Date: Mon, 22 May 2023 15:41:17 +1000
From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top
Subject: Re: [PATCH 1/3] util, conf: Add and use ns_is_init() helper
In-Reply-To: <20230521234158.2769867-2-sbrivio@redhat.com>
References: <20230521234158.2769867-1-sbrivio@redhat.com> <20230521234158.2769867-2-sbrivio@redhat.com>

On Mon, May 22, 2023 at 01:41:56AM +0200, Stefano Brivio wrote:
> We'll need this in isolate_initial(). While at it, don't rely on
> BUFSIZ: the earlier issue we had with musl reminded me it's not a
> magic "everything will fit" value. Size the read buffer to what we
> actually need from uid_map.
> 
> Signed-off-by: Stefano Brivio

Reviewed-by: David Gibson

Although...

> ---
>  conf.c | 16 +---------------
>  util.c | 25 +++++++++++++++++++++++++
>  util.h |  2 ++
>  3 files changed, 28 insertions(+), 15 deletions(-)
> 
> diff --git a/conf.c b/conf.c
> index 447b000..984c3ce 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -1096,10 +1096,6 @@ static int conf_runas(char *opt, unsigned int *uid, unsigned int *gid)
>   */
>  static void conf_ugid(char *runas, uid_t *uid, gid_t *gid)
>  {
> -	const char root_uid_map[] = " 0 0 4294967295";
> -	char buf[BUFSIZ];
> -	int fd;
> -
>  	/* If user has specified --runas, that takes precedence... */
>  	if (runas) {
>  		if (conf_runas(runas, uid, gid))
> @@ -1116,18 +1112,8 @@ static void conf_ugid(char *runas, uid_t *uid, gid_t *gid)
>  		return;
>  
>  	/* ...or at least not root in the init namespace... */
> -	if ((fd = open("/proc/self/uid_map", O_RDONLY | O_CLOEXEC)) < 0) {
> -		die("Can't determine if we're in init namespace: %s",
> -		    strerror(errno));
> -	}
> -
> -	if (read(fd, buf, BUFSIZ) != sizeof(root_uid_map) ||
> -	    strncmp(buf, root_uid_map, sizeof(root_uid_map) - 1)) {
> -		close(fd);
> +	if (!ns_is_init())
>  		return;
> -	}
> -
> -	close(fd);
>  
>  	/* ...otherwise use nobody:nobody */
>  	warn("Don't run as root. Changing to nobody...");
> diff --git a/util.c b/util.c
> index c3e3471..5ec8a6c 100644
> --- a/util.c
> +++ b/util.c
> @@ -390,6 +390,31 @@ int ns_enter(const struct ctx *c)
>  	return 0;
>  }
>  
> +/**
> + * ns_is_init() - Is the caller running in the "init" user namespace?
> + *
> + * Return: true if caller is in init, false otherwise, won't return on failure
> + */
> +bool ns_is_init(void)
> +{
> +	const char root_uid_map[] = " 0 0 4294967295";
> +	char buf[sizeof(root_uid_map) + 1];
> +	bool ret = true;
> +	int fd;
> +
> +	if ((fd = open("/proc/self/uid_map", O_RDONLY | O_CLOEXEC)) < 0) {
> +		die("Can't determine if we're in init namespace: %s",
> +		    strerror(errno));
> +	}
> +
> +	if (read(fd, buf, sizeof(root_uid_map)) != sizeof(root_uid_map) ||

I don't think it can go bad in practice, but I think you want to pass a
slightly larger buffer than root_uid_map[], otherwise this test will
succeed if the uid_map contains the expected thing for init, followed by
something else.

> +	    strncmp(buf, root_uid_map, sizeof(root_uid_map) - 1))
> +		ret = false;
> +
> +	close(fd);
> +	return ret;
> +}
> +
>  /**
>   * pid_file() - Write PID to file, if requested to do so, and close it
>   * @fd:	Open PID file descriptor, closed on exit, -1 to skip writing it
> diff --git a/util.h b/util.h
> index ba3e3da..26892aa 100644
> --- a/util.h
> +++ b/util.h
> @@ -8,6 +8,7 @@
>  
>  #include
>  #include
> +#include
>  
>  #include "log.h"
>  
> @@ -216,6 +217,7 @@ char *line_read(char *buf, size_t len, int fd);
>  void procfs_scan_listen(struct ctx *c, uint8_t proto, int ip_version, int ns,
>  			uint8_t *map, uint8_t *exclude);
>  int ns_enter(const struct ctx *c);
> +bool ns_is_init(void);
>  void write_pidfile(int fd, pid_t pid);
>  int __daemon(int pidfile_fd, int devnull_fd);
>  int fls(unsigned long x);

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
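Review bot: In the util.c hunk adding ns_is_init(), the read() check cannot distinguish a uid_map that is exactly the expected line from one that merely starts with it: read() is capped at sizeof(root_uid_map) bytes, so the `!= sizeof(root_uid_map)` test is satisfied by any file of that length or longer, and strncmp() then compares only the first sizeof(root_uid_map) - 1 of those bytes. Since buf is already declared one byte larger than root_uid_map, read into the whole buffer and keep the same expected count: `if (read(fd, buf, sizeof(buf)) != sizeof(root_uid_map) ||` makes a map with anything after the first line return 17 bytes and fail, which addresses the point raised inline above. Two smaller things in the same hunk: a read() failure (-1) is silently folded into "not init" while an open() failure calls die(), so consider handling both the same way; and the last byte read (presumably the trailing newline) is never checked, so either include the '\n' in root_uid_map or test buf[sizeof(root_uid_map) - 1] explicitly.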
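As an added illustration of the trailing-data case raised in the review above (example code written here, not passt's own): parse the three uid_map fields and reject anything after the first line, instead of comparing a fixed byte string. The function name uid_map_is_init() and the sample map lines a caller would pass it are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/*
 * uid_map_is_init() - Does a uid_map snapshot describe the init user namespace?
 * @map:	Bytes read from /proc/self/uid_map (need not be NUL-terminated)
 * @len:	Number of bytes in @map
 *
 * Example helper, not passt code. Parses the three fields (inside id,
 * outside id, count) instead of comparing a fixed string, so field
 * padding does not matter, and rejects any content after the first
 * line, which a fixed-size read() plus strncmp() would accept.
 *
 * Return: true only for a single "0 0 4294967295" mapping and nothing else
 */
bool uid_map_is_init(const char *map, size_t len)
{
	char buf[128];		/* a genuine init map line is far shorter */
	unsigned long v[3];
	char *p = buf, *end;
	int i;

	if (len == 0 || len >= sizeof(buf))
		return false;
	memcpy(buf, map, len);
	buf[len] = '\0';	/* strtoul() needs a terminated string */

	for (i = 0; i < 3; i++) {
		while (*p == ' ' || *p == '\t')
			p++;
		if (!isdigit((unsigned char)*p))	/* also rejects "-1", "+0" */
			return false;
		errno = 0;
		v[i] = strtoul(p, &end, 10);
		if (errno)
			return false;
		p = end;
	}
	/* Only trailing blanks and one newline may follow the third field */
	while (*p == ' ' || *p == '\t')
		p++;
	if (*p == '\n')
		p++;

	return *p == '\0' && v[0] == 0 && v[1] == 0 && v[2] == 4294967295UL;
}
```

A caller should read with a buffer larger than the longest line it will accept, so that extra data shows up in the byte count rather than being truncated away.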