From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefano Brivio
To: passt-dev@passt.top
Subject: [PATCH 08/22] conf, pasta: Explicitly pass CLONE_{NEWUSER,NEWNET} to setns()
Date: Fri, 28 Jan 2022 19:33:43 +0100
Message-ID: <20220128183357.3407606-9-sbrivio@redhat.com>
In-Reply-To: <20220128183357.3407606-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0645564265565216365=="

--===============0645564265565216365==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Only allow the intended types of namespaces to be joined via setns() as a defensive measure.

Signed-off-by: Stefano Brivio
---
 conf.c | 4 ++--
 pasta.c | 6 ++++--
 util.c | 4 ++--
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/conf.c b/conf.c
index ab91b7f..6810144 100644
--- a/conf.c
+++ b/conf.c
@@ -347,8 +347,8 @@ static int conf_ns_check(void *arg)
 {
 struct ctx *c =3D (struct ctx *)arg;
=20
- if ((!c->netns_only && setns(c->pasta_userns_fd, 0)) ||
- setns(c->pasta_netns_fd, 0))
+ if ((!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER)) ||
+ setns(c->pasta_netns_fd, CLONE_NEWNET))
 c->pasta_userns_fd =3D c->pasta_netns_fd =3D -1;
=20
 return 0;
diff --git a/pasta.c b/pasta.c
index a2b842b..bcc1261 100644
--- a/pasta.c
+++ b/pasta.c
@@ -148,13 +148,15 @@ static int pasta_wait_for_ns(void *arg)
 snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
 do
 while ((c->pasta_userns_fd =3D open(ns, O_RDONLY)) < 0);
- while (setns(c->pasta_userns_fd, 0) && !close(c->pasta_userns_fd));
+ while (setns(c->pasta_userns_fd, CLONE_NEWUSER) &&
+ !close(c->pasta_userns_fd));
=20
 netns:
 snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
 do
 while ((c->pasta_netns_fd =3D open(ns, O_RDONLY)) < 0);
- while (setns(c->pasta_netns_fd, 0) && !close(c->pasta_netns_fd));
+ while (setns(c->pasta_netns_fd, CLONE_NEWNET) &&
+ !close(c->pasta_netns_fd));
=20
 return 0;
 }
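Review bot: A failed setns() on the new lines collapses both descriptors to -1, so the caller learns only that the check failed, not which namespace was rejected or why — and now that CLONE_NEWUSER/CLONE_NEWNET are passed, an EINVAL specifically means the descriptor does not refer to a namespace of the requested type, which is exactly the case this commit defends against and the one worth reporting. Saving the error per call, e.g. `int err = errno;` right after each failing setns() and logging it, would keep that distinction without changing the -1 convention. The descriptors are also overwritten without a `close()`, which is only fine if the process that ran this check exits or discards them afterwards; a one-line comment stating that intent would make it checkable. conf_ns_check's signature line and closing brace lie outside the hunk.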
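Review bot: The rewrapped retry loops still busy-spin with no bound, backoff or exit condition: if setns() keeps failing — now also when the descriptor opened from `/proc/<pid>/ns/user` or `/proc/<pid>/ns/net` is not a namespace of the type the new CLONE_NEWUSER / CLONE_NEWNET argument demands — the fd is closed, reopened and tried again forever, and the `open()` loop above each one spins the same way if the child has gone away. A retry budget (an iteration count or a deadline, with a short sleep between attempts) that lets pasta_wait_for_ns return an error instead of hanging would turn a misbehaving child into a diagnosable failure. Since errno is discarded on every iteration, the condition the loop waits out — presumably the child not yet having unshared its namespaces — also deserves a comment, e.g. `/* setns() fails until the child has created its own namespace: retry */`. pasta_wait_for_ns begins above the hunk.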
diff --git a/util.c b/util.c
index d172ad8..7a3ea51 100644
--- a/util.c
+++ b/util.c
@@ -469,10 +469,10 @@ void procfs_scan_listen(char *name, uint8_t *map, uint8= _t *exclude)
 */
 int ns_enter(struct ctx *c)
 {
- if (!c->netns_only && setns(c->pasta_userns_fd, 0))
+ if (!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER))
 return -errno;
=20
- if (setns(c->pasta_netns_fd, 0))
+ if (setns(c->pasta_netns_fd, CLONE_NEWNET))
 return -errno;
=20
 return 0;
--=20
2.33.0
--===============0645564265565216365==--
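Review bot: When the user-namespace setns() on the first new line succeeds and the network-namespace one on the second fails, ns_enter returns -errno but the calling thread has already moved into the new user namespace and nothing in this function undoes that, so the error return understates the state change. The comment block ending just above `int ns_enter` (its opening is outside the hunk) should state that a non-zero return may leave the caller already in the user namespace, and that callers must not continue on the assumption that nothing was joined. Reading `-errno` immediately after the failing call, before any other library call, is correct and should stay that way.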