From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from gandalf.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by passt.top (Postfix) with ESMTPS id DB2C35A026D for ; Thu, 6 Apr 2023 05:28:27 +0200 (CEST) Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4PsRm56l5lz4xFm; Thu, 6 Apr 2023 13:28:21 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=201602; t=1680751701; bh=ZJNbKzJjR1Pc7WWrI1jTAIwSMSJq7909Frzs0DDE48A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AY7TSeGK96ZKUiQ22RJm5kQa889f8phej7iP0nsEXIj8h4r3C3Eqe4awm3k1MSRJy R+HS7pNXTPCgSWtst3nuqBIg7Hv9+bG+rNO8s1JrQBNbQ18uV6pr0vrLPbqL+YUMT+ uuvR5D4b7sv02ewbyyUfb8ABUsTvrHlYMo3pz/yE= From: David Gibson To: passt-dev@passt.top, Stefano Brivio Subject: [PATCH v2 09/14] nstool: Add nstool exec command to execute commands in an nstool namespace Date: Thu, 6 Apr 2023 13:28:14 +1000 Message-Id: <20230406032819.707441-10-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230406032819.707441-1-david@gibson.dropbear.id.au> References: <20230406032819.707441-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: J4KD7PHTEPIPF4CCOCTO3FG275CE7PY6 X-Message-ID-Hash: J4KD7PHTEPIPF4CCOCTO3FG275CE7PY6 X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This combines nstool info -pw with nsenter with various options for a more convenient and less verbose of entering existing nstool managed namespaces. Signed-off-by: David Gibson --- test/nstool.c | 139 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 137 insertions(+), 2 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index b70b053..5aa14b8 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -18,7 +18,9 @@ #include #include #include +#include #include +#include #include #include @@ -75,6 +77,9 @@ static void usage(void) " socket at SOCK\n" " -p Print just the holder's PID as seen by the caller\n" " -w Retry connecting to SOCK until it is ready\n" + " nstool exec SOCK [COMMAND [ARGS...]]\n" + " Execute command or shell in the namespaces of the nstool hold\n" + " with control socket at SOCK\n" " nstool stop SOCK\n" " Instruct the nstool hold with control socket at SOCK to\n" " terminate.\n"); @@ -84,7 +89,7 @@ static int connect_ctl(const char *sockpath, bool wait, struct holder_info *info, struct ucred *peercred) { - int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); + int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, PF_UNIX); struct sockaddr_un addr = { .sun_family = AF_UNIX, }; @@ -135,7 +140,7 @@ static int connect_ctl(const char *sockpath, bool wait, static void cmd_hold(int argc, char *argv[]) { - int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); + int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, PF_UNIX); struct sockaddr_un addr = { .sun_family = AF_UNIX, }; @@ -304,6 +309,134 @@ static void cmd_info(int argc, char *argv[]) } } +static int openns(const char *fmt, ...) +{ + char nspath[PATH_MAX]; + va_list ap; + int fd; + + va_start(ap, fmt); + if (vsnprintf(nspath, sizeof(nspath), fmt, ap) >= PATH_MAX) + die("Truncated path \"%s\"\n", nspath); + va_end(ap); + + fd = open(nspath, O_RDONLY | O_CLOEXEC); + if (fd < 0) + die("open() %s: %s\n", nspath, strerror(errno)); + + return fd; +} + +static void wait_for_child(pid_t pid) +{ + int status; + + /* Match the child's exit status, if possible */ + for (;;) { + pid_t rc; + + rc = waitpid(pid, &status, WUNTRACED); + if (rc < 0) + die("waitpid() on %d: %s\n", pid, strerror(errno)); + if (rc != pid) + die("waitpid() on %d returned %d", pid, rc); + if (WIFSTOPPED(status)) { + /* Stop the parent to patch */ + kill(getpid(), SIGSTOP); + /* We must have resumed, resume the child */ + kill(pid, SIGCONT); + continue; + } + + break; + } + + if (WIFEXITED(status)) + exit(WEXITSTATUS(status)); + else if (WIFSIGNALED(status)) + kill(getpid(), WTERMSIG(status)); + + die("Unexpected status for child %d\n", pid); +} + +static void cmd_exec(int argc, char *argv[]) +{ + const char *shargs[] = { NULL, NULL }; + const char *sockpath = argv[1]; + int nfd[ARRAY_SIZE(nstypes)]; + const struct ns_type *nst; + const char *const *xargs; + struct ucred peercred; + int ctlfd, flags, rc; + const char *exe; + pid_t xpid; + + if (argc < 2) + usage(); + + ctlfd = connect_ctl(sockpath, false, NULL, &peercred); + + flags = detect_namespaces(peercred.pid); + + for_each_nst(nst, flags) { + int *fd = &nfd[nst - nstypes]; + *fd = openns("/proc/%d/ns/%s", peercred.pid, nst->name); + } + + /* First pass, will get things where we need the privileges of + * the initial userns */ + for_each_nst(nst, flags) { + int fd = nfd[nst - nstypes]; + + rc = setns(fd, nst->flag); + if (rc == 0) { + flags &= ~nst->flag; + } + } + + /* Second pass, will get things where we need the privileges + * of the target userns */ + for_each_nst(nst, flags) { + int fd = nfd[nst - nstypes]; + + rc = setns(fd, nst->flag); + if (rc < 0) + die("setns() type %s: %s\n", + nst->name, strerror(errno)); + } + + /* Fork to properly enter PID namespace */ + xpid = fork(); + if (xpid < 0) + die("fork(): %s\n", strerror(errno)); + + if (xpid > 0) { + /* Close the control socket so the waiting parent + * doesn't block the holder */ + close(ctlfd); + wait_for_child(xpid); + } + + /* CHILD */ + if (argc > 2) { + exe = argv[2]; + xargs = (const char * const*)(argv + 2); + } else { + exe = getenv("SHELL"); + if (!exe) + exe = "/bin/sh"; + + shargs[0] = exe; + + xargs = shargs; + } + + rc = execvp(exe, (char *const *)xargs); + if (rc < 0) + die("execv() %s: %s\n", exe, strerror(errno)); + die("Returned from exec()\n"); +} + static void cmd_stop(int argc, char *argv[]) { const char *sockpath = argv[1]; @@ -338,6 +471,8 @@ int main(int argc, char *argv[]) cmd_hold(argc - 1, argv + 1); else if (strcmp(subcmd, "info") == 0) cmd_info(argc - 1, argv + 1); + else if (strcmp(subcmd, "exec") == 0) + cmd_exec(argc - 1, argv + 1); else if (strcmp(subcmd, "stop") == 0) cmd_stop(argc - 1, argv + 1); else -- 2.39.2