Debian does not allow unprivileged user namespace clones by default,
so update the test to enable it when running the test to avoid requiring
sys_admin permission to the capability class during the cap_userns tests.
The current test is specifically exercising the sys_admin check in the
separate cap_userns class used for capability checks against non-init
user namespaces.
Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
tests/cap_userns/test | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/tests/cap_userns/test b/tests/cap_userns/test
index 9eafba6..917da00 100755
--- a/tests/cap_userns/test
+++ b/tests/cap_userns/test
@@ -6,6 +6,10 @@ BEGIN {
$basedir = $0;
$basedir =~ s|(.*)/[^/]*|$1|;
+ if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) {
+ system(
+ "echo 1 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null");
+ }
if ( system("$basedir/userns_child_exec -t -U > /dev/null 2>&1") == 0 ) {
plan tests => 2;
}
@@ -27,3 +31,7 @@ $result = system(
"runcon -t test_no_cap_userns_t -- $basedir/userns_child_exec -p -m -U -M '0 0 1' -G '0 0 1' -- true 2>&1"
);
ok($result);
+
+if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) {
+ system("echo 0 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null");
+}
--
2.23.1
