1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Author: Aleksa Sarai <cyphar@cyphar.com>
4 * Copyright (C) 2025 SUSE LLC.
5 */
6
7 #include <assert.h>
8 #include <errno.h>
9 #include <sched.h>
10 #include <stdbool.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <unistd.h>
14 #include <stdio.h>
15 #include <sys/mount.h>
16 #include <sys/stat.h>
17 #include <sys/prctl.h>
18
19 #include "../kselftest_harness.h"
20
21 #define ASSERT_ERRNO(expected, _t, seen) \
22 __EXPECT(expected, #expected, \
23 ({__typeof__(seen) _tmp_seen = (seen); \
24 _tmp_seen >= 0 ? _tmp_seen : -errno; }), #seen, _t, 1)
25
26 #define ASSERT_ERRNO_EQ(expected, seen) \
27 ASSERT_ERRNO(expected, ==, seen)
28
29 #define ASSERT_SUCCESS(seen) \
30 ASSERT_ERRNO(0, <=, seen)
31
touch(char * path)32 static int touch(char *path)
33 {
34 int fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC, 0644);
35 if (fd < 0)
36 return -1;
37 return close(fd);
38 }
39
FIXTURE(ns)40 FIXTURE(ns)
41 {
42 int host_mntns, host_pidns;
43 int dummy_pidns;
44 };
45
FIXTURE_SETUP(ns)46 FIXTURE_SETUP(ns)
47 {
48 /* Stash the old mntns. */
49 self->host_mntns = open("/proc/self/ns/mnt", O_RDONLY|O_CLOEXEC);
50 ASSERT_SUCCESS(self->host_mntns);
51
52 /* Create a new mount namespace and make it private. */
53 ASSERT_SUCCESS(unshare(CLONE_NEWNS));
54 ASSERT_SUCCESS(mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL));
55
56 /*
57 * Create a proper tmpfs that we can use and will disappear once we
58 * leave this mntns.
59 */
60 ASSERT_SUCCESS(mount("tmpfs", "/tmp", "tmpfs", 0, NULL));
61
62 /*
63 * Create a pidns we can use for later tests. We need to fork off a
64 * child so that we get a usable nsfd that we can bind-mount and open.
65 */
66 ASSERT_SUCCESS(mkdir("/tmp/dummy", 0755));
67 ASSERT_SUCCESS(touch("/tmp/dummy/pidns"));
68 ASSERT_SUCCESS(mkdir("/tmp/dummy/proc", 0755));
69
70 self->host_pidns = open("/proc/self/ns/pid", O_RDONLY|O_CLOEXEC);
71 ASSERT_SUCCESS(self->host_pidns);
72 ASSERT_SUCCESS(unshare(CLONE_NEWPID));
73
74 pid_t pid = fork();
75 ASSERT_SUCCESS(pid);
76 if (!pid) {
77 prctl(PR_SET_PDEATHSIG, SIGKILL);
78 ASSERT_SUCCESS(mount("/proc/self/ns/pid", "/tmp/dummy/pidns", NULL, MS_BIND, NULL));
79 ASSERT_SUCCESS(mount("proc", "/tmp/dummy/proc", "proc", 0, NULL));
80 exit(0);
81 }
82
83 int wstatus;
84 ASSERT_EQ(waitpid(pid, &wstatus, 0), pid);
85 ASSERT_TRUE(WIFEXITED(wstatus));
86 ASSERT_EQ(WEXITSTATUS(wstatus), 0);
87
88 ASSERT_SUCCESS(setns(self->host_pidns, CLONE_NEWPID));
89
90 self->dummy_pidns = open("/tmp/dummy/pidns", O_RDONLY|O_CLOEXEC);
91 ASSERT_SUCCESS(self->dummy_pidns);
92 }
93
FIXTURE_TEARDOWN(ns)94 FIXTURE_TEARDOWN(ns)
95 {
96 ASSERT_SUCCESS(setns(self->host_mntns, CLONE_NEWNS));
97 ASSERT_SUCCESS(close(self->host_mntns));
98
99 ASSERT_SUCCESS(close(self->host_pidns));
100 ASSERT_SUCCESS(close(self->dummy_pidns));
101 }
102
TEST_F(ns,pidns_mount_string_path)103 TEST_F(ns, pidns_mount_string_path)
104 {
105 ASSERT_SUCCESS(mkdir("/tmp/proc-host", 0755));
106 ASSERT_SUCCESS(mount("proc", "/tmp/proc-host", "proc", 0, "pidns=/proc/self/ns/pid"));
107 ASSERT_SUCCESS(access("/tmp/proc-host/self/", X_OK));
108
109 ASSERT_SUCCESS(mkdir("/tmp/proc-dummy", 0755));
110 ASSERT_SUCCESS(mount("proc", "/tmp/proc-dummy", "proc", 0, "pidns=/tmp/dummy/pidns"));
111 ASSERT_ERRNO_EQ(-ENOENT, access("/tmp/proc-dummy/1/", X_OK));
112 ASSERT_ERRNO_EQ(-ENOENT, access("/tmp/proc-dummy/self/", X_OK));
113 }
114
TEST_F(ns,pidns_fsconfig_string_path)115 TEST_F(ns, pidns_fsconfig_string_path)
116 {
117 int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
118 ASSERT_SUCCESS(fsfd);
119
120 ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_SET_STRING, "pidns", "/tmp/dummy/pidns", 0));
121 ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
122
123 int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
124 ASSERT_SUCCESS(mountfd);
125
126 ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "1/", X_OK, 0));
127 ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "self/", X_OK, 0));
128
129 ASSERT_SUCCESS(close(fsfd));
130 ASSERT_SUCCESS(close(mountfd));
131 }
132
TEST_F(ns,pidns_fsconfig_fd)133 TEST_F(ns, pidns_fsconfig_fd)
134 {
135 int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
136 ASSERT_SUCCESS(fsfd);
137
138 ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_SET_FD, "pidns", NULL, self->dummy_pidns));
139 ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
140
141 int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
142 ASSERT_SUCCESS(mountfd);
143
144 ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "1/", X_OK, 0));
145 ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "self/", X_OK, 0));
146
147 ASSERT_SUCCESS(close(fsfd));
148 ASSERT_SUCCESS(close(mountfd));
149 }
150
TEST_F(ns,pidns_reconfigure_remount)151 TEST_F(ns, pidns_reconfigure_remount)
152 {
153 ASSERT_SUCCESS(mkdir("/tmp/proc", 0755));
154 ASSERT_SUCCESS(mount("proc", "/tmp/proc", "proc", 0, ""));
155
156 ASSERT_SUCCESS(access("/tmp/proc/1/", X_OK));
157 ASSERT_SUCCESS(access("/tmp/proc/self/", X_OK));
158
159 ASSERT_ERRNO_EQ(-EBUSY, mount(NULL, "/tmp/proc", NULL, MS_REMOUNT, "pidns=/tmp/dummy/pidns"));
160
161 ASSERT_SUCCESS(access("/tmp/proc/1/", X_OK));
162 ASSERT_SUCCESS(access("/tmp/proc/self/", X_OK));
163 }
164
TEST_F(ns,pidns_reconfigure_fsconfig_string_path)165 TEST_F(ns, pidns_reconfigure_fsconfig_string_path)
166 {
167 int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
168 ASSERT_SUCCESS(fsfd);
169
170 ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
171
172 int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
173 ASSERT_SUCCESS(mountfd);
174
175 ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
176 ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
177
178 ASSERT_ERRNO_EQ(-EBUSY, fsconfig(fsfd, FSCONFIG_SET_STRING, "pidns", "/tmp/dummy/pidns", 0));
179 ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0)); /* noop */
180
181 ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
182 ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
183
184 ASSERT_SUCCESS(close(fsfd));
185 ASSERT_SUCCESS(close(mountfd));
186 }
187
TEST_F(ns,pidns_reconfigure_fsconfig_fd)188 TEST_F(ns, pidns_reconfigure_fsconfig_fd)
189 {
190 int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
191 ASSERT_SUCCESS(fsfd);
192
193 ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
194
195 int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
196 ASSERT_SUCCESS(mountfd);
197
198 ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
199 ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
200
201 ASSERT_ERRNO_EQ(-EBUSY, fsconfig(fsfd, FSCONFIG_SET_FD, "pidns", NULL, self->dummy_pidns));
202 ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0)); /* noop */
203
204 ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
205 ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
206
207 ASSERT_SUCCESS(close(fsfd));
208 ASSERT_SUCCESS(close(mountfd));
209 }
210
211 TEST_HARNESS_MAIN
212