Message ID | 20240201120104.143973-1-simon.chopin@canonical.com |
---|---|
State | New |
Series | test-container: gracefully handle AppArmor containment |
On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote:

> Recent AppArmor containment allows restricting unprivileged user > namespaces, which is enabled by default on recent Ubuntu systems. > > When that happens, the affected tests will now be considered unsupported > rather than simply failing. > > Further information: > > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces > > Signed-off-by: Simon Chopin <simon.chopin@canonical.com> > --- > support/test-container.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/support/test-container.c b/support/test-container.c > index adf2b30215..a04ae07807 100644 > --- a/support/test-container.c > +++ b/support/test-container.c > @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns) > { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 }, > /* ALT Linux has an alternate way of doing the same. */ > { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, > + /* AppArmor can also disable unprivileged user namespaces */ > + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 }, > + { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },

Why are you duplicating this entry?
Hi,

On Thu, 01 Feb 2024 20:20:09, Xi Ruoyao wrote:

> On Thu, 2024-02-01 at 13:01 +0100, Simon Chopin wrote: > > Recent AppArmor containment allows restricting unprivileged user > > namespaces, which is enabled by default on recent Ubuntu systems. > > > > When that happens, the affected tests will now be considered unsupported > > rather than simply failing. > > > > Further information: > > > > * https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction > > * https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces > > > > Signed-off-by: Simon Chopin <simon.chopin@canonical.com> > > --- > > support/test-container.c | 8 ++++++-- > > 1 file changed, 6 insertions(+), 2 deletions(-) > > > > diff --git a/support/test-container.c b/support/test-container.c > > index adf2b30215..a04ae07807 100644 > > --- a/support/test-container.c > > +++ b/support/test-container.c > > @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns) > > { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 }, > > /* ALT Linux has an alternate way of doing the same. */ > > { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, > > + /* AppArmor can also disable unprivileged user namespaces */ > > + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 }, > > + { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 }, > > Why are you duplicating this entry?

My mistake. This is fixed in the second revision of the patch.

Thanks!
diff --git a/support/test-container.c b/support/test-container.c index adf2b30215..a04ae07807 100644 --- a/support/test-container.c +++ b/support/test-container.c @@ -682,6 +682,9 @@ check_for_unshare_hints (int require_pidns) { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 }, /* ALT Linux has an alternate way of doing the same. */ { "/proc/sys/kernel/userns_restrict", 1, 0, 0 }, + /* AppArmor can also disable unprivileged user namespaces */ + { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 }, + { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 }, /* Linux kernel >= 4.9 has a configurable limit on the number of each namespace. Some distros set the limit to zero to disable the corresponding namespace as a "security policy". */ @@ -1108,10 +1111,11 @@ main (int argc, char **argv) { /* Older kernels may not support all the options, or security policy may block this call. */ - if (errno == EINVAL || errno == EPERM || errno == ENOSPC) + if (errno == EINVAL || errno == EPERM + || errno == ENOSPC || errno == EACCES) { int saved_errno = errno; - if (errno == EPERM || errno == ENOSPC) + if (errno == EPERM || errno == ENOSPC || errno == EACCES) check_for_unshare_hints (require_pidns); FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno)); }
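Review bot: the second added line in the `check_for_unshare_hints` hunk, `+ { "/proc/sys/user/max_pid_namespaces", 0, 1024, 1 },`, does not belong to the AppArmor change and duplicates an entry the table already has: the context comment that immediately follows ("Linux kernel >= 4.9 has a configurable limit on the number of each namespace ...") introduces exactly that sysctl, and Xi Ruoyao flagged the line as a duplicate on the thread, which the author confirmed is dropped in v2. Only the new AppArmor entry should be added here; its shape (`1` = restricted, `0` = expected, not pidns-specific) mirrors the `userns_restrict` line above it, which is the right model. While touching the new comment, match the neighbouring style by ending it with a full stop before the closing delimiter: `/* AppArmor can also disable unprivileged user namespaces.  */`.

Review bot: in the `main` hunk, adding `EACCES` to both errno tests is consistent (the hint lookup and the `FAIL_UNSUPPORTED` path now agree), but the comment just above, "Older kernels may not support all the options, or security policy may block this call.", gives the reader no clue which policy produces `EACCES` as opposed to `EPERM`. Since the commit message attributes the new case to AppArmor's unprivileged user namespace restriction, extend that comment with a sentence naming it, so that the next person reading this code does not have to dig through the log to learn why `EACCES` is treated as "unsupported" rather than as a test failure.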
Recent AppArmor containment allows restricting unprivileged user namespaces, which is enabled by default on recent Ubuntu systems.

When that happens, the affected tests will now be considered unsupported rather than simply failing.

Further information:

* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
---
support/test-container.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

base-commit: 42cc619dfbc44e263239c2de870bae11ad65810a