From: Alberto Donizetti Date: Sat, 9 Mar 2019 17:01:26 +0000 (+0100) Subject: syscall: skip non-root user namespace test if kernel forbids X-Git-Tag: go1.13beta1~1112 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=1c2d4da10f6edf9a83fb0cffaaf9f631f462d26b;p=gostls13.git syscall: skip non-root user namespace test if kernel forbids The unprivileged_userns_clone sysctl prevents unpriviledged users from creating namespaces, which the AmbientCaps test does. It's set to 0 by default in a few Linux distributions (Debian and Arch, possibly others), so we need to check it before running the test. I've verified that setting echo 1 > /proc/sys/kernel/unprivileged_userns_clone and then running the test *without this patch* makes it pass, which proves that checking unprivileged_userns_clone is indeed sufficient. Fixes #30698 Change-Id: Ib2079b5e714d7f2440ddf979c3e7cfda9a9c5005 Reviewed-on: https://go-review.googlesource.com/c/go/+/166460 Reviewed-by: Brad Fitzpatrick Run-TryBot: Brad Fitzpatrick TryBot-Result: Gobot Gobot --- diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go index dc16a9d9fe..826487b676 100644 --- a/src/syscall/exec_linux_test.go +++ b/src/syscall/exec_linux_test.go @@ -539,6 +539,13 @@ func testAmbientCaps(t *testing.T, userns bool) { t.Skip("skipping test on Kubernetes-based builders; see Issue 12815") } + // Skip the test if the sysctl that prevents unprivileged user + // from creating user namespaces is enabled. + data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone") + if errRead == nil && data[0] == '0' { + t.Skip("kernel prohibits user namespace in unprivileged process") + } + // skip on android, due to lack of lookup support if runtime.GOOS == "android" { t.Skip("skipping test on android; see Issue 27327")