| #!/bin/bash |
| # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| set -e |
| if [ "$(whoami)" != "root" ]; then |
| echo "Must be root for this test" >&2 |
| exit 1 |
| fi |
| NONROOT="$1" |
| |
| export LANG=C |
| pid= |
| dir= |
| |
| function start_sleeper() |
| { |
| dir=$(mktemp -d -t sleeper-XXXXXX) |
| mkfifo "$dir"/status |
| minijail0 -p -- ./inside-pidns.sh "$1" $NONROOT >"$dir"/status & |
| pid=$! |
| # Immediately forget about minijail process. We will find sleeper next. |
| disown $pid |
| # Wait for sleeper to start up. |
| read status < "$dir"/status |
| # Find sleeper pid. |
| while [ $(ps -p $pid -o comm=) != "sleeper" ]; do |
| pid=$(ps -ef | awk '{ if ($3 == '"$pid"') { print $2 }}') |
| if [ -z "$pid" ]; then |
| echo "Failed to locate pidns sleeper." >&2 |
| exit 1 |
| fi |
| done |
| } |
| |
| function kill_sleeper() |
| { |
| kill $pid |
| rm -rf "$dir" |
| } |
| |
| rc=0 |
| |
| # Validate that prctl(PR_SET_PTRACER, 0, ...) cannot be ptraced across pidns. |
| start_sleeper 0 |
| OUT=$(su -c 'gdb -ex "attach '"$pid"'" -ex "quit" --batch' $NONROOT \ |
| </dev/null 2>&1) |
| prctl="prctl(PR_SET_PTRACER, 0, ...)" |
| if echo "$OUT" | grep -q 'Operation not permitted'; then |
| echo "ok: $prctl correctly not allowed ptrace" |
| else |
| echo "FAIL: $prctl unexpectedly allowed ptrace" |
| rc=1 |
| fi |
| kill_sleeper |
| |
| # Validate that prctl(PR_SET_PTRACER, -1, ...) can be ptraced across pidns. |
| start_sleeper -1 |
| OUT=$(su -c 'gdb -ex "attach '"$pid"'" -ex "quit" --batch' $NONROOT \ |
| </dev/null 2>&1) |
| prctl="prctl(PR_SET_PTRACER, -1, ...)" |
| if echo "$OUT" | grep -q 'Quit anyway'; then |
| echo "ok: $prctl correctly allowed ptrace" |
| else |
| echo "FAIL: $prctl unexpectedly not allowed ptrace" |
| rc=1 |
| fi |
| kill_sleeper |
| |
| exit $rc |