33 Commits

Author SHA1 Message Date
Simon Chopin
59e0441d4a tests: gracefully handle AppArmor userns containment
Recent AppArmor containment allows restricting unprivileged user
namespaces, which is enabled by default on recent Ubuntu systems.
When this happens, as is common with Linux Security Modules, the syscall
will fail with -EACCES.

When that happens, the affected tests will now be considered unsupported
rather than simply failing.

Further information:

* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
* https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html (for
  the return code)

V2:
* Fix duplicated line in check_unshare_hints
* Also handle similar failure in tst-pidfd_getpid

V3:
* Comment formatting
* Added some more documentation on syscall return value

Signed-off-by: Simon Chopin <simon.chopin@canonical.com>
2024-02-23 08:50:00 -03:00
Paul Eggert
dff8da6b3e Update copyright dates with scripts/update-copyrights 2024-01-01 10:53:40 -08:00
Adhemerval Zanella
aea4ddb871 test-container: Use nftw instead of rm -rf
If the binary to run is 'env', test-containers skips it and adds
any required environment variable on the process envs variables.
This simplifies the required code to spawn new process (no need
to build an env-like program).

However, this is an issue for recursive_remove if there is any
LD_PRELOAD, since test-container will not prepend the loader command
along with required paths.  If the required preloaded library can
not be loaded by the system glibc, the 'post-clean rsync' will
eventually fail.

One example is if system glibc does not support DT_RELR and the
built glibc does, the nss/tst-nss-gai-hv2-canonname test fails
with:

../scripts/evaluate-test.sh nss/tst-nss-gai-hv2-canonname $? false false
86_64-linux-gnu/nss/tst-nss-gai-hv2-canonname.test-result
rm: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_ABI_DT_RELR' not
found (required by x86_64-linux-gnu/malloc/libc_malloc_debug.so)

Instead of trying to figure out the required loader arguments on how
to spawn the 'rm -rf', replace the command with a nftw call.

Checked on x86_64-linux-gnu.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Stefan Liebler <stli@linux.ibm.com>
2023-09-28 09:41:05 -03:00
Frédéric Bérat
20b6b8e8a5 tests: replace read by xread
With fortification enabled, read calls return result needs to be checked,
as it gets the __wur macro enabled.

Note on read call removal from  sysdeps/pthread/tst-cancel20.c and
sysdeps/pthread/tst-cancel21.c:
It is assumed that this second read call was there to overcome the race
condition between pipe closure and thread cancellation that could happen
in the original code. Since this race condition got fixed by
d0e3ffb7a5 the second call seems
superfluous. Hence, instead of checking for the return value of read, it
looks reasonable to simply remove it.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-19 09:14:56 -04:00
Paul Pluzhnikov
7f0d9e61f4 Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
Frédéric Bérat
29e25f6f13 tests: fix warn unused results
With fortification enabled, few function calls return result need to be
checked, as they get the __wur macro enabled.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-01 13:01:32 -04:00
Frédéric Bérat
026a84a54d tests: replace write by xwrite
Using write without checks leads to warn unused result when __wur is
enabled.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-01 12:40:05 -04:00
Andreas Schwab
3bfdc4e2bc support: use 64-bit time_t (bug 30111)
Ensure to use 64-bit time_t in the test infrastructure.
2023-03-02 13:01:32 +01:00
Joseph Myers
6d7e8eda9b Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
Xi Ruoyao
bd0b58837c test-container: return UNSUPPORTED for ENOSPC on clone()
Since Linux 4.9, the kernel provides
/proc/sys/user/max_{mnt,pid,user}_namespace as a limitation of number of
namespaces.  Some distros (for example, Slint Linux 14.2.1) set them (or
only max_user_namespace) to zero as a "security policy" for disabling
namespaces.

The clone() call will set errno to ENOSPC under such a limitation.  We
didn't check ENOSPC in the code so the test will FAIL, and report:

    unable to unshare user/fs: No space left on device

This message is, unfortunately, very unhelpful.  It leads people to
check the memory or disk space, instead of finding the real issue.

To improve the situation, we should check for ENOSPC and return
UNSUPPORTED as the test result.  Also refactor check_for_unshare_hints()
to emit a proper message telling people how to make the test work, if
they really need to run the namespaced tests.

Reported-by: Philippe Delavalade <philippe.delavalade@orange.fr>
URL: https://lists.linuxfromscratch.org/sympa/arc/lfs-support/2022-06/msg00022.html
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-07-05 22:34:51 -04:00
DJ Delorie
d2263bf50a test-container: Fix "unused code" warnings on HURD
Comment out bits of code that are only used when we *have* pid
namespaces, to avoid "unused code" warnings.

Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

Message-Id: <xno817tnds.fsf@greed.delorie.com>
2022-04-12 01:28:41 +02:00
DJ Delorie
2fe64148a8 Allow for unprivileged nested containers
If the build itself is run in a container, we may not be able to
fully set up a nested container for test-container testing.
Notably is the mounting of /proc, since it's critical that it
be mounted from within the same PID namespace as its users, and
thus cannot be bind mounted from outside the container like other
mounts.

This patch defaults to using the parent's PID namespace instead of
creating a new one, as this is more likely to be allowed.

If the test needs an isolated PID namespace, it should add the "pidns"
command to its init script.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2022-04-04 14:17:08 -04:00
Paul Eggert
581c785bf3 Update copyright dates with scripts/update-copyrights
I used these shell commands:

../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")

and then ignored the output, which consisted of lines saying "FOO: warning:
copyright statement not found" for each of 7061 files FOO.

I then removed trailing white space from math/tgmath.h,
support/tst-support-open-dev-null-range.c, and
sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following
obscure pre-commit check failure diagnostics from Savannah.  I don't
know why I run into these diagnostics whereas others evidently do not.

remote: *** 912-#endif
remote: *** 913:
remote: *** 914-
remote: *** error: lines with trailing whitespace found
...
remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2022-01-01 11:40:24 -08:00
DJ Delorie
20bee71348 test-container: Always copy test-specific support files [BZ #27537]
There's a small chance that a fresh checkout will result in some of
the test-specific container files having the same timestamp and
size, which breaks the rsync logic in test-container, resulting in
tests running with the wrong support files.

This patch changes the rsync logic to always copy the test-specific
files, which normally would always be copied anyway.  The rsync logic
for the testroot itself is unchanged.
2021-03-11 17:04:12 -05:00
Adhemerval Zanella
a50a080f6b elf: Fix tests that rely on ld.so.cache for cross-compiling
For configurations with cross-compiling equal to 'maybe' or 'no',
ldconfig will not run and thus the ld.so.cache will not be created
on the container testroot.pristine.

This led to failures on both tst-glibc-hwcaps-prepend-cache and
tst-ldconfig-ld_so_conf-update on environments where the same
compiler can be used to build different ABIs (powerpc and x86 for
instance).

This patch adds a new test-container hook, ldconfig.run, that
triggers a ldconfig execution prior to the test execution.

Checked on x86_64-linux-gnu and i686-linux-gnu.
2021-01-29 14:08:18 -03:00
Paul Eggert
2b778ceb40 Update copyright dates with scripts/update-copyrights
I used these shell commands:

../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")

and then ignored the output, which consisted of lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
2021-01-02 12:17:34 -08:00
Girish Joshi
9e2dc874e6 build: Use FAIL_EXIT1 () on failure to exec child [BZ #23990]
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2020-05-29 10:15:26 -03:00
Carlos O'Donell
183083c359 support: Set errno before testing it.
In test-container we should set errno to 0 before calling strtol,
and check after with TEST_COMPARE.

In tst-support_capture_subprocess we should set errno to 0 before
checking it after the call to strtol.

Tested on x86_64.

Reviewed-by: DJ Delorie <dj@redhat.com>
2020-04-30 16:28:07 -04:00
Carlos O'Donell
033362cfd7 test-container: Support $(complocaledir) and mkdirp.
Expand the support infrastructure:
- Create $(complocaledir) in the testroot.pristine to support localedef.
- Add the variable $complocaledir to script support.
- Add the script command 'mkdirp'.

All localedef tests which run with default paths need to have the
$(complocaledir) created in testroot.pristine. The localedef binary
will not by itself create the default path, but it will write into
the path. By adding this we can simplify the localedef tests.

The variable $complocaledir is the value of the configured
$(complocaledir) which is the location of the compiled locales that
will be searched by the runtime by default.

The command mkdirp will be available in script setup and will
be equivalent to running `mkdir -p`.

The variable and command can be used to write more complex tests.

Reviewed-by: DJ Delorie <dj@redhat.com>
2020-04-30 16:28:07 -04:00
Michael Hudson-Doyle
083d644d42 test-container: print errno when execvp fails
I'm debugging a situation where lots of tests using test-container fail
and it's possible knowing errno would help understand why.

Reviewed-by: DJ Delorie <dj@redhat.com>
2020-03-11 16:00:58 -04:00
DJ Delorie
4f79b3e2fb test-container: add exec, cwd
exec <path_to_test_binary> [optional_argv_0]

  copies test binary to specified location and runs it from
  there.  If the second argument is provided, that will
  be used for argv[0]

cwd <directory>

  attempts to chdir(directory) before running test

Note: "cwd" not "cd" as it takes effect just before the
test binary runs, not when it's encountered in the script,
so it can't be used as a path shortcut like "cd" would imply.

cleanup: use xstrdup() instead of strdup()

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2020-02-03 14:49:25 -05:00
Joseph Myers
d614a75396 Update copyright dates with scripts/update-copyrights. 2020-01-01 00:14:33 +00:00
DJ Delorie
4052fa22f6 Add wait-for-debugger test harness hooks
If WAIT_FOR_DEBUGGER is set to a non-zero value in the environment,
any test that runs will print some useful gdb information and wait
for gdb to attach to it and clear the "wait_for_debugger" variable.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2019-10-24 16:32:32 -04:00
Paul Eggert
5a82c74822 Prefer https to http for gnu.org and fsf.org URLs
Also, change sources.redhat.com to sourceware.org.
This patch was automatically generated by running the following shell
script, which uses GNU sed, and which avoids modifying files imported
from upstream:

sed -ri '
  s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g
  s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g
' \
  $(find $(git ls-files) -prune -type f \
      ! -name '*.po' \
      ! -name 'ChangeLog*' \
      ! -path COPYING ! -path COPYING.LIB \
      ! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \
      ! -path manual/texinfo.tex ! -path scripts/config.guess \
      ! -path scripts/config.sub ! -path scripts/install-sh \
      ! -path scripts/mkinstalldirs ! -path scripts/move-if-change \
      ! -path INSTALL ! -path  locale/programs/charmap-kw.h \
      ! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \
      ! '(' -name configure \
            -execdir test -f configure.ac -o -f configure.in ';' ')' \
      ! '(' -name preconfigure \
            -execdir test -f preconfigure.ac ';' ')' \
      -print)

and then by running 'make dist-prepare' to regenerate files built
from the altered files, and then executing the following to cleanup:

  chmod a+x sysdeps/unix/sysv/linux/riscv/configure
  # Omit irrelevant whitespace and comment-only changes,
  # perhaps from a slightly-different Autoconf version.
  git checkout -f \
    sysdeps/csky/configure \
    sysdeps/hppa/configure \
    sysdeps/riscv/configure \
    sysdeps/unix/sysv/linux/csky/configure
  # Omit changes that caused a pre-commit check to fail like this:
  # remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines
  git checkout -f \
    sysdeps/powerpc/powerpc64/ppc-mcount.S \
    sysdeps/unix/sysv/linux/s390/s390-64/syscall.S
  # Omit change that caused a pre-commit check to fail like this:
  # remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline
  git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-09-07 02:43:31 -07:00
Joseph Myers
86140c6223 Avoid fall-through in test-container if execlp fails.
One of the implicit-fallthrough warnings from compiling glibc with
-Wextra appears to indicate an actual bug: the test-container code
could fall through inappropriately if execlp returns (which only
occurs on error).  This patch adds appropriate error handling in this
case to avoid that fall-through.

Tested for x86_64.

	* support/test-container.c (recursive_remove): Use FAIL_EXIT1 if
	execlp returns.
2019-02-13 13:34:24 +00:00
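
The fall-through described in commit 86140c6223, reproduced as an added example (this is not glibc's recursive_remove; spawn_and_wait, count_continuations and the helper path are constructed for illustration). It counts how many processes run the parent-only code after a failed execlp, with and without the check:

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn PROG and wait for it.  With FIXED == 0 a failed execlp falls
   through into the parent's branch (the bug class described above);
   with FIXED != 0 the child exits at once.  Every process that reaches
   the code after the switch writes one byte to MARK_FD.  */
static void spawn_and_wait (const char *prog, int fixed, int mark_fd)
{
  pid_t pid = fork ();
  switch (pid)
    {
    case -1:
      perror ("fork");
      exit (1);
    case 0:
      execlp (prog, prog, (char *) NULL);
      if (fixed)                /* execlp returns only on error */
        {
          perror (prog);
          _exit (1);
        }
      /* fall through */
    default:
      waitpid (pid, NULL, 0);   /* in the stray child, pid is 0 */
      break;
    }
  /* Work meant for the parent only, such as cleanup.  */
  if (write (mark_fd, "x", 1) != 1)
    perror ("write");
  if (pid == 0)
    _exit (0);                  /* keep the stray child contained */
}

/* Return how many processes ran the parent-only code.  */
int count_continuations (int fixed)
{
  int fds[2];
  char buf[8];
  int n = 0;
  ssize_t r;
  if (pipe (fds) != 0)
    return -1;
  /* Constructed path that does not exist, so execlp fails.  */
  spawn_and_wait ("/nonexistent/constructed-helper", fixed, fds[1]);
  close (fds[1]);
  while ((r = read (fds[0], buf, sizeof buf)) > 0)
    n += (int) r;
  close (fds[0]);
  return n;
}

int main (void)
{
  printf ("without the check: %d, with it: %d\n",
          count_continuations (0), count_continuations (1));
  return 0;
}
```
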
Joseph Myers
04277e02d7 Update copyright dates with scripts/update-copyrights.
* All files with FSF copyright notices: Update copyright dates
	using scripts/update-copyrights.
	* locale/programs/charmap-kw.h: Regenerated.
	* locale/programs/locfile-kw.h: Likewise.
2019-01-01 00:11:28 +00:00
DJ Delorie
304c61a24f test-container: move postclean outside of namespace changes
During postclean.req testing it was found that the fork in the
parent process (after the unshare syscall) would fail with ENOMEM
(see recursive_remove() in test-container.c).  While failing with
ENOMEM is certainly unexpected, it is simply easier to refactor
the design and have the parent remain outside of the namespace.
This change moves the postclean.req processing to a distinct
process (the parent) that then forks the test process (which will
have to fork once more to complete uid/gid transitions). When the
test process exits the cleanup process will ensure all files are
deleted when a post clean is requested.

Signed-off-by: DJ Delorie <dj@redhat.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>

[BZ #23948]
* support/test-container.c: Move postclean step to before we
change namespaces.
2018-12-10 22:37:58 -05:00
DJ Delorie
b2e93de0ff test-container: add "su" command to run test as root, add unshare hints
* support/test-container.c (check_for_unshare_hints): New.
(main): Call it if unshare fails.  Add support for "su" scriptlet
command.
2018-12-04 00:03:12 -05:00
Florian Weimer
599f7beee7 support/test-container.c: Include <libc-pointer-arith.h>
Reviewed-by: DJ Delorie <dj@redhat.com>
2018-11-02 18:14:58 +01:00
Stefan Liebler
e7624d708d Adjust name of ld.so in test-container.c.
The test-container.c file assumes that ld.so is always named
something like /elf/ld-linux-*.
But e.g. on s390x it is named ld64.so.1 or ld.so.1 on s390.
There are other architectures like power or mips with similar names.

This patch introduces the new global variable support_objdir_elf_ldso
which contains the absolute path to the runtime linker used by the
testsuite, e.g. OBJDIR_PATH/elf/ld-linux-x86-64.so.2.
The check in test-container.c is now comparing against this path.
Without this patch, test-container.c is searching invalid files / directories
and fails to find glibc/nss/tst-nss-test3.root/tst-nss-test3.script.
Then the test tst-nss-test3 fails!

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

ChangeLog:

	* support/support.h (support_objdir_elf_ldso): New variable.
	* support/support_paths.c (support_objdir_elf_ldso): Likewise.
	* support/Makefile (CFLAGS-support_paths.c): Add definition
	for OBJDIR_ELF_LDSO_PATH.
	* support/test-container.c (main): Search for the ld.so
	which is also used by the testsuite.
2018-10-04 13:07:29 +02:00
H.J. Lu
81b9d87bae test-container: Use xcopy_file_range for cross-device copy [BZ #23597]
copy_file_range can't be used to copy a file from glibc source directory
to glibc build directory since they may be on different filesystems.
This patch adds xcopy_file_range for cross-device copy.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

	[BZ #23597]
	* support/Makefile (libsupport-routines): Add
	support_copy_file_range and xcopy_file_range.
	* support/support.h: Include <sys/types.h>.
	(support_copy_file_range): New prototype.
	* support/support_copy_file_range.c: New file.  Copied and
	modified from io/copy_file_range-compat.c.
	* support/test-container.c (copy_one_file): Call xcopy_file_range
	instead of copy_file_range.
	* support/xcopy_file_range.c: New file.
	* support/xunistd.h (xcopy_file_range): New prototype.
2018-08-31 13:08:02 -07:00
Florian Weimer
d6c44c3d0c test-container: EPERM from unshare is UNSUPPORTED
For example, the security policy on the Fedora build daemons results in
this EPERM error.
2018-08-28 14:02:47 +02:00
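
Commits 59e0441d4a (EACCES from AppArmor), bd0b58837c (ENOSPC from namespace limits) and d6c44c3d0c (EPERM from security policy) apply one rule: a namespace call refused by policy makes the test UNSUPPORTED instead of FAIL. The C program below is an added example of that rule, not glibc's test-container code; the enum, the function names and the hint strings are assumptions made for illustration.

```c
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWNS */
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Names constructed for this example; 77 is the usual "skipped" status.  */
enum verdict { V_PASS = 0, V_FAIL = 1, V_UNSUPPORTED = 77 };

/* Map the errno from unshare/clone to a verdict.  *HINT names the
   policy that most likely refused the call, or is NULL.  */
enum verdict classify_unshare_errno (int err, const char **hint)
{
  *hint = NULL;
  switch (err)
    {
    case 0:
      return V_PASS;
    case EPERM:   /* security policy denial */
      *hint = "unprivileged user namespaces are disabled by policy";
      return V_UNSUPPORTED;
    case EACCES:  /* LSM denial, e.g. AppArmor userns restriction */
      *hint = "see kernel.apparmor_restrict_unprivileged_userns";
      return V_UNSUPPORTED;
    case ENOSPC:  /* namespace limit reached, possibly set to 0 */
      *hint = "see /proc/sys/user/max_user_namespaces";
      return V_UNSUPPORTED;
    default:      /* anything else is a real failure */
      return V_FAIL;
    }
}

/* Try the unshare in a throwaway child so the caller keeps its
   namespaces.  Returns the child's errno (0 on success) or -1 if the
   probe could not run.  The raw syscall avoids feature-test macros.  */
int probe_unshare_errno (void)
{
  pid_t pid = fork ();
  if (pid < 0)
    return -1;
  if (pid == 0)
    {
      long r = syscall (SYS_unshare, CLONE_NEWUSER | CLONE_NEWNS);
      _exit (r == 0 ? 0 : errno);   /* these errno values fit in 8 bits */
    }
  int status;
  if (waitpid (pid, &status, 0) != pid || !WIFEXITED (status))
    return -1;
  return WEXITSTATUS (status);
}

int main (void)
{
  const char *hint;
  int err = probe_unshare_errno ();
  enum verdict v = classify_unshare_errno (err, &hint);
  printf ("errno=%d verdict=%d %s\n", err, (int) v, hint ? hint : "");
  return v;
}
```
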
DJ Delorie
561b0bec44 Add test-in-container infrastructure.
* Makefile (testroot.pristine): New rules to initialize the
test-in-container "testroot".
* Makerules (all-testsuite): Add tests-container.
* Rules (tests-expected): Add tests-container.
(binaries-all-tests): Likewise.
(tests-container): New, run these tests in the testroot container.
* support/Makefile (others): Add *-container, support_paths.c,
xmkdirp, and links-dso-program.
* support/links-dso-program-c.c: New.
* support/links-dso-program.cc: New.
* support/test-container.c: New.
* support/shell-container.c: New.
* support/echo-container.c: New.
* support/true-container.c: New.
* support/xmkdirp.c: New.
* support/xsymlink.c: New.
* support/support_paths.c: New.
* support/support.h: Add support paths prototypes.
* support/xunistd.h: Add xmkdirp () and xsymlink ().

* nss/tst-nss-test3.c: Convert to test-in-container.
* nss/tst-nss-test3.root/: New.
2018-08-22 21:20:37 -04:00