42#include <sched.h>
43#ifndef CLONE_NEWUTS
44# define CLONE_NEWUTS 0x04000000
45#endif
46#ifndef CLONE_NEWIPC
47# define CLONE_NEWIPC 0x08000000
48#endif
49#ifndef CLONE_NEWUSER
50# define CLONE_NEWUSER 0x10000000
51#endif
52#ifndef CLONE_NEWPID
53# define CLONE_NEWPID 0x20000000
54#endif
55#ifndef CLONE_NEWNET
56# define CLONE_NEWNET 0x40000000
57#endif
58
59#include <sys/mount.h>
60#ifndef MS_REC
61# define MS_REC (1 << 14)
62#endif
63#ifndef MS_PRIVATE
64# define MS_PRIVATE (1 << 18)
65#endif
66#ifndef MS_SLAVE
67# define MS_SLAVE (1 << 19)
68#endif
69#ifndef MS_SHARED
70# define MS_SHARED (1 << 20)
71#endif
72
73#include "libbb.h"
74
/*
 * mount(2) wrapper that treats any failure as fatal.
 *
 * source, target, fstype and mountflags are handed straight to mount(2);
 * the data argument is always NULL.  On failure the applet exits through
 * bb_perror_msg_and_die(), which reports source, target and the flags in
 * hex (the errno text is appended by the libbb helper).
 */
static void mount_or_die(const char *source, const char *target,
		const char *fstype, unsigned long mountflags)
{
	int rc = mount(source, target, fstype, mountflags, NULL);

	if (rc == 0)
		return;
	bb_perror_msg_and_die("can't mount %s on %s (flags:0x%lx)",
			source, target, mountflags);
}
88
89#define PATH_PROC_SETGROUPS "/proc/self/setgroups"
90#define PATH_PROC_UIDMAP "/proc/self/uid_map"
91#define PATH_PROC_GIDMAP "/proc/self/gid_map"
92
/* One entry per supported namespace: the CLONE_* flag passed to unshare(2)
 * and the name of its /proc/PID/ns/ file.  nsfile4 is exactly 4 bytes and
 * has NO guaranteed NUL terminator ("user" fills all four), so it must only
 * be printed through a bounded "%.4s" conversion, as mount_namespaces() does. */
struct namespace_descr {
	int flag;
	const char nsfile4[4];
};
97
/* Per-namespace user input: the PATH given with --mount=PATH, --pid=PATH,
 * etc., onto which /proc/PID/ns/<name> gets bind-mounted, or NULL when
 * the option carried no path (getopt32long() stores the optarg here). */
struct namespace_ctx {
	char *path;
};
101
/* Option bits returned by getopt32long(), in OPT_STR order.  Bits 0..5 MUST
 * stay in the same order as ns_list[] / NS_*_POS: unshare_main() converts
 * them to CLONE_* flags with "opts & (1 << i)".  --propagation and
 * --setgroups take a required argument, --mount-proc an optional one. */
enum {
	OPT_mount = 1 << 0,
	OPT_uts = 1 << 1,
	OPT_ipc = 1 << 2,
	OPT_net = 1 << 3,
	OPT_pid = 1 << 4,
	OPT_user = 1 << 5,
	OPT_fork = 1 << 6,
	OPT_map_root = 1 << 7,
	OPT_mount_proc = 1 << 8,
	OPT_propagation = 1 << 9,
	OPT_setgroups = 1 << 10,
};
/* Indexes into ns_list[] and ns_ctx_list[]; NS_COUNT bounds both arrays and
 * every loop over them.  Must match the order of OPT_mount..OPT_user. */
enum {
	NS_MNT_POS = 0,
	NS_UTS_POS,
	NS_IPC_POS,
	NS_NET_POS,
	NS_PID_POS,
	NS_USR_POS,
	NS_COUNT,
};
/* Namespace table, indexed by NS_*_POS.  The order is load-bearing (see the
 * OPT_* bits).  "user" occupies all four bytes of nsfile4 with no NUL. */
static const struct namespace_descr ns_list[] = {
	{ CLONE_NEWNS, "mnt" },
	{ CLONE_NEWUTS, "uts" },
	{ CLONE_NEWIPC, "ipc" },
	{ CLONE_NEWNET, "net" },
	{ CLONE_NEWPID, "pid" },
	{ CLONE_NEWUSER, "user" },
};
132
133
134
135
136
137
138
139
/*
 * Short option string for getopt32long().  The leading "+" stops option
 * parsing at the first non-option, so the command being launched keeps its
 * own flags.  m u i n p U are the namespace switches (bits 0..5), f = --fork,
 * r = --map-root-user, \xfd = --mount-proc[=DIR] (optional argument),
 * \xfe = --propagation=MODE and \xff = --setgroups=allow|deny (required).
 */
#define OPT_STR "+muinpU""fr""\xfd::""\xfe:""\xff:"
/*
 * Long options.  --mount/--uts/--ipc/--net/--pid/--user map to the long-only
 * codes \xf0..\xf5, which do not appear in OPT_STR.  Their optional PATH
 * argument is the bind-mount target for the namespace file; the optarg
 * pointers for them are the trailing &ns_ctx_list[*].path arguments of the
 * getopt32long() call in unshare_main(), presumably bound positionally after
 * the OPT_STR ones (\xfd, \xfe, \xff).  A complementary rule in that call
 * also turns each \xfN into the matching short flag.
 */
static const char unshare_longopts[] ALIGN1 =
	"mount\0" Optional_argument "\xf0"
	"uts\0" Optional_argument "\xf1"
	"ipc\0" Optional_argument "\xf2"
	"net\0" Optional_argument "\xf3"
	"pid\0" Optional_argument "\xf4"
	"user\0" Optional_argument "\xf5"
	"fork\0" No_argument "f"
	"map-root-user\0" No_argument "r"
	"mount-proc\0" Optional_argument "\xfd"
	"propagation\0" Required_argument "\xfe"
	"setgroups\0" Required_argument "\xff"
;
154
155
156#define PRIVATE_STR "private\0""unchanged\0""shared\0""slave\0"
157#define PRIVATE_UNCHANGED_SHARED_SLAVE PRIVATE_STR
158
/*
 * Translate the --propagation=MODE string into the mount(2) propagation
 * flags applied to "/" after entering a new mount namespace.
 *
 * prop_str: one of "private", "unchanged", "shared", "slave" (looked up with
 *           index_in_strings() in PRIVATE_UNCHANGED_SHARED_SLAVE order).
 * Returns MS_REC|MS_PRIVATE, 0, MS_REC|MS_SHARED or MS_REC|MS_SLAVE
 * respectively.  Any other string is a fatal usage error.
 */
static unsigned long parse_propagation(const char *prop_str)
{
	int kind = index_in_strings(PRIVATE_UNCHANGED_SHARED_SLAVE, prop_str);

	/* index_in_strings() reports "not found" as a negative value */
	if (kind < 0)
		bb_error_msg_and_die("unrecognized: --%s=%s", "propagation", prop_str);

	switch (kind) {
	case 0: /* private */
		return MS_REC | MS_PRIVATE;
	case 1: /* unchanged: no propagation flags at all */
		return 0;
	case 2: /* shared */
		return MS_REC | MS_SHARED;
	default: /* slave */
		return MS_REC | MS_SLAVE;
	}
}
172
/*
 * Bind-mount the namespace files of process `pid` onto the user-supplied
 * paths in ns_ctx_list (one slot per ns_list[] entry; NULL means "not
 * requested").
 *
 * The source is "/proc/PID/ns/<name>".  <name> is printed with "%.4s"
 * because nsfile4[] is exactly four bytes and "user" has no terminating
 * NUL.  Every failed mount is fatal via mount_or_die().
 */
static void mount_namespaces(pid_t pid, struct namespace_ctx *ns_ctx_list)
{
	int idx;

	for (idx = 0; idx < NS_COUNT; idx++) {
		const char *target = ns_ctx_list[idx].path;
		/* "/proc/" + at most 10 decimal digits + "/ns/" + 4 chars + NUL;
		 * sizeof(int)*3 over-approximates the digit count. */
		char source[sizeof("/proc/%u/ns/AAAA") + sizeof(int)*3];

		if (target == NULL)
			continue;
		sprintf(source, "/proc/%u/ns/%.4s", (unsigned)pid, ns_list[idx].nsfile4);
		mount_or_die(source, target, NULL, MS_BIND);
	}
}
190
int unshare_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
/*
 * unshare applet entry point: create new namespaces with unshare(2),
 * optionally make them persistent by bind-mounting /proc/PID/ns/* onto
 * user-given paths, optionally map the caller to uid/gid 0 in a new user
 * namespace, fix mount propagation / mount a fresh proc, then exec the
 * command (or a shell when none is given).
 *
 * argv: options are consumed by getopt32long(); the rest is the program
 *       to run.
 * Returns only when the bind-mount helper child exited with a non-zero
 * status (that status is propagated); otherwise it execs or dies via the
 * libbb *_or_die helpers.
 */
int unshare_main(int argc UNUSED_PARAM, char **argv)
{
	int i;
	unsigned int opts;
	int unsflags;
	uintptr_t need_mount;
	const char *proc_mnt_target;
	const char *prop_str;
	const char *setgrp_str;
	unsigned long prop_flags;
	/* Captured BEFORE unshare(CLONE_NEWUSER): the "0 <id> 1" maps written
	 * under -r must name the ids of the ORIGINAL user namespace.
	 * NOTE(review): presumably also because inside a new, not yet mapped
	 * user namespace geteuid()/getegid() would report the overflow ids. */
	uid_t reuid = geteuid();
	gid_t regid = getegid();
	struct fd_pair fdp;
	/* Self-initialisation only silences "may be used uninitialized": child
	 * is read under the same (need_mount && OPT_mount) condition that
	 * assigns it below. */
	pid_t child = child;
	struct namespace_ctx ns_ctx_list[NS_COUNT];

