1 /* vi: set sw=4 ts=4: */
2 /*
3 * Mini unshare implementation for busybox.
4 *
5 * Copyright (C) 2016 by Bartosz Golaszewski <bartekgola@gmail.com>
6 *
7 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
8 */
9 //config:config UNSHARE
10 //config: bool "unshare"
11 //config: default y
12 //config: depends on LONG_OPTS && !NOMMU
13 //config: select PLATFORM_LINUX
14 //config: help
15 //config: Run program with some namespaces unshared from parent.
16
17 // depends on LONG_OPTS: it is awkward to exclude code which handles --propagation
18 // and --setgroups based on LONG_OPTS, so instead applet requires LONG_OPTS.
19 // depends on !NOMMU: we need fork()
20
21 //applet:IF_UNSHARE(APPLET(unshare, BB_DIR_USR_BIN, BB_SUID_DROP))
22
23 //kbuild:lib-$(CONFIG_UNSHARE) += unshare.o
24
25 //usage:#define unshare_trivial_usage
26 //usage: "[OPTIONS] [PROG [ARGS]]"
27 //usage:#define unshare_full_usage "\n"
28 //usage: "\n -m, --mount[=FILE] Unshare mount namespace"
29 //usage: "\n -u, --uts[=FILE] Unshare UTS namespace (hostname etc.)"
30 //usage: "\n -i, --ipc[=FILE] Unshare System V IPC namespace"
31 //usage: "\n -n, --net[=FILE] Unshare network namespace"
32 //usage: "\n -p, --pid[=FILE] Unshare PID namespace"
33 //usage: "\n -U, --user[=FILE} Unshare user namespace"
34 //usage: "\n -f, --fork Fork before execing PROG"
35 //usage: "\n -r, --map-root-user Map current user to root (implies -u)"
36 //usage: "\n --mount-proc[=DIR] Mount /proc filesystem first (implies -m)"
37 //usage: "\n --propagation slave|shared|private|unchanged"
38 //usage: "\n Modify mount propagation in mount namespace"
39 //usage: "\n --setgroups allow|deny Control the setgroups syscall in user namespaces"
40
41 #include <sched.h>
42 #ifndef CLONE_NEWUTS
43 # define CLONE_NEWUTS 0x04000000
44 #endif
45 #ifndef CLONE_NEWIPC
46 # define CLONE_NEWIPC 0x08000000
47 #endif
48 #ifndef CLONE_NEWUSER
49 # define CLONE_NEWUSER 0x10000000
50 #endif
51 #ifndef CLONE_NEWPID
52 # define CLONE_NEWPID 0x20000000
53 #endif
54 #ifndef CLONE_NEWNET
55 # define CLONE_NEWNET 0x40000000
56 #endif
57
58 #include <sys/mount.h>
59 #ifndef MS_REC
60 # define MS_REC (1 << 14)
61 #endif
62 #ifndef MS_PRIVATE
63 # define MS_PRIVATE (1 << 18)
64 #endif
65 #ifndef MS_SLAVE
66 # define MS_SLAVE (1 << 19)
67 #endif
68 #ifndef MS_SHARED
69 # define MS_SHARED (1 << 20)
70 #endif
71
72 #include "libbb.h"
73
mount_or_die(const char * source,const char * target,const char * fstype,unsigned long mountflags)74 static void mount_or_die(const char *source, const char *target,
75 const char *fstype, unsigned long mountflags)
76 {
77 if (mount(source, target, fstype, mountflags, NULL)) {
78 bb_perror_msg_and_die("can't mount %s on %s (flags:0x%lx)",
79 source, target, mountflags);
80 /* fstype is always either NULL or "proc".
81 * "proc" is only used to mount /proc.
82 * No need to clutter up error message with fstype,
83 * it is easily deductible.
