tst-ttyname failure

tst-ttyname failure

[Florian Weimer]

[-- Attachment #1: Type: text/plain, Size: 1027 bytes --]

I need the two attached patches in order to get tst-ttyname to succeed 
when running on Fedora as a non-root user.

info:  entering chroot 1
info:    testcase: basic smoketest
info:      ttyname: PASS {name="/dev/pts/5", errno=0}
info:      ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, 
"deny"): Operation not permitted
info:  entering chroot 2
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, 
"deny"): Operation not permitted
error: 2 test failures

I get the same failure when running the test on 
kernel-3.10.0-768.el7.x86_64 (there I tested as root).

This is on top of master with commit 
ce003e5d4cd94c5380699b0dadeaaf825813afbe (support_become_root: Enable 
file creation in user namespaces).  The test failure was present before 
I pushed that change.

Would you please double-check that they do not break the test on 
whatever distributions you tested on and do not interfere with the test 
objective?

Thanks,
Florian

[-- Attachment #2: enter.patch --]
[-- Type: text/x-patch, Size: 3303 bytes --]

Subject: [PATCH] support_enter_mount_namespace: Unshare with mount --make-rprivate
To: libc-alpha@sourceware.org

System defaults vary, and a mere unshare (CLONE_NEWNS) (which is part of
support_become_root) is no longer sufficient.

2017-11-17  Florian Weimer  <fweimer@redhat.com>

	* support/namespace.h (support_enter_mount_namespace): Declare.
	* support/support_enter_mount_namespace.c: New file.
	* support/Makefile (libsupport-routines): Add
	support_enter_mount_namespace.

diff --git a/support/Makefile b/support/Makefile
index f7a878b950..384fecb65a 100644
--- a/support/Makefile
+++ b/support/Makefile
@@ -42,6 +42,7 @@ libsupport-routines = \
   support_capture_subprocess \
   support_capture_subprocess_check \
   support_chroot \
+  support_enter_mount_namespace \
   support_enter_network_namespace \
   support_format_address_family \
   support_format_addrinfo \
diff --git a/support/namespace.h b/support/namespace.h
index 9eddb1a0e9..b5e2d1474a 100644
--- a/support/namespace.h
+++ b/support/namespace.h
@@ -51,6 +51,11 @@ bool support_can_chroot (void);
    has sufficient privileges.  */
 bool support_enter_network_namespace (void);
 
+/* Enter a mount namespace and mark / as private (not shared).  If
+   this function returns true, mount operations in this process will
+   not affect the host system afterwards.  */
+bool support_enter_mount_namespace (void);
+
 /* Return true if support_enter_network_namespace managed to enter a
    UTS namespace.  */
 bool support_in_uts_namespace (void);
diff --git a/support/support_enter_mount_namespace.c b/support/support_enter_mount_namespace.c
new file mode 100644
index 0000000000..6140692075
--- /dev/null
+++ b/support/support_enter_mount_namespace.c
@@ -0,0 +1,45 @@
+/* Enter a mount namespace.
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <support/namespace.h>
+
+#include <sched.h>
+#include <stdio.h>
+#include <sys/mount.h>
+
+bool
+support_enter_mount_namespace (void)
+{
+#ifdef CLONE_NEWNS
+  if (unshare (CLONE_NEWNS) == 0)
+    {
+      /* On some systems, / is marked as MS_SHARED, which means that
+         mounts within the namespace leak to the rest of the system,
+         which is not what we want.  */
+      if (mount ("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
+        {
+          printf ("warning: making the mount namespace private failed: %m\n");
+          return false;
+        }
+      return true;
+    }
+  else
+    printf ("warning: unshare (CLONE_NEWNS) failed: %m\n");
+#endif /* CLONE_NEWNS */
+  return false;
+}

[-- Attachment #3: ttyname.patch --]
[-- Type: text/x-patch, Size: 3920 bytes --]

Subject: [PATCH] tst-ttyname: Fix namespace setup for Fedora
To: libc-alpha@sourceware.org

On Fedora, the previous initialization sequence did not work and
resulted in failures like:

info:  entering chroot 1
info:    testcase: basic smoketest
info:      ttyname: PASS {name="/dev/pts/5", errno=0}
info:      ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
info:  entering chroot 2
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
error: 2 test failures

