diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2018-06-11 16:03:34 +0200 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-06-27 14:07:17 +0000 |
commit | 5ff90677c83b78366554493e10f7615119f7e0a1 (patch) | |
tree | 094685755b891f5813a458cfadb5374e68f732fb /pkg/rootless/rootless_linux.c | |
parent | 8ee8f847340c3ac2264e183655fb7cdcbbfbb2cd (diff) | |
download | podman-5ff90677c83b78366554493e10f7615119f7e0a1.tar.gz podman-5ff90677c83b78366554493e10f7615119f7e0a1.tar.bz2 podman-5ff90677c83b78366554493e10f7615119f7e0a1.zip |
rootless: add management for the userNS
When running podman as non root user always create an userNS and let
the OCI runtime use it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #936
Approved by: rhatdan
Diffstat (limited to 'pkg/rootless/rootless_linux.c')
-rw-r--r-- | pkg/rootless/rootless_linux.c | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c new file mode 100644 index 000000000..f107af7c7 --- /dev/null +++ b/pkg/rootless/rootless_linux.c @@ -0,0 +1,128 @@ +#define _GNU_SOURCE +#include <sched.h> +#include <stdio.h> +#include <unistd.h> +#include <sys/syscall.h> +#include <stdlib.h> +#include <errno.h> +#include <sys/stat.h> +#include <limits.h> +#include <sys/types.h> +#include <signal.h> +#include <fcntl.h> +#include <sys/wait.h> + +static int +syscall_clone (unsigned long flags, void *child_stack) +{ + return (int) syscall (__NR_clone, flags, child_stack); +} + +static char ** +get_cmd_line_args (pid_t pid) +{ + int fd; + char path[PATH_MAX]; + char *buffer; + size_t allocated; + size_t used = 0; + int ret; + int i, argc = 0; + char **argv; + + sprintf (path, "/proc/%d/cmdline", pid); + fd = open (path, O_RDONLY); + if (fd < 0) + return NULL; + + allocated = 512; + buffer = malloc (allocated); + if (buffer == NULL) + return NULL; + for (;;) + { + do + ret = read (fd, buffer + used, allocated - used); + while (ret < 0 && errno == EINTR); + if (ret < 0) + return NULL; + + if (ret == 0) + break; + + used += ret; + if (allocated == used) + { + allocated += 512; + buffer = realloc (buffer, allocated); + if (buffer == NULL) + return NULL; + } + } + close (fd); + + for (i = 0; i < used; i++) + if (buffer[i] == '\0') + argc++; + + argv = malloc (sizeof (char *) * (argc + 1)); + argc = 0; + + argv[argc++] = buffer; + for (i = 0; i < used - 1; i++) + if (buffer[i] == '\0') + argv[argc++] = buffer + i + 1; + + argv[argc] = NULL; + + return argv; +} + +int +reexec_in_user_namespace(int ready) +{ + int ret; + pid_t pid; + char b; + pid_t ppid = getpid (); + char **argv; + + pid = syscall_clone (CLONE_NEWUSER|SIGCHLD, NULL); + if (pid) + return pid; + + argv = get_cmd_line_args (ppid); + + setenv ("_LIBPOD_USERNS_CONFIGURED", "init", 1); + + do + ret = read (ready, &b, 1) < 0; + while (ret < 0 && errno == EINTR); + if (ret < 0) + _exit (1); + close (ready); + + execv (argv[0], argv); + + _exit (1); +} + +int +reexec_in_user_namespace_wait (int pid) +{ + pid_t p; + int status; + + do + p = waitpid (pid, &status, 0); + while (p < 0 && errno == EINTR); + + if (p < 0) + return -1; + + if (WIFEXITED (status)) + return WEXITSTATUS (status); + if (WIFSIGNALED (status)) + return 128 + WTERMSIG (status); + return -1; +} |