1 /* vi: set sw=4 ts=4: */
3 * Mini unshare implementation for busybox.
5 * Copyright (C) 2016 by Bartosz Golaszewski <bartekgola@gmail.com>
7 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
9 //config:config UNSHARE
10 //config: bool "unshare (9.2 kb)"
12 //config: depends on !NOMMU
13 //config: select PLATFORM_LINUX
14 //config: select LONG_OPTS
16 //config: Run program with some namespaces unshared from parent.
18 // needs LONG_OPTS: it is awkward to exclude code which handles --propagation
19 // and --setgroups based on LONG_OPTS, so instead applet requires LONG_OPTS.
20 // depends on !NOMMU: we need fork()
22 //applet:IF_UNSHARE(APPLET(unshare, BB_DIR_USR_BIN, BB_SUID_DROP))
24 //kbuild:lib-$(CONFIG_UNSHARE) += unshare.o
26 //usage:#define unshare_trivial_usage
27 //usage: "[OPTIONS] [PROG [ARGS]]"
28 //usage:#define unshare_full_usage "\n"
29 //usage: "\n -m,--mount[=FILE] Unshare mount namespace"
30 //usage: "\n -u,--uts[=FILE] Unshare UTS namespace (hostname etc.)"
31 //usage: "\n -i,--ipc[=FILE] Unshare System V IPC namespace"
32 //usage: "\n -n,--net[=FILE] Unshare network namespace"
33 //usage: "\n -p,--pid[=FILE] Unshare PID namespace"
34 //usage: "\n -U,--user[=FILE] Unshare user namespace"
35 //usage: "\n -f,--fork Fork before execing PROG"
36 //usage: "\n -r,--map-root-user Map current user to root (implies -U)"
37 //usage: "\n --mount-proc[=DIR] Mount /proc filesystem first (implies -m)"
38 //usage: "\n --propagation slave|shared|private|unchanged"
39 //usage: "\n Modify mount propagation in mount namespace"
40 //usage: "\n --setgroups allow|deny Control the setgroups syscall in user namespaces"
44 # define CLONE_NEWUTS 0x04000000
47 # define CLONE_NEWIPC 0x08000000
50 # define CLONE_NEWUSER 0x10000000
53 # define CLONE_NEWPID 0x20000000
56 # define CLONE_NEWNET 0x40000000
59 #include <sys/mount.h>
61 # define MS_REC (1 << 14)
64 # define MS_PRIVATE (1 << 18)
67 # define MS_SLAVE (1 << 19)
70 # define MS_SHARED (1 << 20)
75 static void mount_or_die(const char *source, const char *target,
76 const char *fstype, unsigned long mountflags)
78 if (mount(source, target, fstype, mountflags, NULL)) {
79 bb_perror_msg_and_die("can't mount %s on %s (flags:0x%lx)",
80 source, target, mountflags);
81 /* fstype is always either NULL or "proc".
82 * "proc" is only used to mount /proc.
83 * No need to clutter up error message with fstype,
84 * it is easily deductible.
89 #define PATH_PROC_SETGROUPS "/proc/self/setgroups"
90 #define PATH_PROC_UIDMAP "/proc/self/uid_map"
91 #define PATH_PROC_GIDMAP "/proc/self/gid_map"
93 struct namespace_descr {
95 const char nsfile4[4];
98 struct namespace_ctx {
108 OPT_user = 1 << 5, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */
110 OPT_map_root = 1 << 7,
111 OPT_mount_proc = 1 << 8,
112 OPT_propagation = 1 << 9,
113 OPT_setgroups = 1 << 10,
121 NS_USR_POS, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */
124 static const struct namespace_descr ns_list[] = {
125 { CLONE_NEWNS, "mnt" },
126 { CLONE_NEWUTS, "uts" },
127 { CLONE_NEWIPC, "ipc" },
128 { CLONE_NEWNET, "net" },
129 { CLONE_NEWPID, "pid" },
130 { CLONE_NEWUSER, "user" }, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */
134 * Upstream unshare doesn't support short options for --mount-proc,
135 * --propagation, --setgroups.
