1*5554d820SAleksa Sarai // SPDX-License-Identifier: GPL-2.0-or-later
2*5554d820SAleksa Sarai /*
3*5554d820SAleksa Sarai * Author: Aleksa Sarai <cyphar@cyphar.com>
4*5554d820SAleksa Sarai * Copyright (C) 2025 SUSE LLC.
5*5554d820SAleksa Sarai */
6*5554d820SAleksa Sarai
7*5554d820SAleksa Sarai #include <assert.h>
8*5554d820SAleksa Sarai #include <errno.h>
9*5554d820SAleksa Sarai #include <sched.h>
10*5554d820SAleksa Sarai #include <stdbool.h>
11*5554d820SAleksa Sarai #include <stdlib.h>
12*5554d820SAleksa Sarai #include <string.h>
13*5554d820SAleksa Sarai #include <unistd.h>
14*5554d820SAleksa Sarai #include <stdio.h>
15*5554d820SAleksa Sarai #include <sys/mount.h>
16*5554d820SAleksa Sarai #include <sys/stat.h>
17*5554d820SAleksa Sarai #include <sys/prctl.h>
18*5554d820SAleksa Sarai
19*5554d820SAleksa Sarai #include "../kselftest_harness.h"
20*5554d820SAleksa Sarai
21*5554d820SAleksa Sarai #define ASSERT_ERRNO(expected, _t, seen) \
22*5554d820SAleksa Sarai __EXPECT(expected, #expected, \
23*5554d820SAleksa Sarai ({__typeof__(seen) _tmp_seen = (seen); \
24*5554d820SAleksa Sarai _tmp_seen >= 0 ? _tmp_seen : -errno; }), #seen, _t, 1)
25*5554d820SAleksa Sarai
26*5554d820SAleksa Sarai #define ASSERT_ERRNO_EQ(expected, seen) \
27*5554d820SAleksa Sarai ASSERT_ERRNO(expected, ==, seen)
28*5554d820SAleksa Sarai
29*5554d820SAleksa Sarai #define ASSERT_SUCCESS(seen) \
30*5554d820SAleksa Sarai ASSERT_ERRNO(0, <=, seen)
31*5554d820SAleksa Sarai
touch(char * path)32*5554d820SAleksa Sarai static int touch(char *path)
33*5554d820SAleksa Sarai {
34*5554d820SAleksa Sarai int fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC, 0644);
35*5554d820SAleksa Sarai if (fd < 0)
36*5554d820SAleksa Sarai return -1;
37*5554d820SAleksa Sarai return close(fd);
38*5554d820SAleksa Sarai }
39*5554d820SAleksa Sarai
FIXTURE(ns)40*5554d820SAleksa Sarai FIXTURE(ns)
41*5554d820SAleksa Sarai {
42*5554d820SAleksa Sarai int host_mntns, host_pidns;
43*5554d820SAleksa Sarai int dummy_pidns;
44*5554d820SAleksa Sarai };
45*5554d820SAleksa Sarai
FIXTURE_SETUP(ns)46*5554d820SAleksa Sarai FIXTURE_SETUP(ns)
47*5554d820SAleksa Sarai {
48*5554d820SAleksa Sarai /* Stash the old mntns. */
49*5554d820SAleksa Sarai self->host_mntns = open("/proc/self/ns/mnt", O_RDONLY|O_CLOEXEC);
50*5554d820SAleksa Sarai ASSERT_SUCCESS(self->host_mntns);
51*5554d820SAleksa Sarai
52*5554d820SAleksa Sarai /* Create a new mount namespace and make it private. */
53*5554d820SAleksa Sarai ASSERT_SUCCESS(unshare(CLONE_NEWNS));
54*5554d820SAleksa Sarai ASSERT_SUCCESS(mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL));
55*5554d820SAleksa Sarai
56*5554d820SAleksa Sarai /*
57*5554d820SAleksa Sarai * Create a proper tmpfs that we can use and will disappear once we
58*5554d820SAleksa Sarai * leave this mntns.
59*5554d820SAleksa Sarai */
60*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("tmpfs", "/tmp", "tmpfs", 0, NULL));
61*5554d820SAleksa Sarai
62*5554d820SAleksa Sarai /*
63*5554d820SAleksa Sarai * Create a pidns we can use for later tests. We need to fork off a
64*5554d820SAleksa Sarai * child so that we get a usable nsfd that we can bind-mount and open.
