search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
1:255.16-alt1
[systemd_ALT.git] / src / nspawn / nspawn-patch-uid.c
blobb8918a2315f0d1fb1a167134ac55385cbaa16a62
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <fcntl.h>
4 #include <sys/statvfs.h>
5 #include <sys/vfs.h>
6 #include <unistd.h>
7
8 #include "acl-util.h"
9 #include "dirent-util.h"
10 #include "fd-util.h"
11 #include "fileio.h"
12 #include "fs-util.h"
13 #include "missing_magic.h"
14 #include "nspawn-def.h"
15 #include "nspawn-patch-uid.h"
16 #include "stat-util.h"
17 #include "stdio-util.h"
18 #include "string-util.h"
19 #include "strv.h"
20 #include "user-util.h"
21
22 #if HAVE_ACL
23
24 static int get_acl(int fd, const char *name, acl_type_t type, acl_t *ret) {
25 acl_t acl;
26
27 assert(fd >= 0);
28 assert(ret);
29
30 if (name) {
31 _cleanup_close_ int child_fd = -EBADF;
32
33 child_fd = openat(fd, name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
34 if (child_fd < 0)
35 return -errno;
36
37 acl = acl_get_file(FORMAT_PROC_FD_PATH(child_fd), type);
38 } else if (type == ACL_TYPE_ACCESS)
39 acl = acl_get_fd(fd);
40 else
41 acl = acl_get_file(FORMAT_PROC_FD_PATH(fd), type);
42 if (!acl)
43 return -errno;
44
45 *ret = acl;
46 return 0;
47 }
48
49 static int set_acl(int fd, const char *name, acl_type_t type, acl_t acl) {
50 int r;
51
52 assert(fd >= 0);
53 assert(acl);
54
55 if (name) {
56 _cleanup_close_ int child_fd = -EBADF;
57
58 child_fd = openat(fd, name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
59 if (child_fd < 0)
60 return -errno;
61
62 r = acl_set_file(FORMAT_PROC_FD_PATH(child_fd), type, acl);
63 } else if (type == ACL_TYPE_ACCESS)
64 r = acl_set_fd(fd, acl);
65 else
66 r = acl_set_file(FORMAT_PROC_FD_PATH(fd), type, acl);
67 if (r < 0)
68 return -errno;
69
70 return 0;
71 }
72
73 static int shift_acl(acl_t acl, uid_t shift, acl_t *ret) {
74 _cleanup_(acl_freep) acl_t copy = NULL;
75 acl_entry_t i;
76 int r;
77
78 assert(acl);
79 assert(ret);
80
81 r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
82 if (r < 0)
83 return -errno;
84 while (r > 0) {
85 uid_t *old_uid, new_uid;
86 bool modify = false;
87 acl_tag_t tag;
88
89 if (acl_get_tag_type(i, &tag) < 0)
90 return -errno;
91
92 if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
93
94 /* We don't distinguish here between uid_t and gid_t, let's make sure the compiler checks that
95 * this is actually OK */
96 assert_cc(sizeof(uid_t) == sizeof(gid_t));
97
98 old_uid = acl_get_qualifier(i);
99 if (!old_uid)
100 return -errno;
101
102 new_uid = shift | (*old_uid & UINT32_C(0xFFFF));
103 if (!uid_is_valid(new_uid))
104 return -EINVAL;
105
106 modify = new_uid != *old_uid;
107 if (modify && !copy) {
108 int n;
109
110 /* There's no copy of the ACL yet? if so, let's create one, and start the loop from the
111 * beginning, so that we copy all entries, starting from the first, this time. */
112
113 n = acl_entries(acl);
114 if (n < 0)
115 return -errno;
116
117 copy = acl_init(n);
118 if (!copy)
119 return -errno;
120
121 /* Seek back to the beginning */
122 r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
123 if (r < 0)
124 return -errno;
125 continue;
