tests: add test for lxc.cap.keep

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

.gitignore

@@ -108,6 +108,7 @@ src/tests/lxc-test-cve-2019-5736
 src/tests/lxc-test-mount-injection
 src/tests/lxc-test-sys-mixed
 src/tests/lxc-test-rootfs-options
+src/tests/lxc-test-capabilities-allow
 
 config/compile
 config/config.guess

src/tests/Makefile.am

@@ -1276,6 +1276,87 @@ lxc_test_rootfs_options_SOURCES += ../include/prlimit.c ../include/prlimit.h
 endif
 endif
 
+lxc_test_capabilities_allow_SOURCES = capabilities_allow.c \
+				      ../lxc/af_unix.c ../lxc/af_unix.h \
+				      ../lxc/caps.c ../lxc/caps.h \
+				      ../lxc/cgroups/cgfsng.c \
+				      ../lxc/cgroups/cgroup.c ../lxc/cgroups/cgroup.h \
+				      ../lxc/cgroups/cgroup2_devices.c ../lxc/cgroups/cgroup2_devices.h \
+				      ../lxc/cgroups/cgroup_utils.c ../lxc/cgroups/cgroup_utils.h \
+				      ../lxc/commands.c ../lxc/commands.h \
+				      ../lxc/commands_utils.c ../lxc/commands_utils.h \
+				      ../lxc/conf.c ../lxc/conf.h \
+				      ../lxc/confile.c ../lxc/confile.h \
+				      ../lxc/confile_utils.c ../lxc/confile_utils.h \
+				      ../lxc/error.c ../lxc/error.h \
+				      ../lxc/file_utils.c ../lxc/file_utils.h \
+				      ../include/netns_ifaddrs.c ../include/netns_ifaddrs.h \
+				      ../lxc/initutils.c ../lxc/initutils.h \
+				      ../lxc/log.c ../lxc/log.h \
+				      ../lxc/lxclock.c ../lxc/lxclock.h \
+				      ../lxc/mainloop.c ../lxc/mainloop.h \
+				      ../lxc/monitor.c ../lxc/monitor.h \
+				      ../lxc/mount_utils.c ../lxc/mount_utils.h \
+				      ../lxc/namespace.c ../lxc/namespace.h \
+				      ../lxc/network.c ../lxc/network.h \
+				      ../lxc/nl.c ../lxc/nl.h \
+				      ../lxc/parse.c ../lxc/parse.h \
+				      ../lxc/process_utils.c ../lxc/process_utils.h \
+				      ../lxc/ringbuf.c ../lxc/ringbuf.h \
+				      ../lxc/start.c ../lxc/start.h \
+				      ../lxc/state.c ../lxc/state.h \
+				      ../lxc/storage/btrfs.c ../lxc/storage/btrfs.h \
+				      ../lxc/storage/dir.c ../lxc/storage/dir.h \
+				      ../lxc/storage/loop.c ../lxc/storage/loop.h \
