From 58e6d71d244dcc3d4700ff9201f57c6db6bed4f3 Mon Sep 17 00:00:00 2001 From: Juan RP Date: Thu, 5 Mar 2015 18:44:20 +0100 Subject: [PATCH] New utility: xbps-uunshare(8) - like xbps-uchroot(8) with user_namespaces(7). --- NEWS | 4 + bin/Makefile | 1 + bin/xbps-uunshare/Makefile | 6 + bin/xbps-uunshare/main.c | 206 ++++++++++++++++++++++++++++++ bin/xbps-uunshare/xbps-uunshare.8 | 72 +++++++++++ 5 files changed, 289 insertions(+) create mode 100644 bin/xbps-uunshare/Makefile create mode 100644 bin/xbps-uunshare/main.c create mode 100644 bin/xbps-uunshare/xbps-uunshare.8 diff --git a/NEWS b/NEWS index 0913a3a2..b57b9634 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,9 @@ xbps-0.44 (???): + * xbps-uunshare(8): new utility analogue to xbps-uchroot(8), but uses + user namespaces (see user_namespaces(7)) to avoid the need of elevated + privileges. + * xbps-rindex(8): fix -s short option; was omitted in the short options list. * xbps-pkgdb(8): added a new mode to set in installed packages: "repolock". diff --git a/bin/Makefile b/bin/Makefile index e51be558..c0924f1f 100644 --- a/bin/Makefile +++ b/bin/Makefile @@ -10,6 +10,7 @@ SUBDIRS += xbps-remove SUBDIRS += xbps-rindex SUBDIRS += xbps-uhelper SUBDIRS += xbps-checkvers +SUBDIRS += xbps-uunshare ifeq (${XBPS_OS},linux) SUBDIRS += xbps-uchroot diff --git a/bin/xbps-uunshare/Makefile b/bin/xbps-uunshare/Makefile new file mode 100644 index 00000000..043a19c2 --- /dev/null +++ b/bin/xbps-uunshare/Makefile @@ -0,0 +1,6 @@ +TOPDIR = ../.. +-include $(TOPDIR)/config.mk + +BIN = xbps-uunshare + +include $(TOPDIR)/mk/prog.mk diff --git a/bin/xbps-uunshare/main.c b/bin/xbps-uunshare/main.c new file mode 100644 index 00000000..9fd6a801 --- /dev/null +++ b/bin/xbps-uunshare/main.c @@ -0,0 +1,206 @@ +/*- + * Copyright (c) 2014-2015 Juan Romero Pardines. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static int errval = 0; + +static void __attribute__((noreturn)) +die(const char *fmt, ...) +{ + va_list ap; + int save_errno = errno; + + va_start(ap, fmt); + fprintf(stderr, "ERROR "); + vfprintf(stderr, fmt, ap); + fprintf(stderr, " (%s)\n", strerror(save_errno)); + va_end(ap); + exit(errval != 0 ? errval : EXIT_FAILURE); +} + +static void __attribute__((noreturn)) +usage(const char *p) +{ + printf("Usage: %s [-D dir] [-H dir] [-S dir] \n\n" + "-D Directory to be bind mounted at /void-packages\n" + "-H Directory to be bind mounted at /host\n" + "-S Directory to be bind mounted at /\n", p); + exit(EXIT_FAILURE); +} + +static void +bindmount(const char *chrootdir, const char *dir, const char *dest) +{ + char mountdir[PATH_MAX-1]; + + snprintf(mountdir, sizeof(mountdir), "%s/%s", chrootdir, dest ? dest : dir); + if (mount(".", mountdir, NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) == -1) + die("Failed to bind mount %s at %s", dir, mountdir); +} + +int +main(int argc, char **argv) +{ + uid_t uid = getuid(); + gid_t gid = getgid(); + const char *chrootdir, *distdir, *hostdir, *shmdir, *cmd, *argv0; + char **cmdargs, mountdir[PATH_MAX-1], buf[32]; + int fd, aidx = 0, clone_flags, child_status = 0; + pid_t child; + + chrootdir = distdir = hostdir = shmdir = cmd = NULL; + argv0 = argv[0]; + argc--; + argv++; + + if (argc < 2) + usage(argv0); + + while (aidx < argc) { + if (strcmp(argv[aidx], "-D") == 0) { + /* distdir */ + distdir = argv[aidx+1]; + aidx += 2; + } else if (strcmp(argv[aidx], "-H") == 0) { + /* hostdir */ + hostdir = argv[aidx+1]; + aidx += 2; + } else if (strcmp(argv[aidx], "-S") == 0) { + /* shmdir */ + shmdir = argv[aidx+1]; + aidx += 2; + } else { + break; + } + } + if ((argc - aidx) < 2) + usage(argv0); + + chrootdir = argv[aidx]; + cmd = argv[aidx+1]; + cmdargs = argv + aidx + 1; + + /* Never allow chrootdir == / */ + if (strcmp(chrootdir, "/") == 0) + die("/ is not allowed to be used as chrootdir"); + + clone_flags = (SIGCHLD|CLONE_NEWUSER|CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUTS|CLONE_NEWPID); + + /* Issue the clone(2) syscall with our settings */ + if ((child = syscall(__NR_clone, clone_flags, NULL)) == -1) { + errval = 99; + die("clone"); + } + + if (child == 0) { + /* + * Setup