[lxc-devel] [lxd/master] forksyscall: use nsids for shiftfs syscall intercepts
brauner on Github
lxc-bot at linuxcontainers.org
Mon Jun 29 13:30:06 UTC 2020
From 53394604dd7a00133f1a80044906ef31429cf05f Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 29 Jun 2020 15:25:38 +0200
Subject: [PATCH] forksyscall: use nsids for shiftfs syscall intercepts
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/main_forksyscall.go | 13 ++++++---
lxd/seccomp/seccomp.go | 64 ++++++++++++++++++++++++++++++-----------
2 files changed, 56 insertions(+), 21 deletions(-)
diff --git a/lxd/main_forksyscall.go b/lxd/main_forksyscall.go
index 14895b6ce0..f807ef5e6b 100644
--- a/lxd/main_forksyscall.go
+++ b/lxd/main_forksyscall.go
@@ -360,8 +360,8 @@ static void mount_emulate(void)
__do_close int mnt_fd = -EBADF, pidfd = -EBADF, ns_fd = -EBADF;
char *source = NULL, *shiftfs = NULL, *target = NULL, *fstype = NULL;
bool use_fuse;
- uid_t uid = -1, fsuid = -1;
- gid_t gid = -1, fsgid = -1;
+ uid_t nsuid = -1, uid = -1, nsfsuid = -1, fsuid = -1;
+ gid_t nsgid = -1, gid = -1, nsfsgid = -1, fsgid = -1;
int ret;
pid_t pid = -1;
unsigned long flags = 0;
@@ -385,8 +385,13 @@ static void mount_emulate(void)
gid = atoi(advance_arg(true));
fsuid = atoi(advance_arg(true));
fsgid = atoi(advance_arg(true));
- if (!use_fuse)
+ if (!use_fuse) {
+ nsuid = atoi(advance_arg(true));
+ nsgid = atoi(advance_arg(true));
+ nsfsuid = atoi(advance_arg(true));
+ nsfsgid = atoi(advance_arg(true));
data = advance_arg(false);
+ }
mnt_fd = preserve_ns(getpid(), "mnt");
if (mnt_fd < 0)
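Review bot: The four new `atoi(advance_arg(true))` parses for nsuid, nsgid, nsfsuid and nsfsgid inherit a fail-to-zero behaviour: `atoi` returns 0 for an empty or non-numeric argument, and 0 is the root identity, so a malformed argument silently degrades to the most privileged id instead of aborting. The arguments are produced by the lxd parent rather than by the container, so this is a robustness point, but a `strtoul` with an end-pointer/`errno` check, or a small helper that `_exit`s on a bad value, would make the parse fail closed; the existing uid/gid/fsuid/fsgid parses above have the same shape. `atoi` also returns `int` before the assignment to `uid_t`/`gid_t`, so ids above INT_MAX depend on implementation-defined narrowing, which `strtoul` would avoid. mount_emulate starts and ends outside the hunk.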
@@ -465,7 +470,7 @@ static void mount_emulate(void)
_exit(EXIT_FAILURE);
}
- if (!acquire_final_creds(pid, uid, gid, fsuid, fsgid)) {
+ if (!acquire_final_creds(pid, nsuid, nsgid, nsfsuid, nsfsgid)) {
umount2(target, MNT_DETACH);
umount2(target, MNT_DETACH);
_exit(EXIT_FAILURE);
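Review bot: `acquire_final_creds(pid, nsuid, nsgid, nsfsuid, nsfsgid)` now consumes ids that are only assigned inside the `if (!use_fuse)` block of the previous hunk; if this call is also reached on the fuse path (the hunk does not show which branch it sits in), the four arguments are still the `-1` initializers from the declaration hunk, i.e. `uid_t`/`gid_t` max, not the task's ids. If the fuse path never reaches this point, a comment above the call such as `/* nsids are only parsed on the non-fuse path; fuse mounts return earlier */` would make that invariant explicit; if it can, the fuse branch needs its own id source or a guard on `nsuid == (uid_t)-1`. The function continues outside the hunk.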
diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 025efb3141..d72c97f45b 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -1222,13 +1222,21 @@ func (s *Server) HandleSetxattrSyscall(c Instance, siov *Iovec) int {
// MountArgs arguments for mount.
type MountArgs struct {
- source string
- target string
- fstype string
- flags int
- data string
- pid int
- shift bool
+ source string
+ target string
+ fstype string
+ flags int
+ data string
+ pid int
+ shift bool
+ uid int64
+ gid int64
+ fsuid int64
+ fsgid int64
+ nsuid int64
+ nsgid int64
+ nsfsuid int64
+ nsfsgid int64
}
const knownFlags C.ulong = C.MS_BIND | C.MS_LAZYTIME | C.MS_MANDLOCK |
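Review bot: The eight new id fields on MountArgs carry two different coordinate spaces but nothing in the struct says which: in the handler below, `uid`/`gid`/`fsuid`/`fsgid` are the host-side task ids returned by `TaskIDs` (logged as `host_uid` etc.) and `nsuid`/`nsgid`/`nsfsuid`/`nsfsgid` are the same ids after `idmapset.ShiftFromNs` (logged as `ns_uid` etc.), while the code this commit replaces used the name `nsuid` for the `TaskIDs` result, so the bare names are easy to read the wrong way round. Suggest field comments, e.g. `uid int64 // host-side uid of the calling task (TaskIDs)` and `nsuid int64 // uid translated into the instance's idmap (ShiftFromNs)`, with the gid/fs variants documented the same way. The struct comment `// MountArgs arguments for mount.` could also state that these are the values forwarded positionally to forksyscall.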
@@ -1445,14 +1453,32 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
return 0
}
- nsuid, nsgid, nsfsuid, nsfsgid, err := TaskIDs(args.pid)
+ idmapset, err := c.CurrentIdmap()
if err != nil {
ctx["syscall_continue"] = "true"
C.seccomp_notify_update_response(siov.resp, 0, C.uint32_t(seccompUserNotifFlagContinue))
return 0
}
- err = s.mountHandleHugetlbfsArgs(c, &args, nsuid, nsgid)
+ args.uid, args.gid, args.fsuid, args.fsgid, err = TaskIDs(args.pid)
+ if err != nil {
+ ctx["syscall_continue"] = "true"
+ C.seccomp_notify_update_response(siov.resp, 0, C.uint32_t(seccompUserNotifFlagContinue))
+ return 0
+ }
+ ctx["host_uid"] = args.uid
+ ctx["host_gid"] = args.gid
+ ctx["host_fsuid"] = args.fsuid
+ ctx["host_fsgid"] = args.fsgid
+
+ args.nsuid, args.nsgid = idmapset.ShiftFromNs(args.uid, args.gid)
+ args.nsfsuid, args.nsfsgid = idmapset.ShiftFromNs(args.fsuid, args.fsgid)
+ ctx["ns_uid"] = args.nsuid
+ ctx["ns_gid"] = args.nsgid
+ ctx["ns_fsuid"] = args.nsfsuid
+ ctx["ns_fsgid"] = args.nsfsgid
+
+ err = s.mountHandleHugetlbfsArgs(c, &args, args.uid, args.gid)
if err != nil {
ctx["syscall_continue"] = "true"
C.seccomp_notify_update_response(siov.resp, 0, C.uint32_t(seccompUserNotifFlagContinue))
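Review bot: `idmapset` is used at `idmapset.ShiftFromNs(...)` without a nil check; if `c.CurrentIdmap()` can return a nil set with a nil error (for example for an instance that has no idmap), the handler panics inside the seccomp notifier instead of taking the `syscall_continue` path that every other failure in this hunk uses. The shifted results are also not validated: an id outside the instance's map presumably comes back as a sentinel rather than an error, and it would be formatted into the forksyscall arguments as-is, where the C side parses it with `atoi` into a `uid_t`. A `if idmapset == nil` guard after the error check that takes the same three-line continue path, plus a check that `args.nsuid`/`args.nsgid`/`args.nsfsuid`/`args.nsfsgid` are non-negative before they are forwarded, would keep an unmapped caller on the kernel's own error path. HandleMountSyscall starts and ends outside the hunk.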
@@ -1488,10 +1514,10 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
fmt.Sprintf("%d", args.pid),
fmt.Sprintf("%d", pidFdNr),
fmt.Sprintf("%d", 1),
- fmt.Sprintf("%d", nsuid),
- fmt.Sprintf("%d", nsgid),
- fmt.Sprintf("%d", nsfsuid),
- fmt.Sprintf("%d", nsfsgid),
+ fmt.Sprintf("%d", args.uid),
+ fmt.Sprintf("%d", args.gid),
+ fmt.Sprintf("%d", args.fsuid),
+ fmt.Sprintf("%d", args.fsgid),
fmt.Sprintf("%s", fuseSource),
fmt.Sprintf("%s", args.target),
fmt.Sprintf("%s", fuseOpts))
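Review bot: The forksyscall argument vector is positional, and the non-fuse list in the next hunk grows it by four while this fuse list keeps the old count: the C parser in main_forksyscall.go reads `nsuid, nsgid, nsfsuid, nsfsgid` and then `data` only under `!use_fuse`, so the order and count here and below must match it exactly, and a swapped pair would make `acquire_final_creds` switch to the wrong identity with no error. A comment above each list naming the expected order, e.g. `// positional: keep in sync with mount_emulate() in main_forksyscall.go` followed by the field order, would guard against drift between the two files; the fuse list should also say that it intentionally stops at `fsgid`. As a nit, `fmt.Sprintf("%d", args.uid)` on an int64 can be `strconv.FormatInt(args.uid, 10)`. The enclosing call starts and ends outside the hunk.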
@@ -1510,10 +1536,14 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
fmt.Sprintf("%s", args.fstype),
fmt.Sprintf("%d", args.flags),
fmt.Sprintf("%t", args.shift),
- fmt.Sprintf("%d", nsuid),
- fmt.Sprintf("%d", nsgid),
- fmt.Sprintf("%d", nsfsuid),
- fmt.Sprintf("%d", nsfsgid),
+ fmt.Sprintf("%d", args.uid),
+ fmt.Sprintf("%d", args.gid),
+ fmt.Sprintf("%d", args.fsuid),
+ fmt.Sprintf("%d", args.fsgid),
+ fmt.Sprintf("%d", args.nsuid),
+ fmt.Sprintf("%d", args.nsgid),
+ fmt.Sprintf("%d", args.nsfsuid),
+ fmt.Sprintf("%d", args.nsfsgid),
fmt.Sprintf("%s", args.data))
}
if err != nil {