From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=SrME=JZ=canonical.com=simon.chopin@sourceware.org>
Received: from smtp-relay-internal-0.canonical.com (smtp-relay-internal-0.canonical.com [185.125.188.122])
	by sourceware.org (Postfix) with ESMTPS id B9DD538582A5
	for <libc-alpha@sourceware.org>; Fri, 16 Feb 2024 15:57:24 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org B9DD538582A5
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=canonical.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=canonical.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org B9DD538582A5
Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=185.125.188.122
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1708099047; cv=none;
	b=C/9DglRHUBYzVeOWaZ8afSwY3txNRYQpT7F/GLtdPS8WkKJwtHxNZPLHEa9wafpxh0zUqfUH1O2UbRZZKrRRg2dz58e+6rdnW0VoUsBvZ3vghuVVyELgK2S+3m8OPkqFZkcQhCrMLr0Uq5AZnRVwEM74HGzsj+LnrprgUAmFNHQ=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1708099047; c=relaxed/simple;
	bh=xhOFGmaHfEYNbR3MA7HOtrzGXFlw32P6TAgSTgfG3GI=;
	h=DKIM-Signature:From:MIME-Version:Date:Message-ID:Subject:To; b=FCISe9sWQ26KPllvmIj/sjSmByg3E0b33XkFf1astINEAfvs/vL+1fi356B/GPVkr9/KeglL2SKXlXDJNaBuhOOV1P6uvRQs6ikVtJdE+RnHJ5Fva4/bt7gzbDuaKgVNHKxPR7MA5wq8Hl8aiS6kC+TG4uqZuxzPaBvJXp3yyPQ=
ARC-Authentication-Results: i=1; server2.sourceware.org
Received: from mail-pl1-f198.google.com (mail-pl1-f198.google.com [209.85.214.198])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 4FF1640FBF
	for <libc-alpha@sourceware.org>; Fri, 16 Feb 2024 15:57:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
	s=20210705; t=1708099043;
	bh=YC9O//Nx4swPT4D1nCBzLY8DJdbna8dqs5BzTT63atw=;
	h=From:MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:
	 To:Cc:Content-Type;
	b=U0OqdjSsmgnhaP9sn27aioX6UCkicqL7AFeT4HF42qy8dI/lOCGKoxcCexJgwtjNJ
	 afMc6AJknVG1qVzvs0yCgkYPXbOTba7y9U708/jnPvEDwTybyWREe6tPhddDK7QQ1+
	 nXGTogj7sb6aKNblxlpNXfulRB1CecVXGiFHi+eefN/cUG42F9apZunh6oQmMqDh8f
	 koXRUhhZ6nHk4L785h6S83ta8kMbak/n1kYuJUXfzjzCS8nquOXHgFxsiqVu4cd75v
	 JGmANIrJ1xoAsKU0x5tT6YxSgOGZ2sQ/w+dOVUusbOYR294r7hds6HdUh2xpVVI75Q
	 L6NiAtb8UCsJg==
Received: by mail-pl1-f198.google.com with SMTP id d9443c01a7336-1d486bce39bso19249635ad.1
        for <libc-alpha@sourceware.org>; Fri, 16 Feb 2024 07:57:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1708099041; x=1708703841;
        h=content-transfer-encoding:cc:to:subject:message-id:date:references
         :in-reply-to:mime-version:user-agent:from:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=YC9O//Nx4swPT4D1nCBzLY8DJdbna8dqs5BzTT63atw=;
        b=eMKmtxy6FF5KqcHdcRA12OmjvT4YmI7iHJl+ybLVXK+d8qK/h0wcGK06vVdOnZXSPu
         1JXKz51WMr5fIQrBgHR7gn+PFHyzeMhJNP8N2jFVh2j6juoWpR+fwoelq3yTd511ofll
         Hs0PJaLZt4PZ7uj7nu0kkF0xQ8YcK+OnZmTkLcH1mpzdvkWEo5U4CgAJAndz6grMo+FS
         OK23mNBBWYWWQ2l7WBx+pq8yyU6yFpusq6rirNK0TtqJoISfriESdozfhM7bgjxehMyu
         8ty/CaRSAMYDkgeVgke6LdlN7GlqCR1/rYXywvFxx3gIHIl9Or7ZeGVNebBdAzHr7EaK
         6vzQ==
X-Gm-Message-State: AOJu0YxlFJp1MiIrMD3iBBWJ0wMNPJpOCT8pLO7hXvYzOj0RWEBTEQj5
	i2KEGOlSlbU2vs3ZWklc1a7WFz2ahbyt/UcprVpgd0tT4EXMbl6u0O5E5NC14HcgHLVOPMpr63T
	Vpb/mudkAypxKoKd//Ik1XECkfGsY/E/sdvc2Fo87KO0BJ/87/0Hcusk9n9oY54PeGSStzFbQyt
	49XntC09rQOT6KPpbnrC0s1kDLUQdKvW9K+ty/dVZ+2S3OGKgl
X-Received: by 2002:a17:903:230b:b0:1d9:5b75:4602 with SMTP id d11-20020a170903230b00b001d95b754602mr7388276plh.7.1708099041413;
        Fri, 16 Feb 2024 07:57:21 -0800 (PST)
X-Google-Smtp-Source: AGHT+IEdM/0rTZXrTELy8gDZn0vvqzXp/D9F0uZ2tDTpnZj3Zcig6aYVUuO/tp2LaXJYDCHvMQvDJlPGslVsIdmXdHU=
X-Received: by 2002:a17:903:230b:b0:1d9:5b75:4602 with SMTP id
 d11-20020a170903230b00b001d95b754602mr7388265plh.7.1708099041105; Fri, 16 Feb
 2024 07:57:21 -0800 (PST)
Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Fri, 16 Feb 2024 15:57:20 +0000
From: Simon Chopin <simon.chopin@canonical.com>
User-Agent: Dodo
MIME-Version: 1.0
In-Reply-To: <CB9608D8-73AF-4A6F-B07D-B604378E8B5C@linaro.org>
References: <20240201120104.143973-1-simon.chopin@canonical.com>
 <20240206105932.127820-1-simon.chopin@canonical.com> <CB9608D8-73AF-4A6F-B07D-B604378E8B5C@linaro.org>
Date: Fri, 16 Feb 2024 15:57:20 +0000
Message-ID: <CAOOWow1vz=aJ7Jd+_Ry=JMhPYBoSgnYNhK-OW1N_pbnJv57yzw@mail.gmail.com>
Subject: Re: [PATCH v2] tests: gracefully handle AppArmor userns containment
To: Maxim Kuvyrkov <maxim.kuvyrkov@linaro.org>
Cc: GNU C Library <libc-alpha@sourceware.org>, Xi Ruoyao <xry111@xry111.site>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-10.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,RCVD_IN_SORBS_WEB,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <libc-alpha.sourceware.org>

