From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on starla X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id BB41C1F44D for ; Thu, 21 Mar 2024 16:25:33 +0000 (UTC) Authentication-Results: dcvr.yhbt.net; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=mIA00YHs; dkim-atps=neutral Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 039533858419 for ; Thu, 21 Mar 2024 16:25:33 +0000 (GMT) Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) by sourceware.org (Postfix) with ESMTPS id 206E63858D28 for ; Thu, 21 Mar 2024 16:25:13 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 206E63858D28 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 206E63858D28 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::62f ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1711038315; cv=none; b=FJFbZ1aNVbpsNpgNIAEzAc2GR2TBBxMYp+t+g3piiNM8WLW7R0qOusN+7fOCeU41GdnrG2VXlHShOoOx3A9ZDy/5jmLI3UxYDgRSZX5Ni11GHufkIIgp4nZC1EExHzBPPOFngRVMCcfJAKxlimEJ6SCH6JObbS9hvIHwXacuthE= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1711038315; c=relaxed/simple; bh=7f6r7SjAMgjdox8J3akv7ukyaWWerttEkPTmXPalQjE=; h=DKIM-Signature:Message-ID:Date:MIME-Version:Subject:To:From; b=AEIrbPA3NrSvQWcfCAyXcVHOo3OsaSd6evWvJMUppyLJqvxycu+/mMQ3Dp1nn9uus48bDz9jNLhZR9RUtTnEjx412P5Br0UW3KXLzGIM9X8tQ7r0x+joqawIugBGWT8zvQjLzYezfVbWnvkgYqcgY5cOuyUFX49aQOJzpkZ/ypc= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pl1-x62f.google.com with SMTP id d9443c01a7336-1df01161b39so8661825ad.3 for ; Thu, 21 Mar 2024 09:25:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1711038311; x=1711643111; darn=sourceware.org; h=content-transfer-encoding:in-reply-to:organization:from:references :to:content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=7IJGjyk/mImr7FMMDF2Q7im6n/mE+YKEKskuEBWFy58=; b=mIA00YHsPW4T256bUZUv4+StBG44AW1sIWkDvMfk4Lfnuu0QOiFVimtU+KsAqNsAle Q4xTn6EsauBXmXICmqaDS1p1hdHtV5TB0Mylyc2qJF5+umviBuu8x+Yf5E3L0eqXtsEb 9TxITKGLkOV3slrBHAHB3xbIBIvKMeC4mN6T7t+fIx0V80wuBu2jCrsmg3MvMHqeydbp wEMb1837KZ0OXN3NCYlaMOniJiCaEgls3nmASJX/IKyan9HrVrrokeEt3QHqO+z3vv5U r2asxtUgDFRcttkYpcLDGEEjHYOWGa1isUeH6Ack6RgFURmBe1MZJotZc8FgvjoOKr0j z3nw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711038311; x=1711643111; h=content-transfer-encoding:in-reply-to:organization:from:references :to:content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=7IJGjyk/mImr7FMMDF2Q7im6n/mE+YKEKskuEBWFy58=; b=KhlsMrCii/o0p3dXSohnmKvTJY9g2oZpINXHTMTYc1hS9SFOZCXF0isveUKzbm3IJl fCHCQ/yMe81TOyv8XfZrvQAcpns2TLEb3rXXjWCD1N2WQzhGNbNwItJ3kE3vabZKd4ss Hc6Pwd0hkoBW9VPvaaLEd+pv/4bzT57KLNwhbpMmrzukClVLCYIbDf3lcc7sMxuGWj3T 5ozPVAA4M7JmEcIWe4DxFmKCSvbvgubiCG4/PgmnIkuiIjE0e04Ny7ouo03hIN98kxvx NQQ8JROrSR5e/WhD6S9p1RdFL8/9ZZQndZ2g2Q5YIWo6Flo/SdlwSDmo4rebH0NNX2rq liDQ== X-Gm-Message-State: AOJu0YwVivuXyzFiNFX6Av7x5n141EgC5Y1bfxtsY7q85umg/Spy09wn UKQpD+wZDpC2gd9xVVNeOwe9dxPEBikLV+7H4UGVvNRdo+9a7/8RAY9X9eSGv1MB4RRQWUQU2uL N X-Google-Smtp-Source: AGHT+IFdxA99lhQsr6zpIVn2Ryi42YZAQSN1uHtbT2k+Bj396gtuFX4Ki3oYRVvMlKufa8AjD2bccQ== X-Received: by 2002:a05:6a20:914a:b0:1a3:6954:77d2 with SMTP id x10-20020a056a20914a00b001a3695477d2mr7334309pzc.31.1711037986092; Thu, 21 Mar 2024 09:19:46 -0700 (PDT) Received: from ?IPV6:2804:1b3:a7c3:1d04:bcc1:505d:b612:f9f0? ([2804:1b3:a7c3:1d04:bcc1:505d:b612:f9f0]) by smtp.gmail.com with ESMTPSA id z8-20020aa79e48000000b006e6c10bdc16sm18892pfq.85.2024.03.21.09.19.43 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 21 Mar 2024 09:19:45 -0700 (PDT) Message-ID: Date: Thu, 21 Mar 2024 13:19:41 -0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] tests: handle AppArmor userns mitigation Content-Language: en-US To: libc-alpha@sourceware.org, Simon Chopin References: <20240320093135.74043-1-simon.chopin@canonical.com> From: Adhemerval Zanella Netto Organization: Linaro In-Reply-To: <20240320093135.74043-1-simon.chopin@canonical.