1*5554d820SAleksa Sarai // SPDX-License-Identifier: GPL-2.0-or-later 2*5554d820SAleksa Sarai /* 3*5554d820SAleksa Sarai * Author: Aleksa Sarai <cyphar@cyphar.com> 4*5554d820SAleksa Sarai * Copyright (C) 2025 SUSE LLC. 5*5554d820SAleksa Sarai */ 6*5554d820SAleksa Sarai 7*5554d820SAleksa Sarai #include <assert.h> 8*5554d820SAleksa Sarai #include <errno.h> 9*5554d820SAleksa Sarai #include <sched.h> 10*5554d820SAleksa Sarai #include <stdbool.h> 11*5554d820SAleksa Sarai #include <stdlib.h> 12*5554d820SAleksa Sarai #include <string.h> 13*5554d820SAleksa Sarai #include <unistd.h> 14*5554d820SAleksa Sarai #include <stdio.h> 15*5554d820SAleksa Sarai #include <sys/mount.h> 16*5554d820SAleksa Sarai #include <sys/stat.h> 17*5554d820SAleksa Sarai #include <sys/prctl.h> 18*5554d820SAleksa Sarai 19*5554d820SAleksa Sarai #include "../kselftest_harness.h" 20*5554d820SAleksa Sarai 21*5554d820SAleksa Sarai #define ASSERT_ERRNO(expected, _t, seen) \ 22*5554d820SAleksa Sarai __EXPECT(expected, #expected, \ 23*5554d820SAleksa Sarai ({__typeof__(seen) _tmp_seen = (seen); \ 24*5554d820SAleksa Sarai _tmp_seen >= 0 ? _tmp_seen : -errno; }), #seen, _t, 1) 25*5554d820SAleksa Sarai 26*5554d820SAleksa Sarai #define ASSERT_ERRNO_EQ(expected, seen) \ 27*5554d820SAleksa Sarai ASSERT_ERRNO(expected, ==, seen) 28*5554d820SAleksa Sarai 29*5554d820SAleksa Sarai #define ASSERT_SUCCESS(seen) \ 30*5554d820SAleksa Sarai ASSERT_ERRNO(0, <=, seen) 31*5554d820SAleksa Sarai 32*5554d820SAleksa Sarai static int touch(char *path) 33*5554d820SAleksa Sarai { 34*5554d820SAleksa Sarai int fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC, 0644); 35*5554d820SAleksa Sarai if (fd < 0) 36*5554d820SAleksa Sarai return -1; 37*5554d820SAleksa Sarai return close(fd); 38*5554d820SAleksa Sarai } 39*5554d820SAleksa Sarai 40*5554d820SAleksa Sarai FIXTURE(ns) 41*5554d820SAleksa Sarai { 42*5554d820SAleksa Sarai int host_mntns, host_pidns; 43*5554d820SAleksa Sarai int dummy_pidns; 44*5554d820SAleksa Sarai }; 45*5554d820SAleksa Sarai 46*5554d820SAleksa Sarai FIXTURE_SETUP(ns) 47*5554d820SAleksa Sarai { 48*5554d820SAleksa Sarai /* Stash the old mntns. */ 49*5554d820SAleksa Sarai self->host_mntns = open("/proc/self/ns/mnt", O_RDONLY|O_CLOEXEC); 50*5554d820SAleksa Sarai ASSERT_SUCCESS(self->host_mntns); 51*5554d820SAleksa Sarai 52*5554d820SAleksa Sarai /* Create a new mount namespace and make it private. */ 53*5554d820SAleksa Sarai ASSERT_SUCCESS(unshare(CLONE_NEWNS)); 54*5554d820SAleksa Sarai ASSERT_SUCCESS(mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL)); 55*5554d820SAleksa Sarai 56*5554d820SAleksa Sarai /* 57*5554d820SAleksa Sarai * Create a proper tmpfs that we can use and will disappear once we 58*5554d820SAleksa Sarai * leave this mntns. 59*5554d820SAleksa Sarai */ 60*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("tmpfs", "/tmp", "tmpfs", 0, NULL)); 61*5554d820SAleksa Sarai 62*5554d820SAleksa Sarai /* 63*5554d820SAleksa Sarai * Create a pidns we can use for later tests. We need to fork off a 64*5554d820SAleksa Sarai * child so that we get a usable nsfd that we can bind-mount and open. 65*5554d820SAleksa Sarai */ 66*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/dummy", 0755)); 67*5554d820SAleksa Sarai ASSERT_SUCCESS(touch("/tmp/dummy/pidns")); 68*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/dummy/proc", 0755)); 69*5554d820SAleksa Sarai 70*5554d820SAleksa Sarai self->host_pidns = open("/proc/self/ns/pid", O_RDONLY|O_CLOEXEC); 71*5554d820SAleksa Sarai ASSERT_SUCCESS(self->host_pidns); 72*5554d820SAleksa Sarai ASSERT_SUCCESS(unshare(CLONE_NEWPID)); 73*5554d820SAleksa Sarai 74*5554d820SAleksa Sarai pid_t pid = fork(); 75*5554d820SAleksa Sarai