Commit 1c2d4da1 authored by Alberto Donizetti's avatar Alberto Donizetti Committed by Brad Fitzpatrick

syscall: skip non-root user namespace test if kernel forbids

The unprivileged_userns_clone sysctl prevents unpriviledged users from
creating namespaces, which the AmbientCaps test does. It's set to 0 by
default in a few Linux distributions (Debian and Arch, possibly
others), so we need to check it before running the test.

I've verified that setting

  echo 1 > /proc/sys/kernel/unprivileged_userns_clone

and then running the test *without this patch* makes it pass, which
proves that checking unprivileged_userns_clone is indeed sufficient.

Fixes #30698

Change-Id: Ib2079b5e714d7f2440ddf979c3e7cfda9a9c5005
Reviewed-on: https://go-review.googlesource.com/c/go/+/166460Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
parent e2dc41b4
...@@ -539,6 +539,13 @@ func testAmbientCaps(t *testing.T, userns bool) { ...@@ -539,6 +539,13 @@ func testAmbientCaps(t *testing.T, userns bool) {
t.Skip("skipping test on Kubernetes-based builders; see Issue 12815") t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
} }
// Skip the test if the sysctl that prevents unprivileged user
// from creating user namespaces is enabled.
data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
if errRead == nil && data[0] == '0' {
t.Skip("kernel prohibits user namespace in unprivileged process")
}
// skip on android, due to lack of lookup support // skip on android, due to lack of lookup support
if runtime.GOOS == "android" { if runtime.GOOS == "android" {
t.Skip("skipping test on android; see Issue 27327") t.Skip("skipping test on android; see Issue 27327")
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment