TestRunSeccompUnconfinedCloneUserns: Check for unprivileged_userns_clone

On Ubuntu and Debian there is a sysctl which allows to block clone(CLONE_NEWUSER) via "sysctl kernel.unprivileged_userns_clone=0" for unprivileged users that do not have CAP_SYS_ADMIN. See: https://lists.ubuntu.com/archives/kernel-team/2016-January/067926.html The DockerSuite.TestRunSeccompUnconfinedCloneUserns testcase fails if "kernel.unprivileged_userns_clone" is set to 0: docker_cli_run_unix_test.go:1040: c.Fatalf("expected clone userns with --security-opt seccomp=unconfined to succeed, got %s: %v", out, err) ... Error: expected clone userns with --security-opt seccomp=unconfined to succeed, got clone failed: Operation not permitted : exit status 1 So add a check and skip the testcase if kernel.unprivileged_userns_clone is 0. Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2025-12-07 19:42:23 +03:00 · 2016-07-29 09:11:07 -04:00
parent 3b7ea4d8c3
commit 87e4e3af68
2 changed files with 14 additions and 1 deletions
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@@ -1032,7 +1032,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
 // TestRunSeccompUnconfinedCloneUserns checks that
 // 'docker run --security-opt seccomp=unconfined syscall-test' allows creating a userns.
 func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
-	testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace)
+	testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace, unprivilegedUsernsClone)

 	// make sure running w privileged is ok
 	runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "syscall-test", "userns-test", "id")