1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sandbox/linux/services/namespace_utils.h"
6 
7 #include <errno.h>
8 #include <sched.h>
9 #include <sys/types.h>
10 #include <sys/wait.h>
11 
12 #include "base/logging.h"
13 #include "base/posix/eintr_wrapper.h"
14 #include "base/process/launch.h"
15 #include "sandbox/linux/services/credentials.h"
16 #include "sandbox/linux/tests/unit_tests.h"
17 #include "testing/gtest/include/gtest/gtest.h"
18 
19 namespace sandbox {
20 
21 namespace {
22 
SANDBOX_TEST(NamespaceUtils,KernelSupportsUnprivilegedNamespace)23 SANDBOX_TEST(NamespaceUtils, KernelSupportsUnprivilegedNamespace) {
24   const bool can_create_user_ns = Credentials::CanCreateProcessInNewUserNS();
25   const bool supports_user_ns =
26       NamespaceUtils::KernelSupportsUnprivilegedNamespace(CLONE_NEWUSER);
27   // can_create_user_ns implies supports_user_ns, but the converse is not
28   // necessarily true, as creating a user namespace can fail for various
29   // reasons.
30   if (can_create_user_ns) {
31     SANDBOX_ASSERT(supports_user_ns);
32   }
33 }
34 
SANDBOX_TEST(NamespaceUtils,WriteToIdMapFile)35 SANDBOX_TEST(NamespaceUtils, WriteToIdMapFile) {
36   if (!Credentials::CanCreateProcessInNewUserNS()) {
37     return;
38   }
39 
40   const uid_t uid = getuid();
41   const gid_t gid = getgid();
42 
43   const bool supports_deny_setgroups =
44       NamespaceUtils::KernelSupportsDenySetgroups();
45 
46   const pid_t pid =
47       base::ForkWithFlags(CLONE_NEWUSER | SIGCHLD, nullptr, nullptr);
48   ASSERT_NE(-1, pid);
49   if (pid == 0) {
50     if (supports_deny_setgroups) {
51       RAW_CHECK(NamespaceUtils::DenySetgroups());
52     }
53 
54     RAW_CHECK(getuid() != uid);
55     RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/uid_map", uid));
56     RAW_CHECK(getuid() == uid);
57 
58     RAW_CHECK(getgid() != gid);
59     RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid));
60     RAW_CHECK(getgid() == gid);
61 
62     _exit(0);
63   }
64 
65   int status = 42;
66   SANDBOX_ASSERT_EQ(pid, HANDLE_EINTR(waitpid(pid, &status, 0)));
67   SANDBOX_ASSERT_EQ(0, status);
68 }
69 
70 }  // namespace.
71 
72 }  // namespace sandbox.
73