mirror of
				https://github.com/containers/podman.git
				synced 2025-10-26 10:45:26 +08:00 
			
		
		
		
	 807f6f8d8f
			
		
	
	807f6f8d8f
	
	
	
		
			
			change the tests to use chroot to set a numeric UID/GID. Go syscall.Credential doesn't change the effective UID/GID of the process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
		
			
				
	
	
		
			301 lines
		
	
	
		
			7.6 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			301 lines
		
	
	
		
			7.6 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // +build linux
 | |
| 
 | |
| package rootless
 | |
| 
 | |
| import (
 | |
| 	"fmt"
 | |
| 	"io/ioutil"
 | |
| 	"os"
 | |
| 	"os/exec"
 | |
| 	gosignal "os/signal"
 | |
| 	"os/user"
 | |
| 	"path/filepath"
 | |
| 	"runtime"
 | |
| 	"strconv"
 | |
| 	"syscall"
 | |
| 	"unsafe"
 | |
| 
 | |
| 	"github.com/containers/storage/pkg/idtools"
 | |
| 	"github.com/docker/docker/pkg/signal"
 | |
| 	"github.com/pkg/errors"
 | |
| )
 | |
| 
 | |
| /*
 | |
| extern int reexec_in_user_namespace(int ready);
 | |
| extern int reexec_in_user_namespace_wait(int pid);
 | |
| extern int reexec_userns_join(int userns);
 | |
| */
 | |
| import "C"
 | |
| 
 | |
| func runInUser() error {
 | |
| 	os.Setenv("_LIBPOD_USERNS_CONFIGURED", "done")
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // IsRootless tells us if we are running in rootless mode
 | |
| func IsRootless() bool {
 | |
| 	return os.Geteuid() != 0 || os.Getenv("_LIBPOD_USERNS_CONFIGURED") != ""
 | |
| }
 | |
| 
 | |
| var (
 | |
| 	skipStorageSetup = false
 | |
| )
 | |
| 
 | |
| // SetSkipStorageSetup tells the runtime to not setup containers/storage
 | |
| func SetSkipStorageSetup(v bool) {
 | |
| 	skipStorageSetup = v
 | |
| }
 | |
| 
 | |
| // SkipStorageSetup tells if we should skip the containers/storage setup
 | |
| func SkipStorageSetup() bool {
 | |
| 	return skipStorageSetup
 | |
| }
 | |
| 
 | |
| // GetRootlessUID returns the UID of the user in the parent userNS
 | |
| func GetRootlessUID() int {
 | |
| 	uidEnv := os.Getenv("_LIBPOD_ROOTLESS_UID")
 | |
| 	if uidEnv != "" {
 | |
| 		u, _ := strconv.Atoi(uidEnv)
 | |
| 		return u
 | |
| 	}
 | |
| 	return os.Getuid()
 | |
| }
 | |
| 
 | |
| func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) error {
 | |
| 	path, err := exec.LookPath(tool)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	appendTriplet := func(l []string, a, b, c int) []string {
 | |
| 		return append(l, fmt.Sprintf("%d", a), fmt.Sprintf("%d", b), fmt.Sprintf("%d", c))
 | |
| 	}
 | |
| 
 | |
| 	args := []string{path, fmt.Sprintf("%d", pid)}
 | |
| 	args = appendTriplet(args, 0, hostID, 1)
 | |
| 	if mappings != nil {
 | |
| 		for _, i := range mappings {
 | |
| 			args = appendTriplet(args, i.ContainerID+1, i.HostID, i.Size)
 | |
| 		}
 | |
| 	}
 | |
| 	cmd := exec.Cmd{
 | |
| 		Path: path,
 | |
| 		Args: args,
 | |
| 	}
 | |
| 	return cmd.Run()
 | |
| }
 | |
| 
 | |
| // JoinNS re-exec podman in a new userNS and join the user namespace of the specified
 | |
| // PID.
 | |
| func JoinNS(pid uint) (bool, int, error) {
 | |
| 	if os.Geteuid() == 0 || os.Getenv("_LIBPOD_USERNS_CONFIGURED") != "" {
 | |
| 		return false, -1, nil
 | |
| 	}
 | |
| 
 | |
| 	userNS, err := getUserNSForPid(pid)
 | |
| 	if err != nil {
 | |
| 		return false, -1, err
 | |
| 	}
 | |
| 	defer userNS.Close()
 | |
| 
 | |
| 	pidC := C.reexec_userns_join(C.int(userNS.Fd()))
 | |
| 	if int(pidC) < 0 {
 | |
