diff options
author | Fabricio Voznika <fvoznika@google.com> | 2018-09-28 09:43:13 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-09-28 09:44:13 -0700 |
commit | cf226d48ce8c49409049e03ed405366db9fc2a04 (patch) | |
tree | 293d892446f0b03179757ab8a45ae032ccb534aa /runsc/test | |
parent | 6779bd1187e2b0f8692ab8a16d8d1681f0e674c5 (diff) |
Switch to root in userns when CAP_SYS_CHROOT is also missing
Some tests check current capabilities and re-run the tests as root inside
userns if required capabibilities are missing. It was checking for
CAP_SYS_ADMIN only, CAP_SYS_CHROOT is also required now.
PiperOrigin-RevId: 214949226
Change-Id: Ic81363969fa76c04da408fae8ea7520653266312
Diffstat (limited to 'runsc/test')
-rw-r--r-- | runsc/test/testutil/BUILD | 1 | ||||
-rw-r--r-- | runsc/test/testutil/testutil.go | 11 |
2 files changed, 7 insertions, 5 deletions
diff --git a/runsc/test/testutil/BUILD b/runsc/test/testutil/BUILD index 03ab3c4ac..ca91e07ff 100644 --- a/runsc/test/testutil/BUILD +++ b/runsc/test/testutil/BUILD @@ -18,5 +18,6 @@ go_library( "//runsc/specutils", "@com_github_cenkalti_backoff//:go_default_library", "@com_github_opencontainers_runtime-spec//specs-go:go_default_library", + "@com_github_syndtr_gocapability//capability:go_default_library", ], ) diff --git a/runsc/test/testutil/testutil.go b/runsc/test/testutil/testutil.go index 37927f395..706db74a7 100644 --- a/runsc/test/testutil/testutil.go +++ b/runsc/test/testutil/testutil.go @@ -32,6 +32,7 @@ import ( "github.com/cenkalti/backoff" specs "github.com/opencontainers/runtime-spec/specs-go" + "github.com/syndtr/gocapability/capability" "gvisor.googlesource.com/gvisor/runsc/boot" "gvisor.googlesource.com/gvisor/runsc/specutils" ) @@ -234,12 +235,12 @@ func WaitForHTTP(port int, timeout time.Duration) error { return Poll(cb, timeout) } -// RunAsRoot ensures the test runs with CAP_SYS_ADMIN. If need it will create -// a new user namespace and reexecute the test as root inside of the namespace. -// This functionr returns when it's running as root. If it needs to create -// another process, it will exit from there and not return. +// RunAsRoot ensures the test runs with CAP_SYS_ADMIN and CAP_SYS_CHROOT. If +// need it will create a new user namespace and reexecute the test as root +// inside of the namespace. This functionr returns when it's running as root. If +// it needs to create another process, it will exit from there and not return. func RunAsRoot() { - if specutils.HasCapSysAdmin() { + if specutils.HasCapabilities(capability.CAP_SYS_ADMIN, capability.CAP_SYS_CHROOT) { return } |