[v1,0/6] seccomp test fixes

Message ID 20190119001217.12660-1-tycho@tycho.ws (mailing list archive)

Message

Tycho Andersen Jan. 19, 2019, 12:12 a.m. UTC
Hi all,

Here are the fixes I previously mentioned I would send. I previously
assumed that the tests were mostly run as root, but it turns out
everything else besides the stuff I wrote in the seccomp tests either
sets NNP and doesn't require real root, so it all actually works. This
set of fixes should make most of the other tests work unprivileged,
while XFAIL-ing the one that requires real root.

Cheers,

Tycho

Tycho Andersen (6):
  selftests: don't kill child immediately in get_metadata() test
  selftests: fix typo in seccomp_bpf.c
  selftest: include stdio.h in kselftest.h
  selftests: skip seccomp get_metadata test if not real root
  selftests: set NO_NEW_PRIVS bit in seccomp user tests
  selftests: unshare userns in seccomp pidns testcases

 tools/testing/selftests/kselftest.h           |  1 +
 tools/testing/selftests/seccomp/seccomp_bpf.c | 42 ++++++++++++++++---
 2 files changed, 38 insertions(+), 5 deletions(-)

Comments

Kees Cook Jan. 20, 2019, 12:43 a.m. UTC | #1
On Fri, Jan 18, 2019 at 4:12 PM Tycho Andersen <tycho@tycho.ws> wrote:
>
> Hi all,
>
> Here are the fixes I previously mentioned I would send. I previously
> assumed that the tests were mostly run as root, but it turns out
> everything else besides the stuff I wrote in the seccomp tests either
> sets NNP and doesn't require real root, so it all actually works. This
> set of fixes should make most of the other tests work unprivileged,
> while XFAIL-ing the one that requires real root.

Awesome. This all looks good to me. :)

Acked-by: Kees Cook <keescook@chromium.org>

Shuah, can you take this series?

-Kees

>
> Cheers,
>
> Tycho
>
> Tycho Andersen (6):
>   selftests: don't kill child immediately in get_metadata() test
>   selftests: fix typo in seccomp_bpf.c
>   selftest: include stdio.h in kselftest.h
>   selftests: skip seccomp get_metadata test if not real root
>   selftests: set NO_NEW_PRIVS bit in seccomp user tests
>   selftests: unshare userns in seccomp pidns testcases
>
>  tools/testing/selftests/kselftest.h           |  1 +
>  tools/testing/selftests/seccomp/seccomp_bpf.c | 42 ++++++++++++++++---
>  2 files changed, 38 insertions(+), 5 deletions(-)
>
> --
> 2.19.1
>
Shuah Jan. 20, 2019, 7:28 p.m. UTC | #2
On 1/19/19 5:43 PM, Kees Cook wrote:
> On Fri, Jan 18, 2019 at 4:12 PM Tycho Andersen <tycho@tycho.ws> wrote:
>>
>> Hi all,
>>
>> Here are the fixes I previously mentioned I would send. I previously
>> assumed that the tests were mostly run as root, but it turns out
>> everything else besides the stuff I wrote in the seccomp tests either
>> sets NNP and doesn't require real root, so it all actually works. This
>> set of fixes should make most of the other tests work unprivileged,
>> while XFAIL-ing the one that requires real root.

Tycho, Thanks for a quick response in fixing the problems.
> 
> Awesome. This all looks good to me. :)
> 
> Acked-by: Kees Cook <keescook@chromium.org>
> 
> Shuah, can you take this series?
> 


Yes. I will take these in for rc5.

thanks,
-- Shuah