From: Ross Burton <ross.bur...@arm.com> If user namespaces are not available (typically because AppArmor is blocking them), alert the user.
We consider network isolation sufficiently important that this is a fatal error, and the user will need to configure AppArmor to allow bitbake to create a user namespace. [ YOCTO #15592 ] Signed-off-by: Ross Burton <ross.bur...@arm.com> Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> (cherry picked from commit b6af956fe6e876957a49d4abf425e8c789bf0459) Signed-off-by: Steve Sakoman <st...@sakoman.com> --- meta/classes/sanity.bbclass | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass index 293e405f62..3b13ba647e 100644 --- a/meta/classes/sanity.bbclass +++ b/meta/classes/sanity.bbclass @@ -469,6 +469,29 @@ def check_wsl(d): bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space") return None +def check_userns(): + """ + Check that user namespaces are functional, as they're used for network isolation. + """ + + # There is a known failure case with AppAmrmor where the unshare() call + # succeeds (at which point the uid is nobody) but writing to the uid_map + # fails (so the uid isn't reset back to the user's uid). We can detect this. + parentuid = os.getuid() + pid = os.fork() + if not pid: + try: + bb.utils.disable_network() + except: + pass + os._exit(parentuid != os.getuid()) + + ret = os.waitpid(pid, 0)[1] + if ret: + bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n" + "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.") + + # Require at least gcc version 7.5. # # This can be fixed on CentOS-7 with devtoolset-6+ @@ -634,6 +657,7 @@ def check_sanity_version_change(status, d): status.addresult(check_git_version(d)) status.addresult(check_perl_modules(d)) status.addresult(check_wsl(d)) + status.addresult(check_userns()) missing = "" -- 2.34.1
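Review bot: in check_userns() the child exits 0 whenever its uid is unchanged, so the check passes when no namespace was entered at all: if bb.utils.disable_network() raises, the bare `except: pass` swallows the exception, the uid is still the parent's, and `os._exit(parentuid != os.getuid())` exits 0; the same happens if disable_network() returns without having unshared. Only the AppArmor partial-failure case described in the comment (unshare() succeeds, the uid_map write fails, the uid is left as nobody) is detected, even though the docstring and the bb.fatal() message promise a general "user namespaces are usable" check. Since the commit message says unavailable isolation is meant to be fatal, make the exception path exit non-zero as well (for example `except Exception: os._exit(2)`), or narrow the docstring and message to the AppArmor case. Smaller points: "AppAmrmor" in the comment should be "AppArmor", and calling bb.fatal() inside the check bypasses the sanity-status aggregation the sibling checks use (they return a message string for status.addresult()), so returning the string would report this failure alongside the others.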
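Review bot: `status.addresult(check_userns())` always records None, because check_userns() takes no `d`, reports failure through bb.fatal() and returns nothing, so the addresult() wrapper suggests an aggregated sanity result that never exists. Either give check_userns(d) the same shape as check_wsl(d) and the other entries in this list and return the message string, so the failure is collected with the rest of the sanity output, or call it directly. It is also worth confirming that check_sanity_version_change() is the right home: by name it does not run on every build, so an AppArmor policy tightened after a successful first run may not be re-checked until the next sanity version change.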
View/Reply Online (#208590): https://lists.openembedded.org/g/openembedded-core/message/208590
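A stand-alone version of the probe, added here as an example and not code from openembedded-core or BitBake. It uses the same fork-then-compare-uid idea as the patch, but performs the unshare() and uid_map write itself through ctypes so that it can distinguish three failure modes rather than one: unshare() refused outright (user namespaces disabled by sysctl or a seccomp policy), unshare() accepted but the uid_map write denied (the AppArmor case the patch targets), and no usable unshare() at all. The exit-code values, outcome strings and the `require_network_isolation()` helper are this example's own conventions, not anything from the project.

```python
"""Probe whether unprivileged user namespaces can be used for network isolation.

Added example; not code from openembedded-core or BitBake.  All namespace
changes happen in a forked child that exits via os._exit(); the parent is
never modified.
"""
import ctypes
import os
import sys

# Flags from <sched.h> on Linux.
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000

# Exit codes the child uses to report what happened (conventions of this example).
_EXIT_USABLE = 0          # namespaces created and uid mapped back to ours
_EXIT_UNSHARE_DENIED = 1  # unshare() itself failed (sysctl, seccomp, ...)
_EXIT_UIDMAP_DENIED = 2   # unshare() worked but /proc/self/uid_map write failed
_EXIT_UNSUPPORTED = 3     # no libc/unshare() reachable, or an unexpected error

_OUTCOMES = {
    _EXIT_USABLE: "usable",
    _EXIT_UNSHARE_DENIED: "unshare-denied",
    _EXIT_UIDMAP_DENIED: "uidmap-denied",
    _EXIT_UNSUPPORTED: "unsupported",
}


def outcome_from_exit_code(code: int) -> str:
    """Translate a child exit code into one of the outcome strings."""
    return _OUTCOMES.get(code, "unsupported")


def _libc() -> ctypes.CDLL:
    # dlopen(NULL) exposes the process's own symbols, which include libc for a
    # dynamically linked CPython; fall back to the glibc soname.
    for name in (None, "libc.so.6"):
        try:
            lib = ctypes.CDLL(name, use_errno=True)
            lib.unshare  # AttributeError if the symbol cannot be resolved
            return lib
        except (OSError, AttributeError):
            continue
    raise OSError("unshare() not reachable through ctypes")


def _probe_in_child(parent_uid: int, parent_gid: int) -> int:
    """Runs in the forked child; returns the code to pass to os._exit()."""
    try:
        if _libc().unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0:
            return _EXIT_UNSHARE_DENIED
        # Inside the new user namespace we are the overflow uid (65534, "nobody")
        # until a mapping is written.  An unprivileged writer must set setgroups
        # to "deny" before gid_map can be written.
        try:
            with open("/proc/self/uid_map", "w") as f:
                f.write(f"{parent_uid} {parent_uid} 1")
            with open("/proc/self/setgroups", "w") as f:
                f.write("deny")
            with open("/proc/self/gid_map", "w") as f:
                f.write(f"{parent_gid} {parent_gid} 1")
        except OSError:
            return _EXIT_UIDMAP_DENIED  # the AppArmor failure mode from the patch
        # Trust the kernel, not the write: only a getuid() that reports our
        # original uid again proves the mapping took effect.
        return _EXIT_USABLE if os.getuid() == parent_uid else _EXIT_UIDMAP_DENIED
    except Exception:
        return _EXIT_UNSUPPORTED


def probe_userns() -> str:
    """Fork a throwaway child, try to enter a user+net namespace, report the outcome."""
    if not sys.platform.startswith("linux"):
        return "unsupported"
    parent_uid, parent_gid = os.getuid(), os.getgid()
    pid = os.fork()
    if pid == 0:
        os._exit(_probe_in_child(parent_uid, parent_gid))
    _, status = os.waitpid(pid, 0)
    if not os.WIFEXITED(status):
        return "unsupported"  # child killed by a signal; treat as unusable
    return outcome_from_exit_code(os.WEXITSTATUS(status))


def require_network_isolation() -> None:
    """Raise with an actionable message unless isolation is fully usable."""
    outcome = probe_userns()
    if outcome == "usable":
        return
    hints = {
        "unshare-denied": "unshare(CLONE_NEWUSER) failed; check user.max_user_namespaces, "
                          "kernel.unprivileged_userns_clone (Debian/Ubuntu) or a seccomp policy",
        "uidmap-denied": "namespace created but uid_map write denied; on Ubuntu 24.04 this is "
                         "the AppArmor unprivileged user namespace restriction",
        "unsupported": "no usable unshare() on this platform",
    }
    raise RuntimeError(f"network isolation unavailable ({outcome}): {hints[outcome]}")


if __name__ == "__main__":
    print(probe_userns())
```

Run it as a script to print the outcome for the current host; on an Ubuntu 24.04 desktop with the default AppArmor policy it reports `uidmap-denied`, inside a default Docker seccomp profile it reports `unshare-denied`. A sanity check that wants the aggregated-report behaviour of sanity.bbclass would return the `RuntimeError` text rather than raising it.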