authorGravatar Philipp Wollermann <philwo@google.com>2015-12-08 14:52:18 +0000
committerGravatar David Chen <dzc@google.com>2015-12-08 22:26:01 +0000
commit93704e0355af7598144b781b73adb13062466e4c (patch)
treebff52391f8bf6cdb4695bb65412771907c8691c6 /src/test/shell
parent30df02a567cbd8a307b96037f0960fca66a5deaf (diff)
Simplify & speed-up the check whether sandbox related shell tests can run.
-- MOS_MIGRATED_REVID=109683354
Diffstat (limited to 'src/test/shell')
-rwxr-xr-xsrc/test/shell/bazel/bazel_sandboxing_cpp_test.sh4
-rwxr-xr-xsrc/test/shell/bazel/bazel_sandboxing_test.sh4
-rwxr-xr-xsrc/test/shell/bazel/bazel_sandboxing_test_utils.sh33
-rwxr-xr-xsrc/test/shell/bazel/namespace-runner_test.sh84
-rwxr-xr-xsrc/test/shell/bazel/process-wrapper_test.sh19
-rwxr-xr-xsrc/test/shell/bazel/testenv.sh4
6 files changed, 46 insertions, 102 deletions
diff --git a/src/test/shell/bazel/bazel_sandboxing_cpp_test.sh b/src/test/shell/bazel/bazel_sandboxing_cpp_test.sh
index ccd650c43e..2c2710bf13 100755
--- a/src/test/shell/bazel/bazel_sandboxing_cpp_test.sh
+++ b/src/test/shell/bazel/bazel_sandboxing_cpp_test.sh
@@ -198,6 +198,8 @@ EOF
|| fail "could not find 'undeclared inclusion' error message in bazel output"
}
-check_kernel_version
+# The test shouldn't fail if the environment doesn't support running it.
+check_supported_platform || exit 0
check_sandbox_allowed || exit 0
+
run_suite "sandbox"
diff --git a/src/test/shell/bazel/bazel_sandboxing_test.sh b/src/test/shell/bazel/bazel_sandboxing_test.sh
index 3ab5b744c2..31aa647ab0 100755
--- a/src/test/shell/bazel/bazel_sandboxing_test.sh
+++ b/src/test/shell/bazel/bazel_sandboxing_test.sh
@@ -364,6 +364,8 @@ EOF
kill_nc
}
-check_kernel_version
+# The test shouldn't fail if the environment doesn't support running it.
+check_supported_platform || exit 0
check_sandbox_allowed || exit 0
+
run_suite "sandbox"
diff --git a/src/test/shell/bazel/bazel_sandboxing_test_utils.sh b/src/test/shell/bazel/bazel_sandboxing_test_utils.sh
index 827dc35c3c..77e17f5928 100755
--- a/src/test/shell/bazel/bazel_sandboxing_test_utils.sh
+++ b/src/test/shell/bazel/bazel_sandboxing_test_utils.sh
@@ -15,41 +15,16 @@
# limitations under the License.
#
-# namespaces which are used by the sandbox were introduced in 3.8, so
-# test won't run on earlier kernels
-function check_kernel_version {
+function check_supported_platform {
if [ "${PLATFORM-}" = "darwin" ]; then
echo "Test will skip: sandbox is not yet supported on Darwin."
- exit 0
- fi
- MAJOR=$(uname -r | sed 's/^\([0-9]*\)\.\([0-9]*\)\..*/\1/')
- MINOR=$(uname -r | sed 's/^\([0-9]*\)\.\([0-9]*\)\..*/\2/')
- if [ $MAJOR -lt 3 ]; then
- echo "Test will skip: sandbox requires kernel >= 3.8; got $(uname -r)"
- exit 0
- fi
- if [ $MAJOR -eq 3 ] && [ $MINOR -lt 8 ]; then
- echo "Test will skip: sandbox requires kernel >= 3.8; got $(uname -r)"
- exit 0
+ return 1
fi
}
-# Some CI systems might deactivate sandboxing
function check_sandbox_allowed {
- mkdir -p test
- # Create a program that check if unshare(2) is allowed.
- cat <<'EOF' > test/test.c
-#define _GNU_SOURCE
-#include <sched.h>
-int main() {
- return unshare(CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER);
-}
-EOF
- cat <<'EOF' >test/BUILD
-cc_test(name = "sandbox_enabled", srcs = ["test.c"], copts = ["-std=c99"])
-EOF
- bazel test //test:sandbox_enabled || {
- echo "Sandboxing disabled, skipping..."
+ $namespace_sandbox -C || {
+ echo "Sandboxing disabled or not supported on this system, skipping..."
return 1
}
}
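Review bot: In `check_sandbox_allowed`, every failure of `$namespace_sandbox -C` is reported as "sandboxing disabled", including the case where `namespace_sandbox` is unset or points at a binary that was not built. With the variable empty the shell tries to run `-C` as a command, the function returns 1, and the callers in bazel_sandboxing_cpp_test.sh, bazel_sandboxing_test.sh and namespace-runner_test.sh `exit 0`, so the sandbox suites report success without running a single test. Separate the two cases by failing hard when the tool is absent, e.g. `[ -x "${namespace_sandbox-}" ] || { echo "namespace-sandbox not found: '${namespace_sandbox-}'" >&2; exit 1; }` before the probe, and quote the invocation as `"$namespace_sandbox" -C || {`. What `-C` actually probes is not visible in this hunk; a one-line comment naming the namespaces it checks would replace the documentation that the removed unshare(2) snippet provided.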
diff --git a/src/test/shell/bazel/namespace-runner_test.sh b/src/test/shell/bazel/namespace-runner_test.sh
index 3346d58cb2..da6857bda1 100755
--- a/src/test/shell/bazel/namespace-runner_test.sh
+++ b/src/test/shell/bazel/namespace-runner_test.sh
@@ -18,65 +18,25 @@
#
# Load test environment
-source $(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/test-setup.sh \
+src_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+source ${src_dir}/test-setup.sh \
|| { echo "test-setup.sh not found!" >&2; exit 1; }
+source ${src_dir}/bazel_sandboxing_test_utils.sh \
+ || { echo "bazel_sandboxing_test_utils.sh not found!" >&2; exit 1; }
-readonly WRAPPER="${bazel_data}/src/main/tools/namespace-sandbox"
readonly OUT_DIR="${TEST_TMPDIR}/out"
readonly OUT="${OUT_DIR}/outfile"
readonly ERR="${OUT_DIR}/errfile"
readonly SANDBOX_DIR="${OUT_DIR}/sandbox"
-WRAPPER_DEFAULT_OPTS="-S $SANDBOX_DIR"
+SANDBOX_DEFAULT_OPTS="-S $SANDBOX_DIR"
for dir in /bin* /lib* /usr/bin* /usr/lib*; do
- WRAPPER_DEFAULT_OPTS="$WRAPPER_DEFAULT_OPTS -M $dir"
+ SANDBOX_DEFAULT_OPTS="$SANDBOX_DEFAULT_OPTS -M $dir"
done
-# namespaces which are used by the sandbox were introduced in 3.8, so
-# test won't run on earlier kernels
-function check_kernel_version {
- if [ "${PLATFORM-}" = "darwin" ]; then
- echo "Test will skip: sandbox is not yet supported on Darwin."
- exit 0
- fi
- MAJOR=$(uname -r | sed 's/^\([0-9]*\)\.\([0-9]*\)\..*/\1/')
- MINOR=$(uname -r | sed 's/^\([0-9]*\)\.\([0-9]*\)\..*/\2/')
- if [ $MAJOR -lt 3 ]; then
- echo "Test will skip: sandbox requires kernel >= 3.8; got $(uname -r)"
- exit 0
- fi
- if [ $MAJOR -eq 3 ] && [ $MINOR -lt 8 ]; then
- echo "Test will skip: sandbox requires kernel >= 3.8; got $(uname -r)"
- exit 0
- fi
-}
-
-# Some CI systems might deactivate sandboxing
-function check_sandbox_allowed {
- mkdir -p test
- # Create a program that check if unshare(2) is allowed.
- cat <<'EOF' > test/test.c
-#define _GNU_SOURCE
-#include <sched.h>
-int main() {
- return unshare(CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWNET);
-}
-EOF
- cat <<'EOF' >test/BUILD
-cc_test(name = "sandbox_enabled", srcs = ["test.c"], copts = ["-std=c99"])
-EOF
- bazel test //test:sandbox_enabled || {
- echo "Sandboxing disabled, skipping..."
- return 1
- }
-}
-
function set_up {
rm -rf $OUT_DIR
- rm -rf $SANDBOX_DIR
-
- mkdir -p $OUT_DIR
- mkdir $SANDBOX_DIR
+ mkdir -p $SANDBOX_DIR
}
function assert_stdout() {
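Review bot: The two new `source ${src_dir}/...` lines expand `src_dir` unquoted, so a checkout path containing whitespace is split into several words and the `||` branch then prints a misleading "not found" message; write `source "${src_dir}/test-setup.sh"` and `source "${src_dir}/bazel_sandboxing_test_utils.sh"`. The same applies in `set_up`, where `mkdir -p $SANDBOX_DIR` sits next to `rm -rf $OUT_DIR`; `rm -rf -- "${OUT_DIR:?}"` and `mkdir -p -- "$SANDBOX_DIR"` keep the recursive delete confined to the intended directory. `SANDBOX_DEFAULT_OPTS` is different: it is built as a space-separated string and relies on word splitting at the call sites, which deserves a short comment (or a bash array) so nobody quotes it later. `assert_stdout` begins on the last line of this hunk and continues outside it.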
@@ -89,66 +49,66 @@ function assert_output() {
}
function test_basic_functionality() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -l $OUT -L $ERR -- /bin/echo hi there || fail
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -l $OUT -L $ERR -- /bin/echo hi there || fail
assert_output "hi there" ""
}
function test_default_user_is_nobody() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -l $OUT -L $ERR -- /usr/bin/id || fail
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -l $OUT -L $ERR -- /usr/bin/id || fail
assert_output "uid=65534 gid=65534 groups=65534" ""
}
function test_user_switched_to_root() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -r -l $OUT -L $ERR -- /usr/bin/id || fail
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -r -l $OUT -L $ERR -- /usr/bin/id || fail
assert_contains "uid=0 gid=0" "$OUT"
}
function test_network_namespace() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -n -l $OUT -L $ERR -- /bin/ip link ls || fail
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -n -l $OUT -L $ERR -- /bin/ip link ls || fail
assert_contains "LOOPBACK,UP" "$OUT"
}
function test_ping_loopback() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -n -r -l $OUT -L $ERR -- /bin/ping -c 1 127.0.0.1 || fail
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -n -r -l $OUT -L $ERR -- /bin/ping -c 1 127.0.0.1 || fail
assert_contains "1 received" "$OUT"
}
function test_to_stderr() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -l $OUT -L $ERR -- /bin/bash -c "/bin/echo hi there >&2" || fail
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -l $OUT -L $ERR -- /bin/bash -c "/bin/echo hi there >&2" || fail
assert_output "" "hi there"
}
function test_exit_code() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -l $OUT -L $ERR -- /bin/bash -c "exit 71" || code=$?
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -l $OUT -L $ERR -- /bin/bash -c "exit 71" || code=$?
assert_equals 71 "$code"
}
function test_signal_death() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -l $OUT -L $ERR -- /bin/bash -c 'kill -ABRT $$' || code=$?
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -l $OUT -L $ERR -- /bin/bash -c 'kill -ABRT $$' || code=$?
assert_equals 134 "$code" # SIGNAL_BASE + SIGABRT = 128 + 6
}
function test_signal_catcher() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -T 2 -t 3 -l $OUT -L $ERR -- /bin/bash -c \
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -T 2 -t 3 -l $OUT -L $ERR -- /bin/bash -c \
'trap "echo later; exit 0" SIGINT SIGTERM SIGALRM; sleep 1000' || code=$?
assert_equals 142 "$code" # SIGNAL_BASE + SIGALRM = 128 + 14
assert_stdout "later"
}
function test_basic_timeout() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -T 3 -t 3 -l $OUT -L $ERR -- /bin/bash -c "echo before; sleep 1000; echo after" && fail
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -T 3 -t 3 -l $OUT -L $ERR -- /bin/bash -c "echo before; sleep 1000; echo after" && fail
assert_output "before" ""
}
function test_timeout_grace() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -T 2 -t 3 -l $OUT -L $ERR -- /bin/bash -c \
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -T 2 -t 3 -l $OUT -L $ERR -- /bin/bash -c \
'trap "echo -n before; sleep 1; echo -n after; exit 0" SIGINT SIGTERM SIGALRM; sleep 1000' || code=$?
assert_equals 142 "$code" # SIGNAL_BASE + SIGALRM = 128 + 14
assert_stdout "beforeafter"
}
function test_timeout_kill() {
- $WRAPPER $WRAPPER_DEFAULT_OPTS -T 2 -t 3 -l $OUT -L $ERR -- /bin/bash -c \
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -T 2 -t 3 -l $OUT -L $ERR -- /bin/bash -c \
'trap "echo before; sleep 1000; echo after; exit 0" SIGINT SIGTERM SIGALRM; sleep 1000' || code=$?
assert_equals 142 "$code" # SIGNAL_BASE + SIGALRM = 128 + 14
assert_stdout "before"
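Review bot: `test_exit_code`, `test_signal_death`, `test_signal_catcher`, `test_timeout_grace` and `test_timeout_kill` capture the status with `|| code=$?` but never declare or reset `code`, unlike their counterparts in process-wrapper_test.sh, which start with `local code=0`. If the sandboxed command unexpectedly exits 0, `code` keeps whatever an earlier test stored (three of these tests expect 142), so a regression in timeout or signal handling could pass unnoticed, unless run_suite isolates each test in its own shell, which is not visible here. Adding `local code=0` as the first line of each of these functions makes every assertion depend only on the current invocation. `test_timeout_kill` continues past the end of this hunk.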
@@ -156,11 +116,13 @@ function test_timeout_kill() {
function test_debug_logging() {
touch ${TEST_TMPDIR}/testfile
- $WRAPPER $WRAPPER_DEFAULT_OPTS -D -M ${TEST_TMPDIR}/testfile -m /tmp/sandboxed_testfile -l $OUT -L $ERR -- /bin/true || code=$?
+ $namespace_sandbox $SANDBOX_DEFAULT_OPTS -D -M ${TEST_TMPDIR}/testfile -m /tmp/sandboxed_testfile -l $OUT -L $ERR -- /bin/true || code=$?
assert_contains "mount: /usr/bin\$" "$ERR"
assert_contains "mount: ${TEST_TMPDIR}/testfile -> <sandbox>/tmp/sandboxed_testfile\$" "$ERR"
}
-check_kernel_version
+# The test shouldn't fail if the environment doesn't support running it.
+check_supported_platform || exit 0
check_sandbox_allowed || exit 0
+
run_suite "namespace-runner"
diff --git a/src/test/shell/bazel/process-wrapper_test.sh b/src/test/shell/bazel/process-wrapper_test.sh
index 628d780647..490e8acf62 100755
--- a/src/test/shell/bazel/process-wrapper_test.sh
+++ b/src/test/shell/bazel/process-wrapper_test.sh
@@ -22,7 +22,6 @@
source $(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/testenv.sh \
|| { echo "testenv.sh not found!" >&2; exit 1; }
-readonly WRAPPER="${bazel_data}/src/main/tools/process-wrapper"
readonly OUT_DIR="${TEST_TMPDIR}/out"
readonly OUT="${OUT_DIR}/outfile"
readonly ERR="${OUT_DIR}/errfile"
@@ -42,43 +41,43 @@ function assert_output() {
}
function test_basic_functionality() {
- $WRAPPER -1 0 $OUT $ERR /bin/echo hi there &> $TEST_log || fail
+ $process_wrapper -1 0 $OUT $ERR /bin/echo hi there &> $TEST_log || fail
assert_output "hi there" ""
}
function test_to_stderr() {
- $WRAPPER -1 0 $OUT $ERR /bin/bash -c "/bin/echo hi there >&2" &> $TEST_log || fail
+ $process_wrapper -1 0 $OUT $ERR /bin/bash -c "/bin/echo hi there >&2" &> $TEST_log || fail
assert_output "" "hi there"
}
function test_exit_code() {
local code=0
- $WRAPPER -1 0 $OUT $ERR /bin/bash -c "exit 71" &> $TEST_log || code=$?
+ $process_wrapper -1 0 $OUT $ERR /bin/bash -c "exit 71" &> $TEST_log || code=$?
assert_equals 71 "$code"
}
function test_signal_death() {
local code=0
- $WRAPPER -1 0 $OUT $ERR /bin/bash -c 'kill -ABRT $$' &> $TEST_log || code=$?
+ $process_wrapper -1 0 $OUT $ERR /bin/bash -c 'kill -ABRT $$' &> $TEST_log || code=$?
assert_equals 134 "$code" # SIGNAL_BASE + SIGABRT = 128 + 6
}
function test_signal_catcher() {
local code=0
- $WRAPPER 1 2 $OUT $ERR /bin/bash -c \
+ $process_wrapper 1 2 $OUT $ERR /bin/bash -c \
'trap "echo later; exit 0" SIGINT SIGTERM SIGALRM; sleep 10' &> $TEST_log || code=$?
assert_equals 142 "$code" # SIGNAL_BASE + SIGALRM = 128 + 14
assert_stdout "later"
}
function test_basic_timeout() {
- $WRAPPER 1 2 $OUT $ERR /bin/bash -c "echo before; sleep 10; echo after" &> $TEST_log && fail
+ $process_wrapper 1 2 $OUT $ERR /bin/bash -c "echo before; sleep 10; echo after" &> $TEST_log && fail
assert_stdout "before"
}
function test_timeout_grace() {
local code=0
- $WRAPPER 1 2 $OUT $ERR /bin/bash -c \
+ $process_wrapper 1 2 $OUT $ERR /bin/bash -c \
'trap "echo -n before; sleep 1; echo after; exit 0" SIGINT SIGTERM SIGALRM; sleep 10' \
&> $TEST_log || code=$?
assert_equals 142 "$code" # SIGNAL_BASE + SIGALRM = 128 + 14
@@ -87,7 +86,7 @@ function test_timeout_grace() {
function test_timeout_kill() {
local code=0
- $WRAPPER 1 2 $OUT $ERR /bin/bash -c \
+ $process_wrapper 1 2 $OUT $ERR /bin/bash -c \
'trap "echo before; sleep 10; echo after; exit 0" SIGINT SIGTERM SIGALRM; sleep 10' \
&> $TEST_log || code=$?
assert_equals 142 "$code" # SIGNAL_BASE + SIGALRM = 128 + 14
@@ -96,7 +95,7 @@ function test_timeout_kill() {
function test_execvp_error_message() {
local code=0
- $WRAPPER -1 0 $OUT $ERR /bin/notexisting &> $TEST_log || code=$?
+ $process_wrapper -1 0 $OUT $ERR /bin/notexisting &> $TEST_log || code=$?
assert_equals 1 "$code"
assert_contains "execvp(\"/bin/notexisting\", ...): No such file or directory" "$ERR"
}
diff --git a/src/test/shell/bazel/testenv.sh b/src/test/shell/bazel/testenv.sh
index 7f2fc6514d..eb5e3e136d 100755
--- a/src/test/shell/bazel/testenv.sh
+++ b/src/test/shell/bazel/testenv.sh
@@ -44,6 +44,10 @@ singlejar_path="${TEST_SRCDIR}/src/java_tools/singlejar/SingleJar_deploy.jar"
genclass_path="${TEST_SRCDIR}/src/java_tools/buildjar/java/com/google/devtools/build/buildjar/genclass/GenClass_deploy.jar"
ijar_path="${TEST_SRCDIR}/third_party/ijar/ijar"
+# Sandbox tools
+process_wrapper="${TEST_SRCDIR}/src/main/tools/process-wrapper"
+namespace_sandbox="${TEST_SRCDIR}/src/main/tools/namespace-sandbox"
+
# Android tooling
aargenerator_path="${TEST_SRCDIR}/src/tools/android/java/com/google/devtools/build/android/AarGeneratorAction_deploy.jar"
androidresourceprocessor_path="${TEST_SRCDIR}/src/tools/android/java/com/google/devtools/build/android/AndroidResourceProcessingAction_deploy.jar"