src/lxc/attach.c

   1 /*
   2  * lxc: linux Container library
   3  *
   4  * (C) Copyright IBM Corp. 2007, 2008
   5  *
   6  * Authors:
   7  * Daniel Lezcano <dlezcano at fr.ibm.com>
   8  *
   9  * This library is free software; you can redistribute it and/or
  10  * modify it under the terms of the GNU Lesser General Public
  11  * License as published by the Free Software Foundation; either
  12  * version 2.1 of the License, or (at your option) any later version.
  13  *
  14  * This library is distributed in the hope that it will be useful,
  15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  17  * Lesser General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU Lesser General Public
  20  * License along with this library; if not, write to the Free Software
  21  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  22  */
  23
  24 #define _GNU_SOURCE
  25 #include <unistd.h>
  26 #include <stdio.h>
  27 #include <string.h>
  28 #include <stdlib.h>
  29 #include <errno.h>
  30 #include <fcntl.h>
  31 #include <sys/param.h>
  32 #include <sys/prctl.h>
  33 #include <sys/mount.h>
  34 #include <sys/syscall.h>
  35 #include <linux/unistd.h>
  36
  37 #if !HAVE_DECL_PR_CAPBSET_DROP
  38 #define PR_CAPBSET_DROP 24
  39 #endif
  40
  41 #include "namespace.h"
  42 #include "log.h"
  43 #include "attach.h"
  44 #include "caps.h"
  45 #include "cgroup.h"
  46 #include "config.h"
  47
  48 lxc_log_define(lxc_attach, lxc);
  49
  50 int setns(int fd, int nstype)
  51 {
  52 #ifndef __NR_setns
  53         errno = ENOSYS;
  54         return -1;
  55 #else
  56         return syscall(__NR_setns, fd, nstype);
  57 #endif
  58 }
  59
  60 /* Define getline() if missing from the C library */
  61 #ifndef HAVE_GETLINE
  62 #ifdef HAVE_FGETLN
  63 #include <../include/getline.h>
  64 #endif
  65 #endif
  66
  67 struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid)
  68 {
  69         struct lxc_proc_context_info *info = calloc(1, sizeof(*info));
  70         FILE *proc_file;
  71         char proc_fn[MAXPATHLEN];
  72         char *line = NULL;
  73         size_t line_bufsz = 0;
  74         int ret, found;
  75
  76         if (!info) {
  77                 SYSERROR("Could not allocate memory.");
  78                 return NULL;
  79         }
  80
  81         /* read capabilities */
  82         snprintf(proc_fn, MAXPATHLEN, "/proc/%d/status", pid);
  83
  84         proc_file = fopen(proc_fn, "r");
  85         if (!proc_file) {
  86                 SYSERROR("Could not open %s", proc_fn);
  87                 goto out_error;
  88         }
  89
  90         found = 0;
  91         while (getline(&line, &line_bufsz, proc_file) != -1) {
  92                 ret = sscanf(line, "CapBnd: %llx", &info->capability_mask);
  93                 if (ret != EOF && ret > 0) {
  94                         found = 1;
  95                         break;
  96                 }
  97         }
  98
  99         fclose(proc_file);
 100
 101         if (!found) {
 102                 SYSERROR("Could not read capability bounding set from %s", proc_fn);
 103                 errno = ENOENT;
 104                 goto out_error;
 105         }
 106
 107         /* read personality */
 108         snprintf(proc_fn, MAXPATHLEN, "/proc/%d/personality", pid);
 109
 110         proc_file = fopen(proc_fn, "r");
 111         if (!proc_file) {
 112                 SYSERROR("Could not open %s", proc_fn);
 113                 goto out_error;
 114         }
 115
 116         ret = fscanf(proc_file, "%lx", &info->personality);
 117         fclose(proc_file);
 118
 119         if (ret == EOF || ret == 0) {
 120                 SYSERROR("Could not read personality from %s", proc_fn);
 121                 errno = ENOENT;
 122                 goto out_error;
 123         }
 124
 125         return info;
 126
 127 out_error:
 128         free(info);
 129         free(line);
 130         return NULL;
 131 }
 132
 133 int lxc_attach_to_ns(pid_t pid, int which)
 134 {
 135         char path[MAXPATHLEN];
 136         /* according to <http://article.gmane.org/gmane.linux.kernel.containers.lxc.devel/1429>,
 137          * the file for user namepsaces in /proc/$pid/ns will be called
 138          * 'user' once the kernel supports it
 139          */
