@@ -13,7 +13,6 @@
*/
#include <unistd.h>
-#include <sched.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
@@ -41,10 +40,7 @@ static struct msg_policy *p;
static void setup(void)
{
- if (unshare(CLONE_NEWUSER) != 0)
- tst_brk(TCONF, "unshare(CLONE_NEWUSER) failed");
- if (unshare(CLONE_NEWNET) != 0)
- tst_brk(TCONF, "unshare(CLONE_NEWNET) failed");
+ tst_setup_netns();
fd = SAFE_SOCKET(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
memset(&addr, 0, sizeof(struct sockaddr_nl));
@@ -77,6 +73,15 @@ static void run(void)
static struct tst_test test = {
.setup = setup,
.test_all = run,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_USER_NS=y",
+ "CONFIG_NET_NS=y",
+ NULL
+ },
+ .save_restore = (const struct tst_path_val[]) {
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
+ {}
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "1137b5e2529a"},
{"CVE", "2017-16939"},
@@ -29,12 +29,12 @@
#include <arpa/inet.h>
#include <linux/errqueue.h>
-#include <sched.h>
#include <limits.h>
#include "lapi/if_addr.h"
#include "tst_test.h"
#include "tst_netdevice.h"
+#include "lapi/namespaces_constants.h"
#define DSTNET 0xfa444e00 /* 250.68.78.0 */
#define SRCNET 0xfa444e40 /* 250.68.78.64 */
@@ -53,19 +53,11 @@ static void setup(void)
struct sockaddr_in ipaddr = { .sin_family = AF_INET };
uint32_t addr;
int i;
- int real_uid = getuid();
- int real_gid = getgid();
for (i = 0; i < SRCADDR_COUNT; i++)
fds[i] = -1;
- SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
-
- SAFE_UNSHARE(CLONE_NEWUSER);
- SAFE_UNSHARE(CLONE_NEWNET);
- SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
- SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1\n", real_uid);
- SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1\n", real_gid);
+ tst_setup_netns();
/*
* Create network namespace to hide the destination interface from
@@ -269,7 +261,7 @@ static struct tst_test test = {
NULL
},
.save_restore = (const struct tst_path_val[]) {
- {"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
{}
},
.tags = (const struct tst_tag[]) {
@@ -14,13 +14,11 @@
* net/packet: fix a race in packet_bind() and packet_notifier()
*/
-#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <net/if.h>
-#include <sched.h>
#include "tst_test.h"
#include "tst_fuzzy_sync.h"
@@ -30,17 +28,9 @@ static struct tst_fzsync_pair fzsync_pair;
static void setup(void)
{
- int real_uid = getuid();
- int real_gid = getgid();
struct ifreq ifr;
- SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
-
- SAFE_UNSHARE(CLONE_NEWUSER);
- SAFE_UNSHARE(CLONE_NEWNET);
- SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
- SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1\n", real_uid);
- SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1\n", real_gid);
+ tst_setup_netns();
fd = SAFE_SOCKET(AF_PACKET, SOCK_DGRAM, PF_PACKET);
strcpy(ifr.ifr_name, "lo");
@@ -110,7 +100,7 @@ static struct tst_test test = {
NULL
},
.save_restore = (const struct tst_path_val[]) {
- {"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
{}
},
.tags = (const struct tst_tag[]) {
@@ -15,11 +15,9 @@
*
* net: ipv4: fix for a race condition in raw_sendmsg
*/
-#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
-#include <sched.h>
#include "tst_test.h"
#include "tst_fuzzy_sync.h"
@@ -38,8 +36,8 @@ static void setup(void)
{
int i;
- SAFE_UNSHARE(CLONE_NEWUSER);
- SAFE_UNSHARE(CLONE_NEWNET);
+ tst_setup_netns();
+
sockfd = SAFE_SOCKET(AF_INET, SOCK_RAW, IPPROTO_ICMP);
memset(buf, 0xcc, PACKET_SIZE);
@@ -106,6 +104,15 @@ static struct tst_test test = {
.cleanup = cleanup,
.taint_check = TST_TAINT_W | TST_TAINT_D,
.max_runtime = 150,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_USER_NS=y",
+ "CONFIG_NET_NS=y",
+ NULL
+ },
+ .save_restore = (const struct tst_path_val[]) {
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
+ {}
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "8f659a03a0ba"},
{"CVE", "2017-17712"},
@@ -17,7 +17,6 @@
