]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-patch-uid.c
projects / thirdparty / systemd.git / blob
? search:


9067d3004dca7e195d0274e61ed2df38a5801fd2
[thirdparty/systemd.git] / src / nspawn / nspawn-patch-uid.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2016 Lennart Poettering
6 ***/
7
8 #include <fcntl.h>
9 #include <linux/magic.h>
10 #if HAVE_ACL
11 #include <sys/acl.h>
12 #endif
13 #include <sys/stat.h>
14 #include <sys/statvfs.h>
15 #include <sys/vfs.h>
16 #include <unistd.h>
17
18 #include "acl-util.h"
19 #include "dirent-util.h"
20 #include "fd-util.h"
21 #include "fs-util.h"
22 #include "missing.h"
23 #include "nspawn-def.h"
24 #include "nspawn-patch-uid.h"
25 #include "stat-util.h"
26 #include "stdio-util.h"
27 #include "string-util.h"
28 #include "strv.h"
29 #include "user-util.h"
30
31 #if HAVE_ACL
32
33 static int get_acl(int fd, const char *name, acl_type_t type, acl_t *ret) {
34 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
35 acl_t acl;
36
37 assert(fd >= 0);
38 assert(ret);
39
40 if (name) {
41 _cleanup_close_ int child_fd = -1;
42
43 child_fd = openat(fd, name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
44 if (child_fd < 0)
45 return -errno;
46
47 xsprintf(procfs_path, "/proc/self/fd/%i", child_fd);
48 acl = acl_get_file(procfs_path, type);
49 } else if (type == ACL_TYPE_ACCESS)
50 acl = acl_get_fd(fd);
51 else {
52 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
53 acl = acl_get_file(procfs_path, type);
54 }
55 if (!acl)
56 return -errno;
57
58 *ret = acl;
59 return 0;
60 }
61
62 static int set_acl(int fd, const char *name, acl_type_t type, acl_t acl) {
63 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
64 int r;
65
66 assert(fd >= 0);
67 assert(acl);
68
69 if (name) {
70 _cleanup_close_ int child_fd = -1;
71
72 child_fd = openat(fd, name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
73 if (child_fd < 0)
74 return -errno;
75
76 xsprintf(procfs_path, "/proc/self/fd/%i", child_fd);
77 r = acl_set_file(procfs_path, type, acl);
78 } else if (type == ACL_TYPE_ACCESS)
79 r = acl_set_fd(fd, acl);
80 else {
81 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
82 r = acl_set_file(procfs_path, type, acl);
83 }
84 if (r < 0)
85 return -errno;
86
87 return 0;
88 }
89
90 static int shift_acl(acl_t acl, uid_t shift, acl_t *ret) {
91 _cleanup_(acl_freep) acl_t copy = NULL;
92 acl_entry_t i;
93 int r;
94
95 assert(acl);
96 assert(ret);
97
98 r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
99 if (r < 0)
100 return -errno;
101 while (r > 0) {
102 uid_t *old_uid, new_uid;
103 bool modify = false;
104 acl_tag_t tag;
105
106 if (acl_get_tag_type(i, &tag) < 0)
107 return -errno;
108
109 if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
110
111 /* We don't distuingish here between uid_t and gid_t, let's make sure the compiler checks that
112 * this is actually OK */
113 assert_cc(sizeof(uid_t) == sizeof(gid_t));
114
115 old_uid = acl_get_qualifier(i);
116 if (!old_uid)
117 return -errno;
118
119 new_uid = shift | (*old_uid & UINT32_C(0xFFFF));
120 if (!uid_is_valid(new_uid))
121 return -EINVAL;
122
123 modify = new_uid != *old_uid;
124 if (modify && !copy) {
125 int n;
126
127 /* There's no copy of the ACL yet? if so, let's create one, and start the loop from the
128 * beginning, so that we copy all entries, starting from the first, this time. */
129
