]> git.ipfire.org Git - thirdparty/util-linux.git/blob - sys-utils/nsenter.c
projects / thirdparty / util-linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'lsfd--misc-tun' of https://github.com/masatake/util-linux
[thirdparty/util-linux.git] / sys-utils / nsenter.c
1 /*
2 * nsenter(1) - command-line interface for setns(2)
3 *
4 * Copyright (C) 2012-2013 Eric Biederman <ebiederm@xmission.com>
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; version 2.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
18 */
19
20 #include <dirent.h>
21 #include <errno.h>
22 #include <getopt.h>
23 #include <sched.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <stdbool.h>
27 #include <unistd.h>
28 #include <assert.h>
29 #include <sys/types.h>
30 #include <sys/wait.h>
31 #include <grp.h>
32 #include <sys/stat.h>
33
34 #include <sys/ioctl.h>
35 #ifdef HAVE_LINUX_NSFS_H
36 # include <linux/nsfs.h>
37 #endif
38 #ifndef NS_GET_USERNS
39 # define NS_GET_USERNS _IO(0xb7, 0x1)
40 #endif
41
42 #ifdef HAVE_LIBSELINUX
43 # include <selinux/selinux.h>
44 #endif
45
46 #include "strutils.h"
47 #include "nls.h"
48 #include "c.h"
49 #include "closestream.h"
50 #include "namespace.h"
51 #include "exec_shell.h"
52 #include "optutils.h"
53 #include "xalloc.h"
54 #include "all-io.h"
55 #include "env.h"
56 #include "caputils.h"
57
58 static struct namespace_file {
59 int nstype;
60 const char *name;
61 int fd;
62 } namespace_files[] = {
63 /* Careful the order is significant in this array.
64 *
65 * The user namespace comes either first or last: first if
66 * you're using it to increase your privilege and last if
67 * you're using it to decrease. We enter the namespaces in
68 * two passes starting initially from offset 1 and then offset
69 * 0 if that fails.
70 */
71 { .nstype = CLONE_NEWUSER, .name = "ns/user", .fd = -1 },
72 { .nstype = CLONE_NEWCGROUP,.name = "ns/cgroup", .fd = -1 },
73 { .nstype = CLONE_NEWIPC, .name = "ns/ipc", .fd = -1 },
74 { .nstype = CLONE_NEWUTS, .name = "ns/uts", .fd = -1 },
75 { .nstype = CLONE_NEWNET, .name = "ns/net", .fd = -1 },
76 { .nstype = CLONE_NEWPID, .name = "ns/pid", .fd = -1 },
77 { .nstype = CLONE_NEWNS, .name = "ns/mnt", .fd = -1 },
78 { .nstype = CLONE_NEWTIME, .name = "ns/time", .fd = -1 },
79 { .nstype = 0, .name = NULL, .fd = -1 }
80 };
81
82 static void __attribute__((__noreturn__)) usage(void)
83 {
84 FILE *out = stdout;
85
86 fputs(USAGE_HEADER, out);
87 fprintf(out, _(" %s [options] [<program> [<argument>...]]\n"),
88 program_invocation_short_name);
89
90 fputs(USAGE_SEPARATOR, out);
91 fputs(_("Run a program with namespaces of other processes.\n"), out);
92
93 fputs(USAGE_OPTIONS, out);
94 fputs(_(" -a, --all enter all namespaces\n"), out);
95 fputs(_(" -t, --target <pid> target process to get namespaces from\n"), out);
96 fputs(_(" -m, --mount[=<file>] enter mount namespace\n"), out);
97 fputs(_(" -u, --uts[=<file>] enter UTS namespace (hostname etc)\n"), out);
98 fputs(_(" -i, --ipc[=<file>] enter System V IPC namespace\n"), out);
99 fputs(_(" -n, --net[=<file>] enter network namespace\n"), out);
100 fputs(_(" -p, --pid[=<file>] enter pid namespace\n"), out);
101 fputs(_(" -C, --cgroup[=<file>] enter cgroup namespace\n"), out);
102 fputs(_(" -U, --user[=<file>] enter user namespace\n"), out);
103 fputs(_(" --user-parent enter parent user namespace\n"), out);
104 fputs(_(" -T, --time[=<file>] enter time namespace\n"), out);
