diff options
Diffstat (limited to 'libgo/go/syscall/exec_linux_test.go')
-rw-r--r-- | libgo/go/syscall/exec_linux_test.go | 56 |
1 files changed, 23 insertions, 33 deletions
diff --git a/libgo/go/syscall/exec_linux_test.go b/libgo/go/syscall/exec_linux_test.go index 7bd39100632..1a44f04c8c1 100644 --- a/libgo/go/syscall/exec_linux_test.go +++ b/libgo/go/syscall/exec_linux_test.go @@ -34,6 +34,14 @@ func isLXC() bool { } func skipInContainer(t *testing.T) { + // TODO: the callers of this func are using this func to skip + // tests when running as some sort of "fake root" that's uid 0 + // but lacks certain Linux capabilities. Most of the Go builds + // run in privileged containers, though, where root is much + // closer (if not identical) to the real root. We should test + // for what we need exactly (which capabilities are active?), + // instead of just assuming "docker == bad". Then we'd get more test + // coverage on a bunch of builders too. if isDocker() { t.Skip("skip this test in Docker container") } @@ -42,6 +50,18 @@ func skipInContainer(t *testing.T) { } } +func skipNoUserNamespaces(t *testing.T) { + if _, err := os.Stat("/proc/self/ns/user"); err != nil { + if os.IsNotExist(err) { + t.Skip("kernel doesn't support user namespaces") + } + if os.IsPermission(err) { + t.Skip("unable to test user namespaces due to permissions") + } + t.Fatalf("Failed to stat /proc/self/ns/user: %v", err) + } +} + func skipUnprivilegedUserClone(t *testing.T) { // Skip the test if the sysctl that prevents unprivileged user // from creating user namespaces is enabled. @@ -64,15 +84,7 @@ func isChrooted(t *testing.T) bool { func checkUserNS(t *testing.T) { skipInContainer(t) - if _, err := os.Stat("/proc/self/ns/user"); err != nil { - if os.IsNotExist(err) { - t.Skip("kernel doesn't support user namespaces") - } - if os.IsPermission(err) { - t.Skip("unable to test user namespaces due to permissions") - } - t.Fatalf("Failed to stat /proc/self/ns/user: %v", err) - } + skipNoUserNamespaces(t) if isChrooted(t) { // create_user_ns in the kernel (see // https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c) @@ -305,6 +317,7 @@ func TestGroupCleanupUserNamespace(t *testing.T) { "uid=0(root) gid=0(root) groups=0(root),65534(nogroup)", "uid=0(root) gid=0(root) groups=0(root),65534", "uid=0(root) gid=0(root) groups=0(root),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody)", // Alpine; see https://golang.org/issue/19938 + "uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", // CentOS with SELinux context, see https://golang.org/issue/34547 } for _, e := range expected { if strOut == e { @@ -336,14 +349,6 @@ func TestUnshareMountNameSpace(t *testing.T) { t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace") } - // When running under the Go continuous build, skip tests for - // now when under Kubernetes. (where things are root but not quite) - // Both of these are our own environment variables. - // See Issue 12815. - if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" { - t.Skip("skipping test on Kubernetes-based builders; see Issue 12815") - } - d, err := ioutil.TempDir("", "unshare") if err != nil { t.Fatalf("tempdir: %v", err) @@ -386,14 +391,6 @@ func TestUnshareMountNameSpaceChroot(t *testing.T) { t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace") } - // When running under the Go continuous build, skip tests for - // now when under Kubernetes. (where things are root but not quite) - // Both of these are our own environment variables. - // See Issue 12815. - if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" { - t.Skip("skipping test on Kubernetes-based builders; see Issue 12815") - } - d, err := ioutil.TempDir("", "unshare") if err != nil { t.Fatalf("tempdir: %v", err) @@ -573,6 +570,7 @@ func TestAmbientCaps(t *testing.T) { } func TestAmbientCapsUserns(t *testing.T) { + checkUserNS(t) testAmbientCaps(t, true) } @@ -580,14 +578,6 @@ func testAmbientCaps(t *testing.T, userns bool) { skipInContainer(t) mustSupportAmbientCaps(t) - // When running under the Go continuous build, skip tests for - // now when under Kubernetes. (where things are root but not quite) - // Both of these are our own environment variables. - // See Issue 12815. - if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" { - t.Skip("skipping test on Kubernetes-based builders; see Issue 12815") - } - skipUnprivilegedUserClone(t) // skip on android, due to lack of lookup support |