From 5181b54d45a7f7a1bd67396a8a9721ad512134fe Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Mon, 22 Jul 2019 11:15:52 +0200
Subject: executor: drop CAP_SYS_PTRACE with sandbox=none

We only drop CAP_SYS_PTRACE for sandbox=namespace, but it can equally affect testing with sandbox=none. Drop it for sandbox=none, add a test.
---
sys/linux/test/caps | 5 +++++
sys/linux/test/vusb | 1 +
2 files changed, 6 insertions(+)
create mode 100644 sys/linux/test/caps
(limited to 'sys/linux')
diff --git a/sys/linux/test/caps b/sys/linux/test/caps
new file mode 100644
index 000000000..f3ef3a9e0
--- /dev/null
+++ b/sys/linux/test/caps
@@ -0,0 +1,5 @@
+# Ensure that test processes don't have capabilities to do dangerious things,
+# see drop_caps function in executor for details.
+# requires: -sandbox=
+
+ptrace(0x10, 0x1) # EPERM
diff --git a/sys/linux/test/vusb b/sys/linux/test/vusb
index 0593b4c83..16c7780f2 100644
--- a/sys/linux/test/vusb
+++ b/sys/linux/test/vusb
@@ -2,4 +2,5 @@ # Temporary disabled because deserialization fails (run go test ./pkg/csource). #syz_usb_connect(0x0, 0x24, &(0x7f0000000000)={0x12, 0x1, 0x0, 0x97, 0xff, 0x82, 0x8, 0x2058, 0x1005, 0xc19b, 0x0, 0x0, 0x0, 0x1, [{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{0x9, 0x4, 0x8f, 0x0, 0x0, 0xbf, 0x57, 0x5a, 0x0, [], []}]}]}, 0x0) + getpid()
--
cgit mrf-deployment
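Review bot: In sys/linux/test/caps the single `ptrace(0x10, 0x1) # EPERM` line leaves the reader to decode the constants and never says which capability it exercises; I would add a comment above it such as `# PTRACE_ATTACH (0x10) to pid 1 must fail with EPERM once CAP_SYS_PTRACE is dropped.` EPERM on a ptrace attach can presumably also come from other kernel policy (for example a restrictive Yama ptrace_scope setting), so on such a kernel this check may still pass if drop_caps regresses; that limitation is worth stating in the header comment. The header also has a typo, `dangerious` for `dangerous`. The executor side of the change (drop_caps) is outside this view, which is limited to sys/linux, so the test could not be checked against it here.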