* [LTP] [PATCH V2] userns01: add capability verification @ 2015-07-01 4:22 Yuan Sun 2015-07-02 14:09 ` Jan Stancek 0 siblings, 1 reply; 11+ messages in thread From: Yuan Sun @ 2015-07-01 4:22 UTC (permalink / raw) To: jstancek; +Cc: ltp-list Signed-off-by: Yuan Sun <sunyuan3@huawei.com> --- testcases/kernel/containers/userns/Makefile | 2 +- testcases/kernel/containers/userns/userns01.c | 31 +++++++++++++++++++++------ 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/testcases/kernel/containers/userns/Makefile b/testcases/kernel/containers/userns/Makefile index 9f67216..8370bff 100644 --- a/testcases/kernel/containers/userns/Makefile +++ b/testcases/kernel/containers/userns/Makefile @@ -21,6 +21,6 @@ top_srcdir ?= ../../../.. include $(top_srcdir)/include/mk/testcases.mk include $(abs_srcdir)/../Makefile.inc -LDLIBS := -lclone -lltp +LDLIBS := -lclone -lltp $(CAP_LIBS) include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/containers/userns/userns01.c b/testcases/kernel/containers/userns/userns01.c index 9cada5e..a9012ac 100644 --- a/testcases/kernel/containers/userns/userns01.c +++ b/testcases/kernel/containers/userns/userns01.c @@ -15,7 +15,9 @@ * Verify that: * If a user ID has no mapping inside the namespace, user ID and group * ID will be the value defined in the file /proc/sys/kernel/overflowuid(65534) - * and /proc/sys/kernel/overflowgid(65534). + * and /proc/sys/kernel/overflowgid(65534). A child process has a full set + * of permitted and effective capabilities, even though the program was + * run from an unprivileged account. */ #define _GNU_SOURCE @@ -29,6 +31,12 @@ #include "test.h" #include "libclone.h" #include "userns_helper.h" +#include "config.h" +#if HAVE_SYS_CAPABILITY_H +#include <linux/types.h> +#include <sys/capability.h> +#endif + #define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid" #define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid" @@ -43,21 +51,30 @@ static long overflowgid; */ static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED) { - int exit_val; + int exit_val = 0; int uid, gid; +#ifdef HAVE_LIBCAP + cap_t caps, expectedcaps; +#endif uid = geteuid(); gid = getegid(); tst_resm(TINFO, "USERNS test is running in a new user namespace."); - if (uid == overflowuid && gid == overflowgid) { - printf("Got expected uid and gid\n"); - exit_val = 0; - } else { + + if (uid != overflowuid || gid != overflowgid) { printf("Got unexpected result of uid=%d gid=%d\n", uid, gid); exit_val = 1; } +#ifdef HAVE_LIBCAP + caps = cap_get_proc(); + expectedcaps = cap_from_text("=ep"); + if (cap_compare(caps, expectedcaps) != 0) + exit_val = 1; +#else + printf("System doesn't support capabilities.\n"); +#endif return exit_val; } @@ -96,3 +113,5 @@ int main(int argc, char *argv[]) tst_exit(); } + + -- 1.9.1 ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-01 4:22 [LTP] [PATCH V2] userns01: add capability verification Yuan Sun @ 2015-07-02 14:09 ` Jan Stancek 2015-07-03 3:05 ` Yuan Sun 0 siblings, 1 reply; 11+ messages in thread From: Jan Stancek @ 2015-07-02 14:09 UTC (permalink / raw) To: Yuan Sun; +Cc: ltp-list ----- Original Message ----- > From: "Yuan Sun" <sunyuan3@huawei.com> > To: jstancek@redhat.com > Cc: ltp-list@lists.sourceforge.net > Sent: Wednesday, 1 July, 2015 6:22:45 AM > Subject: [PATCH V2] userns01: add capability verification > > Signed-off-by: Yuan Sun <sunyuan3@huawei.com> > --- > testcases/kernel/containers/userns/Makefile | 2 +- > testcases/kernel/containers/userns/userns01.c | 31 > +++++++++++++++++++++------ > 2 files changed, 26 insertions(+), 7 deletions(-) > > diff --git a/testcases/kernel/containers/userns/Makefile > b/testcases/kernel/containers/userns/Makefile > index 9f67216..8370bff 100644 > --- a/testcases/kernel/containers/userns/Makefile > +++ b/testcases/kernel/containers/userns/Makefile > @@ -21,6 +21,6 @@ top_srcdir ?