Projects
Mega:23.03
systemd
_service:tar_scm:backport-namespace-util-introd...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-namespace-util-introduce-userns_acquire-as-helper-fo.patch of Package systemd
From 979b0ff2c4dbebb3c04e3bca22be18e82a631098 Mon Sep 17 00:00:00 2001 From: Lennart Poettering <lennart@poettering.net> Date: Wed, 20 Oct 2021 13:15:27 +0200 Subject: [PATCH] namespace-util: introduce userns_acquire() as helper for allocating new unbound userns This returns a namespace fd, and takes a uidmap/gidmap as string. This is split out out mount-util.c's remount_idmap() logic, so that we can allocate a userns independently. --- src/basic/namespace-util.c | 41 ++++++++++++++++++++++++++++++++++++++ src/basic/namespace-util.h | 2 ++ src/shared/mount-util.c | 29 ++++----------------------- 3 files changed, 47 insertions(+), 25 deletions(-) diff --git a/src/basic/namespace-util.c b/src/basic/namespace-util.c index a55b76d..bf3e91c 100644 --- a/src/basic/namespace-util.c +++ b/src/basic/namespace-util.c @@ -5,6 +5,7 @@ #include <sys/mount.h> #include "fd-util.h" +#include "fileio.h" #include "missing_fs.h" #include "missing_magic.h" #include "namespace-util.h" @@ -183,3 +184,43 @@ int detach_mount_namespace(void) { return 0; } + +int userns_acquire(const char *uid_map, const char *gid_map) { + char path[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(pid_t) + 1]; + _cleanup_(sigkill_waitp) pid_t pid = 0; + _cleanup_close_ int userns_fd = -1; + int r; + + assert(uid_map); + assert(gid_map); + + /* Forks off a process in a new userns, configures the specified uidmap/gidmap, acquires an fd to it, + * and then kills the process again. This way we have a userns fd that is not bound to any + * process. We can use that for file system mounts and similar. */ + + r = safe_fork("(sd-mkuserns)", FORK_CLOSE_ALL_FDS|FORK_DEATHSIG|FORK_NEW_USERNS, &pid); + if (r < 0) + return r; + if (r == 0) { + /* Child. We do nothing here, just freeze until somebody kills us. */ + freeze(); + _exit(EXIT_FAILURE); + } + + xsprintf(path, "/proc/" PID_FMT "/uid_map", pid); + r = write_string_file(path, uid_map, WRITE_STRING_FILE_DISABLE_BUFFER); + if (r < 0) + return log_error_errno(r, "Failed to write UID map: %m"); + + xsprintf(path, "/proc/" PID_FMT "/gid_map", pid); + r = write_string_file(path, gid_map, WRITE_STRING_FILE_DISABLE_BUFFER); + if (r < 0) + return log_error_errno(r, "Failed to write GID map: %m"); + + r = namespace_open(pid, NULL, NULL, NULL, &userns_fd, NULL); + if (r < 0) + return log_error_errno(r, "Failed to open netns fd: %m"); + + return TAKE_FD(userns_fd); + +} diff --git a/src/basic/namespace-util.h b/src/basic/namespace-util.h index 39a6a46..24dce09 100644 --- a/src/basic/namespace-util.h +++ b/src/basic/namespace-util.h @@ -24,3 +24,5 @@ static inline bool userns_shift_range_valid(uid_t shift, uid_t range) { return true; } + +int userns_acquire(const char *uid_map, const char *gid_map); diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c index 8ad395c..7a368e7 100644 --- a/src/shared/mount-util.c +++ b/src/shared/mount-util.c @@ -999,39 +999,18 @@ int make_mount_point(const char *path) { } static int make_userns(uid_t uid_shift, uid_t uid_range) { - char uid_map[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(uid_t) + 1], line[DECIMAL_STR_MAX(uid_t)*3+3+1]; - _cleanup_(sigkill_waitp) pid_t pid = 0; + char line[DECIMAL_STR_MAX(uid_t)*3+3+1]; _cleanup_close_ int userns_fd = -1; - int r; /* Allocates a userns file descriptor with the mapping we need. For this we'll fork off a child * process whose only purpose is to give us a new user namespace. It's killed when we got it. */ - r = safe_fork("(sd-mkuserns)", FORK_CLOSE_ALL_FDS|FORK_DEATHSIG|FORK_NEW_USERNS, &pid); - if (r < 0) - return r; - if (r == 0) { - /* Child. We do nothing here, just freeze until somebody kills us. */ - freeze(); - _exit(EXIT_FAILURE); - } - xsprintf(line, UID_FMT " " UID_FMT " " UID_FMT "\n", 0, uid_shift, uid_range); - xsprintf(uid_map, "/proc/" PID_FMT "/uid_map", pid); - r = write_string_file(uid_map, line, WRITE_STRING_FILE_DISABLE_BUFFER); - if (r < 0) - return log_error_errno(r, "Failed to write UID map: %m"); - /* We always assign the same UID and GID ranges */ - xsprintf(uid_map, "/proc/" PID_FMT "/gid_map", pid); - r = write_string_file(uid_map, line, WRITE_STRING_FILE_DISABLE_BUFFER); - if (r < 0) - return log_error_errno(r, "Failed to write GID map: %m"); - - r = namespace_open(pid, NULL, NULL, NULL, &userns_fd, NULL); - if (r < 0) - return r; + userns_fd = userns_acquire(line, line); + if (userns_fd < 0) + return log_debug_errno(userns_fd, "Failed to acquire new userns: %m"); return TAKE_FD(userns_fd); } -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2