wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-06-24 22:11:15 +02:00
Code Activity

functional-tests: skip tests if the kernel restricts unprivileged user namespaces

Browse source 
Update tests/functional/common/functions.sh

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
This commit is contained in:
Jörg Thalheim 2024-12-14 12:55:45 +01:00
parent f1187cb696
commit da7f7ba810
12 changed files with 22 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

1
tests/functional/build-remote-trustless-should-fail-0.sh
View file

@ -8,6 +8,7 @@ TODO_NixOS
restartDaemon restartDaemon
requireSandboxSupport requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ $busybox =~ busybox ]] || skipTest "no busybox" [[ $busybox =~ busybox ]] || skipTest "no busybox"
unset NIX_STORE_DIR unset NIX_STORE_DIR

1
tests/functional/build-remote-trustless.sh
View file

@ -5,6 +5,7 @@
# shellcheck disable=SC2154 # shellcheck disable=SC2154
requireSandboxSupport requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ "$busybox" =~ busybox ]] || skipTest "no busybox" [[ "$busybox" =~ busybox ]] || skipTest "no busybox"
unset NIX_STORE_DIR unset NIX_STORE_DIR

2
tests/functional/build-remote.sh
View file

@ -3,6 +3,7 @@
: "${file?must be defined by caller (remote building test case using this)}" : "${file?must be defined by caller (remote building test case using this)}"
requireSandboxSupport requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ "${busybox-}" =~ busybox ]] || skipTest "no busybox" [[ "${busybox-}" =~ busybox ]] || skipTest "no busybox"
# Avoid store dir being inside sandbox build-dir # Avoid store dir being inside sandbox build-dir
@ -27,6 +28,7 @@ builders=(
chmod -R +w "$TEST_ROOT/machine"* || true chmod -R +w "$TEST_ROOT/machine"* || true
rm -rf "$TEST_ROOT/machine"* || true rm -rf "$TEST_ROOT/machine"* || true
# Note: ssh://localhost bypasses ssh, directly invoking nix-store as a # Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
# child process. This allows us to test LegacySSHStore::buildDerivation(). # child process. This allows us to test LegacySSHStore::buildDerivation().
# ssh-ng://... likewise allows us to test RemoteStore::buildDerivation(). # ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().

1
tests/functional/chroot-store.sh
View file

@ -40,6 +40,7 @@ EOF
cp simple.nix shell.nix simple.builder.sh "${config_nix}" "$flakeDir/" cp simple.nix shell.nix simple.builder.sh "${config_nix}" "$flakeDir/"
TODO_NixOS TODO_NixOS
requiresUnprivilegedUserNamespaces
outPath=$(nix build --print-out-paths --no-link --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' --store "$TEST_ROOT/x" path:"$flakeDir") outPath=$(nix build --print-out-paths --no-link --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' --store "$TEST_ROOT/x" path:"$flakeDir")

11
tests/functional/common/functions.sh
View file

@ -345,4 +345,15 @@ count() {
trap onError ERR trap onError ERR
requiresUnprivilegedUserNamespaces() {
if [[ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]] && [[ $(< /proc/sys/kernel/apparmor_restrict_unprivileged_userns) -eq 1 ]]; then
skipTest "Unprivileged user namespaces are disabled. Run 'sudo sysctl -w /proc/sys/kernel/apparmor_restrict_unprivileged_userns=0' to allow, and run these tests."
fi
}
execUnshare () {
requiresUnprivilegedUserNamespaces
exec unshare --mount --map-root-user "$SHELL" "$@"
}
fi # COMMON_FUNCTIONS_SH_SOURCED fi # COMMON_FUNCTIONS_SH_SOURCED

1
tests/functional/linux-sandbox.sh
View file

@ -9,6 +9,7 @@ TODO_NixOS
clearStore clearStore
requireSandboxSupport requireSandboxSupport
requiresUnprivilegedUserNamespaces
# Note: we need to bind-mount $SHELL into the chroot. Currently we # Note: we need to bind-mount $SHELL into the chroot. Currently we
# only support the case where $SHELL is in the Nix store, because # only support the case where $SHELL is in the Nix store, because

2
tests/functional/local-overlay-store/bad-uris.sh
View file

@ -19,7 +19,7 @@ TODO_NixOS
for i in "${storesBad[@]}"; do for i in "${storesBad[@]}"; do
echo $i echo $i
unshare --mount --map-root-user bash <<EOF execUnshare <<EOF
source common.sh source common.sh
setupStoreDirs setupStoreDirs
mountOverlayfs mountOverlayfs

4
tests/functional/local-overlay-store/common.sh
View file

@ -94,10 +94,6 @@ initLowerStore () {
pathInLowerStore=$(nix-store --store "$storeA" --realise $drvPath) pathInLowerStore=$(nix-store --store "$storeA" --realise $drvPath)
} }
execUnshare () {
exec unshare --mount --map-root-user "$SHELL" "$@"
}
addTextToStore() { addTextToStore() {
storeDir=$1; shift storeDir=$1; shift
filename=$1; shift filename=$1; shift

1
tests/functional/nested-sandboxing.sh
View file

@ -7,6 +7,7 @@ source common.sh
TODO_NixOS TODO_NixOS
requireSandboxSupport requireSandboxSupport
requiresUnprivilegedUserNamespaces
start="$TEST_ROOT/start" start="$TEST_ROOT/start"
mkdir -p "$start" mkdir -p "$start"

1
tests/functional/nested-sandboxing/command.sh
View file

@ -18,6 +18,7 @@ goodStoreUrl () {
# whether this test is being run in a derivation as part of the nix build or # whether this test is being run in a derivation as part of the nix build or
# being manually run by a developer outside a derivation # being manually run by a developer outside a derivation
runNixBuild () { runNixBuild () {
local storeFun=$1 local storeFun=$1
local altitude=$2 local altitude=$2
nix-build \ nix-build \

1
tests/functional/shell.sh
View file

@ -52,6 +52,7 @@ if isDaemonNewer "2.20.0pre20231220"; then
fi fi
requireSandboxSupport requireSandboxSupport
requiresUnprivilegedUserNamespaces
chmod -R u+w "$TEST_ROOT/store0" || true chmod -R u+w "$TEST_ROOT/store0" || true
rm -rf "$TEST_ROOT/store0" rm -rf "$TEST_ROOT/store0"

2
tests/functional/supplementary-groups.sh
View file

@ -9,7 +9,7 @@ needLocalStore "The test uses --store always so we would just be bypassing the d
TODO_NixOS TODO_NixOS
unshare --mount --map-root-user -- bash -e -x <<EOF execUnshare <<EOF
source common.sh source common.sh
# Avoid store dir being inside sandbox build-dir # Avoid store dir being inside sandbox build-dir