From aae4748464d3b8a810f88b3f1d65dd7d5b5ff396 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Mon, 17 Mar 2025 16:20:00 +0100 Subject: [PATCH] TEST-07-PID1.delegate-namespaces: Make sure fully visible procfs is available To be able to mount /proc inside an unprivileged user namespace, we have to make sure a fully visible procfs is available on the host, so let's make sure that's the case. --- test/units/TEST-07-PID1.delegate-namespaces.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/test/units/TEST-07-PID1.delegate-namespaces.sh b/test/units/TEST-07-PID1.delegate-namespaces.sh index ed447f15081..8eb9956c2e7 100755 --- a/test/units/TEST-07-PID1.delegate-namespaces.sh +++ b/test/units/TEST-07-PID1.delegate-namespaces.sh @@ -9,6 +9,22 @@ set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh +# IMPORTANT: For /proc/ to be remounted in pid namespace within an unprivileged user namespace, there needs to +# be at least 1 unmasked procfs mount in ANY directory. Otherwise, if /proc/ is masked (e.g. /proc/scsi is +# over-mounted with tmpfs), then mounting a new /proc/ will fail. +# +# Thus, to guarantee PrivatePIDs=yes tests for unprivileged users pass, we mount a new procfs on a temporary +# directory with no masking. This will guarantee an unprivileged user can mount a new /proc/ successfully. +mkdir -p /tmp/TEST-07-PID1-delegate-namespaces-proc +mount -t proc proc /tmp/TEST-07-PID1-delegate-namespaces-proc + +at_exit() { + umount /tmp/TEST-07-PID1-delegate-namespaces-proc + rm -rf /tmp/TEST-07-PID1-delegate-namespaces-proc +} + +trap at_exit EXIT + testcase_mount() { (! systemd-run -p PrivateUsersEx=self -p PrivateMounts=yes --wait --pipe -- mount --bind /usr /home) systemd-run -p PrivateUsersEx=self -p PrivateMounts=yes -p DelegateNamespaces=mnt --wait --pipe -- mount --bind /usr /home -- 2.47.3