From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on starla X-Spam-Level: X-Spam-Status: No, score=-1.2 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 10F5F1F44D for ; Fri, 22 Mar 2024 15:33:07 +0000 (UTC) Authentication-Results: dcvr.yhbt.net; dkim=pass (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=pZRd3Ny9; dkim-atps=neutral Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 6E6623858417 for ; Fri, 22 Mar 2024 15:33:05 +0000 (GMT) Received: from smtp-relay-internal-0.canonical.com (smtp-relay-internal-0.canonical.com [185.125.188.122]) by sourceware.org (Postfix) with ESMTPS id 23F603858D28 for ; Fri, 22 Mar 2024 15:32:36 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 23F603858D28 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=canonical.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=canonical.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 23F603858D28 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=185.125.188.122 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1711121566; cv=none; b=QaK1SPoT4KovHbhZmnMzN99fQvo5BXP3zsemcc2V2/7JQusXcFGHyzmBCnA7j46kv2AEn0GBTqnBOEkM++Mk31zGbflHxXlMbECFfaWFYn+MfO/NYOb/ofSebFEH2itc9RpdaH2FYWAGdB55F3dLzsx7sd7jCwOUH2q0lbsxTYM= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1711121566; c=relaxed/simple; bh=86Uncd68gO/BXnPmQQcMwex9TlvlbKr4OT/TyYwFit0=; h=DKIM-Signature:From:MIME-Version:Date:Message-ID:Subject:To; b=GVg+FL+CumMdUyG8Xsa/Na/zX9Jk+oYvOODYDuaSMk1JvVEKRToVj59BbhePvH5770dPLeQHWwG7VRRRUwDxVGxeoUtqJUWyB312Y6nAtMPfir4DSVumFWTzndUtt0QAoxuo4aWZcw01Vji8Qoi+SwiioQBybw+VbIadwrzU9J8= ARC-Authentication-Results: i=1; server2.sourceware.org Received: from mail-pj1-f70.google.com (mail-pj1-f70.google.com [209.85.216.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 282B2411B9 for ; Fri, 22 Mar 2024 15:32:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1711121553; bh=i1GfjYqa9whxN2uJwCtNYwhRYm7bDzjf2KuX+TqCBe0=; h=From:MIME-Version:In-Reply-To:References:Date:Message-ID:Subject: To:Cc:Content-Type; b=pZRd3Ny9+eRcr9I917LOUYPxxkUxwOXXpbDLbdsTYf1wv9o3Nd9yH493Ua+XLq1H0 fW3dY6qPra8OyYaV2HT7FAgR690dQFz3QCZ6GzI1JsmyclP79v5DwzmVvU1AIy9+JV si/eBeKbzmXM/IYNM6sgrSkOzhttUyyVGQq5kUX3IEVhxxB7svs/b+2ORwAlMjzRL4 GVDThcVKhuDa93FnjfQl6U42qYEB79v1V6i4TYN8BU+ljV/CWndhWFuMcb0HJTTUIv E96U06BD7bw3tPj2WKkm6Xka34NDs0WYobmOlGxWTLQVPwN3+7/nWS9VMMVKog7wCx nVfZE+4AZGegQ== Received: by mail-pj1-f70.google.com with SMTP id 98e67ed59e1d1-29c7932c5f5so1509498a91.1 for ; Fri, 22 Mar 2024 08:32:33 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711121551; x=1711726351; h=cc:to:subject:message-id:date:references:in-reply-to:mime-version :user-agent:from:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=i1GfjYqa9whxN2uJwCtNYwhRYm7bDzjf2KuX+TqCBe0=; b=w7KusIp8CtsA4Zc5u6S0upMKpuYyK57w3zyVv1d7ez5mvNDQUddflJqA1JSj0nIC6t qAH2DvY0KDKwW+2+On5DWvJtFNC33UsW2/Yz8qIrFTu54SFVH0T+hx09jVE7R/o4yq7r oJKgwWzfqzPU+fw6LYRfqumDeAfH1Dj0VeGd2H+KVCboacQEv17yqgxwSCeuXLpiK1im 1DuG0XYiW7IzNm+J+7SzyJdn9Nrb+wvU3gQZYWH8vKakPDykqbQ/3dOk3B3tPLnpeu0+ 5PLcKA+q9FnhWOLCY4O2v2n8g9z4jIQ0SxQ7vc3feAJTW2AKbTXDhVQDetsOVEJYbalW V9CA== X-Gm-Message-State: AOJu0YxLya+nBQyurPq92k2p9F2UCZbd5gyJa/nnUizbJ1yC9MxMh/KA ts9lCz6wf3aJQ9ze5sT0FDhpvOz6BZK+qjtyp19YtwgQrJQDXMQkUYpkmsh8JJhVBbZxWqBVZAt Usov89yC8NKky4ox+AcLCzT9EjxHy0SeXGAbLOlhUXoWonczoSQ+m5NpGrlj+b6OFsKncLFGzX3 DhoDIs8UMhhWqK2teZeqMCxZoXGvTl4FW8qli8gwlOqCE0//d+PqglvWtf X-Received: by 2002:a17:90a:df0e:b0:2a0:18c4:3ed2 with SMTP id gp14-20020a17090adf0e00b002a018c43ed2mr3549706pjb.0.1711121551258; Fri, 22 Mar 2024 08:32:31 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGwOJpRCKuznTymFTGGuZzkQHZmwFfQ1GEIQkBu2nexNOCtijBqHB0zS+x7jbgP+BPV6BirjZd1RFLuA7cxG1M= X-Received: by 2002:a17:90a:df0e:b0:2a0:18c4:3ed2 with SMTP id gp14-20020a17090adf0e00b002a018c43ed2mr3549674pjb.0.1711121550884; Fri, 