From: Christian Brauner
Date: Thu, 14 Oct 2021 11:59:34 +0000 (+0200)
Subject: test: fix nested capability tests
X-Git-Tag: lxc-5.0.0~74^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a0de7e7ccfda89cb016d1fe452cca04155808f8;p=thirdparty%2Flxc.git

test: fix nested capability tests

Signed-off-by: Christian Brauner
---

diff --git a/src/tests/capabilities.c b/src/tests/capabilities.c
index 25ae0b024..211c3ce42 100644
--- a/src/tests/capabilities.c
+++ b/src/tests/capabilities.c
@@ -38,20 +38,17 @@
 #include "utils.h"
 
 #if HAVE_LIBCAP
+__u32 *cap_bset_bits = NULL;
+__u32 last_cap = 0;
+
 static int capabilities_allow(void *payload)
 {
- int ret;
- __u32 last_cap;
-
- ret = lxc_caps_last_cap(&last_cap);
- if (ret) {
- lxc_error("%s\n", "Failed to retrieve last capability");
- return EXIT_FAILURE;
- }
-
 for (__u32 cap = 0; cap <= last_cap; cap++) {
 bool bret;
 
+ if (!is_set(cap, cap_bset_bits))
+ continue;
+
 if (cap == CAP_MKNOD)
 bret = cap_get_bound(cap) == CAP_SET;
 else
@@ -67,18 +64,12 @@ static int capabilities_allow(void *payload)
 
 static int capabilities_deny(void *payload)
 {
- int ret;
- __u32 last_cap;
-
- ret = lxc_caps_last_cap(&last_cap);
- if (ret) {
- lxc_error("%s\n", "Failed to retrieve last capability");
- return EXIT_FAILURE;
- }
-
 for (__u32 cap = 0; cap <= last_cap; cap++) {
 bool bret;
 
+ if (!is_set(cap, cap_bset_bits))
+ continue;
+
 if (cap == CAP_MKNOD)
 bret = cap_get_bound(cap) != CAP_SET;
 else
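Review bot: The two file-scope variables introduced under `#if HAVE_LIBCAP`, `cap_bset_bits` and `last_cap`, have external linkage while the functions around them (`capabilities_allow`, `capabilities_deny`, and the constructor/destructor added further down) are `static`; since they are only used inside this test file, `static __u32 *cap_bset_bits = NULL;` and `static __u32 last_cap = 0;` keep them out of the global symbol namespace. The same replacement of the per-call `lxc_caps_last_cap` lookup with an `is_set(cap, cap_bset_bits)` skip appears in the capabilities_deny hunk that follows on this line, and both loops now silently depend on the bitmap having been filled before `main` runs. A one-line comment at the declaration, `/* bounding-set bitmap for caps 0..last_cap, filled by the capabilities_init() constructor */`, would make that ordering dependency visible to the next reader. The body of capabilities_allow continues past the end of the hunk.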
@@ -221,6 +212,33 @@ on_error_put:
 return fret;
 }
 
+static void __attribute__((constructor)) capabilities_init(void)
+{
+ int ret;
+ __u32 nr_u32;
+
+ ret = lxc_caps_last_cap(&last_cap);
+ if (ret || last_cap > 200)
+ _exit(EXIT_FAILURE);
+
+ nr_u32 = BITS_TO_LONGS(last_cap);
+ cap_bset_bits = zalloc(nr_u32 * sizeof(__u32));
+ if (!cap_bset_bits)
+ _exit(EXIT_FAILURE);
+
+ for (__u32 cap_bit = 0; cap_bit <= last_cap; cap_bit++) {
+ if (prctl(PR_CAPBSET_READ, prctl_arg(cap_bit)) == 0)
+ continue;
+
+ set_bit(cap_bit, cap_bset_bits);
+ }
+}
+
+static void __attribute__((destructor)) capabilities_exit(void)
+{
+ free(cap_bset_bits);
+}
+
 int main(int argc, char *argv[])
 {
 if (run(capabilities_allow, true))
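Review bot: The bitmap allocated in capabilities_init is sized for `last_cap` bits, but the loop right below it sets bits 0 through `last_cap` inclusive, so `last_cap + 1` bits are needed; whenever `last_cap` is a multiple of the word size, `set_bit(last_cap, cap_bset_bits)` writes one element past the end of the buffer zalloc returned. `BITS_TO_LONGS` also, as its name suggests, counts words of `long` (64-bit on most hosts) while `set_bit`/`is_set` index a `__u32` array, which would halve the allocation again — worth confirming against the macro's definition in the project's header. Sizing on the element type removes both problems: `nr_u32 = last_cap / (8 * sizeof(__u32)) + 1;`. Separately, `prctl(PR_CAPBSET_READ, ...)` returns -1 rather than 0 for a capability the running kernel does not know, and the `== 0` test then records such a capability as present in the bounding set; `if (prctl(PR_CAPBSET_READ, prctl_arg(cap_bit)) != 1) continue;` records only capabilities the kernel actually reports as set. The two `_exit(EXIT_FAILURE)` paths also drop the `lxc_error` message the removed code printed, so a failure inside the constructor leaves no diagnostic at all.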