From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from simark.ca by simark.ca with LMTP id X3HcEy/GW2gmuR0AWB0awg (envelope-from ) for ; Wed, 25 Jun 2025 05:49:35 -0400 Authentication-Results: simark.ca; dkim=pass (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=xeOAO92U; dkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=KTsRzoOe; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=xeOAO92U; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=KTsRzoOe; dkim-atps=neutral Received: by simark.ca (Postfix, from userid 112) id 3BC691E11C; Wed, 25 Jun 2025 05:49:35 -0400 (EDT) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on simark.ca X-Spam-Level: X-Spam-Status: No, score=-9.1 required=5.0 tests=ARC_SIGNED,ARC_VALID,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL, RCVD_IN_VALIDITY_SAFE autolearn=ham autolearn_force=no version=4.0.1 Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) by simark.ca (Postfix) with ESMTPS id 51FD11E089 for ; Wed, 25 Jun 2025 05:49:34 -0400 (EDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id E4B403857BB6 for ; Wed, 25 Jun 2025 09:49:33 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E4B403857BB6 Authentication-Results: sourceware.org; dkim=pass (1024-bit key, unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=xeOAO92U; dkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=KTsRzoOe; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=xeOAO92U; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=KTsRzoOe Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) by sourceware.org (Postfix) with ESMTPS id E070C3858416 for ; Wed, 25 Jun 2025 09:48:58 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org E070C3858416 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=suse.de Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=suse.de ARC-Filter: OpenARC Filter v1.0.0 sourceware.org E070C3858416 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=195.135.223.130 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1750844939; cv=none; b=BhCueO73neQiiJ020mRw5eJ3pveEeImdMGJXNWSf9r7ZrauCbUxac8nrKTxdRIPkxIyeT86NjvkEeANZC8xe9zoCsi6J/C8woKviS+NLwU8WeE3tZ+zNxUAZPx/W8nf5j0TPZNtfpAk/NzF35VHVN0WjgpLCtx+4CR8PNeScXrA= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1750844939; c=relaxed/simple; bh=S5Fed/k4945Kcjq8DPr2E/2YQLSI9fbaJgxo1+NimHU=; h=DKIM-Signature:DKIM-Signature:DKIM-Signature:DKIM-Signature: Message-ID:Date:MIME-Version:Subject:To:From; b=OaDkgPodCWAnJgWmSgrn8haIh7UtOMi5Drf/GjwbgBvoLZXPxLg1hU4lRiPRGq/P6eT+4V83WFroznDHZyHdTPJBegUW+Xiw/1ZqydoNbbYjXOm2cwD2w/+SMPh9NF9WMIWz9nf3lLzVaXV0VRWUoWv11Xqn3T6artFg38oyHBo= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E070C3858416 Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id C6939211A0; Wed, 25 Jun 2025 09:48:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1750844937; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LJLPl+D6KPzeRjE/O1yleySBNmmM9aBL01A0953iLrM=; b=xeOAO92Ur9mTBnvzY0A+KBKD1oT9dvfmpWsX2kEmdY1jcHLuhl3qEJwSJY1TKYWApk1Nr/ APp3lp/SAaKZDYBN2NjD9qHVN1gYWi7bkuEy20ahezU8tU9ltMlcCCuJGx92K+SFcNOHKv HTwmSrB7E1Or6Sr0ZY7sqKptGoDChwo= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1750844937; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LJLPl+D6KPzeRjE/O1yleySBNmmM9aBL01A0953iLrM=; b=KTsRzoOezIsdrRtlW04lDK0kBnBGLdE1yO3eTM5ch8XsoI5RYRjLB7/f55Xd8mIUyCxZmS lc8dOUB2h+RDDLCg== Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1750844937; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LJLPl+D6KPzeRjE/O1yleySBNmmM9aBL01A0953iLrM=; b=xeOAO92Ur9mTBnvzY0A+KBKD1oT9dvfmpWsX2kEmdY1jcHLuhl3qEJwSJY1TKYWApk1Nr/ APp3lp/SAaKZDYBN2NjD9qHVN1gYWi7bkuEy20ahezU8tU9ltMlcCCuJGx92K+SFcNOHKv HTwmSrB7E1Or6Sr0ZY7sqKptGoDChwo= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1750844937; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LJLPl+D6KPzeRjE/O1yleySBNmmM9aBL01A0953iLrM=; b=KTsRzoOezIsdrRtlW04lDK0kBnBGLdE1yO3eTM5ch8XsoI5RYRjLB7/f55Xd8mIUyCxZmS lc8dOUB2h+RDDLCg== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id A8D9C13A27; Wed, 25 Jun 2025 09:48:57 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id tH/DJwnGW2ilOQAAD6G6ig (envelope-from ); Wed, 25 Jun 2025 09:48:57 +0000 Message-ID: <68c9f369-bd11-48dd-90c8-8c7a61771de7@suse.de> Date: Wed, 25 Jun 2025 11:48:47 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCHv3] gdb: linux-namespaces: enter user namespace when appropriate To: Andrew Burgess , gdb-patches@sourceware.org Cc: Benjamin Berg References: <824ee908821f07452286730643c1efd5f8b01eb2.1749741769.git.aburgess@redhat.com> <87qzzak1ct.fsf@redhat.com> Content-Language: en-US From: Tom de Vries In-Reply-To: <87qzzak1ct.fsf@redhat.