130 n = acl_entries(acl);
131 if (n < 0)
132 return -errno;
133
134 copy = acl_init(n);
135 if (!copy)
136 return -errno;
137
138 /* Seek back to the beginning */
139 r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
140 if (r < 0)
141 return -errno;
142 continue;
143 }
144 }
145
146 if (copy) {
147 acl_entry_t new_entry;
148
149 if (acl_create_entry(&copy, &new_entry) < 0)
150 return -errno;
151
152 if (acl_copy_entry(new_entry, i) < 0)
153 return -errno;
154
155 if (modify)
156 if (acl_set_qualifier(new_entry, &new_uid) < 0)
157 return -errno;
158 }
159
160 r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i);
161 if (r < 0)
162 return -errno;
163 }
164
165 *ret = TAKE_PTR(copy);
166
167 return !!*ret;
168 }
169
170 static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shift) {
171 _cleanup_(acl_freep) acl_t acl = NULL, shifted = NULL;
172 bool changed = false;
173 int r;
174
175 assert(fd >= 0);
176 assert(st);
177
178 /* ACLs are not supported on symlinks, there's no point in trying */
179 if (S_ISLNK(st->st_mode))
180 return 0;
181
182 r = get_acl(fd, name, ACL_TYPE_ACCESS, &acl);
183 if (r == -EOPNOTSUPP)
184 return 0;
185 if (r < 0)
186 return r;
187
188 r = shift_acl(acl, shift, &shifted);
189 if (r < 0)
190 return r;
191 if (r > 0) {
192 r = set_acl(fd, name, ACL_TYPE_ACCESS, shifted);
193 if (r < 0)
194 return r;
195
196 changed = true;
197 }
198
199 if (S_ISDIR(st->st_mode)) {
200 acl_free(acl);
201 acl_free(shifted);
202
203 acl = shifted = NULL;
204
205 r = get_acl(fd, name, ACL_TYPE_DEFAULT, &acl);
206 if (r < 0)
207 return r;
208
209 r = shift_acl(acl, shift, &shifted);
210 if (r < 0)
211 return r;
212 if (r > 0) {
213 r = set_acl(fd, name, ACL_TYPE_DEFAULT, shifted);
214 if (r < 0)
215 return r;
216
217 changed = true;
218 }
219 }
220
221 return changed;
222 }
223
224 #else
225
226 static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shift) {
227 return 0;
228 }
229
230 #endif
231
232 static int patch_fd(int fd, const char *name, const struct stat *st, uid_t shift) {
233 uid_t new_uid;
234 gid_t new_gid;
235 bool changed = false;
236 int r;
237
238 assert(fd >= 0);
239 assert(st);
240
241 new_uid = shift | (st->st_uid & UINT32_C(0xFFFF));
242 new_gid = (gid_t) shift | (st->st_gid & UINT32_C(0xFFFF));
243
244 if (!uid_is_valid(new_uid) || !gid_is_valid(new_gid))
245 return -EINVAL;
246
247 if (st->st_uid != new_uid || st->st_gid != new_gid) {
248 if (name)
249 r = fchownat(fd, name, new_uid, new_gid, AT_SYMLINK_NOFOLLOW);
250 else
251 r = fchown(fd, new_uid, new_gid);
252 if (r < 0)
253 return -errno;
254
255 /* The Linux kernel alters the mode in some cases of chown(). Let's undo this. */
256 if (name) {
257 if (!S_ISLNK(st->st_mode))
258 r = fchmodat(fd, name, st->st_mode, 0);
259 else /* AT_SYMLINK_NOFOLLOW is not available for fchmodat() */
260 r = 0;
261 } else
262 r = fchmod(fd, st->st_mode);
263 if (r < 0)
264 return -errno;
265
266 changed = true;
267 }
268
269 r = patch_acls(fd, name, st, shift);
270 if (r < 0)
271 return r;
272
273 return r > 0 || changed;
274 }
275
276 /*
277 * Check if the filesystem is fully compatible with user namespaces or
278 * UID/GID patching. Some filesystems in this list can be fully mounted inside
279 * user namespaces, however their inodes may relate to host resources or only
280 * valid in the global user namespace, therefore no patching should be applied.