126 }
127 }
128
129 if (copy) {
130 acl_entry_t new_entry;
131
132 if (acl_create_entry(&copy, &new_entry) < 0)
133 return -errno;
134
135 if (acl_copy_entry(new_entry, i) < 0)
136 return -errno;
137
138 if (modify)
139 if (acl_set_qualifier(new_entry, &new_uid) < 0)
140 return -errno;
141 }
142
143 r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i);
144 if (r < 0)
145 return -errno;
146 }
147
148 *ret = TAKE_PTR(copy);
149
150 return !!*ret;
151 }
152
153 static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shift) {
154 _cleanup_(acl_freep) acl_t acl = NULL, shifted = NULL;
155 bool changed = false;
156 int r;
157
158 assert(fd >= 0);
159 assert(st);
160
161 /* ACLs are not supported on symlinks, there's no point in trying */
162 if (S_ISLNK(st->st_mode))
163 return 0;
164
165 r = get_acl(fd, name, ACL_TYPE_ACCESS, &acl);
166 if (r == -EOPNOTSUPP)
167 return 0;
168 if (r < 0)
169 return r;
170
171 r = shift_acl(acl, shift, &shifted);
172 if (r < 0)
173 return r;
174 if (r > 0) {
175 r = set_acl(fd, name, ACL_TYPE_ACCESS, shifted);
176 if (r < 0)
177 return r;
178
179 changed = true;
180 }
181
182 if (S_ISDIR(st->st_mode)) {
183 acl_free(acl);
184
185 if (shifted)
186 acl_free(shifted);
187
188 acl = shifted = NULL;
189
190 r = get_acl(fd, name, ACL_TYPE_DEFAULT, &acl);
191 if (r < 0)
192 return r;
193
194 r = shift_acl(acl, shift, &shifted);
195 if (r < 0)
196 return r;
197 if (r > 0) {
198 r = set_acl(fd, name, ACL_TYPE_DEFAULT, shifted);
199 if (r < 0)
200 return r;
201
202 changed = true;
203 }
204 }
205
206 return changed;
207 }
208
209 #else
210
211 static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shift) {
212 return 0;
213 }
214
215 #endif
216
217 static int patch_fd(int fd, const char *name, const struct stat *st, uid_t shift) {
218 uid_t new_uid;
219 gid_t new_gid;
220 bool changed = false;
221 int r;
222
223 assert(fd >= 0);
224 assert(st);
225
226 new_uid = shift | (st->st_uid & UINT32_C(0xFFFF));
227 new_gid = (gid_t) shift | (st->st_gid & UINT32_C(0xFFFF));
228
229 if (!uid_is_valid(new_uid) || !gid_is_valid(new_gid))
230 return -EINVAL;
231
232 if (st->st_uid != new_uid || st->st_gid != new_gid) {
233 if (name)
234 r = fchownat(fd, name, new_uid, new_gid, AT_SYMLINK_NOFOLLOW);
235 else
236 r = fchown(fd, new_uid, new_gid);
237 if (r < 0)
238 return -errno;
239
240 /* The Linux kernel alters the mode in some cases of chown(). Let's undo this. */
241 if (name) {
242 if (!S_ISLNK(st->st_mode))
243 r = fchmodat(fd, name, st->st_mode, 0);
244 else /* Changing the mode of a symlink is not supported by Linux kernel. Don't bother. */
245 r = 0;
246 } else
247 r = fchmod(fd, st->st_mode);
248 if (r < 0)
249 return -errno;
250
251 changed = true;
252 }
253
254 r = patch_acls(fd, name, st, shift);
255 if (r < 0)
256 return r;
257
258 return r > 0 || changed;
259 }
260
261 /*
262 * Check if the filesystem is fully compatible with user namespaces or
263 * UID/GID patching. Some filesystems in this list can be fully mounted inside
264 * user namespaces, however their inodes may relate to host resources or only
265 * valid in the global user namespace, therefore no patching should be applied.