= ../../../.. > include $(top_srcdir)/include/mk/testcases.mk > include $(abs_srcdir)/../Makefile.inc > > -LDLIBS := -lclone -lltp > +LDLIBS := -lclone -lltp $(CAP_LIBS) > > include $(top_srcdir)/include/mk/generic_leaf_target.mk > diff --git a/testcases/kernel/containers/userns/userns01.c > b/testcases/kernel/containers/userns/userns01.c > index 9cada5e..a9012ac 100644 > --- a/testcases/kernel/containers/userns/userns01.c > +++ b/testcases/kernel/containers/userns/userns01.c > @@ -15,7 +15,9 @@ > * Verify that: > * If a user ID has no mapping inside the namespace, user ID and group > * ID will be the value defined in the file > /proc/sys/kernel/overflowuid(65534) > - * and /proc/sys/kernel/overflowgid(65534). > + * and /proc/sys/kernel/overflowgid(65534). A child process has a full set > + * of permitted and effective capabilities, even though the program was > + * run from an unprivileged account. > */ > > #define _GNU_SOURCE > @@ -29,6 +31,12 @@ > #include "test.h" > #include "libclone.h" > #include "userns_helper.h" > +#include "config.h" > +#if HAVE_SYS_CAPABILITY_H > +#include <linux/types.h> > +#include <sys/capability.h> > +#endif > + > #define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid" > #define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid" > > @@ -43,21 +51,30 @@ static long overflowgid; > */ > static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED) > { > - int exit_val; > + int exit_val = 0; > int uid, gid; > +#ifdef HAVE_LIBCAP > + cap_t caps, expectedcaps; > +#endif > > uid = geteuid(); > gid = getegid(); > > tst_resm(TINFO, "USERNS test is running in a new user namespace."); > - if (uid == overflowuid && gid == overflowgid) { > - printf("Got expected uid and gid\n"); > - exit_val = 0; > - } else { > + > + if (uid != overflowuid || gid != overflowgid) { > printf("Got unexpected result of uid=%d gid=%d\n", uid, gid); > exit_val = 1; > } > > +#ifdef HAVE_LIBCAP > + caps = cap_get_proc(); > + expectedcaps = cap_from_text("=ep"); > + if (cap_compare(caps, expectedcaps) != 0) Does this work for you? I'm getting failures. It seems that cap_from_text sets all bits in the set, not just those capabilities that are <= CAP_LAST_CAP and the comparison compares all bits. Regards, Jan > + exit_val = 1; > +#else > + printf("System doesn't support capabilities.\n"); > +#endif > return exit_val; > } > > @@ -96,3 +113,5 @@ int main(int argc, char *argv[]) > tst_exit(); > } > > + > + > -- > 1.9.1 > > ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-02 14:09 ` Jan Stancek @ 2015-07-03 3:05 ` Yuan Sun 2015-07-03 7:43 ` Jan Stancek 0 siblings, 1 reply; 11+ messages in thread From: Yuan Sun @ 2015-07-03 3:05 UTC (permalink / raw) To: Jan Stancek; +Cc: ltp-list Hi Jan, Interesting. It works well in my environment. What's your environment? log: root@p1:/tmp/ltp/testcases/kernel/containers/userns# ./userns01 user_namespace1 0 TINFO : USERNS test is running in a new user namespace. user_namespace1 1 TPASS : uid and gid are right root@p1:/tmp/ltp/testcases/kernel/containers/userns# root@p1:/tmp/ltp/testcases/kernel/containers/userns# uname -a Linux p1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux root@p1:/tmp/ltp/testcases/kernel/containers/userns# cat /etc/issue Ubuntu 14.04.1 LTS \n \l root@p1:/tmp/ltp/testcases/kernel/containers/userns# file /bin/ls /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=64d095bc6589dd4bfbf1c6d62ae985385965461b, stripped Thanks. Yuan On 2015/7/2 22:09, Jan Stancek wrote: > > > > ----- Original Message ----- >> From: "Yuan Sun" <sunyuan3@huawei.com> >> To: jstancek@redhat.com >> Cc: ltp-list@lists.sourceforge.net >> Sent: Wednesday, 1 July, 2015 6:22:45 AM >> Subject: [PATCH V2] userns01: add capability verification >> >> Signed-off-by: Yuan Sun <sunyuan3@huawei.com> >> --- >> testcases/kernel/containers/userns/Makefile | 2 +- >> testcases/kernel/containers/userns/userns01.c | 31 >> +++++++++++++++++++++------ >> 2 files changed, 26 insertions(+), 7 deletions(-) >> >> diff --git a/testcases/kernel/containers/userns/Makefile >> b/testcases/kernel/containers/userns/Makefile >> index 9f67216..8370bff 100644 >> --- a/testcases/kernel/containers/userns/Makefile >> +++ b/testcases/kernel/containers/userns/Makefile >> @@ -21,6 +21,6 @@ top_srcdir ?