Lines Matching refs:Credentials
5 #include "sandbox/linux/services/credentials.h"
64 SANDBOX_TEST(Credentials, DropAllCaps) {
65 CHECK(Credentials::DropAllCapabilities());
66 CHECK(!Credentials::HasAnyCapability());
69 SANDBOX_TEST(Credentials, MoveToNewUserNS) {
70 CHECK(Credentials::DropAllCapabilities());
71 bool moved_to_new_ns = Credentials::MoveToNewUserNS();
82 CHECK(Credentials::HasAnyCapability());
83 CHECK(Credentials::DropAllCapabilities());
84 CHECK(!Credentials::HasAnyCapability());
87 SANDBOX_TEST(Credentials, CanCreateProcessInNewUserNS) {
88 CHECK(Credentials::DropAllCapabilities());
89 bool user_ns_supported = Credentials::CanCreateProcessInNewUserNS();
90 bool moved_to_new_ns = Credentials::MoveToNewUserNS();
94 SANDBOX_TEST(Credentials, UidIsPreserved) {
95 CHECK(Credentials::DropAllCapabilities());
101 if (!Credentials::MoveToNewUserNS()) return;
116 if (!Credentials::MoveToNewUserNS() ||
117 !Credentials::HasAnyCapability() ||
118 !Credentials::DropAllCapabilities() ||
119 Credentials::HasAnyCapability()) {
125 SANDBOX_TEST(Credentials, NestedUserNS) {
126 CHECK(Credentials::DropAllCapabilities());
128 if (!Credentials::MoveToNewUserNS()) return;
129 CHECK(Credentials::DropAllCapabilities());
139 SANDBOX_TEST(Credentials, CanDetectRoot) {
147 SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(DropFileSystemAccessIsSafe)) {
148 CHECK(Credentials::DropAllCapabilities());
150 if (!Credentials::MoveToNewUserNS()) return;
151 CHECK(Credentials::DropFileSystemAccess(ProcUtil::OpenProc().get()));
162 SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(CannotRegainPrivileges)) {
164 CHECK(Credentials::DropAllCapabilities(proc_fd.get()));
166 if (!Credentials::MoveToNewUserNS()) return;
167 CHECK(Credentials::DropFileSystemAccess(proc_fd.get()));
168 CHECK(Credentials::DropAllCapabilities(proc_fd.get()));
172 CHECK(!Credentials::CanCreateProcessInNewUserNS());
173 CHECK(!Credentials::MoveToNewUserNS());
176 SANDBOX_TEST(Credentials, SetCapabilities) {
178 if (!Credentials::MoveToNewUserNS())
183 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_ADMIN));
184 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT));
186 std::vector<Credentials::Capability> caps;
187 caps.push_back(Credentials::Capability::SYS_CHROOT);
188 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
190 CHECK(!Credentials::HasCapability(Credentials::Capability::SYS_ADMIN));
191 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT));
193 const std::vector<Credentials::Capability> no_caps;
194 CHECK(Credentials::SetCapabilities(proc_fd.get(), no_caps));
195 CHECK(!Credentials::HasAnyCapability());
198 SANDBOX_TEST(Credentials, SetCapabilitiesAndChroot) {
200 if (!Credentials::MoveToNewUserNS())
205 CHECK(Credentials::HasCapability(Credentials::Capability::SYS_CHROOT));
208 std::vector<Credentials::Capability> caps;
209 caps.push_back(Credentials::Capability::SYS_CHROOT);
210 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
213 CHECK(Credentials::DropAllCapabilities());
217 SANDBOX_TEST(Credentials, SetCapabilitiesMatchesLibCap2) {
219 if (!Credentials::MoveToNewUserNS())
224 std::vector<Credentials::Capability> caps;
225 caps.push_back(Credentials::Capability::SYS_CHROOT);
226 CHECK(Credentials::SetCapabilities(proc_fd.get(), caps));
249 SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(DropFileSystemAccessPreservesTLS)) {
251 if (!Credentials::MoveToNewUserNS()) return;
252 CHECK(Credentials::DropFileSystemAccess(ProcUtil::OpenProc().get()));