	memset(ns_ctx_list, 0, sizeof(ns_ctx_list));
	proc_mnt_target = "/proc";
	prop_str = PRIVATE_STR;  /* "private": the first string of the list */
	setgrp_str = NULL;

	/* "^" enables the complementary rules after the "\0" (getopt32 syntax):
	 *   \xf0..\xf5 -> m u i n p U : --<ns>[=PATH] also selects that namespace
	 *   r -> U                    : --map-root-user needs a user namespace
	 *   \xfd -> m                 : --mount-proc needs a mount namespace
	 * Optarg pointers follow OPT_STR order (\xfd, \xfe, \xff), then the
	 * long-only \xf0..\xf5 in ns_list[] order. */
	opts = getopt32long(argv, "^" OPT_STR "\0"
		"\xf0""m"
		":\xf1""u"
		":\xf2""i"
		":\xf3""n"
		":\xf4""p"
		":\xf5""U"
		":rU"
		":\xfd""m"
		, unshare_longopts,
		&proc_mnt_target, &prop_str, &setgrp_str,
		&ns_ctx_list[NS_MNT_POS].path,
		&ns_ctx_list[NS_UTS_POS].path,
		&ns_ctx_list[NS_IPC_POS].path,
		&ns_ctx_list[NS_NET_POS].path,
		&ns_ctx_list[NS_PID_POS].path,
		&ns_ctx_list[NS_USR_POS].path
	);
	argv += optind;

	/* --setgroups accepts only "allow" or "deny".  "allow" cannot be
	 * combined with -r, which unconditionally writes "deny" itself (below)
	 * before touching gid_map. */
	if (setgrp_str) {
		if (strcmp(setgrp_str, "allow") == 0) {
			if (opts & OPT_map_root) {
				bb_error_msg_and_die(
					"--setgroups=allow and --map-root-user "
					"are mutually exclusive"
				);
			}
		} else {
			/* anything else must be "deny" */
			if (strcmp(setgrp_str, "deny") != 0)
				bb_error_msg_and_die("unrecognized: --%s=%s",
					"setgroups", setgrp_str);
		}
	}

	/* Turn OPT_* bits 0..5 (same order as ns_list[]) into CLONE_* flags.
	 * need_mount becomes non-zero if any --<ns>=PATH was supplied. */
	unsflags = 0;
	need_mount = 0;
	for (i = 0; i < NS_COUNT; i++) {
		const struct namespace_descr *ns = &ns_list[i];
		struct namespace_ctx *ns_ctx = &ns_ctx_list[i];

		if (opts & (1 << i))
			unsflags |= ns->flag;

		need_mount |= (uintptr_t)(ns_ctx->path);
	}

	/* Default: recursive private propagation for the new mount namespace.
	 * --propagation is only honoured together with -m. */
	prop_flags = MS_REC | MS_PRIVATE;

	if (opts & OPT_mount)
		prop_flags = parse_propagation(prop_str);

	/*
	 * Special case: persistent namespace bind mounts (--<ns>=PATH) combined
	 * with a new mount namespace (-m).  The bind mounts must land in the
	 * ORIGINAL mount namespace, which this process is about to leave, so a
	 * helper child is forked first.  It blocks on the pipe until the parent
	 * has called unshare() and closed its write end, then bind-mounts the
	 * parent's /proc/PPID/ns/* files from the old mount namespace.
	 */
	fdp.wr = -1;
	if (need_mount && (opts & OPT_mount)) {
		/* the child mounts the PARENT's namespace files */
		pid_t ppid = getpid();

		xpiped_pair(fdp);

