2 * unshare(1) - command-line interface for unshare(2)
4 * Copyright (C) 2009 Mikhail Gusarov <dottedmag@dottedmag.net>
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2, or (at your option) any
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 #include <sys/eventfd.h>
30 #include <sys/mount.h>
31 #include <sys/types.h>
33 #include <sys/prctl.h>
36 /* we only need some defines missing in sys/mount.h, no libmount linkage */
42 #include "closestream.h"
43 #include "namespace.h"
44 #include "pidfd-utils.h"
45 #include "exec_shell.h"
47 #include "pathnames.h"
53 /* synchronize parent and child by pipe */
54 #define PIPE_SYNC_BYTE 0x06
56 /* 'private' is kernel default */
57 #define UNSHARE_PROPAGATION_DEFAULT (MS_REC | MS_PRIVATE)
59 /* /proc namespace files and mountpoints for binds */
60 static struct namespace_file
{
61 int type
; /* CLONE_NEW* */
62 const char *name
; /* ns/<type> */
63 const char *target
; /* user specified target for bind mount */
64 } namespace_files
[] = {
65 { .type
= CLONE_NEWUSER
, .name
= "ns/user" },
66 { .type
= CLONE_NEWCGROUP
,.name
= "ns/cgroup" },
67 { .type
= CLONE_NEWIPC
, .name
= "ns/ipc" },
68 { .type
= CLONE_NEWUTS
, .name
= "ns/uts" },
69 { .type
= CLONE_NEWNET
, .name
= "ns/net" },
70 { .type
= CLONE_NEWPID
, .name
= "ns/pid_for_children" },
71 { .type
= CLONE_NEWNS
, .name
= "ns/mnt" },
72 { .type
= CLONE_NEWTIME
, .name
= "ns/time_for_children" },
76 static int npersists
; /* number of persistent namespaces */
84 static const char *setgroups_strings
[] =
86 [SETGROUPS_DENY
] = "deny",
87 [SETGROUPS_ALLOW
] = "allow"
90 static int setgroups_str2id(const char *str
)
94 for (i
= 0; i
< ARRAY_SIZE(setgroups_strings
); i
++)
95 if (strcmp(str
, setgroups_strings
[i
]) == 0)
98 errx(EXIT_FAILURE
, _("unsupported --setgroups argument '%s'"), str
);
101 static void setgroups_control(int action
)
103 const char *file
= _PATH_PROC_SETGROUPS
;
107 if (action
< 0 || (size_t) action
>= ARRAY_SIZE(setgroups_strings
))
109 cmd
= setgroups_strings
[action
];
111 fd
= open(file
, O_WRONLY
);
115 err(EXIT_FAILURE
, _("cannot open %s"), file
);
118 if (write_all(fd
, cmd
, strlen(cmd
)))
119 err(EXIT_FAILURE
, _("write failed %s"), file
);
123 static void map_id(const char *file
, uint32_t from
, uint32_t to
)
128 fd
= open(file
, O_WRONLY
);
130 err(EXIT_FAILURE
, _("cannot open %s"), file
);
132 xasprintf(&buf
, "%u %u 1", from
, to
);
133 if (write_all(fd
, buf
, strlen(buf
)))
134 err(EXIT_FAILURE
, _("write failed %s"), file
);
139 static unsigned long parse_propagation(const char *str
)
142 static const struct prop_opts
{
146 { "slave", MS_REC
| MS_SLAVE
},
147 { "private", MS_REC
| MS_PRIVATE
},
148 { "shared", MS_REC
| MS_SHARED
},
152 for (i
= 0; i
< ARRAY_SIZE(opts
); i
++) {
153 if (strcmp(opts
[i
].name
, str
) == 0)
157 errx(EXIT_FAILURE
, _("unsupported propagation mode: %s"), str
);
160 static void set_propagation(unsigned long flags
)
165 if (mount("none", "/", NULL
, flags
, NULL
) != 0)
166 err(EXIT_FAILURE
, _("cannot change root filesystem propagation"));
170 static int set_ns_target(int type
, const char *path
)
172 struct namespace_file
*ns
;
174 for (ns
= namespace_files
; ns
->name
; ns
++) {
175 if (ns
->type
!= type
)
185 static int bind_ns_files(pid_t pid
)
187 struct namespace_file
*ns
;
190 for (ns
= namespace_files
; ns
->name
