Re: [LTP] [PATCH 2/3] setns: add new syscall test setns01

[Wanlong Gao <gaowanlong@cn.fujitsu.com>]

On 02/05/2013 11:57 PM, Jan Stancek wrote:
> errno tests for setns(2) - reassociate thread with a namespace
> 
> Signed-off-by: Jan Stancek <jstancek@redhat.com>
> ---
>  runtest/syscalls                          |    2 +
>  testcases/kernel/syscalls/.gitignore      |    1 +
>  testcases/kernel/syscalls/setns/setns.h   |   41 +++++
>  testcases/kernel/syscalls/setns/setns01.c |  245 +++++++++++++++++++++++++++++
>  4 files changed, 289 insertions(+), 0 deletions(-)
>  create mode 100644 testcases/kernel/syscalls/setns/setns.h
>  create mode 100644 testcases/kernel/syscalls/setns/setns01.c
> 
> diff --git a/runtest/syscalls b/runtest/syscalls
> index db5a075..a881479 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -962,6 +962,8 @@ setitimer01 setitimer01
>  setitimer02 setitimer02
>  setitimer03 setitimer03
>  
> +setns01 setns01
> +
>  setpgid01 setpgid01
>  setpgid02 setpgid02
>  setpgid03 setpgid03
> diff --git a/testcases/kernel/syscalls/.gitignore b/testcases/kernel/syscalls/.gitignore
> index 003c5d0..d3bf8b7 100644
> --- a/testcases/kernel/syscalls/.gitignore
> +++ b/testcases/kernel/syscalls/.gitignore
> @@ -763,6 +763,7 @@
>  /setitimer/setitimer01
>  /setitimer/setitimer02
>  /setitimer/setitimer03
> +/setns/setns01
>  /setpgid/setpgid01
>  /setpgid/setpgid02
>  /setpgid/setpgid03
> diff --git a/testcases/kernel/syscalls/setns/setns.h b/testcases/kernel/syscalls/setns/setns.h
> new file mode 100644
> index 0000000..1613e6c
> --- /dev/null
> +++ b/testcases/kernel/syscalls/setns/setns.h
> @@ -0,0 +1,41 @@
> +/*
> + * Copyright (C) 2013 Linux Test Project, Inc.
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of version 2 of the GNU General Public
> + * License as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it would be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> + *
> + * Further, this software is distributed without any warranty that it
> + * is free of the rightful claim of any third person regarding
> + * infringement or the like.  Any license provided herein, whether
> + * implied or otherwise, applies only to this software file.  Patent
> + * licenses, if any, provided herein do not apply to combinations of
> + * this program with other software, or any other product whatsoever.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> + * 02110-1301, USA.
> + */
> +
> +static int get_ns_fd(int pid, const char *ns)
> +{
> +	char tmp[PATH_MAX];
> +	struct stat st;
> +	int fd = -1;
> +
> +	sprintf(tmp, "/proc/%d/%s", pid, ns);
> +	if (stat(tmp, &st) == 0) {
> +		fd = open(tmp, O_RDONLY);
> +		if (fd == -1)
> +			tst_brkm(TBROK|TERRNO, NULL, "failed to open %s", tmp);
> +	} else {
> +		if (errno != ENOENT)
> +			tst_brkm(TBROK|TERRNO, NULL, "failed to stat %s", tmp);
> +	}
> +	return fd;
> +}
