From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from xry111.site (xry111.site [89.208.246.23]) by sourceware.org (Postfix) with ESMTPS id 631F73858D33 for ; Thu, 1 Feb 2024 12:20:15 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 631F73858D33 Authentication-Results: sourceware.org; dmarc=pass (p=reject dis=none) header.from=xry111.site Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=xry111.site ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 631F73858D33 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=89.208.246.23 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1706790017; cv=none; b=WwFk6MGGrGWhpBp5ALHn6fQBt0VQeT0BYSrn+qIXurCC57XuD6rEdMI5xFnkqXtSuvrNa0yWB5IcNFokx8/gCt8h6bFswwClVRGmnhiDeKOIfmxeOGPgKZeVBHaSiyAAfuUZs5ZGIbkEa76sC7+0WoNCTWRb3D8+GAUp5VcggfI= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1706790017; c=relaxed/simple; bh=9k52RgKtAjP4PqUoGIMTowUs/lHPmq1+ECEk9kNa9SM=; h=DKIM-Signature:Message-ID:Subject:From:To:Date:MIME-Version; b=Jw0LUSBV1yFMgD3IkWOw6L2AFGRdnj9LX+UnFCs5zIaDP0dCQ766erBG2gG9X81pQClbMuVe8cohOFgij52GEZPBL1xSQNCYaw6BLfEDYH1gDp111HuFe44yI3xlEXCACtxSQ1ZZdAl0JmKHH4qNLKjXX8XApX8Db8zXCxUAmVI= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xry111.site; s=default; t=1706790014; bh=9k52RgKtAjP4PqUoGIMTowUs/lHPmq1+ECEk9kNa9SM=; h=Subject:From:To:Date:In-Reply-To:References:From; b=VevBpUocDWLDS6aio6D37Tf8D5lccCCz8BwFhTZqc6WQnluFJ/oGxQlPfyWJM14OB DSCsRIYt6GzzNaDqYl4AmDwW/ZETnpqWydhVCZ4l9JM43H4oseNWQDAoXuPwR2D5Sc 8IMeyaJxu7BdG4nSN3QzAr3iG/Lkc84jy8wWFCJQ= Received: from [192.168.124.3] (unknown [113.200.174.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) (Authenticated sender: xry111@xry111.site) by xry111.site (Postfix) with ESMTPSA id 35D4166B91; Thu, 1 Feb 2024 07:20:13 -0500 (EST) Message-ID: Subject: Re: [PATCH] test-container: gracefully handle AppArmor containment From: Xi Ruoyao To: Simon Chopin , libc-alpha@sourceware.org Date: Thu, 01 Feb 2024 20:20:09 +0800 In-Reply-To: <20240201120104.143973-1-simon.chopin@canonical.com> References: <20240201120104.143973-1-simon.chopin@canonical.com> Autocrypt: addr=xry111@xry111.site; prefer-encrypt=mutual; keydata=mDMEYnkdPhYJKwYBBAHaRw8BAQdAsY+HvJs3EVKpwIu2gN89cQT/pnrbQtlvd6Yfq7egugi0HlhpIFJ1b3lhbyA8eHJ5MTExQHhyeTExMS5zaXRlPoiTBBMWCgA7FiEEkdD1djAfkk197dzorKrSDhnnEOMFAmJ5HT4CGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQrKrSDhnnEOPHFgD8D9vUToTd1MF5bng9uPJq5y3DfpcxDp+LD3joA3U2TmwA/jZtN9xLH7CGDHeClKZK/ZYELotWfJsqRcthOIGjsdAPuDgEYnkdPhIKKwYBBAGXVQEFAQEHQG+HnNiPZseiBkzYBHwq/nN638o0NPwgYwH70wlKMZhRAwEIB4h4BBgWCgAgFiEEkdD1djAfkk197dzorKrSDhnnEOMFAmJ5HT4CGwwACgkQrKrSDhnnEOPjXgD/euD64cxwqDIqckUaisT3VCst11RcnO5iRHm6meNIwj0BALLmWplyi7beKrOlqKfuZtCLbiAPywGfCNg8LOTt4iMD Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.50.3 MIME-Version: 1.0 X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,BODY_8BITS,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,LIKELY_SPAM_FROM,SPF_HELO_PASS,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote: > Recent AppArmor containment allows restricting unprivileged user > namespaces, which is enabled by default on recent Ubuntu systems. >=20 > When that happens, the affected tests will now be considered unsupported > rather than simply failing. >=20 > Further information: >=20 > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restri= ction > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-names= paces >=20 > Signed-off-by: Simon Chopin > --- > =C2=A0support/test-container.c | 8 ++++++-- > =C2=A01 file changed, 6 insertions(+), 2 deletions(-) >=20 > diff --git a/support/test-container.c b/support/test-container.c > index adf2b30215..a04ae07807 100644 > --- a/support/test-container.c > +++ b/support/test-container.c > @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns) > =C2=A0=C2=A0=C2=A0=C2=A0 { "/proc/sys/kernel/unprivileged_userns_clone", = 0, 1, 0 }, > =C2=A0=C2=A0=C2=A0=C2=A0 /* ALT Linux has an alternate way of doing the s= ame.=C2=A0 */ > =C2=A0=C2=A0=C2=A0=C2=A0 { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, > +=C2=A0=C2=A0=C2=A0 /* AppArmor can also disable unprivileged user namesp= aces */ > +=C2=A0=C2=A0=C2=A0 { "/proc/sys/kernel/apparmor_restrict_unprivileged_us= erns", 1, 0, 0 }, > +=C2=A0=C2=A0=C2=A0 { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 }, Why are you duplicating this entry? --=20 Xi Ruoyao School of Aerospace Science and Technology, Xidian University