Merge pull request #25224 from michael-holzheu/PR-TestRunSeccompUnconfinedCloneUserns-check

TestRunSeccompUnconfinedCloneUserns: Check for unprivileged_userns_clone
2022-11-09 12:21:53 -05:00 · 2016-07-31 17:03:36 +01:00 · 2016-07-31 17:03:36 +01:00 · b38c25ad41
commit b38c25ad41
parent 4640c19a88 87e4e3af68
2 changed files with 14 additions and 1 deletions
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@ -1032,7 +1032,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
 // TestRunSeccompUnconfinedCloneUserns checks that
 // 'docker run --security-opt seccomp=unconfined syscall-test' allows creating a userns.
 func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
-	testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace)
+	testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace, unprivilegedUsernsClone)

 	// make sure running w privileged is ok
 	runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "syscall-test", "userns-test", "id")
--- a/integration-cli/requirements_unix.go
+++ b/integration-cli/requirements_unix.go
@ -3,6 +3,9 @@
 package main

 import (
+	"io/ioutil"
+	"strings"
+
 	"github.com/docker/docker/pkg/sysinfo"
 )

@ -99,6 +102,16 @@ var (
 		},
 		"Test requires that bridge-nf-call-ip6tables support be enabled in the daemon.",
 	}
+	unprivilegedUsernsClone = testRequirement{
+		func() bool {
+			content, err := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
+			if err == nil && strings.Contains(string(content), "0") {
+				return false
+			}
+			return true
+		},
+		"Test cannot be run with 'sysctl kernel.unprivileged_userns_clone' = 0",
+	}
 )

 func init() {