| 1 | /* Acquire root privileges. |
|---|---|
| 2 | Copyright (C) 2016-2022 Free Software Foundation, Inc. |
| 3 | This file is part of the GNU C Library. |
| 4 | |
| 5 | The GNU C Library is free software; you can redistribute it and/or |
| 6 | modify it under the terms of the GNU Lesser General Public |
| 7 | License as published by the Free Software Foundation; either |
| 8 | version 2.1 of the License, or (at your option) any later version. |
| 9 | |
| 10 | The GNU C Library is distributed in the hope that it will be useful, |
| 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 13 | Lesser General Public License for more details. |
| 14 | |
| 15 | You should have received a copy of the GNU Lesser General Public |
| 16 | License along with the GNU C Library; if not, see |
| 17 | <https://www.gnu.org/licenses/>. */ |
| 18 | |
| 19 | #include <support/namespace.h> |
| 20 | |
| 21 | #include <errno.h> |
| 22 | #include <fcntl.h> |
| 23 | #include <sched.h> |
| 24 | #include <stdio.h> |
| 25 | #include <string.h> |
| 26 | #include <support/check.h> |
| 27 | #include <support/xunistd.h> |
| 28 | #include <unistd.h> |
| 29 | |
| 30 | #ifdef CLONE_NEWUSER |
| 31 | /* The necessary steps to allow file creation in user namespaces. */ |
| 32 | static void |
| 33 | setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) |
| 34 | { |
| 35 | int fd = open64 ("/proc/self/uid_map", O_WRONLY); |
| 36 | if (fd < 0) |
| 37 | { |
| 38 | printf ("warning: could not open /proc/self/uid_map: %m\n" |
| 39 | "warning: file creation may not be possible\n"); |
| 40 | return; |
| 41 | } |
| 42 | |
| 43 | /* We map our original UID to the same UID in the container so we |
| 44 | own our own files normally. Without that, file creation could |
| 45 | fail with EOVERFLOW (sic!). */ |
| 46 | char buf[100]; |
| 47 | int ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n", |
| 48 | (unsigned long long) original_uid, |
| 49 | (unsigned long long) original_uid); |
| 50 | TEST_VERIFY_EXIT (ret < sizeof (buf)); |
| 51 | xwrite (fd, buf, ret); |
| 52 | xclose (fd); |
| 53 | |
| 54 | /* Linux 3.19 introduced the setgroups file. We need write "deny" to this |
| 55 | file otherwise writing to gid_map will fail with EPERM. */ |
| 56 | fd = open64 ("/proc/self/setgroups", O_WRONLY, 0); |
| 57 | if (fd < 0) |
| 58 | { |
| 59 | if (errno != ENOENT) |
| 60 | FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m", |
| 61 | O_WRONLY, 0); |
| 62 | /* This kernel doesn't expose the setgroups file so simply move on. */ |
| 63 | } |
| 64 | else |
| 65 | { |
| 66 | xwrite (fd, "deny\n", strlen ( "deny\n")); |
| 67 | xclose (fd); |
| 68 | } |
| 69 | |
| 70 | /* Now map our own GID, like we did for the user ID. */ |
| 71 | fd = xopen ("/proc/self/gid_map", O_WRONLY, 0); |
| 72 | ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n", |
| 73 | (unsigned long long) original_gid, |
| 74 | (unsigned long long) original_gid); |
| 75 | TEST_VERIFY_EXIT (ret < sizeof (buf)); |
| 76 | xwrite (fd, buf, ret); |
| 77 | xclose (fd); |
| 78 | } |
| 79 | #endif /* CLONE_NEWUSER */ |
| 80 | |
| 81 | bool |
| 82 | support_become_root (void) |
| 83 | { |
| 84 | #ifdef CLONE_NEWUSER |
| 85 | uid_t original_uid = getuid (); |
| 86 | gid_t original_gid = getgid (); |
| 87 | |
| 88 | if (unshare (CLONE_NEWUSER | CLONE_NEWNS) == 0) |
| 89 | { |
| 90 | setup_uid_gid_mapping (original_uid, original_gid); |
| 91 | /* Even if we do not have UID zero, we have extended privileges at |
| 92 | this point. */ |
| 93 | return true; |
| 94 | } |
| 95 | #endif |
| 96 | if (setuid (0) != 0) |
| 97 | { |
| 98 | printf ("warning: could not become root outside namespace (%m)\n"); |
| 99 | return false; |
| 100 | } |
| 101 | return true; |
| 102 | } |
| 103 |
Generated on 2022-Feb-09 from project glibc
Powered by 
Code Browser 2.1
Generator usage only permitted with license.