[lxc-devel] [lxc/master] 2018 02 08/priv
hallyn on Github
lxc-bot at linuxcontainers.org
Thu Feb 8 19:25:52 UTC 2018
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 791 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180208/6fe3471d/attachment.bin>
-------------- next part --------------
From 477aa378e9050ed5d7de22b6ff05a83f38824036 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <shallyn at cisco.com>
Date: Thu, 8 Feb 2018 12:06:39 -0600
Subject: [PATCH 1/2] define am_guest_unpriv
Sometimes we want to know whether we are privileged wrt our
namespaces, and sometimes we want to know whether we are priv
wrt init_user_ns.
Signed-off-by: Serge Hallyn <shallyn at cisco.com>
---
src/lxc/utils.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index 4d129d137..048995475 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -435,6 +435,12 @@ extern int lxc_strmunmap(void *addr, size_t length);
/* initialize rand with urandom */
extern int randseed(bool);
+/* are we unprivileged with respect to our namespaces */
+inline static bool am_guest_unpriv(void) {
+ return geteuid() != 0;
+}
+
+/* are we unprivileged with respect to init_user_ns */
inline static bool am_host_unpriv(void)
{
FILE *f;
From e0010464c71ddd81eb36f2532618945d0afe924c Mon Sep 17 00:00:00 2001
From: Serge Hallyn <shallyn at cisco.com>
Date: Thu, 8 Feb 2018 13:04:23 -0600
Subject: [PATCH 2/2] Restore most cases of am_guest_unpriv
The only cases where we really need to be privileged with respect
to the host is when we are trying to mknod, and in some cases
to do with a physical network device. This patch leaves the
detection of the network device cases as a TODO.
This should fix the currently broken case of starting a privileged
container with at least one veth nic, nested inside an unprivileged
container.
Cc: Tycho Andersen <tycho at tycho.ws>
Signed-off-by: Serge Hallyn <shallyn at cisco.com>
---
src/lxc/lxccontainer.c | 21 +++++++++++++--------
src/lxc/network.c | 4 ++--
src/lxc/start.c | 4 ++--
src/lxc/storage/aufs.c | 8 ++++----
src/lxc/storage/btrfs.c | 4 ++--
src/lxc/storage/overlay.c | 12 ++++++------
src/lxc/storage/storage.c | 6 +++---
7 files changed, 32 insertions(+), 27 deletions(-)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index cca9f89b9..465d27fb8 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -2678,7 +2678,7 @@ static bool has_snapshots(struct lxc_container *c)
static bool do_destroy_container(struct lxc_conf *conf) {
int ret;
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ret = userns_exec_full(conf, storage_destroy_wrapper, conf,
"storage_destroy_wrapper");
if (ret < 0)
@@ -2800,7 +2800,7 @@ static bool container_destroy(struct lxc_container *c,
if (ret < 0 || (size_t)ret >= len)
goto out;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
ret = userns_exec_1(conf, lxc_unlink_exec_wrapper, path,
"lxc_unlink_exec_wrapper");
else
@@ -2819,7 +2819,7 @@ static bool container_destroy(struct lxc_container *c,
ret = snprintf(path, len, "%s/%s", p1, c->name);
if (ret < 0 || (size_t)ret >= len)
goto out;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
ret = userns_exec_full(conf, lxc_rmdir_onedev_wrapper, path,
"lxc_rmdir_onedev_wrapper");
else
@@ -3602,7 +3602,7 @@ static struct lxc_container *do_lxcapi_clone(struct lxc_container *c, const char
}
}
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
if (chown_mapped_root(newpath, c->lxc_conf) < 0) {
ERROR("Error chowning %s to container root", newpath);
goto out;
@@ -3680,7 +3680,7 @@ static struct lxc_container *do_lxcapi_clone(struct lxc_container *c, const char
data.c1 = c2;
data.flags = flags;
data.hookargs = hookargs;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
ret = userns_exec_full(c->lxc_conf, clone_update_rootfs_wrapper,
&data, "clone_update_rootfs_wrapper");
else
@@ -4355,6 +4355,7 @@ static bool add_remove_device_node(struct lxc_container *c, const char *src_path
static bool do_lxcapi_add_device_node(struct lxc_container *c, const char *src_path, const char *dest_path)
{
+ // cannot mknod if we're not privileged wrt init_user_ns
if (am_host_unpriv()) {
ERROR(NOT_SUPPORTED_ERROR, __FUNCTION__);
return false;
@@ -4366,7 +4367,7 @@ WRAP_API_2(bool, lxcapi_add_device_node, const char *, const char *)
static bool do_lxcapi_remove_device_node(struct lxc_container *c, const char *src_path, const char *dest_path)
{
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ERROR(NOT_SUPPORTED_ERROR, __FUNCTION__);
return false;
}
@@ -4382,7 +4383,7 @@ static bool do_lxcapi_attach_interface(struct lxc_container *c,
pid_t init_pid;
int ret = 0;
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ERROR(NOT_SUPPORTED_ERROR, __FUNCTION__);
return false;
}
@@ -4421,7 +4422,11 @@ static bool do_lxcapi_detach_interface(struct lxc_container *c,
int ret;
pid_t pid, pid_outside;
- if (am_host_unpriv()) {
+ /*
+ * TODO - if this is a physical device, then we need am_host_unpriv.