; ns
++) {
194 snprintf(src
, sizeof(src
), "/proc/%u/%s", (unsigned) pid
, ns
->name
);
196 if (mount(src
, ns
->target
, NULL
, MS_BIND
, NULL
) != 0)
197 err(EXIT_FAILURE
, _("mount %s on %s failed"), src
, ns
->target
);
203 static ino_t
get_mnt_ino(pid_t pid
)
208 snprintf(path
, sizeof(path
), "/proc/%u/ns/mnt", (unsigned) pid
);
210 if (stat(path
, &st
) != 0)
211 err(EXIT_FAILURE
, _("stat of %s failed"), path
);
215 static void settime(int64_t offset
, clockid_t clk_id
)
217 char buf
[sizeof(stringify_value(ULONG_MAX
)) * 3];
220 len
= snprintf(buf
, sizeof(buf
), "%d %" PRId64
" 0", clk_id
, offset
);
222 fd
= open("/proc/self/timens_offsets", O_WRONLY
);
224 err(EXIT_FAILURE
, _("failed to open /proc/self/timens_offsets"));
226 if (write(fd
, buf
, len
) != len
)
227 err(EXIT_FAILURE
, _("failed to write to /proc/self/timens_offsets"));
233 * waitchild() - Wait for a process to exit successfully
234 * @pid: PID of the process to wait for
236 * Wait for a process to exit successfully. If it exits with a non-zero return
237 * code, then exit() with the same status.
239 static void waitchild(int pid
)
244 rc
= waitpid(pid
, &status
, 0);
248 err(EXIT_FAILURE
, _("waitpid failed"));
250 if (WIFEXITED(status
) &&
251 WEXITSTATUS(status
) != EXIT_SUCCESS
)
252 exit(WEXITSTATUS(status
));
257 * sync_with_child() - Tell our child we're ready and wait for it to exit
258 * @pid: The pid of our child
259 * @fd: A file descriptor created with eventfd()
261 * This tells a child created with fork_and_wait() that we are ready for it to
262 * continue. Once we have done that, wait for our child to exit.
264 static void sync_with_child(pid_t pid
, int fd
)
266 uint64_t ch
= PIPE_SYNC_BYTE
;
268 write_all(fd
, &ch
, sizeof(ch
));
275 * fork_and_wait() - Fork and wait to be sync'd with
276 * @fd - A file descriptor created with eventfd() which should be passed to
279 * This creates an eventfd and forks. The parent process returns immediately,
280 * but the child waits for a %PIPE_SYNC_BYTE on the eventfd before returning.
281 * This allows the parent to perform some tasks before the child starts its
282 * work. The parent should call sync_with_child() once it is ready for the
285 * Return: The pid from fork()
287 static pid_t
fork_and_wait(int *fd
)
294 err(EXIT_FAILURE
, _("eventfd failed"));
298 err(EXIT_FAILURE
, _("fork failed"));
301 /* wait for the our parent to tell us to continue */
302 if (read_all(*fd
, (char *)&ch
, sizeof(ch
)) != sizeof(ch
) ||
303 ch
!= PIPE_SYNC_BYTE
)
304 err(EXIT_FAILURE
, _("failed to read eventfd"));
311 static pid_t
bind_ns_files_from_child(int *fd
)
313 pid_t child
, ppid
= getpid();
314 ino_t ino
= get_mnt_ino(ppid
);
316 child
= fork_and_wait(fd
);
320 if (get_mnt_ino(ppid
) == ino
)
326 static uid_t
get_user(const char *s
, const char *err
)
332 pw
= xgetpwnam(s
, &buf
);
338 ret
= strtoul_or_err(s
, err
);
344 static gid_t
get_group(const char *s
, const char *err
)
350 gr
= xgetgrnam(s
, &buf
);
356 ret
= strtoul_or_err(s
, err
);
363 * struct map_range - A range of IDs to map
364 * @outer: First ID mapped on the outside of the namespace
365 * @inner: First ID mapped on the inside of the namespace
366 * @count: Length of the inside and outside ranges
367 * @next: Next range of IDs in the chain
369 * A range of uids/gids to map using new[gu]idmap.
