Skip to content

fix(sandbox): skip fork-exec socket ambiguity test on SELinux#1449

Open
derekwaynecarr wants to merge 1 commit into
NVIDIA:mainfrom
derekwaynecarr:fix/proxy-fork-socket-test-flake
Open

fix(sandbox): skip fork-exec socket ambiguity test on SELinux#1449
derekwaynecarr wants to merge 1 commit into
NVIDIA:mainfrom
derekwaynecarr:fix/proxy-fork-socket-test-flake

Conversation

@derekwaynecarr
Copy link
Copy Markdown
Collaborator

@derekwaynecarr derekwaynecarr commented May 19, 2026

Summary

Exec'ing /bin/sleep (SELinux label bin_t) from a user_home_t test binary causes /proc//exe readlink to return ENOENT on SELinux-enforcing hosts due to the cross-domain boundary. Skip the test at runtime when getenforce reports Enforcing.

Also adds a ChildGuard drop guard for safe child cleanup on panic and increases the exec-detection deadline from 2s to 5s.

Related Issue

Changes

Testing

  • [x ] mise run pre-commit passes
  • [ x] Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • [ x] Follows Conventional Commits
  • [ x] Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@derekwaynecarr derekwaynecarr requested review from a team, maxamillion and mrunalp as code owners May 19, 2026 13:54
@copy-pr-bot
Copy link
Copy Markdown

copy-pr-bot Bot commented May 19, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@derekwaynecarr
Copy link
Copy Markdown
Collaborator Author

derekwaynecarr commented May 19, 2026

/ok to test b8f9c2b

@derekwaynecarr
fix(sandbox): skip fork-exec socket ambiguity test on SELinux-enforci…
4f5a7e0 
…ng hosts

Exec'ing /bin/sleep (SELinux label bin_t) from a user_home_t test binary
causes /proc/<pid>/exe readlink to return ENOENT on SELinux-enforcing
hosts due to the cross-domain boundary. Skip the test at runtime when
getenforce reports Enforcing.

Also adds a ChildGuard drop guard for safe child cleanup on panic and
increases the exec-detection deadline from 2s to 5s.

Signed-off-by: Derek Carr <decarr@redhat.com>
@derekwaynecarr derekwaynecarr force-pushed the fix/proxy-fork-socket-test-flake branch from b8f9c2b to 4f5a7e0 Compare May 19, 2026 16:20
@derekwaynecarr
Copy link
Copy Markdown
Collaborator Author

derekwaynecarr commented May 19, 2026

/ok to test 4f5a7e0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@maxamillion maxamillion Awaiting requested review from maxamillion maxamillion is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@derekwaynecarr