105 fputs(_(" -S, --setuid[=<uid>] set uid in entered namespace\n"), out);
106 fputs(_(" -G, --setgid[=<gid>] set gid in entered namespace\n"), out);
107 fputs(_(" --preserve-credentials do not touch uids or gids\n"), out);
108 fputs(_(" --keep-caps retain capabilities granted in user namespaces\n"), out);
109 fputs(_(" -r, --root[=<dir>] set the root directory\n"), out);
110 fputs(_(" -w, --wd[=<dir>] set the working directory\n"), out);
111 fputs(_(" -W, --wdns <dir> set the working directory in namespace\n"), out);
112 fputs(_(" -e, --env inherit environment variables from target process\n"), out);
113 fputs(_(" -F, --no-fork do not fork before exec'ing <program>\n"), out);
114 #ifdef HAVE_LIBSELINUX
115 fputs(_(" -Z, --follow-context set SELinux context according to --target PID\n"), out);
116 #endif
117
118 fputs(USAGE_SEPARATOR, out);
119 printf(USAGE_HELP_OPTIONS(24));
120 printf(USAGE_MAN_TAIL("nsenter(1)"));
121
122 exit(EXIT_SUCCESS);
123 }
124
125 static pid_t namespace_target_pid = 0;
126 static int root_fd = -1;
127 static int wd_fd = -1;
128 static int env_fd = -1;
129 static int uid_gid_fd = -1;
130
131 static void set_parent_user_ns_fd(void)
132 {
133 struct namespace_file *nsfile = NULL;
134 struct namespace_file *user_nsfile = NULL;
135 int parent_ns = -1;
136
137 for (nsfile = namespace_files; nsfile->nstype; nsfile++) {
138 if (nsfile->nstype == CLONE_NEWUSER)
139 user_nsfile = nsfile;
140
141 if (nsfile->fd == -1)
142 continue;
143
144 parent_ns = ioctl(nsfile->fd, NS_GET_USERNS);
145 if (parent_ns < 0)
146 err(EXIT_FAILURE, _("failed to open parent ns of %s"), nsfile->name);
147
148 break;
149 }
150
151 if (parent_ns < 0)
152 errx(EXIT_FAILURE, _("no namespaces to get parent of"));
153 if (user_nsfile)
154 user_nsfile->fd = parent_ns;
155 }
156
157
158 static void open_target_fd(int *fd, const char *type, const char *path)
159 {
160 char pathbuf[PATH_MAX];
161
162 if (!path && namespace_target_pid) {
163 snprintf(pathbuf, sizeof(pathbuf), "/proc/%u/%s",
164 namespace_target_pid, type);
165 path = pathbuf;
166 }
167 if (!path)
168 errx(EXIT_FAILURE,
169 _("neither filename nor target pid supplied for %s"),
170 type);
171
172 if (*fd >= 0)
173 close(*fd);
174
175 *fd = open(path, O_RDONLY);
176 if (*fd < 0)
177 err(EXIT_FAILURE, _("cannot open %s"), path);
178 }
179
180 static void open_namespace_fd(int nstype, const char *path)
181 {
182 struct namespace_file *nsfile;
183
184 for (nsfile = namespace_files; nsfile->nstype; nsfile++) {
185 if (nstype != nsfile->nstype)
186 continue;
187
188 open_target_fd(&nsfile->fd, nsfile->name, path);
189 return;
190 }
191 /* This should never happen */
192 assert(nsfile->nstype);
193 }
194
195 static int get_ns_ino(const char *path, ino_t *ino)
196 {
197 struct stat st;
198
199 if (stat(path, &st) != 0)
200 return -errno;
201 *ino = st.st_ino;
202 return 0;
203 }
204
205 static int is_usable_namespace(pid_t target, const struct namespace_file *nsfile)
206 {
207 char path[PATH_MAX];
208 ino_t my_ino = 0;
209 int rc;
210
211 /* Check NS accessibility */
212 snprintf(path, sizeof(path), "/proc/%u/%s", getpid(), nsfile->name);
213 rc = get_ns_ino(path, &my_ino);
214 if (rc == -ENOENT)
215 return false; /* Unsupported NS */
216
217 /* It is not permitted to use setns(2) to reenter the caller's
218 * current user namespace; see setns(2) man page for more details.
