From: Simon Chopin
Date: Fri, 16 Feb 2024 15:57:20 +0000
Subject: Re: [PATCH v2] tests: gracefully handle AppArmor userns containment
To: Maxim Kuvyrkov
Cc: GNU C Library, Xi Ruoyao

Hi Maxim,

On mar. 13 févr. 2024 11:36:34, Maxim Kuvyrkov wrote:
> > On Feb 6, 2024, at 14:59, Simon Chopin wrote:
> >
> > Recent AppArmor containment allows restricting unprivileged user
> > namespaces, which is enabled by default on recent Ubuntu systems.
> >
> > When that happens, the affected tests will now be considered unsupported
> > rather than simply failing.
> >
> > Further information:
> >
> > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> >
> > V2:
> > * Fix duplicated line in check_unshare_hints
> > * Also handle similar failure in tst-pidfd_getpid
>
> Looks good, with below comments addressed.
>
> Please CC reviewers of the previous versions of the patch -- Xi Ruoyao in this case.

ACK

> >
> > Signed-off-by: Simon Chopin
> > --- > > support/test-container.c | 7 +++++-- > > sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++- > > 2 files changed, 7 insertions(+), 3 deletions(-) > > > > diff --git a/support/test-container.c b/support/test-container.c > > index adf2b30215..af66cece51 100644 > > --- a/support/test-container.c
> > +++ b/support/test-container.c > > @@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns) > > { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 }, > > /* ALT Linux has an alternate way of doing the same. */ > > { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, > > + /* AppArmor can also disable unprivileged user namespaces */
>
> GNU coding style is to finish comment sentences with a dot, followed by two spaces. E.g.,
> /* My new comment.  */

ACK

>
> > + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, = 0 }, > > /* Linux kernel >=3D 4.9 has a configurable limit on the number of > > each namespace. Some distros set the limit to zero to disable t= he > > corresponding namespace as a "security policy". */ > > @@ -1108,10 +1110,11 @@ main (int argc, char **argv) > > { > > /* Older kernels may not support all the options, or security > > policy may block this call. */ > > - if (errno =3D=3D EINVAL || errno =3D=3D EPERM || errno =3D=3D EN= OSPC) > > + if (errno =3D=3D EINVAL || errno =3D=3D EPERM > > + || errno =3D=3D ENOSPC || errno =3D=3D EACCES)
>
> Where is EACCES coming from? I could not find documentation mentioning EACCES as a possible error condition for unshare().

This is injected by AppArmor when it prevents a syscall. According to
coworkers it's a fairly standard value for LSM modules, and some cursory
code source sleuthing goes in that sense, but the only instance of
actual documentation that mentions this is a mention in passing in
https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html

I'll add some more info about it in the commit log.

>
> > { > > int saved_errno =3D errno; > > - if (errno =3D=3D EPERM || errno =3D=3D ENOSPC) > > + if (errno =3D=3D EPERM || errno =3D=3D ENOSPC || errno =3D=3D EACCES= ) > > check_for_unshare_hints (require_pidns); > > FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_err= no)); > > }
> > diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/= sysv/linux/tst-pidfd_getpid.c > > index 0354da5abb..ef62fbe941 100644 > > --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > > +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > > @@ -61,7 +61,8 @@ do_test (void) > > { > > /* Older kernels may not support all the options, or security > > policy may block this call. */ > > - if (errno =3D=3D EINVAL || errno =3D=3D EPERM || errno =3D=3D ENOS= PC) > > + if (errno =3D=3D EINVAL || errno =3D=3D EPERM > > + || errno =3D=3D ENOSPC || errno =3D=3D EACCES) > > exit (EXIT_UNSUPPORTED); > > FAIL_EXIT1 ("unshare user/fs/pid failed: %m"); > > } > > > > base-commit: fa3eb7d5e7d32ca1ad48b48a7eb6d15b8382c3a7 > > -- > > 2.40.1
> >
>
> Thanks,
>
> --
> Maxim Kuvyrkov
> https://www.linaro.org
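
Review bot: In the main () hunk of support/test-container.c, EACCES joins the accepted errno values but the comment above the check still only says "security policy may block this call", while the thread itself notes that unshare() documentation does not list EACCES. Extend that comment to say that EACCES is what AppArmor returns when it denies the call, so the reason sits next to the code and not only in the commit log. The errno list is also spelled out twice, in the outer check and in the inner one guarding check_for_unshare_hints; since the inner set is the outer set minus EINVAL, the inner test could be written as `if (errno != EINVAL)` so the two lists cannot drift apart when the next value is added.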
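
Review bot: In do_test of sysdeps/unix/sysv/linux/tst-pidfd_getpid.c, the widened check still ends in a bare `exit (EXIT_UNSUPPORTED);`, so a run skipped because of EACCES leaves nothing in the test log about which errno caused it. Consider reporting the reason the way the test-container.c hunk does, for example with FAIL_UNSUPPORTED and a "%m" message, so that an AppArmor denial can be told apart from an old-kernel EINVAL when reading results.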
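
The errno set and sysctl hints discussed in this thread, combined into a stand-alone probe; this is an added example, not part of the patch or of glibc. The function names are hypothetical, and it assumes that the first number in each sysctl table entry of the patch is the value that blocks user namespaces.

```c
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWUSER */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Call unshare (CLONE_NEWUSER) via the raw syscall in a child, so the caller's
   namespaces stay untouched.  Returns 0 on success, else the child's errno
   (Linux errno values fit in the 8-bit exit status).  */
int probe_userns(void) {
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : errno);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
}

/* Read an integer sysctl; -1 if the file is missing or unparsable.  */
long read_sysctl(const char *path) {
    long v = -1;
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* NULL if ERR is not in the errno set the patch maps to UNSUPPORTED, else the
   sysctl explaining it.  Assumed: each entry's first number is the blocking value.  */
const char *userns_hint(int err) {
    static const struct { const char *path; long blocked; } hints[] = {
        { "/proc/sys/kernel/unprivileged_userns_clone", 0 },
        { "/proc/sys/kernel/userns_restrict", 1 },
        { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1 } };
    if (err != EINVAL && err != EPERM && err != ENOSPC && err != EACCES) return NULL;
    for (size_t i = 0; i < sizeof hints / sizeof hints[0]; i++)
        if (read_sysctl(hints[i].path) == hints[i].blocked) return hints[i].path;
    return "no sysctl hint matched";
}

int main(void) {
    int err = probe_userns();
    const char *hint = userns_hint(err);
    printf("unshare(CLONE_NEWUSER): %s -> %s\n", err ? strerror(err) : "ok",
           err == 0 ? "usable" : hint ? hint : "FAIL (unexpected errno)");
    return 0;
}
```

On a host where the probe fails, the printed path names the sysctl to inspect before treating the result as a test failure.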