shared/idmap: Make get_userns_fd configure the userns

Closes lxc#882 Signed-off-by: Stéphane Graber <[email protected]>
stgraber · May 23, 2024 · aa1aeb7 · aa1aeb7
1 parent d2c13e3
commit aa1aeb7
Showing 1 changed file with 52 additions and 1 deletion.
diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
@@ -280,18 +280,69 @@ static int get_userns_fd_cb(void *data)
 static int get_userns_fd(void)
 {
 	int ret;
+	int fd = -EBADF;
 	pid_t pid;
 	char path[256];
 
+	// Create the namespace.
 	pid = do_clone(get_userns_fd_cb, NULL, CLONE_NEWUSER);
 	if (pid < 0)
 		return -errno;
 
+	// Fetch a reference.
 	snprintf(path, sizeof(path), "/proc/%d/ns/user", pid);
 	ret = open(path, O_RDONLY | O_CLOEXEC);
+
+	// Kill the temporary process.
 	kill(pid, SIGKILL);
 	wait_for_pid(pid);
-	return ret;
+
+	if (ret != 0)
+		return ret;
+
+	// Setup uid_map
+	snprintf(path, sizeof(path), "/proc/%d/uid_map", pid);
+	fd = openat(AT_FDCWD, path, O_WRONLY);
+	if (fd < 0)
+		return -errno;
+
+	if (write(fd, "0 0 1", 5) != 5) {
+		close(fd);
+		return -errno;
+	}
+
+	if (close(fd) < 0)
+		return -errno;
+
+	// Setup setgroups
+	snprintf(path, sizeof(path), "/proc/%d/setgroups", pid);
+	fd = openat(AT_FDCWD, path, O_WRONLY);
+	if (fd < 0)
+		return -errno;
+
+	if (write(fd, "deny", 4) != 4) {
+		close(fd);
+		return -errno;
+	}
+
+	if (close(fd) < 0)
+		return -errno;
+
+	// Setup gid_map
+	snprintf(path, sizeof(path), "/proc/%d/gid_map", pid);
+	fd = openat(AT_FDCWD, path, O_WRONLY);
+	if (fd < 0)
+		return -errno;
+
+	if (write(fd, "0 0 1", 5) != 5) {
+		close(fd);
+		return -errno;
+	}
+
+	if (close(fd) < 0)
+		return -errno;
+
+	return 0;
 }
 
 static int create_detached_idmapped_mount(const char *path, const char *fstype)