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Result: default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:mid,imap1.dmz-prg2.suse.org:helo] X-BeenThere: gdb-patches@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Gdb-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: gdb-patches-bounces~public-inbox=simark.ca@sourceware.org On 6/23/25 15:56, Andrew Burgess wrote: > Andrew Burgess writes: > >> From: Benjamin Berg >> >> In v2: >> >> - Update the test to ignore a warning seen when running the test on >> a machine with libc debug information installed, but without the >> libc source being available, e.g.: >> >> warning: 46 ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file or directory >> >> This was causing some CI failures to be reported from Linaro. >> >> - Rebased to current upstream/master. >> >> In v3: >> >> - Same as V2, but fix the test pattern correctly this time. >> >> -- >> >> The use of user namespaces is required for normal users to use mount >> namespaces. Consider trying this as an unprivileged user: >> >> $ unshare --mount /bin/true >> unshare: unshare failed: Operation not permitted >> >> The problem here is that an unprivileged user doesn't have the >> required permissions to create a new mount namespace. If, instead, we >> do this: >> >> $ unshare --mount --map-root-user /bin/true >> >> then this will succeed. The new option causes unshare to create a >> user namespace in which the unprivileged user is mapped to UID/GID 0, >> and so gains all privileges (inside the namespace), the user is then >> able to create the mount namespace as required. >> >> So, how does this relate to GDB? >> >> When a user attaches to a process running in a separate mount >> namespace, GDB makes use of a separate helper process (see >> linux_mntns_get_helper in nat/linux-namespaces.c), which will then use >> the `setns` function to enter (or try to enter) the mount namespace of >> the process GDB is attaching too. The helper process will then handle >> file I/O requests received from GDB, and return the results back to >> GDB, this allows GDB to access files within the mount namespace. >> >> The problem here is that, switching to a mount namespace requires that >> a process hold CAP_SYS_CHROOT and CAP_SYS_ADMIN capabilities within >> its user namespace (actually it's a little more complex, see 'man 2 >> setns'). Assuming GDB is running as an unprivileged user, then GDB >> will not have the required permissions. >> >> However, if GDB enters the user namespace that the `unshare` process >> created, then the current user will be mapped to UID/GID 0, and will >> have the required permissions. >> >> And so, this patch extends linux_mntns_access_fs (in >> nat/linux-namespace.c) to first try and switch to the user namespace >> of the inferior before trying to switch to the mount namespace. If >> the inferior does have a user namespace, and does have elevated >> privileges within that namespace, then this first switch by GDB will >> mean that the second step, into the mount namespace, will succeed. >> >> If there is no user namespace, or the inferior doesn't have elevated >> privileges within the user namespace, then the switch into the mount >> namespace will fail, just as it currently does, and the user will need >> to give elevated privileges to GDB via some other mechanism (e.g. run >> as root). >> >> This work was originally posted here: >> >> https://inbox.sourceware.org/gdb-patches/20230321120126.1418012-1-benjamin@sipsolutions.net >> >> I (Andrew Burgess) have made some cleanups to the code to comply with >> GDB's coding standard, and the test is entirely mine. This commit >> message is also entirely mine -- the original message was very terse >> and required the reader to understand how the various namespaces >> work and interact. The above is my attempt to document what I now >> understand about the problem being fixed. >> >> I've left the original author in place as the core of the GDB change >> itself is largely as originally presented, but any inaccuracies in the >> commit message, or problems with the test, are all mine. >> >> Co-Authored-by: Andrew Burgess > > I've pushed this patch. > The new test-case fails on arm32 (Linaro CI reported this, and I was able to reproduce) due to insufficient permissions: ... (gdb) attach 184732 Attaching to process 184732 warning: process 184732 is a zombie - the process has already terminated ptrace: Operation not permitted. (gdb) FAIL: gdb.base/user-namespace-attach.exp: flags=--mount --map-root-user: attach to inferior ... In essence, the test-case assumes: ... $ unshare --mount --map-root-user /bin/true; echo $? 0 ... but we get instead: ... $ unshare --mount --map-root-user /bin/true; echo $? unshare: unshare failed: Operation not permitted 1 ... Filed here ( https://sourceware.org/bugzilla/show_bug.cgi?id=33108 ). Thanks, - Tom > The GDB changes have been on the list for a couple of years now, and > (except for some comments and formating) are mostly unchanged in my > version. > > My contributions to this work are the test and the commit message. > > Thanks, > Andrew >