From 913f8f4748a902842e84f23e00adcddeead4a7a9 Mon Sep 17 00:00:00 2001
From: Alan Somers
Date: Sun, 26 May 2019 17:47:49 -0600
Subject: Fix the is_so_mark_functional test in Linux containers

It's not sufficient to check for root privileges. In a container, the euid may be root even though the user lacks some capabilities. Replace this test's root check with a check for the CAP_NET_ADMIN capability instead.
---
 test/sys/test_sockopt.rs | 21 +++++++++++++++++++++
 test/test.rs | 2 ++
 2 files changed, 23 insertions(+)
(limited to 'test')
diff --git a/test/sys/test_sockopt.rs b/test/sys/test_sockopt.rs
index efe2c56b..5dcdfc02 100644
--- a/test/sys/test_sockopt.rs
+++ b/test/sys/test_sockopt.rs
@@ -1,6 +1,27 @@
 use rand::{thread_rng, Rng};
 use nix::sys::socket::{socket, sockopt, getsockopt, setsockopt, AddressFamily, SockType, SockFlag, SockProtocol};
 
+#[cfg(target_os = "linux")]
+#[test]
+fn is_so_mark_functional() {
+ use ::caps::{Capability, CapSet, has_cap};
+ use ::std::io::{self, Write};
+ use nix::sys::socket::sockopt;
+
+ if !has_cap(None, CapSet::Effective, Capability::CAP_NET_ADMIN).unwrap() {
+ let stderr = io::stderr();
+ let mut handle = stderr.lock();
+ writeln!(handle, "SO_MARK requires CAP_NET_ADMIN. Skipping test.")
+ .unwrap();
+ return;
+ }
+
+ let s = socket(AddressFamily::Inet, SockType::Stream, SockFlag::empty(), None).unwrap();
+ setsockopt(s, sockopt::Mark, &1337).unwrap();
+ let mark = getsockopt(s, sockopt::Mark).unwrap();
+ assert_eq!(mark, 1337);
+}
+
 #[test]
 fn test_so_buf() {
 let fd = socket(AddressFamily::Inet, SockType::Datagram, SockFlag::empty(), SockProtocol::Udp)
diff --git a/test/test.rs b/test/test.rs
index a91b6348..c7b9c013 100644
--- a/test/test.rs
+++ b/test/test.rs
@@ -1,4 +1,6 @@
 extern crate bytes;
+#[cfg(target_os = "linux")]
+extern crate caps;
 #[macro_use]
 extern crate cfg_if;
 #[macro_use]
--
cgit v1.2.3
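Review bot: In `is_so_mark_functional`, the `has_cap(None, CapSet::Effective, Capability::CAP_NET_ADMIN)` guard is probably necessary but not sufficient. As far as I know the kernel checks CAP_NET_ADMIN against the user namespace that owns the socket's network namespace, so a container with its own user namespace but a shared network namespace could pass the guard and still get EPERM from `setsockopt(s, sockopt::Mark, &1337).unwrap()`, failing the test instead of skipping it. Consider treating an EPERM result from that call as a skip too, and documenting the limit above the guard with `// CAP_NET_ADMIN in the effective set does not guarantee SO_MARK is permitted inside a user namespace`. Two smaller points in the same function: `has_cap(...).unwrap()` turns a failed capability query into a panic rather than a skip, and the descriptor `s` is never closed. The inner `use nix::sys::socket::sockopt;` also repeats the file-level import visible in the context lines and can be dropped.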