[PATCH] security: Add KUnit tests for kuid_root_in_ns and vfsuid_root_in_currentns
Paul Moore
paul at paul-moore.com
Tue Dec 16 22:57:32 UTC 2025
On Thu, Dec 4, 2025 at 4:56 PM Ryan Foster <foster.ryan.r at gmail.com> wrote:
>
> Add comprehensive KUnit tests for the namespace-related capability
> functions that Serge Hallyn refactored in commit 9891d2f79a9f
> ("Clarify the rootid_owns_currentns").
>
> The tests verify:
> - Basic functionality: UID 0 in init namespace, invalid vfsuid, non-zero UIDs
> - Actual namespace traversal: Creating user namespaces with different UID
>   mappings where uid 0 maps to different kuids (e.g., 1000, 2000, 3000)
> - Hierarchy traversal: Testing multiple nested namespaces to verify
>   correct namespace hierarchy traversal
>
> This addresses the feedback to "test the actual functionality" by creating
> real user namespaces with different values for the namespace's uid 0, rather
> than just basic input validation.
>
> The test file is included at the end of commoncap.c when
> CONFIG_SECURITY_COMMONCAP_KUNIT_TEST is enabled, following the standard
> kernel pattern (e.g., scsi_lib.c, ext4/mballoc.c). This allows tests to
> access static functions in the same compilation unit without modifying
> production code based on test configuration.
>
> All 7 tests pass:
> - test_vfsuid_root_in_currentns_init_ns
> - test_vfsuid_root_in_currentns_invalid
> - test_vfsuid_root_in_currentns_nonzero
> - test_kuid_root_in_ns_init_ns_uid0
> - test_kuid_root_in_ns_init_ns_nonzero
> - test_kuid_root_in_ns_with_mapping
> - test_kuid_root_in_ns_with_different_mappings
> ---
> security/Kconfig | 17 +++
> security/commoncap.c | 4 +
> security/commoncap_test.c | 290 ++++++++++++++++++++++++++++++++++++++
> 3 files changed, 311 insertions(+)
> create mode 100644 security/commoncap_test.c

You'll need to sort this out with Serge, but I would suggest adding
security/commoncap_test.c to the CAPABILITIES entry in the MAINTAINERS
file so it has a proper home.
--
paul-moore.com