5707a64d | 1 | /* Acquire root privileges. |
2b778ceb | 2 | Copyright (C) 2016-2021 Free Software Foundation, Inc. |
3 | This file is part of the GNU C Library. |
4 | ||
5 | The GNU C Library is free software; you can redistribute it and/or | |
6 | modify it under the terms of the GNU Lesser General Public | |
7 | License as published by the Free Software Foundation; either | |
8 | version 2.1 of the License, or (at your option) any later version. | |
9 | ||
10 | The GNU C Library is distributed in the hope that it will be useful, | |
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
13 | Lesser General Public License for more details. | |
14 | ||
15 | You should have received a copy of the GNU Lesser General Public | |
16 | License along with the GNU C Library; if not, see | |
5a82c748 | 17 | <https://www.gnu.org/licenses/>. */ |
18 | |
19 | #include <support/namespace.h> | |
20 | ||
ea69a5c8 | 21 | #include <errno.h> |
ce003e5d | 22 | #include <fcntl.h> |
23 | #include <sched.h> |
24 | #include <stdio.h> | |
25 | #include <string.h> |
26 | #include <support/check.h> | |
27 | #include <support/xunistd.h> | |
28 | #include <unistd.h> |
29 | ||
30 | #ifdef CLONE_NEWUSER |
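/* Write the single-entry identity mapping "ID ID 1\n" for ID to the
   already-open map file FD, then close FD.  Exits the test on a
   formatting or write failure.  */
static void
write_identity_mapping (int fd, unsigned long long id)
{
  /* Two decimal 64-bit numbers (20 digits each), two spaces, "1",
     newline and NUL fit in 45 bytes; 100 leaves plenty of slack.  */
  char buf[100];
  int len = snprintf (buf, sizeof (buf), "%llu %llu 1\n", id, id);
  /* Check for a negative (error) return explicitly instead of relying
     on the signed-to-unsigned conversion in "len < sizeof (buf)".  */
  TEST_VERIFY_EXIT (len > 0 && (size_t) len < sizeof (buf));
  xwrite (fd, buf, len);
  xclose (fd);
}

/* The necessary steps to allow file creation in user namespaces.

   Right after unshare (CLONE_NEWUSER) the process has no ID mappings,
   so files it creates are not owned by it in any usable way.  This
   installs 1:1 mappings for ORIGINAL_UID and ORIGINAL_GID, which the
   caller must have captured before the unshare call (as
   support_become_root does).

   Failure to open uid_map is treated as best effort (a warning is
   printed and nothing else is attempted); any later failure is fatal
   for the test.  */
static void
setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid)
{
  int fd = open64 ("/proc/self/uid_map", O_WRONLY);
  if (fd < 0)
    {
      /* The setgroups and gid_map steps are skipped as well; they are
         expected to fail in the same way.  */
      printf ("warning: could not open /proc/self/uid_map: %m\n"
              "warning: file creation may not be possible\n");
      return;
    }

  /* We map our original UID to the same UID in the container so we
     own our own files normally.  Without that, file creation could
     fail with EOVERFLOW (sic!).  */
  write_identity_mapping (fd, original_uid);

  /* Linux 3.19 introduced the setgroups file.  We need write "deny" to
     this file otherwise writing to gid_map will fail with EPERM.  The
     kernel insists on this so that an unprivileged process cannot use
     a user namespace to shed a supplementary group that was
     restricting it.  */
  fd = open64 ("/proc/self/setgroups", O_WRONLY, 0);
  if (fd < 0)
    {
      if (errno != ENOENT)
        FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m",
                    O_WRONLY, 0);
      /* This kernel doesn't expose the setgroups file so simply move on.  */
    }
  else
    {
      xwrite (fd, "deny\n", strlen ("deny\n"));
      xclose (fd);
    }

  /* Now map our own GID, like we did for the user ID.  Unlike uid_map
     above, a failure to open gid_map is fatal (xopen).  */
  fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
  write_identity_mapping (fd, original_gid);
}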
79 | #endif /* CLONE_NEWUSER */ | |
80 | ||
/* Give the calling process root-like privileges for a test.

   Preferred route: a fresh user and mount namespace via unshare.  The
   outer UID/GID are read first and then mapped 1:1 into the new
   namespace by setup_uid_gid_mapping so that file ownership keeps
   working.  If no namespace can be created (or the build has no
   CLONE_NEWUSER), fall back to setuid (0), which only works when the
   process already has the privilege to do so.

   Returns true on success.  Returns false, after printing a warning,
   when neither route worked; callers then have to skip or adapt
   privileged steps themselves.  */
bool
support_become_root (void)
{
#ifdef CLONE_NEWUSER
  /* Read the IDs before unshare: they are what gets mapped into the
     new namespace.  */
  uid_t outer_uid = getuid ();
  gid_t outer_gid = getgid ();

  bool in_new_namespace = unshare (CLONE_NEWUSER | CLONE_NEWNS) == 0;
  if (in_new_namespace)
    {
      setup_uid_gid_mapping (outer_uid, outer_gid);
      /* The UID may still be non-zero, yet the process now holds the
         namespace's extended privileges.  */
      return true;
    }
#endif
  /* No namespace support, or the kernel refused (e.g. unprivileged
     user namespaces disabled): try the classic approach.  */
  if (setuid (0) == 0)
    return true;
  printf ("warning: could not become root outside namespace (%m)\n");
  return false;
}