]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-patch-uid.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tree-wide: use -EBADF for fd initialization
[thirdparty/systemd.git] / src / nspawn / nspawn-patch-uid.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <fcntl.h>
4 #include <sys/statvfs.h>
5 #include <sys/vfs.h>
6 #include <unistd.h>
7
8 #include "acl-util.h"
9 #include "dirent-util.h"
10 #include "fd-util.h"
11 #include "fileio.h"
12 #include "fs-util.h"
13 #include "missing_magic.h"
14 #include "nspawn-def.h"
15 #include "nspawn-patch-uid.h"
16 #include "stat-util.h"
17 #include "stdio-util.h"
18 #include "string-util.h"
19 #include "strv.h"
20 #include "user-util.h"
21
22 #if HAVE_ACL
23
24 static int get_acl(int fd, const char *name, acl_type_t type, acl_t *ret) {
25 acl_t acl;
26
27 assert(fd >= 0);
28 assert(ret);
29
30 if (name) {
31 _cleanup_close_ int child_fd = -EBADF;
32
33 child_fd = openat(fd, name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
34 if (child_fd < 0)
35 return -errno;
36
37 acl = acl_get_file(FORMAT_PROC_FD_PATH(child_fd), type);
38 } else if (type == ACL_TYPE_ACCESS)
39 acl = acl_get_fd(fd);
40 else
41 acl = acl_get_file(FORMAT_PROC_FD_PATH(fd), type);
42 if (!acl)
43 return -errno;
44
45 *ret = acl;
46 return 0;
47 }
48
49 static int set_acl(int fd, const char *name, acl_type_t type, acl_t acl) {
50 int r;
51
52 assert(fd >= 0);
53 assert(acl);
54
55 if (name) {
56 _cleanup_close_ int child_fd = -EBADF;
57
58 child_fd = openat(fd, name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
59 if (child_fd < 0)
60 return -errno;
61
62 r = acl_set_file(FORMAT_PROC_FD_PATH(child_fd), type, acl);
63 } else if (type == ACL_TYPE_ACCESS)
64 r = acl_set_fd(fd, acl);
65 else
66 r = acl_set_file(FORMAT_PROC_FD_PATH(fd), type, acl);
67 if (r < 0)
68 return -errno;
69
70 return 0;
71 }
72
73 static int shift_acl(acl_t acl, uid_t shift, acl_t *ret) {
74 _cleanup_(acl_freep) acl_t copy = NULL;
75 acl_entry_t i;
76 int r;
77
78 assert(acl);
79 assert(ret);
80
81 r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
82 if (r < 0)
83 return -errno;
84 while (r > 0) {
85 uid_t *old_uid, new_uid;
86 bool modify = false;
87 acl_tag_t tag;
88
89 if (acl_get_tag_type(i, &tag) < 0)
90 return -errno;
91
92 if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
93
94 /* We don't distinguish here between uid_t and gid_t, let's make sure the compiler checks that
95 * this is actually OK */
96 assert_cc(sizeof(uid_t) == sizeof(gid_t));
97
98 old_uid = acl_get_qualifier(i);
99 if (!old_uid)
100 return -errno;
101
102 new_uid = shift | (*old_uid & UINT32_C(0xFFFF));
103 if (!uid_is_valid(new_uid))
104 return -EINVAL;
105
106 modify = new_uid != *old_uid;
107 if (modify && !copy) {
108 int n;
109
110 /* There's no copy of the ACL yet? if so, let's create one, and start the loop from the
111 * beginning, so that we copy all entries, starting from the first, this time. */
112
113 n = acl_entries(acl);
114 if (n < 0)
115 return -errno;
116
117 copy = acl_init(n);
118 if (!copy)
119 return -errno;
120
121 /* Seek back to the beginning */
122 r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
