From 88441d9cd2753f627b6a1ce0e13378cd25fca684 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 8 Aug 2023 14:38:36 +0200
Subject: [PATCH] linux: simplify setns with pidfd

This caused an issue when the PID 1 didn't execve yet the container process, and joining the user namespace first would cause the user to look access to the container PID 1 namespaces. When running with enough permissions, setns() will allow to join all the namespaces in one shoot, so let's use it. On any error, attempt the fallback mechanism to join each namespace separately.

Closes: https://github.com/containers/crun/issues/1264
Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/linux.c | 23 ++---------------------
 1 file changed, 2 insertions(+), 21 deletions(-)

diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
index fed6d2a56..42baf90d7 100644
--- a/src/libcrun/linux.c
+++ b/src/libcrun/linux.c
@@ -4849,28 +4849,9 @@ try_setns_with_pidfd (pid_t pid_to_join, libcrun_container_t *container, libcrun
 for (i = 0; namespaces[i].ns_file; i++)
 all_flags |= namespaces[i].value;
- if (all_flags & CLONE_NEWUSER)
- {
- ret = setns (pidfd_pid_to_join, CLONE_NEWUSER);
- if (UNLIKELY (ret < 0))
- {
- /* Ignore the EINVAL error code. The kernel might not support setns + pidfd. */
- if (errno == EINVAL)
- return 0;
- return crun_make_error (err, errno, "setns(pid=%d, CLONE_NEWUSER)", pid_to_join);
- }
- }
-
 ret = setns (pidfd_pid_to_join, all_flags);
 if (UNLIKELY (ret < 0))
- {
- /* Ignore the EINVAL error code. The kernel might not support setns + pidfd. */
- if (errno == EINVAL)
- return 0;
- return crun_make_error (err, errno, "setns(pid=%d, CLONE_*)", pid_to_join);
- }
+ return 0;
 return 1;
 }
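Review bot: The new `return 0;` after the failed `setns (pidfd_pid_to_join, all_flags)` discards errno without a word on why, where the deleted code at least explained the EINVAL case; a reader will now see EPERM, ESRCH or EACCES silently ignored and wonder whether that is intended. The commit message says any failure is meant to trigger the per-namespace fallback, so carry that rationale into the code: `/* Any failure (EINVAL on kernels without setns+pidfd, EPERM, ...) is tolerated: the caller falls back to joining each namespace individually. */`. Emitting the errno value in a debug-level log before returning would also make the fallback visible when diagnosing a container whose PID 1 has not exec'd yet, which is the situation this change targets. The body of try_setns_with_pidfd starts before the hunk (the pidfd acquisition is not visible), but the function closes inside it.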
@@ -4896,7 +4877,7 @@ join_process_namespaces (libcrun_container_t *container, pid_t pid_to_join, libc
 if (LIKELY (ret > 0))
 return 0;
- /* If setns with the target pidfd, fall-back to join each namespace individually. */
+ /* If setns fails with the target pidfd, fall-back to join each namespace individually. */
 if (def->linux->namespaces_len >= MAX_NAMESPACES)
 return crun_make_error (err, 0, "invalid configuration");