diff options
| author | Nick Rosbrook <enr0n@ubuntu.com> | 2024-03-04 21:43:57 +0100 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2024-03-05 12:15:49 +0100 |
| commit | 70aece819311f7ab76abdf473bc8f316c5bc58c6 (patch) | |
| tree | 16ad86ed61b05069f202dd888c6b73a7cdb9e650 /src | |
| parent | Fixing bad link to Debian packages tests (diff) | |
| download | systemd-70aece819311f7ab76abdf473bc8f316c5bc58c6.tar.xz systemd-70aece819311f7ab76abdf473bc8f316c5bc58c6.zip | |
test: check for kernel.apparmor_restrict_unprivileged_userns
Some tests in test-execute are already skipped if we do not have
unprivileged user namespaces. Extend this check to look for an apparmor
specific sysctl indicating that unprivileged userns creation is
restricted.
Diffstat (limited to 'src')
| -rw-r--r-- | src/test/test-execute.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/test/test-execute.c b/src/test/test-execute.c index 148e44b13d..6a574b495f 100644 --- a/src/test/test-execute.c +++ b/src/test/test-execute.c @@ -28,6 +28,7 @@ #include "signal-util.h" #include "static-destruct.h" #include "stat-util.h" +#include "sysctl-util.h" #include "tests.h" #include "tmpfile-util.h" #include "unit.h" @@ -218,10 +219,30 @@ static void start_parent_slices(Unit *unit) { } } +static bool apparmor_restrict_unprivileged_userns(void) { + _cleanup_free_ char *v = NULL; + int r; + + /* If kernel.apparmor_restrict_unprivileged_userns=1, then we cannot + * use unprivileged user namespaces. */ + r = sysctl_read("kernel/apparmor_restrict_unprivileged_userns", &v); + if (r < 0) { + if (r != -ENOENT) + log_debug_errno(r, "Failed to read kernel.apparmor_restrict_unprivileged_userns sysctl, ignoring: %m"); + + return false; + } + + return streq(v, "1"); +} + static bool have_userns_privileges(void) { pid_t pid; int r; + if (apparmor_restrict_unprivileged_userns()) + return false; + r = safe_fork("(sd-test-check-userns)", FORK_RESET_SIGNALS | FORK_CLOSE_ALL_FDS | |