author | Jörg Thalheim <joerg@thalheim.io> | 2020-12-08 12:10:47 +0100 |
committer | Jörg Thalheim <joerg@thalheim.io> | 2020-12-27 17:19:49 +0100 |
commit | 66c16e12fa0ba419695369df397e854aa7a3a7d2 (patch) | |
tree | 4151627573d74976a1d76596b3af15fc11c78604 /pkgs/build-support | |
parent | 534a3330a6885eaab301a1d6b4298191be11154b (diff) |
buildFhsUserenv: don't downgrade root user
Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c b/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
index dcb2e97aa932..a438b80e1829 100644
--- a/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
+++ b/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
@@ -43,6 +43,7 @@ const gchar *create_tmpdir() {
 void pivot_host(const gchar *guest) {
   g_autofree gchar *point = g_build_filename(guest, "host", NULL);
   fail_if(g_mkdir(point, 0755));
+  fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
   fail_if(pivot_root(guest, point));
 }
@@ -56,6 +57,7 @@ void bind_mount_item(const gchar *host, const gchar *guest, const gchar *name) {
 void bind(const gchar *host, const gchar *guest) {
   mount_tmpfs(guest);
+  pivot_host(guest);
   g_autofree gchar *host_dir = g_build_filename("/host", host, NULL);
@@ -105,7 +107,11 @@ int main(gint argc, gchar **argv) {
   uid_t uid = getuid();
   gid_t gid = getgid();
-  if (unshare(CLONE_NEWNS | CLONE_NEWUSER) < 0) {
+  int namespaces = CLONE_NEWNS;
+  if (uid != 0) {
+    namespaces |= CLONE_NEWUSER;
+  }
+  if (unshare(namespaces) < 0) {
     int unshare_errno = errno;
     g_message("Requires Linux version >= 3.19 built with CONFIG_USER_NS");
@@ -116,9 +122,11 @@ int main(gint argc, gchar **argv) {
     fail("unshare", unshare_errno);
   }
-  spit("/proc/self/setgroups", "deny");
-  spit("/proc/self/uid_map", "%d %d 1", uid, uid);
-  spit("/proc/self/gid_map", "%d %d 1", gid, gid);
+  if (uid != 0) {
+    spit("/proc/self/setgroups", "deny");
+    spit("/proc/self/uid_map", "%d %d 1", uid, uid);
+    spit("/proc/self/gid_map", "%d %d 1", gid, gid);
+  }
   // If there is a /host directory, assume this is nested chrootenv and use it as host instead.
   gboolean nested_host = g_file_test("/host", G_FILE_TEST_EXISTS | G_FILE_TEST_IS_DIR); |
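Review bot: The added `mount(0, "/", 0, MS_PRIVATE | MS_REC, 0)` in pivot_host passes the integer `0` for its three pointer arguments (source, filesystemtype, data), where `NULL` states the intent: `fail_if(mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL));`. The line is also the one security-relevant step in this function and deserves a why-comment, since it is presumably what keeps sandbox mounts from propagating back to the host once real root (see the later hunk in main) runs with only a mount namespace and inherits the host's shared propagation, and pivot_root is reported to refuse a root whose parent mount is shared. Something like `// Make the whole tree private first: without a fresh user namespace the new mount namespace keeps the host's shared propagation, so the tmpfs/bind mounts below would leak back to the host and pivot_root would fail.` Whether the subsequent mounts rely on this in every path cannot be confirmed from this hunk alone.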
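Review bot: After the new `unshare(namespaces)` check in main, the diagnostic `g_message("Requires Linux version >= 3.19 built with CONFIG_USER_NS")` is still emitted unconditionally, so a root user (uid == 0) whose plain `unshare(CLONE_NEWNS)` fails, for instance with EPERM when CAP_SYS_ADMIN is missing in a container, is told about user namespaces it never requested. Guard it with `if (namespaces & CLONE_NEWUSER) {` around the message, leaving `fail("unshare", unshare_errno);` unconditional. The `uid != 0` decision is also repeated in the following hunk for the setgroups/uid_map/gid_map writes; testing `namespaces & CLONE_NEWUSER` there too (or a single `gboolean new_userns = uid != 0;`) keeps the namespace choice and the id-map setup from drifting apart, and a short comment such as `// Real root keeps the host's id maps; writing them only makes sense inside a new user namespace.` would explain the skip. The body of main continues outside both hunks.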