blob: bc3280364ef8e75d0fb37422591f7b7f24a322c8
1 | /* vi: set sw=4 ts=4: */ |
2 | /* |
3 | * Mini unshare implementation for busybox. |
4 | * |
5 | * Copyright (C) 2016 by Bartosz Golaszewski <bartekgola@gmail.com> |
6 | * |
7 | * Licensed under GPLv2 or later, see file LICENSE in this source tree. |
8 | */ |
9 | //config:config UNSHARE |
10 | //config: bool "unshare" |
11 | //config: default y |
12 | //config: depends on LONG_OPTS && !NOMMU |
13 | //config: select PLATFORM_LINUX |
14 | //config: help |
15 | //config: Run program with some namespaces unshared from parent. |
16 | |
17 | // depends on LONG_OPTS: it is awkward to exclude code which handles --propagation |
18 | // and --setgroups based on LONG_OPTS, so instead applet requires LONG_OPTS. |
19 | // depends on !NOMMU: we need fork() |
20 | |
21 | //applet:IF_UNSHARE(APPLET(unshare, BB_DIR_USR_BIN, BB_SUID_DROP)) |
22 | |
23 | //kbuild:lib-$(CONFIG_UNSHARE) += unshare.o |
24 | |
25 | //usage:#define unshare_trivial_usage |
26 | //usage: "[OPTIONS] [PROG [ARGS]]" |
27 | //usage:#define unshare_full_usage "\n" |
28 | //usage: "\n -m, --mount[=FILE] Unshare mount namespace" |
29 | //usage: "\n -u, --uts[=FILE] Unshare UTS namespace (hostname etc.)" |
30 | //usage: "\n -i, --ipc[=FILE] Unshare System V IPC namespace" |
31 | //usage: "\n -n, --net[=FILE] Unshare network namespace" |
32 | //usage: "\n -p, --pid[=FILE] Unshare PID namespace" |
33 | //usage: "\n -U, --user[=FILE} Unshare user namespace" |
34 | //usage: "\n -f, --fork Fork before execing PROG" |
35 | //usage: "\n -r, --map-root-user Map current user to root (implies -u)" |
36 | //usage: "\n --mount-proc[=DIR] Mount /proc filesystem first (implies -m)" |
37 | //usage: "\n --propagation slave|shared|private|unchanged" |
38 | //usage: "\n Modify mount propagation in mount namespace" |
39 | //usage: "\n --setgroups allow|deny Control the setgroups syscall in user namespaces" |
40 | |
41 | #include <sched.h> |
42 | #ifndef CLONE_NEWUTS |
43 | # define CLONE_NEWUTS 0x04000000 |
44 | #endif |
45 | #ifndef CLONE_NEWIPC |
46 | # define CLONE_NEWIPC 0x08000000 |
47 | #endif |
48 | #ifndef CLONE_NEWUSER |
49 | # define CLONE_NEWUSER 0x10000000 |
50 | #endif |
51 | #ifndef CLONE_NEWPID |
52 | # define CLONE_NEWPID 0x20000000 |
53 | #endif |
54 | #ifndef CLONE_NEWNET |
55 | # define CLONE_NEWNET 0x40000000 |
56 | #endif |
57 | |
58 | #include <sys/mount.h> |
59 | #ifndef MS_REC |
60 | # define MS_REC (1 << 14) |
61 | #endif |
62 | #ifndef MS_PRIVATE |
63 | # define MS_PRIVATE (1 << 18) |
64 | #endif |
65 | #ifndef MS_SLAVE |
66 | # define MS_SLAVE (1 << 19) |
67 | #endif |
68 | #ifndef MS_SHARED |
69 | # define MS_SHARED (1 << 20) |
70 | #endif |
71 | |
72 | #include "libbb.h" |
73 | |
74 | static void mount_or_die(const char *source, const char *target, |
75 | const char *fstype, unsigned long mountflags) |
76 | { |
77 | if (mount(source, target, fstype, mountflags, NULL)) { |
78 | bb_perror_msg_and_die("can't mount %s on %s (flags:0x%lx)", |
79 | source, target, mountflags); |
80 | /* fstype is always either NULL or "proc". |
81 | * "proc" is only used to mount /proc. |
82 | * No need to clutter up error message with fstype, |
83 | * it is easily deductible. |
84 | */ |
85 | } |
86 | } |
87 | |
88 | #define PATH_PROC_SETGROUPS "/proc/self/setgroups" |
