Merge pull request #1979 from marcosps/issue_494

lxc_unshare: Add uid_mapping when creating userns

Merge pull request #1979 from marcosps/issue_494
68eeee2f · Christian Brauner · GitHub · 7ded3c18 · 344c9d81 · 68eeee2f
Unverified Commit 68eeee2f authored Dec 04, 2017 by Christian Brauner Committed by GitHub Dec 04, 2017
Show whitespace changes
Inline Side-by-side

Showing with 57 additions and 2 deletions

conf.c src/lxc/conf.c +1 -1

conf.h src/lxc/conf.h +3 -0

lxc_unshare.c src/lxc/tools/lxc_unshare.c +53 -1

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2431,7 +2431,7 @@ struct lxc_conf *lxc_conf_init(void)
 	return new;
 }
-static int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,
+int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,
 			    size_t buf_size)
 {
 	char path[MAXPATHLEN];

--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -361,6 +361,9 @@ struct lxc_conf {
 	char *inherit_ns[LXC_NS_MAX];
 };
+int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,
+			    size_t buf_size);
 #ifdef HAVE_TLS
 extern __thread struct lxc_conf *current_config;
 #else

--- a/src/lxc/tools/lxc_unshare.c
+++ b/src/lxc/tools/lxc_unshare.c
@@ -31,6 +31,7 @@
 #include <signal.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/eventfd.h>
 #include <sys/socket.h>
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -93,24 +94,37 @@ static bool lookup_user(const char *optarg, uid_t *uid)
 	return true;
 }
 struct start_arg {
 	char ***args;
 	int *flags;
 	uid_t *uid;
 	bool setuid;
 	int want_default_mounts;
+	int wait_fd;
 	const char *want_hostname;
 };
 static int do_start(void *arg)
 {
+	int ret;
+	uint64_t wait_val;
 	struct start_arg *start_arg = arg;
 	char **args = *start_arg->args;
 	int flags = *start_arg->flags;
 	uid_t uid = *start_arg->uid;
 	int want_default_mounts = start_arg->want_default_mounts;
 	const char *want_hostname = start_arg->want_hostname;
+	int wait_fd = start_arg->wait_fd;
+	if (start_arg->setuid) {
+		/* waiting until uid maps is set */
+		ret = read(wait_fd, &wait_val, sizeof(wait_val));
+		if (ret == -1) {
+			close(wait_fd);
+			fprintf(stderr, "read eventfd failed\n");
+			exit(EXIT_FAILURE);
+		}
+	}
 	if ((flags & CLONE_NEWNS) && want_default_mounts)
 		lxc_setup_fs();
@@ -143,6 +157,7 @@ int main(int argc, char *argv[])
 	int flags = 0, daemonize = 0;
 	uid_t uid = 0; /* valid only if (flags & CLONE_NEWUSER) */
 	pid_t pid;
+	uint64_t wait_val = 1;
 	struct my_iflist *tmpif, *my_iflist = NULL;
 	struct start_arg start_arg = {
 		.args = &args,
@@ -241,12 +256,49 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
+	if (start_arg.setuid) {
+		start_arg.wait_fd = eventfd(0, EFD_CLOEXEC);
+		if (start_arg.wait_fd < 0) {
+			fprintf(stderr, "failed to create eventfd\n");
+			exit(EXIT_FAILURE);
+		}
+	}
 	pid = lxc_clone(do_start, &start_arg, flags);
 	if (pid < 0) {
 		fprintf(stderr, "failed to clone\n");
 		exit(EXIT_FAILURE);
 	}
+	if (start_arg.setuid) {
+		/* enough space to accommodate uids */
+		char *umap = (char *)alloca(100);
+		/* create new uid mapping using current UID and the one
+		 * specified as parameter
+		 */
+		ret = snprintf(umap, 100, "%d %d 1\n" , *(start_arg.uid), getuid());
+		if (ret < 0 || ret >= 100) {
+			close(start_arg.wait_fd);
+			fprintf(stderr, "snprintf failed");
+			exit(EXIT_FAILURE);
+		}
+		ret = write_id_mapping(ID_TYPE_UID, pid, umap, strlen(umap));
+		if (ret < 0) {
+			close(start_arg.wait_fd);
+			fprintf(stderr, "uid mapping failed\n");
+			exit(EXIT_FAILURE);
+		}
+		ret = write(start_arg.wait_fd, &wait_val, sizeof(wait_val));
+		if (ret < 0) {
+			close(start_arg.wait_fd);
+			fprintf(stderr, "write to eventfd failed\n");
+			exit(EXIT_FAILURE);
+		}
+	}
 	if (my_iflist) {
 		for (tmpif = my_iflist; tmpif; tmpif = tmpif->mi_next) {
 			if (lxc_netdev_move_by_name(tmpif->mi_ifname, pid, NULL) < 0)