[LTP] [PATCH] containers: override kernel.unprivileged_userns_clone sysctl where needed

Seth Forshee (DigitalOcean) sforshee@kernel.org
Thu Mar 23 16:45:37 CET 2023


Some distros have a kernel.unprivileged_userns_clone sysctl which, when
disabled, forbids users without CAP_SYS_ADMIN in the initial user
namespace from creating new user namespaces. When disabled, the
containers user07 and user08 tests fail.

Update these tests to ensure that when this sysctl is present it is set
to allow unprivileged user namespace creation while the test is running.

Signed-off-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>
---
 testcases/kernel/containers/userns/userns07.c | 4 ++++
 testcases/kernel/containers/userns/userns08.c | 1 +
 2 files changed, 5 insertions(+)

diff --git a/testcases/kernel/containers/userns/userns07.c b/testcases/kernel/containers/userns/userns07.c
index 40cc1e26c244..2c946a659278 100644
--- a/testcases/kernel/containers/userns/userns07.c
+++ b/testcases/kernel/containers/userns/userns07.c
@@ -88,4 +88,8 @@ static struct tst_test test = {
 		"CONFIG_USER_NS",
 		NULL,
 	},
+	.save_restore = (const struct tst_path_val[]) {
+		{"/proc/sys/kernel/unprivileged_userns_clone", "1", TST_SR_SKIP},
+		{}
+	},
 };
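Review bot: The new `.save_restore` entry writes "1" to `/proc/sys/kernel/unprivileged_userns_clone`, but nothing visible in this hunk shows that the test runs with the privilege needed to write under /proc/sys, so please confirm that this `struct tst_test` sets `.needs_root` or otherwise guarantees it. With `TST_SR_SKIP` the entry appears intended to be skipped quietly when it cannot be applied; on a host where the sysctl is 0 and the write does not happen, the test would still fail with no hint as to why, so consider whether a TCONF result would be more useful there. A one-line comment above the entry noting that this is a distro-specific sysctl would also help, since the file gives no other explanation for it.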
diff --git a/testcases/kernel/containers/userns/userns08.c b/testcases/kernel/containers/userns/userns08.c
index 2697d874b3a0..84f0ce9a92e1 100644
--- a/testcases/kernel/containers/userns/userns08.c
+++ b/testcases/kernel/containers/userns/userns08.c
@@ -136,6 +136,7 @@ static struct tst_test test = {
 	},
 	.save_restore = (const struct tst_path_val[]) {
 		{"/proc/sys/user/max_user_namespaces", NULL, TST_SR_SKIP},
+		{"/proc/sys/kernel/unprivileged_userns_clone", "1", TST_SR_SKIP},
 		{}
 	},
 	.tags = (const struct tst_tag[]) {
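Review bot: The added entry passes "1" while the `max_user_namespaces` entry directly above it passes NULL, so the two lines behave differently: the existing one only saves and restores the host value, the new one overrides a host hardening setting for the duration of the test. A short comment on the new line would make that difference clearly intentional. The path literal `"/proc/sys/kernel/unprivileged_userns_clone"` is now repeated in userns07.c and userns08.c; consider a shared define in a header common to the userns tests so the string is not copied again by the next test that needs this override.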

---
base-commit: ce8a8edf1c5a917d0fd2f983c36b67e93de0a5c7
change-id: 20230323-override-unpriv-userns-sysctl-078b99372f01

Best regards,
-- 
Seth Forshee (DigitalOcean) <sforshee@kernel.org>


