1 /*
2 * nsenter(1) - command-line interface for setns(2)
3 *
4 * Copyright (C) 2012-2013 Eric Biederman <ebiederm@xmission.com>
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; version 2.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
18 */
19
20 #include <dirent.h>
21 #include <errno.h>
22 #include <getopt.h>
23 #include <sched.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <stdbool.h>
27 #include <unistd.h>
28 #include <assert.h>
29 #include <sys/types.h>
30 #include <sys/wait.h>
31 #include <grp.h>
32 #include <sys/stat.h>
33
34 #ifdef HAVE_LIBSELINUX
35 # include <selinux/selinux.h>
36 #endif
37
38 #include "strutils.h"
39 #include "nls.h"
40 #include "c.h"
41 #include "closestream.h"
42 #include "namespace.h"
43 #include "exec_shell.h"
44
45 static struct namespace_file {
46 int nstype;
47 const char *name;
48 int fd;
49 } namespace_files[] = {
50 /* Careful the order is significant in this array.
51 *
52 * The user namespace comes either first or last: first if
53 * you're using it to increase your privilege and last if
54 * you're using it to decrease. We enter the namespaces in
55 * two passes starting initially from offset 1 and then offset
56 * 0 if that fails.
57 */
58 { .nstype = CLONE_NEWUSER, .name = "ns/user", .fd = -1 },
59 { .nstype = CLONE_NEWCGROUP,.name = "ns/cgroup", .fd = -1 },
60 { .nstype = CLONE_NEWIPC, .name = "ns/ipc", .fd = -1 },
61 { .nstype = CLONE_NEWUTS, .name = "ns/uts", .fd = -1 },
62 { .nstype = CLONE_NEWNET, .name = "ns/net", .fd = -1 },
63 { .nstype = CLONE_NEWPID, .name = "ns/pid", .fd = -1 },
64 { .nstype = CLONE_NEWNS, .name = "ns/mnt", .fd = -1 },
65 { .nstype = CLONE_NEWTIME, .name = "ns/time", .fd = -1 },
66 { .nstype = 0, .name = NULL, .fd = -1 }
67 };
68
usage(void)69 static void __attribute__((__noreturn__)) usage(void)
70 {
71 FILE *out = stdout;
72
73 fputs(USAGE_HEADER, out);
74 fprintf(out, _(" %s [options] [<program> [<argument>...]]\n"),
75 program_invocation_short_name);
76
77 fputs(USAGE_SEPARATOR, out);
78 fputs(_("Run a program with namespaces of other processes.\n"), out);
79
80 fputs(USAGE_OPTIONS, out);
81 fputs(_(" -a, --all enter all namespaces\n"), out);
82 fputs(_(" -t, --target <pid> target process to get namespaces from\n"), out);
83 fputs(_(" -m, --mount[=<file>] enter mount namespace\n"), out);
84 fputs(_(" -u, --uts[=<file>] enter UTS namespace (hostname etc)\n"), out);
85 fputs(_(" -i, --ipc[=<file>] enter System V IPC namespace\n"), out);
86 fputs(_(" -n, --net[=<file>] enter network namespace\n"), out);
87 fputs(_(" -p, --pid[=<file>] enter pid namespace\n"), out);
88 fputs(_(" -C, --cgroup[=<file>] enter cgroup namespace\n"), out);
89 fputs(_(" -U, --user[=<file>] enter user namespace\n"), out);
90 fputs(_(" -T, --time[=<file>] enter time namespace\n"), out);
91 fputs(_(" -S, --setuid <uid> set uid in entered namespace\n"), out);
92 fputs(_(" -G, --setgid <gid> set gid in entered namespace\n"), out);
93 fputs(_(" --preserve-credentials do not touch uids or gids\n"), out);
94 fputs(_(" -r, --root[=<dir>] set the root directory\n"), out);
95 fputs(_(" -w, --wd[=<dir>] set the working directory\n"), out);
96 fputs(_(" -F, --no-fork do not fork before exec'ing <program>\n"), out);
97 #ifdef HAVE_LIBSELINUX
98 fputs(_(" -Z, --follow-context set SELinux context according to --target PID\n"), out);
99 #endif
100
101 fputs(USAGE_SEPARATOR, out);
102 printf(USAGE_HELP_OPTIONS(24));
103 printf(USAGE_MAN_TAIL("nsenter(1)"));
104
105 exit(EXIT_SUCCESS);
106 }
107
108 static pid_t namespace_target_pid = 0;