= ../../../.. >> include $(top_srcdir)/include/mk/testcases.mk >> include $(abs_srcdir)/../Makefile.inc >> >> -LDLIBS := -lclone -lltp >> +LDLIBS := -lclone -lltp $(CAP_LIBS) >> >> include $(top_srcdir)/include/mk/generic_leaf_target.mk >> diff --git a/testcases/kernel/containers/userns/userns01.c >> b/testcases/kernel/containers/userns/userns01.c >> index 9cada5e..a9012ac 100644 >> --- a/testcases/kernel/containers/userns/userns01.c >> +++ b/testcases/kernel/containers/userns/userns01.c >> @@ -15,7 +15,9 @@ >> * Verify that: >> * If a user ID has no mapping inside the namespace, user ID and group >> * ID will be the value defined in the file >> /proc/sys/kernel/overflowuid(65534) >> - * and /proc/sys/kernel/overflowgid(65534). >> + * and /proc/sys/kernel/overflowgid(65534). A child process has a full set >> + * of permitted and effective capabilities, even though the program was >> + * run from an unprivileged account. >> */ >> >> #define _GNU_SOURCE >> @@ -29,6 +31,12 @@ >> #include "test.h" >> #include "libclone.h" >> #include "userns_helper.h" >> +#include "config.h" >> +#if HAVE_SYS_CAPABILITY_H >> +#include <linux/types.h> >> +#include <sys/capability.h> >> +#endif >> + >> #define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid" >> #define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid" >> >> @@ -43,21 +51,30 @@ static long overflowgid; >> */ >> static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED) >> { >> - int exit_val; >> + int exit_val = 0; >> int uid, gid; >> +#ifdef HAVE_LIBCAP >> + cap_t caps, expectedcaps; >> +#endif >> >> uid = geteuid(); >> gid = getegid(); >> >> tst_resm(TINFO, "USERNS test is running in a new user namespace."); >> - if (uid == overflowuid && gid == overflowgid) { >> - printf("Got expected uid and gid\n"); >> - exit_val = 0; >> - } else { >> + >> + if (uid != overflowuid || gid != overflowgid) { >> printf("Got unexpected result of uid=%d gid=%d\n", uid, gid); >> exit_val = 1; >> } >> >> +#ifdef HAVE_LIBCAP >> + caps = cap_get_proc(); >> + expectedcaps = cap_from_text("=ep"); >> + if (cap_compare(caps, expectedcaps) != 0) > Does this work for you? I'm getting failures. > It seems that cap_from_text sets all bits in the set, > not just those capabilities that are <= CAP_LAST_CAP > and the comparison compares all bits. > > Regards, > Jan > >> + exit_val = 1; >> +#else >> + printf("System doesn't support capabilities.\n"); >> +#endif >> return exit_val; >> } >> >> @@ -96,3 +113,5 @@ int main(int argc, char *argv[]) >> tst_exit(); >> } >> >> + >> + >> -- >> 1.9.1 >> >> > . > ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-03 3:05 ` Yuan Sun @ 2015-07-03 7:43 ` Jan Stancek 2015-07-03 9:13 ` Yuan Sun 0 siblings, 1 reply; 11+ messages in thread From: Jan Stancek @ 2015-07-03 7:43 UTC (permalink / raw) To: Yuan Sun; +Cc: ltp-list ----- Original Message ----- > From: "Yuan Sun" <sunyuan3@huawei.com> > To: "Jan Stancek" <jstancek@redhat.com> > Cc: ltp-list@lists.sourceforge.net > Sent: Friday, 3 July, 2015 5:05:39 AM > Subject: Re: [PATCH V2] userns01: add capability verification > > Hi Jan, > Interesting. It works well in my environment. > What's your environment? I'm on RHEL7.1 with 4.0.4 kernel. Can you please run the following C program: http://fpaste.org/239445/35909330/ and send me the output? This is what I get: # gcc test.c -lcap # ./a.out ffffffff 0000003f ffffffff ffffffff cap_compare: 3 Regards, Jan > > log: > root@p1:/tmp/ltp/testcases/kernel/containers/userns# ./userns01 > user_namespace1 0 TINFO : USERNS test is running in a new user > namespace. > user_namespace1 1 TPASS : uid and gid are right > root@p1:/tmp/ltp/testcases/kernel/containers/userns# > root@p1:/tmp/ltp/testcases/kernel/containers/userns# uname -a > Linux p1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 > x86_64 x86_64 x86_64 GNU/Linux > root@p1:/tmp/ltp/testcases/kernel/containers/userns# cat /etc/issue > Ubuntu 14.04.1 LTS \n \l > > root@p1:/tmp/ltp/testcases/kernel/containers/userns# file /bin/ls > /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), > dynamically linked (uses shared libs), for GNU/Linux 2.6.24, > BuildID[sha1]=64d095bc6589dd4bfbf1c6d62ae985385965461b, stripped > > Thanks. > Yuan > > On 2015/7/2 22:09, Jan Stancek wrote: > > > > > > > > ----- Original Message ----- > >> From: "Yuan Sun" <sunyuan3@huawei.com> > >> To: jstancek@redhat.com > >> Cc: ltp-list@lists.sourceforge.net > >> Sent: Wednesday, 1 July, 2015 6:22:45 AM > >> Subject: [PATCH V2] userns01: add capability verification > >> > >> Signed-off-by: Yuan Sun <sunyuan3@huawei.com> > >> --- > >> testcases/kernel/containers/userns/Makefile | 2 +- > >> testcases/kernel/containers/userns/userns01.c | 31 > >> +++++++++++++++++++++------ > >> 2 files changed, 26 insertions(+), 7 deletions(-) > >> > >> diff --git a/testcases/kernel/containers/userns/Makefile > >> b/testcases/kernel/containers/userns/Makefile > >> index 9f67216..8370bff 100644 > >> --- a/testcases/kernel/containers/userns/Makefile > >> +++ b/testcases/kernel/containers/userns/Makefile > >> @@ -21,6 +21,6 @@ top_srcdir ?= ../../../.. > >> include $(top_srcdir)/include/mk/testcases.mk > >> include $(abs_srcdir)/../Makefile.inc > >> > >> -LDLIBS := -lclone -lltp > >> +LDLIBS := -lclone -lltp $(CAP_LIBS) > >> > >> include $(top_srcdir)/include/mk/generic_leaf_target.mk > >> diff --git a/testcases/kernel/containers/userns/userns01.c > >> b/testcases/kernel/containers/userns/userns01.c > >> index 9cada5e..a9012ac 100644 > >> --- a/testcases/kernel/containers/userns/userns01.c > >> +++ b/testcases/kernel/containers/userns/userns01.c > >> @@ -15,7 +15,9 @@ > >> * Verify that: > >> * If a user ID has no mapping inside the namespace, user ID and group > >> * ID will be the value defined in the file > >> /proc/sys/kernel/overflowuid(65534) > >> - * and /proc/sys/kernel/overflowgid(65534). > >> + * and /proc/sys/kernel/overflowgid(65534). A child process has a full > >> set > >> + * of permitted and effective capabilities, even though the program was > >> + * run from an unprivileged account. > >> */ > >> > >> #define _GNU_SOURCE > >> @@ -29,6 +31,12 @@ > >> #include "test.h" > >> #include "libclone.h" > >> #include "userns_helper.h" > >> +#include "config.h" > >> +#if HAVE_SYS_CAPABILITY_H > >> +#include <linux/types.h> > >> +#include <sys/capability.h> > >> +#endif > >> + > >> #define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid" > >> #define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid" > >> > >> @@ -43,21 +51,30 @@ static long overflowgid; > >> */ > >> static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED) > >> { > >> - int exit_val; > >> + int exit_val = 0; > >> int uid, gid; > >> +#ifdef HAVE_LIBCAP > >> + cap_t caps, expectedcaps; > >> +#endif > >> > >> uid = geteuid(); > >> gid = getegid(); > >> > >> tst_resm(TINFO, "USERNS test is running in a new user namespace."); > >> - if (uid == overflowuid && gid == overflowgid) { > >> - printf("Got expected uid and gid\n"); > >> - exit_val = 0; > >> - } else { > >> + > >> + if (uid != overflowuid || gid != overflowgid) { > >> printf("Got unexpected result of uid=%d gid=%d\n", uid, gid); > >> exit_val = 1; > >> } > >> > >> +#ifdef HAVE_LIBCAP > >> + caps = cap_get_proc(); > >> + expectedcaps = cap_from_text("=ep"); > >> + if (cap_compare(caps, expectedcaps) != 0) > > Does this work for you? I'm getting failures. > > It seems that cap_from_text sets all bits in the set, > > not just those capabilities that are <= CAP_LAST_CAP > > and the comparison compares all bits. > > > > Regards, > > Jan > > > >> + exit_val = 1; > >> +#else > >> + printf("System doesn't support capabilities.