diff options
| author | Ian Lance Taylor <iant@golang.org> | 2015-06-19 13:48:06 -0700 |
|---|---|---|
| committer | Ian Lance Taylor <iant@golang.org> | 2015-06-20 00:52:38 +0000 |
| commit | 79d4d6eca47acc3b2dd0ec598b6a55c0bb0b1b31 (patch) | |
| tree | 106e1af7be534001b9ec59f2513654f0f58f493a /src/syscall/exec_linux_test.go | |
| parent | 2f2908bec31a5fa8b5031b362006baef020b9819 (diff) | |
| download | go-79d4d6eca47acc3b2dd0ec598b6a55c0bb0b1b31.tar.gz go-79d4d6eca47acc3b2dd0ec598b6a55c0bb0b1b31.zip | |
syscall: skip non-root user namespace test if kernel forbids
Some Linux kernels apparently have a sysctl that prohibits
nonprivileged processes from creating user namespaces. If we see a
failure for that reason, skip the test.
Fixes #11261.
Change-Id: I82dfcaf475eea4eaa387941373ce7165df4848ad
Reviewed-on: https://go-review.googlesource.com/11269
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
Diffstat (limited to 'src/syscall/exec_linux_test.go')
| -rw-r--r-- | src/syscall/exec_linux_test.go | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go index 1f0a27d92e..60d2734f66 100644 --- a/src/syscall/exec_linux_test.go +++ b/src/syscall/exec_linux_test.go @@ -42,6 +42,14 @@ func testNEWUSERRemap(t *testing.T, uid, gid int, setgroups bool) { cmd := whoamiCmd(t, uid, gid, setgroups) out, err := cmd.CombinedOutput() if err != nil { + // On some systems, there is a sysctl setting. + if os.IsPermission(err) && os.Getuid() != 0 { + data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone") + if errRead == nil && data[0] == '0' { + t.Skip("kernel prohibits user namespace in unprivileged process") + } + } + t.Fatalf("Cmd failed with err %v, output: %s", err, out) } sout := strings.TrimSpace(string(out)) @@ -97,7 +105,7 @@ func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) { if err == nil { t.Skip("probably old kernel without security fix") } - if !strings.Contains(err.Error(), "operation not permitted") { + if !os.IsPermission(err) { t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail") } } |