[LTP] [PATCH] syscalls/clone09.c: skip this test if net ns is not supported

[LTP] [PATCH] syscalls/clone09.c: skip this test if net ns is not supported

[Xiao Yang]

If net namespace is supported and disable, clone(CLONE_NEWNET) fails
and sets errno to EINVAL as expected.  However, If net namespace is
not supported(e.g. RHEL5.11GA), clone(CLONE_NEWNET) succeeds abnormally.
We add check if a new process has new network namespace to fix it.

Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
---
 testcases/kernel/syscalls/clone/clone09.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/testcases/kernel/syscalls/clone/clone09.c b/testcases/kernel/syscalls/clone/clone09.c
index 870c225..3456748 100644
--- a/testcases/kernel/syscalls/clone/clone09.c
+++ b/testcases/kernel/syscalls/clone/clone09.c
@@ -18,6 +18,9 @@
 #define _GNU_SOURCE
 #include <sched.h>
 #include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
 #include <errno.h>
 
 #include "tst_test.h"
@@ -28,6 +31,7 @@
 static void *child_stack;
 static int sysctl_net = -1;
 static int sysctl_net_new = -1;
+static int ns_supported = 1;
 static const char sysctl_path[] = "/proc/sys/net/ipv4/conf/lo/tag";
 static const char sysctl_path_def[] = "/proc/sys/net/ipv4/conf/default/tag";
 static int flags = CLONE_NEWNET | CLONE_VM | SIGCHLD;
@@ -47,6 +51,12 @@ static void cleanup(void)
 
 static int newnet(void *arg LTP_ATTRIBUTE_UNUSED)
 {
+	char path[PATH_MAX];
+
+	sprintf(path, "/proc/%d/ns", getpid());
+	if (access(path, F_OK))
+		ns_supported = 0;
+
 	SAFE_FILE_SCANF(sysctl_path, "%d", &sysctl_net_new);
 	tst_syscall(__NR_exit, 0);
 	return 0;
@@ -77,6 +87,9 @@ static void do_test(void)
 	clone_child();
 	tst_reap_children();
 
+	if (!ns_supported)
+		tst_brk(TCONF, "Kernel does not support net ns");
+
 	if (sysctl_net_new == (sysctl_net + 1)) {
 		tst_res(TFAIL, "sysctl params equal: %s=%d",
 			sysctl_path, sysctl_net_new);
-- 
1.8.3.1

[LTP] [PATCH] syscalls/clone09.c: skip this test if net ns is not supported

[Cyril Hrubis]

Hi!
> If net namespace is supported and disable, clone(CLONE_NEWNET) fails
> and sets errno to EINVAL as expected.  However, If net namespace is
> not supported(e.g. RHEL5.11GA), clone(CLONE_NEWNET) succeeds abnormally.

This sounds like a kernel bug. The usuall course of action for unknown
flag is to return EINVAL.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH] syscalls/clone09.c: skip this test if net ns is not supported

[Xiao Yang]

On 2017/07/20 20:17, Cyril Hrubis wrote:
> Hi!
>> If net namespace is supported and disable, clone(CLONE_NEWNET) fails
>> and sets errno to EINVAL as expected.  However, If net namespace is
>> not supported(e.g. RHEL5.11GA), clone(CLONE_NEWNET) succeeds abnormally.
> This sounds like a kernel bug. The usuall course of action for unknown
> flag is to return EINVAL.
>
Hi Cyril,

Usually, a syscall flags should always include a check of the following form
in its implementation:
-------------------------------------------------
	if (flags&   ~(FL_XXX | FL_YYY))
		return -EINVAL;
-------------------------------------------------

This check could verify unknown flags, but clone(2) does not have the check and
just returns 0, this issue has been around for several years, and it is hardly
to be fixed since doing so would break existing applications.

Please see the following URL for detailed information:
https://lwn.net/Articles/588444/

So I feel this issue should not be counted as a kernel bug which leads to some
bad consequences, this kind of ancient syscalls were simply not designed well.

It is hard to make out whether CLONE_NEWNET is supported or not by returned value
and errno, so i think we should skip this case when a kernel does not support
CLONE_NEWNET.

