1 // SPDX-License-Identifier: GPL-2.0
7 #include <linux/types.h>
14 #include <sys/prctl.h>
17 #include <sys/socket.h>
19 #include <linux/ioctl.h>
22 #include "../clone3/clone3_selftests.h"
23 #include "../kselftest_harness.h"
25 #ifndef PIDFS_IOCTL_MAGIC
26 #define PIDFS_IOCTL_MAGIC 0xFF
29 #ifndef PIDFD_GET_CGROUP_NAMESPACE
30 #define PIDFD_GET_CGROUP_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 1)
33 #ifndef PIDFD_GET_IPC_NAMESPACE
34 #define PIDFD_GET_IPC_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 2)
37 #ifndef PIDFD_GET_MNT_NAMESPACE
38 #define PIDFD_GET_MNT_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 3)
41 #ifndef PIDFD_GET_NET_NAMESPACE
42 #define PIDFD_GET_NET_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 4)
45 #ifndef PIDFD_GET_PID_NAMESPACE
46 #define PIDFD_GET_PID_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 5)
49 #ifndef PIDFD_GET_PID_FOR_CHILDREN_NAMESPACE
50 #define PIDFD_GET_PID_FOR_CHILDREN_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 6)
53 #ifndef PIDFD_GET_TIME_NAMESPACE
54 #define PIDFD_GET_TIME_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 7)
57 #ifndef PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE
58 #define PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 8)
61 #ifndef PIDFD_GET_USER_NAMESPACE
62 #define PIDFD_GET_USER_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 9)
65 #ifndef PIDFD_GET_UTS_NAMESPACE
66 #define PIDFD_GET_UTS_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 10)
83 const struct ns_info {
86 unsigned int pidfd_ioctl;
88 [PIDFD_NS_USER] = { "user", CLONE_NEWUSER, PIDFD_GET_USER_NAMESPACE, },
89 [PIDFD_NS_MNT] = { "mnt", CLONE_NEWNS, PIDFD_GET_MNT_NAMESPACE, },
90 [PIDFD_NS_PID] = { "pid", CLONE_NEWPID, PIDFD_GET_PID_NAMESPACE, },
91 [PIDFD_NS_UTS] = { "uts", CLONE_NEWUTS, PIDFD_GET_UTS_NAMESPACE, },
92 [PIDFD_NS_IPC] = { "ipc", CLONE_NEWIPC, PIDFD_GET_IPC_NAMESPACE, },
93 [PIDFD_NS_NET] = { "net", CLONE_NEWNET, PIDFD_GET_NET_NAMESPACE, },
94 [PIDFD_NS_CGROUP] = { "cgroup", CLONE_NEWCGROUP, PIDFD_GET_CGROUP_NAMESPACE, },
95 [PIDFD_NS_TIME] = { "time", CLONE_NEWTIME, PIDFD_GET_TIME_NAMESPACE, },
96 [PIDFD_NS_PIDCLD] = { "pid_for_children", 0, PIDFD_GET_PID_FOR_CHILDREN_NAMESPACE, },
97 [PIDFD_NS_TIMECLD] = { "time_for_children", 0, PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE, },
100 FIXTURE(current_nsset)
104 int nsfds[PIDFD_NS_MAX];
105 int child_pidfd_derived_nsfds[PIDFD_NS_MAX];
107 pid_t child_pid_exited;
108 int child_pidfd_exited;
112 int child_nsfds1[PIDFD_NS_MAX];
113 int child_pidfd_derived_nsfds1[PIDFD_NS_MAX];
117 int child_nsfds2[PIDFD_NS_MAX];
118 int child_pidfd_derived_nsfds2[PIDFD_NS_MAX];
121 static int sys_waitid(int which, pid_t pid, int options)
123 return syscall(__NR_waitid, which, pid, NULL, options, NULL);
126 pid_t create_child(int *pidfd, unsigned flags)
128 struct __clone_args args = {
129 .flags = CLONE_PIDFD | flags,
130 .exit_signal = SIGCHLD,
131 .pidfd = ptr_to_u64(pidfd),
134 return sys_clone3(&args, sizeof(struct clone_args));
137 static bool switch_timens(void)
141 if (unshare(CLONE_NEWTIME))
144 fd = open("/proc/self/ns/time_for_children", O_RDONLY | O_CLOEXEC);