ASSERT_SUCCESS(pid); 76*5554d820SAleksa Sarai if (!pid) { 77*5554d820SAleksa Sarai prctl(PR_SET_PDEATHSIG, SIGKILL); 78*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("/proc/self/ns/pid", "/tmp/dummy/pidns", NULL, MS_BIND, NULL)); 79*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("proc", "/tmp/dummy/proc", "proc", 0, NULL)); 80*5554d820SAleksa Sarai exit(0); 81*5554d820SAleksa Sarai } 82*5554d820SAleksa Sarai 83*5554d820SAleksa Sarai int wstatus; 84*5554d820SAleksa Sarai ASSERT_EQ(waitpid(pid, &wstatus, 0), pid); 85*5554d820SAleksa Sarai ASSERT_TRUE(WIFEXITED(wstatus)); 86*5554d820SAleksa Sarai ASSERT_EQ(WEXITSTATUS(wstatus), 0); 87*5554d820SAleksa Sarai 88*5554d820SAleksa Sarai ASSERT_SUCCESS(setns(self->host_pidns, CLONE_NEWPID)); 89*5554d820SAleksa Sarai 90*5554d820SAleksa Sarai self->dummy_pidns = open("/tmp/dummy/pidns", O_RDONLY|O_CLOEXEC); 91*5554d820SAleksa Sarai ASSERT_SUCCESS(self->dummy_pidns); 92*5554d820SAleksa Sarai } 93*5554d820SAleksa Sarai 94*5554d820SAleksa Sarai FIXTURE_TEARDOWN(ns) 95*5554d820SAleksa Sarai { 96*5554d820SAleksa Sarai ASSERT_SUCCESS(setns(self->host_mntns, CLONE_NEWNS)); 97*5554d820SAleksa Sarai ASSERT_SUCCESS(close(self->host_mntns)); 98*5554d820SAleksa Sarai 99*5554d820SAleksa Sarai ASSERT_SUCCESS(close(self->host_pidns)); 100*5554d820SAleksa Sarai ASSERT_SUCCESS(close(self->dummy_pidns)); 101*5554d820SAleksa Sarai } 102*5554d820SAleksa Sarai 103*5554d820SAleksa Sarai TEST_F(ns, pidns_mount_string_path) 104*5554d820SAleksa Sarai { 105*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/proc-host", 0755)); 106*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("proc", "/tmp/proc-host", "proc", 0, "pidns=/proc/self/ns/pid")); 107*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc-host/self/", X_OK)); 108*5554d820SAleksa Sarai 109*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/proc-dummy", 0755)); 110*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("proc", "/tmp/proc-dummy", "proc", 0, "pidns=/tmp/dummy/pidns")); 111*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, access("/tmp/proc-dummy/1/", X_OK)); 112*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, access("/tmp/proc-dummy/self/", X_OK)); 113*5554d820SAleksa Sarai } 114*5554d820SAleksa Sarai 115*5554d820SAleksa Sarai TEST_F(ns, pidns_fsconfig_string_path) 116*5554d820SAleksa Sarai { 117*5554d820SAleksa Sarai int fsfd = fsopen("proc", FSOPEN_CLOEXEC); 118*5554d820SAleksa Sarai ASSERT_SUCCESS(fsfd); 119*5554d820SAleksa Sarai 120*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_SET_STRING, "pidns", "/tmp/dummy/pidns", 0)); 121*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0)); 122*5554d820SAleksa Sarai 123*5554d820SAleksa Sarai int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0); 124*5554d820SAleksa Sarai ASSERT_SUCCESS(mountfd); 125*5554d820SAleksa Sarai 126*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "1/", X_OK, 0)); 127*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "self/", X_OK, 0)); 128*5554d820SAleksa Sarai 129*5554d820SAleksa Sarai ASSERT_SUCCESS(close(fsfd)); 130*5554d820SAleksa Sarai ASSERT_SUCCESS(close(mountfd)); 131*5554d820SAleksa Sarai } 132*5554d820SAleksa Sarai 133*5554d820SAleksa Sarai TEST_F(ns, pidns_fsconfig_fd) 134*5554d820SAleksa Sarai { 135*5554d820SAleksa Sarai int fsfd = fsopen("proc", FSOPEN_CLOEXEC); 136*5554d820SAleksa Sarai ASSERT_SUCCESS(fsfd); 137*5554d820SAleksa Sarai 138*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_SET_FD, "pidns", NULL, self->dummy_pidns)); 139*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0)); 140*5554d820SAleksa Sarai 141*5554d820SAleksa Sarai int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0); 