266 */
267 static int is_fs_fully_userns_compatible(const struct statfs *sfs) {
268
269 assert(sfs);
270
271 return F_TYPE_EQUAL(sfs->f_type, BINFMTFS_MAGIC) ||
272 F_TYPE_EQUAL(sfs->f_type, CGROUP_SUPER_MAGIC) ||
273 F_TYPE_EQUAL(sfs->f_type, CGROUP2_SUPER_MAGIC) ||
274 F_TYPE_EQUAL(sfs->f_type, DEBUGFS_MAGIC) ||
275 F_TYPE_EQUAL(sfs->f_type, DEVPTS_SUPER_MAGIC) ||
276 F_TYPE_EQUAL(sfs->f_type, EFIVARFS_MAGIC) ||
277 F_TYPE_EQUAL(sfs->f_type, HUGETLBFS_MAGIC) ||
278 F_TYPE_EQUAL(sfs->f_type, MQUEUE_MAGIC) ||
279 F_TYPE_EQUAL(sfs->f_type, PROC_SUPER_MAGIC) ||
280 F_TYPE_EQUAL(sfs->f_type, PSTOREFS_MAGIC) ||
281 F_TYPE_EQUAL(sfs->f_type, SELINUX_MAGIC) ||
282 F_TYPE_EQUAL(sfs->f_type, SMACK_MAGIC) ||
283 F_TYPE_EQUAL(sfs->f_type, SECURITYFS_MAGIC) ||
284 F_TYPE_EQUAL(sfs->f_type, BPF_FS_MAGIC) ||
285 F_TYPE_EQUAL(sfs->f_type, TRACEFS_MAGIC) ||
286 F_TYPE_EQUAL(sfs->f_type, SYSFS_MAGIC);
287 }
288
289 static int recurse_fd(int fd, bool donate_fd, const struct stat *st, uid_t shift, bool is_toplevel) {
290 _cleanup_closedir_ DIR *d = NULL;
291 bool changed = false;
292 struct statfs sfs;
293 int r;
294
295 assert(fd >= 0);
296
297 if (fstatfs(fd, &sfs) < 0)
298 return -errno;
299
300 /* We generally want to permit crossing of mount boundaries when patching the UIDs/GIDs. However, we probably
301 * shouldn't do this for /proc and /sys if that is already mounted into place. Hence, let's stop the recursion
302 * when we hit procfs, sysfs or some other special file systems. */
303
304 r = is_fs_fully_userns_compatible(&sfs);
305 if (r < 0)
306 goto finish;
307 if (r > 0) {
308 r = 0; /* don't recurse */
309 goto finish;
310 }
311
312 /* Also, if we hit a read-only file system, then don't bother, skip the whole subtree */
313 if ((sfs.f_flags & ST_RDONLY) ||
314 access_fd(fd, W_OK) == -EROFS)
315 goto read_only;
316
317 if (S_ISDIR(st->st_mode)) {
318 if (!donate_fd) {
319 int copy;
320
321 copy = fcntl(fd, F_DUPFD_CLOEXEC, 3);
322 if (copy < 0) {
323 r = -errno;
324 goto finish;
325 }
326
327 fd = copy;
328 donate_fd = true;
329 }
330
331 d = take_fdopendir(&fd);
332 if (!d) {
333 r = -errno;
334 goto finish;
335 }
336
337 FOREACH_DIRENT_ALL(de, d, r = -errno; goto finish) {
338 struct stat fst;
339
340 if (dot_or_dot_dot(de->d_name))
341 continue;
342
343 if (fstatat(dirfd(d), de->d_name, &fst, AT_SYMLINK_NOFOLLOW) < 0) {
344 r = -errno;
345 goto finish;
346 }
347
348 if (S_ISDIR(fst.st_mode)) {
349 int subdir_fd;
350
351 subdir_fd = openat(dirfd(d), de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
352 if (subdir_fd < 0) {
353 r = -errno;
354 goto finish;
355
356 }
357
358 r = recurse_fd(subdir_fd, true, &fst, shift, false);
359 if (r < 0)
360 goto finish;
361 if (r > 0)
362 changed = true;
363
364 } else {
365 r = patch_fd(dirfd(d), de->d_name, &fst, shift);
366 if (r < 0)
367 goto finish;
368 if (r > 0)
369 changed = true;
370 }
371 }
372 }
373
374 /* After we descended, also patch the directory itself. It's key to do this in this order so that the top-level
375 * directory is patched as very last object in the tree, so that we can use it as quick indicator whether the
