From ce27511e241d198565fe9bcfee366dc0150b14de Mon Sep 17 00:00:00 2001 From: younghojan Date: Mon, 27 May 2024 19:09:06 +0800 Subject: [PATCH] Detect user NS restrictions in container.py and output an error message only once --- benchexec/container.py | 20 +++++--------------- benchexec/containerexecutor.py | 33 +++++++++++---------------------- benchexec/containerized_tool.py | 6 ++++++ 3 files changed, 22 insertions(+), 37 deletions(-) diff --git a/benchexec/container.py b/benchexec/container.py index aa6dea6e6..b23dc8bf0 100644 --- a/benchexec/container.py +++ b/benchexec/container.py @@ -115,6 +115,11 @@ ) """Whether we use generated native code for clone or an unsafe Python fallback""" +USER_NS_RESTRICTION = ( + util.try_read_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns") == "1" +) +"""Whether the kernel restricts unprivileged user namespaces""" + @contextlib.contextmanager def allocate_stack(size=DEFAULT_STACK_SIZE): @@ -347,21 +352,6 @@ def setup_user_mapping( logging.warning("Creating GID mapping into container failed: %s", e) exception_occurred = True - # Ubuntu 24.04 (and possibly later versions) restricts user namespaces, - # output error message here - if ( - exception_occurred - and util.try_read_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns") - == "1" - ): - logging.warning( - "Ubuntu 24.04 restircts user namespaces, " - "preventing UID/GID mapping into container. " - "Please try 'echo 0 | sudo tee " - "/proc/sys/kernel/apparmor_restrict_unprivileged_userns' " - "as a temporary workaround, or disable container mode." - ) - _SIOCGIFFLAGS = 0x8913 # /usr/include/bits/ioctls.h _SIOCSIFFLAGS = 0x8914 # /usr/include/bits/ioctls.h diff --git a/benchexec/containerexecutor.py b/benchexec/containerexecutor.py index 7db17c3a1..80baad2a9 100644 --- a/benchexec/containerexecutor.py +++ b/benchexec/containerexecutor.py @@ -713,28 +713,11 @@ def child(): try: socket.sethostname(container.CONTAINER_HOSTNAME) except PermissionError: - # Ubuntu 24.04 (and possibly later versions) restricts user namespaces, - # output error message here - if ( - util.try_read_file( - "/proc/sys/kernel/apparmor_restrict_unprivileged_userns" - ) - == "1" - ): - logging.warning( - "Ubuntu 24.04 restircts user namespaces, " - "preventing changing hostname in container, " - "real hostname will leak into the container. " - "Please try 'echo 0 | sudo tee " - "/proc/sys/kernel/apparmor_restrict_unprivileged_userns' " - "as a temporary workaround, or disable container mode." - ) - else: - logging.warning( - "Changing hostname in container prevented " - "by system configuration, " - "real hostname will leak into the container." - ) + logging.warning( + "Changing hostname in container prevented " + "by system configuration, " + "real hostname will leak into the container." + ) if not self._allow_network: container.activate_network_interface("lo") @@ -771,6 +754,12 @@ def child(): traceback.extract_tb(e.__traceback__, limit=-1)[0].line, e, ) + if container.USER_NS_RESTRICTION: + logging.warning( + "Ubuntu 24.04 restircts unprivileged user namespaces," + " please try 'echo 0 | sudo tee /proc/sys/kernel/" + "apparmor_restrict_unprivileged_userns' as a temporary workaround." + ) return CHILD_OSERROR try: diff --git a/benchexec/containerized_tool.py b/benchexec/containerized_tool.py index bcd0259b7..a1e53ecb6 100644 --- a/benchexec/containerized_tool.py +++ b/benchexec/containerized_tool.py @@ -124,6 +124,12 @@ def _init_container_and_load_tool(tool_module, *args, **kwargs): try: _init_container(*args, **kwargs) except OSError as e: + if container.USER_NS_RESTRICTION: + logging.warning( + "Ubuntu 24.04 restircts unprivileged user namespaces," + " please try 'echo 0 | sudo tee /proc/sys/kernel/" + "apparmor_restrict_unprivileged_userns' as a temporary workaround." + ) raise BenchExecException(f"Failed to configure container: {e}") return _load_tool(tool_module)