From 6da5d7de78dd6b98d42cbe177975887907ea6dc2 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 2 Jun 2021 21:38:44 +0200
Subject: [PATCH] test-seccomp: tighten privilege check before seccomp()
geteuid() without CAP_SYS_ADMIN is not enough to do unrestricted seccomp(). Hence tighten the check.
See: #19746
---
 src/test/test-seccomp.c | 53 ++++++++++++++++++++++-------------------
 1 file changed, 29 insertions(+), 24 deletions(-)
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index b1f917eb54e..4cca55c5bbb 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -15,6 +15,7 @@
 #endif
 #include "alloc-util.h"
+#include "capability-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "macro.h"
@@ -41,6 +42,10 @@
 # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
 #endif
+static bool have_seccomp_privs(void) {
+ return geteuid() == 0 && have_effective_cap(CAP_SYS_ADMIN) > 0; /* If we are root but CAP_SYS_ADMIN we can't do caps (unless we also do NNP) */
+}
+
 static void test_parse_syscall_and_errno(void) {
 _cleanup_free_ char *n = NULL;
 int e;
@@ -168,8 +173,8 @@ static void test_filter_sets(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
@@ -303,8 +308,8 @@ static void test_restrict_namespace(void) {
 log_notice("Seccomp not available, skipping remaining tests in %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping remaining tests in %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping remaining tests in %s", __func__);
 return;
 }
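Review bot: The trailing comment on the return line of the new `have_seccomp_privs()` is missing a word and names the wrong facility: it reads "root but CAP_SYS_ADMIN we can't do caps", while the commit message is about seccomp() being refused without that capability. Suggested wording: `/* If we are root but lack CAP_SYS_ADMIN we can't install seccomp filters (unless we also set NNP) */`. The `> 0` comparison presumably also treats an error return from `have_effective_cap()` as "not privileged", which is the safe direction for a skip check and worth stating in the same comment. As the comment itself implies, a process that sets no_new_privs could still load a filter, so this helper is deliberately stricter than the kernel; saying so would keep a later reader from "fixing" it.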
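Review bot: The new skip message in `test_filter_sets()`, `"Not privileged, skipping %s"`, no longer says which condition failed, so a log from a root process in a container that drops CAP_SYS_ADMIN gives no hint why every seccomp test was skipped. Something like `log_notice("Not root or lacking CAP_SYS_ADMIN, skipping %s", __func__);` keeps the reason visible. The same message appears in the eleven other test_* hunks of this patch, with the "skipping remaining tests in %s" variant in `test_restrict_namespace()`. With the tighter check such environments now exercise none of these filters, and whether the binary reports that as a skip and not a pass is not visible in the patch. Each of these function bodies continues outside its hunk.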
@@ -373,8 +378,8 @@ static void test_protect_sysctl(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
@@ -426,8 +431,8 @@ static void test_protect_syslog(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
@@ -468,8 +473,8 @@ static void test_restrict_address_families(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
@@ -557,8 +562,8 @@ static void test_restrict_realtime(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
@@ -604,8 +609,8 @@ static void test_memory_deny_write_execute_mmap(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
 #if HAVE_VALGRIND_VALGRIND_H
@@ -674,8 +679,8 @@ static void test_memory_deny_write_execute_shmat(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
 #if HAVE_VALGRIND_VALGRIND_H
@@ -739,8 +744,8 @@ static void test_restrict_archs(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
@@ -779,8 +784,8 @@ static void test_load_syscall_filter_set_raw(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
@@ -877,8 +882,8 @@ static void test_lock_personality(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
@@ -941,8 +946,8 @@ static void test_restrict_suid_sgid(void) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (geteuid() != 0) {
- log_notice("Not root, skipping %s", __func__);
+ if (!have_seccomp_privs()) {
+ log_notice("Not privileged, skipping %s", __func__);
 return;
 }
--
2.47.3