Re: [PATCH for-next/seccomp 1/2] selftests/seccomp: Add SKIPs for failed unshare()

From: Kees Cook
Date: Fri Jul 10 2020 - 18:53:08 EST

Next message: Gustavo A. R. Silva: "Re: [PATCH v3] CodingStyle: Inclusive Terminology"
Previous message: Brendan Shanks: "[PATCH v5] x86/umip: Add emulation/spoofing for SLDT and STR instructions"
In reply to: Tycho Andersen: "Re: [PATCH for-next/seccomp 1/2] selftests/seccomp: Add SKIPs for failed unshare()"
Next in thread: Kees Cook: "[PATCH for-next/seccomp 2/2] selftests/seccomp: Set NNP for TSYNC ESRCH flag test"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jul 10, 2020 at 01:10:23PM -0600, Tycho Andersen wrote:
> On Fri, Jul 10, 2020 at 11:51:55AM -0700, Kees Cook wrote:
> > Running the seccomp tests as a regular user shouldn't just fail tests
> > that require CAP_SYS_ADMIN (for getting a PID namespace). Instead,
> > detect those cases and SKIP them.
>
> But if we unshare NEWUSER at the same time as NEWPID, shouldn't we
> always be ns_capable(CAP_SYS_ADMIN)?

Oh! Yes, you're quite right. :)

Instead I guess I should actually check for EINVAL if CONFIG_USER_NS is
missing.

--
Kees Cook

Next message: Gustavo A. R. Silva: "Re: [PATCH v3] CodingStyle: Inclusive Terminology"
Previous message: Brendan Shanks: "[PATCH v5] x86/umip: Add emulation/spoofing for SLDT and STR instructions"
In reply to: Tycho Andersen: "Re: [PATCH for-next/seccomp 1/2] selftests/seccomp: Add SKIPs for failed unshare()"
Next in thread: Kees Cook: "[PATCH for-next/seccomp 2/2] selftests/seccomp: Set NNP for TSYNC ESRCH flag test"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]