conf: write "deny" to /proc/[pid]/setgroups

When fully unprivileged users run a container that only maps their own {g,u}id
and they do not have access to setuid new{g,u}idmap binaries we will write the
idmapping directly. This however requires us to write "deny" to
/proc/[pid]/setgroups otherwise any write to /proc/[pid]/gid_map will be
denied.

On a sidenote, this patch enables fully unprivileged containers. If you now set
lxc.net.[i].type = empty no privilege whatsoever is required to run a container.

Enhances #2033.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Felix Abecassis <fabecassis@nvidia.com>
Cc: Jonathan Calmels <jcalmels@nvidia.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index c0367ee859e5e122db67399529daee5119d816dd..e3e5bc1df3a3da1c8094113a026613508bec15f0 100644 (file)
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1261,7 +1261,7 @@ static int rmdir_wrapper(void *data)
                SYSERROR("Failed to setgid to 0");
        if (setresuid(nsuid, nsuid, nsuid) < 0)
                SYSERROR("Failed to setuid to 0");
-       if (setgroups(0, NULL) < 0)
+       if (setgroups(0, NULL) < 0 && errno != EPERM)
                SYSERROR("Failed to clear groups");
 
        return cgroup_rmdir(arg->path);
@@ -1459,7 +1459,7 @@ static int chown_cgroup_wrapper(void *data)
                SYSERROR("Failed to setgid to 0");
        if (setresuid(nsuid, nsuid, nsuid) < 0)
                SYSERROR("Failed to setuid to 0");
-       if (setgroups(0, NULL) < 0)
+       if (setgroups(0, NULL) < 0 && errno != EPERM)
                SYSERROR("Failed to clear groups");
 
        destuid = get_ns_uid(arg->origuid);

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 6212c1170637187a8573860884120b59913793d4..85648b10b41828007cd1fce8c97767c1eee9199b 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2381,28 +2381,54 @@ struct lxc_conf *lxc_conf_init(void)
 }
 
 int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,
-                           size_t buf_size)
+                    size_t buf_size)
 {
        char path[MAXPATHLEN];
        int fd, ret;
 
+       if (geteuid() != 0 && idtype == ID_TYPE_GID) {
+               size_t buflen;
+
+               ret = snprintf(path, MAXPATHLEN, "/proc/%d/setgroups", pid);
+               if (ret < 0 || ret >= MAXPATHLEN) {
+                       ERROR("Failed to create string");
+                       return -E2BIG;
+               }
+
+               fd = open(path, O_WRONLY);
+               if (fd < 0 && errno != ENOENT) {
+                       SYSERROR("Failed to open \"%s\"", path);
+                       return -1;
+               }
+
+               buflen = sizeof("deny\n") - 1;
+               errno = 0;
+               ret = lxc_write_nointr(fd, "deny\n", buflen);
+               if (ret != buflen) {
+                       SYSERROR("Failed to write \"deny\" to \"/proc/%d/setgroups\"", pid);
+                       close(fd);
+                       return -1;
+               }
+               close(fd);
+       }
+
        ret = snprintf(path, MAXPATHLEN, "/proc/%d/%cid_map", pid,
                       idtype == ID_TYPE_UID ? 'u' : 'g');
        if (ret < 0 || ret >= MAXPATHLEN) {
-               ERROR("failed to create path \"%s\"", path);
+               ERROR("Failed to create string");
                return -E2BIG;
        }
 
        fd = open(path, O_WRONLY);
        if (fd < 0) {
-               SYSERROR("failed to open \"%s\"", path);
+               SYSERROR("Failed to open \"%s\"", path);
                return -1;
        }
 
        errno = 0;
        ret = lxc_write_nointr(fd, buf, buf_size);
        if (ret != buf_size) {
-               SYSERROR("failed to write %cid mapping to \"%s\"",
+               SYSERROR("Failed to write %cid mapping to \"%s\"",
                         idtype == ID_TYPE_UID ? 'u' : 'g', path);
                close(fd);
                return -1;

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 306056105a4ca799b8d5c2956c04fc09188212ad..f010c567a1742cd571f6ed71347e092d7a28f5c1 100644 (file)
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -295,7 +295,7 @@ struct lxc_conf {
        unsigned int ephemeral;
 };
 
-int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,
+extern int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,
                            size_t buf_size);
 
 #ifdef HAVE_TLS

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 2494c49c2e979322b58a0cb70e3ab443854db560..0bd1a4b351c9165b2234c744ced841eb92787996 100644 (file)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1056,7 +1056,7 @@ static int do_start(void *data)
                 * user namespace.
                 */
                ret = lxc_setgroups(0, NULL);
-               if (ret < 0)
+               if (ret < 0 && (handler->am_root || errno != EPERM))
                        goto out_warn_father;
 
                if (!handler->am_root) {