aboutsummaryrefslogtreecommitdiff
blob: 9d0505f1ef5382edee123269f8a46a725dd8a28e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
/* Acquire root privileges.
   Copyright (C) 2016-2019 Free Software Foundation, Inc.
   This file is part of the GNU C Library.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <https://www.gnu.org/licenses/>.  */

#include <support/namespace.h>

#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <support/check.h>
#include <support/xunistd.h>
#include <unistd.h>

#ifdef CLONE_NEWUSER
/* The necessary steps to allow file creation in user namespaces.  */
static void
setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid)
{
  int fd = open64 ("/proc/self/uid_map", O_WRONLY);
  if (fd < 0)
    {
      printf ("warning: could not open /proc/self/uid_map: %m\n"
              "warning: file creation may not be possible\n");
      return;
    }

  /* We map our original UID to the same UID in the container so we
     own our own files normally.  Without that, file creation could
     fail with EOVERFLOW (sic!).  */
  char buf[100];
  int ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
                      (unsigned long long) original_uid,
                      (unsigned long long) original_uid);
  TEST_VERIFY_EXIT (ret < sizeof (buf));
  xwrite (fd, buf, ret);
  xclose (fd);

  /* Linux 3.19 introduced the setgroups file.  We need write "deny" to this
     file otherwise writing to gid_map will fail with EPERM.  */
  fd = open64 ("/proc/self/setgroups", O_WRONLY, 0);
  if (fd < 0)
    {
      if (errno != ENOENT)
        FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m",
                    O_WRONLY, 0);
      /* This kernel doesn't expose the setgroups file so simply move on.  */
    }
  else
    {
      xwrite (fd, "deny\n", strlen ("deny\n"));
      xclose (fd);
    }

  /* Now map our own GID, like we did for the user ID.  */
  fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
  ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
                  (unsigned long long) original_gid,
                  (unsigned long long) original_gid);
  TEST_VERIFY_EXIT (ret < sizeof (buf));
  xwrite (fd, buf, ret);
  xclose (fd);
}
#endif /* CLONE_NEWUSER */

bool
support_become_root (void)
{
#ifdef CLONE_NEWUSER
  uid_t original_uid = getuid ();
  gid_t original_gid = getgid ();

  if (unshare (CLONE_NEWUSER | CLONE_NEWNS) == 0)
    {
      setup_uid_gid_mapping (original_uid, original_gid);
      /* Even if we do not have UID zero, we have extended privileges at
         this point.  */
      return true;
    }
#endif
  if (setuid (0) != 0)
    {
      printf ("warning: could not become root outside namespace (%m)\n");
      return false;
    }
  return true;
}