tests/int: test for CAP_DAC_OVERRIDE

This is a test case for issue reported as opencontainers#3715. In short, even if a
(non-root) user that the container is run as does not have execute
permission bit set for the executable, it should still work in case runc
has the CAP_DAC_OVERRIDE capability set.

Since the upstream golang is also broken (see [1]), let's skip this test
for Go 1.20 and 1.20.1 (and hope it'll be fixed in Go 1.20.2 as per [2].

[1] https://go.dev/issue/58552
[2] https://go-review.googlesource.com/c/go/+/469956

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

tests/integration/start_hello.bats

@@ -37,6 +37,37 @@ function teardown() {
 	[[ "${output}" == *"Hello"* ]]
 }
 
+# https://github.com/opencontainers/runc/issues/3715, https://go.dev/issue/58552
+@test "runc run as user with no exec bit but CAP_DAC_OVERRIDE set" {
+	# --user can't work in rootless containers that don't have idmap.
+	[ $EUID -ne 0 ] && requires rootless_idmap
+	case "$(__runc --version | grep '^go:')" in
+		"go: go1.20"|"go: go1.20.1")
+		skip "go 1.20[.1] is broken; see https://go.dev/issue/58552"
+		;;
+	esac
+
+	# Remove exec perm for everyone but owner (root).
+	chown 0 rootfs/bin/echo
+	chmod go-x rootfs/bin/echo
+
+	# Replace "uid": 0 with "uid": 1000 and do a similar thing for gid.
+	update_config '	  (.. | select(.uid? == 0)) .uid |= 1000
+			| (.. | select(.gid? == 0)) .gid |= 100'
+
+	# Sanity check: make sure we can't run the container w/o CAP_DAC_OVERRIDE.
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+
+	# Enable CAP_DAC_OVERRIDE.
+	update_config '	  .process.capabilities.bounding += ["CAP_DAC_OVERRIDE"]
+			| .process.capabilities.effective += ["CAP_DAC_OVERRIDE"]
+			| .process.capabilities.permitted += ["CAP_DAC_OVERRIDE"]'
+
+	runc run test_busybox
+	[ "$status" -eq 0 ]
+}
+
 @test "runc run with rootfs set to ." {
 	cp config.json rootfs/.
 	rm config.json