colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bunpen: simplify the /proc/self/{u,g}id_map logic

Browse Source
This commit is contained in:
Colin
2024-09-04 01:47:22 +00:00
parent 6193f347e7
commit 04ac2ada05
1 changed files with 16 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
pkgs/additional/bunpen/restrict/namespace.ha
View File

@@ -329,27 +329,29 @@ fn pivot_into(new_root: str, stash_old_root: (str|void) = void) void = {
errors::ext::check("[namespace] cd /", os::chdir("/"));
};
// these id maps are writable *once*.
// - uid_map, gid_map: tell the kernel how uid's from the parent namespace
// should be presented to members of the current namespace,
// AND vice-versa.
// - each line has the format:
// `ID-inside-ns ID-outside-ns number-of-ids-to-map`
// - multiple lines are allowed
// - it seems as those ID-outside-ns can only be an ID controlled by the user
// that created the namespace (else: EPERM), which would make sense if this is a bidirectional mapping
fn write_id_maps(uid: unix::uid, gid: unix::gid) void = {
errors::ext::swallow("[namespace] write /proc/self/uid_map", write_uid_map(uid));
errors::ext::swallow("[namespace] write /proc/self/uid_map", write_id_map("/proc/self/uid_map", uid));
errors::ext::swallow("[namespace] write /proc/self/setgroups", write_setgroups());
errors::ext::swallow("[namespace] write /proc/self/gid_map", write_gid_map(gid));
errors::ext::swallow("[namespace] write /proc/self/gid_map", write_id_map("/proc/self/gid_map", gid));
};
fn write_uid_map(uid: unix::uid) (void | rt::errno | io::error) = {
let uid_fd = rt::open("/proc/self/uid_map", rt::O_RDWR | rt::O_CLOEXEC, 0)?;
let uid_buf: [4096]u8 = [0...];
let uid_str = fmt::bsprintf(uid_buf, "{0} {0} 1\n", uid: uint);
io::write(uid_fd, strings::toutf8(uid_str))?;
fn write_id_map(which: str, id: uint) (void | rt::errno | io::error) = {
let id_fd = rt::open(which, rt::O_RDWR | rt::O_CLOEXEC, 0)?;
let id_buf: [4096]u8 = [0...];
let id_str = fmt::bsprintf(id_buf, "{0} {0} 1\n", id);
io::write(id_fd, strings::toutf8(id_str))?;
};
fn write_setgroups() (void | rt::errno | io::error) = {
let setgroups_fd = rt::open("/proc/self/setgroups", rt::O_RDWR | rt::O_CLOEXEC, 0)?;
io::write(setgroups_fd, &['d': u8, 'e', 'n', 'y', '\n', 0])?;
};
fn write_gid_map(gid: unix::gid) (void | rt::errno | io::error) = {
let gid_fd = rt::open("/proc/self/gid_map", rt::O_RDWR | rt::O_CLOEXEC, 0)?;
let gid_buf: [4096]u8 = [0...];
let gid_str = fmt::bsprintf(gid_buf, "{0} {0} 1\n", gid: uint);
io::write(gid_fd, strings::toutf8(gid_str))?;
};