
add bwrapping on all other scripts/*.test except those that make Internet connections, and remove test for setuid bit, as some systems are configured to not require setuid/CAP_NET_ADMIN for CLONE_NEWNET.

Daniel Pouzzner 3 years ago
parent
commit
51046d45d3

+ 11 - 1
scripts/crl-revoked.test

@@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash
 
 #crl.test
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 revocation_code="-361"
 exit_code=1
 counter=0
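Review bot: With the setuid check gone, the `exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"` line runs whenever bwrap is on PATH, so a host where bwrap is installed but not allowed to create a network namespace would fail the test with bwrap's error instead of falling back to an unisolated run (which hosts behave this way is inferred, not shown in the diff). Probing first keeps the fallback: `if [[ -n "$bwrap_path" ]] && "$bwrap_path" --unshare-net --dev-bind / / true 2>/dev/null; then`. The `unset AM_BWRAPPED` after `exec` is also dead code in a non-interactive bash, which exits when `exec` fails unless `shopt -s execfail` is set. The same preamble is added in openssl.test, pkcallbacks.test, psk.test, resume.test, sniffer-testsuite.test, tls13.test and trusted_peer.test, and kept in ocsp-stapling-with-ca-as-responder.test and ocsp-stapling2.test.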

+ 5 - 11
scripts/ocsp-stapling-with-ca-as-responder.test

@@ -2,19 +2,13 @@
 
 # ocsp-stapling-with-ca-as-responder.test
 
-# if we can, isolate the network namespace to eliminate port collisions
+# if we can, isolate the network namespace to eliminate port collisions.
 if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
     bwrap_path="$(command -v bwrap)"
-    if [[ -z "$bwrap_path" ]]; then
-	echo "couldn't find bwrap -- not isolating network namespace."
-    elif [[ ! -u "$bwrap_path" ]]; then
-	echo "$bwrap_path isn't setuid -- not isolating network namespace."
-    else
-	echo "isolating network namespace..."
-	export AM_BWRAPPED=yes
-	exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
-	unset AM_BWRAPPED
-	echo "not isolating network namespace."
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
     fi
 fi
 
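Review bot: The rewritten preamble prints nothing, so a test log no longer shows whether this run was isolated; the removed branches reported both the missing-bwrap case and the isolating case. When a port collision or a bwrap failure has to be diagnosed later, one line on stderr is enough, for example an `else` arm with `echo "bwrap not found -- not isolating network namespace." >&2`. The identical change in scripts/ocsp-stapling2.test loses the same messages.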

+ 0 - 16
scripts/ocsp-stapling.test

@@ -3,22 +3,6 @@
 # ocsp-stapling.test
 # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST
 
-# if we can, isolate the network namespace to eliminate port collisions
-if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
-    bwrap_path="$(command -v bwrap)"
-    if [[ -z "$bwrap_path" ]]; then
-	echo "couldn't find bwrap -- not isolating network namespace."
-    elif [[ ! -u "$bwrap_path" ]]; then
-	echo "$bwrap_path isn't setuid -- not isolating network namespace."
-    else
-	echo "isolating network namespace..."
-	export AM_BWRAPPED=yes
-	exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
-	unset AM_BWRAPPED
-	echo "not isolating network namespace."
-    fi
-fi
-
 if [[ -z "${RETRIES_REMAINING-}" ]]; then
     export RETRIES_REMAINING=2
 fi

+ 5 - 11
scripts/ocsp-stapling2.test

@@ -3,19 +3,13 @@
 # ocsp-stapling2.test
 # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
 
-# if we can, isolate the network namespace to eliminate port collisions
+# if we can, isolate the network namespace to eliminate port collisions.
 if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
     bwrap_path="$(command -v bwrap)"
-    if [[ -z "$bwrap_path" ]]; then
-	echo "couldn't find bwrap -- not isolating network namespace."
-    elif [[ ! -u "$bwrap_path" ]]; then
-	echo "$bwrap_path isn't setuid -- not isolating network namespace."
-    else
-	echo "isolating network namespace..."
-	export AM_BWRAPPED=yes
-	exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
-	unset AM_BWRAPPED
-	echo "not isolating network namespace."
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
     fi
 fi
 

+ 14 - 4
scripts/openssl.test

@@ -1,14 +1,24 @@
-#!/bin/sh
+#!/bin/bash
 
 #openssl.test
 
-if test -n "$WOLFSSL_OPENSSL_TEST"; then
-    echo "WOLFSSL_OPENSSL_TEST set, running test..."
-else
+if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
     echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
     exit 0
 fi
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
+echo "WOLFSSL_OPENSSL_TEST set, running test..."
+
 # need a unique port since may run the same time as testsuite
 generate_port() {
     port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
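Review bot: `if ! test -n "$WOLFSSL_OPENSSL_TEST"; then` at the top is a double negative and mixes `test` with the `[[ ]]` form used a few lines below; now that the script runs under bash, `if [[ -z "${WOLFSSL_OPENSSL_TEST-}" ]]; then` says the same thing and matches the `${AM_BWRAPPED-}` expansion. A short comment on the ordering would also help, e.g. `# skip before the re-exec so a disabled test never starts bwrap`. generate_port continues past the end of the hunk and is not reviewed here.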

+ 11 - 1
scripts/pkcallbacks.test

@@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash
 
 #pkcallbacks.test
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 exit_code=1
 counter=0
 # need a unique resume port since may run the same time as testsuite
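Review bot: The shebang change to `#!/bin/bash` on the first line hard-codes a path that may not exist everywhere the tests run; bash is installed elsewhere or not at all on some systems (which targets matter to this project is an assumption, not shown in the diff). `#!/usr/bin/env bash` would find bash through PATH. Alternatively the preamble can stay POSIX with `if [ "${AM_BWRAPPED-}" != "yes" ]; then` and `if [ -n "$bwrap_path" ]; then`, which needs no shebang change. The same switch is made in crl-revoked.test, openssl.test, psk.test, resume.test, sniffer-testsuite.test, tls13.test and trusted_peer.test.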

+ 11 - 1
scripts/psk.test

@@ -1,8 +1,18 @@
-#!/bin/sh
+#!/bin/bash
 
 # psk.test
 # copyright wolfSSL 2016
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # getting unique port is modeled after resume.test script
 # need a unique port since may run the same time as testsuite
 # use server port zero hack to get one
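Review bot: The comment above the preamble says the namespace is isolated, but `--dev-bind / /` maps the whole host root, device nodes included, into the wrapped process with the caller's normal access, so only the network is separated. A reader who sees bwrap may assume the test is sandboxed. I would extend the comment with `# network namespace only: --dev-bind / / leaves the host filesystem and /dev visible and writable.` The identical preamble in the other scripts touched by this commit would take the same comment.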

+ 11 - 1
scripts/resume.test

@@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash
 
 #resume.test
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # need a unique resume port since may run the same time as testsuite
 # use server port zero hack to get one
 resume_string="reused"
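Review bot: This nine-line preamble now exists verbatim in ten scripts, and this commit already had to hand-edit the earlier copies to keep them in step. Keeping it in one file that each test sources right after its header comment would make the next change a single edit; `"$0"` and `"$@"` still refer to the calling script when a file is sourced without arguments. Something like `. "$(dirname "$0")/SHARED_PREAMBLE.sh"` (file name is a placeholder) would replace the block.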

+ 11 - 1
scripts/sniffer-testsuite.test

@@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash
 
 #sniffer-testsuite.test
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # ./configure --enable-sniffer [--enable-session-ticket]
 # Resumption tests require "--enable-session-ticket"
 

+ 11 - 1
scripts/tls13.test

@@ -1,8 +1,18 @@
-#!/bin/sh
+#!/bin/bash
 
 # tls13.test
 # copyright wolfSSL 2016
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # getting unique port is modeled after resume.test script
 # need a unique port since may run the same time as testsuite
 # use server port zero hack to get one

+ 11 - 1
scripts/trusted_peer.test

@@ -1,8 +1,18 @@
-#!/bin/sh
+#!/bin/bash
 
 # trusted_peer.test
 # copyright wolfSSL 2016
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # getting unique port is modeled after resume.test script
 # need a unique port since may run the same time as testsuite
 # use server port zero hack to get one