From 00bf7ca97a53563ffb0b00c5eb72b7616310a0f4 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Thu, 10 Oct 2024 10:37:48 -0700
Subject: [PATCH 1/2] capability: improve test helper
1. Use testing.TB so it can also be used from a benchmark.
2. Add a call to t.Helper.
Signed-off-by: Kir Kolyshkin
---
 capability/capability_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/capability/capability_test.go b/capability/capability_test.go
index 73575566..86d1dead 100644
--- a/capability/capability_test.go
+++ b/capability/capability_test.go
@@ -23,7 +23,8 @@ const (
 maxLastCap = CAP_CHECKPOINT_RESTORE
 )
-func requirePCapSet(t *testing.T) {
+func requirePCapSet(t testing.TB) {
+ t.Helper()
 pid, err := NewPid2(0)
 if err != nil {
 t.Fatal(err)
From 2addde0aaad3e13d2cbb9539db9ef6e1d0f8853c Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Thu, 10 Oct 2024 10:39:45 -0700
Subject: [PATCH 2/2] capability: improve TestAmbientCapSet
- do not manipulate bounding set, it is not needed;
- use a single list; add one more capability to it;
- set Permitted/Inheritable/Effective at once;
- use Unset to unset a capability;
- use loop for the last check.
Signed-off-by: Kir Kolyshkin
---
 capability/capability_test.go | 43 +++++++++++++++--------------------
 1 file changed, 18 insertions(+), 25 deletions(-)
diff --git a/capability/capability_test.go b/capability/capability_test.go
index 86d1dead..81b27e5d 100644
--- a/capability/capability_test.go
+++ b/capability/capability_test.go
@@ -112,49 +112,42 @@ func TestAmbientCapSet(t *testing.T) {
 }
 requirePCapSet(t)
- capBounding := []Cap{CAP_KILL, CAP_CHOWN, CAP_SYSLOG}
- capPermitted := []Cap{CAP_KILL, CAP_CHOWN}
- capEffective := []Cap{CAP_KILL}
- capInheritable := []Cap{CAP_KILL, CAP_CHOWN}
- capAmbient := []Cap{CAP_KILL, CAP_CHOWN}
-
 pid, err := NewPid2(0)
 if err != nil {
 t.Fatal(err)
 }
- pid.Set(BOUNDING, capBounding...)
- pid.Set(PERMITTED, capPermitted...)
- pid.Set(EFFECTIVE, capEffective...)
- pid.Set(INHERITABLE, capInheritable...)
- pid.Set(AMBIENT, capAmbient...)
- if err = pid.Apply(CAPS | BOUNDING | AMBIENT); err != nil {
+
+ list := []Cap{CAP_KILL, CAP_CHOWN, CAP_SYS_CHROOT}
+ pid.Set(CAPS|AMBIENT, list...)
+ if err = pid.Apply(CAPS | AMBIENT); err != nil {
 t.Fatal(err)
 }
- // Restore the cap set data from current process
+ // Check if ambient caps were applied.
 if err = pid.Load(); err != nil {
 t.Fatal(err)
 }
- for _, cap := range capAmbient {
- if !pid.Get(AMBIENT, cap) {
- t.Fatalf("expected ambient cap(%d) to be set but it's not", cap)
+ for _, cap := range list {
+ want := true
+ if got := pid.Get(AMBIENT, cap); want != got {
+ t.Errorf("Get(AMBIENT, %s): want %v, got %v", cap, want, got)
 }
 }
- // Remove a ambient cap, to check `PR_CAP_AMBIENT_CLEAR_ALL` work.
- pid.Clear(AMBIENT)
- pid.Set(AMBIENT, capAmbient[0])
- if err = pid.Apply(CAPS | BOUNDING | AMBIENT); err != nil {
+ // Unset a single ambient cap, to check `PR_CAP_AMBIENT_CLEAR_ALL` work.
+ const unsetIdx = 1
+ pid.Unset(AMBIENT, list[unsetIdx])
+ if err = pid.Apply(AMBIENT); err != nil {
 t.Fatal(err)
 }
 if err = pid.Load(); err != nil {
 t.Fatal(err)
 }
- if !pid.Get(AMBIENT, capAmbient[0]) {
- t.Fatalf("expected ambient cap(%d) to be set but it's not", capAmbient[0])
- }
- if pid.Get(AMBIENT, capAmbient[1]) {
- t.Fatalf("expected ambient cap(%d) not to be set but it has been set", capAmbient[1])
+ for i, cap := range list {
+ want := i != unsetIdx
+ if got := pid.Get(AMBIENT, cap); want != got {
+ t.Errorf("Get(AMBIENT, %s): want %v, got %v", cap, want, got)
+ }
 }
 }
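Review bot: The `pid.Apply(CAPS | AMBIENT)` and `pid.Apply(AMBIENT)` calls change capability state that Linux keeps per thread, and nothing visible in this hunk pins the test goroutine to one OS thread or undoes the change afterwards. If Apply and Load act on the calling thread, as capset(2) and prctl(2) do, the scheduler may run a later `pid.Load()` on a different thread than the preceding `Apply`, and tests that run afterwards can land on the thread whose capability sets were changed. Calling `runtime.LockOSThread()` before `NewPid2(0)` and never unlocking would keep the whole sequence on one thread and have the runtime discard that thread when the test goroutine exits; it needs the `runtime` import if the file does not already have it. The start of TestAmbientCapSet lies above the hunk, so a lock placed there would already cover this.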