From patchwork Sat Nov 18 15:13:11 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christian Brauner
X-Patchwork-Id: 24346
Received: (qmail 88741 invoked by alias); 18 Nov 2017 15:13:22 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 88725 invoked by uid 89); 18 Nov 2017 15:13:21 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-26.3 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, KAM_LAZY_DOMAIN_SECURITY, KB_WAM_FROM_NAME_SINGLEWORD, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.2 spammy=
X-HELO: mx1.mailbox.org
From: Christian Brauner
To: libc-alpha@sourceware.org
Cc: fweimer@redhat.com, Christian Brauner
Subject: [PATCH v2] support_become_root: Don't fail when /proc/

The requirement to write "deny" to /proc//setgroups for a given user namespace before being able to write a gid mapping was introduced in Linux 3.19. Before that this requirement including the file did not exist. So don't fail when errno == ENOENT.

Signed-off-by: Christian Brauner
---
Changelog 2017-11-18:
* Restrict line length to 79 char instead of 80.
* Use two spaces after a period at the end of a sentence.
* Use two spaces before the closing comment marker "*/".
---
 ChangeLog | 5 +++++
 support/support_become_root.c | 21 ++++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 604d571ca6..74b77dfa41 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@ +2017-11-17 Christian Brauner + + * support/support_become_root.c (setup_uid_gid_mapping): Don't fail + when /proc//setgroups does not exist. + 2017-11-17 Tulio Magno Quites Machado Filho * sysdeps/powerpc/bits/hwcap.h (PPC_FEATURE2_HTM_NO_SUSPEND): New diff --git a/support/support_become_root.c b/support/support_become_root.c index 5086570251..e45c939421 100644 --- a/support/support_become_root.c +++ b/support/support_become_root.c @@ -18,6 +18,7 @@ #include +#include #include #include #include @@ -50,11 +51,21 @@ setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) xwrite (fd, buf, ret); xclose (fd); - /* Disable setgroups before mapping groups, otherwise that would - fail with EPERM. */ - fd = xopen ("/proc/self/setgroups", O_WRONLY, 0); - xwrite (fd, "deny\n", strlen ("deny\n")); - xclose (fd); + /* Linux 3.19 introduced the setgroups file. We need write "deny" to this + * file otherwise writing to gid_map will fail with EPERM. */ + fd = open64 ("/proc/self/setgroups", O_WRONLY, 0); + if (fd < 0) + { + if (errno != ENOENT) + FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m", + O_WRONLY, 0); + /* This kernel doesn't expose the setgroups file so simply move on. */ + } + else + { + xwrite (fd, "deny\n", strlen ("deny\n")); + xclose (fd); + } /* Now map our own GID, like we did for the user ID. */ fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
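Review bot: In the ChangeLog hunk (@@ -1,3 +1,8 @@), the new entry is dated 2017-11-17 while the revision notes for this v2 are dated 2017-11-18, so the entry date is worth refreshing when this is committed. The entry could also state that only ENOENT is tolerated, since the code still aborts on any other open failure.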
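Review bot: In the @@ -18,6 +18,7 @@ hunk of support/support_become_root.c, only one #include is added, but the following hunk newly depends on errno, ENOENT and FAIL_EXIT1. Please confirm the file already includes the header that declares FAIL_EXIT1, and add it in this hunk if it does not.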
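Review bot: In the @@ -50,11 +51,21 @@ hunk of support/support_become_root.c, the rewritten comment drops a word ("We need write") and starts its second line with " * ", unlike the comment it replaces. Suggest 'We need to write "deny" to this file, otherwise writing to gid_map will fail with EPERM.' with a plain continuation line. The hand-built FAIL_EXIT1 message also repeats the "/proc/self/setgroups" path and the O_WRONLY, 0 arguments from the open64 call, so the two can drift apart; a local constant for the path would keep the call and the diagnostic in sync.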