Diffstat (limited to 'libgo/go/syscall/exec_linux_test.go')
-rw-r--r--libgo/go/syscall/exec_linux_test.go56
1 files changed, 23 insertions, 33 deletions
diff --git a/libgo/go/syscall/exec_linux_test.go b/libgo/go/syscall/exec_linux_test.go
index 7bd39100632..1a44f04c8c1 100644
--- a/libgo/go/syscall/exec_linux_test.go
+++ b/libgo/go/syscall/exec_linux_test.go
@@ -34,6 +34,14 @@ func isLXC() bool {
}
func skipInContainer(t *testing.T) {
+ // TODO: the callers of this func are using this func to skip
+ // tests when running as some sort of "fake root" that's uid 0
+ // but lacks certain Linux capabilities. Most of the Go builds
+ // run in privileged containers, though, where root is much
+ // closer (if not identical) to the real root. We should test
+ // for what we need exactly (which capabilities are active?),
+ // instead of just assuming "docker == bad". Then we'd get more test
+ // coverage on a bunch of builders too.
if isDocker() {
t.Skip("skip this test in Docker container")
}
@@ -42,6 +50,18 @@ func skipInContainer(t *testing.T) {
}
}
+func skipNoUserNamespaces(t *testing.T) {
+ if _, err := os.Stat("/proc/self/ns/user"); err != nil {
+ if os.IsNotExist(err) {
+ t.Skip("kernel doesn't support user namespaces")
+ }
+ if os.IsPermission(err) {
+ t.Skip("unable to test user namespaces due to permissions")
+ }
+ t.Fatalf("Failed to stat /proc/self/ns/user: %v", err)
+ }
+}
+
func skipUnprivilegedUserClone(t *testing.T) {
// Skip the test if the sysctl that prevents unprivileged user
// from creating user namespaces is enabled.
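Review bot: `skipNoUserNamespaces` has no doc comment and does not call `t.Helper()`, so a skip or failure is reported at a line inside the helper rather than at the test that called it. I would add `t.Helper()` as its first statement and a comment such as `// skipNoUserNamespaces skips the test if /proc/self/ns/user is missing or unreadable; it does not check whether this process may create a user namespace.` The second half of that comment matters because the stat only shows that the kernel exposes the namespace file. Whether creation is permitted is left to other helpers such as skipUnprivilegedUserClone, whose body continues outside this hunk.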
@@ -64,15 +84,7 @@ func isChrooted(t *testing.T) bool {
func checkUserNS(t *testing.T) {
skipInContainer(t)
- if _, err := os.Stat("/proc/self/ns/user"); err != nil {
- if os.IsNotExist(err) {
- t.Skip("kernel doesn't support user namespaces")
- }
- if os.IsPermission(err) {
- t.Skip("unable to test user namespaces due to permissions")
- }
- t.Fatalf("Failed to stat /proc/self/ns/user: %v", err)
- }
+ skipNoUserNamespaces(t)
if isChrooted(t) {
// create_user_ns in the kernel (see
// https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c)
@@ -305,6 +317,7 @@ func TestGroupCleanupUserNamespace(t *testing.T) {
"uid=0(root) gid=0(root) groups=0(root),65534(nogroup)",
"uid=0(root) gid=0(root) groups=0(root),65534",
"uid=0(root) gid=0(root) groups=0(root),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody)", // Alpine; see https://golang.org/issue/19938
+ "uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", // CentOS with SELinux context, see https://golang.org/issue/34547
}
for _, e := range expected {
if strOut == e {
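Review bot: The new expected entry pins one exact SELinux label (`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023`), so a host that runs the test in any other domain or MCS range will still fail the `strOut == e` comparison. The other entries suggest the test is about the uid/gid/groups part, so it would be more robust to drop the label before comparing, e.g. `if i := strings.Index(strOut, " context="); i >= 0 { strOut = strOut[:i] }` ahead of the loop, assuming `strings` is imported in this file. The function starts and ends outside the hunk, so how strOut is produced is not visible here.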
@@ -336,14 +349,6 @@ func TestUnshareMountNameSpace(t *testing.T) {
t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace")
}
- // When running under the Go continuous build, skip tests for
- // now when under Kubernetes. (where things are root but not quite)
- // Both of these are our own environment variables.
- // See Issue 12815.
- if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
- t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
- }
-
d, err := ioutil.TempDir("", "unshare")
if err != nil {
t.Fatalf("tempdir: %v", err)
@@ -386,14 +391,6 @@ func TestUnshareMountNameSpaceChroot(t *testing.T) {
t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace")
}
- // When running under the Go continuous build, skip tests for
- // now when under Kubernetes. (where things are root but not quite)
- // Both of these are our own environment variables.
- // See Issue 12815.
- if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
- t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
- }
-
d, err := ioutil.TempDir("", "unshare")
if err != nil {
t.Fatalf("tempdir: %v", err)
@@ -573,6 +570,7 @@ func TestAmbientCaps(t *testing.T) {
}
func TestAmbientCapsUserns(t *testing.T) {
+ checkUserNS(t)
testAmbientCaps(t, true)
}
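Review bot: The `checkUserNS(t)` guard added to TestAmbientCapsUserns sits in the caller, so any other caller that passes `userns=true` to testAmbientCaps would miss it. skipInContainer also now runs twice on this path, once inside checkUserNS and once at the top of testAmbientCaps. Consider moving the guard into testAmbientCaps as `if userns { checkUserNS(t) }`, or at least add a comment here such as `// userns=true needs a usable user namespace; skip early if one is unavailable.`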
@@ -580,14 +578,6 @@ func testAmbientCaps(t *testing.T, userns bool) {
skipInContainer(t)
mustSupportAmbientCaps(t)
- // When running under the Go continuous build, skip tests for
- // now when under Kubernetes. (where things are root but not quite)
- // Both of these are our own environment variables.
- // See Issue 12815.
- if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
- t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
- }
-
skipUnprivilegedUserClone(t)
// skip on android, due to lack of lookup support