LXC: introduce virLXCControllerSetupUserns and lxcContainerSetID

This patch introduces new helper function virLXCControllerSetupUserns, in this function, we set the files uid_map and gid_map of the init task of container. lxcContainerSetID is used for creating cred for tasks running in container. Since after setuid/setgid, we may be a new user. This patch calls lxcContainerSetUserns at first to make sure the new created files belong to right user. Signed-off-by: N Gao feng <gaofeng@cn.fujitsu.com>

LXC: introduce virLXCControllerSetupUserns and lxcContainerSetID
This patch introduces new helper function virLXCControllerSetupUserns, in this function, we set the files uid_map and gid_map of the init task of container. lxcContainerSetID is used for creating cred for tasks running in container. Since after setuid/setgid, we may be a new user. This patch calls lxcContainerSetUserns at first to make sure the new created files belong to right user. Signed-off-by: N Gao feng <gaofeng@cn.fujitsu.com>
9a085a22 · Gao feng · Daniel P. Berrange · 43d4f46a · 9a085a22 · 9a085a22
隐藏空白更改
内联并排

Showing with 111 addition and 8 deletion

src/lxc/lxc_container.c src/lxc/lxc_container.c +37 -8

src/lxc/lxc_controller.c src/lxc/lxc_controller.c +74 -0

未找到文件。
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -334,6 +334,30 @@ int lxcContainerWaitForContinue(int control)
 }


+/**
+ * lxcContainerSetID:
+ *
+ * This function calls setuid and setgid to create proper
+ * cred for tasks running in container.
+ *
+ * Returns 0 on success or -1 in case of error
+ */
+static int lxcContainerSetID(virDomainDefPtr def)
+{
+    /* Only call virSetUIDGID when user namespace is enabled
+     * for this container. And user namespace is only enabled
+     * when nuidmap&ngidmap is not zero */
+
+    if (def->idmap.nuidmap && virSetUIDGID(0, 0) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("setuid or setgid failed"));
+        return -1;
+    }
+
+    return 0;
+}
+
+
 /**
 * lxcContainerRenameAndEnableInterfaces:
 * @nveths: number of interfaces
@@ -1920,12 +1944,25 @@ static int lxcContainerChild(void *data)
        goto cleanup;
    }

+    /* Wait for controller to finish setup tasks, including
+     * things like move of network interfaces, uid/gid mapping
+     */
+    if (lxcContainerWaitForContinue(argv->monitor) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Failed to read the container continue message"));
+        goto cleanup;
+    }
+    VIR_DEBUG("Received container continue message");
+
    if ((hasReboot = lxcContainerHasReboot()) < 0)
        goto cleanup;

    cmd = lxcContainerBuildInitCmd(vmDef);
    virCommandWriteArgLog(cmd, 1);

+    if (lxcContainerSetID(vmDef) < 0)
+        goto cleanup;
+
    root = virDomainGetRootFilesystem(vmDef);

    if (argv->nttyPaths) {
@@ -1966,14 +2003,6 @@ static int lxcContainerChild(void *data)
        goto cleanup;
    }

-    /* Wait for interface devices to show up */
-    if (lxcContainerWaitForContinue(argv->monitor) < 0) {
-        virReportSystemError(errno, "%s",
-                             _("Failed to read the container continue message"));
-        goto cleanup;
-    }
-    VIR_DEBUG("Received container continue message");
-
    /* rename and enable interfaces */
    if (lxcContainerRenameAndEnableInterfaces(!!(vmDef->features &
                                                 (1 << VIR_DOMAIN_FEATURE_PRIVNET)),

--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -1122,6 +1122,77 @@ cleanup2:
 }


+static int
+virLXCControllerSetupUsernsMap(virDomainIdMapEntryPtr map,
+                               int num,
+                               char *path)
+{
+    virBuffer map_value = VIR_BUFFER_INITIALIZER;
+    int i, ret = -1;
+
+    for (i = 0; i < num; i++)
+        virBufferAsprintf(&map_value, "%u %u %u\n",
+                          map[i].start, map[i].target, map[i].count);
+
+    if (virBufferError(&map_value))
+        goto no_memory;
+
+    if (virFileWriteStr(path, virBufferCurrentContent(&map_value), 0) < 0) {
+        virReportSystemError(errno, _("unable write to %s"), path);
+        goto cleanup;
+    }
+
+    ret = 0;
+cleanup:
+    virBufferFreeAndReset(&map_value);
+    return ret;
+
+no_memory:
+    virReportOOMError();
+    goto cleanup;
+}
+
+/**
+ * virLXCControllerSetupUserns
+ *
+ * Set proc files for user namespace
+ *
+ * Returns 0 on success or -1 in case of error
+ */
+static int virLXCControllerSetupUserns(virLXCControllerPtr ctrl)
+{
+    char *uid_map = NULL;
+    char *gid_map = NULL;
+    int ret = -1;
+
+    /* User namespace is disabled for container */
+    if (ctrl->def->idmap.nuidmap == 0)
+        return 0;
+
+    if (virAsprintf(&uid_map, "/proc/%d/uid_map", ctrl->initpid) < 0)
+        goto cleanup;
+
+    if (virLXCControllerSetupUsernsMap(ctrl->def->idmap.uidmap,
+                                       ctrl->def->idmap.nuidmap,
+                                       uid_map) < 0)
+        goto cleanup;
+
+    if (virAsprintf(&gid_map, "/proc/%d/gid_map", ctrl->initpid) < 0)
+        goto cleanup;
+
+    if (virLXCControllerSetupUsernsMap(ctrl->def->idmap.gidmap,
+                                       ctrl->def->idmap.ngidmap,
+                                       gid_map) < 0)
+        goto cleanup;
+
+    ret = 0;
+cleanup:
+    VIR_FREE(uid_map);
+    VIR_FREE(gid_map);
+    return ret;
+}
+
+

 /**
 * virLXCControllerMoveInterfaces
@@ -1544,6 +1615,9 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
    VIR_FORCE_CLOSE(control[1]);
    VIR_FORCE_CLOSE(containerhandshake[1]);

+    if (virLXCControllerSetupUserns(ctrl) < 0)
+        goto cleanup;
+
    if (virLXCControllerMoveInterfaces(ctrl) < 0)
        goto cleanup;