syscall: skip non-root user namespace test if kernel forbids
authorIan Lance Taylor <iant@golang.org>
Fri, 19 Jun 2015 20:48:06 +0000 (13:48 -0700)
committerIan Lance Taylor <iant@golang.org>
Sat, 20 Jun 2015 00:52:38 +0000 (00:52 +0000)
Some Linux kernels apparently have a sysctl that prohibits
nonprivileged processes from creating user namespaces.  If we see a
failure for that reason, skip the test.

Fixes #11261.

Change-Id: I82dfcaf475eea4eaa387941373ce7165df4848ad
Reviewed-on: https://go-review.googlesource.com/11269
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
src/syscall/exec_linux_test.go

index 1f0a27d92e98edd9a1289ca040aa1dbb623c2f1a..60d2734f66a8b0485bd8e77c4cabec10e546826f 100644 (file)
@@ -42,6 +42,14 @@ func testNEWUSERRemap(t *testing.T, uid, gid int, setgroups bool) {
        cmd := whoamiCmd(t, uid, gid, setgroups)
        out, err := cmd.CombinedOutput()
        if err != nil {
+               // On some systems, there is a sysctl setting.
+               if os.IsPermission(err) && os.Getuid() != 0 {
+                       data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
+                       if errRead == nil && data[0] == '0' {
+                               t.Skip("kernel prohibits user namespace in unprivileged process")
+                       }
+               }
+
                t.Fatalf("Cmd failed with err %v, output: %s", err, out)
        }
        sout := strings.TrimSpace(string(out))
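Review bot: `data[0]` in the added sysctl check is read without a length check, so if `/proc/sys/kernel/unprivileged_userns_clone` ever reads back empty the test would panic with an index-out-of-range instead of reaching the `t.Fatalf`. Guard it with `if errRead == nil && len(data) > 0 && data[0] == '0' {`. The comment `// On some systems, there is a sysctl setting.` would also help the next reader more if it named the setting and its meaning, for example `// Some kernels expose kernel.unprivileged_userns_clone; "0" means unprivileged processes may not create user namespaces.` The body of testNEWUSERRemap continues past the end of this hunk.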
@@ -97,7 +105,7 @@ func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) {
        if err == nil {
                t.Skip("probably old kernel without security fix")
        }
-       if !strings.Contains(err.Error(), "operation not permitted") {
+       if !os.IsPermission(err) {
                t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail")
        }
 }
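Review bot: The `t.Fatalf` under the new `!os.IsPermission(err)` check does not print the error that was returned, so a failure gives no hint whether the child failed for an unrelated reason. Include the error, for example `t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail with a permission error, got: %v", err)`. `os.IsPermission` also accepts EACCES as well as EPERM, which is slightly broader than the old "operation not permitted" string match; that looks acceptable for a test asserting the kernel refuses the mapping, but a short comment saying so would make the intent explicit. The start of the function is outside this hunk.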