84 */
85 }
86 }
87
88 #define PATH_PROC_SETGROUPS "/proc/self/setgroups"
89 #define PATH_PROC_UIDMAP "/proc/self/uid_map"
90 #define PATH_PROC_GIDMAP "/proc/self/gid_map"
91
92 struct namespace_descr {
93 int flag;
94 const char nsfile4[4];
95 };
96
97 struct namespace_ctx {
98 char *path;
99 };
100
101 enum {
102 OPT_mount = 1 << 0,
103 OPT_uts = 1 << 1,
104 OPT_ipc = 1 << 2,
105 OPT_net = 1 << 3,
106 OPT_pid = 1 << 4,
107 OPT_user = 1 << 5, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */
108 OPT_fork = 1 << 6,
109 OPT_map_root = 1 << 7,
110 OPT_mount_proc = 1 << 8,
111 OPT_propagation = 1 << 9,
112 OPT_setgroups = 1 << 10,
113 };
114 enum {
115 NS_MNT_POS = 0,
116 NS_UTS_POS,
117 NS_IPC_POS,
118 NS_NET_POS,
119 NS_PID_POS,
120 NS_USR_POS, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */
121 NS_COUNT,
122 };
123 static const struct namespace_descr ns_list[] = {
124 { CLONE_NEWNS, "mnt" },
125 { CLONE_NEWUTS, "uts" },
126 { CLONE_NEWIPC, "ipc" },
127 { CLONE_NEWNET, "net" },
128 { CLONE_NEWPID, "pid" },
129 { CLONE_NEWUSER, "user" }, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */
130 };
131
132 /*
133 * Upstream unshare doesn't support short options for --mount-proc,
134 * --propagation, --setgroups.
135 * Optional arguments (namespace mountpoints) exist only for long opts,
136 * we are forced to use "fake" letters for them.
137 * '+': stop at first non-option.
138 */
139 static const char opt_str[] ALIGN1 = "+muinpU""fr""\xfd::""\xfe:""\xff:";
140 static const char unshare_longopts[] ALIGN1 =
141 "mount\0" Optional_argument "\xf0"
142 "uts\0" Optional_argument "\xf1"
143 "ipc\0" Optional_argument "\xf2"
144 "net\0" Optional_argument "\xf3"
145 "pid\0" Optional_argument "\xf4"
146 "user\0" Optional_argument "\xf5"
147 "fork\0" No_argument "f"
148 "map-root-user\0" No_argument "r"
149 "mount-proc\0" Optional_argument "\xfd"
150 "propagation\0" Required_argument "\xfe"
151 "setgroups\0" Required_argument "\xff"
152 ;
153
154 /* Ugly-looking string reuse trick */
155 #define PRIVATE_STR "private\0""unchanged\0""shared\0""slave\0"
156 #define PRIVATE_UNCHANGED_SHARED_SLAVE PRIVATE_STR
157
parse_propagation(const char * prop_str)158 static unsigned long parse_propagation(const char *prop_str)
159 {
160 int i = index_in_strings(PRIVATE_UNCHANGED_SHARED_SLAVE, prop_str);
161 if (i < 0)
162 bb_error_msg_and_die("unrecognized: --%s=%s", "propagation", prop_str);
163 if (i == 0)
164 return MS_REC | MS_PRIVATE;
165 if (i == 1)
166 return 0;
167 if (i == 2)
168 return MS_REC | MS_SHARED;
169 return MS_REC | MS_SLAVE;
170 }
171
mount_namespaces(pid_t pid,struct namespace_ctx * ns_ctx_list)172 static void mount_namespaces(pid_t pid, struct namespace_ctx *ns_ctx_list)
173 {
174 const struct namespace_descr *ns;
175 struct namespace_ctx *ns_ctx;
176 int i;
177
178 for (i = 0; i < NS_COUNT; i++) {
179 char nsf[sizeof("/proc/%u/ns/AAAA") + sizeof(int)*3];
180
181 ns = &ns_list[i];
182 ns_ctx = &ns_ctx_list[i];
183 if (!ns_ctx->path)
