mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative

This expects PermissionError: [Errno 1] Operation not permitted,
but it seems that setxattr() for security.NTACL works on gitlab
runners without being root.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 237d9d0228)
Stefan Metzmacher 2024-05-08 18:03:54 +02:00
parent 1b21c09d51
commit dfcbd88504
2 changed files with 19 additions and 1 deletions


@ -83,5 +83,5 @@ class NtaclsTests(TestCaseInTempDir):
lp = LoadParm()
open(self.tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
self.assertRaises(Exception, setntacl, lp, self.tempf, NTACL_SDDL,
self.assertRaises(PermissionError, setntacl, lp, self.tempf, NTACL_SDDL,
DOMAIN_SID, self.session_info, "native")
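Review bot: The narrowed `self.assertRaises(PermissionError, setntacl, ...)` line still accepts both EPERM and EACCES, while the commit description names `[Errno 1] Operation not permitted` specifically. If the test is meant to show that an unprivileged caller cannot write the `security.NTACL` xattr through the "native" backend, pinning the errno makes that explicit: wrap the `setntacl(...)` call in `with self.assertRaises(PermissionError) as cm:` and follow it with `self.assertEqual(cm.exception.errno, errno.EPERM)` (this needs `errno` imported in the module, which is not visible here). A short comment above the assertion, such as `# a non-root caller must not be able to write security.NTACL directly`, would record why the failure is the expected outcome. The test method starts outside this hunk, so any root check or skip guard it has cannot be seen from here.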


@ -0,0 +1,18 @@
# gitlab runners with kernel 5.15.109+
# allow setxattr() on security.NTACL
#
# It's not clear in detail why there's a difference
# between various systems, one reason could be that
# with selinux inode_owner_or_capable() is used to check
# setxattr() permissions:
# it checks for the fileowner too, as well as CAP_FOWNER.
# Otherwise cap_inode_setxattr() is used, which checks for
# CAP_SYS_ADMIN.
#
# But the kernel doesn't have selinux only apparmor...
#
# test_setntacl_forcenative expects
# PermissionError: [Errno 1] Operation not permitted
#
# So for now we allow this to fail...
^samba.tests.ntacls.samba.tests.ntacls.NtaclsTests.test_setntacl_forcenative.none
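Review bot: The pattern on the last line applies in every environment, not only on the gitlab runners the comment describes, so a genuine regression in the permission check for `security.NTACL` writes would no longer be caught by this test anywhere. Depending on how this list is evaluated (the file's path is not shown on this page), an expected-failure entry may also report hosts where the PermissionError is still raised as an unexpected success; a list that tolerates either outcome would match "for now we allow this to fail" better. Because `security.NTACL` holds the NT security descriptor that the file server relies on, the comment should state what has to be established before the entry can be dropped, for example `# TODO: remove once it is known which LSM/capability check lets the runner's non-root user set security.NTACL`. The line `# But the kernel doesn't have selinux only apparmor...` presumably refers to the runner kernel and would be clearer if it said so.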