SecurityFeaturesTest: Verify PR_CAPBSET_DROP

Verify that all capabilities from the capabilities
bounding set have been dropped via prctl(PR_CAPBSET_DROP).

Change-Id: I508a9086753eca1eb749c3161e608e80cf359f36
diff --git a/tests/jni/android_os_cts_OSFeatures.cpp b/tests/jni/android_os_cts_OSFeatures.cpp
index 2df6414..4ee8454 100644
--- a/tests/jni/android_os_cts_OSFeatures.cpp
+++ b/tests/jni/android_os_cts_OSFeatures.cpp
@@ -22,9 +22,16 @@
     return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
 }
 
+jint android_os_cts_OSFeatures_prctlCapBsetRead(JNIEnv* env, jobject thiz, jint i)
+{
+    return prctl(PR_CAPBSET_READ, i, 0, 0, 0);
+}
+
 static JNINativeMethod gMethods[] = {
     {  "getNoNewPrivs", "()I",
             (void *) android_os_cts_OSFeatures_getNoNewPrivs  },
+    {  "prctlCapBsetRead", "(I)I",
+            (void *) android_os_cts_OSFeatures_prctlCapBsetRead },
 };
 
 int register_android_os_cts_OSFeatures(JNIEnv* env)
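Review bot: `android_os_cts_OSFeatures_prctlCapBsetRead` returns the raw prctl() result and drops errno, so the Java side receives a bare -1 for an out-of-range capability index and for any other failure of the call alike. The test added in SecurityFeaturesTest.java uses -1 as its loop terminator, so the return contract should be written above the function, e.g. `// Returns 1 if capability i is in the bounding set, 0 if it is not, -1 on error (errno is not propagated).` The function is also declared without `static`, although in the visible lines it is only referenced through `gMethods`. Writing `static jint android_os_cts_OSFeatures_prctlCapBsetRead(...)` would keep it out of the library's exported symbols.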
diff --git a/tests/src/android/os/cts/OSFeatures.java b/tests/src/android/os/cts/OSFeatures.java
index a8d08a6..fd30f58 100644
--- a/tests/src/android/os/cts/OSFeatures.java
+++ b/tests/src/android/os/cts/OSFeatures.java
@@ -22,4 +22,5 @@
     }
 
     public static native int getNoNewPrivs();
+    public static native int prctlCapBsetRead(int i);
 }
diff --git a/tests/tests/os/src/android/os/cts/SecurityFeaturesTest.java b/tests/tests/os/src/android/os/cts/SecurityFeaturesTest.java
index f1744a0..6a02974 100644
--- a/tests/tests/os/src/android/os/cts/SecurityFeaturesTest.java
+++ b/tests/tests/os/src/android/os/cts/SecurityFeaturesTest.java
@@ -27,4 +27,26 @@
         // if newPrivs == 1,  then new kernel with PR_SET_NO_NEW_PRIVS enabled (GOOD)
         assertTrue(newPrivs != 0);
     }
+
+    /**
+     * Iterate over all possible capabilities, testing to make sure each capability
+     * has been removed from the app's capability bounding set.
+     */
+    public void testPrCapbsetEmpty() {
+        int i = 0;
+        while (true) {
+            int result = OSFeatures.prctlCapBsetRead(i);
+            if (result == -1) {
+                // The kernel has told us that the capability we're inquiring about
+                // doesn't exist. Capabilities are assigned sequentially and
+                // and monotonically increase with each kernel release, so if we
+                // see -1, we know we've examined every capability the kernel
+                // knows about.
+                break;
+            }
+            assertEquals("capability " + i + " is still in the bounding set",
+                         0, result);
+            i++;
+        }
+    }
 }
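Review bot: `testPrCapbsetEmpty` passes without asserting anything if the very first call, `OSFeatures.prctlCapBsetRead(0)`, returns -1, because the loop breaks while `i` is still 0. That could presumably happen on a kernel that does not implement PR_CAPBSET_READ, or where the call is refused for another reason, so a device with a fully populated bounding set would still pass. After the loop, add `assertTrue("PR_CAPBSET_READ failed for capability 0", i > 0);` so that at least one capability must have been examined. The comment inside the `if` also repeats "and" across a line break.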