src/tests/lxc-test-mount-injection
src/tests/lxc-test-sys-mixed
src/tests/lxc-test-rootfs-options
-src/tests/lxc-test-capabilities-allow
+src/tests/lxc-test-capabilities
config/compile
config/config.guess
endif
endif
-lxc_test_capabilities_allow_SOURCES = capabilities_allow.c \
+lxc_test_capabilities_SOURCES = capabilities.c \
../lxc/af_unix.c ../lxc/af_unix.h \
../lxc/caps.c ../lxc/caps.h \
../lxc/cgroups/cgfsng.c \
../lxc/uuid.c ../lxc/uuid.h \
$(LSM_SOURCES)
if ENABLE_SECCOMP
-lxc_test_capabilities_allow_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+lxc_test_capabilities_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
endif
if !HAVE_STRCHRNUL
-lxc_test_capabilities_allow_SOURCES += ../include/strchrnul.c ../include/strchrnul.h
+lxc_test_capabilities_SOURCES += ../include/strchrnul.c ../include/strchrnul.h
endif
if !HAVE_STRLCPY
-lxc_test_capabilities_allow_SOURCES += ../include/strlcpy.c ../include/strlcpy.h
+lxc_test_capabilities_SOURCES += ../include/strlcpy.c ../include/strlcpy.h
endif
if !HAVE_STRLCAT
-lxc_test_capabilities_allow_SOURCES += ../include/strlcat.c ../include/strlcat.h
+lxc_test_capabilities_SOURCES += ../include/strlcat.c ../include/strlcat.h
endif
if !HAVE_OPENPTY
-lxc_test_capabilities_allow_SOURCES += ../include/openpty.c ../include/openpty.h
+lxc_test_capabilities_SOURCES += ../include/openpty.c ../include/openpty.h
endif
if IS_BIONIC
-lxc_test_capabilities_allow_SOURCES += ../include/fexecve.c ../include/fexecve.h \
+lxc_test_capabilities_SOURCES += ../include/fexecve.c ../include/fexecve.h \
../include/lxcmntent.c ../include/lxcmntent.h
endif
if !HAVE_GETGRGID_R
-lxc_test_capabilities_allow_SOURCES += ../include/getgrgid_r.c ../include/getgrgid_r.h
+lxc_test_capabilities_SOURCES += ../include/getgrgid_r.c ../include/getgrgid_r.h
endif
if !HAVE_PRLIMIT
if HAVE_PRLIMIT64
-lxc_test_capabilities_allow_SOURCES += ../include/prlimit.c ../include/prlimit.h
+lxc_test_capabilities_SOURCES += ../include/prlimit.c ../include/prlimit.h
endif
endif
lxc-test-arch-parse \
lxc-test-attach \
lxc-test-basic \
- lxc-test-capabilities-allow \
+ lxc-test-capabilities \
lxc-test-cgpath \
lxc-test-clonetest \
lxc-test-concurrent \
EXTRA_DIST = arch_parse.c \
basic.c \
- capabilities_allow.c \
+ capabilities.c \
cgpath.c \
clonetest.c \
concurrent.c \
--- /dev/null
+/* liblxcapi
+ *
+ * Copyright © 2021 Christian Brauner <christian.brauner@ubuntu.com>.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include "lxccontainer.h"
+#include "attach_options.h"
+
+#include "caps.h"
+#include "lxctest.h"
+#include "utils.h"
+
+#if HAVE_LIBCAP
+static int capabilities_allow(void *payload)
+{
+ int ret;
+ __u32 last_cap;
+
+ ret = lxc_caps_last_cap(&last_cap);
+ if (ret) {
+ lxc_error("%s\n", "Failed to retrieve last capability");
+ return EXIT_FAILURE;
+ }
+
+ for (__u32 cap = 0; cap <= last_cap; cap++) {
+ bool bret;
+
+ if (cap == CAP_MKNOD)
+ bret = cap_get_bound(cap) == CAP_SET;
+ else
+ bret = cap_get_bound(cap) != CAP_SET;
+ if (!bret) {
+ lxc_error("Capability %d unexpectedly raised or lowered\n", cap);
+ return EXIT_FAILURE;
+ }
+ }
+
+ return EXIT_SUCCESS;
+}
+
+static int capabilities_deny(void *payload)
+{
+ int ret;
+ __u32 last_cap;
+
+ ret = lxc_caps_last_cap(&last_cap);
+ if (ret) {
+ lxc_error("%s\n", "Failed to retrieve last capability");
+ return EXIT_FAILURE;
+ }
+
+ for (__u32 cap = 0; cap <= last_cap; cap++) {
+ bool bret;
+
+ if (cap == CAP_MKNOD)
+ bret = cap_get_bound(cap) != CAP_SET;
+ else
+ bret = cap_get_bound(cap) == CAP_SET;
+ if (!bret) {
+ lxc_error("Capability %d unexpectedly raised or lowered\n", cap);
+ return EXIT_FAILURE;
+ }
+ }
+
+ return EXIT_SUCCESS;
+}
+
+static int run(int (*test)(void *), bool allow)
+{
+ __do_close int fd_log = -EBADF;
+ int fret = -1;
+ lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
+ int ret;
+ pid_t pid;
+ struct lxc_container *c;
+ struct lxc_log log;
+ char template[sizeof(P_tmpdir"/capabilities_XXXXXX")];
+
+ (void)strlcpy(template, P_tmpdir"/capabilities_XXXXXX", sizeof(template));
+
+ fd_log = lxc_make_tmpfile(template, false);
+ if (fd_log < 0) {
+ lxc_error("%s", "Failed to create temporary log file for container \"capabilities\"");
+ return fret;
+ }
+
+ log.name = "capabilities";
+ log.file = template;
+ log.level = "TRACE";
+ log.prefix = "capabilities";
+ log.quiet = false;
+ log.lxcpath = NULL;
+
+ if (lxc_log_init(&log))
+ return fret;
+
+ c = lxc_container_new("capabilities", NULL);
+ if (!c) {
+ lxc_error("%s\n", "Failed to create container \"capabilities\"");
+ return fret;
+ }
+
+ if (c->is_defined(c)) {
+ lxc_error("%s\n", "Container \"capabilities\" is defined");
+ goto on_error_put;
+ }
+
+ if (!c->createl(c, "busybox", NULL, NULL, 0, NULL)) {
+ lxc_error("%s\n", "Failed to create busybox container \"capabilities\"");
+ goto on_error_put;
+ }
+
+ if (!c->is_defined(c)) {
+ lxc_error("%s\n", "Container \"capabilities\" is not defined");
+ goto on_error_destroy;
+ }
+
+ if (!c->clear_config_item(c, "lxc.cap.drop")) {
+ lxc_error("%s\n", "Failed to clear config item \"lxc.cap.drop\"");
+ goto on_error_destroy;
+ }
+
+ if (!c->clear_config_item(c, "lxc.cap.keep")) {
+ lxc_error("%s\n", "Failed to clear config item \"lxc.cap.drop\"");
+ goto on_error_destroy;
+ }
+
+ if (allow) {
+ if (!c->set_config_item(c, "lxc.cap.keep", "mknod")) {
+ lxc_error("%s\n", "Failed to set config item \"lxc.cap.keep=mknod\"");
+ goto on_error_destroy;
+ }
+ } else {
+ if (!c->set_config_item(c, "lxc.cap.drop", "mknod")) {
+ lxc_error("%s\n", "Failed to set config item \"lxc.cap.drop=mknod\"");
+ goto on_error_destroy;
+ }
+ }
+
+ if (!c->want_daemonize(c, true)) {
+ lxc_error("%s\n", "Failed to mark container \"capabilities\" daemonized");
+ goto on_error_destroy;
+ }
+
+ if (!c->startl(c, 0, NULL)) {
+ lxc_error("%s\n", "Failed to start container \"capabilities\" daemonized");
+ goto on_error_destroy;
+ }
+
+ ret = c->attach(c, test, NULL, &attach_options, &pid);
+ if (ret < 0) {
+ lxc_error("%s\n", "Failed to run function in container \"capabilities\"");
+ goto on_error_stop;
+ }
+
+ ret = wait_for_pid(pid);
+ if (ret) {
+ lxc_error("%s\n", "Function \"capabilities\" failed");
+ goto on_error_stop;
+ }
+
+ fret = 0;
+
+on_error_stop:
+ if (c->is_running(c) && !c->stop(c))
+ lxc_error("%s\n", "Failed to stop container \"capabilities\"");
+
+on_error_destroy:
+ if (!c->destroy(c))
+ lxc_error("%s\n", "Failed to destroy container \"capabilities\"");
+
+on_error_put:
+ lxc_container_put(c);
+
+ if (fret == EXIT_SUCCESS) {
+ lxc_debug("All capability %s tests passed\n", allow ? "allow" : "deny");
+ } else {
+ int fd;
+
+ fd = open(template, O_RDONLY);
+ if (fd >= 0) {
+ char buf[4096];
+ ssize_t buflen;
+ while ((buflen = read(fd, buf, 1024)) > 0) {
+ buflen = write(STDERR_FILENO, buf, buflen);
+ if (buflen <= 0)
+ break;
+ }
+ close(fd);
+ }
+ }
+ (void)unlink(template);
+
+ return fret;
+}
+
+int main(int argc, char *argv[])
+{
+ if (run(capabilities_allow, true))
+ exit(EXIT_FAILURE);
+
+ if (run(capabilities_deny, false))
+ exit(EXIT_FAILURE);
+
+ exit(EXIT_SUCCESS);
+}
+
+#else /* !HAVE_LIBCAP */
+
+int main(int argc, char *argv[])
+{
+ lxc_debug("%s\n", "Capabilities not supported. Skipping.");
+ exit(EXIT_SUCCESS);
+}
+#endif
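Review bot: In `capabilities_allow()` the `else` branch accepts any result other than `CAP_SET`, so a failed `cap_get_bound()` call (which returns -1) is counted as a dropped capability and the allow test can pass without having verified the bounding set; the `CAP_MKNOD` branch of `capabilities_deny()` has the same gap. Both branches should compare against the cleared state explicitly, `bret = cap_get_bound(cap) == CAP_CLEAR;`, so that a query error fails the test instead of satisfying it. Separately, in `run()` the failure message for clearing `lxc.cap.keep` still names `lxc.cap.drop`, which will mislead whoever reads the log. The early `return fret;` paths taken after `lxc_make_tmpfile()` has succeeded also skip the final `unlink(template)`, which presumably leaves the TRACE log behind in `P_tmpdir`.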
+++ /dev/null
-/* liblxcapi
- *
- * Copyright © 2021 Christian Brauner <christian.brauner@ubuntu.com>.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2, as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "config.h"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <inttypes.h>
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-
-#include "lxccontainer.h"
-#include "attach_options.h"
-
-#include "caps.h"
-#include "lxctest.h"
-#include "utils.h"
-
-#if HAVE_LIBCAP
-static int capabilities_allow(void *payload)
-{
- int ret;
- __u32 last_cap;
-
- ret = lxc_caps_last_cap(&last_cap);
- if (ret) {
- lxc_error("%s\n", "Failed to retrieve last capability");
- return EXIT_FAILURE;
- }
-
- for (__u32 cap = 0; cap <= last_cap; cap++) {
- bool bret;
-
- if (cap == CAP_MKNOD)
- bret = cap_get_bound(cap) == CAP_SET;
- else
- bret = cap_get_bound(cap) != CAP_SET;
- if (!bret) {
- lxc_error("Capability %d unexpectedly raised or lowered\n", cap);
- return EXIT_FAILURE;
- }
- }
-
- return EXIT_SUCCESS;
-}
-
-int main(int argc, char *argv[])
-{
- __do_close int fd_log = -EBADF;
- int fret = EXIT_FAILURE;
- lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
- int ret;
- pid_t pid;
- struct lxc_container *c;
- struct lxc_log log;
- char template[sizeof(P_tmpdir"/capabilities_allow_XXXXXX")];
-
- (void)strlcpy(template, P_tmpdir"/capabilities_allow_XXXXXX", sizeof(template));
-
- fd_log = lxc_make_tmpfile(template, false);
- if (fd_log < 0) {
- lxc_error("%s", "Failed to create temporary log file for container \"capabilities-allow\"");
- exit(fret);
- }
-
- log.name = "capabilities-allow";
- log.file = template;
- log.level = "TRACE";
- log.prefix = "capabilities";
- log.quiet = false;
- log.lxcpath = NULL;
-
- if (lxc_log_init(&log))
- exit(fret);
-
- c = lxc_container_new("capabilities-allow", NULL);
- if (!c) {
- lxc_error("%s\n", "Failed to create container \"capabilities-allow\"");
- exit(fret);
- }
-
- if (c->is_defined(c)) {
- lxc_error("%s\n", "Container \"capabilities-allow\" is defined");
- goto on_error_put;
- }
-
- if (!c->createl(c, "busybox", NULL, NULL, 0, NULL)) {
- lxc_error("%s\n", "Failed to create busybox container \"capabilities-allow\"");
- goto on_error_put;
- }
-
- if (!c->is_defined(c)) {
- lxc_error("%s\n", "Container \"capabilities-allow\" is not defined");
- goto on_error_destroy;
- }
-
- if (!c->clear_config_item(c, "lxc.cap.drop")) {
- lxc_error("%s\n", "Failed to clear config item \"lxc.cap.drop\"");
- goto on_error_destroy;
- }
-
- if (!c->clear_config_item(c, "lxc.cap.keep")) {
- lxc_error("%s\n", "Failed to clear config item \"lxc.cap.drop\"");
- goto on_error_destroy;
- }
-
- if (!c->set_config_item(c, "lxc.cap.keep", "mknod")) {
- lxc_error("%s\n", "Failed to set config item \"lxc.cap.keep=mknod\"");
- goto on_error_destroy;
- }
-
- if (!c->want_daemonize(c, true)) {
- lxc_error("%s\n", "Failed to mark container \"capabilities-allow\" daemonized");
- goto on_error_destroy;
- }
-
- if (!c->startl(c, 0, NULL)) {
- lxc_error("%s\n", "Failed to start container \"capabilities-allow\" daemonized");
- goto on_error_destroy;
- }
-
- ret = c->attach(c, capabilities_allow, NULL, &attach_options, &pid);
- if (ret < 0) {
- lxc_error("%s\n", "Failed to run function in container \"capabilities-allow\"");
- goto on_error_stop;
- }
-
- ret = wait_for_pid(pid);
- if (ret) {
- lxc_error("%s\n", "Function \"capabilities-allow\" failed");
- goto on_error_stop;
- }
-
- fret = 0;
-
-on_error_stop:
- if (c->is_running(c) && !c->stop(c))
- lxc_error("%s\n", "Failed to stop container \"capabilities-allow\"");
-
-on_error_destroy:
- if (!c->destroy(c))
- lxc_error("%s\n", "Failed to destroy container \"capabilities-allow\"");
-
-on_error_put:
- lxc_container_put(c);
-
- if (fret == EXIT_SUCCESS) {
- lxc_debug("%s\n", "All capability allow tests passed");
- } else {
- int fd;
-
- fd = open(template, O_RDONLY);
- if (fd >= 0) {
- char buf[4096];
- ssize_t buflen;
- while ((buflen = read(fd, buf, 1024)) > 0) {
- buflen = write(STDERR_FILENO, buf, buflen);
- if (buflen <= 0)
- break;
- }
- close(fd);
- }
- }
- (void)unlink(template);
-
- exit(fret);
-}
-
-#else /* !HAVE_LIBCAP */
-
-int main(int argc, char *argv[])
-{
- lxc_debug("%s\n", "Capabilities not supported. Skipping.");
- exit(EXIT_SUCCESS);
-}
-#endif