[RFC PATCH 2/6] LXC: introduce virLXCControllerSetupUserns and lxcContainerSetUserns

[Gao feng <gaofeng@xxxxxxxxxxxxxx>]

This patch introduces new helper function
virLXCControllerSetupUserns, in this function,
we set the files uid_map and gid_map of process
libvirt_lxc.

lxcContainerSetUserns is used for creating cred for
tasks running in container. Since after setuid/setgid,
we may be a new user. This patch calls lxcContainerSetUserns
at first to make sure the new created files belong to
right user.

Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
---
 src/lxc/lxc_container.c  | 55 ++++++++++++++++++++++++++++++----------
 src/lxc/lxc_controller.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+), 14 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 1d7bc1e..5c66ae3 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -329,6 +329,29 @@ int lxcContainerWaitForContinue(int control)
 
 
 /**
+ * lxcContainerSetUserns:
+ *
+ * This function calls setuid and setgid to create proper
+ * cred for tasks running in container.
+ *
+ * Returns 0 on success or -1 in case of error
+ */
+static int lxcContainerSetUserns(virDomainDefPtr def)
+{
+    if (def->os.userns != VIR_DOMAIN_USER_NS_ENABLED)
+        return 0;
+
+    if (virSetUIDGID(def->os.uidmap.first,
+                     def->os.gidmap.first) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("setuid or setgid failed"));
+        return -1;
+    }
+
+    return 0;
+}
+
+/**
  * lxcContainerRenameAndEnableInterfaces:
  * @nveths: number of interfaces
  * @veths: interface names
@@ -2221,6 +2244,24 @@ static int lxcContainerChild(void *data)
         }
     }
 
+    if (!virFileExists(vmDef->os.init)) {
+        virReportSystemError(errno,
+                    _("cannot find init path '%s' relative to container root"),
+                    vmDef->os.init);
+        goto cleanup;
+    }
+
+    /* Wait for interface devices to show up */
+    if (lxcContainerWaitForContinue(argv->monitor) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Failed to read the container continue message"));
+        goto cleanup;
+    }
+    VIR_DEBUG("Received container continue message");
+
+    if (lxcContainerSetUserns(vmDef) < 0)
+        goto cleanup;
+
     VIR_DEBUG("Container TTY path: %s", ttyPath);
 
     ttyfd = open(ttyPath, O_RDWR|O_NOCTTY);
@@ -2236,20 +2277,6 @@ static int lxcContainerChild(void *data)
                                 argv->securityDriver) < 0)
         goto cleanup;
 
-    if (!virFileExists(vmDef->os.init)) {
-        virReportSystemError(errno,
-                    _("cannot find init path '%s' relative to container root"),
-                    vmDef->os.init);
-        goto cleanup;
-    }
-
-    /* Wait for interface devices to show up */
-    if (lxcContainerWaitForContinue(argv->monitor) < 0) {
-        virReportSystemError(errno, "%s",
-                             _("Failed to read the container continue message"));
-        goto cleanup;
-    }
-    VIR_DEBUG("Received container continue message");
 
     /* rename and enable interfaces */
     if (lxcContainerRenameAndEnableInterfaces(!!(vmDef->features &
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index 15aa334..f17142f 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -1028,6 +1028,69 @@ cleanup2:
 }
 
 
+/**
+ * virLXCControllerSetupUserns
+ *
+ * Set proc files for user namespace
+ *
+ * Returns 0 on success or -1 in case of error
+ */
+static int virLXCControllerSetupUserns(virLXCControllerPtr ctrl)
+{
+    char *uid_map = NULL;
+    char *gid_map = NULL;
+    char *uidmap_value = NULL;
+    char *gidmap_value = NULL;
+    int ret = -1;
+
+    if (ctrl->def->os.userns != VIR_DOMAIN_USER_NS_ENABLED)
+        return 0;
+
+    if (virAsprintf(&uid_map, "/proc/%d/uid_map", ctrl->initpid) < 0)
+        goto cleanup;
+
+    if (virAsprintf(&gid_map, "/proc/%d/gid_map", ctrl->initpid) < 0)
+        goto cleanup;
+
+    if (virAsprintf(&uidmap_value, "%u %u %u",
+                    ctrl->def->os.uidmap.first,
+                    ctrl->def->os.uidmap.low_first,
+                    ctrl->def->os.uidmap.count) < 0)
+        goto cleanup;
+
+    if (virAsprintf(&gidmap_value, "%u %u %u",
+                    ctrl->def->os.gidmap.first,
+                    ctrl->def->os.gidmap.low_first,
+                    ctrl->def->os.gidmap.count) < 0)
+        goto cleanup;
+
+    if (virFileWriteStr(uid_map, uidmap_value, 0) < 0) {
+        if (errno == -ENOENT)
+            virReportSystemError(errno,
+                                 _("%s doesn't exist, please disable userns"),
+                                 uid_map);
+        virReportSystemError(errno, _("unable write to %s"), uid_map);
+        goto cleanup;
+    }
+
+    if (virFileWriteStr(gid_map, gidmap_value, 0) < 0) {
+        if (errno == -ENOENT)
+            virReportSystemError(errno,
+                                 _("%s doesn't exist, please disable userns"),
+                                 gid_map);
+        virReportSystemError(errno, _("unable write to %s"), gid_map);
+        goto cleanup;
+    }
+
+    ret = 0;
+cleanup:
+    VIR_FREE(uidmap_value);
+    VIR_FREE(gidmap_value);
+    VIR_FREE(uid_map);
+    VIR_FREE(gid_map);
+    return ret;
+}
+
 
 /**
  * virLXCControllerMoveInterfaces
@@ -1454,6 +1517,9 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
     VIR_FORCE_CLOSE(control[1]);
     VIR_FORCE_CLOSE(containerhandshake[1]);
 
+    if (virLXCControllerSetupUserns(ctrl) < 0)
+        goto cleanup;
+
     if (virLXCControllerMoveInterfaces(ctrl) < 0)
         goto cleanup;
 
-- 
1.7.11.7

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list