Make raw sockets a toggleable feature disabled by default.

PiperOrigin-RevId: 245511019
Change-Id: Ia9562a301b46458988a6a1f0bbd5f07cbfcb0615

3 files changed, 44 insertions, 8 deletions

diff --git a/runsc/test/integration/BUILD b/runsc/test/integration/BUILD
index 779d30ec9..0c4e4fa80 100644
--- a/runsc/test/integration/BUILD
+++ b/runsc/test/integration/BUILD
@@ -15,7 +15,10 @@ go_test(
         "manual",
         "local",
     ],
-    deps = ["//runsc/test/testutil"],
+    deps = [
+        "//pkg/abi/linux",
+        "//runsc/test/testutil",
+    ],
 )
 
 go_library(
diff --git a/runsc/test/integration/exec_test.go b/runsc/test/integration/exec_test.go
index fac8337f4..d87957e2d 100644
--- a/runsc/test/integration/exec_test.go
+++ b/runsc/test/integration/exec_test.go
@@ -27,10 +27,13 @@
 package integration
 
 import (
+	"fmt"
+	"strconv"
 	"syscall"
 	"testing"
 	"time"
 
+	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
 	"gvisor.googlesource.com/gvisor/runsc/test/testutil"
 )
 
@@ -46,11 +49,28 @@ func TestExecCapabilities(t *testing.T) {
 	}
 	defer d.CleanUp()
 
-	want, err := d.WaitForOutput("CapEff:\t[0-9a-f]+\n", 5*time.Second)
+	matches, err := d.WaitForOutputSubmatch("CapEff:\t([0-9a-f]+)\n", 5*time.Second)
 	if err != nil {
-		t.Fatalf("WaitForOutput() timeout: %v", err)
+		t.Fatalf("WaitForOutputSubmatch() timeout: %v", err)
 	}
-	t.Log("Root capabilities:", want)
+	if len(matches) != 2 {
+		t.Fatalf("There should be a match for the whole line and the capability bitmask")
+	}
+	capString := matches[1]
+	t.Log("Root capabilities:", capString)
+
+	// CAP_NET_RAW was in the capability set for the container, but was
+	// removed. However, `exec` does not remove it. Verify that it's not
+	// set in the container, then re-add it for comparison.
+	caps, err := strconv.ParseUint(capString, 16, 64)
+	if err != nil {
+		t.Fatalf("failed to convert capabilities %q: %v", capString, err)
+	}
+	if caps&(1<<uint64(linux.CAP_NET_RAW)) != 0 {
+		t.Fatalf("CAP_NET_RAW should be filtered, but is set in the container: %x", caps)
+	}
+	caps |= 1 << uint64(linux.CAP_NET_RAW)
+	want := fmt.Sprintf("CapEff:\t%016x\n", caps)
 
 	// Now check that exec'd process capabilities match the root.
 	got, err := d.Exec("grep", "CapEff:", "/proc/self/status")
diff --git a/runsc/test/testutil/docker.go b/runsc/test/testutil/docker.go
index bce609061..b651319ed 100644
--- a/runsc/test/testutil/docker.go
+++ b/runsc/test/testutil/docker.go
@@ -334,19 +334,32 @@ func (d *Docker) Wait(timeout time.Duration) (syscall.WaitStatus, error) {
 // WaitForOutput calls 'docker logs' to retrieve containers output and searches
 // for the given pattern.
 func (d *Docker) WaitForOutput(pattern string, timeout time.Duration) (string, error) {
+	matches, err := d.WaitForOutputSubmatch(pattern, timeout)
+	if err != nil {
+		return "", err
+	}
+	if len(matches) == 0 {
+		return "", nil
+	}
+	return matches[0], nil
+}
+
+// WaitForOutputSubmatch calls 'docker logs' to retrieve containers output and
+// searches for the given pattern. It returns any regexp submatches as well.
+func (d *Docker) WaitForOutputSubmatch(pattern string, timeout time.Duration) ([]string, error) {
 	re := regexp.MustCompile(pattern)
 	var out string
 	for exp := time.Now().Add(timeout); time.Now().Before(exp); {
 		var err error
 		out, err = d.Logs()
 		if err != nil {
-			return "", err
+			return nil, err
 		}
-		if match := re.FindString(out); match != "" {
+		if matches := re.FindStringSubmatch(out); matches != nil {
 			// Success!
-			return match, nil
+			return matches, nil
 		}
 		time.Sleep(100 * time.Millisecond)
 	}
-	return "", fmt.Errorf("timeout waiting for output %q: %s", re.String(), out)
+	return nil, fmt.Errorf("timeout waiting for output %q: %s", re.String(), out)
 }