[mirror_lxc.git] / src / tests / lxc-test-no-new-privs

#!/bin/bash

# lxc: linux Container library

# Authors:
# Christian Brauner <christian.brauner@mailbox.org>
#
# This is a test script for PR_SET_NO_NEW_PRIVS

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

set -eux

DONE=0
cleanup() {
	cd /
	lxc-destroy -n c1 -f || true
	if [ $DONE -eq 0 ]; then
		echo "FAIL"
		exit 1
	fi
	echo "PASS"
}

trap cleanup EXIT SIGHUP SIGINT SIGTERM

mkdir -p /etc/lxc/
cat > /etc/lxc/default.conf << EOF
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
EOF

ARCH=i386
if type dpkg >/dev/null 2>&1; then
	ARCH=$(dpkg --print-architecture)
fi

lxc-create -t download -n c1 -- -d ubuntu -r xenial -a $ARCH
echo "lxc.no_new_privs = 1" >> /var/lib/lxc/c1/config

lxc-start -n c1
p1=$(lxc-info -n c1 -p -H)
[ "$p1" != "-1" ] || { echo "Failed to start container c1 (run $count)"; false; }
sleep 5s
lxc-attach -n c1 --clear-env -- apt update -y
lxc-attach -n c1 --clear-env -- apt install -y gcc make

# Here documents don't seem to like sudo -i.
lxc-attach -n c1 --clear-env -- /bin/bash -c "cat <<EOF > /nnptest.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
      printf(\"%d\n\", geteuid());
}
EOF"
lxc-attach -n c1 --clear-env -- cat /nnptest.c
lxc-attach -n c1 --clear-env -- make -C / nnptest
lxc-attach -n c1 --clear-env -- chmod u+s /nnptest

# Check that lxc-attach obeys PR_SET_NO_NEW_PRIVS when it is set.
NNP_EUID=$(lxc-attach -n c1 --clear-env -- sudo -u ubuntu /nnptest)
if [ "$NNP_EUID" -ne 1000 ]; then
	exit 1
fi
lxc-stop -n c1 -k

# Check that lxc-attach obeys PR_SET_NO_NEW_PRIVS when it is not set.
sed -i 's/lxc.no_new_privs = 1/lxc.no_new_privs = 0/' /var/lib/lxc/c1/config
lxc-start -n c1
NNP_EUID=$(lxc-attach -n c1 --clear-env -- sudo -u ubuntu /nnptest)
if [ "$NNP_EUID" -ne 0 ]; then
	exit 1
fi
lxc-stop -n c1 -k

# Check that lxc-execute and lxc-start obey PR_SET_NO_NEW_PRIVS when it is set.
NNP_EUID=$(lxc-execute -n c1 -- sudo -u ubuntu /nnptest)
if [ "$NNP_EUID" -ne 0 ]; then
	exit 1
fi

# Check that lxc-execute and lxc-start obey PR_SET_NO_NEW_PRIVS when it is not set.
sed -i 's/lxc.no_new_privs = 0/lxc.no_new_privs = 1/' /var/lib/lxc/c1/config
NNP_EUID=$(lxc-execute -n c1 -- sudo -u ubuntu /nnptest)
if [ "$NNP_EUID" -ne 1000 ]; then
	exit 1
fi

