[CRIU] [PATCH v2 03/36] zdtm: Add userns00 test
Kirill Tkhai
ktkhai at virtuozzo.com
Fri Feb 3 08:12:03 PST 2017
Create two children, and unshare() user_ns in one of them (C1).
The second child creates one more process, which switches to C1's
namespace and unshares.
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
test/zdtm/static/Makefile | 1
test/zdtm/static/userns00.c | 289 ++++++++++++++++++++++++++++++++++++++++
test/zdtm/static/userns00.desc | 1
3 files changed, 291 insertions(+)
create mode 100644 test/zdtm/static/userns00.c
create mode 100644 test/zdtm/static/userns00.desc
diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
index c24ee8f69..7d773b456 100644
--- a/test/zdtm/static/Makefile
+++ b/test/zdtm/static/Makefile
@@ -172,6 +172,7 @@ TST_NOFILE := \
macvlan \
cr_veth \
sock_peercred \
+ userns00 \
# jobctl00 \
ifneq ($(SRCARCH),arm)
diff --git a/test/zdtm/static/userns00.c b/test/zdtm/static/userns00.c
new file mode 100644
index 000000000..ea98f0b3b
--- /dev/null
+++ b/test/zdtm/static/userns00.c
@@ -0,0 +1,289 @@
+#define _GNU_SOURCE
+#include <stdbool.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sched.h>
+#include <sys/wait.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <dirent.h>
+
+#include "zdtmtst.h"
+#include "lock.h"
+
+/*
+ * The test creates the following items.
+ *
+ * Processes hierarhy with their namespaces (in brackets):
+ * Parent (ns_p)
+ * / \
+ * (ns_c1) Child1 Child2 (ns_p)
+ * |
+ * GrandChild (ns_gc)
+ *
+ * Namespaces hierarhy:
+ * ns_p
+ * |
+ * ns_c1
+ * |
+ * ns_gc
+ */
+const char *test_doc = "Check user namespaces remain the same over process tree";
+const char *test_author = "Kirill Tkhai <ktkhai at virtuozzo.com>";
+
+enum {
+ FUTEX_INITIALIZED = 0,
+ CHILD1_CREATED,
+ GRAND_CHILD_PID_WRITTEN,
+ GRAND_CHILD_CREATED,
+ GRAND_CHILD_SETUP,
+ POST_RESTORE_CHECK,
+ EMERGENCY_ABORT,
+};
+
+volatile pid_t *grand_child_pid;
+futex_t *futex;
+
+int get_user_ns(pid_t pid, unsigned int *ns_id)
+{
+ char path[PATH_MAX], buf[PATH_MAX];
+ int len;
+
+ sprintf(path, "/proc/%d/ns/user", pid);
+ len = readlink(path, buf, PATH_MAX);
+ if (len < 0) {
+ pr_perror("Can't read link %s\n", path);
+ return -1;
+ }
+
+ buf[len] = '\0';
+ if (sscanf(buf, "user:[%u", ns_id) < 1) {
+ pr_err("Can't get id: %s\n", buf);
+ return -1;
+ }
+
+ return 0;
+}
+
+int write_map(pid_t pid, char *map)
+{
+ char path[PATH_MAX];
+ int fd, ret;
+
+ sprintf(path, "/proc/%d/%s", pid, map);
+ fd = open(path, O_WRONLY);
+ if (fd < 0) {
+ fail("Can't open");
+ return -1;
+ }
+ ret = write(fd, "0 0 1\n", 6);
+ if (ret != 6) {
+ fail("Can't write");
+ return -1;
+ }
+ close(fd);
+
+ return 0;
+}
+
+/* Child1 creates its own namespace */
+int child1(void)
+{
+ int ret;
+
+ ret = unshare(CLONE_NEWUSER);
+ if (ret < 0) {
+ pr_perror("unshare");
+ futex_set_and_wake(futex, EMERGENCY_ABORT);
+ return 1;
+ }
+
+ futex_set_and_wake(futex, CHILD1_CREATED);
+ futex_wait_while_lt(futex, GRAND_CHILD_CREATED);
+
+ if (write_map(*grand_child_pid, "uid_map") < 0 ||
+ write_map(*grand_child_pid, "gid_map") < 0) {
+ fail("write map");
+ futex_set_and_wake(futex, EMERGENCY_ABORT);
+ return 2;
+ }
+
+ futex_set_and_wake(futex, GRAND_CHILD_SETUP);
+ futex_wait_while_lt(futex, POST_RESTORE_CHECK);
+
+ return 0;
+}
+
+/* GrandChild switches to Child1 namespace and unshares */
+int grand_child(pid_t pid1)
+{
+ char path[PATH_MAX];
+ int fd = -1, ret;
+
+ futex_wait_while_lt(futex, GRAND_CHILD_PID_WRITTEN);
+
+ sprintf(path, "/proc/%d/ns/user", pid1);
+ fd = open(path, O_RDONLY);
+ if (fd < 0) {
+ pr_perror("open");
+ ret = 1;
+ goto err;
+ }
+
+ if (setns(fd, CLONE_NEWUSER) < 0) {
+ pr_perror("setns()");
+ ret = 2;
+ goto err;
+ }
+ close(fd);
+ fd = -1;
+
+ if (setuid(0) || setgid(0)) {
+ pr_perror("setxids");
+ ret = 3;
+ goto err;
+ }
+
+ if (unshare(CLONE_NEWUSER) < 0) {
+ pr_perror("unshare");
+ ret = 3;
+ goto err;
+ }
+
+ futex_set_and_wake(futex, GRAND_CHILD_CREATED);
+ futex_wait_while_lt(futex, POST_RESTORE_CHECK);
+
+ return 0;
+err:
+ futex_set_and_wake(futex, EMERGENCY_ABORT);
+ if (fd >= 0)
+ close(fd);
+ return ret;
+}
+
+/*
+ * Child2 remains in the namespace of the parent task,
+ * while its descendant GrandChild enters to Child1's
+ * namespace and unshares.