\n"); > >> +#endif > >> return exit_val; > >> } > >> > >> @@ -96,3 +113,5 @@ int main(int argc, char *argv[]) > >> tst_exit(); > >> } > >> > >> + > >> + > >> -- > >> 1.9.1 > >> > >> > > . > > > > ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-03 7:43 ` Jan Stancek @ 2015-07-03 9:13 ` Yuan Sun 2015-07-03 9:18 ` Jan Stancek 0 siblings, 1 reply; 11+ messages in thread From: Yuan Sun @ 2015-07-03 9:13 UTC (permalink / raw) To: Jan Stancek; +Cc: ltp-list Hi Jan, The following link is unaccessible because HuaWei's network security strategy. Could you please attach the test.c file for me? http://fpaste.org/239445/35909330/ Thanks. Yuan On 2015/7/3 15:43, Jan Stancek wrote: > > > > ----- Original Message ----- >> From: "Yuan Sun" <sunyuan3@huawei.com> >> To: "Jan Stancek" <jstancek@redhat.com> >> Cc: ltp-list@lists.sourceforge.net >> Sent: Friday, 3 July, 2015 5:05:39 AM >> Subject: Re: [PATCH V2] userns01: add capability verification >> >> Hi Jan, >> Interesting. It works well in my environment. >> What's your environment? > I'm on RHEL7.1 with 4.0.4 kernel. > > Can you please run the following C program: http://fpaste.org/239445/35909330/ > and send me the output? > > This is what I get: > > # gcc test.c -lcap > # ./a.out > ffffffff 0000003f > ffffffff ffffffff > cap_compare: 3 > > Regards, > Jan > >> log: >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# ./userns01 >> user_namespace1 0 TINFO : USERNS test is running in a new user >> namespace. >> user_namespace1 1 TPASS : uid and gid are right >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# uname -a >> Linux p1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 >> x86_64 x86_64 x86_64 GNU/Linux >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# cat /etc/issue >> Ubuntu 14.04.1 LTS \n \l >> >> root@p1:/tmp/ltp/testcases/kernel/containers/userns# file /bin/ls >> /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), >> dynamically linked (uses shared libs), for GNU/Linux 2.6.24, >> BuildID[sha1]=64d095bc6589dd4bfbf1c6d62ae985385965461b, stripped >> >> Thanks. >> Yuan >> >> On 2015/7/2 22:09, Jan Stancek wrote: >>> >>> >>> ----- Original Message ----- >>>> From: "Yuan Sun" <sunyuan3@huawei.com> >>>> To: jstancek@redhat.com >>>> Cc: ltp-list@lists.sourceforge.net >>>> Sent: Wednesday, 1 July, 2015 6:22:45 AM >>>> Subject: [PATCH V2] userns01: add capability verification >>>> >>>> Signed-off-by: Yuan Sun <sunyuan3@huawei.com> >>>> --- >>>> testcases/kernel/containers/userns/Makefile | 2 +- >>>> testcases/kernel/containers/userns/userns01.c | 31 >>>> +++++++++++++++++++++------ >>>> 2 files changed, 26 insertions(+), 7 deletions(-) >>>> >>>> diff --git a/testcases/kernel/containers/userns/Makefile >>>> b/testcases/kernel/containers/userns/Makefile >>>> index 9f67216..8370bff 100644 >>>> --- a/testcases/kernel/containers/userns/Makefile >>>> +++ b/testcases/kernel/containers/userns/Makefile >>>> @@ -21,6 +21,6 @@ top_srcdir ?