public inbox for ltp@lists.linux.it
From: Yuan Sun <sunyuan3@huawei.com>
To: Jan Stancek <jstancek@redhat.com>
Cc: ltp-list@lists.sourceforge.net
Subject: Re: [LTP] [PATCH V2] userns01: add capability verification
Date: Fri, 3 Jul 2015 17:13:37 +0800
Message-ID: <55965241.5020206@huawei.com>
In-Reply-To: <1526251635.12159899.1435909417100.JavaMail.zimbra@redhat.com>

Hi Jan,
     The following link is inaccessible because of Huawei's network
security strategy.
     Could you please attach the test.c file for me?
http://fpaste.org/239445/35909330/

     Thanks.
         Yuan

On 2015/7/3 15:43, Jan Stancek wrote:
>
>
>
> ----- Original Message -----
>> From: "Yuan Sun" <sunyuan3@huawei.com>
>> To: "Jan Stancek" <jstancek@redhat.com>
>> Cc: ltp-list@lists.sourceforge.net
>> Sent: Friday, 3 July, 2015 5:05:39 AM
>> Subject: Re: [PATCH V2] userns01: add capability verification
>>
>> Hi Jan,
>>       Interesting. It works well in my environment.
>> What's your environment?
> I'm on RHEL7.1 with 4.0.4 kernel.
>
> Can you please run the following C program: http://fpaste.org/239445/35909330/
> and send me the output?
>
> This is what I get:
>
> # gcc test.c -lcap
> # ./a.out
> ffffffff 0000003f
> ffffffff ffffffff
> cap_compare: 3
>
> Regards,
> Jan
>
>> log:
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns# ./userns01
>> user_namespace1    0  TINFO  :  USERNS test is running in a new user
>> namespace.
>> user_namespace1    1  TPASS  :  uid and gid are right
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns#
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns# uname -a
>> Linux p1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014
>> x86_64 x86_64 x86_64 GNU/Linux
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns# cat /etc/issue
>> Ubuntu 14.04.1 LTS \n \l
>>
>> root@p1:/tmp/ltp/testcases/kernel/containers/userns# file /bin/ls
>> /bin/ls: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV),
>> dynamically linked (uses shared libs), for GNU/Linux 2.6.24,
>> BuildID[sha1]=64d095bc6589dd4bfbf1c6d62ae985385965461b, stripped
>>
>> Thanks.
>>       Yuan
>>
>> On 2015/7/2 22:09, Jan Stancek wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Yuan Sun" <sunyuan3@huawei.com>
>>>> To: jstancek@redhat.com
>>>> Cc: ltp-list@lists.sourceforge.net
>>>> Sent: Wednesday, 1 July, 2015 6:22:45 AM
>>>> Subject: [PATCH V2] userns01: add capability verification
>>>>
>>>> Signed-off-by: Yuan Sun <sunyuan3@huawei.com>
>>>> ---
>>>>    testcases/kernel/containers/userns/Makefile   |  2 +-
>>>>    testcases/kernel/containers/userns/userns01.c | 31
>>>>    +++++++++++++++++++++------
>>>>    2 files changed, 26 insertions(+), 7 deletions(-)
>>>>
>>>> diff --git a/testcases/kernel/containers/userns/Makefile
>>>> b/testcases/kernel/containers/userns/Makefile
>>>> index 9f67216..8370bff 100644
>>>> --- a/testcases/kernel/containers/userns/Makefile
>>>> +++ b/testcases/kernel/containers/userns/Makefile
>>>> @@ -21,6 +21,6 @@ top_srcdir		?= ../../../..
>>>>    include $(top_srcdir)/include/mk/testcases.mk
>>>>    include $(abs_srcdir)/../Makefile.inc
>>>>    
>>>> -LDLIBS			:= -lclone -lltp
>>>> +LDLIBS			:= -lclone -lltp $(CAP_LIBS)
>>>>    
>>>>    include $(top_srcdir)/include/mk/generic_leaf_target.mk
>>>> diff --git a/testcases/kernel/containers/userns/userns01.c
>>>> b/testcases/kernel/containers/userns/userns01.c
>>>> index 9cada5e..a9012ac 100644
>>>> --- a/testcases/kernel/containers/userns/userns01.c
>>>> +++ b/testcases/kernel/containers/userns/userns01.c
>>>> @@ -15,7 +15,9 @@
>>>>     * Verify that:
>>>>     *  If a user ID has no mapping inside the namespace, user ID and group
>>>>     * ID will be the value defined in the file
>>>>     /proc/sys/kernel/overflowuid(65534)
>>>> - * and /proc/sys/kernel/overflowgid(65534).
>>>> + * and /proc/sys/kernel/overflowgid(65534). A child process has a full
>>>> set
>>>> + * of permitted and effective capabilities, even though the program was
>>>> + * run from an unprivileged account.
>>>>     */
>>>>    
>>>>    #define _GNU_SOURCE
>>>> @@ -29,6 +31,12 @@
>>>>    #include "test.h"
>>>>    #include "libclone.h"
>>>>    #include "userns_helper.h"
>>>> +#include "config.h"
>>>> +#if HAVE_SYS_CAPABILITY_H
>>>> +#include <linux/types.h>
>>>> +#include <sys/capability.h>
>>>> +#endif
>>>> +
>>>>    #define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid"
>>>>    #define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid"
>>>>    
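Review bot: the new includes are guarded with "#if HAVE_SYS_CAPABILITY_H", but child_fn1() declares cap_t and calls the cap_*() functions under "#ifdef HAVE_LIBCAP". If only one of the two macros is defined, the file either fails to compile (cap_t undeclared) or pulls in a header it never uses. Guard the includes and the code with the same macro, and use the same form (#if or #ifdef) in both places.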
>>>> @@ -43,21 +51,30 @@ static long overflowgid;
>>>>     */
>>>>    static int child_fn1(void *arg LTP_ATTRIBUTE_UNUSED)
>>>>    {
>>>> -	int exit_val;
>>>> +	int exit_val = 0;
>>>>    	int uid, gid;
>>>> +#ifdef HAVE_LIBCAP
>>>> +	cap_t caps, expectedcaps;
>>>> +#endif
>>>>    
>>>>    	uid = geteuid();
>>>>    	gid = getegid();
>>>>    
>>>>    	tst_resm(TINFO, "USERNS test is running in a new user namespace.");
>>>> -	if (uid == overflowuid && gid == overflowgid) {
>>>> -		printf("Got expected uid and gid\n");
>>>> -		exit_val = 0;
>>>> -	} else {
>>>> +
>>>> +	if (uid != overflowuid || gid != overflowgid) {
>>>>    		printf("Got unexpected result of uid=%d gid=%d\n", uid, gid);
>>>>    		exit_val = 1;
>>>>    	}
>>>>    
>>>> +#ifdef HAVE_LIBCAP
>>>> +	caps = cap_get_proc();
>>>> +	expectedcaps = cap_from_text("=ep");
>>>> +	if (cap_compare(caps, expectedcaps) != 0)
>>> Does this work for you? I'm getting failures.
>>> It seems that cap_from_text sets all bits in the set,
>>> not just those capabilities that are <= CAP_LAST_CAP
>>> and the comparison compares all bits.
>>>
>>> Regards,
>>> Jan
>>>
>>>> +		exit_val = 1;
>>>> +#else
>>>> +	printf("System doesn't support capabilities.\n");
>>>> +#endif
>>>>    	return exit_val;
>>>>    }
>>>>    
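Review bot: in child_fn1() the results of cap_get_proc() and cap_from_text("=ep") go straight into cap_compare() without a NULL check and are never released with cap_free(). Check both return values, free both sets before returning, and print a message when the comparison fails, as the uid/gid branch does, so that an exit_val of 1 tells the reader which check tripped. The #else branch is selected at build time, so its message would be more accurate as "built without libcap" than "System doesn't support capabilities."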
>>>> @@ -96,3 +113,5 @@ int main(int argc, char *argv[])
>>>>    	tst_exit();
>>>>    }
>>>>    
>>>> +
>>>> +
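Review bot: two blank lines are added at the end of userns01.c after main(); trailing blank lines at end of file are whitespace noise, so this hunk should be dropped from the patch.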
>>>> --
>>>> 1.9.1
>>>>
>>>>
>>> .
>>>
>>
> .
>
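The comparison problem raised in the quoted review (every bit set by "=ep" versus only the capabilities the kernel defines), shown as an added example that is not part of the thread or of LTP: it masks both sets to the bits up to the kernel's last capability before comparing. The sample values are constructed to mirror the two output lines quoted above, on the assumption that each line is the low and then the high 32-bit word of one set; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Bits 0..last_cap set: the capabilities the running kernel defines. */
static uint64_t valid_cap_mask(int last_cap)
{
	if (last_cap < 0)
		return 0;
	if (last_cap >= 63)
		return UINT64_MAX;
	return (UINT64_C(1) << (last_cap + 1)) - 1;
}

/* Highest capability number known to the kernel, or -1 if unreadable. */
static int read_last_cap(void)
{
	int last_cap = -1;
	FILE *f = fopen("/proc/sys/kernel/cap_last_cap", "r");

	if (!f)
		return -1;
	if (fscanf(f, "%d", &last_cap) != 1)
		last_cap = -1;
	fclose(f);
	return last_cap;
}

/* Nonzero if the sets differ in any capability the kernel defines. */
static int caps_differ(uint64_t have, uint64_t want, int last_cap)
{
	return ((have ^ want) & valid_cap_mask(last_cap)) != 0;
}

int main(void)
{
	/* Constructed sample values (assumption: low word, then high word). */
	uint64_t have = UINT64_C(0x0000003fffffffff);
	uint64_t want = UINT64_MAX;	/* every bit set */
	int last_cap = read_last_cap();

	if (last_cap < 0)
		last_cap = 37;	/* assumed fallback matching the 0x3f high word */
	printf("raw compare differs: %d\n", have != want);
	printf("masked compare differs (last_cap=%d): %d\n",
	       last_cap, caps_differ(have, want, last_cap));
	return 0;
}
```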

