\n| <\/td>\n | <\/td>\n | <\/td>\n | \n CapEff:<\/p>\n<\/td>\n | \n 0000001fffffffff<\/p>\n<\/td>\n<\/tr>\n<\/table>\n Program source<\/b>
\/bin \/boot \/dead.letter \/dev \/etc \/home \/initrd \/lib \/lib64 \/lost+found \/media \/mnt \/opt \/proc \/release-notes.html \/release-notes.txt \/root \/run \/sbin \/srv \/sys \/tmp \/usr \/var userns_child_exec.c<\/p>\n Licensed under GNU General Public License v2 or later<\/p>\n Create a child process that executes a shell command in new
namespace(s); allow UID and GID mappings to be specified when
creating a user namespace.
bodies\/ usr\/
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include #include <\/p>\n\/* A simple error\u2212handling function: print an error message based
on the value in ‘errno’ and terminate the calling process *\/<\/p>\n #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE);
} while (0)<\/p>\n struct child_args {
char **argv; \/bin \/boot \/dead.letter \/dev \/etc \/home \/initrd \/lib \/lib64 \/lost+found \/media \/mnt \/opt \/proc \/release-notes.html \/release-notes.txt \/root \/run \/sbin \/srv \/sys \/tmp \/usr \/var Command to be executed by child, with args bodies\/ usr\/
int pipe_fd[2]; \/bin \/boot \/dead.letter \/dev \/etc \/home \/initrd \/lib \/lib64 \/lost+found \/media \/mnt \/opt \/proc \/release-notes.html \/release-notes.txt \/root \/run \/sbin \/srv \/sys \/tmp \/usr \/var Pipe used to synchronize parent and child bodies\/ usr\/
};<\/p>\n static int verbose;<\/p>\n static void
usage(char *pname)
{
fprintf(stderr, “Usage: %s [options] cmd [arg…]nn”, pname);
fprintf(stderr, “Create a child process that executes a shell ”
“command in a new user namespace,n”
“and possibly also other new namespace(s).nn”);
fprintf(stderr, “Options can be:nn”);
#define fpe(str) fprintf(stderr, ” %s”, str);
fpe(“\u2212i New IPC namespacen”);
fpe(“\u2212m New mount namespacen”);
fpe(“\u2212n New network namespacen”);
fpe(“\u2212p New PID namespacen”);
fpe(“\u2212u New UTS namespacen”);
fpe(“\u2212U New user namespacen”);
fpe(“\u2212M uid_map Specify UID map for user namespacen”);
fpe(“\u2212G gid_map Specify GID map for user namespacen”);
fpe(“\u2212z Map user’s UID and GID to 0 in user namespacen”);
fpe(” (equivalent to: \u2212M ‘0 1′ \u2212G ‘0 1′)n”);
fpe(“\u2212v Display verbose messagesn”);
fpe(“n”);
fpe(“If \u2212z, \u2212M, or \u2212G is specified, \u2212U is required.n”);
fpe(“It is not permitted to specify both \u2212z and either \u2212M or \u2212G.n”);
fpe(“n”);
fpe(“Map strings for \u2212M and \u2212G consist of records of the form:n”);
fpe(“n”);
fpe(” ID\u2212inside\u2212ns ID\u2212outside\u2212ns lenn”);
fpe(“n”);
fpe(“A map string can contain multiple records, separated”
” by commas;n”);
fpe(“the commas are replaced by newlines before writing”
” to map files.n”);<\/p>\nexit(EXIT_FAILURE);
}<\/p>\n \/* Update the mapping file ‘map_file’, with the value provided in
‘mapping’, a string that defines a UID or GID mapping. A UID or
GID mapping consists of one or more newline\u2212delimited records
of the form:<\/p>\n ID_inside\u2212ns ID\u2212outside\u2212ns length<\/p>\n Requiring the user to supply a string that contains newlines is
of course inconvenient for command\u2212line use. Thus, we permit the
use of commas to delimit records in this string, and replace them
with newlines before writing the string to the file. *\/<\/p>\n static void
update_map(char *mapping, char *map_file)
{
int fd;