2017-11-17  Florian Weimer  <fweimer@redhat.com>

	* sysdeps/unix/sysv/linux/tst-ttyname.c
	(become_root_in_mount_ns): Remove.
	(do_in_chroot_1): Call support_enter_mount_namespace.
	(do_in_chroot_2): Likewise.
	(do_test): Call support_become_root early.

diff --git a/sysdeps/unix/sysv/linux/tst-ttyname.c b/sysdeps/unix/sysv/linux/tst-ttyname.c
index 32d7a65938..0fdf1a8ccb 100644
--- a/sysdeps/unix/sysv/linux/tst-ttyname.c
+++ b/sysdeps/unix/sysv/linux/tst-ttyname.c
@@ -78,65 +78,6 @@ proc_fd_readlink (const char *linkname)
   return target;
 }
 
-static void
-become_root_in_mount_ns (void)
-{
-  uid_t orig_uid = getuid ();
-  gid_t orig_gid = getgid ();
-
-  support_become_root ();
-
-  if (unshare (CLONE_NEWNS) < 0)
-    FAIL_UNSUPPORTED ("could not enter new mount namespace");
-
-  /* support_become_root might have put us in a new user namespace;
-     most filesystems (including tmpfs) don't allow file or directory
-     creation from a user namespace unless uid and gid maps are set,
-     even if we have root privileges in the namespace (failing with
-     EOVERFLOW, since the uid overflows the empty (0-length) uid map).
-
-     Also, stat always reports that uid and gid maps are empty, so we
-     have to try actually reading from them to check if they are
-     empty.  */
-  int fd;
-
-  if ((fd = open ("/proc/self/uid_map", O_RDWR, 0)) >= 0)
-    {
-      char buf;
-      if (read (fd, &buf, 1) == 0)
-	{
-	  char *str = xasprintf ("0 %ld 1\n", (long)orig_uid);
-	  if (write (fd, str, strlen (str)) < 0)
-	    FAIL_EXIT1 ("write (uid_map, \"%s\"): %m", str);
-	  free (str);
-	}
-      xclose (fd);
-    }
-
-  /* Setting the gid map has the additional complexity that we have to
-     first turn off setgroups.  */
-  if ((fd = open ("/proc/self/setgroups", O_WRONLY, 0)) >= 0)
-    {
-      const char *str = "deny";
-      if (write (fd, str, strlen (str)) < 0)
-	FAIL_EXIT1 ("write (setroups, \"%s\"): %m", str);
-      xclose (fd);
-    }
-
-  if ((fd = open ("/proc/self/gid_map", O_RDWR, 0)) >= 0)
-    {
-      char buf;
-      if (read (fd, &buf, 1) == 0)
-	{
-	  char *str = xasprintf ("0 %ld 1\n", (long)orig_gid);
-	  if (write (fd, str, strlen (str)) < 0)
-	    FAIL_EXIT1 ("write (gid_map, \"%s\"): %m", str);
-	  free (str);
-	}
-      xclose (fd);
-    }
-}
-
 /* plain ttyname runner */
 
 struct result
@@ -328,7 +269,8 @@ do_in_chroot_1 (int (*cb)(const char *, int))
     {
       xclose (master);
 
-      become_root_in_mount_ns ();
+      if (!support_enter_mount_namespace ())
+	FAIL_UNSUPPORTED ("could not enter new mount namespace");
 
       VERIFY (mount ("tmpfs", chrootdir, "tmpfs", 0, "mode=755") == 0);
       VERIFY (chdir (chrootdir) == 0);
@@ -395,7 +337,8 @@ do_in_chroot_2 (int (*cb)(const char *, int))
       xclose (pid_pipe[0]);
       xclose (exit_pipe[1]);
 
-      become_root_in_mount_ns ();
+      if (!support_enter_mount_namespace ())
+	FAIL_UNSUPPORTED ("could not enter new mount namespace");
 
       int slave = xopen (slavename, O_RDWR, 0);
       if (!doit (slave, "basic smoketest",
@@ -611,6 +554,8 @@ run_chroot_tests (const char *slavename, int slave)
 static int
 do_test (void)
 {
+  support_become_root ();
+
   int ret1 = do_in_chroot_1 (run_chroot_tests);
   if (ret1 == EXIT_UNSUPPORTED)
     return ret1;

Re: [PATCH] support_enter_mount_namespace: Unshare with mount --make-rprivate

[Christian Brauner]

System defaults vary, and a mere unshare (CLONE_NEWNS) (which is part of
support_become_root) is no longer sufficient.

