 }
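Review bot: The early `return fret;` paths after `lxc_log_init()` and `lxc_container_new()` leave the TRACE-level log file created by `lxc_make_tmpfile(template, false)` behind in P_tmpdir, because the only `unlink(template)` visible in this commit sits at the very end of `run()`. Now that this is a helper called more than once rather than `main()`, I would add `(void)unlink(template);` before each of these two returns. Separately, `lxc_log_init()` is now called once per `run()` in the same process with a different file each time; whether the second call actually switches the log target is not visible here and is worth confirming, since the failure path appears to dump `template`. `run()` starts and ends outside this hunk.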
@@ -125,30 +152,37 @@ int main(int argc, char *argv[])
 goto on_error_destroy;
 }
- if (!c->set_config_item(c, "lxc.cap.keep", "mknod")) {
- lxc_error("%s\n", "Failed to set config item \"lxc.cap.keep=mknod\"");
- goto on_error_destroy;
+ if (allow) {
+ if (!c->set_config_item(c, "lxc.cap.keep", "mknod")) {
+ lxc_error("%s\n", "Failed to set config item \"lxc.cap.keep=mknod\"");
+ goto on_error_destroy;
+ }
+ } else {
+ if (!c->set_config_item(c, "lxc.cap.drop", "mknod")) {
+ lxc_error("%s\n", "Failed to set config item \"lxc.cap.drop=mknod\"");
+ goto on_error_destroy;
+ }
 }
 if (!c->want_daemonize(c, true)) {
- lxc_error("%s\n", "Failed to mark container \"capabilities-allow\" daemonized");
+ lxc_error("%s\n", "Failed to mark container \"capabilities\" daemonized");
 goto on_error_destroy;
 }
 if (!c->startl(c, 0, NULL)) {
- lxc_error("%s\n", "Failed to start container \"capabilities-allow\" daemonized");
+ lxc_error("%s\n", "Failed to start container \"capabilities\" daemonized");
 goto on_error_destroy;
 }
- ret = c->attach(c, capabilities_allow, NULL, &attach_options, &pid);
+ ret = c->attach(c, test, NULL, &attach_options, &pid);
 if (ret < 0) {
- lxc_error("%s\n", "Failed to run function in container \"capabilities-allow\"");
+ lxc_error("%s\n", "Failed to run function in container \"capabilities\"");
 goto on_error_stop;
 }
 ret = wait_for_pid(pid);
 if (ret) {
- lxc_error("%s\n", "Function \"capabilities-allow\" failed");
+ lxc_error("%s\n", "Function \"capabilities\" failed");
 goto on_error_stop;
 }
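Review bot: `run()` takes both the callback `test` and the flag `allow`, and nothing ties the two together, so a call such as `run(capabilities_deny, true)` would configure `lxc.cap.keep=mknod` and then assert the deny expectations. Deriving one from the other inside `run()` removes that mismatch, for example `int (*test)(void *) = allow ? capabilities_allow : capabilities_deny;` with the signature reduced to `run(bool allow)`. The two `set_config_item` branches could then collapse to a single call on `const char *key = allow ? "lxc.cap.keep" : "lxc.cap.drop";`. `run()` begins and ends outside this hunk.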
@@ -156,17 +190,17 @@ int main(int argc, char *argv[])
 on_error_stop:
 if (c->is_running(c) && !c->stop(c))
- lxc_error("%s\n", "Failed to stop container \"capabilities-allow\"");
+ lxc_error("%s\n", "Failed to stop container \"capabilities\"");
 on_error_destroy:
 if (!c->destroy(c))
- lxc_error("%s\n", "Failed to destroy container \"capabilities-allow\"");
+ lxc_error("%s\n", "Failed to destroy container \"capabilities\"");
 on_error_put:
 lxc_container_put(c);
 if (fret == EXIT_SUCCESS) {
- lxc_debug("%s\n", "All capability allow tests passed");
+ lxc_debug("All capability %s tests passed\n", allow ? "allow" : "deny");
 } else {
 int fd;
@@ -184,7 +218,18 @@ on_error_put:
 }
 (void)unlink(template);
- exit(fret);
+ return fret;
+}
+
+int main(int argc, char *argv[])
+{
+ if (run(capabilities_allow, true))
+ exit(EXIT_FAILURE);
+
+ if (run(capabilities_deny, false))
+ exit(EXIT_FAILURE);
+
+ exit(EXIT_SUCCESS);
 }
 #else /* !HAVE_LIBCAP */
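Review bot: A failed `c->destroy(c)` under `on_error_destroy:` is only logged, which matters more now that `run()` is executed twice with the same container name "capabilities". If the allow run passes but its container cannot be destroyed, the deny run would presumably stop at the `is_defined` check with a misleading "is defined" error instead of reporting the cleanup failure. I would fold the cleanup result into the return value by setting `fret = -1;` next to the existing `lxc_error` call for the destroy failure, or give each run its own container name. The assignment of `fret` on the success path lies outside the visible hunks, so this reading is based on the labels shown here.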