1 // Copyright 2015 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "sandbox/linux/services/namespace_utils.h" 6 7 #include <errno.h> 8 #include <sched.h> 9 #include <sys/types.h> 10 #include <sys/wait.h> 11 12 #include "base/logging.h" 13 #include "base/posix/eintr_wrapper.h" 14 #include "base/process/launch.h" 15 #include "sandbox/linux/services/credentials.h" 16 #include "sandbox/linux/tests/unit_tests.h" 17 #include "testing/gtest/include/gtest/gtest.h" 18 19 namespace sandbox { 20 21 namespace { 22 23 SANDBOX_TEST(NamespaceUtils, KernelSupportsUnprivilegedNamespace) { 24 const bool can_create_user_ns = Credentials::CanCreateProcessInNewUserNS(); 25 const bool supports_user_ns = 26 NamespaceUtils::KernelSupportsUnprivilegedNamespace(CLONE_NEWUSER); 27 // can_create_user_ns implies supports_user_ns, but the converse is not 28 // necessarily true, as creating a user namespace can fail for various 29 // reasons. 30 if (can_create_user_ns) { 31 SANDBOX_ASSERT(supports_user_ns); 32 } 33 } 34 35 SANDBOX_TEST(NamespaceUtils, WriteToIdMapFile) { 36 if (!Credentials::CanCreateProcessInNewUserNS()) { 37 return; 38 } 39 40 const uid_t uid = getuid(); 41 const gid_t gid = getgid(); 42 43 const bool supports_deny_setgroups = 44 NamespaceUtils::KernelSupportsDenySetgroups(); 45 46 const pid_t pid = 47 base::ForkWithFlags(CLONE_NEWUSER | SIGCHLD, nullptr, nullptr); 48 ASSERT_NE(-1, pid); 49 if (pid == 0) { 50 if (supports_deny_setgroups) { 51 RAW_CHECK(NamespaceUtils::DenySetgroups()); 52 } 53 54 RAW_CHECK(getuid() != uid); 55 RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/uid_map", uid)); 56 RAW_CHECK(getuid() == uid); 57 58 RAW_CHECK(getgid() != gid); 59 RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid)); 60 RAW_CHECK(getgid() == gid); 61 62 _exit(0); 63 } 64 65 int status = 42; 66 SANDBOX_ASSERT_EQ(pid, HANDLE_EINTR(waitpid(pid, &status, 0))); 67 SANDBOX_ASSERT_EQ(0, status); 68 } 69 70 } // namespace. 71 72 } // namespace sandbox. 73