From 7e4ce4980b93e404b44152ee1a424773b5eba527 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 30 Nov 2023 15:10:23 +0000
Subject: [PATCH] ci: disable non-root in user namespace test in container

Signed-off-by: Adrian Reber <areber@redhat.com>
---
 scripts/ci/prepare-for-fedora-rawhide.sh |  1 +
 scripts/ci/run-ci-tests.sh               | 11 ++++++++---
 scripts/ci/vagrant.sh                    |  4 ++++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/scripts/ci/prepare-for-fedora-rawhide.sh b/scripts/ci/prepare-for-fedora-rawhide.sh
index e31814a955..d812c5faa5 100755
--- a/scripts/ci/prepare-for-fedora-rawhide.sh
+++ b/scripts/ci/prepare-for-fedora-rawhide.sh
@@ -18,6 +18,7 @@ dnf install -y \
 	libnet-devel \
 	libnl3-devel \
 	libbsd-devel \
+	libselinux-utils \
 	make \
 	procps-ng \
 	protobuf-c-devel \
diff --git a/scripts/ci/run-ci-tests.sh b/scripts/ci/run-ci-tests.sh
index e05ead6683..ef7e869e03 100755
--- a/scripts/ci/run-ci-tests.sh
+++ b/scripts/ci/run-ci-tests.sh
@@ -288,11 +288,16 @@ ip net add test
 
 # Rootless tests
 # Check if cap_checkpoint_restore is supported and also if unshare -c is supported.
-if capsh --supports=cap_checkpoint_restore && unshare -c /bin/true; then
+#
+# Do not run this test in a container (see https://github.com/checkpoint-restore/criu/issues/2312).
+# This is a temporary workaround until fixed in the kernel.
+# The kernel currently does not show correct device and inode numbers in /proc/pid/maps
+# for stackable file systems.
+if capsh --supports=cap_checkpoint_restore && unshare -c /bin/true && [ ! -e /run/.containerenv ]; then
 	make -C test/zdtm/ cleanout
 	rm -rf test/dump
 	setcap cap_checkpoint_restore,cap_sys_ptrace+eip criu/criu
-	if [ -d /sys/fs/selinux ]; then
+	if [ -d /sys/fs/selinux ] && command -v getenforce &>/dev/null; then
 		# Note: selinux in Enforcing mode prevents us from calling clone3() or writing to ns_last_pid on restore; hence set to Permissive for the test and then set back.
 		selinuxmode=$(getenforce)
 		setenforce Permissive
@@ -301,7 +306,7 @@ if capsh --supports=cap_checkpoint_restore && unshare -c /bin/true; then
 	# under those conditions. Note that the "... && true" part is necessary; we need at least one statement after the tests so that bash can reap zombies in the user namespace,
 	# otherwise it will exec the last statement and get replaced and nobody will be left to reap our zombies.
 	sudo --user=#65534 --group=#65534 unshare -Ucfpm --mount-proc -- bash -c "./test/zdtm.py run -t zdtm/static/maps00 -f h --rootless && true"
-	if [ -d /sys/fs/selinux ]; then
+	if [ -d /sys/fs/selinux ] && command -v getenforce &>/dev/null; then
 		setenforce "$selinuxmode"
 	fi
 	setcap -r criu/criu
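Review bot: The new container guard on the `if` line checks only `/run/.containerenv`, which is the podman marker, so when this script is run under Docker (marker `/.dockerenv`) the rootless test still executes and hits the stackable-filesystem /proc/pid/maps problem the comment describes. Consider `[ ! -e /run/.containerenv ] && [ ! -e /.dockerenv ]`, or keying the check off the runtime the CI passes in, if that variable is visible to this script. The guard also skips silently; since the CI log is the only evidence the test ran, an `else` branch with `echo "Skipping rootless test inside a container (criu#2312)" >&2` would make the lost coverage visible rather than letting a green run imply the test passed. The closing `fi` of this block is outside the hunk.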
diff --git a/scripts/ci/vagrant.sh b/scripts/ci/vagrant.sh
index c0c8e88c1d..c8cf0be744 100755
--- a/scripts/ci/vagrant.sh
+++ b/scripts/ci/vagrant.sh
@@ -70,6 +70,10 @@ fedora-rawhide() {
 	#
 	ssh default 'sudo dnf remove -y crun || true'
 	ssh default sudo dnf install -y podman runc
+	# Some tests in the container need selinux to be disabled.
+	# In the container it is not possible to change the state of selinux.
+	# Let's just disable it for this test run completely.
+	ssh default 'sudo setenforce Permissive'
 	ssh default 'cd /vagrant; tar xf criu.tar; cd criu; sudo -E make -C scripts/ci fedora-rawhide CONTAINER_RUNTIME=podman BUILD_OPTIONS="--security-opt seccomp=unconfined"'
 }
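Review bot: `ssh default 'sudo setenforce Permissive'` exits non-zero when the guest has SELinux disabled or the utility missing (`setenforce: SELinux is disabled`), unlike the best-effort `|| true` used on the `dnf remove` line above; if vagrant.sh runs under `set -e` (not visible in the hunk) that aborts the whole fedora-rawhide run. Either guard it, `ssh default 'if [ "$(getenforce)" = Enforcing ]; then sudo setenforce Permissive; fi'`, or append `|| true` to match the surrounding style. The comment says SELinux is "disabled", but Permissive keeps the policy loaded and keeps logging AVC denials, which matters when reading the guest journal for failures; `# Switch the guest to Permissive (policy stays loaded, denials are only logged) for the whole run; the VM is disposable.` states it precisely. Note the change is never reverted, so everything after this line, including the podman container build, runs with the guest in Permissive mode.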