Andy Lutomirski <luto@xxxxxxxxxx> writes: > test_execve does rather odd mount manipulations to safely create > temporary setuid and setgid executables that aren't visible to the > rest of the system. Those executables end up in the test's cwd, but > that cwd is MNT_DETACHed. > > The core namespace code considers MNT_DETACHed trees to belong to no > mount namespace at all and, in general, MNT_DETACHed trees are only > barely function. This interacted with commit 380cf5ba6b0a ("fs: > Treat foreign mounts as nosuid") to cause all MNT_DETACHed trees to > act as though they're nosuid, breaking the test. > > Fix it by just not detaching the tree. It's still in a private > mount namespace and is therefore still invisible to the rest of the > system (except via /proc, and the same nosuid logic will protect all > other programs on the system from believing in test_execve's setuid > bits). > > While we're at it, fix some blatant whitespace problems. > > Reported-by: Naresh Kamboju <naresh.kamboju@xxxxxxxxxx> > Fixes: 380cf5ba6b0a ("fs: Treat foreign mounts as nosuid") > Cc: stable@xxxxxxxxxxxxxxx > Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> > Cc: Kees Cook <keescook@xxxxxxxxxxxx> > Cc: Shuah Khan <shuahkh@xxxxxxxxxxxxxxx> > Cc: Greg KH <greg@xxxxxxxxx> > Cc: linux-kselftest@xxxxxxxxxxxxxxx > Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx> Acked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> > --- > tools/testing/selftests/capabilities/test_execve.c | 7 ++----- > 1 file changed, 2 insertions(+), 5 deletions(-) > > diff --git a/tools/testing/selftests/capabilities/test_execve.c b/tools/testing/selftests/capabilities/test_execve.c > index 10a21a958aaf..763f37fecfb8 100644 > --- a/tools/testing/selftests/capabilities/test_execve.c > +++ b/tools/testing/selftests/capabilities/test_execve.c > @@ -138,9 +138,6 @@ static void chdir_to_tmpfs(void) > > if (chdir(cwd) != 0) > err(1, "chdir to private tmpfs"); > - > - if (umount2(".", MNT_DETACH) != 0) > - err(1, "detach private tmpfs"); > } > > static void copy_fromat_to(int fromfd, const char *fromname, const char *toname) > @@ -248,7 +245,7 @@ static int do_tests(int uid, const char *our_path) > err(1, "chown"); > if (chmod("validate_cap_sgidnonroot", S_ISGID | 0710) != 0) > err(1, "chmod"); > -} > + } > > capng_get_caps_process(); > > @@ -384,7 +381,7 @@ static int do_tests(int uid, const char *our_path) > } else { > printf("[RUN]\tNon-root +ia, sgidnonroot => i\n"); > exec_other_validate_cap("./validate_cap_sgidnonroot", > - false, false, true, false); > + false, false, true, false); > > if (fork_wait()) { > printf("[RUN]\tNon-root +ia, sgidroot => i\n");