89 | #define PATH_PROC_UIDMAP "/proc/self/uid_map" |
90 | #define PATH_PROC_GIDMAP "/proc/self/gid_map" |
91 | |
92 | struct namespace_descr { |
93 | int flag; |
94 | const char nsfile4[4]; |
95 | }; |
96 | |
97 | struct namespace_ctx { |
98 | char *path; |
99 | }; |
100 | |
101 | enum { |
102 | OPT_mount = 1 << 0, |
103 | OPT_uts = 1 << 1, |
104 | OPT_ipc = 1 << 2, |
105 | OPT_net = 1 << 3, |
106 | OPT_pid = 1 << 4, |
107 | OPT_user = 1 << 5, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */ |
108 | OPT_fork = 1 << 6, |
109 | OPT_map_root = 1 << 7, |
110 | OPT_mount_proc = 1 << 8, |
111 | OPT_propagation = 1 << 9, |
112 | OPT_setgroups = 1 << 10, |
113 | }; |
114 | enum { |
115 | NS_MNT_POS = 0, |
116 | NS_UTS_POS, |
117 | NS_IPC_POS, |
118 | NS_NET_POS, |
119 | NS_PID_POS, |
120 | NS_USR_POS, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */ |
121 | NS_COUNT, |
122 | }; |
123 | static const struct namespace_descr ns_list[] = { |
124 | { CLONE_NEWNS, "mnt" }, |
125 | { CLONE_NEWUTS, "uts" }, |
126 | { CLONE_NEWIPC, "ipc" }, |
127 | { CLONE_NEWNET, "net" }, |
128 | { CLONE_NEWPID, "pid" }, |
129 | { CLONE_NEWUSER, "user" }, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */ |
130 | }; |
131 | |
132 | /* |
133 | * Upstream unshare doesn't support short options for --mount-proc, |
134 | * --propagation, --setgroups. |
135 | * Optional arguments (namespace mountpoints) exist only for long opts, |
136 | * we are forced to use "fake" letters for them. |
137 | * '+': stop at first non-option. |
138 | */ |
139 | static const char opt_str[] ALIGN1 = "+muinpU""fr""\xfd::""\xfe:""\xff:"; |
140 | static const char unshare_longopts[] ALIGN1 = |
141 | "mount\0" Optional_argument "\xf0" |
142 | "uts\0" Optional_argument "\xf1" |
143 | "ipc\0" Optional_argument "\xf2" |
144 | "net\0" Optional_argument "\xf3" |
145 | "pid\0" Optional_argument "\xf4" |
146 | "user\0" Optional_argument "\xf5" |
147 | "fork\0" No_argument "f" |
148 | "map-root-user\0" No_argument "r" |
149 | "mount-proc\0" Optional_argument "\xfd" |
150 | "propagation\0" Required_argument "\xfe" |
151 | "setgroups\0" Required_argument "\xff" |
152 | ; |
153 | |
154 | /* Ugly-looking string reuse trick */ |
155 | #define PRIVATE_STR "private\0""unchanged\0""shared\0""slave\0" |
156 | #define PRIVATE_UNCHANGED_SHARED_SLAVE PRIVATE_STR |
157 | |
158 | static unsigned long parse_propagation(const char *prop_str) |
159 | { |
160 | int i = index_in_strings(PRIVATE_UNCHANGED_SHARED_SLAVE, prop_str); |
161 | if (i < 0) |
162 | bb_error_msg_and_die("unrecognized: --%s=%s", "propagation", prop_str); |
163 | if (i == 0) |
164 | return MS_REC | MS_PRIVATE; |
165 | if (i == 1) |
166 | return 0; |
167 | if (i == 2) |
168 | return MS_REC | MS_SHARED; |
169 | return MS_REC | MS_SLAVE; |
170 | } |
171 | |
172 | static void mount_namespaces(pid_t pid, struct namespace_ctx *ns_ctx_list) |
173 | { |
174 | const struct namespace_descr *ns; |
175 | struct namespace_ctx *ns_ctx; |
176 | int i; |
177 | |
178 | for (i = 0; i < NS_COUNT; i++) { |
179 | char nsf[sizeof("/proc/%u/ns/AAAA") + sizeof(int)*3]; |
180 | |
181 | ns = &ns_list[i]; |
182 | ns_ctx = &ns_ctx_list[i]; |
183 | if (!ns_ctx->path) |
184 | continue; |
185 | sprintf(nsf, "/proc/%u/ns/%.4s", (unsigned)pid, ns->nsfile4); |
186 | mount_or_die(nsf, ns_ctx->path, NULL, MS_BIND); |
187 | } |