= ../../../.. >>>> include $(top_srcdir)/include/mk/testcases.mk >>>> include $(abs_srcdir)/../Makefile.inc >>>> >>>> -LDLIBS := -lclone -lltp >>>> +LDLIBS := -lclone -lltp $(CAP_LIBS) >>>> >>>> include $(top_srcdir)/include/mk/generic_leaf_target.mk >>>> diff --git a/testcases/kernel/containers/userns/userns01.c >>>> b/testcases/kernel/containers/userns/userns01.c >>>> index 9cada5e..a9012ac 100644 >>>> --- a/testcases/kernel/containers/userns/userns01.c >>>> +++ b/testcases/kernel/containers/userns/userns01.c >>>> @@ -15,7 +15,9 @@ >>>> * Verify that: >>>> * If a user ID has no mapping inside the namespace, user ID and group >>>> * ID will be the value defined in the file >>>> /proc/sys/kernel/overflowuid(65534) >>>> - * and /proc/sys/kernel/overflowgid(65534). >>>> + * and /proc/sys/kernel/overflowgid(65534). A child process has a full >>>> set >>>> + * of permitted and effective capabilities, even though the program was >>>> + * run from an unprivileged account. >>>> */ >>>> >>>> #define _GNU_SOURCE >>>> @@ -29,6 +31,12 @@ >>>> #include "test.h" >>>> #include "libclone.h" >>>> #include "userns_helper.h" >>>> +#include "config.h" >>>> +#if HAVE_SYS_CAPABILITY_H >>>> +#include <linux/types.h> >>>> +#include <sys/capability.h> >>>> +#endif >>>> + >>>> #define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid" >>>> #define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid" >>>> >>>> @@ -43,21 +51,30 @@ static long overflowgid; >>>> */ >>>> static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED) >>>> { >>>> - int exit_val; >>>> + int exit_val = 0; >>>> int uid, gid; >>>> +#ifdef HAVE_LIBCAP >>>> + cap_t caps, expectedcaps; >>>> +#endif >>>> >>>> uid = geteuid(); >>>> gid = getegid(); >>>> >>>> tst_resm(TINFO, "USERNS test is running in a new user namespace."); >>>> - if (uid == overflowuid && gid == overflowgid) { >>>> - printf("Got expected uid and gid\n"); >>>> - exit_val = 0; >>>> - } else { >>>> + >>>> + if (uid != overflowuid || gid != overflowgid) { >>>> printf("Got unexpected result of uid=%d gid=%d\n", uid, gid); >>>> exit_val = 1; >>>> } >>>> >>>> +#ifdef HAVE_LIBCAP >>>> + caps = cap_get_proc(); >>>> + expectedcaps = cap_from_text("=ep"); >>>> + if (cap_compare(caps, expectedcaps) != 0) >>> Does this work for you? I'm getting failures. >>> It seems that cap_from_text sets all bits in the set, >>> not just those capabilities that are <= CAP_LAST_CAP >>> and the comparison compares all bits. >>> >>> Regards, >>> Jan >>> >>>> + exit_val = 1; >>>> +#else >>>> + printf("System doesn't support capabilities.\n"); >>>> +#endif >>>> return exit_val; >>>> } >>>> >>>> @@ -96,3 +113,5 @@ int main(int argc, char *argv[]) >>>> tst_exit(); >>>> } >>>> >>>> + >>>> + >>>> -- >>>> 1.9.1 >>>> >>>> >>> . >>> >> > . > ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-03 9:13 ` Yuan Sun @ 2015-07-03 9:18 ` Jan Stancek 2015-07-03 9:24 ` Yuan Sun 0 siblings, 1 reply; 11+ messages in thread From: Jan Stancek @ 2015-07-03 9:18 UTC (permalink / raw) To: Yuan Sun; +Cc: ltp-list [-- Attachment #1: Type: text/plain, Size: 320 bytes --] On Fri, Jul 03, 2015 at 05:13:37PM +0800, Yuan Sun wrote: > Hi Jan, > The following link is unaccessible because HuaWei's network > security strategy. > Could you please attach the test.c file for me? > http://fpaste.org/239445/35909330/ Was afraid my web email client would mangle it. Attached. Regards, Jan [-- Attachment #2: test.c --] [-- Type: text/plain, Size: 1094 bytes --] #include <linux/types.h> #include <sys/capability.h> #include <stdio.h> #define NUMBER_OF_CAP_SETS 3 #if defined(_LINUX_CAPABILITY_VERSION_3) # if (_LINUX_CAPABILITY_VERSION_3 != 0x20080522) # error Kernel <linux/capability.h> v3 does not match library # error file "libcap.h" --> fix and recompile libcap # else # define _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 # define _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 # endif #endif struct _cap_struct { struct __user_cap_header_struct head; union { struct __user_cap_data_struct set; __u32 flat[NUMBER_OF_CAP_SETS]; } u[_LIBCAP_CAPABILITY_U32S]; }; int main(void) { cap_t caps, expectedcaps; int i; caps = cap_get_proc(); expectedcaps = cap_from_text("=ep"); for (i = 0; i < _LIBCAP_CAPABILITY_U32S; i++) printf("%08x ", caps->u[i].flat[CAP_EFFECTIVE]); printf("\n"); for (i = 0; i < _LIBCAP_CAPABILITY_U32S; i++) printf("%08x ", expectedcaps->u[i].flat[CAP_EFFECTIVE]); printf("\n"); printf("cap_compare: %d\n", cap_compare(caps, expectedcaps)); return 0; } [-- Attachment #3: Type: text/plain, Size: 351 bytes --] ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ [-- Attachment #4: Type: text/plain, Size: 155 bytes --] _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-03 9:18 ` Jan Stancek @ 2015-07-03 9:24 ` Yuan Sun 2015-07-03 9:32 ` Jan Stancek 0 siblings, 1 reply; 11+ messages in thread From: Yuan Sun @ 2015-07-03 9:24 UTC (permalink / raw) To: Jan Stancek; +Cc: ltp-list Interesting. Log is as follow. I will have a research. log: root@ubuntu:/tmp/tt# gcc test.c -lcap root@ubuntu:/tmp/tt# ls a.out test.c root@ubuntu:/tmp/tt# ./a.out ffffffff ffffffff ffffffff ffffffff cap_compare: 0 On 2015/7/3 17:18, Jan Stancek wrote: > On Fri, Jul 03, 2015 at 05:13:37PM +0800, Yuan Sun wrote: >> Hi Jan, >> The following link is unaccessible because HuaWei's network >> security strategy. >> Could you please attach the test.c file for me? >> http://fpaste.org/239445/35909330/ > Was afraid my web email client would mangle it. Attached. > > Regards, > Jan > ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-03 9:24 ` Yuan Sun @ 2015-07-03 9:32 ` Jan Stancek 2015-07-03 9:37 ` Yuan Sun 0 siblings, 1 reply; 11+ messages in thread From: Jan Stancek @ 2015-07-03 9:32 UTC (permalink / raw) To: Yuan Sun; +Cc: ltp-list ----- Original Message ----- > From: "Yuan Sun" <sunyuan3@huawei.com> > To: "Jan Stancek" <jstancek@redhat.com> > Cc: ltp-list@lists.sourceforge.net > Sent: Friday, 3 July, 2015 11:24:11 AM > Subject: Re: [PATCH V2] userns01: add capability verification > > > Interesting. Log is as follow. I will have a research. > > log: > root@ubuntu:/tmp/tt# gcc test.c -lcap > root@ubuntu:/tmp/tt# ls > a.out test.c > root@ubuntu:/tmp/tt# ./a.out > ffffffff ffffffff > ffffffff ffffffff > cap_compare: 0 How about if you run this as root: # cat /proc/self/status | grep CapEff CapEff: 0000003fffffffff > > > On 2015/7/3 17:18, Jan Stancek wrote: > > On Fri, Jul 03, 2015 at 05:13:37PM +0800, Yuan Sun wrote: > >> Hi Jan, > >> The following link is unaccessible because HuaWei's network > >> security strategy. > >> Could you please attach the test.c file for me? > >> http://fpaste.org/239445/35909330/ > > Was afraid my web email client would mangle it. Attached. > > > > Regards, > > Jan > > > > ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-03 9:32 ` Jan Stancek @ 2015-07-03 9:37 ` Yuan Sun 2015-07-03 10:27 ` Jan Stancek 0 siblings, 1 reply; 11+ messages in thread From: Yuan Sun @ 2015-07-03 9:37 UTC (permalink / raw) To: Jan Stancek; +Cc: ltp-list Log is as follow. I am not clear if new feature is added. log: root@ubuntu:~# cat /proc/self/status | grep CapEff CapEff: 0000001fffffffff On 2015/7/3 17:32, Jan Stancek wrote: > > > > ----- Original Message ----- >> From: "Yuan Sun" <sunyuan3@huawei.com> >> To: "Jan Stancek" <jstancek@redhat.com> >> Cc: ltp-list@lists.sourceforge.net >> Sent: Friday, 3 July, 2015 11:24:11 AM >> Subject: Re: [PATCH V2] userns01: add capability verification >> >> >> Interesting. Log is as follow. I will have a research. >> >> log: >> root@ubuntu:/tmp/tt# gcc test.c -lcap >> root@ubuntu:/tmp/tt# ls >> a.out test.c >> root@ubuntu:/tmp/tt# ./a.out >> ffffffff ffffffff >> ffffffff ffffffff >> cap_compare: 0 > How about if you run this as root: > > # cat /proc/self/status | grep CapEff > CapEff: 0000003fffffffff > > > >> >> On 2015/7/3 17:18, Jan Stancek wrote: >>> On Fri, Jul 03, 2015 at 05:13:37PM +0800, Yuan Sun wrote: >>>> Hi Jan, >>>> The following link is unaccessible because HuaWei's network >>>> security strategy. >>>> Could you please attach the test.c file for me? >>>> http://fpaste.org/239445/35909330/ >>> Was afraid my web email client would mangle it. Attached. >>> >>> Regards, >>> Jan >>> >> > ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-03 9:37 ` Yuan Sun @ 2015-07-03 10:27 ` Jan Stancek 2015-07-03 10:51 ` Jan Stancek 0 siblings, 1 reply; 11+ messages in thread From: Jan Stancek @ 2015-07-03 10:27 UTC (permalink / raw) To: Yuan Sun; +Cc: ltp-list ----- Original Message ----- > From: "Yuan Sun" <sunyuan3@huawei.com> > To: "Jan Stancek" <jstancek@redhat.com> > Cc: ltp-list@lists.sourceforge.net > Sent: Friday, 3 July, 2015 11:37:45 AM > Subject: Re: [PATCH V2] userns01: add capability verification > > > Log is as follow. I am not clear if new feature is added. I have installed "ubuntu-15.04-server-amd64.iso" and I get the same failure: root@ubuntu:~# apt-cache show libcap2 | grep Vers Version: 1:2.24-6 root@ubuntu:~# uname -r 3.19.0-15-generic root@ubuntu:~# cat /proc/self/status | grep Eff CapEff: 0000003fffffffff root@ubuntu:~# ./a.out ffffffff 0000003f ffffffff ffffffff cap_compare: 3 Regards, Jan ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [LTP] [PATCH V2] userns01: add capability verification 2015-07-03 10:27 ` Jan Stancek @ 2015-07-03 10:51 ` Jan Stancek 0 siblings, 0 replies; 11+ messages in thread From: Jan Stancek @ 2015-07-03 10:51 UTC (permalink / raw) To: Yuan Sun; +Cc: ltp-list ----- Original Message ----- > From: "Jan Stancek" <jstancek@redhat.com> > To: "Yuan Sun" <sunyuan3@huawei.com> > Cc: ltp-list@lists.sourceforge.net > Sent: Friday, 3 July, 2015 12:27:49 PM > Subject: Re: [LTP] [PATCH V2] userns01: add capability verification > > > > > > ----- Original Message ----- > > From: "Yuan Sun" <sunyuan3@huawei.com> > > To: "Jan Stancek" <jstancek@redhat.com> > > Cc: ltp-list@lists.sourceforge.net > > Sent: Friday, 3 July, 2015 11:37:45 AM > > Subject: Re: [PATCH V2] userns01: add capability verification > > > > > > Log is as follow. I am not clear if new feature is added. > > I have installed "ubuntu-15.04-server-amd64.iso" and I get > the same failure: > > root@ubuntu:~# apt-cache show libcap2 | grep Vers > Version: 1:2.24-6 > > root@ubuntu:~# uname -r > 3.19.0-15-generic > > root@ubuntu:~# cat /proc/self/status | grep Eff > CapEff: 0000003fffffffff > > root@ubuntu:~# ./a.out > ffffffff 0000003f > ffffffff ffffffff > cap_compare: 3 Since this doesn't work on multiple distros, I'm thinking about this as alternative (plus checking ret code from cap_get_flag): int i, last_cap; cap_flag_value_t flag_val; SAFE_FILE_SCANF(NULL, "/proc/sys/kernel/cap_last_cap", "%d", &last_cap); for (i = 0; i <= last_cap; i++) { cap_get_flag(caps, i, CAP_EFFECTIVE, &flag_val); if (flag_val == 0) break; cap_get_flag(caps, i, CAP_PERMITTED, &flag_val); if (flag_val == 0) break; } if (flag_val == 0) { printf("unexpected effective/permitted caps\n"); exit_val = 1; } > > Regards, > Jan > > ------------------------------------------------------------------------------ > Don't Limit Your Business. Reach for the Cloud. > GigeNET's Cloud Solutions provide you with the tools and support that > you need to offload your IT needs and focus on growing your business. > Configured For All Businesses. Start Your Cloud Today. > https://www.gigenetcloud.com/ > _______________________________________________ > Ltp-list mailing list > Ltp-list@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/ltp-list > ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2015-07-03 10:51 UTC | newest] Thread overview: 11+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-07-01 4:22 [LTP] [PATCH V2] userns01: add capability verification Yuan Sun 2015-07-02 14:09 ` Jan Stancek 2015-07-03 3:05 ` Yuan Sun 2015-07-03 7:43 ` Jan Stancek 2015-07-03 9:13 ` Yuan Sun 2015-07-03 9:18 ` Jan Stancek 2015-07-03 9:24 ` Yuan Sun 2015-07-03 9:32 ` Jan Stancek 2015-07-03 9:37 ` Yuan Sun 2015-07-03 10:27 ` Jan Stancek 2015-07-03 10:51 ` Jan Stancek
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox