proc-pidns.c 5.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * Author: Aleksa Sarai <cyphar@cyphar.com>
  4. * Copyright (C) 2025 SUSE LLC.
  5. */
  6. #include <assert.h>
  7. #include <errno.h>
  8. #include <sched.h>
  9. #include <stdbool.h>
  10. #include <stdlib.h>
  11. #include <string.h>
  12. #include <unistd.h>
  13. #include <stdio.h>
  14. #include <sys/mount.h>
  15. #include <sys/stat.h>
  16. #include <sys/prctl.h>
  17. #include "kselftest_harness.h"
  18. #define ASSERT_ERRNO(expected, _t, seen) \
  19. __EXPECT(expected, #expected, \
  20. ({__typeof__(seen) _tmp_seen = (seen); \
  21. _tmp_seen >= 0 ? _tmp_seen : -errno; }), #seen, _t, 1)
  22. #define ASSERT_ERRNO_EQ(expected, seen) \
  23. ASSERT_ERRNO(expected, ==, seen)
  24. #define ASSERT_SUCCESS(seen) \
  25. ASSERT_ERRNO(0, <=, seen)
  26. static int touch(char *path)
  27. {
  28. int fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC, 0644);
  29. if (fd < 0)
  30. return -1;
  31. return close(fd);
  32. }
  33. FIXTURE(ns)
  34. {
  35. int host_mntns, host_pidns;
  36. int dummy_pidns;
  37. };
  38. FIXTURE_SETUP(ns)
  39. {
  40. /* Stash the old mntns. */
  41. self->host_mntns = open("/proc/self/ns/mnt", O_RDONLY|O_CLOEXEC);
  42. ASSERT_SUCCESS(self->host_mntns);
  43. /* Create a new mount namespace and make it private. */
  44. ASSERT_SUCCESS(unshare(CLONE_NEWNS));
  45. ASSERT_SUCCESS(mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL));
  46. /*
  47. * Create a proper tmpfs that we can use and will disappear once we
  48. * leave this mntns.
  49. */
  50. ASSERT_SUCCESS(mount("tmpfs", "/tmp", "tmpfs", 0, NULL));
  51. /*
  52. * Create a pidns we can use for later tests. We need to fork off a
  53. * child so that we get a usable nsfd that we can bind-mount and open.
  54. */
  55. ASSERT_SUCCESS(mkdir("/tmp/dummy", 0755));
  56. ASSERT_SUCCESS(touch("/tmp/dummy/pidns"));
  57. ASSERT_SUCCESS(mkdir("/tmp/dummy/proc", 0755));
  58. self->host_pidns = open("/proc/self/ns/pid", O_RDONLY|O_CLOEXEC);
  59. ASSERT_SUCCESS(self->host_pidns);
  60. ASSERT_SUCCESS(unshare(CLONE_NEWPID));
  61. pid_t pid = fork();
  62. ASSERT_SUCCESS(pid);
  63. if (!pid) {
  64. prctl(PR_SET_PDEATHSIG, SIGKILL);
  65. ASSERT_SUCCESS(mount("/proc/self/ns/pid", "/tmp/dummy/pidns", NULL, MS_BIND, NULL));
  66. ASSERT_SUCCESS(mount("proc", "/tmp/dummy/proc", "proc", 0, NULL));
  67. exit(0);
  68. }
  69. int wstatus;
  70. ASSERT_EQ(waitpid(pid, &wstatus, 0), pid);
  71. ASSERT_TRUE(WIFEXITED(wstatus));
  72. ASSERT_EQ(WEXITSTATUS(wstatus), 0);
  73. ASSERT_SUCCESS(setns(self->host_pidns, CLONE_NEWPID));
  74. self->dummy_pidns = open("/tmp/dummy/pidns", O_RDONLY|O_CLOEXEC);
  75. ASSERT_SUCCESS(self->dummy_pidns);
  76. }
  77. FIXTURE_TEARDOWN(ns)
  78. {
  79. ASSERT_SUCCESS(setns(self->host_mntns, CLONE_NEWNS));
  80. ASSERT_SUCCESS(close(self->host_mntns));
  81. ASSERT_SUCCESS(close(self->host_pidns));
  82. ASSERT_SUCCESS(close(self->dummy_pidns));
  83. }
  84. TEST_F(ns, pidns_mount_string_path)
  85. {
  86. ASSERT_SUCCESS(mkdir("/tmp/proc-host", 0755));
  87. ASSERT_SUCCESS(mount("proc", "/tmp/proc-host", "proc", 0, "pidns=/proc/self/ns/pid"));
  88. ASSERT_SUCCESS(access("/tmp/proc-host/self/", X_OK));
  89. ASSERT_SUCCESS(mkdir("/tmp/proc-dummy", 0755));
  90. ASSERT_SUCCESS(mount("proc", "/tmp/proc-dummy", "proc", 0, "pidns=/tmp/dummy/pidns"));
  91. ASSERT_ERRNO_EQ(-ENOENT, access("/tmp/proc-dummy/1/", X_OK));
