1f08c3bdfSopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 2f08c3bdfSopenharmony_ci/* 3f08c3bdfSopenharmony_ci * Copyright (c) Huawei Technologies Co., Ltd., 2015 4f08c3bdfSopenharmony_ci * Copyright (C) 2022 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com> 5f08c3bdfSopenharmony_ci */ 6f08c3bdfSopenharmony_ci 7f08c3bdfSopenharmony_ci/*\ 8f08c3bdfSopenharmony_ci * [Description] 9f08c3bdfSopenharmony_ci * 10f08c3bdfSopenharmony_ci * Verify that if a namespace isn't another namespace's ancestor, the process in 11f08c3bdfSopenharmony_ci * first namespace does not have the CAP_SYS_ADMIN capability in the second 12f08c3bdfSopenharmony_ci * namespace and the setns() call fails. 13f08c3bdfSopenharmony_ci */ 14f08c3bdfSopenharmony_ci 15f08c3bdfSopenharmony_ci#define _GNU_SOURCE 16f08c3bdfSopenharmony_ci 17f08c3bdfSopenharmony_ci#include <stdio.h> 18f08c3bdfSopenharmony_ci#include "tst_test.h" 19f08c3bdfSopenharmony_ci#include "lapi/sched.h" 20f08c3bdfSopenharmony_ci 21f08c3bdfSopenharmony_cistatic void child_fn1(void) 22f08c3bdfSopenharmony_ci{ 23f08c3bdfSopenharmony_ci TST_CHECKPOINT_WAIT(0); 24f08c3bdfSopenharmony_ci} 25f08c3bdfSopenharmony_ci 26f08c3bdfSopenharmony_cistatic void child_fn2(int fd) 27f08c3bdfSopenharmony_ci{ 28f08c3bdfSopenharmony_ci TST_EXP_FAIL(setns(fd, CLONE_NEWUSER), EPERM); 29f08c3bdfSopenharmony_ci TST_CHECKPOINT_WAIT(1); 30f08c3bdfSopenharmony_ci} 31f08c3bdfSopenharmony_ci 32f08c3bdfSopenharmony_cistatic void run(void) 33f08c3bdfSopenharmony_ci{ 34f08c3bdfSopenharmony_ci const struct tst_clone_args args = { 35f08c3bdfSopenharmony_ci .flags = CLONE_NEWUSER, 36f08c3bdfSopenharmony_ci .exit_signal = SIGCHLD, 37f08c3bdfSopenharmony_ci }; 38f08c3bdfSopenharmony_ci pid_t cpid1, cpid2, cpid3; 39f08c3bdfSopenharmony_ci char path[BUFSIZ]; 40f08c3bdfSopenharmony_ci int fd; 41f08c3bdfSopenharmony_ci 42f08c3bdfSopenharmony_ci cpid1 = SAFE_CLONE(&args); 43f08c3bdfSopenharmony_ci if (!cpid1) { 44f08c3bdfSopenharmony_ci child_fn1(); 45f08c3bdfSopenharmony_ci return; 46f08c3bdfSopenharmony_ci } 47f08c3bdfSopenharmony_ci 48f08c3bdfSopenharmony_ci sprintf(path, "/proc/%d/ns/user", cpid1); 49f08c3bdfSopenharmony_ci 50f08c3bdfSopenharmony_ci fd = SAFE_OPEN(path, O_RDONLY, 0644); 51f08c3bdfSopenharmony_ci 52f08c3bdfSopenharmony_ci cpid2 = SAFE_CLONE(&args); 53f08c3bdfSopenharmony_ci if (!cpid2) { 54f08c3bdfSopenharmony_ci child_fn2(fd); 55f08c3bdfSopenharmony_ci return; 56f08c3bdfSopenharmony_ci } 57f08c3bdfSopenharmony_ci 58f08c3bdfSopenharmony_ci cpid3 = SAFE_FORK(); 59f08c3bdfSopenharmony_ci if (!cpid3) { 60f08c3bdfSopenharmony_ci TST_EXP_PASS(setns(fd, CLONE_NEWUSER)); 61f08c3bdfSopenharmony_ci return; 62f08c3bdfSopenharmony_ci } 63f08c3bdfSopenharmony_ci 64f08c3bdfSopenharmony_ci TST_CHECKPOINT_WAKE(0); 65f08c3bdfSopenharmony_ci TST_CHECKPOINT_WAKE(1); 66f08c3bdfSopenharmony_ci 67f08c3bdfSopenharmony_ci SAFE_CLOSE(fd); 68f08c3bdfSopenharmony_ci} 69f08c3bdfSopenharmony_ci 70f08c3bdfSopenharmony_cistatic struct tst_test test = { 71f08c3bdfSopenharmony_ci .test_all = run, 72f08c3bdfSopenharmony_ci .needs_root = 1, 73f08c3bdfSopenharmony_ci .forks_child = 1, 74f08c3bdfSopenharmony_ci .needs_checkpoints = 1, 75f08c3bdfSopenharmony_ci .needs_kconfigs = (const char *[]) { 76f08c3bdfSopenharmony_ci "CONFIG_USER_NS", 77f08c3bdfSopenharmony_ci NULL, 78f08c3bdfSopenharmony_ci }, 79f08c3bdfSopenharmony_ci}; 80