 140         static char *ns[] = { "mnt", "pid", "uts", "ipc", "user", "net" };
 141         static int flags[] = {
 142                 CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC,
 143                 CLONE_NEWUSER, CLONE_NEWNET
 144         };
 145         static const int size = sizeof(ns) / sizeof(char *);
 146         int fd[size];
 147         int i, j, saved_errno;
 148
 149
 150         snprintf(path, MAXPATHLEN, "/proc/%d/ns", pid);
 151         if (access(path, X_OK)) {
 152                 ERROR("Does this kernel version support 'attach' ?");
 153                 return -1;
 154         }
 155
 156         for (i = 0; i < size; i++) {
 157                 /* ignore if we are not supposed to attach to that
 158                  * namespace
 159                  */
 160                 if (which != -1 && !(which & flags[i])) {
 161                         fd[i] = -1;
 162                         continue;
 163                 }
 164
 165                 snprintf(path, MAXPATHLEN, "/proc/%d/ns/%s", pid, ns[i]);
 166                 fd[i] = open(path, O_RDONLY);
 167                 if (fd[i] < 0) {
 168                         saved_errno = errno;
 169
 170                         /* close all already opened file descriptors before
 171                          * we return an error, so we don't leak them
 172                          */
 173                         for (j = 0; j < i; j++)
 174                                 close(fd[j]);
 175
 176                         errno = saved_errno;
 177                         SYSERROR("failed to open '%s'", path);
 178                         return -1;
 179                 }
 180         }
 181
 182         for (i = 0; i < size; i++) {
 183                 if (fd[i] >= 0 && setns(fd[i], 0) != 0) {
 184                         saved_errno = errno;
 185
 186                         for (j = i; j < size; j++)
 187                                 close(fd[j]);
 188
 189                         errno = saved_errno;
 190                         SYSERROR("failed to set namespace '%s'", ns[i]);
 191                         return -1;
 192                 }
 193
 194                 close(fd[i]);
 195         }
 196
 197         return 0;
 198 }
 199
 200 int lxc_attach_remount_sys_proc()
 201 {
 202         int ret;
 203
 204         ret = unshare(CLONE_NEWNS);
 205         if (ret < 0) {
 206                 SYSERROR("failed to unshare mount namespace");
 207                 return -1;
 208         }
 209
 210         /* assume /proc is always mounted, so remount it */
 211         ret = umount2("/proc", MNT_DETACH);
 212         if (ret < 0) {
 213                 SYSERROR("failed to unmount /proc");
 214                 return -1;
 215         }
 216
 217         ret = mount("none", "/proc", "proc", 0, NULL);
 218         if (ret < 0) {
 219                 SYSERROR("failed to remount /proc");
 220                 return -1;
 221         }
 222
 223         /* try to umount /sys - if it's not a mount point,
 224          * we'll get EINVAL, then we ignore it because it
 225          * may not have been mounted in the first place
 226          */
 227         ret = umount2("/sys", MNT_DETACH);
 228         if (ret < 0 && errno != EINVAL) {
 229                 SYSERROR("failed to unmount /sys");
 230                 return -1;
 231         } else if (ret == 0) {
 232                 /* remount it */
 233                 ret = mount("none", "/sys", "sysfs", 0, NULL);
 234                 if (ret < 0) {
 235                         SYSERROR("failed to remount /sys");
 236                         return -1;
 237                 }
 238         }
 239
 240         return 0;
 241 }
 242
 243 int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx)
 244 {
 245         int last_cap = lxc_caps_last_cap();
 246         int cap;
 247
 248         for (cap = 0; cap <= last_cap; cap++) {
 249                 if (ctx->capability_mask & (1LL << cap))
 250                         continue;
 251
 252                 if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0)) {
 253                         SYSERROR("failed to remove capability id %d", cap);
 254                         return -1;
 255                 }
 256         }
 257
 258         return 0;
 259 }