281 */
282 static int is_fs_fully_userns_compatible(const struct statfs *sfs) {
283
284 assert(sfs);
285
286 return F_TYPE_EQUAL(sfs->f_type, BINFMTFS_MAGIC) ||
287 F_TYPE_EQUAL(sfs->f_type, CGROUP_SUPER_MAGIC) ||
288 F_TYPE_EQUAL(sfs->f_type, CGROUP2_SUPER_MAGIC) ||
289 F_TYPE_EQUAL(sfs->f_type, DEBUGFS_MAGIC) ||
290 F_TYPE_EQUAL(sfs->f_type, DEVPTS_SUPER_MAGIC) ||
291 F_TYPE_EQUAL(sfs->f_type, EFIVARFS_MAGIC) ||
292 F_TYPE_EQUAL(sfs->f_type, HUGETLBFS_MAGIC) ||
293 F_TYPE_EQUAL(sfs->f_type, MQUEUE_MAGIC) ||
294 F_TYPE_EQUAL(sfs->f_type, PROC_SUPER_MAGIC) ||
295 F_TYPE_EQUAL(sfs->f_type, PSTOREFS_MAGIC) ||
296 F_TYPE_EQUAL(sfs->f_type, SELINUX_MAGIC) ||
297 F_TYPE_EQUAL(sfs->f_type, SMACK_MAGIC) ||
298 F_TYPE_EQUAL(sfs->f_type, SECURITYFS_MAGIC) ||
299 F_TYPE_EQUAL(sfs->f_type, BPF_FS_MAGIC) ||
300 F_TYPE_EQUAL(sfs->f_type, TRACEFS_MAGIC) ||
301 F_TYPE_EQUAL(sfs->f_type, SYSFS_MAGIC);
302 }
303
304 static int recurse_fd(int fd, bool donate_fd, const struct stat *st, uid_t shift, bool is_toplevel) {
305 _cleanup_closedir_ DIR *d = NULL;
306 bool changed = false;
307 struct statfs sfs;
308 int r;
309
310 assert(fd >= 0);
311
312 if (fstatfs(fd, &sfs) < 0)
313 return -errno;
314
315 /* We generally want to permit crossing of mount boundaries when patching the UIDs/GIDs. However, we probably
316 * shouldn't do this for /proc and /sys if that is already mounted into place. Hence, let's stop the recursion
317 * when we hit procfs, sysfs or some other special file systems. */
318
319 r = is_fs_fully_userns_compatible(&sfs);
320 if (r < 0)
321 goto finish;
322 if (r > 0) {
323 r = 0; /* don't recurse */
324 goto finish;
325 }
326
327 /* Also, if we hit a read-only file system, then don't bother, skip the whole subtree */
328 if ((sfs.f_flags & ST_RDONLY) ||
329 access_fd(fd, W_OK) == -EROFS)
330 goto read_only;
331
332 if (S_ISDIR(st->st_mode)) {
333 struct dirent *de;
334
335 if (!donate_fd) {
336 int copy;
337
338 copy = fcntl(fd, F_DUPFD_CLOEXEC, 3);
339 if (copy < 0) {
340 r = -errno;
341 goto finish;
342 }
343
344 fd = copy;
345 donate_fd = true;
346 }
347
348 d = fdopendir(fd);
349 if (!d) {
350 r = -errno;
351 goto finish;
352 }
353 fd = -1;
354
355 FOREACH_DIRENT_ALL(de, d, r = -errno; goto finish) {
356 struct stat fst;
357
358 if (dot_or_dot_dot(de->d_name))
359 continue;
360
361 if (fstatat(dirfd(d), de->d_name, &fst, AT_SYMLINK_NOFOLLOW) < 0) {
362 r = -errno;
363 goto finish;
364 }
365
366 if (S_ISDIR(fst.st_mode)) {
367 int subdir_fd;
368
369 subdir_fd = openat(dirfd(d), de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
370 if (subdir_fd < 0) {
371 r = -errno;
372 goto finish;
373
374 }
375
376 r = recurse_fd(subdir_fd, true, &fst, shift, false);
377 if (r < 0)
378 goto finish;
379 if (r > 0)
380 changed = true;
381
382 } else {
383 r = patch_fd(dirfd(d), de->d_name, &fst, shift);
384 if (r < 0)
385 goto finish;
386 if (r > 0)
387 changed = true;
388 }
389 }
390 }
391
392 /* After we descended, also patch the directory itself. It's key to do this in this order so that the top-level
393 * directory is patched as very last object in the tree, so that we can use it as quick indicator whether the
394 * tree is properly chown()ed already. */
