From 80c934a2517f7bfc7642da6555d7ca01bc6f2edd Mon Sep 17 00:00:00 2001 From: Bartosz Golaszewski Date: Fri, 1 Apr 2016 22:17:25 +0200 Subject: [PATCH] nsenter: new applet function old new delta nsenter_main - 663 +663 .rodata 155147 155612 +465 packed_usage 30536 30708 +172 nsenter_longopts - 116 +116 open_by_path_or_target - 58 +58 applet_names 2518 2526 +8 applet_main 2920 2928 +8 ------------------------------------------------------------------------------ (add/remove: 4/0 grow/shrink: 4/0 up/down: 1490/0) Total: 1490 bytes text data bss dec hex filename 827956 4078 9080 841114 cd59a busybox_old 829214 4086 9080 842380 cda8c busybox_unstripped Signed-off-by: Bartosz Golaszewski Signed-off-by: Denys Vlasenko --- util-linux/nsenter.c | 286 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 286 insertions(+) create mode 100644 util-linux/nsenter.c diff --git a/util-linux/nsenter.c b/util-linux/nsenter.c new file mode 100644 index 000000000..9c1dabaa8 --- /dev/null +++ b/util-linux/nsenter.c @@ -0,0 +1,286 @@ +/* vi: set sw=4 ts=4: */ +/* + * Mini nsenter implementation for busybox. + * + * Copyright (C) 2016 by Bartosz Golaszewski + * + * Licensed under GPLv2 or later, see file LICENSE in this source tree. + */ + +//config:config NSENTER +//config: bool "nsenter" +//config: default y +//config: select PLATFORM_LINUX +//config: help +//config: Run program with namespaces of other processes. +//config: +//config:config FEATURE_NSENTER_LONG_OPTS +//config: bool "Enable long options" +//config: default y +//config: depends on NSENTER && LONG_OPTS +//config: help +//config: Support long options for the nsenter applet. This makes +//config: the busybox implementation more compatible with upstream. + +//applet:IF_NSENTER(APPLET(nsenter, BB_DIR_USR_BIN, BB_SUID_DROP)) + +//kbuild:lib-$(CONFIG_NSENTER) += nsenter.o + +//usage:#define nsenter_trivial_usage +//usage: "[OPTIONS] [PROG [ARGS]]" +//usage:#if ENABLE_FEATURE_NSENTER_LONG_OPTS +//usage:#define nsenter_full_usage "\n" +//usage: "\n -t, --target=PID Target process to get namespaces from" +//usage: "\n -m, --mount[=FILE] Enter mount namespace" +//usage: "\n -u, --uts[=FILE] Enter UTS namespace (hostname etc)" +//usage: "\n -i, --ipc[=FILE] Enter System V IPC namespace" +//usage: "\n -n, --net[=FILE] Enter network namespace" +//usage: "\n -p, --pid[=FILE] Enter pid namespace" +//usage: "\n -U, --user[=FILE] Enter user namespace" +//usage: "\n -S, --setuid=UID Set uid in entered namespace" +//usage: "\n -G, --setgid=GID Set gid in entered namespace" +//usage: "\n --preserve-credentials Don't touch uids or gids" +//usage: "\n -r, --root[=DIR] Set root directory" +//usage: "\n -w, --wd[=DIR] Set working directory" +//usage: "\n -F, --no-fork Don't fork before exec'ing PROG" +//usage:#else +//usage:#define nsenter_full_usage "\n" +//usage: "\n -t PID Target process to get namespaces from" +//usage: "\n -m[FILE] Enter mount namespace" +//usage: "\n -u[FILE] Enter UTS namespace (hostname etc)" +//usage: "\n -i[FILE] Enter System V IPC namespace" +//usage: "\n -n[FILE] Enter network namespace" +//usage: "\n -p[FILE] Enter pid namespace" +//usage: "\n -U[FILE] Enter user namespace" +//usage: "\n -S UID Set uid in entered namespace" +//usage: "\n -G GID Set gid in entered namespace" +//usage: "\n -r[DIR] Set root directory" +//usage: "\n -w[DIR] Set working directory" +//usage: "\n -F Don't fork before exec'ing PROG" +//usage:#endif + +#include +#include "libbb.h" + +struct namespace_descr { + int flag; /* value passed to setns() */ + char ns_nsfile8[8]; /* "ns/" + namespace file in process' procfs entry */ +}; + +struct namespace_ctx { + char *path; /* optional path to a custom ns file */ + int fd; /* opened namespace file descriptor */ +}; + +enum { + OPT_user = 1 << 0, + OPT_ipc = 1 << 1, + OPT_uts = 1 << 2, + OPT_network = 1 << 3, + OPT_pid = 1 << 4, + OPT_mount = 1 << 5, + OPT_target = 1 << 6, + OPT_setuid = 1 << 7, + OPT_setgid = 1 << 8, + OPT_root = 1 << 9, + OPT_wd = 1 << 10, + OPT_nofork = 1 << 11, + OPT_prescred = (1 << 12) * ENABLE_FEATURE_NSENTER_LONG_OPTS, +}; +enum { + NS_USR_POS = 0, + NS_IPC_POS, + NS_UTS_POS, + NS_NET_POS, + NS_PID_POS, + NS_MNT_POS, + NS_COUNT, +}; +/* + * The order is significant in nsenter. + * The user namespace comes first, so that it is entered first. + * This gives an unprivileged user the potential to enter other namespaces. + */ +static const struct namespace_descr ns_list[] = { + { CLONE_NEWUSER, "ns/user", }, + { CLONE_NEWIPC, "ns/ipc", }, + { CLONE_NEWUTS, "ns/uts", }, + { CLONE_NEWNET, "ns/net", }, + { CLONE_NEWPID, "ns/pid", }, + { CLONE_NEWNS, "ns/mnt", }, +}; +/* + * Upstream nsenter doesn't support the short option for --preserve-credentials + */ +static const char opt_str[] = "U::i::u::n::p::m::""t+S+G+r::w::F"; + +#if ENABLE_FEATURE_NSENTER_LONG_OPTS +static const char nsenter_longopts[] ALIGN1 = + "user\0" Optional_argument "U" + "ipc\0" Optional_argument "i" + "uts\0" Optional_argument "u" + "network\0" Optional_argument "n" + "pid\0" Optional_argument "p" + "mount\0" Optional_argument "m" + "target\0" Required_argument "t" + "setuid\0" Required_argument "S" + "setgid\0" Required_argument "G" + "root\0" Optional_argument "r" + "wd\0" Optional_argument "w" + "no-fork\0" No_argument "F" + "preserve-credentials\0" No_argument "\xff" + ; +#endif + +/* + * Open a file and return the new descriptor. If a full path is provided in + * fs_path, then the file to which it points is opened. Otherwise (fd_path is + * NULL) the routine builds a path to a procfs file using the following + * template: '/proc//'. + */ +static int open_by_path_or_target(const char *path, + pid_t target_pid, const char *target_file) +{ + char proc_path_buf[sizeof("/proc/%u/1234567890") + sizeof(int)*3]; + + if (!path) { + if (target_pid == 0) { + /* Example: + * "nsenter -p PROG" - neither -pFILE nor -tPID given. + */ + bb_show_usage(); + } + snprintf(proc_path_buf, sizeof(proc_path_buf), + "/proc/%u/%s", (unsigned)target_pid, target_file); + path = proc_path_buf; + } + + return xopen(path, O_RDONLY); +} + +int