tests: gracefully handle AppArmor userns containment

Recent AppArmor containment allows restricting unprivileged user
namespaces, which is enabled by default on recent Ubuntu systems.
When this happens, as is common with Linux Security Modules, the syscall
will fail with -EACCESS.

When that happens, the affected tests will now be considered unsupported
rather than simply failing.

Further information:

* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
* https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html (for
  the return code)

V2:
* Fix duplicated line in check_unshare_hints
* Also handle similar failure in tst-pidfd_getpid

V3:
* Comment formatting
* Aded some more documentation on syscall return value

Signed-off-by: Simon Chopin <simon.chopin@canonical.com>

diff --git a/support/test-container.c b/support/test-container.c
index adf2b30215273936d572a1149119061dd332b5c3..ebcc722da5824d9f5c8811a485535d5a41a288ab 100644 (file)
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -682,6 +682,8 @@ check_for_unshare_hints (int require_pidns)
     { "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
     /* ALT Linux has an alternate way of doing the same.  */
     { "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
+    /* AppArmor can also disable unprivileged user namespaces.  */
+    { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
     /* Linux kernel >= 4.9 has a configurable limit on the number of
        each namespace.  Some distros set the limit to zero to disable the
        corresponding namespace as a "security policy".  */
@@ -1108,10 +1110,11 @@ main (int argc, char **argv)
     {
       /* Older kernels may not support all the options, or security
         policy may block this call.  */
-      if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+      if (errno == EINVAL || errno == EPERM
+          || errno == ENOSPC || errno == EACCES)
        {
          int saved_errno = errno;
-         if (errno == EPERM || errno == ENOSPC)
+         if (errno == EPERM || errno == ENOSPC || errno == EACCES)
            check_for_unshare_hints (require_pidns);
          FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
        }

diff --git a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
index 0354da5abb4159873f492c917e8d46ff509fd07b..ef62fbe9413c959fe20fc04552b39ea59d4a74a1 100644 (file)
--- a/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
+++ b/sysdeps/unix/sysv/linux/tst-pidfd_getpid.c
@@ -61,7 +61,8 @@ do_test (void)
          {
            /* Older kernels may not support all the options, or security
               policy may block this call.  */
-           if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+           if (errno == EINVAL || errno == EPERM
+               || errno == ENOSPC || errno == EACCES)
              exit (EXIT_UNSUPPORTED);
            FAIL_EXIT1 ("unshare user/fs/pid failed: %m");
          }