// Source: github.com/cloudfoundry-attic/garden-linux@v0.333.2-candidate/integration/helpers/capcheck/capcheck_linux_test.go

package main_test

import (
	"fmt"
	"os"
	"os/exec"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	"github.com/onsi/gomega/gbytes"
	"github.com/onsi/gomega/gexec"
)

// The capcheck suite runs the capability probe binary (capabilityTestBin,
// declared elsewhere in this package) under capsh twice per capability:
// once with the inherited capability set, where the probe must exit 0, and
// once with that capability dropped, where the probe must print the expected
// error and exit 1.
var _ = Describe("capcheck", func() {
	BeforeEach(func() {
		// Every spec needs root: without it the "has capability" case cannot pass.
		if os.Getuid() == 0 {
			return
		}
		Skip("must be run as root")
	})

	// probeCmd builds the capsh invocation for one probe run. capshFlags are
	// placed before "--"; everything after "--" is handed by capsh to the
	// shell it execs, so the probe is run as a `-c` command string.
	//
	// NOTE(review): the command string is assembled with Sprintf and parsed
	// by a shell. Both inputs are test-controlled here, but a
	// capabilityTestBin path containing whitespace or shell metacharacters
	// would be misparsed — confirm how the suite sets that path.
	probeCmd := func(capName string, capshFlags ...string) *exec.Cmd {
		shellLine := fmt.Sprintf("%s %s", capabilityTestBin, capName)
		argv := append(capshFlags, "--", "-c", shellLine)
		return exec.Command("capsh", argv...)
	}

	// describeCapability registers the positive and negative specs for one
	// capability. expectedError is passed to gbytes.Say, which interprets it
	// as a regular expression; the messages in the table below contain no
	// metacharacters, so they match literally.
	describeCapability := func(capName string, expectedError string) {
		Describe("probe "+capName, func() {
			// Relies on the BeforeEach root check.
			// NOTE(review): presumably also requires that the environment has
			// not already removed the capability from root's bounding set
			// (for example inside a restricted container) — confirm for CI.
			Context("when a process does have "+capName, func() {
				It("succeeds", func() {
					session, err := gexec.Start(probeCmd(capName), GinkgoWriter, GinkgoWriter)
					Expect(err).NotTo(HaveOccurred())
					Eventually(session).Should(gexec.Exit(0))
				})
			})

			// capsh --drop removes the capability from the bounding set
			// before the shell (and so the probe) is executed.
			Context("when a process does not have "+capName, func() {
				It("logs an error and returns a bad exit status code", func() {
					session, err := gexec.Start(probeCmd(capName, "--drop="+capName), GinkgoWriter, GinkgoWriter)
					Expect(err).NotTo(HaveOccurred())
					Eventually(session).Should(gbytes.Say(expectedError))
					Eventually(session).Should(gexec.Exit(1))
				})
			})
		})
	}

	// Capabilities under test, each paired with the message the probe is
	// expected to print once that capability has been dropped.
	probes := []struct {
		name      string
		deniedMsg string
	}{
		{"CAP_MKNOD", "Operation not permitted"},
		{"CAP_NET_BIND_SERVICE", "Failed to create listener: listen tcp :21: bind: permission denied"},
		{"CAP_SYS_ADMIN", "Failed to create a bind mount: operation not permitted"},
	}

	for _, p := range probes {
		describeCapability(p.name, p.deniedMsg)
	}
})