From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id DAA691FF173 for ; Mon, 11 Nov 2024 19:33:08 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5978212737; Mon, 11 Nov 2024 19:33:06 +0100 (CET) Message-ID: <0bb0e050-cde8-4471-86d5-4154afd447eb@proxmox.com> Date: Mon, 11 Nov 2024 19:33:02 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Proxmox VE development discussion , Fiona Ebner References: <20241107165146.125935-1-f.ebner@proxmox.com> <20241107165146.125935-11-f.ebner@proxmox.com> Content-Language: en-GB, de-AT From: Thomas Lamprecht Autocrypt: addr=t.lamprecht@proxmox.com; keydata= xsFNBFsLjcYBEACsaQP6uTtw/xHTUCKF4VD4/Wfg7gGn47+OfCKJQAD+Oyb3HSBkjclopC5J uXsB1vVOfqVYE6PO8FlD2L5nxgT3SWkc6Ka634G/yGDU3ZC3C/7NcDVKhSBI5E0ww4Qj8s9w OQRloemb5LOBkJNEUshkWRTHHOmk6QqFB/qBPW2COpAx6oyxVUvBCgm/1S0dAZ9gfkvpqFSD 90B5j3bL6i9FIv3YGUCgz6Ue3f7u+HsEAew6TMtlt90XV3vT4M2IOuECG/pXwTy7NtmHaBQ7 UJBcwSOpDEweNob50+9B4KbnVn1ydx+K6UnEcGDvUWBkREccvuExvupYYYQ5dIhRFf3fkS4+ wMlyAFh8PQUgauod+vqs45FJaSgTqIALSBsEHKEs6IoTXtnnpbhu3p6XBin4hunwoBFiyYt6 YHLAM1yLfCyX510DFzX/Ze2hLqatqzY5Wa7NIXqYYelz7tXiuCLHP84+sV6JtEkeSUCuOiUY virj6nT/nJK8m0BzdR6FgGtNxp7RVXFRz/+mwijJVLpFsyG1i0Hmv2zTn3h2nyGK/I6yhFNt dX69y5hbo6LAsRjLUvZeHXpTU4TrpN/WiCjJblbj5um5eEr4yhcwhVmG102puTtuCECsDucZ jpKpUqzXlpLbzG/dp9dXFH3MivvfuaHrg3MtjXY1i+/Oxyp5iwARAQABzTNUaG9tYXMgTGFt cHJlY2h0IChBdXRoLTQpIDx0LmxhbXByZWNodEBwcm94bW94LmNvbT7CwY4EEwEIADgWIQQO R4qbEl/pah9K6VrTZCM6gDZWBgUCWwuNxgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAK CRDTZCM6gDZWBm/jD/4+6JB2s67eaqoP6x9VGaXNGJPCscwzLuxDTCG90G9FYu29VcXtubH/ bPwsyBbNUQpqTm/s4XboU2qpS5ykCuTjqavrcP33tdkYfGcItj2xMipJ1i3TWvpikQVsX42R G64wovLs/dvpTYphRZkg5DwhgTmy3mRkmofFCTa+//MOcNOORltemp984tWjpR3bUJETNWpF sKGZHa3N4kCNxb7A+VMsJZ/1gN3jbQbQG7GkJtnHlWkw9rKCYqBtWrnrHa4UAvSa9M/XCIAB FThFGqZI1ojdVlv5gd6b/nWxfOPrLlSxbUo5FZ1i/ycj7/24nznW1V4ykG9iUld4uYUY86bB UGSjew1KYp9FmvKiwEoB+zxNnuEQfS7/Bj1X9nxizgweiHIyFsRqgogTvLh403QMSGNSoArk tqkorf1U+VhEncIn4H3KksJF0njZKfilrieOO7Vuot1xKr9QnYrZzJ7m7ZxJ/JfKGaRHXkE1 feMmrvZD1AtdUATZkoeQtTOpMu4r6IQRfSdwm/CkppZXfDe50DJxAMDWwfK2rr2bVkNg/yZI tKLBS0YgRTIynkvv0h8d9dIjiicw3RMeYXyqOnSWVva2r+tl+JBaenr8YTQw0zARrhC0mttu cIZGnVEvQuDwib57QLqMjQaC1gazKHvhA15H5MNxUhwm229UmdH3KM7BTQRbC43GARAAyTkR D6KRJ9Xa2fVMh+6f186q0M3ni+5tsaVhUiykxjsPgkuWXWW9MbLpYXkzX6h/RIEKlo2BGA95 QwG5+Ya2Bo3g7FGJHAkXY6loq7DgMp5/TVQ8phsSv3WxPTJLCBq6vNBamp5hda4cfXFUymsy HsJy4dtgkrPQ/bnsdFDCRUuhJHopnAzKHN8APXpKU6xV5e3GE4LwFsDhNHfH/m9+2yO/trcD txSFpyftbK2gaMERHgA8SKkzRhiwRTt9w5idOfpJVkYRsgvuSGZ0pcD4kLCOIFrer5xXudk6 NgJc36XkFRMnwqrL/bB4k6Pi2u5leyqcXSLyBgeHsZJxg6Lcr2LZ35+8RQGPOw9C0ItmRjtY ZpGKPlSxjxA1WHT2YlF9CEt3nx7c4C3thHHtqBra6BGPyW8rvtq4zRqZRLPmZ0kt/kiMPhTM 8wZAlObbATVrUMcZ/uNjRv2vU9O5aTAD9E5r1B0dlqKgxyoImUWB0JgpILADaT3VybDd3C8X s6Jt8MytUP+1cEWt9VKo4vY4Jh5vwrJUDLJvzpN+TsYCZPNVj18+jf9uGRaoK6W++DdMAr5l gQiwsNgf9372dbMI7pt2gnT5/YdG+ZHnIIlXC6OUonA1Ro/Itg90Q7iQySnKKkqqnWVc+qO9 GJbzcGykxD6EQtCSlurt3/5IXTA7t6sAEQEAAcLBdgQYAQgAIBYhBA5HipsSX+lqH0rpWtNk IzqANlYGBQJbC43GAhsMAAoJENNkIzqANlYGD1sP/ikKgHgcspEKqDED9gQrTBvipH85si0j /Jwu/tBtnYjLgKLh2cjv1JkgYYjb3DyZa1pLsIv6rGnPX9bH9IN03nqirC/Q1Y1lnbNTynPk IflgvsJjoTNZjgu1wUdQlBgL/JhUp1sIYID11jZphgzfDgp/E6ve/8xE2HMAnf4zAfJaKgD0 F+fL1DlcdYUditAiYEuN40Ns/abKs8I1MYx7Yglu3RzJfBzV4t86DAR+OvuF9v188WrFwXCS