2017-11-17  Florian Weimer  <fweimer@redhat.com>

	* support/namespace.h (support_enter_mount_namespace): Declare.
	* support/support_enter_mount_namespace.c: New file.
	* support/Makefile (libsupport-routines): Add
	support_enter_mount_namespace.

Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/support/Makefile b/support/Makefile
index f7a878b950..384fecb65a 100644
--- a/support/Makefile
+++ b/support/Makefile
@@ -42,6 +42,7 @@ libsupport-routines = \
   support_capture_subprocess \
   support_capture_subprocess_check \
   support_chroot \
+  support_enter_mount_namespace \
   support_enter_network_namespace \
   support_format_address_family \
   support_format_addrinfo \
diff --git a/support/namespace.h b/support/namespace.h
index 9eddb1a0e9..b5e2d1474a 100644
--- a/support/namespace.h
+++ b/support/namespace.h
@@ -51,6 +51,11 @@ bool support_can_chroot (void);
    has sufficient privileges.  */
 bool support_enter_network_namespace (void);
 
+/* Enter a mount namespace and mark / as private (not shared).  If
+   this function returns true, mount operations in this process will
+   not affect the host system afterwards.  */
+bool support_enter_mount_namespace (void);
+
 /* Return true if support_enter_network_namespace managed to enter a
    UTS namespace.  */
 bool support_in_uts_namespace (void);
diff --git a/support/support_enter_mount_namespace.c b/support/support_enter_mount_namespace.c
new file mode 100644
index 0000000000..6140692075
--- /dev/null
+++ b/support/support_enter_mount_namespace.c
@@ -0,0 +1,45 @@
+/* Enter a mount namespace.
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <support/namespace.h>
+
+#include <sched.h>
+#include <stdio.h>
+#include <sys/mount.h>
+
+bool
+support_enter_mount_namespace (void)
+{
+#ifdef CLONE_NEWNS
+  if (unshare (CLONE_NEWNS) == 0)
+    {
+      /* On some systems, / is marked as MS_SHARED, which means that
+         mounts within the namespace leak to the rest of the system,
+         which is not what we want.  */
+      if (mount ("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
+        {

Right, this I remember we need to do something similar because systemd mounts /
MS_SHARED although we use MS_REC | MS_SLAVE but since you likely don't care
about propagation into the peer here this is fine.

+          printf ("warning: making the mount namespace private failed: %m\n");
+          return false;
+        }
+      return true;
+    }
+  else
+    printf ("warning: unshare (CLONE_NEWNS) failed: %m\n");
+#endif /* CLONE_NEWNS */
+  return false;
+}

Re: [PATCH] tst-ttyname: Fix namespace setup for Fedora

[Christian Brauner]

[-- Attachment #1: Type: text/plain, Size: 4012 bytes --]

On Fedora, the previous initialization sequence did not work and
resulted in failures like:

info:  entering chroot 1
info:    testcase: basic smoketest
info:      ttyname: PASS {name="/dev/pts/5", errno=0}
info:      ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
info:  entering chroot 2
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
error: 2 test failures

2017-11-17  Florian Weimer  <fweimer@redhat.com>

	* sysdeps/unix/sysv/linux/tst-ttyname.c
	(become_root_in_mount_ns): Remove.
	(do_in_chroot_1): Call support_enter_mount_namespace.
	(do_in_chroot_2): Likewise.
	(do_test): Call support_become_root early.

Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/sysdeps/unix/sysv/linux/tst-ttyname.c b/sysdeps/unix/sysv/linux/tst-ttyname.c
index 32d7a65938..0fdf1a8ccb 100644
--- a/sysdeps/unix/sysv/linux/tst-ttyname.c
+++ b/sysdeps/unix/sysv/linux/tst-ttyname.c
@@ -78,65 +78,6 @@ proc_fd_readlink (const char *linkname)
   return target;
 }
 
