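#!/bin/bash
# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Checks whether a non-root user can ptrace-attach (via gdb) to a process
# running inside a minijail pid namespace, depending on the value that
# process passed to prctl(PR_SET_PTRACER, ...).
#
# Usage: run as root, with the name of an unprivileged account as $1.
set -e
if [ "$(id -u)" -ne 0 ]; then
    echo "Must be root for this test" >&2
    exit 1
fi

# Without a user name, "su -c ..." further down would run gdb as root and the
# ptrace restriction would not be exercised at all, so refuse to start.
if [ -z "${1:-}" ]; then
    echo "Usage: ${0##*/} NONROOT_USER" >&2
    exit 1
fi
NONROOT="$1"

# The tracer account must exist and must not be uid 0: a root tracer would
# normally be allowed to attach regardless of PR_SET_PTRACER, so the
# "not allowed" check could never pass with it.
nonroot_uid=$(id -u -- "$NONROOT" 2>/dev/null) || nonroot_uid=
if [ -z "$nonroot_uid" ] || [ "$nonroot_uid" -eq 0 ]; then
    echo "NONROOT user '$NONROOT' must exist and must not be uid 0" >&2
    exit 1
fi

# gdb's messages are matched as literal English strings below.
export LANG=C
# Set by start_sleeper, consumed by kill_sleeper and the attach checks.
pid=
dir=
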
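# Launches ./inside-pidns.sh under "minijail0 -p" in the background and
# resolves the pid of the resulting "sleeper" process as seen from here.
# Globals:
#   NONROOT (read)  - forwarded to inside-pidns.sh as its second argument
#   dir (written)   - fresh temp dir holding the "status" fifo
#   pid (written)   - pid of the process whose comm is "sleeper"
# Arguments:
#   $1 - forwarded to inside-pidns.sh as its first argument (the callers in
#        this file pass the PR_SET_PTRACER value under test, 0 or -1)
# Exits the script with status 1 if no sleeper process can be found.
function start_sleeper()
{
    local comm

    # Fail before anything is spawned: an empty NONROOT would silently drop
    # the argument and leave the helper running with the wrong arguments.
    : "${NONROOT:?NONROOT user must be set}"

    dir=$(mktemp -d -t sleeper-XXXXXX)
    mkfifo "$dir/status"
    minijail0 -p -- ./inside-pidns.sh "$1" "$NONROOT" >"$dir/status" &
    pid=$!
    # Immediately forget about minijail process. We will find sleeper next.
    disown "$pid"
    # Wait for sleeper to start up: the read blocks until the helper writes a
    # line to the fifo. Under "set -e" an EOF without data aborts the script.
    read -r _ <"$dir/status"

    # Walk down the process tree from minijail0, one child per step, until
    # the process named "sleeper" is reached.
    while :; do
        # ps exits non-zero when the pid is gone; treat that as "no name"
        # instead of letting an empty expansion break the comparison.
        comm=$(ps -p "$pid" -o comm=) || true
        if [ "$comm" = "sleeper" ]; then
            break
        fi
        # Pass the parent pid as an awk variable rather than splicing it
        # into the awk program text.
        pid=$(ps -ef | awk -v ppid="$pid" '$3 == ppid { print $2 }')
        # Exactly one numeric pid is expected. The value is later embedded
        # in a command string handed to "su -c", so anything else (empty,
        # several children, stray text) is rejected here.
        case "$pid" in
            '' | *[!0-9]*)
                echo "Failed to locate pidns sleeper." >&2
                rm -rf -- "${dir:?}"
                exit 1
                ;;
        esac
    done
}
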
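# Terminates the sleeper located by start_sleeper and removes its temp dir.
# Globals:
#   pid (read) - process to signal
#   dir (read) - temp dir to delete
# Returns:
#   The exit status of kill. The temp dir is removed even when kill fails,
#   so a sleeper that already exited does not leave the directory behind.
#   Under "set -e" a non-zero return still aborts the calling script.
function kill_sleeper()
{
    local rv=0

    kill "$pid" || rv=$?
    # Never hand an empty path to rm -rf.
    if [ -n "$dir" ]; then
        rm -rf -- "$dir"
    fi
    return "$rv"
}
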
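rc=0

# Runs gdb as $NONROOT, attaching to $pid and quitting at once, and prints
# gdb's combined stdout/stderr.
# Globals: pid (read), NONROOT (read)
# Always returns 0: the callers judge the outcome from the captured text, and
# a non-zero status here would abort the script under "set -e" before the
# result is reported and before kill_sleeper cleans up.
function _attach_as_nonroot()
{
    # $pid is spliced into a command string that su hands to a shell, so only
    # a plain decimal pid is accepted.
    case "$pid" in
        '' | *[!0-9]*)
            echo "Refusing to attach: sleeper pid is not numeric." >&2
            return 0
            ;;
    esac
    # Quoting NONROOT makes an empty value an su error instead of silently
    # running gdb as root.
    su -c 'gdb -ex "attach '"$pid"'" -ex "quit" --batch' "$NONROOT" \
        </dev/null 2>&1 || true
}

# Validate that prctl(PR_SET_PTRACER, 0, ...) cannot be ptraced across pidns.
start_sleeper 0
OUT=$(_attach_as_nonroot)
prctl="prctl(PR_SET_PTRACER, 0, ...)"
# NOTE(review): this is a text match on the captured output, so any
# "Operation not permitted" printed by su or gdb counts as a pass, not only a
# refused attach.
if grep -q 'Operation not permitted' <<<"$OUT"; then
    echo "ok: $prctl correctly not allowed ptrace"
else
    echo "FAIL: $prctl unexpectedly allowed ptrace"
    rc=1
fi
kill_sleeper

# Validate that prctl(PR_SET_PTRACER, -1, ...) can be ptraced across pidns.
start_sleeper -1
OUT=$(_attach_as_nonroot)
prctl="prctl(PR_SET_PTRACER, -1, ...)"
# gdb asks "Quit anyway?" only when quitting with a process still attached,
# which is what marks a successful attach here.
if grep -q 'Quit anyway' <<<"$OUT"; then
    echo "ok: $prctl correctly allowed ptrace"
else
    echo "FAIL: $prctl unexpectedly not allowed ptrace"
    rc=1
fi
kill_sleeper

exit "$rc"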