Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(decl/proc-chain): add user and capabilities support
Add the capability to specify the user and the linux capabilities a process in the process chain can be run with. Capabilities can only be specified for the leaf process. Omitting capabilities is equivalent to specify 'all=iep'. Each process in the chain runs with real user/group ID equals to 0 (root). Specifying a user sets the effective and the saved set-user/group-ID to the corresponding user/group IDs. If a user specified in the chain doesn't exist, it is created before running the test and deleted after test execution. The securebit SECBBIT_NOROOT is enabled before creating any child process: this is done in order to prevent the kernel from ignoring the specified capabilities when the real user ID is zero (see 'Capabilities and execution of programs by root' in capabilities(7)). Users who wish to run the before and after script or creating a 'process' test resource must take into account to provide at least CAP_SETPCAP in its permitted and effective set. Signed-off-by: Leonardo Di Giovanna <[email protected]> Co-authored-by: Aldo Lacuku <[email protected]>
- Loading branch information