GNU bug report logs - #24108
CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels


Package: guix;

Reported by: sapientech <at> openmailbox.org

Date: Fri, 29 Jul 2016 23:51:01 UTC

Severity: normal

Tags: notabug

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: ludo <at> gnu.org (Ludovic Courtès)
To: Dylan Jeffers <sapientech <at> openmailbox.org>
Cc: 24108 <at> debbugs.gnu.org
Subject: bug#24108: guix make tests failure
Date: Sat, 30 Jul 2016 23:31:54 +0200

Dylan Jeffers <sapientech <at> openmailbox.org> writes:

> On Sat, 30 Jul 2016 15:07:25 +0200
> ludo <at> gnu.org (Ludovic Courtès) wrote:

[...]

>> > test-name: clone
>> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
>> > source:
>> > + (test-assert
>> > +   "clone"
>> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
>> > +          (0 (primitive-exit 42))
>> > +          (pid (and (not (equal?
>> > +                           (readlink (user-namespace pid))
>> > +                           (readlink (user-namespace (getpid)))))
>> > +                    (match (waitpid pid)
>> > +                           ((_ . status) (= 42 (status:exit-val status))))))))
>> > actual-value: #f
>> > actual-error:
>> > + (system-error
>> > +   "clone"
>> > +   "~d: ~A"
>> > +   (268435473 "Operation not permitted")
>> > +   (1))
>> > result: FAIL  
>> 
>> What does “uname -srv” report on this machine?  It seems this kernel
>> does not support namespaces.
>> 
>> Thanks,
>> Ludo’.
>
> Hi Ludo,
>
> Thanks for getting back so quick.
> Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> PREEMPT Wed Jul 20 15:37:34 UYT 2016

These tests are skipped when user namespaces are not supported, as per
this condition:

  (define perform-container-tests?
    (and (user-namespace-supported?)
         (unprivileged-user-namespace-supported?)))

… which is true iff (1) /proc/self/ns/user exists, and (2)
/proc/sys/kernel/unprivileged_userns_clone does not exist, or it exists
and contains “1”.

Do these files exist on this system?

Maybe we should just ignore EPERM from (clone CLONE_NEWUSER) but it’s
annoying to annotate every single test that uses it.

From a user viewpoint, this test failure simply means that you cannot use
the ‘--container’ option of ‘guix environment’ on your system.

Thanks,
Ludo’.
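
The following shell sketch is an added example, not part of the original message or of Guix's code. It mirrors the two file checks quoted above and compares them with an actual attempt to create a user namespace, so that the case in this report's title (the files indicate support, the kernel refuses) shows up as "mismatch". It assumes util-linux `unshare` is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The /proc root is a parameter so the file logic can be
# exercised against a constructed directory tree.

# Static predicate, as described in the message: (1) <proc>/self/ns/user
# exists, and (2) <proc>/sys/kernel/unprivileged_userns_clone does not
# exist, or it exists and contains "1".
userns_files_say_supported() {
    proc=${1:-/proc}
    [ -e "$proc/self/ns/user" ] || return 1
    knob="$proc/sys/kernel/unprivileged_userns_clone"
    [ -e "$knob" ] || return 0
    [ "$(cat "$knob" 2>/dev/null)" = "1" ]
}

# Runtime probe: ask the kernel for a new user namespace via unshare(1).
# Returns 0 if it worked, 1 if it was refused (for example with EPERM),
# 2 if the unshare command is not available.
userns_probe() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare --user true 2>/dev/null || return 1
}

# Combine both checks; prints one of: run, skip, mismatch, unknown.
userns_verdict() {
    if ! userns_files_say_supported "${1:-/proc}"; then
        echo skip
        return 0
    fi
    rc=0
    userns_probe || rc=$?
    case $rc in
        0) echo run ;;
        1) echo mismatch ;;  # files say yes, kernel says no
        *) echo unknown ;;
    esac
}

echo "static check: $(userns_files_say_supported && echo supported || echo unsupported)"
echo "verdict:      $(userns_verdict)"
```

A "mismatch" verdict means the static condition would let the container tests run even though creating the namespace fails.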




This bug report was last modified 5 years and 30 days ago.
