Detect user NS restrictions in container.py and output an error message only once
younghojan committed May 27, 2024
1 parent 277ab8b commit ce27511
Showing 3 changed files with 22 additions and 37 deletions.
20 changes: 5 additions & 15 deletions benchexec/container.py
Expand Up @@ -115,6 +115,11 @@
)
"""Whether we use generated native code for clone or an unsafe Python fallback"""

USER_NS_RESTRICTION = (
util.try_read_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns") == "1"
)
"""Whether the kernel restricts unprivileged user namespaces"""


@contextlib.contextmanager
def allocate_stack(size=DEFAULT_STACK_SIZE):
Expand Down Expand Up @@ -347,21 +352,6 @@ def setup_user_mapping(
logging.warning("Creating GID mapping into container failed: %s", e)
exception_occurred = True

# Ubuntu 24.04 (and possibly later versions) restricts user namespaces,
# output error message here
if (
exception_occurred
and util.try_read_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
== "1"
):
logging.warning(
"Ubuntu 24.04 restircts user namespaces, "
"preventing UID/GID mapping into container. "
"Please try 'echo 0 | sudo tee "
"/proc/sys/kernel/apparmor_restrict_unprivileged_userns' "
"as a temporary workaround, or disable container mode."
)


_SIOCGIFFLAGS = 0x8913 # /usr/include/bits/ioctls.h
_SIOCSIFFLAGS = 0x8914 # /usr/include/bits/ioctls.h
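Review bot: The docstring on the new `USER_NS_RESTRICTION` constant overclaims: the value only reflects Ubuntu's AppArmor knob, whereas kernels that gate unprivileged user namespaces through `kernel.unprivileged_userns_clone` or `user.max_user_namespaces` produce the same mapping failures with this flag False. I would narrow it to `"""Whether AppArmor restricts unprivileged user namespaces (Ubuntu 24.04+); other restriction mechanisms are not detected."""`. It is also read once at import time, so a sysctl toggled while BenchExec runs is not noticed, which is fine for a hint but deserves a one-line comment such as `# Evaluated once at import; the sysctl can change at runtime`. `setup_user_mapping` starts above this hunk, and after the removal the warning on mapping failure no longer says why, so the information now depends entirely on the callers in containerexecutor.py reaching their new hint.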
33 changes: 11 additions & 22 deletions benchexec/containerexecutor.py
Expand Up @@ -713,28 +713,11 @@ def child():
try:
socket.sethostname(container.CONTAINER_HOSTNAME)
except PermissionError:
# Ubuntu 24.04 (and possibly later versions) restricts user namespaces,
# output error message here
if (
util.try_read_file(
"/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
)
== "1"
):
logging.warning(
"Ubuntu 24.04 restircts user namespaces, "
"preventing changing hostname in container, "
"real hostname will leak into the container. "
"Please try 'echo 0 | sudo tee "
"/proc/sys/kernel/apparmor_restrict_unprivileged_userns' "
"as a temporary workaround, or disable container mode."
)
else:
logging.warning(
"Changing hostname in container prevented "
"by system configuration, "
"real hostname will leak into the container."
)
logging.warning(
"Changing hostname in container prevented "
"by system configuration, "
"real hostname will leak into the container."
)

if not self._allow_network:
container.activate_network_interface("lo")
Expand Down Expand Up @@ -771,6 +754,12 @@ def child():
traceback.extract_tb(e.__traceback__, limit=-1)[0].line,
e,
)
if container.USER_NS_RESTRICTION:
logging.warning(
"Ubuntu 24.04 restircts unprivileged user namespaces,"
" please try 'echo 0 | sudo tee /proc/sys/kernel/"
"apparmor_restrict_unprivileged_userns' as a temporary workaround."
)
return CHILD_OSERROR

try:
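Review bot: The new hint in the `OSError` handler fires for any error once `container.USER_NS_RESTRICTION` is set, so on a stock Ubuntu 24.04 host an unrelated failure (a bad mount, a missing directory) is still blamed on AppArmor; gating it on the errno, `if container.USER_NS_RESTRICTION and e.errno in (errno.EPERM, errno.EACCES):`, keeps the hint on the permission-denied path (I have not verified which errno the denied namespace operation returns, and the `errno` import is outside this hunk). The message has a typo, `restircts`, and its workaround flips a system-wide hardening sysctl that re-enables unprivileged user namespaces for every process on the host, not just BenchExec; the message should say so, and Ubuntu's intended per-application alternative is an AppArmor profile granting `userns` to the executable, which is worth pointing to in the docs rather than only offering the global switch. Since the same text now exists in containerized_tool.py, a shared constant in container.py would keep the two copies from drifting. `child()` starts above this hunk.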
6 changes: 6 additions & 0 deletions benchexec/containerized_tool.py
Expand Up @@ -124,6 +124,12 @@ def _init_container_and_load_tool(tool_module, *args, **kwargs):
try:
_init_container(*args, **kwargs)
except OSError as e:
if container.USER_NS_RESTRICTION:
logging.warning(
"Ubuntu 24.04 restircts unprivileged user namespaces,"
" please try 'echo 0 | sudo tee /proc/sys/kernel/"
"apparmor_restrict_unprivileged_userns' as a temporary workaround."
)
raise BenchExecException(f"Failed to configure container: {e}")
return _load_tool(tool_module)
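Review bot: The hint here is only logged while the `BenchExecException` the caller receives carries just `Failed to configure container: {e}`, so a caller that surfaces the exception but not the warning log never sees the actionable part. Folding it into the exception keeps one message: `hint = " Ubuntu 24.04 restricts unprivileged user namespaces; ..." if container.USER_NS_RESTRICTION else ""` followed by `raise BenchExecException(f"Failed to configure container: {e}{hint}") from e`, which also adds the missing exception chaining on the existing `raise`. The text duplicates containerexecutor.py including the `restircts` typo, so a shared constant in container.py would be cleaner. As in the other copy, the suggested `echo 0 | sudo tee` workaround disables a host-wide hardening setting, and the message should say that the change affects every unprivileged process on the machine.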
