public inbox for libc-alpha@sourceware.org
* [PATCH] test-container: gracefully handle AppArmor containment
@ 2024-02-01 12:01 Simon Chopin
  2024-02-01 12:20 ` Xi Ruoyao
  2024-02-06 10:59 ` [PATCH v2] tests: gracefully handle AppArmor userns containment Simon Chopin
  0 siblings, 2 replies; 7+ messages in thread
From: Simon Chopin @ 2024-02-01 12:01 UTC (permalink / raw)
  To: libc-alpha; +Cc: Simon Chopin

Recent AppArmor containment allows restricting unprivileged user
namespaces, which is enabled by default on recent Ubuntu systems.

When that happens, the affected tests will now be considered unsupported
rather than simply failing.

Further information:

* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
---
 support/test-container.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/support/test-container.c b/support/test-container.c
index adf2b30215..a04ae07807 100644
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns)
     { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
     /* ALT Linux has an alternate way of doing the same.  */
     { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
+    /* AppArmor can also disable unprivileged user namespaces */
+    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
+    { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },
     /* Linux kernel >= 4.9 has a configurable limit on the number of
        each namespace.  Some distros set the limit to zero to disable the
        corresponding namespace as a "security policy".  */
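Review bot: the last added row, `{ "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },`, does not belong in this hunk: it is inserted above the comment that introduces the kernel >= 4.9 per-namespace limit rows, and the thread confirms it duplicates a row the table already has, so the hunk should add only the AppArmor entry. For that entry the (bad, good) pair of (1, 0) is right, since `apparmor_restrict_unprivileged_userns` reads 1 when the restriction is on, but the new comment should say so and follow the GNU style of the surrounding comments: `/* AppArmor can also disable unprivileged user namespaces (1 = restricted).  */`.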
@@ -1108,10 +1111,11 @@ main (int argc, char **argv)
     {
       /* Older kernels may not support all the options, or security
 	 policy may block this call.  */
-      if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+      if (errno == EINVAL || errno == EPERM
+          || errno == ENOSPC || errno == EACCES)
 	{
 	  int saved_errno = errno;
-	  if (errno == EPERM || errno == ENOSPC)
+	  if (errno == EPERM || errno == ENOSPC || errno == EACCES)
 	    check_for_unshare_hints (require_pidns);
 	  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
 	}
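Review bot: the comment above the condition, "security policy may block this call", gives no reason for accepting EACCES, and unshare(2) documents EINVAL, EPERM and ENOSPC but not EACCES; extend the comment to name the source (an LSM such as AppArmor denies the user namespace with EACCES) so the next reader does not have to ask, as a reviewer does later in this thread. The hints branch `if (errno == EPERM || errno == ENOSPC || errno == EACCES)` is the right place for it, because the new `apparmor_restrict_unprivileged_userns` row is what makes an EACCES failure explainable.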

base-commit: 42cc619dfbc44e263239c2de870bae11ad65810a
-- 
2.40.1



* Re: [PATCH] test-container: gracefully handle AppArmor containment
  2024-02-01 12:01 [PATCH] test-container: gracefully handle AppArmor containment Simon Chopin
@ 2024-02-01 12:20 ` Xi Ruoyao
  2024-02-06 11:01   ` Simon Chopin
  2024-02-06 10:59 ` [PATCH v2] tests: gracefully handle AppArmor userns containment Simon Chopin
  1 sibling, 1 reply; 7+ messages in thread
From: Xi Ruoyao @ 2024-02-01 12:20 UTC (permalink / raw)
  To: Simon Chopin, libc-alpha

On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote:
> Recent AppArmor containment allows restricting unprivileged user
> namespaces, which is enabled by default on recent Ubuntu systems.
> 
> When that happens, the affected tests will now be considered unsupported
> rather than simply failing.
> 
> Further information:
> 
> * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> 
> Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> ---
>  support/test-container.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/support/test-container.c b/support/test-container.c
> index adf2b30215..a04ae07807 100644
> --- a/support/test-container.c
> +++ b/support/test-container.c
> @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns)
>      { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
>      /* ALT Linux has an alternate way of doing the same.  */
>      { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> +    /* AppArmor can also disable unprivileged user namespaces */
> +    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
> +    { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },

Why are you duplicating this entry?

-- 
Xi Ruoyao <xry111@xry111.site>
School of Aerospace Science and Technology, Xidian University


* [PATCH v2] tests: gracefully handle AppArmor userns containment
  2024-02-01 12:01 [PATCH] test-container: gracefully handle AppArmor containment Simon Chopin
  2024-02-01 12:20 ` Xi Ruoyao
@ 2024-02-06 10:59 ` Simon Chopin
  2024-02-13  7:36   ` Maxim Kuvyrkov
  1 sibling, 1 reply; 7+ messages in thread
From: Simon Chopin @ 2024-02-06 10:59 UTC (permalink / raw)
  To: libc-alpha; +Cc: Simon Chopin

Recent AppArmor containment allows restricting unprivileged user
namespaces, which is enabled by default on recent Ubuntu systems.

When that happens, the affected tests will now be considered unsupported
rather than simply failing.

Further information:

* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

V2:
* Fix duplicated line in check_unshare_hints
* Also handle similar failure in tst-pidfd_getpid

Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
---
 support/test-container.c                   | 7 +++++--
 sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/support/test-container.c b/support/test-container.c
index adf2b30215..af66cece51 100644
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns)
     { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
     /* ALT Linux has an alternate way of doing the same.  */
     { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
+    /* AppArmor can also disable unprivileged user namespaces */
+    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
     /* Linux kernel >= 4.9 has a configurable limit on the number of
        each namespace.  Some distros set the limit to zero to disable the
        corresponding namespace as a "security policy".  */
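Review bot: the new comment `/* AppArmor can also disable unprivileged user namespaces */` is missing the terminating period and two spaces that the neighbouring comments use; write `/* AppArmor can also disable unprivileged user namespaces.  */`. It is also worth recording the value semantics there, because this row treats 1 as the restricting value and 0 as the fix, the opposite of the `unprivileged_userns_clone` row two lines above, and a reader scanning the table cannot tell that from the numbers alone.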
@@ -1108,10 +1110,11 @@ main (int argc, char **argv)
     {
       /* Older kernels may not support all the options, or security
 	 policy may block this call.  */
-      if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+      if (errno == EINVAL || errno == EPERM
+          || errno == ENOSPC || errno == EACCES)
 	{
 	  int saved_errno = errno;
-	  if (errno == EPERM || errno == ENOSPC)
+	  if (errno == EPERM || errno == ENOSPC || errno == EACCES)
 	    check_for_unshare_hints (require_pidns);
 	  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
 	}
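Review bot: the errno set is now written out twice, once in the outer `if (errno == EINVAL || errno == EPERM || errno == ENOSPC || errno == EACCES)` and once in the inner `if (errno == EPERM || errno == ENOSPC || errno == EACCES)` that gates check_for_unshare_hints, and nothing says why the inner list drops EINVAL; a one-line comment on the inner `if` (EINVAL means the kernel lacks the namespace type, so no sysctl hint can apply) would keep the two lists from drifting the next time an errno is added, as EACCES was here.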
diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
index 0354da5abb..ef62fbe941 100644
--- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
+++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
@@ -61,7 +61,8 @@ do_test (void)
 	  {
 	    /* Older kernels may not support all the options, or security
 	       policy may block this call.  */
-	    if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+	    if (errno == EINVAL || errno == EPERM
+	        || errno == ENOSPC || errno == EACCES)
 	      exit (EXIT_UNSUPPORTED);
 	    FAIL_EXIT1 ("unshare user/fs/pid failed: %m");
 	  }
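Review bot: on the extended condition this test leaves with a bare `exit (EXIT_UNSUPPORTED);` and never reports which errno was hit, unlike the test-container change in the same patch, which prints the strerror text; replace it with `FAIL_UNSUPPORTED ("unshare user/fs/pid failed: %m");` so a run that is unexpectedly skipped on a CI host can be distinguished from a genuinely restricted one. The `FAIL_EXIT1 ("unshare user/fs/pid failed: %m");` on the next line already shows the format to reuse.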

base-commit: fa3eb7d5e7d32ca1ad48b48a7eb6d15b8382c3a7
-- 
2.40.1



* Re: [PATCH] test-container: gracefully handle AppArmor containment
  2024-02-01 12:20 ` Xi Ruoyao
@ 2024-02-06 11:01   ` Simon Chopin
  0 siblings, 0 replies; 7+ messages in thread
From: Simon Chopin @ 2024-02-06 11:01 UTC (permalink / raw)
  To: Xi Ruoyao; +Cc: libc-alpha

Hi,

On Thu, 01 Feb 2024 20:20:09, Xi Ruoyao wrote:
> On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote:
> > Recent AppArmor containment allows restricting unprivileged user
> > namespaces, which is enabled by default on recent Ubuntu systems.
> >
> > When that happens, the affected tests will now be considered unsupported
> > rather than simply failing.
> >
> > Further information:
> >
> > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> >
> > Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> > ---
> >  support/test-container.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/support/test-container.c b/support/test-container.c
> > index adf2b30215..a04ae07807 100644
> > --- a/support/test-container.c
> > +++ b/support/test-container.c
> > @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns)
> >      { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
> >      /* ALT Linux has an alternate way of doing the same.  */
> >      { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> > +    /* AppArmor can also disable unprivileged user namespaces */
> > +    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
> > +    { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },
>
> Why are you duplicating this entry?

My mistake. This is fixed in the second revision of the patch.

Thanks!


* Re: [PATCH v2] tests: gracefully handle AppArmor userns containment
  2024-02-06 10:59 ` [PATCH v2] tests: gracefully handle AppArmor userns containment Simon Chopin
@ 2024-02-13  7:36   ` Maxim Kuvyrkov
  2024-02-14  7:53     ` Florian Weimer
  2024-02-16 15:57     ` Simon Chopin
  0 siblings, 2 replies; 7+ messages in thread
From: Maxim Kuvyrkov @ 2024-02-13  7:36 UTC (permalink / raw)
  To: Simon Chopin; +Cc: GNU C Library, Xi Ruoyao

> On Feb 6, 2024, at 14:59, Simon Chopin <simon.chopin@canonical.com> wrote:
> 
> Recent AppArmor containment allows restricting unprivileged user
> namespaces, which is enabled by default on recent Ubuntu systems.
> 
> When that happens, the affected tests will now be considered unsupported
> rather than simply failing.
> 
> Further information:
> 
> * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> 
> V2:
> * Fix duplicated line in check_unshare_hints
> * Also handle similar failure in tst-pidfd_getpid

Looks good, with below comments addressed.

Please CC reviewers of the previous versions of the patch -- Xi Ruoyao in this case.

> 
> Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> ---
> support/test-container.c                   | 7 +++++--
> sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++-
> 2 files changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/support/test-container.c b/support/test-container.c
> index adf2b30215..af66cece51 100644
> --- a/support/test-container.c
> +++ b/support/test-container.c
> @@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns)
>     { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
>     /* ALT Linux has an alternate way of doing the same.  */
>     { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> +    /* AppArmor can also disable unprivileged user namespaces */

GNU coding style is to finish comment sentences with a dot, followed by two spaces.  E.g.,
/* My new comment.  */

> +    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
>     /* Linux kernel >= 4.9 has a configurable limit on the number of
>        each namespace.  Some distros set the limit to zero to disable the
>        corresponding namespace as a "security policy".  */
> @@ -1108,10 +1110,11 @@ main (int argc, char **argv)
>     {
>       /* Older kernels may not support all the options, or security
> policy may block this call.  */
> -      if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
> +      if (errno == EINVAL || errno == EPERM
> +          || errno == ENOSPC || errno == EACCES)

Where is EACCES coming from?  I could not find documentation mentioning EACCES as a possible error condition for unshare().

> {
>  int saved_errno = errno;
> -  if (errno == EPERM || errno == ENOSPC)
> +  if (errno == EPERM || errno == ENOSPC || errno == EACCES)
>    check_for_unshare_hints (require_pidns);
>  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
> }
> diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> index 0354da5abb..ef62fbe941 100644
> --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> @@ -61,7 +61,8 @@ do_test (void)
>  {
>    /* Older kernels may not support all the options, or security
>       policy may block this call.  */
> -    if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
> +    if (errno == EINVAL || errno == EPERM
> +        || errno == ENOSPC || errno == EACCES)
>      exit (EXIT_UNSUPPORTED);
>    FAIL_EXIT1 ("unshare user/fs/pid failed: %m");
>  }
> 
> base-commit: fa3eb7d5e7d32ca1ad48b48a7eb6d15b8382c3a7
> -- 
> 2.40.1
> 

Thanks,

--
Maxim Kuvyrkov
https://www.linaro.org




* Re: [PATCH v2] tests: gracefully handle AppArmor userns containment
  2024-02-13  7:36   ` Maxim Kuvyrkov
@ 2024-02-14  7:53     ` Florian Weimer
  2024-02-16 15:57     ` Simon Chopin
  1 sibling, 0 replies; 7+ messages in thread
From: Florian Weimer @ 2024-02-14  7:53 UTC (permalink / raw)
  To: Maxim Kuvyrkov; +Cc: Simon Chopin, GNU C Library, Xi Ruoyao

* Maxim Kuvyrkov:

> Where is EACCES coming from?  I could not find documentation
> mentioning EACCES as a possible error condition for unshare().

Presumably a seccomp filter or a Linux security module.  We don't do
that error code translation in the main library (e.g., for clone3), but
it has crept into the test suite over time.

Thanks,
Florian



* Re: [PATCH v2] tests: gracefully handle AppArmor userns containment
  2024-02-13  7:36   ` Maxim Kuvyrkov
  2024-02-14  7:53     ` Florian Weimer
@ 2024-02-16 15:57     ` Simon Chopin
  1 sibling, 0 replies; 7+ messages in thread
From: Simon Chopin @ 2024-02-16 15:57 UTC (permalink / raw)
  To: Maxim Kuvyrkov; +Cc: GNU C Library, Xi Ruoyao

Hi Maxim,

On Tue, 13 Feb 2024 11:36:34, Maxim Kuvyrkov wrote:
> > On Feb 6, 2024, at 14:59, Simon Chopin <simon.chopin@canonical.com> wrote:
> >
> > Recent AppArmor containment allows restricting unprivileged user
> > namespaces, which is enabled by default on recent Ubuntu systems.
> >
> > When that happens, the affected tests will now be considered unsupported
> > rather than simply failing.
> >
> > Further information:
> >
> > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> >
> > V2:
> > * Fix duplicated line in check_unshare_hints
> > * Also handle similar failure in tst-pidfd_getpid
>
> Looks good, with below comments addressed.
>
> Please CC reviewers of the previous versions of the patch -- Xi Ruoyao in this case.

ACK

>
> >
> > Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> > ---
> > support/test-container.c                   | 7 +++++--
> > sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++-
> > 2 files changed, 7 insertions(+), 3 deletions(-)
> >
> > diff --git a/support/test-container.c b/support/test-container.c
> > index adf2b30215..af66cece51 100644
> > --- a/support/test-container.c
> > +++ b/support/test-container.c
> > @@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns)
> >     { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
> >     /* ALT Linux has an alternate way of doing the same.  */
> >     { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> > +    /* AppArmor can also disable unprivileged user namespaces */
>
> GNU coding style is to finish comment sentences with a dot, followed by two spaces.  E.g.,
> /* My new comment.  */

ACK

>
> > +    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
> >     /* Linux kernel >= 4.9 has a configurable limit on the number of
> >        each namespace.  Some distros set the limit to zero to disable the
> >        corresponding namespace as a "security policy".  */
> > @@ -1108,10 +1110,11 @@ main (int argc, char **argv)
> >     {
> >       /* Older kernels may not support all the options, or security
> > policy may block this call.  */
> > -      if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
> > +      if (errno == EINVAL || errno == EPERM
> > +          || errno == ENOSPC || errno == EACCES)
>
> Where is EACCES coming from?  I could not find documentation mentioning EACCES as a possible error condition for unshare().

This is injected by AppArmor when it prevents a syscall. According to
coworkers it's a fairly standard value for LSM modules, and some cursory
source code sleuthing points the same way, but the only instance of
actual documentation that mentions this is a mention in passing in
https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html

I'll add some more info about it in the commit log.

>
> > {
> >  int saved_errno = errno;
> > -  if (errno == EPERM || errno == ENOSPC)
> > +  if (errno == EPERM || errno == ENOSPC || errno == EACCES)
> >    check_for_unshare_hints (require_pidns);
> >  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
> > }
> > diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> > index 0354da5abb..ef62fbe941 100644
> > --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> > +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> > @@ -61,7 +61,8 @@ do_test (void)
> >  {
> >    /* Older kernels may not support all the options, or security
> >       policy may block this call.  */
> > -    if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
> > +    if (errno == EINVAL || errno == EPERM
> > +        || errno == ENOSPC || errno == EACCES)
> >      exit (EXIT_UNSUPPORTED);
> >    FAIL_EXIT1 ("unshare user/fs/pid failed: %m");
> >  }
> >
> > base-commit: fa3eb7d5e7d32ca1ad48b48a7eb6d15b8382c3a7
> > --
> > 2.40.1
> >
>
> Thanks,
>
> --
> Maxim Kuvyrkov
> https://www.linaro.org
>
>

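The two points the thread settles, the errno set that marks an unshare failure as "unsupported" rather than a test bug and the sysctl hints that explain such a failure, are pulled together in the added C example below. It is not glibc's code: it attempts unshare(CLONE_NEWUSER | CLONE_NEWNS) through the raw syscall, classifies the errno exactly as the v2 patch does, and walks a hint table built from the rows visible in the patch. The four-field row layout (path, value that means disabled, value to suggest, PID-namespace-only flag) is inferred from those rows and is an assumption about glibc's table; exit status 77 is the glibc/automake convention for UNSUPPORTED.

```c
/* Added example (not glibc's code): the "unsupported, not a failure"
   classification from the patch and the sysctl-hint lookup that explains
   it.  The hint-row layout is inferred from the rows shown in the patch
   and is an assumption about glibc's table.  */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Values from <linux/sched.h>, repeated so the block does not depend on
   feature-test-macro ordering.  */
#ifndef CLONE_NEWNS
# define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
# define CLONE_NEWUSER 0x10000000
#endif

struct unshare_hint
{
  const char *path;
  int bad_value;   /* Value meaning "namespace creation disabled".  */
  int good_value;  /* Value to suggest instead.  */
  int for_pidns;   /* Hint only applies when a PID namespace is wanted.  */
};

/* The rows visible in the patch.  Note the AppArmor sysctl reads 1 when
   the restriction is on, the reverse of unprivileged_userns_clone.  */
const struct unshare_hint hints[] = {
  { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
  { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
  { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
  { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },
};
const int hint_count = sizeof hints / sizeof hints[0];

/* The errno set the v2 patch treats as UNSUPPORTED: EINVAL (kernel lacks
   the namespace type), EPERM/ENOSPC (sysctl policy), EACCES (LSM denial,
   which is what AppArmor returns).  Anything else is a real failure.  */
int is_unshare_unsupported (int err)
{
  return err == EINVAL || err == EPERM || err == ENOSPC || err == EACCES;
}

/* Parse the text of a /proc/sys file such as "1\n".  Returns the value,
   or -1 if the text is not a single non-negative integer.  */
int parse_sysctl_value (const char *text)
{
  char *end;
  long v;
  errno = 0;
  v = strtol (text, &end, 10);
  if (end == text || errno != 0 || v < 0)
    return -1;
  while (*end == ' ' || *end == '\t' || *end == '\n')
    end++;
  return *end == '\0' ? (int) v : -1;
}

/* A hint explains the failure if the file holds its "bad" value and the
   hint applies to the namespaces that were requested.  */
int hint_triggered (const struct unshare_hint *h, int value, int require_pidns)
{
  if (h->for_pidns && !require_pidns)
    return 0;
  return value == h->bad_value;
}

/* Read and parse one sysctl file; -1 if absent (e.g. no AppArmor).  */
static int read_sysctl (const char *path)
{
  char buf[64];
  FILE *f = fopen (path, "r");
  if (f == NULL)
    return -1;
  int v = fgets (buf, sizeof buf, f) ? parse_sysctl_value (buf) : -1;
  fclose (f);
  return v;
}

/* unshare(2) via the raw syscall; returns 0 or the errno value.  */
int try_unshare (int flags)
{
  return syscall (SYS_unshare, flags) == 0 ? 0 : errno;
}

int main (void)
{
  int err = try_unshare (CLONE_NEWUSER | CLONE_NEWNS);
  if (err == 0)
    {
      puts ("unshare (CLONE_NEWUSER | CLONE_NEWNS): ok");
      return 0;
    }
  printf ("unshare failed: %s\n", strerror (err));
  if (!is_unshare_unsupported (err))
    return 1;  /* Not a policy denial: a genuine failure.  */
  for (int i = 0; i < hint_count; i++)
    {
      int v = read_sysctl (hints[i].path);
      if (v >= 0 && hint_triggered (&hints[i], v, 0))
        printf ("hint: %s = %d; set it to %d to allow the namespace\n",
                hints[i].path, v, hints[i].good_value);
    }
  return 77;  /* UNSUPPORTED in the glibc/automake test convention.  */
}
```

Run it unprivileged on an Ubuntu 23.10 or later host with the restriction enabled and it prints the EACCES text followed by the `apparmor_restrict_unprivileged_userns = 1` hint; on a host where only the `max_pid_namespaces` limit is zeroed the hint stays silent, because that row is flagged for PID namespaces and the example requests none.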
