tests/zfs-tests/cmd/user_ns_exec/user_ns_exec.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21
  22 #include <stdio.h>
  23 #include <unistd.h>
  24 #include <string.h>
  25 #include <limits.h>
  26 #include <sys/types.h>
  27 #include <sys/types.h>
  28 #include <sys/socket.h>
  29 #include <sys/wait.h>
  30 #include <fcntl.h>
  31 #include <errno.h>
  32 #include <signal.h>
  33 #include <sched.h>
  34
  35 #define EXECSHELL       "/bin/sh"
  36 #define UIDMAP          "0 100000 65536"
  37
  38 static int
  39 child_main(int argc, char *argv[], int sync_pipe)
  40 {
  41         char sync_buf;
  42         char cmds[BUFSIZ] = { 0 };
  43         char sep[] = " ";
  44         int i, len;
  45
  46         if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) {
  47                 perror("unshare");
  48                 return (1);
  49         }
  50
  51         /* tell parent we entered the new namespace */
  52         if (write(sync_pipe, "1", 1) != 1) {
  53                 perror("write");
  54                 return (1);
  55         }
  56
  57         /* wait for parent to setup the uid mapping */
  58         if (read(sync_pipe, &sync_buf, 1) != 1) {
  59                 (void) fprintf(stderr, "user namespace setup failed\n");
  60                 return (1);
  61         }
  62
  63         close(sync_pipe);
  64
  65         if (setuid(0) != 0) {
  66                 perror("setuid");
  67                 return (1);
  68         }
  69         if (setgid(0) != 0) {
  70                 perror("setgid");
  71                 return (1);
  72         }
  73
  74         len = 0;
  75         for (i = 1; i < argc; i++) {
  76                 (void) snprintf(cmds+len, sizeof (cmds)-len,
  77                     "%s%s", argv[i], sep);
  78                 len += strlen(argv[i]) + strlen(sep);
  79         }
  80
  81         if (execl(EXECSHELL, "sh",  "-c", cmds, (char *)NULL) != 0) {
  82                 perror("execl: " EXECSHELL);
  83                 return (1);
  84         }
  85
  86         return (0);
  87 }
  88
  89 static int
  90 set_idmap(pid_t pid, const char *file)
  91 {
  92         int result = 0;
  93         int mapfd;
  94         char path[PATH_MAX];
  95
  96         (void) snprintf(path, sizeof (path), "/proc/%d/%s", (int)pid, file);
  97
  98         mapfd = open(path, O_WRONLY);
  99         if (mapfd < 0) {
 100                 result = errno;
 101                 perror("open");
 102                 return (errno);
 103         }
 104
 105         if (write(mapfd, UIDMAP, sizeof (UIDMAP)-1) != sizeof (UIDMAP)-1) {
 106                 perror("write");
 107                 result = (errno);
 108         }
 109
 110         close(mapfd);
 111
 112         return (result);
 113 }
 114
 115 int
 116 main(int argc, char *argv[])
 117 {
 118         char sync_buf;
 119         int result, wstatus;
 120         int syncfd[2];
 121         pid_t child;
 122
 123         if (argc < 2 || strlen(argv[1]) == 0) {
 124                 (void) printf("\tUsage: %s <commands> ...\n", argv[0]);
 125                 return (1);
 126         }
 127
 128         if (socketpair(AF_UNIX, SOCK_STREAM, 0, syncfd) != 0) {
 129                 perror("socketpair");
 130                 return (1);
 131         }
 132
 133         child = fork();
 134         if (child == (pid_t)-1) {
 135                 perror("fork");
 136                 return (1);
 137         }
 138
 139         if (child == 0) {
 140                 close(syncfd[0]);
 141                 return (child_main(argc, argv, syncfd[1]));
 142         }
 143
 144         close(syncfd[1]);
 145
 146         result = 0;
 147         /* wait for the child to have unshared its namespaces */
 148         if (read(syncfd[0], &sync_buf, 1) != 1) {
 149                 perror("read");
 150                 kill(child, SIGKILL);
 151                 result = 1;
 152                 goto reap;
 153         }
 154
 155         /* write uid mapping */
 156         if (set_idmap(child, "uid_map") != 0 ||
 157             set_idmap(child, "gid_map") != 0) {
 158                 result = 1;
 159                 kill(child, SIGKILL);
 160                 goto reap;
 161         }
 162
 163         /* tell the child to proceed */
 164         if (write(syncfd[0], "1", 1) != 1) {
 165                 perror("write");
 166                 kill(child, SIGKILL);
 167                 result = 1;
 168                 goto reap;
 169         }
 170         close(syncfd[0]);
 171
 172 reap:
 173         while (waitpid(child, &wstatus, 0) != child)
 174                 kill(child, SIGKILL);
 175         if (result == 0)
 176                 result = WEXITSTATUS(wstatus);
 177
 178         return (result);
 179 }