136 * Optional arguments (namespace mountpoints) exist only for long opts,
137 * we are forced to use "fake" letters for them.
138 * '+': stop at first non-option.
140 #define OPT_STR "+muinpU""fr""\xfd::""\xfe:""\xff:"
141 static const char unshare_longopts[] ALIGN1 =
142 "mount\0" Optional_argument "\xf0"
143 "uts\0" Optional_argument "\xf1"
144 "ipc\0" Optional_argument "\xf2"
145 "net\0" Optional_argument "\xf3"
146 "pid\0" Optional_argument "\xf4"
147 "user\0" Optional_argument "\xf5"
148 "fork\0" No_argument "f"
149 "map-root-user\0" No_argument "r"
150 "mount-proc\0" Optional_argument "\xfd"
151 "propagation\0" Required_argument "\xfe"
152 "setgroups\0" Required_argument "\xff"
155 /* Ugly-looking string reuse trick */
156 #define PRIVATE_STR "private\0""unchanged\0""shared\0""slave\0"
157 #define PRIVATE_UNCHANGED_SHARED_SLAVE PRIVATE_STR
159 static unsigned long parse_propagation(const char *prop_str)
161 int i = index_in_strings(PRIVATE_UNCHANGED_SHARED_SLAVE, prop_str);
163 bb_error_msg_and_die("unrecognized: --%s=%s", "propagation", prop_str);
165 return MS_REC | MS_PRIVATE;
169 return MS_REC | MS_SHARED;
170 return MS_REC | MS_SLAVE;
173 static void mount_namespaces(pid_t pid, struct namespace_ctx *ns_ctx_list)
175 const struct namespace_descr *ns;
176 struct namespace_ctx *ns_ctx;
179 for (i = 0; i < NS_COUNT; i++) {
180 char nsf[sizeof("/proc/%u/ns/AAAA") + sizeof(int)*3];
183 ns_ctx = &ns_ctx_list[i];
186 sprintf(nsf, "/proc/%u/ns/%.4s", (unsigned)pid, ns->nsfile4);
187 mount_or_die(nsf, ns_ctx->path, NULL, MS_BIND);
191 int unshare_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
192 int unshare_main(int argc UNUSED_PARAM, char **argv)
197 uintptr_t need_mount;
198 const char *proc_mnt_target;
199 const char *prop_str;
200 const char *setgrp_str;
201 unsigned long prop_flags;
202 uid_t reuid = geteuid();
203 gid_t regid = getegid();
205 pid_t child = child; /* for compiler */
206 struct namespace_ctx ns_ctx_list[NS_COUNT];
208 memset(ns_ctx_list, 0, sizeof(ns_ctx_list));
209 proc_mnt_target = "/proc";
210 prop_str = PRIVATE_STR;
213 opts = getopt32long(argv, "^" OPT_STR "\0"
214 "\xf0""m" /* long opts (via their "fake chars") imply short opts */
220 ":rU" /* --map-root-user or -r implies -U */
221 ":\xfd""m" /* --mount-proc implies -m */
223 &proc_mnt_target, &prop_str, &setgrp_str,
224 &ns_ctx_list[NS_MNT_POS].path,
225 &ns_ctx_list[NS_UTS_POS].path,
226 &ns_ctx_list[NS_IPC_POS].path,
227 &ns_ctx_list[NS_NET_POS].path,
228 &ns_ctx_list[NS_PID_POS].path,
229 &ns_ctx_list[NS_USR_POS].path
232 //bb_error_msg("opts:0x%x", opts);
233 //bb_error_msg("mount:%s", ns_ctx_list[NS_MNT_POS].path);
234 //bb_error_msg("proc_mnt_target:%s", proc_mnt_target);
235 //bb_error_msg("prop_str:%s", prop_str);
236 //bb_error_msg("setgrp_str:%s", setgrp_str);
240 if (strcmp(setgrp_str, "allow") == 0) {
241 if (opts & OPT_map_root) {
242 bb_error_msg_and_die(
243 "--setgroups=allow and --map-root-user "
244 "are mutually exclusive"
248 /* It's not "allow", must be "deny" */
249 if (strcmp(setgrp_str, "deny") != 0)
250 bb_error_msg_and_die("unrecognized: --%s=%s",
251 "setgroups", setgrp_str);
257 for (i = 0; i < NS_COUNT; i++) {
258 const struct namespace_descr *ns = &ns_list[i];
259 struct namespace_ctx *ns_ctx = &ns_ctx_list[i];
262 unsflags |= ns->flag;
264 need_mount |= (uintptr_t)(ns_ctx->path);
266 /* need_mount != 0 if at least one FILE was given */
268 prop_flags = MS_REC | MS_PRIVATE;
269 /* Silently ignore --propagation if --mount is not requested. */
270 if (opts & OPT_mount)
271 prop_flags = parse_propagation(prop_str);
274 * Special case: if we were requested to unshare the mount namespace
275 * AND to make any namespace persistent (by bind mounting it) we need
276 * to spawn a child process which will wait for the parent to call
277 * unshare(), then mount parent's namespaces while still in the
278 * previous namespace.