184 continue;
185 sprintf(nsf, "/proc/%u/ns/%.4s", (unsigned)pid, ns->nsfile4);
186 mount_or_die(nsf, ns_ctx->path, NULL, MS_BIND);
187 }
188 }
189
190 int unshare_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
unshare_main(int argc UNUSED_PARAM,char ** argv)191 int unshare_main(int argc UNUSED_PARAM, char **argv)
192 {
193 int i;
194 unsigned int opts;
195 int unsflags;
196 uintptr_t need_mount;
197 const char *proc_mnt_target;
198 const char *prop_str;
199 const char *setgrp_str;
200 unsigned long prop_flags;
201 uid_t reuid = geteuid();
202 gid_t regid = getegid();
203 struct fd_pair fdp;
204 pid_t child = child; /* for compiler */
205 struct namespace_ctx ns_ctx_list[NS_COUNT];
206
207 memset(ns_ctx_list, 0, sizeof(ns_ctx_list));
208 proc_mnt_target = "/proc";
209 prop_str = PRIVATE_STR;
210 setgrp_str = NULL;
211
212 opt_complementary =
213 "\xf0""m" /* long opts (via their "fake chars") imply short opts */
214 ":\xf1""u"
215 ":\xf2""i"
216 ":\xf3""n"
217 ":\xf4""p"
218 ":\xf5""U"
219 ":ru" /* --map-root-user or -r implies -u */
220 ":\xfd""m" /* --mount-proc implies -m */
221 ;
222 applet_long_options = unshare_longopts;
223 opts = getopt32(argv, opt_str,
224 &proc_mnt_target, &prop_str, &setgrp_str,
225 &ns_ctx_list[NS_MNT_POS].path,
226 &ns_ctx_list[NS_UTS_POS].path,
227 &ns_ctx_list[NS_IPC_POS].path,
228 &ns_ctx_list[NS_NET_POS].path,
229 &ns_ctx_list[NS_PID_POS].path,
230 &ns_ctx_list[NS_USR_POS].path
231 );
232 argv += optind;
233 //bb_error_msg("opts:0x%x", opts);
234 //bb_error_msg("mount:%s", ns_ctx_list[NS_MNT_POS].path);
235 //bb_error_msg("proc_mnt_target:%s", proc_mnt_target);
236 //bb_error_msg("prop_str:%s", prop_str);
237 //bb_error_msg("setgrp_str:%s", setgrp_str);
238 //exit(1);
239
240 if (setgrp_str) {
241 if (strcmp(setgrp_str, "allow") == 0) {
242 if (opts & OPT_map_root) {
243 bb_error_msg_and_die(
244 "--setgroups=allow and --map-root-user "
245 "are mutually exclusive"
246 );
247 }
248 } else {
249 /* It's not "allow", must be "deny" */
250 if (strcmp(setgrp_str, "deny") != 0)
251 bb_error_msg_and_die("unrecognized: --%s=%s",
252 "setgroups", setgrp_str);
253 }
254 }
255
256 unsflags = 0;
257 need_mount = 0;
258 for (i = 0; i < NS_COUNT; i++) {
259 const struct namespace_descr *ns = &ns_list[i];
260 struct namespace_ctx *ns_ctx = &ns_ctx_list[i];
261
262 if (opts & (1 << i))
263 unsflags |= ns->flag;
264
265 need_mount |= (uintptr_t)(ns_ctx->path);
266 }
267 /* need_mount != 0 if at least one FILE was given */
268
269 prop_flags = MS_REC | MS_PRIVATE;
270 /* Silently ignore --propagation if --mount is not requested. */
271 if (opts & OPT_mount)
272 prop_flags = parse_propagation(prop_str);
273
274 /*
275 * Special case: if we were requested to unshare the mount namespace
276 * AND to make any namespace persistent (by bind mounting it) we need
277 * to spawn a child process which will wait for the parent to call
278 * unshare(), then mount parent's namespaces while still in the
279 * previous namespace.
