(t *testing.T)
| 322 | } |
| 323 | |
| 324 | func TestProcessCaps(t *testing.T) { |
| 325 | if testing.Short() { |
| 326 | return |
| 327 | } |
| 328 | |
| 329 | config := newTemplateConfig(t, nil) |
| 330 | container, err := newContainer(t, config) |
| 331 | ok(t, err) |
| 332 | defer destroyContainer(container) |
| 333 | |
| 334 | var stdout strings.Builder |
| 335 | pconfig := libcontainer.Process{ |
| 336 | Cwd: "/", |
| 337 | Args: []string{"sh", "-c", "cat /proc/self/status"}, |
| 338 | Env: standardEnvironment, |
| 339 | Stdin: nil, |
| 340 | Stdout: &stdout, |
| 341 | Stderr: new(strings.Builder), |
| 342 | Capabilities: &configs.Capabilities{}, |
| 343 | Init: true, |
| 344 | } |
| 345 | pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN") |
| 346 | pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN") |
| 347 | pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN") |
| 348 | err = container.Run(&pconfig) |
| 349 | ok(t, err) |
| 350 | |
| 351 | // Wait for process |
| 352 | waitProcess(&pconfig, t) |
| 353 | |
| 354 | outputStatus := stdout.String() |
| 355 | |
| 356 | lines := strings.Split(outputStatus, "\n") |
| 357 | |
| 358 | effectiveCapsLine := "" |
| 359 | for _, l := range lines { |
| 360 | line := strings.TrimSpace(l) |
| 361 | if strings.Contains(line, "CapEff:") { |
| 362 | effectiveCapsLine = line |
| 363 | break |
| 364 | } |
| 365 | } |
| 366 | |
| 367 | if effectiveCapsLine == "" { |
| 368 | t.Fatal("Couldn't find effective caps: ", outputStatus) |
| 369 | } |
| 370 | |
| 371 | parts := strings.Split(effectiveCapsLine, ":") |
| 372 | effectiveCapsStr := strings.TrimSpace(parts[1]) |
| 373 | |
| 374 | effectiveCaps, err := strconv.ParseUint(effectiveCapsStr, 16, 64) |
| 375 | if err != nil { |
| 376 | t.Fatal("Could not parse effective caps", err) |
| 377 | } |
| 378 | |
| 379 | const netAdminMask = 1 << unix.CAP_NET_ADMIN |
| 380 | if effectiveCaps&netAdminMask != netAdminMask { |
| 381 | t.Fatal("CAP_NET_ADMIN is not set as expected") |