From: Simon Chopin
Date: Tue, 6 Feb 2024 12:01:38 +0100
Subject: Re: [PATCH] test-container: gracefully handle AppArmor containment
To: Xi Ruoyao
Cc: libc-alpha@sourceware.org
References: <20240201120104.143973-1-simon.chopin@canonical.com>

Hi,

On Thu, 01 Feb 2024 20:20:09, Xi Ruoyao wrote:
> On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote:
> > Recent AppArmor containment allows restricting unprivileged user
> > namespaces, which is enabled by default on recent Ubuntu systems.
> >
> > When that happens, the affected tests will now be considered unsupported
> > rather than simply failing.
> >
> > Further information:
> >
> > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> >
> > Signed-off-by: Simon Chopin
> > ---
> >  support/test-container.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/support/test-container.c b/support/test-container.c > > index adf2b30215..a04ae07807 100644 > > --- a/support/test-container.c > > +++ b/support/test-container.c
> > @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns) > > =C2=A0=C2=A0=C2=A0=C2=A0 { "/proc/sys/kernel/unprivileged_userns_clone"= , 0, 1, 0 }, > > =C2=A0=C2=A0=C2=A0=C2=A0 /* ALT Linux has an alternate way of doing the= same.=C2=A0 */ > > =C2=A0=C2=A0=C2=A0=C2=A0 { "/proc/sys/kernel/userns_restrict", 1, 0, 0 = }, > > +=C2=A0=C2=A0=C2=A0 /* AppArmor can also disable unprivileged user name= spaces */ > > +=C2=A0=C2=A0=C2=A0 { "/proc/sys/kernel/apparmor_restrict_unprivileged_= userns", 1, 0, 0 }, > > +=C2=A0=C2=A0=C2=A0 { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 }= , > > Why are you duplicating this entry? My mistake. This is fixed in the second revision of the patch. Thanks!
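Review bot: the added `/proc/sys/user/max_pid_namespaces` row, placed directly under the new AppArmor comment, repeats an entry the table already has according to the question quoted above, and its position makes it read as an AppArmor setting; drop that `+` line so the hunk adds only the `apparmor_restrict_unprivileged_userns` row. The new comment should also end with a period and two spaces before `*/`, matching the ALT Linux comment just above it.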