Support containers launched with user namespace

nbdd0121 · nbdd0121 · commit c6b8b21f1592 · 2024-10-04T00:00:04.000+01:00
diff --git a/src/util/namespace.rs b/src/util/namespace.rs
@@ -1,9 +1,11 @@
 use std::fs::File;
 use std::os::fd::AsFd;
+use std::os::unix::fs::MetadataExt;
 
 use anyhow::Result;
+use rustix::fs::{Gid, Uid};
 use rustix::process::Pid;
-use rustix::thread::{LinkNameSpaceType, UnshareFlags};
+use rustix::thread::{CapabilitiesSecureBits, LinkNameSpaceType, UnshareFlags};
 
 pub struct MntNamespace {
     fd: File,
@@ -33,6 +35,35 @@ impl MntNamespace {
                         self.fd.as_fd(),
                         Some(LinkNameSpaceType::Mount),
                     )?;
+
+                    // If user namespace is used, we must act like the root user *inside*
+                    // namespace to be able to create files properly (otherwise EOVERFLOW
+                    // will be returned when creating file).
+                    //
+                    // Entering the user namespace turns out to be problematic.
+                    // The reason seems to be this line [1]:
+                    // which means `CAP_MKNOD` capability of the *init* namespace is needed.
+                    // However task's associated security context is all relative to its current
+                    // user namespace [2], so once you enter a user namespace there's no way of getting
+                    // back `CAP_MKNOD` of the init namespace anymore.
+                    // (Yes this means that even if CAP_MKNOD is granted to the container, you canot
+                    // create device nodes within it.)
+                    //
+                    // https://elixir.bootlin.com/linux/v6.11.1/source/fs/namei.c#L4073
+                    // https://elixir.bootlin.com/linux/v6.11.1/source/include/linux/cred.h#L111
+                    let metadata = std::fs::metadata("/")?;
+                    let uid = metadata.uid();
+                    let gid = metadata.gid();
+
+                    // By default `setuid` will drop capabilities when transitioning from root
+                    // to non-root user. This bit prevents it so our code still have superpower.
+                    rustix::thread::set_capabilities_secure_bits(
+                        CapabilitiesSecureBits::NO_SETUID_FIXUP,
+                    )?;
+
+                    rustix::thread::set_thread_uid(unsafe { Uid::from_raw(uid) })?;
+                    rustix::thread::set_thread_gid(unsafe { Gid::from_raw(gid) })?;
+
                     Ok(f())
                 })
                 .join()