-static void
-become_root_in_mount_ns (void)
-{
-  uid_t orig_uid = getuid ();
-  gid_t orig_gid = getgid ();
-
-  support_become_root ();
-
-  if (unshare (CLONE_NEWNS) < 0)
-    FAIL_UNSUPPORTED ("could not enter new mount namespace");
-
-  /* support_become_root might have put us in a new user namespace;
-     most filesystems (including tmpfs) don't allow file or directory
-     creation from a user namespace unless uid and gid maps are set,
-     even if we have root privileges in the namespace (failing with
-     EOVERFLOW, since the uid overflows the empty (0-length) uid map).
-
-     Also, stat always reports that uid and gid maps are empty, so we
-     have to try actually reading from them to check if they are
-     empty.  */
-  int fd;
-
-  if ((fd = open ("/proc/self/uid_map", O_RDWR, 0)) >= 0)
-    {
-      char buf;
-      if (read (fd, &buf, 1) == 0)
-	{
-	  char *str = xasprintf ("0 %ld 1\n", (long)orig_uid);
-	  if (write (fd, str, strlen (str)) < 0)
-	    FAIL_EXIT1 ("write (uid_map, \"%s\"): %m", str);
-	  free (str);
-	}
-      xclose (fd);
-    }
-
-  /* Setting the gid map has the additional complexity that we have to
-     first turn off setgroups.  */
-  if ((fd = open ("/proc/self/setgroups", O_WRONLY, 0)) >= 0)
-    {
-      const char *str = "deny";
-      if (write (fd, str, strlen (str)) < 0)
-	FAIL_EXIT1 ("write (setroups, \"%s\"): %m", str);
-      xclose (fd);
-    }
-
-  if ((fd = open ("/proc/self/gid_map", O_RDWR, 0)) >= 0)
-    {
-      char buf;
-      if (read (fd, &buf, 1) == 0)
-	{
-	  char *str = xasprintf ("0 %ld 1\n", (long)orig_gid);
-	  if (write (fd, str, strlen (str)) < 0)
-	    FAIL_EXIT1 ("write (gid_map, \"%s\"): %m", str);
-	  free (str);
-	}
-      xclose (fd);
-    }
-}
-
 /* plain ttyname runner */
 
 struct result
@@ -328,7 +269,8 @@ do_in_chroot_1 (int (*cb)(const char *, int))
     {
       xclose (master);
 
-      become_root_in_mount_ns ();
+      if (!support_enter_mount_namespace ())
+	FAIL_UNSUPPORTED ("could not enter new mount namespace");
 
       VERIFY (mount ("tmpfs", chrootdir, "tmpfs", 0, "mode=755") == 0);
       VERIFY (chdir (chrootdir) == 0);
@@ -395,7 +337,8 @@ do_in_chroot_2 (int (*cb)(const char *, int))
       xclose (pid_pipe[0]);
       xclose (exit_pipe[1]);
 
-      become_root_in_mount_ns ();
+      if (!support_enter_mount_namespace ())
+	FAIL_UNSUPPORTED ("could not enter new mount namespace");
 
       int slave = xopen (slavename, O_RDWR, 0);
       if (!doit (slave, "basic smoketest",
@@ -611,6 +554,8 @@ run_chroot_tests (const char *slavename, int slave)
 static int
 do_test (void)
 {
+  support_become_root ();
+
   int ret1 = do_in_chroot_1 (run_chroot_tests);
   if (ret1 == EXIT_UNSUPPORTED)
     return ret1;

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: tst-ttyname failure

[Christian Brauner]

[-- Attachment #1: Type: text/plain, Size: 1534 bytes --]

On Fri, Nov 17, 2017 at 10:28:44PM +0100, Florian Weimer wrote:
> I need the two attached patches in order to get tst-ttyname to succeed when
> running on Fedora as a non-root user.
> 
> info:  entering chroot 1
> info:    testcase: basic smoketest
> info:      ttyname: PASS {name="/dev/pts/5", errno=0}
> info:      ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
> "deny"): Operation not permitted
> info:  entering chroot 2
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
> "deny"): Operation not permitted
> error: 2 test failures
> 
> I get the same failure when running the test on kernel-3.10.0-768.el7.x86_64
> (there I tested as root).

This is all fine. However, I'm going to send a small patch for
setup_uid_gid_mapping. Unless I'm reading this wrong you still exit with a
failure when you fail to open the setgroups file. However, the setgroups "deny"
restriction and the corresponding file were only added in 3.19. Before that you
could simply write to gid_map. Sending a patch for this.