188 | } |
189 | |
190 | int unshare_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; |
191 | int unshare_main(int argc UNUSED_PARAM, char **argv) |
192 | { |
193 | int i; |
194 | unsigned int opts; |
195 | int unsflags; |
196 | uintptr_t need_mount; |
197 | const char *proc_mnt_target; |
198 | const char *prop_str; |
199 | const char *setgrp_str; |
200 | unsigned long prop_flags; |
201 | uid_t reuid = geteuid(); |
202 | gid_t regid = getegid(); |
203 | struct fd_pair fdp; |
204 | pid_t child = child; /* for compiler */ |
205 | struct namespace_ctx ns_ctx_list[NS_COUNT]; |
206 | |
207 | memset(ns_ctx_list, 0, sizeof(ns_ctx_list)); |
208 | proc_mnt_target = "/proc"; |
209 | prop_str = PRIVATE_STR; |
210 | setgrp_str = NULL; |
211 | |
212 | opt_complementary = |
213 | "\xf0""m" /* long opts (via their "fake chars") imply short opts */ |
214 | ":\xf1""u" |
215 | ":\xf2""i" |
216 | ":\xf3""n" |
217 | ":\xf4""p" |
218 | ":\xf5""U" |
219 | ":ru" /* --map-root-user or -r implies -u */ |
220 | ":\xfd""m" /* --mount-proc implies -m */ |
221 | ; |
222 | applet_long_options = unshare_longopts; |
223 | opts = getopt32(argv, opt_str, |
224 | &proc_mnt_target, &prop_str, &setgrp_str, |
225 | &ns_ctx_list[NS_MNT_POS].path, |
226 | &ns_ctx_list[NS_UTS_POS].path, |
227 | &ns_ctx_list[NS_IPC_POS].path, |
228 | &ns_ctx_list[NS_NET_POS].path, |
229 | &ns_ctx_list[NS_PID_POS].path, |
230 | &ns_ctx_list[NS_USR_POS].path |
231 | ); |
232 | argv += optind; |
233 | //bb_error_msg("opts:0x%x", opts); |
234 | //bb_error_msg("mount:%s", ns_ctx_list[NS_MNT_POS].path); |
235 | //bb_error_msg("proc_mnt_target:%s", proc_mnt_target); |
236 | //bb_error_msg("prop_str:%s", prop_str); |
237 | //bb_error_msg("setgrp_str:%s", setgrp_str); |
238 | //exit(1); |
239 | |
240 | if (setgrp_str) { |
241 | if (strcmp(setgrp_str, "allow") == 0) { |
242 | if (opts & OPT_map_root) { |
243 | bb_error_msg_and_die( |
244 | "--setgroups=allow and --map-root-user " |
245 | "are mutually exclusive" |
246 | ); |
247 | } |
248 | } else { |
249 | /* It's not "allow", must be "deny" */ |
250 | if (strcmp(setgrp_str, "deny") != 0) |
251 | bb_error_msg_and_die("unrecognized: --%s=%s", |
252 | "setgroups", setgrp_str); |
253 | } |
254 | } |
255 | |
256 | unsflags = 0; |
257 | need_mount = 0; |
258 | for (i = 0; i < NS_COUNT; i++) { |
259 | const struct namespace_descr *ns = &ns_list[i]; |
260 | struct namespace_ctx *ns_ctx = &ns_ctx_list[i]; |
261 | |
262 | if (opts & (1 << i)) |
263 | unsflags |= ns->flag; |
264 | |
265 | need_mount |= (uintptr_t)(ns_ctx->path); |
266 | } |
267 | /* need_mount != 0 if at least one FILE was given */ |
268 | |
269 | prop_flags = MS_REC | MS_PRIVATE; |
270 | /* Silently ignore --propagation if --mount is not requested. */ |
271 | if (opts & OPT_mount) |
272 | prop_flags = parse_propagation(prop_str); |
273 | |
274 | /* |
275 | * Special case: if we were requested to unshare the mount namespace |
276 | * AND to make any namespace persistent (by bind mounting it) we need |
277 | * to spawn a child process which will wait for the parent to call |
278 | * unshare(), then mount parent's namespaces while still in the |
279 | * previous namespace. |
280 | */ |
281 | fdp.wr = -1; |
282 | if (need_mount && (opts & OPT_mount)) { |
283 | /* |
284 | * Can't use getppid() in child, as we can be unsharing the |
