unshare user namespace, fork, map uid then execvp failing

chizisch · 09-12-2021, 04:34 PM

Hello,
While trying to tinker with kernel namespaces and create a small container engine. I was trying to do the following sequence of actions:
- unshare the user namespace;
- Map the user in child process to root;
- execvp.

However, when running id, my code outputs the user as a nobody or fails without error.

Code:

#include <sched.h>
#include <cstdio>
#include <cstring>
#include <cerrno>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/mount.h>
#include <system_error>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>

void unshare_user_namespace() {
  if (0 != unshare(CLONE_NEWUSER)) {
    fprintf(stderr, "%s\n", "USER unshare has failed");
    exit(1);
  }
}

void map_id() {
  int pid = getpid();
  char file[100];
  if (0 > sprintf(file, "/proc/%d/uid_map", pid)) {
    printf("Couldn't sprintf uid_map path.");
    exit(1);
  }

  int fd;
  fd = open(file, 1);
  if (fd < 0) {
    printf("Coudln't open file for writing.\n");
    exit(1);
  }

  int uid = getuid();
  char * buf;
  if (0 > sprintf(buf, "0 %d 1", uid)) {
    printf("Couldn't sprintf uid_map content.");
    exit(1);
  }

  if (write(fd, buf, strlen(buf))) {
    printf("Coudln't write mapping into file.\n");
    exit(1);
  }

  free(buf);
  close(fd);
}

void start(char * command, char ** args) {
  unshare_user_namespace();
  int fork_pid = fork();

  if (-1 == fork_pid) {
    fprintf(stderr, "%s\n", "couldn't fork");
    exit(1);
  }

  if (0 == fork_pid) {
    map_id();

    if (-1 == execvp(command, args)) {
      fprintf(stderr, "%s\n", "couldn't execvp");
      exit(1);
    }
  }
}

int main(int argc, char ** argv) {
  start(argv[1], & argv[1]);
  int status;
  wait( & status);
  return 0;
}

I tried reading the man pages for namespaces, unshare etc but couldn't figure out what's wrong with my code.

To run the code:

Code:

$ g++ <file_containing_code> && ./a.out id

Any help, suggestions are welcome.

sundialsvcs · 09-14-2021, 09:09 AM

If you're going to separately use the OS services that container managers do, probably the best thing would be for you to examine their source code to see how they do it correctly.

chizisch · 09-14-2021, 05:25 PM

The problem is that I read the `unshare` command line source code:
- They first `unshare` in here.
- Then, they `fork` if wanted in here.
- Finally, they map the user ID in the child process to root in the parent process, in here.

However, most times, I get stuck at the third step, when mapping to root, due to lack of permissions.
As far as I understood, you can only write the `/proc/pid/map_id` once. After that, it's closed.

Thanks a lot for answering.