> 
> This is on top of master with commit
> ce003e5d4cd94c5380699b0dadeaaf825813afbe (support_become_root: Enable file
> creation in user namespaces).  The test failure was present before I pushed
> that change.
> 
> Would you please double-check that they do not break the test on whatever
> distributions you tested on and do not interfere with the test objective?
> 
> Thanks,
> Florian




[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

[PATCH] support_become_root: Don't fail when /proc/<pid/setgroups is missing

[Christian Brauner]

The requirement to write "deny" to /proc/<pid>/setgroups for a given user
namespace before being able to write a gid mapping was introduced in Linux 3.19.
Before that this requirement including the file did not exist. So don't fail
when errno == ENOENT.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
 ChangeLog                     |  5 +++++
 support/support_become_root.c | 20 +++++++++++++++-----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 604d571ca6..2f2d3b82ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2017-11-17  Christian Brauner <christian.brauner@ubuntu.com>
+
+	* support/support_become_root.c (setup_uid_gid_mapping): Don't fail when
+	/proc/<pid>/setgroups does not exist.
+
 2017-11-17  Tulio Magno Quites Machado Filho  <tuliom@linux.vnet.ibm.com>
 
 	* sysdeps/powerpc/bits/hwcap.h (PPC_FEATURE2_HTM_NO_SUSPEND): New
diff --git a/support/support_become_root.c b/support/support_become_root.c
index 5086570251..01a386c20c 100644
--- a/support/support_become_root.c
+++ b/support/support_become_root.c
@@ -18,6 +18,7 @@
 
 #include <support/namespace.h>
 
+#include <errno.h>
 #include <fcntl.h>
 #include <sched.h>
 #include <stdio.h>
@@ -50,11 +51,20 @@ setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid)
   xwrite (fd, buf, ret);
   xclose (fd);
 
-  /* Disable setgroups before mapping groups, otherwise that would
-     fail with EPERM.  */
-  fd = xopen ("/proc/self/setgroups", O_WRONLY, 0);
-  xwrite (fd, "deny\n", strlen ("deny\n"));
-  xclose (fd);
+  /* Linux 3.19 introduced the setgroups file. We need write "deny" to this file
+     otherwise writing to gid_map will fail with EPERM. */
+  fd = open64 ("/proc/self/setgroups", O_WRONLY, 0);
+  if (fd < 0)
+    {
+      if (errno != ENOENT)
+        FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m", O_WRONLY, 0);
+      /* This kernel doesn't expose the setgroups file so simply move on. */
+    }
+  else
+    {
+      xwrite (fd, "deny\n", strlen ("deny\n"));
+      xclose (fd);
+    }
 
   /* Now map our own GID, like we did for the user ID.  */
   fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
-- 
2.14.1

Re: [PATCH] support_become_root: Don't fail when /proc/<pid/setgroups is missing

[Florian Weimer]

On 11/18/2017 02:41 AM, Christian Brauner wrote:
> The requirement to write "deny" to /proc/<pid>/setgroups for a given user
> namespace before being able to write a gid mapping was introduced in Linux 3.19.
> Before that this requirement including the file did not exist. So don't fail
> when errno == ENOENT.

The substance of the patch is fine, but please restrict line length to 
79 characters (not 80 or more):

> +	* support/support_become_root.c (setup_uid_gid_mapping): Don't fail when

> +  /* Linux 3.19 introduced the setgroups file. We need write "deny" to this file

> +        FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m", O_WRONLY, 0);

Please also use two spaces after the period at the end of a sentence, 
including the period before the closing comment marker, */.  This 
affects three sentences in two comments.

Thanks,
Florian

Re: [PATCH] support_become_root: Don't fail when /proc/<pid/setgroups is missing

[Christian Brauner]

[-- Attachment #1: Type: text/plain, Size: 1009 bytes --]

On Sat, Nov 18, 2017 at 01:47:28PM +0100, Florian Weimer wrote:
> On 11/18/2017 02:41 AM, Christian Brauner wrote:
> > The requirement to write "deny" to /proc/<pid>/setgroups for a given user
> > namespace before being able to write a gid mapping was introduced in Linux 3.19.
> > Before that this requirement including the file did not exist. So don't fail
> > when errno == ENOENT.
> 
> The substance of the patch is fine, but please restrict line length to 79
> characters (not 80 or more):
> 
> > +	* support/support_become_root.c (setup_uid_gid_mapping): Don't fail when
> 
> > +  /* Linux 3.19 introduced the setgroups file. We need write "deny" to this file
> 
> > +        FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m", O_WRONLY, 0);
> 
> Please also use two spaces after the period at the end of a sentence,
> including the period before the closing comment marker, */.  This affects
> three sentences in two comments.

