1 // SPDX-License-Identifier: GPL-2.0
14 #include <linux/bpf.h>
15 #include <linux/sched.h>
16 #include <linux/seccomp.h>
26 #include <sys/syscall.h>
27 #include <sys/types.h>
34 /* A few helpful macros. */
35 #define STRLITERALLEN(x) (sizeof(""x"") - 1)
37 #define INTTYPE_TO_STRLEN(type) \
38 (2 + (sizeof(type) <= 1 \
44 : sizeof(type) <= 8 ? 20 : sizeof(int[-2 * (sizeof(type) > 8)])))
46 #define syserror(format, ...) \
48 fprintf(stderr, format, ##__VA_ARGS__); \
52 #define syserror_set(__ret__, format, ...) \
54 typeof(__ret__) __internal_ret__ = (__ret__); \
55 errno = labs(__ret__); \
56 fprintf(stderr, format, ##__VA_ARGS__); \
66 #define list_for_each(__iterator, __list) \
67 for (__iterator = (__list)->next; __iterator != __list; __iterator = __iterator->next)
69 static inline void list_init(struct list *list)
72 list->next = list->prev = list;
75 static inline int list_empty(const struct list *list)
77 return list == list->next;
80 static inline void __list_add(struct list *new, struct list *prev, struct list *next)
88 static inline void list_add_tail(struct list *head, struct list *list)
90 __list_add(list, head->prev, head);
93 typedef enum idmap_type_t {
99 idmap_type_t map_type;
105 static struct list active_map;
107 static int add_map_entry(__u32 id_host,
110 idmap_type_t map_type)
112 struct list *new_list = NULL;
113 struct id_map *newmap = NULL;
115 newmap = malloc(sizeof(*newmap));
119 new_list = malloc(sizeof(struct list));
125 *newmap = (struct id_map){
129 .map_type = map_type,
132 new_list->elem = newmap;
133 list_add_tail(&active_map, new_list);
137 static int parse_map(char *map)
139 char types[2] = {'u', 'g'};
141 __u32 id_host, id_ns, range;
147 ret = sscanf(map, "%c:%u:%u:%u", &which, &id_ns, &id_host, &range);
151 if (which != 'b' && which != 'u' && which != 'g')
154 for (int i = 0; i < 2; i++) {
155 idmap_type_t map_type;
157 if (which != types[i] && which != 'b')
161 map_type = ID_TYPE_UID;
163 map_type = ID_TYPE_GID;
165 ret = add_map_entry(id_host, id_ns, range, map_type);
173 static int write_id_mapping(idmap_type_t map_type, pid_t pid, const char *buf, size_t buf_size)
175 int fd = -EBADF, setgroups_fd = -EBADF;
178 char path[STRLITERALLEN("/proc/") + INTTYPE_TO_STRLEN(pid_t) +
179 STRLITERALLEN("/setgroups") + 1];
181 if (geteuid() != 0 && map_type == ID_TYPE_GID) {
182 ret = snprintf(path, sizeof(path), "/proc/%d/setgroups", pid);
183 if (ret < 0 || ret >= sizeof(path))
186 setgroups_fd = open(path, O_WRONLY | O_CLOEXEC);
187 if (setgroups_fd < 0 && errno != ENOENT) {
188 syserror("Failed to open \"%s\"", path);
192 if (setgroups_fd >= 0) {
193 ret = write_nointr(setgroups_fd, "deny\n", STRLITERALLEN("deny\n"));
194 if (ret != STRLITERALLEN("deny\n")) {
195 syserror("Failed to write \"deny\" to \"/proc/%d/setgroups\"", pid);
201 ret = snprintf(path, sizeof(path), "/proc/%d/%cid_map", pid, map_type == ID_TYPE_UID ? 'u' : 'g');
202 if (ret < 0 || ret >= sizeof(path))
205 fd = open(path, O_WRONLY | O_CLOEXEC);
207 syserror("Failed to open \"%s\"", path);
211 ret = write_nointr(fd, buf, buf_size);
212 if (ret != buf_size) {
213 syserror("Failed to write %cid mapping to \"%s\"",
214 map_type == ID_TYPE_UID ? 'u' : 'g', path);
222 if (setgroups_fd >= 0)
228 static int map_ids_from_idmap(struct list *idmap, pid_t pid)
231 char mapbuf[4096] = {};
232 bool had_entry = false;
234 for (idmap_type_t map_type = ID_TYPE_UID, u_or_g = 'u';
235 map_type <= ID_TYPE_GID; map_type++, u_or_g = 'g') {
238 struct list *iterator;
241 list_for_each(iterator, idmap) {
242 struct id_map *map = iterator->elem;
243 if (map->map_type != map_type)
248 left = 4096 - (pos - mapbuf);
249 fill = snprintf(pos, left, "%u %u %u\n", map->nsid, map->hostid, map->range);
251 * The kernel only takes <= 4k for writes to
252 * /proc/<pid>/{g,u}id_map
254 if (fill <= 0 || fill >= left)
255 return syserror_set(-E2BIG, "Too many %cid mappings defined", u_or_g);
262 ret = write_id_mapping(map_type, pid, mapbuf, pos - mapbuf);