375 struct map_range
*next
;
378 static void insert_map_range(struct map_range
**chain
, struct map_range map
)
380 struct map_range
*tail
= *chain
;
381 *chain
= xmalloc(sizeof(**chain
));
382 memcpy(*chain
, &map
, sizeof(**chain
));
383 (*chain
)->next
= tail
;
387 * get_map_range() - Parse a mapping range from a string
388 * @s: A string of the format inner:outer:count or outer,inner,count
390 * Parse a string of the form inner:outer:count or outer,inner,count into
391 * a new mapping range.
393 * Return: A struct map_range
395 static struct map_range
get_map_range(const char *s
)
398 struct map_range ret
;
402 if (sscanf(s
, "%u:%u:%u%n", &ret
.inner
, &ret
.outer
, &ret
.count
,
403 &end
) >= 3 && !s
[end
])
404 return ret
; /* inner:outer:count */
406 if (sscanf(s
, "%u,%u,%u%n", &ret
.outer
, &ret
.inner
, &ret
.count
,
407 &end
) >= 3 && !s
[end
])
408 return ret
; /* outer,inner,count */
410 errx(EXIT_FAILURE
, _("invalid mapping '%s'"), s
);
414 * read_subid_range() - Look up a user's sub[gu]id range
415 * @filename: The file to look up the range from. This should be either
416 * ``/etc/subuid`` or ``/etc/subgid``.
417 * @uid: The uid of the user whose range we should look up.
419 * This finds the first subid range matching @uid in @filename.
421 static struct map_range
read_subid_range(char *filename
, uid_t uid
)
423 char *line
= NULL
, *pwbuf
;
427 struct map_range map
;
432 pw
= xgetpwuid(uid
, &pwbuf
);
434 errx(EXIT_FAILURE
, _("you (user %d) don't exist."), uid
);
436 idmap
= fopen(filename
, "r");
438 err(EXIT_FAILURE
, _("could not open '%s'"), filename
);
441 * Each line in sub[ug]idmap looks like
442 * username:subuid:count
446 while (getline(&line
, &n
, idmap
) != -1) {
449 rest
= strchr(line
, ':');
454 if (strcmp(line
, pw
->pw_name
) &&
455 strtoul(line
, NULL
, 10) != pw
->pw_uid
)
459 rest
= strchr(s
, ':');
463 map
.outer
= strtoul_or_err(s
, _("failed to parse subid map"));
466 rest
= strchr(s
, '\n');
469 map
.count
= strtoul_or_err(s
, _("failed to parse subid map"));
478 errx(EXIT_FAILURE
, _("no line matching user \"%s\" in %s"),
479 pw
->pw_name
, filename
);
483 * add_single_map_range() - Add a single-ID map into a list without overlap
484 * @chain: A linked list of ID range mappings
485 * @outer: ID outside the namespace for a single map.
486 * @inner: ID inside the namespace for a single map, or -1 for no map.
488 * Prepend a mapping to @chain for the single ID @outer to the single ID
489 * @inner. The tricky bit is that we cannot let existing mappings overlap it.
490 * We accomplish this by removing a "hole" from each existing range @map, if
491 * @outer or @inner overlap it. This may result in one less than @map->count
492 * IDs being mapped from @map. The unmapped IDs are always the topmost IDs
493 * of the mapping (either in the parent or the child namespace).
495 * Most of the time, this function will be called with a single mapping range
496 * @map, @map->outer as some large ID, @map->inner as 0, and @map->count as a
497 * large number (at least 1000, but less than @map->outer). Typically, there
498 * will be no conflict with @outer. However, @inner may split the mapping for
499 * e.g. --map-current-user.
