1 /* Acquire root privileges.
2 Copyright (C) 2016-2022 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
9
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, see
17 <https://www.gnu.org/licenses/>. */
18
19 #include <support/namespace.h>
20
21 #include <errno.h>
22 #include <fcntl.h>
23 #include <sched.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <support/check.h>
27 #include <support/xunistd.h>
28 #include <unistd.h>
29
#ifdef CLONE_NEWUSER
/* Install identity UID/GID mappings in the current user namespace so
   that file creation works there.

   ORIGINAL_UID and ORIGINAL_GID are the IDs the caller observed before
   the namespace was created.  Each is mapped to the same ID inside the
   namespace as a range of length one; nothing is mapped to ID 0.

   If /proc/self/uid_map cannot be opened, a warning is printed and the
   function returns early, leaving setgroups and gid_map untouched.
   Failing to open /proc/self/setgroups for any reason other than ENOENT
   goes through FAIL_EXIT1.  Errors from xopen, xwrite and xclose are
   left to those wrappers (presumably they terminate the test; see
   <support/xunistd.h>).  */
static void
setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid)
{
  static const char deny_setgroups[] = "deny\n";
  char buf[100];
  int ret;

  int proc_fd = open64 ("/proc/self/uid_map", O_WRONLY);
  if (proc_fd < 0)
    {
      /* Best effort only: warn and give up on all mappings.  */
      printf ("warning: could not open /proc/self/uid_map: %m\n"
              "warning: file creation may not be possible\n");
      return;
    }

  /* Map the original UID onto itself so that files created inside the
     namespace are owned by us as usual.  Without the mapping, file
     creation could fail with EOVERFLOW (sic!).  */
  unsigned long long uid_value = original_uid;
  ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n", uid_value, uid_value);
  /* A negative RET converts to a huge unsigned value here, so snprintf
     errors are rejected along with truncation.  */
  TEST_VERIFY_EXIT (ret < sizeof (buf));
  xwrite (proc_fd, buf, ret);
  xclose (proc_fd);

  /* Linux 3.19 introduced the setgroups file.  "deny" has to be written
     to it, otherwise writing to gid_map fails with EPERM.  This turns
     off setgroups(2) inside the namespace, so the process cannot shed
     its supplementary groups after gaining the namespace privileges.  */
  proc_fd = open64 ("/proc/self/setgroups", O_WRONLY, 0);
  if (proc_fd >= 0)
    {
      xwrite (proc_fd, deny_setgroups, sizeof (deny_setgroups) - 1);
      xclose (proc_fd);
    }
  else if (errno != ENOENT)
    FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m",
                O_WRONLY, 0);
  /* Otherwise (ENOENT) this kernel does not expose the setgroups file,
     so there is nothing to deny and we simply move on.  */

  /* Same identity mapping for the group ID.  */
  unsigned long long gid_value = original_gid;
  proc_fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
  ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n", gid_value, gid_value);
  TEST_VERIFY_EXIT (ret < sizeof (buf));
  xwrite (proc_fd, buf, ret);
  xclose (proc_fd);
}
#endif /* CLONE_NEWUSER */
80
/* Try to give the calling test process root-like privileges.

   When CLONE_NEWUSER is available at build time, the process first
   tries to unshare into a new user namespace together with a new mount
   namespace and then installs identity UID/GID mappings.  On this path
   the process keeps its original UID; the extended privileges come from
   the new namespaces rather than from UID 0.

   If that is unavailable or unshare fails, the fallback is setuid (0),
   which changes credentials outside any namespace: when it succeeds the
   test runs as real root on the host.

   Returns true if either path succeeded.  Returns false, after printing
   a warning, if neither did; callers must check the result before
   relying on any privilege.  Note that true is also returned when
   setup_uid_gid_mapping could only warn about uid_map, so a true result
   does not guarantee that file creation works.  */
bool
support_become_root (void)
{
#ifdef CLONE_NEWUSER
  /* Read the IDs before unsharing: the mappings written afterwards need
     the values as seen from the original namespace.  */
  uid_t uid_before = getuid ();
  gid_t gid_before = getgid ();

  int unshare_status = unshare (CLONE_NEWUSER | CLONE_NEWNS);
  if (unshare_status == 0)
    {
      setup_uid_gid_mapping (uid_before, gid_before);
      /* Even if we do not have UID zero, we have extended privileges at
         this point.  */
      return true;
    }
#endif
  if (setuid (0) == 0)
    return true;

  /* %m reports the errno left by the failed setuid call.  */
  printf ("warning: could not become root outside namespace (%m)\n");
  return false;
}
103