Commit 30d53a58 authored by Tycho Andersen, committed by Shuah Khan

selftests: unshare userns in seccomp pidns testcases

The pid ns cannot be unshare()d as an unprivileged user without owning the
userns as well. Let's unshare the userns so that we can subsequently
unshare the pidns.

This also means that we don't need to set the no new privs bit as in the
other test cases, since we're unsharing the userns.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Shuah Khan <shuah@kernel.org>
parent c7140706
...@@ -3313,7 +3313,7 @@ TEST(user_notification_child_pid_ns) ...@@ -3313,7 +3313,7 @@ TEST(user_notification_child_pid_ns)
struct seccomp_notif req = {}; struct seccomp_notif req = {};
struct seccomp_notif_resp resp = {}; struct seccomp_notif_resp resp = {};
ASSERT_EQ(unshare(CLONE_NEWPID), 0); ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);
listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER); listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
ASSERT_GE(listener, 0); ASSERT_GE(listener, 0);
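Review bot: The combined `ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);` in user_notification_child_pid_ns turns an unavailable user namespace into a hard test failure. On a kernel built without user namespace support, or on a system that restricts unprivileged user namespace creation, the call fails before any seccomp code runs, and the result reads as a seccomp regression. Consider checking errno when unshare() fails and skipping the test with a message that names the namespace requirement, rather than asserting.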
...@@ -3416,6 +3416,8 @@ TEST(user_notification_fault_recv) ...@@ -3416,6 +3416,8 @@ TEST(user_notification_fault_recv)
struct seccomp_notif req = {}; struct seccomp_notif req = {};
struct seccomp_notif_resp resp = {}; struct seccomp_notif_resp resp = {};
ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER); listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
ASSERT_GE(listener, 0); ASSERT_GE(listener, 0);
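Review bot: The added `ASSERT_EQ(unshare(CLONE_NEWUSER), 0);` in user_notification_fault_recv carries no comment, and neither the test name nor the commit subject (pidns testcases) explains why a fault-on-receive test needs its own user namespace. The commit message suggests the unshare stands in for setting the no new privs bit before the filter is installed; a one-line comment above the call saying so would keep a later cleanup from dropping it as unrelated. The same skip-instead-of-fail handling for systems without usable user namespaces applies here as well.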
......