From 671c34195896e89f935d842b13f52a748bd8a5b4 Mon Sep 17 00:00:00 2001 From: Richard Maw Date: Mon, 17 Aug 2015 08:52:13 +0000 Subject: namespace helpers: Allow entering a UID namespace To be able to use `systemd-run` or `machinectl login` on a container that is in a private user namespace, the sub-process must have entered the user namespace before connecting to the container's D-Bus, otherwise the UID and GID in the peer credentials are garbage. So we extend namespace_open and namespace_enter to support UID namespaces, and we enter the UID namespace in bus_container_connect_{socket,kernel}. namespace_open will degrade to a no-op if user namespaces are not enabled in the kernel. Special handling is required for the setns call in namespace_enter with a user namespace, since transitioning to your own namespace is forbidden, as it would result in re-entering your user namespace as root. Arguably it may be valid to check this at the call site, rather than inside namespace_enter, but it is less code to do it inside, and if the intention of calling namespace_enter is to *be* in the target namespace, rather than to transition to the target namespace, it is a reasonable approach. The check for whether the user namespace is the same must happen before entering namespaces, as we may not be able to access /proc during the intermediate transition stage. We can't instead attempt to enter the user namespace and then ignore the failure from it being the same namespace, since the error code is not distinct, and we can't compare namespaces while mid-transition. --- src/core/machine-id-setup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/core') diff --git a/src/core/machine-id-setup.c b/src/core/machine-id-setup.c index 8e26362546..2d5ae3b3b9 100644 --- a/src/core/machine-id-setup.c +++ b/src/core/machine-id-setup.c @@ -325,7 +325,7 @@ int machine_id_commit(const char *root) { fd = safe_close(fd); /* Store current mount namespace */ - r = namespace_open(0, NULL, &initial_mntns_fd, NULL, NULL); + r = namespace_open(0, NULL, &initial_mntns_fd, NULL, NULL, NULL); if (r < 0) return log_error_errno(r, "Can't fetch current mount namespace: %m"); @@ -351,7 +351,7 @@ int machine_id_commit(const char *root) { fd = safe_close(fd); /* Return to initial namespace and proceed a lazy tmpfs unmount */ - r = namespace_enter(-1, initial_mntns_fd, -1, -1); + r = namespace_enter(-1, initial_mntns_fd, -1, -1, -1); if (r < 0) return log_warning_errno(r, "Failed to switch back to initial mount namespace: %m.\nWe'll keep transient %s file until next reboot.", etc_machine_id); -- cgit v1.2.3-54-g00ecf