mirror of
https://github.com/opencontainers/runc.git
synced 2025-12-24 11:50:58 +08:00
482e56379a
Using ints for all of our mapping structures means that a 32-bit binary
errors out when trying to parse /proc/self/*id_map:
failed to cache mappings for userns: failed to parse uid_map of userns /proc/1/ns/user:
parsing id map failed: invalid format in line " 0 0 4294967295": integer overflow on token 4294967295
This issue was unearthed by commit 1912d5988b ("*: actually support
joining a userns with a new container") but the underlying issue has
been present since the docker/libcontainer days.
In theory, switching to uint32 (to match the spec) instead of int64
would also work, but keeping everything signed seems much less
error-prone. It's also important to note that a mapping might be too
large for an int on 32-bit, so we detect this during the mapping.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
98 lines
3.2 KiB
Go
98 lines
3.2 KiB
Go
package configs
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"math"
|
|
)
|
|
|
|
var (
|
|
errNoUIDMap = errors.New("user namespaces enabled, but no uid mappings found")
|
|
errNoGIDMap = errors.New("user namespaces enabled, but no gid mappings found")
|
|
)
|
|
|
|
// Please check https://man7.org/linux/man-pages/man2/personality.2.html for const details.
|
|
// https://raw.githubusercontent.com/torvalds/linux/master/include/uapi/linux/personality.h
|
|
const (
|
|
PerLinux = 0x0000
|
|
PerLinux32 = 0x0008
|
|
)
|
|
|
|
type LinuxPersonality struct {
|
|
// Domain for the personality
|
|
// can only contain values "LINUX" and "LINUX32"
|
|
Domain int `json:"domain"`
|
|
}
|
|
|
|
// HostUID gets the translated uid for the process on host which could be
|
|
// different when user namespaces are enabled.
|
|
func (c Config) HostUID(containerId int) (int, error) {
|
|
if c.Namespaces.Contains(NEWUSER) {
|
|
if len(c.UIDMappings) == 0 {
|
|
return -1, errNoUIDMap
|
|
}
|
|
id, found := c.hostIDFromMapping(int64(containerId), c.UIDMappings)
|
|
if !found {
|
|
return -1, fmt.Errorf("user namespaces enabled, but no mapping found for uid %d", containerId)
|
|
}
|
|
// If we are a 32-bit binary running on a 64-bit system, it's possible
|
|
// the mapped user is too large to store in an int, which means we
|
|
// cannot do the mapping. We can't just return an int64, because
|
|
// os.Setuid() takes an int.
|
|
if id > math.MaxInt {
|
|
return -1, fmt.Errorf("mapping for uid %d (host id %d) is larger than native integer size (%d)", containerId, id, math.MaxInt)
|
|
}
|
|
return int(id), nil
|
|
}
|
|
// Return unchanged id.
|
|
return containerId, nil
|
|
}
|
|
|
|
// HostRootUID gets the root uid for the process on host which could be non-zero
|
|
// when user namespaces are enabled.
|
|
func (c Config) HostRootUID() (int, error) {
|
|
return c.HostUID(0)
|
|
}
|
|
|
|
// HostGID gets the translated gid for the process on host which could be
|
|
// different when user namespaces are enabled.
|
|
func (c Config) HostGID(containerId int) (int, error) {
|
|
if c.Namespaces.Contains(NEWUSER) {
|
|
if len(c.GIDMappings) == 0 {
|
|
return -1, errNoGIDMap
|
|
}
|
|
id, found := c.hostIDFromMapping(int64(containerId), c.GIDMappings)
|
|
if !found {
|
|
return -1, fmt.Errorf("user namespaces enabled, but no mapping found for gid %d", containerId)
|
|
}
|
|
// If we are a 32-bit binary running on a 64-bit system, it's possible
|
|
// the mapped user is too large to store in an int, which means we
|
|
// cannot do the mapping. We can't just return an int64, because
|
|
// os.Setgid() takes an int.
|
|
if id > math.MaxInt {
|
|
return -1, fmt.Errorf("mapping for gid %d (host id %d) is larger than native integer size (%d)", containerId, id, math.MaxInt)
|
|
}
|
|
return int(id), nil
|
|
}
|
|
// Return unchanged id.
|
|
return containerId, nil
|
|
}
|
|
|
|
// HostRootGID gets the root gid for the process on host which could be non-zero
|
|
// when user namespaces are enabled.
|
|
func (c Config) HostRootGID() (int, error) {
|
|
return c.HostGID(0)
|
|
}
|
|
|
|
// Utility function that gets a host ID for a container ID from user namespace map
|
|
// if that ID is present in the map.
|
|
func (c Config) hostIDFromMapping(containerID int64, uMap []IDMap) (int64, bool) {
|
|
for _, m := range uMap {
|
|
if (containerID >= m.ContainerID) && (containerID <= (m.ContainerID + m.Size - 1)) {
|
|
hostID := m.HostID + (containerID - m.ContainerID)
|
|
return hostID, true
|
|
}
|
|
}
|
|
return -1, false
|
|
}
|