[CRIU] ZDTM 'uns' Test for Privileged Operations

Abhishek Vijeev abhishek.vijeev at gmail.com
Tue Sep 8 18:41:26 MSK 2020


Thank you very much.

On Tue, Sep 8, 2020 at 9:08 PM Andrei Vagin <avagin at gmail.com> wrote:
>
> On Sun, Sep 06, 2020 at 06:45:46PM +0530, Abhishek Vijeev wrote:
> > Hi,
> >
> > I have a question about the ZDTM test suite.
> >
> > I have a test that invokes bpf_map_freeze(). Since this is a
> > privileged operation, I have set the SUID flag in ${test_name}.desc.
> > Test flavours 'h' and 'ns' pass. However, the user namespace test
> > fails with 'Operation not permitted'.
> >
> > The code change only involves adding the following lines to the
> > bpf_array test(https://github.com/checkpoint-restore/criu/blob/criu-dev/test/zdtm/static/bpf_array.c#L97):
> >
> > ret = bpf_map_freeze(map_fd);
> > if (ret) {
> >     pr_perror("Could not freeze map");
> >     goto err;
> > }
> >
> > According to my understanding, the 'uns' flavour executes my test
> > program in a new user namespace, which has an effective UID of 0
> > within this namespace (along with all capabilities). Shouldn't it
> > therefore be able to invoke a privileged system call from within the
> > new user namespace?
>
> BPF_MAP_FREEZE requires the global (root-userns) CAP_SYS_ADMIN or CAP_BPF:
>
> https://github.com/torvalds/linux/blob/master/kernel/bpf/syscall.c#L1554
> https://github.com/torvalds/linux/blob/master/include/linux/capability.h#L261
>
> so BPF_MAP_FREEZE can't be used from non-root user namespaces.
>
> >
> > Am I missing something? Is there any way by which I can get this to
> > work? If not, would it be acceptable to skip the 'uns' test by setting
> > bpf_array.desc to: {'flavour': 'h ns', 'flags': 'suid}?
>
> Yes, it is acceptable.
>
> >
> > Thank you,
> > Abhishek Vijeev.
> > _______________________________________________
> > CRIU mailing list
> > CRIU at openvz.org
> > https://lists.openvz.org/mailman/listinfo/criu


More information about the CRIU mailing list