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+e=80x24.org@sourceware.org On 20/03/24 06:31, Simon Chopin wrote: > Support for flat denial of user namespace creation from AppArmor was > added in commit 59e0441d4a ("tests: gracefully handle AppArmor userns > containment"). However, AppArmor supports another mode where it allows > the namespace creation but denies privileged actions within that > namespace. > > The mitigation mode will be enabled by default in Ubuntu 24.04. > > This patch adds support for properly skipping the tests when that > happens (usually when calling mount() or writing to /proc/self/uid_map) As a side-note, is there a way to easily disable it? It would be good to avoid less test coverage. > > Further info: > * AppArmor user namespace restriction modes: > https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction#two-types-of-restrictions > * Error codes for AppArmor-denied syscals: > https://gitlab.com/apparmor/apparmor/-/wikis/manpage_apparmor.d.5#profile-mode > > Signed-off-by: Simon Chopin > --- > support/support_become_root.c | 41 ++++++++++++++----- > support/test-container.c | 12 +++++- > .../unix/sysv/linux/tst-getcwd-smallbuff.c | 17 +++++--- > sysdeps/unix/sysv/linux/tst-pidfd_getpid.c | 2 +- > 4 files changed, 54 insertions(+), 18 deletions(-) > > diff --git a/support/support_become_root.c b/support/support_become_root.c > index 5920fc8236..f744886037 100644 > --- a/support/support_become_root.c > +++ b/support/support_become_root.c > @@ -28,6 +28,34 @@ > #include > > #ifdef CLONE_NEWUSER > +static void > +write_id_map (int map_fd, unsigned long long src, > + unsigned long long dst, unsigned long long range) > +{ > + char map_buf[100]; > + int size = snprintf (map_buf, sizeof (map_buf), "%llu %llu %llu\n", src, dst, > + range); Maybe use xasprintf here: char *map_buf = xasprintf ("%llu %llu %llu\n", src, dst, range); [...] free (map_buf); > + TEST_VERIFY_EXIT (size < sizeof (map_buf)); > + int ret = write (map_fd, map_buf, size); > + if (ret < 0) > + { > + if (errno == EPERM || errno == EACCES) > + { > + /* Likely a LSM deny. */ > + FAIL_UNSUPPORTED ( > + "Could not write ID map file, check security settings: %m\n"); > + } > + else > + FAIL_EXIT1 ("Could not write ID map file: %m\n"); > + } > + else if (ret < size) > + { > + /* Retrying would just fail with EPERM, see user_namespaces(7). */ > + FAIL_EXIT1 ( > + "couldn't write the entire buffer at once to the ID file: %m\n"); > + } > +} > + Ok. > /* The necessary steps to allow file creation in user namespaces. */ > static void > setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) > @@ -43,12 +71,7 @@ setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) > /* We map our original UID to the same UID in the container so we > own our own files normally. Without that, file creation could > fail with EOVERFLOW (sic!). */ > - char buf[100]; > - int ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n", > - (unsigned