
Commit a347500

test: do not fail network namespace test with permission issues
When running in LXC with AppArmor we'll most likely get an error when creating a network namespace due to a kernel regression in < v6.2 affecting AppArmor, resulting in denials. Like other tests, avoid failing in case of permission issues and handle it gracefully. (cherry picked from commit 6ab21f2) (cherry picked from commit ff35460) (cherry picked from commit c3aa100)
1 parent 0e46897 commit a347500


1 file changed

+25
-9
lines changed


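--- a/src/test/test-namespace.c
+++ b/src/test/test-namespace.c
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include <fcntl.h>
+#include <sysexits.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 
@@ -84,6 +85,7 @@ TEST(tmpdir) {
 
 static void test_shareable_ns(unsigned long nsflag) {
 _cleanup_close_pair_ int s[2] = PIPE_EBADF;
+bool permission_denied = false;
 pid_t pid1, pid2, pid3;
 int r, n = 0;
 siginfo_t si;
@@ -100,42 +102,56 @@ static void test_shareable_ns(unsigned long nsflag) {
 
 if (pid1 == 0) {
 r = setup_shareable_ns(s, nsflag);
-assert_se(r >= 0);
-_exit(r);
+assert_se(r >= 0 || ERRNO_IS_PRIVILEGE(r));
+_exit(r >= 0 ? r : EX_NOPERM);
 }
 
 pid2 = fork();
 assert_se(pid2 >= 0);
 
 if (pid2 == 0) {
 r = setup_shareable_ns(s, nsflag);
-assert_se(r >= 0);
-exit(r);
+assert_se(r >= 0 || ERRNO_IS_PRIVILEGE(r));
+_exit(r >= 0 ? r : EX_NOPERM);
 }
 
 pid3 = fork();
 assert_se(pid3 >= 0);
 
 if (pid3 == 0) {
 r = setup_shareable_ns(s, nsflag);
-assert_se(r >= 0);
-exit(r);
+assert_se(r >= 0 || ERRNO_IS_PRIVILEGE(r));
+_exit(r >= 0 ? r : EX_NOPERM);
 }
 
 r = wait_for_terminate(pid1, &si);
 assert_se(r >= 0);
 assert_se(si.si_code == CLD_EXITED);
-n += si.si_status;
+if (si.si_status == EX_NOPERM)
+permission_denied = true;
+else
+n += si.si_status;
 
 r = wait_for_terminate(pid2, &si);
 assert_se(r >= 0);
 assert_se(si.si_code == CLD_EXITED);
-n += si.si_status;
+if (si.si_status == EX_NOPERM)
+permission_denied = true;
+else
+n += si.si_status;
 
 r = wait_for_terminate(pid3, &si);
 assert_se(r >= 0);
 assert_se(si.si_code == CLD_EXITED);
-n += si.si_status;
+if (si.si_status == EX_NOPERM)
+permission_denied = true;
+else
+n += si.si_status;
+
+/* LSMs can cause setup_shareable_ns() to fail with permission denied, do not fail the test in that
+* case (e.g.: LXC with AppArmor on kernel < v6.2). */
+if (permission_denied)
+return (void) log_tests_skipped("insufficient privileges");
 
 assert_se(n == 1);
 }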
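Review bot: The skip path in test_shareable_ns() throws away the error the child actually hit: each child turns any failure matching ERRNO_IS_PRIVILEGE(r) into EX_NOPERM, and the parent then logs only "insufficient privileges". On a fully privileged host, a real regression in setup_shareable_ns() that surfaces as a privilege errno would be reported as a skip with no trace of the cause, and one denied child skips the whole test even if the other two succeeded. I would log the errno in each child before it exits, e.g. `if (r < 0) log_notice_errno(r, "setup_shareable_ns() failed: %m");` ahead of the `_exit()`. The part of the function between the declarations and `if (pid1 == 0)` lies outside the visible hunks, so I cannot tell whether the test already distinguishes a privileged run from an unprivileged one.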
