diff options
| -rw-r--r-- | conf.c | 3 | ||||
| -rw-r--r-- | isolation.c | 13 | ||||
| -rw-r--r-- | pasta.c | 15 | ||||
| -rw-r--r-- | pasta.h | 3 |
4 files changed, 18 insertions, 16 deletions
@@ -1556,7 +1556,8 @@ void conf(struct ctx *c, int argc, char **argv) if (*netns) { pasta_open_ns(c, netns); } else { - pasta_start_ns(c, argc - optind, argv + optind); + pasta_start_ns(c, uid, gid, + argc - optind, argv + optind); } } diff --git a/isolation.c b/isolation.c index 3a4ec9f..4e6637d 100644 --- a/isolation.c +++ b/isolation.c @@ -265,23 +265,10 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns, close(ufd); } else if (use_userns) { /* Create and join a new userns */ - char uidmap[BUFSIZ]; - char gidmap[BUFSIZ]; - if (unshare(CLONE_NEWUSER) != 0) { err("Couldn't create user namespace: %s", strerror(errno)); exit(EXIT_FAILURE); } - - /* Configure user and group mappings */ - snprintf(uidmap, BUFSIZ, "0 %u 1", uid); - snprintf(gidmap, BUFSIZ, "0 %u 1", gid); - - if (write_file("/proc/self/uid_map", uidmap) || - write_file("/proc/self/setgroups", "deny") || - write_file("/proc/self/gid_map", gidmap)) { - warn("Couldn't configure user namespace"); - } } /* Joining a new userns gives us full capabilities; drop the @@ -180,15 +180,19 @@ static int pasta_setup_ns(void *arg) /** * pasta_start_ns() - Fork command in new namespace if target ns is not given * @c: Execution context + * @uid: UID we're running as in the init namespace + * @gid: GID we're running as in the init namespace * @argc: Number of arguments for spawned command * @argv: Command to spawn and arguments */ -void pasta_start_ns(struct ctx *c, int argc, char *argv[]) +void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid, + int argc, char *argv[]) { struct pasta_setup_ns_arg arg = { .exe = argv[0], .argv = argv, }; + char uidmap[BUFSIZ], gidmap[BUFSIZ]; char ns_fn_stack[NS_FN_STACK_SIZE]; char *sh_argv[] = { NULL, NULL }; char sh_arg0[PATH_MAX + 1]; @@ -197,6 +201,15 @@ void pasta_start_ns(struct ctx *c, int argc, char *argv[]) if (!c->debug) c->quiet = 1; + /* Configure user and group mappings */ + snprintf(uidmap, BUFSIZ, "0 %u 1", uid); + snprintf(gidmap, BUFSIZ, "0 %u 1", gid); + + if (write_file("/proc/self/uid_map", uidmap) || + write_file("/proc/self/setgroups", "deny") || + write_file("/proc/self/gid_map", gidmap)) { + warn("Couldn't configure user mappings"); + } if (argc == 0) { arg.exe = getenv("SHELL"); @@ -7,7 +7,8 @@ #define PASTA_H void pasta_open_ns(struct ctx *c, const char *netns); -void pasta_start_ns(struct ctx *c, int argc, char *argv[]); +void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid, + int argc, char *argv[]); void pasta_ns_conf(struct ctx *c); void pasta_child_handler(int signal); int pasta_netns_quit_init(struct ctx *c); |