From: Michael Tremer Date: Tue, 2 Aug 2022 14:11:08 +0000 (+0000) Subject: jail: Fix setting UID/GID in namespace X-Git-Tag: 0.9.28~636 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=78d7488a9eb845d221b6a4ebfccb07c497d0f185;p=pakfire.git jail: Fix setting UID/GID in namespace Signed-off-by: Michael Tremer --- diff --git a/src/libpakfire/jail.c b/src/libpakfire/jail.c index 305a912ab..94ebf0d04 100644 --- a/src/libpakfire/jail.c +++ b/src/libpakfire/jail.c @@ -234,11 +234,20 @@ static int pakfire_jail_write_uidgid_mapping(struct pakfire_jail* jail, // Write configuration int bytes_written = fprintf(f, "%d %d %ld\n", 0, mapped_id, length); - if (bytes_written < 0) { + if (bytes_written <= 0) { ERROR(jail->pakfire, "Could not write UID/GID mapping: %m\n"); goto ERROR; } + // Close the file + r = fclose(f); + f = NULL; + if (r) { + ERROR(jail->pakfire, "Could not write UID/GID mapping: %m\n"); + + goto ERROR; + } + // Success r = 0; @@ -285,6 +294,43 @@ static int pakfire_jail_setup_gid_mapping(struct pakfire_jail* jail, pid_t pid) return pakfire_jail_write_uidgid_mapping(jail, path, mapped_gid, length); } +static int pakfire_jail_setgroups(struct pakfire_jail* jail, pid_t pid) { + char path[PATH_MAX]; + int r = 1; + + // Make path + r = pakfire_string_format(path, "/proc/%d/setgroups", pid); + if (r < 0) + return 1; + + // Open file for writing + FILE* f = fopen(path, "w"); + if (!f) { + ERROR(jail->pakfire, "Could not open %s for writing: %m\n", path); + goto ERROR; + } + + // Write content + int bytes_written = fprintf(f, "deny\n"); + if (bytes_written <= 0) { + ERROR(jail->pakfire, "Could not write to %s: %m\n", path); + goto ERROR; + } + + r = fclose(f); + f = NULL; + if (r) { + ERROR(jail->pakfire, "Could not close %s: %m\n", path); + goto ERROR; + } + +ERROR: + if (f) + fclose(f); + + return r; +} + static int pakfire_jail_send_signal(struct pakfire_jail* jail, int fd) { const int val = 1; 
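Review bot: The added fclose() check in pakfire_jail_write_uidgid_mapping is what actually surfaces a rejected mapping, because fprintf() only fills the stdio buffer and the single write to /proc/PID/uid_map or gid_map — where the kernel answers EPERM or EINVAL for a malformed mapping or one the caller is not allowed to set — happens at flush time, so the `bytes_written <= 0` test above it can never catch that case; a comment on the new block would stop a later reader from treating the fprintf() check as the real error check, e.g. `// The kernel validates the mapping when the buffer is flushed, so EPERM/EINVAL only surface here`. The function's head and its ERROR label lie outside the hunk, so I cannot confirm what `r` holds when the earlier `goto ERROR` after fprintf() is taken.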
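Review bot: In pakfire_jail_setgroups the failure paths after the path is formatted return whatever pakfire_string_format left in `r` rather than an error: `int r = 1` is overwritten by the format call, and if a successful format returns 0 (as an snprintf-style helper would — to be confirmed against its definition) a failed fopen() or fprintf() jumps to ERROR with r == 0, so pakfire_jail_parent would go on to write gid_map as if setgroups had been denied and the kernel would then reject the mapping with an unrelated error. Set an error code before each early exit, e.g. `r = 1;` ahead of both `goto ERROR;` statements (or re-initialise `r = 1;` right after the format check). As with the mapping writer, the "deny" string only reaches the kernel at fclose(), which the new code correctly checks; the fprintf() result check is not where a kernel refusal would show up.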
@@ -318,6 +364,11 @@ static int pakfire_jail_parent(struct pakfire_jail* jail, pid_t pid, int complet if (r) return r; + // Write "deny" to /proc/PID/setgroups + r = pakfire_jail_setgroups(jail, pid); + if (r) + return r; + // Setup GID mapping r = pakfire_jail_setup_gid_mapping(jail, pid); if (r)
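Review bot: The new call in pakfire_jail_parent is placed correctly — before pakfire_jail_setup_gid_mapping — but the comment only restates the code, and the ordering constraint is the point worth recording: since Linux 3.19 the kernel refuses a gid_map written by a process without CAP_SETGID in the parent namespace unless /proc/PID/setgroups has first been set to "deny" (user_namespaces(7)), and denying setgroups() is also what keeps the jailed process from shedding a restrictive supplementary group. Suggest replacing the comment with `// Deny setgroups() before writing gid_map: since Linux 3.19 an unprivileged parent may only map GIDs after this, and it keeps the child from dropping restrictive supplementary groups`. pakfire_jail_parent starts and ends outside the hunk, so I cannot see what the preceding `if (r) return r;` guards or how failures from this step are reported further up.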