selftests: unshare userns in seccomp pidns testcases

The pid ns cannot be unshare()d as an unprivileged user without owning the
userns as well. Let's unshare the userns so that we can subsequently
unshare the pidns.

This also means that we don't need to set the no new privs bit as in the
other test cases, since we're unsharing the userns.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Shuah Khan <shuah@kernel.org>

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index abff7afd3345366a5d07d41875266fe852a0a73a..54587b0819796d37c5cf7bbd03791be2660e0cee 100644 (file)
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -3313,7 +3313,7 @@ TEST(user_notification_child_pid_ns)
        struct seccomp_notif req = {};
        struct seccomp_notif_resp resp = {};
 
-       ASSERT_EQ(unshare(CLONE_NEWPID), 0);
+       ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);
 
        listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
        ASSERT_GE(listener, 0);
@@ -3416,6 +3416,8 @@ TEST(user_notification_fault_recv)
        struct seccomp_notif req = {};
        struct seccomp_notif_resp resp = {};
 
+       ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
+
        listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
        ASSERT_GE(listener, 0);