264 return syserror("Failed to write mapping: %s", mapbuf);
266 memset(mapbuf, 0, sizeof(mapbuf));
272 static int get_userns_fd_from_idmap(struct list *idmap)
276 char path_ns[STRLITERALLEN("/proc/") + INTTYPE_TO_STRLEN(pid_t) +
277 STRLITERALLEN("/ns/user") + 1];
279 pid = do_clone(get_userns_fd_cb, NULL, CLONE_NEWUSER | CLONE_NEWNS);
283 ret = map_ids_from_idmap(idmap, pid);
287 ret = snprintf(path_ns, sizeof(path_ns), "/proc/%d/ns/user", pid);
288 if (ret < 0 || (size_t)ret >= sizeof(path_ns))
291 ret = open(path_ns, O_RDONLY | O_CLOEXEC | O_NOCTTY);
293 (void)kill(pid, SIGKILL);
294 (void)wait_for_pid(pid);
298 static inline bool strnequal(const char *str, const char *eq, size_t len)
300 return strncmp(str, eq, len) == 0;
303 static void usage(void)
305 const char *text = "\
306 mount-idmapped --map-mount=<idmap> <source> <target>\n\
308 Create an idmapped mount of <source> at <target>\n\
310 --map-mount=<idmap>\n\
311 Specify an idmap for the <target> mount in the format\n\
312 <idmap-type>:<id-from>:<id-to>:<id-range>\n\
313 The <idmap-type> can be:\n\
314 \"b\" or \"both\" -> map both uids and gids\n\
315 \"u\" or \"uid\" -> map uids\n\
316 \"g\" or \"gid\" -> map gids\n\
317 For example, specifying:\n\
318 both:1000:1001:1 -> map uid and gid 1000 to uid and gid 1001 in <target> and no other ids\n\
319 uid:20000:100000:1000 -> map uid 20000 to uid 100000, uid 20001 to uid 100001 [...] in <target>\n\
320 Currently up to 340 separate idmappings may be specified.\n\n\
321 --map-mount=/proc/<pid>/ns/user\n\
322 Specify a path to a user namespace whose idmap is to be used.\n\n\
324 Copy the whole mount tree from <source> and apply the idmap to everyone at <target>.\n\n\
326 - Create an idmapped mount of /source on /target with both ('b') uids and gids mapped:\n\
327 mount-idmapped --map-mount b:0:10000:10000 /source /target\n\n\
328 - Create an idmapped mount of /source on /target with uids ('u') and gids ('g') mapped separately:\n\
329 mount-idmapped --map-mount u:0:10000:10000 g:0:20000:20000 /source /target\n\n\
331 fprintf(stderr, "%s", text);
335 #define exit_usage(format, ...) \
337 fprintf(stderr, format, ##__VA_ARGS__); \
341 #define exit_log(format, ...) \
343 fprintf(stderr, format, ##__VA_ARGS__); \
344 exit(EXIT_FAILURE); \
347 static const struct option longopts[] = {
348 {"map-mount", required_argument, 0, 'a'},
349 {"help", no_argument, 0, 'c'},
350 {"recursive", no_argument, 0, 'd'},
354 int main(int argc, char *argv[])
356 int fd_userns = -EBADF;
358 const char *source = NULL, *target = NULL;
359 bool recursive = false;
360 int fd_tree, new_argc, ret;
361 char *const *new_argv;
363 list_init(&active_map);
364 while ((ret = getopt_long_only(argc, argv, "", longopts, &index)) != -1) {
367 if (strnequal(optarg, "/proc/", STRLITERALLEN("/proc/"))) {
368 fd_userns = open(optarg, O_RDONLY | O_CLOEXEC);
370 exit_log("%m - Failed top open user namespace path %s\n", optarg);
374 ret = parse_map(optarg);
376 exit_log("Failed to parse idmaps for mount\n");
388 new_argv = &argv[optind];
389 new_argc = argc - optind;
391 exit_usage("Missing source or target mountpoint\n\n");
392 source = new_argv[0];
393 target = new_argv[1];
395 fd_tree = sys_open_tree(-EBADF, source,
399 (recursive ? AT_RECURSIVE : 0));
401 exit_log("%m - Failed to open %s\n", source);
405 if (!list_empty(&active_map) || fd_userns >= 0) {
406 struct mount_attr attr = {
407 .attr_set = MOUNT_ATTR_IDMAP,
411 attr.userns_fd = fd_userns;
413 attr.userns_fd = get_userns_fd_from_idmap(&active_map);
414 if (attr.userns_fd < 0)
415 exit_log("%m - Failed to create user namespace\n");
417 ret = sys_mount_setattr(fd_tree, "", AT_EMPTY_PATH | AT_RECURSIVE,
418 &attr, sizeof(attr));
420 exit_log("%m - Failed to change mount attributes\n");
421 close(attr.userns_fd);
424 ret = sys_move_mount(fd_tree, "", -EBADF, target,
425 MOVE_MOUNT_F_EMPTY_PATH);
427 exit_log("%m - Failed to attach mount to %s\n", target);
projects / xfstests-dev.git / blob