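Eric W. Biederman wrote:
[ ... ]
> I guess my meaning is I was expecting.
> child = fork();
> if (child == 0) {
>     execve(...);
> }
> waitpid(child);
>
> This puts /bin/sh in the container as well.
>

#ifndef _GNU_SOURCE
#define _GNU_SOURCE         /* O_CLOEXEC, syscall(), fork() under -std=c11 */
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>       /* waitpid() was implicitly declared before */
#include <syscall.h>
#include <unistd.h>

/*
 * Syscall number of setns() as used by the out-of-tree patch this test
 * program was written against.  It is architecture specific, so only
 * define it when the headers do not already provide it.
 */
#ifndef __NR_setns
#define __NR_setns 300
#endif

/* Namespaces to attach to, by their names under /proc/<pid>/ns/. */
static const char *const ns[] = { "pid", "mnt", "net", "pid", "uts" };
/* NOTE(review): "pid" is listed twice; one entry was presumably meant
 * to be "ipc" — confirm before relying on the set. */
#define NS_COUNT (sizeof ns / sizeof ns[0])

/*
 * Thin wrapper around the setns() system call.
 * @nstype: namespace type to accept; 0 means any type.  The argument
 *          order follows the patch this program was written for.
 * @fd:     descriptor open on a /proc/<pid>/ns/<name> file.
 * Returns the raw syscall result: 0 on success, -1 with errno set.
 */
int setns(int nstype, int fd)
{
    return syscall(__NR_setns, nstype, fd);
}

/*
 * Parse a decimal pid from a command-line argument.
 * Returns 0 and stores the value in *out on success, -1 on malformed
 * or out-of-range input (argv is untrusted; it is spliced into a path).
 */
static int parse_pid(const char *s, pid_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v <= 0 || v > INT_MAX) {
        return -1;
    }
    *out = (pid_t)v;
    return 0;
}

/*
 * Open every /proc/<target>/ns/<name> file into fd[].
 * Returns 0 on success, -1 (after a diagnostic) on a path that does not
 * fit or an open() failure.
 */
static int open_ns_files(pid_t target, int fd[NS_COUNT])
{
    char path[MAXPATHLEN];

    for (size_t i = 0; i < NS_COUNT; i++) {
        /* snprintf instead of sprintf: the pid string came from argv. */
        int n = snprintf(path, sizeof path, "/proc/%ld/ns/%s",
                         (long)target, ns[i]);
        if (n < 0 || (size_t)n >= sizeof path) {
            fprintf(stderr, "path too long for %s\n", ns[i]);
            return -1;
        }
        /* O_CLOEXEC is the open(2) flag; FD_CLOEXEC is an fcntl(2) flag
         * whose value collides with O_WRONLY when OR'ed into open(). */
        fd[i] = open(path, O_RDONLY | O_CLOEXEC);
        if (fd[i] < 0) {
            perror("open");
            return -1;
        }
    }
    return 0;
}

/*
 * mynsenter <pid> <command>: attach to the namespaces of <pid>, then fork
 * and execve(<command>) inside them.  The parent waits for the child and
 * exits with the child's exit status, or EXIT_FAILURE on any error.
 */
int main(int argc, char *argv[])
{
    int fd[NS_COUNT];
    pid_t target;

    if (argc != 3) {
        fprintf(stderr, "mynsenter <pid> <command>\n");
        exit(EXIT_FAILURE);
    }
    if (parse_pid(argv[1], &target) < 0) {
        fprintf(stderr, "mynsenter: invalid pid '%s'\n", argv[1]);
        return EXIT_FAILURE;
    }
    if (open_ns_files(target, fd) < 0) {
        return EXIT_FAILURE;
    }

    for (size_t i = 0; i < NS_COUNT; i++) {
        if (setns(0, fd[i])) {
            perror("setns");
            return EXIT_FAILURE;
        }
        close(fd[i]);   /* not needed once attached */
    }

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return EXIT_FAILURE;
    }
    if (pid == 0) {
        /* Raw syscall rather than getpid(): presumably to bypass any
         * libc-side pid caching after the namespace change — confirm.
         * syscall() returns long, so print it as such. */
        fprintf(stderr, "mypid is %ld\n", syscall(__NR_getpid));
        execve(argv[2], &argv[2], NULL);
        perror("execve");
        _exit(127);     /* never fall through into the parent's wait */
    }

    /* The original passed &pid here; waitpid() takes the pid by value.
     * The lookup still happens in the pid namespace we attached to (see
     * the discussion below), so ECHILD may persist even with the correct
     * argument — but this call at least asks for the right number. */
    int status;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return EXIT_FAILURE;
    }
    if (WIFEXITED(status)) {
        return WEXITSTATUS(status);
    }
    return EXIT_FAILURE;
}

Waitpid returns an error:

waitpid: No child processes

The pid number returned by fork is the pid from the init pid namespace, but it seems waitpid is waiting for a pid belonging to the child pid namespace.

waitpid -> wait4 -> find_get_pid -> find_vpid -> find_pid_ns(nr, current->nsproxy->pid_ns);

The current->nsproxy->pid_ns is the one of the namespace we attached to. So the real pid returned by the fork does not exist in this pid namespace.

Maybe fork should return a pid number belonging to the current pid namespace we are attached to?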