Allow for unpriviledged nested containers

If the build itself is run in a container, we may not be able to
fully set up a nested container for test-container testing.
Notably is the mounting of /proc, since it's critical that it
be mounted from within the same PID namespace as its users, and
thus cannot be bind mounted from outside the container like other
mounts.

This patch defaults to using the parent's PID namespace instead of
creating a new one, as this is more likely to be allowed.

If the test needs an isolated PID namespace, it should add the "pidns"
command to its init script.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
This commit is contained in:
DJ Delorie 2022-03-28 23:53:33 -04:00
parent 6ff3c77149
commit 2fe64148a8
7 changed files with 155 additions and 35 deletions

View File

@ -85,6 +85,8 @@ in_str_list (const char *libname, const char *const strlist[])
static int static int
do_test (void) do_test (void)
{ {
support_need_proc ("needs /proc/sys/kernel/yama/ptrace_scope and /proc/$child");
/* Check if our subprocess can be debugged with ptrace. */ /* Check if our subprocess can be debugged with ptrace. */
{ {
int ptrace_scope = support_ptrace_scope (); int ptrace_scope = support_ptrace_scope ();

View File

@ -28,6 +28,8 @@
#include <unistd.h> #include <unistd.h>
#include <inttypes.h> #include <inttypes.h>
#include <support/support.h>
/* There is an obscure bug in the kernel due to which RLIMIT_STACK is sometimes /* There is an obscure bug in the kernel due to which RLIMIT_STACK is sometimes
returned as unlimited when it is not, which may cause this test to fail. returned as unlimited when it is not, which may cause this test to fail.
There is also the other case where RLIMIT_STACK is intentionally set as There is also the other case where RLIMIT_STACK is intentionally set as
@ -153,6 +155,8 @@ check_stack_top (void)
static int static int
do_test (void) do_test (void)
{ {
support_need_proc ("Reads /proc/self/maps to get stack size.");
pagesize = sysconf (_SC_PAGESIZE); pagesize = sysconf (_SC_PAGESIZE);
return check_stack_top (); return check_stack_top ();
} }

View File

@ -95,6 +95,8 @@ do_test (void)
char buf1[PATH_MAX]; char buf1[PATH_MAX];
char buf2[PATH_MAX]; char buf2[PATH_MAX];
support_need_proc ("Our xmkdirp fails if we can't map our uid, which requires /proc.");
sprintf (buf1, "/subdir%s", support_slibdir_prefix); sprintf (buf1, "/subdir%s", support_slibdir_prefix);
xmkdirp (buf1, 0777); xmkdirp (buf1, 0777);

View File

@ -64,6 +64,7 @@ libsupport-routines = \
support_format_netent \ support_format_netent \
support_isolate_in_subprocess \ support_isolate_in_subprocess \
support_mutex_pi_monotonic \ support_mutex_pi_monotonic \
support_need_proc \
support_path_support_time64 \ support_path_support_time64 \
support_process_state \ support_process_state \
support_ptrace \ support_ptrace \

View File

@ -91,6 +91,11 @@ char *support_quote_string (const char *);
regular file open for writing, and initially empty. */ regular file open for writing, and initially empty. */
int support_descriptor_supports_holes (int fd); int support_descriptor_supports_holes (int fd);
/* Predicates that a test requires a working /proc filesystem. This
call will exit with UNSUPPORTED if /proc is not available, printing
WHY_MSG as part of the diagnostic. */
void support_need_proc (const char *why_msg);
/* Error-checking wrapper functions which terminate the process on /* Error-checking wrapper functions which terminate the process on
error. */ error. */

View File

@ -0,0 +1,35 @@
/* Indicate that a test requires a working /proc.
Copyright (C) 2022 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<https://www.gnu.org/licenses/>. */
#include <unistd.h>
#include <support/check.h>
#include <support/support.h>
/* We test for /proc/self/maps since that's one of the files that one
of our tests actually uses, but the general idea is if Linux's
/proc/ (procfs) filesystem is mounted. If not, the process exits
with an UNSUPPORTED result code. */
void
support_need_proc (const char *why_msg)
{
#ifdef __linux__
if (access ("/proc/self/maps", R_OK))
FAIL_UNSUPPORTED ("/proc is not available, %s", why_msg);
#endif
}