109 static int root_fd = -1;
110 static int wd_fd = -1;
111
open_target_fd(int * fd,const char * type,const char * path)112 static void open_target_fd(int *fd, const char *type, const char *path)
113 {
114 char pathbuf[PATH_MAX];
115
116 if (!path && namespace_target_pid) {
117 snprintf(pathbuf, sizeof(pathbuf), "/proc/%u/%s",
118 namespace_target_pid, type);
119 path = pathbuf;
120 }
121 if (!path)
122 errx(EXIT_FAILURE,
123 _("neither filename nor target pid supplied for %s"),
124 type);
125
126 if (*fd >= 0)
127 close(*fd);
128
129 *fd = open(path, O_RDONLY);
130 if (*fd < 0)
131 err(EXIT_FAILURE, _("cannot open %s"), path);
132 }
133
open_namespace_fd(int nstype,const char * path)134 static void open_namespace_fd(int nstype, const char *path)
135 {
136 struct namespace_file *nsfile;
137
138 for (nsfile = namespace_files; nsfile->nstype; nsfile++) {
139 if (nstype != nsfile->nstype)
140 continue;
141
142 open_target_fd(&nsfile->fd, nsfile->name, path);
143 return;
144 }
145 /* This should never happen */
146 assert(nsfile->nstype);
147 }
148
get_ns_ino(const char * path,ino_t * ino)149 static int get_ns_ino(const char *path, ino_t *ino)
150 {
151 struct stat st;
152
153 if (stat(path, &st) != 0)
154 return -errno;
155 *ino = st.st_ino;
156 return 0;
157 }
158
is_same_namespace(pid_t a,pid_t b,const char * type)159 static int is_same_namespace(pid_t a, pid_t b, const char *type)
160 {
161 char path[PATH_MAX];
162 ino_t a_ino = 0, b_ino = 0;
163
164 snprintf(path, sizeof(path), "/proc/%u/%s", a, type);
165 if (get_ns_ino(path, &a_ino) != 0)
166 err(EXIT_FAILURE, _("stat of %s failed"), path);
167
168 snprintf(path, sizeof(path), "/proc/%u/%s", b, type);
169 if (get_ns_ino(path, &b_ino) != 0)
170 err(EXIT_FAILURE, _("stat of %s failed"), path);
171
172 return a_ino == b_ino;
173 }
174
continue_as_child(void)175 static void continue_as_child(void)
176 {
177 pid_t child = fork();
178 int status;
179 pid_t ret;
180
181 if (child < 0)
182 err(EXIT_FAILURE, _("fork failed"));
183
184 /* Only the child returns */
185 if (child == 0)
186 return;
187
188 for (;;) {
189 ret = waitpid(child, &status, WUNTRACED);
190 if ((ret == child) && (WIFSTOPPED(status))) {
191 /* The child suspended so suspend us as well */
192 kill(getpid(), SIGSTOP);
193 kill(child, SIGCONT);
194 } else {
195 break;
196 }
197 }
198 /* Return the child's exit code if possible */
199 if (WIFEXITED(status)) {
200 exit(WEXITSTATUS(status));
201 } else if (WIFSIGNALED(status)) {
202 kill(getpid(), WTERMSIG(status));
203 }
204 exit(EXIT_FAILURE);
205 }
206
main(int argc,char * argv[])207 int main(int argc, char *argv[])
208 {
209 enum {
210 OPT_PRESERVE_CRED = CHAR_MAX + 1
211 };
212 static const struct option longopts[] = {
213 { "all", no_argument, NULL, 'a' },
214 { "help", no_argument, NULL, 'h' },
215 { "version", no_argument, NULL, 'V'},
216 { "target", required_argument, NULL, 't' },
217 { "mount", optional_argument, NULL, 'm' },
218 { "uts", optional_argument, NULL, 'u' },
219 { "ipc", optional_argument, NULL, 'i' },
220 { "net", optional_argument, NULL, 'n' },
221 { "pid", optional_argument, NULL, 'p' },
222 { "user", optional_argument, NULL, 'U' },
223 { "cgroup", optional_argument, NULL, 'C' },
224 { "time", optional_argument, NULL, 'T' },
225 { "setuid", required_argument, NULL, 'S' },
226 { "setgid", required_argument, NULL, 'G' },
227 { "root", optional_argument, NULL, 'r' },
228 { "wd", optional_argument, NULL, 'w' },
229 { "no-fork", no_argument, NULL, 'F' },
230 { "preserve-credentials", no_argument, NULL, OPT_PRESERVE_CRED },
