public inbox for glibc-cvs@sourceware.org
help / color / mirror / Atom feed
* [glibc] tests: gracefully handle AppArmor userns containment
@ 2024-02-23 11:50 Adhemerval Zanella
0 siblings, 0 replies; only message in thread
From: Adhemerval Zanella @ 2024-02-23 11:50 UTC (permalink / raw)
To: glibc-cvs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=59e0441d4a1198aa9d21643a6e4f370faec4ffbf
commit 59e0441d4a1198aa9d21643a6e4f370faec4ffbf
Author: Simon Chopin <simon.chopin@canonical.com>
Date: Fri Feb 16 17:38:49 2024 +0100
tests: gracefully handle AppArmor userns containment
Recent AppArmor containment allows restricting unprivileged user
namespaces, which is enabled by default on recent Ubuntu systems.
When this happens, as is common with Linux Security Modules, the syscall
will fail with -EACCESS.
When that happens, the affected tests will now be considered unsupported
rather than simply failing.
Further information:
* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
* https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html (for
the return code)
V2:
* Fix duplicated line in check_unshare_hints
* Also handle similar failure in tst-pidfd_getpid
V3:
* Comment formatting
* Aded some more documentation on syscall return value
Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
Diff:
---
support/test-container.c | 7 +++++--
sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/support/test-container.c b/support/test-container.c
index adf2b30215..ebcc722da5 100644
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns)
{ "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
/* ALT Linux has an alternate way of doing the same. */
{ "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
+ /* AppArmor can also disable unprivileged user namespaces. */
+ { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
/* Linux kernel >= 4.9 has a configurable limit on the number of
each namespace. Some distros set the limit to zero to disable the
corresponding namespace as a "security policy". */
@@ -1108,10 +1110,11 @@ main (int argc, char **argv)
{
/* Older kernels may not support all the options, or security
policy may block this call. */
- if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+ if (errno == EINVAL || errno == EPERM
+ || errno == ENOSPC || errno == EACCES)
{
int saved_errno = errno;
- if (errno == EPERM || errno == ENOSPC)
+ if (errno == EPERM || errno == ENOSPC || errno == EACCES)
check_for_unshare_hints (require_pidns);
FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
}
diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
index 0354da5abb..ef62fbe941 100644
--- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
+++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
@@ -61,7 +61,8 @@ do_test (void)
{
/* Older kernels may not support all the options, or security
policy may block this call. */
- if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+ if (errno == EINVAL || errno == EPERM
+ || errno == ENOSPC || errno == EACCES)
exit (EXIT_UNSUPPORTED);
FAIL_EXIT1 ("unshare user/fs/pid failed: %m");
}
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2024-02-23 11:50 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-23 11:50 [glibc] tests: gracefully handle AppArmor userns containment Adhemerval Zanella
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).