From f41fd946284aa30e7529bd92193632b20d77a2dd Mon Sep 17 00:00:00 2001 From: Ophestra Date: Fri, 14 Mar 2025 17:41:08 +0900 Subject: [PATCH] sandbox: write uid/gid map as init This avoids PR_SET_DUMPABLE in the parent process. Signed-off-by: Ophestra --- internal/sandbox/container.go | 12 ++++++------ internal/sandbox/container_test.go | 11 +++++++++++ internal/sandbox/init.go | 28 ++++++++++++++++++++++++---- 3 files changed, 41 insertions(+), 10 deletions(-) diff --git a/internal/sandbox/container.go b/internal/sandbox/container.go index de71f37..7638935 100644 --- a/internal/sandbox/container.go +++ b/internal/sandbox/container.go @@ -58,10 +58,6 @@ type ( InitParams // Custom [exec.Cmd] initialisation function. CommandContext func(ctx context.Context) (cmd *exec.Cmd) - // mapped uid in user namespace - Uid int - // mapped gid in user namespace - Gid int // param encoder for shim and init setup *gob.Encoder @@ -86,6 +82,10 @@ type ( // Initial process argv. Args []string + // Mapped Uid in user namespace. + Uid int + // Mapped Gid in user namespace. + Gid int // Hostname value in UTS namespace. Hostname string // Sequential container setup ops. @@ -140,8 +140,6 @@ func (p *Container) Start() error { syscall.CLONE_NEWPID | syscall.CLONE_NEWNS, - UidMappings: []syscall.SysProcIDMap{{p.Uid, syscall.Getuid(), 1}}, - GidMappings: []syscall.SysProcIDMap{{p.Gid, syscall.Getgid(), 1}}, // remain privileged for setup AmbientCaps: []uintptr{CAP_SYS_ADMIN}, @@ -200,6 +198,8 @@ func (p *Container) Serve() error { return setup.Encode( &initParams{ p.InitParams, + syscall.Getuid(), + syscall.Getgid(), len(p.ExtraFiles), fmsg.Load(), }, diff --git a/internal/sandbox/container_test.go b/internal/sandbox/container_test.go index 9837e11..082d0dc 100644 --- a/internal/sandbox/container_test.go +++ b/internal/sandbox/container_test.go @@ -9,6 +9,7 @@ import ( "os/exec" "path" "slices" + "syscall" "testing" "time" @@ -65,6 +66,8 @@ func TestContainer(t *testing.T) { container := sandbox.New(ctx, os.Args[0], "-test.v", "-test.run=TestHelperCheckContainer", "--", "check", tc.host) + container.Uid = 1000 + container.Gid = 100 container.Hostname = tc.host container.CommandContext = func(ctx context.Context) *exec.Cmd { return exec.CommandContext(ctx, os.Args[0], "-test.v", @@ -154,6 +157,14 @@ func TestHelperCheckContainer(t *testing.T) { return } + t.Run("user", func(t *testing.T) { + if uid := syscall.Getuid(); uid != 1000 { + t.Errorf("Getuid: %d, want 1000", uid) + } + if gid := syscall.Getgid(); gid != 100 { + t.Errorf("Getgid: %d, want 100", gid) + } + }) t.Run("hostname", func(t *testing.T) { if name, err := os.Hostname(); err != nil { t.Fatalf("cannot get hostname: %v", err) diff --git a/internal/sandbox/init.go b/internal/sandbox/init.go index 83bb168..6bc5270 100644 --- a/internal/sandbox/init.go +++ b/internal/sandbox/init.go @@ -33,6 +33,7 @@ const ( type initParams struct { InitParams + HostUid, HostGid int // extra files count Count int // verbosity pass through @@ -43,10 +44,6 @@ func Init(exit func(code int)) { runtime.LockOSThread() fmsg.Prepare("init") - if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil { - log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err) - } - if os.Getpid() != 1 { log.Fatal("this process must run as pid 1") } @@ -80,6 +77,29 @@ func Init(exit func(code int)) { offsetSetup = int(setupFile.Fd() + 1) } + // write uid/gid map here so parent does not need to set dumpable + if err := internal.SetDumpable(internal.SUID_DUMP_USER); err != nil { + log.Fatalf("cannot set SUID_DUMP_USER: %s", err) + } + if err := os.WriteFile("/proc/self/uid_map", + append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...), + 0); err != nil { + log.Fatalf("%v", err) + } + if err := os.WriteFile("/proc/self/setgroups", + []byte("deny\n"), + 0); err != nil && !os.IsNotExist(err) { + log.Fatalf("%v", err) + } + if err := os.WriteFile("/proc/self/gid_map", + append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...), + 0); err != nil { + log.Fatalf("%v", err) + } + if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil { + log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err) + } + if params.Hostname != "" { if err := syscall.Sethostname([]byte(params.Hostname)); err != nil { log.Fatalf("cannot set hostname: %v", err)