Re: [PATCH v3]LXC: Helper function for checking permission of dir when userns enabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



ping?

> -----Original Message-----
> From: Chen Hanxiao [mailto:chenhanxiao@xxxxxxxxxxxxxx]
> Sent: Tuesday, September 10, 2013 4:18 PM
> To: libvir-list@xxxxxxxxxx
> Cc: chenhanxiao@xxxxxxxxxxxxxx
> Subject: [PATCH v3]LXC: Helper function for checking permission of dir
> when userns enabled
> 
> From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
> 
> If we enable userns, the process with uid/gid in idmap
> should have enough permission to access dir we provided
> for containers.
> Currently, the debug log is very implicit
> or misleading sometimes.
> This patch will help clarify this for us
> when using debug log or virsh.
> 
> v2: syntax-check clean
> 
> v3: reliable method for checking permission of dir
> 
> Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
> ---
>  src/lxc/lxc_container.c | 88
> +++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 88 insertions(+)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 8abaea0..9a05e30 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -110,6 +110,13 @@ struct __lxc_child_argv {
>      int handshakefd;
>  };
> 
> +typedef struct __lxc_userns_DirPermCheck_argv
> lxc_userns_DirPermCheck_argv_t;
> +struct __lxc_userns_DirPermCheck_argv {
> +    uid_t uid;
> +    gid_t gid;
> +    virDomainDefPtr vmDef;
> +};
> +
>  static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
>                                      const char *srcprefix);
> 
> @@ -1829,6 +1836,84 @@ lxcNeedNetworkNamespace(virDomainDefPtr def)
>      return false;
>  }
> 
> +static
> +int lxcContainerCheckDirPermissionChild(void *argv)
> +{
> +    size_t i;
> +    lxc_userns_DirPermCheck_argv_t *args = argv;
> +    uid_t uid = args->uid;
> +    uid_t gid = args->gid;
> +    virDomainDefPtr vmDef = args->vmDef;
> +    char *path;
> +
> +    if (virSetUIDGID(uid, gid, NULL, 0) < 0) {
> +        virReportSystemError(errno, "%s",
> +                              _("setuid or setgid failed"));
> +        _exit(-1);
> +    }
> +
> +    for (i = 0; i < vmDef->nfss; i++) {
> +        path = vmDef->fss[i]->src;
> +        if (access(path, R_OK) || access(path, W_OK) ||
> virFileIsExecutable(path)) {
> +            VIR_DEBUG("Src dir '%s' does not belong to uid/gid: %d/%d",
> +                      vmDef->fss[i]->src, uid, gid);
> +            _exit(-1);
> +        }
> +    }
> +
> +    _exit(0);
> +}
> +
> +/*
> + * Helper function for helping check
> + * whether we have enough privilege
> + * to operate the source dir when userns enabled
> + * @vmDef: pointer to vm definition structure
> + * Returns 0 on success or -1 in case of error
> + */
> +static int
> +lxcContainerCheckDirPermission(virDomainDefPtr vmDef)
> +{
> +    uid_t uid;
> +    gid_t gid;
> +    int cpid = 0;
> +    int status;
> +    char *childStack;
> +    char *stack;
> +    int flags =  SIGCHLD;
> +
> +    uid = vmDef->idmap.uidmap[0].target;
> +    gid = vmDef->idmap.gidmap[0].target;
> +
> +    lxc_userns_DirPermCheck_argv_t args = {
> +        .uid = uid,
> +        .gid = gid,
> +        .vmDef = vmDef
> +    };
> +
> +    if (VIR_ALLOC_N(stack, getpagesize() * 4) < 0)
> +        return -1;
> +
> +    childStack = stack + (getpagesize() * 4);
> +    cpid = clone(lxcContainerCheckDirPermissionChild, childStack, flags,
> &args);
> +    VIR_FREE(stack);
> +    if (cpid < 0) {
> +        virReportSystemError(errno, "%s",
> +                             _("Unable to clone to check permission of
> directory"));
> +        return -1;
> +    } else if (virProcessWait(cpid, &status) < 0) {
> +        return -1;
> +    }
> +
> +    if (WEXITSTATUS(status) != 0) {
> +        virReportSystemError(errno, "%s",
> +                             _("Check the permission of source dir
> provided for container"));
> +        return -1;
> +    }
> +
> +    return 0;
> +}
> +
>  /**
>   * lxcContainerStart:
>   * @def: pointer to virtual machine structure
> @@ -1880,6 +1965,9 @@ int lxcContainerStart(virDomainDefPtr def,
>          if (userns_supported()) {
>              VIR_DEBUG("Enable user namespace");
>              cflags |= CLONE_NEWUSER;
> +            if (lxcContainerCheckDirPermission(def) < 0) {
> +                return -1;
> +            }
>          } else {
>              virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED,
> "%s",
>                                   _("Kernel doesn't support user
> namespace"));
> --
> 1.8.2.1




--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]