Skip to content

Commit

Permalink
functional-tests: skip tests if the kernel restricts unprivileged use…
Browse files Browse the repository at this point in the history
…r namespaces
  • Loading branch information
Mic92 committed Dec 14, 2024
1 parent 9f2b925 commit 00e32c1
Show file tree
Hide file tree
Showing 12 changed files with 22 additions and 6 deletions.
1 change: 1 addition & 0 deletions tests/functional/build-remote-trustless-should-fail-0.sh
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ TODO_NixOS
restartDaemon

requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ $busybox =~ busybox ]] || skipTest "no busybox"

unset NIX_STORE_DIR
Expand Down
1 change: 1 addition & 0 deletions tests/functional/build-remote-trustless.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
# shellcheck disable=SC2154

requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ "$busybox" =~ busybox ]] || skipTest "no busybox"

unset NIX_STORE_DIR
Expand Down
2 changes: 2 additions & 0 deletions tests/functional/build-remote.sh
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
: "${file?must be defined by caller (remote building test case using this)}"

requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ "${busybox-}" =~ busybox ]] || skipTest "no busybox"

# Avoid store dir being inside sandbox build-dir
Expand All @@ -27,6 +28,7 @@ builders=(
chmod -R +w "$TEST_ROOT/machine"* || true
rm -rf "$TEST_ROOT/machine"* || true


# Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
# child process. This allows us to test LegacySSHStore::buildDerivation().
# ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().
Expand Down
1 change: 1 addition & 0 deletions tests/functional/chroot-store.sh
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ EOF
cp simple.nix shell.nix simple.builder.sh "${config_nix}" "$flakeDir/"

TODO_NixOS
requiresUnprivilegedUserNamespaces

outPath=$(nix build --print-out-paths --no-link --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' --store "$TEST_ROOT/x" path:"$flakeDir")

Expand Down
11 changes: 11 additions & 0 deletions tests/functional/common/functions.sh
Original file line number Diff line number Diff line change
Expand Up @@ -345,4 +345,15 @@ count() {

trap onError ERR

requiresUnprivilegedUserNamespaces() {
if [[ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]] && [[ $(< /proc/sys/kernel/apparmor_restrict_unprivileged_userns) -eq 1 ]]; then
skipTest "Unprivileged user namespaces are disabled. Run 'sudo sysctl -w /proc/sys/kernel/apparmor_restrict_unprivileged_userns=0' to disable."
fi
}

execUnshare () {
requiresUnprivilegedUserNamespaces
exec unshare --mount --map-root-user "$SHELL" "$@"
}

fi # COMMON_FUNCTIONS_SH_SOURCED
1 change: 1 addition & 0 deletions tests/functional/linux-sandbox.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ TODO_NixOS
clearStore

requireSandboxSupport
requiresUnprivilegedUserNamespaces

# Note: we need to bind-mount $SHELL into the chroot. Currently we
# only support the case where $SHELL is in the Nix store, because
Expand Down
2 changes: 1 addition & 1 deletion tests/functional/local-overlay-store/bad-uris.sh
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ TODO_NixOS

for i in "${storesBad[@]}"; do
echo $i
unshare --mount --map-root-user bash <<EOF
execUnshare <<EOF
source common.sh
setupStoreDirs
mountOverlayfs
Expand Down
4 changes: 0 additions & 4 deletions tests/functional/local-overlay-store/common.sh
Original file line number Diff line number Diff line change
Expand Up @@ -94,10 +94,6 @@ initLowerStore () {
pathInLowerStore=$(nix-store --store "$storeA" --realise $drvPath)
}

execUnshare () {
exec unshare --mount --map-root-user "$SHELL" "$@"
}

addTextToStore() {
storeDir=$1; shift
filename=$1; shift
Expand Down
1 change: 1 addition & 0 deletions tests/functional/nested-sandboxing.sh
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ source common.sh
TODO_NixOS

requireSandboxSupport
requiresUnprivilegedUserNamespaces

start="$TEST_ROOT/start"
mkdir -p "$start"
Expand Down
1 change: 1 addition & 0 deletions tests/functional/nested-sandboxing/command.sh
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ goodStoreUrl () {
# whether this test is being run in a derivation as part of the nix build or
# being manually run by a developer outside a derivation
runNixBuild () {

local storeFun=$1
local altitude=$2
nix-build \
Expand Down
1 change: 1 addition & 0 deletions tests/functional/shell.sh
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ if isDaemonNewer "2.20.0pre20231220"; then
fi

requireSandboxSupport
requiresUnprivilegedUserNamespaces

chmod -R u+w "$TEST_ROOT/store0" || true
rm -rf "$TEST_ROOT/store0"
Expand Down
2 changes: 1 addition & 1 deletion tests/functional/supplementary-groups.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ needLocalStore "The test uses --store always so we would just be bypassing the d

TODO_NixOS

unshare --mount --map-root-user -- bash -e -x <<EOF
execUnshare <<EOF
source common.sh
# Avoid store dir being inside sandbox build-dir
Expand Down

0 comments on commit 00e32c1

Please sign in to comment.