diff options
author | Dean Deng <deandeng@google.com> | 2020-06-18 22:00:56 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-06-18 22:02:07 -0700 |
commit | 408f3d2cd64cae6b2f76a940c76236e9841c095f (patch) | |
tree | 8307bea8b81bd29925aedade970b12e9707bcf12 /test | |
parent | 70c45e09cfd15abeebd640a9a2ddd214078db651 (diff) |
Fix vfs2 tmpfs link permission checks.
Updates #2923.
PiperOrigin-RevId: 317246916
Diffstat (limited to 'test')
-rw-r--r-- | test/syscalls/BUILD | 1 | ||||
-rw-r--r-- | test/syscalls/linux/link.cc | 15 | ||||
-rw-r--r-- | test/util/test_util.h | 1 |
3 files changed, 15 insertions, 2 deletions
diff --git a/test/syscalls/BUILD b/test/syscalls/BUILD index 1638a11c7..65a6a7f37 100644 --- a/test/syscalls/BUILD +++ b/test/syscalls/BUILD @@ -305,6 +305,7 @@ syscall_test( add_overlay = True, test = "//test/syscalls/linux:link_test", use_tmpfs = True, # gofer needs CAP_DAC_READ_SEARCH to use AT_EMPTY_PATH with linkat(2) + vfs2 = "True", ) syscall_test( diff --git a/test/syscalls/linux/link.cc b/test/syscalls/linux/link.cc index e74fa2ed5..544681168 100644 --- a/test/syscalls/linux/link.cc +++ b/test/syscalls/linux/link.cc @@ -79,8 +79,13 @@ TEST(LinkTest, PermissionDenied) { // Make the file "unsafe" to link by making it only readable, but not // writable. - const auto oldfile = + const auto unwriteable_file = ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateFileMode(0400)); + const std::string special_path = NewTempAbsPath(); + ASSERT_THAT(mkfifo(special_path.c_str(), 0666), SyscallSucceeds()); + const auto setuid_file = + ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateFileMode(0666 | S_ISUID)); + const std::string newname = NewTempAbsPath(); // Do setuid in a separate thread so that after finishing this test, the @@ -97,8 +102,14 @@ TEST(LinkTest, PermissionDenied) { EXPECT_THAT(syscall(SYS_setuid, absl::GetFlag(FLAGS_scratch_uid)), SyscallSucceeds()); - EXPECT_THAT(link(oldfile.path().c_str(), newname.c_str()), + EXPECT_THAT(link(unwriteable_file.path().c_str(), newname.c_str()), + SyscallFailsWithErrno(EPERM)); + EXPECT_THAT(link(special_path.c_str(), newname.c_str()), SyscallFailsWithErrno(EPERM)); + if (!IsRunningWithVFS1()) { + EXPECT_THAT(link(setuid_file.path().c_str(), newname.c_str()), + SyscallFailsWithErrno(EPERM)); + } }); } diff --git a/test/util/test_util.h b/test/util/test_util.h index 8e3245b27..e635827e6 100644 --- a/test/util/test_util.h +++ b/test/util/test_util.h @@ -220,6 +220,7 @@ constexpr char kKVM[] = "kvm"; bool IsRunningOnGvisor(); const std::string GvisorPlatform(); bool IsRunningWithHostinet(); +// TODO(gvisor.dev/issue/1624): Delete once VFS1 is gone. bool IsRunningWithVFS1(); #ifdef __linux__ |