GNU C Library master sources branch master updated. glibc-2.26.9000-782-gce003e5
- From: fw at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 17 Nov 2017 21:12:35 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.26.9000-782-gce003e5
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via ce003e5d4cd94c5380699b0dadeaaf825813afbe (commit)
from e7df6c5c79458dc042a8c967bafa6e8eca88ae0d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ce003e5d4cd94c5380699b0dadeaaf825813afbe
commit ce003e5d4cd94c5380699b0dadeaaf825813afbe
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Nov 17 22:11:28 2017 +0100
support_become_root: Enable file creation in user namespaces
Without UID/GID maps, file creation will fail with EOVERFLOW.
This patch is based on DJ Delorie's work on container testing.
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
diff --git a/ChangeLog b/ChangeLog
index 4ab52b2..a553097 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-17 Florian Weimer <fweimer@redhat.com>
+
+ support_become_root: Enable file creation in namespaces.
+ * support/support_become_root.c (setup_mapping): New function.
+ (support_become_root): Call it.
+
2017-11-17 Joseph Myers <joseph@codesourcery.com>
* sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h (HWCAP_DCPOP): New
diff --git a/support/support_become_root.c b/support/support_become_root.c
index 3fa0bd4..5086570 100644
--- a/support/support_become_root.c
+++ b/support/support_become_root.c
@@ -18,18 +18,69 @@
#include <support/namespace.h>
+#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/xunistd.h>
#include <unistd.h>
+#ifdef CLONE_NEWUSER
+/* The necessary steps to allow file creation in user namespaces. */
+static void
+setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid)
+{
+ int fd = open64 ("/proc/self/uid_map", O_WRONLY);
+ if (fd < 0)
+ {
+ printf ("warning: could not open /proc/self/uid_map: %m\n"
+ "warning: file creation may not be possible\n");
+ return;
+ }
+
+ /* We map our original UID to the same UID in the container so we
+ own our own files normally. Without that, file creation could
+ fail with EOVERFLOW (sic!). */
+ char buf[100];
+ int ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
+ (unsigned long long) original_uid,
+ (unsigned long long) original_uid);
+ TEST_VERIFY_EXIT (ret < sizeof (buf));
+ xwrite (fd, buf, ret);
+ xclose (fd);
+
+ /* Disable setgroups before mapping groups, otherwise that would
+ fail with EPERM. */
+ fd = xopen ("/proc/self/setgroups", O_WRONLY, 0);
+ xwrite (fd, "deny\n", strlen ("deny\n"));
+ xclose (fd);
+
+ /* Now map our own GID, like we did for the user ID. */
+ fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
+ ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
+ (unsigned long long) original_gid,
+ (unsigned long long) original_gid);
+ TEST_VERIFY_EXIT (ret < sizeof (buf));
+ xwrite (fd, buf, ret);
+ xclose (fd);
+}
+#endif /* CLONE_NEWUSER */
+
bool
support_become_root (void)
{
#ifdef CLONE_NEWUSER
+ uid_t original_uid = getuid ();
+ gid_t original_gid = getgid ();
+
if (unshare (CLONE_NEWUSER | CLONE_NEWNS) == 0)
- /* Even if we do not have UID zero, we have extended privileges at
- this point. */
- return true;
+ {
+ setup_uid_gid_mapping (original_uid, original_gid);
+ /* Even if we do not have UID zero, we have extended privileges at
+ this point. */
+ return true;
+ }
#endif
if (setuid (0) != 0)
{
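Review bot: `TEST_VERIFY_EXIT (ret < sizeof (buf))` in setup_uid_gid_mapping (and the identical check before the gid_map write) compares the int returned by snprintf against a size_t, so a negative return on error is rejected only because it silently converts to a huge unsigned value; spelling the intent out as `TEST_VERIFY_EXIT (ret >= 0 && (size_t) ret < sizeof (buf));` keeps the check correct under -Wsign-compare and makes the error-versus-truncation distinction visible. The failure policy is also uneven: a failed open64 of /proc/self/uid_map is downgraded to a printf warning and the function returns, while the later /proc/self/setgroups and /proc/self/gid_map opens go through xopen, which by the support library's convention appears to abort the test on failure; if that asymmetry is deliberate (once uid_map is writable the other two are expected to be), a one-line comment on the first xopen call such as `/* uid_map was writable, so these must be too; failure here is a real error.  */` would stop a reader from "fixing" it. The warning itself goes to stdout, where it can interleave with test output; stderr may be the better destination. support_become_root's body continues past the end of the hunk.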
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 ++++
support/support_become_root.c | 57 ++++++++++++++++++++++++++++++++++++++--
2 files changed, 60 insertions(+), 3 deletions(-)
hooks/post-receive
--
GNU C Library master sources