| Message ID | 20240216163849.73172-1-simon.chopin@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v3] tests: gracefully handle AppArmor userns containment | expand |
Hi Simon, This is OK to merge. Thanks! -- Maxim Kuvyrkov https://www.linaro.org > On Feb 16, 2024, at 20:38, Simon Chopin <simon.chopin@canonical.com> wrote: > > Recent AppArmor containment allows restricting unprivileged user > namespaces, which is enabled by default on recent Ubuntu systems. > When this happens, as is common with Linux Security Modules, the syscall > will fail with -EACCESS. > > When that happens, the affected tests will now be considered unsupported > rather than simply failing. > > Further information: > > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces > * https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html (for > the return code) > > V2: > * Fix duplicated line in check_unshare_hints > * Also handle similar failure in tst-pidfd_getpid > > V3: > * Comment formatting > * Aded some more documentation on syscall return value > > Signed-off-by: Simon Chopin <simon.chopin@canonical.com> > --- > support/test-container.c | 7 +++++-- > sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++- > 2 files changed, 7 insertions(+), 3 deletions(-) > > diff --git a/support/test-container.c b/support/test-container.c > index adf2b30215..ebcc722da5 100644 > --- a/support/test-container.c > +++ b/support/test-container.c > @@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns) > { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 }, > /* ALT Linux has an alternate way of doing the same. */ > { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, > + /* AppArmor can also disable unprivileged user namespaces. */ > + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 }, > /* Linux kernel >= 4.9 has a configurable limit on the number of > each namespace. Some distros set the limit to zero to disable the > corresponding namespace as a "security policy". */ > @@ -1108,10 +1110,11 @@ main (int argc, char **argv) > { > /* Older kernels may not support all the options, or security > policy may block this call. */ > - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) > + if (errno == EINVAL || errno == EPERM > + || errno == ENOSPC || errno == EACCES) > { > int saved_errno = errno; > - if (errno == EPERM || errno == ENOSPC) > + if (errno == EPERM || errno == ENOSPC || errno == EACCES) > check_for_unshare_hints (require_pidns); > FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno)); > } > diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > index 0354da5abb..ef62fbe941 100644 > --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > @@ -61,7 +61,8 @@ do_test (void) > { > /* Older kernels may not support all the options, or security > policy may block this call. */ > - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) > + if (errno == EINVAL || errno == EPERM > + || errno == ENOSPC || errno == EACCES) > exit (EXIT_UNSUPPORTED); > FAIL_EXIT1 ("unshare user/fs/pid failed: %m"); > } > > base-commit: 155bb9d036646138348fee0ac045de601811e0c5 > -- > 2.40.1 >
diff --git a/support/test-container.c b/support/test-container.c index adf2b30215..ebcc722da5 100644 --- a/support/test-container.c +++ b/support/test-container.c @@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns) { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 }, /* ALT Linux has an alternate way of doing the same. */ { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, + /* AppArmor can also disable unprivileged user namespaces. */ + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 }, /* Linux kernel >= 4.9 has a configurable limit on the number of each namespace. Some distros set the limit to zero to disable the corresponding namespace as a "security policy". */ @@ -1108,10 +1110,11 @@ main (int argc, char **argv) { /* Older kernels may not support all the options, or security policy may block this call. */ - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) + if (errno == EINVAL || errno == EPERM + || errno == ENOSPC || errno == EACCES) { int saved_errno = errno; - if (errno == EPERM || errno == ENOSPC) + if (errno == EPERM || errno == ENOSPC || errno == EACCES) check_for_unshare_hints (require_pidns); FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno)); } diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c index 0354da5abb..ef62fbe941 100644 --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c @@ -61,7 +61,8 @@ do_test (void) { /* Older kernels may not support all the options, or security policy may block this call. */ - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) + if (errno == EINVAL || errno == EPERM + || errno == ENOSPC || errno == EACCES) exit (EXIT_UNSUPPORTED); FAIL_EXIT1 ("unshare user/fs/pid failed: %m"); }
Recent AppArmor containment allows restricting unprivileged user namespaces, which is enabled by default on recent Ubuntu systems. When this happens, as is common with Linux Security Modules, the syscall will fail with -EACCESS. When that happens, the affected tests will now be considered unsupported rather than simply failing. Further information: * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces * https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html (for the return code) V2: * Fix duplicated line in check_unshare_hints * Also handle similar failure in tst-pidfd_getpid V3: * Comment formatting * Aded some more documentation on syscall return value Signed-off-by: Simon Chopin <simon.chopin@canonical.com> --- support/test-container.c | 7 +++++-- sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 3 ++- 2 files changed, 7 insertions(+), 3 deletions(-) base-commit: 155bb9d036646138348fee0ac045de601811e0c5