From 788106dad12dd83763bb6ab1f1e4e57c75f73a14 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Thu, 30 Sep 2021 09:55:59 +0200
Subject: [PATCH 1/2] test: skip test on rootless cgroupsv1

skip the test "podman selinux: shared context in (some) namespaces" on
cgroupsv1 when running as rootless since the tests requires
--pid=container:.

If the container runtime cannot use cgroupsv1 and the container has no
pid namespace, then it is not possible to correctly terminate the
container.  Without a cgroup or a pid namespace, the runtime has no
control over what processes are in the container.

Closes: https://github.com/containers/podman/issues/11785

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 test/system/410-selinux.bats |  4 ++++
 test/system/helpers.bash     | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 5ee0e0715d..0f7c35c657 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -113,6 +113,10 @@ function check_label() {
 @test "podman selinux: shared context in (some) namespaces" {
     skip_if_no_selinux
 
+    # rootless users have no usable cgroups with cgroupsv1, so containers
+    # must use a pid namespace and not join an existing one.
+    skip_if_rootless_cgroupsv1
+
     run_podman run -d --name myctr $IMAGE top
     run_podman exec myctr cat -v /proc/self/attr/current
     context_c1="$output"
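Review bot: The skip sits at the very top of the test, so on rootless cgroupsv1 hosts every SELinux label check in it is dropped, not only the case that needs `--pid=container:`. The test body continues outside the hunk, so I cannot see where the pid-sharing case starts. If the earlier cases do not join an existing pid namespace, consider placing `skip_if_rootless_cgroupsv1` immediately before the `--pid=container:` run, or splitting that case into its own `@test`. Passing a reason through the helper's optional argument, e.g. `skip_if_rootless_cgroupsv1 "--pid=container: needs cgroups for cleanup"`, would also make the lost SELinux coverage visible in the test log.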
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 28ea924bb7..666735b0c2 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -428,6 +428,18 @@ function skip_if_cgroupsv1() {
     fi
 }
 
+######################
+#  skip_if_rootless_cgroupsv1  #  ...with an optional message
+######################
+function skip_if_rootless_cgroupsv1() {
+    if is_rootless; then
+        if ! is_cgroupsv2; then
+            local msg=$(_add_label_if_missing "$1" "rootless cgroupvs1")
+            skip "${msg:-not supported as rootless under cgroupsv1}"
+        fi
+    fi
+}
+
 ##################################
 #  skip_if_journald_unavailable  #  rhbz#1895105: rootless journald permissions
 ##################################
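Review bot: The label string in `skip_if_rootless_cgroupsv1` is misspelled as `rootless cgroupvs1`, so skip messages carry a label that does not match the helper's name and will be missed by anyone searching test logs for `cgroupsv1`. `_add_label_if_missing` is defined outside this hunk; if it checks whether the caller's message already contains the label, a correctly spelled message would presumably get the misspelled label added anyway. Change the line to `local msg=$(_add_label_if_missing "$1" "rootless cgroupsv1")`. As a style point, the nested `if`s can be folded into `if is_rootless && ! is_cgroupsv2; then`, and the banner's `#` rows should be widened to match the name line, as the `skip_if_journald_unavailable` banner below does.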

From 5c1b3e8d7256edf248c0a753ded611d5e6fab8c0 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Thu, 30 Sep 2021 13:59:46 +0200
Subject: [PATCH 2/2] test: use new helper

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 test/system/420-cgroups.bats | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/test/system/420-cgroups.bats b/test/system/420-cgroups.bats
index 89c81a7423..025a200129 100644
--- a/test/system/420-cgroups.bats
+++ b/test/system/420-cgroups.bats
@@ -8,9 +8,7 @@ load helpers
 @test "podman run, preserves initial --cgroup-manager" {
     skip_if_remote "podman-remote does not support --cgroup-manager"
 
-    if is_rootless && is_cgroupsv1; then
-        skip "not supported as rootless under cgroups v1"
-    fi
+    skip_if_rootless_cgroupsv1
 
     # Find out our default cgroup manager, and from that, get the non-default
     run_podman info --format '{{.Host.CgroupManager}}'