502 static void add_single_map_range(struct map_range
**chain
, unsigned int outer
,
505 struct map_range
*map
= *chain
;
508 outer
= (unsigned int) -1;
512 struct map_range lo
, mid
, hi
, *next
= map
->next
;
513 unsigned int inner_offset
, outer_offset
;
516 * Start inner IDs from zero for an auto mapping; otherwise, if
517 * the single mapping exists and overlaps the range, remove an ID
519 if (map
->inner
+ 1 == 0)
521 else if (inner
+ 1 != 0 &&
522 ((outer
>= map
->outer
&& outer
<= map
->outer
+ map
->count
) ||
523 (inner
>= map
->inner
&& inner
<= map
->inner
+ map
->count
)))
526 /* Determine where the splits between lo, mid, and hi will be */
527 outer_offset
= min(outer
> map
->outer
? outer
- map
->outer
: 0,
529 inner_offset
= min(inner
> map
->inner
? inner
- map
->inner
: 0,
533 * In the worst case, we need three mappings:
534 * From the bottom of map to either inner or outer
536 lo
.outer
= map
->outer
;
537 lo
.inner
= map
->inner
;
538 lo
.count
= min(inner_offset
, outer_offset
);
540 /* From the lower of inner or outer to the higher */
541 mid
.outer
= lo
.outer
+ lo
.count
;
542 mid
.outer
+= mid
.outer
== outer
;
543 mid
.inner
= lo
.inner
+ lo
.count
;
544 mid
.inner
+= mid
.inner
== inner
;
545 mid
.count
= abs_diff(outer_offset
, inner_offset
);
547 /* And from the higher of inner or outer to the end of the map */
548 hi
.outer
= mid
.outer
+ mid
.count
;
549 hi
.outer
+= hi
.outer
== outer
;
550 hi
.inner
= mid
.inner
+ mid
.count
;
551 hi
.inner
+= hi
.inner
== inner
;
552 hi
.count
= map
->count
- lo
.count
- mid
.count
;
554 /* Insert non-empty mappings into the output chain */
556 insert_map_range(chain
, hi
);
558 insert_map_range(chain
, mid
);
560 insert_map_range(chain
, lo
);
566 if (inner
+ 1 != 0) {
567 /* Insert single ID mapping as the first entry in the chain */
568 insert_map_range(chain
, (struct map_range
) {
577 * map_ids() - Create a new uid/gid map
578 * @idmapper: Either newuidmap or newgidmap
579 * @ppid: Pid to set the map for
580 * @chain: A linked list of ID range mappings
582 * This creates a new uid/gid map for @ppid using @idmapper to set the
583 * mapping for each of the ranges in @chain.
585 * This function always exec()s or errors out and does not return.
587 static void __attribute__((__noreturn__
))
588 map_ids(const char *idmapper
, int ppid
, struct map_range
*chain
)
590 unsigned int i
= 0, length
= 3;
593 for (struct map_range
*map
= chain
; map
; map
= map
->next
)
595 argv
= xcalloc(length
, sizeof(*argv
));
596 argv
[i
++] = xstrdup(idmapper
);
597 xasprintf(&argv
[i
++], "%u", ppid
);
599 for (struct map_range
*map
= chain
; map
; map
= map
->next
) {
600 xasprintf(&argv
[i
++], "%u", map
->inner
);
601 xasprintf(&argv
[i
++], "%u", map
->outer
);
602 xasprintf(&argv
[i
++], "%u", map
->count
);
606 execvp(idmapper
, argv
);
611 * map_ids_from_child() - Set up a new uid/gid map
612 * @fd: The eventfd to wait on
613 * @mapuser: The user to map the current user to (or -1)
614 * @usermap: The range of UIDs to map (or %NULL)
615 * @mapgroup: The group to map the current group to (or -1)
616 * @groupmap: The range of GIDs to map (or %NULL)
618 * fork_and_wait() for our parent to call sync_with_child() on @fd. Upon
619 * recieving the go-ahead, use newuidmap and newgidmap to set the uid/gid map
620 * for our parent's PID.
622 * Return: The pid of the child.
624 static pid_t
map_ids_from_child(int *fd
, uid_t mapuser
,
625 struct map_range
*usermap
, gid_t mapgroup
,
626 struct map_range
*groupmap
)
628 pid_t child
, pid
= 0;
629 pid_t ppid
= getpid();
631 child
= fork_and_wait(fd
);
636 add_single_map_range(&usermap
, geteuid(), mapuser
);
638 add_single_map_range(&groupmap
, getegid(), mapgroup
);
640 /* Avoid forking more than we need to */
641 if (usermap
&& groupmap
) {
644 err(EXIT_FAILURE
, _("fork failed"));
650 map_ids("newuidmap", ppid
, usermap
);
652 map_ids("newgidmap", ppid
, groupmap
);
656 static void __attribute__((__noreturn__
)) usage(void)
660 fputs(USAGE_HEADER
, out
);
661 fprintf(out
, _(" %s [options] [<program> [<argument>...]]\n"),
662 program_invocation_short_name
);
664 fputs(USAGE_SEPARATOR
, out
);
665 fputs(_("Run a program with some namespaces unshared from the parent.\n"), out
);
667 fputs(USAGE_OPTIONS
, out
);
668 fputs(_(" -m, --mount[=<file>] unshare mounts namespace\n"), out
);
669 fputs(_(" -u, --uts[=<file>] unshare UTS namespace (hostname etc)\n"), out
);
670 fputs(_(" -i, --ipc[=<file>] unshare System V IPC namespace\n"), out
);
671 fputs(_(" -n, --net[=<file>] unshare network namespace\n"), out
);
672 fputs(_(" -p, --pid[=<file>] unshare pid namespace\n"), out
);
673 fputs(_(" -U, --user[=<file>] unshare user namespace\n"), out
);
674 fputs(_(" -C, --cgroup[=<file>] unshare cgroup namespace\n"), out
);
675 fputs(_(" -T, --time[=<file>] unshare time namespace\n"), out
);
676 fputs(USAGE_SEPARATOR
, out
);
677 fputs(_(" -f, --fork fork before launching <program>\n"), out
);
678 fputs(_(" --map-user=<uid>|<name> map current user to uid (implies --user)\n"), out
);
679 fputs(_(" --map-group=<gid>|<name> map current group to gid (implies --user)\n"), out
);
680 fputs(_(" -r, --map-root-user map current user to root (implies --user)\n"), out
);
681 fputs(_(" -c, --map-current-user map current user to itself (implies --user)\n"), out
);
682 fputs(_(" --map-auto map users and groups automatically (implies --user)\n"), out
);
683 fputs(_(" --map-users=<inneruid>:<outeruid>:<count>\n"
684 " map count users from outeruid to inneruid (implies --user)\n"), out
);
685 fputs(_(" --map-groups=<innergid>:<outergid>:<count>\n"
686 " map count groups from outergid to innergid (implies --user)\n"), out
);
687 fputs(USAGE_SEPARATOR
, out
);
688 fputs(_(" --kill-child[=<signame>] when dying, kill the forked child (implies --fork)\n"
689 " defaults to SIGKILL\n"), out
);
690 fputs(_(" --mount-proc[=<dir>] mount proc filesystem first (implies --mount)\n"), out
);
691 fputs(_(" --propagation slave|shared|private|unchanged\n"
692 " modify mount propagation in mount namespace\n"), out
);
693 fputs(_(" --setgroups allow|deny control the setgroups syscall in user namespaces\n"), out
);
694 fputs(_(" --keep-caps retain capabilities granted in user namespaces\n"), out
);
695 fputs(USAGE_SEPARATOR
, out
);
696 fputs(_(" -R, --root=<dir> run the command with root directory set to <dir>\n"), out
);
697 fputs(_(" -w, --wd=<dir> change working directory to <dir>\n"), out
);
698 fputs(_(" -S, --setuid <uid> set uid in entered namespace\n"), out
);
699 fputs(_(" -G, --setgid <gid> set gid in entered namespace\n"), out
);
700 fputs(_(" --monotonic <offset> set clock monotonic offset (seconds) in time namespaces\n"), out
);
701 fputs(_(" --boottime <offset> set clock boottime offset (seconds) in time namespaces\n"), out
