From nobody Sat Feb  7 15:22:11 2026
Received: from mail-yx1-f44.google.com (mail-yx1-f44.google.com
 [74.125.224.44])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D53C232B984
	for <linux-kernel@vger.kernel.org>; Fri, 30 Jan 2026 09:12:55 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=74.125.224.44
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1769764377; cv=none;
 b=ad6gYzOTPc65Bth5LwEh0treMCMEiz1Z7IX7Sc2KVBsACfNTzcvyY9p6ou0nkau2Jk7O1GWzNuOzza/FOjmFae6lggmYIUipkwesDuTL4/Q6afwaOYzAWQe6X86bC6bAoejODHJ47Wn4icZsD43oK99+8bHT7DX33IjZc1mkWf8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1769764377; c=relaxed/simple;
	bh=tVSU1w5x5sqFlUfPefz5QPNvQ7ShmBvFI0HEu15jk9I=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=BcA1Wsymdj6+M266FQ/+TUtQClCy4Ls8iaXTGMheWycoC0wATw31epy6wXuS43kxg/Jj7iZiZRGHE9ieASQbMzhiu3RivZK2eaFwCt4FJqK0hpD8mSxoGbLkWBmKlrJClFz31gvFdiIF7mss+suSl4M2F8ww5h+X5Hjrn0Tgy3g=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=hHkYlsOJ; arc=none smtp.client-ip=74.125.224.44
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="hHkYlsOJ"
Received: by mail-yx1-f44.google.com with SMTP id
 956f58d0204a3-6495d592c10so1804138d50.1
        for <linux-kernel@vger.kernel.org>;
 Fri, 30 Jan 2026 01:12:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1769764375; x=1770369175;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=BqsnWikU7Lohq8AD8p2s7XQz/GMEbrveKNhDBDZTgGs=;
        b=hHkYlsOJkVN2yOPWTIzxlQSqBnib6rCkTSb9hSkp7dQ9iaqChv44lPVraJsUrvh439
         WsIHIGSIjVBtrjwHolr4GnjmP9mqOsB3s2mW7rYa/i6u4cBRaYeDMHFk+UabTcL13sbN
         Y1sm4628cS93WkafOwCiZr0s5z7+3JY2XAaSG3gx6Nwm/Fwc4t1i6MmEbyMdtTkuhHvn
         3EOyAeQlxkZsqDAfCMKwpeaiv5zybwtZ+o6OUtl6pQdDK7ntX+frTfv4KaorL+fAFRso
         TW/fla1ecuWSG15jCp/H/af7DdoGuCaOIr+mJZqf7kjWM6uC7II28H++6R/gXfLKeyzo
         zKcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1769764375; x=1770369175;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=BqsnWikU7Lohq8AD8p2s7XQz/GMEbrveKNhDBDZTgGs=;
        b=p3bE14eJgWPDkv8ypXZVJuLF9p+3t67oUTGeW/gc7V9mTY1MzapmjYt8yhbKh/4in/
         rKlNi7XcwZACzRXkLGDDtg/NFCrd0WmrR4Q/F7wj/Ea0RJksy057xPMl64tZFouS9mh6
         pWGO5cRayZLfJO4GHrIkFf4vVeDAnPTXsmaUMuSyeUcPdTJwHtCeJkOy/sloL1sXMKUI
         iAN7yB/MwNqwfTY1ioxccbcB+yxSdhyy4Vy0KTQ6aCioqzhdH3jAzusCT2iKtK17OTWD
         3GhQ5mChVgxc/D5MkmMJ4h/9JodaCwDwmj6ZvESgnxZ4+DLLtg0kyAgK9DiK6OuaA7+3
         vurg==
X-Forwarded-Encrypted: i=1;
 AJvYcCXIoQmS3CSoyRdSi1xB92/g22z0eV7DXWLG669QafCq78UC4ZH+29jbtqFpBCrdkOtxw23hBDjEL51FfwA=@vger.kernel.org
X-Gm-Message-State: AOJu0Yz+1e2FzEHfMsWHEq/0/83oQahnATQ3ifw7lp5gE2mF7y+j4R0S
	u3XrN7dEydRJMWUF6mzy3f9WnVuGDX0HanwtglFo1IW0kZm98n7AmSTs
X-Gm-Gg: AZuq6aJutJKs07wokfWqfB14FONuFUZW3MUhcnyix4r1jC5oTnLLDK/ZoKyN2iYTXJ6
	i8UMPjXJ298DCjplcVqyUdm4VBjxffVd1E81WPwZPq0lSgydM6bLeLYOHf1ztr2CtBsH4O9jlJT
	cYFnIO5pIkKh0FYDa9T4hk4zJi0dVrteeK1SuzLSRZD1r1SJp9mw2Kh/JU9aj448KihX4LvGywg
	i5ntSIj9I04U2JklWu3Qa62VS7K5dTZR3IAKzr+GGed56Tz95rCQIt0Zho33+ufFHmX75EHMBQm
	jBrlkoBYhnmO+bxbD41/eyM+BKv+sfzOkv33Rjewrd19u5PFm2+RmtZcB7Tiy7BO2nCx1gSmZ9G
	ensofJ8ii9zpSnvOzEaR6dNgfTU5kQtUbbLtWVq46YygOebWMK6Npj6uSCE+IIU96kDgHGtYHuW
	0kQU7dXuZ2IRZ2FaCcIp+gCuTMMuHVj/a6K5RfUU/3Zgk6BlqYDk8zRypay35y1kBGd0cJun8Ja
	gfYIJDG3vf7dpFtIS3Sv3KtkRuu974z/XzylOi/mvDaCWc=
X-Received: by 2002:a05:690e:1688:b0:644:6ad4:fdfd with SMTP id
 956f58d0204a3-649a84ee166mr1735838d50.71.1769764374801;
        Fri, 30 Jan 2026 01:12:54 -0800 (PST)
Received: from u2404-VMware-Virtual-Platform.localdomain
 (108-214-96-168.lightspeed.sntcca.sbcglobal.net. [108.214.96.168])
        by smtp.gmail.com with ESMTPSA id
 956f58d0204a3-64996063f90sm3436470d50.2.2026.01.30.01.12.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 30 Jan 2026 01:12:54 -0800 (PST)
From: Sun Jian <sun.jian.kdev@gmail.com>
To: ast@kernel.org,
	daniel@iogearbox.net
Cc: andrii@kernel.org,
	shuah@kernel.org,
	bpf@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Sun Jian <sun.jian.kdev@gmail.com>
Subject: [PATCH] selftests/bpf: skip deny_namespace when bpf LSM is not
 enabled
Date: Fri, 30 Jan 2026 17:12:45 +0800
Message-ID: <20260130091245.3824029-1-sun.jian.kdev@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