395 r = patch_fd(d ? dirfd(d) : fd, NULL, st, shift);
396 if (r == -EROFS)
397 goto read_only;
398 if (r > 0)
399 changed = true;
400
401 r = changed;
402 goto finish;
403
404 read_only:
405 if (!is_toplevel) {
406 _cleanup_free_ char *name = NULL;
407
408 /* When we hit a ready-only subtree we simply skip it, but log about it. */
409 (void) fd_get_path(fd, &name);
410 log_debug("Skippping read-only file or directory %s.", strna(name));
411 r = changed;
412 }
413
414 finish:
415 if (donate_fd)
416 safe_close(fd);
417
418 return r;
419 }
420
421 static int fd_patch_uid_internal(int fd, bool donate_fd, uid_t shift, uid_t range) {
422 struct stat st;
423 int r;
424
425 assert(fd >= 0);
426
427 /* Recursively adjusts the UID/GIDs of all files of a directory tree. This is used to automatically fix up an
428 * OS tree to the used user namespace UID range. Note that this automatic adjustment only works for UID ranges
429 * following the concept that the upper 16bit of a UID identify the container, and the lower 16bit are the actual
430 * UID within the container. */
431
432 if ((shift & 0xFFFF) != 0) {
433 /* We only support containers where the shift starts at a 2^16 boundary */
434 r = -EOPNOTSUPP;
435 goto finish;
436 }
437
438 if (shift == UID_BUSY_BASE) {
439 r = -EINVAL;
440 goto finish;
441 }
442
443 if (range != 0x10000) {
444 /* We only support containers with 16bit UID ranges for the patching logic */
445 r = -EOPNOTSUPP;
446 goto finish;
447 }
448
449 if (fstat(fd, &st) < 0) {
450 r = -errno;
451 goto finish;
452 }
453
454 if ((uint32_t) st.st_uid >> 16 != (uint32_t) st.st_gid >> 16) {
455 /* We only support containers where the uid/gid container ID match */
456 r = -EBADE;
457 goto finish;
458 }
459
460 /* Try to detect if the range is already right. Of course, this a pretty drastic optimization, as we assume
461 * that if the top-level dir has the right upper 16bit assigned, then everything below will have too... */
462 if (((uint32_t) (st.st_uid ^ shift) >> 16) == 0)
463 return 0;
464
465 /* Before we start recursively chowning, mark the top-level dir as "busy" by chowning it to the "busy"
466 * range. Should we be interrupted in the middle of our work, we'll see it owned by this user and will start
467 * chown()ing it again, unconditionally, as the busy UID is not a valid UID we'd everpick for ourselves. */
468
469 if ((st.st_uid & UID_BUSY_MASK) != UID_BUSY_BASE) {
470 if (fchown(fd,
471 UID_BUSY_BASE | (st.st_uid & ~UID_BUSY_MASK),
472 (gid_t) UID_BUSY_BASE | (st.st_gid & ~(gid_t) UID_BUSY_MASK)) < 0) {
473 r = -errno;
474 goto finish;
475 }
476 }
477
478 return recurse_fd(fd, donate_fd, &st, shift, true);
479
480 finish:
481 if (donate_fd)
482 safe_close(fd);
483
484 return r;
485 }
486
487 int fd_patch_uid(int fd, uid_t shift, uid_t range) {
488 return fd_patch_uid_internal(fd, false, shift, range);
489 }
490
491 int path_patch_uid(const char *path, uid_t shift, uid_t range) {
492 int fd;
493
494 fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
495 if (fd < 0)
496 return -errno;
497
498 return fd_patch_uid_internal(fd, true, shift, range);
499 }
Unnamed repository; edit this file 'description' to name the repository.