@@ -58,6 +58,11 @@ static void setup(void)
for (i = 0; i < SRCADDR_COUNT; i++)
fds[i] = -1;
+ /* The default value of max_user_namespaces is set to 0 on some distros,
+ * We need to change the default value to call clone().
+ */
+ SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
+
SAFE_UNSHARE(CLONE_NEWUSER);
SAFE_UNSHARE(CLONE_NEWNET);
SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
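Review bot: `SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10)` overwrites the limit unconditionally, so on a host whose kernel default is well above 10 this hunk lowers the system-wide cap for the duration of the run, and any other process creating user namespaces in that window (container runtimes, sandboxes, parallel LTP tests) may start failing until .save_restore puts the old value back at cleanup. Read the current value first and raise it only when it is below what the test needs, and have the comment name the call that actually needs it — `SAFE_UNSHARE(CLONE_NEWUSER)` on the next line — rather than clone(). The choice of 10 is unexplained; the visible code creates a single user namespace, so either justify the number in the comment or size it to that. setup() begins before this hunk, so the new local belongs with the declarations above it.
```c
	/* … unchanged: fds[] initialisation; `int max_userns;` declared with setup()'s locals … */
	/* Some distros default max_user_namespaces to 0, which makes the
	 * unshare(CLONE_NEWUSER) below fail. Raise it only when it is too
	 * low so a higher host default is not clamped; the original value
	 * is restored through .save_restore.
	 */
	SAFE_FILE_SCANF("/proc/sys/user/max_user_namespaces", "%d", &max_userns);
	if (max_userns < 10)
		SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);

	SAFE_UNSHARE(CLONE_NEWUSER);
```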
@@ -265,6 +270,10 @@ static struct tst_test test = {
"CONFIG_NET_NS=y",
NULL
},
+ .save_restore = (const char * const[]) {
+ "?/proc/sys/user/max_user_namespaces",
+ NULL,
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "b38e7819cae9"},
{"CVE", "2020-25705"},
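Review bot: The leading `?` in `"?/proc/sys/user/max_user_namespaces"` appears to make the save optional when the file is absent, yet setup() in the same commit writes that path with SAFE_FILE_PRINTF, which fails the test on a kernel that lacks the sysctl — the two halves disagree about whether the file may be missing. Either drop the `?` or guard the write, e.g. `if (!access("/proc/sys/user/max_user_namespaces", F_OK))`, so a kernel without the knob (where no such cap exists) simply skips it. Writing under /proc/sys also needs root; this hunk does not show whether `.needs_root` is set, so confirm that the framework implies it for .save_restore or add it explicitly, since the unshare(CLONE_NEWUSER) path these tests use otherwise runs unprivileged.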
@@ -120,6 +120,11 @@ static void setup(void)
SAFE_WRITE(fd, 1, "\n", 1);
SAFE_CLOSE(fd);
+
+ /* The default value of max_user_namespaces is set to 0 on some distros,
+ * We need to change the default value to call clone().
+ */
+ SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
}
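Review bot: The unconditional write of 10 to max_user_namespaces lowers the limit on any host whose default is higher, throttling other namespace users for as long as the test runs; read the value first and raise it only if needed: `int cur;` / `SAFE_FILE_SCANF("/proc/sys/user/max_user_namespaces", "%d", &cur);` / `if (cur < 10) SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);`. Since this write is the last statement of setup(), `cur` should be declared with setup()'s other locals, which start before this hunk. The comment's "to call clone()" is plausible for this file but cannot be confirmed from the hunk; if the test uses SAFE_CLONE or ltp_clone, say which.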
static struct tst_test test = {
@@ -133,6 +138,10 @@ static struct tst_test test = {
"CONFIG_USER_NS",
NULL
},
+ .save_restore = (const char * const[]) {
+ "?/proc/sys/user/max_user_namespaces",
+ NULL,
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "d2f007dbe7e4"},
{"CVE", "CVE-2018-18955"},
@@ -34,6 +34,11 @@ static void setup(void)
int real_gid = getgid();
struct ifreq ifr;
+ /* The default value of max_user_namespaces is set to 0 on some distros,
+ * We need to change the default value to call clone().
+ */
+ SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
+
SAFE_UNSHARE(CLONE_NEWUSER);
SAFE_UNSHARE(CLONE_NEWNET);
SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
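Review bot: This is the third verbatim copy of the same comment plus `SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10)` in the series, which is a sign the policy belongs in the test library (a new helper called from setup(), or a tst_test flag the framework honours next to .save_restore) rather than in each test. With one implementation, the "raise only when the current value is below the needed one" logic and the handling of a missing sysctl can be corrected once instead of eight times. The comment also says "to call clone()" while this file calls `SAFE_UNSHARE(CLONE_NEWUSER)` on the following line. setup() continues past the end of the hunk.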
@@ -107,6 +112,10 @@ static struct tst_test test = {
"CONFIG_NET_NS=y",
NULL
},
+ .save_restore = (const char * const[]) {
+ "?/proc/sys/user/max_user_namespaces",
+ NULL,
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "15fe076edea7"},
{"CVE", "2018-18559"},
@@ -43,6 +43,11 @@ static void setup(void)
int real_gid = getgid();
struct ifreq ifr;
+ /* The default value of max_user_namespaces is set to 0 on some distros,
+ * We need to change the default value to call clone().
+ */
+ SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
+
SAFE_UNSHARE(CLONE_NEWUSER);
SAFE_UNSHARE(CLONE_NEWNET);
SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
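Review bot: The new comment says the limit is raised "to call clone()", but the call that needs it in this file is `SAFE_UNSHARE(CLONE_NEWUSER)` on the next line, so a reader tracing a failure in setup() is pointed at the wrong call. Suggest `/* Some distros default max_user_namespaces to 0, which makes unshare(CLONE_NEWUSER) below fail; raise it (the old value is restored via .save_restore). */`. Independently, the write is unconditional and will lower the cap on hosts whose default exceeds 10; prefer reading the current value and writing only when it is smaller. setup() continues outside the hunk.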
@@ -215,6 +220,10 @@ static struct tst_test test = {
"CONFIG_NET_NS=y",
NULL
},
+ .save_restore = (const char * const[]) {
+ "?/proc/sys/user/max_user_namespaces",
+ NULL,
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "bcc5364bdcfe"},
{"linux-git", "acf69c946233"},
@@ -40,6 +40,11 @@ static void setup(void)
struct ifreq ifr;
socklen_t addrlen = sizeof(addr);
+ /* The default value of max_user_namespaces is set to 0 on some distros,
+ * We need to change the default value to call clone().
+ */
+ SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
+
SAFE_UNSHARE(CLONE_NEWUSER);
SAFE_UNSHARE(CLONE_NEWNET);
SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
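Review bot: Writing `/proc/sys/user/max_user_namespaces` requires privilege in the initial user namespace, so this hunk makes setup() fail for an unprivileged runner even though the unshare(CLONE_NEWUSER)/setgroups flow that follows did not need root; unless `.needs_root` is set (not visible here) or implied by .save_restore, that failure surfaces as a TBROK from SAFE_FILE_PRINTF rather than a TCONF. Making the write conditional on the current value being below 10 avoids both problems on hosts whose default is already higher: nothing is written, the cap is not lowered, and no privilege is exercised. setup() begins before this hunk.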
@@ -99,6 +104,10 @@ static struct tst_test test = {
"CONFIG_NET_NS=y",
NULL
},
+ .save_restore = (const char * const[]) {
+ "?/proc/sys/user/max_user_namespaces",
+ NULL,
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "85f1bd9a7b5a"},
{"CVE", "2017-1000112"},
@@ -35,6 +35,11 @@ static void setup(void)
int real_uid = getuid();
int real_gid = getgid();
+ /* The default value of max_user_namespaces is set to 0 on some distros,
+ * We need to change the default value to call clone().
+ */
+ SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
+
SAFE_UNSHARE(CLONE_NEWUSER);
SAFE_UNSHARE(CLONE_NEWNET);
SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
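Review bot: `SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10)` clamps the limit to 10 on every host, not only the ones where it is 0, so a default that is higher is lowered for the whole test run and restored only at cleanup. Guard it: `SAFE_FILE_SCANF("/proc/sys/user/max_user_namespaces", "%d", &cur);` then `if (cur < 10) SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);`, with `cur` declared among setup()'s locals above the hunk. The comment should refer to the `SAFE_UNSHARE(CLONE_NEWUSER)` that follows rather than clone().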
@@ -125,6 +130,10 @@ static struct tst_test test = {
"CONFIG_NET_NS=y",
NULL
},
+ .save_restore = (const char * const[]) {
+ "?/proc/sys/user/max_user_namespaces",
+ NULL,
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "84ac7260236a"},
{"CVE", "2016-8655"},
@@ -38,6 +38,11 @@ static void setup(void)
int real_uid = getuid();
int real_gid = getgid();
+ /* The default value of max_user_namespaces is set to 0 on some distros,
+ * We need to change the default value to call clone().
+ */
+ SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
+
SAFE_UNSHARE(CLONE_NEWUSER);
SAFE_UNSHARE(CLONE_NEWNET);
SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
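Review bot: The write of 10 is unconditional, so the hunk lowers max_user_namespaces wherever the current value is higher, which is the common case on kernels that ship a non-zero default; only the 0 case the comment describes actually needs a write. Read the value with SAFE_FILE_SCANF and write only when it is below 10, and document in the comment that the original value is restored via .save_restore so a reader knows the change is not permanent. The comment's mention of clone() does not match the `SAFE_UNSHARE(CLONE_NEWUSER)` this file calls. setup() continues past the hunk.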
@@ -137,6 +142,10 @@ static struct tst_test test = {
"CONFIG_NET_NS=y",
NULL
},
+ .save_restore = (const char * const[]) {
+ "?/proc/sys/user/max_user_namespaces",
+ NULL,
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "c27927e372f0"},
{"CVE", "2017-1000111"},
@@ -95,6 +95,11 @@ void setup(void)
"The vulnerability was only present in 32-bit compat mode");
}
+ /* The default value of max_user_namespaces is set to 0 on some distros,
+ * We need to change the default value to call clone().
+ */
+ SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
+
SAFE_UNSHARE(CLONE_NEWUSER);
SAFE_UNSHARE(CLONE_NEWNET);
}
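Review bot: The write sits correctly after the 32-bit-compat TCONF branch, but it is unconditional, so on a host whose max_user_namespaces default exceeds 10 the cap is lowered for the rest of the run; read the current value and raise it only when it is below 10, as in `if (cur < 10) SAFE_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);` with `cur` filled by SAFE_FILE_SCANF and declared with setup()'s locals above the hunk. The comment should also name `SAFE_UNSHARE(CLONE_NEWUSER)`, which is the call on the following line, instead of clone().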
@@ -156,6 +161,10 @@ static struct tst_test test = {
"CONFIG_NET_NS=y",
NULL
},
+ .save_restore = (const char * const[]) {
+ "?/proc/sys/user/max_user_namespaces",
+ NULL,
+ },
.tags = (const struct tst_tag[]) {
{"linux-git", "b29c457a6511"},
{"CVE", "2021-22555"},
On old distros, e.g. CentOS 7, the default value of max_user_namespaces is set to 0. Enable user namespaces by increasing this value. Signed-off-by: Yang Xu <xuyang2018.jy@fujitsu.com> --- testcases/cve/icmp_rate_limit01.c | 9 +++++++++ testcases/kernel/containers/userns/userns08.c | 9 +++++++++ testcases/kernel/syscalls/bind/bind06.c | 9 +++++++++ testcases/kernel/syscalls/sendto/sendto03.c | 9 +++++++++ testcases/kernel/syscalls/setsockopt/setsockopt05.c | 9 +++++++++ testcases/kernel/syscalls/setsockopt/setsockopt06.c | 9 +++++++++ testcases/kernel/syscalls/setsockopt/setsockopt07.c | 9 +++++++++ testcases/kernel/syscalls/setsockopt/setsockopt08.c | 9 +++++++++ 8 files changed, 72 insertions(+)