Hi Maxim,

On mar. 13 f=C3=A9vr. 2024 11:36:34, Maxim Kuvyrkov wrote:
> > On Feb 6, 2024, at 14:59, Simon Chopin <simon.chopin@canonical.com> wro=
te:
> >
> > Recent AppArmor containment allows restricting unprivileged user
> > namespaces, which is enabled by default on recent Ubuntu systems.
> >
> > When that happens, the affected tests will now be considered unsupporte=
d
> > rather than simply failing.
> >
> > Further information:
> >
> > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_rest=
riction
> > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-nam=
espaces
> >
> > V2:
> > * Fix duplicated line in check_unshare_hints
> > * Also handle similar failure in tst-pidfd_getpid
>
> Looks good, with below comments addressed.
>
> Please CC reviewers of the previous versions of the patch -- Xi Ruoyao in=
 this case.

ACK

>
> >
> > Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
> > ---
> > support/test-container.c                   | 7 +++++--
> > sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++-
> > 2 files changed, 7 insertions(+), 3 deletions(-)
> >
> > diff --git a/support/test-container.c b/support/test-container.c
> > index adf2b30215..af66cece51 100644
> > --- a/support/test-container.c
> > +++ b/support/test-container.c
> > @@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns)
> >     { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
> >     /* ALT Linux has an alternate way of doing the same.  */
> >     { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
> > +    /* AppArmor can also disable unprivileged user namespaces */
>
> GNU coding style is to finish comment sentences with a dot, followed by t=
wo spaces.  E.g.,
> /* My new comment.  */

ACK

>
> > +    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, =
0 },
> >     /* Linux kernel >=3D 4.9 has a configurable limit on the number of
> >        each namespace.  Some distros set the limit to zero to disable t=
he
> >        corresponding namespace as a "security policy".  */
> > @@ -1108,10 +1110,11 @@ main (int argc, char **argv)
> >     {
> >       /* Older kernels may not support all the options, or security
> > policy may block this call.  */
> > -      if (errno =3D=3D EINVAL || errno =3D=3D EPERM || errno =3D=3D EN=
OSPC)
> > +      if (errno =3D=3D EINVAL || errno =3D=3D EPERM
> > +          || errno =3D=3D ENOSPC || errno =3D=3D EACCES)
>
> Where is EACCES coming from?  I could not find documentation mentioning E=
ACCES as a possible error condition for unshare().

This is injected by AppArmor when it prevents a syscall. According to
coworkers it's a fairly standard value for LSM modules, and some cursory
code source sleuthing goes in that sense, but the only instance of
actual documentation that mentions this is a mention in passing in
https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html

I'll add some more info about it in the commit log.

>
> > {
> >  int saved_errno =3D errno;
> > -  if (errno =3D=3D EPERM || errno =3D=3D ENOSPC)
> > +  if (errno =3D=3D EPERM || errno =3D=3D ENOSPC || errno =3D=3D EACCES=
)
> >    check_for_unshare_hints (require_pidns);
> >  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_err=
no));
> > }
> > diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/=
sysv/linux/tst-pidfd_getpid.c
> > index 0354da5abb..ef62fbe941 100644
> > --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> > +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
> > @@ -61,7 +61,8 @@ do_test (void)
> >  {
> >    /* Older kernels may not support all the options, or security
> >       policy may block this call.  */
> > -    if (errno =3D=3D EINVAL || errno =3D=3D EPERM || errno =3D=3D ENOS=
PC)
> > +    if (errno =3D=3D EINVAL || errno =3D=3D EPERM
> > +        || errno =3D=3D ENOSPC || errno =3D=3D EACCES)
> >      exit (EXIT_UNSUPPORTED);
> >    FAIL_EXIT1 ("unshare user/fs/pid failed: %m");
> >  }
> >
> > base-commit: fa3eb7d5e7d32ca1ad48b48a7eb6d15b8382c3a7
> > --
> > 2.40.1
> >
>
> Thanks,
>
> --
> Maxim Kuvyrkov
> https://www.linaro.org
>
>