fix command-create-pidfd test inside unprivileged docker containers

Pietro Albini 2021-08-12 11:28:06 +02:00
parent 4e900176b6
commit 7a7d2d1779
No known key found for this signature in database
GPG key ID: CD76B35F7734769E


@ -15,7 +15,18 @@ fn has_clone3() -> bool {
let err = (res == -1)
.then(|| Error::last_os_error())
.expect("probe syscall should not succeed");
err.raw_os_error() != Some(libc::ENOSYS)
// If the `clone3` syscall is not implemented in the current kernel version it should return an
// `ENOSYS` error. Docker also blocks the whole syscall inside unprivileged containers, and
// returns `EPERM` (instead of `ENOSYS`) when a program tries to invoke the syscall. Because of
// that we need to check for *both* `ENOSYS` and `EPERM`.
//
// Note that Docker's behavior is breaking other projects (notably glibc), so they're planning
// to update their filtering to return `ENOSYS` in a future release:
//
// https://github.com/moby/moby/issues/42680
//
err.raw_os_error() != Some(libc::ENOSYS) && err.raw_os_error() != Some(libc::EPERM)
}
fn main() {
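Review bot: The new final expression of `has_clone3` maps `EPERM` to "clone3 unavailable", so a run under a seccomp-filtered container looks the same as a run on an old kernel. If the caller just returns early on `false` (main's body and the start of `has_clone3` are outside this hunk, so this is inferred), the pidfd path gets no coverage in those CI containers and nothing in the output says so. A one-line notice on stderr in the skip path would make the lost coverage visible. The comment could also end with a removal marker such as `// FIXME: drop the EPERM case once moby/moby#42680 is released`, so the wider match does not outlive the Docker workaround. As a style point, the two `raw_os_error()` calls fold into `!matches!(err.raw_os_error(), Some(libc::ENOSYS | libc::EPERM))`.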