test/e2e: Skip privileged container test if NoNewPrivs is set #27846
Conversation
|
No change needed for bats: |
|
LGTM. If you end up pushing again, i would love a better commit description on why this is needed for your test environment. No objections here however. |
| fields := strings.Fields(cap.OutputToString()) | ||
| if fields[1] != "0" { | ||
| Skip("NoNewPrivs set") | ||
| } |
There was a problem hiding this comment.
instead of relying of thew output format at all would it not be much cheaper and safer to just query the bool directly instead of the much more expensive fork/execec of grep.
untested:
i, err := unix.PrctlRetInt(unix.PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)
Expect(err).ToNot(HaveOccurred(), "check for NoNewPrivs")
if i == 1 {
Skip("NoNewPrivs already set")
}
There was a problem hiding this comment.
instead of relying of thew output format at all would it not be much cheaper and safer to just query the bool directly instead of the much more expensive fork/execec of grep.
It is indeed cheaper but the code is cleaner as is as we're running the same command on the host and the container.
untested:
i, err := unix.PrctlRetInt(unix.PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)
This snippet alone works. Does it make sense to modify the PR to change the approach?
Will it compile on non-Linux systems?
There was a problem hiding this comment.
It doesn't compile on FreeBSD 15-STABLE with go1.25.5 & golang.org/x/sys v0.39.0
./testit.go:9:17: undefined: unix.PrctlRetInt
./testit.go:9:34: undefined: unix.PR_GET_NO_NEW_PRIVS
package main
import (
"fmt"
"golang.org/x/sys/unix"
)
func main() {
val, _ := unix.PrctlRetInt(unix.PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)
fmt.Printf("%v\n", val)
}
There was a problem hiding this comment.
I mean most of these test never work anywhere else but linux so I don't think it would matter in practise.
I get your point about consistency, I am certainly ok with your current approach as well. Though looking at the test cases below I am unsatisfied with what they check since they never check for the actual 0 or 1 value. They just check that the values differ meaning this would still pass if we flip the options meaning which is not good.
So I think it would be nice if you could convert the test check below as well to strings.Fields() and then match "1"/"0" respectively.
There was a problem hiding this comment.
Fixed.
Verification run: https://openqa-assets.opensuse.org/tests/5586444/file/podman_e2e-localintegration.txt
There was a problem hiding this comment.
CI failed on FreeBSD cross:
https://github.com/containers/podman/pull/27846/checks?check_run_id=59723323831
test/e2e/config.go:1: : # github.com/containers/podman/v6/test/e2e [github.com/containers/podman/v6/test/e2e.test]
test/e2e/run_privileged_test.go:142:20: undefined: unix.PrctlRetInt
test/e2e/run_privileged_test.go:142:37: undefined: unix.PR_GET_NO_NEW_PRIVS (typecheck)
There was a problem hiding this comment.
Going back to grep...
There was a problem hiding this comment.
Verification run: https://openqa.opensuse.org/tests/5586529
ricardobranco777
force-pushed
the
no_new_privs
branch
from
7d76d0c to
d09acb6
Compare
On systems with NoNewPrivs set, this test fails. https://www.thkukuk.de/blog/no_new_privs/ Signed-off-by: Ricardo Branco <[email protected]>
ricardobranco777
force-pushed
the
no_new_privs
branch
from
d09acb6 to
6d28009
Compare
3 participants
Skip privileged container test if NoNewPrivs is set.
Otherwise the test for https://www.thkukuk.de/blog/no_new_privs/ will fail:
https://openqa.opensuse.org/tests/5575293
Checklist
Ensure you have completed the following checklist for your pull request to be reviewed:
commits. (
git commit -s). (If needed, usegit commit -s --amend). The author email must matchthe sign-off email address. See CONTRIBUTING.md
for more information.
Fixes: #00000in commit message (if applicable)make validatepr(format/lint checks)Noneif no user-facing changes)Does this PR introduce a user-facing change?