]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-patch-uid.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
build-sys: use #if Y instead of #ifdef Y everywhere
[thirdparty/systemd.git] / src / nspawn / nspawn-patch-uid.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2016 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <fcntl.h>
21 #include <linux/magic.h>
22 #if HAVE_ACL
23 #include <sys/acl.h>
24 #endif
25 #include <sys/stat.h>
26 #include <sys/vfs.h>
27 #include <unistd.h>
28
29 #include "acl-util.h"
30 #include "dirent-util.h"
31 #include "fd-util.h"
32 #include "missing.h"
33 #include "nspawn-patch-uid.h"
34 #include "stat-util.h"
35 #include "stdio-util.h"
36 #include "string-util.h"
37 #include "strv.h"
38 #include "user-util.h"
39
40 #if HAVE_ACL
41
42 static int get_acl(int fd, const char *name, acl_type_t type, acl_t *ret) {
43 char procfs_path[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
44 acl_t acl;
45
46 assert(fd >= 0);
47 assert(ret);
48
49 if (name) {
50 _cleanup_close_ int child_fd = -1;
51
52 child_fd = openat(fd, name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
53 if (child_fd < 0)
54 return -errno;
55
56 xsprintf(procfs_path, "/proc/self/fd/%i", child_fd);
57 acl = acl_get_file(procfs_path, type);
58 } else if (type == ACL_TYPE_ACCESS)
59 acl = acl_get_fd(fd);
60 else {
61 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
62 acl = acl_get_file(procfs_path, type);
63 }
64 if (!acl)
65 return -errno;
66
67 *ret = acl;
68 return 0;
69 }
70
71 static int set_acl(int fd, const char *name, acl_type_t type, acl_t acl) {
72 char procfs_path[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
73 int r;
74
75 assert(fd >= 0);
76 assert(acl);
77
78 if (name) {
79 _cleanup_close_ int child_fd = -1;
80
81 child_fd = openat(fd, name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
82 if (child_fd < 0)
83 return -errno;
84
85 xsprintf(procfs_path, "/proc/self/fd/%i", child_fd);
86 r = acl_set_file(procfs_path, type, acl);
87 } else if (type == ACL_TYPE_ACCESS)
88 r = acl_set_fd(fd, acl);
89 else {
90 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
91 r = acl_set_file(procfs_path, type, acl);
92 }
93 if (r < 0)
94 return -errno;
95
96 return 0;
97 }
98
99 static int shift_acl(acl_t acl, uid_t shift, acl_t *ret) {
100 _cleanup_(acl_freep) acl_t copy = NULL;
101 acl_entry_t i;
102 int r;
103
104 assert(acl);
105 assert(ret);
106
107 r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
108 if (r < 0)
109 return -errno;
110 while (r > 0) {
111 uid_t *old_uid, new_uid;
112 bool modify = false;
113 acl_tag_t tag;
114
115 if (acl_get_tag_type(i, &tag) < 0)
116 return -errno;
117
118 if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
119
120 /* We don't distuingish here between uid_t and gid_t, let's make sure the compiler checks that
121 * this is actually OK */
122 assert_cc(sizeof(uid_t) == sizeof(gid_t));
123
124 old_uid = acl_get_qualifier(i);
125 if (!old_uid)
126 return -errno;
127
128 new_uid = shift | (*old_uid & UINT32_C(0xFFFF));
129 if (!uid_is_valid(new_uid))
130 return -EINVAL;
131
132 modify = new_uid != *old_uid;
133 if (modify && !copy) {
134 int n;
135
136 /* There's no copy of the ACL yet? if so, let's create one, and start the loop from the
137 * beginning, so that we copy all entries, starting from the first, this time. */
138
139 n = acl_entries(acl);
140 if (n < 0)
141 return -errno;
142
143 copy = acl_init(n);
144 if (!copy)
145 return -errno;
146
147 /* Seek back to the beginning */
148 r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
149 if (r < 0)
150 return -errno;
151 continue;
152 }
153 }
154
155 if (copy) {
156 acl_entry_t new_entry;
157
158 if (acl_create_entry(&copy, &new_entry) < 0)
159 return -errno;
160
161 if (acl_copy_entry(new_entry, i) < 0)
162 return -errno;
163
164 if (modify)
165 if (acl_set_qualifier(new_entry, &new_uid) < 0)
166 return -errno;
167 }
168
169 r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i);
