add bwrapping on all other scripts/*.test except those that make Internet connections, and remove test for setuid bit, as some systems are configured to not require setuid/CAP_NET_ADMIN for CLONE_NEWNET.

2020-09-12 00:20:38 -05:00 · 2020-09-12 00:20:38 -05:00 · 51046d45d3
commit 51046d45d3
parent 1e9971f64c
11 changed files with 101 additions and 49 deletions
--- a/scripts/crl-revoked.test
+++ b/scripts/crl-revoked.test
@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash

 #crl.test

+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 revocation_code="-361"
 exit_code=1
 counter=0
--- a/scripts/ocsp-stapling-with-ca-as-responder.test
+++ b/scripts/ocsp-stapling-with-ca-as-responder.test
@ -2,19 +2,13 @@

 # ocsp-stapling-with-ca-as-responder.test

-# if we can, isolate the network namespace to eliminate port collisions
+# if we can, isolate the network namespace to eliminate port collisions.
 if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
    bwrap_path="$(command -v bwrap)"
-    if [[ -z "$bwrap_path" ]]; then
-	echo "couldn't find bwrap -- not isolating network namespace."
-    elif [[ ! -u "$bwrap_path" ]]; then
-	echo "$bwrap_path isn't setuid -- not isolating network namespace."
-    else
-	echo "isolating network namespace..."
-	export AM_BWRAPPED=yes
-	exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
-	unset AM_BWRAPPED
-	echo "not isolating network namespace."
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
    fi
 fi

--- a/scripts/ocsp-stapling.test
+++ b/scripts/ocsp-stapling.test
@ -3,22 +3,6 @@
 # ocsp-stapling.test
 # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST

-# if we can, isolate the network namespace to eliminate port collisions
-if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
-    bwrap_path="$(command -v bwrap)"
-    if [[ -z "$bwrap_path" ]]; then
-	echo "couldn't find bwrap -- not isolating network namespace."
-    elif [[ ! -u "$bwrap_path" ]]; then
-	echo "$bwrap_path isn't setuid -- not isolating network namespace."
-    else
-	echo "isolating network namespace..."
-	export AM_BWRAPPED=yes
-	exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
-	unset AM_BWRAPPED
-	echo "not isolating network namespace."
-    fi
-fi
-
 if [[ -z "${RETRIES_REMAINING-}" ]]; then
    export RETRIES_REMAINING=2
 fi
--- a/scripts/ocsp-stapling2.test
+++ b/scripts/ocsp-stapling2.test
@ -3,19 +3,13 @@
 # ocsp-stapling2.test
 # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2

-# if we can, isolate the network namespace to eliminate port collisions
+# if we can, isolate the network namespace to eliminate port collisions.
 if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
    bwrap_path="$(command -v bwrap)"
-    if [[ -z "$bwrap_path" ]]; then
-	echo "couldn't find bwrap -- not isolating network namespace."
-    elif [[ ! -u "$bwrap_path" ]]; then
-	echo "$bwrap_path isn't setuid -- not isolating network namespace."
-    else
-	echo "isolating network namespace..."
-	export AM_BWRAPPED=yes
-	exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
-	unset AM_BWRAPPED
-	echo "not isolating network namespace."
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
    fi
 fi

--- a/scripts/openssl.test
+++ b/scripts/openssl.test
@ -1,14 +1,24 @@
-#!/bin/sh
+#!/bin/bash

 #openssl.test

-if test -n "$WOLFSSL_OPENSSL_TEST"; then
-    echo "WOLFSSL_OPENSSL_TEST set, running test..."
-else
+if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
    echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
    exit 0
 fi

+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
+echo "WOLFSSL_OPENSSL_TEST set, running test..."
+
 # need a unique port since may run the same time as testsuite
 generate_port() {
    port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
--- a/scripts/pkcallbacks.test
+++ b/scripts/pkcallbacks.test
@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash

 #pkcallbacks.test

+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 exit_code=1
 counter=0
 # need a unique resume port since may run the same time as testsuite
--- a/scripts/psk.test
+++ b/scripts/psk.test
@ -1,8 +1,18 @@
-#!/bin/sh
+#!/bin/bash

 # psk.test
 # copyright wolfSSL 2016

+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # getting unique port is modeled after resume.test script
 # need a unique port since may run the same time as testsuite
 # use server port zero hack to get one
--- a/scripts/resume.test
+++ b/scripts/resume.test
@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash

 #resume.test

+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # need a unique resume port since may run the same time as testsuite
 # use server port zero hack to get one
 resume_string="reused"
--- a/scripts/sniffer-testsuite.test
+++ b/scripts/sniffer-testsuite.test
@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash

 #sniffer-testsuite.test

+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # ./configure --enable-sniffer [--enable-session-ticket]
 # Resumption tests require "--enable-session-ticket"

--- a/scripts/tls13.test
+++ b/scripts/tls13.test
@ -1,8 +1,18 @@
-#!/bin/sh
+#!/bin/bash

 # tls13.test
 # copyright wolfSSL 2016

+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # getting unique port is modeled after resume.test script
 # need a unique port since may run the same time as testsuite
 # use server port zero hack to get one
--- a/scripts/trusted_peer.test
+++ b/scripts/trusted_peer.test
@ -1,8 +1,18 @@
-#!/bin/sh
+#!/bin/bash

 # trusted_peer.test
 # copyright wolfSSL 2016

+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # getting unique port is modeled after resume.test script
 # need a unique port since may run the same time as testsuite
 # use server port zero hack to get one