Commit f31b7b9b authored by Meng Zhuo's avatar Meng Zhuo Committed by Tobias Klauser

syscall: skip test if unprivileged_userns_clone sysctl is missing

The original test (CL 166460) didn't check for the existence of
/proc/sys/kernel/unprivileged_userns_clone and continued the test
if the file didn't exist.

Fixes #32459

Change-Id: Iab4938252fcaded32b61e17edf68f966c2565582
Reviewed-on: https://go-review.googlesource.com/c/go/+/180877
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: default avatarTobias Klauser <tobias.klauser@gmail.com>
parent 064ce85c
...@@ -42,6 +42,15 @@ func skipInContainer(t *testing.T) { ...@@ -42,6 +42,15 @@ func skipInContainer(t *testing.T) {
} }
} }
func skipUnprivilegedUserClone(t *testing.T) {
// Skip the test if the sysctl that prevents unprivileged user
// from creating user namespaces is enabled.
data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
if errRead != nil || len(data) < 1 && data[0] == '0' {
t.Skip("kernel prohibits user namespace in unprivileged process")
}
}
// Check if we are in a chroot by checking if the inode of / is // Check if we are in a chroot by checking if the inode of / is
// different from 2 (there is no better test available to non-root on // different from 2 (there is no better test available to non-root on
// linux). // linux).
...@@ -72,10 +81,7 @@ func checkUserNS(t *testing.T) { ...@@ -72,10 +81,7 @@ func checkUserNS(t *testing.T) {
} }
// On some systems, there is a sysctl setting. // On some systems, there is a sysctl setting.
if os.Getuid() != 0 { if os.Getuid() != 0 {
data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone") skipUnprivilegedUserClone(t)
if errRead == nil && data[0] == '0' {
t.Skip("kernel prohibits user namespace in unprivileged process")
}
} }
// On Centos 7 make sure they set the kernel parameter user_namespace=1 // On Centos 7 make sure they set the kernel parameter user_namespace=1
// See issue 16283 and 20796. // See issue 16283 and 20796.
...@@ -582,12 +588,7 @@ func testAmbientCaps(t *testing.T, userns bool) { ...@@ -582,12 +588,7 @@ func testAmbientCaps(t *testing.T, userns bool) {
t.Skip("skipping test on Kubernetes-based builders; see Issue 12815") t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
} }
// Skip the test if the sysctl that prevents unprivileged user skipUnprivilegedUserClone(t)
// from creating user namespaces is enabled.
data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
if errRead == nil && data[0] == '0' {
t.Skip("kernel prohibits user namespace in unprivileged process")
}
// skip on android, due to lack of lookup support // skip on android, due to lack of lookup support
if runtime.GOOS == "android" { if runtime.GOOS == "android" {
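Review bot: In skipUnprivilegedUserClone the new condition `errRead != nil || len(data) < 1 && data[0] == '0'` can never skip after a successful read: `&&` binds tighter than `||`, so the right-hand side is reached only when `data` is empty, and `data[0]` then panics with an index-out-of-range error. A host where the sysctl reads `0` therefore falls through and runs the user-namespace tests on a kernel that forbids them, which is the case both call sites (checkUserNS and testAmbientCaps) rely on this helper to catch. The second operator should be `||`: `if errRead != nil || len(data) < 1 || data[0] == '0' {`. The comment above it would also be more accurate as `// Skip the test if the sysctl is missing, unreadable, or set to 0 (unprivileged user namespaces disabled).`, since the skip now also fires when the file cannot be read.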