| Message ID | 20230307114507.332309-5-rodrigo@sdfg.com.ar (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Tests for idmapped tmpfs | expand |
On Tue, Mar 07, 2023 at 12:45:00PM +0100, Rodrigo Campos wrote: > We need PR_SET_DUMPABLE in order to write the mapping files when > creating a userns. From prctl(2) PR_SET_DUMPABLE is reset when the > process's effective user or group ID is changed. > > As we are changing the EUID here, we also reset it to allow creating > nested userns with subsequent switch_users() calls. > > This was not causing any issues because we weren't using switch_users() > to create nested userns. Nested userns were created with > userns_fd_cb()/create_userns_hierarchy() that set PR_SET_DUMPABLE. > > Future patches will rely on switch_users() to create nested userns. So > this patch fixes that. > > Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar> > --- Looks good, Reviewed-by: Christian Brauner <brauner@kernel.org>
diff --git src/vfs/utils.c src/vfs/utils.c index 67779e83..ab92c743 100644 --- src/vfs/utils.c +++ src/vfs/utils.c @@ -285,6 +285,10 @@ bool switch_ids(uid_t uid, gid_t gid) if (setresuid(uid, uid, uid)) return syserror("failure: setresuid"); + /* Ensure we can access proc files from processes we can ptrace. */ + if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)) + return syserror("failure: make dumpable"); + return true; } @@ -302,11 +306,6 @@ static int userns_fd_cb(void *data) if (c == '1') { if (!switch_ids(0, 0)) return syserror("failure: switch ids to 0"); - - /* Ensure we can access proc files from processes we can ptrace. */ - ret = prctl(PR_SET_DUMPABLE, 1, 0, 0, 0); - if (ret < 0) - return syserror("failure: make dumpable"); } ret = write_nointr(h->fd_event, "1", 1);
We need PR_SET_DUMPABLE in order to write the mapping files when creating a userns. From prctl(2) PR_SET_DUMPABLE is reset when the process's effective user or group ID is changed. As we are changing the EUID here, we also reset it to allow creating nested userns with subsequent switch_users() calls. This was not causing any issues because we weren't using switch_users() to create nested userns. Nested userns were created with userns_fd_cb()/create_userns_hierarchy() that set PR_SET_DUMPABLE. Future patches will rely on switch_users() to create nested userns. So this patch fixes that. Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar> --- src/vfs/utils.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-)