From patchwork Tue Aug 28 12:03:14 2018
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 962889
Date: Tue, 28 Aug 2018 14:03:14 +0200
To: libc-alpha@sourceware.org
Subject: [PATCH] test-container: EPERM from unshare is UNSUPPORTED
Message-Id: <20180828120314.EA92540E22B36@oldenburg.str.redhat.com>
From: fweimer@redhat.com (Florian Weimer)

For example, the security policy on the Fedora build daemons results in this EPERM error.

2018-08-28 Florian Weimer

* support/test-container.c (main): Treat unshare failure with EPERM as an unsupported test.

diff --git a/support/test-container.c b/support/test-container.c index ce16e061e7..2e91bdf9ec 100644 --- a/support/test-container.c +++ b/support/test-container.c @@ -871,8 +871,9 @@ main (int argc, char **argv) /* The unshare here gives us our own spaces and capabilities. */ if (unshare (CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS) < 0) { - /* Older kernels may not support all the options. */ - if (errno == EINVAL) + /* Older kernels may not support all the options, or security + policy may block this call. */ + if (errno == EINVAL || errno == EPERM) FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno)); else FAIL_EXIT1 ("unable to unshare user/fs: %s", strerror (errno));
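
Review bot: In the `if (errno == EINVAL || errno == EPERM)` branch, EPERM now reaches FAIL_UNSUPPORTED with the same "unable to unshare user/fs: %s" text that the FAIL_EXIT1 path uses, so a run where policy blocks unshare is told apart from an old-kernel EINVAL only by the strerror suffix. Because this moves a permission failure from a hard failure to a skip, every test that goes through this main will report UNSUPPORTED on such a host. Consider a separate EPERM branch whose message names the policy cause given in the new comment, so that someone reading the results can see the container tests did not run because of a restriction rather than kernel age.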