148 ret = setns(fd, CLONE_NEWTIME);
153 static ssize_t read_nointr(int fd, void *buf, size_t count)
158 ret = read(fd, buf, count);
159 } while (ret < 0 && errno == EINTR);
164 static ssize_t write_nointr(int fd, const void *buf, size_t count)
169 ret = write(fd, buf, count);
170 } while (ret < 0 && errno == EINTR);
175 FIXTURE_SETUP(current_nsset)
181 for (i = 0; i < PIDFD_NS_MAX; i++) {
182 self->nsfds[i] = -EBADF;
183 self->child_nsfds1[i] = -EBADF;
184 self->child_nsfds2[i] = -EBADF;
185 self->child_pidfd_derived_nsfds[i] = -EBADF;
186 self->child_pidfd_derived_nsfds1[i] = -EBADF;
187 self->child_pidfd_derived_nsfds2[i] = -EBADF;
190 proc_fd = open("/proc/self/ns", O_DIRECTORY | O_CLOEXEC);
191 ASSERT_GE(proc_fd, 0) {
192 TH_LOG("%m - Failed to open /proc/self/ns");
195 self->pid = getpid();
196 self->pidfd = sys_pidfd_open(self->pid, 0);
197 EXPECT_GT(self->pidfd, 0) {
198 TH_LOG("%m - Failed to open pidfd for process %d", self->pid);
201 for (i = 0; i < PIDFD_NS_MAX; i++) {
202 const struct ns_info *info = &ns_info[i];
203 self->nsfds[i] = openat(proc_fd, info->name, O_RDONLY | O_CLOEXEC);
204 if (self->nsfds[i] < 0) {
205 EXPECT_EQ(errno, ENOENT) {
206 TH_LOG("%m - Failed to open %s namespace for process %d",
207 info->name, self->pid);
211 self->child_pidfd_derived_nsfds[i] = ioctl(self->pidfd, info->pidfd_ioctl, 0);
212 if (self->child_pidfd_derived_nsfds[i] < 0) {
213 EXPECT_EQ(errno, EOPNOTSUPP) {
214 TH_LOG("%m - Failed to derive %s namespace from pidfd of process %d",
215 info->name, self->pid);
220 /* Create task that exits right away. */
221 self->child_pid_exited = create_child(&self->child_pidfd_exited, 0);
222 EXPECT_GE(self->child_pid_exited, 0);
224 if (self->child_pid_exited == 0) {
225 if (self->nsfds[PIDFD_NS_USER] >= 0 && unshare(CLONE_NEWUSER) < 0)
227 if (self->nsfds[PIDFD_NS_NET] >= 0 && unshare(CLONE_NEWNET) < 0)
232 ASSERT_EQ(sys_waitid(P_PID, self->child_pid_exited, WEXITED | WNOWAIT), 0);
234 self->pidfd = sys_pidfd_open(self->pid, 0);
235 EXPECT_GE(self->pidfd, 0) {
236 TH_LOG("%m - Failed to open pidfd for process %d", self->pid);
239 ret = socketpair(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, ipc_sockets);
242 /* Create tasks that will be stopped. */
243 if (self->nsfds[PIDFD_NS_USER] >= 0 && self->nsfds[PIDFD_NS_PID] >= 0)
244 self->child_pid1 = create_child(&self->child_pidfd1, CLONE_NEWUSER | CLONE_NEWPID);
245 else if (self->nsfds[PIDFD_NS_PID] >= 0)
246 self->child_pid1 = create_child(&self->child_pidfd1, CLONE_NEWPID);
247 else if (self->nsfds[PIDFD_NS_USER] >= 0)
248 self->child_pid1 = create_child(&self->child_pidfd1, CLONE_NEWUSER);
250 self->child_pid1 = create_child(&self->child_pidfd1, 0);
251 EXPECT_GE(self->child_pid1, 0);
253 if (self->child_pid1 == 0) {
254 close(ipc_sockets[0]);
256 if (self->nsfds[PIDFD_NS_MNT] >= 0 && unshare(CLONE_NEWNS) < 0) {
257 TH_LOG("%m - Failed to unshare mount namespace for process %d", self->pid);
260 if (self->nsfds[PIDFD_NS_CGROUP] >= 0 && unshare(CLONE_NEWCGROUP) < 0) {
261 TH_LOG("%m - Failed to unshare cgroup namespace for process %d", self->pid);
