From 237d9d0228cfed6d2e08b41b888d30aac5ab89e3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 8 May 2024 18:03:54 +0200 Subject: [PATCH] tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative This expects PermissionError: [Errno 1] Operation not permitted, but it seems that setxattr() for security.NTACL works on gitlab runners without being root. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- python/samba/tests/ntacls.py | 2 +- selftest/flapping.d/gitlab-setxattr-security | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 selftest/flapping.d/gitlab-setxattr-security diff --git a/python/samba/tests/ntacls.py b/python/samba/tests/ntacls.py index 0b7963d902e..6e2adda6a0d 100644 --- a/python/samba/tests/ntacls.py +++ b/python/samba/tests/ntacls.py @@ -83,5 +83,5 @@ class NtaclsTests(TestCaseInTempDir): lp = LoadParm() open(self.tempf, 'w').write("empty") lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb")) - self.assertRaises(Exception, setntacl, lp, self.tempf, NTACL_SDDL, + self.assertRaises(PermissionError, setntacl, lp, self.tempf, NTACL_SDDL, DOMAIN_SID, self.session_info, "native") diff --git a/selftest/flapping.d/gitlab-setxattr-security b/selftest/flapping.d/gitlab-setxattr-security new file mode 100644 index 00000000000..d7d24032450 --- /dev/null +++ b/selftest/flapping.d/gitlab-setxattr-security @@ -0,0 +1,18 @@ +# gitlab runners with kernel 5.15.109+ +# allow setxattr() on security.NTACL +# +# It's not clear in detail why there's a difference +# between various systems, one reason could be that +# with selinux inode_owner_or_capable() is used to check +# setxattr() permissions: +# it checks for the fileowner too, as well as CAP_FOWNER. +# Otherwise cap_inode_setxattr() is used, which checks for +# CAP_SYS_ADMIN. +# +# But the kernel doesn't have selinux only apparmor... +# +# test_setntacl_forcenative expects +# PermissionError: [Errno 1] Operation not permitted +# +# So for now we allow this to fail... +^samba.tests.ntacls.samba.tests.ntacls.NtaclsTests.test_setntacl_forcenative.none