280 */
281 fdp.wr = -1;
282 if (need_mount && (opts & OPT_mount)) {
283 /*
284 * Can't use getppid() in child, as we can be unsharing the
285 * pid namespace.
286 */
287 pid_t ppid = getpid();
288
289 xpiped_pair(fdp);
290
291 child = xfork();
292 if (child == 0) {
293 /* Child */
294 close(fdp.wr);
295
296 /* Wait until parent calls unshare() */
297 read(fdp.rd, ns_ctx_list, 1); /* ...using bogus buffer */
298 /*close(fdp.rd);*/
299
300 /* Mount parent's unshared namespaces. */
301 mount_namespaces(ppid, ns_ctx_list);
302 return EXIT_SUCCESS;
303 }
304 /* Parent continues */
305 }
306
307 if (unshare(unsflags) != 0)
308 bb_perror_msg_and_die("unshare(0x%x)", unsflags);
309
310 if (fdp.wr >= 0) {
311 close(fdp.wr); /* Release child */
312 close(fdp.rd); /* should close fd, to not confuse exec'ed PROG */
313 }
314
315 if (need_mount) {
316 /* Wait for the child to finish mounting the namespaces. */
317 if (opts & OPT_mount) {
318 int exit_status = wait_for_exitstatus(child);
319 if (WIFEXITED(exit_status) &&
320 WEXITSTATUS(exit_status) != EXIT_SUCCESS)
321 return WEXITSTATUS(exit_status);
322 } else {
323 /*
324 * Regular way - we were requested to mount some other
325 * namespaces: mount them after the call to unshare().
326 */
327 mount_namespaces(getpid(), ns_ctx_list);
328 }
329 }
330
331 /*
332 * When we're unsharing the pid namespace, it's not the process that
333 * calls unshare() that is put into the new namespace, but its first
334 * child. The user may want to use this option to spawn a new process
335 * that'll become PID 1 in this new namespace.
336 */
337 if (opts & OPT_fork) {
338 xvfork_parent_waits_and_exits();
339 /* Child continues */
340 }
341
342 if (opts & OPT_map_root) {
343 char uidmap_buf[sizeof("%u 0 1") + sizeof(int)*3];
344
345 /*
346 * Since Linux 3.19 unprivileged writing of /proc/self/gid_map
347 * has been disabled unless /proc/self/setgroups is written
348 * first to permanently disable the ability to call setgroups
349 * in that user namespace.
350 */
351 xopen_xwrite_close(PATH_PROC_SETGROUPS, "deny");
352 sprintf(uidmap_buf, "%u 0 1", (unsigned)reuid);
353 xopen_xwrite_close(PATH_PROC_UIDMAP, uidmap_buf);
354 sprintf(uidmap_buf, "%u 0 1", (unsigned)regid);
355 xopen_xwrite_close(PATH_PROC_GIDMAP, uidmap_buf);
356 } else
357 if (setgrp_str) {
358 /* Write "allow" or "deny" */
359 xopen_xwrite_close(PATH_PROC_SETGROUPS, setgrp_str);
360 }
361
362 if (opts & OPT_mount) {
363 mount_or_die("none", "/", NULL, prop_flags);
364 }
365
366 if (opts & OPT_mount_proc) {
367 /*
368 * When creating a new pid namespace, we might want the pid
369 * subdirectories in /proc to remain consistent with the new
370 * process IDs. Without --mount-proc the pids in /proc would
371 * still reflect the old pid namespace. This is why we make
372 * /proc private here and then do a fresh mount.
373 */
374 mount_or_die("none", proc_mnt_target, NULL, MS_PRIVATE | MS_REC);
375 mount_or_die("proc", proc_mnt_target, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV);
376 }
377
378 exec_prog_or_SHELL(argv);
379 }
380