65*5554d820SAleksa Sarai */
66*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/dummy", 0755));
67*5554d820SAleksa Sarai ASSERT_SUCCESS(touch("/tmp/dummy/pidns"));
68*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/dummy/proc", 0755));
69*5554d820SAleksa Sarai
70*5554d820SAleksa Sarai self->host_pidns = open("/proc/self/ns/pid", O_RDONLY|O_CLOEXEC);
71*5554d820SAleksa Sarai ASSERT_SUCCESS(self->host_pidns);
72*5554d820SAleksa Sarai ASSERT_SUCCESS(unshare(CLONE_NEWPID));
73*5554d820SAleksa Sarai
74*5554d820SAleksa Sarai pid_t pid = fork();
75*5554d820SAleksa Sarai ASSERT_SUCCESS(pid);
76*5554d820SAleksa Sarai if (!pid) {
77*5554d820SAleksa Sarai prctl(PR_SET_PDEATHSIG, SIGKILL);
78*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("/proc/self/ns/pid", "/tmp/dummy/pidns", NULL, MS_BIND, NULL));
79*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("proc", "/tmp/dummy/proc", "proc", 0, NULL));
80*5554d820SAleksa Sarai exit(0);
81*5554d820SAleksa Sarai }
82*5554d820SAleksa Sarai
83*5554d820SAleksa Sarai int wstatus;
84*5554d820SAleksa Sarai ASSERT_EQ(waitpid(pid, &wstatus, 0), pid);
85*5554d820SAleksa Sarai ASSERT_TRUE(WIFEXITED(wstatus));
86*5554d820SAleksa Sarai ASSERT_EQ(WEXITSTATUS(wstatus), 0);
87*5554d820SAleksa Sarai
88*5554d820SAleksa Sarai ASSERT_SUCCESS(setns(self->host_pidns, CLONE_NEWPID));
89*5554d820SAleksa Sarai
90*5554d820SAleksa Sarai self->dummy_pidns = open("/tmp/dummy/pidns", O_RDONLY|O_CLOEXEC);
91*5554d820SAleksa Sarai ASSERT_SUCCESS(self->dummy_pidns);
92*5554d820SAleksa Sarai }
93*5554d820SAleksa Sarai
FIXTURE_TEARDOWN(ns)94*5554d820SAleksa Sarai FIXTURE_TEARDOWN(ns)
95*5554d820SAleksa Sarai {
96*5554d820SAleksa Sarai ASSERT_SUCCESS(setns(self->host_mntns, CLONE_NEWNS));
97*5554d820SAleksa Sarai ASSERT_SUCCESS(close(self->host_mntns));
98*5554d820SAleksa Sarai
99*5554d820SAleksa Sarai ASSERT_SUCCESS(close(self->host_pidns));
100*5554d820SAleksa Sarai ASSERT_SUCCESS(close(self->dummy_pidns));
101*5554d820SAleksa Sarai }
102*5554d820SAleksa Sarai
TEST_F(ns,pidns_mount_string_path)103*5554d820SAleksa Sarai TEST_F(ns, pidns_mount_string_path)
104*5554d820SAleksa Sarai {
105*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/proc-host", 0755));
106*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("proc", "/tmp/proc-host", "proc", 0, "pidns=/proc/self/ns/pid"));
107*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc-host/self/", X_OK));
108*5554d820SAleksa Sarai
109*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/proc-dummy", 0755));
110*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("proc", "/tmp/proc-dummy", "proc", 0, "pidns=/tmp/dummy/pidns"));
111*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, access("/tmp/proc-dummy/1/", X_OK));
112*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, access("/tmp/proc-dummy/self/", X_OK));
113*5554d820SAleksa Sarai }
114*5554d820SAleksa Sarai
TEST_F(ns,pidns_fsconfig_string_path)115*5554d820SAleksa Sarai TEST_F(ns, pidns_fsconfig_string_path)
116*5554d820SAleksa Sarai {
117*5554d820SAleksa Sarai int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
118*5554d820SAleksa Sarai ASSERT_SUCCESS(fsfd);
119*5554d820SAleksa Sarai
120*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_SET_STRING, "pidns", "/tmp/dummy/pidns", 0));
121*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
122*5554d820SAleksa Sarai
123*5554d820SAleksa Sarai int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
124*5554d820SAleksa Sarai ASSERT_SUCCESS(mountfd);
125*5554d820SAleksa Sarai
126*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "1/", X_OK, 0));
127*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "self/", X_OK, 0));
128*5554d820SAleksa Sarai
129*5554d820SAleksa Sarai ASSERT_SUCCESS(close(fsfd));
130*5554d820SAleksa Sarai ASSERT_SUCCESS(close(mountfd));
131*5554d820SAleksa Sarai }
132*5554d820SAleksa Sarai
TEST_F(ns,pidns_fsconfig_fd)133*5554d820SAleksa Sarai TEST_F(ns, pidns_fsconfig_fd)
134*5554d820SAleksa Sarai {
135*5554d820SAleksa Sarai int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
136*5554d820SAleksa Sarai ASSERT_SUCCESS(fsfd);
137*5554d820SAleksa Sarai