size_t map_len; \/bin \/boot \/dead.letter \/dev \/etc \/home \/initrd \/lib \/lib64 \/lost+found \/media \/mnt \/opt \/proc \/release-notes.html \/release-notes.txt \/root \/run \/sbin \/srv \/sys \/tmp \/usr \/var Length of ‘mapping’ *\/<\/p>\n \/* Replace commas in mapping string with newlines *\/<\/p>\n map_len = strlen(mapping);
for (int j = 0; j < map_len; j++)
if (mapping[j] == ‘,’)
mapping[j] = ‘n’;<\/p>\n fd = open(map_file, O_RDWR);
if (fd == \u22121) {
fprintf(stderr, “ERROR: open %s: %sn”, map_file,
strerror(errno));
exit(EXIT_FAILURE);
}<\/p>\n if (write(fd, mapping, map_len) != map_len) {
fprintf(stderr, “ERROR: write %s: %sn”, map_file,
strerror(errno));
exit(EXIT_FAILURE);
}<\/p>\n close(fd);
}<\/p>\n \/* Linux 3.19 made a change in the handling of setgroups(2) and the
‘gid_map’ file to address a security issue. The issue allowed
*unprivileged* users to employ user namespaces in order to drop
The upshot of the 3.19 changes is that in order to update the
‘gid_maps’ file, use of the setgroups() system call in this
user namespace must first be disabled by writing “deny” to one of
the \/proc\/PID\/setgroups files for this namespace. That is the
purpose of the following function. *\/<\/p>\n static void
proc_setgroups_write(pid_t child_pid, char *str)
{
char setgroups_path[PATH_MAX];
int fd;<\/p>\n snprintf(setgroups_path, PATH_MAX, “\/proc\/%jd\/setgroups”,
(intmax_t) child_pid);<\/p>\n fd = open(setgroups_path, O_RDWR);
if (fd == \u22121) {<\/p>\n \/* We may be on a system that doesn’t support
\/proc\/PID\/setgroups. In that case, the file won’t exist,
and the system won’t impose the restrictions that Linux 3.19
added. That’s fine: we don’t need to do anything in order
to permit ‘gid_map’ to be updated.<\/p>\n However, if the error from open() was something other than
the ENOENT error that is expected for that case, let the
user know. *\/<\/p>\n if (errno != ENOENT)
fprintf(stderr, “ERROR: open %s: %sn”, setgroups_path,
strerror(errno));
return;
}<\/p>\n if (write(fd, str, strlen(str)) == \u22121)
fprintf(stderr, “ERROR: write %s: %sn”, setgroups_path,
strerror(errno));<\/p>\n close(fd);
}<\/p>\n static int \/bin \/boot \/dead.letter \/dev \/etc \/home \/initrd \/lib \/lib64 \/lost+found \/media \/mnt \/opt \/proc \/release-notes.html \/release-notes.txt \/root \/run \/sbin \/srv \/sys \/tmp \/usr \/var Start function for cloned child bodies\/ usr\/
childFunc(void *arg)
{
struct child_args *args = arg;
char ch;<\/p>\n \/* Wait until the parent has updated the UID and GID mappings.
See the comment in main(). We wait for end of file on a
pipe that will be closed by the parent process once it has
updated the mappings. *\/<\/p>\n close(args\u2212>pipe_fd[1]); \/bin \/boot \/dead.letter \/dev \/etc \/home \/initrd \/lib \/lib64 \/lost+found \/media \/mnt \/opt \/proc \/release-notes.html \/release-notes.txt \/root \/run \/sbin \/srv \/sys \/tmp \/usr \/var Close our descriptor for the write
end of the pipe so that we see EOF
when parent closes its descriptor bodies\/ usr\/
if (read(args\u2212>pipe_fd[0], &ch, 1) != 0) {
fprintf(stderr,
“Failure in child: read from pipe returned != 0n”);
exit(EXIT_FAILURE);
}<\/p>\n close(args\u2212>pipe_fd[0]);<\/p>\n \/* Execute a shell command *\/<\/p>\n printf(“About to exec %sn”, args\u2212>argv[0]);
execvp(args\u2212>argv[0], args\u2212>argv);
errExit(“execvp”);
}<\/p>\n #define STACK_SIZE (1024 bodies manpages.csv script_extrae_body.sh script.sh usr 1024)<\/p>\n static char child_stack[STACK_SIZE]; \/bin \/boot \/dead.letter \/dev \/etc \/home \/initrd \/lib \/lib64 \/lost+found \/media \/mnt \/opt \/proc \/release-notes.html \/release-notes.txt \/root \/run \/sbin \/srv \/sys \/tmp \/usr \/var Space for child’s stack *\/<\/p>\n int
