Support containers launched with user namespace

Author: nbdd0121

shell.nix

@@ -8,5 +8,8 @@ pkgs.mkShell {
 
     # For llvm-objdump
     llvmPackages.bintools
+
+    # To aid testing
+    runc
   ];
 }

src/runc/container.rs

@@ -2,8 +2,8 @@ use std::fs::File;
 use std::io::{BufRead, BufReader, Seek};
 use std::path::Path;
 
-use anyhow::{bail, ensure, Context, Result};
-use rustix::fs::{FileType, Gid, Mode, Uid};
+use anyhow::{bail, Context, Result};
+use rustix::fs::{FileType, Mode};
 use rustix::process::{Pid, Signal};
 use tokio::io::unix::AsyncFd;
 use tokio::io::Interest;
@@ -63,8 +63,10 @@ impl CgroupEventNotifier {
 }
 
 pub struct Container {
-    uid: Uid,
-    gid: Gid,
+    // Uid and gid of the primary container user.
+    // Note that they're inside the user namespace (if any).
+    uid: u32,
+    gid: u32,
     pid: Pid,
     wait: tokio::sync::watch::Receiver<bool>,
     cgroup_device_filter: Mutex<Box<dyn DeviceAccessController + Send>>,
@@ -87,11 +89,9 @@ impl Container {
                 Box::new(DeviceAccessControllerV2::new(&state.cgroup_paths.unified)?)
             };
 
-        ensure!(config.process.user.uid != u32::MAX && config.process.user.gid != u32::MAX);
-
         Ok(Self {
-            uid: unsafe { Uid::from_raw(config.process.user.uid) },
-            gid: unsafe { Gid::from_raw(config.process.user.gid) },
+            uid: config.process.user.uid,
+            gid: config.process.user.gid,
             pid: Pid::from_raw(state.init_process_pid.try_into()?).context("Invalid PID")?,
             wait: recv,
             cgroup_device_filter: Mutex::new(cgroup_device_filter),
@@ -113,7 +113,8 @@ impl Container {
     }
 
     pub async fn mknod(&self, node: &Path, (major, minor): (u32, u32)) -> Result<()> {
-        crate::util::namespace::MntNamespace::of_pid(self.pid)?.enter(|| {
+        let ns = crate::util::namespace::MntNamespace::of_pid(self.pid)?;
+        ns.enter(|| {
             if let Some(parent) = node.parent() {
                 let _ = std::fs::create_dir_all(parent);
             }
@@ -125,9 +126,7 @@ impl Container {
                 Mode::from(0o644),
                 rustix::fs::makedev(major, minor),
             )?;
-            if !self.uid.is_root() {
-                rustix::fs::chown(node, Some(self.uid), Some(self.gid))?;
-            }
+            std::os::unix::fs::chown(node, Some(ns.uid(self.uid)?), Some(ns.gid(self.gid)?))?;
             Ok(())
         })?
     }

src/util/namespace.rs

@@ -1,20 +1,70 @@
 use std::fs::File;
 use std::os::fd::AsFd;
+use std::path::Path;
 
-use anyhow::Result;
+use anyhow::{Context, Result};
+use rustix::fs::{Gid, Uid};
 use rustix::process::Pid;
-use rustix::thread::{LinkNameSpaceType, UnshareFlags};
+use rustix::thread::{CapabilitiesSecureBits, LinkNameSpaceType, UnshareFlags};
+
+pub struct IdMap {
+    map: Vec<(u32, u32, u32)>,
+}
+
+impl IdMap {
+    fn read(path: &Path) -> Result<Self> {
+        Self::parse(&std::fs::read_to_string(path)?)
+    }
+
+    fn parse(content: &str) -> Result<Self> {
+        let mut map = Vec::new();
+        for line in content.lines() {
+            let mut words = line.split_ascii_whitespace();
+            let inside = words.next().context("unexpected id_map")?.parse()?;
+            let outside = words.next().context("unexpected id_map")?.parse()?;
+            let count = words.next().context("unexpected id_map")?.parse()?;
+            map.push((inside, outside, count));
+        }
+        Ok(Self { map })
+    }
+
+    fn translate(&self, id: u32) -> Option<u32> {
+        for &(inside, outside, count) in self.map.iter() {
+            if (inside..inside.checked_add(count)?).contains(&id) {
+                return (id - inside).checked_add(outside);
+            }
+        }
+        None
+    }
+}
 
 pub struct MntNamespace {
-    fd: File,
+    mnt_fd: File,
+    uid_map: IdMap,
+    gid_map: IdMap,
 }
 
 impl MntNamespace {
     /// Open the mount namespace of a process.
     pub fn of_pid(pid: Pid) -> Result<MntNamespace> {
-        let path = format!("/proc/{}/ns/mnt", pid.as_raw_nonzero());
-        let fd = File::open(path)?;
-        Ok(MntNamespace { fd })
+        let mnt_fd = File::open(format!("/proc/{}/ns/mnt", pid.as_raw_nonzero()))?;
+        let uid_map = IdMap::read(format!("/proc/{}/uid_map", pid.as_raw_nonzero()).as_ref())?;
+        let gid_map = IdMap::read(format!("/proc/{}/gid_map", pid.as_raw_nonzero()).as_ref())?;
+        Ok(MntNamespace {
+            mnt_fd,
+            uid_map,
+            gid_map,
+        })
+    }
+
+    /// Translate user ID into a UID in the namespace.
+    pub fn uid(&self, uid: u32) -> Result<u32> {
+        Ok(self.uid_map.translate(uid).context("UID overflows")?)
+    }
+
+    /// Translate group ID into a GID in the namespace.
+    pub fn gid(&self, gid: u32) -> Result<u32> {
+        Ok(self.gid_map.translate(gid).context("GID overflows")?)
     }
 
     /// Enter the mount namespace.
@@ -30,9 +80,35 @@ impl MntNamespace {
 
                     // Switch this particular thread to the container's mount namespace.
                     rustix::thread::move_into_link_name_space(
-                        self.fd.as_fd(),
+                        self.mnt_fd.as_fd(),
                         Some(LinkNameSpaceType::Mount),
                     )?;
+
+                    // If user namespace is used, we must act like the root user *inside*
+                    // namespace to be able to create files properly (otherwise EOVERFLOW
+                    // will be returned when creating file).
+                    //
+                    // Entering the user namespace turns out to be problematic.
+                    // The reason seems to be this line [1]:
+                    // which means `CAP_MKNOD` capability of the *init* namespace is needed.
+                    // However task's associated security context is all relative to its current
+                    // user namespace [2], so once you enter a user namespace there's no way of getting
+                    // back `CAP_MKNOD` of the init namespace anymore.
+                    // (Yes this means that even if CAP_MKNOD is granted to the container, you cannot
+                    // create device nodes within it.)
+                    //
+                    // [1]: https://elixir.bootlin.com/linux/v6.11.1/source/fs/namei.c#L4073
+                    // [2]: https://elixir.bootlin.com/linux/v6.11.1/source/include/linux/cred.h#L111
+
+                    // By default `setuid` will drop capabilities when transitioning from root
+                    // to non-root user. This bit prevents it so our code still have superpower.
+                    rustix::thread::set_capabilities_secure_bits(
+                        CapabilitiesSecureBits::NO_SETUID_FIXUP,
+                    )?;
+
+                    rustix::thread::set_thread_uid(unsafe { Uid::from_raw(self.uid(0)?) })?;
+                    rustix::thread::set_thread_gid(unsafe { Gid::from_raw(self.gid(0)?) })?;
+
                     Ok(f())
                 })
                 .join()