Message ID | 20220731092529.28760-1-gautammenghani201@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | fc1e3980044f0f812252f5f164a8350376d62eb7 |
Headers | show |
Series | selftests/seccomp: Check CAP_SYS_ADMIN capability in the test mode_filter_without_nnp | expand |
On Sun, Jul 31, 2022 at 02:55:29PM +0530, Gautam Menghani wrote: > In the "mode_filter_without_nnp" test in seccomp_bpf, there is currently > a TODO which asks to check the capability CAP_SYS_ADMIN instead of euid. > This patch adds support to check if the calling process has the flag > CAP_SYS_ADMIN, and also if this flag has CAP_EFFECTIVE set. > > Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com> > --- > tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c > index 136df5b76319..16b0edc520ef 100644 > --- a/tools/testing/selftests/seccomp/seccomp_bpf.c > +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c > @@ -392,6 +392,8 @@ TEST(mode_filter_without_nnp) > .filter = filter, > }; > long ret; > + cap_t cap = cap_get_proc(); > + cap_flag_value_t is_cap_sys_admin = 0; > > ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0); > ASSERT_LE(0, ret) { > @@ -400,8 +402,8 @@ TEST(mode_filter_without_nnp) > errno = 0; > ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); > /* Succeeds with CAP_SYS_ADMIN, fails without */ > - /* TODO(wad) check caps not euid */ > - if (geteuid()) { > + cap_get_flag(cap, CAP_SYS_ADMIN, CAP_EFFECTIVE, &is_cap_sys_admin); > + if (!is_cap_sys_admin) { > EXPECT_EQ(-1, ret); > EXPECT_EQ(EACCES, errno); > } else { > -- > 2.34.1 > Hi, Please review the above patch and let me know if any changes are required. Thanks, Gautam
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 136df5b76319..16b0edc520ef 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -392,6 +392,8 @@ TEST(mode_filter_without_nnp) .filter = filter, }; long ret; + cap_t cap = cap_get_proc(); + cap_flag_value_t is_cap_sys_admin = 0; ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0); ASSERT_LE(0, ret) { @@ -400,8 +402,8 @@ TEST(mode_filter_without_nnp) errno = 0; ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); /* Succeeds with CAP_SYS_ADMIN, fails without */ - /* TODO(wad) check caps not euid */ - if (geteuid()) { + cap_get_flag(cap, CAP_SYS_ADMIN, CAP_EFFECTIVE, &is_cap_sys_admin); + if (!is_cap_sys_admin) { EXPECT_EQ(-1, ret); EXPECT_EQ(EACCES, errno); } else {
In the "mode_filter_without_nnp" test in seccomp_bpf, there is currently a TODO which asks to check the capability CAP_SYS_ADMIN instead of euid. This patch adds support to check if the calling process has the flag CAP_SYS_ADMIN, and also if this flag has CAP_EFFECTIVE set. Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)