mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-12-25 20:34:52 +03:00
chrootenv-user: don't unshare user namespace if we are root
This commit is contained in:
parent
83a8e8e4ef
commit
230898ceb2
@ -53,6 +53,7 @@ $unshare = make_fcall 'unshare', [Fiddle::TYPE_INT], Fiddle::TYPE_INT
|
|||||||
|
|
||||||
MS_BIND = 0x1000
|
MS_BIND = 0x1000
|
||||||
MS_REC = 0x4000
|
MS_REC = 0x4000
|
||||||
|
MS_SLAVE = 0x80000
|
||||||
$mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP,
|
$mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP,
|
||||||
Fiddle::TYPE_VOIDP,
|
Fiddle::TYPE_VOIDP,
|
||||||
Fiddle::TYPE_VOIDP,
|
Fiddle::TYPE_VOIDP,
|
||||||
@ -92,23 +93,31 @@ root = Dir.mktmpdir 'chrootenv'
|
|||||||
# we don't use threads at all.
|
# we don't use threads at all.
|
||||||
$cpid = $fork.call
|
$cpid = $fork.call
|
||||||
if $cpid == 0
|
if $cpid == 0
|
||||||
# Save user UID and GID
|
# If we are root, no need to create new user namespace.
|
||||||
uid = Process.uid
|
if Process.uid == 0
|
||||||
gid = Process.gid
|
$unshare.call CLONE_NEWNS
|
||||||
|
# Mark all mounted filesystems as slave so changes
|
||||||
|
# don't propagate to the parent mount namespace.
|
||||||
|
$mount.call nil, '/', nil, MS_REC | MS_SLAVE, nil
|
||||||
|
else
|
||||||
|
# Save user UID and GID
|
||||||
|
uid = Process.uid
|
||||||
|
gid = Process.gid
|
||||||
|
|
||||||
# Create new mount and user namespaces
|
# Create new mount and user namespaces
|
||||||
# CLONE_NEWUSER requires a program to be non-threaded, hence
|
# CLONE_NEWUSER requires a program to be non-threaded, hence
|
||||||
# native fork above.
|
# native fork above.
|
||||||
$unshare.call CLONE_NEWNS | CLONE_NEWUSER
|
$unshare.call CLONE_NEWNS | CLONE_NEWUSER
|
||||||
|
|
||||||
# Map users and groups to the parent namespace
|
# Map users and groups to the parent namespace
|
||||||
begin
|
begin
|
||||||
# setgroups is only available since Linux 3.19
|
# setgroups is only available since Linux 3.19
|
||||||
write_file '/proc/self/setgroups', 'deny'
|
write_file '/proc/self/setgroups', 'deny'
|
||||||
rescue
|
rescue
|
||||||
|
end
|
||||||
|
write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
|
||||||
|
write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
|
||||||
end
|
end
|
||||||
write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
|
|
||||||
write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
|
|
||||||
|
|
||||||
# Do rbind mounts.
|
# Do rbind mounts.
|
||||||
mounts.each do |from, rto|
|
mounts.each do |from, rto|
|
||||||
@ -117,6 +126,8 @@ if $cpid == 0
|
|||||||
$mount.call from, to, nil, MS_BIND | MS_REC, nil
|
$mount.call from, to, nil, MS_BIND | MS_REC, nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Don't make root private so privilege drops inside chroot are possible
|
||||||
|
File.chmod(0755, root)
|
||||||
# Chroot!
|
# Chroot!
|
||||||
Dir.chroot root
|
Dir.chroot root
|
||||||
Dir.chdir '/'
|
Dir.chdir '/'
|
||||||
|
Loading…
Reference in New Issue
Block a user