219 */
220 if (nsfile->nstype & CLONE_NEWUSER) {
221 ino_t target_ino = 0;
222
223 snprintf(path, sizeof(path), "/proc/%u/%s", target, nsfile->name);
224 if (get_ns_ino(path, &target_ino) != 0)
225 err(EXIT_FAILURE, _("stat of %s failed"), path);
226
227 if (my_ino == target_ino)
228 return false;
229 }
230
231 return true; /* All pass */
232 }
233
234 static void continue_as_child(void)
235 {
236 pid_t child;
237 int status;
238 pid_t ret;
239
240 /* Clear any inherited settings */
241 signal(SIGCHLD, SIG_DFL);
242
243 child = fork();
244 if (child < 0)
245 err(EXIT_FAILURE, _("fork failed"));
246
247 /* Only the child returns */
248 if (child == 0)
249 return;
250
251 for (;;) {
252 ret = waitpid(child, &status, WUNTRACED);
253 if ((ret == child) && (WIFSTOPPED(status))) {
254 /* The child suspended so suspend us as well */
255 kill(getpid(), SIGSTOP);
256 kill(child, SIGCONT);
257 } else {
258 break;
259 }
260 }
261 /* Return the child's exit code if possible */
262 if (WIFEXITED(status)) {
263 exit(WEXITSTATUS(status));
264 } else if (WIFSIGNALED(status)) {
265 kill(getpid(), WTERMSIG(status));
266 }
267 exit(EXIT_FAILURE);
268 }
269
270 int main(int argc, char *argv[])
271 {
272 enum {
273 OPT_PRESERVE_CRED = CHAR_MAX + 1,
274 OPT_KEEPCAPS,
275 OPT_USER_PARENT,
276 };
277 static const struct option longopts[] = {
278 { "all", no_argument, NULL, 'a' },
279 { "help", no_argument, NULL, 'h' },
280 { "version", no_argument, NULL, 'V'},
281 { "target", required_argument, NULL, 't' },
282 { "mount", optional_argument, NULL, 'm' },
283 { "uts", optional_argument, NULL, 'u' },
284 { "ipc", optional_argument, NULL, 'i' },
285 { "net", optional_argument, NULL, 'n' },
286 { "pid", optional_argument, NULL, 'p' },
287 { "user", optional_argument, NULL, 'U' },
288 { "cgroup", optional_argument, NULL, 'C' },
289 { "time", optional_argument, NULL, 'T' },
290 { "setuid", required_argument, NULL, 'S' },
291 { "setgid", required_argument, NULL, 'G' },
292 { "root", optional_argument, NULL, 'r' },
293 { "wd", optional_argument, NULL, 'w' },
294 { "wdns", optional_argument, NULL, 'W' },
295 { "env", no_argument, NULL, 'e' },
296 { "no-fork", no_argument, NULL, 'F' },
297 { "preserve-credentials", no_argument, NULL, OPT_PRESERVE_CRED },
298 { "keep-caps", no_argument, NULL, OPT_KEEPCAPS },
299 { "user-parent", no_argument, NULL, OPT_USER_PARENT},
300 #ifdef HAVE_LIBSELINUX
301 { "follow-context", no_argument, NULL, 'Z' },
302 #endif
303 { NULL, 0, NULL, 0 }
304 };
305 static const ul_excl_t excl[] = { /* rows and cols in ASCII order */
306 { 'W', 'w' },
307 { 0 }
308 };
309 int excl_st[ARRAY_SIZE(excl)] = UL_EXCL_STATUS_INIT;
310
311 struct namespace_file *nsfile;
312 int c, pass, namespaces = 0, setgroups_nerrs = 0, preserve_cred = 0;
313 bool do_rd = false, do_wd = false, do_uid = false, force_uid = false,
314 do_gid = false, force_gid = false, do_env = false, do_all = false,
315 do_user_parent = false;
316 int do_fork = -1; /* unknown yet */
317 char *wdns = NULL;
318 uid_t uid = 0;
319 gid_t gid = 0;
320 int keepcaps = 0;
321 struct ul_env_list *envls;
322 #ifdef HAVE_LIBSELINUX
323 bool selinux = 0;
324 #endif
325
326 setlocale(LC_ALL, "");
327 bindtextdomain(PACKAGE, LOCALEDIR);
328 textdomain(PACKAGE);
329 close_stdout_atexit();
330
331 while ((c =
332 getopt_long(argc, argv, "+ahVt:m::u::i::n::p::C::U::T::S:G:r::w::W::eFZ",
333 longopts, NULL)) != -1) {
334
335 err_exclusive_options(c, longopts, excl, excl_st);
336
337 switch (c) {
338 case 'a':
339 do_all = true;
340 break;
341 case 't':
342 namespace_target_pid =
343 strtoul_or_err(optarg, _("failed to parse pid"));
344 break;
345 case 'm':
346 if (optarg)
347 open_namespace_fd(CLONE_NEWNS, optarg);
348 else
349 namespaces |= CLONE_NEWNS;
350 break;
351 case 'u':
352 if (optarg)
353 open_namespace_fd(CLONE_NEWUTS, optarg);
354 else
355 namespaces |= CLONE_NEWUTS;
356 break;
357 case 'i':
358 if (optarg)
359 open_namespace_fd(CLONE_NEWIPC, optarg);
360 else
361 namespaces |= CLONE_NEWIPC;
362 break;
363 case 'n':
364 if (optarg)
365 open_namespace_fd(CLONE_NEWNET, optarg);
366 else
367 namespaces |= CLONE_NEWNET;
368 break;
369 case 'p':
370 if (optarg)
371 open_namespace_fd(CLONE_NEWPID, optarg);
372 else
373 namespaces |= CLONE_NEWPID;
374 break;
375 case 'C':
376 if (optarg)
377 open_namespace_fd(CLONE_NEWCGROUP, optarg);
378 else
379 namespaces |= CLONE_NEWCGROUP;
380 break;
381 case 'U':
382 if (optarg)
383 open_namespace_fd(CLONE_NEWUSER, optarg);
384 else
385 namespaces |= CLONE_NEWUSER;
386 break;
387 case 'T':
388 if (optarg)
389 open_namespace_fd(CLONE_NEWTIME, optarg);
390 else
391 namespaces |= CLONE_NEWTIME;
392 break;
393 case 'S':
394 if (strcmp(optarg, "follow") == 0)
395 do_uid = true;
396 else
397 uid = strtoul_or_err(optarg, _("failed to parse uid"));
398 force_uid = true;
399 break;
400 case 'G':
401 if (strcmp(optarg, "follow") == 0)
402 do_gid = true;
403 else
404 gid = strtoul_or_err(optarg, _("failed to parse gid"));
405 force_gid = true;
406 break;
407 case 'F':
408 do_fork = 0;
409 break;
410 case 'r':
411 if (optarg)
412 open_target_fd(&root_fd, "root", optarg);
413 else
414 do_rd = true;
415 break;
416 case 'w':
417 if (optarg)
418 open_target_fd(&wd_fd, "cwd", optarg);
419 else
420 do_wd = true;
421 break;
422 case 'W':
423 wdns = optarg;
424 break;
425 case 'e':
426 do_env = true;
427 break;
428 case OPT_PRESERVE_CRED:
429 preserve_cred = 1;
430 break;
431 case OPT_KEEPCAPS:
432 keepcaps = 1;
433 break;
434 case OPT_USER_PARENT:
435 do_user_parent = true;
436 break;
437 #ifdef HAVE_LIBSELINUX
438 case 'Z':
439 selinux = 1;
440 break;
441 #endif
442 case 'h':
443 usage();
444 case 'V':
445 print_version(EXIT_SUCCESS);
446 default:
447 errtryhelp(EXIT_FAILURE);
448 }
449 }
450
451 #ifdef HAVE_LIBSELINUX
452 if (selinux && is_selinux_enabled() > 0) {
453 char *scon = NULL;
454
455 if (!namespace_target_pid)
456 errx(EXIT_FAILURE, _("no target PID specified for --follow-context"));
457 if (getpidcon(namespace_target_pid, &scon) < 0)
458 errx(EXIT_FAILURE, _("failed to get %d SELinux context"),
459 (int) namespace_target_pid);
460 if (setexeccon(scon) < 0)
461 errx(EXIT_FAILURE, _("failed to set exec context to '%s'"), scon);
462 freecon(scon);
463 }
464 #endif
465
466 if (do_all) {
467 if (!namespace_target_pid)
468 errx(EXIT_FAILURE, _("no target PID specified for --all"));
469 for (nsfile = namespace_files; nsfile->nstype; nsfile++) {
470 if (nsfile->fd >= 0)
471 continue; /* namespace already specified */
472
473 if (!is_usable_namespace(namespace_target_pid, nsfile))
474 continue;
475
476 namespaces |= nsfile->nstype;
477 }
478 }
479
480 /*
481 * Open remaining namespace and directory descriptors.
482 */
483 for (nsfile = namespace_files; nsfile->nstype; nsfile++)
484 if (nsfile->nstype & namespaces)
485 open_namespace_fd(nsfile->nstype, NULL);
486 if (do_rd)
487 open_target_fd(&root_fd, "root", NULL);
488 if (do_wd)
489 open_target_fd(&wd_fd, "cwd", NULL);
490 if (do_env)
491 open_target_fd(&env_fd, "environ", NULL);
492 if (do_uid || do_gid)
493 open_target_fd(&uid_gid_fd, "", NULL);
494
495 /*
496 * Get parent userns from any available ns.
