authorFabricio Voznika <fvoznika@google.com>2018-09-28 09:43:13 -0700
committerShentubot <shentubot@google.com>2018-09-28 09:44:13 -0700
commitcf226d48ce8c49409049e03ed405366db9fc2a04 (patch)
tree293d892446f0b03179757ab8a45ae032ccb534aa /runsc/cmd
parent6779bd1187e2b0f8692ab8a16d8d1681f0e674c5 (diff)
Switch to root in userns when CAP_SYS_CHROOT is also missing
Some tests check current capabilities and re-run the tests as root inside userns if required capabilities are missing. It was checking for CAP_SYS_ADMIN only, CAP_SYS_CHROOT is also required now. PiperOrigin-RevId: 214949226 Change-Id: Ic81363969fa76c04da408fae8ea7520653266312
Diffstat (limited to 'runsc/cmd')
-rw-r--r--runsc/cmd/capability.go6
-rw-r--r--runsc/cmd/cmd.go1
2 files changed, 5 insertions, 2 deletions
diff --git a/runsc/cmd/capability.go b/runsc/cmd/capability.go
index affbb7ce3..0b18c5481 100644
--- a/runsc/cmd/capability.go
+++ b/runsc/cmd/capability.go
@@ -60,7 +60,11 @@ func applyCaps(caps *specs.LinuxCapabilities) error {
newCaps.Set(c, set...)
}
- return newCaps.Apply(capability.CAPS | capability.BOUNDS | capability.AMBS)
+ if err := newCaps.Apply(capability.CAPS | capability.BOUNDS | capability.AMBS); err != nil {
+ return err
+ }
+ log.Infof("Capabilities applied: %+v", newCaps)
+ return nil
}
func getCaps(which capability.CapType, caps *specs.LinuxCapabilities) []string {
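Review bot: The `Capabilities applied` line added after `newCaps.Apply(...)` logs the in-memory set that was just requested, not a state read back from the process, so as an audit record it only confirms that Apply returned nil. If this log is used to establish what privileges the sandbox process kept, consider reloading the state before logging (assuming `newCaps` is a gocapability `Capabilities`, a `newCaps.Load()` call ahead of the `log.Infof`), or word the message as `Capabilities requested and applied`. The failure path returns `err` bare; a prefix such as `fmt.Errorf("applying capabilities: %v", err)` would let an operator tell a failed capability change apart from any other error applyCaps may return, provided `fmt` is available in this file. applyCaps begins outside the hunk, so the earlier part of its body is not visible here.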
diff --git a/runsc/cmd/cmd.go b/runsc/cmd/cmd.go
index 44ebd7165..2937ae1c4 100644
--- a/runsc/cmd/cmd.go
+++ b/runsc/cmd/cmd.go
@@ -85,7 +85,6 @@ func setCapsAndCallSelf(args []string, caps *specs.LinuxCapabilities) error {
return err
}
- log.Infof("Capabilities applied: %+v", caps)
log.Infof("Execve %q again, bye!", binPath)
syscall.Exec(binPath, args, []string{})
panic("unreachable")