selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID)

unshare(CLONE_NEWPID) can return EINVAL if the kernel does not have the
CONFIG_PID_NS option enabled.

Add a check on these calls to skip the test if we receive EINVAL.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-2-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 38f6514699682b8f318e7a1d80c0faf299fe1eba..5e705674b7067079d07384253212e14207264991 100644 (file)
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -3709,7 +3709,12 @@ TEST(user_notification_sibling_pid_ns)
        ASSERT_GE(pid, 0);
 
        if (pid == 0) {
-               ASSERT_EQ(unshare(CLONE_NEWPID), 0);
+               ASSERT_EQ(unshare(CLONE_NEWPID), 0) {
+                       if (errno == EPERM)
+                               SKIP(return, "CLONE_NEWPID requires CAP_SYS_ADMIN");
+                       else if (errno == EINVAL)
+                               SKIP(return, "CLONE_NEWPID is invalid (missing CONFIG_PID_NS?)");
+               }
 
                pid2 = fork();
                ASSERT_GE(pid2, 0);
@@ -3727,6 +3732,8 @@ TEST(user_notification_sibling_pid_ns)
        ASSERT_EQ(unshare(CLONE_NEWPID), 0) {
                if (errno == EPERM)
                        SKIP(return, "CLONE_NEWPID requires CAP_SYS_ADMIN");
+               else if (errno == EINVAL)
+                       SKIP(return, "CLONE_NEWPID is invalid (missing CONFIG_PID_NS?)");
        }
        ASSERT_EQ(errno, 0);