test-container: gracefully handle AppArmor containment

Message ID 20240201120104.143973-1-simon.chopin@canonical.com
State Superseded
Series test-container: gracefully handle AppArmor containment

Checks

Context                                           Check    Description
redhat-pt-bot/TryBot-apply_patch                  success  Patch applied to master at the time it was sent
redhat-pt-bot/TryBot-32bit                        success  Build for i686
linaro-tcwg-bot/tcwg_glibc_build--master-arm      success  Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm      success  Testing passed
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64  success  Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64  success  Testing passed

Commit Message

Simon Chopin Feb. 1, 2024, 12:01 p.m. UTC

Recent AppArmor containment allows restricting unprivileged user
namespaces, which is enabled by default on recent Ubuntu systems.

When that happens, the affected tests will now be considered unsupported
rather than simply failing.

Further information:

* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
---
 support/test-container.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)


base-commit: 42cc619dfbc44e263239c2de870bae11ad65810a
  

Comments

Xi Ruoyao Feb. 1, 2024, 12:20 p.m. UTC | #1
On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote:
> Recent AppArmor containment allows restricting unprivileged user
> namespaces, which is enabled by default on recent Ubuntu systems.
> 
> When that happens, the affected tests will now be considered unsupported
> rather than simply failing.
> 
> Further information:
> 
> * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> 
> Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> ---
>  support/test-container.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/support/test-container.c b/support/test-container.c
> index adf2b30215..a04ae07807 100644
> --- a/support/test-container.c
> +++ b/support/test-container.c
> @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns)
>      { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
>      /* ALT Linux has an alternate way of doing the same.  */
>      { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> +    /* AppArmor can also disable unprivileged user namespaces */
> +    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
> +    { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },

Why are you duplicating this entry?
  
Simon Chopin Feb. 6, 2024, 11:01 a.m. UTC | #2
Hi,

On Thu. 01 Feb. 2024 20:20:09, Xi Ruoyao wrote:
> On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote:
> > Recent AppArmor containment allows restricting unprivileged user
> > namespaces, which is enabled by default on recent Ubuntu systems.
> >
> > When that happens, the affected tests will now be considered unsupported
> > rather than simply failing.
> >
> > Further information:
> >
> > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> >
> > Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> > ---
> >  support/test-container.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/support/test-container.c b/support/test-container.c
> > index adf2b30215..a04ae07807 100644
> > --- a/support/test-container.c
> > +++ b/support/test-container.c
> > @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns)
> >      { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
> >      /* ALT Linux has an alternate way of doing the same.  */
> >      { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> > +    /* AppArmor can also disable unprivileged user namespaces */
> > +    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
> > +    { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },
>
> Why are you duplicating this entry?

My mistake. This is fixed in the second revision of the patch.

Thanks!
  

Patch

diff --git a/support/test-container.c b/support/test-container.c
index adf2b30215..a04ae07807 100644
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -682,6 +682,9 @@  check_for_unshare_hints (int require_pidns)
     { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
     /* ALT Linux has an alternate way of doing the same.  */
     { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
+    /* AppArmor can also disable unprivileged user namespaces */
+    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
+    { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },
     /* Linux kernel >= 4.9 has a configurable limit on the number of
        each namespace.  Some distros set the limit to zero to disable the
        corresponding namespace as a "security policy".  */
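Review bot: the added "/proc/sys/user/max_pid_namespaces" entry in check_for_unshare_hints does not belong to this change. The commit message only covers the AppArmor restriction, the entry sits above the comment that introduces the per-namespace limit files, and Xi Ruoyao's reply above identifies it as a duplicate of an existing entry. Drop that line and keep only the apparmor_restrict_unprivileged_userns entry. The new comment should also follow the style of the one before it and end with a period and two spaces before the closing "*/".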
@@ -1108,10 +1111,11 @@  main (int argc, char **argv)
     {
       /* Older kernels may not support all the options, or security
 	 policy may block this call.  */
-      if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+      if (errno == EINVAL || errno == EPERM
+          || errno == ENOSPC || errno == EACCES)
 	{
 	  int saved_errno = errno;
-	  if (errno == EPERM || errno == ENOSPC)
+	  if (errno == EPERM || errno == ENOSPC || errno == EACCES)
 	    check_for_unshare_hints (require_pidns);
 	  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
 	}
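Review bot: with EACCES added, the inner test in main (errno == EPERM || errno == ENOSPC || errno == EACCES) now repeats every value of the outer test except EINVAL, so the same errno list has to be kept in sync in two places. Consider writing the inner condition as "if (errno != EINVAL)", or testing saved_errno once, so that the next errno value only needs adding to the outer check. The comment above the check still says only that "security policy may block this call"; a sentence noting that EACCES is the value seen under the AppArmor restriction would document why it is in the list.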