From: Lennart Poettering
Date: Tue, 14 Mar 2023 16:22:18 +0000 (+0100)
Subject: namespace-util: add helper for allocating an empty userns fd
X-Git-Tag: v256-rc1~283^2~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e02fb2099cbac381a63f1816ec04b09a17daae79;p=thirdparty%2Fsystemd.git
namespace-util: add helper for allocating an empty userns fd
---
diff --git a/src/basic/namespace-util.c b/src/basic/namespace-util.c
index fbbaead8f34..347a4ac80a7 100644
--- a/src/basic/namespace-util.c
+++ b/src/basic/namespace-util.c
@@ -262,6 +262,25 @@ int detach_mount_namespace_harder(uid_t target_uid, gid_t target_gid) {
 return detach_mount_namespace();
 }
 
+int userns_acquire_empty(void) {
+ _cleanup_(sigkill_waitp) pid_t pid = 0;
+ _cleanup_close_ int userns_fd = -EBADF;
+ int r;
+
+ r = safe_fork("(sd-mkuserns)", FORK_CLOSE_ALL_FDS|FORK_DEATHSIG_SIGKILL|FORK_NEW_USERNS, &pid);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ /* Child. We do nothing here, just freeze until somebody kills us. */
+ freeze();
+
+ r = namespace_open(pid, NULL, NULL, NULL, &userns_fd, NULL);
+ if (r < 0)
+ return log_error_errno(r, "Failed to open userns fd: %m");
+
+ return TAKE_FD(userns_fd);
+}
+
 int userns_acquire(const char *uid_map, const char *gid_map) {
 char path[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(pid_t) + 1];
 _cleanup_(sigkill_waitp) pid_t pid = 0;
diff --git a/src/basic/namespace-util.h b/src/basic/namespace-util.h
index 735df663d10..a15e262edf1 100644
--- a/src/basic/namespace-util.h
+++ b/src/basic/namespace-util.h
@@ -51,8 +51,11 @@ static inline bool userns_shift_range_valid(uid_t shift, uid_t range) {
 return true;
 }
 
+int userns_acquire_empty(void);
 int userns_acquire(const char *uid_map, const char *gid_map);
+
 int netns_acquire(void);
+
 int in_same_namespace(pid_t pid1, pid_t pid2, NamespaceType type);
 int parse_userns_uid_range(const char *s, uid_t *ret_uid_shift, uid_t *ret_uid_range);
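Review bot: The new public helper `userns_acquire_empty()` carries no comment saying what "empty" means or why, unlike its sibling `userns_acquire(uid_map, gid_map)`, it deliberately writes no uid_map/gid_map into the child's namespace, so a caller could easily mistake the returned fd for a namespace with a usable ID mapping. I would add above the definition: `/* Forks a child into a fresh user namespace (FORK_NEW_USERNS) and returns an fd referring to it, without writing any uid_map/gid_map, i.e. the namespace has no ID mapping at all. The child is SIGKILLed before we return (sigkill_waitp), so, if I read the kernel semantics right, the returned fd is the only thing keeping the namespace alive; the caller owns it. Returns a negative errno on failure. */`. The error handling is also asymmetric: a failed `safe_fork()` is returned silently while a failed `namespace_open()` is logged at error level via `log_error_errno()` from a src/basic helper; if callers may use this best-effort, `log_debug_errno()` would be quieter, but I cannot see how `userns_acquire()` treats the same failure, so match whatever it does. The hunk's trailing context cuts into the start of `userns_acquire()`, whose body lies outside the hunk.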