On Thu, Feb 24, 2022 at 08:28:41AM -0800, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> I'd really love some kind of selftest that exercises the edge cases; do
> you have your tests in some form that could be converted?

There's the original
tools/testing/selftests/rlimits/rlimits-per-userns.c selftest.
I've been rewriting it to cover more situations, I'm sending it as one
monster patch (I'd need to spend more time reordering my commits into some
logical patch order) if anyone wishes to try it.

I've tried it on 5c1ee569660d4a205dced9cb4d0306b907fb7599 + this Eric's
patch.

The test rlimit-per-userns-root passes - together with that I claim this
patch
Reviewed-by: Michal Koutný <mkoutny@xxxxxxxx>

The test rlimit-per-userns-nonroot fails. It's a similar off-by-one mistake
as was in the fork path, but it's in the do_execveat_common():

	if ((current->flags & PF_NPROC_EXCEEDED) &&
	    is_ucounts_overlimit(current_ucounts(), UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC))) {
		retval = -EAGAIN;
		goto out_ret;
	}

(If RLIMIT_NPROC should be strictly honored, setuid+execve should fail
when given uid's ucount is at the limit already.)

Funnily, the original
tools/testing/selftests/rlimits/rlimits-per-userns.c passes thanks to
the off-by-one check even though it should not pass because unshare(2)
is called after setuid(2).

Michal

-- >8 --