File _service:tar_scm:backport-namespace-util-introd... of Package systemd

File _service:tar_scm:backport-namespace-util-introduce-userns_acquire-as-helper-fo.patch of Package systemd

From 979b0ff2c4dbebb3c04e3bca22be18e82a631098 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 20 Oct 2021 13:15:27 +0200
Subject: [PATCH] namespace-util: introduce userns_acquire() as helper for
 allocating new unbound userns

This returns a namespace fd, and takes a uidmap/gidmap as string. This
is split out out mount-util.c's remount_idmap() logic, so that we can
allocate a userns independently.
---
 src/basic/namespace-util.c | 41 ++++++++++++++++++++++++++++++++++++++
 src/basic/namespace-util.h |  2 ++
 src/shared/mount-util.c    | 29 ++++-----------------------
 3 files changed, 47 insertions(+), 25 deletions(-)

diff --git a/src/basic/namespace-util.c b/src/basic/namespace-util.c
index a55b76d..bf3e91c 100644
--- a/src/basic/namespace-util.c
+++ b/src/basic/namespace-util.c
@@ -5,6 +5,7 @@
 #include <sys/mount.h>
 
 #include "fd-util.h"
+#include "fileio.h"
 #include "missing_fs.h"
 #include "missing_magic.h"
 #include "namespace-util.h"
@@ -183,3 +184,43 @@ int detach_mount_namespace(void) {
 
         return 0;
 }
+
+int userns_acquire(const char *uid_map, const char *gid_map) {
+        char path[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(pid_t) + 1];
+        _cleanup_(sigkill_waitp) pid_t pid = 0;
+        _cleanup_close_ int userns_fd = -1;
+        int r;
+
+        assert(uid_map);
+        assert(gid_map);
+
+        /* Forks off a process in a new userns, configures the specified uidmap/gidmap, acquires an fd to it,
+         * and then kills the process again. This way we have a userns fd that is not bound to any
+         * process. We can use that for file system mounts and similar. */
+
+        r = safe_fork("(sd-mkuserns)", FORK_CLOSE_ALL_FDS|FORK_DEATHSIG|FORK_NEW_USERNS, &pid);
+        if (r < 0)
+                return r;
+        if (r == 0) {
+                /* Child. We do nothing here, just freeze until somebody kills us. */
+                freeze();
+                _exit(EXIT_FAILURE);
+        }
+
+        xsprintf(path, "/proc/" PID_FMT "/uid_map", pid);
+        r = write_string_file(path, uid_map, WRITE_STRING_FILE_DISABLE_BUFFER);
+        if (r < 0)
+                return log_error_errno(r, "Failed to write UID map: %m");
+
+        xsprintf(path, "/proc/" PID_FMT "/gid_map", pid);
+        r = write_string_file(path, gid_map, WRITE_STRING_FILE_DISABLE_BUFFER);
+        if (r < 0)
+                return log_error_errno(r, "Failed to write GID map: %m");
+
+        r = namespace_open(pid, NULL, NULL, NULL, &userns_fd, NULL);
+        if (r < 0)
+                return log_error_errno(r, "Failed to open netns fd: %m");
+
+        return TAKE_FD(userns_fd);
+
+}
diff --git a/src/basic/namespace-util.h b/src/basic/namespace-util.h
index 39a6a46..24dce09 100644
--- a/src/basic/namespace-util.h
+++ b/src/basic/namespace-util.h
@@ -24,3 +24,5 @@ static inline bool userns_shift_range_valid(uid_t shift, uid_t range) {
 
         return true;
 }
+
+int userns_acquire(const char *uid_map, const char *gid_map);
diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
index 8ad395c..7a368e7 100644
--- a/src/shared/mount-util.c
+++ b/src/shared/mount-util.c
@@ -999,39 +999,18 @@ int make_mount_point(const char *path) {
 }
 
 static int make_userns(uid_t uid_shift, uid_t uid_range) {
-        char uid_map[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(uid_t) + 1], line[DECIMAL_STR_MAX(uid_t)*3+3+1];
-        _cleanup_(sigkill_waitp) pid_t pid = 0;
+        char line[DECIMAL_STR_MAX(uid_t)*3+3+1];
         _cleanup_close_ int userns_fd = -1;
-        int r;
 
         /* Allocates a userns file descriptor with the mapping we need. For this we'll fork off a child
          * process whose only purpose is to give us a new user namespace. It's killed when we got it. */
 
-        r = safe_fork("(sd-mkuserns)", FORK_CLOSE_ALL_FDS|FORK_DEATHSIG|FORK_NEW_USERNS, &pid);
-        if (r < 0)
-                return r;
-        if (r == 0) {
-                /* Child. We do nothing here, just freeze until somebody kills us. */
-                freeze();
-                _exit(EXIT_FAILURE);
-        }
-
         xsprintf(line, UID_FMT " " UID_FMT " " UID_FMT "\n", 0, uid_shift, uid_range);
 
-        xsprintf(uid_map, "/proc/" PID_FMT "/uid_map", pid);
-        r = write_string_file(uid_map, line, WRITE_STRING_FILE_DISABLE_BUFFER);
-        if (r < 0)
-                return log_error_errno(r, "Failed to write UID map: %m");
-
         /* We always assign the same UID and GID ranges */
-        xsprintf(uid_map, "/proc/" PID_FMT "/gid_map", pid);
-        r = write_string_file(uid_map, line, WRITE_STRING_FILE_DISABLE_BUFFER);
-        if (r < 0)
-                return log_error_errno(r, "Failed to write GID map: %m");
-
-        r = namespace_open(pid, NULL, NULL, NULL, &userns_fd, NULL);
-        if (r < 0)
-                return r;
+        userns_fd = userns_acquire(line, line);
+        if (userns_fd < 0)
+                return log_debug_errno(userns_fd, "Failed to acquire new userns: %m");
 
         return TAKE_FD(userns_fd);
 }
-- 
2.33.0