Bartosz Golaszewski | 29b33b6 | 2016-04-01 19:41:13 +0200 | [diff] [blame] | 1 | /* vi: set sw=4 ts=4: */ |
| 2 | /* |
| 3 | * Mini unshare implementation for busybox. |
| 4 | * |
| 5 | * Copyright (C) 2016 by Bartosz Golaszewski <bartekgola@gmail.com> |
| 6 | * |
| 7 | * Licensed under GPLv2 or later, see file LICENSE in this source tree. |
| 8 | */ |
Bartosz Golaszewski | 29b33b6 | 2016-04-01 19:41:13 +0200 | [diff] [blame] | 9 | //config:config UNSHARE |
| 10 | //config: bool "unshare" |
| 11 | //config: default y |
| 12 | //config: depends on LONG_OPTS && !NOMMU |
| 13 | //config: select PLATFORM_LINUX |
| 14 | //config: help |
| 15 | //config: Run program with some namespaces unshared from parent. |
| 16 | |
| 17 | // depends on LONG_OPTS: it is awkward to exclude code which handles --propagation |
| 18 | // and --setgroups based on LONG_OPTS, so instead applet requires LONG_OPTS. |
| 19 | // depends on !NOMMU: we need fork() |
| 20 | |
| 21 | //applet:IF_UNSHARE(APPLET(unshare, BB_DIR_USR_BIN, BB_SUID_DROP)) |
| 22 | |
| 23 | //kbuild:lib-$(CONFIG_UNSHARE) += unshare.o |
| 24 | |
| 25 | //usage:#define unshare_trivial_usage |
| 26 | //usage: "[OPTIONS] [PROG [ARGS]]" |
| 27 | //usage:#define unshare_full_usage "\n" |
Denys Vlasenko | bbc7bee | 2017-01-21 02:49:58 +0100 | [diff] [blame] | 28 | //usage: "\n -m,--mount[=FILE] Unshare mount namespace" |
| 29 | //usage: "\n -u,--uts[=FILE] Unshare UTS namespace (hostname etc.)" |
| 30 | //usage: "\n -i,--ipc[=FILE] Unshare System V IPC namespace" |
| 31 | //usage: "\n -n,--net[=FILE] Unshare network namespace" |
| 32 | //usage: "\n -p,--pid[=FILE] Unshare PID namespace" |
| 33 | //usage: "\n -U,--user[=FILE] Unshare user namespace" |
| 34 | //usage: "\n -f,--fork Fork before execing PROG" |
//usage: "\n -r,--map-root-user Map current user to root (implies -U)"
Bartosz Golaszewski | 29b33b6 | 2016-04-01 19:41:13 +0200 | [diff] [blame] | 36 | //usage: "\n --mount-proc[=DIR] Mount /proc filesystem first (implies -m)" |
| 37 | //usage: "\n --propagation slave|shared|private|unchanged" |
| 38 | //usage: "\n Modify mount propagation in mount namespace" |
| 39 | //usage: "\n --setgroups allow|deny Control the setgroups syscall in user namespaces" |
| 40 | |
| 41 | #include <sched.h> |
Denys Vlasenko | 8b0f459 | 2016-04-02 19:00:44 +0200 | [diff] [blame] | 42 | #ifndef CLONE_NEWUTS |
| 43 | # define CLONE_NEWUTS 0x04000000 |
| 44 | #endif |
| 45 | #ifndef CLONE_NEWIPC |
| 46 | # define CLONE_NEWIPC 0x08000000 |
| 47 | #endif |
| 48 | #ifndef CLONE_NEWUSER |
| 49 | # define CLONE_NEWUSER 0x10000000 |
| 50 | #endif |
| 51 | #ifndef CLONE_NEWPID |
| 52 | # define CLONE_NEWPID 0x20000000 |
| 53 | #endif |
| 54 | #ifndef CLONE_NEWNET |
| 55 | # define CLONE_NEWNET 0x40000000 |
| 56 | #endif |
| 57 | |
Bartosz Golaszewski | 29b33b6 | 2016-04-01 19:41:13 +0200 | [diff] [blame] | 58 | #include <sys/mount.h> |
Denys Vlasenko | 8b0f459 | 2016-04-02 19:00:44 +0200 | [diff] [blame] | 59 | #ifndef MS_REC |
| 60 | # define MS_REC (1 << 14) |
| 61 | #endif |
| 62 | #ifndef MS_PRIVATE |
| 63 | # define MS_PRIVATE (1 << 18) |
| 64 | #endif |
| 65 | #ifndef MS_SLAVE |
| 66 | # define MS_SLAVE (1 << 19) |
| 67 | #endif |
| 68 | #ifndef MS_SHARED |
| 69 | # define MS_SHARED (1 << 20) |
| 70 | #endif |
| 71 | |
Bartosz Golaszewski | 29b33b6 | 2016-04-01 19:41:13 +0200 | [diff] [blame] | 72 | #include "libbb.h" |
| 73 | |
/*
 * mount(2) wrapper that terminates the applet (with errno text) on failure.
 *
 * source/target/fstype/mountflags are passed straight through; the "data"
 * argument of mount(2) is always NULL here.
 *
 * fstype is deliberately left out of the error message: callers pass either
 * NULL or "proc" (the latter only when mounting /proc), so it adds nothing.
 */
static void mount_or_die(const char *source, const char *target,
		const char *fstype, unsigned long mountflags)
{
	int rc;

	rc = mount(source, target, fstype, mountflags, NULL);
	if (rc != 0) {
		bb_perror_msg_and_die("can't mount %s on %s (flags:0x%lx)",
				source, target, mountflags);
	}
}
| 87 | |
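#define PATH_PROC_SETGROUPS "/proc/self/setgroups"
#define PATH_PROC_UIDMAP    "/proc/self/uid_map"
#define PATH_PROC_GIDMAP    "/proc/self/gid_map"

/*
 * The file provides fallback values for every other CLONE_NEW* flag it
 * uses but left CLONE_NEWNS to <sched.h>. Mirror that guard so the table
 * below builds against headers which lack the flag.
 */
#ifndef CLONE_NEWNS
# define CLONE_NEWNS 0x00020000
#endif

/* One namespace type this applet can unshare. */
struct namespace_descr {
	int flag;              /* CLONE_NEW* bit OR'ed into the unshare(2) mask */
	const char nsfile4[4]; /* entry name under /proc/PID/ns/. "user" fills
	                        * all 4 bytes, so this is NOT NUL-terminated:
	                        * always print it with "%.4s". */
};

/* Per-namespace state collected from the command line. */
struct namespace_ctx {
	char *path; /* --NS=FILE: where to bind-mount the namespace; NULL if not given */
};

/*
 * Index of each namespace in ns_list[] and in the first six getopt32()
 * bits. The order must equal the letter order of opt_str ("muinpU").
 */
enum {
	NS_MNT_POS = 0,
	NS_UTS_POS,
	NS_IPC_POS,
	NS_NET_POS,
	NS_PID_POS,
	NS_USR_POS,
	NS_COUNT,
};

/*
 * getopt32() result bits. The namespace bits are derived from NS_*_POS so
 * that unshare_main() can test (opts & (1 << i)) for ns_list[i]; the
 * remaining options start right after them (NS_COUNT == 6).
 */
enum {
	OPT_mount       = 1 << NS_MNT_POS,
	OPT_uts         = 1 << NS_UTS_POS,
	OPT_ipc         = 1 << NS_IPC_POS,
	OPT_net         = 1 << NS_NET_POS,
	OPT_pid         = 1 << NS_PID_POS,
	OPT_user        = 1 << NS_USR_POS,
	OPT_fork        = 1 << 6,
	OPT_map_root    = 1 << 7,
	OPT_mount_proc  = 1 << 8,
	OPT_propagation = 1 << 9,
	OPT_setgroups   = 1 << 10,
};

/* Designated indices make the NS_*_POS <-> ns_list[] invariant explicit. */
static const struct namespace_descr ns_list[] = {
	[NS_MNT_POS] = { CLONE_NEWNS,   "mnt"  },
	[NS_UTS_POS] = { CLONE_NEWUTS,  "uts"  },
	[NS_IPC_POS] = { CLONE_NEWIPC,  "ipc"  },
	[NS_NET_POS] = { CLONE_NEWNET,  "net"  },
	[NS_PID_POS] = { CLONE_NEWPID,  "pid"  },
	[NS_USR_POS] = { CLONE_NEWUSER, "user" },
};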
| 131 | |
| 132 | /* |
| 133 | * Upstream unshare doesn't support short options for --mount-proc, |
| 134 | * --propagation, --setgroups. |
| 135 | * Optional arguments (namespace mountpoints) exist only for long opts, |
| 136 | * we are forced to use "fake" letters for them. |
| 137 | * '+': stop at first non-option. |
| 138 | */ |
/*
 * Short option string for getopt32().
 * The first six letters, "muinpU", are in the same order as NS_*_POS /
 * ns_list[], so bit i of the result selects ns_list[i].
 * "fr" are real short options. "\xfd::", "\xfe:" and "\xff:" are the fake
 * letters that carry --mount-proc's optional DIR, --propagation's and
 * --setgroups' required arguments (see unshare_longopts below).
 */
static const char opt_str[] ALIGN1 = "+muinpU""fr""\xfd::""\xfe:""\xff:";
/*
 * Long options. The namespace entries use fake chars \xf0..\xf5 (absent
 * from opt_str) so that only the long form can take the optional FILE
 * argument; opt_complementary in unshare_main() maps each of them back
 * onto its real short letter.
 */
static const char unshare_longopts[] ALIGN1 =
	"mount\0" Optional_argument "\xf0"
	"uts\0" Optional_argument "\xf1"
	"ipc\0" Optional_argument "\xf2"
	"net\0" Optional_argument "\xf3"
	"pid\0" Optional_argument "\xf4"
	"user\0" Optional_argument "\xf5"
	"fork\0" No_argument "f"
	"map-root-user\0" No_argument "r"
	/* The three below have no short form in upstream unshare either. */
	"mount-proc\0" Optional_argument "\xfd"
	"propagation\0" Required_argument "\xfe"
	"setgroups\0" Required_argument "\xff"
	;
| 153 | |
/*
 * Ugly-looking string reuse trick: PRIVATE_STR doubles as the default
 * --propagation value ("private", the first NUL-terminated word) and as
 * the complete lookup list for index_in_strings().
 */
#define PRIVATE_STR "private\0""unchanged\0""shared\0""slave\0"
#define PRIVATE_UNCHANGED_SHARED_SLAVE PRIVATE_STR

/*
 * Translate a --propagation argument into mount(2) flags for "/".
 *
 * Returns MS_REC|MS_PRIVATE, 0 (unchanged), MS_REC|MS_SHARED or
 * MS_REC|MS_SLAVE; dies with a usage error when prop_str is none of the
 * four words (index_in_strings() is expected to report that as < 0).
 */
static unsigned long parse_propagation(const char *prop_str)
{
	int idx = index_in_strings(PRIVATE_UNCHANGED_SHARED_SLAVE, prop_str);

	if (idx < 0)
		bb_error_msg_and_die("unrecognized: --%s=%s", "propagation", prop_str);

	switch (idx) {
	case 0: /* private */
		return MS_REC | MS_PRIVATE;
	case 1: /* unchanged */
		return 0;
	case 2: /* shared */
		return MS_REC | MS_SHARED;
	default: /* slave */
		return MS_REC | MS_SLAVE;
	}
}
| 171 | |
/*
 * Bind-mount /proc/PID/ns/NAME onto every FILE the user asked for.
 *
 * pid:          whose namespace files to expose (the caller's own pid, or
 *               the parent's pid when run from the helper child).
 * ns_ctx_list:  NS_COUNT entries parallel to ns_list[]; entries whose
 *               .path is NULL are skipped.
 *
 * Dies (via mount_or_die) on the first mount failure.
 */
static void mount_namespaces(pid_t pid, struct namespace_ctx *ns_ctx_list)
{
	int idx;

	for (idx = 0; idx < NS_COUNT; idx++) {
		const char *target = ns_ctx_list[idx].path;
		/* "/proc/" + up to 10 digits + "/ns/" + 4 chars + NUL fits here */
		char nsf[sizeof("/proc/%u/ns/AAAA") + sizeof(int)*3];

		if (target == NULL)
			continue;

		/* %.4s: nsfile4 has no NUL when all four chars are used ("user") */
		sprintf(nsf, "/proc/%u/ns/%.4s", (unsigned)pid, ns_list[idx].nsfile4);
		mount_or_die(nsf, target, NULL, MS_BIND);
	}
}
| 189 | |
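/*
 * unshare applet entry point.
 *
 * Flow: parse options; validate --setgroups; turn the namespace options
 * into a CLONE_NEW* mask; when the mount namespace is being unshared AND
 * some namespace must be made persistent, fork a helper that bind-mounts
 * the parent's namespace files from the old mount namespace; unshare(2);
 * mount the namespace files; optionally fork so PROG ends up as the first
 * process of a new pid namespace; write the uid/gid maps or the setgroups
 * policy; apply mount propagation to "/"; remount /proc; finally hand the
 * process over to exec_prog_or_SHELL(argv).
 *
 * Returns only on the error path where the helper child exited non-zero
 * (its exit status is propagated); otherwise the function never returns.
 */
int unshare_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
int unshare_main(int argc UNUSED_PARAM, char **argv)
{
	int i;
	unsigned int opts;
	int unsflags;
	uintptr_t need_mount;
	const char *proc_mnt_target;
	const char *prop_str;
	const char *setgrp_str;
	unsigned long prop_flags;
	uid_t reuid = geteuid();
	gid_t regid = getegid();
	struct fd_pair fdp;
	/* Self-init only silences "may be used uninitialized": child is read
	 * solely on the (need_mount && OPT_mount) path that also assigns it. */
	pid_t child = child; /* for compiler */
	struct namespace_ctx ns_ctx_list[NS_COUNT];

	memset(ns_ctx_list, 0, sizeof(ns_ctx_list));
	proc_mnt_target = "/proc";
	prop_str = PRIVATE_STR; /* default --propagation is "private" */
	setgrp_str = NULL;

	opt_complementary =
		"\xf0""m" /* long opts (via their "fake chars") imply short opts */
		":\xf1""u"
		":\xf2""i"
		":\xf3""n"
		":\xf4""p"
		":\xf5""U"
		":rU" /* --map-root-user or -r implies -U: the uid_map/gid_map
		       * writes below only work inside a fresh user namespace
		       * ('u' would be --uts, which is unrelated) */
		":\xfd""m" /* --mount-proc implies -m */
		;
	applet_long_options = unshare_longopts;
	/* Pointer order: the three opt_str fake chars (\xfd,\xfe,\xff), then
	 * the FILE arguments of the long namespace options in NS_*_POS order. */
	opts = getopt32(argv, opt_str,
		&proc_mnt_target, &prop_str, &setgrp_str,
		&ns_ctx_list[NS_MNT_POS].path,
		&ns_ctx_list[NS_UTS_POS].path,
		&ns_ctx_list[NS_IPC_POS].path,
		&ns_ctx_list[NS_NET_POS].path,
		&ns_ctx_list[NS_PID_POS].path,
		&ns_ctx_list[NS_USR_POS].path
	);
	argv += optind;
	//bb_error_msg("opts:0x%x", opts);
	//bb_error_msg("mount:%s", ns_ctx_list[NS_MNT_POS].path);
	//bb_error_msg("proc_mnt_target:%s", proc_mnt_target);
	//bb_error_msg("prop_str:%s", prop_str);
	//bb_error_msg("setgrp_str:%s", setgrp_str);
	//exit(1);

	/* --setgroups is validated up front; it is written after unshare(). */
	if (setgrp_str) {
		if (strcmp(setgrp_str, "allow") == 0) {
			/* --map-root-user has to write "deny" itself, see below */
			if (opts & OPT_map_root) {
				bb_error_msg_and_die(
					"--setgroups=allow and --map-root-user "
					"are mutually exclusive"
				);
			}
		} else {
			/* It's not "allow", must be "deny" */
			if (strcmp(setgrp_str, "deny") != 0)
				bb_error_msg_and_die("unrecognized: --%s=%s",
					"setgroups", setgrp_str);
		}
	}

	/* Bit i of opts is the namespace described by ns_list[i]. */
	unsflags = 0;
	need_mount = 0;
	for (i = 0; i < NS_COUNT; i++) {
		const struct namespace_descr *ns = &ns_list[i];
		struct namespace_ctx *ns_ctx = &ns_ctx_list[i];

		if (opts & (1 << i))
			unsflags |= ns->flag;

		need_mount |= (uintptr_t)(ns_ctx->path);
	}
	/* need_mount != 0 if at least one FILE was given */

	prop_flags = MS_REC | MS_PRIVATE;
	/* Silently ignore --propagation if --mount is not requested. */
	if (opts & OPT_mount)
		prop_flags = parse_propagation(prop_str);

	/*
	 * Special case: if we were requested to unshare the mount namespace
	 * AND to make any namespace persistent (by bind mounting it) we need
	 * to spawn a child process which will wait for the parent to call
	 * unshare(), then mount parent's namespaces while still in the
	 * previous namespace.
	 */
	fdp.wr = -1;
	if (need_mount && (opts & OPT_mount)) {
		/*
		 * Can't use getppid() in child, as we can be unsharing the
		 * pid namespace.
		 */
		pid_t ppid = getpid();

		xpiped_pair(fdp);

		child = xfork();
		if (child == 0) {
			/* Child */
			close(fdp.wr);

			/* Wait until parent calls unshare(): the read returns
			 * (EOF) once the parent closes its write end. */
			read(fdp.rd, ns_ctx_list, 1); /* ...using bogus buffer */
			/*close(fdp.rd);*/

			/* Mount parent's unshared namespaces. */
			mount_namespaces(ppid, ns_ctx_list);
			return EXIT_SUCCESS;
		}
		/* Parent continues */
	}

	if (unshare(unsflags) != 0)
		bb_perror_msg_and_die("unshare(0x%x)", unsflags);

	if (fdp.wr >= 0) {
		close(fdp.wr); /* Release child */
		close(fdp.rd); /* should close fd, to not confuse exec'ed PROG */
	}

	if (need_mount) {
		/* Wait for the child to finish mounting the namespaces. */
		if (opts & OPT_mount) {
			int exit_status = wait_for_exitstatus(child);
			if (WIFEXITED(exit_status) &&
			    WEXITSTATUS(exit_status) != EXIT_SUCCESS)
				return WEXITSTATUS(exit_status);
		} else {
			/*
			 * Regular way - we were requested to mount some other
			 * namespaces: mount them after the call to unshare().
			 */
			mount_namespaces(getpid(), ns_ctx_list);
		}
	}

	/*
	 * When we're unsharing the pid namespace, it's not the process that
	 * calls unshare() that is put into the new namespace, but its first
	 * child. The user may want to use this option to spawn a new process
	 * that'll become PID 1 in this new namespace.
	 */
	if (opts & OPT_fork) {
		xvfork_parent_waits_and_exits();
		/* Child continues */
	}

	if (opts & OPT_map_root) {
		/* "%u 0 1" with a 10-digit id plus NUL fits in 7 + 12 bytes */
		char uidmap_buf[sizeof("%u 0 1") + sizeof(int)*3];

		/*
		 * Since Linux 3.19 unprivileged writing of /proc/self/gid_map
		 * has been disabled unless /proc/self/setgroups is written
		 * first to permanently disable the ability to call setgroups
		 * in that user namespace.
		 */
		xopen_xwrite_close(PATH_PROC_SETGROUPS, "deny");
		/* Map our effective uid/gid to 0 inside the new user namespace */
		sprintf(uidmap_buf, "%u 0 1", (unsigned)reuid);
		xopen_xwrite_close(PATH_PROC_UIDMAP, uidmap_buf);
		sprintf(uidmap_buf, "%u 0 1", (unsigned)regid);
		xopen_xwrite_close(PATH_PROC_GIDMAP, uidmap_buf);
	} else if (setgrp_str) {
		/* Write "allow" or "deny" */
		xopen_xwrite_close(PATH_PROC_SETGROUPS, setgrp_str);
	}

	if (opts & OPT_mount) {
		mount_or_die("none", "/", NULL, prop_flags);
	}

	if (opts & OPT_mount_proc) {
		/*
		 * When creating a new pid namespace, we might want the pid
		 * subdirectories in /proc to remain consistent with the new
		 * process IDs. Without --mount-proc the pids in /proc would
		 * still reflect the old pid namespace. This is why we make
		 * /proc private here and then do a fresh mount.
		 */
		mount_or_die("none", proc_mnt_target, NULL, MS_PRIVATE | MS_REC);
		/* nosuid/noexec/nodev: nothing under /proc should ever be
		 * executable or carry device nodes */
		mount_or_die("proc", proc_mnt_target, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV);
	}

	exec_prog_or_SHELL(argv);
}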