+ * But for other types guest privilege suffices.
+ */
+ if (am_guest_unpriv()) {
ERROR(NOT_SUPPORTED_ERROR, __FUNCTION__);
return false;
}
diff --git a/src/lxc/network.c b/src/lxc/network.c
index 0a23dc3eb..bf06e6f4a 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -2449,7 +2449,7 @@ int lxc_network_move_created_netdev_priv(const char *lxcpath, const char *lxcnam
char ifname[IFNAMSIZ];
struct lxc_list *iterator;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
return 0;
lxc_list_for_each(iterator, network) {
@@ -2487,7 +2487,7 @@ int lxc_create_network_unpriv(const char *lxcpath, const char *lxcname,
{
struct lxc_list *iterator;
- if (!am_host_unpriv())
+ if (!am_guest_unpriv())
return 0;
lxc_list_for_each(iterator, network) {
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 6d43c92b2..1cbfcae35 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -654,11 +654,11 @@ struct lxc_handler *lxc_init_handler(const char *name, struct lxc_conf *conf,
memset(handler, 0, sizeof(*handler));
- /* Note that am_host_unpriv() checks the effective uid. We probably don't
+ /* Note that am_guest_unpriv() checks the effective uid. We probably don't
* care if we are real root only if we are running as root so this
* should be fine.
*/
- handler->am_root = !am_host_unpriv();
+ handler->am_root = !am_guest_unpriv();
handler->data_sock[0] = handler->data_sock[1] = -1;
handler->conf = conf;
handler->lxcpath = lxcpath;
diff --git a/src/lxc/storage/aufs.c b/src/lxc/storage/aufs.c
index 0d53c3d8d..c275f88b3 100644
--- a/src/lxc/storage/aufs.c
+++ b/src/lxc/storage/aufs.c
@@ -89,7 +89,7 @@ int aufs_clonepaths(struct lxc_storage *orig, struct lxc_storage *new,
if (mkdir_p(new->dest, 0755) < 0)
return -1;
- if (am_host_unpriv() && chown_mapped_root(new->dest, conf) < 0)
+ if (am_guest_unpriv() && chown_mapped_root(new->dest, conf) < 0)
WARN("Failed to update ownership of %s", new->dest);
if (strcmp(orig->type, "dir") == 0) {
@@ -116,7 +116,7 @@ int aufs_clonepaths(struct lxc_storage *orig, struct lxc_storage *new,
free(delta);
return -1;
}
- if (am_host_unpriv() && chown_mapped_root(delta, conf) < 0)
+ if (am_guest_unpriv() && chown_mapped_root(delta, conf) < 0)
WARN("Failed to update ownership of %s", delta);
// the src will be 'aufs:lowerdir:upperdir'
@@ -157,13 +157,13 @@ int aufs_clonepaths(struct lxc_storage *orig, struct lxc_storage *new,
free(ndelta);
return -1;
}
- if (am_host_unpriv() && chown_mapped_root(ndelta, conf) < 0)
+ if (am_guest_unpriv() && chown_mapped_root(ndelta, conf) < 0)
WARN("Failed to update ownership of %s", ndelta);
struct rsync_data_char rdata;
rdata.src = odelta;
rdata.dest = ndelta;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
ret = userns_exec_full(conf, lxc_rsync_delta_wrapper,
&rdata, "lxc_rsync_delta_wrapper");
else
diff --git a/src/lxc/storage/btrfs.c b/src/lxc/storage/btrfs.c
index 4e21020fd..3b6b8d96e 100644
--- a/src/lxc/storage/btrfs.c
+++ b/src/lxc/storage/btrfs.c
@@ -434,7 +434,7 @@ bool btrfs_create_clone(struct lxc_conf *conf, struct lxc_storage *orig,
/* rsync the contents from source to target */
data.orig = orig;
data.new = new;
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ret = userns_exec_full(conf, lxc_storage_rsync_exec_wrapper,
&data, "lxc_storage_rsync_exec_wrapper");
