Commit d7d2e5bb authored by Kees Cook's avatar Kees Cook

selftests/seccomp: Add SKIPs for failed unshare()



Running the seccomp tests as a regular user shouldn't just fail tests
that require CAP_SYS_ADMIN (for getting a PID namespace). Instead,
detect those cases and SKIP them. Additionally, gracefully SKIP missing
CONFIG_USER_NS (and add to "config" since we'd prefer to actually test
this case).

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 8b1bc88c
+1 −0
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_USER_NS=y
+8 −2
@@ -3444,7 +3444,10 @@ TEST(user_notification_child_pid_ns)
	struct seccomp_notif req = {};
	struct seccomp_notif_resp resp = {};

	ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);
	ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0) {
		if (errno == EINVAL)
			SKIP(return, "kernel missing CLONE_NEWUSER support");
	};

	listener = user_trap_syscall(__NR_getppid,
				     SECCOMP_FILTER_FLAG_NEW_LISTENER);
@@ -3509,7 +3512,10 @@ TEST(user_notification_sibling_pid_ns)
	}

	/* Create the sibling ns, and sibling in it. */
	ASSERT_EQ(unshare(CLONE_NEWPID), 0);
	ASSERT_EQ(unshare(CLONE_NEWPID), 0) {
		if (errno == EPERM)
			SKIP(return, "CLONE_NEWPID requires CAP_SYS_ADMIN");
	}
	ASSERT_EQ(errno, 0);

	pid2 = fork();
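Review bot: The skip in the first hunk (`user_notification_child_pid_ns`) triggers only on `errno == EINVAL`, so the test will still hard-fail where user namespaces are compiled in but creation is refused by policy. unshare(2) documents EPERM and ENOSPC for CLONE_NEWUSER, which is presumably what a hardened host that restricts unprivileged user namespaces would return. Consider widening the check to `if (errno == EINVAL || errno == EPERM || errno == ENOSPC)` with a message such as `SKIP(return, "CLONE_NEWUSER unsupported or not permitted");`. The same block also closes with `};` where the second hunk uses a bare `}`, so the stray semicolon should go for consistency. Both test bodies continue outside the hunks shown.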