1 /* Acquire root privileges.
2    Copyright (C) 2016-2022 Free Software Foundation, Inc.
3    This file is part of the GNU C Library.
4 
5    The GNU C Library is free software; you can redistribute it and/or
6    modify it under the terms of the GNU Lesser General Public
7    License as published by the Free Software Foundation; either
8    version 2.1 of the License, or (at your option) any later version.
9 
10    The GNU C Library is distributed in the hope that it will be useful,
11    but WITHOUT ANY WARRANTY; without even the implied warranty of
12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
13    Lesser General Public License for more details.
14 
15    You should have received a copy of the GNU Lesser General Public
16    License along with the GNU C Library; if not, see
17    <https://www.gnu.org/licenses/>.  */
18 
19 #include <support/namespace.h>
20 
21 #include <errno.h>
22 #include <fcntl.h>
23 #include <sched.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <support/check.h>
27 #include <support/xunistd.h>
28 #include <unistd.h>
29 
30 #ifdef CLONE_NEWUSER
31 /* The necessary steps to allow file creation in user namespaces.  */
32 static void
setup_uid_gid_mapping(uid_t original_uid,gid_t original_gid)33 setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid)
34 {
35   int fd = open64 ("/proc/self/uid_map", O_WRONLY);
36   if (fd < 0)
37     {
38       printf ("warning: could not open /proc/self/uid_map: %m\n"
39               "warning: file creation may not be possible\n");
40       return;
41     }
42 
43   /* We map our original UID to the same UID in the container so we
44      own our own files normally.  Without that, file creation could
45      fail with EOVERFLOW (sic!).  */
46   char buf[100];
47   int ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
48                       (unsigned long long) original_uid,
49                       (unsigned long long) original_uid);
50   TEST_VERIFY_EXIT (ret < sizeof (buf));
51   xwrite (fd, buf, ret);
52   xclose (fd);
53 
54   /* Linux 3.19 introduced the setgroups file.  We need write "deny" to this
55      file otherwise writing to gid_map will fail with EPERM.  */
56   fd = open64 ("/proc/self/setgroups", O_WRONLY, 0);
57   if (fd < 0)
58     {
59       if (errno != ENOENT)
60         FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m",
61                     O_WRONLY, 0);
62       /* This kernel doesn't expose the setgroups file so simply move on.  */
63     }
64   else
65     {
66       xwrite (fd, "deny\n", strlen ("deny\n"));
67       xclose (fd);
68     }
69 
70   /* Now map our own GID, like we did for the user ID.  */
71   fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
72   ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
73                   (unsigned long long) original_gid,
74                   (unsigned long long) original_gid);
75   TEST_VERIFY_EXIT (ret < sizeof (buf));
76   xwrite (fd, buf, ret);
77   xclose (fd);
78 }
79 #endif /* CLONE_NEWUSER */
80 
81 bool
support_become_root(void)82 support_become_root (void)
83 {
84 #ifdef CLONE_NEWUSER
85   uid_t original_uid = getuid ();
86   gid_t original_gid = getgid ();
87 
88   if (unshare (CLONE_NEWUSER | CLONE_NEWNS) == 0)
89     {
90       setup_uid_gid_mapping (original_uid, original_gid);
91       /* Even if we do not have UID zero, we have extended privileges at
92          this point.  */
93       return true;
94     }
95 #endif
96   if (setuid (0) != 0)
97     {
98       printf ("warning: could not become root outside namespace (%m)\n");
99       return false;
100     }
101   return true;
102 }
103