1 // SPDX-License-Identifier: GPL-2.0
14 #include <linux/bpf.h>
15 #include <linux/sched.h>
16 #include <linux/seccomp.h>
26 #include <sys/syscall.h>
27 #include <sys/types.h>
34 /* A few helpful macros. */
35 #define STRLITERALLEN(x) (sizeof(""x"") - 1)
37 #define INTTYPE_TO_STRLEN(type) \
38 (2 + (sizeof(type) <= 1 \
44 : sizeof(type) <= 8 ? 20 : sizeof(int[-2 * (sizeof(type) > 8)])))
46 #define syserror(format, ...) \
48 fprintf(stderr, format, ##__VA_ARGS__); \
52 #define syserror_set(__ret__, format, ...) \
54 typeof(__ret__) __internal_ret__ = (__ret__); \
55 errno = labs(__ret__); \
56 fprintf(stderr, format, ##__VA_ARGS__); \
66 #define list_for_each(__iterator, __list) \
67 for (__iterator = (__list)->next; __iterator != __list; __iterator = __iterator->next)
69 static inline void list_init(struct list *list)
72 list->next = list->prev = list;
75 static inline int list_empty(const struct list *list)
77 return list == list->next;
80 static inline void __list_add(struct list *new, struct list *prev, struct list *next)
88 static inline void list_add_tail(struct list *head, struct list *list)
90 __list_add(list, head->prev, head);
93 typedef enum idmap_type_t {
99 idmap_type_t map_type;
105 static struct list active_map;
107 static int add_map_entry(__u32 id_host,
110 idmap_type_t map_type)
112 struct list *new_list = NULL;
113 struct id_map *newmap = NULL;
115 newmap = malloc(sizeof(*newmap));
119 new_list = malloc(sizeof(struct list));
125 *newmap = (struct id_map){
129 .map_type = map_type,
132 new_list->elem = newmap;
133 list_add_tail(&active_map, new_list);
137 static int parse_map(char *map)
139 char types[2] = {'u', 'g'};
141 __u32 id_host, id_ns, range;
147 ret = sscanf(map, "%c:%u:%u:%u", &which, &id_ns, &id_host, &range);
151 if (which != 'b' && which != 'u' && which != 'g')
154 for (i = 0; i < 2; i++) {
155 idmap_type_t map_type;
157 if (which != types[i] && which != 'b')
161 map_type = ID_TYPE_UID;
163 map_type = ID_TYPE_GID;
165 ret = add_map_entry(id_host, id_ns, range, map_type);
173 static int write_id_mapping(idmap_type_t map_type, pid_t pid, const char *buf, size_t buf_size)
175 int fd = -EBADF, setgroups_fd = -EBADF;
178 char path[STRLITERALLEN("/proc/") + INTTYPE_TO_STRLEN(pid_t) +
179 STRLITERALLEN("/setgroups") + 1];
181 if (geteuid() != 0 && map_type == ID_TYPE_GID) {
182 ret = snprintf(path, sizeof(path), "/proc/%d/setgroups", pid);
183 if (ret < 0 || ret >= sizeof(path))
186 setgroups_fd = open(path, O_WRONLY | O_CLOEXEC);
187 if (setgroups_fd < 0 && errno != ENOENT) {
188 syserror("Failed to open \"%s\"", path);
192 if (setgroups_fd >= 0) {
193 ret = write_nointr(setgroups_fd, "deny\n", STRLITERALLEN("deny\n"));
194 if (ret != STRLITERALLEN("deny\n")) {
195 syserror("Failed to write \"deny\" to \"/proc/%d/setgroups\"", pid);
201 ret = snprintf(path, sizeof(path), "/proc/%d/%cid_map", pid, map_type == ID_TYPE_UID ? 'u' : 'g');
202 if (ret < 0 || ret >= sizeof(path))
205 fd = open(path, O_WRONLY | O_CLOEXEC);
207 syserror("Failed to open \"%s\"", path);
211 ret = write_nointr(fd, buf, buf_size);
212 if (ret != buf_size) {
213 syserror("Failed to write %cid mapping to \"%s\"",
214 map_type == ID_TYPE_UID ? 'u' : 'g', path);
222 if (setgroups_fd >= 0)
228 static int map_ids_from_idmap(struct list *idmap, pid_t pid)
231 char mapbuf[4096] = {};
232 bool had_entry = false;
233 idmap_type_t map_type, u_or_g;
235 for (map_type = ID_TYPE_UID, u_or_g = 'u';
236 map_type <= ID_TYPE_GID; map_type++, u_or_g = 'g') {
239 struct list *iterator;
242 list_for_each(iterator, idmap) {
243 struct id_map *map = iterator->elem;
244 if (map->map_type != map_type)
249 left = 4096 - (pos - mapbuf);
250 fill = snprintf(pos, left, "%u %u %u\n", map->nsid, map->hostid, map->range);
252 * The kernel only takes <= 4k for writes to
253 * /proc/<pid>/{g,u}id_map
255 if (fill <= 0 || fill >= left)
256 return syserror_set(-E2BIG, "Too many %cid mappings defined", u_or_g);
