diff options
author | David Gibson <david@gibson.dropbear.id.au> | 2023-04-06 13:28:15 +1000 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2023-04-08 01:12:03 +0200 |
commit | 329149d51a7f8132beefcafc688812e2926607e1 (patch) | |
tree | b80e00d4bdd8d71e33f1dd1f01e7572cdc6d49a2 /test | |
parent | 0b669446482e110719b3935aa4819396dea4d1ab (diff) | |
download | passt-329149d51a7f8132beefcafc688812e2926607e1.tar passt-329149d51a7f8132beefcafc688812e2926607e1.tar.gz passt-329149d51a7f8132beefcafc688812e2926607e1.tar.bz2 passt-329149d51a7f8132beefcafc688812e2926607e1.tar.lz passt-329149d51a7f8132beefcafc688812e2926607e1.tar.xz passt-329149d51a7f8132beefcafc688812e2926607e1.tar.zst passt-329149d51a7f8132beefcafc688812e2926607e1.zip |
nstool: Add --keep-caps option to nstool exec
This allows you to run commands within a user namespace with the
privilege that comes from owning that userns.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/nstool.c | 87 |
1 files changed, 78 insertions, 9 deletions
diff --git a/test/nstool.c b/test/nstool.c index c3479f5..e48a9c0 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -19,10 +19,15 @@ #include <stdarg.h> #include <limits.h> #include <fcntl.h> +#include <limits.h> +#include <unistd.h> #include <sys/socket.h> #include <sys/wait.h> +#include <sys/syscall.h> +#include <sys/prctl.h> #include <linux/un.h> #include <sched.h> +#include <linux/capability.h> #define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0]))) @@ -75,11 +80,13 @@ static void usage(void) " nstool info [-pw] pid SOCK\n" " Print information about the nstool hold process with control\n" " socket at SOCK\n" - " -p Print just the holder's PID as seen by the caller\n" - " -w Retry connecting to SOCK until it is ready\n" - " nstool exec SOCK [COMMAND [ARGS...]]\n" + " -p Print just the holder's PID as seen by the caller\n" + " -w Retry connecting to SOCK until it is ready\n" + " nstool exec [--keep-caps] SOCK [COMMAND [ARGS...]]\n" " Execute command or shell in the namespaces of the nstool hold\n" " with control socket at SOCK\n" + " --keep-caps Give all possible capabilities to COMMAND via\n" + " the ambient capability mask\n" " nstool stop SOCK\n" " Instruct the nstool hold with control socket at SOCK to\n" " terminate.\n"); @@ -278,7 +285,6 @@ static void cmd_info(int argc, char *argv[]) } while (opt != -1); if (optind != argc - 1) { - fprintf(stderr, "B\n"); usage(); } @@ -359,21 +365,81 @@ static void wait_for_child(pid_t pid) die("Unexpected status for child %d\n", pid); } +static void caps_to_ambient(void) +{ + /* Use raw system calls to avoid the overly complex caps + * libraries. */ + struct __user_cap_header_struct header = { + .version = _LINUX_CAPABILITY_VERSION_3, + .pid = 0, + }; + struct __user_cap_data_struct payload[_LINUX_CAPABILITY_U32S_3] = + {{ 0 }}; + uint64_t effective, cap; + + if (syscall(SYS_capget, &header, payload) < 0) + die("capget(): %s\n", strerror(errno)); + + /* First make caps inheritable */ + payload[0].inheritable = payload[0].permitted; + payload[1].inheritable = payload[1].permitted; + + if (syscall(SYS_capset, &header, payload) < 0) + die("capset(): %s\n", strerror(errno)); + + effective = ((uint64_t)payload[1].effective << 32) | (uint64_t)payload[0].effective; + + for (cap = 0; cap < (sizeof(effective) * 8); cap++) { + /* Skip non-existent caps */ + if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) < 0) + continue; + + if ((effective & (1 << cap)) + && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0) + die("prctl(PR_CAP_AMBIENT): %s\n", strerror(errno)); + } +} + static void cmd_exec(int argc, char *argv[]) { + enum { + OPT_EXEC_KEEPCAPS = CHAR_MAX + 1, + }; + const struct option options[] = { + {"keep-caps", no_argument, NULL, OPT_EXEC_KEEPCAPS }, + { 0 }, + }; const char *shargs[] = { NULL, NULL }; const char *sockpath = argv[1]; int nfd[ARRAY_SIZE(nstypes)]; + const char *optstring = ""; const struct ns_type *nst; + int ctlfd, flags, opt, rc; const char *const *xargs; + bool keepcaps = false; struct ucred peercred; - int ctlfd, flags, rc; const char *exe; pid_t xpid; - if (argc < 2) + do { + opt = getopt_long(argc, argv, optstring, options, NULL); + + switch (opt) { + case OPT_EXEC_KEEPCAPS: + keepcaps = true; + break; + case -1: + break; + default: + usage(); + } + } while (opt != -1); + + if (argc < optind + 1) usage(); + sockpath = argv[optind]; + ctlfd = connect_ctl(sockpath, false, NULL, &peercred); flags = detect_namespaces(peercred.pid); @@ -418,9 +484,9 @@ static void cmd_exec(int argc, char *argv[]) } /* CHILD */ - if (argc > 2) { - exe = argv[2]; - xargs = (const char * const*)(argv + 2); + if (argc > optind + 1) { + exe = argv[optind + 1]; + xargs = (const char * const*)(argv + optind + 1); } else { exe = getenv("SHELL"); if (!exe) @@ -431,6 +497,9 @@ static void cmd_exec(int argc, char *argv[]) xargs = shargs; } + if (keepcaps) + caps_to_ambient(); + rc = execvp(exe, (char *const *)xargs); if (rc < 0) die("execv() %s: %s\n", exe, strerror(errno)); |