Closed. jstancek closed this 7 years ago.
Technically this test depends on Linux >= 4.7 / kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f; I only omitted the kernel version test because I thought the cap_userns policy test would suffice. It seems odd that RHEL is back-porting new class/permission definitions if they aren't also back-porting the corresponding kernel patches; I already encountered breakage due to this for the netlink_socket tests (fixed by e7e718ad2c1ed40755b06e1ba64399ab2b8f7bff). I am wondering whether we ought to add a kernel version test here too, since even if you turn on userns in RHEL7, I'm not sure you'll have that kernel commit.
RHEL7 [1] (and possibly other distros) disable CLONE_NEWUSER by default. This series adds a check to see if a simple clone(CLONE_NEWUSER) works; if not, the cap_userns tests are skipped.
We didn't see this until RHEL7.4, because of the following Makefile check, which skipped the test:
The 7.4 policy update now makes the condition above true.
[1] http://rhelblog.redhat.com/2015/07/07/whats-next-for-containers-user-namespaces/ (comment 2)
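As an added example (not code from selinux-testsuite or from this thread), a C probe of the kind the series describes: it tries clone(CLONE_NEWUSER) and also applies the Linux >= 4.7 version check suggested above, so a harness can skip the cap_userns tests instead of failing them. The function names clone_newuser_works and kernel_at_least are my own, and the exit code 77 is the automake "skip" convention.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Child does nothing; we only care whether the clone itself succeeds. */
static int child_fn(void *arg) { (void)arg; return 0; }

/* 1 if clone(CLONE_NEWUSER) works, 0 if the kernel/policy refuses it
 * (EPERM: disabled by distro policy or seccomp; EINVAL: no CONFIG_USER_NS;
 * ENOSPC/EUSERS: namespace limits), -1 on any other error. */
int clone_newuser_works(void)
{
    enum { STACK_SIZE = 64 * 1024 };
    char *stack = malloc(STACK_SIZE);
    if (!stack)
        return -1;
    /* clone() stack grows down on x86/ARM/POWER/s390, so pass the top. */
    pid_t pid = clone(child_fn, stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, NULL);
    int saved = errno;
    if (pid > 0)
        waitpid(pid, NULL, 0);
    free(stack);
    if (pid > 0)
        return 1;
    return (saved == EPERM || saved == EINVAL || saved == ENOSPC || saved == EUSERS) ? 0 : -1;
}

/* Compare the "major.minor" prefix of a uname release string against the
 * minimum the test needs; returns 1 (ok), 0 (too old) or -1 (unparseable). */
int kernel_at_least(const char *release, int want_major, int want_minor)
{
    int major = 0, minor = 0;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return -1;
    if (major != want_major)
        return major > want_major;
    return minor >= want_minor;
}

int main(void)
{
    struct utsname u;
    uname(&u);
    int ver_ok = kernel_at_least(u.release, 4, 7), ns_ok = clone_newuser_works();
    if (ver_ok != 1 || ns_ok != 1) {
        printf("SKIP cap_userns: kernel %s (>=4.7: %d), clone(CLONE_NEWUSER): %d\n",
               u.release, ver_ok, ns_ok);
        return 77;
    }
    printf("cap_userns prerequisites satisfied\n");
    return 0;
}
```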