From 55c9b03bafebac0c388966f6c1834108de42f4a6 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Thu, 11 Oct 2018 15:17:18 +0200 Subject: rootless: detect when user namespaces are not enabled Signed-off-by: Giuseppe Scrivano --- pkg/rootless/rootless_linux.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index 11c3c32f0..9eb16c1a5 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -13,6 +13,9 @@ #include #include +static const char *_max_user_namespaces = "/proc/sys/user/max_user_namespaces"; +static const char *_unprivileged_user_namespaces = "/proc/sys/kernel/unprivileged_userns_clone"; + static int syscall_setresuid (uid_t ruid, uid_t euid, uid_t suid) { @@ -145,6 +148,25 @@ reexec_userns_join (int userns) _exit (EXIT_FAILURE); } +static void +check_proc_sys_userns_file (const char *path) +{ + FILE *fp; + fp = fopen (path, "r"); + if (fp) + { + char buf[32]; + size_t n_read = fread (buf, 1, sizeof(buf) - 1, fp); + if (n_read > 0) + { + buf[n_read] = '\0'; + if (strtol (buf, NULL, 10) == 0) + fprintf (stderr, "user namespaces are not enabled in %s\n", path); + } + fclose (fp); + } +} + int reexec_in_user_namespace (int ready) { @@ -159,7 +181,12 @@ reexec_in_user_namespace (int ready) pid = syscall_clone (CLONE_NEWUSER|CLONE_NEWNS|SIGCHLD, NULL); if (pid < 0) - fprintf (stderr, "cannot clone: %s\n", strerror (errno)); + { + FILE *fp; + fprintf (stderr, "cannot clone: %s\n", strerror (errno)); + check_proc_sys_userns_file (_max_user_namespaces); + check_proc_sys_userns_file (_unprivileged_user_namespaces); + } if (pid) return pid; -- cgit v1.2.3-54-g00ecf