deny_namespace/userns_create_bpf relies on BPF LSM being active in the LSM
chain. When /sys/kernel/security/lsm does not contain "bpf" (e.g. virtme-ng
default), this test can't validate the expected EPERM behavior. Reporting
FAIL in that case is misleading noise for CI.

Detect missing bpf in the active LSM list and skip the test with a short
hint to boot with lsm=3D...,bpf.

Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
---
 .../selftests/bpf/prog_tests/deny_namespace.c | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/deny_namespace.c b/tool=
s/testing/selftests/bpf/prog_tests/deny_namespace.c
index 1bc6241b755b..5fb31912dd98 100644
--- a/tools/testing/selftests/bpf/prog_tests/deny_namespace.c
+++ b/tools/testing/selftests/bpf/prog_tests/deny_namespace.c
@@ -5,6 +5,7 @@
 #include <sched.h>
 #include "cap_helpers.h"
 #include <stdio.h>
+#include <string.h>
=20
 static int wait_for_pid(pid_t pid)
 {
@@ -46,6 +47,36 @@ static int create_user_ns(void)
 	return wait_for_pid(pid);
 }
=20
+static bool bpf_lsm_enabled(void)
+{
+	FILE *f;
+	char buf[512];
+	bool enabled =3D false;
+
+	f =3D fopen("/sys/kernel/security/lsm", "r");
+	if (!f)
+		return false;
+
+	if (!fgets(buf, sizeof(buf), f)) {
+		fclose(f);
+		return false;
+	}
+	fclose(f);
+
+	buf[strcspn(buf, "\n")] =3D '\0';
+
+	for (char *saveptr =3D NULL, *tok =3D strtok_r(buf, ",", &saveptr);
+		tok;
+		tok =3D strtok_r(NULL, ",", &saveptr)) {
+		if (!strcmp(tok, "bpf")) {
+			enabled =3D true;
+			break;
+		}
+	}
+
+	return enabled;
+}
+
 static void test_userns_create_bpf(void)
 {
 	__u32 cap_mask =3D 1ULL << CAP_SYS_ADMIN;
@@ -88,6 +119,13 @@ void test_deny_namespace(void)
 	if (!ASSERT_OK_PTR(skel, "skel load"))
 		goto close_prog;
=20
+	if (!bpf_lsm_enabled()) {
+		printf("%s:SKIP:bpf LSM not enabled (boot with lsm=3D...,bpf)\n",
+		       __func__);
+		test__skip();
+		goto close_prog;
+	}
+
 	err =3D test_deny_namespace__attach(skel);
 	if (!ASSERT_OK(err, "attach"))
 		goto close_prog;
--=20
2.43.0