test-seccomp: tighten privilege check before seccomp()

geteuid() without CAP_SYS_ADMIN is not enough to do unrestricted
seccomp(). Hence tighten the check.

See: #19746

diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index b1f917eb54e2503f1dadeff43fdcd5a333355a13..4cca55c5bbb73fb6342fa4b78e49a3fb7b6c0b42 100644 (file)
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -15,6 +15,7 @@
 #endif
 
 #include "alloc-util.h"
+#include "capability-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "macro.h"
@@ -41,6 +42,10 @@
 #  define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
 #endif
 
+static bool have_seccomp_privs(void) {
+        return geteuid() == 0 && have_effective_cap(CAP_SYS_ADMIN) > 0; /* If we are root but CAP_SYS_ADMIN we can't do caps (unless we also do NNP) */
+}
+
 static void test_parse_syscall_and_errno(void) {
         _cleanup_free_ char *n = NULL;
         int e;
@@ -168,8 +173,8 @@ static void test_filter_sets(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 
@@ -303,8 +308,8 @@ static void test_restrict_namespace(void) {
                 log_notice("Seccomp not available, skipping remaining tests in %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping remaining tests in %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping remaining tests in %s", __func__);
                 return;
         }
 
@@ -373,8 +378,8 @@ static void test_protect_sysctl(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 
@@ -426,8 +431,8 @@ static void test_protect_syslog(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 
@@ -468,8 +473,8 @@ static void test_restrict_address_families(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 
@@ -557,8 +562,8 @@ static void test_restrict_realtime(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 
@@ -604,8 +609,8 @@ static void test_memory_deny_write_execute_mmap(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 #if HAVE_VALGRIND_VALGRIND_H
@@ -674,8 +679,8 @@ static void test_memory_deny_write_execute_shmat(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 #if HAVE_VALGRIND_VALGRIND_H
@@ -739,8 +744,8 @@ static void test_restrict_archs(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 
@@ -779,8 +784,8 @@ static void test_load_syscall_filter_set_raw(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 
@@ -877,8 +882,8 @@ static void test_lock_personality(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }
 
@@ -941,8 +946,8 @@ static void test_restrict_suid_sgid(void) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
         }
-        if (geteuid() != 0) {
-                log_notice("Not root, skipping %s", __func__);
+        if (!have_seccomp_privs()) {
+                log_notice("Not privileged, skipping %s", __func__);
                 return;
         }