<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/tools/testing/selftests/bpf/progs/test_deny_namespace.c, branch linux-6.2.y</title>
<subtitle>Hosts the 0x221E linux distro kernel.</subtitle>
<id>https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.2.y</id>
<link rel='self' href='https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.2.y'/>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/'/>
<updated>2022-08-16T21:39:59Z</updated>
<entry>
<title>selftests/bpf: Add tests verifying bpf lsm userns_create hook</title>
<updated>2022-08-16T21:39:59Z</updated>
<author>
<name>Frederick Lawler</name>
<email>fred@cloudflare.com</email>
</author>
<published>2022-08-15T16:20:27Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=d5810139cca39cf2854728b465f8bada4a445302'/>
<id>urn:sha1:d5810139cca39cf2854728b465f8bada4a445302</id>
<content type='text'>
The LSM hook userns_create was introduced to provide LSMs an
opportunity to block or allow unprivileged user namespace creation. This
test serves two purposes: it provides a test eBPF implementation, and
tests the hook successfully blocks or allows user namespace creation.

This tests 3 cases:

        1. Unattached bpf program does not block unpriv user namespace
           creation.
        2. Attached bpf program allows user namespace creation given
           CAP_SYS_ADMIN privileges.
        3. Attached bpf program denies user namespace creation for a
           user without CAP_SYS_ADMIN.

Acked-by: KP Singh &lt;kpsingh@kernel.org&gt;
Signed-off-by: Frederick Lawler &lt;fred@cloudflare.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
</feed>
