Require CAP_SYS_PTRACE for certain tests

process_vm_readv requires it, and I'm not exactly sure which other
things do too.

Author: asomers

test/sys/test_ptrace.rs

@@ -12,6 +12,7 @@ use std::mem;
 fn test_ptrace() {
     // Just make sure ptrace can be called at all, for now.
     // FIXME: qemu-user doesn't implement ptrace on all arches, so permit ENOSYS
+    require_capability!(CAP_SYS_PTRACE);
     let err = ptrace::attach(getpid()).unwrap_err();
     assert!(err == Error::Sys(Errno::EPERM) || err == Error::Sys(Errno::EINVAL) ||
             err == Error::Sys(Errno::ENOSYS));
@@ -21,6 +22,7 @@ fn test_ptrace() {
 #[test]
 #[cfg(any(target_os = "android", target_os = "linux"))]
 fn test_ptrace_setoptions() {
+    require_capability!(CAP_SYS_PTRACE);
     let err = ptrace::setoptions(getpid(), Options::PTRACE_O_TRACESYSGOOD).unwrap_err();
     assert!(err != Error::UnsupportedOperation);
 }
@@ -29,6 +31,7 @@ fn test_ptrace_setoptions() {
 #[test]
 #[cfg(any(target_os = "android", target_os = "linux"))]
 fn test_ptrace_getevent() {
+    require_capability!(CAP_SYS_PTRACE);
     let err = ptrace::getevent(getpid()).unwrap_err();
     assert!(err != Error::UnsupportedOperation);
 }
@@ -37,6 +40,7 @@ fn test_ptrace_getevent() {
 #[test]
 #[cfg(any(target_os = "android", target_os = "linux"))]
 fn test_ptrace_getsiginfo() {
+    require_capability!(CAP_SYS_PTRACE);
     if let Err(Error::UnsupportedOperation) = ptrace::getsiginfo(getpid()) {
         panic!("ptrace_getsiginfo returns Error::UnsupportedOperation!");
     }
@@ -46,6 +50,7 @@ fn test_ptrace_getsiginfo() {
 #[test]
 #[cfg(any(target_os = "android", target_os = "linux"))]
 fn test_ptrace_setsiginfo() {
+    require_capability!(CAP_SYS_PTRACE);
     let siginfo = unsafe { mem::zeroed() };
     if let Err(Error::UnsupportedOperation) = ptrace::setsiginfo(getpid(), &siginfo) {
         panic!("ptrace_setsiginfo returns Error::UnsupportedOperation!");
@@ -61,6 +66,8 @@ fn test_ptrace_cont() {
     use nix::unistd::fork;
     use nix::unistd::ForkResult::*;
 
+    require_capability!(CAP_SYS_PTRACE);
+
     let _m = ::FORK_MTX.lock().expect("Mutex got poisoned by another test");
 
     // FIXME: qemu-user doesn't implement ptrace on all architectures

test/sys/test_uio.rs

@@ -200,6 +200,7 @@ fn test_process_vm_readv() {
     use nix::sys::signal::*;
     use nix::sys::wait::*;
 
+    require_capability!(CAP_SYS_PTRACE);
     let _ = ::FORK_MTX.lock().expect("Mutex got poisoned by another test");
 
     // Pre-allocate memory in the child, since allocation isn't safe

test/sys/test_wait.rs

@@ -94,6 +94,7 @@ mod ptrace {
 
     #[test]
     fn test_wait_ptrace() {
+        require_capability!(CAP_SYS_PTRACE);
         let _m = ::FORK_MTX.lock().expect("Mutex got poisoned by another test");
 
         match fork().expect("Error: Fork Failed") {

test/test.rs

@@ -15,18 +15,28 @@ extern crate rand;
 extern crate sysctl;
 extern crate tempfile;
 
-#[cfg(any(target_os = "android", target_os = "linux"))]
-macro_rules! require_capability {
-    ($capname:ident) => {
-        use ::caps::{Capability, CapSet, has_cap};
-        use ::std::io::{self, Write};
+cfg_if! {
+    if #[cfg(any(target_os = "android", target_os = "linux"))] {
+        macro_rules! require_capability {
+            ($capname:ident) => {
+                use ::caps::{Capability, CapSet, has_cap};
+                use ::std::io::{self, Write};
 
-        if !has_cap(None, CapSet::Effective, Capability::$capname).unwrap() {
-            let stderr = io::stderr();
-            let mut handle = stderr.lock();
-            writeln!(handle, "Insufficient capabilities. Skipping test.")
-                .unwrap();
-            return;
+                if !has_cap(None, CapSet::Effective, Capability::$capname)
+                    .unwrap()
+                {
+                    let stderr = io::stderr();
+                    let mut handle = stderr.lock();
+                    writeln!(handle,
+                        "Insufficient capabilities. Skipping test.")
+                        .unwrap();
+                    return;
+                }
+            }
+        }
+    } else {
+        macro_rules! require_capability {
+            ($capname:ident) => {}
         }
     }
 }