DONE=1
Commit	Line	Data
bca94305 CB	1	#!/bin/bash
	2
	3	# lxc: linux Container library
	4
	5	# Authors:
	6	# Christian Brauner <christian.brauner@mailbox.org>
	7	#
	8	# This is a test script for PR_SET_NO_NEW_PRIVS
	9
	10	# This library is free software; you can redistribute it and/or
	11	# modify it under the terms of the GNU Lesser General Public
	12	# License as published by the Free Software Foundation; either
	13	# version 2.1 of the License, or (at your option) any later version.
	14
	15	# This library is distributed in the hope that it will be useful,
	16	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	# Lesser General Public License for more details.
	19
	20	# You should have received a copy of the GNU Lesser General Public
	21	# License along with this library; if not, write to the Free Software
	22	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
	23
	24	set -eux
	25
	26	DONE=0
	27	cleanup() {
	28	cd /
	29	lxc-destroy -n c1 -f \|\| true
	30	if [ $DONE -eq 0 ]; then
	31	echo "FAIL"
	32	exit 1
	33	fi
	34	echo "PASS"
	35	}
	36
	37	trap cleanup EXIT SIGHUP SIGINT SIGTERM
	38
	39	mkdir -p /etc/lxc/
	40	cat > /etc/lxc/default.conf << EOF
7fa3f2e9	41	lxc.net.0.type = veth
7fa3f2e9	42	lxc.net.0.link = lxcbr0
bca94305 CB	43	EOF
	44
	45	ARCH=i386
	46	if type dpkg >/dev/null 2>&1; then
	47	ARCH=$(dpkg --print-architecture)
	48	fi
	49
	50	lxc-create -t download -n c1 -- -d ubuntu -r xenial -a $ARCH
	51	echo "lxc.no_new_privs = 1" >> /var/lib/lxc/c1/config
	52
	53	lxc-start -n c1
	54	p1=$(lxc-info -n c1 -p -H)
	55	[ "$p1" != "-1" ] \|\| { echo "Failed to start container c1 (run $count)"; false; }
	56	sleep 5s
	57	lxc-attach -n c1 --clear-env -- apt update -y
	58	lxc-attach -n c1 --clear-env -- apt install -y gcc make
	59
	60	# Here documents don't seem to like sudo -i.
	61	lxc-attach -n c1 --clear-env -- /bin/bash -c "cat <<EOF > /nnptest.c
	62	#include <stdio.h>
	63	#include <unistd.h>
	64	#include <sys/types.h>
	65
	66	int main(int argc, char *argv[])
	67	{
	68	printf(\"%d\n\", geteuid());
	69	}
	70	EOF"
	71	lxc-attach -n c1 --clear-env -- cat /nnptest.c
	72	lxc-attach -n c1 --clear-env -- make -C / nnptest
	73	lxc-attach -n c1 --clear-env -- chmod u+s /nnptest
	74
	75	# Check that lxc-attach obeys PR_SET_NO_NEW_PRIVS when it is set.
	76	NNP_EUID=$(lxc-attach -n c1 --clear-env -- sudo -u ubuntu /nnptest)
	77	if [ "$NNP_EUID" -ne 1000 ]; then
	78	exit 1
	79	fi
	80	lxc-stop -n c1 -k
	81
	82	# Check that lxc-attach obeys PR_SET_NO_NEW_PRIVS when it is not set.
	83	sed -i 's/lxc.no_new_privs = 1/lxc.no_new_privs = 0/' /var/lib/lxc/c1/config
	84	lxc-start -n c1
	85	NNP_EUID=$(lxc-attach -n c1 --clear-env -- sudo -u ubuntu /nnptest)
	86	if [ "$NNP_EUID" -ne 0 ]; then
	87	exit 1
	88	fi
	89	lxc-stop -n c1 -k
	90
	91	# Check that lxc-execute and lxc-start obey PR_SET_NO_NEW_PRIVS when it is set.
	92	NNP_EUID=$(lxc-execute -n c1 -- sudo -u ubuntu /nnptest)
	93	if [ "$NNP_EUID" -ne 0 ]; then
	94	exit 1
	95	fi
	96
	97	# Check that lxc-execute and lxc-start obey PR_SET_NO_NEW_PRIVS when it is not set.
	98	sed -i 's/lxc.no_new_privs = 0/lxc.no_new_privs = 1/' /var/lib/lxc/c1/config
	99	NNP_EUID=$(lxc-execute -n c1 -- sudo -u ubuntu /nnptest)
	100	if [ "$NNP_EUID" -ne 1000 ]; then
	101	exit 1
	102	fi
	103
	104	DONE=1