canonical-ubuntu-qa team mailing list archive
Message #01223
[Bug 2031394] Re: unprivileged user namespace related tests failing with J-oem-6.5
should be fixed now
** Changed in: linux-oem-6.5 (Ubuntu Jammy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Canonical
Platform QA Team, which is subscribed to ubuntu-kernel-tests.
https://bugs.launchpad.net/bugs/2031394
Title:
unprivileged user namespace related tests failing with J-oem-6.5
Status in ubuntu-kernel-tests:
New
Status in linux-oem-6.5 package in Ubuntu:
Invalid
Status in linux-oem-6.5 source package in Jammy:
Fix Released
Bug description:
unprivileged user namespace related tests are failing with J-oem-6.5,
they are:
* ubuntu_ltp_cve/cve-2018-18955
INFO: Test start time: Mon Aug 14 08:30:27 UTC 2023
COMMAND: /opt/ltp/bin/ltp-pan -q -e -S -a 231139 -n 231139 -f /tmp/ltp-fnuZJn5kfn/alltests -l /dev/null -C /dev/null -T /dev/null
LOG File: /dev/null
FAILED COMMAND File: /dev/null
TCONF COMMAND File: /dev/null
Running tests.......
tst_kconfig.c:87: TINFO: Parsing kernel config '/lib/modules/6.5.0-1002-oem/build/.config'
tst_test.c:1558: TINFO: Timeout per run is 0h 00m 30s
userns08.c:38: TBROK: clone3 failed: EACCES (13)
Summary:
passed 0
failed 0
broken 1
skipped 0
warnings 0
INFO: ltp-pan reported some tests FAIL
* ubuntu_ltp_stable/containers/userns08
(same test as ubuntu_ltp_cve/cve-2018-18955)
* ubuntu_lxc/lxc-test-usernsexec
Running '/tmp/lxc-pkg-ubuntu/src/tests/lxc-test-usernsexec'
as test-userns executing /tmp/lxc-pkg-ubuntu/src/tests/lxc-test-usernsexec
uid=1001 gid=1001 name=test-userns subuid=165536 subgid=165536 ver=1:5.0.0~git2209-g5a7b9ce67-0ubuntu1
lxc-utils=1:5.0.0~git2209-g5a7b9ce67-0ubuntu1 kver=6.5.0-1002-oem
USERNSEXEC=lxc-usernsexec
nouidgid: FAIL - runtest failed 1
$ lxc-usernsexec -- /tmp/lxc-pkg-ubuntu/src/tests/lxc-test-usernsexec inside f0
cmd/lxc_usernsexec.c: 407: main - Permission denied - Failed to unshare mount and user namespace
cmd/lxc_usernsexec.c: 452: main - Success - Failed to read from pipe file descriptor 3
kid 99005 is gone 1
myuidgid: FAIL - runtest failed 1
$ lxc-usernsexec -mu:0:1001:1 -mg:0:1001:1 -- /tmp/lxc-pkg-ubuntu/src/tests/lxc-test-usernsexec inside f0
cmd/lxc_usernsexec.c: 407: main - Permission denied - Failed to unshare mount and user namespace
cmd/lxc_usernsexec.c: 452: main - Inappropriate ioctl for device - Failed to read from pipe file descriptor 3
kid 99015 is gone 1
subuidgid: FAIL - runtest failed 1
$ lxc-usernsexec -mu:0:165536:1 -mg:0:165536:1 -- /tmp/lxc-pkg-ubuntu/src/tests/lxc-test-usernsexec inside f0:0:0
cmd/lxc_usernsexec.c: 407: main - Permission denied - Failed to unshare mount and user namespace
cmd/lxc_usernsexec.c: 452: main - Inappropriate ioctl for device - Failed to read from pipe file descriptor 3
kid 99025 is gone 1
bothsets: FAIL - runtest failed 1
$ lxc-usernsexec -mu:0:1001:1 -mg:0:1001:1 -mu:1:165536:1 -mg:1:165536:1 -- /tmp/lxc-pkg-ubuntu/src/tests/lxc-test-usernsexec inside f0 f1:1:1 f2::1
cmd/lxc_usernsexec.c: 407: main - Permission denied - Failed to unshare mount and user namespace
cmd/lxc_usernsexec.c: 452: main - Inappropriate ioctl for device - Failed to read from pipe file descriptor 3
kid 99035 is gone 1
mismatch: FAIL - runtest failed 1
$ lxc-usernsexec -mu:0:1001:1 -mg:0:165536:1 -mu:15:165536:1 -mg:31:1001:1 -- /tmp/lxc-pkg-ubuntu/src/tests/lxc-test-usernsexec inside f0 f1:15:31
cmd/lxc_usernsexec.c: 407: main - Permission denied - Failed to unshare mount and user namespace
cmd/lxc_usernsexec.c: 452: main - Inappropriate ioctl for device - Failed to read from pipe file descriptor 3
kid 99045 is gone 1
ERRORS: nouidgid myuidgid subuidgid bothsets mismatch
Kernel config CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS is the key in
this case. If it's disabled, the unprivileged user namespace
restrictions will be disabled.
Reference:
* https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
* https://discourse.ubuntu.com/t/mantic-minotaur-release-notes/35534
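Added example (not part of the bug report, LTP or LXC): a shell triage helper that looks for the two user-namespace denial lines quoted in the report and relates them to CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS. The function names, the result strings and the treatment of the kernel.apparmor_restrict_unprivileged_userns sysctl as a runtime off switch are assumptions of this example.

```shell
#!/bin/sh
# Added triage sketch; names and result strings are hypothetical.

# kconfig_value FILE SYMBOL
# Print the value of a Kconfig symbol from a kernel .config.
# "# SYMBOL is not set" or a missing symbol is reported as "n".
kconfig_value() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# has_userns_denial LOG
# Succeed if LOG contains one of the failure lines quoted in the report:
# the LTP userns08 clone3 EACCES or the lxc-usernsexec unshare denial.
has_userns_denial() {
    grep -Eq 'clone3 failed: EACCES|Permission denied - Failed to unshare mount and user namespace' "$1"
}

# triage LOG KERNEL_CONFIG SYSCTL_VALUE
# SYSCTL_VALUE is the content of
# /proc/sys/kernel/apparmor_restrict_unprivileged_userns, or "" if unknown.
# Assumption: the restriction applies when the option is built in (=y)
# and the sysctl has not been set to 0 at runtime.
triage() {
    has_userns_denial "$1" || { echo no-denial; return 0; }
    cfg=$(kconfig_value "$2" CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS)
    if [ "$cfg" = y ] && [ "$3" != 0 ]; then
        echo restriction-active   # denial is explained by the AppArmor restriction
    else
        echo restriction-off      # denial has some other cause
    fi
}

# Constructed sample: one log line copied from the report, config line made up.
tmp=$(mktemp -d)
printf '%s\n' 'userns08.c:38: TBROK: clone3 failed: EACCES (13)' > "$tmp/ltp.log"
printf '%s\n' 'CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS=y' > "$tmp/config"
triage "$tmp/ltp.log" "$tmp/config" 1
rm -rf "$tmp"
```

On a real host, pass the saved test log, /lib/modules/$(uname -r)/build/.config (the file LTP parsed in the log above) and the sysctl file's content as the three arguments.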