[Libguestfs] [libnbd PATCH v2 09/23] tests: Require cap_sys_admin where root is required

Martin Kletzander mkletzan at redhat.com
Thu Jun 10 23:12:13 UTC 2021


Some tests check for root privileges, but do not check whether they have the
appropriate capabilities for all the tasks they are going to perform.  Since it
is not clear which capabilities are the proper ones, all of these tests
currently check for cap_sys_admin, although the code is written so that it can
check for any capability that is requested.

Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
---
 tests/functions.sh.in                 | 29 +++++++++++++++++++++++++++
 copy/copy-block-to-nbd.sh             |  1 +
 copy/copy-nbd-to-block.sh             |  1 +
 copy/copy-nbd-to-small-block-error.sh |  1 +
 4 files changed, 32 insertions(+)

diff --git a/tests/functions.sh.in b/tests/functions.sh.in
index 6f18f06238d5..3472f49b84e3 100644
--- a/tests/functions.sh.in
+++ b/tests/functions.sh.in
@@ -128,6 +128,35 @@ requires_fuse ()
     requires fusermount3 --version
 }
 
+# requires_caps
+#
+# Check for linux capabilities.  Parameters are in the form of "cap_name", e.g.
+#   requires_caps cap_net_admin cap_chown
+#
+# This should be coupled with requires_root as it will not fail when capsh
+# utility from libcapng is not installed or the capabilities are not found in
+# /proc/<pid>/status (to future-proof this against non-Linux platforms).
+requires_caps ()
+{
+    test -r /proc/$$/status || return 0
+    type capsh 2>/dev/null >&2 || return 0
+
+    local cap_eff
+    local cap_str
+
+    cap_eff="$(sed -n 's/CapEff:\s*\([^0-9a-fA-F]*\)/\1/p' /proc/$$/status)"
+    test -z "$cap_eff" && return 0
+
+    cap_str=$(capsh --decode="$cap_eff")
+    while test "$#" -gt 0; do
+        if [[ ! "$cap_str" =~ [,=]$1(,|$) ]]; then
+            echo "$0: test skipped because of missing capability: $1"
+            exit 77
+        fi
+        shift
+    done
+}
+
 # Tests that run under check-root should use this.
 requires_root ()
 {
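Review bot: The sed expression in requires_caps captures with a negated class, `[^0-9a-fA-F]*`, so the group matches nothing and the hex mask is printed only because the substitution strips the `CapEff:` prefix and leaves the rest of the line. I would capture the mask explicitly and anchor the line, `cap_eff="$(sed -n 's/^CapEff:[[:space:]]*\([0-9a-fA-F]*\)$/\1/p' /proc/$$/status)"`, which also avoids the GNU-only `\s`. As far as I know capsh ships with libcap rather than libcapng, so the header comment should name that package. A failing `capsh --decode` is the one path that does not fall back to `return 0`; under the callers' `set -e` it would presumably abort the test instead of skipping the check, so `cap_str=$(capsh --decode="$cap_eff") || return 0` would keep the documented fail-open behaviour.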
diff --git a/copy/copy-block-to-nbd.sh b/copy/copy-block-to-nbd.sh
index f29af6eb16b0..00d45427e967 100755
--- a/copy/copy-block-to-nbd.sh
+++ b/copy/copy-block-to-nbd.sh
@@ -22,6 +22,7 @@ set -e
 set -x
 
 requires_root
+requires_caps cap_sys_admin
 requires nbdkit --exit-with-parent --version
 requires test -r /sys/module/nbd
 requires nbd-client --version
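Review bot: The new `requires_caps cap_sys_admin` line carries no comment saying which step of the test needs the capability, and the commit message itself says the choice is a guess. A short comment above it, e.g. `# attaching the kernel nbd device with nbd-client is assumed to need CAP_SYS_ADMIN`, would let a later reader narrow or correct the requirement. The same applies to the identical additions in copy/copy-nbd-to-block.sh and copy/copy-nbd-to-small-block-error.sh.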
diff --git a/copy/copy-nbd-to-block.sh b/copy/copy-nbd-to-block.sh
index 4924af991586..b3e6402c38a6 100755
--- a/copy/copy-nbd-to-block.sh
+++ b/copy/copy-nbd-to-block.sh
@@ -22,6 +22,7 @@ set -e
 set -x
 
 requires_root
+requires_caps cap_sys_admin
 requires nbdkit --exit-with-parent --version
 requires test -r /sys/module/nbd
 requires nbd-client --version
diff --git a/copy/copy-nbd-to-small-block-error.sh b/copy/copy-nbd-to-small-block-error.sh
index 5a3953a3b0ad..ef5da9a0df62 100755
--- a/copy/copy-nbd-to-small-block-error.sh
+++ b/copy/copy-nbd-to-small-block-error.sh
@@ -22,6 +22,7 @@ set -e
 set -x
 
 requires_root
+requires_caps cap_sys_admin
 requires nbdkit --exit-with-parent --version
 requires test -r /sys/module/nbd
 requires nbd-client --version
-- 
2.32.0



