aboutgitcodebugslistschat
diff options
context:
space:
mode:
-rw-r--r--isolation.c17
-rw-r--r--pasta.c4
-rw-r--r--util.c33
-rw-r--r--util.h13
4 files changed, 45 insertions, 22 deletions
diff --git a/isolation.c b/isolation.c
index a3ea842..af0d33a 100644
--- a/isolation.c
+++ b/isolation.c
@@ -130,7 +130,8 @@ void isolate_initial(void)
*/
void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns)
{
- char nsmap[BUFSIZ];
+ char uidmap[BUFSIZ];
+ char gidmap[BUFSIZ];
/* First set our UID & GID in the original namespace */
if (setgroups(0, NULL)) {
@@ -185,14 +186,14 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns)
}
/* Configure user and group mappings */
- snprintf(nsmap, BUFSIZ, "0 %u 1", uid);
- FWRITE("/proc/self/uid_map", nsmap, "Cannot set uid_map in namespace");
+ snprintf(uidmap, BUFSIZ, "0 %u 1", uid);
+ snprintf(gidmap, BUFSIZ, "0 %u 1", gid);
- FWRITE("/proc/self/setgroups", "deny",
- "Cannot write to setgroups in namespace");
-
- snprintf(nsmap, BUFSIZ, "0 %u 1", gid);
- FWRITE("/proc/self/gid_map", nsmap, "Cannot set gid_map in namespace");
+ if (write_file("/proc/self/uid_map", uidmap) ||
+ write_file("/proc/self/setgroups", "deny") ||
+ write_file("/proc/self/gid_map", gidmap)) {
+ warn("Couldn't configure user namespace");
+ }
}
/**
diff --git a/pasta.c b/pasta.c
index a6e49eb..d135f1b 100644
--- a/pasta.c
+++ b/pasta.c
@@ -167,8 +167,8 @@ static int pasta_setup_ns(void *arg)
{
const struct pasta_setup_ns_arg *a;
- FWRITE("/proc/sys/net/ipv4/ping_group_range", "0 0",
- "Cannot set ping_group_range, ICMP requests might fail");
+ if (write_file("/proc/sys/net/ipv4/ping_group_range", "0 0"))
+ warn("Cannot set ping_group_range, ICMP requests might fail");
a = (const struct pasta_setup_ns_arg *)arg;
execvp(a->exe, a->argv);
diff --git a/util.c b/util.c
index 76057be..514bd44 100644
--- a/util.c
+++ b/util.c
@@ -449,3 +449,36 @@ int fls(unsigned long x)
return y;
}
+
+/**
+ * write_file() - Replace contents of file with a string
+ * @path: File to write
+ * @buf: String to write
+ *
+ * Return: 0 on success, -1 on any error
+ */
+int write_file(const char *path, const char *buf)
+{
+ int fd = open(path, O_WRONLY | O_TRUNC | O_CLOEXEC);
+ size_t len = strlen(buf);
+
+ if (fd < 0) {
+ warn("Could not open %s: %s", path, strerror(errno));
+ return -1;
+ }
+
+ while (len) {
+ ssize_t rc = write(fd, buf, len);
+
+ if (rc <= 0) {
+ warn("Couldn't write to %s: %s", path, strerror(errno));
+ break;
+ }
+
+ buf += rc;
+ len -= rc;
+ }
+
+ close(fd);
+ return len == 0 ? 0 : -1;
+}
diff --git a/util.h b/util.h
index 4d1b375..27829b1 100644
--- a/util.h
+++ b/util.h
@@ -53,18 +53,6 @@
#define TMPDIR "/tmp"
#endif
-#define FWRITE(path, buf, str) \
- do { \
- int flags = O_WRONLY | O_CLOEXEC; \
- int fd = open(path, flags); \
- \
- if (fd < 0 || \
- write(fd, buf, strlen(buf)) != (int)strlen(buf)) \
- warn(str); \
- if (fd >= 0) \
- close(fd); \
- } while (0)
-
#define V4 0
#define V6 1
#define IP_VERSIONS 2
@@ -212,5 +200,6 @@ int ns_enter(const struct ctx *c);
void write_pidfile(int fd, pid_t pid);
int __daemon(int pidfile_fd, int devnull_fd);
int fls(unsigned long x);
+int write_file(const char *path, const char *buf);
#endif /* UTIL_H */