22 Mar 2024 08:32:30 -0700 (PDT) Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Fri, 22 Mar 2024 08:32:30 -0700 From: Simon Chopin User-Agent: Dodo MIME-Version: 1.0 In-Reply-To: References: <20240320093135.74043-1-simon.chopin@canonical.com> Date: Fri, 22 Mar 2024 08:32:30 -0700 Message-ID: Subject: Re: [PATCH] tests: handle AppArmor userns mitigation To: Adhemerval Zanella Netto Cc: libc-alpha@sourceware.org Content-Type: text/plain; charset="UTF-8" X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+e=80x24.org@sourceware.org On jeu. 21 mars 2024 13:19:41, Adhemerval Zanella Netto wrote: > On 20/03/24 06:31, Simon Chopin wrote: > > Support for flat denial of user namespace creation from AppArmor was > > added in commit 59e0441d4a ("tests: gracefully handle AppArmor userns > > containment"). However, AppArmor supports another mode where it allows > > the namespace creation but denies privileged actions within that > > namespace. > > > > The mitigation mode will be enabled by default in Ubuntu 24.04. > > > > This patch adds support for properly skipping the tests when that > > happens (usually when calling mount() or writing to /proc/self/uid_map) > > As a side-note, is there a way to easily disable it? It would be good to > avoid less test coverage. This was already handled in 59e0441d4a, tests using test-container will display a hint before exiting: UNSUPPORTED: nss/tst-reload2 original exit status 77 To enable test-container, please run this as root: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns error: test-container.c:1141: could not create a private mount namespace (security policy?: Permission denied) > > > > > Further info: > > * AppArmor user namespace restriction modes: > > https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction#two-types-of-restrictions > > * Error codes for AppArmor-denied syscals: > > https://gitlab.com/apparmor/apparmor/-/wikis/manpage_apparmor.d.5#profile-mode > > > > Signed-off-by: Simon Chopin > > --- > > support/support_become_root.c | 41 ++++++++++++++----- > > support/test-container.c | 12 +++++- > > .../unix/sysv/linux/tst-getcwd-smallbuff.c | 17 +++++--- > > sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 2 +- > > 4 files changed, 54 insertions(+), 18 deletions(-) > > > > diff --git a/support/support_become_root.c b/support/support_become_root.c > > index 5920fc8236..f744886037 100644 > > --- a/support/support_become_root.c > > +++ b/support/support_become_root.c > > @@ -28,6 +28,34 @@ > > #include > > > > #ifdef CLONE_NEWUSER > > +static void > > +write_id_map (int map_fd, unsigned long long src, > > + unsigned long long dst, unsigned long long range) > > +{ > > + char map_buf[100]; > > + int size = snprintf (map_buf, sizeof (map_buf), "%llu %llu %llu\n", src, dst, > > + range); > > Maybe use xasprintf here: > > char *map_buf = xasprintf ("%llu %llu %llu\n", src, dst, range); > [...] > free (map_buf); > > > + TEST_VERIFY_EXIT (size < sizeof (map_buf)); > > + int ret = write (map_fd, map_buf, size); > > + if (ret < 0) > > + { > > + if (errno == EPERM || errno == EACCES) > > + { > > + /* Likely a LSM deny. */ > > + FAIL_UNSUPPORTED ( > > + "Could not write ID map file, check security settings: %m\n"); > > + } > > + else > > + FAIL_EXIT1 ("Could not write ID map file: %m\n"); > > + } > > + else if (ret < size) > > + { > > + /* Retrying would just fail with EPERM, see user_namespaces(7). */ > > + FAIL_EXIT1 ( > > + "couldn't write the entire buffer at once to the ID file: %m\n"); > > + } > > +} > > + > > Ok. > > > /* The necessary steps to allow file creation in user namespaces. */ > > static void > > setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) > > @@ -43,12 +71,7 @@ setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) > > /* We map