[systemd-commits] src/libsystemd-bus
Lennart Poettering
lennart at kemper.freedesktop.org
Mon Dec 16 16:58:27 PST 2013
src/libsystemd-bus/bus-container.c | 79 +++++++++++++++++++++++++++++--------
1 file changed, 64 insertions(+), 15 deletions(-)
New commits:
commit 5d6cf65f09ab8df16bee9f2c8909cb90e710a00a
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Dec 17 01:57:27 2013 +0100
bus: when connecting to a container's system bus, double fork after joining the container's namespace
setns(CLONE_NEWPID) only applies to child processes, hence let's fork
once after joining the container's namespace.
diff --git a/src/libsystemd-bus/bus-container.c b/src/libsystemd-bus/bus-container.c
index 9ad6e65..02886c4 100644
--- a/src/libsystemd-bus/bus-container.c
+++ b/src/libsystemd-bus/bus-container.c
@@ -61,20 +61,44 @@ int bus_container_connect_socket(sd_bus *b) {
return -errno;
if (child == 0) {
+ pid_t grandchild;
r = namespace_enter(pidnsfd, mntnsfd, rootfd);
if (r < 0)
_exit(255);
- r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
- if (r < 0) {
- if (errno == EINPROGRESS)
- _exit(1);
+ /* We just changed PID namespace, however it will only
+ * take effect on the children we now fork. Hence,
+ * let's fork another time, and connect from this
+ * grandchild, so that SO_PEERCRED of our connection
+ * comes from a process from within the container, and
+ * not outside of it */
+ grandchild = fork();
+ if (grandchild < 0)
_exit(255);
+
+ if (grandchild == 0) {
+
+ r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
+ if (r < 0) {
+ if (errno == EINPROGRESS)
+ _exit(1);
+
+ _exit(255);
+ }
+
+ _exit(EXIT_SUCCESS);
}
- _exit(EXIT_SUCCESS);
+ r = wait_for_terminate(grandchild, &si);
+ if (r < 0)
+ _exit(255);
+
+ if (si.si_code != CLD_EXITED)
+ _exit(255);
+
+ _exit(si.si_status);
}
r = wait_for_terminate(child, &si);
@@ -130,6 +154,8 @@ int bus_container_connect_kernel(sd_bus *b) {
return -errno;
if (child == 0) {
+ pid_t grandchild;
+
close_nointr_nofail(pair[0]);
pair[0] = -1;
@@ -137,22 +163,45 @@ int bus_container_connect_kernel(sd_bus *b) {
if (r < 0)
_exit(EXIT_FAILURE);
- fd = open(b->kernel, O_RDWR|O_NOCTTY|O_CLOEXEC);
- if (fd < 0)
+ /* We just changed PID namespace, however it will only
+ * take effect on the children we now fork. Hence,
+ * let's fork another time, and connect from this
+ * grandchild, so that kdbus only sees the credentials
+ * of this process which comes from within the
+ * container, and not outside of it */
+
+ grandchild = fork();
+ if (grandchild < 0)
_exit(EXIT_FAILURE);
- cmsg = CMSG_FIRSTHDR(&mh);
- cmsg->cmsg_level = SOL_SOCKET;
- cmsg->cmsg_type = SCM_RIGHTS;
- cmsg->cmsg_len = CMSG_LEN(sizeof(int));
- memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
+ if (grandchild == 0) {
+
+ fd = open(b->kernel, O_RDWR|O_NOCTTY|O_CLOEXEC);
+ if (fd < 0)
+ _exit(EXIT_FAILURE);
+
+ cmsg = CMSG_FIRSTHDR(&mh);
+ cmsg->cmsg_level = SOL_SOCKET;
+ cmsg->cmsg_type = SCM_RIGHTS;
+ cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+ memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
+
+ mh.msg_controllen = cmsg->cmsg_len;
- mh.msg_controllen = cmsg->cmsg_len;
+ if (sendmsg(pair[1], &mh, MSG_NOSIGNAL) < 0)
+ _exit(EXIT_FAILURE);
+
+ _exit(EXIT_SUCCESS);
+ }
+
+ r = wait_for_terminate(grandchild, &si);
+ if (r < 0)
+ _exit(EXIT_FAILURE);
- if (sendmsg(pair[1], &mh, MSG_NOSIGNAL) < 0)
+ if (si.si_code != CLD_EXITED)
_exit(EXIT_FAILURE);
- _exit(EXIT_SUCCESS);
+ _exit(si.si_status);
}
close_nointr_nofail(pair[1]);
More information about the systemd-commits
mailing list