Add tests for the new CLONE_NNP flag: - nnp_sets_no_new_privs: Verify a child created with CLONE_NNP has no_new_privs set while the parent does not. - nnp_rejects_thread: Verify CLONE_NNP | CLONE_THREAD is rejected with -EINVAL since threads share credentials. - autoreap_no_new_privs_unset: Verify a plain CLONE_AUTOREAP child does not get no_new_privs. Signed-off-by: Christian Brauner --- .../testing/selftests/pidfd/pidfd_autoreap_test.c | 126 +++++++++++++++++++++ 1 file changed, 126 insertions(+) diff --git a/tools/testing/selftests/pidfd/pidfd_autoreap_test.c b/tools/testing/selftests/pidfd/pidfd_autoreap_test.c index e230d2fe4a64..5fb11230fb07 100644 --- a/tools/testing/selftests/pidfd/pidfd_autoreap_test.c +++ b/tools/testing/selftests/pidfd/pidfd_autoreap_test.c @@ -26,6 +26,10 @@ #define CLONE_AUTOREAP 0x400000000ULL #endif +#ifndef CLONE_NNP +#define CLONE_NNP 0x1000000000ULL +#endif + static pid_t create_autoreap_child(int *pidfd) { struct __clone_args args = { @@ -493,4 +497,126 @@ TEST(autoreap_no_inherit) close(pidfd); } +/* + * Test that CLONE_NNP sets no_new_privs on the child. + * The child checks via prctl(PR_GET_NO_NEW_PRIVS) and reports back. + * The parent must NOT have no_new_privs set afterwards. + */ +TEST(nnp_sets_no_new_privs) +{ + struct __clone_args args = { + .flags = CLONE_PIDFD | CLONE_AUTOREAP | CLONE_NNP, + .exit_signal = 0, + }; + struct pidfd_info info = { .mask = PIDFD_INFO_EXIT }; + int pidfd = -1, ret; + struct pollfd pfd; + pid_t pid; + + /* Ensure parent does not already have no_new_privs. */ + ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); + ASSERT_EQ(ret, 0) { + TH_LOG("Parent already has no_new_privs set, cannot run test"); + } + + args.pidfd = ptr_to_u64(&pidfd); + + pid = sys_clone3(&args, sizeof(args)); + if (pid < 0 && errno == EINVAL) + SKIP(return, "CLONE_NNP not supported"); + ASSERT_GE(pid, 0); + + if (pid == 0) { + /* + * Child: check no_new_privs. Exit 0 if set, 1 if not. + */ + ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); + _exit(ret == 1 ? 0 : 1); + } + + ASSERT_GE(pidfd, 0); + + /* Parent must still NOT have no_new_privs. */ + ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); + ASSERT_EQ(ret, 0) { + TH_LOG("Parent got no_new_privs after creating CLONE_NNP child"); + } + + /* Wait for child to exit. */ + pfd.fd = pidfd; + pfd.events = POLLIN; + ret = poll(&pfd, 1, 5000); + ASSERT_EQ(ret, 1); + + /* Verify child exited with 0 (no_new_privs was set). */ + ret = ioctl(pidfd, PIDFD_GET_INFO, &info); + ASSERT_EQ(ret, 0); + ASSERT_TRUE(info.mask & PIDFD_INFO_EXIT); + ASSERT_TRUE(WIFEXITED(info.exit_code)); + ASSERT_EQ(WEXITSTATUS(info.exit_code), 0) { + TH_LOG("Child did not have no_new_privs set"); + } + + close(pidfd); +} + +/* + * Test that CLONE_NNP with CLONE_THREAD fails with EINVAL. + */ +TEST(nnp_rejects_thread) +{ + struct __clone_args args = { + .flags = CLONE_NNP | CLONE_THREAD | + CLONE_SIGHAND | CLONE_VM, + .exit_signal = 0, + }; + pid_t pid; + + pid = sys_clone3(&args, sizeof(args)); + ASSERT_EQ(pid, -1); + ASSERT_EQ(errno, EINVAL); +} + +/* + * Test that a plain CLONE_AUTOREAP child does NOT get no_new_privs. + * Only CLONE_NNP should set it. + */ +TEST(autoreap_no_new_privs_unset) +{ + struct pidfd_info info = { .mask = PIDFD_INFO_EXIT }; + int pidfd = -1, ret; + struct pollfd pfd; + pid_t pid; + + pid = create_autoreap_child(&pidfd); + if (pid < 0 && errno == EINVAL) + SKIP(return, "CLONE_AUTOREAP not supported"); + ASSERT_GE(pid, 0); + + if (pid == 0) { + /* + * Child: check no_new_privs. Exit 0 if NOT set, 1 if set. + */ + ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); + _exit(ret == 0 ? 0 : 1); + } + + ASSERT_GE(pidfd, 0); + + pfd.fd = pidfd; + pfd.events = POLLIN; + ret = poll(&pfd, 1, 5000); + ASSERT_EQ(ret, 1); + + ret = ioctl(pidfd, PIDFD_GET_INFO, &info); + ASSERT_EQ(ret, 0); + ASSERT_TRUE(info.mask & PIDFD_INFO_EXIT); + ASSERT_TRUE(WIFEXITED(info.exit_code)); + ASSERT_EQ(WEXITSTATUS(info.exit_code), 0) { + TH_LOG("Plain autoreap child unexpectedly has no_new_privs"); + } + + close(pidfd); +} + TEST_HARNESS_MAIN -- 2.47.3