our original UID to the same UID in the container so we > > own our own files normally. Without that, file creation could > > fail with EOVERFLOW (sic!). */ > > - char buf[100]; > > - int ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n", > > - (unsigned long long) original_uid, > > - (unsigned long long) original_uid); > > - TEST_VERIFY_EXIT (ret < sizeof (buf)); > > - xwrite (fd, buf, ret); > > + write_id_map (fd, original_uid, original_uid, 1); > > xclose (fd); > > > > /* Linux 3.19 introduced the setgroups file. We need write "deny" to this > > @@ -69,11 +92,7 @@ setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) > > > > /* Now map our own GID, like we did for the user ID. */ > > fd = xopen ("/proc/self/gid_map", O_WRONLY, 0); > > - ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n", > > - (unsigned long long) original_gid, > > - (unsigned long long) original_gid); > > - TEST_VERIFY_EXIT (ret < sizeof (buf)); > > - xwrite (fd, buf, ret); > > + write_id_map (fd, original_gid, original_gid, 1); > > xclose (fd); > > } > > #endif /* CLONE_NEWUSER */ > > diff --git a/support/test-container.c b/support/test-container.c > > index ebcc722da5..fd45cbfa57 100644 > > --- a/support/test-container.c > > +++ b/support/test-container.c > > @@ -1133,7 +1133,17 @@ main (int argc, char **argv) > > > > /* Some systems, by default, all mounts leak out of the namespace. */ > > if (mount ("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) > > - FAIL_EXIT1 ("could not create a private mount namespace\n"); > > + { > > + int saved_errno = errno; > > + if (errno == EPERM || errno == EACCES) > > + { > > + check_for_unshare_hints (require_pidns); > > + FAIL_UNSUPPORTED ("could not create a private mount namespace " > > + "(security policy?: %s)", > > + strerror (saved_errno)); > > + } > > + FAIL_EXIT1 ("could not create a private mount namespace\n"); > > + } > > > > trymount (support_srcdir_root, new_srcdir_path); > > trymount (support_objdir_root, new_objdir_path); > > Ok. > > > diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c > > index 55362f6060..f564be6a63 100644 > > --- a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c > > +++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c > > @@ -133,7 +133,13 @@ child_func (void * const arg) > > TEST_VERIFY_EXIT (ch == '1'); > > > > if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL)) > > - FAIL_EXIT1 ("mount failed: %m\n"); > > + { > > + /* Probably rejected by local security policy. */ > > + if (errno == EPERM || errno == EACCES) > > + FAIL_UNSUPPORTED ("mount failed (security policy?): %m\n"); > > + else > > + FAIL_EXIT1 ("mount failed: %m\n"); > > + } > > const int fd = xopen ("mpoint", > > O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0); > > > > @@ -194,10 +200,11 @@ do_test (void) > > pid_t pid = xfork (); > > if (pid == 0) > > { > > - if (unshare (CLONE_NEWUSER | CLONE_NEWNS) != 0) > > - _exit (EXIT_UNSUPPORTED); > > - else > > - _exit (0); > > + if (unshare (CLONE_NEWUSER | CLONE_NEWNS) != 0 > > + || mount ("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) > > + _exit (EXIT_UNSUPPORTED); > > + else > > + _exit (0); > > } > > int status; > > xwaitpid (pid, &status, 0); > > diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > > index ef62fbe941..89233ac4a1 100644 > > --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > > +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > > @@ -72,7 +72,7 @@ do_test (void) > > /* This happens if we're trying to create a nested container, > > like if the build is running under podman, and we lack > > priviledges. */ > > - if (errno == EPERM) > > + if (errno == EPERM || errno == EACCES) > > _exit (EXIT_UNSUPPORTED); > > else > > _exit (EXIT_FAILURE); > > > > base-commit: 1ea051145612f199d8716ecdf78b084b00b5a727 > > Ok.