test-container: gracefully handle AppArmor containment
Checks
Context | Check | Description
redhat-pt-bot/TryBot-apply_patch | success | Patch applied to master at the time it was sent
redhat-pt-bot/TryBot-32bit | success | Build for i686
linaro-tcwg-bot/tcwg_glibc_build--master-arm | success | Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm | success | Testing passed
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 | success | Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 | success | Testing passed
Commit Message
Recent AppArmor containment allows restricting unprivileged user
namespaces, which is enabled by default on recent Ubuntu systems.
When that happens, the affected tests will now be considered unsupported
rather than simply failing.
Further information:
* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
---
support/test-container.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
base-commit: 42cc619dfbc44e263239c2de870bae11ad65810a
Comments
On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote:
> Recent AppArmor containment allows restricting unprivileged user
> namespaces, which is enabled by default on recent Ubuntu systems.
>
> When that happens, the affected tests will now be considered unsupported
> rather than simply failing.
>
> Further information:
>
> * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
>
> Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> ---
> support/test-container.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/support/test-container.c b/support/test-container.c
> index adf2b30215..a04ae07807 100644
> --- a/support/test-container.c
> +++ b/support/test-container.c
> @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns)
> { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
> /* ALT Linux has an alternate way of doing the same. */
> { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> + /* AppArmor can also disable unprivileged user namespaces */
> + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
> + { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },
Why are you duplicating this entry?
Hi,
On Thu, 01 Feb 2024 20:20:09, Xi Ruoyao wrote:
> On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote:
> > Recent AppArmor containment allows restricting unprivileged user
> > namespaces, which is enabled by default on recent Ubuntu systems.
> >
> > When that happens, the affected tests will now be considered unsupported
> > rather than simply failing.
> >
> > Further information:
> >
> > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> >
> > Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> > ---
> > support/test-container.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/support/test-container.c b/support/test-container.c
> > index adf2b30215..a04ae07807 100644
> > --- a/support/test-container.c
> > +++ b/support/test-container.c
> > @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns)
> > { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
> > /* ALT Linux has an alternate way of doing the same. */
> > { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> > + /* AppArmor can also disable unprivileged user namespaces */
> > + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
> > + { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },
>
> Why are you duplicating this entry?
My mistake. This is fixed in the second revision of the patch.
Thanks!
@@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns)
{ "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
/* ALT Linux has an alternate way of doing the same. */
{ "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
+ /* AppArmor can also disable unprivileged user namespaces */
+ { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
+ { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },
/* Linux kernel >= 4.9 has a configurable limit on the number of
each namespace. Some distros set the limit to zero to disable the
corresponding namespace as a "security policy". */
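Review bot: the added `{ "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },` line does not belong in this hunk. It sits directly under the AppArmor comment although it is unrelated to AppArmor, and it lands just above the "Linux kernel >= 4.9 has a configurable limit on the number of each namespace" comment that introduces the namespace-limit entries; the review reply on this thread flags it as a duplicate. Drop that line so the hunk adds only the comment and the apparmor_restrict_unprivileged_userns entry. The new comment should also end with a period, like the ALT Linux comment above it.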
@@ -1108,10 +1111,11 @@ main (int argc, char **argv)
{
/* Older kernels may not support all the options, or security
policy may block this call. */
- if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+ if (errno == EINVAL || errno == EPERM
+ || errno == ENOSPC || errno == EACCES)
{
int saved_errno = errno;
- if (errno == EPERM || errno == ENOSPC)
+ if (errno == EPERM || errno == ENOSPC || errno == EACCES)
check_for_unshare_hints (require_pidns);
FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
}
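Review bot: EACCES now has to be listed twice, once in the outer condition and once in the inner `if (errno == EPERM || errno == ENOSPC || errno == EACCES)`, so the two lists must be kept in sync by hand. The inner test is the outer one minus EINVAL, so `if (saved_errno != EINVAL)` would express that directly and would use the value that was just saved. The comment above still says only "security policy may block this call" without noting which policy reports EACCES rather than EPERM; a short mention of the AppArmor restriction there would explain why the new errno is accepted.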