nsenter_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; +int nsenter_main(int argc UNUSED_PARAM, char **argv) +{ + int i; + unsigned int opts; + const char *root_dir_str = NULL; + const char *wd_str = NULL; + struct namespace_ctx ns_ctx_list[NS_COUNT]; + int setgroups_failed; + int root_fd, wd_fd; + int target_pid = 0; + int uid = 0; + int gid = 0; + + memset(ns_ctx_list, 0, sizeof(ns_ctx_list)); + + IF_FEATURE_NSENTER_LONG_OPTS(applet_long_options = nsenter_longopts); + opts = getopt32(argv, opt_str, + &ns_ctx_list[NS_USR_POS].path, + &ns_ctx_list[NS_IPC_POS].path, + &ns_ctx_list[NS_UTS_POS].path, + &ns_ctx_list[NS_NET_POS].path, + &ns_ctx_list[NS_PID_POS].path, + &ns_ctx_list[NS_MNT_POS].path, + &target_pid, &uid, &gid, + &root_dir_str, &wd_str + ); + argv += optind; + + root_fd = wd_fd = -1; + if (opts & OPT_root) + root_fd = open_by_path_or_target(root_dir_str, + target_pid, "root"); + if (opts & OPT_wd) + wd_fd = open_by_path_or_target(wd_str, target_pid, "cwd"); + + for (i = 0; i < NS_COUNT; i++) { + const struct namespace_descr *ns = &ns_list[i]; + struct namespace_ctx *ns_ctx = &ns_ctx_list[i]; + + ns_ctx->fd = -1; + if (opts & (1 << i)) + ns_ctx->fd = open_by_path_or_target(ns_ctx->path, + target_pid, ns->ns_nsfile8); + } + + /* + * Entering the user namespace without --preserve-credentials implies + * --setuid & --setgid and clearing root's groups. + */ + setgroups_failed = 0; + if ((opts & OPT_user) && !(opts & OPT_prescred)) { + opts |= (OPT_setuid | OPT_setgid); + /* + * We call setgroups() before and after setns() and only + * bail-out if it fails twice. + */ + setgroups_failed = (setgroups(0, NULL) < 0); + } + + for (i = 0; i < NS_COUNT; i++) { + const struct namespace_descr *ns = &ns_list[i]; + struct namespace_ctx *ns_ctx = &ns_ctx_list[i]; + + if (ns_ctx->fd < 0) + continue; + if (setns(ns_ctx->fd, ns->flag)) { + bb_perror_msg_and_die( + "setns(): can't reassociate to namespace '%s'", + ns->ns_nsfile8 + 3 /* skip over "ns/" */ + ); + } + /*close(ns_ctx->fd);*/ + /*ns_ctx->fd = -1;*/ + } + + if (root_fd >= 0) { + if (wd_fd < 0) { + /* + * Save the current working directory if we're not + * changing it. + */ + wd_fd = xopen(".", O_RDONLY); + } + xfchdir(root_fd); + xchroot("."); + /*close(root_fd);*/ + /*root_fd = -1;*/ + } + + if (wd_fd >= 0) { + xfchdir(wd_fd); + /*close(wd_fd);*/ + /*wd_fd = -1;*/ + } + + /* + * Entering the pid namespace implies forking unless it's been + * explicitly requested by the user not to. + */ + if (!(opts & OPT_nofork) && (opts & OPT_pid)) { + pid_t pid = xvfork(); + if (pid > 0) { + /* Parent */ + int exit_status = wait_for_exitstatus(pid); + if (WIFSIGNALED(exit_status)) + kill_myself_with_sig(WTERMSIG(exit_status)); + return WEXITSTATUS(exit_status); + } + /* Child continues */ + } + + if (opts & OPT_setgid) { + if (setgroups(0, NULL) < 0 && setgroups_failed) + bb_perror_msg_and_die("setgroups"); + xsetgid(gid); + } + if (opts & OPT_setuid) + xsetuid(uid); + + if (*argv) { + BB_EXECVP_or_die(argv); + } + + run_shell(getenv("SHELL"), /*login:*/ 1, NULL, NULL); +} -- 2.25.1