| Message ID | 20230531131643.3776181-1-siddhesh@sourceware.org |
|---|---|
| State | New |
| Headers | show |
| Series | support: Don't fail on fchown when spawning sgid processes | expand |
On Wed, May 31, 2023 at 3:34 PM Siddhesh Poyarekar <siddhesh@sourceware.org> wrote: > > In some cases (e.g. when podman creates user containers), the only other > group assigned to the executing user is nobody and fchown fails with it > because the group is not mapped. Do not fail the test in this case, > instead exit as unsupported. > > Reported-by: Frederic Berat <fberat@redhat.com> > Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> > --- > support/support_capture_subprocess.c | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c > index bae7d5fb20..ad1da9fd97 100644 > --- a/support/support_capture_subprocess.c > +++ b/support/support_capture_subprocess.c > @@ -153,9 +153,15 @@ copy_and_spawn_sgid (char *child_id, gid_t gid) > p += wrcount; > } > } > - TEST_VERIFY (fchown (outfd, getuid (), gid) == 0); > + > + int chowned = 0; > + TEST_VERIFY ((chowned = fchown (outfd, getuid (), gid)) == 0 > + || errno == EPERM); > if (support_record_failure_is_failed ()) > goto err; > + else if (chowned != 0) > + ret = 77; Shouldn't you "goto err" here instead of continuing the execution ? During my test the reported reason for UNSUPPORTED is: "error: tst-secure-getenv.c:78: SGID failed: GID and EGID match (1000)" instead of the expected "Failed to make sgid executable for test" below. I assume that is because of the missing goto here. > + > TEST_VERIFY (fchmod (outfd, 02750) == 0); > if (support_record_failure_is_failed ()) > goto err; > @@ -192,8 +198,10 @@ err: > free (dirname); > } > > - if (ret != 0) > - FAIL_EXIT1("Failed to make sgid executable for test\n"); > + if (ret == 77) > + FAIL_UNSUPPORTED ("Failed to make sgid executable for test\n"); > + else if (ret != 0) > + FAIL_EXIT1 ("Failed to make sgid executable for test\n"); Minor comment: Since FAIL_UNSUPPORTED exits, the "else" seems superfluous. > > return status; > } > -- > 2.40.1 >
On 2023-05-31 10:32, Frederic Berat wrote: > On Wed, May 31, 2023 at 3:34 PM Siddhesh Poyarekar > <siddhesh@sourceware.org> wrote: >> >> In some cases (e.g. when podman creates user containers), the only other >> group assigned to the executing user is nobody and fchown fails with it >> because the group is not mapped. Do not fail the test in this case, >> instead exit as unsupported. >> >> Reported-by: Frederic Berat <fberat@redhat.com> >> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> >> --- >> support/support_capture_subprocess.c | 14 +++++++++++--- >> 1 file changed, 11 insertions(+), 3 deletions(-) >> >> diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c >> index bae7d5fb20..ad1da9fd97 100644 >> --- a/support/support_capture_subprocess.c >> +++ b/support/support_capture_subprocess.c >> @@ -153,9 +153,15 @@ copy_and_spawn_sgid (char *child_id, gid_t gid) >> p += wrcount; >> } >> } >> - TEST_VERIFY (fchown (outfd, getuid (), gid) == 0); >> + >> + int chowned = 0; >> + TEST_VERIFY ((chowned = fchown (outfd, getuid (), gid)) == 0 >> + || errno == EPERM); >> if (support_record_failure_is_failed ()) >> goto err; >> + else if (chowned != 0) >> + ret = 77; > > Shouldn't you "goto err" here instead of continuing the execution ? Oops, yes. > During my test the reported reason for UNSUPPORTED is: > > "error: tst-secure-getenv.c:78: SGID failed: GID and EGID match (1000)" > instead of the expected "Failed to make sgid executable for test" below. > > I assume that is because of the missing goto here. > >> + >> TEST_VERIFY (fchmod (outfd, 02750) == 0); >> if (support_record_failure_is_failed ()) >> goto err; >> @@ -192,8 +198,10 @@ err: >> free (dirname); >> } >> >> - if (ret != 0) >> - FAIL_EXIT1("Failed to make sgid executable for test\n"); >> + if (ret == 77) >> + FAIL_UNSUPPORTED ("Failed to make sgid executable for test\n"); >> + else if (ret != 0) >> + FAIL_EXIT1 ("Failed to make sgid executable for test\n"); > > Minor comment: Since FAIL_UNSUPPORTED exits, the "else" seems superfluous. Ack, fixed. v2 coming up. Thanks, Sid > >> >> return status; >> } >> -- >> 2.40.1 >> >
diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c index bae7d5fb20..ad1da9fd97 100644 --- a/support/support_capture_subprocess.c +++ b/support/support_capture_subprocess.c @@ -153,9 +153,15 @@ copy_and_spawn_sgid (char *child_id, gid_t gid) p += wrcount; } } - TEST_VERIFY (fchown (outfd, getuid (), gid) == 0); + + int chowned = 0; + TEST_VERIFY ((chowned = fchown (outfd, getuid (), gid)) == 0 + || errno == EPERM); if (support_record_failure_is_failed ()) goto err; + else if (chowned != 0) + ret = 77; + TEST_VERIFY (fchmod (outfd, 02750) == 0); if (support_record_failure_is_failed ()) goto err; @@ -192,8 +198,10 @@ err: free (dirname); } - if (ret != 0) - FAIL_EXIT1("Failed to make sgid executable for test\n"); + if (ret == 77) + FAIL_UNSUPPORTED ("Failed to make sgid executable for test\n"); + else if (ret != 0) + FAIL_EXIT1 ("Failed to make sgid executable for test\n"); return status; }
In some cases (e.g. when podman creates user containers), the only other group assigned to the executing user is nobody and fchown fails with it because the group is not mapped. Do not fail the test in this case, instead exit as unsupported. Reported-by: Frederic Berat <fberat@redhat.com> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> --- support/support_capture_subprocess.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)