123 if (r < 0)
124 return -errno;
125 continue;
126 }
127 }
128
129 if (copy) {
130 acl_entry_t new_entry;
131
132 if (acl_create_entry(&copy, &new_entry) < 0)
133 return -errno;
134
135 if (acl_copy_entry(new_entry, i) < 0)
136 return -errno;
137
138 if (modify)
139 if (acl_set_qualifier(new_entry, &new_uid) < 0)
140 return -errno;
141 }
142
143 r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i);
144 if (r < 0)
145 return -errno;
146 }
147
148 *ret = TAKE_PTR(copy);
149
150 return !!*ret;
151 }
152
153 static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shift) {
154 _cleanup_(acl_freep) acl_t acl = NULL, shifted = NULL;
155 bool changed = false;
156 int r;
157
158 assert(fd >= 0);
159 assert(st);
160
161 /* ACLs are not supported on symlinks, there's no point in trying */
162 if (S_ISLNK(st->st_mode))
163 return 0;
164
165 r = get_acl(fd, name, ACL_TYPE_ACCESS, &acl);
166 if (r == -EOPNOTSUPP)
167 return 0;
168 if (r < 0)
169 return r;
170
171 r = shift_acl(acl, shift, &shifted);
172 if (r < 0)
173 return r;
174 if (r > 0) {
175 r = set_acl(fd, name, ACL_TYPE_ACCESS, shifted);
176 if (r < 0)
177 return r;
178
179 changed = true;
180 }
181
182 if (S_ISDIR(st->st_mode)) {
183 acl_free(acl);
184 acl_free(shifted);
185
186 acl = shifted = NULL;
187
188 r = get_acl(fd, name, ACL_TYPE_DEFAULT, &acl);
189 if (r < 0)
190 return r;
191
192 r = shift_acl(acl, shift, &shifted);
193 if (r < 0)
194 return r;
195 if (r > 0) {
196 r = set_acl(fd, name, ACL_TYPE_DEFAULT, shifted);
197 if (r < 0)
198 return r;
199
200 changed = true;
201 }
202 }
203
204 return changed;
205 }
206
207 #else
208
209 static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shift) {
210 return 0;
211 }
212
213 #endif
214
215 static int patch_fd(int fd, const char *name, const struct stat *st, uid_t shift) {
216 uid_t new_uid;
217 gid_t new_gid;
218 bool changed = false;
219 int r;
220
221 assert(fd >= 0);
222 assert(st);
223
224 new_uid = shift | (st->st_uid & UINT32_C(0xFFFF));
225 new_gid = (gid_t) shift | (st->st_gid & UINT32_C(0xFFFF));
226
227 if (!uid_is_valid(new_uid) || !gid_is_valid(new_gid))
228 return -EINVAL;
229
230 if (st->st_uid != new_uid || st->st_gid != new_gid) {
231 if (name)
232 r = fchownat(fd, name, new_uid, new_gid, AT_SYMLINK_NOFOLLOW);
233 else
234 r = fchown(fd, new_uid, new_gid);
235 if (r < 0)
236 return -errno;
237
238 /* The Linux kernel alters the mode in some cases of chown(). Let's undo this. */
239 if (name) {
240 if (!S_ISLNK(st->st_mode))
241 r = fchmodat(fd, name, st->st_mode, 0);
242 else /* AT_SYMLINK_NOFOLLOW is not available for fchmodat() */
243 r = 0;
244 } else
245 r = fchmod(fd, st->st_mode);
246 if (r < 0)
247 return -errno;
248
249 changed = true;
250 }
251
252 r = patch_acls(fd, name, st, shift);
253 if (r < 0)
254 return r;
255
256 return r > 0 || changed;
257 }
258
259 /*
260 * Check if the filesystem is fully compatible with user namespaces or
261 * UID/GID patching. Some filesystems in this list can be fully mounted inside
262 * user namespaces, however their inodes may relate to host resources or only
263 * valid in the global user namespace, therefore no patching should be applied.
