Commit Message
I need the two attached patches in order to get tst-ttyname to succeed
when running on Fedora as a non-root user.
info: entering chroot 1
info: testcase: basic smoketest
info: ttyname: PASS {name="/dev/pts/5", errno=0}
info: ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
"deny"): Operation not permitted
info: entering chroot 2
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
"deny"): Operation not permitted
error: 2 test failures
I get the same failure when running the test on
kernel-3.10.0-768.el7.x86_64 (there I tested as root).
This is on top of master with commit
ce003e5d4cd94c5380699b0dadeaaf825813afbe (support_become_root: Enable
file creation in user namespaces). The test failure was present before
I pushed that change.
Would you please double-check that they do not break the test on
whatever distributions you tested on and do not interfere with the test
objective?
Thanks,
Florian
Comments
On Fri, Nov 17, 2017 at 10:28:44PM +0100, Florian Weimer wrote:
> I need the two attached patches in order to get tst-ttyname to succeed when
> running on Fedora as a non-root user.
>
> info: entering chroot 1
> info: testcase: basic smoketest
> info: ttyname: PASS {name="/dev/pts/5", errno=0}
> info: ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
> "deny"): Operation not permitted
> info: entering chroot 2
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
> "deny"): Operation not permitted
> error: 2 test failures
>
> I get the same failure when running the test on kernel-3.10.0-768.el7.x86_64
> (there I tested as root).
This is all fine. However, I'm going to send a small patch for
setup_uid_gid_mapping. Unless I'm reading this wrong you still exit with a
failure when you fail to open the setgroups file. However, the setgroups "deny"
restriction and the corresponding file were only added in 3.19. Before that you
could simply write to gid_map. Sending a patch for this.
>
> This is on top of master with commit
> ce003e5d4cd94c5380699b0dadeaaf825813afbe (support_become_root: Enable file
> creation in user namespaces). The test failure was present before I pushed
> that change.
>
> Would you please double-check that they do not break the test on whatever
> distributions you tested on and do not interfere with the test objective?
>
> Thanks,
> Florian
On Fri, 17 Nov 2017 16:28:44 -0500,
Florian Weimer wrote:
> I need the two attached patches in order to get tst-ttyname to succeed
> when running on Fedora as a non-root user.
>
> info: entering chroot 1
> info: testcase: basic smoketest
> info: ttyname: PASS {name="/dev/pts/5", errno=0}
> info: ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
> "deny"): Operation not permitted
> info: entering chroot 2
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
> "deny"): Operation not permitted
> error: 2 test failures
>
> I get the same failure when running the test on
> kernel-3.10.0-768.el7.x86_64 (there I tested as root).
>
> This is on top of master with commit
> ce003e5d4cd94c5380699b0dadeaaf825813afbe (support_become_root: Enable
> file creation in user namespaces). The test failure was present
> before I pushed that change.
>
> Would you please double-check that they do not break the test on
> whatever distributions you tested on and do not interfere with the
> test objective?
I'm a bit confused why being mounted MS_SHARED caused writing to (but
not opening) /proc/self/setgroups to fail; and not some other issues.
But, I don't believe that this affects the test objectives, and I have
verified that it doesn't break the test here on Parabola.
(Sorry I didn't reply on Friday, I'm traveling.)
On 17/11/2017 19:28, Florian Weimer wrote:
> I need the two attached patches in order to get tst-ttyname to succeed when running on Fedora as a non-root user.
>
> info: entering chroot 1
> info: testcase: basic smoketest
> info: ttyname: PASS {name="/dev/pts/5", errno=0}
> info: ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
> info: entering chroot 2
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
> error: 2 test failures
>
> I get the same failure when running the test on kernel-3.10.0-768.el7.x86_64 (there I tested as root).
>
> This is on top of master with commit ce003e5d4cd94c5380699b0dadeaaf825813afbe (support_become_root: Enable file creation in user namespaces). The test failure was present before I pushed that change.
>
> Would you please double-check that they do not break the test on whatever distributions you tested on and do not interfere with the test objective?
>
> Thanks,
> Florian
I am still seeing failures on Ubuntu 16.04 (4.4.0-71-generic) on master:
info: entering chroot 1
info: testcase: basic smoketest
info: ttyname: PASS {name="/dev/pts/38", errno=0}
info: ttyname_r: PASS {name="/dev/pts/38", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:285: mount ("devpts", "dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, "newinstance,ptmxmode=0666,mode=620") == 0: Invalid argument
info: entering chroot 2
info: testcase: basic smoketest
info: ttyname: PASS {name="/dev/pts/38", errno=0}
info: ttyname_r: PASS {name="/dev/pts/38", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:357: mount ("devpts", "dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, "newinstance,ptmxmode=0666,mode=620") == 0: Invalid argument
I noted, at least on my environment, it requires running as a more privileged user
to avoid the above failure. Is it the expected behaviour? Should we move it to
xcheck and add the a possible requirement [1]?
