-rw-r--r-- | test/sys/test_socket.rs | 8 | ||||
-rw-r--r-- | test/test.rs | 29 | ||||
-rw-r--r-- | test/test_unistd.rs | 25 |
3 files changed, 54 insertions, 8 deletions
diff --git a/test/sys/test_socket.rs b/test/sys/test_socket.rs index d4c4738e..106428b9 100644 --- a/test/sys/test_socket.rs +++ b/test/sys/test_socket.rs @@ -244,6 +244,10 @@ pub fn test_af_alg_cipher() { ControlMessage, MsgFlags}; use nix::sys::socket::sockopt::AlgSetKey; + // Travis's seccomp profile blocks AF_ALG + // https://docs.docker.com/engine/security/seccomp/ + skip_if_seccomp!(test_af_alg_cipher); + let alg_type = "skcipher"; let alg_name = "ctr(aes)"; // 256-bits secret key @@ -308,6 +312,10 @@ pub fn test_af_alg_aead() { ControlMessage, MsgFlags}; use nix::sys::socket::sockopt::{AlgSetKey, AlgSetAeadAuthSize}; + // Travis's seccomp profile blocks AF_ALG + // https://docs.docker.com/engine/security/seccomp/ + skip_if_seccomp!(test_af_alg_aead); + let auth_size = 4usize; let assoc_size = 16u32; diff --git a/test/test.rs b/test/test.rs index f0d45dc2..24260500 100644 --- a/test/test.rs +++ b/test/test.rs @@ -73,6 +73,35 @@ macro_rules! skip_if_not_root { }; } +cfg_if! { + if #[cfg(any(target_os = "android", target_os = "linux"))] { + macro_rules! skip_if_seccomp { + ($name:expr) => { + if let Ok(s) = std::fs::read_to_string("/proc/self/status") { + for l in s.lines() { + let mut fields = l.split_whitespace(); + if fields.next() == Some("Seccomp:") && + fields.next() != Some("0") + { + use ::std::io::Write; + let stderr = ::std::io::stderr(); + let mut handle = stderr.lock(); + writeln!(handle, + "{} cannot be run in Seccomp mode. Skipping test.", + stringify!($name)).unwrap(); + return; + } + } + } + } + } + } else { + macro_rules! skip_if_seccomp { + ($name:expr) => {} + } + } +} + mod sys; mod test_dir; mod test_fcntl; diff --git a/test/test_unistd.rs b/test/test_unistd.rs index e1e03f3f..21aaa0fc 100644 --- a/test/test_unistd.rs +++ b/test/test_unistd.rs 
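Review bot: The guard added at the top of `test_af_alg_cipher` returns before any AF_ALG call, so in a seccomp-confined CI run the test counts as passed while the kernel crypto socket path gets no coverage. The same holds for the identical guard in `test_af_alg_aead` and for the `execveat` guard in test/test_unistd.rs. The comment should record that consequence, e.g. `// Skipped (and reported as passed) whenever seccomp is active; AF_ALG is then only covered by unconfined runs.` The comment also names Travis while linking Docker's seccomp documentation; presumably the Travis jobs run under Docker's default profile, and saying so would explain the link. Both function bodies continue outside the hunks.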
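Review bot: `skip_if_seccomp!` has no doc comment, and its condition is broader than its call sites suggest: it returns on any `Seccomp:` value other than `0` in `/proc/self/status`, i.e. strict or filter mode, whether or not the installed filter denies the syscall the test needs. I would add a comment above the macro such as `// Returns early from the enclosing test when /proc/self/status reports a non-zero Seccomp mode; it does not check which syscalls the filter denies.` It should also mention that an unreadable status file lets the test run. Separately, `writeln!(...).unwrap()` turns a failed stderr write into a test panic on the skip path; `let _ = writeln!(handle, ...);` would keep the skip best-effort.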
@@ -184,7 +184,13 @@ macro_rules! execve_test_factory( ($test_name:ident, $syscall:ident, $exe: expr $(, $pathname:expr, $flags:expr)*) => ( #[test] fn $test_name() { - let _m = ::FORK_MTX.lock().expect("Mutex got poisoned by another test"); + if "execveat" == stringify!($syscall) { + // Though undocumented, Docker's default seccomp profile seems to + // block this syscall. https://github.com/nix-rust/nix/issues/1122 + skip_if_seccomp!($test_name); + } + + let m = ::FORK_MTX.lock().expect("Mutex got poisoned by another test"); // The `exec`d process will write to `writer`, and we'll read that // data from `reader`. let (reader, writer) = pipe().unwrap(); @@ -194,12 +200,9 @@ macro_rules! execve_test_factory( // The tests make sure not to do that, though. match fork().unwrap() { Child => { - // Close stdout. - close(1).unwrap(); // Make `writer` be the stdout of the new process. - dup(writer).unwrap(); - // exec! - $syscall( + dup2(writer, 1).unwrap(); + let r = $syscall( $exe, $(&CString::new($pathname).unwrap(), )* &[CString::new(b"".as_ref()).unwrap(), @@ -208,11 +211,17 @@ macro_rules! execve_test_factory( .as_ref()).unwrap()], &[CString::new(b"foo=bar".as_ref()).unwrap(), CString::new(b"baz=quux".as_ref()).unwrap()] - $(, $flags)*).unwrap(); + $(, $flags)*); + let _ = std::io::stderr() + .write_all(format!("{:?}", r).as_bytes()); + // Should only get here in event of error + unsafe{ _exit(1) }; }, Parent { child } => { // Wait for the child to exit. - waitpid(child, None).unwrap(); + let ws = waitpid(child, None); + drop(m); + assert_eq!(ws, Ok(WaitStatus::Exited(child, 0))); // Read 1024 bytes. let mut buf = [0u8; 1024]; read(reader, &mut buf).unwrap(); |
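Review bot: In the `Child` arm of the last hunk, `unsafe{ _exit(1) };` carries no `// SAFETY:` comment, and nothing says why `_exit` is used rather than a panic. Something like `// SAFETY: _exit only terminates this forked child; it skips unwinding and atexit handlers inherited from the test harness.` would cover it, if that is the intent. In the `Parent` arm, `drop(m);` sits between `waitpid` and `assert_eq!`, presumably so that a failed assertion cannot poison `FORK_MTX` for the other fork tests. A one-line comment such as `// Release FORK_MTX before asserting so a failure here does not poison it.` would keep a later cleanup from reordering those lines. The macro body starts and ends outside these hunks.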