[LTP] [PATCH v2] Confirming EPERM is returned when CAP_SYS_ADMIN is removed from clone3. Signed-off-by: Stephen Bertram <sbertram@redhat.com>

Stephen Bertram sbertram@redhat.com
Tue Nov 11 16:34:51 CET 2025 

---
 runtest/syscalls                            |  1 +
 testcases/kernel/syscalls/clone3/.gitignore |  1 +
 testcases/kernel/syscalls/clone3/clone304.c | 63 +++++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 testcases/kernel/syscalls/clone3/clone304.c

diff --git a/runtest/syscalls b/runtest/syscalls
index 54d94c0ca..b2c4f338e 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -128,6 +128,7 @@ clone10 clone10
 clone301 clone301
 clone302 clone302
 clone303 clone303
++clone304 clone304
 
 close01 close01
 close02 close02
diff --git a/testcases/kernel/syscalls/clone3/.gitignore b/testcases/kernel/syscalls/clone3/.gitignore
index 10369954b..e9b5312f4 100644
--- a/testcases/kernel/syscalls/clone3/.gitignore
+++ b/testcases/kernel/syscalls/clone3/.gitignore
@@ -1,3 +1,4 @@
 clone301
 clone302
 clone303
+clone304
diff --git a/testcases/kernel/syscalls/clone3/clone304.c b/testcases/kernel/syscalls/clone3/clone304.c
new file mode 100644
index 000000000..8d0d85bd4
--- /dev/null
+++ b/testcases/kernel/syscalls/clone3/clone304.c
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2025 Stephen Bertram <sbertram@redhat.com>
+ */
+
+/*\
+ * This test verifies that clone3() fals with EPERM when CAP_SYS_ADMIN
+ * has been dropped and ``clone_args.set_tid_size`` is greater than zero.
+ */
+
+#define _GNU_SOURCE
+#include "tst_test.h"
+#include "lapi/sched.h"
+
+struct clone_args args = {0};
+
+static struct tcase {
+	uint64_t flags;
+	char *sflags;
+} tcases[] = {
+	{CLONE_NEWPID, "CLONE_NEWPID"},
+	{CLONE_NEWCGROUP, "CLONE_NEWCGROUP"},
+	{CLONE_NEWIPC, "CLONE_NEWIPC"},
+	{CLONE_NEWNET, "CLONE_NEWNET"},
+	{CLONE_NEWNS, "CLONE_NEWNS"},
+	{CLONE_NEWUTS, "CLONE_NEWUTS"},
+};
+
+static void run(unsigned int n)
+{
+	struct tcase *tc = &tcases[n];
+	pid_t tid_array[4] = {0, 0, 0, 0};
+
+	args.flags = tc->flags;
+	args.set_tid = (uint64_t)(uintptr_t)tid_array;
+
+	TST_EXP_FAIL(clone3(&args, sizeof(args)), EPERM, "clone3(%s) should fail with EPERM",tc->sflags);
+}
+
+static void setup(void)
+{
+	clone3_supported_by_kernel();
+
+	args.pidfd = 0;
+	args.child_tid = 0;
+	args.parent_tid = 0;
+	args.exit_signal = 0;
+	args.stack = 0;
+	args.stack_size = 0;
+	args.tls = 0;
+	args.set_tid_size = 4;  // Greater than zero - requires CAP_SYS_ADMIN
+}
+
+static struct tst_test test = {
+	.tcnt = ARRAY_SIZE(tcases),
+	.setup = setup,
+	.test = run,
+	.needs_root = 1,
+	.caps = (struct tst_cap []) {
+				TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
+				{}
+	},
+};
-- 
2.49.0

More information about the ltp mailing list