authorJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:43 +0200
committerJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:46 +0200
commitb83db21c221a6bf8b7fbcb648c0e003f6d53fbf4 (patch)
tree41a5fb260a5b4db5fa0ba07b4496247fb8417206
parent7d77ba3c9bb4cd17cce7379bb8082ac87b62169f (diff)
selftests/seccomp: Handle namespace failures gracefully
-rw-r--r--patches.kernel.org/5.1.3-006-selftests-seccomp-Handle-namespace-failures-gra.patch194
-rw-r--r--series.conf1
2 files changed, 195 insertions, 0 deletions
diff --git a/patches.kernel.org/5.1.3-006-selftests-seccomp-Handle-namespace-failures-gra.patch b/patches.kernel.org/5.1.3-006-selftests-seccomp-Handle-namespace-failures-gra.patch
new file mode 100644
index 0000000000..8e5194eb74
--- /dev/null
+++ b/patches.kernel.org/5.1.3-006-selftests-seccomp-Handle-namespace-failures-gra.patch
@@ -0,0 +1,194 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 11 Apr 2019 16:56:31 -0700
+Subject: [PATCH] selftests/seccomp: Handle namespace failures gracefully
+References: bnc#1012628
+Patch-mainline: 5.1.3
+Git-commit: 9dd3fcb0ab73cb1e00b8562ef027a38521aaff87
+
+commit 9dd3fcb0ab73cb1e00b8562ef027a38521aaff87 upstream.
+
+When running without USERNS or PIDNS the seccomp test would hang since
+it was waiting forever for the child to trigger the user notification
+since it seems the glibc() abort handler makes a call to getpid(),
+which would trap again. This changes the getpid filter to getppid, and
+makes sure ASSERTs execute to stop from spawning the listener.
+
+Reported-by: Shuah Khan <shuah@kernel.org>
+Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
+Cc: stable@vger.kernel.org # > 5.0
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Tycho Andersen <tycho@tycho.ws>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 43 ++++++++++---------
+ 1 file changed, 23 insertions(+), 20 deletions(-)
+
+diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
+index 5019cdae5d0b..0fad0dc62338 100644
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -3095,9 +3095,9 @@ TEST(user_notification_basic)
+
+ /* Check that we get -ENOSYS with no listener attached */
+ if (pid == 0) {
+- if (user_trap_syscall(__NR_getpid, 0) < 0)
++ if (user_trap_syscall(__NR_getppid, 0) < 0)
+ exit(1);
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret >= 0 || errno != ENOSYS);
+ }
+
+@@ -3112,12 +3112,12 @@ TEST(user_notification_basic)
+ EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
+
+ /* Check that the basic notification machinery works */
+- listener = user_trap_syscall(__NR_getpid,
++ listener = user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ /* Installing a second listener in the chain should EBUSY */
+- EXPECT_EQ(user_trap_syscall(__NR_getpid,
++ EXPECT_EQ(user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER),
+ -1);
+ EXPECT_EQ(errno, EBUSY);
+@@ -3126,7 +3126,7 @@ TEST(user_notification_basic)
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0) {
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret != USER_NOTIF_MAGIC);
+ }
+
+@@ -3144,7 +3144,7 @@ TEST(user_notification_basic)
+ EXPECT_GT(poll(&pollfd, 1, -1), 0);
+ EXPECT_EQ(pollfd.revents, POLLOUT);
+
+- EXPECT_EQ(req.data.nr, __NR_getpid);
++ EXPECT_EQ(req.data.nr, __NR_getppid);
+
+ resp.id = req.id;
+ resp.error = 0;
+@@ -3176,7 +3176,7 @@ TEST(user_notification_kill_in_middle)
+ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+ }
+
+- listener = user_trap_syscall(__NR_getpid,
++ listener = user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+@@ -3188,7 +3188,7 @@ TEST(user_notification_kill_in_middle)
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0) {
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret != USER_NOTIF_MAGIC);
+ }
+
+@@ -3298,7 +3298,7 @@ TEST(user_notification_closed_listener)
+ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+ }
+
+- listener = user_trap_syscall(__NR_getpid,
++ listener = user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+@@ -3309,7 +3309,7 @@ TEST(user_notification_closed_listener)
+ ASSERT_GE(pid, 0);
+ if (pid == 0) {
+ close(listener);
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret != -1 && errno != ENOSYS);
+ }
+
+@@ -3332,14 +3332,15 @@ TEST(user_notification_child_pid_ns)
+
+ ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);
+
+- listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
++ listener = user_trap_syscall(__NR_getppid,
++ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ pid = fork();
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0)
+- exit(syscall(__NR_getpid) != USER_NOTIF_MAGIC);
++ exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
+
+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
+ EXPECT_EQ(req.pid, pid);
+@@ -3371,7 +3372,8 @@ TEST(user_notification_sibling_pid_ns)
+ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+ }
+
+- listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
++ listener = user_trap_syscall(__NR_getppid,
++ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ pid = fork();
+@@ -3384,7 +3386,7 @@ TEST(user_notification_sibling_pid_ns)
+ ASSERT_GE(pid2, 0);
+
+ if (pid2 == 0)
+- exit(syscall(__NR_getpid) != USER_NOTIF_MAGIC);
++ exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
+
+ EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
+ EXPECT_EQ(true, WIFEXITED(status));
+@@ -3393,11 +3395,11 @@ TEST(user_notification_sibling_pid_ns)
+ }
+
+ /* Create the sibling ns, and sibling in it. */
+- EXPECT_EQ(unshare(CLONE_NEWPID), 0);
+- EXPECT_EQ(errno, 0);
++ ASSERT_EQ(unshare(CLONE_NEWPID), 0);
++ ASSERT_EQ(errno, 0);
+
+ pid2 = fork();
+- EXPECT_GE(pid2, 0);
++ ASSERT_GE(pid2, 0);
+
+ if (pid2 == 0) {
+ ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
+@@ -3405,7 +3407,7 @@ TEST(user_notification_sibling_pid_ns)
+ * The pid should be 0, i.e. the task is in some namespace that
+ * we can't "see".
+ */
+- ASSERT_EQ(req.pid, 0);
++ EXPECT_EQ(req.pid, 0);
+
+ resp.id = req.id;
+ resp.error = 0;
+@@ -3435,14 +3437,15 @@ TEST(user_notification_fault_recv)
+
+ ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
+
+- listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
++ listener = user_trap_syscall(__NR_getppid,
++ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ pid = fork();
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0)
+- exit(syscall(__NR_getpid) != USER_NOTIF_MAGIC);
++ exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
+
+ /* Do a bad recv() */
+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, NULL), -1);
+--
+2.21.0
+
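Review bot: The reason for trapping getppid instead of getpid lives only in the commit message; at the first changed call in user_notification_basic, `user_trap_syscall(__NR_getppid, 0)`, the code reads as an arbitrary choice, and a later cleanup could put getpid back and reintroduce the hang. A one-line comment beside that first filter install, `/* Trap getppid, not getpid: glibc's abort() path reportedly calls getpid(), which would re-trap into the listener and hang the test. */`, keeps the rationale with the code; the same applies to the other user_notification_* tests changed in this patch. Separately, in user_notification_sibling_pid_ns the upgraded `ASSERT_EQ(errno, 0);` after a successful unshare() inspects a value that is not meaningful after a call that succeeded, so a stale errno left by an earlier call would now abort the test instead of merely being reported. Either drop that line or set `errno = 0;` immediately before the unshare() so the assertion checks something the call actually produced. Every TEST() body here starts outside its hunk, so the surrounding control flow is inferred.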
diff --git a/series.conf b/series.conf
index ff3e4f2ac9..3ba5acfc13 100644
--- a/series.conf
+++ b/series.conf
@@ -91,6 +91,7 @@
patches.kernel.org/5.1.3-003-platform-x86-dell-laptop-fix-rfkill-functionali.patch
patches.kernel.org/5.1.3-004-hwmon-pwm-fan-Disable-PWM-if-fetching-cooling-d.patch
patches.kernel.org/5.1.3-005-hwmon-occ-Fix-extended-status-bits.patch
+ patches.kernel.org/5.1.3-006-selftests-seccomp-Handle-namespace-failures-gra.patch
########################################################
# Build fixes that apply to the vanilla kernel too.