285 | * pid namespace. |
286 | */ |
287 | pid_t ppid = getpid(); |
288 | |
289 | xpiped_pair(fdp); |
290 | |
291 | child = xfork(); |
292 | if (child == 0) { |
293 | /* Child */ |
294 | close(fdp.wr); |
295 | |
296 | /* Wait until parent calls unshare() */ |
297 | read(fdp.rd, ns_ctx_list, 1); /* ...using bogus buffer */ |
298 | /*close(fdp.rd);*/ |
299 | |
300 | /* Mount parent's unshared namespaces. */ |
301 | mount_namespaces(ppid, ns_ctx_list); |
302 | return EXIT_SUCCESS; |
303 | } |
304 | /* Parent continues */ |
305 | } |
306 | |
307 | //if (unshare(unsflags) != 0) |
308 | // bb_perror_msg_and_die("unshare(0x%x)", unsflags); |
309 | |
310 | if (fdp.wr >= 0) { |
311 | close(fdp.wr); /* Release child */ |
312 | close(fdp.rd); /* should close fd, to not confuse exec'ed PROG */ |
313 | } |
314 | |
315 | if (need_mount) { |
316 | /* Wait for the child to finish mounting the namespaces. */ |
317 | if (opts & OPT_mount) { |
318 | int exit_status = wait_for_exitstatus(child); |
319 | if (WIFEXITED(exit_status) && |
320 | WEXITSTATUS(exit_status) != EXIT_SUCCESS) |
321 | return WEXITSTATUS(exit_status); |
322 | } else { |
323 | /* |
324 | * Regular way - we were requested to mount some other |
325 | * namespaces: mount them after the call to unshare(). |
326 | */ |
327 | mount_namespaces(getpid(), ns_ctx_list); |
328 | } |
329 | } |
330 | |
331 | /* |
332 | * When we're unsharing the pid namespace, it's not the process that |
333 | * calls unshare() that is put into the new namespace, but its first |
334 | * child. The user may want to use this option to spawn a new process |
335 | * that'll become PID 1 in this new namespace. |
336 | */ |
337 | if (opts & OPT_fork) { |
338 | xvfork_parent_waits_and_exits(); |
339 | /* Child continues */ |
340 | } |
341 | |
342 | if (opts & OPT_map_root) { |
343 | char uidmap_buf[sizeof("%u 0 1") + sizeof(int)*3]; |
344 | |
345 | /* |
346 | * Since Linux 3.19 unprivileged writing of /proc/self/gid_map |
347 | * has been disabled unless /proc/self/setgroups is written |
348 | * first to permanently disable the ability to call setgroups |
349 | * in that user namespace. |
350 | */ |
351 | xopen_xwrite_close(PATH_PROC_SETGROUPS, "deny"); |
352 | sprintf(uidmap_buf, "%u 0 1", (unsigned)reuid); |
353 | xopen_xwrite_close(PATH_PROC_UIDMAP, uidmap_buf); |
354 | sprintf(uidmap_buf, "%u 0 1", (unsigned)regid); |
355 | xopen_xwrite_close(PATH_PROC_GIDMAP, uidmap_buf); |
356 | } else |
357 | if (setgrp_str) { |
358 | /* Write "allow" or "deny" */ |
359 | xopen_xwrite_close(PATH_PROC_SETGROUPS, setgrp_str); |
360 | } |
361 | |
362 | if (opts & OPT_mount) { |
363 | mount_or_die("none", "/", NULL, prop_flags); |
364 | } |
365 | |
366 | if (opts & OPT_mount_proc) { |
367 | /* |
368 | * When creating a new pid namespace, we might want the pid |
369 | * subdirectories in /proc to remain consistent with the new |
370 | * process IDs. Without --mount-proc the pids in /proc would |
371 | * still reflect the old pid namespace. This is why we make |
372 | * /proc private here and then do a fresh mount. |
373 | */ |
374 | mount_or_die("none", proc_mnt_target, NULL, MS_PRIVATE | MS_REC); |
375 | mount_or_die("proc", proc_mnt_target, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV); |
376 | } |
377 | |
378 | exec_prog_or_SHELL(argv); |
379 | } |
380 |