net/netns, misc tests: remove TestOnlySkipPrivilegedOps, argv checks

The netns UID check is sufficient for now. We can do something else later if/when needed.
2020-05-31 14:35:30 -07:00 · 2020-05-31 14:35:30 -07:00 · becce82246
parent 7a410f9236
commit becce82246
6 changed files with 10 additions and 61 deletions
--- a/derp/derphttp/derphttp_test.go
+++ b/derp/derphttp/derphttp_test.go
@ -15,14 +15,9 @@ import (
 	"time"

 	"tailscale.com/derp"
-	"tailscale.com/net/netns"
 	"tailscale.com/types/key"
 )

-func init() {
-	netns.TestOnlySkipPrivilegedOps()
-}
-
 func TestSendRecv(t *testing.T) {
 	const numClients = 3
 	var serverPrivateKey key.Private
--- a/net/netcheck/netcheck_test.go
+++ b/net/netcheck/netcheck_test.go
@ -16,16 +16,11 @@ import (
 	"time"

 	"tailscale.com/net/interfaces"
-	"tailscale.com/net/netns"
 	"tailscale.com/net/stun"
 	"tailscale.com/net/stun/stuntest"
 	"tailscale.com/tailcfg"
 )

-func init() {
-	netns.TestOnlySkipPrivilegedOps()
-}
-
 func TestHairpinSTUN(t *testing.T) {
 	tx := stun.NewTxID()
 	c := &Client{
--- a/net/netns/netns.go
+++ b/net/netns/netns.go
@ -11,13 +11,7 @@
 // operating system, and perhaps even by version of the OS.
 package netns

-import (
-	"net"
-
-	"tailscale.com/syncs"
-)
-
-var skipPrivileged syncs.AtomicBool
+import "net"

 // Listener returns a new net.Listener with its Control hook func
 // initialized as necessary to run in logical network namespace that
@ -32,10 +26,3 @@ func Listener() *net.ListenConfig {
 func Dialer() *net.Dialer {
 	return &net.Dialer{Control: control}
 }
-
-// TestOnlySkipPrivilegedOps disables any behavior in this package
-// that requires root or other elevated privileges. It's used only in
-// tests, and using it definitely breaks some Tailscale functionality.
-func TestOnlySkipPrivilegedOps() {
-	skipPrivileged.Set(true)
-}
--- a/net/netns/netns_linux.go
+++ b/net/netns/netns_linux.go
@ -6,11 +6,11 @@ package netns

 import (
 	"errors"
+	"flag"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"os/exec"
-	"path/filepath"
 	"strings"
 	"sync"
 	"syscall"
@ -72,30 +72,18 @@ func defaultRouteInterface() (string, error) {
 // ignoreErrors returns true if we should ignore setsocketopt errors in
 // this instance.
 func ignoreErrors() bool {
+	// If we're in a test, ignore errors. Assume the test knows
+	// what it's doing and will do its own skips or permission
+	// checks if it's setting up a world that needs netns to work.
+	// But by default, assume that tests don't need netns and it's
+	// harmless to ignore the sockopts failing.
+	if flag.CommandLine.Lookup("test.v") != nil {
+		return true
+	}
 	if os.Getuid() != 0 {
 		// only root can manipulate these socket flags
 		return true
 	}
-
-	// TODO(apenwarr): this snooping around in the args is way too magic.
-	//  It would be better to explicitly activate, or not, this dialer
-	//  by passing it from the toplevel program.
-	v, _ := os.Executable()
-	switch filepath.Base(v) {
-	case "tailscale":
-		for _, arg := range os.Args {
-			if arg == "netcheck" {
-				return true
-			}
-		}
-	case "tailscaled":
-		for _, arg := range os.Args {
-			if arg == "-fake" || arg == "--fake" {
-				return true
-			}
-		}
-	}
-
 	return false
 }

@ -104,12 +92,6 @@ func ignoreErrors() bool {
 // It's intentionally the same signature as net.Dialer.Control
 // and net.ListenConfig.Control.
 func control(network, address string, c syscall.RawConn) error {
-	if skipPrivileged.Get() {
-		// We can't set socket marks without CAP_NET_ADMIN on linux,
-		// skip as requested.
-		return nil
-	}
-
 	var sockErr error
 	err := c.Control(func(fd uintptr) {
 		if ipRuleAvailable() {
--- a/wgengine/magicsock/magicsock_test.go
+++ b/wgengine/magicsock/magicsock_test.go
@ -26,7 +26,6 @@ import (
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/derp/derpmap"
-	"tailscale.com/net/netns"
 	"tailscale.com/net/stun/stuntest"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
@ -36,10 +35,6 @@ import (
 	"tailscale.com/wgengine/tstun"
 )

-func init() {
-	netns.TestOnlySkipPrivilegedOps()
-}
-
 // WaitReady waits until the magicsock is entirely initialized and connected
 // to its home DERP server. This is normally not necessary, since magicsock
 // is intended to be entirely asynchronous, but it helps eliminate race
--- a/wgengine/watchdog_test.go
+++ b/wgengine/watchdog_test.go
@ -11,15 +11,10 @@ import (
 	"testing"
 	"time"

-	"tailscale.com/net/netns"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/tstun"
 )

-func init() {
-	netns.TestOnlySkipPrivilegedOps()
-}
-
 func TestWatchdog(t *testing.T) {
 	t.Parallel()