From: Gautam Menghani <gautammenghani201@gmail.com>
To: keescook@chromium.org, shuah@kernel.org, brauner@kernel.org,
	paul.walmsley@sifive.com, palmer@dabbelt.com,
	aou@eecs.berkeley.edu, guoren@kernel.org
Cc: luto@amacapital.net, wad@chromium.org,
	linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-riscv@lists.infradead.org, bpf@vger.kernel.org,
	linux-csky@vger.kernel.org,
	linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH] selftests/seccomp: Check CAP_SYS_ADMIN capability in the test mode_filter_without_nnp
Date: Mon, 22 Aug 2022 14:19:28 +0530
Message-ID: <YwNDGAVrik3DvWZf@fedora>
In-Reply-To: <20220731092529.28760-1-gautammenghani201@gmail.com>

On Sun, Jul 31, 2022 at 02:55:29PM +0530, Gautam Menghani wrote:
> In the "mode_filter_without_nnp" test in seccomp_bpf, there is currently
> a TODO which asks to check the capability CAP_SYS_ADMIN instead of euid.
> This patch adds support to check if the calling process has the flag 
> CAP_SYS_ADMIN, and also if this flag has CAP_EFFECTIVE set.
> 
> Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
> ---
>  tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index 136df5b76319..16b0edc520ef 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -392,6 +392,8 @@ TEST(mode_filter_without_nnp)
>  		.filter = filter,
>  	};
>  	long ret;
> +	cap_t cap = cap_get_proc();
> +	cap_flag_value_t is_cap_sys_admin = 0;
>  
>  	ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
>  	ASSERT_LE(0, ret) {
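Review bot: the `cap_get_proc()` result in the new `cap_t cap` declaration is never checked for NULL, and none of the four added lines releases it with `cap_free()`; check the return value (skip or fail the test when it is NULL) and free `cap` before the test returns. The diffstat lists only seccomp_bpf.c, so no `#include <sys/capability.h>` and no `-lcap` link change is part of this patch; confirm the file and its Makefile already provide both, or add them here.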
> @@ -400,8 +402,8 @@ TEST(mode_filter_without_nnp)
>  	errno = 0;
>  	ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
>  	/* Succeeds with CAP_SYS_ADMIN, fails without */
> -	/* TODO(wad) check caps not euid */
> -	if (geteuid()) {
> +	cap_get_flag(cap, CAP_SYS_ADMIN, CAP_EFFECTIVE, &is_cap_sys_admin);
> +	if (!is_cap_sys_admin) {
>  		EXPECT_EQ(-1, ret);
>  		EXPECT_EQ(EACCES, errno);
>  	} else {
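Review bot: `cap_get_flag()` sits between `prctl(PR_SET_SECCOMP, ...)` and `EXPECT_EQ(EACCES, errno)` and its return value is ignored; if it fails (for example because `cap` is NULL) it can overwrite `errno` and leaves `is_cap_sys_admin` at 0, so the test takes the unprivileged branch and compares against an errno that no longer belongs to `prctl()`. Move the capability query above `errno = 0;` and assert that it returns 0 before using the flag.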
> -- 
> 2.34.1
> 

Hi,

Please review the above patch and let me know if any changes are required.

Thanks,
Gautam
