• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0
2 #define _GNU_SOURCE
3 #include <sched.h>
4 #include <unistd.h>
5 #include <stdio.h>
6 #include <stdlib.h>
7 #include <signal.h>
8 #include <errno.h>
9 #include <sys/types.h>
10 #include <sys/stat.h>
11 #include <fcntl.h>
12 #include <sys/ioctl.h>
13 #include <sys/prctl.h>
14 #include <sys/wait.h>
15 
16 #define NSIO    0xb7
17 #define NS_GET_USERNS   _IO(NSIO, 0x1)
18 
19 #define pr_err(fmt, ...) \
20 		({ \
21 			fprintf(stderr, "%s:%d:" fmt ": %m\n", \
22 				__func__, __LINE__, ##__VA_ARGS__); \
23 			1; \
24 		})
25 
main(int argc,char * argvp[])26 int main(int argc, char *argvp[])
27 {
28 	int pfd[2], ns, uns, init_uns;
29 	struct stat st1, st2;
30 	char path[128];
31 	pid_t pid;
32 	char c;
33 
34 	if (pipe(pfd))
35 		return 1;
36 
37 	pid = fork();
38 	if (pid < 0)
39 		return pr_err("fork");
40 	if (pid == 0) {
41 		prctl(PR_SET_PDEATHSIG, SIGKILL);
42 		if (unshare(CLONE_NEWUTS | CLONE_NEWUSER))
43 			return pr_err("unshare");
44 		close(pfd[0]);
45 		close(pfd[1]);
46 		while (1)
47 			sleep(1);
48 		return 0;
49 	}
50 	close(pfd[1]);
51 	if (read(pfd[0], &c, 1) != 0)
52 		return pr_err("Unable to read from pipe");
53 	close(pfd[0]);
54 
55 	snprintf(path, sizeof(path), "/proc/%d/ns/uts", pid);
56 	ns = open(path, O_RDONLY);
57 	if (ns < 0)
58 		return pr_err("Unable to open %s", path);
59 
60 	uns = ioctl(ns, NS_GET_USERNS);
61 	if (uns < 0)
62 		return pr_err("Unable to get an owning user namespace");
63 
64 	if (fstat(uns, &st1))
65 		return pr_err("fstat");
66 
67 	snprintf(path, sizeof(path), "/proc/%d/ns/user", pid);
68 	if (stat(path, &st2))
69 		return pr_err("stat");
70 
71 	if (st1.st_ino != st2.st_ino)
72 		return pr_err("NS_GET_USERNS returned a wrong namespace");
73 
74 	init_uns = ioctl(uns, NS_GET_USERNS);
75 	if (uns < 0)
76 		return pr_err("Unable to get an owning user namespace");
77 
78 	if (ioctl(init_uns, NS_GET_USERNS) >= 0 || errno != EPERM)
79 		return pr_err("Don't get EPERM");
80 
81 	if (unshare(CLONE_NEWUSER))
82 		return pr_err("unshare");
83 
84 	if (ioctl(ns, NS_GET_USERNS) >= 0 || errno != EPERM)
85 		return pr_err("Don't get EPERM");
86 	if (ioctl(init_uns, NS_GET_USERNS) >= 0 || errno != EPERM)
87 		return pr_err("Don't get EPERM");
88 
89 	kill(pid, SIGKILL);
90 	wait(NULL);
91 	return 0;
92 }
93