Re: generic/633 failing without CONFIG_USER_NS




On Thu, Mar 31, 2022 at 11:00:51AM +0200, Christian Brauner wrote:
> On Thu, Mar 31, 2022 at 10:28:46AM +0200, Jan Kara wrote:
> > Hello,
> > 
> > I have noticed that when I build a kernel without CONFIG_USER_NS,
> > generic/633 is failing. This is because, although it properly detects that
> > idmapped mounts are not supported, it still tries to execute some tests
> > (such as fscaps test) and they rely on bits of user namespace support (e.g.
> > /proc/<pid>/ns/user existing). I could hack some additional support check
> > into the test but then I figured I'm not sure whether all the tests are OK
> > to skip without CONFIG_USER_NS or whether there are not some more subtle
> > dependencies... So I'm asking here :).
> 
> Hey Jan,
> 
> Thank you for detecting and reporting this. So the only ones we can
> reasonably run are the ones that don't require idmapped mount support
> and of this the actual subset that should be runnable without userns is:
> 
> { hardlink_crossing_mounts,					false,	"cross mount hardlink",										},
> { io_uring,							false,	"io_uring",											},
> { protected_symlinks,						false,	"following protected symlinks on regular mounts",						},
> { rename_crossing_mounts,					false,	"cross mount rename",										},
> { setattr_truncate,						false,	"setattr truncate",										},
> { setgid_create,						false,	"create operations in directories with setgid bit set",						},
> { setid_binaries,						false,	"setid binaries on regular mounts",								},
> { sticky_bit_unlink,						false,	"sticky bit unlink operations on regular mounts",						},
> { sticky_bit_rename,						false,	"sticky bit rename operations on regular mounts",						},
> { symlink_regular_mounts,					false,	"symlink from regular mounts",									},
> 
> I think currently we're doing:
> 
> struct t_idmapped_mounts {
> 	int (*test)(void);
> 	bool require_fs_allow_idmap;
> 	const char *description;
> };
> 
> which defines
> bool require_fs_allow_idmap
> which gets set for each test and then we can skip or execute tests
> depending on whether or not they require that.
> 
> One possible way to deal with the userns thing in there might be to make
> this a flags argument:
> 
> unsigned int required_flags;
> 
> then
> 
> #define T_REQUIRE_IDMAPPED_MOUNTS (0 << 1)
> #define T_REQUIRE_USERNS (0 << 2)

Well ok, usually when I'm not temporarily insane I tend to use:

#define T_REQUIRE_IDMAPPED_MOUNTS (1U << 0)
#define T_REQUIRE_USERNS (1U << 1)

Sorry about that.
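
The flags-based selection proposed in this thread, as an added example that is not code from the test suite or from either poster. `required_flags` and the two `T_REQUIRE_*` macros come from the thread; `dummy_test`, `detect_supported`, `can_run`, `run_tests` and the sample table are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

#define T_REQUIRE_IDMAPPED_MOUNTS (1U << 0)
#define T_REQUIRE_USERNS          (1U << 1)

struct t_idmapped_mounts {
	int (*test)(void);
	unsigned int required_flags;
	const char *description;
};
static int dummy_test(void) { return 0; } /* hypothetical stub for a real test body */
/* Constructed sample table; the flag assignments are illustrative. */
static const struct t_idmapped_mounts sample_tests[] = {
	{ dummy_test, 0, "cross mount hardlink" },
	{ dummy_test, T_REQUIRE_USERNS, "sample test needing userns" },
	{ dummy_test, T_REQUIRE_IDMAPPED_MOUNTS | T_REQUIRE_USERNS, "sample idmapped mount test" },
};

/* Assumed probe: the thread notes /proc/<pid>/ns/user depends on userns support.
 * Idmapped mount support is taken from the caller, which detects it separately. */
static unsigned int detect_supported(bool idmapped_mounts_ok)
{
	unsigned int have = idmapped_mounts_ok ? T_REQUIRE_IDMAPPED_MOUNTS : 0;

	if (access("/proc/self/ns/user", F_OK) == 0)
		have |= T_REQUIRE_USERNS;
	return have;
}

/* A test is runnable only if every bit it requires is supported. */
static bool can_run(unsigned int required, unsigned int supported) { return (required & ~supported) == 0; }

/* Returns the number of skipped tests, or -1 if a test fails. */
static int run_tests(const struct t_idmapped_mounts *t, size_t n, unsigned int supported)
{
	int skipped = 0;

	for (size_t i = 0; i < n; i++) {
		if (!can_run(t[i].required_flags, supported))
			skipped++;
		else if (t[i].test())
			return -1;
	}
	return skipped;
}

int main(void)
{
	printf("skipped %d of 3\n", run_tests(sample_tests, 3, detect_supported(false)));
	return 0;
}
```

With both macros evaluating to 0, as in the `(0 << n)` draft, `required & ~supported` is always 0 and no test would ever be skipped.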