);
703 fputs(USAGE_SEPARATOR
, out
);
704 fprintf(out
, USAGE_HELP_OPTIONS(27));
705 fprintf(out
, USAGE_MAN_TAIL("unshare(1)"));
710 int main(int argc
, char *argv
[])
713 OPT_MOUNTPROC
= CHAR_MAX
+ 1,
726 static const struct option longopts
[] = {
727 { "help", no_argument
, NULL
, 'h' },
728 { "version", no_argument
, NULL
, 'V' },
730 { "mount", optional_argument
, NULL
, 'm' },
731 { "uts", optional_argument
, NULL
, 'u' },
732 { "ipc", optional_argument
, NULL
, 'i' },
733 { "net", optional_argument
, NULL
, 'n' },
734 { "pid", optional_argument
, NULL
, 'p' },
735 { "user", optional_argument
, NULL
, 'U' },
736 { "cgroup", optional_argument
, NULL
, 'C' },
737 { "time", optional_argument
, NULL
, 'T' },
739 { "fork", no_argument
, NULL
, 'f' },
740 { "kill-child", optional_argument
, NULL
, OPT_KILLCHILD
},
741 { "mount-proc", optional_argument
, NULL
, OPT_MOUNTPROC
},
742 { "map-user", required_argument
, NULL
, OPT_MAPUSER
},
743 { "map-users", required_argument
, NULL
, OPT_MAPUSERS
},
744 { "map-group", required_argument
, NULL
, OPT_MAPGROUP
},
745 { "map-groups", required_argument
, NULL
, OPT_MAPGROUPS
},
746 { "map-root-user", no_argument
, NULL
, 'r' },
747 { "map-current-user", no_argument
, NULL
, 'c' },
748 { "map-auto", no_argument
, NULL
, OPT_MAPAUTO
},
749 { "propagation", required_argument
, NULL
, OPT_PROPAGATION
},
750 { "setgroups", required_argument
, NULL
, OPT_SETGROUPS
},
751 { "keep-caps", no_argument
, NULL
, OPT_KEEPCAPS
},
752 { "setuid", required_argument
, NULL
, 'S' },
753 { "setgid", required_argument
, NULL
, 'G' },
754 { "root", required_argument
, NULL
, 'R' },
755 { "wd", required_argument
, NULL
, 'w' },
756 { "monotonic", required_argument
, NULL
, OPT_MONOTONIC
},
757 { "boottime", required_argument
, NULL
, OPT_BOOTTIME
},
761 int setgrpcmd
= SETGROUPS_NONE
;
762 int unshare_flags
= 0;
766 struct map_range
*usermap
= NULL
;
767 struct map_range
*groupmap
= NULL
;
768 int kill_child_signo
= 0; /* 0 means --kill-child was not used */
769 const char *procmnt
= NULL
;
770 const char *newroot
= NULL
;
771 const char *newdir
= NULL
;
772 pid_t pid_bind
= 0, pid_idmap
= 0;
775 int fd_parent_pid
= -1;
777 int fd_idmap
, fd_bind
= -1;
778 sigset_t sigset
, oldsigset
;
780 unsigned long propagation
= UNSHARE_PROPAGATION_DEFAULT
;
781 int force_uid
= 0, force_gid
= 0;
782 uid_t uid
= 0, real_euid
= geteuid();
783 gid_t gid
= 0, real_egid
= getegid();
785 int64_t monotonic
= 0;
786 int64_t boottime
= 0;
787 int force_monotonic
= 0;
788 int force_boottime
= 0;
790 setlocale(LC_ALL
, "");
791 bindtextdomain(PACKAGE
, LOCALEDIR
);
793 close_stdout_atexit();
795 while ((c
= getopt_long(argc
, argv
, "+fhVmuinpCTUrR:w:S:G:c", longopts
, NULL
)) != -1) {
801 unshare_flags
|= CLONE_NEWNS
;
803 set_ns_target(CLONE_NEWNS
, optarg
);
806 unshare_flags
|= CLONE_NEWUTS
;
808 set_ns_target(CLONE_NEWUTS
, optarg
);
811 unshare_flags
|= CLONE_NEWIPC
;
813 set_ns_target(CLONE_NEWIPC
, optarg
);
816 unshare_flags
|= CLONE_NEWNET
;
818 set_ns_target(CLONE_NEWNET
, optarg
);
821 unshare_flags
|= CLONE_NEWPID
;
823 set_ns_target(CLONE_NEWPID
, optarg
);
826 unshare_flags
|= CLONE_NEWUSER
;
828 set_ns_target(CLONE_NEWUSER
, optarg
);
831 unshare_flags
|= CLONE_NEWCGROUP
;
833 set_ns_target(CLONE_NEWCGROUP
, optarg
);
836 unshare_flags
|= CLONE_NEWTIME
;
838 set_ns_target(CLONE_NEWTIME
, optarg
);
841 unshare_flags
|= CLONE_NEWNS
;
842 procmnt
