From 9cfc15497581824f1c6ba2b9f9ee653d0be0bc5a Mon Sep 17 00:00:00 2001
From: Kevin Krakauer <krakauer@google.com>
Date: Fri, 26 Jun 2020 16:23:15 -0700
Subject: Require CAP_SYS_ADMIN in the root user namespace for TTY theft

PiperOrigin-RevId: 318563543
---
 test/syscalls/linux/pty_root.cc | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

(limited to 'test')

diff --git a/test/syscalls/linux/pty_root.cc b/test/syscalls/linux/pty_root.cc
index 14a4af980..1d7dbefdb 100644
--- a/test/syscalls/linux/pty_root.cc
+++ b/test/syscalls/linux/pty_root.cc
@@ -25,16 +25,26 @@
 namespace gvisor {
 namespace testing {
 
-// These tests should be run as root.
 namespace {
 
+// StealTTY tests whether privileged processes can steal controlling terminals.
+// If the stealing process has CAP_SYS_ADMIN in the root user namespace, the
+// test ensures that stealing works. If it has non-root CAP_SYS_ADMIN, it
+// ensures stealing fails.
 TEST(JobControlRootTest, StealTTY) {
   SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_SYS_ADMIN)));
 
-  // Make this a session leader, which also drops the controlling terminal.
-  // In the gVisor test environment, this test will be run as the session
-  // leader already (as the sentry init process).
+  bool true_root = true;
   if (!IsRunningOnGvisor()) {
+    // If running in Linux, we may only have CAP_SYS_ADMIN in a non-root user
+    // namespace (i.e. we are not truly root). We use init_module as a proxy for
+    // whether we are true root, as it returns EPERM immediately.
+    ASSERT_THAT(syscall(SYS_init_module, nullptr, 0, nullptr), SyscallFails());
+    true_root = errno != EPERM;
+
+    // Make this a session leader, which also drops the controlling terminal.
+    // In the gVisor test environment, this test will be run as the session
+    // leader already (as the sentry init process).
     ASSERT_THAT(setsid(), SyscallSucceeds());
   }
 
@@ -53,8 +63,8 @@ TEST(JobControlRootTest, StealTTY) {
     ASSERT_THAT(setsid(), SyscallSucceeds());
     // We shouldn't be able to steal the terminal with the wrong arg value.
     TEST_PCHECK(ioctl(slave.get(), TIOCSCTTY, 0));
-    // We should be able to steal it here.
-    TEST_PCHECK(!ioctl(slave.get(), TIOCSCTTY, 1));
+    // We should be able to steal it if we are true root.
+    TEST_PCHECK(true_root == !ioctl(slave.get(), TIOCSCTTY, 1));
     _exit(0);
   }
 
-- 
cgit v1.2.3