231 #ifdef HAVE_LIBSELINUX
232 { "follow-context", no_argument, NULL, 'Z' },
233 #endif
234 { NULL, 0, NULL, 0 }
235 };
236
237 struct namespace_file *nsfile;
238 int c, pass, namespaces = 0, setgroups_nerrs = 0, preserve_cred = 0;
239 bool do_rd = false, do_wd = false, force_uid = false, force_gid = false;
240 bool do_all = false;
241 int do_fork = -1; /* unknown yet */
242 uid_t uid = 0;
243 gid_t gid = 0;
244 #ifdef HAVE_LIBSELINUX
245 bool selinux = 0;
246 #endif
247
248 setlocale(LC_ALL, "");
249 bindtextdomain(PACKAGE, LOCALEDIR);
250 textdomain(PACKAGE);
251 close_stdout_atexit();
252
253 while ((c =
254 getopt_long(argc, argv, "+ahVt:m::u::i::n::p::C::U::T::S:G:r::w::FZ",
255 longopts, NULL)) != -1) {
256 switch (c) {
257 case 'a':
258 do_all = true;
259 break;
260 case 't':
261 namespace_target_pid =
262 strtoul_or_err(optarg, _("failed to parse pid"));
263 break;
264 case 'm':
265 if (optarg)
266 open_namespace_fd(CLONE_NEWNS, optarg);
267 else
268 namespaces |= CLONE_NEWNS;
269 break;
270 case 'u':
271 if (optarg)
272 open_namespace_fd(CLONE_NEWUTS, optarg);
273 else
274 namespaces |= CLONE_NEWUTS;
275 break;
276 case 'i':
277 if (optarg)
278 open_namespace_fd(CLONE_NEWIPC, optarg);
279 else
280 namespaces |= CLONE_NEWIPC;
281 break;
282 case 'n':
283 if (optarg)
284 open_namespace_fd(CLONE_NEWNET, optarg);
285 else
286 namespaces |= CLONE_NEWNET;
287 break;
288 case 'p':
289 if (optarg)
290 open_namespace_fd(CLONE_NEWPID, optarg);
291 else
292 namespaces |= CLONE_NEWPID;
293 break;
294 case 'C':
295 if (optarg)
296 open_namespace_fd(CLONE_NEWCGROUP, optarg);
297 else
298 namespaces |= CLONE_NEWCGROUP;
299 break;
300 case 'U':
301 if (optarg)
302 open_namespace_fd(CLONE_NEWUSER, optarg);
303 else
304 namespaces |= CLONE_NEWUSER;
305 break;
306 case 'T':
307 if (optarg)
308 open_namespace_fd(CLONE_NEWTIME, optarg);
309 else
310 namespaces |= CLONE_NEWTIME;
311 break;
312 case 'S':
313 uid = strtoul_or_err(optarg, _("failed to parse uid"));
314 force_uid = true;
315 break;
316 case 'G':
317 gid = strtoul_or_err(optarg, _("failed to parse gid"));
318 force_gid = true;
319 break;
320 case 'F':
321 do_fork = 0;
322 break;
323 case 'r':
324 if (optarg)
325 open_target_fd(&root_fd, "root", optarg);
326 else
327 do_rd = true;
328 break;
329 case 'w':
330 if (optarg)
331 open_target_fd(&wd_fd, "cwd", optarg);
332 else
333 do_wd = true;
334 break;
335 case OPT_PRESERVE_CRED:
336 preserve_cred = 1;
337 break;
338 #ifdef HAVE_LIBSELINUX
339 case 'Z':
340 selinux = 1;
341 break;
342 #endif
343 case 'h':
344 usage();
345 case 'V':
346 print_version(EXIT_SUCCESS);
347 default:
348 errtryhelp(EXIT_FAILURE);
349 }
350 }
351
352 #ifdef HAVE_LIBSELINUX
353 if (selinux && is_selinux_enabled() > 0) {
354 char *scon = NULL;
355
356 if (!namespace_target_pid)
357 errx(EXIT_FAILURE, _("no target PID specified for --follow-context"));
358 if (getpidcon(namespace_target_pid, &scon) < 0)
359 errx(EXIT_FAILURE, _("failed to get %d SELinux context"),
360 (int) namespace_target_pid);
361 if (setexeccon(scon) < 0)
362 errx(EXIT_FAILURE, _("failed to set exec context to '%s'"), scon);
363 freecon(scon);
364 }
365 #endif
366
367 if (do_all) {
368 if (!namespace_target_pid)
369 errx(EXIT_FAILURE, _("no target PID specified for --all"));
370 for (nsfile = namespace_files; nsfile->nstype; nsfile++) {
371 if (nsfile->fd >= 0)
372 continue; /* namespace already specified */
373
374 /* It is not permitted to use setns(2) to reenter the caller's
375 * current user namespace; see setns(2) man page for more details.
