From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Gibson To: passt-dev@passt.top Subject: [PATCH v3 04/10] Safer handling if we can't open /proc/self/uid_map Date: Mon, 12 Sep 2022 22:24:02 +1000 Message-ID: <20220912122408.1372372-5-david@gibson.dropbear.id.au> In-Reply-To: <20220912122408.1372372-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4424023402699309521==" --===============4424023402699309521== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable passt is allowed to run as "root" (UID 0) in a user namespace, but notas real root in the init namespace. We read /proc/self/uid_map to determine if we're in the init namespace or not. If we're unable to open /proc/self/uid_map we assume we're ok and continue running as UID 0. This seems unwise. The only instances I can think of where uid_map won't be available are if the host kernel doesn't support namespaces, or /proc is not mounted. In neither case is it safe to assume we're "not really" root and continue (although in practice we'd likely fail for other reasons pretty soon anyway). Therefore, fail with an error in this case, instead of carrying on. Signed-off-by: David Gibson --- conf.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/conf.c b/conf.c index a97e055..b669f5d 100644 --- a/conf.c +++ b/conf.c @@ -1054,8 +1054,12 @@ static int conf_ugid(const char *runas, uid_t *uid, gi= d_t *gid) return 0; =20 /* ...or at least not root in the init namespace... */ - if ((fd =3D open("/proc/self/uid_map", O_RDONLY | O_CLOEXEC)) < 0) - return 0; + if ((fd =3D open("/proc/self/uid_map", O_RDONLY | O_CLOEXEC)) < 0) { + ret =3D -errno; + err("Can't determine if we're in init namespace: %s", + strerror(-ret)); + return ret; + } =20 if (read(fd, buf, BUFSIZ) !=3D sizeof(root_uid_map) || strncmp(buf, root_uid_map, sizeof(root_uid_map) - 1)) { --=20 2.37.3 --===============4424023402699309521==--