* net/packet: fix overflow in tpacket_rcv
*/
-#define _GNU_SOURCE
#include <stdio.h>
#include <limits.h>
#include <sys/types.h>
@@ -25,7 +24,6 @@
#include <sys/ioctl.h>
#include <net/if.h>
#include <net/ethernet.h>
-#include <sched.h>
#include "tst_test.h"
#include "tst_net.h"
@@ -39,17 +37,9 @@ static struct sockaddr_ll bind_addr, addr;
static void setup(void)
{
- int real_uid = getuid();
- int real_gid = getgid();
struct ifreq ifr;
- SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
-
- SAFE_UNSHARE(CLONE_NEWUSER);
- SAFE_UNSHARE(CLONE_NEWNET);
- SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
- SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid);
- SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid);
+ tst_setup_netns();
sock = SAFE_SOCKET(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
strcpy(ifr.ifr_name, "lo");
@@ -218,7 +208,7 @@ static struct tst_test test = {
NULL
},
.save_restore = (const struct tst_path_val[]) {
- {"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
{}
},
.tags = (const struct tst_tag[]) {
@@ -17,13 +17,11 @@
* udp: consistently apply ufo or fragmentation
*/
-#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/ioctl.h>
#include <net/if.h>
-#include <sched.h>
#include "tst_test.h"
#include "tst_net.h"
@@ -35,18 +33,10 @@ static int dst_sock = -1;
static void setup(void)
{
- int real_uid = getuid();
- int real_gid = getgid();
struct ifreq ifr;
socklen_t addrlen = sizeof(addr);
- SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
-
- SAFE_UNSHARE(CLONE_NEWUSER);
- SAFE_UNSHARE(CLONE_NEWNET);
- SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
- SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid);
- SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid);
+ tst_setup_netns();
tst_init_sockaddr_inet_bin(&addr, INADDR_LOOPBACK, 0);
dst_sock = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
@@ -102,7 +92,7 @@ static struct tst_test test = {
NULL
},
.save_restore = (const struct tst_path_val[]) {
- {"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
{}
},
.tags = (const struct tst_tag[]) {
@@ -16,11 +16,9 @@
* packet: fix race condition in packet_set_ring
*/
-#define _GNU_SOURCE
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
-#include <sched.h>
#include "tst_test.h"
#include "tst_fuzzy_sync.h"
@@ -33,17 +31,8 @@ static struct tst_fzsync_pair fzsync_pair;
static void setup(void)
{
- int real_uid = getuid();
- int real_gid = getgid();
-
pagesize = SAFE_SYSCONF(_SC_PAGESIZE);
- SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
-
- SAFE_UNSHARE(CLONE_NEWUSER);
- SAFE_UNSHARE(CLONE_NEWNET);
- SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
- SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid);
- SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid);
+ tst_setup_netns();
fzsync_pair.exec_loops = 100000;
tst_fzsync_pair_init(&fzsync_pair);
@@ -130,7 +119,7 @@ static struct tst_test test = {
NULL
},
.save_restore = (const struct tst_path_val[]) {
- {"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
{}
},
.tags = (const struct tst_tag[]) {
@@ -19,11 +19,9 @@
* packet: fix tp_reserve race in packet_set_ring
*/
-#define _GNU_SOURCE
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
-#include <sched.h>
#include "tst_test.h"
#include "tst_fuzzy_sync.h"
@@ -36,17 +34,8 @@ static struct tst_fzsync_pair fzsync_pair;
static void setup(void)
{
- int real_uid = getuid();
- int real_gid = getgid();
-
pagesize = SAFE_SYSCONF(_SC_PAGESIZE);
- SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
-
- SAFE_UNSHARE(CLONE_NEWUSER);
- SAFE_UNSHARE(CLONE_NEWNET);
- SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
- SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid);
- SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid);
+ tst_setup_netns();
/*
* Reproducing the bug on unpatched system takes <15 loops. The test
@@ -143,7 +132,7 @@ static struct tst_test test = {
