<div dir="ltr">I think it's not just a matter of a new enough kernel but the fact that some Linux distributions disable user namespaces for security reasons, e.g. Arch Linux: <a href="https://bugs.archlinux.org/task/36969">https://bugs.archlinux.org/task/36969</a><div><br></div><div>Peter</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 15, 2017 at 5:03 PM, Kostya Serebryany <span dir="ltr"><<a href="mailto:kcc@google.com" target="_blank">kcc@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Yea, probably. <div>Will this include fresh enough kernels that we care about? </div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 15, 2017 at 4:54 PM, Peter Collingbourne <span dir="ltr"><<a href="mailto:peter@pcc.me.uk" target="_blank">peter@pcc.me.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The test will fail if the kernel does not allow user namespaces, won't it?<div><br></div><div>Peter</div></div><div class="gmail_extra"><div><div class="m_-1342910953500254821h5"><br><div class="gmail_quote">On Mon, May 15, 2017 at 4:37 PM, Kostya Serebryany via llvm-commits <span dir="ltr"><<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: kcc<br>
Date: Mon May 15 18:37:54 2017<br>
New Revision: 303132<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=303132&view=rev" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-pr<wbr>oject?rev=303132&view=rev</a><br>
Log:<br>
[asan] make asan under sandboxes more robust<br>
<br>
Added:<br>
    compiler-rt/trunk/test/asan/Te<wbr>stCases/Linux/sanbox_read_proc<wbr>_self_maps_test.cc<br>
Modified:<br>
    compiler-rt/trunk/lib/sanitize<wbr>r_common/sanitizer_procmaps_li<wbr>nux.cc<br>
<br>
Modified: compiler-rt/trunk/lib/sanitize<wbr>r_common/sanitizer_procmaps_li<wbr>nux.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc?rev=303132&r1=303131&r2=303132&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-pr<wbr>oject/compiler-rt/trunk/lib/sa<wbr>nitizer_common/sanitizer_procm<wbr>aps_linux.cc?rev=303132&r1=303<wbr>131&r2=303132&view=diff</a><br>
==============================<wbr>==============================<wbr>==================<br>
--- compiler-rt/trunk/lib/sanitize<wbr>r_common/sanitizer_procmaps_li<wbr>nux.cc (original)<br>
+++ compiler-rt/trunk/lib/sanitize<wbr>r_common/sanitizer_procmaps_li<wbr>nux.cc Mon May 15 18:37:54 2017<br>
@@ -18,8 +18,8 @@<br>
 namespace __sanitizer {<br>
<br>
 void ReadProcMaps(ProcSelfMapsBuff *proc_maps) {<br>
-  CHECK(ReadFileToBuffer("/proc/<wbr>self/maps", &proc_maps->data,<br>
-                         &proc_maps->mmaped_size, &proc_maps->len));<br>
+  ReadFileToBuffer("/proc/self/m<wbr>aps", &proc_maps->data, &proc_maps->mmaped_size,<br>
+                   &proc_maps->len);<br>
 }<br>
<br>
 static bool IsOneOf(char c, char c1, char c2) {<br>
<br>
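Review bot: In ReadProcMaps the result of ReadFileToBuffer is now discarded, so a failed read of /proc/self/maps is silent and the void signature gives callers no way to detect it. The visible lines do not show what the data, mmaped_size and len fields of proc_maps hold after a failure; consider returning the bool from ReadProcMaps (or explicitly resetting those fields on failure) and adding a comment that failure is expected once a sandbox has removed access to /proc.<br>
<br>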
Added: compiler-rt/trunk/test/asan/Te<wbr>stCases/Linux/sanbox_read_proc<wbr>_self_maps_test.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc?rev=303132&view=auto" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-pr<wbr>oject/compiler-rt/trunk/test/a<wbr>san/TestCases/Linux/sanbox_rea<wbr>d_proc_self_maps_test.cc?rev=<wbr>303132&view=auto</a><br>
==============================<wbr>==============================<wbr>==================<br>
--- compiler-rt/trunk/test/asan/Te<wbr>stCases/Linux/sanbox_read_proc<wbr>_self_maps_test.cc (added)<br>
+++ compiler-rt/trunk/test/asan/Te<wbr>stCases/Linux/sanbox_read_proc<wbr>_self_maps_test.cc Mon May 15 18:37:54 2017<br>
@@ -0,0 +1,30 @@<br>
+// REQUIRES: x86_64-target-arch<br>
+// RUN: %clangxx_asan  %s -o %t<br>
+// RUN: not %run %t 2>&1 | FileCheck %s<br>
+#include <sanitizer/common_interface_de<wbr>fs.h><br>
+#include <sched.h><br>
+#include <unistd.h><br>
+#include <stdio.h><br>
+#include <stdlib.h><br>
+<br>
+int main() {<br>
+  __sanitizer_sandbox_arguments args = {0};<br>
+  // should cache /proc/self/maps<br>
+  __sanitizer_sandbox_on_notify(<wbr>&args);<br>
+<br>
+  if (unshare(CLONE_NEWUSER)) {<br>
+    printf("unshare failed\n");<br>
+    abort();<br>
+  }<br>
+<br>
+  // remove access to /proc/self/maps<br>
+  if (chroot("/tmp")) {<br>
+    printf("chroot failed\n");<br>
+    abort();<br>
+  }<br>
+<br>
+  *(volatile int*)0x42 = 0;<br>
+// CHECK: AddressSanitizer: SEGV on unknown address 0x000000000042<br>
+// CHECK-NOT: AddressSanitizer CHECK failed<br>
+// CHECK: SUMMARY: AddressSanitizer: SEGV<br>
+}<br>
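<br>
Review bot: The unshare(CLONE_NEWUSER) failure branch calls abort(), so on a system where unprivileged user namespaces are not permitted the test reports a failure instead of being skipped, and the CHECK lines cannot match. Consider gating the test on user-namespace support so it is skipped on such systems. Two smaller points: printf("unshare failed\n") and printf("chroot failed\n") write to stdout, which the RUN line pipes to FileCheck and which is not flushed before abort(), so the diagnostic may be lost; fprintf(stderr, ...) or perror would be more reliable. The file name spells "sanbox" where "sandbox" appears intended.<br>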
<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="m_-1342910953500254821HOEnZb"><font color="#888888">-- <br><div class="m_-1342910953500254821m_-7754538835017016473gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <div>Peter</div></div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <div>Peter</div></div></div>
</div>