Compare commits

...

4 Commits

Author SHA1 Message Date
Yu Watanabe f84a91315a
Merge 9f2f185c40 into 4b356c90dc 2024-11-23 14:05:59 +01:00
Yu Watanabe 9f2f185c40 namespace-util: introduce pidref_namespace_open_by_type() helper function
Then, let's make pidref_namespace_open() handle ENOENT correctly
when procfs is not mounted.
2024-11-23 03:03:38 +09:00
Yu Watanabe fbc90f199d namespace-util: introduce pid_namespace_stat() helper function
It correctly handles ENOENT correctly when procfs is not mounted.
2024-11-23 03:02:56 +09:00
Yu Watanabe 4eb7ca115d namespace-util: refuse remote pidref in pidref_namespace_open() 2024-11-23 02:29:17 +09:00
1 changed files with 69 additions and 55 deletions

View File

@ -47,6 +47,28 @@ static NamespaceType clone_flag_to_namespace_type(unsigned long clone_flag) {
return _NAMESPACE_TYPE_INVALID;
}
static int pidref_namespace_open_by_type(const PidRef *pidref, NamespaceType type) {
assert(type >= 0);
assert(type < _NAMESPACE_TYPE_MAX);
/* Here, pidref can be NULL or unset, but cannot be remote. */
if (pidref_is_remote(pidref))
return -EREMOTE;
const char *p = pid_namespace_path(pidref ? pidref->pid : 0, type);
int fd = RET_NERRNO(open(p, O_RDONLY|O_NOCTTY|O_CLOEXEC));
if (fd == -ENOENT && proc_mounted() == 0)
return -ENOSYS;
/* Here, we do not call pidref_verify(). The caller should call it on success. */
return fd;
}
int namespace_open_by_type(NamespaceType type) {
return pidref_namespace_open_by_type(NULL, type);
}
int pidref_namespace_open(
const PidRef *pidref,
int *ret_pidns_fd,
@ -59,51 +81,47 @@ int pidref_namespace_open(
userns_fd = -EBADF, root_fd = -EBADF;
int r;
assert(pidref_is_set(pidref));
assert(pidref);
if (!pidref_is_set(pidref))
return -ESRCH;
if (pidref_is_remote(pidref))
return -EREMOTE;
if (ret_pidns_fd) {
const char *pidns;
pidns = pid_namespace_path(pidref->pid, NAMESPACE_PID);
pidns_fd = open(pidns, O_RDONLY|O_NOCTTY|O_CLOEXEC);
pidns_fd = pidref_namespace_open_by_type(pidref, NAMESPACE_PID);
if (pidns_fd < 0)
return -errno;
return pidns_fd;
}
if (ret_mntns_fd) {
const char *mntns;
mntns = pid_namespace_path(pidref->pid, NAMESPACE_MOUNT);
mntns_fd = open(mntns, O_RDONLY|O_NOCTTY|O_CLOEXEC);
mntns_fd = pidref_namespace_open_by_type(pidref, NAMESPACE_MOUNT);
if (mntns_fd < 0)
return -errno;
return mntns_fd;
}
if (ret_netns_fd) {
const char *netns;
netns = pid_namespace_path(pidref->pid, NAMESPACE_NET);
netns_fd = open(netns, O_RDONLY|O_NOCTTY|O_CLOEXEC);
netns_fd = pidref_namespace_open_by_type(pidref, NAMESPACE_NET);
if (netns_fd < 0)
return -errno;
return netns_fd;
}
if (ret_userns_fd) {
const char *userns;
userns = pid_namespace_path(pidref->pid, NAMESPACE_USER);
userns_fd = open(userns, O_RDONLY|O_NOCTTY|O_CLOEXEC);
if (userns_fd < 0 && errno != ENOENT)
return -errno;
userns_fd = pidref_namespace_open_by_type(pidref, NAMESPACE_USER);
if (userns_fd < 0 && userns_fd != -ENOENT)
return userns_fd;
}
if (ret_root_fd) {
const char *root;
root = procfs_file_alloca(pidref->pid, "root");
root_fd = open(root, O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY);
root_fd = RET_NERRNO(open(root, O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY));
if (root_fd == -ENOENT)
return proc_mounted() > 0 ? -ENOENT : -ENOSYS;
if (root_fd < 0)
return -errno;
return root_fd;
}
r = pidref_verify(pidref);
@ -401,9 +419,25 @@ int netns_acquire(void) {
return TAKE_FD(netns_fd);
}
static int pid_namespace_stat(pid_t pid, NamespaceType type, struct stat *ret) {
assert(type >= 0);
assert(type < _NAMESPACE_TYPE_MAX);
assert(ret);
const char *p = pid_namespace_path(pid, type);
if (stat(p, ret) < 0) {
if (errno == ENOENT)
return proc_mounted() == 0 ? -ENOSYS : -ENOENT;
return -errno;
}
return 0;
}
int in_same_namespace(pid_t pid1, pid_t pid2, NamespaceType type) {
const char *ns_path;
struct stat ns_st1, ns_st2;
int r;
if (pid1 == 0)
pid1 = getpid_cached();
@ -414,13 +448,13 @@ int in_same_namespace(pid_t pid1, pid_t pid2, NamespaceType type) {
if (pid1 == pid2)
return 1;
ns_path = pid_namespace_path(pid1, type);
if (stat(ns_path, &ns_st1) < 0)
return -errno;
r = pid_namespace_stat(pid1, type, &ns_st1);
if (r < 0)
return r;
ns_path = pid_namespace_path(pid2, type);
if (stat(ns_path, &ns_st2) < 0)
return -errno;
r = pid_namespace_stat(pid2, type, &ns_st2);
if (r < 0)
return r;
return stat_inode_same(&ns_st1, &ns_st2);
}
@ -463,24 +497,8 @@ int parse_userns_uid_range(const char *s, uid_t *ret_uid_shift, uid_t *ret_uid_r
return 0;
}
int namespace_open_by_type(NamespaceType type) {
const char *p;
int fd;
assert(type >= 0);
assert(type < _NAMESPACE_TYPE_MAX);
p = pid_namespace_path(0, type);
fd = RET_NERRNO(open(p, O_RDONLY|O_NOCTTY|O_CLOEXEC));
if (fd == -ENOENT && proc_mounted() == 0)
return -ENOSYS;
return fd;
}
int is_our_namespace(int fd, NamespaceType request_type) {
int clone_flag;
int r, clone_flag;
assert(fd >= 0);
@ -499,13 +517,9 @@ int is_our_namespace(int fd, NamespaceType request_type) {
if (fstat(fd, &st_fd) < 0)
return -errno;
const char *p = pid_namespace_path(0, found_type);
if (stat(p, &st_ours) < 0) {
if (errno == ENOENT)
return proc_mounted() == 0 ? -ENOSYS : -ENOENT;
return -errno;
}
r = pid_namespace_stat(0, found_type, &st_ours);
if (r < 0)
return r;
return stat_inode_same(&st_ours, &st_fd);
}