uid/gid user mappings and restrict setgroups(). + */ + if ((fd = open("/proc/self/uid_map", O_RDWR)) == -1) + die("failed to open /proc/self/uidmap rw"); + if (write(fd, buf, snprintf(buf, sizeof buf, "0 %u 1\n", uid)) == -1) + die("failed to write to /proc/self/uid_map"); + + close(fd); + + if ((fd = open("/proc/self/setgroups", O_RDWR)) == -1) + die("failed to open /proc/self/setgroups rw"); + if (write(fd, "deny", 4) == -1) + die("failed to write to /proc/self/setgroups"); + + close(fd); + + if ((fd = open("/proc/self/gid_map", O_RDWR)) == -1) + die("failed to open /proc/self/gid_map rw"); + if (write(fd, buf, snprintf(buf, sizeof buf, "0 %u 1\n", gid)) == -1) + die("failed to write to /proc/self/setgroups"); + + close(fd); + + /* mount /proc */ + snprintf(mountdir, sizeof(mountdir), "%s/proc", chrootdir); + if (mount("proc", mountdir, "proc", MS_MGC_VAL|MS_PRIVATE, NULL) == -1) + die("Failed to mount %s", mountdir); + + /* bind mount /sys */ + bindmount(chrootdir, "/sys", NULL); + + /* bind mount /dev */ + bindmount(chrootdir, "/dev", NULL); + + /* bind mount hostdir if set */ + if (hostdir) + bindmount(chrootdir, hostdir, "/host"); + + /* bind mount distdir (if set) */ + if (distdir) + bindmount(chrootdir, distdir, "/void-packages"); + + /* bind mount shmdir (if set) */ + if (shmdir) + bindmount(chrootdir, shmdir, NULL); + + /* move chrootdir to / and chroot to it */ + if (chdir(chrootdir) == -1) + die("chdir to %s", chrootdir); + + if (mount(".", ".", NULL, MS_BIND|MS_PRIVATE, NULL) == -1) + die("Failed to bind mount %s", chrootdir); + + if (mount(chrootdir, "/", NULL, MS_MOVE, NULL) == -1) + die("Failed to move %s as rootfs", chrootdir); + + if (chroot(".") == -1) + die("Failed to chroot to %s", chrootdir); + + if (execvp(cmd, cmdargs) == -1) + die("Failed to execute command %s", cmd); + } + /* Wait until the child terminates */ + while (waitpid(child, &child_status, 0) < 0) { + if (errno != EINTR) + die("waitpid"); + } + if (!WIFEXITED(child_status)) + return -1; + + return WEXITSTATUS(child_status); +} diff --git a/bin/xbps-uunshare/xbps-uunshare.8 b/bin/xbps-uunshare/xbps-uunshare.8 new file mode 100644 index 00000000..63694871 --- /dev/null +++ b/bin/xbps-uunshare/xbps-uunshare.8 @@ -0,0 +1,72 @@ +.Dd March 5, 2015 +.Dt XBPS-UUNSHARE 8 +.Sh NAME +.Nm xbps-uunshare +.Nd XBPS utility to chroot and bind mount with linux user namespaces +.Sh SYNOPSYS +.Nm xbps-uunshare +.Op OPTIONS +.Ar CHROOTDIR +.Ar COMMAND +.Op ARGS +.Sh DESCRIPTION +The +.Nm +utility allows users to chroot and bind mount required pseudo-filesystems +(/dev, /proc and /sys) in the target +.Ar CHROOTDIR +to execute +.Ar COMMAND . +The +.Nm +utility uses by default Linux namespaces to isolate IPC, PIDs and mounts to +the calling process. Thanks to +.Xr user_namespaces 7 +the user does not need any privilege to create an isolated lightweight container. +.Sh OPTIONS +.Bl -tag -width -x +.It Fl D Ar dir +Specifies a full path to a directory that will be bind mounted at +.Ar CHROOTDIR/void-packages . +.It Fl H Ar dir +Specifies a full path to a directory that will be bind mounted at +.Ar CHROOTDIR/host . +.It Fl S Ar dir +Specifies a full path to a directory to allow shm functionality to be used +in the target +.Ar CHROOTDIR/dir . +If your system uses +.Sy /dev/shm +use it, otherwise use +.Sy /run/shm . +.El +.Sh NOTES +The +.Nm +utility uses Linux specific features (namespaces) and it's not meant to be portable to +other Operating Systems. The following kernel options must be enabled: +.Pp +.Bl -tag -width CONFIG_NAMESPACES -compact -offset indent +.It Sy CONFIG_NAMESPACES +.It Sy CONFIG_IPC_NS +.It Sy CONFIG_PID_NS +.It Sy CONFIG_USER_NS +.El +.Sh SEE ALSO +.Xr xbps.d 5 , +.Xr xbps-checkvers 8 , +.Xr xbps-create 8 , +.Xr xbps-dgraph 8 , +.Xr xbps-install 8 , +.Xr xbps-pkgdb 8 , +.Xr xbps-query 8 , +.Xr xbps-reconfigure 8 , +.Xr xbps-rindex 8 , +.Xr xbps-uchroot 8 +.Sh AUTHORS +.An Juan Romero Pardines +.Sh BUGS +Probably, but I try to make this not happen. Use it under your own +responsability and enjoy your life. +.Pp +Report bugs in https://github.com/voidlinux/xbps/issues