diff mbox series

[v3] tests: gracefully handle AppArmor userns containment

Message ID	20240216163849.73172-1-simon.chopin@canonical.com
State	Committed
Commit	59e0441d4a1198aa9d21643a6e4f370faec4ffbf
Headers	DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 538AE385800B From: Simon Chopin <simon.chopin@canonical.com> To: libc-alpha@sourceware.org Cc: Maxim Kuvyrkov <maxim.kuvyrkov@linaro.org>, Xi Ruoyao <xry111@xry111.site>, Simon Chopin <simon.chopin@canonical.com> Subject: [PATCH v3] tests: gracefully handle AppArmor userns containment Date: Fri, 16 Feb 2024 17:38:49 +0100 Message-Id: <20240216163849.73172-1-simon.chopin@canonical.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org
Series	[v3] tests: gracefully handle AppArmor userns containment \| [v3] tests: gracefully handle AppArmor userns containment

Checks

Context	Check	Description
redhat-pt-bot/TryBot-apply_patch	success	Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64	success	Testing passed
redhat-pt-bot/TryBot-32bit	success	Build for i686
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64	success	Testing passed
linaro-tcwg-bot/tcwg_glibc_build--master-arm	success	Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm	success	Testing passed

Commit Message

Simon Chopin Feb. 16, 2024, 4:38 p.m. UTC

  Recent AppArmor containment allows restricting unprivileged user
namespaces, which is enabled by default on recent Ubuntu systems.
When this happens, as is common with Linux Security Modules, the syscall
will fail with -EACCESS.

When that happens, the affected tests will now be considered unsupported
rather than simply failing.

Further information:

* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
* https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html (for
  the return code)

V2:
* Fix duplicated line in check_unshare_hints
* Also handle similar failure in tst-pidfd_getpid

V3:
* Comment formatting
* Aded some more documentation on syscall return value

Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
---
 support/test-container.c                   | 7 +++++--
 sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++-
 2 files changed, 7 insertions(+), 3 deletions(-)


base-commit: 155bb9d036646138348fee0ac045de601811e0c5

Comments

Maxim Kuvyrkov Feb. 20, 2024, 12:12 p.m. UTC | #1

Hi Simon,

This is OK to merge.

Thanks!

--
Maxim Kuvyrkov
https://www.linaro.org

> On Feb 16, 2024, at 20:38, Simon Chopin <simon.chopin@canonical.com> wrote:
> 
> Recent AppArmor containment allows restricting unprivileged user
> namespaces, which is enabled by default on recent Ubuntu systems.
> When this happens, as is common with Linux Security Modules, the syscall
> will fail with -EACCESS.
> 
> When that happens, the affected tests will now be considered unsupported
> rather than simply failing.
> 
> Further information:
> 
> * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> * https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html (for
>  the return code)
> 
> V2:
> * Fix duplicated line in check_unshare_hints
> * Also handle similar failure in tst-pidfd_getpid
> 
> V3:
> * Comment formatting
> * Aded some more documentation on syscall return value
> 
> Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> ---
> support/test-container.c                   | 7 +++++--
> sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++-
> 2 files changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/support/test-container.c b/support/test-container.c
> index adf2b30215..ebcc722da5 100644
> --- a/support/test-container.c
> +++ b/support/test-container.c
> @@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns)
>     { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
>     /* ALT Linux has an alternate way of doing the same.  */
>     { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> +    /* AppArmor can also disable unprivileged user namespaces.  */
> +    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
>     /* Linux kernel >= 4.9 has a configurable limit on the number of
>        each namespace.  Some distros set the limit to zero to disable the
>        corresponding namespace as a "security policy".  */
> @@ -1108,10 +1110,11 @@ main (int argc, char **argv)
>     {
>       /* Older kernels may not support all the options, or security
> policy may block this call.  */
> -      if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
> +      if (errno == EINVAL || errno == EPERM
> +          || errno == ENOSPC || errno == EACCES)
> {
>  int saved_errno = errno;
> -  if (errno == EPERM || errno == ENOSPC)
> +  if (errno == EPERM || errno == ENOSPC || errno == EACCES)
>    check_for_unshare_hints (require_pidns);
>  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
> }
> diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> index 0354da5abb..ef62fbe941 100644
> --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> @@ -61,7 +61,8 @@ do_test (void)
>  {
>    /* Older kernels may not support all the options, or security
>       policy may block this call.  */
> -    if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
> +    if (errno == EINVAL || errno == EPERM
> +        || errno == ENOSPC || errno == EACCES)
>      exit (EXIT_UNSUPPORTED);
>    FAIL_EXIT1 ("unshare user/fs/pid failed: %m");
>  }
> 
> base-commit: 155bb9d036646138348fee0ac045de601811e0c5
> -- 
> 2.40.1
>

diff mbox series

Patch

diff --git a/support/test-container.c b/support/test-container.c
index adf2b30215..ebcc722da5 100644
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -682,6 +682,8 @@  check_for_unshare_hints (int require_pidns)
     { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
     /* ALT Linux has an alternate way of doing the same.  */
     { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
+    /* AppArmor can also disable unprivileged user namespaces.  */
+    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
     /* Linux kernel >= 4.9 has a configurable limit on the number of
        each namespace.  Some distros set the limit to zero to disable the
        corresponding namespace as a "security policy".  */
@@ -1108,10 +1110,11 @@  main (int argc, char **argv)
     {
       /* Older kernels may not support all the options, or security
 	 policy may block this call.  */
-      if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+      if (errno == EINVAL || errno == EPERM
+          || errno == ENOSPC || errno == EACCES)
 	{
 	  int saved_errno = errno;
-	  if (errno == EPERM || errno == ENOSPC)
+	  if (errno == EPERM || errno == ENOSPC || errno == EACCES)
 	    check_for_unshare_hints (require_pidns);
 	  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
 	}
diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
index 0354da5abb..ef62fbe941 100644
--- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
+++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
@@ -61,7 +61,8 @@  do_test (void)
 	  {
 	    /* Older kernels may not support all the options, or security
 	       policy may block this call.  */
-	    if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+	    if (errno == EINVAL || errno == EPERM
+	        || errno == ENOSPC || errno == EACCES)
 	      exit (EXIT_UNSUPPORTED);
 	    FAIL_EXIT1 ("unshare user/fs/pid failed: %m");
 	  }