+				      ../lxc/storage/lvm.c ../lxc/storage/lvm.h \
+				      ../lxc/storage/nbd.c ../lxc/storage/nbd.h \
+				      ../lxc/storage/overlay.c ../lxc/storage/overlay.h \
+				      ../lxc/storage/rbd.c ../lxc/storage/rbd.h \
+				      ../lxc/storage/rsync.c ../lxc/storage/rsync.h \
+				      ../lxc/storage/storage.c ../lxc/storage/storage.h \
+				      ../lxc/storage/storage_utils.c ../lxc/storage/storage_utils.h \
+				      ../lxc/storage/zfs.c ../lxc/storage/zfs.h \
+				      ../lxc/sync.c ../lxc/sync.h \
+				      ../lxc/string_utils.c ../lxc/string_utils.h \
+				      ../lxc/terminal.c ../lxc/terminal.h \
+				      ../lxc/utils.c ../lxc/utils.h \
+				      ../lxc/uuid.c ../lxc/uuid.h \
+				      $(LSM_SOURCES)
+if ENABLE_SECCOMP
+lxc_test_capabilities_allow_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+endif
+
+if !HAVE_STRCHRNUL
+lxc_test_capabilities_allow_SOURCES += ../include/strchrnul.c ../include/strchrnul.h
+endif
+
+if !HAVE_STRLCPY
+lxc_test_capabilities_allow_SOURCES += ../include/strlcpy.c ../include/strlcpy.h
+endif
+
+if !HAVE_STRLCAT
+lxc_test_capabilities_allow_SOURCES += ../include/strlcat.c ../include/strlcat.h
+endif
+
+if !HAVE_OPENPTY
+lxc_test_capabilities_allow_SOURCES += ../include/openpty.c ../include/openpty.h
+endif
+
+if IS_BIONIC
+lxc_test_capabilities_allow_SOURCES += ../include/fexecve.c ../include/fexecve.h \
+		../include/lxcmntent.c ../include/lxcmntent.h
+endif
+
+if !HAVE_GETGRGID_R
+lxc_test_capabilities_allow_SOURCES += ../include/getgrgid_r.c ../include/getgrgid_r.h
+endif
+
+if !HAVE_PRLIMIT
+if HAVE_PRLIMIT64
+lxc_test_capabilities_allow_SOURCES += ../include/prlimit.c ../include/prlimit.h
+endif
+endif
+
 AM_CFLAGS += -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \
 	     -DLXCPATH=\"$(LXCPATH)\" \
 	     -DLXC_GLOBAL_CONF=\"$(LXC_GLOBAL_CONF)\" \
@@ -1314,6 +1395,7 @@ bin_PROGRAMS = lxc-test-api-reboot \
 	       lxc-test-arch-parse \
 	       lxc-test-attach \
 	       lxc-test-basic \
+	       lxc-test-capabilities-allow \
 	       lxc-test-cgpath \
 	       lxc-test-clonetest \
 	       lxc-test-concurrent \
@@ -1406,6 +1488,7 @@ endif
 
