New utility: xbps-uunshare(8) - like xbps-uchroot(8) with user_namespaces(7).
This commit is contained in:
parent
927254c43e
commit
58e6d71d24
4
NEWS
4
NEWS
@ -1,5 +1,9 @@
|
|||||||
xbps-0.44 (???):
|
xbps-0.44 (???):
|
||||||
|
|
||||||
|
* xbps-uunshare(8): new utility analogue to xbps-uchroot(8), but uses
|
||||||
|
user namespaces (see user_namespaces(7)) to avoid the need of elevated
|
||||||
|
privileges.
|
||||||
|
|
||||||
* xbps-rindex(8): fix -s short option; was omitted in the short options list.
|
* xbps-rindex(8): fix -s short option; was omitted in the short options list.
|
||||||
|
|
||||||
* xbps-pkgdb(8): added a new mode to set in installed packages: "repolock".
|
* xbps-pkgdb(8): added a new mode to set in installed packages: "repolock".
|
||||||
|
@ -10,6 +10,7 @@ SUBDIRS += xbps-remove
|
|||||||
SUBDIRS += xbps-rindex
|
SUBDIRS += xbps-rindex
|
||||||
SUBDIRS += xbps-uhelper
|
SUBDIRS += xbps-uhelper
|
||||||
SUBDIRS += xbps-checkvers
|
SUBDIRS += xbps-checkvers
|
||||||
|
SUBDIRS += xbps-uunshare
|
||||||
|
|
||||||
ifeq (${XBPS_OS},linux)
|
ifeq (${XBPS_OS},linux)
|
||||||
SUBDIRS += xbps-uchroot
|
SUBDIRS += xbps-uchroot
|
||||||
|
6
bin/xbps-uunshare/Makefile
Normal file
6
bin/xbps-uunshare/Makefile
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
TOPDIR = ../..
|
||||||
|
-include $(TOPDIR)/config.mk
|
||||||
|
|
||||||
|
BIN = xbps-uunshare
|
||||||
|
|
||||||
|
include $(TOPDIR)/mk/prog.mk
|
206
bin/xbps-uunshare/main.c
Normal file
206
bin/xbps-uunshare/main.c
Normal file
@ -0,0 +1,206 @@
|
|||||||
|
/*-
|
||||||
|
* Copyright (c) 2014-2015 Juan Romero Pardines.
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||||
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||||
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||||
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||||
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||||
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
#define _GNU_SOURCE
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/mount.h>
|
||||||
|
#include <sys/fsuid.h>
|
||||||
|
#include <sys/wait.h>
|
||||||
|
#include <sched.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <signal.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <grp.h>
|
||||||
|
#include <errno.h>
|
||||||
|
#include <limits.h>
|
||||||
|
#include <syscall.h>
|
||||||
|
|
||||||
|
static int errval = 0;
|
||||||
|
|
||||||
|
static void __attribute__((noreturn))
|
||||||
|
die(const char *fmt, ...)
|
||||||
|
{
|
||||||
|
va_list ap;
|
||||||
|
int save_errno = errno;
|
||||||
|
|
||||||
|
va_start(ap, fmt);
|
||||||
|
fprintf(stderr, "ERROR ");
|
||||||
|
vfprintf(stderr, fmt, ap);
|
||||||
|
fprintf(stderr, " (%s)\n", strerror(save_errno));
|
||||||
|
va_end(ap);
|
||||||
|
exit(errval != 0 ? errval : EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void __attribute__((noreturn))
|
||||||
|
usage(const char *p)
|
||||||
|
{
|
||||||
|
printf("Usage: %s [-D dir] [-H dir] [-S dir] <chrootdir> <command>\n\n"
|
||||||
|
"-D <distdir> Directory to be bind mounted at <chrootdir>/void-packages\n"
|
||||||
|
"-H <hostdir> Directory to be bind mounted at <chrootdir>/host\n"
|
||||||
|
"-S <shmdir> Directory to be bind mounted at <chrootdir>/<shmdir>\n", p);
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
bindmount(const char *chrootdir, const char *dir, const char *dest)
|
||||||
|
{
|
||||||
|
char mountdir[PATH_MAX-1];
|
||||||
|
|
||||||
|
snprintf(mountdir, sizeof(mountdir), "%s/%s", chrootdir, dest ? dest : dir);
|
||||||
|
if (mount(".", mountdir, NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) == -1)
|
||||||
|
