Test ambient capabilities in Minijail
Issue description
Maybe something like:
#include <fstream>
#include <iostream>
#include <string>

int main() {
  // The kernel reports this process's capability sets in /proc/self/status.
  std::ifstream status("/proc/self/status");
  std::string line;
  while (std::getline(status, line)) {
    // Print only the effective capability mask.
    if (line.find("CapEff") == 0) {
      std::cout << line << std::endl;
    }
  }
  return 0;
}
EOF
$ sudo ./captest
CapEff: 0000003fffffffff
$ sudo ./minijail0 -T static -c 1fffffffff ./captest
Can't run statically-linked binaries with capabilities (-c) \
without also setting ambient capabilities. Try passing --ambient
$ sudo ./minijail0 -T static -c 1fffffffff --ambient ./captest
CapEff: 0000001fffffffff
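The check sketched in the issue description, turned into a pass/fail test that compares masks instead of printing CapEff. This is an added example, not code from the bug or from the autotest change; ParseCapSets, MismatchedSets, kExpected and the sample status text are hypothetical names and constructed data, and it assumes that a static binary started with -c 1fffffffff --ambient shows the same mask in both CapEff and CapAmb.

```cpp
#include <cstdint>
#include <fstream>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

using CapSets = std::map<std::string, uint64_t>;
const uint64_t kExpected = 0x1fffffffffULL;  // the -c mask from the transcript

// Parse the Cap* lines of a /proc/<pid>/status stream into name -> mask.
CapSets ParseCapSets(std::istream& status) {
  CapSets sets;
  std::string line;
  while (std::getline(status, line)) {
    const auto colon = line.find(':');
    if (line.compare(0, 3, "Cap") != 0 || colon == std::string::npos) continue;
    uint64_t mask = 0;
    std::istringstream value(line.substr(colon + 1));
    // A value that is not hex leaves the set absent, so a check on it fails.
    if (value >> std::hex >> mask) sets[line.substr(0, colon)] = mask;
  }
  return sets;
}

// Names of the sets that are missing or differ from `expected`.
std::vector<std::string> MismatchedSets(const CapSets& sets, uint64_t expected) {
  std::vector<std::string> bad;
  for (const char* name : {"CapEff", "CapAmb"}) {
    const auto it = sets.find(name);
    if (it == sets.end() || it->second != expected) bad.push_back(name);
  }
  return bad;
}

// Constructed sample: CapEff is the value shown above, CapAmb is assumed.
const char kSampleStatus[] =
    "Name:\tcaptest\nCapEff:\t0000001fffffffff\nCapAmb:\t0000001fffffffff\n";

int main() {
  std::istringstream sample(kSampleStatus);
  std::cout << "sample mismatches: "
            << MismatchedSets(ParseCapSets(sample), kExpected).size() << "\n";
  std::ifstream live("/proc/self/status");  // meaningful when run under minijail0
  const auto bad = MismatchedSets(ParseCapSets(live), kExpected);
  for (const auto& name : bad) std::cout << "FAIL " << name << "\n";
  return bad.empty() ? 0 : 1;
}
```

Run outside Minijail, the live check is expected to fail, because the masks of an unconfined process will not equal the -c value.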
,
Apr 13 2018
,
Apr 13 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/3f54b0cb0ab31311b91d6301d4ddf3267a703efe

commit 3f54b0cb0ab31311b91d6301d4ddf3267a703efe
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Fri Apr 13 20:25:20 2018

security_Minijail0: Test capabilities in the static case.

Now that we have support for ambient caps, capabilities work with static binaries. Test that.

Also shorten an error message for clarity.

BUG= chromium:738546
TEST=Passes on caroline.
TEST=Fails on caroline if --ambient is not added to the test.

Change-Id: Ie1bfd1047d36d3c2f68010adc3fc8acb43505761
Reviewed-on: https://chromium-review.googlesource.com/1010518
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>

[modify] https://crrev.com/3f54b0cb0ab31311b91d6301d4ddf3267a703efe/client/site_tests/security_Minijail0/src/test-caps
[modify] https://crrev.com/3f54b0cb0ab31311b91d6301d4ddf3267a703efe/client/site_tests/security_Minijail0/security_Minijail0.py
,
Apr 13 2018
,
Jun 21 2018
Comment 1 by jorgelo@chromium.org, Jul 5 2017