From d7da4a69af3cbf9aea97444cee3d8718a1c8eeb9 Mon Sep 17 00:00:00 2001 From: Younes Manton Date: Thu, 2 Feb 2023 09:43:37 -0800 Subject: [PATCH] ci: Add maps00 test in unprivileged mode in user namespace CAP_CHECKPOINT_RESTORE does not give access to /proc/$pid/map_files in user namespaces. In order to test that CRIU in unprivileged mode can dump and restore anonymous shared memory pages we will run the maps00 tests in a user namespace. Signed-off-by: Younes Manton --- scripts/build/Dockerfile.alpine | 4 +++- scripts/ci/run-ci-tests.sh | 15 +++++++++++++++ scripts/ci/vagrant.sh | 5 +++++ 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/scripts/build/Dockerfile.alpine b/scripts/build/Dockerfile.alpine index eced46c22..19b08315f 100644 --- a/scripts/build/Dockerfile.alpine +++ b/scripts/build/Dockerfile.alpine @@ -21,7 +21,9 @@ RUN apk update && apk add \ py3-pip \ py3-protobuf \ python3 \ - sudo + sudo \ + libcap-utils \ + util-linux COPY . /criu WORKDIR /criu diff --git a/scripts/ci/run-ci-tests.sh b/scripts/ci/run-ci-tests.sh index 7b64c6b06..5b9f6d929 100755 --- a/scripts/ci/run-ci-tests.sh +++ b/scripts/ci/run-ci-tests.sh @@ -289,6 +289,21 @@ ip net add test ./test/zdtm.py run -t zdtm/static/env00 -t zdtm/transition/fork -t zdtm/static/ghost_holes00 -t zdtm/static/socket-tcp -t zdtm/static/msgque -k always ./test/crit-recode.py +# Rootless tests +# Check if cap_checkpoint_restore is supported and also if unshare -c is supported. +if capsh --supports=cap_checkpoint_restore && unshare -c /bin/true; then + make -C test/zdtm/ cleanout + rm -rf test/dump + setcap cap_checkpoint_restore,cap_sys_ptrace+eip criu/criu + # Run it as non-root in a user namespace. Since CAP_CHECKPOINT_RESTORE behaves differently in non-user namespaces (e.g. no access to map_files) this tests that we can dump and restore + # under those conditions. Note that the "... && true" part is necessary; we need at least one statement after the tests so that bash can reap zombies in the user namespace, + # otherwise it will exec the last statement and get replaced and nobody will be left to reap our zombies. + sudo --user=#65534 --group=#65534 unshare -Ucfpm --mount-proc -- bash -c "./test/zdtm.py run -t zdtm/static/maps00 -f h --rootless && true" + setcap -r criu/criu +else + echo "Skipping unprivileged mode tests" +fi + # more crit testing make -C test/others/crit run diff --git a/scripts/ci/vagrant.sh b/scripts/ci/vagrant.sh index a3e4b6937..f0996b01d 100755 --- a/scripts/ci/vagrant.sh +++ b/scripts/ci/vagrant.sh @@ -78,6 +78,11 @@ fedora-non-root() { ssh default 'cd /vagrant/criu; criu/criu check --unprivileged; ./test/zdtm.py run -t zdtm/static/env00 -t zdtm/static/pthread00 -f h --rootless' # Run it as root with '--rootless' ssh default 'cd /vagrant/criu; sudo ./test/zdtm.py run -t zdtm/static/env00 -t zdtm/static/pthread00 -f h; sudo chmod 777 test/dump/zdtm/static/{env00,pthread00}; sudo ./test/zdtm.py run -t zdtm/static/env00 -t zdtm/static/pthread00 -f h --rootless' + # Run it as non-root in a user namespace. Since CAP_CHECKPOINT_RESTORE behaves differently in non-user namespaces (e.g. no access to map_files) this tests that we can dump and restore + # under those conditions. Note that the "... && true" part is necessary; we need at least one statement after the tests so that bash can reap zombies in the user namespace, + # otherwise it will exec the last statement and get replaced and nobody will be left to reap our zombies. + # Note: selinux in Enforcing mode prevents us from calling clone3() or writing to ns_last_pid on restore; hence set to Permissive for the test and then set back. + ssh default 'cd /vagrant/criu; selinuxmode=`getenforce` && sudo setenforce Permissive && unshare -Ucfpm --mount-proc bash -c "./test/zdtm.py run -t zdtm/static/maps00 -f h --rootless && true" && sudo setenforce $selinuxmode' } $1