[lxc-devel] [lxd/master] forksyscall: introduce acquire_basic_creds()

brauner on Github lxc-bot at linuxcontainers.org
Tue Jul 23 09:23:35 UTC 2019


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190723/669b3271/attachment.bin>
-------------- next part --------------
From 1d2b1e92da8fdfecdb195e05a9e6980d1e39f4e8 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Tue, 23 Jul 2019 11:22:18 +0200
Subject: [PATCH] forksyscall: introduce acquire_basic_creds()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/main_forksyscall.go | 86 ++++++++++++++---------------------------
 1 file changed, 30 insertions(+), 56 deletions(-)

diff --git a/lxd/main_forksyscall.go b/lxd/main_forksyscall.go
index 0e352d234c..188b0e2c3e 100644
--- a/lxd/main_forksyscall.go
+++ b/lxd/main_forksyscall.go
@@ -67,11 +67,37 @@ static bool chdirchroot_in_mntns(int cwd_fd, int root_fd)
 	return true;
 }
 
+static bool acquire_basic_creds(pid_t pid)
+{
+	__do_close_prot_errno int cwd_fd = -EBADF, mnt_fd = -EBADF, root_fd = -EBADF;
+	char buf[256];
+
+	snprintf(buf, sizeof(buf), "/proc/%d/ns/mnt", pid);
+	mnt_fd = open(buf, O_RDONLY | O_CLOEXEC);
+	if (mnt_fd < 0)
+		return false;
+
+	snprintf(buf, sizeof(buf), "/proc/%d/root", pid);
+	root_fd = open(buf, O_PATH | O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+	if (root_fd < 0)
+		return false;
+
+	snprintf(buf, sizeof(buf), "/proc/%d/cwd", pid);
+	cwd_fd = open(buf, O_PATH | O_RDONLY | O_CLOEXEC);
+	if (cwd_fd < 0)
+		return false;
+
+	if (setns(mnt_fd, CLONE_NEWNS))
+		return false;
+
+	return chdirchroot_in_mntns(cwd_fd, root_fd);
+}
+
 // Expects command line to be in the form:
 // <PID> <root-uid> <root-gid> <path> <mode> <dev>
 static void forkmknod()
 {
-	__do_close_prot_errno int cwd_fd = -EBADF, mnt_fd = -EBADF, root_fd = -EBADF, target_dir_fd = -EBADF;
+	__do_close_prot_errno int target_dir_fd = -EBADF;
 	char *cur = NULL, *target = NULL, *target_dir = NULL, *target_host = NULL;
 	int ret;
 	char path[PATH_MAX];
@@ -93,33 +119,7 @@ static void forkmknod()
 	fsuid = atoi(advance_arg(true));
 	fsgid = atoi(advance_arg(true));
 
-	snprintf(path, sizeof(path), "/proc/%d/ns/mnt", pid);
-	mnt_fd = open(path, O_RDONLY | O_CLOEXEC);
-	if (mnt_fd < 0) {
-		fprintf(stderr, "%d", ENOANO);
-		_exit(EXIT_FAILURE);
-	}
-
-	snprintf(path, sizeof(path), "/proc/%d/root", pid);
-	root_fd = open(path, O_PATH | O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
-	if (root_fd < 0) {
-		fprintf(stderr, "%d", ENOANO);
-		_exit(EXIT_FAILURE);
-	}
-
-	snprintf(path, sizeof(path), "/proc/%d/cwd", pid);
-	cwd_fd = open(path, O_PATH | O_RDONLY | O_CLOEXEC);
-	if (cwd_fd < 0) {
-		fprintf(stderr, "%d", ENOANO);
-		_exit(EXIT_FAILURE);
-	}
-
-	if (setns(mnt_fd, CLONE_NEWNS)) {
-		fprintf(stderr, "%d", ENOANO);
-		_exit(EXIT_FAILURE);
-	}
-
-	if (!chdirchroot_in_mntns(cwd_fd, root_fd)) {
+	if (!acquire_basic_creds(pid)) {
 		fprintf(stderr, "%d", ENOANO);
 		_exit(EXIT_FAILURE);
 	}
@@ -237,7 +237,7 @@ static bool change_creds(int ns_fd, cap_t caps, uid_t nsuid, gid_t nsgid, uid_t
 
 static void forksetxattr()
 {
-	__do_close_prot_errno int cwd_fd = -EBADF, mnt_fd = -EBADF, ns_fd = -EBADF, root_fd = -EBADF, target_fd = -EBADF;
+	__do_close_prot_errno int ns_fd = -EBADF, target_fd = -EBADF;
 	int flags = 0;
 	char *name, *target;
 	char path[PATH_MAX];
@@ -269,33 +269,7 @@ static void forksetxattr()
 		_exit(EXIT_FAILURE);
 	}
 
-	snprintf(path, sizeof(path), "/proc/%d/root", pid);
-	root_fd = open(path, O_PATH | O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
-	if (root_fd < 0) {
-		fprintf(stderr, "%d", ENOANO);
-		_exit(EXIT_FAILURE);
-	}
-
-	snprintf(path, sizeof(path), "/proc/%d/ns/mnt", pid);
-	mnt_fd = open(path, O_RDONLY | O_CLOEXEC);
-	if (mnt_fd < 0) {
-		fprintf(stderr, "%d", ENOANO);
-		_exit(EXIT_FAILURE);
-	}
-
-	snprintf(path, sizeof(path), "/proc/%d/cwd", pid);
-	cwd_fd = open(path, O_PATH | O_RDONLY | O_CLOEXEC);
-	if (cwd_fd < 0) {
-		fprintf(stderr, "%d", ENOANO);
-		_exit(EXIT_FAILURE);
-	}
-
-	if (setns(mnt_fd, CLONE_NEWNS)) {
-		fprintf(stderr, "%d", ENOANO);
-		_exit(EXIT_FAILURE);
-	}
-
-	if (!chdirchroot_in_mntns(cwd_fd, root_fd)) {
+	if (!acquire_basic_creds(pid)) {
 		fprintf(stderr, "%d", ENOANO);
 		_exit(EXIT_FAILURE);
 	}


More information about the lxc-devel mailing list