From 140936fd73937b105051f978f9443c3b1c7253dc Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Thu, 23 Feb 2023 10:00:47 +0000
Subject: [PATCH 1/2] tests: Explicitly unshare userns when testing --disable-userns
If we're running the tests as uid 0 with capabilities, then bwrap will not create a new user namespace by default, which means the limit won't be exceeded and the test will fail. Make sure we always try to create the new user namespace.
Signed-off-by: Simon McVittie
---
 tests/test-run.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index 979480e2..171e5d42 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -129,9 +129,9 @@ else
 ! $BWRAP --assert-userns-disabled --dev-bind / / -- true
 $BWRAP --unshare-user --disable-userns --dev-bind / / -- true
 ! $BWRAP --unshare-user --disable-userns --dev-bind / / -- $BWRAP --dev-bind / / -- true
- $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 2 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --dev-bind / / -- true"
- $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 100 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --dev-bind / / -- true"
- $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "! $BWRAP --dev-bind / / --assert-userns-disabled -- true"
+ $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 2 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
+ $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 100 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
+ $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "! $BWRAP --unshare-user --dev-bind / / --assert-userns-disabled -- true"
 echo "ok - can disable nested userns"
 fi
From 2ba9a9af913ffdb319f9523074e4863849ba5065 Mon Sep 17 00:00:00 2001
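Review bot: The three rewritten `sh -c` assertions in PATCH 1/2 pass on any non-zero exit from the inner `$BWRAP --unshare-user ...`, so a failure unrelated to the user-namespace limit (a setup or argument error, say) still counts as proof that `--disable-userns` blocked it. Consider redirecting the inner command's stderr to a file and checking it for the namespace-creation failure. At minimum, add a comment above the group such as `# inner bwrap must fail only because the userns limit is exhausted`. The `sh -c` lines added in PATCH 2/2 have the same shape. The enclosing `else` branch begins outside the hunk.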
From: Simon McVittie
Date: Thu, 23 Feb 2023 10:02:01 +0000
Subject: [PATCH 2/2] tests: Try harder to evade --disable-userns
The worst-case scenario in terms of enforcing --disable-userns is that we're retaining all capabilities, so test that too, to make sure that the option is genuinely restricting even a privileged user.
Signed-off-by: Simon McVittie
---
 tests/test-run.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index 171e5d42..a90f0b1f 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -132,6 +132,15 @@ else
 $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 2 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
 $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 100 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
 $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "! $BWRAP --unshare-user --dev-bind / / --assert-userns-disabled -- true"
+
+ $BWRAP_RECURSE --dev-bind / / -- true
+ ! $BWRAP_RECURSE --assert-userns-disabled --dev-bind / / -- true
+ $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- true
+ ! $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- /proc/self/exe --dev-bind / / -- true
+ $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 2 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
+ $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 100 > /proc/sys/user/max_user_namespaces || true; ! $BWRAP --unshare-user --dev-bind / / -- true"
+ $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- sh -c "! $BWRAP --unshare-user --dev-bind / / --assert-userns-disabled -- true"
+
 echo "ok - can disable nested userns"
 fi
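Review bot: The two added top-level negations, `! $BWRAP_RECURSE --assert-userns-disabled --dev-bind / / -- true` and `! $BWRAP_RECURSE --unshare-user --disable-userns --dev-bind / / -- /proc/self/exe --dev-bind / / -- true`, will not stop the script under `set -e`, because errexit ignores a pipeline negated with `!` (ShellCheck SC2251). If this script relies on errexit (its header is outside the hunk), a capability-retaining nested bwrap that wrongly succeeds would still reach the `ok` line, so the regression this patch targets would go unreported. Writing each as `if $BWRAP_RECURSE ... -- true; then exit 1; fi` makes an unexpected success fatal. The `sh -c "...; ! $BWRAP ..."` lines are not affected, since there the negated status becomes the exit status of `sh`. The pre-existing `! $BWRAP` context lines shown in PATCH 1/2 have the same form.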