mirrors
/
tailscale
mirror of https://github.com/tailscale/tailscale.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

net/netns, misc tests: remove TestOnlySkipPrivilegedOps, argv checks 

The netns UID check is sufficient for now. We can do something else
later if/when needed.
This commit is contained in:
Brad Fitzpatrick 2020-05-31 14:35:30 -07:00
parent 7a410f9236
commit becce82246
6 changed files with 10 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
derp/derphttp/derphttp_test.go
View File

@ -15,14 +15,9 @@ import (
"time" "time"
"tailscale.com/derp" "tailscale.com/derp"
"tailscale.com/net/netns"
"tailscale.com/types/key" "tailscale.com/types/key"
) )
func init() {
netns.TestOnlySkipPrivilegedOps()
}
func TestSendRecv(t *testing.T) { func TestSendRecv(t *testing.T) {
const numClients = 3 const numClients = 3
var serverPrivateKey key.Private var serverPrivateKey key.Private

5
net/netcheck/netcheck_test.go
View File

@ -16,16 +16,11 @@ import (
"time" "time"
"tailscale.com/net/interfaces" "tailscale.com/net/interfaces"
"tailscale.com/net/netns"
"tailscale.com/net/stun" "tailscale.com/net/stun"
"tailscale.com/net/stun/stuntest" "tailscale.com/net/stun/stuntest"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
) )
func init() {
netns.TestOnlySkipPrivilegedOps()
}
func TestHairpinSTUN(t *testing.T) { func TestHairpinSTUN(t *testing.T) {
tx := stun.NewTxID() tx := stun.NewTxID()
c := &Client{ c := &Client{

15
net/netns/netns.go
View File

@ -11,13 +11,7 @@
// operating system, and perhaps even by version of the OS. // operating system, and perhaps even by version of the OS.
package netns package netns
import ( import "net"
"net"
"tailscale.com/syncs"
)
var skipPrivileged syncs.AtomicBool
// Listener returns a new net.Listener with its Control hook func // Listener returns a new net.Listener with its Control hook func
// initialized as necessary to run in logical network namespace that // initialized as necessary to run in logical network namespace that
@ -32,10 +26,3 @@ func Listener() *net.ListenConfig {
func Dialer() *net.Dialer { func Dialer() *net.Dialer {
return &net.Dialer{Control: control} return &net.Dialer{Control: control}
} }
// TestOnlySkipPrivilegedOps disables any behavior in this package
// that requires root or other elevated privileges. It's used only in
// tests, and using it definitely breaks some Tailscale functionality.
func TestOnlySkipPrivilegedOps() {
skipPrivileged.Set(true)
}

36
net/netns/netns_linux.go
View File

@ -6,11 +6,11 @@ package netns
import ( import (
"errors" "errors"
"flag"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"os" "os"
"os/exec" "os/exec"
"path/filepath"
"strings" "strings"
"sync" "sync"
"syscall" "syscall"
@ -72,30 +72,18 @@ func defaultRouteInterface() (string, error) {
// ignoreErrors returns true if we should ignore setsocketopt errors in // ignoreErrors returns true if we should ignore setsocketopt errors in
// this instance. // this instance.
func ignoreErrors() bool { func ignoreErrors() bool {
// If we're in a test, ignore errors. Assume the test knows
// what it's doing and will do its own skips or permission
// checks if it's setting up a world that needs netns to work.
// But by default, assume that tests don't need netns and it's
// harmless to ignore the sockopts failing.
if flag.CommandLine.Lookup("test.v") != nil {
return true
}
if os.Getuid() != 0 { if os.Getuid() != 0 {
// only root can manipulate these socket flags // only root can manipulate these socket flags
return true return true
} }
// TODO(apenwarr): this snooping around in the args is way too magic.
// It would be better to explicitly activate, or not, this dialer
// by passing it from the toplevel program.
v, _ := os.Executable()
switch filepath.Base(v) {
case "tailscale":
for _, arg := range os.Args {
if arg == "netcheck" {
return true
}
}
case "tailscaled":
for _, arg := range os.Args {
if arg == "-fake" || arg == "--fake" {
return true
}
}
}
return false return false
} }
@ -104,12 +92,6 @@ func ignoreErrors() bool {
// It's intentionally the same signature as net.Dialer.Control // It's intentionally the same signature as net.Dialer.Control
// and net.ListenConfig.Control. // and net.ListenConfig.Control.
func control(network, address string, c syscall.RawConn) error { func control(network, address string, c syscall.RawConn) error {
if skipPrivileged.Get() {
// We can't set socket marks without CAP_NET_ADMIN on linux,
// skip as requested.
return nil
}
var sockErr error var sockErr error
err := c.Control(func(fd uintptr) { err := c.Control(func(fd uintptr) {
if ipRuleAvailable() { if ipRuleAvailable() {

5
wgengine/magicsock/magicsock_test.go
View File

@ -26,7 +26,6 @@ import (
"tailscale.com/derp" "tailscale.com/derp"
"tailscale.com/derp/derphttp" "tailscale.com/derp/derphttp"
"tailscale.com/derp/derpmap" "tailscale.com/derp/derpmap"
"tailscale.com/net/netns"
"tailscale.com/net/stun/stuntest" "tailscale.com/net/stun/stuntest"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/tstest" "tailscale.com/tstest"
@ -36,10 +35,6 @@ import (
"tailscale.com/wgengine/tstun" "tailscale.com/wgengine/tstun"
) )
func init() {
netns.TestOnlySkipPrivilegedOps()
}
// WaitReady waits until the magicsock is entirely initialized and connected // WaitReady waits until the magicsock is entirely initialized and connected
// to its home DERP server. This is normally not necessary, since magicsock // to its home DERP server. This is normally not necessary, since magicsock
// is intended to be entirely asynchronous, but it helps eliminate race // is intended to be entirely asynchronous, but it helps eliminate race

5
wgengine/watchdog_test.go
View File

@ -11,15 +11,10 @@ import (
"testing" "testing"
"time" "time"
"tailscale.com/net/netns"
"tailscale.com/wgengine/router" "tailscale.com/wgengine/router"
"tailscale.com/wgengine/tstun" "tailscale.com/wgengine/tstun"
) )
func init() {
netns.TestOnlySkipPrivilegedOps()
}
func TestWatchdog(t *testing.T) { func TestWatchdog(t *testing.T) {
t.Parallel() t.Parallel()