264 */
265 static int is_fs_fully_userns_compatible(const struct statfs *sfs) {
266
267 assert(sfs);
268
269 return F_TYPE_EQUAL(sfs->f_type, BINFMTFS_MAGIC) ||
270 F_TYPE_EQUAL(sfs->f_type, CGROUP_SUPER_MAGIC) ||
271 F_TYPE_EQUAL(sfs->f_type, CGROUP2_SUPER_MAGIC) ||
272 F_TYPE_EQUAL(sfs->f_type, DEBUGFS_MAGIC) ||
273 F_TYPE_EQUAL(sfs->f_type, DEVPTS_SUPER_MAGIC) ||
274 F_TYPE_EQUAL(sfs->f_type, EFIVARFS_MAGIC) ||
275 F_TYPE_EQUAL(sfs->f_type, HUGETLBFS_MAGIC) ||
276 F_TYPE_EQUAL(sfs->f_type, MQUEUE_MAGIC) ||
277 F_TYPE_EQUAL(sfs->f_type, PROC_SUPER_MAGIC) ||
278 F_TYPE_EQUAL(sfs->f_type, PSTOREFS_MAGIC) ||
279 F_TYPE_EQUAL(sfs->f_type, SELINUX_MAGIC) ||
280 F_TYPE_EQUAL(sfs->f_type, SMACK_MAGIC) ||
281 F_TYPE_EQUAL(sfs->f_type, SECURITYFS_MAGIC) ||
282 F_TYPE_EQUAL(sfs->f_type, BPF_FS_MAGIC) ||
283 F_TYPE_EQUAL(sfs->f_type, TRACEFS_MAGIC) ||
284 F_TYPE_EQUAL(sfs->f_type, SYSFS_MAGIC);
285 }
286
287 static int recurse_fd(int fd, bool donate_fd, const struct stat *st, uid_t shift, bool is_toplevel) {
288 _cleanup_closedir_ DIR *d = NULL;
289 bool changed = false;
290 struct statfs sfs;
291 int r;
292
293 assert(fd >= 0);
294
295 if (fstatfs(fd, &sfs) < 0)
296 return -errno;
297
298 /* We generally want to permit crossing of mount boundaries when patching the UIDs/GIDs. However, we probably
299 * shouldn't do this for /proc and /sys if that is already mounted into place. Hence, let's stop the recursion
300 * when we hit procfs, sysfs or some other special file systems. */
301
302 r = is_fs_fully_userns_compatible(&sfs);
303 if (r < 0)
304 goto finish;
305 if (r > 0) {
306 r = 0; /* don't recurse */
307 goto finish;
308 }
309
310 /* Also, if we hit a read-only file system, then don't bother, skip the whole subtree */
311 if ((sfs.f_flags & ST_RDONLY) ||
312 access_fd(fd, W_OK) == -EROFS)
313 goto read_only;
314
315 if (S_ISDIR(st->st_mode)) {
316 if (!donate_fd) {
317 int copy;
318
319 copy = fcntl(fd, F_DUPFD_CLOEXEC, 3);
320 if (copy < 0) {
321 r = -errno;
322 goto finish;
323 }
324
325 fd = copy;
326 donate_fd = true;
327 }
328
329 d = take_fdopendir(&fd);
330 if (!d) {
331 r = -errno;
332 goto finish;
333 }
334
335 FOREACH_DIRENT_ALL(de, d, r = -errno; goto finish) {
336 struct stat fst;
337
338 if (dot_or_dot_dot(de->d_name))
339 continue;
340
341 if (fstatat(dirfd(d), de->d_name, &fst, AT_SYMLINK_NOFOLLOW) < 0) {
342 r = -errno;
343 goto finish;
344 }
345
346 if (S_ISDIR(fst.st_mode)) {
347 int subdir_fd;
348
349 subdir_fd = openat(dirfd(d), de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
350 if (subdir_fd < 0) {
351 r = -errno;
352 goto finish;
353
354 }
355
356 r = recurse_fd(subdir_fd, true, &fst, shift, false);
357 if (r < 0)
358 goto finish;
359 if (r > 0)
360 changed = true;
361
362 } else {
363 r = patch_fd(dirfd(d), de->d_name, &fst, shift);
364 if (r < 0)
365 goto finish;
366 if (r > 0)
367 changed = true;
368 }
369 }
370 }
371
372 /* After we descended, also patch the directory itself. It's key to do this in this order so that the top-level
373 * directory is patched as very last object in the tree, so that we can use it as quick indicator whether the
