diff options
| author | David Gibson <david@gibson.dropbear.id.au> | 2022-10-14 15:25:33 +1100 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2022-10-15 02:10:36 +0200 |
| commit | ceb2061587b5113f58afc6944969ff79512a8767 (patch) | |
| tree | f5d5f527c2646534a235dce054ec0399161ef3d4 | |
| parent | ea5936dd3f6293fb761e3b670a0f40233e5396fd (diff) | |
| download | passt-ceb2061587b5113f58afc6944969ff79512a8767.tar passt-ceb2061587b5113f58afc6944969ff79512a8767.tar.gz passt-ceb2061587b5113f58afc6944969ff79512a8767.tar.bz2 passt-ceb2061587b5113f58afc6944969ff79512a8767.tar.lz passt-ceb2061587b5113f58afc6944969ff79512a8767.tar.xz passt-ceb2061587b5113f58afc6944969ff79512a8767.tar.zst passt-ceb2061587b5113f58afc6944969ff79512a8767.zip | |
isolation: Refactor isolate_user() to allow for a common exit path
Currently, isolate_user() exits early if the --netns-only option is given.
That works for now, but shortly we're going to want to add some logic to
go at the end of isolate_user() that needs to run in all cases: joining a
given userns, creating a new userns, or staying in our original userns
(--netns-only).
To avoid muddying those changes, here we reorganize isolate_user() to have
a common exit path for all cases.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
| -rw-r--r-- | isolation.c | 40 |
1 files changed, 16 insertions, 24 deletions
diff --git a/isolation.c b/isolation.c index af0d33a..a9bd22c 100644 --- a/isolation.c +++ b/isolation.c @@ -130,9 +130,6 @@ void isolate_initial(void) */ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns) { - char uidmap[BUFSIZ]; - char gidmap[BUFSIZ]; - /* First set our UID & GID in the original namespace */ if (setgroups(0, NULL)) { /* If we don't have CAP_SETGID, this will EPERM */ @@ -153,12 +150,7 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns) exit(EXIT_FAILURE); } - /* If we're told not to use a userns, nothing more to do */ - if (!use_userns) - return; - - /* Otherwise, if given a userns, join it */ - if (*userns) { + if (*userns) { /* If given a userns, join it */ int ufd; ufd = open(userns, O_RDONLY | O_CLOEXEC); @@ -175,24 +167,24 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns) } close(ufd); + } else if (use_userns) { /* Create and join a new userns */ + char uidmap[BUFSIZ]; + char gidmap[BUFSIZ]; - return; - } - - /* Otherwise, create our own userns */ - if (unshare(CLONE_NEWUSER) != 0) { - err("Couldn't create user namespace: %s", strerror(errno)); - exit(EXIT_FAILURE); - } + if (unshare(CLONE_NEWUSER) != 0) { + err("Couldn't create user namespace: %s", strerror(errno)); + exit(EXIT_FAILURE); + } - /* Configure user and group mappings */ - snprintf(uidmap, BUFSIZ, "0 %u 1", uid); - snprintf(gidmap, BUFSIZ, "0 %u 1", gid); + /* Configure user and group mappings */ + snprintf(uidmap, BUFSIZ, "0 %u 1", uid); + snprintf(gidmap, BUFSIZ, "0 %u 1", gid); - if (write_file("/proc/self/uid_map", uidmap) || - write_file("/proc/self/setgroups", "deny") || - write_file("/proc/self/gid_map", gidmap)) { - warn("Couldn't configure user namespace"); + if (write_file("/proc/self/uid_map", uidmap) || + write_file("/proc/self/setgroups", "deny") || + write_file("/proc/self/gid_map", gidmap)) { + warn("Couldn't configure user namespace"); + } } } |