Now, with good reason... It took me enough hours today to figure out why the tests crash the host (as described in #929662, running out of pids).
The bug is not from upstream. Previously a file was removed from the upstream tarball, named engine/pkg/chrootarchive/archive_test.go, which has an important init func:

    func init() {
        reexec.Init()
    }

All tests that rely on reexec need this func. The tests added by CVE-2018-15664 need it as well. Without this, the tests cause a fork bomb.

Well, after adding this func back, the tests run and the host doesn't crash. However, the tests still can't pass in schroot. The log says:

    === RUN TestUntarWithMaliciousSymlinks
    --- FAIL: TestUntarWithMaliciousSymlinks (0.00s)
        archive_unix_test.go:64: assertion failed: expected error to contain "open /safe/host-file: no such file or directory", got Error processing tar file(exit status 1): Error creating mount namespace before pivot: operation not permitted
    === RUN TestTarWithMaliciousSymlinks
    === RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root/safe_host-file
    === RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root/safe/_host-file
    === RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root/safe_
    === RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root/safe/_
    === RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root_safe/host-file
    === RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root_/safe/host-file
    === RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root_
    --- FAIL: TestTarWithMaliciousSymlinks (0.05s)
        archive_unix_test.go:91: /tmp/TestTarWithMaliciousSymlinks515541462
        --- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root/safe_host-file (0.01s)
            archive_unix_test.go:156: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
        --- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root/safe/_host-file (0.00s)
            archive_unix_test.go:156: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
        --- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root/safe_ (0.01s)
            archive_unix_test.go:156: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
        --- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root/safe/_ (0.01s)
            archive_unix_test.go:156: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
        --- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root_safe/host-file (0.00s)
            archive_unix_test.go:156: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
        --- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root_/safe/host-file (0.01s)
            archive_unix_test.go:156: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
        --- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks515541462/root_ (0.00s)
            archive_unix_test.go:156: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
    FAIL
    FAIL github.com/docker/docker/pkg/chrootarchive 0.057s

Short version: these tests need privileged permission.

-- 
Shengjing Zhu
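Added example (not part of the original message and not Docker's code): a Go model, which starts no processes, of why a test binary that re-executes itself needs init() to call reexec.Init(). The registry, the handler name example-untar and the binary name chrootarchive.test are constructed for illustration.

```go
package main

import "fmt"

// Model of the re-exec pattern: a child is started from the same binary with
// argv[0] set to a registered name. Simulation only; nothing is executed.
var registry = map[string]func(){"example-untar": func() {}} // hypothetical handler

// Init runs the handler registered for argv0 and reports whether one ran.
func Init(argv0 string) bool {
	fn, ok := registry[argv0]
	if ok {
		fn()
	}
	return ok
}

type sim struct {
	callsInit bool // does the test binary have init() { reexec.Init() }?
	pidLimit  int  // stand-in for the host's pid limit
	spawned   int
	exhausted bool
}

// start models one process image of the test binary beginning execution.
func (s *sim) start(argv0 string) {
	if s.callsInit && Init(argv0) {
		return // child did the registered work and exits
	}
	// No dispatch: this process runs the test suite, which re-executes itself.
	if s.spawned >= s.pidLimit {
		s.exhausted = true
		return
	}
	s.spawned++
	s.start("example-untar")
}

// Simulate returns how many children were spawned and whether the limit was hit.
func Simulate(callsInit bool, pidLimit int) (int, bool) {
	s := &sim{callsInit: callsInit, pidLimit: pidLimit}
	s.start("chrootarchive.test") // constructed name for the test binary
	return s.spawned, s.exhausted
}

func main() {
	fmt.Println(Simulate(true, 1000))  // one child, limit not reached
	fmt.Println(Simulate(false, 1000)) // every child reruns the suite
}
```

With the init func present the model spawns a single child; without it, each child falls through to the test suite again until the pid budget is used up.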