Skip to content

Commit a80eeae

Browse files
committed
fix(supervisor): harden tests for restricted CI container environments
Guard tests against CI-specific constraints: root without CAP_SETPCAP, UIDs with no /etc/passwd entry, and restricted /proc access. Signed-off-by: Seth Jennings <sjennings@nvidia.com> Signed-off-by: Seth Jennings <sjenning@redhat.com>
1 parent be05115 commit a80eeae

2 files changed

Lines changed: 29 additions & 3 deletions

File tree

crates/openshell-supervisor-process/src/bypass_monitor/mod.rs

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -554,6 +554,17 @@ mod tests {
554554
std::thread::sleep(Duration::from_millis(20));
555555
}
556556

557+
let child_fd_dir = format!("/proc/{child_pid}/fd");
558+
if std::fs::read_dir(&child_fd_dir).is_err() {
559+
#[allow(unsafe_code)]
560+
unsafe {
561+
libc::kill(child_pid, libc::SIGKILL);
562+
libc::waitpid(child_pid, std::ptr::null_mut(), 0);
563+
}
564+
eprintln!("skipping: cannot read {child_fd_dir} (restricted /proc)");
565+
return;
566+
}
567+
557568
let (binary, pid, ancestors) = resolve_process_identity(std::process::id(), peer_port);
558569

559570
// libc/syscall FFI requires unsafe

crates/openshell-supervisor-process/src/process.rs

Lines changed: 18 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1599,6 +1599,17 @@ mod tests {
15991599
});
16001600

16011601
let result = drop_privileges(&policy);
1602+
#[cfg(target_os = "linux")]
1603+
{
1604+
if nix::unistd::geteuid().is_root() && !capability_bounding_set_clear_available() {
1605+
let msg = format!("{}", result.unwrap_err());
1606+
assert!(
1607+
msg.contains("Failed to clear child capability bounding set"),
1608+
"unexpected failure: {msg}"
1609+
);
1610+
return;
1611+
}
1612+
}
16021613
assert!(result.is_ok(), "drop_privileges failed: {result:?}");
16031614
}
16041615

@@ -1913,9 +1924,13 @@ mod tests {
19131924
return;
19141925
}
19151926

1916-
let current_user = User::from_uid(nix::unistd::geteuid())
1917-
.unwrap()
1918-
.expect("current user entry");
1927+
let current_user = match User::from_uid(nix::unistd::geteuid()) {
1928+
Ok(Some(u)) => u,
1929+
_ => {
1930+
eprintln!("skipping: current UID has no /etc/passwd entry");
1931+
return;
1932+
}
1933+
};
19191934
let restricted_group = Group::from_gid(Gid::from_raw(0))
19201935
.unwrap()
19211936
.expect("gid 0 group entry");

0 commit comments

Comments
 (0)