From a538e4e8bbd2cc9c6f2c0bb25c26a8838ebf0c87 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 24 Sep 2021 21:55:14 +0200
Subject: [PATCH 1/5] tests: disable exec_additional_gids when rootless
Signed-off-by: Giuseppe Scrivano
---
 tests/test_exec.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/test_exec.py b/tests/test_exec.py
index bc53233be9..66e67dfa10 100755
--- a/tests/test_exec.py
+++ b/tests/test_exec.py
@@ -62,6 +62,8 @@ def test_exec_detach_not_exists():
 return test_exec_not_exists_helper(False)
 def test_exec_additional_gids():
+ if is_rootless():
+ return 77
 conf = base_config()
 conf['process']['args'] = ['/init', 'pause']
 add_all_namespaces(conf)
From b0d64b65b5cbaae47b1ef55da418fde509ed6fbd Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 24 Sep 2021 22:04:46 +0200
Subject: [PATCH 2/5] tests: skip caps tests if rootless they use an ID != 0 that could be not available.
Signed-off-by: Giuseppe Scrivano
---
 tests/test_capabilities.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/tests/test_capabilities.py b/tests/test_capabilities.py
index 2ca68eabc6..fec8a0392d 100755
--- a/tests/test_capabilities.py
+++ b/tests/test_capabilities.py
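Review bot: The new guard at the top of test_exec_additional_gids in tests/test_exec.py returns a bare `77` with no reason given, and the commit message of patch 1/5 does not say why the test cannot run rootless. A one-line comment would do, for example `# skip (77) when rootless: the extra gids may not be mapped in the user namespace`, worded to match the actual cause. The same `if is_rootless(): return 77` pair is repeated five more times in the tests/test_capabilities.py hunk of patch 2/5, so the skip value is worth naming once rather than repeating the literal. The function body continues outside the hunk.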
@@ -126,18 +126,28 @@ def test_some_caps_permitted():
 return helper_test_some_caps(0, ["permitted"], 'CapPrm')
 def test_some_caps_effective_non_root():
+ if is_rootless():
+ return 77
 return helper_test_some_caps(1000, ["effective", "permitted", "inheritable", "ambient"], 'CapEff')
 def test_some_caps_bounding_non_root():
+ if is_rootless():
+ return 77
 return helper_test_some_caps(1000, ["bounding"], 'CapBnd')
 def test_some_caps_inheritable_non_root():
+ if is_rootless():
+ return 77
 return helper_test_some_caps(1000, ["inheritable"], 'CapInh')
 def test_some_caps_ambient_non_root():
+ if is_rootless():
+ return 77
 return helper_test_some_caps(1000, ["ambient", "permitted", "inheritable"], 'CapAmb')
 def test_some_caps_permitted_non_root():
+ if is_rootless():
+ return 77
 return helper_test_some_caps(1000, ["ambient", "permitted", "inheritable"], 'CapPrm')
From 7260dc8de3c54632116933b6dde91a925d082921 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 24 Sep 2021 21:19:39 +0200
Subject: [PATCH 3/5] tests: fix number of tests
Signed-off-by: Giuseppe Scrivano
---
 tests/tests_libcrun_utils.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/tests_libcrun_utils.c b/tests/tests_libcrun_utils.c
index 359d2be037..35dc0a6362 100644
--- a/tests/tests_libcrun_utils.c
+++ b/tests/tests_libcrun_utils.c
@@ -387,7 +387,11 @@ int main ()
 {
 int id = 1;
+#ifdef HAVE_SYSTEMD
+ printf ("1..8\n");
+#else
 printf ("1..7\n");
+#endif
 RUN_TEST (test_crun_path_exists);
 RUN_TEST (test_write_read_file);
 RUN_TEST (test_run_process);
From 0d64e1d2a4ab5ef9b17349d3852c400fe3fa624d Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 24 Sep 2021 21:19:58 +0200
Subject: [PATCH 4/5] linux: fix fix-test-mount-symlink-not-existing test commit ee3531124a134df9cb92679001c599f9d0979749 introduced the regression. It also caused the e2e CRI-O tests to fail.
Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/utils.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
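Review bot: The five `*_non_root` capability tests in tests/test_capabilities.py are now skipped on every rootless run, although the commit message gives the narrower reason that the non-zero ID "could be not available". Rootless runs therefore lose all coverage of the capability sets for a non-root UID, which is where dropped or ambient capabilities matter most. If the harness can tell whether UID 1000 is actually mapped, skipping on that condition would keep the tests running where they can. If helper_test_some_caps (defined outside the hunk) is the only place the UID is used, a single check there, `if uid != 0 and is_rootless(): return 77` with `uid` standing for the helper's first parameter, would replace the five copies.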
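Review bot: The TAP plan printed at the top of main() in tests/tests_libcrun_utils.c is a hand-maintained count, and this hunk shows how it drifts: the plan now depends on HAVE_SYSTEMD, presumably because one RUN_TEST further down (outside the hunk) is compiled only with systemd. A comment above the `#ifdef` would tie the two together, e.g. `/* Keep the plan in sync with the RUN_TEST list; one test is built only with HAVE_SYSTEMD. */`. main's body continues outside the hunk.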
diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
index 697696afbc..726f091149 100644
--- a/src/libcrun/utils.c
+++ b/src/libcrun/utils.c
@@ -394,10 +394,10 @@ safe_openat (int dirfd, const char *rootfs, size_t rootfs_len, const char *path,
 }
 static ssize_t
-safe_readlinkat (int dfd, const char *dirpath, const char *name, char **buffer, ssize_t hint, libcrun_error_t *err)
+safe_readlinkat (int dfd, const char *name, char **buffer, ssize_t hint, libcrun_error_t *err)
 {
- cleanup_free char *tmp_buf = NULL;
 ssize_t buf_size = hint > 0 ? hint + 1 : 512;
+ cleanup_free char *tmp_buf = NULL;
 ssize_t size;
 do
@@ -410,7 +410,7 @@ safe_readlinkat (int dfd, const char *dirpath, const char *name, char **buffer,
 size = readlinkat (dfd, name, tmp_buf, buf_size);
 if (UNLIKELY (size < 0))
- return crun_make_error (err, errno, "readlink `%s/%s`", dirpath, name);
+ return crun_make_error (err, errno, "readlink `%s`", name);
 } while (size == buf_size);
 /* Always NUL terminate the buffer. */
@@ -490,7 +490,7 @@ crun_safe_ensure_at (bool do_open, bool dir, int dirfd, const char *dirpath,
 {
 cleanup_free char *resolved_path = NULL;
- ret = safe_readlinkat (dirfd, dirpath, cur, &resolved_path, 0, err);
+ ret = safe_readlinkat (cwd, cur, &resolved_path, 0, err);
 if (LIKELY (ret >= 0))
 {
 return crun_safe_ensure_at (do_open, dir, dirfd,
@@ -1925,7 +1925,7 @@ copy_recursive_fd_to_fd (int srcdirfd, int dfd, const char *srcname, const char
 break;
 case S_IFLNK:
- ret = safe_readlinkat (dirfd (dsrcfd), srcname, de->d_name, &target_buf, st_size, err);
+ ret = safe_readlinkat (dirfd (dsrcfd), de->d_name, &target_buf, st_size, err);
 if (UNLIKELY (ret < 0))
 return ret;
From d99bb51499f7d924e4764e7eea5ead2b4ad69602 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 24 Sep 2021 21:39:01 +0200
Subject: [PATCH 5/5] .github: report make check failures
Signed-off-by: Giuseppe Scrivano
---
 .github/workflows/test.yaml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
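Review bot: In the `@@ -490,7` hunk of crun_safe_ensure_at the whole fix is `dirfd` becoming `cwd` in the safe_readlinkat call, and nothing in the code records why the two descriptors differ, which leaves the regression named in the commit message easy to reintroduce. This path appears to resolve symlinks found under a container rootfs, so which descriptor a component is read against is security-relevant; a comment on the call would pin it down, e.g. `/* cur is relative to cwd (the directory reached so far), not to the rootfs dirfd. */`, assuming that is what `cwd` holds, since its assignment is outside the hunk. The error string in the `@@ -410,7` hunk now prints only `name`, so a failure no longer identifies the directory; callers that know the path (copy_recursive_fd_to_fd has `srcname`) may want to add it back when reporting. The function bodies start and end outside these hunks.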
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index bff10c8b67..4844e622ac 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -95,17 +95,18 @@ jobs:
 make
 ;;
 check)
- ./configure --disable-dl CFLAGS='-fsanitize=address -fsanitize=undefined -fsanitize=null -fsanitize=return -fsanitize=bounds -fsanitize=bool -fsanitize=enum -fsanitize=builtin'
+ ./configure --disable-dl
 make
 make syntax-check
 echo run tests as root
+ # check that the working dir is clean
+ git describe --broken --dirty --all | grep -qv dirty
+
 sudo make check ASAN_OPTIONS=detect_leaks=false || cat test-suite.log
 echo run tests as rootless
- mkdir /tmp/runroot && make check XDG_RUNTIME_DIR=/tmp/runroot ASAN_OPTIONS=detect_leaks=false || cat test-suite.log
+ make check ASAN_OPTIONS=detect_leaks=false || (cat test-suite.log; exit 1)
 echo run tests as rootless in a user namespace
- mkdir /tmp/runroot && unshare -r make check XDG_RUNTIME_DIR=/tmp/runroot ASAN_OPTIONS=detect_leaks=false || cat test-suite.log
- # check that the working dir is clean
- git describe --broken --dirty --all | grep -qv dirty
+ unshare -r make check ASAN_OPTIONS=detect_leaks=false || (cat test-suite.log; exit 1)
 ;;
 podman)
 sudo docker build -t crun-podman tests/podman
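Review bot: The root run in the `check)` branch still ends in `|| cat test-suite.log`, so a failing `sudo make check` is printed but does not fail the step, unlike the two rootless runs fixed in this hunk; it should read `sudo make check ASAN_OPTIONS=detect_leaks=false || (cat test-suite.log; exit 1)`. The hunk also drops every `-fsanitize=` flag from `./configure`, which the commit message does not mention and which leaves the remaining `ASAN_OPTIONS=detect_leaks=false` arguments without effect. For a container runtime the ASan/UBSan pass is worth keeping in CI, or its removal worth stating in the commit message. Moving the `git describe ... | grep -qv dirty` check ahead of the tests means it no longer notices files that the test runs modify, if that was its purpose.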