path: root/tools/testing/selftests/filesystems/empty_mntns/clone3_empty_mntns_test.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Tests for empty mount namespace creation via clone3() CLONE_EMPTY_MNTNS
 *
 * These tests exercise the clone3() code path for creating empty mount
 * namespaces, which is distinct from the unshare() path tested in
 * empty_mntns_test.c.  With clone3(), CLONE_EMPTY_MNTNS (0x2000000000ULL)
 * is a 64-bit flag that implies CLONE_NEWNS.  The implication happens in
 * kernel_clone() before copy_process(), unlike unshare() where it goes
 * through UNSHARE_EMPTY_MNTNS -> CLONE_EMPTY_MNTNS conversion in
 * unshare_nsproxy_namespaces().
 *
 * Copyright (c) 2024 Christian Brauner <brauner@kernel.org>
 */

#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/mount.h>
#include <linux/stat.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include "../utils.h"
#include "../wrappers.h"
#include "clone3/clone3_selftests.h"
#include "empty_mntns.h"
#include "kselftest_harness.h"

static pid_t clone3_empty_mntns(uint64_t extra_flags)
{
	struct __clone_args args = {
		.flags		= CLONE_EMPTY_MNTNS | extra_flags,
		.exit_signal	= SIGCHLD,
	};

	return sys_clone3(&args, sizeof(args));
}

static bool clone3_empty_mntns_supported(void)
{
	pid_t pid;
	int status;

	pid = fork();
	if (pid < 0)
		return false;

	if (pid == 0) {
		if (enter_userns())
			_exit(1);

		pid = clone3_empty_mntns(0);
		if (pid < 0)
			_exit(1);

		if (pid == 0)
			_exit(0);

		_exit(wait_for_pid(pid) != 0);
	}

	if (waitpid(pid, &status, 0) != pid)
		return false;

	if (!WIFEXITED(status))
		return false;

	return WEXITSTATUS(status) == 0;
}

FIXTURE(clone3_empty_mntns) {};

FIXTURE_SETUP(clone3_empty_mntns)
{
	if (!clone3_empty_mntns_supported())
		SKIP(return, "CLONE_EMPTY_MNTNS via clone3 not supported");
}

FIXTURE_TEARDOWN(clone3_empty_mntns) {}

/*
 * Basic clone3() with CLONE_EMPTY_MNTNS: child gets empty mount namespace
 * with exactly 1 mount and root == cwd.
 */
TEST_F(clone3_empty_mntns, basic)
{
	pid_t pid, inner;

	pid = fork();
	ASSERT_GE(pid, 0);

	if (pid == 0) {
		if (enter_userns())
			_exit(1);

		inner = clone3_empty_mntns(0);
		if (inner < 0)
			_exit(2);

		if (inner == 0) {
			uint64_t root_id, cwd_id;

			if (count_mounts() != 1)
				_exit(3);

			root_id = get_unique_mnt_id("/");
			cwd_id = get_unique_mnt_id(".");
			if (root_id == 0 || cwd_id == 0)
				_exit(4);

			if (root_id != cwd_id)
				_exit(5);

			_exit(0);
		}

		_exit(wait_for_pid(inner));
	}

	ASSERT_EQ(wait_for_pid(pid), 0);
}

/*
 * CLONE_EMPTY_MNTNS implies CLONE_NEWNS.  Verify that it works without
 * explicitly setting CLONE_NEWNS (tests fork.c:2627-2630).
 */
TEST_F(clone3_empty_mntns, implies_newns)
{
	pid_t pid, inner;

	pid = fork();
	ASSERT_GE(pid, 0);

	if (pid == 0) {
		ssize_t parent_mounts;

		if (enter_userns())
			_exit(1);

		/* Verify we have mounts in our current namespace. */
		parent_mounts = count_mounts();
		if (parent_mounts < 1)
			_exit(2);

		/* Only CLONE_EMPTY_MNTNS, no explicit CLONE_NEWNS. */
		inner = clone3_empty_mntns(0);
		if (inner < 0)
			_exit(3);

		if (inner == 0) {
			if (count_mounts() != 1)
				_exit(4);

			_exit(0);
		}

		/* Parent still has its mounts. */
		if (count_mounts() != parent_mounts)
			_exit(5);

		_exit(wait_for_pid(inner));
	}

	ASSERT_EQ(wait_for_pid(pid), 0);
}

/*
 * Helper macro: generate a test that clones with CLONE_EMPTY_MNTNS |
 * @extra_flags and verifies the child has exactly one mount.
 */
#define TEST_CLONE3_FLAGS(test_name, extra_flags)			\
TEST_F(clone3_empty_mntns, test_name)					\
{									\
	pid_t pid, inner;						\
									\
	pid = fork();							\
	ASSERT_GE(pid, 0);						\
									\
	if (pid == 0) {							\
		if (enter_userns())					\
			_exit(1);					\
									\
		inner = clone3_empty_mntns(extra_flags);		\
		if (inner < 0)						\
			_exit(2);					\
									\
		if (inner == 0) {					\
			if (count_mounts() != 1)			\
				_exit(3);				\
			_exit(0);					\
		}							\
									\
		_exit(wait_for_pid(inner));				\
	}								\
									\
	ASSERT_EQ(wait_for_pid(pid), 0);				\
}

/* Redundant CLONE_NEWNS | CLONE_EMPTY_MNTNS should succeed. */
TEST_CLONE3_FLAGS(with_explicit_newns, CLONE_NEWNS)

/* CLONE_EMPTY_MNTNS combined with CLONE_NEWUSER. */
TEST_CLONE3_FLAGS(with_newuser, CLONE_NEWUSER)

/* CLONE_EMPTY_MNTNS combined with other namespace flags. */
TEST_CLONE3_FLAGS(with_other_ns_flags, CLONE_NEWUTS | CLONE_NEWIPC)

/*
 * CLONE_EMPTY_MNTNS combined with CLONE_NEWPID.
 */
TEST_F(clone3_empty_mntns, with_newpid)
{
	pid_t pid, inner;

	pid = fork();
	ASSERT_GE(pid, 0);

	if (pid == 0) {
		if (enter_userns())
			_exit(1);

		inner =