From: Michael Tremer
Date: Tue, 16 Aug 2022 12:43:47 +0000 (+0000)
Subject: jail: Use read SUB{U,G}IDs
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4896e62c196edca9bb431af53d1f39fffbf9c38b;p=people%2Fstevee%2Fpakfire.git

jail: Use read SUB{U,G}IDs

Signed-off-by: Michael Tremer
---

diff --git a/src/libpakfire/jail.c b/src/libpakfire/jail.c
index 584eae41..16c3fc8c 100644
--- a/src/libpakfire/jail.c
+++ b/src/libpakfire/jail.c
@@ -46,6 +46,7 @@
 #include
 #include
 #include
+#include
 #include
 
 #define BUFFER_SIZE 1024 * 64
@@ -882,7 +883,7 @@ static int pakfire_jail_write_uidgid_mapping(struct pakfire_jail* jail,
 }
 
 // Write configuration
- int bytes_written = fprintf(f, "%d %d %ld\n", 0, mapped_id, length);
+ int bytes_written = fprintf(f, "%d %u %lu\n", 0, mapped_id, length);
 if (bytes_written <= 0) {
 ERROR(jail->pakfire, "Could not write UID/GID mapping: %m\n");
 goto ERROR;
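Review bot: The new format string `"%d %u %lu\n"` is only correct if `length` is an `unsigned long`; the parameter types of `pakfire_jail_write_uidgid_mapping()` are outside this hunk, but the callers previously passed a `const size_t length`, and for a `size_t` the portable form is `fprintf(f, "%d %u %zu\n", 0, mapped_id, length);`. A specifier/type mismatch is undefined behaviour, and here it would put a wrong range into the uid_map/gid_map file that defines the jail's ID boundary. Separately, if `f` is a buffered stdio stream, `bytes_written` only reflects formatting into the buffer, so a kernel rejection of the mapping would surface at `fflush`/`fclose` rather than at this check. The rest of the function is not visible here, so confirm that the flush/close result is checked and logged as well.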
@@ -911,60 +912,48 @@ static int pakfire_jail_setup_uid_mapping(struct pakfire_jail* jail, pid_t pid)
 char path[PATH_MAX];
 int r;
 
- uid_t mapped_uid = 0;
- const size_t length = 1;
-
- // Fetch the UID of the calling process
- uid_t uid = getuid();
-
- // Have we been called by root?
- if (uid == 0) {
- mapped_uid = 0;
+ // Skip mapping anything when running on /
+ if (pakfire_on_root(jail->pakfire))
+ return 0;
 
- // Have we been called by an unprivileged user?
- } else {
- // XXX fetch SUBUID
- mapped_uid = uid;
- }
+ // Fetch SUBUID
+ const struct pakfire_subuid* subuid = pakfire_subuid(jail->pakfire);
+ if (!subuid)
+ return 1;
 
 // Make path
 r = pakfire_string_format(path, "/proc/%d/uid_map", pid);
 if (r < 0)
 return 1;
 
- DEBUG(jail->pakfire, "Mapping UID range (%u - %lu)\n", mapped_uid, mapped_uid + length);
+ DEBUG(jail->pakfire, "Mapping UID range (%u - %lu)\n",
+ subuid->uid, subuid->uid + subuid->length);
 
- return pakfire_jail_write_uidgid_mapping(jail, path, mapped_uid, length);
+ return pakfire_jail_write_uidgid_mapping(jail, path, subuid->uid, subuid->length);
 }
 
 static int pakfire_jail_setup_gid_mapping(struct pakfire_jail* jail, pid_t pid) {
 char path[PATH_MAX];
 int r;
 
- gid_t mapped_gid = 0;
- const size_t length = 1;
-
- // Fetch the GID of the calling process
- gid_t gid = getgid();
-
- // Have we been called from the root group?
- if (gid == 0) {
- mapped_gid = 0;
+ // Skip mapping anything when running on /
+ if (pakfire_on_root(jail->pakfire))
+ return 0;
 
- // Have we been called by an unprivileged group?
- } else {
- // XXX fetch SUBGID
- mapped_gid = gid;
- }
+ // Fetch SUBGID
+ const struct pakfire_subgid* subgid = pakfire_subgid(jail->pakfire);
+ if (!subgid)
+ return 1;
 
 // Make path
 r = pakfire_string_format(path, "/proc/%d/gid_map", pid);
 if (r < 0)
 return 1;
 
- DEBUG(jail->pakfire, "Mapping GID range (%u - %lu)\n", mapped_gid, mapped_gid + length);
+ DEBUG(jail->pakfire, "Mapping GID range (%u - %lu)\n",
+ subgid->gid, subgid->gid + subgid->length);
 
- return pakfire_jail_write_uidgid_mapping(jail, path, mapped_gid, length);
+ return pakfire_jail_write_uidgid_mapping(jail, path, subgid->gid, subgid->length);
 }
 
 static int pakfire_jail_setgroups(struct pakfire_jail* jail, pid_t pid) {
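Review bot: Both `pakfire_jail_setup_uid_mapping()` and `pakfire_jail_setup_gid_mapping()` now pass the looked-up `uid`/`length` and `gid`/`length` straight to `pakfire_jail_write_uidgid_mapping()` with no sanity check. Unless `pakfire_subuid()`/`pakfire_subgid()` already validate (not visible here), a zero length or a range running past the valid ID space is only rejected by the kernel at write time, so an early `if (!subuid->length) return 1;` (and the `subgid` equivalent) with an `ERROR()` line would give a clear cause. The `if (!subuid) return 1;` and `if (!subgid) return 1;` branches also fail without logging anything, which makes a missing subordinate-ID entry hard to diagnose. The removed code wrote a one-entry map of the caller's own ID, which an unprivileged process may write itself, whereas a subordinate range normally needs CAP_SETUID/CAP_SETGID in the parent namespace, so it is worth confirming the unprivileged path still works. The DEBUG lines print `uid + length`, which is one past the last mapped ID, and `%lu` there depends on the type of `length`.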