From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top, David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH v2 10/11] isolation: Only configure UID/GID mappings in userns when spawning shell
Date: Fri, 14 Oct 2022 15:25:36 +1100 [thread overview]
Message-ID: <20221014042537.2466015-11-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20221014042537.2466015-1-david@gibson.dropbear.id.au>
When in passt mode, or pasta mode spawning a command, we create a userns
for ourselves. This is used both to isolate the pasta/passt process itself
and to run the spawned command, if any.
Since eed17a47 "Handle userns isolation and dropping root at the same time"
we've handled both cases the same, configuring the UID and GID mappings in
the new userns to map whichever UID we're running as to root within the
userns.
This mapping is desirable when spawning a shell or other command, so that
the user gets a root shell with reasonably clear abilities within the
userns and netns. It's not necessarily essential, though. When not
spawning a shell, it doesn't really have any purpose: passt itself doesn't
need to be root and can operate fine with an unmapped user (using some of
the capabilities we get when entering the userns instead).
Configuring the uid_map can cause problems if passt is running with any
capabilities in the initial namespace, such as CAP_NET_BIND_SERVICE to
allow it to forward low ports. In this case the kernel makes files in
/proc/pid owned by root rather than the starting user to prevent the user
from interfering with the operation of the capability-enhanced process.
This includes uid_map meaning we are not able to write to it.
Whether this behaviour is correct in the kernel is debatable, but in any
case we might as well avoid problems by only initializing the user mappings
when we really want them.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
conf.c | 3 ++-
isolation.c | 13 -------------
pasta.c | 15 ++++++++++++++-
pasta.h | 3 ++-
4 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/conf.c b/conf.c
index 0be887e..601141c 100644
--- a/conf.c
+++ b/conf.c
@@ -1478,7 +1478,8 @@ void conf(struct ctx *c, int argc, char **argv)
if (*netns) {
pasta_open_ns(c, netns);
} else {
- pasta_start_ns(c, argc - optind, argv + optind);
+ pasta_start_ns(c, uid, gid,
+ argc - optind, argv + optind);
}
}
diff --git a/isolation.c b/isolation.c
index 85a5b62..2656085 100644
--- a/isolation.c
+++ b/isolation.c
@@ -264,23 +264,10 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns,
close(ufd);
} else if (use_userns) { /* Create and join a new userns */
- char uidmap[BUFSIZ];
- char gidmap[BUFSIZ];
-
if (unshare(CLONE_NEWUSER) != 0) {
err("Couldn't create user namespace: %s", strerror(errno));
exit(EXIT_FAILURE);
}
-
- /* Configure user and group mappings */
- snprintf(uidmap, BUFSIZ, "0 %u 1", uid);
- snprintf(gidmap, BUFSIZ, "0 %u 1", gid);
-
- if (write_file("/proc/self/uid_map", uidmap) ||
- write_file("/proc/self/setgroups", "deny") ||
- write_file("/proc/self/gid_map", gidmap)) {
- warn("Couldn't configure user namespace");
- }
}
/* Joining a new userns gives us full capabilities; drop the
diff --git a/pasta.c b/pasta.c
index 6314a29..d165602 100644
--- a/pasta.c
+++ b/pasta.c
@@ -179,15 +179,19 @@ static int pasta_setup_ns(void *arg)
/**
* pasta_start_ns() - Fork command in new namespace if target ns is not given
* @c: Execution context
+ * @uid: UID we're running as in the init namespace
+ * @gid: GID we're running as in the init namespace
* @argc: Number of arguments for spawned command
* @argv: Command to spawn and arguments
*/
-void pasta_start_ns(struct ctx *c, int argc, char *argv[])
+void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid,
+ int argc, char *argv[])
{
struct pasta_setup_ns_arg arg = {
.exe = argv[0],
.argv = argv,
};
+ char uidmap[BUFSIZ], gidmap[BUFSIZ];
char ns_fn_stack[NS_FN_STACK_SIZE];
char *sh_argv[] = { NULL, NULL };
char sh_arg0[PATH_MAX + 1];
@@ -196,6 +200,15 @@ void pasta_start_ns(struct ctx *c, int argc, char *argv[])
if (!c->debug)
c->quiet = 1;
+ /* Configure user and group mappings */
+ snprintf(uidmap, BUFSIZ, "0 %u 1", uid);
+ snprintf(gidmap, BUFSIZ, "0 %u 1", gid);
+
+ if (write_file("/proc/self/uid_map", uidmap) ||
+ write_file("/proc/self/setgroups", "deny") ||
+ write_file("/proc/self/gid_map", gidmap)) {
+ warn("Couldn't configure user mappings");
+ }
if (argc == 0) {
arg.exe = getenv("SHELL");
diff --git a/pasta.h b/pasta.h
index 02df1f6..a8b9893 100644
--- a/pasta.h
+++ b/pasta.h
@@ -7,7 +7,8 @@
#define PASTA_H
void pasta_open_ns(struct ctx *c, const char *netns);
-void pasta_start_ns(struct ctx *c, int argc, char *argv[]);
+void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid,
+ int argc, char *argv[]);
void pasta_ns_conf(struct ctx *c);
void pasta_child_handler(int signal);
int pasta_netns_quit_init(struct ctx *c);
--
@@ -7,7 +7,8 @@
#define PASTA_H
void pasta_open_ns(struct ctx *c, const char *netns);
-void pasta_start_ns(struct ctx *c, int argc, char *argv[]);
+void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid,
+ int argc, char *argv[]);
void pasta_ns_conf(struct ctx *c);
void pasta_child_handler(int signal);
int pasta_netns_quit_init(struct ctx *c);
--
2.37.3
next prev parent reply other threads:[~2022-10-14 4:25 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-14 4:25 [PATCH v2 00/11] Fixes and cleanups for capability handling David Gibson
2022-10-14 4:25 ` [PATCH v2 01/11] test: Move slower tests to end of test run David Gibson
2022-10-14 4:25 ` [PATCH v2 02/11] pasta: More general way of starting spawned shell as a login shell David Gibson
2022-10-14 4:25 ` [PATCH v2 03/11] pasta_start_ns() always ends in parent context David Gibson
2022-10-14 4:25 ` [PATCH v2 04/11] Remove unhelpful drop_caps() call in pasta_start_ns() David Gibson
2022-10-14 4:25 ` [PATCH v2 05/11] isolation: Clarify various self-isolation steps David Gibson
2022-10-14 4:25 ` [PATCH v2 06/11] Replace FWRITE with a function David Gibson
2022-10-14 4:25 ` [PATCH v2 07/11] isolation: Refactor isolate_user() to allow for a common exit path David Gibson
2022-10-14 4:25 ` [PATCH v2 08/11] isolation: Replace drop_caps() with a version that actually does something David Gibson
2022-10-14 4:25 ` [PATCH v2 09/11] isolation: Prevent any child processes gaining capabilities David Gibson
2022-10-14 4:25 ` David Gibson [this message]
2022-10-14 4:25 ` [PATCH v2 11/11] Rename pasta_setup_ns() to pasta_spawn_cmd() David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221014042537.2466015-11-david@gibson.dropbear.id.au \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).