Skip to content

Commit

Permalink
functional-tests: skip tests if the kernel restricts unprivileged use…
Browse files Browse the repository at this point in the history
…r namespaces

Update tests/functional/common/functions.sh

Co-authored-by: Robert Hensing <[email protected]>
(cherry picked from commit da7f7ba)

# Conflicts:
#	tests/functional/common/vars-and-functions.sh
#	tests/functional/supplementary-groups.sh
  • Loading branch information
Mic92 authored and mergify[bot] committed Jan 10, 2025
1 parent e0c8b0f commit 7ff238e
Show file tree
Hide file tree
Showing 12 changed files with 29 additions and 5 deletions.
1 change: 1 addition & 0 deletions tests/functional/build-remote-trustless-should-fail-0.sh
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ TODO_NixOS
restartDaemon

requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ $busybox =~ busybox ]] || skipTest "no busybox"

unset NIX_STORE_DIR
Expand Down
1 change: 1 addition & 0 deletions tests/functional/build-remote-trustless.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
# shellcheck disable=SC2154

requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ "$busybox" =~ busybox ]] || skipTest "no busybox"

unset NIX_STORE_DIR
Expand Down
2 changes: 2 additions & 0 deletions tests/functional/build-remote.sh
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
: "${file?must be defined by caller (remote building test case using this)}"

requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ "${busybox-}" =~ busybox ]] || skipTest "no busybox"

# Avoid store dir being inside sandbox build-dir
Expand All @@ -27,6 +28,7 @@ builders=(
chmod -R +w "$TEST_ROOT/machine"* || true
rm -rf "$TEST_ROOT/machine"* || true


# Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
# child process. This allows us to test LegacySSHStore::buildDerivation().
# ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().
Expand Down
1 change: 1 addition & 0 deletions tests/functional/chroot-store.sh
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ EOF
cp simple.nix shell.nix simple.builder.sh config.nix "$flakeDir/"

TODO_NixOS
requiresUnprivilegedUserNamespaces

outPath=$(nix build --print-out-paths --no-link --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' --store "$TEST_ROOT/x" path:"$flakeDir")

Expand Down
15 changes: 15 additions & 0 deletions tests/functional/common/vars-and-functions.sh
Original file line number Diff line number Diff line change
Expand Up @@ -405,4 +405,19 @@ count() {

trap onError ERR

<<<<<<< HEAD:tests/functional/common/vars-and-functions.sh
fi # COMMON_VARS_AND_FUNCTIONS_SH_SOURCED
=======
requiresUnprivilegedUserNamespaces() {
if [[ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]] && [[ $(< /proc/sys/kernel/apparmor_restrict_unprivileged_userns) -eq 1 ]]; then
skipTest "Unprivileged user namespaces are disabled. Run 'sudo sysctl -w /proc/sys/kernel/apparmor_restrict_unprivileged_userns=0' to allow, and run these tests."
fi
}

execUnshare () {
requiresUnprivilegedUserNamespaces
exec unshare --mount --map-root-user "$SHELL" "$@"
}

fi # COMMON_FUNCTIONS_SH_SOURCED
>>>>>>> da7f7ba81 (functional-tests: skip tests if the kernel restricts unprivileged user namespaces):tests/functional/common/functions.sh
1 change: 1 addition & 0 deletions tests/functional/linux-sandbox.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ TODO_NixOS
clearStore

requireSandboxSupport
requiresUnprivilegedUserNamespaces

# Note: we need to bind-mount $SHELL into the chroot. Currently we
# only support the case where $SHELL is in the Nix store, because
Expand Down
2 changes: 1 addition & 1 deletion tests/functional/local-overlay-store/bad-uris.sh
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ TODO_NixOS

for i in "${storesBad[@]}"; do
echo $i
unshare --mount --map-root-user bash <<EOF
execUnshare <<EOF
source common.sh
setupStoreDirs
mountOverlayfs
Expand Down
4 changes: 0 additions & 4 deletions tests/functional/local-overlay-store/common.sh
Original file line number Diff line number Diff line change
Expand Up @@ -93,10 +93,6 @@ initLowerStore () {
pathInLowerStore=$(nix-store --store "$storeA" --realise $drvPath)
}

execUnshare () {
exec unshare --mount --map-root-user "$SHELL" "$@"
}

addTextToStore() {
storeDir=$1; shift
filename=$1; shift
Expand Down
1 change: 1 addition & 0 deletions tests/functional/nested-sandboxing.sh
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ source common.sh
TODO_NixOS

requireSandboxSupport
requiresUnprivilegedUserNamespaces

source ./nested-sandboxing/command.sh

Expand Down
1 change: 1 addition & 0 deletions tests/functional/nested-sandboxing/command.sh
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ goodStoreUrl () {
# whether this test is being run in a derivation as part of the nix build or
# being manually run by a developer outside a derivation
runNixBuild () {

local storeFun=$1
local altitude=$2
nix-build \
Expand Down
1 change: 1 addition & 0 deletions tests/functional/shell.sh
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ if isDaemonNewer "2.20.0pre20231220"; then
fi

requireSandboxSupport
requiresUnprivilegedUserNamespaces

chmod -R u+w $TEST_ROOT/store0 || true
rm -rf $TEST_ROOT/store0
Expand Down
4 changes: 4 additions & 0 deletions tests/functional/supplementary-groups.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,11 @@ needLocalStore "The test uses --store always so we would just be bypassing the d

TODO_NixOS

<<<<<<< HEAD
unshare --mount --map-root-user bash <<EOF
=======
execUnshare <<EOF
>>>>>>> da7f7ba81 (functional-tests: skip tests if the kernel restricts unprivileged user namespaces)
source common.sh
# Avoid store dir being inside sandbox build-dir
Expand Down

0 comments on commit 7ff238e

Please sign in to comment.