376 */
377 if (nsfile->nstype & CLONE_NEWUSER
378 && is_same_namespace(getpid(), namespace_target_pid, nsfile->name))
379 continue;
380
381 namespaces |= nsfile->nstype;
382 }
383 }
384
385 /*
386 * Open remaining namespace and directory descriptors.
387 */
388 for (nsfile = namespace_files; nsfile->nstype; nsfile++)
389 if (nsfile->nstype & namespaces)
390 open_namespace_fd(nsfile->nstype, NULL);
391 if (do_rd)
392 open_target_fd(&root_fd, "root", NULL);
393 if (do_wd)
394 open_target_fd(&wd_fd, "cwd", NULL);
395
396 /*
397 * Update namespaces variable to contain all requested namespaces
398 */
399 for (nsfile = namespace_files; nsfile->nstype; nsfile++) {
400 if (nsfile->fd < 0)
401 continue;
402 namespaces |= nsfile->nstype;
403 }
404
405 /* for user namespaces we always set UID and GID (default is 0)
406 * and clear root's groups if --preserve-credentials is no specified */
407 if ((namespaces & CLONE_NEWUSER) && !preserve_cred) {
408 force_uid = true, force_gid = true;
409
410 /* We call setgroups() before and after we enter user namespace,
411 * let's complain only if both fail */
412 if (setgroups(0, NULL) != 0)
413 setgroups_nerrs++;
414 }
415
416 /*
417 * Now that we know which namespaces we want to enter, enter
418 * them. Do this in two passes, not entering the user
419 * namespace on the first pass. So if we're deprivileging the
420 * container we'll enter the user namespace last and if we're
421 * privileging it then we enter the user namespace first
422 * (because the initial setns will fail).
423 */
424 for (pass = 0; pass < 2; pass ++) {
425 for (nsfile = namespace_files + 1 - pass; nsfile->nstype; nsfile++) {
426 if (nsfile->fd < 0)
427 continue;
428 if (nsfile->nstype == CLONE_NEWPID && do_fork == -1)
429 do_fork = 1;
430 if (setns(nsfile->fd, nsfile->nstype)) {
431 if (pass != 0)
432 err(EXIT_FAILURE,
433 _("reassociate to namespace '%s' failed"),
434 nsfile->name);
435 else
436 continue;
437 }
438
439 close(nsfile->fd);
440 nsfile->fd = -1;
441 }
442 }
443
444 /* Remember the current working directory if I'm not changing it */
445 if (root_fd >= 0 && wd_fd < 0) {
446 wd_fd = open(".", O_RDONLY);
447 if (wd_fd < 0)
448 err(EXIT_FAILURE,
449 _("cannot open current working directory"));
450 }
451
452 /* Change the root directory */
453 if (root_fd >= 0) {
454 if (fchdir(root_fd) < 0)
455 err(EXIT_FAILURE,
456 _("change directory by root file descriptor failed"));
457
458 if (chroot(".") < 0)
459 err(EXIT_FAILURE, _("chroot failed"));
460
461 close(root_fd);
462 root_fd = -1;
463 }
464
465 /* Change the working directory */
466 if (wd_fd >= 0) {
467 if (fchdir(wd_fd) < 0)
468 err(EXIT_FAILURE,
469 _("change directory by working directory file descriptor failed"));
470
471 close(wd_fd);
472 wd_fd = -1;
473 }
474
475 if (do_fork == 1)
476 continue_as_child();
477
478 if (force_uid || force_gid) {
479 if (force_gid && setgroups(0, NULL) != 0 && setgroups_nerrs) /* drop supplementary groups */
480 err(EXIT_FAILURE, _("setgroups failed"));
481 if (force_gid && setgid(gid) < 0) /* change GID */
482 err(EXIT_FAILURE, _("setgid failed"));
483 if (force_uid && setuid(uid) < 0) /* change UID */
484 err(EXIT_FAILURE, _("setuid failed"));
485 }
486
487 if (optind < argc) {
488 execvp(argv[optind], argv + optind);
489 errexec(argv[optind]);
490 }
491 exec_shell();
492 }
493