ca5f5427a88cedfc6e519f493909a22cd057ac8f
On Ubuntu and Debian there is a sysctl which allows blocking clone(CLONE_NEWUSER) via "sysctl kernel.unprivileged_userns_clone=0" for unprivileged users that do not have CAP_SYS_ADMIN.

See: https://lists.ubuntu.com/archives/kernel-team/2016-January/067926.html

The DockerSuite.TestRunSeccompUnconfinedCloneUserns testcase fails if "kernel.unprivileged_userns_clone" is set to 0:

    docker_cli_run_unix_test.go:1040:
        c.Fatalf("expected clone userns with --security-opt seccomp=unconfined to succeed, got %s: %v", out, err)
    ... Error: expected clone userns with --security-opt seccomp=unconfined to succeed, got clone failed: Operation not permitted
    : exit status 1

So add a check and skip the testcase if kernel.unprivileged_userns_clone is 0.

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Upstream-commit: 87e4e3af68741afcebf11499d1dcbc91b655b349
Component: engine
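
The check described in the commit message, as an added Go example that is not the code from this commit: it reads the sysctl through procfs and decides whether a test that needs unprivileged clone(CLONE_NEWUSER) should be skipped. The function name `usernsCloneAllowed` and its `procRoot` parameter are assumptions made for illustration; a missing sysctl file is treated as "not blocked" because only kernels carrying the Debian/Ubuntu patch expose it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// usernsCloneAllowed reports whether the Debian/Ubuntu sysctl
// kernel.unprivileged_userns_clone permits unprivileged clone(CLONE_NEWUSER).
// procRoot is normally "/proc"; it is a parameter (hypothetical, for this
// example) so the logic can be exercised against a constructed directory.
func usernsCloneAllowed(procRoot string) (bool, error) {
	p := filepath.Join(procRoot, "sys", "kernel", "unprivileged_userns_clone")
	data, err := os.ReadFile(p)
	if errors.Is(err, os.ErrNotExist) {
		// Kernels without the distribution patch have no such sysctl,
		// so this particular knob imposes no restriction.
		return true, nil
	}
	if err != nil {
		return false, err
	}
	switch v := strings.TrimSpace(string(data)); v {
	case "0":
		return false, nil
	case "1":
		return true, nil
	default:
		// Fail closed on anything unexpected rather than guessing.
		return false, fmt.Errorf("unexpected value %q in %s", v, p)
	}
}

func main() {
	ok, err := usernsCloneAllowed("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot determine userns policy:", err)
		os.Exit(2)
	}
	if !ok {
		fmt.Println("skip: kernel.unprivileged_userns_clone=0 blocks clone(CLONE_NEWUSER)")
		return
	}
	fmt.Println("run: this sysctl does not block unprivileged clone(CLONE_NEWUSER)")
}
```

A result of true only means this sysctl is not the blocker; the restriction also does not apply to processes that hold CAP_SYS_ADMIN, as the commit message notes.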