[6/6] selftests: unshare userns in seccomp pidns testcases

Message ID	20190119001217.12660-7-tycho@tycho.ws (mailing list archive)
State	Mainlined
Commit	30d53a5860cf6743db011719d414456b10773d6a
Headers	show Return-Path: <linux-kselftest-owner@kernel.org> From: Tycho Andersen <tycho@tycho.ws> To: Shuah Khan <shuah@kernel.org>, Kees Cook <keescook@chromium.org> Cc: linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, Tycho Andersen <tycho@tycho.ws> Subject: [PATCH 6/6] selftests: unshare userns in seccomp pidns testcases Date: Fri, 18 Jan 2019 17:12:17 -0700 Message-Id: <20190119001217.12660-7-tycho@tycho.ws> In-Reply-To: <20190119001217.12660-1-tycho@tycho.ws> References: <20190119001217.12660-1-tycho@tycho.ws> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk
Series	seccomp test fixes \| expand [v1,0/6] seccomp test fixes [1/6] selftests: don't kill child immediately in get_metadata() test [2/6] selftests: fix typo in seccomp_bpf.c [3/6] selftest: include stdio.h in kselftest.h [4/6] selftests: skip seccomp get_metadata test if not real root [5/6] selftests: set NO_NEW_PRIVS bit in seccomp user tests [6/6] selftests: unshare userns in seccomp pidns testcases

Message ID

20190119001217.12660-7-tycho@tycho.ws (mailing list archive)

State

Mainlined

Commit

30d53a5860cf6743db011719d414456b10773d6a

Headers

From: Tycho Andersen <tycho@tycho.ws>
To: Shuah Khan <shuah@kernel.org>, Kees Cook <keescook@chromium.org>
Cc: linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
        Tycho Andersen <tycho@tycho.ws>
Subject: [PATCH 6/6] selftests: unshare userns in seccomp pidns testcases
Date: Fri, 18 Jan 2019 17:12:17 -0700
Message-Id: <20190119001217.12660-7-tycho@tycho.ws>
In-Reply-To: <20190119001217.12660-1-tycho@tycho.ws>
References: <20190119001217.12660-1-tycho@tycho.ws>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kselftest-owner@vger.kernel.org
Precedence: bulk

Series

seccomp test fixes | expand

Commit Message

Tycho Andersen Jan. 19, 2019, 12:12 a.m. UTC

The pid ns cannot be unshare()d as an unprivileged user without owning the
userns as well. Let's unshare the userns so that we can subsequently
unshare the pidns.

This also means that we don't need to set the no new privs bit as in the
other test cases, since we're unsharing the userns.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
---
 tools/testing/selftests/seccomp/seccomp_bpf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index a4a7dce1a91b..8f6e95773225 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -3271,7 +3271,7 @@  TEST(user_notification_child_pid_ns)
 	struct seccomp_notif req = {};
 	struct seccomp_notif_resp resp = {};
 
-	ASSERT_EQ(unshare(CLONE_NEWPID), 0);
+	ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);
 
 	listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
 	ASSERT_GE(listener, 0);
@@ -3308,6 +3308,8 @@  TEST(user_notification_sibling_pid_ns)
 	struct seccomp_notif req = {};
 	struct seccomp_notif_resp resp = {};
 
+	ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
+
 	listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
 	ASSERT_GE(listener, 0);

[6/6] selftests: unshare userns in seccomp pidns testcases

Commit Message

Patch