From patchwork Tue Feb 6 10:59:32 2024
X-Patchwork-Submitter: Simon Chopin
X-Patchwork-Id: 85344
X-Patchwork-Delegate: maxim.kuvyrkov@gmail.com
From: Simon Chopin
To: libc-alpha@sourceware.org
Cc: Simon Chopin
Subject: [PATCH v2] tests: gracefully handle AppArmor userns containment
Date: Tue, 6 Feb 2024 11:59:32 +0100
Message-Id: <20240206105932.127820-1-simon.chopin@canonical.com>
In-Reply-To: <20240201120104.143973-1-simon.chopin@canonical.com>
References: <20240201120104.143973-1-simon.chopin@canonical.com>

Recent AppArmor containment allows restricting unprivileged user
namespaces, which is enabled by default on recent Ubuntu systems. When
that happens, the affected tests will now be considered unsupported
rather than simply failing.

Further information:

* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

V2:
* Fix duplicated line in check_unshare_hints
* Also handle similar failure in tst-pidfd_getpid

Signed-off-by: Simon Chopin
--- support/test-container.c | 7 +++++-- sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++- 2 files changed, 7 insertions(+), 3 deletions(-) base-commit: fa3eb7d5e7d32ca1ad48b48a7eb6d15b8382c3a7 diff --git a/support/test-container.c b/support/test-container.c index adf2b30215..af66cece51 100644 --- a/support/test-container.c +++ b/support/test-container.c 
@@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns) { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 }, /* ALT Linux has an alternate way of doing the same. */ { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, + /* AppArmor can also disable unprivileged user namespaces */ + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 }, /* Linux kernel >= 4.9 has a configurable limit on the number of each namespace. Some distros set the limit to zero to disable the corresponding namespace as a "security policy". */ @@ -1108,10 +1110,11 @@ main (int argc, char **argv) { /* Older kernels may not support all the options, or security policy may block this call. */ - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) + if (errno == EINVAL || errno == EPERM + || errno == ENOSPC || errno == EACCES) { int saved_errno = errno; - if (errno == EPERM || errno == ENOSPC) + if (errno == EPERM || errno == ENOSPC || errno == EACCES) check_for_unshare_hints (require_pidns); FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno)); } diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c index 0354da5abb..ef62fbe941 100644 --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c @@ -61,7 +61,8 @@ do_test (void) { /* Older kernels may not support all the options, or security policy may block this call. */ - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) + if (errno == EINVAL || errno == EPERM + || errno == ENOSPC || errno == EACCES) exit (EXIT_UNSUPPORTED); FAIL_EXIT1 ("unshare user/fs/pid failed: %m"); }
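
Review bot: In the check_for_unshare_hints table hunk of support/test-container.c (@@ -682), the new comment "/* AppArmor can also disable unprivileged user namespaces */" lacks the terminating period that the neighbouring comments carry ("... way of doing the same. */"); end it with a period to match. The new row reuses the 1, 0, 0 values of the /proc/sys/kernel/userns_restrict entry just above it, so if 1 is the restricting value for apparmor_restrict_unprivileged_userns as well, saying so in the comment would save the reader from inferring it from the neighbouring row.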
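
Review bot: In the main() hunk of support/test-container.c (@@ -1108), the inner test "errno == EPERM || errno == ENOSPC || errno == EACCES" is now the outer test minus EINVAL, so the two lists have to be kept in sync by hand each time an errno is added; consider writing the inner check as "if (errno != EINVAL)". The comment above the test still reads "Older kernels may not support all the options, or security policy may block this call." and does not mention that EACCES is accepted for the AppArmor restriction described in the commit message; a few words there would explain why a permission error is treated as unsupported rather than as a failure.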
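
Review bot: In the do_test() hunk of sysdeps/unix/sysv/linux/tst-pidfd_getpid.c (@@ -61), the widened condition still ends in a bare "exit (EXIT_UNSUPPORTED);", so a run skipped because of EACCES leaves no trace of which errno caused it, unlike the test-container.c path, which reports strerror (saved_errno) through FAIL_UNSUPPORTED. Consider printing the errno before exiting (the "%m" form used in the FAIL_EXIT1 line below would do) so that a skip caused by security policy can be told apart from one caused by an old kernel. The same four-errno list now appears in both files; a shared helper or macro would keep them from drifting.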