  92. ASSERT_ERRNO_EQ(-ENOENT, access("/tmp/proc-dummy/self/", X_OK));
  93. }
  94. TEST_F(ns, pidns_fsconfig_string_path)
  95. {
  96. int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
  97. ASSERT_SUCCESS(fsfd);
  98. ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_SET_STRING, "pidns", "/tmp/dummy/pidns", 0));
  99. ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
  100. int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
  101. ASSERT_SUCCESS(mountfd);
  102. ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "1/", X_OK, 0));
  103. ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "self/", X_OK, 0));
  104. ASSERT_SUCCESS(close(fsfd));
  105. ASSERT_SUCCESS(close(mountfd));
  106. }
  107. TEST_F(ns, pidns_fsconfig_fd)
  108. {
  109. int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
  110. ASSERT_SUCCESS(fsfd);
  111. ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_SET_FD, "pidns", NULL, self->dummy_pidns));
  112. ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
  113. int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
  114. ASSERT_SUCCESS(mountfd);
  115. ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "1/", X_OK, 0));
  116. ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "self/", X_OK, 0));
  117. ASSERT_SUCCESS(close(fsfd));
  118. ASSERT_SUCCESS(close(mountfd));
  119. }
  120. TEST_F(ns, pidns_reconfigure_remount)
  121. {
  122. ASSERT_SUCCESS(mkdir("/tmp/proc", 0755));
  123. ASSERT_SUCCESS(mount("proc", "/tmp/proc", "proc", 0, ""));
  124. ASSERT_SUCCESS(access("/tmp/proc/1/", X_OK));
  125. ASSERT_SUCCESS(access("/tmp/proc/self/", X_OK));
  126. ASSERT_ERRNO_EQ(-EBUSY, mount(NULL, "/tmp/proc", NULL, MS_REMOUNT, "pidns=/tmp/dummy/pidns"));
  127. ASSERT_SUCCESS(access("/tmp/proc/1/", X_OK));
  128. ASSERT_SUCCESS(access("/tmp/proc/self/", X_OK));
  129. }
  130. TEST_F(ns, pidns_reconfigure_fsconfig_string_path)
  131. {
  132. int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
  133. ASSERT_SUCCESS(fsfd);
  134. ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
  135. int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
  136. ASSERT_SUCCESS(mountfd);
  137. ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
  138. ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
  139. ASSERT_ERRNO_EQ(-EBUSY, fsconfig(fsfd, FSCONFIG_SET_STRING, "pidns", "/tmp/dummy/pidns", 0));
  140. ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0)); /* noop */
  141. ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
  142. ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
  143. ASSERT_SUCCESS(close(fsfd));
  144. ASSERT_SUCCESS(close(mountfd));
  145. }
  146. TEST_F(ns, pidns_reconfigure_fsconfig_fd)
  147. {
  148. int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
  149. ASSERT_SUCCESS(fsfd);
  150. ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
  151. int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
  152. ASSERT_SUCCESS(mountfd);
  153. ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
  154. ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
  155. ASSERT_ERRNO_EQ(-EBUSY, fsconfig(fsfd, FSCONFIG_SET_FD, "pidns", NULL, self->dummy_pidns));
  156. ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0)); /* noop */
  157. ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
  158. ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
  159. ASSERT_SUCCESS(close(fsfd));
  160. ASSERT_SUCCESS(close(mountfd));
  161. }
  162. TEST_HARNESS_MAIN