die("Failed to bind mount %s at %s", dir, mountdir);
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
uid_t uid = getuid();
|
||||||
|
gid_t gid = getgid();
|
||||||
|
const char *chrootdir, *distdir, *hostdir, *shmdir, *cmd, *argv0;
|
||||||
|
char **cmdargs, mountdir[PATH_MAX-1], buf[32];
|
||||||
|
int fd, aidx = 0, clone_flags, child_status = 0;
|
||||||
|
pid_t child;
|
||||||
|
|
||||||
|
chrootdir = distdir = hostdir = shmdir = cmd = NULL;
|
||||||
|
argv0 = argv[0];
|
||||||
|
argc--;
|
||||||
|
argv++;
|
||||||
|
|
||||||
|
if (argc < 2)
|
||||||
|
usage(argv0);
|
||||||
|
|
||||||
|
while (aidx < argc) {
|
||||||
|
if (strcmp(argv[aidx], "-D") == 0) {
|
||||||
|
/* distdir */
|
||||||
|
distdir = argv[aidx+1];
|
||||||
|
aidx += 2;
|
||||||
|
} else if (strcmp(argv[aidx], "-H") == 0) {
|
||||||
|
/* hostdir */
|
||||||
|
hostdir = argv[aidx+1];
|
||||||
|
aidx += 2;
|
||||||
|
} else if (strcmp(argv[aidx], "-S") == 0) {
|
||||||
|
/* shmdir */
|
||||||
|
shmdir = argv[aidx+1];
|
||||||
|
aidx += 2;
|
||||||
|
} else {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if ((argc - aidx) < 2)
|
||||||
|
usage(argv0);
|
||||||
|
|
||||||
|
chrootdir = argv[aidx];
|
||||||
|
cmd = argv[aidx+1];
|
||||||
|
cmdargs = argv + aidx + 1;
|
||||||
|
|
||||||
|
/* Never allow chrootdir == / */
|
||||||
|
if (strcmp(chrootdir, "/") == 0)
|
||||||
|
die("/ is not allowed to be used as chrootdir");
|
||||||
|
|
||||||
|
clone_flags = (SIGCHLD|CLONE_NEWUSER|CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUTS|CLONE_NEWPID);
|
||||||
|
|
||||||
|
/* Issue the clone(2) syscall with our settings */
|
||||||
|
if ((child = syscall(__NR_clone, clone_flags, NULL)) == -1) {
|
||||||
|
errval = 99;
|
||||||
|
die("clone");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (child == 0) {
|
||||||
|
/*
|
||||||
|
* Setup uid/gid user mappings and restrict setgroups().
|
||||||
|
*/
|
||||||
|
if ((fd = open("/proc/self/uid_map", O_RDWR)) == -1)
|
||||||
|
die("failed to open /proc/self/uidmap rw");
|
||||||
|
if (write(fd, buf, snprintf(buf, sizeof buf, "0 %u 1\n", uid)) == -1)
|
||||||
|
die("failed to write to /proc/self/uid_map");
|
||||||
|
|
||||||
|
close(fd);
|
||||||
|
|
||||||
|
if ((fd = open("/proc/self/setgroups", O_RDWR)) == -1)
|
||||||
|
die("failed to open /proc/self/setgroups rw");
|
||||||
|
if (write(fd, "deny", 4) == -1)
|
||||||
|
die("failed to write to /proc/self/setgroups");
|
||||||
|
|
||||||
|
close(fd);
|
||||||
|
|
||||||
|
if ((fd = open("/proc/self/gid_map", O_RDWR)) == -1)
|
||||||
|
die("failed to open /proc/self/gid_map rw");
|
||||||
|
if (write(fd, buf, snprintf(buf, sizeof buf, "0 %u 1\n", gid)) == -1)
|
||||||
|
die("failed to write to /proc/self/setgroups");
|
||||||
|
|
||||||
|
close(fd);
|
||||||
|
|
||||||
|
/* mount /proc */
|
||||||
|
snprintf(mountdir, sizeof(mountdir), "%s/proc", chrootdir);
|
||||||
|
if (mount("proc", mountdir, "proc", MS_MGC_VAL|MS_PRIVATE, NULL) == -1)
|
||||||
|
die("Failed to mount %s", mountdir);
|
||||||
|
|
||||||
|
/* bind mount /sys */
|
||||||
|
bindmount(chrootdir, "/sys", NULL);
|
||||||
|
|
||||||
|
/* bind mount /dev */
|
||||||
|
bindmount(chrootdir, "/dev", NULL);
|
||||||
|
|
||||||
|
/* bind mount hostdir if set */
|
||||||
|
if (hostdir)
|
||||||
|
bindmount(chrootdir, hostdir, "/host");
|
||||||
|
|
||||||
|
/* bind mount distdir (if set) */
|
||||||
|
if (distdir)
|
||||||
|
bindmount(chrootdir, distdir, "/void-packages");
|
||||||
|
|
||||||
|
/* bind mount shmdir (if set) */
|
||||||
|
if (shmdir)
|
||||||
|
bindmount(chrootdir, shmdir, NULL);
|
||||||
|
|
||||||
|
/* move chrootdir to / and chroot to it */
|
||||||
|
if (chdir(chrootdir) == -1)