+ */
+int child2(pid_t pid1)
+{
+ int status, ret;
+ pid_t gc_pid;
+
+ gc_pid = fork();
+ if (gc_pid < 0) {
+ pr_perror("Can't fork");
+ ret = 1;
+ goto err;
+ } else if (gc_pid == 0)
+ exit(grand_child(pid1));
+
+ *grand_child_pid = gc_pid;
+ futex_set_and_wake(futex, GRAND_CHILD_PID_WRITTEN);
+ futex_wait_while_lt(futex, POST_RESTORE_CHECK);
+
+ if (wait(&status) != *grand_child_pid) {
+ pr_perror("Failed to wait grand child");
+ ret = 3;
+ goto err;
+ }
+
+ if (WEXITSTATUS(status)) {
+ pr_err("Grand child exited with %d\n", WEXITSTATUS(status));
+ ret = 4;
+ goto err;
+ }
+
+ return 0;
+err:
+ futex_set_and_wake(futex, EMERGENCY_ABORT);
+ if (*grand_child_pid > 0)
+ wait(&status);
+ return ret;
+}
+
+
+int main(int argc, char **argv)
+{
+ pid_t my_pid, pid1 = -1, pid2 = -1;
+ unsigned int ns_p, ns_c1, ns_c2;
+ int status;
+
+ test_init(argc, argv);
+ futex = mmap(NULL, sizeof(*futex) + sizeof(*grand_child_pid), PROT_WRITE | PROT_READ,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ grand_child_pid = (void *)futex + sizeof(*futex);
+ if (futex == MAP_FAILED) {
+ fail("mmap futex\n");
+ return 1;
+ }
+ futex_init(futex);
+ my_pid = getpid();
+
+ pid1 = fork();
+ if (pid1 == -1) {
+ fail("fork");
+ return 1;
+ } else if (pid1 == 0)
+ exit(child1());
+
+ futex_wait_while_lt(futex, CHILD1_CREATED);
+
+ if (write_map(pid1, "uid_map") < 0 ||
+ write_map(pid1, "gid_map") < 0) {
+ fail("write map");
+ goto err;
+ }
+
+ pid2 = fork();
+ if (pid2 == -1) {
+ fail("fork");
+ goto err;
+ } else if (pid2 == 0)
+ exit(child2(pid1));
+
+ futex_wait_while_lt(futex, GRAND_CHILD_SETUP);
+ test_daemon();
+ test_waitsig();
+
+ if (get_user_ns(my_pid, &ns_p) < 0 ||
+ get_user_ns(pid1, &ns_c1) < 0 ||
+ get_user_ns(pid2, &ns_c2) < 0) {
+ fail("Can't get user ns\n");
+ goto err;
+ }
+
+ if (ns_p == ns_c1 || ns_p != ns_c2) {
+ fail("ns_p=%u, ns_c1=%u, ns_c2=%u\n", ns_p, ns_c1, ns_c2);
+ goto err;
+ }
+
+ futex_set_and_wake(futex, POST_RESTORE_CHECK);
+
+ errno = 0;
+ if (waitpid(pid1, &status, 0) < 0 || WEXITSTATUS(status)) {
+ fail("pid1: status=%d\n", WEXITSTATUS(status));
+ goto err;
+ }
+
+ if (waitpid(pid2, &status, 0) < 0 || WEXITSTATUS(status)) {
+ fail("pid2: status=%d\n", WEXITSTATUS(status));
+ goto err;
+ }
+ pass();
+ return 0;
+err:
+ futex_set_and_wake(futex, EMERGENCY_ABORT);
+ if (pid1 > 0)
+ wait(&status);
+ if (pid2 > 0)
+ wait(&status);
+ return 1;
+}
diff --git a/test/zdtm/static/userns00.desc b/test/zdtm/static/userns00.desc
new file mode 100644
index 000000000..1f8bec515
--- /dev/null
+++ b/test/zdtm/static/userns00.desc
@@ -0,0 +1 @@
+{'flavor': 'uns', 'flags': 'suid noauto'}
More information about the CRIU
mailing list