[scarthgap,12/12] sanity: check for working user namespaces

Message ID	3577ceca39c7c3be81563de9ccf06a805f61d3ca.1733863624.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.215.177, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/12] sanity: check for working user namespaces Date: Tue, 10 Dec 2024 12:56:28 -0800 Message-Id: <3577ceca39c7c3be81563de9ccf06a805f61d3ca.1733863624.git.steve@sakoman.com> In-Reply-To: <cover.1733863624.git.steve@sakoman.com> References: <cover.1733863624.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,01/12] ffmpeg: fix CVE-2023-49501 \| expand [scarthgap,01/12] ffmpeg: fix CVE-2023-49501 [scarthgap,02/12] ffmpeg: fix CVE-2024-28661 [scarthgap,03/12] ffmpeg: fix CVE-2023-50007 [scarthgap,04/12] ffmpeg: fix CVE-2023-49528 [scarthgap,05/12] ffmpeg: fix CVE-2024-7055 [scarthgap,06/12] qemu: set CVE-2024-6505 to fixed [scarthgap,07/12] libpam: fix CVE-2024-10041 [scarthgap,08/12] systemd: drop intltool-native from DEPENDS [scarthgap,09/12] systemd-boot: drop intltool-native from DEPENDS [scarthgap,10/12] python3-poetry-core: drop python3-six from RDEPENDS [scarthgap,11/12] dnf: drop python3-iniparse from DEPENDS and RDEPENDS [scarthgap,12/12] sanity: check for working user namespaces

Message ID

3577ceca39c7c3be81563de9ccf06a805f61d3ca.1733863624.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 12/12] sanity: check for working user namespaces
Date: Tue, 10 Dec 2024 12:56:28 -0800
Message-Id: 
 <3577ceca39c7c3be81563de9ccf06a805f61d3ca.1733863624.git.steve@sakoman.com>
In-Reply-To: <cover.1733863624.git.steve@sakoman.com>
References: <cover.1733863624.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,01/12] ffmpeg: fix CVE-2023-49501 | expand

Commit Message

Steve Sakoman Dec. 10, 2024, 8:56 p.m. UTC

From: Ross Burton <ross.burton@arm.com>

If user namespaces are not available (typically because AppArmor is
blocking them), alert the user.

We consider network isolation sufficiently important that this is a fatal
error, and the user will need to configure AppArmor to allow bitbake to
create a user namespace.

[ YOCTO #15592 ]

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b6af956fe6e876957a49d4abf425e8c789bf0459)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes-global/sanity.bbclass | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/meta/classes-global/sanity.bbclass b/meta/classes-global/sanity.bbclass
index 1d242f0f0a..72dab0fea2 100644
--- a/meta/classes-global/sanity.bbclass
+++ b/meta/classes-global/sanity.bbclass
@@ -475,6 +475,29 @@  def check_wsl(d):
             bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
     return None
 
+def check_userns():
+    """
+    Check that user namespaces are functional, as they're used for network isolation.
+    """
+
+    # There is a known failure case with AppAmrmor where the unshare() call
+    # succeeds (at which point the uid is nobody) but writing to the uid_map
+    # fails (so the uid isn't reset back to the user's uid). We can detect this.
+    parentuid = os.getuid()
+    pid = os.fork()
+    if not pid:
+        try:
+            bb.utils.disable_network()
+        except:
+            pass
+        os._exit(parentuid != os.getuid())
+
+    ret = os.waitpid(pid, 0)[1]
+    if ret:
+        bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
+                 "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
+
+
 # Require at least gcc version 8.0
 #
 # This can be fixed on CentOS-7 with devtoolset-6+
@@ -641,6 +664,7 @@  def check_sanity_version_change(status, d):
     status.addresult(check_git_version(d))
     status.addresult(check_perl_modules(d))
     status.addresult(check_wsl(d))
+    status.addresult(check_userns())
 
     missing = ""

[scarthgap,12/12] sanity: check for working user namespaces

Commit Message

Patch