|
||||||
|
die("chdir to %s", chrootdir);
|
||||||
|
|
||||||
|
if (mount(".", ".", NULL, MS_BIND|MS_PRIVATE, NULL) == -1)
|
||||||
|
die("Failed to bind mount %s", chrootdir);
|
||||||
|
|
||||||
|
if (mount(chrootdir, "/", NULL, MS_MOVE, NULL) == -1)
|
||||||
|
die("Failed to move %s as rootfs", chrootdir);
|
||||||
|
|
||||||
|
if (chroot(".") == -1)
|
||||||
|
die("Failed to chroot to %s", chrootdir);
|
||||||
|
|
||||||
|
if (execvp(cmd, cmdargs) == -1)
|
||||||
|
die("Failed to execute command %s", cmd);
|
||||||
|
}
|
||||||
|
/* Wait until the child terminates */
|
||||||
|
while (waitpid(child, &child_status, 0) < 0) {
|
||||||
|
if (errno != EINTR)
|
||||||
|
die("waitpid");
|
||||||
|
}
|
||||||
|
if (!WIFEXITED(child_status))
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
return WEXITSTATUS(child_status);
|
||||||
|
}
|
72
bin/xbps-uunshare/xbps-uunshare.8
Normal file
72
bin/xbps-uunshare/xbps-uunshare.8
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
.Dd March 5, 2015
|
||||||
|
.Dt XBPS-UUNSHARE 8
|
||||||
|
.Sh NAME
|
||||||
|
.Nm xbps-uunshare
|
||||||
|
.Nd XBPS utility to chroot and bind mount with linux user namespaces
|
||||||
|
.Sh SYNOPSYS
|
||||||
|
.Nm xbps-uunshare
|
||||||
|
.Op OPTIONS
|
||||||
|
.Ar CHROOTDIR
|
||||||
|
.Ar COMMAND
|
||||||
|
.Op ARGS
|
||||||
|
.Sh DESCRIPTION
|
||||||
|
The
|
||||||
|
.Nm
|
||||||
|
utility allows users to chroot and bind mount required pseudo-filesystems
|
||||||
|
(/dev, /proc and /sys) in the target
|
||||||
|
.Ar CHROOTDIR
|
||||||
|
to execute
|
||||||
|
.Ar COMMAND .
|
||||||
|
The
|
||||||
|
.Nm
|
||||||
|
utility uses by default Linux namespaces to isolate IPC, PIDs and mounts to
|
||||||
|
the calling process. Thanks to
|
||||||
|
.Xr user_namespaces 7
|
||||||
|
the user does not need any privilege to create an isolated lightweight container.
|
||||||
|
.Sh OPTIONS
|
||||||
|
.Bl -tag -width -x
|
||||||
|
.It Fl D Ar dir
|
||||||
|
Specifies a full path to a directory that will be bind mounted at
|
||||||
|
.Ar CHROOTDIR/void-packages .
|
||||||
|
.It Fl H Ar dir
|
||||||
|
Specifies a full path to a directory that will be bind mounted at
|
||||||
|
.Ar CHROOTDIR/host .
|
||||||
|
.It Fl S Ar dir
|
||||||
|
Specifies a full path to a directory to allow shm functionality to be used
|
||||||
|
in the target
|
||||||
|
.Ar CHROOTDIR/dir .
|
||||||
|
If your system uses
|
||||||
|
.Sy /dev/shm
|
||||||
|
use it, otherwise use
|
||||||
|
.Sy /run/shm .
|
||||||
|
.El
|
||||||
|
.Sh NOTES
|
||||||
|
The
|
||||||
|
.Nm
|
||||||
|
utility uses Linux specific features (namespaces) and it's not meant to be portable to
|
||||||
|
other Operating Systems. The following kernel options must be enabled:
|
||||||
|
.Pp
|
||||||
|
.Bl -tag -width CONFIG_NAMESPACES -compact -offset indent
|
||||||
|
.It Sy CONFIG_NAMESPACES
|
||||||
|
.It Sy CONFIG_IPC_NS
|
||||||
|
.It Sy CONFIG_PID_NS
|
||||||
|
.It Sy CONFIG_USER_NS
|
||||||
|
.El
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr xbps.d 5 ,
|
||||||
|
.Xr xbps-checkvers 8 ,
|
||||||
|
.Xr xbps-create 8 ,
|
||||||
|
.Xr xbps-dgraph 8 ,
|
||||||
|
.Xr xbps-install 8 ,
|
||||||
|
.Xr xbps-pkgdb 8 ,
|
||||||
|
.Xr xbps-query 8 ,
|
||||||
|
.Xr xbps-reconfigure 8 ,
|
||||||
|
.Xr xbps-rindex 8 ,
|
||||||
|
.Xr xbps-uchroot 8
|
||||||
|
.Sh AUTHORS
|
||||||
|
.An Juan Romero Pardines <xtraeme@gmail.com>
|
||||||
|
.Sh BUGS
|
||||||
|
Probably, but I try to make this not happen. Use it under your own
|
||||||
|
responsability and enjoy your life.
|
||||||
|
.Pp
|
||||||
|
Report bugs in https://github.com/voidlinux/xbps/issues
|
Loading…
Reference in New Issue
Block a user