[1] https://sourceware.org/glibc/wiki/Testing/Testsuite#Details_about_make_xcheck_specific_tests
On 11/23/2017 01:22 PM, Adhemerval Zanella wrote:
> I noted, at least on my environment, it requires running as a more privileged user
> to avoid the above failure. Is it the expected behaviour? Should we move it to
> xcheck and add the a possible requirement [1]?
There might be a magic incantation which makes this work with kernel 4.4
in this particular configuration. Can you use kernel tracing to figure
out where the EINVAL error comes from?
Thanks,
Florian
On 23/11/2017 10:27, Florian Weimer wrote:
> On 11/23/2017 01:22 PM, Adhemerval Zanella wrote:
>> I noted, at least on my environment, it requires running as a more privileged user
>> to avoid the above failure. Is it the expected behaviour? Should we move it to
>> xcheck and add the a possible requirement [1]?
>
> There might be a magic incantation which makes this work with kernel 4.4 in this particular configuration. Can you use kernel tracing to figure out where the EINVAL error comes from?
I will debug this a little more today.
Subject: [PATCH] tst-ttyname: Fix namespace setup for Fedora
To: libc-alpha@sourceware.org
On Fedora, the previous initialization sequence did not work and
resulted in failures like:
info: entering chroot 1
info: testcase: basic smoketest
info: ttyname: PASS {name="/dev/pts/5", errno=0}
info: ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
info: entering chroot 2
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
error: 2 test failures
2017-11-17 Florian Weimer <fweimer@redhat.com>
* sysdeps/unix/sysv/linux/tst-ttyname.c
(become_root_in_mount_ns): Remove.
(do_in_chroot_1): Call support_enter_mount_namespace.
(do_in_chroot_2): Likewise.
(do_test): Call support_become_root early.
@@ -78,65 +78,6 @@ proc_fd_readlink (const char *linkname)
return target;
}
-static void
-become_root_in_mount_ns (void)
-{
- uid_t orig_uid = getuid ();
- gid_t orig_gid = getgid ();
-
- support_become_root ();
-
- if (unshare (CLONE_NEWNS) < 0)
- FAIL_UNSUPPORTED ("could not enter new mount namespace");
-
- /* support_become_root might have put us in a new user namespace;
- most filesystems (including tmpfs) don't allow file or directory
- creation from a user namespace unless uid and gid maps are set,
- even if we have root privileges in the namespace (failing with
- EOVERFLOW, since the uid overflows the empty (0-length) uid map).
-
- Also, stat always reports that uid and gid maps are empty, so we
- have to try actually reading from them to check if they are
- empty. */
- int fd;
-
- if ((fd = open ("/proc/self/uid_map", O_RDWR, 0)) >= 0)
- {
- char buf;
- if (read (fd, &buf, 1) == 0)
- {
- char *str = xasprintf ("0 %ld 1\n", (long)orig_uid);
- if (write (fd, str, strlen (str)) < 0)
- FAIL_EXIT1 ("write (uid_map, \"%s\"): %m", str);
- free (str);
- }
- xclose (fd);
- }
-
- /* Setting the gid map has the additional complexity that we have to
- first turn off setgroups. */
- if ((fd = open ("/proc/self/setgroups", O_WRONLY, 0)) >= 0)
- {
- const char *str = "deny";
- if (write (fd, str, strlen (str)) < 0)
- FAIL_EXIT1 ("write (setroups, \"%s\"): %m", str);
- xclose (fd);
- }
-
- if ((fd = open ("/proc/self/gid_map", O_RDWR, 0)) >= 0)
- {
- char buf;
- if (read (fd, &buf, 1) == 0)
- {
- char *str = xasprintf ("0 %ld 1\n", (long)orig_gid);
- if (write (fd, str, strlen (str)) < 0)
- FAIL_EXIT1 ("write (gid_map, \"%s\"): %m", str);
- free (str);
- }
- xclose (fd);
- }
-}
-
/* plain ttyname runner */
struct result
@@ -328,7 +269,8 @@ do_in_chroot_1 (int (*cb)(const char *, int))
{
xclose (master);
- become_root_in_mount_ns ();
+ if (!support_enter_mount_namespace ())
+ FAIL_UNSUPPORTED ("could not enter new mount namespace");
VERIFY (mount ("tmpfs", chrootdir, "tmpfs", 0, "mode=755") == 0);
VERIFY (chdir (chrootdir) == 0);
@@ -395,7 +337,8 @@ do_in_chroot_2 (int (*cb)(const char *, int))
xclose (pid_pipe[0]);
xclose (exit_pipe[1]);
- become_root_in_mount_ns ();
+ if (!support_enter_mount_namespace ())
+ FAIL_UNSUPPORTED ("could not enter new mount namespace");
int slave = xopen (slavename, O_RDWR, 0);
if (!doit (slave, "basic smoketest",
@@ -611,6 +554,8 @@ run_chroot_tests (const char *slavename, int slave)
static int
do_test (void)
{
+ support_become_root ();
+
int ret1 = do_in_chroot_1 (run_chroot_tests);
if (ret1 == EXIT_UNSUPPORTED)
return ret1;