From patchwork Fri Feb 16 16:38:49 2024
X-Patchwork-Submitter: Simon Chopin
X-Patchwork-Id: 85889
From: Simon Chopin
To: libc-alpha@sourceware.org
Cc: Maxim Kuvyrkov, Xi Ruoyao, Simon Chopin
Subject: [PATCH v3] tests: gracefully handle AppArmor userns containment
Date: Fri, 16 Feb 2024 17:38:49 +0100
Message-Id: <20240216163849.73172-1-simon.chopin@canonical.com>

Recent AppArmor containment allows restricting unprivileged user namespaces, which is enabled by default on recent Ubuntu systems. When this happens, as is common with Linux Security Modules, the syscall will fail with -EACCES. When that happens, the affected tests will now be considered unsupported rather than simply failing.

Further information:
* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
* https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html (for the return code)

V2:
* Fix duplicated line in check_unshare_hints
* Also handle similar failure in tst-pidfd_getpid

V3:
* Comment formatting
* Added some more documentation on syscall return value

Signed-off-by: Simon Chopin
---
 support/test-container.c                   | 7 +++++--
 sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++-
 2 files changed, 7 insertions(+), 3 deletions(-)

base-commit: 155bb9d036646138348fee0ac045de601811e0c5
diff --git a/support/test-container.c b/support/test-container.c index adf2b30215..ebcc722da5 100644 --- a/support/test-container.c +++ b/support/test-container.c @@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns) { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 }, /* ALT Linux has an alternate way of doing the same. */ { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, + /* AppArmor can also disable unprivileged user namespaces. */ + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 }, /* Linux kernel >= 4.9 has a configurable limit on the number of each namespace. Some distros set the limit to zero to disable the corresponding namespace as a "security policy". */ @@ -1108,10 +1110,11 @@ main (int argc, char **argv) { /* Older kernels may not support all the options, or security policy may block this call. */ - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) + if (errno == EINVAL || errno == EPERM + || errno == ENOSPC || errno == EACCES) { int saved_errno = errno; - if (errno == EPERM || errno == ENOSPC) + if (errno == EPERM || errno == ENOSPC || errno == EACCES) check_for_unshare_hints (require_pidns); FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno)); } diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c index 0354da5abb..ef62fbe941 100644 --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c @@ -61,7 +61,8 @@ do_test (void) { /* Older kernels may not support all the options, or security policy may block this call. */ - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) + if (errno == EINVAL || errno == EPERM + || errno == ENOSPC || errno == EACCES) exit (EXIT_UNSUPPORTED); FAIL_EXIT1 ("unshare user/fs/pid failed: %m"); }
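Review bot: in the check_for_unshare_hints hunk, the new `apparmor_restrict_unprivileged_userns` entry copies the `1, 0, 0` field values of the ALT Linux `userns_restrict` line directly above it, while the `unprivileged_userns_clone` entry two lines up uses `0, 1, 0`, so the polarity of the new check (which sysctl value the hint treats as "restricted") is only implied by which neighbour it mirrors. The comment should state it explicitly, e.g. `/* AppArmor can also disable unprivileged user namespaces; a value of 1 means the restriction is active. */`, and could reference the AppArmor wiki page from the cover letter so a reader can verify the sysctl semantics without the commit message.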
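Review bot: in the main() hunk of support/test-container.c, the V3 changelog says more documentation on the syscall return value was added, but the existing comment ("Older kernels may not support all the options, or security policy may block this call.") is left unchanged and nothing in the code explains why EACCES now joins EINVAL/EPERM/ENOSPC. Extend that comment to say that AppArmor's unprivileged user namespace restriction makes unshare fail with EACCES (apparmor.d(5), as cited in the cover letter), so the fourth errno is justified in the source rather than only in the commit message. Passing EACCES through to check_for_unshare_hints and reporting via FAIL_UNSUPPORTED with the saved errno is consistent with the existing EPERM/ENOSPC handling.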
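Review bot: in the tst-pidfd_getpid.c hunk, the unsupported path is a bare `exit (EXIT_UNSUPPORTED)` with no diagnostic, so an EACCES caused by AppArmor containment is indistinguishable in the test log from EINVAL on an older kernel, which makes the new case hard to confirm on an affected Ubuntu system. Since FAIL_EXIT1 is already used in this function, consider reporting the errno before exiting, e.g. `FAIL_UNSUPPORTED ("unshare user/fs/pid failed: %m");` in place of the bare exit, mirroring the message test-container.c prints in the same situation.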