authorRoss Burton <ross.burton@arm.com>2024-09-12 17:57:36 +0100
committerSteve Sakoman <steve@sakoman.com>2024-12-13 05:21:54 -0800
commit61ec07c6cf2c1cd35eb1f0d4b904b45ac965724f (patch)
treebff72c09bf6b63c43d6bd88eaf18f6a82682641b
parent6ae367c861f108a7415786dec8a5eaf4b5d773f1 (diff)
downloadpoky-61ec07c6cf2c1cd35eb1f0d4b904b45ac965724f.tar.gz
sanity: check for working user namespaces
If user namespaces are not available (typically because AppArmor is blocking them), alert the user. We consider network isolation sufficiently important that this is a fatal error, and the user will need to configure AppArmor to allow bitbake to create a user namespace. [ YOCTO #15592 ] (From OE-Core rev: 3577ceca39c7c3be81563de9ccf06a805f61d3ca) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b6af956fe6e876957a49d4abf425e8c789bf0459) Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/classes-global/sanity.bbclass24
1 files changed, 24 insertions, 0 deletions
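--- a/meta/classes-global/sanity.bbclass
+++ b/meta/classes-global/sanity.bbclass
@@ -475,6 +475,29 @@ def check_wsl(d):
         bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
     return None
 
+def check_userns():
+    """
+    Check that user namespaces are functional, as they're used for network isolation.
+    """
+
+    # There is a known failure case with AppAmrmor where the unshare() call
+    # succeeds (at which point the uid is nobody) but writing to the uid_map
+    # fails (so the uid isn't reset back to the user's uid). We can detect this.
+    parentuid = os.getuid()
+    pid = os.fork()
+    if not pid:
+        try:
+            bb.utils.disable_network()
+        except:
+            pass
+        os._exit(parentuid != os.getuid())
+
+    ret = os.waitpid(pid, 0)[1]
+    if ret:
+        bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
+                 "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
+
+
 # Require at least gcc version 8.0
 #
 # This can be fixed on CentOS-7 with devtoolset-6+
@@ -641,6 +664,7 @@ def check_sanity_version_change(status, d):
     status.addresult(check_git_version(d))
     status.addresult(check_perl_modules(d))
     status.addresult(check_wsl(d))
+    status.addresult(check_userns())
 
     missing = ""
 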
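Review bot: The bare `except: pass` around `bb.utils.disable_network()` in the forked child of check_userns means that if the unshare itself raises (rather than only the later uid_map write failing), the child's uid is unchanged, it exits 0, and the sanity check passes in a case where network isolation is equally unavailable. disable_network's behaviour is outside this hunk, so this is hedged, but if it raises on an unusable namespace the handler should be `except Exception: os._exit(1)`, which also stops the bare except from swallowing SystemExit and KeyboardInterrupt in the child. The comment on the same lines misspells AppArmor as `AppAmrmor`. In the second hunk, check_sanity_version_change feeds check_userns's return value (always None) to status.addresult while the function aborts through bb.fatal itself, unlike its sibling checks; that matches the commit message's intent, but a docstring line such as `Aborts via bb.fatal rather than returning a message to the caller.` would make the difference explicit.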