| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260130091245.3824029-1-sun.jian.kdev@gmail.com>
Date: Fri, 30 Jan 2026 17:12:45 +0800
From: Sun Jian <sun.jian.kdev@...il.com>
To: ast@...nel.org,
daniel@...earbox.net
Cc: andrii@...nel.org,
shuah@...nel.org,
bpf@...r.kernel.org,
linux-kselftest@...r.kernel.org,
linux-kernel@...r.kernel.org,
Sun Jian <sun.jian.kdev@...il.com>
Subject: [PATCH] selftests/bpf: skip deny_namespace when bpf LSM is not enabled
deny_namespace/userns_create_bpf relies on BPF LSM being active in the LSM
chain. When /sys/kernel/security/lsm does not contain "bpf" (e.g. virtme-ng
default), this test can't validate the expected EPERM behavior. Reporting
FAIL in that case is misleading noise for CI.
Detect missing bpf in the active LSM list and skip the test with a short
hint to boot with lsm=...,bpf.
Signed-off-by: Sun Jian <sun.jian.kdev@...il.com>
---
.../selftests/bpf/prog_tests/deny_namespace.c | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/deny_namespace.c b/tools/testing/selftests/bpf/prog_tests/deny_namespace.c
index 1bc6241b755b..5fb31912dd98 100644
--- a/tools/testing/selftests/bpf/prog_tests/deny_namespace.c
+++ b/tools/testing/selftests/bpf/prog_tests/deny_namespace.c
@@ -5,6 +5,7 @@
#include <sched.h>
#include "cap_helpers.h"
#include <stdio.h>
+#include <string.h>
static int wait_for_pid(pid_t pid)
{
@@ -46,6 +47,36 @@ static int create_user_ns(void)
return wait_for_pid(pid);
}
+static bool bpf_lsm_enabled(void)
+{
+ FILE *f;
+ char buf[512];
+ bool enabled = false;
+
+ f = fopen("/sys/kernel/security/lsm", "r");
+ if (!f)
+ return false;
+
+ if (!fgets(buf, sizeof(buf), f)) {
+ fclose(f);
+ return false;
+ }
+ fclose(f);
+
+ buf[strcspn(buf, "\n")] = '\0';
+
+ for (char *saveptr = NULL, *tok = strtok_r(buf, ",", &saveptr);
+ tok;
+ tok = strtok_r(NULL, ",", &saveptr)) {
+ if (!strcmp(tok, "bpf")) {
+ enabled = true;
+ break;
+ }
+ }
+
+ return enabled;
+}
+
static void test_userns_create_bpf(void)
{
__u32 cap_mask = 1ULL << CAP_SYS_ADMIN;
@@ -88,6 +119,13 @@ void test_deny_namespace(void)
if (!ASSERT_OK_PTR(skel, "skel load"))
goto close_prog;
+ if (!bpf_lsm_enabled()) {
+ printf("%s:SKIP:bpf LSM not enabled (boot with lsm=...,bpf)\n",
+ __func__);
+ test__skip();
+ goto close_prog;
+ }
+
err = test_deny_namespace__attach(skel);
if (!ASSERT_OK(err, "attach"))
goto close_prog;
--
2.43.0
Powered by blists - more mailing lists