| 		return false, -1, errors.Errorf("cannot re-exec process")
 | |
| 	}
 | |
| 
 | |
| 	ret := C.reexec_in_user_namespace_wait(pidC)
 | |
| 	if ret < 0 {
 | |
| 		return false, -1, errors.New("error waiting for the re-exec process")
 | |
| 	}
 | |
| 
 | |
| 	return true, int(ret), nil
 | |
| }
 | |
| 
 | |
| // BecomeRootInUserNS re-exec podman in a new userNS.  It returns whether podman was re-executed
 | |
| // into a new user namespace and the return code from the re-executed podman process.
 | |
| // If podman was re-executed the caller needs to propagate the error code returned by the child
 | |
| // process.
 | |
| func BecomeRootInUserNS() (bool, int, error) {
 | |
| 	if os.Geteuid() == 0 || os.Getenv("_LIBPOD_USERNS_CONFIGURED") != "" {
 | |
| 		if os.Getenv("_LIBPOD_USERNS_CONFIGURED") == "init" {
 | |
| 			return false, 0, runInUser()
 | |
| 		}
 | |
| 		return false, 0, nil
 | |
| 	}
 | |
| 
 | |
| 	runtime.LockOSThread()
 | |
| 	defer runtime.UnlockOSThread()
 | |
| 
 | |
| 	r, w, err := os.Pipe()
 | |
| 	if err != nil {
 | |
| 		return false, -1, err
 | |
| 	}
 | |
| 	defer r.Close()
 | |
| 	defer w.Close()
 | |
| 
 | |
| 	pidC := C.reexec_in_user_namespace(C.int(r.Fd()))
 | |
| 	pid := int(pidC)
 | |
| 	if pid < 0 {
 | |
| 		return false, -1, errors.Errorf("cannot re-exec process")
 | |
| 	}
 | |
| 
 | |
| 	var uids, gids []idtools.IDMap
 | |
| 	username := os.Getenv("USER")
 | |
| 	if username == "" {
 | |
| 		user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid()))
 | |
| 		if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" {
 | |
| 			return false, 0, errors.Wrapf(err, "could not find user by UID nor USER env was set")
 | |
| 		}
 | |
| 		if err == nil {
 | |
| 			username = user.Username
 | |
| 		}
 | |
| 	}
 | |
| 	mappings, err := idtools.NewIDMappings(username, username)
 | |
| 	if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" {
 | |
| 		return false, -1, err
 | |
| 	}
 | |
| 	if err == nil {
 | |
| 		uids = mappings.UIDs()
 | |
| 		gids = mappings.GIDs()
 | |
| 	}
 | |
| 
 | |
| 	uidsMapped := false
 | |
| 	if mappings != nil && uids != nil {
 | |
| 		uidsMapped = tryMappingTool("newuidmap", pid, os.Getuid(), uids) == nil
 | |
| 	}
 | |
| 	if !uidsMapped {
 | |
| 		setgroups := fmt.Sprintf("/proc/%d/setgroups", pid)
 | |
| 		err = ioutil.WriteFile(setgroups, []byte("deny\n"), 0666)
 | |
| 		if err != nil {
 | |
| 			return false, -1, errors.Wrapf(err, "cannot write setgroups file")
 | |
| 		}
 | |
| 
 | |
| 		uidMap := fmt.Sprintf("/proc/%d/uid_map", pid)
 | |
| 		err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getuid())), 0666)
 | |
| 		if err != nil {
 | |
| 			return false, -1, errors.Wrapf(err, "cannot write uid_map")
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	gidsMapped := false
 | |
| 	if mappings != nil && gids != nil {
 | |
| 		gidsMapped = tryMappingTool("newgidmap", pid, os.Getgid(), gids) == nil
 | |
| 	}
 | |
| 	if !gidsMapped {
 | |
| 		gidMap := fmt.Sprintf("/proc/%d/gid_map", pid)
 | |
| 		err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getgid())), 0666)
 | |
| 		if err != nil {
 | |
| 			return false, -1, errors.Wrapf(err, "cannot write gid_map")
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	_, err = w.Write([]byte("1"))
 | |
| 	if err != nil {
 | |
| 		return false, -1, errors.Wrapf(err, "write to sync pipe")
 | |
| 	}
 | |
| 
 | |
| 	c := make(chan os.Signal, 1)
 | |
| 
 | |
| 	gosignal.Notify(c)
