From: Carlos O'Donell
Organization: Red Hat
To: Florian Weimer
Cc: "H.J. Lu", "H.J. Lu via Libc-alpha"
Subject: Re: [PATCH] nptl: Zero-extend arguments to SETXID syscalls [BZ #26248]
Date: Fri, 17 Jul 2020 11:52:19 -0400
Message-ID: <180ab9db-d012-52c9-736f-437eecafc35b@redhat.com>

On 7/17/20 11:13 AM, Florian Weimer wrote:
> * Carlos O'Donell:
>
>> This test should run in a container, and it should attempt two setgroups
>> calls, one with groups and one empty with a bad address.
>
> Why do you think this needs a container?

We are trying to successfully call setgroups(), and to do that we need CAP_SETGID.
The way this test is exercising this is by making the test an xtests which can require root and thus you get CAP_SETGID in that way.

My suggestion is to move the test from xtests to tests-container to increase the usage of the test. In the container we have a CLONE_NEWUSER so we have a distinct user namespace that can be used in conjunction with becoming root, getting CAP_SETGID, and calling setgroups() without restricting this test to `make xcheck`.

I see that we don't explicitly say `make xcheck` may require root. Is this something I just taught myself implicitly? :-)

Note: We may need to adjust the gid_map writing code in test-container.

--
Cheers,
Carlos.