264 if (self->nsfds[PIDFD_NS_IPC] >= 0 && unshare(CLONE_NEWIPC) < 0) {
265 TH_LOG("%m - Failed to unshare ipc namespace for process %d", self->pid);
268 if (self->nsfds[PIDFD_NS_UTS] >= 0 && unshare(CLONE_NEWUTS) < 0) {
269 TH_LOG("%m - Failed to unshare uts namespace for process %d", self->pid);
272 if (self->nsfds[PIDFD_NS_NET] >= 0 && unshare(CLONE_NEWNET) < 0) {
273 TH_LOG("%m - Failed to unshare net namespace for process %d", self->pid);
276 if (self->nsfds[PIDFD_NS_TIME] >= 0 && !switch_timens()) {
277 TH_LOG("%m - Failed to unshare time namespace for process %d", self->pid);
281 if (write_nointr(ipc_sockets[1], "1", 1) < 0)
284 close(ipc_sockets[1]);
290 close(ipc_sockets[1]);
291 ASSERT_EQ(read_nointr(ipc_sockets[0], &c, 1), 1);
292 close(ipc_sockets[0]);
294 ret = socketpair(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, ipc_sockets);
297 if (self->nsfds[PIDFD_NS_USER] >= 0 && self->nsfds[PIDFD_NS_PID] >= 0)
298 self->child_pid2 = create_child(&self->child_pidfd2, CLONE_NEWUSER | CLONE_NEWPID);
299 else if (self->nsfds[PIDFD_NS_PID] >= 0)
300 self->child_pid2 = create_child(&self->child_pidfd2, CLONE_NEWPID);
301 else if (self->nsfds[PIDFD_NS_USER] >= 0)
302 self->child_pid2 = create_child(&self->child_pidfd2, CLONE_NEWUSER);
304 self->child_pid2 = create_child(&self->child_pidfd2, 0);
305 EXPECT_GE(self->child_pid2, 0);
307 if (self->child_pid2 == 0) {
308 close(ipc_sockets[0]);
310 if (self->nsfds[PIDFD_NS_MNT] >= 0 && unshare(CLONE_NEWNS) < 0) {
311 TH_LOG("%m - Failed to unshare mount namespace for process %d", self->pid);
314 if (self->nsfds[PIDFD_NS_CGROUP] >= 0 && unshare(CLONE_NEWCGROUP) < 0) {
315 TH_LOG("%m - Failed to unshare cgroup namespace for process %d", self->pid);
318 if (self->nsfds[PIDFD_NS_IPC] >= 0 && unshare(CLONE_NEWIPC) < 0) {
319 TH_LOG("%m - Failed to unshare ipc namespace for process %d", self->pid);
322 if (self->nsfds[PIDFD_NS_UTS] >= 0 && unshare(CLONE_NEWUTS) < 0) {
323 TH_LOG("%m - Failed to unshare uts namespace for process %d", self->pid);
326 if (self->nsfds[PIDFD_NS_NET] >= 0 && unshare(CLONE_NEWNET) < 0) {
327 TH_LOG("%m - Failed to unshare net namespace for process %d", self->pid);
330 if (self->nsfds[PIDFD_NS_TIME] >= 0 && !switch_timens()) {
331 TH_LOG("%m - Failed to unshare time namespace for process %d", self->pid);
335 if (write_nointr(ipc_sockets[1], "1", 1) < 0)
338 close(ipc_sockets[1]);
344 close(ipc_sockets[1]);
345 ASSERT_EQ(read_nointr(ipc_sockets[0], &c, 1), 1);
346 close(ipc_sockets[0]);
348 for (i = 0; i < PIDFD_NS_MAX; i++) {
351 const struct ns_info *info = &ns_info[i];
353 self->nsfds[i] = openat(proc_fd, info->name, O_RDONLY | O_CLOEXEC);
354 if (self->nsfds[i] < 0) {
355 EXPECT_EQ(errno, ENOENT) {
356 TH_LOG("%m - Failed to open %s namespace for process %d",
357 info->name, self->pid);
361 ret = snprintf(p, sizeof(p), "/proc/%d/ns/%s",
362 self->child_pid1, info->name);
364 EXPECT_LT(ret, sizeof(p));
366 self->child_nsfds1[i] = open(p, O_RDONLY | O_CLOEXEC);
367 if (self->child_nsfds1[i] < 0) {
368 EXPECT_EQ(errno, ENOENT) {
369 TH_LOG("%m - Failed to open %s namespace for process %d",
370 info->name, self->child_pid1);
374 ret = snprintf(p, sizeof(p), "/proc/%d/ns/%s",
