ci: Add maps00 test in unprivileged mode in user namespace

CAP_CHECKPOINT_RESTORE does not give access to /proc/$pid/map_files in
user namespaces. In order to test that CRIU in unprivileged mode can
dump and restore anonymous shared memory pages we will run the maps00
tests in a user namespace.

Signed-off-by: Younes Manton <ymanton@ca.ibm.com>

scripts/build/Dockerfile.alpine

@@ -21,7 +21,9 @@ RUN apk update && apk add \
 	py3-pip \
 	py3-protobuf \
 	python3 \
-	sudo
+	sudo \
+	libcap-utils \
+	util-linux
 
 COPY . /criu
 WORKDIR /criu

scripts/ci/run-ci-tests.sh

@@ -289,6 +289,21 @@ ip net add test
 ./test/zdtm.py run -t zdtm/static/env00 -t zdtm/transition/fork -t zdtm/static/ghost_holes00 -t zdtm/static/socket-tcp -t zdtm/static/msgque -k always
 ./test/crit-recode.py
 
+# Rootless tests
+# Check if cap_checkpoint_restore is supported and also if unshare -c is supported.
+if capsh --supports=cap_checkpoint_restore && unshare -c /bin/true; then
+	make -C test/zdtm/ cleanout
+	rm -rf test/dump
+	setcap cap_checkpoint_restore,cap_sys_ptrace+eip criu/criu
+	# Run it as non-root in a user namespace. Since CAP_CHECKPOINT_RESTORE behaves differently in non-user namespaces (e.g. no access to map_files) this tests that we can dump and restore
+	# under those conditions. Note that the "... && true" part is necessary; we need at least one statement after the tests so that bash can reap zombies in the user namespace,
+	# otherwise it will exec the last statement and get replaced and nobody will be left to reap our zombies.
+	sudo --user=#65534 --group=#65534 unshare -Ucfpm --mount-proc -- bash -c "./test/zdtm.py run -t zdtm/static/maps00 -f h --rootless && true"
+	setcap -r criu/criu
+else
+	echo "Skipping unprivileged mode tests"
+fi
+
 # more crit testing
 make -C test/others/crit run
 

scripts/ci/vagrant.sh

@@ -78,6 +78,11 @@ fedora-non-root() {
 	ssh default 'cd /vagrant/criu; criu/criu check --unprivileged; ./test/zdtm.py run -t zdtm/static/env00 -t zdtm/static/pthread00 -f h --rootless'
 	# Run it as root with '--rootless'
 	ssh default 'cd /vagrant/criu; sudo ./test/zdtm.py run -t zdtm/static/env00 -t zdtm/static/pthread00 -f h; sudo chmod 777 test/dump/zdtm/static/{env00,pthread00}; sudo ./test/zdtm.py run -t zdtm/static/env00 -t zdtm/static/pthread00 -f h --rootless'
+	# Run it as non-root in a user namespace. Since CAP_CHECKPOINT_RESTORE behaves differently in non-user namespaces (e.g. no access to map_files) this tests that we can dump and restore
+	# under those conditions. Note that the "... && true" part is necessary; we need at least one statement after the tests so that bash can reap zombies in the user namespace,
+	# otherwise it will exec the last statement and get replaced and nobody will be left to reap our zombies.
+	# Note: selinux in Enforcing mode prevents us from calling clone3() or writing to ns_last_pid on restore; hence set to Permissive for the test and then set back.
+	ssh default 'cd /vagrant/criu; selinuxmode=`getenforce` && sudo setenforce Permissive && unshare -Ucfpm --mount-proc bash -c "./test/zdtm.py run -t zdtm/static/maps00 -f h --rootless && true" && sudo setenforce $selinuxmode'
 }
 
 $1