[lxc-devel] [PATCH v2] Fix to work lxc-start with unprivileged containers on recent kernel
TAMUKI Shoichi
tamuki at linet.gr.jp
Fri Jun 27 08:29:01 UTC 2014
Change chown_mapped_root() to map in both the root uid and gid, not
just the uid, so as to work lxc-start with unprivileged containers on
recent kernel.
Signed-off-by: TAMUKI Shoichi <tamuki at linet.gr.jp>
Signed-off-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
---
The patch has been revised due to amending the explanation of
chown_mapped_root() a bit. Please ignore the previous one.
src/lxc/conf.c | 93 +++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 72 insertions(+), 21 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index c8b573a..df2f7cc 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3327,7 +3327,8 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
}
/*
- * return the host uid to which the container root is mapped in *val.
+ * return the host uid/gid to which the container root is mapped in
+ * *val.
* Return true if id was found, false otherwise.
*/
bool get_mapped_rootid(struct lxc_conf *conf, enum idtype idtype,
@@ -3338,7 +3339,7 @@ bool get_mapped_rootid(struct lxc_conf *conf, enum idtype idtype,
lxc_list_for_each(it, &conf->id_map) {
map = it->elem;
- if (map->idtype != ID_TYPE_UID)
+ if (map->idtype != idtype)
continue;
if (map->nsid != 0)
continue;
@@ -3492,15 +3493,17 @@ void lxc_delete_tty(struct lxc_tty_info *tty_info)
}
/*
- * chown_mapped_root: for an unprivileged user with uid X to chown a dir
- * to subuid Y, he needs to run chown as root in a userns where
- * nsid 0 is mapped to hostuid Y, and nsid Y is mapped to hostuid
- * X. That way, the container root is privileged with respect to
- * hostuid X, allowing him to do the chown.
+ * chown_mapped_root: for an unprivileged user with uid/gid X to
+ * chown a dir to subuid/subgid Y, he needs to run chown as root
+ * in a userns where nsid 0 is mapped to hostuid/hostgid Y, and
+ * nsid Y is mapped to hostuid/hostgid X. That way, the container
+ * root is privileged with respect to hostuid/hostgid X, allowing
+ * him to do the chown.
*/
int chown_mapped_root(char *path, struct lxc_conf *conf)
{
- uid_t rootid;
+ uid_t rootuid;
+ gid_t rootgid;
pid_t pid;
unsigned long val;
char *chownpath = path;
@@ -3509,7 +3512,12 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
ERROR("No mapping for container root");
return -1;
}
- rootid = (uid_t) val;
+ rootuid = (uid_t) val;
+ if (!get_mapped_rootid(conf, ID_TYPE_GID, &val)) {
+ ERROR("No mapping for container root");
+ return -1;
+ }
+ rootgid = (gid_t) val;
/*
* In case of overlay, we want only the writeable layer
@@ -3530,14 +3538,14 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
}
path = chownpath;
if (geteuid() == 0) {
- if (chown(path, rootid, -1) < 0) {
+ if (chown(path, rootuid, rootgid) < 0) {
ERROR("Error chowning %s", path);
return -1;
}
return 0;
}
- if (rootid == geteuid()) {
+ if (rootuid == geteuid()) {
// nothing to do
INFO("%s: container root is our uid; no need to chown" ,__func__);
return 0;
@@ -3549,13 +3557,31 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
return -1;
}
if (!pid) {
- int hostuid = geteuid(), ret;
- char map1[100], map2[100], map3[100];
- char *args[] = {"lxc-usernsexec", "-m", map1, "-m", map2, "-m",
- map3, "--", "chown", "0", path, NULL};
+ int hostuid = geteuid(), hostgid = getegid(), ret;
+ struct stat sb;
+ char map1[100], map2[100], map3[100], map4[100], map5[100];
+ char ugid[100];
+ char *args1[] = { "lxc-usernsexec", "-m", map1, "-m", map2,
+ "-m", map3, "-m", map5,
+ "--", "chown", ugid, path, NULL };
+ char *args2[] = { "lxc-usernsexec", "-m", map1, "-m", map2,
+ "-m", map3, "-m", map4, "-m", map5,
+ "--", "chown", ugid, path, NULL };
+
+ // save the current gid of "path"
+ if (stat(path, &sb) < 0) {
+ ERROR("Error stat %s", path);
+ return -1;
+ }
- // "u:0:rootid:1"
- ret = snprintf(map1, 100, "u:0:%d:1", rootid);
+ // a trick for chgrp the file that is not owned by oneself
+ if (chown(path, -1, hostgid) < 0) {
+ ERROR("Error chgrp %s", path);
+ return -1;
+ }
+
+ // "u:0:rootuid:1"
+ ret = snprintf(map1, 100, "u:0:%d:1", rootuid);
if (ret < 0 || ret >= 100) {
ERROR("Error uid printing map string");
return -1;
@@ -3568,14 +3594,39 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
return -1;
}
- // "g:0:hostgid:1"
- ret = snprintf(map3, 100, "g:0:%d:1", getgid());
+ // "g:0:rootgid:1"
+ ret = snprintf(map3, 100, "g:0:%d:1", rootgid);
if (ret < 0 || ret >= 100) {
- ERROR("Error uid printing map string");
+ ERROR("Error gid printing map string");
return -1;
}
- ret = execvp("lxc-usernsexec", args);
+ // "g:pathgid:rootgid+pathgid:1"
+ ret = snprintf(map4, 100, "g:%d:%d:1", sb.st_gid,
+ rootgid + sb.st_gid);
+ if (ret < 0 || ret >= 100) {
+ ERROR("Error gid printing map string");
+ return -1;
+ }
+
+ // "g:hostgid:hostgid:1"
+ ret = snprintf(map5, 100, "g:%d:%d:1", hostgid, hostgid);
+ if (ret < 0 || ret >= 100) {
+ ERROR("Error gid printing map string");
+ return -1;
+ }
+
+ // "0:pathgid" (chown)
+ ret = snprintf(ugid, 100, "0:%d", sb.st_gid);
+ if (ret < 0 || ret >= 100) {
+ ERROR("Error owner printing format string for chown");
+ return -1;
+ }
+
+ if (hostgid == sb.st_gid)
+ ret = execvp("lxc-usernsexec", args1);
+ else
+ ret = execvp("lxc-usernsexec", args2);
SYSERROR("Failed executing usernsexec");
exit(1);
}
--
1.9.0
More information about the lxc-devel
mailing list