375 self->child_pid2, info->name);
377 EXPECT_LT(ret, sizeof(p));
379 self->child_nsfds2[i] = open(p, O_RDONLY | O_CLOEXEC);
380 if (self->child_nsfds2[i] < 0) {
381 EXPECT_EQ(errno, ENOENT) {
382 TH_LOG("%m - Failed to open %s namespace for process %d",
383 info->name, self->child_pid1);
387 self->child_pidfd_derived_nsfds1[i] = ioctl(self->child_pidfd1, info->pidfd_ioctl, 0);
388 if (self->child_pidfd_derived_nsfds1[i] < 0) {
389 EXPECT_EQ(errno, EOPNOTSUPP) {
390 TH_LOG("%m - Failed to derive %s namespace from pidfd of process %d",
391 info->name, self->child_pid1);
395 self->child_pidfd_derived_nsfds2[i] = ioctl(self->child_pidfd2, info->pidfd_ioctl, 0);
396 if (self->child_pidfd_derived_nsfds2[i] < 0) {
397 EXPECT_EQ(errno, EOPNOTSUPP) {
398 TH_LOG("%m - Failed to derive %s namespace from pidfd of process %d",
399 info->name, self->child_pid2);
407 FIXTURE_TEARDOWN(current_nsset)
411 ASSERT_EQ(sys_pidfd_send_signal(self->child_pidfd1,
412 SIGKILL, NULL, 0), 0);
413 ASSERT_EQ(sys_pidfd_send_signal(self->child_pidfd2,
414 SIGKILL, NULL, 0), 0);
416 for (i = 0; i < PIDFD_NS_MAX; i++) {
417 if (self->nsfds[i] >= 0)
418 close(self->nsfds[i]);
419 if (self->child_nsfds1[i] >= 0)
420 close(self->child_nsfds1[i]);
421 if (self->child_nsfds2[i] >= 0)
422 close(self->child_nsfds2[i]);
423 if (self->child_pidfd_derived_nsfds[i] >= 0)
424 close(self->child_pidfd_derived_nsfds[i]);
425 if (self->child_pidfd_derived_nsfds1[i] >= 0)
426 close(self->child_pidfd_derived_nsfds1[i]);
427 if (self->child_pidfd_derived_nsfds2[i] >= 0)
428 close(self->child_pidfd_derived_nsfds2[i]);
431 if (self->child_pidfd1 >= 0)
432 EXPECT_EQ(0, close(self->child_pidfd1));
433 if (self->child_pidfd2 >= 0)
434 EXPECT_EQ(0, close(self->child_pidfd2));
435 ASSERT_EQ(sys_waitid(P_PID, self->child_pid_exited, WEXITED), 0);
436 ASSERT_EQ(sys_waitid(P_PID, self->child_pid1, WEXITED), 0);
437 ASSERT_EQ(sys_waitid(P_PID, self->child_pid2, WEXITED), 0);
440 static int preserve_ns(const int pid, const char *ns)
445 ret = snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns);
446 if (ret < 0 || (size_t)ret >= sizeof(path))
449 return open(path, O_RDONLY | O_CLOEXEC);
452 static int in_same_namespace(int ns_fd1, pid_t pid2, const char *ns)
456 struct stat ns_st1, ns_st2;
458 ret = fstat(ns_fd1, &ns_st1);
462 ns_fd2 = preserve_ns(pid2, ns);
466 ret = fstat(ns_fd2, &ns_st2);
471 /* processes are in the same namespace */
472 if ((ns_st1.st_dev == ns_st2.st_dev) &&
473 (ns_st1.st_ino == ns_st2.st_ino))
476 /* processes are in different namespaces */
480 /* Test that we can't pass garbage to the kernel. */
481 TEST_F(current_nsset, invalid_flags)
483 ASSERT_NE(setns(self->pidfd, 0), 0);
484 EXPECT_EQ(errno, EINVAL);
486 ASSERT_NE(setns(self->pidfd, -1), 0);
487 EXPECT_EQ(errno, EINVAL);
489 ASSERT_NE(setns(self->pidfd, CLONE_VM), 0);
490 EXPECT_EQ(errno, EINVAL);
492 ASSERT_NE(setns(self->pidfd, CLONE_NEWUSER | CLONE_VM), 0);
493 EXPECT_EQ(errno, EINVAL);
496 /* Test that we can't attach to a task that has already exited. */
497 TEST_F(current_nsset, pidfd_exited_child)
502 ASSERT_NE(setns(self->child_pidfd_exited, CLONE_NEWUSER | CLONE_NEWNET),
504 EXPECT_EQ(errno, ESRCH);
507 for (i = 0; i < PIDFD_NS_MAX; i++) {
508 const struct ns_info *info = &ns_info[i];
509 /* Verify that we haven't changed any namespaces. */
510 if (self->nsfds[i] >= 0)
511 ASSERT_EQ(in_same_namespace(self->nsfds[i], pid, info->name), 1);
515 TEST_F(current_nsset, pidfd_incremental_setns)
521 for (i = 0; i < PIDFD_NS_MAX; i++) {
522 const struct ns_info *info = &ns_info[i];
525 if (self->child_nsfds1[i] < 0)
529 ASSERT_EQ(setns(self->child_pidfd1, info->flag), 0) {
530 TH_LOG("%m - Failed to setns to %s namespace of %d via pidfd %d",
531 info->name, self->child_pid1,
536 /* Verify that we have changed to the correct namespaces. */
537 if (info->flag == CLONE_NEWPID)
538 nsfd = self->nsfds[i];
540 nsfd = self->child_nsfds1[i];
541 ASSERT_EQ(in_same_namespace(nsfd, pid, info->name), 1) {
542 TH_LOG("setns failed to place us correctly into %s namespace of %d via pidfd %d",
543 info->name, self->child_pid1,
546 TH_LOG("Managed to correctly setns to %s namespace of %d via pidfd %d",
547 info->name, self->child_pid1, self->child_pidfd1);
551 TEST_F(current_nsset, nsfd_incremental_setns)
557 for (i = 0; i < PIDFD_NS_MAX; i++) {
558 const struct ns_info *info = &ns_info[i];
561 if (self->child_nsfds1[i] < 0)
565 ASSERT_EQ(setns(self->child_nsfds1[i], info->flag), 0) {
566 TH_LOG("%m - Failed to setns to %s namespace of %d via nsfd %d",
567 info->name, self->child_pid1,
568 self->child_nsfds1[i]);
572 /* Verify that we have changed to the correct namespaces. */
573 if (info->flag == CLONE_NEWPID)
574 nsfd = self->nsfds[i];
576 nsfd = self->child_nsfds1[i];
577 ASSERT_EQ(in_same_namespace(nsfd, pid, info->name), 1) {
578 TH_LOG("setns failed to place us correctly into %s namespace of %d via nsfd %d",
579 info->name, self->child_pid1,
580 self->child_nsfds1[i]);
582 TH_LOG("Managed to correctly setns to %s namespace of %d via nsfd %d",
583 info->name, self->child_pid1, self->child_nsfds1[i]);
587 TEST_F(current_nsset, pidfd_derived_nsfd_incremental_setns)
593 for (i = 0; i < PIDFD_NS_MAX; i++) {
594 const struct ns_info *info = &ns_info[i];
597 if (self->child_pidfd_derived_nsfds1[i] < 0)
601 ASSERT_EQ(setns(self->child_pidfd_derived_nsfds1[i], info->flag), 0) {
602 TH_LOG("%m - Failed to setns to %s namespace of %d via nsfd %d",
603 info->name, self->child_pid1,
604 self->child_pidfd_derived_nsfds1[i]);
608 /* Verify that we have changed to the correct namespaces. */
609 if (info->flag == CLONE_NEWPID)
610 nsfd = self->child_pidfd_derived_nsfds[i];
612 nsfd = self->child_pidfd_derived_nsfds1[i];
613 ASSERT_EQ(in_same_namespace(nsfd, pid, info->name), 1) {
614 TH_LOG("setns failed to place us correctly into %s namespace of %d via nsfd %d",
615 info->name, self->child_pid1,
616 self->child_pidfd_derived_nsfds1[i]);
618 TH_LOG("Managed to correctly setns to %s namespace of %d via nsfd %d",
619 info->name, self->child_pid1, self->child_pidfd_derived_nsfds1[i]);
623 TEST_F(current_nsset, pidfd_one_shot_setns)
629 for (i = 0; i < PIDFD_NS_MAX; i++) {
630 const struct ns_info *info = &ns_info[i];
632 if (self->child_nsfds1[i] < 0)
636 TH_LOG("Adding %s namespace of %d to list of namespaces to attach to",
