#!/bin/bash

# lxc: linux Container library

# Authors:
# Christian Brauner <christian.brauner@mailbox.org>
#
# This is a test script for PR_SET_NO_NEW_PRIVS

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# Usage: run on a host with lxc installed (it writes /etc/lxc/default.conf and
# creates a container named c1, so it presumably needs root). It exercises
# lxc.no_new_privs through lxc-attach and lxc-execute and prints PASS or FAIL
# from the EXIT trap.

# errexit: stop at the first failing command; nounset: an unbound variable is
# an error; xtrace: echo every command so the test log shows what ran.
set -o errexit -o nounset -o xtrace

# Flipped to 1 only after the last check; the EXIT handler reports PASS/FAIL from it.
DONE=0
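#######################################
# EXIT/signal handler: destroys the test container and reports the verdict.
# Globals:  DONE (read) - 1 only when every check passed
# Outputs:  "PASS" or "FAIL" on stdout
# Returns:  exits 1 on FAIL; on PASS returns 0 and the script's own exit
#           status is kept
#######################################
cleanup() {
  # Disarm the traps first: when a signal trap calls exit, the EXIT trap would
  # otherwise run this handler a second time (double destroy, double verdict).
  trap - EXIT SIGHUP SIGINT SIGTERM
  cd /
  # Best effort: the container may not exist yet if lxc-create failed.
  lxc-destroy -n c1 -f || true
  if [ "$DONE" -eq 0 ]; then
    printf '%s\n' "FAIL"
    exit 1
  fi
  printf '%s\n' "PASS"
}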
# Run cleanup on normal exit, on an errexit abort, and on HUP/INT/TERM so the
# container is always destroyed and a verdict is always printed.
trap cleanup EXIT HUP INT TERM
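# Minimal host-side default config so the container gets a veth NIC on lxcbr0
# (the apt steps below need network access).
# Quoted delimiter: the config is copied literally, no shell expansion, even if
# a later edit adds a value containing `$`.
mkdir -p /etc/lxc/
cat > /etc/lxc/default.conf <<'EOF'
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
EOF
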
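# Architecture passed to the download template: match the host's dpkg
# architecture when dpkg is available, otherwise fall back to i386.
# command -v is the portable "is tool installed?" check.
ARCH=i386
if command -v dpkg >/dev/null 2>&1; then
  ARCH=$(dpkg --print-architecture)
fi
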
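# Create the Ubuntu xenial test container and switch no_new_privs on for it.
lxc-create -t download -n c1 -- -d ubuntu -r xenial -a "$ARCH"
printf '%s\n' "lxc.no_new_privs = 1" >> /var/lib/lxc/c1/config

lxc-start -n c1
# The check below treats a reported PID of -1 as "container not running".
# The message no longer references $count, which was never set and would have
# tripped nounset before anything was printed.
p1=$(lxc-info -n c1 -p -H)
if [ "$p1" = "-1" ]; then
  printf '%s\n' "Failed to start container c1" >&2
  exit 1
fi
# Give the container time to settle (presumably networking) before using apt.
sleep 5s
lxc-attach -n c1 --clear-env -- apt update -y
lxc-attach -n c1 --clear-env -- apt install -y gcc make
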
# Build the probe binary inside the container: it prints its effective uid.
# It is installed setuid root, so the checks below can tell whether the
# setuid bit took effect (euid 0) or was ignored under no_new_privs.
# Here documents don't seem to like sudo -i, hence the bash -c wrapper.
in_c1() {
  lxc-attach -n c1 --clear-env -- "$@"
}

in_c1 /bin/bash -c "cat <<EOF > /nnptest.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
printf(\"%d\n\", geteuid());
}
EOF"
in_c1 cat /nnptest.c
in_c1 make -C / nnptest
in_c1 chmod u+s /nnptest

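#######################################
# Aborts the run unless the observed euid equals the expected one.
# Compares as strings on purpose: an empty or non-numeric value (probe never
# ran, printed nothing) must fail, whereas `[ "" -ne 1000 ]` only errors out
# and the enclosing `if` then silently skips the exit.
# Arguments: $1 - description of the check
#            $2 - expected euid
#            $3 - observed euid (output of the probe; may be empty)
# Outputs:   diagnostic on stderr when the check fails
# Returns:   0 when equal; exits 1 otherwise
#######################################
expect_euid() {
  if [ "$3" != "$2" ]; then
    printf 'FAIL: %s: expected euid %s, got "%s"\n' "$1" "$2" "$3" >&2
    exit 1
  fi
}

# Check that lxc-attach obeys PR_SET_NO_NEW_PRIVS when it is set:
# the setuid bit on /nnptest is ignored, so the euid stays that of the
# ubuntu user (1000 per this check).
NNP_EUID=$(lxc-attach -n c1 --clear-env -- sudo -u ubuntu /nnptest)
expect_euid "lxc-attach with no_new_privs=1" 1000 "$NNP_EUID"
lxc-stop -n c1 -k

# Check that lxc-attach obeys PR_SET_NO_NEW_PRIVS when it is not set:
# the setuid bit takes effect and the euid is 0.
sed -i 's/lxc.no_new_privs = 1/lxc.no_new_privs = 0/' /var/lib/lxc/c1/config
lxc-start -n c1
NNP_EUID=$(lxc-attach -n c1 --clear-env -- sudo -u ubuntu /nnptest)
expect_euid "lxc-attach with no_new_privs=0" 0 "$NNP_EUID"
lxc-stop -n c1 -k

# Check that lxc-execute and lxc-start obey PR_SET_NO_NEW_PRIVS when it is
# not set (the config still says 0 at this point).
NNP_EUID=$(lxc-execute -n c1 -- sudo -u ubuntu /nnptest)
expect_euid "lxc-execute with no_new_privs=0" 0 "$NNP_EUID"

# Check that lxc-execute and lxc-start obey PR_SET_NO_NEW_PRIVS when it is set.
sed -i 's/lxc.no_new_privs = 0/lxc.no_new_privs = 1/' /var/lib/lxc/c1/config
NNP_EUID=$(lxc-execute -n c1 -- sudo -u ubuntu /nnptest)
expect_euid "lxc-execute with no_new_privs=1" 1000 "$NNP_EUID"

# Every check passed: the EXIT handler reports PASS from this flag.
DONE=1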