Merge pull request #1149 from cyphar/fix-sysctl-validation

validator: unbreak sysctl net.* validation

libcontainer/configs/validate/validator.go

@@ -125,13 +125,15 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
 			}
 		}
 		if strings.HasPrefix(s, "net.") {
-			if !config.Namespaces.Contains(configs.NEWNET) {
-				return fmt.Errorf("sysctl %q is not allowed in the hosts network namespace", s)
-			}
-			if path := config.Namespaces.PathOf(configs.NEWNET); path != "" {
-				if err := checkHostNs(s, path); err != nil {
-					return err
+			if config.Namespaces.Contains(configs.NEWNET) {
+				if path := config.Namespaces.PathOf(configs.NEWNET); path != "" {
+					if err := checkHostNs(s, path); err != nil {
+						return err
+					}
 				}
+				continue
+			} else {
+				return fmt.Errorf("sysctl %q is not allowed in the hosts network namespace", s)
 			}
 		}
 		return fmt.Errorf("sysctl %q is not in a separate kernel namespace", s)

libcontainer/configs/validate/validator_test.go

@@ -202,6 +202,35 @@ func TestValidateSysctl(t *testing.T) {
 	}
 }
 
+func TestValidateValidSysctl(t *testing.T) {
+	sysctl := map[string]string{
+		"fs.mqueue.ctl": "ctl",
+		"net.ctl":       "ctl",
+		"kernel.msgmax": "ctl",
+	}
+
+	for k, v := range sysctl {
+		config := &configs.Config{
+			Rootfs: "/var",
+			Sysctl: map[string]string{k: v},
+			Namespaces: []configs.Namespace{
+				{
+					Type: configs.NEWNET,
+				},
+				{
+					Type: configs.NEWIPC,
+				},
+			},
+		}
+
+		validator := validate.New()
+		err := validator.Validate(config)
+		if err != nil {
+			t.Errorf("Expected error to not occur with {%s=%s} but got: %q", k, v, err)
+		}
+	}
+}
+
 func TestValidateSysctlWithSameNs(t *testing.T) {
 	config := &configs.Config{
 		Rootfs: "/var",