author | Simon McVittie <smcv@collabora.com> | 2022-12-12 19:47:15 +0000 |
---|---|---|
committer | Alexander Larsson <alexander.larsson@gmail.com> | 2023-01-04 09:47:04 +0100 |
commit | 41fd02ad147907cedf88a7f7488ac18667adc919 (patch) | |
tree | bf81542b8ea0aac5e46c8eb79adf2b614f552a21 | |
parent | b5f672355b916e6e59dad5ec9ca55aa90afe8a90 (diff) | |
download | bubblewrap-41fd02ad147907cedf88a7f7488ac18667adc919.tar.gz |
test-run: Filter out no-new-privs in capsh output
Older versions of capsh would only show the capabilities, which we
expect not to change when we don't drop capabilities; but newer
versions also display whether the NO_NEW_PRIVS bit is set, and we *do*
expect to change that.
Resolves: https://github.com/containers/bubblewrap/issues/544
Signed-off-by: Simon McVittie <smcv@collabora.com>
-rwxr-xr-x | tests/test-run.sh | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/tests/test-run.sh b/tests/test-run.sh index 585fbf4..979480e 100755 --- a/tests/test-run.sh +++ b/tests/test-run.sh @@ -153,10 +153,11 @@ if ! ${is_uidzero}; then done echo "ok - we have no caps as uid != 0" else - capsh --print > caps.orig + capsh --print | sed -e 's/no-new-privs=0/no-new-privs=1/' > caps.expected + for OPT in "" "--as-pid-1"; do $RUN $OPT --unshare-pid capsh --print >caps.test - diff -u caps.orig caps.test + diff -u caps.expected caps.test done # And test that we can drop all, as well as specific caps $RUN $OPT --cap-drop ALL --unshare-pid capsh --print >caps.test |
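Review bot: On the added `capsh --print | sed -e 's/no-new-privs=0/no-new-privs=1/' > caps.expected` line, the pipeline's exit status is now sed's, so a failing or missing capsh on the host side is no longer reported at this step the way it could be with the old `capsh --print > caps.orig` redirect; whether that matters depends on the script running with errexit and pipefail, neither of which is visible in this hunk. Consider writing the capsh output to a file first and running sed on that file, or confirm pipefail is in effect. A short comment above the sed saying why no-new-privs is expected to be 1 inside the sandbox would also help, since the subject line says "Filter out" while the code rewrites the expected value rather than dropping the field, and on older capsh versions that print no such field the substitution silently does nothing.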