[Toybox] [PATCH] unshare: fix -r

Samuel Holland samuel at sholland.net
Sun Apr 12 11:52:52 PDT 2015


Calling unshare(2) immediately puts us in the new namespace
with the "overflow" user and group ID. By calling geteuid()
and getegid() in handle_r() after calling unshare(), we try
to map that to root, which Linux refuses to let us do.

What we really want to map to root is the caller's uid/gid
in the original namespace. So we have to save them before
calling unshare().
---
  toys/other/nsenter.c | 39 +++++++++++++++++++--------------------
  1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/toys/other/nsenter.c b/toys/other/nsenter.c
index d0a5cd6..18a2cd2 100644
--- a/toys/other/nsenter.c
+++ b/toys/other/nsenter.c
@@ -79,31 +79,27 @@ GLOBALS(
  static void write_ugid_map(char *map, unsigned eugid)
  {
    int bytes = sprintf(toybuf, "0 %u 1", eugid), fd = xopen(map, O_WRONLY);
-
+
    xwrite(fd, toybuf, bytes);
    xclose(fd);
  }

-
-static int handle_r(int test)
+static void handle_r(int euid, int egid)
  {
    int fd;

-  if (!CFG_UNSHARE || !(toys.optflags & FLAG_r) || *toys.which->name!='u')
-    return 0;
-  if (!test) return 1;
-
-  if (toys.optflags & FLAG_r) {
-    if ((fd = open("/proc/self/setgroups", O_WRONLY)) >= 0) {
-      xwrite(fd, "deny", 4);
-      close(fd);
-    }
-
-    write_ugid_map("/proc/self/uid_map", geteuid());
-    write_ugid_map("/proc/self/gid_map", getegid());
+  if ((fd = open("/proc/self/setgroups", O_WRONLY)) >= 0) {
+    xwrite(fd, "deny", 4);
+    close(fd);
    }

-  return 0;
+  write_ugid_map("/proc/self/uid_map", euid);
+  write_ugid_map("/proc/self/gid_map", egid);
+}
+
+static int test_r()
+{
+  return toys.optflags & FLAG_r;
  }

  // Shift back to the context GLOBALS lives in (I.E. matching the 
filename).
@@ -117,16 +113,19 @@ void unshare_main(void)
                      CLONE_NEWNS, CLONE_NEWIPC}, f = 0;
    int i, fd;

-  // unshare -U does not imply -r, so we cannot use [+rU]
-  if (handle_r(0))  toys.optflags |= FLAG_U;
-
    // Create new namespace(s)?
    if (CFG_UNSHARE && *toys.which->name=='u') {
+    // For -r, we have to save our original [ug]id before calling unshare()
+    int euid = geteuid(), egid = getegid();
+
+    // unshare -U does not imply -r, so we cannot use [+rU]
+    if (test_r()) toys.optflags |= FLAG_U;
+
      for (i = 0; i<ARRAY_LEN(flags); i++)
        if (toys.optflags & (1<<i)) f |= flags[i];

      if (unshare(f)) perror_exit(0);
-    handle_r(1);
+    if (test_r()) handle_r(euid, egid);

    // Bind to existing namespace(s)?
    } else if (CFG_NSENTER) {
-- 
2.2.1


 1428864772.0


More information about the Toybox mailing list