jail: Fix setting UID/GID in namespace
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 2 Aug 2022 14:11:08 +0000 (14:11 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 2 Aug 2022 14:11:08 +0000 (14:11 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/libpakfire/jail.c

index 305a912ab387864a048711c4498c75f382ded089..94ebf0d047445dad14daf95afb18057b6a1b5740 100644 (file)
@@ -234,11 +234,20 @@ static int pakfire_jail_write_uidgid_mapping(struct pakfire_jail* jail,
 
        // Write configuration
        int bytes_written = fprintf(f, "%d %d %ld\n", 0, mapped_id, length);
-       if (bytes_written < 0) {
+       if (bytes_written <= 0) {
                ERROR(jail->pakfire, "Could not write UID/GID mapping: %m\n");
                goto ERROR;
        }
 
+       // Close the file
+       r = fclose(f);
+       f = NULL;
+       if (r) {
+               ERROR(jail->pakfire, "Could not write UID/GID mapping: %m\n");
+
+               goto ERROR;
+       }
+
        // Success
        r = 0;
 
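Review bot: The new fclose() check deserves a comment saying why it is the check that matters, because the fprintf() above it only fills the stdio buffer and the single write that the kernel actually validates against the namespace happens when that buffer is flushed on fclose(). Without that note the next reader may treat the close check as redundant with the fprintf() check and drop it. Suggested comment above `r = fclose(f);`: `// fprintf() only buffers; the mapping reaches the kernel when fclose() flushes, so a rejected map is reported here`. The write-failure branch a few lines up jumps to ERROR without assigning r, and whether that returns non-zero depends on r's value before this hunk (the function head is outside it); the same pattern in the new pakfire_jail_setgroups() in the next hunk does return 0 on failure, so it is worth checking here too.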
@@ -285,6 +294,43 @@ static int pakfire_jail_setup_gid_mapping(struct pakfire_jail* jail, pid_t pid)
        return pakfire_jail_write_uidgid_mapping(jail, path, mapped_gid, length);
 }
 
+static int pakfire_jail_setgroups(struct pakfire_jail* jail, pid_t pid) {
+       char path[PATH_MAX];
+       int r = 1;
+
+       // Make path
+       r = pakfire_string_format(path, "/proc/%d/setgroups", pid);
+       if (r < 0)
+               return 1;
+
+       // Open file for writing
+       FILE* f = fopen(path, "w");
+       if (!f) {
+               ERROR(jail->pakfire, "Could not open %s for writing: %m\n", path);
+               goto ERROR;
+       }
+
+       // Write content
+       int bytes_written = fprintf(f, "deny\n");
+       if (bytes_written <= 0) {
+               ERROR(jail->pakfire, "Could not write to %s: %m\n", path);
+               goto ERROR;
+       }
+
+       r = fclose(f);
+       f = NULL;
+       if (r) {
+               ERROR(jail->pakfire, "Could not close %s: %m\n", path);
+               goto ERROR;
+       }
+
+ERROR:
+       if (f)
+               fclose(f);
+
+       return r;
+}
+
 static int pakfire_jail_send_signal(struct pakfire_jail* jail, int fd) {
        const int val = 1;
 
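Review bot: pakfire_jail_setgroups() reports success when it fails to open or write /proc/PID/setgroups, because the fopen() and fprintf() failure branches jump to ERROR without assigning r, and at that point r still holds the return of pakfire_string_format(), which already passed the `r < 0` test — if that function returns 0 on success, as the test suggests, `return r` yields 0. The caller in pakfire_jail_parent() (`if (r) return r;` in the third hunk) then continues with the GID mapping as if setgroups had been denied. Assign the error before each jump: `r = 1;` ahead of `goto ERROR;` in both the fopen() and fprintf() branches, or keep the format result in its own local so r stays at its initial 1 until the close succeeds. A one-line purpose comment on the function would also help, e.g. `// Writes "deny" to /proc/PID/setgroups; required before a GID mapping can be installed for the namespace`.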
@@ -318,6 +364,11 @@ static int pakfire_jail_parent(struct pakfire_jail* jail, pid_t pid, int complet
        if (r)
                return r;
 
+       // Write "deny" to /proc/PID/setgroups
+       r = pakfire_jail_setgroups(jail, pid);
+       if (r)
+               return r;
+
        // Setup GID mapping
        r = pakfire_jail_setup_gid_mapping(jail, pid);
        if (r)
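Review bot: The comment on the new setgroups step says what is written but not why it sits between the UID and GID mappings, and that ordering is load-bearing: for a writer without CAP_SETGID in the parent namespace the kernel refuses gid_map until setgroups has been set to "deny", so this call must stay ahead of pakfire_jail_setup_gid_mapping(). Suggested replacement for the comment: `// Deny setgroups() in the namespace; the kernel requires this before gid_map can be written`. Note also that the `if (r) return r;` guard here is only as good as the callee's return value, which in this commit is 0 on its open/write failure paths (see the previous hunk). pakfire_jail_parent() begins outside this hunk.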