From ceb2061587b5113f58afc6944969ff79512a8767 Mon Sep 17 00:00:00 2001
From: David Gibson
Date: Fri, 14 Oct 2022 15:25:33 +1100
Subject: isolation: Refactor isolate_user() to allow for a common exit path

Currently, isolate_user() exits early if the --netns-only option is given. That works for now, but shortly we're going to want to add some logic to go at the end of isolate_user() that needs to run in all cases: joining a given userns, creating a new userns, or staying in our original userns (--netns-only). To avoid muddying those changes, here we reorganize isolate_user() to have a common exit path for all cases.

Signed-off-by: David Gibson
Signed-off-by: Stefano Brivio
---
 isolation.c | 40 ++++++++++++++++------------------------
 1 file changed, 16 insertions(+), 24 deletions(-)
diff --git a/isolation.c b/isolation.c
index af0d33a..a9bd22c 100644
--- a/isolation.c
+++ b/isolation.c
@@ -130,9 +130,6 @@ void isolate_initial(void)
 */
 void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns)
 {
- char uidmap[BUFSIZ];
- char gidmap[BUFSIZ];
-
 /* First set our UID & GID in the original namespace */
 if (setgroups(0, NULL)) {
 /* If we don't have CAP_SETGID, this will EPERM */
@@ -153,12 +150,7 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns)
 exit(EXIT_FAILURE);
 }
 
- /* If we're told not to use a userns, nothing more to do */
- if (!use_userns)
- return;
-
- /* Otherwise, if given a userns, join it */
- if (*userns) {
+ if (*userns) { /* If given a userns, join it */
 int ufd;
 
 ufd = open(userns, O_RDONLY | O_CLOEXEC);
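Review bot: The join branch `if (*userns) {` is no longer guarded by `use_userns`: the removed `if (!use_userns) return;` ran before the path was looked at, so a non-empty `userns` is now joined even when the caller passes `use_userns` as false. If option parsing already rejects that combination (not visible in this patch) the outcome is unchanged, but isolate_user() then depends on its caller for it. Either keep the old precedence with `if (use_userns && *userns) {`, or state in the function comment that a non-empty @userns is joined regardless of @use_userns. The branch body continues past the end of this hunk.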
@@ -175,24 +167,24 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns)
 }
 
 close(ufd);
+ } else if (use_userns) { /* Create and join a new userns */
+ char uidmap[BUFSIZ];
+ char gidmap[BUFSIZ];
 
- return;
- }
-
- /* Otherwise, create our own userns */
- if (unshare(CLONE_NEWUSER) != 0) {
- err("Couldn't create user namespace: %s", strerror(errno));
- exit(EXIT_FAILURE);
- }
+ if (unshare(CLONE_NEWUSER) != 0) {
+ err("Couldn't create user namespace: %s", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
 
- /* Configure user and group mappings */
- snprintf(uidmap, BUFSIZ, "0 %u 1", uid);
- snprintf(gidmap, BUFSIZ, "0 %u 1", gid);
+ /* Configure user and group mappings */
+ snprintf(uidmap, BUFSIZ, "0 %u 1", uid);
+ snprintf(gidmap, BUFSIZ, "0 %u 1", gid);
 
- if (write_file("/proc/self/uid_map", uidmap) ||
- write_file("/proc/self/setgroups", "deny") ||
- write_file("/proc/self/gid_map", gidmap)) {
- warn("Couldn't configure user namespace");
+ if (write_file("/proc/self/uid_map", uidmap) ||
+ write_file("/proc/self/setgroups", "deny") ||
+ write_file("/proc/self/gid_map", gidmap)) {
+ warn("Couldn't configure user namespace");
+ }
 }
 }
 
--
cgit v1.2.3
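Review bot: A failed write to `uid_map`, `setgroups` or `gid_map` in the new `else if (use_userns)` branch still only logs `warn("Couldn't configure user namespace")` and then falls through to the common exit path, whereas the `unshare()` failure just above it exits. Assuming write_file() returns non-zero on failure, the process would carry on in a freshly created user namespace without the intended ID mappings, and the message names neither the file nor errno. The commit message says logic will soon be added at the end of the function for all cases, so decide here whether this failure should be fatal. If continuing is intended, say so with a comment such as `/* Best effort: continue without ID mappings */`. A one-line comment that `setgroups` has to be set to `deny` before an unprivileged process may write `gid_map` would also protect the order of the three writes from a later reshuffle.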