path: root/src/syscall/exec_linux_test.go
author Alberto Donizetti <alb.donizetti@gmail.com> 2019-03-09 18:01:26 +0100
committer Brad Fitzpatrick <bradfitz@golang.org> 2019-03-10 21:01:02 +0000
commit 1c2d4da10f6edf9a83fb0cffaaf9f631f462d26b (patch)
tree 471a5b73aff9ce44a672fa717648d706b74f1f69 /src/syscall/exec_linux_test.go
parent e2dc41b4909400341ec12058261206bb842cc2e0 (diff)
syscall: skip non-root user namespace test if kernel forbids

The unprivileged_userns_clone sysctl prevents unprivileged users from
creating namespaces, which the AmbientCaps test does. It's set to 0 by
default in a few Linux distributions (Debian and Arch, possibly
others), so we need to check it before running the test.

I've verified that setting

echo 1 > /proc/sys/kernel/unprivileged_userns_clone

and then running the test *without this patch* makes it pass, which
proves that checking unprivileged_userns_clone is indeed sufficient.

Fixes #30698

Change-Id: Ib2079b5e714d7f2440ddf979c3e7cfda9a9c5005
Reviewed-on: https://go-review.googlesource.com/c/go/+/166460
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

Diffstat (limited to 'src/syscall/exec_linux_test.go')
-rw-r--r-- src/syscall/exec_linux_test.go 7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go
index dc16a9d9fe..826487b676 100644
--- a/src/syscall/exec_linux_test.go
+++ b/src/syscall/exec_linux_test.go
@@ -539,6 +539,13 @@ func testAmbientCaps(t *testing.T, userns bool) {
t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
}
+ // Skip the test if the sysctl that prevents unprivileged user
+ // from creating user namespaces is enabled.
+ data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
+ if errRead == nil && data[0] == '0' {
+ t.Skip("kernel prohibits user namespace in unprivileged process")
+ }
+
// skip on android, due to lack of lookup support
if runtime.GOOS == "android" {
t.Skip("skipping test on android; see Issue 27327")
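Review bot: `data[0]` in the new condition `errRead == nil && data[0] == '0'` is indexed without a length check, so a successful read that returns no bytes would panic the test instead of skipping or running it. Guard it with `len(data) > 0 && data[0] == '0'`. Two smaller points on the same lines: the comment says the test is skipped when the sysctl "is enabled", but the code skips when the value is 0, so wording such as "if the kernel is configured to forbid unprivileged user namespaces" would match the check; and the function takes a `userns bool` parameter that the new check does not consult, so if the `userns == false` variant does not create a user namespace it is skipped needlessly and the check could go under `if userns`.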