> diff --git a/testcases/kernel/syscalls/setns/setns01.c b/testcases/kernel/syscalls/setns/setns01.c
> new file mode 100644
> index 0000000..6469266
> --- /dev/null
> +++ b/testcases/kernel/syscalls/setns/setns01.c
> @@ -0,0 +1,245 @@
> +/*
> + * Copyright (C) 2013 Linux Test Project, Inc.
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of version 2 of the GNU General Public
> + * License as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it would be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> + *
> + * Further, this software is distributed without any warranty that it
> + * is free of the rightful claim of any third person regarding
> + * infringement or the like.  Any license provided herein, whether
> + * implied or otherwise, applies only to this software file.  Patent
> + * licenses, if any, provided herein do not apply to combinations of
> + * this program with other software, or any other product whatsoever.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> + * 02110-1301, USA.
> + */
> +/*
> + * errno tests for setns(2) - reassociate thread with a namespace
> + */
> +#define _GNU_SOURCE
> +#include <sys/stat.h>
> +#include <sys/syscall.h>
> +#include <sys/types.h>
> +#include <errno.h>
> +#include <sched.h>
> +#include <pwd.h>
> +#include <string.h>
> +#include "config.h"
> +#include "test.h"
> +#include "usctest.h"
> +#include "linux_syscall_numbers.h"
> +#include "safe_macros.h"
> +
> +#define NS_TOTAL 3
> +char *TCID = "setns01";
> +
> +#if defined(__NR_setns) && defined(CLONE_NEWIPC) && defined(CLONE_NEWUTS) \
> +	&& defined(CLONE_NEWNET)
> +#include "setns.h"
> +
> +struct testcase_t {
> +	const char *msg;
> +	int fd;
> +	int ns_type;
> +	int exp_ret;
> +	int exp_errno;
> +	int skip;
> +	void (*setup) (struct testcase_t *);
> +	void (*cleanup) (struct testcase_t *);
> +};
> +
> +static void setup(void);
> +static void cleanup(void);
> +static void setup1(struct testcase_t *);
> +static void setup2(struct testcase_t *);
> +static void setup3(struct testcase_t *);
> +static void setup4(struct testcase_t *);
> +static void cleanup1(struct testcase_t *);
> +static void cleanup4(struct testcase_t *);
> +
> +struct testcase_t tdat[] = {
> +	{
> +		.msg = "invalid fd",
> +		.fd = -1,
> +		.ns_type = CLONE_NEWIPC,
> +		.exp_ret = -1,
> +		.exp_errno = EBADF,
> +	},
> +	{
> +		.msg = "regular file fd",
> +		.ns_type = CLONE_NEWIPC,
> +		.exp_ret = -1,
> +		.exp_errno = EINVAL,
> +		.setup = setup1,
> +		.cleanup = cleanup1
> +	},
> +	{
> +		.msg = "invalid ns_type",
> +		.ns_type = -1,
> +		.exp_ret = -1,
> +		.exp_errno = EINVAL,
> +		.setup = setup2,
> +	},
> +	{
> +		.msg = "mismatch ns_type/fd",
> +		.exp_ret = -1,
> +		.exp_errno = EINVAL,
> +		.setup = setup3,
> +	},
> +	{
> +		.msg = "without CAP_SYS_ADMIN",
> +		.exp_ret = -1,
> +		.exp_errno = EPERM,
> +		.setup = setup4,
> +		.cleanup = cleanup4,
> +	}

