[LTP] [PATCH v1] Confirming EPERM is returned when CAP_SYS_ADMIN is removed from clone3. Signed-off-by: Stephen Bertram <sbertram@redhat.com>

[Stephen Bertram]

---
 runtest/syscalls                            |  1 +
 testcases/kernel/syscalls/clone3/.gitignore |  1 +
 testcases/kernel/syscalls/clone3/clone304.c | 70 +++++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 testcases/kernel/syscalls/clone3/clone304.c

diff --git a/runtest/syscalls b/runtest/syscalls
index 54d94c0ca..b2c4f338e 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -128,6 +128,7 @@ clone10 clone10
 clone301 clone301
 clone302 clone302
 clone303 clone303
++clone304 clone304
 
 close01 close01
 close02 close02
diff --git a/testcases/kernel/syscalls/clone3/.gitignore b/testcases/kernel/syscalls/clone3/.gitignore
index 10369954b..e9b5312f4 100644
--- a/testcases/kernel/syscalls/clone3/.gitignore
+++ b/testcases/kernel/syscalls/clone3/.gitignore
@@ -1,3 +1,4 @@
 clone301
 clone302
 clone303
+clone304
diff --git a/testcases/kernel/syscalls/clone3/clone304.c b/testcases/kernel/syscalls/clone3/clone304.c
new file mode 100644
index 000000000..8968b0144
--- /dev/null
+++ b/testcases/kernel/syscalls/clone3/clone304.c
@@ -0,0 +1,70 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2025 Stephen Bertram <sbertram@redhat.com>
+ */
+
+/*
+ * Test for clone3() EPERM error when set_tid_size > 0 without CAP_SYS_ADMIN
+ *
+ * This test verifies that clone3() returns EPERM when:
+ * - set_tid_size is greater than zero
+ * - The caller lacks the CAP_SYS_ADMIN capability in one or more of the
+ *   user namespaces that own the corresponding PID namespaces.
+ *
+ */
+
+#define _GNU_SOURCE
+#include "tst_test.h"
+#include "lapi/sched.h"
+
+static struct tcase {
+	uint64_t flags;
+	char *sflags;
+} tcases[] = {
+	{CLONE_NEWPID, "CLONE_NEWPID"},
+	{CLONE_NEWCGROUP, "CLONE_NEWCGROUP"},
+	{CLONE_NEWIPC, "CLONE_NEWIPC"},
+	{CLONE_NEWNET, "CLONE_NEWNET"},
+	{CLONE_NEWNS, "CLONE_NEWNS"},
+	{CLONE_NEWUTS, "CLONE_NEWUTS"},
+};
+
+static void run(unsigned int n)
+{
+	struct tcase *tc = &tcases[n];
+	struct clone_args args = {0};
+	pid_t tid_array[4] = {0, 0, 0, 0};
+	pid_t pid;
+
+	args.flags = tc->flags;
+	args.pidfd = 0;
+	args.child_tid = 0;
+	args.parent_tid = 0;
+	args.exit_signal = 0;
+	args.stack = 0;
+	args.stack_size = 0;
+	args.tls = 0;
+	args.set_tid = (uint64_t)(uintptr_t)tid_array;
+	args.set_tid_size = 4;  // Greater than zero - requires CAP_SYS_ADMIN
+
+	errno = 0;
+	TEST(pid = clone3(&args, sizeof(args)));
+
+	if (pid > 0)
+		tst_res(TFAIL | TTERRNO, "clone3(%s) worked and it shouldn't", tc->sflags);
+	else
+		if (errno != EPERM)
+			tst_res(TFAIL | TTERRNO, "clone3(%s) expected EPERM.", tc->sflags);
+		else
+			tst_res(TPASS | TTERRNO, "clone3(%s) failed as expected", tc->sflags);
+}
+
+static struct tst_test test = {
+	.tcnt = ARRAY_SIZE(tcases),
+	.test = run,
+	.needs_root = 1,
+	.caps = (struct tst_cap []) {
+				TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
+				{}
+	},
+};
-- 
2.49.0