if (ret < 0) {
@@ -466,7 +466,7 @@ bool btrfs_create_snapshot(struct lxc_conf *conf, struct lxc_storage *orig,
if (ret < 0 && errno != ENOENT)
return false;
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
struct rsync_data_char args;
args.src = orig->src;
diff --git a/src/lxc/storage/overlay.c b/src/lxc/storage/overlay.c
index e3aae8a29..35214af52 100644
--- a/src/lxc/storage/overlay.c
+++ b/src/lxc/storage/overlay.c
@@ -73,7 +73,7 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char
return -1;
}
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ret = chown_mapped_root(new->dest, conf);
if (ret < 0)
WARN("Failed to update ownership of %s", new->dest);
@@ -120,7 +120,7 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char
return -1;
}
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ret = chown_mapped_root(delta, conf);
if (ret < 0)
WARN("Failed to update ownership of %s", delta);
@@ -153,7 +153,7 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char
return -1;
}
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ret = chown_mapped_root(work, conf);
if (ret < 0)
WARN("Failed to update ownership of %s", work);
@@ -224,7 +224,7 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char
return -1;
}
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ret = chown_mapped_root(ndelta, conf);
if (ret < 0)
WARN("Failed to update ownership of %s",
@@ -265,7 +265,7 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char
return -1;
}
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ret = chown_mapped_root(work, conf);
if (ret < 0)
WARN("Failed to update ownership of %s", work);
@@ -960,7 +960,7 @@ static int ovl_do_rsync(const char *src, const char *dest,
rdata.src = (char *)src;
rdata.dest = (char *)dest;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
ret = userns_exec_full(conf, lxc_rsync_exec_wrapper, &rdata,
"lxc_rsync_exec_wrapper");
else
diff --git a/src/lxc/storage/storage.c b/src/lxc/storage/storage.c
index 6cb98f6b7..c453fe744 100644
--- a/src/lxc/storage/storage.c
+++ b/src/lxc/storage/storage.c
@@ -406,7 +406,7 @@ struct lxc_storage *storage_copy(struct lxc_container *c, const char *cname,
if (!bdevtype && !keepbdevtype && snap && !strcmp(orig->type, "dir"))
bdevtype = "overlay";
- if (am_host_unpriv() && !unpriv_snap_allowed(orig, bdevtype, snap, maybe_snap)) {
+ if (am_guest_unpriv() && !unpriv_snap_allowed(orig, bdevtype, snap, maybe_snap)) {
ERROR("Unsupported snapshot type \"%s\" for unprivileged users",
bdevtype ? bdevtype : "(null)");
goto on_error_put_orig;
@@ -505,7 +505,7 @@ struct lxc_storage *storage_copy(struct lxc_container *c, const char *cname,
else
src_no_prefix = lxc_storage_get_path(new->src, new->type);
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ret = chown_mapped_root(src_no_prefix, c->lxc_conf);
if (ret < 0)
WARN("Failed to chown \"%s\"", new->src);
@@ -518,7 +518,7 @@ struct lxc_storage *storage_copy(struct lxc_container *c, const char *cname,
/* rsync the contents from source to target */
data.orig = orig;
data.new = new;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
ret = userns_exec_full(c->lxc_conf,
lxc_storage_rsync_exec_wrapper, &data,
"lxc_storage_rsync_exec_wrapper");
More information about the lxc-devel
mailing list