Open a temp directory before changing capabilities and user ID-s

In cl/302130790, we started using a temp directory which is provided by bazel.

By default, a test process has enough permissions to open it, but there is no
guarantee that it will still be able to do so after changing credentials.

PiperOrigin-RevId: 302702337
Andrei Vagin 2020-03-24 10:57:24 -07:00 committed by gVisor bot
parent 7e4073af12
commit f97858011f
1 changed files with 10 additions and 6 deletions


@ -42,8 +42,9 @@ TEST(StickyTest, StickyBitPermDenied) {
auto dir = ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateDir());
EXPECT_THAT(chmod(dir.path().c_str(), 0777 | S_ISVTX), SyscallSucceeds());
std::string path = JoinPath(dir.path(), "NewDir");
ASSERT_THAT(mkdir(path.c_str(), 0755), SyscallSucceeds());
const FileDescriptor dirfd =
ASSERT_NO_ERRNO_AND_VALUE(Open(dir.path(), O_DIRECTORY));
ASSERT_THAT(mkdirat(dirfd.get(), "NewDir", 0755), SyscallSucceeds());
// Drop privileges and change IDs only in child thread, or else this parent
// thread won't be able to open some log files after the test ends.
@ -61,7 +62,8 @@ TEST(StickyTest, StickyBitPermDenied) {
syscall(SYS_setresuid, -1, absl::GetFlag(FLAGS_scratch_uid), -1),
SyscallSucceeds());
EXPECT_THAT(rmdir(path.c_str()), SyscallFailsWithErrno(EPERM));
EXPECT_THAT(unlinkat(dirfd.get(), "NewDir", AT_REMOVEDIR),
SyscallFailsWithErrno(EPERM));
});
}
@ -96,8 +98,9 @@ TEST(StickyTest, StickyBitCapFOWNER) {
auto dir = ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateDir());
EXPECT_THAT(chmod(dir.path().c_str(), 0777 | S_ISVTX), SyscallSucceeds());
std::string path = JoinPath(dir.path(), "NewDir");
ASSERT_THAT(mkdir(path.c_str(), 0755), SyscallSucceeds());
const FileDescriptor dirfd =
ASSERT_NO_ERRNO_AND_VALUE(Open(dir.path(), O_DIRECTORY));
ASSERT_THAT(mkdirat(dirfd.get(), "NewDir", 0755), SyscallSucceeds());
// Drop privileges and change IDs only in child thread, or else this parent
// thread won't be able to open some log files after the test ends.
@ -114,7 +117,8 @@ TEST(StickyTest, StickyBitCapFOWNER) {
SyscallSucceeds());
EXPECT_NO_ERRNO(SetCapability(CAP_FOWNER, true));
EXPECT_THAT(rmdir(path.c_str()), SyscallSucceeds());
EXPECT_THAT(unlinkat(dirfd.get(), "NewDir", AT_REMOVEDIR),
SyscallSucceeds());
});
}
} // namespace
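Review bot: Nothing at the new `Open(dir.path(), O_DIRECTORY)` call in StickyBitPermDenied, or at its twin in StickyBitCapFOWNER, says why the descriptor must be taken before the child thread changes IDs and capabilities, so a later cleanup could fold it back into a path-based `rmdir`. I would add above each call: `// Open the temp dir before credentials change; path lookup may fail afterwards.` The comment could also record that the sticky-bit check is still exercised, because `unlinkat(dirfd.get(), "NewDir", AT_REMOVEDIR)` is evaluated against the directory the descriptor refers to and only the walk through the bazel-provided parent path is skipped. Both test bodies extend beyond the hunks shown, so this assumes the child-thread lambda captures `dirfd`.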