497 */
498 if (do_user_parent)
499 set_parent_user_ns_fd();
500
501 /*
502 * Update namespaces variable to contain all requested namespaces
503 */
504 for (nsfile = namespace_files; nsfile->nstype; nsfile++) {
505 if (nsfile->fd < 0)
506 continue;
507 namespaces |= nsfile->nstype;
508 }
509
510 /* for user namespaces we always set UID and GID (default is 0)
511 * and clear root's groups if --preserve-credentials is no specified */
512 if ((namespaces & CLONE_NEWUSER) && !preserve_cred) {
513 force_uid = true, force_gid = true;
514
515 /* We call setgroups() before and after we enter user namespace,
516 * let's complain only if both fail */
517 if (setgroups(0, NULL) != 0)
518 setgroups_nerrs++;
519 }
520
521 /*
522 * Now that we know which namespaces we want to enter, enter
523 * them. Do this in two passes, not entering the user
524 * namespace on the first pass. So if we're deprivileging the
525 * container we'll enter the user namespace last and if we're
526 * privileging it then we enter the user namespace first
527 * (because the initial setns will fail).
528 */
529 for (pass = 0; pass < 2; pass ++) {
530 for (nsfile = namespace_files + 1 - pass; nsfile->nstype; nsfile++) {
531 if (nsfile->fd < 0)
532 continue;
533 if (nsfile->nstype == CLONE_NEWPID && do_fork == -1)
534 do_fork = 1;
535 if (setns(nsfile->fd, nsfile->nstype)) {
536 if (pass != 0)
537 err(EXIT_FAILURE,
538 _("reassociate to namespace '%s' failed"),
539 nsfile->name);
540 else
541 continue;
542 }
543
544 close(nsfile->fd);
545 nsfile->fd = -1;
546 }
547 }
548
549 /* Remember the current working directory if I'm not changing it */
550 if (root_fd >= 0 && wd_fd < 0 && wdns == NULL) {
551 wd_fd = open(".", O_RDONLY);
552 if (wd_fd < 0)
553 err(EXIT_FAILURE,
554 _("cannot open current working directory"));
555 }
556
557 /* Change the root directory */
558 if (root_fd >= 0) {
559 if (fchdir(root_fd) < 0)
560 err(EXIT_FAILURE,
561 _("change directory by root file descriptor failed"));
562
563 if (chroot(".") < 0)
564 err(EXIT_FAILURE, _("chroot failed"));
565 if (chdir("/"))
566 err(EXIT_FAILURE, _("cannot change directory to %s"), "/");
567
568 close(root_fd);
569 root_fd = -1;
570 }
571
572 /* working directory specified as in-namespace path */
573 if (wdns) {
574 wd_fd = open(wdns, O_RDONLY);
575 if (wd_fd < 0)
576 err(EXIT_FAILURE,
577 _("cannot open current working directory"));
578 }
579
580 /* Change the working directory */
581 if (wd_fd >= 0) {
582 if (fchdir(wd_fd) < 0)
583 err(EXIT_FAILURE,
584 _("change directory by working directory file descriptor failed"));
585
586 close(wd_fd);
587 wd_fd = -1;
588 }
589
590 /* Pass environment variables of the target process to the spawned process */
591 if (env_fd >= 0) {
592 if ((envls = env_from_fd(env_fd)) == NULL)
593 err(EXIT_FAILURE, _("failed to get environment variables"));
594 clearenv();
595 if (env_list_setenv(envls) < 0)
596 err(EXIT_FAILURE, _("failed to set environment variables"));
597 env_list_free(envls);
598 close(env_fd);
599 }
600
601 if (uid_gid_fd >= 0) {
602 struct stat st;
603
604 if (fstat(uid_gid_fd, &st) > 0)
605 err(EXIT_FAILURE, _("can not get process stat"));
606
607 close(uid_gid_fd);
608 uid_gid_fd = -1;
609
610 if (do_uid)
611 uid = st.st_uid;
612 if (do_gid)
613 gid = st.st_gid;
614 }
615
616 if (do_fork == 1)
617 continue_as_child();
618
619 if (force_uid || force_gid) {
620 if (force_gid && setgroups(0, NULL) != 0 && setgroups_nerrs) /* drop supplementary groups */
621 err(EXIT_FAILURE, _("setgroups failed"));
622 if (force_gid && setgid(gid) < 0) /* change GID */
623 err(EXIT_FAILURE, _("setgid failed"));
624 if (force_uid && setuid(uid) < 0) /* change UID */
625 err(EXIT_FAILURE, _("setuid failed"));
626 }
627
628 if (keepcaps && (namespaces & CLONE_NEWUSER))
629 cap_permitted_to_ambient();
630
631 if (optind < argc) {
632 execvp(argv[optind], argv + optind);
633 errexec(argv[optind]);
634 }
635 exec_shell();
636 }
Unnamed repository; edit this file 'description' to name the repository.