main(int argc, char *argv[])
{
int flags, opt, map_zero;
pid_t child_pid;
struct child_args args;
char *uid_map, *gid_map;
const int MAP_BUF_SIZE = 100;
char map_buf[MAP_BUF_SIZE];
char map_path[PATH_MAX];<\/p>\n \/* Parse command\u2212line options. The initial ‘+’ character in
the final getopt() argument prevents GNU\u2212style permutation
of command\u2212line options. That’s useful, since sometimes
the ‘command’ to be executed by this program itself
has command\u2212line options. We don’t want getopt() to treat
those as options to this program. *\/<\/p>\n flags = 0;
verbose = 0;
gid_map = NULL;
uid_map = NULL;
map_zero = 0;
while ((opt = getopt(argc, argv, “+imnpuUM:G:zv”)) != \u22121) {
switch (opt) {
case ‘i’: flags |= CLONE_NEWIPC; break;
case ‘m’: flags |= CLONE_NEWNS; break;
case ‘n’: flags |= CLONE_NEWNET; break;
case ‘p’: flags |= CLONE_NEWPID; break;
case ‘u’: flags |= CLONE_NEWUTS; break;
case ‘v’: verbose = 1; break;
case ‘z’: map_zero = 1; break;
case ‘M’: uid_map = optarg; break;
case ‘G’: gid_map = optarg; break;
case ‘U’: flags |= CLONE_NEWUSER; break;
default: usage(argv[0]);
}
}<\/p>\n \/* \u2212M or \u2212G without \u2212U is nonsensical *\/<\/p>\n if (((uid_map != NULL || gid_map != NULL || map_zero) &&
!(flags & CLONE_NEWUSER)) ||
(map_zero && (uid_map != NULL || gid_map != NULL)))
usage(argv[0]);<\/p>\n args.argv = &argv[optind];<\/p>\n \/* We use a pipe to synchronize the parent and child, in order to
ensure that the parent sets the UID and GID maps before the child
calls execve(). This ensures that the child maintains its
capabilities during the execve() in the common case where we
want to map the child’s effective user ID to 0 in the new user
namespace. Without this synchronization, the child would lose
its capabilities if it performed an execve() with nonzero
user IDs (see the capabilities(7) man page for details of the
transformation of a process’s capabilities during execve()). *\/<\/p>\n if (pipe(args.pipe_fd) == \u22121)
errExit(“pipe”);<\/p>\n \/* Create the child in new namespace(s) *\/<\/p>\n child_pid = clone(childFunc, child_stack + STACK_SIZE,
flags | SIGCHLD, &args);
if (child_pid == \u22121)
errExit(“clone”);<\/p>\n \/* Parent falls through to here *\/<\/p>\n if (verbose)
printf(“%s: PID of child created by clone() is %jdn”,
argv[0], (intmax_t) child_pid);<\/p>\n \/* Update the UID and GID maps in the child *\/<\/p>\n if (uid_map != NULL || map_zero) {
snprintf(map_path, PATH_MAX, “\/proc\/%jd\/uid_map”,
(intmax_t) child_pid);
if (map_zero) {
snprintf(map_buf, MAP_BUF_SIZE, “0 %jd 1”,
(intmax_t) getuid());
uid_map = map_buf;
}
update_map(uid_map, map_path);
}<\/p>\n if (gid_map != NULL || map_zero) {
proc_setgroups_write(child_pid, “deny”);<\/p>\n snprintf(map_path, PATH_MAX, “\/proc\/%jd\/gid_map”,
(intmax_t) child_pid);
if (map_zero) {
snprintf(map_buf, MAP_BUF_SIZE, “0 %ld 1”,
(intmax_t) getgid());
gid_map = map_buf;
}
update_map(gid_map, map_path);
}<\/p>\n \/* Close the write end of the pipe, to signal to the child that we
have updated the UID and GID maps *\/<\/p>\n close(args.pipe_fd[1]);<\/p>\n if (waitpid(child_pid, NULL, 0) == \u22121) \/bin \/boot \/dead.letter \/dev \/etc \/home \/initrd \/lib \/lib64 \/lost+found \/media \/mnt \/opt \/proc \/release-notes.html \/release-notes.txt \/root \/run \/sbin \/srv \/sys \/tmp \/usr \/var Wait for child bodies\/ usr\/
errExit(“waitpid”);<\/p>\n if (verbose)
printf(“%s: terminatingn”, argv[0]);<\/p>\n exit(EXIT_SUCCESS);
}<\/p>\n |