Thanks! sent v2 of the patch!
Christian

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: tst-ttyname failure

[Luke Shumaker]

On Fri, 17 Nov 2017 16:28:44 -0500,
Florian Weimer wrote:
> I need the two attached patches in order to get tst-ttyname to succeed
> when running on Fedora as a non-root user.
> 
> info:  entering chroot 1
> info:    testcase: basic smoketest
> info:      ttyname: PASS {name="/dev/pts/5", errno=0}
> info:      ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
> "deny"): Operation not permitted
> info:  entering chroot 2
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups,
> "deny"): Operation not permitted
> error: 2 test failures
> 
> I get the same failure when running the test on
> kernel-3.10.0-768.el7.x86_64 (there I tested as root).
> 
> This is on top of master with commit
> ce003e5d4cd94c5380699b0dadeaaf825813afbe (support_become_root: Enable
> file creation in user namespaces).  The test failure was present
> before I pushed that change.
> 
> Would you please double-check that they do not break the test on
> whatever distributions you tested on and do not interfere with the
> test objective?

I'm a bit confused why being mounted MS_SHARED caused writing to (but
not opening) /proc/self/setgroups to fail; and not some other issues.
But, I don't believe that this affects the test objectives, and I have
verified that it doesn't break the test here on Parabola.

(Sorry I didn't reply on Friday, I'm traveling.)

-- 
Happy hacking,
~ Luke Shumaker

Re: tst-ttyname failure

[Adhemerval Zanella]

On 17/11/2017 19:28, Florian Weimer wrote:
> I need the two attached patches in order to get tst-ttyname to succeed when running on Fedora as a non-root user.
> 
> info:  entering chroot 1
> info:    testcase: basic smoketest
> info:      ttyname: PASS {name="/dev/pts/5", errno=0}
> info:      ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
> info:  entering chroot 2
> error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
> error: 2 test failures
> 
> I get the same failure when running the test on kernel-3.10.0-768.el7.x86_64 (there I tested as root).
> 
> This is on top of master with commit ce003e5d4cd94c5380699b0dadeaaf825813afbe (support_become_root: Enable file creation in user namespaces).  The test failure was present before I pushed that change.
> 
> Would you please double-check that they do not break the test on whatever distributions you tested on and do not interfere with the test objective?
> 
> Thanks,
> Florian

I am still seeing failures on Ubuntu 16.04 (4.4.0-71-generic) on master:

info:  entering chroot 1
info:    testcase: basic smoketest
info:      ttyname: PASS {name="/dev/pts/38", errno=0}
info:      ttyname_r: PASS {name="/dev/pts/38", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:285: mount ("devpts", "dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, "newinstance,ptmxmode=0666,mode=620") == 0: Invalid argument
info:  entering chroot 2
info:    testcase: basic smoketest
info:      ttyname: PASS {name="/dev/pts/38", errno=0}
info:      ttyname_r: PASS {name="/dev/pts/38", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:357: mount ("devpts", "dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, "newinstance,ptmxmode=0666,mode=620") == 0: Invalid argument

I noted, at least on my environment, it requires running as a more privileged user
to avoid the above failure. Is it the expected behaviour? Should we move it to
xcheck and add the a possible requirement [1]?

[1] https://sourceware.org/glibc/wiki/Testing/Testsuite#Details_about_make_xcheck_specific_tests

Re: tst-ttyname failure

[Florian Weimer]

On 11/23/2017 01:22 PM, Adhemerval Zanella wrote:
> I noted, at least on my environment, it requires running as a more privileged user
> to avoid the above failure. Is it the expected behaviour? Should we move it to
> xcheck and add the a possible requirement [1]?

There might be a magic incantation which makes this work with kernel 4.4 
in this particular configuration.  Can you use kernel tracing to figure 
out where the EINVAL error comes from?

Thanks,
Florian

Re: tst-ttyname failure

[Adhemerval Zanella]

On 23/11/2017 10:27, Florian Weimer wrote:
> On 11/23/2017 01:22 PM, Adhemerval Zanella wrote:
>> I noted, at least on my environment, it requires running as a more privileged user
>> to avoid the above failure. Is it the expected behaviour? Should we move it to
>> xcheck and add the a possible requirement [1]?
> 
> There might be a magic incantation which makes this work with kernel 4.4 in this particular configuration.  Can you use kernel tracing to figure out where the EINVAL error comes from?
I will debug this a little more today.