[lxc-devel] [lxd/master] forksyscall: use nsids for shiftfs syscall intercepts

brauner on Github lxc-bot at linuxcontainers.org
Mon Jun 29 13:30:06 UTC 2020


From 53394604dd7a00133f1a80044906ef31429cf05f Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 29 Jun 2020 15:25:38 +0200
Subject: [PATCH] forksyscall: use nsids for shiftfs syscall intercepts

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/main_forksyscall.go | 13 ++++++---
 lxd/seccomp/seccomp.go  | 64 ++++++++++++++++++++++++++++++-----------
 2 files changed, 56 insertions(+), 21 deletions(-)

diff --git a/lxd/main_forksyscall.go b/lxd/main_forksyscall.go
index 14895b6ce0..f807ef5e6b 100644
--- a/lxd/main_forksyscall.go
+++ b/lxd/main_forksyscall.go
@@ -360,8 +360,8 @@ static void mount_emulate(void)
 	__do_close int mnt_fd = -EBADF, pidfd = -EBADF, ns_fd = -EBADF;
 	char *source = NULL, *shiftfs = NULL, *target = NULL, *fstype = NULL;
 	bool use_fuse;
-	uid_t uid = -1, fsuid = -1;
-	gid_t gid = -1, fsgid = -1;
+	uid_t nsuid = -1, uid = -1, nsfsuid = -1, fsuid = -1;
+	gid_t nsgid = -1, gid = -1, nsfsgid = -1, fsgid = -1;
 	int ret;
 	pid_t pid = -1;
 	unsigned long flags = 0;
@@ -385,8 +385,13 @@ static void mount_emulate(void)
 	gid = atoi(advance_arg(true));
 	fsuid = atoi(advance_arg(true));
 	fsgid = atoi(advance_arg(true));
-	if (!use_fuse)
+	if (!use_fuse) {
+		nsuid = atoi(advance_arg(true));
+		nsgid = atoi(advance_arg(true));
+		nsfsuid = atoi(advance_arg(true));
+		nsfsgid = atoi(advance_arg(true));
 		data = advance_arg(false);
+	}
 
 	mnt_fd = preserve_ns(getpid(), "mnt");
 	if (mnt_fd < 0)
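Review bot: The four new atoi() calls for nsuid, nsgid, nsfsuid and nsfsgid accept any string and return 0 on non-numeric input, so a missing or malformed id argument would silently become uid/gid 0 in the credentials later passed to acquire_final_creds; atoi also goes through int, so a 32-bit uid_t value at or above 2^31 is not parsed correctly. The pre-existing uid/gid/fsuid/fsgid parses have the same weakness, but the new lines are the place to stop repeating it: a checked parse per id such as `errno = 0; nsuid = strtoul(advance_arg(true), &end, 10);` followed by `if (errno != 0 || *end != '\0') _exit(EXIT_FAILURE);` fails closed instead of mapping to root. The enclosing mount_emulate starts outside the hunk.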
@@ -465,7 +470,7 @@ static void mount_emulate(void)
 			_exit(EXIT_FAILURE);
 		}
 
-		if (!acquire_final_creds(pid, uid, gid, fsuid, fsgid)) {
+		if (!acquire_final_creds(pid, nsuid, nsgid, nsfsuid, nsfsgid)) {
 			umount2(target, MNT_DETACH);
 			umount2(target, MNT_DETACH);
 			_exit(EXIT_FAILURE);
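Review bot: nsuid, nsgid, nsfsuid and nsfsgid are only parsed under `if (!use_fuse)` in the previous hunk and otherwise keep their -1 initialisers, so if this acquire_final_creds call is reachable on the fuse path it now switches to (uid_t)-1 credentials where it previously used the task's uid/gid. From the hunk alone I cannot see whether the fuse branch returns before this point; if it does, a comment such as `/* nsids are only parsed when !use_fuse; this path is non-fuse only */` above the call would make the invariant explicit for the next change. The enclosing mount_emulate starts outside the hunk.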
diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 025efb3141..d72c97f45b 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -1222,13 +1222,21 @@ func (s *Server) HandleSetxattrSyscall(c Instance, siov *Iovec) int {
 
 // MountArgs arguments for mount.
 type MountArgs struct {
-	source string
-	target string
-	fstype string
-	flags  int
-	data   string
-	pid    int
-	shift  bool
+	source  string
+	target  string
+	fstype  string
+	flags   int
+	data    string
+	pid     int
+	shift   bool
+	uid     int64
+	gid     int64
+	fsuid   int64
+	fsgid   int64
+	nsuid   int64
+	nsgid   int64
+	nsfsuid int64
+	nsfsgid int64
 }
 
 const knownFlags C.ulong = C.MS_BIND | C.MS_LAZYTIME | C.MS_MANDLOCK |
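Review bot: The eight id fields added to MountArgs carry no comments, and the names alone (uid versus nsuid) do not say which side of the id mapping each holds. From how HandleMountSyscall fills them later in this patch (TaskIDs for uid..fsgid, logged under host_* keys; ShiftFromNs for nsuid..nsfsgid, logged under ns_* keys) the first group appears to be the calling task's ids as seen on the host and the second their equivalents inside the instance's user namespace, but a reader of the struct cannot tell. Suggest `uid int64 // uid of the calling task as seen on the host (TaskIDs)` and `nsuid int64 // uid mapped into the instance's user namespace (CurrentIdmap)`, with matching comments for the gid, fsuid and fsgid variants, and a note that the ns* fields are only forwarded on the non-fuse forksyscall invocation.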
@@ -1445,14 +1453,32 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
 		return 0
 	}
 
-	nsuid, nsgid, nsfsuid, nsfsgid, err := TaskIDs(args.pid)
+	idmapset, err := c.CurrentIdmap()
 	if err != nil {
 		ctx["syscall_continue"] = "true"
 		C.seccomp_notify_update_response(siov.resp, 0, C.uint32_t(seccompUserNotifFlagContinue))
 		return 0
 	}
 
-	err = s.mountHandleHugetlbfsArgs(c, &args, nsuid, nsgid)
+	args.uid, args.gid, args.fsuid, args.fsgid, err = TaskIDs(args.pid)
+	if err != nil {
+		ctx["syscall_continue"] = "true"
+		C.seccomp_notify_update_response(siov.resp, 0, C.uint32_t(seccompUserNotifFlagContinue))
+		return 0
+	}
+	ctx["host_uid"] = args.uid
+	ctx["host_gid"] = args.gid
+	ctx["host_fsuid"] = args.fsuid
+	ctx["host_fsgid"] = args.fsgid
+
+	args.nsuid, args.nsgid = idmapset.ShiftFromNs(args.uid, args.gid)
+	args.nsfsuid, args.nsfsgid = idmapset.ShiftFromNs(args.fsuid, args.fsgid)
+	ctx["ns_uid"] = args.nsuid
+	ctx["ns_gid"] = args.nsgid
+	ctx["ns_fsuid"] = args.nsfsuid
+	ctx["ns_fsgid"] = args.nsfsgid
+
+	err = s.mountHandleHugetlbfsArgs(c, &args, args.uid, args.gid)
 	if err != nil {
 		ctx["syscall_continue"] = "true"
 		C.seccomp_notify_update_response(siov.resp, 0, C.uint32_t(seccompUserNotifFlagContinue))
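Review bot: The ShiftFromNs results at `args.nsuid, args.nsgid = idmapset.ShiftFromNs(args.uid, args.gid)` and the fsuid/fsgid line below it are stored and later forwarded to forksyscall without checking that a mapping actually applied; if, as I believe the idmap package does elsewhere, an unmapped id comes back as -1, that sentinel is formatted with %d and reaches atoi()/uid_t in mount_emulate instead of stopping the emulation here. The TaskIDs and CurrentIdmap failures just above already bail out by continuing the syscall, so the same treatment for an unmapped id keeps ids the instance does not own out of the mount helper; whether continue or an error response is the right outcome for this case is a policy call worth stating in a comment. HandleMountSyscall starts and ends outside the hunk.
```go
	args.nsuid, args.nsgid = idmapset.ShiftFromNs(args.uid, args.gid)
	args.nsfsuid, args.nsfsgid = idmapset.ShiftFromNs(args.fsuid, args.fsgid)
	// An id outside the instance's idmap has no namespace equivalent; do not
	// hand a sentinel to forksyscall, fall back like the TaskIDs error path.
	if args.nsuid < 0 || args.nsgid < 0 || args.nsfsuid < 0 || args.nsfsgid < 0 {
		ctx["syscall_continue"] = "true"
		C.seccomp_notify_update_response(siov.resp, 0, C.uint32_t(seccompUserNotifFlagContinue))
		return 0
	}
	// … unchanged: ns_* ctx entries and mountHandleHugetlbfsArgs call …
```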
@@ -1488,10 +1514,10 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
 			fmt.Sprintf("%d", args.pid),
 			fmt.Sprintf("%d", pidFdNr),
 			fmt.Sprintf("%d", 1),
-			fmt.Sprintf("%d", nsuid),
-			fmt.Sprintf("%d", nsgid),
-			fmt.Sprintf("%d", nsfsuid),
-			fmt.Sprintf("%d", nsfsgid),
+			fmt.Sprintf("%d", args.uid),
+			fmt.Sprintf("%d", args.gid),
+			fmt.Sprintf("%d", args.fsuid),
+			fmt.Sprintf("%d", args.fsgid),
 			fmt.Sprintf("%s", fuseSource),
 			fmt.Sprintf("%s", args.target),
 			fmt.Sprintf("%s", fuseOpts))
@@ -1510,10 +1536,14 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
 			fmt.Sprintf("%s", args.fstype),
 			fmt.Sprintf("%d", args.flags),
 			fmt.Sprintf("%t", args.shift),
-			fmt.Sprintf("%d", nsuid),
-			fmt.Sprintf("%d", nsgid),
-			fmt.Sprintf("%d", nsfsuid),
-			fmt.Sprintf("%d", nsfsgid),
+			fmt.Sprintf("%d", args.uid),
+			fmt.Sprintf("%d", args.gid),
+			fmt.Sprintf("%d", args.fsuid),
+			fmt.Sprintf("%d", args.fsgid),
+			fmt.Sprintf("%d", args.nsuid),
+			fmt.Sprintf("%d", args.nsgid),
+			fmt.Sprintf("%d", args.nsfsuid),
+			fmt.Sprintf("%d", args.nsfsgid),
 			fmt.Sprintf("%s", args.data))
 	}
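Review bot: The forksyscall argument list is a positional protocol shared with mount_emulate's advance_arg() sequence, and this patch makes it diverge between the two invocations: the non-fuse call here appends four ns ids before `args.data`, while the fuse call in the hunk above does not, and the C side only consumes them under `!use_fuse`. Nothing at either call site records that order, so a future field added to MountArgs can silently shift every later argument. Suggest a comment above this call listing the positional order, e.g. `// Argument order must match mount_emulate in main_forksyscall.go: ... uid gid fsuid fsgid nsuid nsgid nsfsuid nsfsgid data (ns ids are non-fuse only)`. The enclosing HandleMountSyscall continues outside the hunk.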
 	if err != nil {

