mirror of
https://github.com/systemd/systemd
synced 2024-09-06 16:56:43 +00:00
test: check for kernel.apparmor_restrict_unprivileged_userns
Some tests in test-execute are already skipped if we do not have unprivileged user namespaces. Extend this check to look for an apparmor specific sysctl indicating that unprivileged userns creation is restricted.
This commit is contained in:
parent
7360be92ad
commit
70aece8193
|
@ -28,6 +28,7 @@
|
|||
#include "signal-util.h"
|
||||
#include "static-destruct.h"
|
||||
#include "stat-util.h"
|
||||
#include "sysctl-util.h"
|
||||
#include "tests.h"
|
||||
#include "tmpfile-util.h"
|
||||
#include "unit.h"
|
||||
|
@ -218,10 +219,30 @@ static void start_parent_slices(Unit *unit) {
|
|||
}
|
||||
}
|
||||
|
||||
static bool apparmor_restrict_unprivileged_userns(void) {
|
||||
_cleanup_free_ char *v = NULL;
|
||||
int r;
|
||||
|
||||
/* If kernel.apparmor_restrict_unprivileged_userns=1, then we cannot
|
||||
* use unprivileged user namespaces. */
|
||||
r = sysctl_read("kernel/apparmor_restrict_unprivileged_userns", &v);
|
||||
if (r < 0) {
|
||||
if (r != -ENOENT)
|
||||
log_debug_errno(r, "Failed to read kernel.apparmor_restrict_unprivileged_userns sysctl, ignoring: %m");
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
return streq(v, "1");
|
||||
}
|
||||
|
||||
static bool have_userns_privileges(void) {
|
||||
pid_t pid;
|
||||
int r;
|
||||
|
||||
if (apparmor_restrict_unprivileged_userns())
|
||||
return false;
|
||||
|
||||
r = safe_fork("(sd-test-check-userns)",
|
||||
FORK_RESET_SIGNALS |
|
||||
FORK_CLOSE_ALL_FDS |
|
||||
|
|
Loading…
Reference in a new issue