
Commit 30cecc1

validation/linux_rootfs_propagation: fix
This code calls g.SetupPrivileged because validateRootfsPropagation needs to perform mounts. In fact, setting CAP_SYS_ADMIN and removing the generated seccomp profile (which does not enable mount/umount) is sufficient.

Using the whole g.SetupPrivileged is problematic when running tests inside Docker running on a machine with new Linux kernels. The problem is Docker does not (yet) know about recently added capabilities (specifically, CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE, brought in via commit 8e1a3b5), and thus runs a --privileged container without those. This code, though, tries to set them all, relying on the value of the last capability in /proc/sys/kernel/cap_last_cap. This results in an error setting new capabilities, and thus the test errors out.

While at it, make the test name more descriptive, adding the propagation that we're testing.

NOTE the same problem exists in validation/process_capabilities, and needs to be addressed separately.

Fixes: 8e1a3b5
Signed-off-by: Kir Kolyshkin <[email protected]>
1 parent 10d2584 commit 30cecc1
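The mismatch the commit message describes (a helper enumerating every capability up to /proc/sys/kernel/cap_last_cap while the container runtime only knows an older list) can be checked before a test run. The following is an added example, not code from runtime-tools or from this commit: it parses cap_last_cap, builds the "everything the kernel has" request the way such a helper would, and reports the capabilities a runtime cannot grant. The capability table follows Linux kernel numbering (0 through 40, CAP_CHECKPOINT_RESTORE being the last one introduced in Linux 5.9); `legacyRuntimeCaps` is a constructed stand-in for a runtime that predates CAP_PERFMON, CAP_BPF and CAP_CHECKPOINT_RESTORE, and `readLastCap` falls back to a constructed sample value when /proc is unavailable.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNames lists Linux capability names in kernel numbering order (0..40).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// parseLastCap parses the text of /proc/sys/kernel/cap_last_cap.
func parseLastCap(contents string) (int, error) {
	n, err := strconv.Atoi(strings.TrimSpace(contents))
	if err != nil {
		return 0, fmt.Errorf("cap_last_cap: %w", err)
	}
	if n < 0 {
		return 0, fmt.Errorf("cap_last_cap: negative value %d", n)
	}
	return n, nil
}

// readLastCap reads the live value from the kernel; it fails on hosts without /proc.
func readLastCap() (int, error) {
	data, err := os.ReadFile("/proc/sys/kernel/cap_last_cap")
	if err != nil {
		return 0, err
	}
	return parseLastCap(string(data))
}

// capsUpTo returns the names of capabilities 0..lastCap, the set a
// "grant everything the kernel has" helper would request. Numbers past the
// table (a kernel newer than this list) are reported as CAP_<n> rather than
// dropped, so the caller still sees them.
func capsUpTo(lastCap int) []string {
	caps := make([]string, 0, lastCap+1)
	for i := 0; i <= lastCap; i++ {
		if i < len(capNames) {
			caps = append(caps, capNames[i])
		} else {
			caps = append(caps, fmt.Sprintf("CAP_%d", i))
		}
	}
	return caps
}

// capSet turns a list of names into a lookup set.
func capSet(names []string) map[string]bool {
	s := make(map[string]bool, len(names))
	for _, n := range names {
		s[n] = true
	}
	return s
}

// unknownToRuntime returns, in request order, the capabilities absent from the
// set the container runtime knows. A non-empty result means asking for all of
// them inside that runtime fails, which is the error the commit message describes.
func unknownToRuntime(requested []string, known map[string]bool) []string {
	var missing []string
	for _, c := range requested {
		if !known[c] {
			missing = append(missing, c)
		}
	}
	return missing
}

// legacyRuntimeCaps is a constructed stand-in for a runtime that predates
// CAP_PERFMON/CAP_BPF/CAP_CHECKPOINT_RESTORE: it knows caps 0..37 only.
var legacyRuntimeCaps = capSet(capNames[:38])

func main() {
	lastCap, err := readLastCap()
	if err != nil {
		// No /proc available: fall back to a constructed sample value.
		lastCap, _ = parseLastCap("40\n")
	}
	missing := unknownToRuntime(capsUpTo(lastCap), legacyRuntimeCaps)
	if len(missing) == 0 {
		fmt.Println("runtime knows every capability up to cap_last_cap")
		return
	}
	fmt.Printf("cap_last_cap=%d; capabilities the runtime cannot grant: %s\n",
		lastCap, strings.Join(missing, " "))
}
```

Running this inside a container whose runtime lags the host kernel prints the three capabilities named in the commit message, which is exactly why the test switched from requesting every capability to requesting only CAP_SYS_ADMIN.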

1 file changed

+6
-2
lines changed


validation/linux_rootfs_propagation/linux_rootfs_propagation.go

+6-2
@@ -10,9 +10,13 @@ func testLinuxRootPropagation(t *tap.T, propMode string) error {
1010
if err != nil {
1111
util.Fatal(err)
1212
}
13-
g.SetupPrivileged(true)
13+
// Test case validateRootfsPropagation needs CAP_SYS_ADMIN to perform mounts.
14+
g.AddProcessCapability("CAP_SYS_ADMIN")
15+
// The generated seccomp profile does not enable mount/umount/umount2 syscalls.
16+
g.Config.Linux.Seccomp = nil
17+
1418
g.SetLinuxRootPropagation(propMode)
15-
g.AddAnnotation("TestName", "check root propagation")
19+
g.AddAnnotation("TestName", "check root propagation: "+propMode)
1620
return util.RuntimeInsideValidate(g, t, nil)
1721
}
1822
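Review bot: `g.Config.Linux.Seccomp = nil` (new line 15) writes through the config struct directly and panics if `g.Config.Linux` is still nil at that point, whereas the previous `g.SetupPrivileged(true)` went through the generator's API; the generator setters initialize the Linux section themselves, so either move the assignment after `g.SetLinuxRootPropagation(propMode)` or guard it with a nil check. A second, smaller point: the comment at new line 14 names only mount/umount/umount2 as the blocked syscalls, but the change drops the whole seccomp profile; if the generator can add individual syscalls to the profile, allowing just those three would keep the rest of the test under the default profile (that could go into the same follow-up the commit message promises for validation/process_capabilities). Unrelated but visible in the context: the error returned by `g.SetLinuxRootPropagation(propMode)` is still discarded.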

0 commit comments
