From patchwork Sat Jan 19 00:12:17 2019
X-Patchwork-Submitter: Tycho Andersen
X-Patchwork-Id: 10771851
From: Tycho Andersen
To: Shuah Khan, Kees Cook
Cc: linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, Tycho Andersen
Subject: [PATCH 6/6] selftests: unshare userns in seccomp pidns testcases
Date: Fri, 18 Jan 2019 17:12:17 -0700
Message-Id: <20190119001217.12660-7-tycho@tycho.ws>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20190119001217.12660-1-tycho@tycho.ws>
References: <20190119001217.12660-1-tycho@tycho.ws>
MIME-Version: 1.0
Sender: linux-kselftest-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kselftest@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The pid ns cannot be unshare()d as an unprivileged user without owning the userns as well. Let's unshare the userns so that we can subsequently unshare the pidns.

This also means that we don't need to set the no new privs bit as in the other test cases, since we're unsharing the userns.

Signed-off-by: Tycho Andersen

--- tools/testing/selftests/seccomp/seccomp_bpf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index a4a7dce1a91b..8f6e95773225 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -3271,7 +3271,7 @@ TEST(user_notification_child_pid_ns) struct seccomp_notif req = {}; struct seccomp_notif_resp resp = {}; - ASSERT_EQ(unshare(CLONE_NEWPID), 0); + ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0); listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER); ASSERT_GE(listener, 0); @@ -3308,6 +3308,8 @@ TEST(user_notification_sibling_pid_ns) struct seccomp_notif req = {}; struct seccomp_notif_resp resp = {}; + ASSERT_EQ(unshare(CLONE_NEWUSER), 0); + listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER); ASSERT_GE(listener, 0);
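Review bot: In the first hunk (user_notification_child_pid_ns), the combined `ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);` turns an environment restriction into a test failure: if the kernel or the sandbox running the selftest does not allow creating a user namespace, unshare() returns -1 and the assertion aborts the test with no hint as to why. Consider checking the return value first and reporting errno, or skipping the test in that case, so that a failure here is distinguishable from a regression in the seccomp user-notification code that the test is actually about.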
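Review bot: In the second hunk (user_notification_sibling_pid_ns), the added `ASSERT_EQ(unshare(CLONE_NEWUSER), 0);` has no comment, and nothing in the visible context says why a test about sibling pid namespaces starts by unsharing only the user namespace. The commit message gives the two reasons (it is what lets the pidns be unshared later as an unprivileged user, and it replaces setting the no new privs bit before the filter is installed via user_trap_syscall()); a short comment above the call stating both would keep a later cleanup from removing it or from adding a redundant no_new_privs call. The same comment would be worth having above the unshare in the first hunk.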