From 41fd02ad147907cedf88a7f7488ac18667adc919 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Mon, 12 Dec 2022 19:47:15 +0000
Subject: test-run: Filter out no-new-privs in capsh output

Older versions of capsh would only show the capabilities, which we expect not to change when we don't drop capabilities; but newer versions also display whether the NO_NEW_PRIVS bit is set, and we *do* expect to change that.

Resolves: https://github.com/containers/bubblewrap/issues/544
Signed-off-by: Simon McVittie
---
 tests/test-run.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/test-run.sh b/tests/test-run.sh
index 585fbf4..979480e 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -153,10 +153,11 @@ if ! ${is_uidzero}; then
 done
 echo "ok - we have no caps as uid != 0"
 else
- capsh --print > caps.orig
+ capsh --print | sed -e 's/no-new-privs=0/no-new-privs=1/' > caps.expected
+
 for OPT in "" "--as-pid-1"; do
 $RUN $OPT --unshare-pid capsh --print >caps.test
- diff -u caps.orig caps.test
+ diff -u caps.expected caps.test
 done
 # And test that we can drop all, as well as specific caps
 $RUN $OPT --cap-drop ALL --unshare-pid capsh --print >caps.test
--
cgit v1.2.1
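Review bot: The added `capsh --print | sed -e 's/no-new-privs=0/no-new-privs=1/' > caps.expected` line hides a capsh failure: the pipeline's status is sed's, so unless the script sets `pipefail` (not visible in this hunk) an empty or truncated caps.expected is produced and only the later diff, not the failing command, reports it. Splitting the capture from the rewrite, `capsh --print > caps.orig || exit 1` then `sed -e 's/no-new-privs=0/no-new-privs=1/' caps.orig > caps.expected`, keeps the failure at its source and preserves the raw host output for debugging. Note also that the substitution only strengthens the assertion when the host capsh reports `no-new-privs=0`; if the harness itself already runs with the bit set the test passes without checking that bwrap sets it, which is worth recording in a comment such as `# newer capsh also prints no-new-privs; bwrap sets it, so expect =1`. The enclosing if/else and the test loop both extend outside this hunk.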