| Message ID | 20171118014113.10984-1-christian.brauner@ubuntu.com |
|---|---|
| State | New |
| Headers | show |
| Series | support_become_root: Don't fail when /proc/<pid/setgroups is missing | expand |
On 11/18/2017 02:41 AM, Christian Brauner wrote: > The requirement to write "deny" to /proc/<pid>/setgroups for a given user > namespace before being able to write a gid mapping was introduced in Linux 3.19. > Before that this requirement including the file did not exist. So don't fail > when errno == ENOENT. The substance of the patch is fine, but please restrict line length to 79 characters (not 80 or more): > + * support/support_become_root.c (setup_uid_gid_mapping): Don't fail when > + /* Linux 3.19 introduced the setgroups file. We need write "deny" to this file > + FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m", O_WRONLY, 0); Please also use two spaces after the period at the end of a sentence, including the period before the closing comment marker, */. This affects three sentences in two comments. Thanks, Florian
On Sat, Nov 18, 2017 at 01:47:28PM +0100, Florian Weimer wrote: > On 11/18/2017 02:41 AM, Christian Brauner wrote: > > The requirement to write "deny" to /proc/<pid>/setgroups for a given user > > namespace before being able to write a gid mapping was introduced in Linux 3.19. > > Before that this requirement including the file did not exist. So don't fail > > when errno == ENOENT. > > The substance of the patch is fine, but please restrict line length to 79 > characters (not 80 or more): > > > + * support/support_become_root.c (setup_uid_gid_mapping): Don't fail when > > > + /* Linux 3.19 introduced the setgroups file. We need write "deny" to this file > > > + FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m", O_WRONLY, 0); > > Please also use two spaces after the period at the end of a sentence, > including the period before the closing comment marker, */. This affects > three sentences in two comments. Thanks! sent v2 of the patch! Christian
diff --git a/ChangeLog b/ChangeLog index 604d571ca6..2f2d3b82ff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2017-11-17 Christian Brauner <christian.brauner@ubuntu.com> + + * support/support_become_root.c (setup_uid_gid_mapping): Don't fail when + /proc/<pid>/setgroups does not exist. + 2017-11-17 Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> * sysdeps/powerpc/bits/hwcap.h (PPC_FEATURE2_HTM_NO_SUSPEND): New diff --git a/support/support_become_root.c b/support/support_become_root.c index 5086570251..01a386c20c 100644 --- a/support/support_become_root.c +++ b/support/support_become_root.c @@ -18,6 +18,7 @@ #include <support/namespace.h> +#include <errno.h> #include <fcntl.h> #include <sched.h> #include <stdio.h> @@ -50,11 +51,20 @@ setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) xwrite (fd, buf, ret); xclose (fd); - /* Disable setgroups before mapping groups, otherwise that would - fail with EPERM. */ - fd = xopen ("/proc/self/setgroups", O_WRONLY, 0); - xwrite (fd, "deny\n", strlen ("deny\n")); - xclose (fd); + /* Linux 3.19 introduced the setgroups file. We need write "deny" to this file + otherwise writing to gid_map will fail with EPERM. */ + fd = open64 ("/proc/self/setgroups", O_WRONLY, 0); + if (fd < 0) + { + if (errno != ENOENT) + FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m", O_WRONLY, 0); + /* This kernel doesn't expose the setgroups file so simply move on. */ + } + else + { + xwrite (fd, "deny\n", strlen ("deny\n")); + xclose (fd); + } /* Now map our own GID, like we did for the user ID. */ fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
The requirement to write "deny" to /proc/<pid>/setgroups for a given user namespace before being able to write a gid mapping was introduced in Linux 3.19. Before that this requirement including the file did not exist. So don't fail when errno == ENOENT. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> --- ChangeLog | 5 +++++ support/support_become_root.c | 20 +++++++++++++++----- 2 files changed, 20 insertions(+), 5 deletions(-)