[PATCHv5] tst-pidfd.c: UNSUPPORTED if we get EPERM on valid pidfd_getfd call

[PATCHv5] tst-pidfd.c: UNSUPPORTED if we get EPERM on valid pidfd_getfd call

[Mark Wielaard]

pidfd_getfd can fail for a valid pidfd with errno EPERM for various
reasons in a restricted environment. Use FAIL_UNSUPPORTED in that case.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
---

v5: Add comment why the EPERM check is needed and which credential
    checks are performed
v4: Drop all EPERM checks except on the actual (valid) pidfd_getfd
v3: Also test for EPERM on pidfd_open, don't mention
    PTRACE_MODE_ATTACH_REALCREDS since it is just one reason for
    getting EPERM.
v2: separate ENOSYS and EPERM checks and FAIL_UNSUPPORTED messages

https://code.wildebeest.org/git/user/mjw/glibc/commit/?h=container-perms&id=435a8361ef3e2ce64bb7a48760adea577797967e

 sysdeps/unix/sysv/linux/tst-pidfd.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sysdeps/unix/sysv/linux/tst-pidfd.c b/sysdeps/unix/sysv/linux/tst-pidfd.c
index d93b6faa6f..037af22290 100644
--- a/sysdeps/unix/sysv/linux/tst-pidfd.c
+++ b/sysdeps/unix/sysv/linux/tst-pidfd.c
@@ -142,6 +142,13 @@ do_test (void)
     xrecvfrom (sockets[0], &remote_fd, sizeof (remote_fd), 0, NULL, 0);
 
     int fd = pidfd_getfd (pidfd, remote_fd, 0);
+    /* pidfd_getfd may fail with EPERM if the process does not have
+       PTRACE_MODE_ATTACH_REALCREDS permissions. This means the call
+       may be denied if the process doesn't have CAP_SYS_PTRACE or
+       if a LSM security_ptrace_access_check denies access.  */
+    if (fd == -1 && errno == EPERM)
+      FAIL_UNSUPPORTED ("don't have permission to use pidfd_getfd on pidfd, "
+			"skipping test");
     TEST_VERIFY (fd > 0);
 
     char *path = xasprintf ("/proc/%d/fd/%d", pid, remote_fd);
-- 
2.30.2

Re: [PATCHv5] tst-pidfd.c: UNSUPPORTED if we get EPERM on valid pidfd_getfd call

[Carlos O'Donell]

On 7/19/22 09:14, Mark Wielaard wrote:
> pidfd_getfd can fail for a valid pidfd with errno EPERM for various
> reasons in a restricted environment. Use FAIL_UNSUPPORTED in that case.
> 
> Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

OK for 2.36. OK from the RM (me).

This is very limited in scope and solves the problem with downstream buildbot testing
for the 2.36 release.

Thanks for working through this issue!

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

> ---
> 
> v5: Add comment why the EPERM check is needed and which credential
>     checks are performed
> v4: Drop all EPERM checks except on the actual (valid) pidfd_getfd
> v3: Also test for EPERM on pidfd_open, don't mention
>     PTRACE_MODE_ATTACH_REALCREDS since it is just one reason for
>     getting EPERM.
> v2: separate ENOSYS and EPERM checks and FAIL_UNSUPPORTED messages
> 
> https://code.wildebeest.org/git/user/mjw/glibc/commit/?h=container-perms&id=435a8361ef3e2ce64bb7a48760adea577797967e
> 
>  sysdeps/unix/sysv/linux/tst-pidfd.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/sysdeps/unix/sysv/linux/tst-pidfd.c b/sysdeps/unix/sysv/linux/tst-pidfd.c
> index d93b6faa6f..037af22290 100644
> --- a/sysdeps/unix/sysv/linux/tst-pidfd.c
> +++ b/sysdeps/unix/sysv/linux/tst-pidfd.c
> @@ -142,6 +142,13 @@ do_test (void)
>      xrecvfrom (sockets[0], &remote_fd, sizeof (remote_fd), 0, NULL, 0);
>  
>      int fd = pidfd_getfd (pidfd, remote_fd, 0);
> +    /* pidfd_getfd may fail with EPERM if the process does not have
> +       PTRACE_MODE_ATTACH_REALCREDS permissions. This means the call
> +       may be denied if the process doesn't have CAP_SYS_PTRACE or
> +       if a LSM security_ptrace_access_check denies access.  */
> +    if (fd == -1 && errno == EPERM)
> +      FAIL_UNSUPPORTED ("don't have permission to use pidfd_getfd on pidfd, "
> +			"skipping test");
>      TEST_VERIFY (fd > 0);
>  
>      char *path = xasprintf ("/proc/%d/fd/%d", pid, remote_fd);


-- 
Cheers,
Carlos.