bunpen: implement (but disable) setns and pidfd_open syscalls

i thought i could use this to drop into a new PID NS, and then return back, but it is not so simple; i think one cannot setns into a PID NS unless you're the owner of that namespace (i.e. CAP_SYS_ADMIN for the user ns which created that pid ns ...?)

so it works *sometimes*, but not in the times where i'd actually want it
2024-12-23 06:05:45 +00:00
parent 73b31cb085
commit d64f273ead


@@ -1,6 +1,9 @@
// vim: set shiftwidth=2 :
use rt;
// hare defines this for riscv and aarch64, but not x86
// const __NR_pidfd_open: u64 = 434;
// for use with `setns`, `unshare`, `clone` syscalls
export type clone_flag = enum u64 {
// new time namespace. calling process is NOT moved into the namespace.
@@ -34,10 +37,19 @@ export type clone_flag = enum u64 {
// union of `clone_flag`
export type clone_flags = u64;
// export fn setns(ns_fd: i32, nstype: i32) (rt::errno | u64) = {
// return syscall(rt::SYS_setns, ns_fd: u64, nstype: u64);
// };
export fn unshare(flags: clone_flags) (void | rt::errno) = {
return syscall_0_on_success(rt::SYS_unshare, flags);
};
// // ns_fd can come from `open("/proc/$PID/ns/<ns>")` OR
// // `pidfd_open(PID, flags)`
// export fn setns(ns_fd: u64, nstype: clone_flags) (rt::errno | void) = {
// return syscall_0_on_success(rt::SYS_setns, ns_fd: u64, nstype: u64);
// };
//
// // return a file descriptor that represents the PID namespace of the given process.
// // this can be used with `setns`.
// // the CLOSE_ON_EXEC flag is implicitly set.
// export fn pidfd_open(pid: rt::pid_t, flags: u64 = 0) (rt::errno | u64) = {
// return syscall(__NR_pidfd_open, pid: u64, flags);
// };
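Review bot: The comment on the disabled `pidfd_open` says the descriptor "represents the PID namespace of the given process", but a pidfd refers to the process itself; when it is passed to `setns`, the `nstype` flags choose which of that process's namespaces are joined. I would reword it to `// return a file descriptor that refers to the process PID; with setns, nstype selects which of its namespaces to join.` The reason these two functions are commented out is recorded only in the commit message, so a line above the block such as `// disabled: setns into a PID NS seems to need CAP_SYS_ADMIN in the user ns that owns it, so it fails where bunpen wants it` would stop someone re-enabling them in the sandbox path without re-checking that privilege requirement. The same applies to the commented-out `__NR_pidfd_open` constant in the first hunk, which is only meaningful together with this block.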