637 info->name, self->child_pid1);
640 ASSERT_EQ(setns(self->child_pidfd1, flags), 0) {
641 TH_LOG("%m - Failed to setns to namespaces of %d",
646 for (i = 0; i < PIDFD_NS_MAX; i++) {
647 const struct ns_info *info = &ns_info[i];
650 if (self->child_nsfds1[i] < 0)
653 /* Verify that we have changed to the correct namespaces. */
654 if (info->flag == CLONE_NEWPID)
655 nsfd = self->nsfds[i];
657 nsfd = self->child_nsfds1[i];
658 ASSERT_EQ(in_same_namespace(nsfd, pid, info->name), 1) {
659 TH_LOG("setns failed to place us correctly into %s namespace of %d",
660 info->name, self->child_pid1);
662 TH_LOG("Managed to correctly setns to %s namespace of %d",
663 info->name, self->child_pid1);
667 TEST_F(current_nsset, no_foul_play)
672 for (i = 0; i < PIDFD_NS_MAX; i++) {
673 const struct ns_info *info = &ns_info[i];
675 if (self->child_nsfds1[i] < 0)
679 if (info->flag) /* No use logging pid_for_children. */
680 TH_LOG("Adding %s namespace of %d to list of namespaces to attach to",
681 info->name, self->child_pid1);
684 ASSERT_EQ(setns(self->child_pidfd1, flags), 0) {
685 TH_LOG("%m - Failed to setns to namespaces of %d vid pidfd %d",
686 self->child_pid1, self->child_pidfd1);
690 * Can't setns to a user namespace outside of our hierarchy since we
691 * don't have caps in there and didn't create it. That means that under
692 * no circumstances should we be able to setns to any of the other
693 * ones since they aren't owned by our user namespace.
695 for (i = 0; i < PIDFD_NS_MAX; i++) {
696 const struct ns_info *info = &ns_info[i];
698 if (self->child_nsfds2[i] < 0 || !info->flag)
701 ASSERT_NE(setns(self->child_pidfd2, info->flag), 0) {
702 TH_LOG("Managed to setns to %s namespace of %d via pidfd %d",
703 info->name, self->child_pid2,
706 TH_LOG("%m - Correctly failed to setns to %s namespace of %d via pidfd %d",
707 info->name, self->child_pid2,
710 ASSERT_NE(setns(self->child_nsfds2[i], info->flag), 0) {
711 TH_LOG("Managed to setns to %s namespace of %d via nsfd %d",
712 info->name, self->child_pid2,
713 self->child_nsfds2[i]);
715 TH_LOG("%m - Correctly failed to setns to %s namespace of %d via nsfd %d",
716 info->name, self->child_pid2,
717 self->child_nsfds2[i]);
721 * Can't setns to a user namespace outside of our hierarchy since we
722 * don't have caps in there and didn't create it. That means that under
723 * no circumstances should we be able to setns to any of the other
724 * ones since they aren't owned by our user namespace.
726 for (i = 0; i < PIDFD_NS_MAX; i++) {
727 const struct ns_info *info = &ns_info[i];
729 if (self->child_pidfd_derived_nsfds2[i] < 0 || !info->flag)
732 ASSERT_NE(setns(self->child_pidfd_derived_nsfds2[i], info->flag), 0) {
733 TH_LOG("Managed to setns to %s namespace of %d via nsfd %d",
734 info->name, self->child_pid2,
735 self->child_pidfd_derived_nsfds2[i]);
737 TH_LOG("%m - Correctly failed to setns to %s namespace of %d via nsfd %d",
738 info->name, self->child_pid2,
739 self->child_pidfd_derived_nsfds2[i]);
747 fd = sys_memfd_create("rostock", 0);
750 ASSERT_NE(setns(fd, 0), 0);
751 EXPECT_EQ(errno, EINVAL);
projects / linux.git / blob