* [LTP] [PATCH] containers: override kernel.unprivileged_userns_clone sysctl where needed
@ 2023-03-23 15:45 Seth Forshee (DigitalOcean)
  2023-03-23 16:24 ` Petr Vorel
  0 siblings, 1 reply; 4+ messages in thread
From: Seth Forshee (DigitalOcean) @ 2023-03-23 15:45 UTC (permalink / raw)
  To: ltp; +Cc: Seth Forshee (DigitalOcean)

Some distros have a kernel.unprivileged_userns_clone sysctl which, when
disabled, forbids users without CAP_SYS_ADMIN in the initial user
namespace from creating new user namespaces. When it is disabled the
containers userns07 and userns08 tests fail.

Update these tests to ensure that, when this sysctl is present, it is
set to allow unprivileged user namespace creation while the test is
running.

Signed-off-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>
---
 testcases/kernel/containers/userns/userns07.c | 4 ++++
 testcases/kernel/containers/userns/userns08.c | 1 +
 2 files changed, 5 insertions(+)

diff --git a/testcases/kernel/containers/userns/userns07.c b/testcases/kernel/containers/userns/userns07.c
index 40cc1e26c244..2c946a659278 100644
--- a/testcases/kernel/containers/userns/userns07.c
+++ b/testcases/kernel/containers/userns/userns07.c
@@ -88,4 +88,8 @@ static struct tst_test test = {
 		"CONFIG_USER_NS",
 		NULL,
 	},
+	.save_restore = (const struct tst_path_val[]) {
+		{"/proc/sys/kernel/unprivileged_userns_clone", "1", TST_SR_SKIP},
+		{}
+	},
 };
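Review bot: the new `.save_restore` entry in userns07.c gives no hint that `/proc/sys/kernel/unprivileged_userns_clone` is a distro (Debian out-of-tree) sysctl rather than an upstream knob, so a reader seeing it right below the `CONFIG_USER_NS` entry in `.needs_kconfigs` may assume the file is expected on every kernel. A one-line comment above the entry, e.g. `/* Debian-only sysctl, absent on upstream kernels; restored after the test */`, would document both why the file may be missing and why `TST_SR_SKIP` is used instead of the default behaviour of reporting TCONF when a save_restore path is missing. The flag choice itself is right for this case: with the default, the test would be skipped with TCONF on every non-Debian kernel instead of running.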
diff --git a/testcases/kernel/containers/userns/userns08.c b/testcases/kernel/containers/userns/userns08.c
index 2697d874b3a0..84f0ce9a92e1 100644
--- a/testcases/kernel/containers/userns/userns08.c
+++ b/testcases/kernel/containers/userns/userns08.c
@@ -136,6 +136,7 @@ static struct tst_test test = {
 	},
 	.save_restore = (const struct tst_path_val[]) {
 		{"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+		{"/proc/sys/kernel/unprivileged_userns_clone", "1", TST_SR_SKIP},
 		{}
 	},
 	.tags = (const struct tst_tag[]) {
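Review bot: in userns08.c the new entry is appended after `{"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP}`, which is fine since the two sysctls are independent and the NULL value there only saves and restores while the new entry actually writes "1". One caveat with `TST_SR_SKIP`: it skips silently not only when the file is missing (the upstream-kernel case this patch cares about) but also when the file exists and is not writable, as with /proc/sys mounted read-only inside a container. On such a Debian host with the sysctl at 0 the write is skipped and the test still fails with the original symptom rather than reporting TCONF. If this tree's tst_test.h has the split flags, `TST_SR_SKIP_MISSING | TST_SR_TCONF_RO` states the intent more precisely; otherwise a short comment that the read-only case is knowingly left alone is enough.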

---
base-commit: ce8a8edf1c5a917d0fd2f983c36b67e93de0a5c7
change-id: 20230323-override-unpriv-userns-sysctl-078b99372f01

Best regards,
-- 
Seth Forshee (DigitalOcean) <sforshee@kernel.org>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

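As an added illustration of the behaviour the commit message describes (this is example code, not part of the patch or of LTP), the probe below reads the Debian-only sysctl if it is present and then reproduces the nested-namespace case that the userns tests exercise: it unshares into a fresh user namespace, maps itself to root there, and attempts a second unshare(CLONE_NEWUSER). At that point the process holds CAP_SYS_ADMIN only in the child namespace, not in the initial one, so with the sysctl at 0 the second step fails with EPERM even when the first one succeeded as root. The enum, the helper names and the exit-code convention are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Debian out-of-tree sysctl; the file does not exist on upstream kernels. */
#define DEBIAN_SYSCTL "/proc/sys/kernel/unprivileged_userns_clone"

/* Example-specific outcome codes, also used as the child's exit status. */
enum probe_result {
	PROBE_OK = 0,       /* nested user namespace created */
	PROBE_FIRST_EPERM,  /* first unshare(CLONE_NEWUSER) refused */
	PROBE_MAP_FAILED,   /* could not write uid_map/gid_map in the new ns */
	PROBE_NESTED_EPERM, /* first level fine, nested level refused */
	PROBE_OTHER,        /* fork/wait failure or unexpected errno */
};

/* "0\n" -> 0, "1\n" -> 1, anything else -> -1 */
int parse_sysctl_value(const char *buf)
{
	if ((buf[0] == '0' || buf[0] == '1') && (buf[1] == '\n' || buf[1] == '\0'))
		return buf[0] - '0';
	return -1;
}

/* Sysctl value, or -1 when the file is absent (upstream kernel) or unreadable. */
int read_unprivileged_userns_clone(void)
{
	char buf[16];
	int fd = open(DEBIAN_SYSCTL, O_RDONLY);
	ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof(buf) - 1);

	if (fd >= 0)
		close(fd);
	if (n <= 0)
		return -1;
	buf[n] = '\0';
	return parse_sysctl_value(buf);
}

static int write_file(const char *path, const char *s)
{
	int fd = open(path, O_WRONLY);
	ssize_t n = fd < 0 ? -1 : write(fd, s, strlen(s));

	if (fd >= 0)
		close(fd);
	return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Child: unshare once, map ourselves as root in the new ns, unshare again. */
static void probe_child(void)
{
	char map[64];

	if (unshare(CLONE_NEWUSER))
		_exit(errno == EPERM ? PROBE_FIRST_EPERM : PROBE_OTHER);
	/* A nested user namespace needs its creator mapped in the parent ns. */
	snprintf(map, sizeof(map), "0 %u 1", (unsigned)geteuid());
	if (write_file("/proc/self/uid_map", map))
		_exit(PROBE_MAP_FAILED);
	/* setgroups must be "deny" before an unprivileged gid_map write;
	 * the file is absent before Linux 3.19, which is fine. */
	if (write_file("/proc/self/setgroups", "deny") && errno != ENOENT)
		_exit(PROBE_MAP_FAILED);
	snprintf(map, sizeof(map), "0 %u 1", (unsigned)getegid());
	if (write_file("/proc/self/gid_map", map))
		_exit(PROBE_MAP_FAILED);
	/* We now hold CAP_SYS_ADMIN in the child ns but not in the initial one,
	 * which is exactly what the Debian sysctl at 0 refuses. */
	if (unshare(CLONE_NEWUSER))
		_exit(errno == EPERM ? PROBE_NESTED_EPERM : PROBE_OTHER);
	_exit(PROBE_OK);
}

/* Run the probe in a forked child so the caller's namespaces stay intact. */
enum probe_result probe_nested_userns(void)
{
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return PROBE_OTHER;
	if (pid == 0)
		probe_child();
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return PROBE_OTHER;
	return (enum probe_result)WEXITSTATUS(status);
}

const char *probe_name(enum probe_result r)
{
	static const char *const names[] = {
		"nested user namespace created",
		"first CLONE_NEWUSER refused (EPERM)",
		"uid_map/gid_map write failed",
		"nested CLONE_NEWUSER refused (EPERM)",
		"unexpected failure",
	};
	return names[(unsigned)r <= PROBE_OTHER ? r : PROBE_OTHER];
}

int main(void)
{
	int v = read_unprivileged_userns_clone();
	enum probe_result r = probe_nested_userns();

	printf("%s = %d (-1 means absent or unreadable)\n", DEBIAN_SYSCTL, v);
	printf("probe: %s\n", probe_name(r));
	return r == PROBE_OK ? 0 : 1;
}
```

Run it twice on a Debian host, once after `sysctl kernel.unprivileged_userns_clone=0` and once with `=1`, to watch the result flip between "nested CLONE_NEWUSER refused" and "nested user namespace created"; on an upstream kernel the sysctl line reports -1 and the nested step succeeds unless user.max_user_namespaces or a seccomp/LSM policy gets in the way. The patch's `.save_restore` entry performs the `=1` half of that for the duration of the test and puts the original value back afterwards.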

* Re: [LTP] [PATCH] containers: override kernel.unprivileged_userns_clone sysctl where needed
  2023-03-23 15:45 [LTP] [PATCH] containers: override kernel.unprivileged_userns_clone sysctl where needed Seth Forshee (DigitalOcean)
@ 2023-03-23 16:24 ` Petr Vorel
  2023-03-23 16:29   ` Petr Vorel
  0 siblings, 1 reply; 4+ messages in thread
From: Petr Vorel @ 2023-03-23 16:24 UTC (permalink / raw)
  To: Seth Forshee (DigitalOcean); +Cc: ltp

Hi Seth,

> Some distros have a kernel.unprivileged_userns_clone which when disabled
> forbids users without CAP_SYS_ADMIN in the initial user namespace from
> creating new user namespaces. When disabled the containers user07 and
> user08 tests fail.

> Update these tests to ensure that when this sysctl is present it is set
> to allow unprivileged user namespace creation while the test is running.

Good catch, it's indeed a problem on Debian.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>

BTW it took me a while to find out that /proc/sys/kernel/unprivileged_userns_clone
is a Debian out-of-tree patch [1] (with the funny note from 2013: "This is a
short-term patch"), probably refused by the upstream kernel (I've only found,
3 years later, one of the Debian kernel maintainers, Ben Hutchings, talking
about it [2]).

Kind regards,
Petr

[1] https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
[2] https://lore.kernel.org/lkml/1453510799.3734.153.camel@decadent.org.uk/



* Re: [LTP] [PATCH] containers: override kernel.unprivileged_userns_clone sysctl where needed
  2023-03-23 16:24 ` Petr Vorel
@ 2023-03-23 16:29   ` Petr Vorel
  2023-03-24 12:09     ` Petr Vorel
  0 siblings, 1 reply; 4+ messages in thread
From: Petr Vorel @ 2023-03-23 16:29 UTC (permalink / raw)
  To: Seth Forshee (DigitalOcean), ltp

> BTW it took me a while to find out /proc/sys/kernel/unprivileged_userns_clone is
> Debian out of tree patch [1] (The funny note from 2013 "This is a short-term patch")
> probably refused by upstream kernel (I've only found 3 years later one of Debian
> kernel maintainers Ben Hutchings talking about it [2]).

For curious people the detail about the patch being refused by the Linux kernel
developers:
https://lwn.net/Articles/673597/

Kind regards,
Petr

> Kind regards,
> Petr

> [1] https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
> [2] https://lore.kernel.org/lkml/1453510799.3734.153.camel@decadent.org.uk/



* Re: [LTP] [PATCH] containers: override kernel.unprivileged_userns_clone sysctl where needed
  2023-03-23 16:29   ` Petr Vorel
@ 2023-03-24 12:09     ` Petr Vorel
  0 siblings, 0 replies; 4+ messages in thread
From: Petr Vorel @ 2023-03-24 12:09 UTC (permalink / raw)
  To: Seth Forshee (DigitalOcean), ltp

Hi Seth,

thanks, merged!

Kind regards,
Petr

