From patchwork Thu Feb 1 12:01:04 2024
X-Patchwork-Submitter: Simon Chopin
X-Patchwork-Id: 85126
From: Simon Chopin
To: libc-alpha@sourceware.org
Cc: Simon Chopin
Subject: [PATCH] test-container: gracefully handle AppArmor containment
Date: Thu, 1 Feb 2024 13:01:04 +0100
Message-Id: <20240201120104.143973-1-simon.chopin@canonical.com>

Recent AppArmor containment allows restricting unprivileged user namespaces, which is enabled by default on recent Ubuntu systems. When that happens, the affected tests will now be considered unsupported rather than simply failing.

Further information:

* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

Signed-off-by: Simon Chopin
---
 support/test-container.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

base-commit: 42cc619dfbc44e263239c2de870bae11ad65810a
diff --git a/support/test-container.c b/support/test-container.c index adf2b30215..a04ae07807 100644 --- a/support/test-container.c +++ b/support/test-container.c @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns) { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 }, /* ALT Linux has an alternate way of doing the same. */ { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, + /* AppArmor can also disable unprivileged user namespaces */ + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 }, + { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 }, /* Linux kernel >= 4.9 has a configurable limit on the number of each namespace. Some distros set the limit to zero to disable the corresponding namespace as a "security policy". */ @@ -1108,10 +1111,11 @@ main (int argc, char **argv) { /* Older kernels may not support all the options, or security policy may block this call. */ - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) + if (errno == EINVAL || errno == EPERM + || errno == ENOSPC || errno == EACCES) { int saved_errno = errno; - if (errno == EPERM || errno == ENOSPC) + if (errno == EPERM || errno == ENOSPC || errno == EACCES) check_for_unshare_hints (require_pidns); FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno)); }
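Review bot: in the check_for_unshare_hints hunk the new comment `/* AppArmor can also disable unprivileged user namespaces */` lacks the closing period and double space that the neighbouring table comments use (`/* ALT Linux has an alternate way of doing the same. */`); GNU style would be `/* AppArmor can also disable unprivileged user namespaces.  */`. The numeric fields of the new row (`1, 0, 0`) copy the `userns_restrict` row rather than the `unprivileged_userns_clone` row (`0, 1, 0`), i.e. a value of 1 means the restriction is on and 0 is the expected unrestricted value, which is the right polarity for `apparmor_restrict_unprivileged_userns`; stating that in the comment would save the next reader the row-by-row comparison.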
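Review bot: in the main() hunk the errno list is now maintained twice, once in the outer `if (errno == EINVAL || errno == EPERM || errno == ENOSPC || errno == EACCES)` and again in the inner `if (errno == EPERM || errno == ENOSPC || errno == EACCES)`, differing only by EINVAL; adding EACCES to both is easy to forget next time a value is added. Since the outer condition already narrows errno to those four values, the inner test can simply be `if (errno != EINVAL)`, or alternatively the new EACCES case deserves a one-line comment saying it is what the AppArmor restriction returns for this unshare call, so a reader knows why it is grouped with EPERM. The ordering is otherwise right: `saved_errno` is captured before `check_for_unshare_hints` can clobber errno, so the FAIL_UNSUPPORTED message still reports the original error.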
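A stand-alone probe, added here as an example and not part of the patch or of glibc's support/test-container.c, that mirrors the patched errno policy: it tries unshare(CLONE_NEWUSER), classifies a failure the way the patched main() does, and reads the AppArmor sysctl that the new hint-table row names. The function names are my own; the sysctl path and its "restricted" value of 1 are taken from the hunk.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000  /* value from <linux/sched.h> */
#endif
extern int unshare (int);         /* in case _GNU_SOURCE was set too late */

enum userns_status { USERNS_OK, USERNS_UNSUPPORTED, USERNS_FAILED };
/* Policy from the patched test-container.c: these four errno values mean
   "unsupported here", anything else is a real error, 0 is success.  */
enum userns_status classify_unshare_errno (int err)
{
  if (err == 0)
    return USERNS_OK;
  if (err == EINVAL || err == EPERM || err == ENOSPC || err == EACCES)
    return USERNS_UNSUPPORTED;
  return USERNS_FAILED;
}
/* The patch consults its /proc hint table only for these three.  */
int wants_unshare_hints (int err)
{
  return err == EPERM || err == ENOSPC || err == EACCES;
}
/* 1 if PATH reads as the integer 1 (the hint table's "restricted" value), else 0.  */
int sysctl_is_one (const char *path)
{
  int v = 0;
  FILE *f = fopen (path, "r");
  if (f == NULL)
    return 0;
  int ok = fscanf (f, "%d", &v) == 1;
  fclose (f);
  return ok && v == 1;
}
/* 0 on success else errno; alters the caller's namespaces, so use in a throw-away process.  */
int probe_userns (void)
{
  return unshare (CLONE_NEWUSER) == 0 ? 0 : errno;
}
int main (void)
{
  int err = probe_userns ();
  printf ("unshare(CLONE_NEWUSER): %s\n", err ? strerror (err) : "ok");
  if (wants_unshare_hints (err)
      && sysctl_is_one ("/proc/sys/kernel/apparmor_restrict_unprivileged_userns"))
    puts ("hint: AppArmor restricts unprivileged user namespaces here");
  return classify_unshare_errno (err) == USERNS_FAILED;
}
```

Run it as an unprivileged user on a host with the restriction enabled and it reports EACCES or EPERM plus the AppArmor hint, which is exactly the situation the patch turns from a test failure into "unsupported".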