[CRIU] ZDTM 'uns' Test for Privileged Operations
Andrei Vagin
avagin at gmail.com
Tue Sep 8 18:38:55 MSK 2020
On Sun, Sep 06, 2020 at 06:45:46PM +0530, Abhishek Vijeev wrote:
> Hi,
>
> I have a question about the ZDTM test suite.
>
> I have a test that invokes bpf_map_freeze(). Since this is a
> privileged operation, I have set the SUID flag in ${test_name}.desc.
> Test flavours 'h' and 'ns' pass. However, the user namespace test
> fails with 'Operation not permitted'.
>
> The code change only involves adding the following lines to the
> bpf_array test(https://github.com/checkpoint-restore/criu/blob/criu-dev/test/zdtm/static/bpf_array.c#L97):
>
> ret = bpf_map_freeze(map_fd);
> if (ret) {
> pr_perror("Could not freeze map");
> goto err;
> }
>
> According to my understanding, the 'uns' flavour executes my test
> program in a new user namespace, which has an effective UID of 0
> within this namespace (along with all capabilities). Shouldn't it
> therefore be able to invoke a privileged system call from within the
> new user namespace?
BPF_MAP_FREEZE requires the global (root-userns) CAP_SYS_ADMIN or CAP_BPF:
https://github.com/torvalds/linux/blob/master/kernel/bpf/syscall.c#L1554
https://github.com/torvalds/linux/blob/master/include/linux/capability.h#L261
so BPF_MAP_FREEZE can't be used from non-root user namespaces.
>
> Am I missing something? Is there any way by which I can get this to
> work? If not, would it be acceptable to skip the 'uns' test by setting
> bpf_array.desc to: {'flavour': 'h ns', 'flags': 'suid}?
Yes, it is acceptable.
>
> Thank you,
> Abhishek Vijeev.
> _______________________________________________
> CRIU mailing list
> CRIU at openvz.org
> https://lists.openvz.org/mailman/listinfo/criu
More information about the CRIU
mailing list