138*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_SET_FD, "pidns", NULL, self->dummy_pidns));
139*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
140*5554d820SAleksa Sarai
141*5554d820SAleksa Sarai int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
142*5554d820SAleksa Sarai ASSERT_SUCCESS(mountfd);
143*5554d820SAleksa Sarai
144*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "1/", X_OK, 0));
145*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-ENOENT, faccessat(mountfd, "self/", X_OK, 0));
146*5554d820SAleksa Sarai
147*5554d820SAleksa Sarai ASSERT_SUCCESS(close(fsfd));
148*5554d820SAleksa Sarai ASSERT_SUCCESS(close(mountfd));
149*5554d820SAleksa Sarai }
150*5554d820SAleksa Sarai
TEST_F(ns,pidns_reconfigure_remount)151*5554d820SAleksa Sarai TEST_F(ns, pidns_reconfigure_remount)
152*5554d820SAleksa Sarai {
153*5554d820SAleksa Sarai ASSERT_SUCCESS(mkdir("/tmp/proc", 0755));
154*5554d820SAleksa Sarai ASSERT_SUCCESS(mount("proc", "/tmp/proc", "proc", 0, ""));
155*5554d820SAleksa Sarai
156*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc/1/", X_OK));
157*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc/self/", X_OK));
158*5554d820SAleksa Sarai
159*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-EBUSY, mount(NULL, "/tmp/proc", NULL, MS_REMOUNT, "pidns=/tmp/dummy/pidns"));
160*5554d820SAleksa Sarai
161*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc/1/", X_OK));
162*5554d820SAleksa Sarai ASSERT_SUCCESS(access("/tmp/proc/self/", X_OK));
163*5554d820SAleksa Sarai }
164*5554d820SAleksa Sarai
TEST_F(ns,pidns_reconfigure_fsconfig_string_path)165*5554d820SAleksa Sarai TEST_F(ns, pidns_reconfigure_fsconfig_string_path)
166*5554d820SAleksa Sarai {
167*5554d820SAleksa Sarai int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
168*5554d820SAleksa Sarai ASSERT_SUCCESS(fsfd);
169*5554d820SAleksa Sarai
170*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
171*5554d820SAleksa Sarai
172*5554d820SAleksa Sarai int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
173*5554d820SAleksa Sarai ASSERT_SUCCESS(mountfd);
174*5554d820SAleksa Sarai
175*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
176*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
177*5554d820SAleksa Sarai
178*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-EBUSY, fsconfig(fsfd, FSCONFIG_SET_STRING, "pidns", "/tmp/dummy/pidns", 0));
179*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0)); /* noop */
180*5554d820SAleksa Sarai
181*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
182*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
183*5554d820SAleksa Sarai
184*5554d820SAleksa Sarai ASSERT_SUCCESS(close(fsfd));
185*5554d820SAleksa Sarai ASSERT_SUCCESS(close(mountfd));
186*5554d820SAleksa Sarai }
187*5554d820SAleksa Sarai
TEST_F(ns,pidns_reconfigure_fsconfig_fd)188*5554d820SAleksa Sarai TEST_F(ns, pidns_reconfigure_fsconfig_fd)
189*5554d820SAleksa Sarai {
190*5554d820SAleksa Sarai int fsfd = fsopen("proc", FSOPEN_CLOEXEC);
191*5554d820SAleksa Sarai ASSERT_SUCCESS(fsfd);
192*5554d820SAleksa Sarai
193*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0));
194*5554d820SAleksa Sarai
195*5554d820SAleksa Sarai int mountfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
196*5554d820SAleksa Sarai ASSERT_SUCCESS(mountfd);
197*5554d820SAleksa Sarai
198*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
199*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
200*5554d820SAleksa Sarai
201*5554d820SAleksa Sarai ASSERT_ERRNO_EQ(-EBUSY, fsconfig(fsfd, FSCONFIG_SET_FD, "pidns", NULL, self->dummy_pidns));
202*5554d820SAleksa Sarai ASSERT_SUCCESS(fsconfig(fsfd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0)); /* noop */
203*5554d820SAleksa Sarai
204*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "1/", X_OK, 0));
205*5554d820SAleksa Sarai ASSERT_SUCCESS(faccessat(mountfd, "self/", X_OK, 0));
206*5554d820SAleksa Sarai
207*5554d820SAleksa Sarai ASSERT_SUCCESS(close(fsfd));
208*5554d820SAleksa Sarai ASSERT_SUCCESS(close(mountfd));
209*5554d820SAleksa Sarai }
210*5554d820SAleksa Sarai
211*5554d820SAleksa Sarai TEST_HARNESS_MAIN
212