142*5554d820SAleksa Sarai ASSERT_SUCCESS(mountfd); 143*5554d820SAleksa Sarai 144*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "1/", X_OK, 0)); 145*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "self/", X_OK, 0)); 146*5554d820SAleksa Sarai 147*5554d820SAleksa Sarai ASSERT_SUCCESS(close(fsfd)); 148*5554d820SAleksa Sarai ASSERT_SUCCESS(close(mountfd)); 149*5554d820SAleksa Sarai } 150*5554d820SAleksa Sarai 151*5554d820SAleksa Sarai TEST_F(ns, pidns_reconfigure_remount) 152*5554d820SAleksa Sarai { 153*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/proc", 0755)); 154*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("proc", "/tmp/proc", "proc", 0, "")); 155*5554d820SAleksa Sarai 156*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc/1/", X_OK)); 157*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc/self/", X_OK)); 158*5554d820SAleksa Sarai 159*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-EBUSY, mount(NULL, "/tmp/proc", NULL, MS_REMOUNT, "pidns=/tmp/dummy/pidns")); 160*5554d820SAleksa Sarai 161*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc/1/", X_OK)); 162*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc/self/", X_OK)); 163*5554d820SAleksa Sarai } 164*5554d820SAleksa Sarai 165*5554d820SAleksa Sarai TEST_F(ns, pidns_reconfigure_fsconfig_string_path) 166*5554d820SAleksa Sarai { 167*5554d820SAleksa Sarai int fsfd = fsopen("proc", FSOPEN_CLOEXEC); 168*5554d820SAleksa Sarai ASSERT_SUCCESS(fsfd); 169*5554d820SAleksa Sarai 170*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0)); 171*5554d820SAleksa Sarai 172*5554d820SAleksa Sarai int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0); 173*5554d820SAleksa Sarai ASSERT_SUCCESS(mountfd); 174*5554d820SAleksa Sarai 175*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0)); 176*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0)); 177*5554d820SAleksa Sarai 178*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-EBUSY, fsconfig(fsfd, FSCONFIG_SET_STRING, "pidns", "/tmp/dummy/pidns", 0)); 179*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0)); /* noop */ 180*5554d820SAleksa Sarai 181*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0)); 182*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0)); 183*5554d820SAleksa Sarai 184*5554d820SAleksa Sarai ASSERT_SUCCESS(close(fsfd)); 185*5554d820SAleksa Sarai ASSERT_SUCCESS(close(mountfd)); 186*5554d820SAleksa Sarai } 187*5554d820SAleksa Sarai 188*5554d820SAleksa Sarai TEST_F(ns, pidns_reconfigure_fsconfig_fd) 189*5554d820SAleksa Sarai { 190*5554d820SAleksa Sarai int fsfd = fsopen("proc", FSOPEN_CLOEXEC); 191*5554d820SAleksa Sarai ASSERT_SUCCESS(fsfd); 192*5554d820SAleksa Sarai 193*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0)); 194*5554d820SAleksa Sarai 195*5554d820SAleksa Sarai int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0); 196*5554d820SAleksa Sarai ASSERT_SUCCESS(mountfd); 197*5554d820SAleksa Sarai 198*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0)); 199*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0)); 200*5554d820SAleksa Sarai 201*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-EBUSY, fsconfig(fsfd, FSCONFIG_SET_FD, "pidns", NULL, self->dummy_pidns)); 202*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0)); /* noop */ 203*5554d820SAleksa Sarai 204*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0)); 205*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0)); 206*5554d820SAleksa Sarai 207*5554d820SAleksa Sarai ASSERT_SUCCESS(close(fsfd)); 208*5554d820SAleksa Sarai ASSERT_SUCCESS(close(mountfd)); 209*5554d820SAleksa Sarai } 210*5554d820SAleksa Sarai 211*5554d820SAleksa Sarai TEST_HARNESS_MAIN 212