conf, pasta: Explicitly pass CLONE_{NEWUSER,NEWNET} to setns()
Only allow the intended types of namespaces to be joined via setns() as a defensive measure. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
parent
1776de0140
commit
4c7304db85
3 changed files with 8 additions and 6 deletions
4
conf.c
4
conf.c
|
@ -347,8 +347,8 @@ static int conf_ns_check(void *arg)
|
||||||
{
|
{
|
||||||
struct ctx *c = (struct ctx *)arg;
|
struct ctx *c = (struct ctx *)arg;
|
||||||
|
|
||||||
if ((!c->netns_only && setns(c->pasta_userns_fd, 0)) ||
|
if ((!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER)) ||
|
||||||
setns(c->pasta_netns_fd, 0))
|
setns(c->pasta_netns_fd, CLONE_NEWNET))
|
||||||
c->pasta_userns_fd = c->pasta_netns_fd = -1;
|
c->pasta_userns_fd = c->pasta_netns_fd = -1;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
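Review bot: On the failure path of the two now-typed setns() calls, c->pasta_userns_fd and c->pasta_netns_fd are both reset to -1 without being closed, and the errno of the failing call is discarded, so the caller learns only that "something" failed and, if conf_ns_check() shares its descriptor table with the caller (it looks like a clone()d helper, which I cannot confirm from the hunk), the two descriptors stay open. If the caller does not close them itself, release them before invalidating, `close(c->pasta_userns_fd); close(c->pasta_netns_fd);` ahead of the `= -1` assignment, guarded by the same `!c->netns_only` test for the user namespace descriptor. A one-line comment above the `if` stating that both descriptors are invalidated together so the caller falls back to the no-namespace path would also help, as that coupling is not obvious. The closing brace of conf_ns_check() is outside the hunk.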
6
pasta.c
6
pasta.c
|
@ -148,13 +148,15 @@ static int pasta_wait_for_ns(void *arg)
|
||||||
snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
|
snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
|
||||||
do
|
do
|
||||||
while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0);
|
while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0);
|
||||||
while (setns(c->pasta_userns_fd, 0) && !close(c->pasta_userns_fd));
|
while (setns(c->pasta_userns_fd, CLONE_NEWUSER) &&
|
||||||
|
!close(c->pasta_userns_fd));
|
||||||
|
|
||||||
netns:
|
netns:
|
||||||
snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
|
snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
|
||||||
do
|
do
|
||||||
while ((c->pasta_netns_fd = open(ns, O_RDONLY)) < 0);
|
while ((c->pasta_netns_fd = open(ns, O_RDONLY)) < 0);
|
||||||
while (setns(c->pasta_netns_fd, 0) && !close(c->pasta_netns_fd));
|
while (setns(c->pasta_netns_fd, CLONE_NEWNET) &&
|
||||||
|
!close(c->pasta_netns_fd));
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
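Review bot: The two retry loops around setns(..., CLONE_NEWUSER) and setns(..., CLONE_NEWNET) still treat every setns() failure as transient: the descriptor is closed, the path is reopened and the call repeated with no bound and no look at errno, so a failure that cannot clear with time (EPERM, for instance, or the EINVAL the new type check would presumably raise for a descriptor of the wrong namespace type) keeps the loop spinning. A comment above each loop stating which failures are expected while the child is still setting up its namespaces, and that the loop only ends once setns() succeeds, would make that intent explicit; breaking out on errno values that are not in that expected set is worth considering. Note also that if the close() in the loop condition fails, the loop exits with c->pasta_userns_fd or c->pasta_netns_fd referring to a descriptor whose namespace was never joined, which the callers of this function presumably do not expect. pasta_wait_for_ns() begins outside the hunk.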
4
util.c
4
util.c
|
@ -469,10 +469,10 @@ void procfs_scan_listen(char *name, uint8_t *map, uint8_t *exclude)
|
||||||
*/
|
*/
|
||||||
int ns_enter(struct ctx *c)
|
int ns_enter(struct ctx *c)
|
||||||
{
|
{
|
||||||
if (!c->netns_only && setns(c->pasta_userns_fd, 0))
|
if (!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER))
|
||||||
return -errno;
|
return -errno;
|
||||||
|
|
||||||
if (setns(c->pasta_netns_fd, 0))
|
if (setns(c->pasta_netns_fd, CLONE_NEWNET))
|
||||||
return -errno;
|
return -errno;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
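Review bot: ns_enter() can return with the process in a partially switched state: when the setns(..., CLONE_NEWUSER) call succeeds and the following setns(..., CLONE_NEWNET) fails, `-errno` is returned while the caller has already been moved into the target user namespace, and nothing here restores the original one. A caller that reads a negative return as "nothing changed" would be misled, so the function comment that closes just above this hunk should say that a failure after the first setns() leaves the process in the new user namespace, or state that callers must treat any failure as fatal if that is how it is used. The closing brace of ns_enter() is outside the hunk.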