2020-07-10 18:52:38

by Kees Cook

[permalink] [raw]
Subject: [PATCH for-next/seccomp 1/2] selftests/seccomp: Add SKIPs for failed unshare()

Running the seccomp tests as a regular user shouldn't just fail tests
that require CAP_SYS_ADMIN (for getting a PID namespace). Instead,
detect those cases and SKIP them.

Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index bd97a985c9e6..08bfbb7fc1c2 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -3420,7 +3420,10 @@ TEST(user_notification_child_pid_ns)
struct seccomp_notif req = {};
struct seccomp_notif_resp resp = {};

- ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);
+ ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0) {
+ if (errno == EPERM)
+ SKIP(return, "CLONE_NEWPID requires CAP_SYS_ADMIN");
+ };

listener = user_notif_syscall(__NR_getppid,
SECCOMP_FILTER_FLAG_NEW_LISTENER);
@@ -3485,7 +3488,10 @@ TEST(user_notification_sibling_pid_ns)
}

/* Create the sibling ns, and sibling in it. */
- ASSERT_EQ(unshare(CLONE_NEWPID), 0);
+ ASSERT_EQ(unshare(CLONE_NEWPID), 0) {
+ if (errno == EPERM)
+ SKIP(return, "CLONE_NEWPID requires CAP_SYS_ADMIN");
+ }
ASSERT_EQ(errno, 0);

pid2 = fork();
--
2.25.1


2020-07-10 19:13:05

by Tycho Andersen

[permalink] [raw]
Subject: Re: [PATCH for-next/seccomp 1/2] selftests/seccomp: Add SKIPs for failed unshare()

On Fri, Jul 10, 2020 at 11:51:55AM -0700, Kees Cook wrote:
> Running the seccomp tests as a regular user shouldn't just fail tests
> that require CAP_SYS_ADMIN (for getting a PID namespace). Instead,
> detect those cases and SKIP them.

But if we unshare NEWUSER at the same time as NEWPID, shouldn't we
always be ns_capable(CAP_SYS_ADMIN)?

Tycho

2020-07-10 22:53:14

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH for-next/seccomp 1/2] selftests/seccomp: Add SKIPs for failed unshare()

On Fri, Jul 10, 2020 at 01:10:23PM -0600, Tycho Andersen wrote:
> On Fri, Jul 10, 2020 at 11:51:55AM -0700, Kees Cook wrote:
> > Running the seccomp tests as a regular user shouldn't just fail tests
> > that require CAP_SYS_ADMIN (for getting a PID namespace). Instead,
> > detect those cases and SKIP them.
>
> But if we unshare NEWUSER at the same time as NEWPID, shouldn't we
> always be ns_capable(CAP_SYS_ADMIN)?

Oh! Yes, you're quite right. :)

Instead I guess I should actually check for EINVAL if CONFIG_USER_NS is
missing.

--
Kees Cook