From: Simon McVittie <smcv@collabora.com>
Date: Thu, 23 Feb 2023 10:02:01 +0000
Subject: tests: Try harder to evade --disable-userns

The worst-case scenario in terms of enforcing --disable-userns is that
we're retaining all capabilities, so test that too, to make sure that
the option is genuinely restricting even a privileged user.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Forwarded: https://github.com/containers/bubblewrap/pull/554
---
 tests/test-run.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/test-run.sh b/tests/test-run.sh
index 171e5d4..a90f0b1 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -132,6 +132,15 @@ else
     $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 2 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
     $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 100 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
     $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "! $BWRAP --unshare-user --dev-bind / / --assert-userns-disabled -- true"
+
+    $BWRAP_RECURSE --dev-bind / / -- true
+    ! $BWRAP_RECURSE --assert-userns-disabled --dev-bind / / -- true
+    $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- true
+    ! $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- /proc/self/exe --dev-bind / / -- true
+    $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 2 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
+    $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 100 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
+    $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- sh -c "! $BWRAP --unshare-user --dev-bind / / --assert-userns-disabled -- true"
+
     echo "ok - can disable nested userns"
 fi
 
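Review bot: the seven added lines at the top of this hunk all depend on `$BWRAP_RECURSE`, which is not defined anywhere in the visible hunk; the commit message says the new cases exercise bwrap while "retaining all capabilities", so the definition of `$BWRAP_RECURSE` (and the capability set it keeps) needs to be visible in the same change, or a reader of this diff cannot tell what privilege level these assertions actually cover, and a missing definition would make the first line silently run `--dev-bind / / -- true` with no wrapper at all. Two smaller points on the same block: the line `! $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- /proc/self/exe --dev-bind / / -- true` relies on `/proc/self/exe` resolving to the bwrap binary at the moment of the nested exec, which is correct but non-obvious and deserves a one-line comment saying it re-invokes bwrap from inside the sandbox; and the `echo "ok - can disable nested userns"` that closes the block now also covers the privileged variant, so it may be worth printing a separate "ok" for the `$BWRAP_RECURSE` cases so a failure can be attributed to the right set.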
