Posted to commits@mesos.apache.org by ji...@apache.org on 2016/08/26 14:56:38 UTC
mesos git commit: Fixed a capabilities test failure on Fedora 23.
Repository: mesos
Updated Branches:
refs/heads/master 27467c0f6 -> dbfbe6697
Fixed a capabilities test failure on Fedora 23.
Review: https://reviews.apache.org/r/51450
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/dbfbe669
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/dbfbe669
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/dbfbe669
Branch: refs/heads/master
Commit: dbfbe669797e62d08ca9dd94f0c26cea7e2a2300
Parents: 27467c0
Author: Jie Yu <yu...@gmail.com>
Authored: Thu Aug 25 21:45:54 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Aug 26 07:56:31 2016 -0700
----------------------------------------------------------------------
src/tests/containerizer/capabilities_tests.cpp | 22 ++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/dbfbe669/src/tests/containerizer/capabilities_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/containerizer/capabilities_tests.cpp b/src/tests/containerizer/capabilities_tests.cpp
index ec75698..3ba4640 100644
--- a/src/tests/containerizer/capabilities_tests.cpp
+++ b/src/tests/containerizer/capabilities_tests.cpp
@@ -134,10 +134,26 @@ TEST_F(CapabilitiesTest, ROOT_PingWithNoNetRawCapsChangeUser)
// This Test verifies that 'ping' would work with just the minimum
-// capability it requires ('NET_RAW').
-TEST_F(CapabilitiesTest, ROOT_PingWithJustNetRawCap)
+// capability it requires ('NET_RAW' and potentially 'NET_ADMIN').
+//
+// NOTE: Some Linux distributions install `ping` with `NET_RAW` and
+// `NET_ADMIN` in both the effective and permitted set in the file
+// capabilities. We only require `NET_RAW` for our tests, while
+// `NET_RAW` is needed for setting packet marks
+// (https://bugzilla.redhat.com/show_bug.cgi?id=802197). In such
+// distributions, setting 'NET_ADMIN' is required to bypass the
+// 'capability-dumb' check by the kernel. A 'capability-dump'
+// application is a traditional set-user-ID-root program that has been
+// switched to use file capabilities, but whose code has not been
+// modified to understand capabilities. For such applications, the
+// kernel checks if the process obtained all permitted capabilities
+// that were specified in the file permitted set during 'exec'.
+TEST_F(CapabilitiesTest, ROOT_PingWithJustNetRawSysAdminCap)
{
- Set<Capability> capabilities = {capabilities::NET_RAW};
+ Set<Capability> capabilities = {
+ capabilities::NET_RAW,
+ capabilities::NET_ADMIN
+ };
Try<Subprocess> s = ping(capabilities, CAPS_TEST_UNPRIVILEGED_USER);
ASSERT_SOME(s);
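Review bot: The renamed test `ROOT_PingWithJustNetRawSysAdminCap` says SysAdmin, but the set it builds holds `capabilities::NET_RAW` and `capabilities::NET_ADMIN`; `SYS_ADMIN` is a different and far broader capability, so the name should be `ROOT_PingWithJustNetRawNetAdminCap`. The added NOTE has two slips of the same kind: "while `NET_RAW` is needed for setting packet marks" should name `NET_ADMIN`, and 'capability-dump' should read 'capability-dumb' to match the earlier use. Because `NET_ADMIN` is now granted unconditionally, on distributions whose `ping` carries only `NET_RAW` in its file capabilities this test no longer exercises the minimum set. A one-line comment saying so would keep the least-privilege intent visible, for example `// NET_ADMIN is granted only to satisfy the capability-dumb check; ping itself needs NET_RAW.` The test body continues past the end of the hunk.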