capability: test improvements #170

Merged
merged 2 commits into from
Oct 11, 2024
46 changes: 20 additions & 26 deletions capability/capability_test.go
Expand Up @@ -23,7 +23,8 @@ const (
maxLastCap = CAP_CHECKPOINT_RESTORE
)

func requirePCapSet(t *testing.T) {
func requirePCapSet(t testing.TB) {
t.Helper()
pid, err := NewPid2(0)
if err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -111,49 +112,42 @@ func TestAmbientCapSet(t *testing.T) {
}
requirePCapSet(t)

capBounding := []Cap{CAP_KILL, CAP_CHOWN, CAP_SYSLOG}
capPermitted := []Cap{CAP_KILL, CAP_CHOWN}
capEffective := []Cap{CAP_KILL}
capInheritable := []Cap{CAP_KILL, CAP_CHOWN}
capAmbient := []Cap{CAP_KILL, CAP_CHOWN}

pid, err := NewPid2(0)
if err != nil {
t.Fatal(err)
}
pid.Set(BOUNDING, capBounding...)
pid.Set(PERMITTED, capPermitted...)
pid.Set(EFFECTIVE, capEffective...)
pid.Set(INHERITABLE, capInheritable...)
pid.Set(AMBIENT, capAmbient...)
if err = pid.Apply(CAPS | BOUNDING | AMBIENT); err != nil {

list := []Cap{CAP_KILL, CAP_CHOWN, CAP_SYS_CHROOT}
Contributor


From Docker to Kubernetes, they always fill every type of capability set with the same capability bits, which I think may be wrong. So I wanted to test the capability sets with different caps; that was my thinking.
But anyway, it's not worth making them different in this test.

Collaborator Author


Yes, I understand that (what I don't understand is why they do it that way -- for example, why drop bounding capabilities at all; but that is way out of scope for this PR).

pid.Set(CAPS|AMBIENT, list...)
if err = pid.Apply(CAPS | AMBIENT); err != nil {
t.Fatal(err)
}

// Restore the cap set data from current process
// Check if ambient caps were applied.
if err = pid.Load(); err != nil {
t.Fatal(err)
}
for _, cap := range capAmbient {
if !pid.Get(AMBIENT, cap) {
t.Fatalf("expected ambient cap(%d) to be set but it's not", cap)
for _, cap := range list {
want := true
if got := pid.Get(AMBIENT, cap); want != got {
t.Errorf("Get(AMBIENT, %s): want %v, got %v", cap, want, got)
}
}

// Remove a ambient cap, to check `PR_CAP_AMBIENT_CLEAR_ALL` work.
pid.Clear(AMBIENT)
pid.Set(AMBIENT, capAmbient[0])
if err = pid.Apply(CAPS | BOUNDING | AMBIENT); err != nil {
// Unset a single ambient cap, to check `PR_CAP_AMBIENT_CLEAR_ALL` work.
const unsetIdx = 1
pid.Unset(AMBIENT, list[unsetIdx])
if err = pid.Apply(AMBIENT); err != nil {
t.Fatal(err)
}

if err = pid.Load(); err != nil {
t.Fatal(err)
}
if !pid.Get(AMBIENT, capAmbient[0]) {
t.Fatalf("expected ambient cap(%d) to be set but it's not", capAmbient[0])
}
if pid.Get(AMBIENT, capAmbient[1]) {
t.Fatalf("expected ambient cap(%d) not to be set but it has been set", capAmbient[1])
for i, cap := range list {
want := i != unsetIdx
if got := pid.Get(AMBIENT, cap); want != got {
t.Errorf("Get(AMBIENT, %s): want %v, got %v", cap, want, got)
}
}
}
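Review bot: TestAmbientCapSet changes the capabilities of the test process itself (`NewPid2(0)` followed by `pid.Apply(CAPS | AMBIENT)`) without pinning the goroutine to an OS thread and without restoring anything afterwards. On Linux, capability sets are a per-thread attribute, so if the Go scheduler moves the goroutine between `Apply` and `Load`, the `Get(AMBIENT, …)` checks can read a thread that never received the change. Because `Set` is called on a freshly created object with no `Load` first, the apply presumably also reduces permitted/effective to just the three listed caps for whatever runs later on that thread. I would call `runtime.LockOSThread()` right after `requirePCapSet(t)` and leave it locked, so the thread is discarded with the test goroutine, or run the body in a child process; this needs the `runtime` import, which is not visible here. The function begins above the hunk.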