263 ret = write_id_mapping(map_type, pid, mapbuf, pos - mapbuf);
265 return syserror("Failed to write mapping: %s", mapbuf);
267 memset(mapbuf, 0, sizeof(mapbuf));
273 static int get_userns_fd_from_idmap(struct list *idmap)
277 char path_ns[STRLITERALLEN("/proc/") + INTTYPE_TO_STRLEN(pid_t) +
278 STRLITERALLEN("/ns/user") + 1];
280 pid = do_clone(get_userns_fd_cb, NULL, CLONE_NEWUSER | CLONE_NEWNS);
284 ret = map_ids_from_idmap(idmap, pid);
288 ret = snprintf(path_ns, sizeof(path_ns), "/proc/%d/ns/user", pid);
289 if (ret < 0 || (size_t)ret >= sizeof(path_ns))
292 ret = open(path_ns, O_RDONLY | O_CLOEXEC | O_NOCTTY);
294 (void)kill(pid, SIGKILL);
295 (void)wait_for_pid(pid);
299 static inline bool strnequal(const char *str, const char *eq, size_t len)
301 return strncmp(str, eq, len) == 0;
304 static void usage(void)
306 const char *text = "\
307 mount-idmapped --map-mount=<idmap> <source> <target>\n\
309 Create an idmapped mount of <source> at <target>\n\
311 --map-mount=<idmap>\n\
312 Specify an idmap for the <target> mount in the format\n\
313 <idmap-type>:<id-from>:<id-to>:<id-range>\n\
314 The <idmap-type> can be:\n\
315 \"b\" or \"both\" -> map both uids and gids\n\
316 \"u\" or \"uid\" -> map uids\n\
317 \"g\" or \"gid\" -> map gids\n\
318 For example, specifying:\n\
319 both:1000:1001:1 -> map uid and gid 1000 to uid and gid 1001 in <target> and no other ids\n\
320 uid:20000:100000:1000 -> map uid 20000 to uid 100000, uid 20001 to uid 100001 [...] in <target>\n\
321 Currently up to 340 separate idmappings may be specified.\n\n\
322 --map-mount=/proc/<pid>/ns/user\n\
323 Specify a path to a user namespace whose idmap is to be used.\n\n\
325 Copy the whole mount tree from <source> and apply the idmap to everyone at <target>.\n\n\
327 - Create an idmapped mount of /source on /target with both ('b') uids and gids mapped:\n\
328 mount-idmapped --map-mount b:0:10000:10000 /source /target\n\n\
329 - Create an idmapped mount of /source on /target with uids ('u') and gids ('g') mapped separately:\n\
330 mount-idmapped --map-mount u:0:10000:10000 g:0:20000:20000 /source /target\n\n\
332 fprintf(stderr, "%s", text);
336 #define exit_usage(format, ...) \
338 fprintf(stderr, format, ##__VA_ARGS__); \
342 #define exit_log(format, ...) \
344 fprintf(stderr, format, ##__VA_ARGS__); \
345 exit(EXIT_FAILURE); \
348 static const struct option longopts[] = {
349 {"map-mount", required_argument, 0, 'a'},
350 {"help", no_argument, 0, 'c'},
351 {"recursive", no_argument, 0, 'd'},
355 int main(int argc, char *argv[])
357 int fd_userns = -EBADF;
359 const char *source = NULL, *target = NULL;
360 bool recursive = false;
361 int fd_tree, new_argc, ret;
362 char *const *new_argv;
364 list_init(&active_map);
365 while ((ret = getopt_long_only(argc, argv, "", longopts, &index)) != -1) {
368 if (strnequal(optarg, "/proc/", STRLITERALLEN("/proc/"))) {
369 fd_userns = open(optarg, O_RDONLY | O_CLOEXEC);
371 exit_log("%m - Failed top open user namespace path %s\n", optarg);
375 ret = parse_map(optarg);
377 exit_log("Failed to parse idmaps for mount\n");
389 new_argv = &argv[optind];
390 new_argc = argc - optind;
392 exit_usage("Missing source or target mountpoint\n\n");
393 source = new_argv[0];
394 target = new_argv[1];
396 fd_tree = sys_open_tree(-EBADF, source,
400 (recursive ? AT_RECURSIVE : 0));
402 exit_log("%m - Failed to open %s\n", source);
406 if (!list_empty(&active_map) || fd_userns >= 0) {
407 struct mount_attr attr = {
408 .attr_set = MOUNT_ATTR_IDMAP,
412 attr.userns_fd = fd_userns;
414 attr.userns_fd = get_userns_fd_from_idmap(&active_map);
415 if (attr.userns_fd < 0)
416 exit_log("%m - Failed to create user namespace\n");
418 ret = sys_mount_setattr(fd_tree, "", AT_EMPTY_PATH | AT_RECURSIVE,
419 &attr, sizeof(attr));
421 exit_log("%m - Failed to change mount attributes\n");
422 close(attr.userns_fd);
425 ret = sys_move_mount(fd_tree, "", -EBADF, target,
426 MOVE_MOUNT_F_EMPTY_PATH);
428 exit_log("%m - Failed to attach mount to %s\n", target);