On Wed, Apr 05, 2023 at 01:59:02PM +0200, Stefano Brivio wrote:
> On Tue, 4 Apr 2023 11:46:34 +1000
> David Gibson wrote:
>
> > This allows you to run commands within a user namespace with the
> > privilege that comes from owning that userns.
> >
> > Signed-off-by: David Gibson
> > ---
> > test/nstool.c | 89 +++++++++++++++++++++++++++++++++++++++++++++------
> > 1 file changed, 79 insertions(+), 10 deletions(-)
> >
> > diff --git a/test/nstool.c b/test/nstool.c
> > index 25079aa..3ecc456 100644
> > --- a/test/nstool.c
> > +++ b/test/nstool.c
> > @@ -18,11 +18,15 @@
> > #include
> > #include
> > #include
> > +#include
> > +#include
> > #include
> > #include
> > +#include
> > +#include
> > #include
> > -#include
> > #include
> > +#include
> >
> > #define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0])))
> >
> > @@ -75,11 +79,13 @@ static void usage(void)
> > " nstool info [-pw] pid SOCK\n"
> > " Print information about the nstool hold process with control\n"
> > " socket at SOCK\n"
> > - " -p Print just the holder's PID as seen by the caller\n"
> > - " -w Retry connecting to SOCK until it is ready\n"
> > - " nstool exec SOCK [COMMAND [ARGS...]]\n"
> > + " -p Print just the holder's PID as seen by the caller\n"
> > + " -w Retry connecting to SOCK until it is ready\n"
> > + " nstool exec [--keep-caps] SOCK [COMMAND [ARGS...]]\n"
> > " Execute command or shell in the namespaces of the nstool hold\n"
> > " with control socket at SOCK\n"
> > + " --keep-caps Give all possible capabilities to COMMAND via\n"
> > + " the ambient capability mask\n"
> > " nstool stop SOCK\n"
> > " Instruct the nstool hold with control socket at SOCK to\n"
> > " terminate.\n");
> > @@ -275,7 +281,6 @@ static void cmd_info(int argc, char *argv[])
> > } while (opt != -1);
> >
> > if (optind != argc - 1) {
> > - fprintf(stderr, "B\n");
> > usage();
> > }
> >
> > @@ -356,21 +361,82 @@ static void wait_for_child(pid_t pid)
> > die("Unexpected status for child %d\n", pid);
> > }
> >
> > +static void caps_to_ambient(void)
> > +{
> > + /* Use raw system calls to avoid the overly complex caps
> > + * libraries. */
>
> Bad indentation here.

More pasted spaces. Fixing.

--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson