os-autoinst · ricardobranco777 · Jan 2, 2026 · Jan 2, 2026 · Jan 2, 2026 · Jan 2, 2026
@@ -204,13 +204,15 @@ podman:
   # https://github.com/containers/podman/pull/27760 - test/system: remove apk from build
   # https://github.com/containers/podman/pull/27813 - test: Fix --hostuser octal UID test flakiness
   # https://github.com/containers/podman/pull/27826 - test: Fix PODMAN_BATS_LEAK_CHECK
+  # https://github.com/containers/podman/pull/27846 - test/e2e: Skip privileged container test if NoNewPrivs is set
   opensuse-Tumbleweed:
     GITHUB_PATCHES:
     - 26934
     - 27463
     - 27760
     - 27813
     - 27826
+    - 27846
   sle-16.1:
     GITHUB_PATCHES:
     - 25858
@@ -259,8 +261,12 @@ podman:
     - 27760
 podman-py:
   opensuse-Tumbleweed:
+  # Note on patches:
+  # https://github.com/opencontainers/runc/pull/5079 - integration: Skip test for new privileges if NoNewPrivs is set
 runc:
   opensuse-Tumbleweed:
+    GITHUB_PATCHES:
+    - 5079
   sle-16.1:
   sle-16.0:
   sle-15-SP7:

@@ -0,0 +1,26 @@
+From 7d76d0ca439cda14a9b046403b4deb8495a3e40e Mon Sep 17 00:00:00 2001
+From: Ricardo Branco <[email protected]>
+Date: Fri, 2 Jan 2026 17:22:05 +0100
+Subject: [PATCH] test/e2e: Skip privileged container test if NoNewPrivs is set
+
+Signed-off-by: Ricardo Branco <[email protected]>
+---
+ test/e2e/run_privileged_test.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
+index 967168d123b..92c6371491d 100644
+--- a/test/e2e/run_privileged_test.go
++++ b/test/e2e/run_privileged_test.go
+@@ -143,6 +143,11 @@ var _ = Describe("Podman privileged container tests", func() {
+ 			Skip("Can't determine NoNewPrivs")
+ 		}
+
++		fields := strings.Fields(cap.OutputToString())
++		if fields[1] != "0" {
++			Skip("NoNewPrivs set")
++		}
++
+ 		session := podmanTest.Podman([]string{"run", BB, "grep", "NoNewPrivs", "/proc/self/status"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session).Should(ExitCleanly())
@@ -0,0 +1,25 @@
+From 763bec37489386c6b65f7659c3e9c9b486cd3bdb Mon Sep 17 00:00:00 2001
+From: Ricardo Branco <[email protected]>
+Date: Fri, 2 Jan 2026 16:59:23 +0100
+Subject: [PATCH] integration: Skip test for new privileges if NoNewPrivs is
+ set
+
+Signed-off-by: Ricardo Branco <[email protected]>
+---
+ tests/integration/capabilities.bats | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/integration/capabilities.bats b/tests/integration/capabilities.bats
+index 4b1c127e026..2cb8b3d5600 100644
+--- a/tests/integration/capabilities.bats
++++ b/tests/integration/capabilities.bats
+@@ -31,6 +31,9 @@ function teardown() {
+ }
+
+ @test "runc run with new privileges" {
++	if [ $(awk '/^NoNewPrivs:/ { print $2 }' /proc/self/status) -ne 0 ]; then
++		skip "requires unset NoNewPrivs"
++	fi
+ 	update_config '.process.noNewPrivileges = false'
+ 	runc run test_new_privileges
+ 	[ "$status" -eq 0 ]
@@ -302,19 +302,19 @@ EOF
     write_sut_file('/etc/systemd/system/tmp.mount.d/override.conf', $override_conf);
 }
 
+sub nonewprivs {
+    run_command "zypper ar -f https://download.opensuse.org/repositories/home:/kukuk:/no_new_privs/openSUSE_Tumbleweed/ no_new_privs";
+    run_command "zypper -n --gpg-auto-import-keys install --force-resolution --allow-vendor-change enable-no_new_privs";
+    run_command "systemctl enable --now polkit-agent-helper.socket || true";
+}
+
 sub setup_pkgs {
     my ($self, @pkgs) = @_;
 
     @commands = ("### RUN AS root");
 
     install_bats if get_var("BATS_PACKAGE");
 
-    if (script_run("test -f /etc/sudoers.d/usrlocal")) {
-        assert_script_run "mkdir -pm 0750 /etc/sudoers.d/";
-        assert_script_run "echo 'Defaults secure_path=\"/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin\"' > /etc/sudoers.d/usrlocal";
-        assert_script_run "echo '$testapi::username ALL=(ALL:ALL) NOPASSWD: ALL' > /etc/sudoers.d/nopasswd";
-    }
-
     enable_modules if is_sle("<16");
 
     if (get_var("TEST_REPOS", "")) {
@@ -375,6 +375,8 @@ EOF
 
     return if $rebooted;
 
+    nonewprivs if get_var("NONEWPRIVS");
+
     foreach my $pkg (split(/\s+/, get_var("TEST_PACKAGES", ""))) {
         run_command "zypper --gpg-auto-import-keys --no-gpg-checks -n install $pkg";
     }

@@ -75,7 +75,7 @@ sub run {
     select_serial_terminal;
 
     my @pkgs = qw(aardvark-dns apache2-utils buildah catatonit glibc-devel-static go1.24 gpg2 libgpgme-devel
-      libseccomp-devel make netavark openssl podman podman-remote python3-PyYAML skopeo socat sudo systemd-container xfsprogs);
+      libseccomp-devel make netavark openssl podman podman-remote python3-PyYAML skopeo socat systemd-container xfsprogs);
     push @pkgs, qw(criu libcriu2) if is_tumbleweed;
     push @pkgs, qw(netcat-openbsd) if is_sle("<16");
     # Needed for podman machine