= optarg
? optarg
: "/proc";
845 unshare_flags
|= CLONE_NEWUSER
;
846 mapuser
= get_user(optarg
, _("failed to parse uid"));
849 unshare_flags
|= CLONE_NEWUSER
;
850 mapgroup
= get_group(optarg
, _("failed to parse gid"));
853 unshare_flags
|= CLONE_NEWUSER
;
858 unshare_flags
|= CLONE_NEWUSER
;
860 mapgroup
= real_egid
;
863 unshare_flags
|= CLONE_NEWUSER
;
864 if (!strcmp(optarg
, "auto"))
865 insert_map_range(&usermap
,
866 read_subid_range(_PATH_SUBUID
, real_euid
));
868 insert_map_range(&usermap
, get_map_range(optarg
));
871 unshare_flags
|= CLONE_NEWUSER
;
872 if (!strcmp(optarg
, "auto"))
873 insert_map_range(&groupmap
,
874 read_subid_range(_PATH_SUBGID
, real_euid
));
876 insert_map_range(&groupmap
, get_map_range(optarg
));
879 unshare_flags
|= CLONE_NEWUSER
;
880 insert_map_range(&usermap
, read_subid_range(_PATH_SUBUID
, real_euid
));
881 insert_map_range(&groupmap
, read_subid_range(_PATH_SUBGID
, real_euid
));
884 setgrpcmd
= setgroups_str2id(optarg
);
886 case OPT_PROPAGATION
:
887 propagation
= parse_propagation(optarg
);
892 if ((kill_child_signo
= signame_to_signum(optarg
)) < 0)
893 errx(EXIT_FAILURE
, _("unknown signal: %s"),
896 kill_child_signo
= SIGKILL
;
901 cap_last_cap(); /* Force last cap to be cached before we fork. */
904 uid
= strtoul_or_err(optarg
, _("failed to parse uid"));
908 gid
= strtoul_or_err(optarg
, _("failed to parse gid"));
918 monotonic
= strtos64_or_err(optarg
, _("failed to parse monotonic offset"));
922 boottime
= strtos64_or_err(optarg
, _("failed to parse boottime offset"));
929 print_version(EXIT_SUCCESS
);
931 errtryhelp(EXIT_FAILURE
);
935 if ((force_monotonic
|| force_boottime
) && !(unshare_flags
& CLONE_NEWTIME
))
936 errx(EXIT_FAILURE
, _("options --monotonic and --boottime require "
937 "unsharing of a time namespace (-T)"));
939 /* clear any inherited settings */
940 signal(SIGCHLD
, SIG_DFL
);
942 if (npersists
&& (unshare_flags
& CLONE_NEWNS
))
943 pid_bind
= bind_ns_files_from_child(&fd_bind
);
945 if (usermap
|| groupmap
)
946 pid_idmap
= map_ids_from_child(&fd_idmap
, mapuser
, usermap
,
949 if (-1 == unshare(unshare_flags
))
950 err(EXIT_FAILURE
, _("unshare failed"));
952 /* Tell child we've called unshare() */
953 if (usermap
|| groupmap
)
954 sync_with_child(pid_idmap
, fd_idmap
);
957 settime(boottime
, CLOCK_BOOTTIME
);
960 settime(monotonic
, CLOCK_MONOTONIC
);
963 if (sigemptyset(&sigset
) != 0 ||
964 sigaddset(&sigset
, SIGINT
) != 0 ||
965 sigaddset(&sigset
, SIGTERM
) != 0 ||
966 sigprocmask(SIG_BLOCK
, &sigset
, &oldsigset
) != 0)
967 err(EXIT_FAILURE
, _("sigprocmask block failed"));
969 if (kill_child_signo
!= 0) {
970 /* make a connection to the original process (parent) */
971 fd_parent_pid
= pidfd_open(getpid(), 0);
972 if (0 > fd_parent_pid
)
973 err(EXIT_FAILURE
, _("pidfd_open failed"));
976 /* force child forking before mountspace binding so
977 * pid_for_children is populated */
982 err(EXIT_FAILURE
, _("fork failed"));
984 if (sigprocmask(SIG_SETMASK
, &oldsigset
, NULL
))
986 _("sigprocmask restore failed"));
987 if (npersists
&& (unshare_flags
& CLONE_NEWNS
))
990 default: /* parent */
995 if (npersists
&& (pid
|| !forkit
)) {
997 if (pid_bind
&& (unshare_flags
& CLONE_NEWNS
))
998 sync_with_child(pid_bind
, fd_bind
);
1000 /* simple way, just bind */
1001 bind_ns_files(getpid());
1005 if (waitpid(pid
, &status
, 0) == -1)
1006 err(EXIT_FAILURE
, _("waitpid failed"));
