From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH 08/22] conf, pasta: Explicitly pass CLONE_{NEWUSER,NEWNET} to setns()
Date: Fri, 28 Jan 2022 19:33:43 +0100 [thread overview]
Message-ID: <20220128183357.3407606-9-sbrivio@redhat.com> (raw)
In-Reply-To: <20220128183357.3407606-1-sbrivio@redhat.com>
Only allow the intended types of namespaces to be joined via setns()
as a defensive measure.
Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
---
conf.c | 4 ++--
pasta.c | 6 ++++--
util.c | 4 ++--
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/conf.c b/conf.c
index ab91b7f..6810144 100644
--- a/conf.c
+++ b/conf.c
@@ -347,8 +347,8 @@ static int conf_ns_check(void *arg)
{
struct ctx *c = (struct ctx *)arg;
- if ((!c->netns_only && setns(c->pasta_userns_fd, 0)) ||
- setns(c->pasta_netns_fd, 0))
+ if ((!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER)) ||
+ setns(c->pasta_netns_fd, CLONE_NEWNET))
c->pasta_userns_fd = c->pasta_netns_fd = -1;
return 0;
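Review bot: the failure branch in this hunk marks both descriptors as -1 without closing them, so a setns() that now fails with EINVAL (an fd of the wrong namespace type, which is exactly the case the nstype argument is meant to catch) leaks the open fds in the helper; consider close()-ing c->pasta_userns_fd and c->pasta_netns_fd before resetting them, and note that conf_ns_check() still returns 0 either way, so the caller must inspect the -1 sentinel rather than a return code to learn the check failed.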
diff --git a/pasta.c b/pasta.c
index a2b842b..bcc1261 100644
--- a/pasta.c
+++ b/pasta.c
@@ -148,13 +148,15 @@ static int pasta_wait_for_ns(void *arg)
snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
do
while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0);
- while (setns(c->pasta_userns_fd, 0) && !close(c->pasta_userns_fd));
+ while (setns(c->pasta_userns_fd, CLONE_NEWUSER) &&
+ !close(c->pasta_userns_fd));
netns:
snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
do
while ((c->pasta_netns_fd = open(ns, O_RDONLY)) < 0);
- while (setns(c->pasta_netns_fd, 0) && !close(c->pasta_netns_fd));
+ while (setns(c->pasta_netns_fd, CLONE_NEWNET) &&
+ !close(c->pasta_netns_fd));
return 0;
}
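Review bot: both do/while loops in this hunk retry open() and setns() unconditionally, so with the stricter nstype a persistent setns() error (EINVAL for a wrong type, or EPERM for a missing capability) makes pasta_wait_for_ns() busy-spin forever instead of reporting the problem; checking errno after setns() and giving up on anything other than a transient error (the namespace not existing yet) would keep the wait loop bounded, and a short sleep between attempts would avoid pegging a CPU while the child is still setting up.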
diff --git a/util.c b/util.c
index d172ad8..7a3ea51 100644
--- a/util.c
+++ b/util.c
@@ -469,10 +469,10 @@ void procfs_scan_listen(char *name, uint8_t *map, uint8_t *exclude)
*/
int ns_enter(struct ctx *c)
{
- if (!c->netns_only && setns(c->pasta_userns_fd, 0))
+ if (!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER))
return -errno;
- if (setns(c->pasta_netns_fd, 0))
+ if (setns(c->pasta_netns_fd, CLONE_NEWNET))
return -errno;
return 0;
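Review bot: ns_enter() has no rollback when the first setns(CLONE_NEWUSER) succeeds and the second setns(CLONE_NEWNET) then fails, so the caller is left in the new user namespace while the function returns -errno; either document that the caller must treat a failure as fatal, or avoid the half-joined state. Also worth confirming that util.c (and conf.c, pasta.c) already include <sched.h> with _GNU_SOURCE defined, since CLONE_NEWUSER and CLONE_NEWNET come from there and the hunks do not show the includes.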
--
2.33.0