From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 9B9C21FF136 for ; Mon, 23 Feb 2026 14:09:15 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 33DD0BCFB; Mon, 23 Feb 2026 14:10:10 +0100 (CET) From: Filip Schauer To: pve-devel@lists.proxmox.com Subject: [PATCH container 5/8] namespaces: refactor run_in_userns Date: Mon, 23 Feb 2026 14:04:51 +0100 Message-ID: <20260223130706.90972-6-f.schauer@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260223130706.90972-1-f.schauer@proxmox.com> References: <20260223130706.90972-1-f.schauer@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1771852162160 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.002 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: ACU7JD6VMQ2HHUSBTQ47UKI6BFDZ3PFK X-Message-ID-Hash: ACU7JD6VMQ2HHUSBTQ47UKI6BFDZ3PFK X-MailFrom: f.schauer@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Filip Schauer --- src/PVE/LXC/Namespaces.pm | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/src/PVE/LXC/Namespaces.pm b/src/PVE/LXC/Namespaces.pm index 3b86262..477d0ac 100644 --- a/src/PVE/LXC/Namespaces.pm +++ b/src/PVE/LXC/Namespaces.pm @@ -25,6 +25,19 @@ my sub set_id_map($$) { PVE::Tools::run_command(['newuidmap', $pid, @uid_args]) if scalar(@uid_args); } +my sub sync_send { + my ($fh, $msg) = @_; + + syswrite($fh, $msg) == length($msg) or die "sync write failed: $!\n"; +} + +my sub sync_recv { + my ($fh, $expect) = @_; + + my $received = <$fh>; + die "sync read failed\n" if $received ne $expect; +} + sub run_in_userns($;$) { my ($code, $id_map) = @_; socketpair(my $sp, my $sc, AF_UNIX, SOCK_STREAM, PF_UNSPEC) @@ -32,25 +45,23 @@ sub run_in_userns($;$) { my $child = sub { close($sp); PVE::Tools::unshare(CLONE_NEWUSER | CLONE_NEWNS) or die "unshare(NEWUSER|NEWNS): $!\n"; - syswrite($sc, "1\n") == 2 or die "write: $!\n"; + sync_send($sc, "1\n"); shutdown($sc, 1); - my $two = <$sc>; - die "failed to sync with parent process\n" if $two ne "2\n"; + sync_recv($sc, "2\n"); close($sc); $! = undef; ($(, $)) = (0, 0); - die "$!\n" if $!; + die "setgid(0): $!\n" if $!; ($<, $>) = (0, 0); - die "$!\n" if $!; + die "setuid(0): $!\n" if $!; return $code->(); }; my $parent = sub { my ($pid) = @_; close($sc); - my $one = <$sp>; - die "failed to sync with userprocess\n" if $one ne "1\n"; + sync_recv($sp, "1\n"); set_id_map($pid, $id_map); - syswrite($sp, "2\n") == 2 or die "write: $!\n"; + sync_send($sp, "2\n"); close($sp); }; PVE::Tools::run_fork($child, { afterfork => $parent }); -- 2.47.3