In order to allow unprivileged use of namespace, Eric has changed the permission
check to the install methods. Then, the fd and nstype check will go before the
core permission check. So, in order to test the permission, you should set an
valid fd and nstype first. Please see the following commit in kernel.

commit 142e1d1d5f088e7a38659daca6e84a730967774a
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Jul 26 01:13:20 2012 -0700

    userns: Allow unprivileged use of setns.
    
    - Push the permission check from the core setns syscall into
      the setns install methods where the user namespace of the
      target namespace can be determined, and used in a ns_capable
      call.
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>


Thanks,
Wanlong Gao


> +};
> +
> +static const char *ns_names[NS_TOTAL] = {"ns/ipc", "ns/net", "ns/uts"};
> +static int ns_types[NS_TOTAL] = { CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWUTS };
> +static int ns_fds[NS_TOTAL];
> +static int TST_TOTAL = sizeof(tdat) / sizeof(tdat[0]);
> +static const char nobody_uid[] = "nobody";
> +static struct passwd *ltpuser;
> +
> +static void setup1(struct testcase_t *t)
> +{
> +	t->fd = open("dummy", O_CREAT);
> +	if (t->fd == -1)
> +		tst_brkm(TFAIL|TERRNO, cleanup, "setup1:open failed");
> +	unlink("dummy");
> +}
> +
> +static void cleanup1(struct testcase_t *t)
> +{
> +	close(t->fd);
> +}
> +
> +static void setup2(struct testcase_t *t)
> +{
> +	int i;
> +	for (i = 0; i < NS_TOTAL; i++)
> +		if (ns_fds[i] != -1) {
> +			t->fd = ns_fds[i];
> +			return;
> +		}
> +	t->skip = 1;
> +}
> +
> +static void setup3(struct testcase_t *t)
> +{
> +	int i;
> +	for (i = 0; i < NS_TOTAL; i++)
> +		if (ns_fds[i] != -1) {
> +			t->fd = ns_fds[i];
> +			t->ns_type = ns_types[(i+1) % NS_TOTAL];
> +			return;
> +		}
> +	t->skip = 1;
> +}
> +
> +static void setup4(struct testcase_t *t)
> +{
> +	if (seteuid(ltpuser->pw_uid) == -1)
> +		tst_brkm(TBROK | TERRNO, NULL, "seteuid failed");
> +}
> +
> +static void cleanup4(struct testcase_t *t)
> +{
> +	if (seteuid(0) == -1)
> +		tst_brkm(TBROK | TERRNO, NULL, "seteuid restore failed");
> +}
> +
> +static void test_setns(struct testcase_t *t)
> +{
> +	int ret;
> +
> +	if (t->setup)
> +		t->setup(t);
> +
> +	if (t->skip) {
> +		tst_resm(TINFO, "skip %s", tdat->msg);
> +		return;
> +	}
> +
> +	ret = syscall(__NR_setns, t->fd, t->ns_type);
> +	if (ret == t->exp_ret) {
> +		if (ret == -1 && errno == t->exp_errno)
> +			tst_resm(TPASS, "%s exp_errno=%d", t->msg,
> +				t->exp_errno);
> +		else
> +			tst_resm(TFAIL|TERRNO, "%s exp_errno=%d", t->msg,
> +				t->exp_errno);
> +	} else {
> +		tst_resm(TFAIL, "%s ret=%d expected=%d", t->msg,
> +			ret, t->exp_ret);
> +	}
> +
> +	if (t->cleanup)
> +		t->cleanup(t);
> +}
> +
> +int main(int argc, char *argv[])
> +{
> +	int lc, testno;
> +	char *msg;
> +
> +	msg = parse_opts(argc, argv, NULL, NULL);
> +	if (msg != NULL)
> +		tst_brkm(TBROK, tst_exit, "OPTION PARSING ERROR - %s", msg);
> +
> +	setup();
> +	for (lc = 0; TEST_LOOPING(lc); lc++) {
> +		for (testno = 0; testno < TST_TOTAL; testno++)
> +			test_setns(&tdat[testno]);
> +	}
> +	cleanup();
> +	tst_exit();
> +}
> +
> +static void setup(void)
> +{
> +	int i;
> +
> +	tst_require_root(NULL);
> +
> +	/* runtime check if syscall is supported */
> +	syscall(__NR_setns, -1, 0);
> +
> +	ltpuser = getpwnam(nobody_uid);
> +	if (ltpuser == NULL)
> +		tst_brkm(TBROK | TERRNO, NULL, "getpwnam failed");
> +
> +	for (i = 0; i < NS_TOTAL; i++)
> +		ns_fds[i] = get_ns_fd(getpid(), ns_names[i]);
> +
> +	tst_tmpdir();
> +	TEST_PAUSE;
> +}
> +
> +static void cleanup(void)
> +{
> +	int i;
> +
> +	for (i = 0; i < NS_TOTAL; i++)
> +		if (ns_fds[i] != -1)
> +			close(ns_fds[i]);
> +	tst_rmdir();
> +	TEST_CLEANUP;
> +}
> +#else
> +int main(int argc, char *argv[])
> +{
> +	tst_brkm(TCONF, NULL, "__NR_setns, CLONE_NEWIPC, CLONE_NEWNET or "
> +		"CLONE_NEWUTS is not defined on your system.");
> +
> +}
> +#endif
> 


------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list