376 * tree is properly chown()ed already. */
377 r = patch_fd(d ? dirfd(d) : fd, NULL, st, shift);
378 if (r == -EROFS)
379 goto read_only;
380 if (r > 0)
381 changed = true;
382
383 r = changed;
384 goto finish;
385
386 read_only:
387 if (!is_toplevel) {
388 _cleanup_free_ char *name = NULL;
389
390 /* When we hit a ready-only subtree we simply skip it, but log about it. */
391 (void) fd_get_path(fd, &name);
392 log_debug("Skipping read-only file or directory %s.", strna(name));
393 r = changed;
394 }
395
396 finish:
397 if (donate_fd)
398 safe_close(fd);
399
400 return r;
401 }
402
403 static int fd_patch_uid_internal(int fd, bool donate_fd, uid_t shift, uid_t range) {
404 struct stat st;
405 int r;
406
407 assert(fd >= 0);
408
409 /* Recursively adjusts the UID/GIDs of all files of a directory tree. This is used to automatically fix up an
410 * OS tree to the used user namespace UID range. Note that this automatic adjustment only works for UID ranges
411 * following the concept that the upper 16-bit of a UID identify the container, and the lower 16-bit are the actual
412 * UID within the container. */
413
414 if ((shift & 0xFFFF) != 0) {
415 /* We only support containers where the shift starts at a 2^16 boundary */
416 r = -EOPNOTSUPP;
417 goto finish;
418 }
419
420 if (shift == UID_BUSY_BASE) {
421 r = -EINVAL;
422 goto finish;
423 }
424
425 if (range != 0x10000) {
426 /* We only support containers with 16-bit UID ranges for the patching logic */
427 r = -EOPNOTSUPP;
428 goto finish;
429 }
430
431 if (fstat(fd, &st) < 0) {
432 r = -errno;
433 goto finish;
434 }
435
436 if ((uint32_t) st.st_uid >> 16 != (uint32_t) st.st_gid >> 16) {
437 /* We only support containers where the uid/gid container ID match */
438 r = -EBADE;
439 goto finish;
440 }
441
442 /* Try to detect if the range is already right. Of course, this a pretty drastic optimization, as we assume
443 * that if the top-level dir has the right upper 16-bit assigned, then everything below will have too... */
444 if (((uint32_t) (st.st_uid ^ shift) >> 16) == 0)
445 return 0;
446
447 /* Before we start recursively chowning, mark the top-level dir as "busy" by chowning it to the "busy"
448 * range. Should we be interrupted in the middle of our work, we'll see it owned by this user and will start
449 * chown()ing it again, unconditionally, as the busy UID is not a valid UID we'd everpick for ourselves. */
450
451 if ((st.st_uid & UID_BUSY_MASK) != UID_BUSY_BASE) {
452 if (fchown(fd,
453 UID_BUSY_BASE | (st.st_uid & ~UID_BUSY_MASK),
454 (gid_t) UID_BUSY_BASE | (st.st_gid & ~(gid_t) UID_BUSY_MASK)) < 0) {
455 r = -errno;
456 goto finish;
457 }
458 }
459
460 return recurse_fd(fd, donate_fd, &st, shift, true);
461
462 finish:
463 if (donate_fd)
464 safe_close(fd);
465
466 return r;
467 }
468
469 int path_patch_uid(const char *path, uid_t shift, uid_t range) {
470 int fd;
471
472 fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
473 if (fd < 0)
474 return -errno;
475
476 return fd_patch_uid_internal(fd, true, shift, range);
477 }
A System and Session Manager (ALT Linux package)