Posted to commits@mesos.apache.org by ji...@apache.org on 2016/08/26 14:56:38 UTC

mesos git commit: Fixed a capabilities test failure on Fedora 23.

Repository: mesos
Updated Branches:
  refs/heads/master 27467c0f6 -> dbfbe6697


Fixed a capabilities test failure on Fedora 23.

Review: https://reviews.apache.org/r/51450


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/dbfbe669
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/dbfbe669
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/dbfbe669

Branch: refs/heads/master
Commit: dbfbe669797e62d08ca9dd94f0c26cea7e2a2300
Parents: 27467c0
Author: Jie Yu <yu...@gmail.com>
Authored: Thu Aug 25 21:45:54 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Aug 26 07:56:31 2016 -0700

----------------------------------------------------------------------
 src/tests/containerizer/capabilities_tests.cpp | 22 ++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/dbfbe669/src/tests/containerizer/capabilities_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/containerizer/capabilities_tests.cpp b/src/tests/containerizer/capabilities_tests.cpp
index ec75698..3ba4640 100644
--- a/src/tests/containerizer/capabilities_tests.cpp
+++ b/src/tests/containerizer/capabilities_tests.cpp
@@ -134,10 +134,26 @@ TEST_F(CapabilitiesTest, ROOT_PingWithNoNetRawCapsChangeUser)
 
 
 // This Test verifies that 'ping' would work with just the minimum
-// capability it requires ('NET_RAW').
-TEST_F(CapabilitiesTest, ROOT_PingWithJustNetRawCap)
+// capability it requires ('NET_RAW' and potentially 'NET_ADMIN').
+//
+// NOTE: Some Linux distributions install `ping` with `NET_RAW` and
+// `NET_ADMIN` in both the effective and permitted set in the file
+// capabilities. We only require `NET_RAW` for our tests, while
+// `NET_RAW` is needed for setting packet marks
+// (https://bugzilla.redhat.com/show_bug.cgi?id=802197). In such
+// distributions, setting 'NET_ADMIN' is required to bypass the
+// 'capability-dumb' check by the kernel. A 'capability-dump'
+// application is a traditional set-user-ID-root program that has been
+// switched to use file capabilities, but whose code has not been
+// modified to understand capabilities. For such applications, the
+// kernel checks if the process obtained all permitted capabilities
+// that were specified in the file permitted set during 'exec'.
+TEST_F(CapabilitiesTest, ROOT_PingWithJustNetRawSysAdminCap)
 {
-  Set<Capability> capabilities = {capabilities::NET_RAW};
+  Set<Capability> capabilities = {
+    capabilities::NET_RAW,
+    capabilities::NET_ADMIN
+  };
 
   Try<Subprocess> s = ping(capabilities, CAPS_TEST_UNPRIVILEGED_USER);
   ASSERT_SOME(s);
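Review bot: The new test name `ROOT_PingWithJustNetRawSysAdminCap` says SysAdmin, but the set it builds holds `capabilities::NET_RAW` and `capabilities::NET_ADMIN`; CAP_SYS_ADMIN is a different and far broader capability, so anyone auditing which tests grant it would be misled, and `ROOT_PingWithJustNetRawNetAdminCap` would match the code. In the NOTE comment, "while `NET_RAW` is needed for setting packet marks" should read `NET_ADMIN`, and 'capability-dump' should be 'capability-dumb' as spelled one line earlier. Because `NET_ADMIN` is now granted unconditionally, the test no longer shows that `ping` runs with `NET_RAW` alone on distributions whose binary carries only that file capability; a line such as `// NOTE: NET_ADMIN is granted on every distribution, so this no longer checks the NET_RAW-only case.` would make the trade-off explicit. The test body continues past the end of the hunk.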