author | Lennart Poettering <lennart@poettering.net> | 2013-12-17 01:03:09 +0100 |
committer | Lennart Poettering <lennart@poettering.net> | 2013-12-17 01:05:37 +0100 |
commit | a4475f577bd0daf762d6c3b4e58bc484e0cb74af (patch) | |
tree | 5dca2abf91be82c72179b9f0ba745d32d4fdc85f /src | |
parent | d003f514dab2dbf1a66e11800a50aeaf039d036c (diff) |
bus: when entering an existing namespace to connect to a container's system bus also switch over PID namespace
This is necessary to ensure that kdbus can collect creds of the
destination namespace when connecting.
Diffstat (limited to 'src')
-rw-r--r-- | src/libsystemd-bus/bus-container.c | 12 | ||||
-rw-r--r-- | src/machine/machinectl.c | 6 | ||||
-rw-r--r-- | src/shared/logs-show.c | 6 | ||||
-rw-r--r-- | src/shared/util.c | 36 | ||||
-rw-r--r-- | src/shared/util.h | 4 |
5 files changed, 38 insertions, 26 deletions
diff --git a/src/libsystemd-bus/bus-container.c b/src/libsystemd-bus/bus-container.c index 5d31f5afa7..9ad6e65c73 100644 --- a/src/libsystemd-bus/bus-container.c +++ b/src/libsystemd-bus/bus-container.c @@ -29,7 +29,7 @@ #include "bus-container.h" int bus_container_connect_socket(sd_bus *b) { - _cleanup_close_ int nsfd = -1, rootfd = -1; + _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1; pid_t leader, child; siginfo_t si; int r; @@ -42,7 +42,7 @@ int bus_container_connect_socket(sd_bus *b) { if (r < 0) return r; - r = namespace_open(leader, &nsfd, &rootfd); + r = namespace_open(leader, &pidnsfd, &mntnsfd, &rootfd); if (r < 0) return r; @@ -62,7 +62,7 @@ int bus_container_connect_socket(sd_bus *b) { if (child == 0) { - r = namespace_enter(nsfd, rootfd); + r = namespace_enter(pidnsfd, mntnsfd, rootfd); if (r < 0) _exit(255); @@ -95,7 +95,7 @@ int bus_container_connect_socket(sd_bus *b) { int bus_container_connect_kernel(sd_bus *b) { _cleanup_close_pipe_ int pair[2] = { -1, -1 }; - _cleanup_close_ int nsfd = -1, rootfd = -1; + _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1; union { struct cmsghdr cmsghdr; uint8_t buf[CMSG_SPACE(sizeof(int))]; @@ -118,7 +118,7 @@ int bus_container_connect_kernel(sd_bus *b) { if (r < 0) return r; - r = namespace_open(leader, &nsfd, &rootfd); + r = namespace_open(leader, &pidnsfd, &mntnsfd, &rootfd); if (r < 0) return r; @@ -133,7 +133,7 @@ int bus_container_connect_kernel(sd_bus *b) { close_nointr_nofail(pair[0]); pair[0] = -1; - r = namespace_enter(nsfd, rootfd); + r = namespace_enter(pidnsfd, mntnsfd, rootfd); if (r < 0) _exit(EXIT_FAILURE); diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c index f5485b3d42..fd21a0a815 100644 --- a/src/machine/machinectl.c +++ b/src/machine/machinectl.c 
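Review bot: In the `child == 0` path of bus_container_connect_socket() the forked child calls namespace_enter() and then, as far as the surrounding code shows, performs the connect itself; per setns(2), joining a PID namespace with CLONE_NEWPID does not move the calling process, it only places children created afterwards into the target namespace, so this child still connects with host-PID-namespace identity, which appears to be what the commit message wants to avoid. If kdbus really keys the collected creds on the peer's PID namespace, the child should fork once more after `namespace_enter(pidnsfd, mntnsfd, rootfd)` succeeds and let the grandchild do the connect while the intermediate process waits on it and propagates the exit status. The same applies to the child path in bus_container_connect_kernel() in the last hunk. Both function bodies start and end outside these hunks, so I may be missing a later re-fork.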
@@ -399,7 +399,7 @@ static int terminate_machine(sd_bus *bus, char **args, unsigned n) { static int openpt_in_namespace(pid_t pid, int flags) { _cleanup_close_pipe_ int pair[2] = { -1, -1 }; - _cleanup_close_ int nsfd = -1, rootfd = -1; + _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1; union { struct cmsghdr cmsghdr; uint8_t buf[CMSG_SPACE(sizeof(int))]; @@ -413,7 +413,7 @@ static int openpt_in_namespace(pid_t pid, int flags) { pid_t child; siginfo_t si; - r = namespace_open(pid, &nsfd, &rootfd); + r = namespace_open(pid, &pidnsfd, &mntnsfd, &rootfd); if (r < 0) return r; @@ -428,7 +428,7 @@ static int openpt_in_namespace(pid_t pid, int flags) { close_nointr_nofail(pair[0]); pair[0] = -1; - r = namespace_enter(nsfd, rootfd); + r = namespace_enter(pidnsfd, mntnsfd, rootfd); if (r < 0) _exit(EXIT_FAILURE); diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c index b24bce50c0..0f27c4ee41 100644 --- a/src/shared/logs-show.c +++ b/src/shared/logs-show.c @@ -1117,7 +1117,7 @@ int add_matches_for_user_unit(sd_journal *j, const char *unit, uid_t uid) { static int get_boot_id_for_machine(const char *machine, sd_id128_t *boot_id) { _cleanup_close_pipe_ int pair[2] = { -1, -1 }; - _cleanup_close_ int nsfd = -1, rootfd = -1; + _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1; pid_t pid, child; siginfo_t si; char buf[37]; @@ -1134,7 +1134,7 @@ static int get_boot_id_for_machine(const char *machine, sd_id128_t *boot_id) { if (r < 0) return r; - r = namespace_open(pid, &nsfd, &rootfd); + r = namespace_open(pid, &pidnsfd, &mntnsfd, &rootfd); if (r < 0) return r; @@ -1151,7 +1151,7 @@ static int get_boot_id_for_machine(const char *machine, sd_id128_t *boot_id) { close_nointr_nofail(pair[0]); pair[0] = -1; - r = namespace_enter(nsfd, rootfd); + r = namespace_enter(pidnsfd, mntnsfd, rootfd); if (r < 0) _exit(EXIT_FAILURE); diff --git a/src/shared/util.c b/src/shared/util.c index c396fc7c6d..cdc58e394f 100644 --- a/src/shared/util.c 
+++ b/src/shared/util.c @@ -6029,18 +6029,24 @@ int container_get_leader(const char *machine, pid_t *pid) { return 0; } -int namespace_open(pid_t pid, int *namespace_fd, int *root_fd) { - _cleanup_close_ int nsfd = -1; - const char *ns, *root; +int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *root_fd) { + _cleanup_close_ int pidnsfd = -1, mntnsfd = -1; + const char *pidns, *mntns, *root; int rfd; assert(pid >= 0); - assert(namespace_fd); + assert(pidns_fd); + assert(mntns_fd); assert(root_fd); - ns = procfs_file_alloca(pid, "ns/mnt"); - nsfd = open(ns, O_RDONLY|O_NOCTTY|O_CLOEXEC); - if (nsfd < 0) + mntns = procfs_file_alloca(pid, "ns/mnt"); + mntnsfd = open(mntns, O_RDONLY|O_NOCTTY|O_CLOEXEC); + if (mntnsfd < 0) + return -errno; + + pidns = procfs_file_alloca(pid, "ns/pid"); + pidnsfd = open(pidns, O_RDONLY|O_NOCTTY|O_CLOEXEC); + if (pidnsfd < 0) return -errno; root = procfs_file_alloca(pid, "root"); @@ -6048,18 +6054,24 @@ int namespace_open(pid_t pid, int *namespace_fd, int *root_fd) { if (rfd < 0) return -errno; - *namespace_fd = nsfd; + *pidns_fd = pidnsfd; + *mntns_fd = mntnsfd; *root_fd = rfd; - nsfd = -1; + pidnsfd = -1; + mntnsfd = -1; return 0; } -int namespace_enter(int namespace_fd, int root_fd) { - assert(namespace_fd >= 0); +int namespace_enter(int pidns_fd, int mntns_fd, int root_fd) { + assert(pidns_fd >= 0); + assert(mntns_fd >= 0); assert(root_fd >= 0); - if (setns(namespace_fd, CLONE_NEWNS) < 0) + if (setns(pidns_fd, CLONE_NEWPID) < 0) + return -errno; + + if (setns(mntns_fd, CLONE_NEWNS) < 0) return -errno; if (fchdir(root_fd) < 0) diff --git a/src/shared/util.h b/src/shared/util.h index 6fc77808d4..57689e9cf3 100644 --- a/src/shared/util.h +++ b/src/shared/util.h 
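Review bot: namespace_open() now opens three separate /proc/&lt;pid&gt; paths (`ns/mnt`, `ns/pid`, and `root` in the next hunk) with no link between them, so if the leader exits and the pid is recycled between the opens, the returned fds can describe two different processes, and the caller will setns() into one process's namespaces while chdir/chroot'ing into another's; since the caller runs as root and later enters these namespaces, the mismatch is worth closing. Open the `/proc/<pid>` directory once and resolve the three entries with openat() relative to that fd, so all of them come from the same process instance. This assumes procfs_file_alloca() tolerates an empty suffix (or the directory path is built directly); the function's tail, including the existing open of `root` and its flags, lies in the next hunk and is left as is apart from switching it to openat().
```c
int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *root_fd) {
        _cleanup_close_ int procfd = -1, pidnsfd = -1, mntnsfd = -1;
        int rfd;

        /* … unchanged: asserts … */

        /* Pin /proc/<pid> once so the namespace and root fds below all
         * refer to the same process even if the pid is recycled meanwhile. */
        procfd = open(procfs_file_alloca(pid, ""), O_RDONLY|O_DIRECTORY|O_CLOEXEC);
        if (procfd < 0)
                return -errno;

        mntnsfd = openat(procfd, "ns/mnt", O_RDONLY|O_NOCTTY|O_CLOEXEC);
        if (mntnsfd < 0)
                return -errno;

        pidnsfd = openat(procfd, "ns/pid", O_RDONLY|O_NOCTTY|O_CLOEXEC);
        if (pidnsfd < 0)
                return -errno;

        /* … unchanged: open of "root" (now openat(procfd, "root", …)), error check, output assignment … */
```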
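Review bot: The new `setns(pidns_fd, CLONE_NEWPID)` in namespace_enter() carries a contract that nothing in the function or its callers documents: per setns(2), the calling process keeps its own PID namespace and only children it creates afterwards are placed in the target one, so every caller that wants to act inside the container must fork again after this function returns. That is easy to get wrong because the mount-namespace setns() right below does take effect immediately for the caller. Add a comment above the first setns() call: `/* Joining a PID namespace only affects children created afterwards (setns(2)); the caller must fork again after this returns if it needs to run inside the container's PID namespace itself. */`. The chroot/fchdir tail of the function is outside this hunk.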
@@ -793,5 +793,5 @@ int proc_cmdline(char **ret); int container_get_leader(const char *machine, pid_t *pid); -int namespace_open(pid_t pid, int *namespace_fd, int *root_fd); -int namespace_enter(int namespace_fd, int root_fd); +int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *root_fd); +int namespace_enter(int pidns_fd, int mntns_fd, int root_fd); |
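Review bot: The two prototypes have grown a second namespace fd without any statement of ownership or of the fork-then-enter usage every visible caller follows, so the header is the right place to pin that down. Above namespace_open() add `/* Opens the pid namespace, mount namespace and root directory of 'pid'; on success the caller owns and must close all three fds. */`, and above namespace_enter() add `/* Meant to be called in a forked child: joins the namespaces and chroots into root_fd; joining the PID namespace only takes effect for children created afterwards (setns(2)). */`.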