NULL
},
.save_restore = (const struct tst_path_val[]) {
- {"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
{}
},
.tags = (const struct tst_tag[]) {
@@ -84,7 +84,6 @@
#include "tst_test.h"
#include "tst_safe_net.h"
#include "lapi/ip_tables.h"
-#include "lapi/namespaces_constants.h"
static void *buffer;
@@ -95,10 +94,7 @@ void setup(void)
"The vulnerability was only present in 32-bit compat mode");
}
- SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
-
- SAFE_UNSHARE(CLONE_NEWUSER);
- SAFE_UNSHARE(CLONE_NEWNET);
+ tst_setup_netns();
}
void run(void)
@@ -159,7 +155,7 @@ static struct tst_test test = {
NULL
},
.save_restore = (const struct tst_path_val[]) {
- {"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
{}
},
.tags = (const struct tst_tag[]) {
@@ -26,11 +26,9 @@
* packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
*/
-#define _GNU_SOURCE
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
-#include <sched.h>
#include "tst_test.h"
#include "lapi/if_packet.h"
@@ -40,17 +38,8 @@ static unsigned int pagesize;
static void setup(void)
{
- int real_uid = getuid();
- int real_gid = getgid();
-
pagesize = SAFE_SYSCONF(_SC_PAGESIZE);
- SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
-
- SAFE_UNSHARE(CLONE_NEWUSER);
- SAFE_UNSHARE(CLONE_NEWNET);
- SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
- SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid);
- SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid);
+ tst_setup_netns();
}
static void run(void)
@@ -124,7 +113,7 @@ static struct tst_test test = {
NULL
},
.save_restore = (const struct tst_path_val[]) {
- {"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
{}
},
.tags = (const struct tst_tag[]) {
@@ -13,7 +13,6 @@
* See blogpost in copyright notice for more details.
*/
#include <errno.h>
-#include <sched.h>
#include <sys/types.h>
#include <net/if.h>
#include <linux/if_packet.h>
@@ -22,7 +21,6 @@
#include "tst_test.h"
#include "tst_fuzzy_sync.h"
#include "lapi/if_packet.h"
-#include "lapi/namespaces_constants.h"
static struct tst_fzsync_pair pair;
static int fd;
@@ -30,21 +28,7 @@ static struct sockaddr_ll addr;
void setup(void)
{
- int real_uid = getuid();
- int real_gid = getgid();
-
- TEST(unshare(CLONE_NEWUSER));
- if (TST_RET)
- tst_brk(TBROK | TTERRNO, "Can't create new user namespace");
-
- TEST(unshare(CLONE_NEWNET));
- if (TST_RET)
- tst_brk(TBROK | TTERRNO, "Can't create new net namespace");
-
- FILE_PRINTF("/proc/self/setgroups", "deny");
- FILE_PRINTF("/proc/self/uid_map", "0 %d 1\n", real_uid);
- FILE_PRINTF("/proc/self/gid_map", "0 %d 1\n", real_gid);
-
+ tst_setup_netns();
tst_fzsync_pair_init(&pair);
}
@@ -107,6 +91,15 @@ static struct tst_test test = {
.cleanup = cleanup,
.needs_root = 1,
.max_runtime = 180,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_USER_NS=y",
+ "CONFIG_NET_NS=y",
+ NULL
+ },
+ .save_restore = (const struct tst_path_val[]) {
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
+ {}
+ },
.tags = (const struct tst_tag[]) {
{"CVE", "2017-15649"},
{"linux-git", "4971613c1639"},
Removing explicit writes into max_user_namespaces sysfile also restores the ability to run these tests without root privileges. Signed-off-by: Martin Doucha <mdoucha@suse.cz> --- testcases/cve/cve-2017-16939.c | 15 +++++++---- testcases/cve/icmp_rate_limit01.c | 14 +++------- testcases/kernel/syscalls/bind/bind06.c | 14 ++-------- testcases/kernel/syscalls/sendmsg/sendmsg03.c | 15 ++++++++--- testcases/kernel/syscalls/sendto/sendto03.c | 14 ++-------- .../kernel/syscalls/setsockopt/setsockopt05.c | 14 ++-------- .../kernel/syscalls/setsockopt/setsockopt06.c | 15 ++--------- .../kernel/syscalls/setsockopt/setsockopt07.c | 15 ++--------- .../kernel/syscalls/setsockopt/setsockopt08.c | 8 ++---- .../kernel/syscalls/setsockopt/setsockopt09.c | 15 ++--------- testcases/network/packet/fanout01.c | 27 +++++++------------ 11 files changed, 48 insertions(+), 118 deletions(-)