Merge pull request #32945 from bluca/lxc_network_test

Fix tests and services with PrivateNetwork=yes running under LXC with AppArmor

Author: bluca

src/basic/lock-util.c

@@ -139,7 +139,14 @@ static int fcntl_lock(int fd, int operation, bool ofd) {
                 .l_len = 0,
         }));
 
-        if (r == -EACCES) /* Treat EACCESS/EAGAIN the same as per man page. */
+        /* If we are doing non-blocking operations, treat EACCES/EAGAIN the same as per man page. But if
+         * not, propagate EACCES back, as it will likely be due to an LSM denying the operation (for example
+         * LXC with AppArmor when running on kernel < 6.2), and in some cases we want to gracefully
+         * fallback (e.g.: PrivateNetwork=yes). As per documentation, it's only the non-blocking operation
+         * F_SETLK that might return EACCES on some platforms (although the Linux implementation doesn't
+         * seem to), as F_SETLKW and F_OFD_SETLKW block so this is not an issue, and F_OFD_SETLK is documented
+         * to only return EAGAIN if the lock is already held. */
+        if ((operation & LOCK_NB) && r == -EACCES)
                 r = -EAGAIN;
 
         return r;

src/test/test-namespace.c

@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include <fcntl.h>
+#include <sysexits.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 
@@ -84,6 +85,7 @@ TEST(tmpdir) {
 
 static void test_shareable_ns(unsigned long nsflag) {
         _cleanup_close_pair_ int s[2] = EBADF_PAIR;
+        bool permission_denied = false;
         pid_t pid1, pid2, pid3;
         int r, n = 0;
         siginfo_t si;
@@ -100,42 +102,56 @@ static void test_shareable_ns(unsigned long nsflag) {
 
         if (pid1 == 0) {
                 r = setup_shareable_ns(s, nsflag);
-                assert_se(r >= 0);
-                _exit(r);
+                assert_se(r >= 0 || ERRNO_IS_NEG_PRIVILEGE(r));
+                _exit(r >= 0 ? r : EX_NOPERM);
         }
 
         pid2 = fork();
         assert_se(pid2 >= 0);
 
         if (pid2 == 0) {
                 r = setup_shareable_ns(s, nsflag);
-                assert_se(r >= 0);
-                exit(r);
+                assert_se(r >= 0 || ERRNO_IS_NEG_PRIVILEGE(r));
+                _exit(r >= 0 ? r : EX_NOPERM);
         }
 
         pid3 = fork();
         assert_se(pid3 >= 0);
 
         if (pid3 == 0) {
                 r = setup_shareable_ns(s, nsflag);
-                assert_se(r >= 0);
-                exit(r);
+                assert_se(r >= 0 || ERRNO_IS_NEG_PRIVILEGE(r));
+                _exit(r >= 0 ? r : EX_NOPERM);
         }
 
         r = wait_for_terminate(pid1, &si);
         assert_se(r >= 0);
         assert_se(si.si_code == CLD_EXITED);
-        n += si.si_status;
+        if (si.si_status == EX_NOPERM)
+                permission_denied = true;
+        else
+                n += si.si_status;
 
         r = wait_for_terminate(pid2, &si);
         assert_se(r >= 0);
         assert_se(si.si_code == CLD_EXITED);
-        n += si.si_status;
+        if (si.si_status == EX_NOPERM)
+                permission_denied = true;
+        else
+                n += si.si_status;
 
         r = wait_for_terminate(pid3, &si);
         assert_se(r >= 0);
         assert_se(si.si_code == CLD_EXITED);
-        n += si.si_status;
+        if (si.si_status == EX_NOPERM)
+                permission_denied = true;
+        else
+                n += si.si_status;
+
+        /* LSMs can cause setup_shareable_ns() to fail with permission denied, do not fail the test in that
+         * case (e.g.: LXC with AppArmor on kernel < v6.2). */
+        if (permission_denied)
+                return (void) log_tests_skipped("insufficient privileges");
 
         assert_se(n == 1);
 }