[systemd-commits] 2 commits - src/core src/libsystemd-bus src/machine src/shared
Lennart Poettering
lennart at kemper.freedesktop.org
Mon Dec 16 16:05:47 PST 2013
src/core/manager.c | 6 ++++++
src/libsystemd-bus/bus-container.c | 12 ++++++------
src/machine/machinectl.c | 6 +++---
src/shared/logs-show.c | 6 +++---
src/shared/util.c | 36 ++++++++++++++++++++++++------------
src/shared/util.h | 4 ++--
6 files changed, 44 insertions(+), 26 deletions(-)
New commits:
commit a4475f577bd0daf762d6c3b4e58bc484e0cb74af
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Dec 17 01:03:09 2013 +0100
bus: when entering an existing namespace to connect to a container's system bus also switch over PID namespace
This is necessary to ensure that kdbus can collect creds of the
destination namespace when connecting.
diff --git a/src/libsystemd-bus/bus-container.c b/src/libsystemd-bus/bus-container.c
index 5d31f5a..9ad6e65 100644
--- a/src/libsystemd-bus/bus-container.c
+++ b/src/libsystemd-bus/bus-container.c
@@ -29,7 +29,7 @@
#include "bus-container.h"
int bus_container_connect_socket(sd_bus *b) {
- _cleanup_close_ int nsfd = -1, rootfd = -1;
+ _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
pid_t leader, child;
siginfo_t si;
int r;
@@ -42,7 +42,7 @@ int bus_container_connect_socket(sd_bus *b) {
if (r < 0)
return r;
- r = namespace_open(leader, &nsfd, &rootfd);
+ r = namespace_open(leader, &pidnsfd, &mntnsfd, &rootfd);
if (r < 0)
return r;
@@ -62,7 +62,7 @@ int bus_container_connect_socket(sd_bus *b) {
if (child == 0) {
- r = namespace_enter(nsfd, rootfd);
+ r = namespace_enter(pidnsfd, mntnsfd, rootfd);
if (r < 0)
_exit(255);
@@ -95,7 +95,7 @@ int bus_container_connect_socket(sd_bus *b) {
int bus_container_connect_kernel(sd_bus *b) {
_cleanup_close_pipe_ int pair[2] = { -1, -1 };
- _cleanup_close_ int nsfd = -1, rootfd = -1;
+ _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
union {
struct cmsghdr cmsghdr;
uint8_t buf[CMSG_SPACE(sizeof(int))];
@@ -118,7 +118,7 @@ int bus_container_connect_kernel(sd_bus *b) {
if (r < 0)
return r;
- r = namespace_open(leader, &nsfd, &rootfd);
+ r = namespace_open(leader, &pidnsfd, &mntnsfd, &rootfd);
if (r < 0)
return r;
@@ -133,7 +133,7 @@ int bus_container_connect_kernel(sd_bus *b) {
close_nointr_nofail(pair[0]);
pair[0] = -1;
- r = namespace_enter(nsfd, rootfd);
+ r = namespace_enter(pidnsfd, mntnsfd, rootfd);
if (r < 0)
_exit(EXIT_FAILURE);
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index f5485b3..fd21a0a 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -399,7 +399,7 @@ static int terminate_machine(sd_bus *bus, char **args, unsigned n) {
static int openpt_in_namespace(pid_t pid, int flags) {
_cleanup_close_pipe_ int pair[2] = { -1, -1 };
- _cleanup_close_ int nsfd = -1, rootfd = -1;
+ _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
union {
struct cmsghdr cmsghdr;
uint8_t buf[CMSG_SPACE(sizeof(int))];
@@ -413,7 +413,7 @@ static int openpt_in_namespace(pid_t pid, int flags) {
pid_t child;
siginfo_t si;
- r = namespace_open(pid, &nsfd, &rootfd);
+ r = namespace_open(pid, &pidnsfd, &mntnsfd, &rootfd);
if (r < 0)
return r;
@@ -428,7 +428,7 @@ static int openpt_in_namespace(pid_t pid, int flags) {
close_nointr_nofail(pair[0]);
pair[0] = -1;
- r = namespace_enter(nsfd, rootfd);
+ r = namespace_enter(pidnsfd, mntnsfd, rootfd);
if (r < 0)
_exit(EXIT_FAILURE);
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index b24bce5..0f27c4e 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -1117,7 +1117,7 @@ int add_matches_for_user_unit(sd_journal *j, const char *unit, uid_t uid) {
static int get_boot_id_for_machine(const char *machine, sd_id128_t *boot_id) {
_cleanup_close_pipe_ int pair[2] = { -1, -1 };
- _cleanup_close_ int nsfd = -1, rootfd = -1;
+ _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
pid_t pid, child;
siginfo_t si;
char buf[37];
@@ -1134,7 +1134,7 @@ static int get_boot_id_for_machine(const char *machine, sd_id128_t *boot_id) {
if (r < 0)
return r;
- r = namespace_open(pid, &nsfd, &rootfd);
+ r = namespace_open(pid, &pidnsfd, &mntnsfd, &rootfd);
if (r < 0)
return r;
@@ -1151,7 +1151,7 @@ static int get_boot_id_for_machine(const char *machine, sd_id128_t *boot_id) {
close_nointr_nofail(pair[0]);
pair[0] = -1;
- r = namespace_enter(nsfd, rootfd);
+ r = namespace_enter(pidnsfd, mntnsfd, rootfd);
if (r < 0)
_exit(EXIT_FAILURE);
diff --git a/src/shared/util.c b/src/shared/util.c
index c396fc7..cdc58e3 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -6029,18 +6029,24 @@ int container_get_leader(const char *machine, pid_t *pid) {
return 0;
}
-int namespace_open(pid_t pid, int *namespace_fd, int *root_fd) {
- _cleanup_close_ int nsfd = -1;
- const char *ns, *root;
+int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *root_fd) {
+ _cleanup_close_ int pidnsfd = -1, mntnsfd = -1;
+ const char *pidns, *mntns, *root;
int rfd;
assert(pid >= 0);
- assert(namespace_fd);
+ assert(pidns_fd);
+ assert(mntns_fd);
assert(root_fd);
- ns = procfs_file_alloca(pid, "ns/mnt");
- nsfd = open(ns, O_RDONLY|O_NOCTTY|O_CLOEXEC);
- if (nsfd < 0)
+ mntns = procfs_file_alloca(pid, "ns/mnt");
+ mntnsfd = open(mntns, O_RDONLY|O_NOCTTY|O_CLOEXEC);
+ if (mntnsfd < 0)
+ return -errno;
+
+ pidns = procfs_file_alloca(pid, "ns/pid");
+ pidnsfd = open(pidns, O_RDONLY|O_NOCTTY|O_CLOEXEC);
+ if (pidnsfd < 0)
return -errno;
root = procfs_file_alloca(pid, "root");
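Review bot: namespace_open now hands three descriptors back to the caller, but nothing in the hunk states the ownership contract, and the new signature is the kind of thing callers get wrong; a short header comment would help, e.g. `/* Opens the PID namespace, mount namespace and root directory of PID. On success the caller owns all three fds (opened O_CLOEXEC); on failure none are returned and anything opened so far is closed by the cleanup attributes. */`. As a point of style, the descriptors are opened mount-namespace first while the parameters are ordered pidns_fd, mntns_fd; opening them in parameter order would make the function read straight through. The rest of namespace_open continues past the end of this hunk.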
@@ -6048,18 +6054,24 @@ int namespace_open(pid_t pid, int *namespace_fd, int *root_fd) {
if (rfd < 0)
return -errno;
- *namespace_fd = nsfd;
+ *pidns_fd = pidnsfd;
+ *mntns_fd = mntnsfd;
*root_fd = rfd;
- nsfd = -1;
+ pidnsfd = -1;
+ mntnsfd = -1;
return 0;
}
-int namespace_enter(int namespace_fd, int root_fd) {
- assert(namespace_fd >= 0);
+int namespace_enter(int pidns_fd, int mntns_fd, int root_fd) {
+ assert(pidns_fd >= 0);
+ assert(mntns_fd >= 0);
assert(root_fd >= 0);
- if (setns(namespace_fd, CLONE_NEWNS) < 0)
+ if (setns(pidns_fd, CLONE_NEWPID) < 0)
+ return -errno;
+
+ if (setns(mntns_fd, CLONE_NEWNS) < 0)
return -errno;
if (fchdir(root_fd) < 0)
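Review bot: The new `setns(pidns_fd, CLONE_NEWPID)` at the top of namespace_enter does not move the calling process into the target PID namespace; per setns(2), CLONE_NEWPID only changes the namespace that children created afterwards are placed in, while the caller's own PID namespace stays as it was. Every caller updated in this commit (both connect functions in bus-container.c, openpt_in_namespace in machinectl.c, get_boot_id_for_machine in logs-show.c) calls namespace_enter from a single forked child and then performs the connect, openpt or read in that same child, so the credentials kdbus collects at connect time would presumably still reflect the parent's PID namespace, which is the situation the commit message says it wants to change. Either fork once more after namespace_enter and do the work in the grandchild, or document the limitation on the function, e.g. `/* NOTE: setns(CLONE_NEWPID) only affects children; a caller that must itself run inside the PID namespace has to fork again after this call. */`. namespace_enter's body continues past the end of the hunk.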
diff --git a/src/shared/util.h b/src/shared/util.h
index 6fc7780..57689e9 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -793,5 +793,5 @@ int proc_cmdline(char **ret);
int container_get_leader(const char *machine, pid_t *pid);
-int namespace_open(pid_t pid, int *namespace_fd, int *root_fd);
-int namespace_enter(int namespace_fd, int root_fd);
+int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *root_fd);
+int namespace_enter(int pidns_fd, int mntns_fd, int root_fd);
commit d003f514dab2dbf1a66e11800a50aeaf039d036c
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Dec 17 01:02:13 2013 +0100
core: always create /dev/kdbus/ns (and make it private 0700) after setting up the kdbus system bus
diff --git a/src/core/manager.c b/src/core/manager.c
index a2f3570..6a75597 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -427,6 +427,12 @@ static int manager_setup_kdbus(Manager *m) {
}
log_debug("Successfully set up kdbus on %s", p);
+
+ /* Create the namespace directory here, so that the contents
+ * of that directory is not visible to non-root users. This is
+ * necessary to ensure that users cannot get access to busses
+ * of virtualized users when no UID namespacing is used. */
+ mkdir_p_label("/dev/kdbus/ns", 0700);
#endif
return 0;
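Review bot: The return value of `mkdir_p_label("/dev/kdbus/ns", 0700)` is discarded, even though the comment right above it describes the directory's mode as what keeps non-root users away from the busses of virtualized users; a failed mkdir, or a directory that already exists with a more permissive mode (mkdir_p_label does not, as far as I can see, adjust the mode of an existing directory), would go unnoticed. At minimum log the failure so it is visible in the journal, e.g. `r = mkdir_p_label("/dev/kdbus/ns", 0700); if (r < 0) log_warning("Failed to create /dev/kdbus/ns: %s", strerror(-r));`, assuming `r` is the int this function already uses; a helper that also verifies the mode of a pre-existing directory (mkdir_safe_label, if it is available in this tree) would close the second gap. manager_setup_kdbus starts before the hunk, so I cannot see whether `r` is declared there.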