nsenter: implement a two-stage join for setns #4492

Open, wants to merge 4 commits into base: main
Commits on Nov 13, 2024

  1. cfmt: use the Linux { a, b } decl style

    Signed-off-by: Aleksa Sarai <[email protected]>
    cyphar committed Nov 13, 2024
    49bee5c
  2. nsenter: refuse to join unknown namespaces

    This is basically a no-op change because runc already disallows this,
    but it will be needed in future patches when we have to track what
    namespaces have already been joined.
    
    Signed-off-by: Aleksa Sarai <[email protected]>
    cyphar committed Nov 13, 2024
    a97d7cb
  3. nsenter: implement a two-stage join for setns

    If we are running with privileges and are asked to join an externally
    created user namespace as well as some other namespace that was *not*
    created underneath said user namespace, the approach we added in commit
    2cd9c31 ("nsenter: guarantee correct user namespace ordering")
    doesn't work.
    
    While in theory you would want all externally created namespaces to be
    sane, it seems that some tools really do create unrelated namespaces and
    ask us to join them. Luckily we can just loosely copy what nsenter(1)
    appears to do -- we first try to join any namespaces we can (with host
    root privileges), then we join any user namespaces, and then we join any
    remaining namespaces (now with the user namespace's privileges).
    
    Note that we *do not* have to try to join namespaces after we create our
    own user namespace. Namespace permissions are based purely on the owning
    user namespace (not the rootuid) so we will not have access to any extra
    namespaces once we unshare(CLONE_NEWUSER) (in fact we will not be able
    to setns(2) to anything!).
    
    Fixes: 2cd9c31 ("nsenter: guarantee correct user namespace ordering")
    Signed-off-by: Aleksa Sarai <[email protected]>
    cyphar committed Nov 13, 2024
    fadc55e
  4. tests: add test for 'weird' external namespace joining

    Signed-off-by: Aleksa Sarai <[email protected]>
    cyphar committed Nov 13, 2024
    fffc165
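
The join order described in the third commit message above, as an added example in C; it is not code from this pull request or from runc. `struct ns_target`, `join_fn`, `join_pass`, `two_stage_join` and `sim_setns` are hypothetical names, and the fd numbers 10 and 20 are constructed so the ordering can be exercised without privileges.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stddef.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* kernel UAPI value, if <sched.h> hid it */
#endif

/* Hypothetical types for this sketch; not runc's own structures. */
struct ns_target { int fd, nstype, joined; };
typedef int (*join_fn)(int fd, int nstype); /* same shape as setns(2) */

/* Join each pending target that is (want_user) or is not a user namespace.
 * With tolerate_eperm, EPERM leaves the target pending for a later pass. */
static int join_pass(struct ns_target *ns, size_t n, int want_user,
		     int tolerate_eperm, join_fn join)
{
	for (size_t i = 0; i < n; i++) {
		int is_user = (ns[i].nstype == CLONE_NEWUSER);
		if (ns[i].joined || is_user != want_user)
			continue;
		if (join(ns[i].fd, ns[i].nstype) == 0)
			ns[i].joined = 1;
		else if (!(tolerate_eperm && errno == EPERM))
			return -1;
	}
	return 0;
}

/* Returns 0 once every target is joined, -1 with errno set otherwise. */
int two_stage_join(struct ns_target *ns, size_t n, join_fn join)
{
	if (join_pass(ns, n, 0, 1, join) < 0 || /* 1: what current privileges allow */
	    join_pass(ns, n, 1, 0, join) < 0)   /* then the user namespace(s) */
		return -1;
	return join_pass(ns, n, 0, 0, join);    /* 2: the rest, inside the userns */
}
/* Constructed stand-in for setns(2): fd 10 is owned by the host userns (only
 * joinable before the userns join), fd 20 by the target userns (only after). */
int sim_in_userns, sim_order[3], sim_count;
int sim_setns(int fd, int nstype)
{
	if ((fd == 10 && sim_in_userns) || (fd == 20 && !sim_in_userns)) {
		errno = EPERM;
		return -1;
	}
	if (nstype == CLONE_NEWUSER)
		sim_in_userns = 1;
	sim_order[sim_count++] = fd;
	return 0;
}
```

With real namespace descriptors, pass `setns` as the `join` argument; `sim_setns` exists only to model the permission behaviour the commit message describes.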