conf, pasta: Explicitly pass CLONE_{NEWUSER,NEWNET} to setns()

Only allow the intended types of namespaces to be joined via setns()
as a defensive measure.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Stefano Brivio 2022-01-25 20:08:00 +01:00
parent 1776de0140
commit 4c7304db85
3 changed files with 8 additions and 6 deletions

conf.c

@ -347,8 +347,8 @@ static int conf_ns_check(void *arg)
{ {
struct ctx *c = (struct ctx *)arg; struct ctx *c = (struct ctx *)arg;
if ((!c->netns_only && setns(c->pasta_userns_fd, 0)) || if ((!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER)) ||
setns(c->pasta_netns_fd, 0)) setns(c->pasta_netns_fd, CLONE_NEWNET))
c->pasta_userns_fd = c->pasta_netns_fd = -1; c->pasta_userns_fd = c->pasta_netns_fd = -1;
return 0; return 0;


@ -148,13 +148,15 @@ static int pasta_wait_for_ns(void *arg)
snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid); snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
do do
while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0); while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0);
while (setns(c->pasta_userns_fd, 0) && !close(c->pasta_userns_fd)); while (setns(c->pasta_userns_fd, CLONE_NEWUSER) &&
!close(c->pasta_userns_fd));
netns: netns:
snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid); snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
do do
while ((c->pasta_netns_fd = open(ns, O_RDONLY)) < 0); while ((c->pasta_netns_fd = open(ns, O_RDONLY)) < 0);
while (setns(c->pasta_netns_fd, 0) && !close(c->pasta_netns_fd)); while (setns(c->pasta_netns_fd, CLONE_NEWNET) &&
!close(c->pasta_netns_fd));
return 0; return 0;
} }
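Review bot: Both retry loops in this hunk treat every setns() failure as transient, so a permanent failure, including the EINVAL that the added CLONE_NEWUSER/CLONE_NEWNET type check exists to raise and an EPERM on a namespace the caller may not join, becomes an unbounded busy loop over open()/setns()/close() rather than an error; the loop also keeps spinning on open() if the child exits before the namespace is reachable. Since setns() on a not-yet-unshared namespace presumably fails with EINVAL as well, errno alone may not separate the two cases, so a retry bound or a liveness check on pasta_child_pid, turning exhaustion into a non-zero return, would be the safer shape; how the caller treats that return is outside the hunk. Separately, the loop condition `setns(...) && !close(...)` exits on a close() failure with a descriptor setns() has already rejected, after which the function still returns 0. A one-line comment above each loop, `/* The child may not have unshared yet: retry until setns() joins it; the flag refuses any other namespace type */`, would record why the retry and the type flag are both there.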

util.c

@ -469,10 +469,10 @@ void procfs_scan_listen(char *name, uint8_t *map, uint8_t *exclude)
*/ */
int ns_enter(struct ctx *c) int ns_enter(struct ctx *c)
{ {
if (!c->netns_only && setns(c->pasta_userns_fd, 0)) if (!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER))
return -errno; return -errno;
if (setns(c->pasta_netns_fd, 0)) if (setns(c->pasta_netns_fd, CLONE_NEWNET))
return -errno; return -errno;
return 0; return 0;