executor: drop CAP_SYS_PTRACE with sandbox=none

We only drop CAP_SYS_PTRACE for sandbox=namespace, but it can equally affect testing with sandbox=none. Drop it for sandbox=none, add a test.
author: Dmitry Vyukov <dvyukov@google.com> 2019-07-22 11:15:52 +0200
committer: Dmitry Vyukov <dvyukov@google.com> 2019-07-22 11:51:53 +0200
commit: 5181b54d45a7f7a1bd67396a8a9721ad512134fe (patch)
tree: 8b7c8704b3e6368ac6f62f6b534c117e5fc54b7e /sys/linux
parent: e530ec1befe3153020d601f5066939d984d790ac (diff)
2 files changed, 6 insertions, 0 deletions
diff --git a/sys/linux/test/caps b/sys/linux/test/caps
new file mode 100644
index 000000000..f3ef3a9e0
--- /dev/null
+++ b/sys/linux/test/caps
@@ -0,0 +1,5 @@
+# Ensure that test processes don't have capabilities to do dangerious things,
+# see drop_caps function in executor for details.
+# requires: -sandbox=
+
+ptrace(0x10, 0x1)	# EPERM
diff --git a/sys/linux/test/vusb b/sys/linux/test/vusb
index 0593b4c83..16c7780f2 100644
--- a/sys/linux/test/vusb
+++ b/sys/linux/test/vusb
@@ -2,4 +2,5 @@
 
 # Temporary disabled because deserialization fails (run go test ./pkg/csource).
 #syz_usb_connect(0x0, 0x24, &(0x7f0000000000)={0x12, 0x1, 0x0, 0x97, 0xff, 0x82, 0x8, 0x2058, 0x1005, 0xc19b, 0x0, 0x0, 0x0, 0x1, [{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{0x9, 0x4, 0x8f, 0x0, 0x0, 0xbf, 0x57, 0x5a, 0x0, [], []}]}]}, 0x0)
+
 getpid()
author	Dmitry Vyukov <dvyukov@google.com>	2019-07-22 11:15:52 +0200
committer	Dmitry Vyukov <dvyukov@google.com>	2019-07-22 11:51:53 +0200
commit	5181b54d45a7f7a1bd67396a8a9721ad512134fe (patch)
tree	8b7c8704b3e6368ac6f62f6b534c117e5fc54b7e /sys/linux
parent	e530ec1befe3153020d601f5066939d984d790ac (diff)