Thanks,
Xiao Yang.

[LTP] [PATCH v2] syscalls/clone09.c: add kernel version check

[Xiao Yang]

1) On all kernels which support CONFIG_NET_NS, clone(2) only could return
   EINVAL due to disabled CONFIG_NET_NS instead of unknown flags.  Please
   see the following kernel code in net/core/net_namespace.c:
   --------------------------------------------------------------------
   struct net *copy_net_ns(unsigned long flags, struct net *old_net)
   ...
        #ifndef CONFIG_NET_NS
                return ERR_PTR(-EINVAL);
        #endif
   --------------------------------------------------------------------

   The support is introduced in kernel:
   '9dd776b ("[NET]: Add network namespace clone & unshare support.")'

2) Usually, a syscall flags should always include a check of the following
   form in its implementation:
   ---------------------------------
   if (flags & ~(FL_XXX | FL_YYY))
        return -EINVAL;
   ---------------------------------

   This check could verify unknown flags, but clone(2) does not have the
   check and just returns 0, this issue has been around for several years,
   and it is hardly to be fixed since doing so would break existing applications.

   Please see the following URL for detailed information:
   https://lwn.net/Articles/588444/

   It is hard to make out whether CLONE_NEWNET is supported or not by
   returned value and errno.

   According to above reasons and clone()'s manpage, i think we should
   add kernel version check to skip this case on an old kernel and update
   description about EINVAL.

Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
---
 testcases/kernel/syscalls/clone/clone09.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/testcases/kernel/syscalls/clone/clone09.c b/testcases/kernel/syscalls/clone/clone09.c
index 1528be4..a6ebdd7 100644
--- a/testcases/kernel/syscalls/clone/clone09.c
+++ b/testcases/kernel/syscalls/clone/clone09.c
@@ -57,7 +57,7 @@ static long clone_child(void)
 	TEST(ltp_clone(flags, newnet, NULL, CHILD_STACK_SIZE, child_stack));
 
 	if (TEST_RETURN == -1 && TEST_ERRNO == EINVAL)
-		tst_brk(TCONF, "CLONE_NEWNET not supported, CONFIG_NET_NS?");
+		tst_brk(TCONF, "CONFIG_NET_NS was disabled");
 
 	if (TEST_RETURN == -1)
 		tst_brk(TBROK | TTERRNO, "clone(CLONE_NEWNET) failed");
@@ -100,4 +100,5 @@ static struct tst_test test = {
 	.setup = setup,
 	.cleanup = cleanup,
 	.needs_root = 1,
+	.min_kver = "2.6.24",
 };
-- 
1.8.3.1

[LTP] [PATCH v2] syscalls/clone09.c: add kernel version check

[Jan Stancek]

----- Original Message -----
> 1) On all kernels which support CONFIG_NET_NS, clone(2) only could return
>    EINVAL due to disabled CONFIG_NET_NS instead of unknown flags.  Please
>    see the following kernel code in net/core/net_namespace.c:
>    --------------------------------------------------------------------
>    struct net *copy_net_ns(unsigned long flags, struct net *old_net)
>    ...
>         #ifndef CONFIG_NET_NS
>                 return ERR_PTR(-EINVAL);
>         #endif
>    --------------------------------------------------------------------
> 
>    The support is introduced in kernel:
>    '9dd776b ("[NET]: Add network namespace clone & unshare support.")'
> 
> 2) Usually, a syscall flags should always include a check of the following
>    form in its implementation:
>    ---------------------------------
>    if (flags & ~(FL_XXX | FL_YYY))
>         return -EINVAL;
>    ---------------------------------
> 
>    This check could verify unknown flags, but clone(2) does not have the
>    check and just returns 0, this issue has been around for several years,
>    and it is hardly to be fixed since doing so would break existing
>    applications.
> 
>    Please see the following URL for detailed information:
>    https://lwn.net/Articles/588444/
> 
>    It is hard to make out whether CLONE_NEWNET is supported or not by
>    returned value and errno.
> 
>    According to above reasons and clone()'s manpage, i think we should
>    add kernel version check to skip this case on an old kernel and update
>    description about EINVAL.
> 

Pushed.

Thanks,
Jan