170 if (r < 0)
171 return -errno;
172 }
173
174 *ret = copy;
175 copy = NULL;
176
177 return !!*ret;
178 }
179
180 static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shift) {
181 _cleanup_(acl_freep) acl_t acl = NULL, shifted = NULL;
182 bool changed = false;
183 int r;
184
185 assert(fd >= 0);
186 assert(st);
187
188 /* ACLs are not supported on symlinks, there's no point in trying */
189 if (S_ISLNK(st->st_mode))
190 return 0;
191
192 r = get_acl(fd, name, ACL_TYPE_ACCESS, &acl);
193 if (r == -EOPNOTSUPP)
194 return 0;
195 if (r < 0)
196 return r;
197
198 r = shift_acl(acl, shift, &shifted);
199 if (r < 0)
200 return r;
201 if (r > 0) {
202 r = set_acl(fd, name, ACL_TYPE_ACCESS, shifted);
203 if (r < 0)
204 return r;
205
206 changed = true;
207 }
208
209 if (S_ISDIR(st->st_mode)) {
210 acl_free(acl);
211 acl_free(shifted);
212
213 acl = shifted = NULL;
214
215 r = get_acl(fd, name, ACL_TYPE_DEFAULT, &acl);
216 if (r < 0)
217 return r;
218
219 r = shift_acl(acl, shift, &shifted);
220 if (r < 0)
221 return r;
222 if (r > 0) {
223 r = set_acl(fd, name, ACL_TYPE_DEFAULT, shifted);
224 if (r < 0)
225 return r;
226
227 changed = true;
228 }
229 }
230
231 return changed;
232 }
233
234 #else
235
236 static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shift) {
237 return 0;
238 }
239
240 #endif
241
242 static int patch_fd(int fd, const char *name, const struct stat *st, uid_t shift) {
243 uid_t new_uid;
244 gid_t new_gid;
245 bool changed = false;
246 int r;
247
248 assert(fd >= 0);
249 assert(st);
250
251 new_uid = shift | (st->st_uid & UINT32_C(0xFFFF));
252 new_gid = (gid_t) shift | (st->st_gid & UINT32_C(0xFFFF));
253
254 if (!uid_is_valid(new_uid) || !gid_is_valid(new_gid))
255 return -EINVAL;
256
257 if (st->st_uid != new_uid || st->st_gid != new_gid) {
258 if (name)
259 r = fchownat(fd, name, new_uid, new_gid, AT_SYMLINK_NOFOLLOW);
260 else
261 r = fchown(fd, new_uid, new_gid);
262 if (r < 0)
263 return -errno;
264
265 /* The Linux kernel alters the mode in some cases of chown(). Let's undo this. */
266 if (name) {
267 if (!S_ISLNK(st->st_mode))
268 r = fchmodat(fd, name, st->st_mode, 0);
269 else /* AT_SYMLINK_NOFOLLOW is not available for fchmodat() */
270 r = 0;
271 } else
272 r = fchmod(fd, st->st_mode);
273 if (r < 0)
274 return -errno;
275
276 changed = true;
277 }
278
279 r = patch_acls(fd, name, st, shift);
280 if (r < 0)
281 return r;
282
283 return r > 0 || changed;
284 }
285
286 /*
287 * Check if the filesystem is fully compatible with user namespaces or
288 * UID/GID patching. Some filesystems in this list can be fully mounted inside
289 * user namespaces, however their inodes may relate to host resources or only
290 * valid in the global user namespace, therefore no patching should be applied.
291 */
292 static int is_fs_fully_userns_compatible(int fd) {
293 struct statfs sfs;
294
295 assert(fd >= 0);
296
297 if (fstatfs(fd, &sfs) < 0)
298 return -errno;
299
300 return F_TYPE_EQUAL(sfs.f_type, BINFMTFS_MAGIC) ||
301 F_TYPE_EQUAL(sfs.f_type, CGROUP_SUPER_MAGIC) ||
302 F_TYPE_EQUAL(sfs.f_type, CGROUP2_SUPER_MAGIC) ||
303 F_TYPE_EQUAL(sfs.f_type, DEBUGFS_MAGIC) ||
304 F_TYPE_EQUAL(sfs.f_type, DEVPTS_SUPER_MAGIC) ||
305 F_TYPE_EQUAL(sfs.f_type, EFIVARFS_MAGIC) ||
306 F_TYPE_EQUAL(sfs.f_type, HUGETLBFS_MAGIC) ||
307 F_TYPE_EQUAL(sfs.f_type, MQUEUE_MAGIC) ||
308 F_TYPE_EQUAL(sfs.f_type, PROC_SUPER_MAGIC) ||
309 F_TYPE_EQUAL(sfs.f_type, PSTOREFS_MAGIC) ||
310 F_TYPE_EQUAL(sfs.f_type, SELINUX_MAGIC) ||
311 F_TYPE_EQUAL(sfs.f_type, SMACK_MAGIC) ||
312 F_TYPE_EQUAL(sfs.f_type, SECURITYFS_MAGIC) ||
313 F_TYPE_EQUAL(sfs.f_type, BPF_FS_MAGIC) ||
314 F_TYPE_EQUAL(sfs.f_type, TRACEFS_MAGIC) ||
315 F_TYPE_EQUAL(sfs.f_type, SYSFS_MAGIC);
316 }
317
318 static int recurse_fd(int fd, bool donate_fd, const struct stat *st, uid_t shift, bool is_toplevel) {
319 bool changed = false;
320 int r;
321
322 assert(fd >= 0);
323
324 /* We generally want to permit crossing of mount boundaries when patching the UIDs/GIDs. However, we
