From fa104dec42d99d7801a9bee0b601831321fb50d0 Mon Sep 17 00:00:00 2001 From: immanuwell Date: Sun, 21 Jun 2026 21:11:35 +0400 Subject: [PATCH] test(shim): skip privileged tests without required permissions --- crates/shim/src/cgroup.rs | 29 +++++++++++++++++++++++++---- crates/shim/src/error.rs | 15 +++++++++++++++ crates/shim/src/mount_linux.rs | 16 ++++++++++++++-- 3 files changed, 54 insertions(+), 6 deletions(-) diff --git a/crates/shim/src/cgroup.rs b/crates/shim/src/cgroup.rs index c901ee81..288ba08f 100644 --- a/crates/shim/src/cgroup.rs +++ b/crates/shim/src/cgroup.rs @@ -350,10 +350,10 @@ pub fn update_resources(cgroup: &Cgroup, resources: &LinuxResources) -> Result<( #[cfg(test)] mod tests { - use std::path::PathBuf; + use std::{error::Error as _, path::PathBuf}; use cgroups_rs::{ - fs::{hierarchies, Cgroup}, + fs::{error::ErrorKind, hierarchies, Cgroup}, CgroupPid, }; @@ -362,16 +362,37 @@ mod tests { add_task_to_cgroup, adjust_oom_score, read_process_oom_score, OOM_SCORE_ADJ_MAX, }; + fn is_cgroup_permission_error(err: &cgroups_rs::fs::error::Error) -> bool { + *err.kind() == ErrorKind::FsError + && err + .source() + .and_then(|source| source.downcast_ref::()) + .is_some_and(|source| source.kind() == std::io::ErrorKind::PermissionDenied) + } + #[test] fn test_add_cgroup() { let path = "runc_shim_test_cgroup"; let h = hierarchies::auto(); // create cgroup path first - let cg = Cgroup::new(h, path).unwrap(); + let cg = match Cgroup::new(h, path) { + Ok(cg) => cg, + Err(err) if is_cgroup_permission_error(&err) => { + eprintln!("skipping test_add_cgroup: {err}"); + return; + } + Err(err) => panic!("failed to create cgroup for test: {err}"), + }; let pid = std::process::id(); - add_task_to_cgroup(path, pid).unwrap(); + if let Err(err) = add_task_to_cgroup(path, pid) { + if crate::error::is_permission_error(&err) { + eprintln!("skipping test_add_cgroup: {err}"); + return; + } + panic!("failed to add task to cgroup for test: {err}"); + } let cg_id = CgroupPid::from(pid as u64); assert!(cg.tasks().contains(&cg_id)); diff --git a/crates/shim/src/error.rs b/crates/shim/src/error.rs index 056fe5f7..e44dad61 100644 --- a/crates/shim/src/error.rs +++ b/crates/shim/src/error.rs @@ -89,6 +89,21 @@ pub enum Error { Unimplemented(String), } +#[cfg(all(test, target_os = "linux"))] +pub(crate) fn is_permission_error(err: &Error) -> bool { + match err { + Error::IoError { err, .. } => err.kind() == std::io::ErrorKind::PermissionDenied, + #[cfg(unix)] + Error::Nix(err) | Error::MountError { err, .. } => { + matches!(err, nix::errno::Errno::EACCES | nix::errno::Errno::EPERM) + } + Error::Other(msg) => { + msg.contains("Permission denied") || msg.contains("Operation not permitted") + } + _ => false, + } +} + impl From for ttrpc::Error { fn from(e: Error) -> Self { match e { diff --git a/crates/shim/src/mount_linux.rs b/crates/shim/src/mount_linux.rs index cf67c0d4..4a20095b 100644 --- a/crates/shim/src/mount_linux.rs +++ b/crates/shim/src/mount_linux.rs @@ -1139,7 +1139,13 @@ mod tests { ]; // mount target. let result = mount_rootfs(Some("overlay"), Some("overlay"), &options, &target); - assert!(result.is_ok()); + if let Err(err) = &result { + if crate::error::is_permission_error(err) { + eprintln!("skipping test_mount_rootfs_umount_recursive: {err}"); + return; + } + } + assert!(result.is_ok(), "{result:?}"); let mut mountinfo = get_mounts(Some(prefix_filter( target .path() @@ -1176,6 +1182,12 @@ mod tests { direct: true, }; let result = setup_loop(backing_file, params); - assert!(result.is_ok()); + if let Err(err) = &result { + if crate::error::is_permission_error(err) { + eprintln!("skipping test_setup_loop_dev: {err}"); + return; + } + } + assert!(result.is_ok(), "{result:?}"); } }