		child = xfork();
		if (child == 0) {
			/* child */
			close(fdp.wr);
			/* Block until EOF: the parent never writes, it only closes
			 * fdp.wr after unshare().  ns_ctx_list is used as a dummy
			 * 1-byte buffer; since no data is ever sent nothing is stored
			 * in it and the return value does not matter.
			 * NOTE(review): if the parent dies before unshare() completes
			 * (e.g. unshare(2) fails), the pipe closes too and the helper
			 * still attempts the bind mounts of a gone /proc/PPID; the
			 * resulting error is reported by mount_or_die() in the child. */
			read(fdp.rd, ns_ctx_list, 1);
			/* bind-mount the parent's namespaces onto the given paths */
			mount_namespaces(ppid, ns_ctx_list);
			return EXIT_SUCCESS;
		}
		/* parent */
	}

	if (unshare(unsflags) != 0)
		bb_perror_msg_and_die("unshare(0x%x)", unsflags);

	/* Closing fdp.wr is the signal that lets the helper child proceed. */
	if (fdp.wr >= 0) {
		close(fdp.wr);
		close(fdp.rd);
	}

	if (need_mount) {
		/* persistent-namespace bind mounts were requested */
		if (opts & OPT_mount) {
			/* The helper child did them; forward its failure.  Only a
			 * normal non-zero exit is forwarded -- a helper killed by a
			 * signal does not satisfy WIFEXITED and falls through. */
			int exit_status = wait_for_exitstatus(child);
			if (WIFEXITED(exit_status) &&
			    WEXITSTATUS(exit_status) != EXIT_SUCCESS)
				return WEXITSTATUS(exit_status);
		} else {
			/* No new mount namespace: we are still in the original one,
			 * so our own /proc/self/ns/* files can be bind-mounted
			 * directly. */
			mount_namespaces(getpid(), ns_ctx_list);
		}
	}

	/* -f: fork; by its name, xvfork_parent_waits_and_exits() makes the
	 * parent wait for the child and exit with its status, so only the child
	 * continues from here.
	 * NOTE(review): presumably required with -p, since the process calling
	 * unshare(CLONE_NEWPID) is not itself placed in the new pid namespace,
	 * only its subsequently created children are. */
	if (opts & OPT_fork) {
		xvfork_parent_waits_and_exits();
		/* child */
	}

	if (opts & OPT_map_root) {
		/* "0 <id> 1": 7 bytes of template + 12 for a 10-digit id; reused
		 * for the gid map below. */
		char uidmap_buf[sizeof("0 %u 1") + sizeof(int)*3];

		/* Security note: since Linux 3.19 an unprivileged process may only
		 * write gid_map after "deny" has been written to
		 * /proc/self/setgroups, which permanently disables setgroups(2) in
		 * the new user namespace.  Otherwise a mapped "root" could drop a
		 * supplementary group and thereby gain access that the group
		 * membership was denying it (the "group restriction" case). */
		xopen_xwrite_close(PATH_PROC_SETGROUPS, "deny");
		/* map uid 0 inside the namespace to our original effective uid */
		sprintf(uidmap_buf, "0 %u 1", (unsigned)reuid);
		xopen_xwrite_close(PATH_PROC_UIDMAP, uidmap_buf);
		/* same for gid 0 */
		sprintf(uidmap_buf, "0 %u 1", (unsigned)regid);
		xopen_xwrite_close(PATH_PROC_GIDMAP, uidmap_buf);
	} else
	if (setgrp_str) {
		/* validated above to be exactly "allow" or "deny" */
		xopen_xwrite_close(PATH_PROC_SETGROUPS, setgrp_str);
	}

	/* -m: change the propagation type of "/" in the new mount namespace
	 * (default MS_REC|MS_PRIVATE, so later mounts do not propagate back to
	 * the host).
	 * NOTE(review): with --propagation=unchanged prop_flags is 0, and this
	 * still issues mount("none", "/", NULL, 0, NULL), which is then fatal
	 * if the kernel rejects it -- verify; util-linux skips the call for
	 * "unchanged". */
	if (opts & OPT_mount) {
		mount_or_die("none", "/", NULL, prop_flags);
	}

	/* --mount-proc[=DIR] (implies -m): first make DIR recursively private
	 * so the new proc mount cannot propagate into the parent's mount
	 * namespace, then mount a fresh procfs there with nosuid/noexec/nodev.
	 * Presumably the point with -p: a fresh proc instance reflects the new
	 * pid namespace. */
	if (opts & OPT_mount_proc) {
		mount_or_die("none", proc_mnt_target, NULL, MS_PRIVATE | MS_REC);
		mount_or_die("proc", proc_mnt_target, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV);
	}

	/* exec the command, or (by the helper's name) a shell if none given */
	exec_prog_or_SHELL(argv);
}
379