374 * tree is properly chown()ed already. */
375 r = patch_fd(d ? dirfd(d) : fd, NULL, st, shift);
376 if (r == -EROFS)
377 goto read_only;
378 if (r > 0)
379 changed = true;
380
381 r = changed;
382 goto finish;
383
384 read_only:
385 if (!is_toplevel) {
386 _cleanup_free_ char *name = NULL;
387
388 /* When we hit a ready-only subtree we simply skip it, but log about it. */
389 (void) fd_get_path(fd, &name);
390 log_debug("Skipping read-only file or directory %s.", strna(name));
391 r = changed;
392 }
393
394 finish:
395 if (donate_fd)
396 safe_close(fd);
397
398 return r;
399 }
400
401 static int fd_patch_uid_internal(int fd, bool donate_fd, uid_t shift, uid_t range) {
402 struct stat st;
403 int r;
404
405 assert(fd >= 0);
406
407 /* Recursively adjusts the UID/GIDs of all files of a directory tree. This is used to automatically fix up an
408 * OS tree to the used user namespace UID range. Note that this automatic adjustment only works for UID ranges
409 * following the concept that the upper 16bit of a UID identify the container, and the lower 16bit are the actual
410 * UID within the container. */
411
412 if ((shift & 0xFFFF) != 0) {
413 /* We only support containers where the shift starts at a 2^16 boundary */
414 r = -EOPNOTSUPP;
415 goto finish;
416 }
417
418 if (shift == UID_BUSY_BASE) {
419 r = -EINVAL;
420 goto finish;
421 }
422
423 if (range != 0x10000) {
424 /* We only support containers with 16bit UID ranges for the patching logic */
425 r = -EOPNOTSUPP;
426 goto finish;
427 }
428
429 if (fstat(fd, &st) < 0) {
430 r = -errno;
431 goto finish;
432 }
433
434 if ((uint32_t) st.st_uid >> 16 != (uint32_t) st.st_gid >> 16) {
435 /* We only support containers where the uid/gid container ID match */
436 r = -EBADE;
437 goto finish;
438 }
439
440 /* Try to detect if the range is already right. Of course, this a pretty drastic optimization, as we assume
441 * that if the top-level dir has the right upper 16bit assigned, then everything below will have too... */
442 if (((uint32_t) (st.st_uid ^ shift) >> 16) == 0)
443 return 0;
444
445 /* Before we start recursively chowning, mark the top-level dir as "busy" by chowning it to the "busy"
446 * range. Should we be interrupted in the middle of our work, we'll see it owned by this user and will start
447 * chown()ing it again, unconditionally, as the busy UID is not a valid UID we'd everpick for ourselves. */
448
449 if ((st.st_uid & UID_BUSY_MASK) != UID_BUSY_BASE) {
450 if (fchown(fd,
451 UID_BUSY_BASE | (st.st_uid & ~UID_BUSY_MASK),
452 (gid_t) UID_BUSY_BASE | (st.st_gid & ~(gid_t) UID_BUSY_MASK)) < 0) {
453 r = -errno;
454 goto finish;
455 }
456 }
457
458 return recurse_fd(fd, donate_fd, &st, shift, true);
459
460 finish:
461 if (donate_fd)
462 safe_close(fd);
463
464 return r;
465 }
466
467 int path_patch_uid(const char *path, uid_t shift, uid_t range) {
468 int fd;
469
470 fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
471 if (fd < 0)
472 return -errno;
473
474 return fd_patch_uid_internal(fd, true, shift, range);
475 }
Unnamed repository; edit this file 'description' to name the repository.