325 * probably shouldn't do this for /proc and /sys if that is already mounted into place. Hence, let's
326 * stop the recursion when we hit procfs, sysfs or some other special file systems. */
327 r = is_fs_fully_userns_compatible(fd);
328 if (r < 0)
329 goto finish;
330 if (r > 0) {
331 r = 0; /* don't recurse */
332 goto finish;
333 }
334
335 r = patch_fd(fd, NULL, st, shift);
336 if (r == -EROFS) {
337 _cleanup_free_ char *name = NULL;
338
339 if (!is_toplevel) {
340 /* When we hit a ready-only subtree we simply skip it, but log about it. */
341 (void) fd_get_path(fd, &name);
342 log_debug("Skippping read-only file or directory %s.", strna(name));
343 r = 0;
344 }
345
346 goto finish;
347 }
348 if (r < 0)
349 goto finish;
350 if (r > 0)
351 changed = true;
352
353 if (S_ISDIR(st->st_mode)) {
354 _cleanup_closedir_ DIR *d = NULL;
355 struct dirent *de;
356
357 if (!donate_fd) {
358 int copy;
359
360 copy = fcntl(fd, F_DUPFD_CLOEXEC, 3);
361 if (copy < 0) {
362 r = -errno;
363 goto finish;
364 }
365
366 fd = copy;
367 donate_fd = true;
368 }
369
370 d = fdopendir(fd);
371 if (!d) {
372 r = -errno;
373 goto finish;
374 }
375 fd = -1;
376
377 FOREACH_DIRENT_ALL(de, d, r = -errno; goto finish) {
378 struct stat fst;
379
380 if (dot_or_dot_dot(de->d_name))
381 continue;
382
383 if (fstatat(dirfd(d), de->d_name, &fst, AT_SYMLINK_NOFOLLOW) < 0) {
384 r = -errno;
385 goto finish;
386 }
387
388 if (S_ISDIR(fst.st_mode)) {
389 int subdir_fd;
390
391 subdir_fd = openat(dirfd(d), de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
392 if (subdir_fd < 0) {
393 r = -errno;
394 goto finish;
395
396 }
397
398 r = recurse_fd(subdir_fd, true, &fst, shift, false);
399 if (r < 0)
400 goto finish;
401 if (r > 0)
402 changed = true;
403
404 } else {
405 r = patch_fd(dirfd(d), de->d_name, &fst, shift);
406 if (r < 0)
407 goto finish;
408 if (r > 0)
409 changed = true;
410 }
411 }
412 }
413
414 r = changed;
415
416 finish:
417 if (donate_fd)
418 safe_close(fd);
419
420 return r;
421 }
422
423 static int fd_patch_uid_internal(int fd, bool donate_fd, uid_t shift, uid_t range) {
424 struct stat st;
425 int r;
426
427 assert(fd >= 0);
428
429 /* Recursively adjusts the UID/GIDs of all files of a directory tree. This is used to automatically fix up an
430 * OS tree to the used user namespace UID range. Note that this automatic adjustment only works for UID ranges
431 * following the concept that the upper 16bit of a UID identify the container, and the lower 16bit are the actual
432 * UID within the container. */
433
434 if ((shift & 0xFFFF) != 0) {
435 /* We only support containers where the shift starts at a 2^16 boundary */
436 r = -EOPNOTSUPP;
437 goto finish;
438 }
439
440 if (range != 0x10000) {
441 /* We only support containers with 16bit UID ranges for the patching logic */
442 r = -EOPNOTSUPP;
443 goto finish;
444 }
445
446 if (fstat(fd, &st) < 0) {
447 r = -errno;
448 goto finish;
449 }
450
451 if ((uint32_t) st.st_uid >> 16 != (uint32_t) st.st_gid >> 16) {
452 /* We only support containers where the uid/gid container ID match */
453 r = -EBADE;
454 goto finish;
455 }
456
457 /* Try to detect if the range is already right. Of course, this a pretty drastic optimization, as we assume
458 * that if the top-level dir has the right upper 16bit assigned, then everything below will have too... */
459 if (((uint32_t) (st.st_uid ^ shift) >> 16) == 0)
460 return 0;
461
462 return recurse_fd(fd, donate_fd, &st, shift, true);
463
464 finish:
465 if (donate_fd)
466 safe_close(fd);
467
468 return r;
469 }
470
471 int fd_patch_uid(int fd, uid_t shift, uid_t range) {
472 return fd_patch_uid_internal(fd, false, shift, range);
473 }
474
475 int path_patch_uid(const char *path, uid_t shift, uid_t range) {
476 int fd;
477
478 fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
479 if (fd < 0)
480 return -errno;
481
482 return fd_patch_uid_internal(fd, true, shift, range);
483 }
Unnamed repository; edit this file 'description' to name the repository.