281 if (need_mount && (opts & OPT_mount)) {
283 * Can't use getppid() in child, as we can be unsharing the
286 pid_t ppid = getpid();
295 /* Wait until parent calls unshare() */
296 read(fdp.rd, ns_ctx_list, 1); /* ...using bogus buffer */
299 /* Mount parent's unshared namespaces. */
300 mount_namespaces(ppid, ns_ctx_list);
303 /* Parent continues */
306 if (unshare(unsflags) != 0)
307 bb_perror_msg_and_die("unshare(0x%x)", unsflags);
310 close(fdp.wr); /* Release child */
311 close(fdp.rd); /* should close fd, to not confuse exec'ed PROG */
315 /* Wait for the child to finish mounting the namespaces. */
316 if (opts & OPT_mount) {
317 int exit_status = wait_for_exitstatus(child);
318 if (WIFEXITED(exit_status) &&
319 WEXITSTATUS(exit_status) != EXIT_SUCCESS)
320 return WEXITSTATUS(exit_status);
323 * Regular way - we were requested to mount some other
324 * namespaces: mount them after the call to unshare().
326 mount_namespaces(getpid(), ns_ctx_list);
331 * When we're unsharing the pid namespace, it's not the process that
332 * calls unshare() that is put into the new namespace, but its first
333 * child. The user may want to use this option to spawn a new process
334 * that'll become PID 1 in this new namespace.
336 if (opts & OPT_fork) {
337 xvfork_parent_waits_and_exits();
338 /* Child continues */
341 if (opts & OPT_map_root) {
342 char uidmap_buf[sizeof("0 %u 1") + sizeof(int)*3];
345 * Since Linux 3.19 unprivileged writing of /proc/self/gid_map
346 * has been disabled unless /proc/self/setgroups is written
347 * first to permanently disable the ability to call setgroups
348 * in that user namespace.
350 xopen_xwrite_close(PATH_PROC_SETGROUPS, "deny");
351 sprintf(uidmap_buf, "0 %u 1", (unsigned)reuid);
352 xopen_xwrite_close(PATH_PROC_UIDMAP, uidmap_buf);
353 sprintf(uidmap_buf, "0 %u 1", (unsigned)regid);
354 xopen_xwrite_close(PATH_PROC_GIDMAP, uidmap_buf);
357 /* Write "allow" or "deny" */
358 xopen_xwrite_close(PATH_PROC_SETGROUPS, setgrp_str);
361 if (opts & OPT_mount) {
362 mount_or_die("none", "/", NULL, prop_flags);
365 if (opts & OPT_mount_proc) {
367 * When creating a new pid namespace, we might want the pid
368 * subdirectories in /proc to remain consistent with the new
369 * process IDs. Without --mount-proc the pids in /proc would
370 * still reflect the old pid namespace. This is why we make
371 * /proc private here and then do a fresh mount.
373 mount_or_die("none", proc_mnt_target, NULL, MS_PRIVATE | MS_REC);
374 mount_or_die("proc", proc_mnt_target, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV);
377 exec_prog_or_SHELL(argv);
projects / oweals / busybox.git / blob