 | |
| 	defer gosignal.Reset()
 | |
| 	go func() {
 | |
| 		for s := range c {
 | |
| 			if s == signal.SIGCHLD || s == signal.SIGPIPE {
 | |
| 				continue
 | |
| 			}
 | |
| 
 | |
| 			syscall.Kill(int(pidC), s.(syscall.Signal))
 | |
| 		}
 | |
| 	}()
 | |
| 
 | |
| 	ret := C.reexec_in_user_namespace_wait(pidC)
 | |
| 	if ret < 0 {
 | |
| 		return false, -1, errors.New("error waiting for the re-exec process")
 | |
| 	}
 | |
| 
 | |
| 	return true, int(ret), nil
 | |
| }
 | |
| 
 | |
| func readUserNs(path string) (string, error) {
 | |
| 	b := make([]byte, 256)
 | |
| 	_, err := syscall.Readlink(path, b)
 | |
| 	if err != nil {
 | |
| 		return "", err
 | |
| 	}
 | |
| 	return string(b), nil
 | |
| }
 | |
| 
 | |
| func readUserNsFd(fd uintptr) (string, error) {
 | |
| 	return readUserNs(filepath.Join("/proc/self/fd", fmt.Sprintf("%d", fd)))
 | |
| }
 | |
| 
 | |
| func getParentUserNs(fd uintptr) (uintptr, error) {
 | |
| 	const nsGetParent = 0xb702
 | |
| 	ret, _, errno := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(nsGetParent), 0)
 | |
| 	if errno != 0 {
 | |
| 		return 0, errno
 | |
| 	}
 | |
| 	return (uintptr)(unsafe.Pointer(ret)), nil
 | |
| }
 | |
| 
 | |
| // getUserNSForPid returns an open FD for the first direct child user namespace that created the process
 | |
| // Each container creates a new user namespace where the runtime runs.  The current process in the container
 | |
| // might have created new user namespaces that are child of the initial namespace we created.
 | |
| // This function finds the initial namespace created for the container that is a child of the current namespace.
 | |
| //
 | |
| //                                     current ns
 | |
| //                                       /     \
 | |
| //                           TARGET ->  a   [other containers]
 | |
| //                                     /
 | |
| //                                    b
 | |
| //                                   /
 | |
| //        NS READ USING THE PID ->  c
 | |
| func getUserNSForPid(pid uint) (*os.File, error) {
 | |
| 	currentNS, err := readUserNs("/proc/self/ns/user")
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	path := filepath.Join("/proc", fmt.Sprintf("%d", pid), "ns/user")
 | |
| 	u, err := os.Open(path)
 | |
| 	if err != nil {
 | |
| 		return nil, errors.Wrapf(err, "cannot open %s", path)
 | |
| 	}
 | |
| 
 | |
| 	fd := u.Fd()
 | |
| 	ns, err := readUserNsFd(fd)
 | |
| 	if err != nil {
 | |
| 		return nil, errors.Wrapf(err, "cannot read user namespace")
 | |
| 	}
 | |
| 	if ns == currentNS {
 | |
| 		return nil, errors.New("process running in the same user namespace")
 | |
| 	}
 | |
| 
 | |
| 	for {
 | |
| 		nextFd, err := getParentUserNs(fd)
 | |
| 		if err != nil {
 | |
| 			return nil, errors.Wrapf(err, "cannot get parent user namespace")
 | |
| 		}
 | |
| 
 | |
| 		ns, err = readUserNsFd(nextFd)
 | |
| 		if err != nil {
 | |
| 			return nil, errors.Wrapf(err, "cannot read user namespace")
 | |
| 		}
 | |
| 
 | |
| 		if ns == currentNS {
 | |
| 			syscall.Close(int(nextFd))
 | |
| 
 | |
| 			// Drop O_CLOEXEC for the fd.
 | |
| 			_, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_SETFD, 0)
 | |
| 			if errno != 0 {
 | |
| 				syscall.Close(int(fd))
 | |
| 				return nil, errno
 | |
| 			}
 | |
| 
 | |
| 			return os.NewFile(fd, "userns child"), nil
 | |
| 		}
 | |
| 		syscall.Close(int(fd))
 | |
| 		fd = nextFd
 | |
| 	}
 | |
| }
 |