From: DJ Delorie <dj@redhat.com>
To: libc-alpha@sourceware.org
Subject: [patch v1] Allow for unprivileged nested containers
Date: Tue, 09 Nov 2021 18:02:42 -0500
Message-ID: <xntugl53vx.fsf@greed.delorie.com>
When running a "make check" in an untrusted podman container,
we do not have privileges to mount /proc. Previously, we just
failed to initialize the container and thus all test-container
tests were "unsupported". With this change, we set up as much
of the container as we're allowed, so tests that run in
test-container but do not need /proc will run correctly,
and those that require /proc will go from "unsupported" to (likely)
"fail" (but should give diagnostics that make it obvious that
a missing /proc is responsible).
diff --git a/support/test-container.c b/support/test-container.c
index 94498d39019..53fd7b2b5b6 100644
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -1165,40 +1165,52 @@ main (int argc, char **argv)
/* Now that we're pid 1 (effectively "root") we can mount /proc */
maybe_xmkdir ("/proc", 0777);
- if (mount ("proc", "/proc", "proc", 0, NULL) < 0)
- FAIL_EXIT1 ("Unable to mount /proc: ");
-
- /* We map our original UID to the same UID in the container so we
- can own our own files normally. */
- UMAP = open ("/proc/self/uid_map", O_WRONLY);
- if (UMAP < 0)
- FAIL_EXIT1 ("can't write to /proc/self/uid_map\n");
-
- sprintf (tmp, "%lld %lld 1\n",
- (long long) (be_su ? 0 : original_uid), (long long) original_uid);
- write (UMAP, tmp, strlen (tmp));
- xclose (UMAP);
-
- /* We must disable setgroups () before we can map our groups, else we
- get EPERM. */
- GMAP = open ("/proc/self/setgroups", O_WRONLY);
- if (GMAP >= 0)
+ if (mount ("proc", "/proc", "proc", 0, NULL) != 0)
{
- /* We support kernels old enough to not have this. */
- write (GMAP, "deny\n", 5);
- xclose (GMAP);
+ // This happens if we're trying to create a nested container,
+ // like if the build is running under podman, and we lack
+ // priviledges.
+
+ // Ideally we would WARN here, but that would just add noise to
+ // *every* test-container test, and the ones that care should
+ // have their own relevent diagnostics.
+
+ // FAIL_EXIT1 ("Unable to mount /proc: ");
}
+ else
+ {
+ /* We map our original UID to the same UID in the container so we
+ can own our own files normally. */
+ UMAP = open ("/proc/self/uid_map", O_WRONLY);
+ if (UMAP < 0)
+ FAIL_EXIT1 ("can't write to /proc/self/uid_map\n");
+
+ sprintf (tmp, "%lld %lld 1\n",
+ (long long) (be_su ? 0 : original_uid), (long long) original_uid);
+ write (UMAP, tmp, strlen (tmp));
+ xclose (UMAP);
+
+ /* We must disable setgroups () before we can map our groups, else we
+ get EPERM. */
+ GMAP = open ("/proc/self/setgroups", O_WRONLY);
+ if (GMAP >= 0)
+ {
+ /* We support kernels old enough to not have this. */
+ write (GMAP, "deny\n", 5);
+ xclose (GMAP);
+ }
- /* We map our original GID to the same GID in the container so we
- can own our own files normally. */
- GMAP = open ("/proc/self/gid_map", O_WRONLY);
- if (GMAP < 0)
- FAIL_EXIT1 ("can't write to /proc/self/gid_map\n");
+ /* We map our original GID to the same GID in the container so we
+ can own our own files normally. */
+ GMAP = open ("/proc/self/gid_map", O_WRONLY);
+ if (GMAP < 0)
+ FAIL_EXIT1 ("can't write to /proc/self/gid_map\n");
- sprintf (tmp, "%lld %lld 1\n",
- (long long) (be_su ? 0 : original_gid), (long long) original_gid);
- write (GMAP, tmp, strlen (tmp));
- xclose (GMAP);
+ sprintf (tmp, "%lld %lld 1\n",
+ (long long) (be_su ? 0 : original_gid), (long long) original_gid);
+ write (GMAP, tmp, strlen (tmp));
+ xclose (GMAP);
+ }
if (change_cwd)
{
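Review bot: the new fall-through in the error branch of `mount ("proc", "/proc", "proc", 0, NULL)` tolerates every failure, while the comment only justifies the unprivileged nested-container case; consider checking `errno` (EPERM, and perhaps EACCES) and keeping `FAIL_EXIT1 ("Unable to mount /proc: ");` for any other error, so a genuinely broken test environment does not silently run with a half-built container. Because the uid_map, setgroups and gid_map writes moved into the `else` branch, a failed mount also means no ID mapping is written at all, so the process keeps unmapped IDs inside the user namespace and the `be_su` root mapping on the `(be_su ? 0 : original_uid)` line is never applied; that consequence deserves a sentence in the commit message next to the missing-/proc caveat, since file-ownership tests will be affected too, not only those that read /proc. Minor: the new comments use `//` where the rest of the function uses `/* ... */`, they contain the typos "priviledges" and "relevent", and the commented-out `// FAIL_EXIT1 ("Unable to mount /proc: ");` should either become the errno-guarded call or be dropped rather than left as dead code.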