Message-ID: <CAHC9VhQ0MZamekAi-2kXgVv9qhSw16jpTyJ1CrfvQ+7Tp9GW6w@mail.gmail.com>
Date: Tue, 16 Dec 2025 17:57:32 -0500
From: Paul Moore <paul@...l-moore.com>
To: Ryan Foster <foster.ryan.r@...il.com>, serge@...lyn.com
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] security: Add KUnit tests for kuid_root_in_ns and vfsuid_root_in_currentns

On Thu, Dec 4, 2025 at 4:56 PM Ryan Foster <foster.ryan.r@...il.com> wrote:
>
> Add comprehensive KUnit tests for the namespace-related capability
> functions that Serge Hallyn refactored in commit 9891d2f79a9f
> ("Clarify the rootid_owns_currentns").
>
> The tests verify:
> - Basic functionality: UID 0 in init namespace, invalid vfsuid, non-zero UIDs
> - Actual namespace traversal: Creating user namespaces with different UID
>   mappings where uid 0 maps to different kuids (e.g., 1000, 2000, 3000)
> - Hierarchy traversal: Testing multiple nested namespaces to verify
>   correct namespace hierarchy traversal
>
> This addresses the feedback to "test the actual functionality" by creating
> real user namespaces with different values for the namespace's uid 0, rather
> than just basic input validation.
>
> The test file is included at the end of commoncap.c when
> CONFIG_SECURITY_COMMONCAP_KUNIT_TEST is enabled, following the standard
> kernel pattern (e.g., scsi_lib.c, ext4/mballoc.c). This allows tests to
> access static functions in the same compilation unit without modifying
> production code based on test configuration.
>
> All 7 tests pass:
> - test_vfsuid_root_in_currentns_init_ns
> - test_vfsuid_root_in_currentns_invalid
> - test_vfsuid_root_in_currentns_nonzero
> - test_kuid_root_in_ns_init_ns_uid0
> - test_kuid_root_in_ns_init_ns_nonzero
> - test_kuid_root_in_ns_with_mapping
> - test_kuid_root_in_ns_with_different_mappings
> ---
>  security/Kconfig          |  17 +++
>  security/commoncap.c      |   4 +
>  security/commoncap_test.c | 290 ++++++++++++++++++++++++++++++++++++++
>  3 files changed, 311 insertions(+)
>  create mode 100644 security/commoncap_test.c

You'll need to sort this out with Serge, but I would suggest adding
security/commoncap_test.c to the CAPABILITIES entry in the MAINTAINERS
file so it has a proper home.

-- 
paul-moore.com
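
The hierarchy traversal the quoted commit message says the tests cover, as an added example that is not code from the patch or from the kernel: a user-space model in which every struct, function and namespace name is hypothetical, each namespace has one constructed UID range, and a kuid is assumed to count as root when it maps to uid 0 in the given namespace or in any of its ancestors.

```c
/* User-space model only: all names here are hypothetical, not kernel API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_INVALID_UID ((unsigned int)-1)

struct ns_model {
    const struct ns_model *parent; /* NULL marks the initial namespace */
    unsigned int lower_first;      /* global kuid that ns-local uid 0 maps to */
    unsigned int count;            /* length of the single mapped range */
};

/* Constructed hierarchy: init -> ns_a (0->1000) -> ns_b (0->2000) -> ns_c (0->3000) */
static const struct ns_model init_ns = { NULL, 0, 0xfffffffeu };
static const struct ns_model ns_a = { &init_ns, 1000, 65536 };
static const struct ns_model ns_b = { &ns_a, 2000, 2000 };
static const struct ns_model ns_c = { &ns_b, 3000, 10 };

/* Translate a global kuid to the uid seen inside ns, or MODEL_INVALID_UID. */
static unsigned int model_from_kuid(const struct ns_model *ns, unsigned int kuid)
{
    if (kuid >= ns->lower_first && kuid - ns->lower_first < ns->count)
        return kuid - ns->lower_first;
    return MODEL_INVALID_UID;
}

/* True when kuid is uid 0 in ns itself or in any ancestor up to init. */
static bool model_kuid_root_in_ns(unsigned int kuid, const struct ns_model *ns)
{
    for (; ns != NULL; ns = ns->parent)
        if (model_from_kuid(ns, kuid) == 0)
            return true;
    return false;
}

int main(void)
{
    /* Root of an ancestor namespace is accepted in a descendant ... */
    printf("kuid 1000 in ns_c: %d\n", model_kuid_root_in_ns(1000, &ns_c));
    /* ... but root of a descendant is not accepted in its ancestor. */
    printf("kuid 3000 in ns_b: %d\n", model_kuid_root_in_ns(3000, &ns_b));
    return 0;
}
```

The asymmetry is the property worth pinning down in tests: the walk only goes toward the initial namespace, so uid 0 of a child namespace never counts as root in its parent.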