unplugged-system/external/ltp/testcases/kernel/containers/userns/userns01.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (c) Huawei Technologies Co., Ltd., 2015
 * Copyright (C) 2022 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
 */

/*\
 * [Description]
 *
 * Verify that if a user ID has no mapping inside the namespace, user ID and
 * group ID will be the value defined in the file /proc/sys/kernel/overflowuid
 * (defaults to 65534) and /proc/sys/kernel/overflowgid (defaults to 65534). A
 * child process has a full set of permitted and effective capabilities, even
 * though the program was run from an unprivileged account.
 */

#include "tst_test.h"

#ifdef HAVE_LIBCAP
#define _GNU_SOURCE

#include <stdio.h>
#include "common.h"
#include "config.h"
#include <sys/capability.h>

#define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid"
#define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid"

static long overflowuid;
static long overflowgid;

/*
 * child_fn1() - Inside a new user namespace
 */
static int child_fn1(LTP_ATTRIBUTE_UNUSED void *arg)
{
	int uid, gid;
	cap_t caps;
	int i, last_cap;
	cap_flag_value_t flag_val;

	uid = geteuid();
	gid = getegid();

	tst_res(TINFO, "USERNS test is running in a new user namespace.");

	if (uid != overflowuid || gid != overflowgid)
		tst_res(TFAIL, "got unexpected uid=%d gid=%d", uid, gid);
	else
		tst_res(TPASS, "got expected uid and gid");

	caps = cap_get_proc();

	SAFE_FILE_SCANF("/proc/sys/kernel/cap_last_cap", "%d", &last_cap);

	for (i = 0; i <= last_cap; i++) {
		cap_get_flag(caps, i, CAP_EFFECTIVE, &flag_val);
		if (!flag_val)
			break;

		cap_get_flag(caps, i, CAP_PERMITTED, &flag_val);
		if (!flag_val)
			break;
	}

	if (!flag_val)
		tst_res(TFAIL, "unexpected effective/permitted caps at %d", i);
	else
		tst_res(TPASS, "expected capabilities");

	return 0;
}

static void setup(void)
{
	check_newuser();

	SAFE_FILE_SCANF(OVERFLOWUIDPATH, "%ld", &overflowuid);
	SAFE_FILE_SCANF(OVERFLOWGIDPATH, "%ld", &overflowgid);
}

static void run(void)
{
	int pid;

	pid = ltp_clone_quick(CLONE_NEWUSER | SIGCHLD, child_fn1, NULL);
	if (pid < 0)
		tst_brk(TBROK | TTERRNO, "clone failed");
}

static struct tst_test test = {
	.setup = setup,
	.test_all = run,
	.needs_root = 1,
	.caps = (struct tst_cap []) {
		TST_CAP(TST_CAP_DROP, CAP_NET_RAW),
		{}
	},
	.needs_kconfigs = (const char *[]) {
		"CONFIG_USER_NS",
		NULL,
	},
};

#else
TST_TEST_TCONF("System is missing libcap");
#endif
Initial commit: AOSP 14 with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00			`// SPDX-License-Identifier: GPL-2.0-or-later`
			`/*`
			`* Copyright (c) Huawei Technologies Co., Ltd., 2015`
			`* Copyright (C) 2022 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>`
			`*/`

			`/*\`
			`* [Description]`
			`*`
			`* Verify that if a user ID has no mapping inside the namespace, user ID and`
			`* group ID will be the value defined in the file /proc/sys/kernel/overflowuid`
			`* (defaults to 65534) and /proc/sys/kernel/overflowgid (defaults to 65534). A`
			`* child process has a full set of permitted and effective capabilities, even`
			`* though the program was run from an unprivileged account.`
			`*/`

			`#include "tst_test.h"`

			`#ifdef HAVE_LIBCAP`
			`#define _GNU_SOURCE`

			`#include <stdio.h>`
			`#include "common.h"`
			`#include "config.h"`
			`#include <sys/capability.h>`

			`#define OVERFLOWUIDPATH "/proc/sys/kernel/overflowuid"`
			`#define OVERFLOWGIDPATH "/proc/sys/kernel/overflowgid"`

			`static long overflowuid;`
			`static long overflowgid;`

			`/*`
			`* child_fn1() - Inside a new user namespace`
			`*/`
			`static int child_fn1(LTP_ATTRIBUTE_UNUSED void *arg)`
			`{`
			`int uid, gid;`
			`cap_t caps;`
			`int i, last_cap;`
			`cap_flag_value_t flag_val;`

			`uid = geteuid();`
			`gid = getegid();`

			`tst_res(TINFO, "USERNS test is running in a new user namespace.");`

			`if (uid != overflowuid \|\| gid != overflowgid)`
			`tst_res(TFAIL, "got unexpected uid=%d gid=%d", uid, gid);`
			`else`
			`tst_res(TPASS, "got expected uid and gid");`

			`caps = cap_get_proc();`

			`SAFE_FILE_SCANF("/proc/sys/kernel/cap_last_cap", "%d", &last_cap);`

			`for (i = 0; i <= last_cap; i++) {`
			`cap_get_flag(caps, i, CAP_EFFECTIVE, &flag_val);`
			`if (!flag_val)`
			`break;`

			`cap_get_flag(caps, i, CAP_PERMITTED, &flag_val);`
			`if (!flag_val)`
			`break;`
			`}`

			`if (!flag_val)`
			`tst_res(TFAIL, "unexpected effective/permitted caps at %d", i);`
			`else`
			`tst_res(TPASS, "expected capabilities");`

			`return 0;`
			`}`

			`static void setup(void)`
			`{`
			`check_newuser();`

			`SAFE_FILE_SCANF(OVERFLOWUIDPATH, "%ld", &overflowuid);`
			`SAFE_FILE_SCANF(OVERFLOWGIDPATH, "%ld", &overflowgid);`
			`}`

			`static void run(void)`
			`{`
			`int pid;`

			`pid = ltp_clone_quick(CLONE_NEWUSER \| SIGCHLD, child_fn1, NULL);`
			`if (pid < 0)`
			`tst_brk(TBROK \| TTERRNO, "clone failed");`
			`}`

			`static struct tst_test test = {`
			`.setup = setup,`
			`.test_all = run,`
			`.needs_root = 1,`
			`.caps = (struct tst_cap []) {`
			`TST_CAP(TST_CAP_DROP, CAP_NET_RAW),`
			`{}`
			`},`
			`.needs_kconfigs = (const char *[]) {`
			`"CONFIG_USER_NS",`
			`NULL,`
			`},`
			`};`

			`#else`
			`TST_TEST_TCONF("System is missing libcap");`
			`#endif`