[LTP] [PATCH v2] Confirming EPERM is returned when CAP_SYS_ADMIN is removed from clone3. Signed-off-by: Stephen Bertram <sbertram@redhat.com>

Stephen Bertram sbertram@redhat.com
Wed Nov 12 15:40:30 CET 2025


Hi Li,

On Wed, Nov 12, 2025 at 5:34 AM Li Wang <liwang@redhat.com> wrote:

> Hi Stephen,
>
> According to the clone3() manual page:
>
>        "EPERM  CLONE_NEWCGROUP, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS,
> CLONE_NEWPID, or CLONE_NEWUTS was specified by an unprivileged process
> (process without CAP_SYS_ADMIN).
>
I misinterpreted this and thought it was only for clone3; I will add a test
for clone as well.

>
>        EPERM (clone3() only)
>               set_tid_size was greater than zero, and the caller lacks the
> CAP_SYS_ADMIN capability in one or more of the user namespaces that own the
> corresponding PID namespaces."
>
>
> Shouldn't we separately test both? In your test, we don't know the EPERM
>
See setup:
args.set_tid_size = 4;  // Greater than zero - requires CAP_SYS_ADMIN

> comes from "set_tid_size>0" (or CLONE_NEW*) with no CAP_SYS_ADMIN.
>
That is exactly what this test does.
See run results:

> [root@localhost clone3]# ./clone304
> tst_test.c:2025: TINFO: LTP version: 20250930
> tst_test.c:2028: TINFO: Tested kernel: 6.12.0-xxx.xxx.aarch64 #1 SMP PREEMPT_RT Mon Nov 10 10:56:27 EST 2025 aarch64
> tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
> tst_test.c:1846: TINFO: Overall timeout per run is 0h 00m 30s
>
> tst_capability.c:29: TINFO: Dropping CAP_SYS_ADMIN(21)
> clone304.c:37: TPASS: clone3(CLONE_NEWPID) should fail with EPERM : EPERM (1)
> clone304.c:37: TPASS: clone3(CLONE_NEWCGROUP) should fail with EPERM : EPERM (1)
> clone304.c:37: TPASS: clone3(CLONE_NEWIPC) should fail with EPERM : EPERM (1)
> clone304.c:37: TPASS: clone3(CLONE_NEWNET) should fail with EPERM : EPERM (1)
> clone304.c:37: TPASS: clone3(CLONE_NEWNS) should fail with EPERM : EPERM (1)
> clone304.c:37: TPASS: clone3(CLONE_NEWUTS) should fail with EPERM : EPERM (1)


Summary:
> passed   6
> failed   0
> broken   0
> skipped  0
> warnings 0

Let me know if I missed anything.

Hi Cyril and Andrea,

I received your input and I will make updates accordingly.

Thank you all,

stephen
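Li's suggestion to test the two EPERM sources separately, as an added example that is not the LTP test and not code from anyone in this thread: one clone3() call carries only CLONE_NEWPID and the other only a one-entry set_tid array, so an EPERM from either call can be attributed to exactly one capability check. It assumes a Linux kernel with clone3() set_tid support (5.5 or later) and an unprivileged caller to observe both EPERMs; the tid value 1 and the names probe_clone3 and probe_clone_args are my own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __NR_clone3
#define __NR_clone3 435 /* clone3 has the same number on every architecture */
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif

/* Local copy of struct clone_args (linux/sched.h) so older headers still compile. */
struct probe_clone_args {
    uint64_t flags, pidfd, child_tid, parent_tid, exit_signal, stack,
             stack_size, tls, set_tid, set_tid_size, cgroup;
};

/* One clone3() call carrying only the fields under test. Returns 0 when a child
 * was created (it exits at once and is reaped), otherwise the errno value. */
int probe_clone3(uint64_t flags, pid_t *set_tid, uint64_t set_tid_size)
{
    struct probe_clone_args args;
    memset(&args, 0, sizeof(args));
    args.flags = flags;
    args.exit_signal = SIGCHLD;
    args.set_tid = (uint64_t)(uintptr_t)set_tid;
    args.set_tid_size = set_tid_size;
    long pid = syscall(__NR_clone3, &args, sizeof(args));
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(0);
    waitpid((pid_t)pid, NULL, 0);
    return 0;
}

int main(void)
{
    /* Case 1: a CLONE_NEW* flag and no set_tid, so EPERM is the namespace check. */
    int ns_err = probe_clone3(CLONE_NEWPID, NULL, 0);
    /* Case 2: set_tid only, so EPERM is the set_tid check. Assumed tid 1 always
     * exists, so the call reaches the capability test rather than EINVAL. */
    pid_t tid[1] = { 1 };
    int tid_err = probe_clone3(0, tid, 1);
    printf("clone3(CLONE_NEWPID):   %s\n", ns_err ? strerror(ns_err) : "child created");
    printf("clone3(set_tid_size=1): %s\n", tid_err ? strerror(tid_err) : "child created");
    return 0;
}
```

Run as an unprivileged user both probes report EPERM; a caller holding CAP_SYS_ADMIN creates the child in case 1 and gets a different error in case 2, which is what tells the two checks apart.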