1008 if (WIFEXITED(status
))
1009 return WEXITSTATUS(status
);
1010 if (WIFSIGNALED(status
)) {
1012 /* Ensure the signal that terminated the child will
1013 * also terminate the parent. */
1015 int termsig
= WTERMSIG(status
);
1017 if (signal(termsig
, SIG_DFL
) == SIG_ERR
||
1018 sigemptyset(&sigset
) != 0 ||
1019 sigaddset(&sigset
, termsig
) != 0 ||
1020 sigprocmask(SIG_UNBLOCK
, &sigset
, NULL
) != 0)
1022 _("sigprocmask unblock failed"));
1024 kill(getpid(), termsig
);
1026 err(EXIT_FAILURE
, _("child exit failed"));
1029 if (kill_child_signo
!= 0) {
1030 if (prctl(PR_SET_PDEATHSIG
, kill_child_signo
) < 0)
1031 err(EXIT_FAILURE
, "prctl failed");
1032 #ifdef UL_HAVE_PIDFD
1033 /* Use poll() to check that there is still the original parent. */
1034 if (fd_parent_pid
!= -1) {
1035 struct pollfd pollfds
[1] = {
1036 { .fd
= fd_parent_pid
, .events
= POLLIN
}
1038 int nfds
= poll(pollfds
, 1, 0);
1041 err(EXIT_FAILURE
, "poll parent pidfd failed");
1043 /* If the child was re-parented before prctl(2) was called, the
1044 * new parent will likely not be interested in the precise exit
1045 * status of the orphan.
1050 close(fd_parent_pid
);
1056 if (mapuser
!= (uid_t
) -1 && !usermap
)
1057 map_id(_PATH_PROC_UIDMAP
, mapuser
, real_euid
);
1059 /* Since Linux 3.19 unprivileged writing of /proc/self/gid_map
1060 * has been disabled unless /proc/self/setgroups is written
1061 * first to permanently disable the ability to call setgroups
1062 * in that user namespace. */
1063 if (mapgroup
!= (gid_t
) -1 && !groupmap
) {
1064 if (setgrpcmd
== SETGROUPS_ALLOW
)
1065 errx(EXIT_FAILURE
, _("options --setgroups=allow and "
1066 "--map-group are mutually exclusive"));
1067 setgroups_control(SETGROUPS_DENY
);
1068 map_id(_PATH_PROC_GIDMAP
, mapgroup
, real_egid
);
1071 if (setgrpcmd
!= SETGROUPS_NONE
)
1072 setgroups_control(setgrpcmd
);
1074 if ((unshare_flags
& CLONE_NEWNS
) && propagation
)
1075 set_propagation(propagation
);
1078 if (chroot(newroot
) != 0)
1080 _("cannot change root directory to '%s'"), newroot
);
1081 newdir
= newdir
?: "/";
1083 if (newdir
&& chdir(newdir
))
1084 err(EXIT_FAILURE
, _("cannot chdir to '%s'"), newdir
);
1087 /* When not changing root and using the default propagation flags
1088 then the recursive propagation change of root will
1089 automatically change that of an existing proc mount. */
1090 if (!newroot
&& propagation
!= (MS_PRIVATE
|MS_REC
)) {
1091 int rc
= mount("none", procmnt
, NULL
, MS_PRIVATE
|MS_REC
, NULL
);
1093 /* Custom procmnt means that proc is very likely not mounted, causing EINVAL.
1094 Ignoring the error in this specific instance is considered safe. */
1095 if(rc
!= 0 && errno
!= EINVAL
)
1096 err(EXIT_FAILURE
, _("cannot change %s filesystem propagation"), procmnt
);
1099 if (mount("proc", procmnt
, "proc", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, NULL
) != 0)
1100 err(EXIT_FAILURE
, _("mount %s failed"), procmnt
);
1104 if (setgroups(0, NULL
) != 0) /* drop supplementary groups */
1105 err(EXIT_FAILURE
, _("setgroups failed"));
1106 if (setgid(gid
) < 0) /* change GID */
1107 err(EXIT_FAILURE
, _("setgid failed"));
1109 if (force_uid
&& setuid(uid
) < 0) /* change UID */
1110 err(EXIT_FAILURE
, _("setuid failed"));
1112 if (keepcaps
&& (unshare_flags
& CLONE_NEWUSER
))
1113 cap_permitted_to_ambient();
1115 if (optind
< argc
) {
1116 execvp(argv
[optind
], argv
+ optind
);
1117 errexec(argv
[optind
]);