 EXTRA_DIST = arch_parse.c \
 	     basic.c \
+	     capabilities_allow.c \
 	     cgpath.c \
 	     clonetest.c \
 	     concurrent.c \

src/tests/capabilities_allow.c

@@ -0,0 +1,191 @@
+/* liblxcapi
+ *
+ * Copyright © 2021 Christian Brauner <christian.brauner@ubuntu.com>.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include "lxccontainer.h"
+#include "attach_options.h"
+
+#include "caps.h"
+#include "lxctest.h"
+#include "utils.h"
+
+#if HAVE_LIBCAP
+static int capabilities_allow(void *payload)
+{
+	int last_cap;
+
+	last_cap = lxc_caps_last_cap();
+	for (int cap = 0; cap <= last_cap; cap++) {
+		bool bret;
+
+		if (cap == CAP_MKNOD)
+			bret = cap_get_bound(cap) == CAP_SET;
+		else
+			bret = cap_get_bound(cap) != CAP_SET;
+		if (!bret) {
+			lxc_error("Capability %d unexpectedly raised or lowered\n", cap);
+			return EXIT_FAILURE;
+		}
+	}
+
+	return EXIT_SUCCESS;
+}
+
+int main(int argc, char *argv[])
+{
+	__do_close int fd_log = -EBADF;
+	int fret = EXIT_FAILURE;
+	lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
+	int ret;
+	pid_t pid;
+	struct lxc_container *c;
+	struct lxc_log log;
+	char template[sizeof(P_tmpdir"/capabilities_allow_XXXXXX")];
+
+	(void)strlcpy(template, P_tmpdir"/capabilities_allow_XXXXXX", sizeof(template));
+
+	fd_log = lxc_make_tmpfile(template, false);
+	if (fd_log < 0) {
+		lxc_error("%s", "Failed to create temporary log file for container \"capabilities-allow\"");
+		exit(fret);
+	}
+
+	log.name = "capabilities-allow";
+	log.file = template;
+	log.level = "TRACE";
+	log.prefix = "capabilities";
+	log.quiet = false;
+	log.lxcpath = NULL;
+
+	if (lxc_log_init(&log))
+		exit(fret);
+
+	c = lxc_container_new("capabilities-allow", NULL);
+	if (!c) {
+		lxc_error("%s\n", "Failed to create container \"capabilities-allow\"");
+		exit(fret);
+	}
+
+	if (c->is_defined(c)) {
+		lxc_error("%s\n", "Container \"capabilities-allow\" is defined");
+		goto on_error_put;
+	}
+
+	if (!c->createl(c, "busybox", NULL, NULL, 0, NULL)) {
+		lxc_error("%s\n", "Failed to create busybox container \"capabilities-allow\"");
+		goto on_error_put;
+	}
+
+	if (!c->is_defined(c)) {
+		lxc_error("%s\n", "Container \"capabilities-allow\" is not defined");
+		goto on_error_destroy;
+	}
+
+	if (!c->clear_config_item(c, "lxc.cap.drop")) {
+		lxc_error("%s\n", "Failed to clear config item \"lxc.cap.drop\"");
+		goto on_error_destroy;
+	}
+
+	if (!c->clear_config_item(c, "lxc.cap.keep")) {
+		lxc_error("%s\n", "Failed to clear config item \"lxc.cap.drop\"");
+		goto on_error_destroy;
+	}
+
+	if (!c->set_config_item(c, "lxc.cap.keep", "mknod")) {
+		lxc_error("%s\n", "Failed to set config item \"lxc.cap.keep=mknod\"");
+		goto on_error_destroy;
+	}
+
+	if (!c->want_daemonize(c, true)) {
+		lxc_error("%s\n", "Failed to mark container \"capabilities-allow\" daemonized");
+		goto on_error_destroy;
+	}
+
+	if (!c->startl(c, 0, NULL)) {
+		lxc_error("%s\n", "Failed to start container \"capabilities-allow\" daemonized");
+		goto on_error_destroy;
+	}
+
+	ret = c->attach(c, capabilities_allow, NULL, &attach_options, &pid);
+	if (ret < 0) {
+		lxc_error("%s\n", "Failed to run function in container \"capabilities-allow\"");
+		goto on_error_stop;
+	}
+
+	ret = wait_for_pid(pid);
+	if (ret) {
+		lxc_error("%s\n", "Function \"capabilities-allow\" failed");
+		goto on_error_stop;
+	}
+
+	fret = 0;
+
+on_error_stop:
+	if (c->is_running(c) && !c->stop(c))
+		lxc_error("%s\n", "Failed to stop container \"capabilities-allow\"");
+
+on_error_destroy:
+	if (!c->destroy(c))
+		lxc_error("%s\n", "Failed to destroy container \"capabilities-allow\"");
+
+on_error_put:
+	lxc_container_put(c);
+
+	if (fret == EXIT_SUCCESS) {
+		lxc_debug("%s\n", "All capability allow tests passed");
+	} else {
+		int fd;
+
+		fd = open(template, O_RDONLY);
+		if (fd >= 0) {
+			char buf[4096];
+			ssize_t buflen;
+			while ((buflen = read(fd, buf, 1024)) > 0) {
+				buflen = write(STDERR_FILENO, buf, buflen);
+				if (buflen <= 0)
+					break;
+			}
+			close(fd);
+		}
+	}
+	(void)unlink(template);
+
+	exit(fret);
+}
+
+#else /* !HAVE_LIBCAP */
+
+int main(int argc, char *argv[])
+{
+	lxc_debug("%s\n", "Capabilities not supported. Skipping.");
+	exit(EXIT_SUCCESS);
+}
+#endif