View File

@ -97,6 +97,7 @@ int verbose = 0;
* mytest.root/mytest.script has a list of "commands" to run: * mytest.root/mytest.script has a list of "commands" to run:
syntax: syntax:
# comment # comment
pidns <comment>
su su
mv FILE FILE mv FILE FILE
cp FILE FILE cp FILE FILE
@ -122,6 +123,8 @@ int verbose = 0;
details: details:
- '#': A comment. - '#': A comment.
- 'pidns': Require a separate PID namespace, prints comment if it can't
(default is a shared pid namespace)
- 'su': Enables running test as root in the container. - 'su': Enables running test as root in the container.
- 'mv': A minimal move files command. - 'mv': A minimal move files command.
- 'cp': A minimal copy files command. - 'cp': A minimal copy files command.
@ -148,7 +151,7 @@ int verbose = 0;
* Simple, easy to review code (i.e. prefer simple naive code over * Simple, easy to review code (i.e. prefer simple naive code over
complex efficient code) complex efficient code)
* The current implementation ist parallel-make-safe, but only in * The current implementation is parallel-make-safe, but only in
that it uses a lock to prevent parallel access to the testroot. */ that it uses a lock to prevent parallel access to the testroot. */
@ -227,11 +230,37 @@ concat (const char *str, ...)
return bufs[n]; return bufs[n];
} }
/* Like the above, but put spaces between words. Caller frees. */
static char *
concat_words (char **words, int num_words)
{
int len = 0;
int i;
char *rv, *p;
for (i = 0; i < num_words; i ++)
{
len += strlen (words[i]);
len ++;
}
p = rv = (char *) xmalloc (len);
for (i = 0; i < num_words; i ++)
{
if (i > 0)
p = stpcpy (p, " ");
p = stpcpy (p, words[i]);
}
return rv;
}
/* Try to mount SRC onto DEST. */ /* Try to mount SRC onto DEST. */
static void static void
trymount (const char *src, const char *dest) trymount (const char *src, const char *dest)
{ {
if (mount (src, dest, "", MS_BIND, NULL) < 0) if (mount (src, dest, "", MS_BIND | MS_REC, NULL) < 0)
FAIL_EXIT1 ("can't mount %s onto %s\n", src, dest); FAIL_EXIT1 ("can't mount %s onto %s\n", src, dest);
} }
@ -726,6 +755,9 @@ main (int argc, char **argv)
gid_t original_gid; gid_t original_gid;
/* If set, the test runs as root instead of the user running the testsuite. */ /* If set, the test runs as root instead of the user running the testsuite. */
int be_su = 0; int be_su = 0;
int require_pidns = 0;
const char *pidns_comment = NULL;
int do_proc_mounts = 0;
int UMAP; int UMAP;
int GMAP; int GMAP;
/* Used for "%lld %lld 1" so need not be large. */ /* Used for "%lld %lld 1" so need not be large. */
@ -1011,6 +1043,12 @@ main (int argc, char **argv)
{ {
be_su = 1; be_su = 1;
} }
else if (nt >= 1 && strcmp (the_words[0], "pidns") == 0)
{
require_pidns = 1;
if (nt > 1)
pidns_comment = concat_words (the_words + 1, nt - 1);
}
else if (nt == 3 && strcmp (the_words[0], "mkdirp") == 0) else if (nt == 3 && strcmp (the_words[0], "mkdirp") == 0)
{ {
long int m; long int m;
@ -1068,7 +1106,8 @@ main (int argc, char **argv)
#ifdef CLONE_NEWNS #ifdef CLONE_NEWNS
/* The unshare here gives us our own spaces and capabilities. */ /* The unshare here gives us our own spaces and capabilities. */
if (unshare (CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS) < 0) if (unshare (CLONE_NEWUSER | CLONE_NEWNS
| (require_pidns ? CLONE_NEWPID : 0)) < 0)
{ {
/* Older kernels may not support all the options, or security /* Older kernels may not support all the options, or security
policy may block this call. */ policy may block this call. */
@ -1079,6 +1118,11 @@ main (int argc, char **argv)
check_for_unshare_hints (); check_for_unshare_hints ();
FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno)); FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
} }
/* We're about to exit anyway, it's "safe" to call unshare again
just to see if the CLONE_NEWPID caused the error. */
else if (require_pidns && unshare (CLONE_NEWUSER | CLONE_NEWNS) >= 0)
FAIL_EXIT1 ("unable to unshare pid ns: %s : %s", strerror (errno),
pidns_comment ? pidns_comment : "required by test");
else else
FAIL_EXIT1 ("unable to unshare user/fs: %s", strerror (errno)); FAIL_EXIT1 ("unable to unshare user/fs: %s", strerror (errno));
} }
@ -1094,6 +1138,15 @@ main (int argc, char **argv)
trymount (support_srcdir_root, new_srcdir_path); trymount (support_srcdir_root, new_srcdir_path);
trymount (support_objdir_root, new_objdir_path); trymount (support_objdir_root, new_objdir_path);
/* It may not be possible to mount /proc directly. */
if (! require_pidns)
{
char *new_proc = concat (new_root_path, "/proc", NULL);
xmkdirp (new_proc, 0755);
trymount ("/proc", new_proc);
do_proc_mounts = 1;
}
xmkdirp (concat (new_root_path, "/dev", NULL), 0755); xmkdirp (concat (new_root_path, "/dev", NULL), 0755);
devmount (new_root_path, "null"); devmount (new_root_path, "null");
devmount (new_root_path, "zero"); devmount (new_root_path, "zero");
@ -1163,11 +1216,28 @@ main (int argc, char **argv)
maybe_xmkdir ("/tmp", 0755); maybe_xmkdir ("/tmp", 0755);
if (require_pidns)
{
/* Now that we're pid 1 (effectively "root") we can mount /proc */ /* Now that we're pid 1 (effectively "root") we can mount /proc */
maybe_xmkdir ("/proc", 0777); maybe_xmkdir ("/proc", 0777);
if (mount ("proc", "/proc", "proc", 0, NULL) < 0) if (mount ("proc", "/proc", "proc", 0, NULL) != 0)
FAIL_EXIT1 ("Unable to mount /proc: "); {
/* This happens if we're trying to create a nested container,
like if the build is running under podman, and we lack
priviledges.
Ideally we would WARN here, but that would just add noise to
*every* test-container test, and the ones that care should
have their own relevent diagnostics.
FAIL_EXIT1 ("Unable to mount /proc: "); */
}
else
do_proc_mounts = 1;
}
if (do_proc_mounts)
{
/* We map our original UID to the same UID in the container so we /* We map our original UID to the same UID in the container so we
can own our own files normally. */ can own our own files normally. */
UMAP = open ("/proc/self/uid_map", O_WRONLY); UMAP = open ("/proc/self/uid_map", O_WRONLY);
@ -1199,6 +1269,7 @@ main (int argc, char **argv)
(long long) (be_su ? 0 : original_gid), (long long) original_gid); (long long) (be_su ? 0 : original_gid), (long long) original_gid);
write (GMAP, tmp, strlen (tmp)); write (GMAP, tmp, strlen (tmp));
xclose (GMAP); xclose (GMAP);
}
if (change_cwd) if (change_cwd)
{ {