author | Luca Boccassi <bluca@debian.org> | 2024-05-21 02:43:24 +0200 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2024-05-22 17:51:38 +0200 |
commit | 6ab21f20bd982bc1a9ece47dcffa1137a76cc48a (patch) | |
tree | 65f38191a7cbbe09dc8d8353211a10764982b27c /src/test/test-namespace.c | |
parent | lock-util: do not expect EACCES when it cannot happen (diff) | |
test: do not fail network namespace test with permission issues
When running in LXC with AppArmor we'll most likely get an error when creating
a network namespace due to a kernel regression in < v6.2 affecting AppArmor,
resulting in denials. Like other tests, avoid failing in case of permission
issues and handle it gracefully.
Diffstat (limited to 'src/test/test-namespace.c')
-rw-r--r-- | src/test/test-namespace.c | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c
index 65d08259d4..2a684ce096 100644
--- a/src/test/test-namespace.c
+++ b/src/test/test-namespace.c
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */

 #include <fcntl.h>
+#include <sysexits.h>
 #include <sys/socket.h>
 #include <sys/stat.h>

@@ -84,6 +85,7 @@ TEST(tmpdir) {

 static void test_shareable_ns(unsigned long nsflag) {
 _cleanup_close_pair_ int s[2] = EBADF_PAIR;
+ bool permission_denied = false;
 pid_t pid1, pid2, pid3;
 int r, n = 0;
 siginfo_t si;
@@ -100,8 +102,8 @@ static void test_shareable_ns(unsigned long nsflag) {

 if (pid1 == 0) {
 r = setup_shareable_ns(s, nsflag);
- assert_se(r >= 0);
- _exit(r);
+ assert_se(r >= 0 || ERRNO_IS_NEG_PRIVILEGE(r));
+ _exit(r >= 0 ? r : EX_NOPERM);
 }

 pid2 = fork();
@@ -109,8 +111,8 @@ static void test_shareable_ns(unsigned long nsflag) {

 if (pid2 == 0) {
 r = setup_shareable_ns(s, nsflag);
- assert_se(r >= 0);
- exit(r);
+ assert_se(r >= 0 || ERRNO_IS_NEG_PRIVILEGE(r));
+ _exit(r >= 0 ? r : EX_NOPERM);
 }

 pid3 = fork();
@@ -118,24 +120,38 @@ static void test_shareable_ns(unsigned long nsflag) {

 if (pid3 == 0) {
 r = setup_shareable_ns(s, nsflag);
- assert_se(r >= 0);
- exit(r);
+ assert_se(r >= 0 || ERRNO_IS_NEG_PRIVILEGE(r));
+ _exit(r >= 0 ? r : EX_NOPERM);
 }

 r = wait_for_terminate(pid1, &si);
 assert_se(r >= 0);
 assert_se(si.si_code == CLD_EXITED);
- n += si.si_status;
+ if (si.si_status == EX_NOPERM)
+ permission_denied = true;
+ else
+ n += si.si_status;

 r = wait_for_terminate(pid2, &si);
 assert_se(r >= 0);
 assert_se(si.si_code == CLD_EXITED);
- n += si.si_status;
+ if (si.si_status == EX_NOPERM)
+ permission_denied = true;
+ else
+ n += si.si_status;

 r = wait_for_terminate(pid3, &si);
 assert_se(r >= 0);
 assert_se(si.si_code == CLD_EXITED);
- n += si.si_status;
+ if (si.si_status == EX_NOPERM)
+ permission_denied = true;
+ else
+ n += si.si_status;
+
+ /* LSMs can cause setup_shareable_ns() to fail with permission denied, do not fail the test in that
+ * case (e.g.: LXC with AppArmor on kernel < v6.2). */
+ if (permission_denied)
+ return (void) log_tests_skipped("insufficient privileges");

 assert_se(n == 1);
 }
|
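Review bot: The privilege-error path in the pid1 child exits with EX_NOPERM without logging `r`, so the test log cannot show whether the denial was EPERM or EACCES, or which child hit it. The same applies to the pid2 child in the next hunk and the pid3 child in the last one. Because the skip is meant for an LSM denial, logging the errno before exiting keeps that case distinguishable from a genuine regression in setup_shareable_ns(), for example `if (r < 0) log_notice_errno(r, "setup_shareable_ns() denied: %m");` ahead of the `_exit()`. A short comment saying EX_NOPERM is reserved as the "denied" status would also help, since the parent adds every other exit status into `n`; this assumes the function's non-negative return values never reach that number, which the hunk does not show. The body of test_shareable_ns() starts and ends outside this hunk.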
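Review bot: `permission_denied` is set as soon as any one of the three children reports EX_NOPERM, so a partial denial is skipped exactly like a total one and the accumulated `n` is discarded without being checked. On a host where namespace setup is expected to work, that turns a failure of an isolation primitive into a quiet skip, so the skip path should at least record how many children were denied. The three wait blocks are also identical copies; a small static helper removes the repetition and gives one place to count denials, as sketched below. The function starts outside this hunk, and the helper would sit just above it.

```c
/* Reaps one child; returns true if it reported a privilege denial, otherwise adds its exit status to *n. */
static bool reap_ns_child(pid_t pid, int *n) {
        siginfo_t si;

        assert_se(wait_for_terminate(pid, &si) >= 0);
        assert_se(si.si_code == CLD_EXITED);

        if (si.si_status == EX_NOPERM)
                return true;

        *n += si.si_status;
        return false;
}

        /* … unchanged: the three fork()/setup_shareable_ns() children … */

        unsigned denied = 0;

        denied += reap_ns_child(pid1, &n);
        denied += reap_ns_child(pid2, &n);
        denied += reap_ns_child(pid3, &n);

        /* LSMs can cause setup_shareable_ns() to fail with permission denied, do not fail the test in that
         * case (e.g.: LXC with AppArmor on kernel < v6.2). */
        if (denied > 0) {
                log_notice("%u of 3 children were denied namespace setup", denied);
                return (void) log_tests_skipped("insufficient privileges");
        }

        assert_se(n == 1);
```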