conf, pasta: Explicitly pass CLONE_{NEWUSER,NEWNET} to setns()

Only allow the intended types of namespaces to be joined via setns() as a defensive measure. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-01-25 20:08:00 +01:00 · 2022-01-25 20:08:00 +01:00 · 4c7304db85
commit 4c7304db85
parent 1776de0140
3 changed files with 8 additions and 6 deletions
--- a/conf.c
+++ b/conf.c
@ -347,8 +347,8 @@ static int conf_ns_check(void *arg)
 {
 	struct ctx *c = (struct ctx *)arg;

-	if ((!c->netns_only && setns(c->pasta_userns_fd, 0)) ||
-	    setns(c->pasta_netns_fd, 0))
+	if ((!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER)) ||
+	    setns(c->pasta_netns_fd, CLONE_NEWNET))
 		c->pasta_userns_fd = c->pasta_netns_fd = -1;

 	return 0;
--- a/pasta.c
+++ b/pasta.c
@ -148,13 +148,15 @@ static int pasta_wait_for_ns(void *arg)
 	snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
 	do
 		while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0);
-	while (setns(c->pasta_userns_fd, 0) && !close(c->pasta_userns_fd));
+	while (setns(c->pasta_userns_fd, CLONE_NEWUSER) &&
+	       !close(c->pasta_userns_fd));

 netns:
 	snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
 	do
 		while ((c->pasta_netns_fd = open(ns, O_RDONLY)) < 0);
-	while (setns(c->pasta_netns_fd, 0) && !close(c->pasta_netns_fd));
+	while (setns(c->pasta_netns_fd, CLONE_NEWNET) &&
+	       !close(c->pasta_netns_fd));

 	return 0;
 }
--- a/util.c
+++ b/util.c
@ -469,10 +469,10 @@ void procfs_scan_listen(char *name, uint8_t *map, uint8_t *exclude)
 */
 int ns_enter(struct ctx *c)
 {
-	if (!c->netns_only && setns(c->pasta_userns_fd, 0))
+	if (!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER))
 		return -errno;

-	if (setns(c->pasta_netns_fd, 0))
+	if (setns(c->pasta_netns_fd, CLONE_NEWNET))
 		return -errno;

 	return 0;