[Libct] [PATCH 7/8] tests: check capabilities and process ids
Andrey Vagin
avagin at openvz.org
Wed Nov 5 01:40:24 PST 2014
Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
test/Makefile | 3 ++-
test/ct_caps.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
test/ct_create.c | 11 +++++++++++
3 files changed, 70 insertions(+), 1 deletion(-)
create mode 100644 test/ct_caps.c
diff --git a/test/Makefile b/test/Makefile
index 75ba96b..89b1547 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -2,7 +2,8 @@ TESTS = ct_create ct_enter ct_proc ct_root ct_root_enter \
ct_create_exec ct_cgroup_basic ct_net_host \
ct_net_veth ct_private_subdir \
ct_ext_mount ct_private_subdir_ns \
- ct_cgroup_sub ct_service ct_kill_nons ct_pid_enter ct_userns
+ ct_cgroup_sub ct_service ct_kill_nons ct_pid_enter \
+ ct_userns ct_caps
PIGS = file_piggy
diff --git a/test/ct_caps.c b/test/ct_caps.c
new file mode 100644
index 0000000..a23e771
--- /dev/null
+++ b/test/ct_caps.c
@@ -0,0 +1,57 @@
+/*
+ * Test empty "container" creation
+ */
+#include <libct.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <linux/capability.h>
+#include "test.h"
+
+#define TEST_CAPS 0x1234
+
+extern int capget(cap_user_header_t header, const cap_user_data_t data);
+extern int capset(cap_user_header_t header, const cap_user_data_t data);
+
+static int set_ct_alive(void *a)
+{
+ struct __user_cap_header_struct hdr = {_LINUX_CAPABILITY_VERSION_3, 0};
+ struct __user_cap_data_struct data[2];
+
+ memset(&data, 0, sizeof(data));
+
+ if (capget(&hdr, data))
+ return -1;
+
+ if (data[0].effective != TEST_CAPS)
+ return 1;
+
+ *(int *)a = 1;
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ int *ct_alive;
+ libct_session_t s;
+ ct_handler_t ct;
+ ct_process_desc_t p;
+
+ ct_alive = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_ANON, 0, 0);
+ *ct_alive = 0;
+
+ s = libct_session_open_local();
+ ct = libct_container_create(s, "test");
+ p = libct_process_desc_create(s);
+ libct_process_desc_set_caps(p, TEST_CAPS, CAPS_ALLCAPS);
+ libct_container_spawn_cb(ct, p, set_ct_alive, ct_alive);
+ libct_container_wait(ct);
+ libct_container_destroy(ct);
+ libct_session_close(s);
+
+ if (!*ct_alive)
+ return fail("Container is not alive");
+ else
+ return pass("Container is alive");
+}
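Review bot: set_ct_alive near the top of the hunk compares only data[0].effective, so the test pins just the low 32 bits of the effective set; the permitted and inheritable sets and the upper word in data[1] are never compared, and a regression that leaves extra capabilities there would still pass. If CAPS_ALLCAPS means the mask is applied to all three sets, the check should be `if (data[0].effective != TEST_CAPS || data[0].permitted != TEST_CAPS || data[0].inheritable != TEST_CAPS || data[1].effective || data[1].permitted || data[1].inheritable) return 1;`. The -1 (capget failed) and 1 (mask mismatch) returns are then both reported by main as "Container is not alive", so a one-line stderr message with the observed value before each return would make a failure diagnosable. The header comment is copied from ct_create.c and no longer describes this file; `/* Test that the capability mask passed to libct_process_desc_set_caps() is applied to the spawned process */` would. main also writes `*ct_alive = 0` without checking the mmap() result against MAP_FAILED.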
diff --git a/test/ct_create.c b/test/ct_create.c
index 1042ded..457aeb0 100644
--- a/test/ct_create.c
+++ b/test/ct_create.c
@@ -1,13 +1,22 @@
/*
* Test empty "container" creation
*/
+#include <unistd.h>
+#include <sys/types.h>
#include <libct.h>
#include <stdio.h>
#include <sys/mman.h>
#include "test.h"
+#define UID 31451
+#define GID 92653
+
static int set_ct_alive(void *a)
{
+ if (getuid() != UID)
+ return -1;
+ if (getgid() != GID)
+ return -1;
*(int *)a = 1;
return 0;
}
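Review bot: The two added checks in set_ct_alive compare only the real ids, so a spawn path that changed the real uid/gid but left the effective ids unchanged would still pass a test meant to show the process runs as UID:GID; comparing the effective ids as well, `if (getuid() != UID || geteuid() != UID) return -1;` and `if (getgid() != GID || getegid() != GID) return -1;`, closes that gap. Both new returns are reported by main as the single "Container is not alive" message, so a short stderr line naming which id mismatched would help when it fails. The header comment still says only "empty container creation"; adding that the spawned process is expected to run as UID:GID keeps it accurate now that the test asserts ids.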
@@ -26,6 +35,8 @@ int main(int argc, char **argv)
s = libct_session_open_local();
ct = libct_container_create(s, "test");
p = libct_process_desc_create(s);
+ libct_process_desc_setuid(p, UID);
+ libct_process_desc_setgid(p, GID);
libct_container_spawn_cb(ct, p, set_ct_alive, ct_alive);
libct_container_wait(ct);
libct_container_destroy(ct);
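Review bot: The return values of libct_process_desc_setuid() and libct_process_desc_setgid() on the two added lines are discarded, so if the descriptor rejects the ids the container is still spawned and the test fails later with the generic "not alive" message instead of at the point of the error. If these setters report failure like the rest of the libct_process_desc_* API, `if (libct_process_desc_setuid(p, UID) || libct_process_desc_setgid(p, GID)) return fail("can't set uid/gid");` gives the precise cause. main's body starts and ends outside this hunk.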
--
1.9.1