long long) original_uid, > - (unsigned long long) original_uid); > - TEST_VERIFY_EXIT (ret < sizeof (buf)); > - xwrite (fd, buf, ret); > + write_id_map (fd, original_uid, original_uid, 1); > xclose (fd); > > /* Linux 3.19 introduced the setgroups file. We need write "deny" to this > @@ -69,11 +92,7 @@ setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) > > /* Now map our own GID, like we did for the user ID. */ > fd = xopen ("/proc/self/gid_map", O_WRONLY, 0); > - ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n", > - (unsigned long long) original_gid, > - (unsigned long long) original_gid); > - TEST_VERIFY_EXIT (ret < sizeof (buf)); > - xwrite (fd, buf, ret); > + write_id_map (fd, original_gid, original_gid, 1); > xclose (fd); > } > #endif /* CLONE_NEWUSER */ > diff --git a/support/test-container.c b/support/test-container.c > index ebcc722da5..fd45cbfa57 100644 > --- a/support/test-container.c > +++ b/support/test-container.c > @@ -1133,7 +1133,17 @@ main (int argc, char **argv) > > /* Some systems, by default, all mounts leak out of the namespace. */ > if (mount ("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) > - FAIL_EXIT1 ("could not create a private mount namespace\n"); > + { > + int saved_errno = errno; > + if (errno == EPERM || errno == EACCES) > + { > + check_for_unshare_hints (require_pidns); > + FAIL_UNSUPPORTED ("could not create a private mount namespace " > + "(security policy?: %s)", > + strerror (saved_errno)); > + } > + FAIL_EXIT1 ("could not create a private mount namespace\n"); > + } > > trymount (support_srcdir_root, new_srcdir_path); > trymount (support_objdir_root, new_objdir_path); Ok. > diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c > index 55362f6060..f564be6a63 100644 > --- a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c > +++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c > @@ -133,7 +133,13 @@ child_func (void * const arg) > TEST_VERIFY_EXIT (ch == '1'); > > if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL)) > - FAIL_EXIT1 ("mount failed: %m\n"); > + { > + /* Probably rejected by local security policy. */ > + if (errno == EPERM || errno == EACCES) > + FAIL_UNSUPPORTED ("mount failed (security policy?): %m\n"); > + else > + FAIL_EXIT1 ("mount failed: %m\n"); > + } > const int fd = xopen ("mpoint", > O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0); > > @@ -194,10 +200,11 @@ do_test (void) > pid_t pid = xfork (); > if (pid == 0) > { > - if (unshare (CLONE_NEWUSER | CLONE_NEWNS) != 0) > - _exit (EXIT_UNSUPPORTED); > - else > - _exit (0); > + if (unshare (CLONE_NEWUSER | CLONE_NEWNS) != 0 > + || mount ("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) > + _exit (EXIT_UNSUPPORTED); > + else > + _exit (0); > } > int status; > xwaitpid (pid, &status, 0); > diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > index ef62fbe941..89233ac4a1 100644 > --- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > +++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c > @@ -72,7 +72,7 @@ do_test (void) > /* This happens if we're trying to create a nested container, > like if the build is running under podman, and we lack > priviledges. */ > - if (errno == EPERM) > + if (errno == EPERM || errno == EACCES) > _exit (EXIT_UNSUPPORTED); > else > _exit (EXIT_FAILURE); > > base-commit: 1ea051145612f199d8716ecdf78b084b00b5a727 Ok.