RSf4DmJ8tntyNej+DVGUnmKHupLQJO7uqCKB/1HLlMKc5G3GLoGqJliHjUHUAXNzinlpE2Vj C78pxpwxRNg2ilE3AhPoAXrY5qED5PLE9sLnmQ9AzRcMMJUXjTNEDxEYbF55SdGBHHOAcZtA kEQKub86e+GHA+Z8oXQSGeSGOkqHi7zfgW1UexddTvaRwE6AyZ6FxTApm8wq8NT2cryWPWTF BDSGB3ujWHMM8ERRYJPcBSjTvt0GcEqnd+OSGgxTkGOdufn51oz82zfpVo1t+J/FNz6MRMcg 8nEC+uKvgzH1nujxJ5pRCBOquFZaGn/p71Yr0oVitkttLKblFsqwa+10Lt6HBxm+2+VLp4Ja 0WZNncZciz3V3cuArpan/ZhhyiWYV5FD0pOXPCJIx7WS9PTtxiv0AOS4ScWEUmBxyhFeOpYa DrEx In-Reply-To: <20241107165146.125935-11-f.ebner@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL -0.050 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [RFC common v3 10/34] env: add module with helpers to run a Perl subroutine in a user namespace X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Am 07.11.24 um 17:51 schrieb Fiona Ebner: > The first use case is running the container backup subroutine for > external providers inside a user namespace. That allows them to see > the filesystem to back-up from the containers perspective and also > improves security because of isolation. > > Copied and adapted the relevant parts from the pve-buildpkg > repository. > > Originally-by: Wolfgang Bumiller > [FE: add $idmap parameter, drop $aux_groups parameter] > Signed-off-by: Fiona Ebner > --- > > New in v3. > > src/Makefile | 1 + > src/PVE/Env.pm | 136 +++++++++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 137 insertions(+) > create mode 100644 src/PVE/Env.pm > > diff --git a/src/Makefile b/src/Makefile > index 2d8bdc4..dba26e3 100644 > --- a/src/Makefile > +++ b/src/Makefile > @@ -15,6 +15,7 @@ LIB_SOURCES = \ > Certificate.pm \ > CpuSet.pm \ > Daemon.pm \ > + Env.pm \ > Exception.pm \ > Format.pm \ > INotify.pm \ > diff --git a/src/PVE/Env.pm b/src/PVE/Env.pm > new file mode 100644 > index 0000000..e11bec0 > --- /dev/null > +++ b/src/PVE/Env.pm > @@ -0,0 +1,136 @@ > +package PVE::Env; can this module and it's name be more specific to doing stuff with/in namespaces? e.g. PVE::Namespaces or PVE::Sys::Namespaces (there might be other stuff that might fit well in a future libproxmox-sys-perl and Proxmox::Sys::* respectively, so maybe that module path would be better?) I'd also make all sub's private if not really intended to be used outside this module. If the more general fork/wait-child helpers are needed elsewhere, or deemed to be useful, then they could go in their own module, like e.g. PVE::Sys::Process > + > +use strict; > +use warnings; > + > +use Fcntl qw(O_WRONLY); > +use POSIX qw(EINTR); > +use Socket; > + > +require qw(syscall.ph); > + > +use constant {CLONE_NEWNS => 0x00020000, > + CLONE_NEWUSER => 0x10000000}; > + > +sub unshare($) { > + my ($flags) = @_; > + return 0 == syscall(272, $flags); > +} > + > +sub __set_id_map($$$) { > + my ($pid, $what, $value) = @_; > + sysopen(my $fd, "/proc/$pid/${what}_map", O_WRONLY) > + or die "failed to open child process' ${what}_map\n"; > + my $rc = syswrite($fd, $value); > + if (!$rc || $rc != length($value)) { > + die "failed to set sub$what: $!\n"; > + } > + close($fd); > +} > + > +sub set_id_map($$) { > + my ($pid, $id_map) = @_; > + > + my $gid_map = ''; > + my $uid_map = ''; > + > + for my $map ($id_map->@*) { > + my ($type, $ct, $host, $length) = $map->@*; > + > + $gid_map .= "$ct $host $length\n" if $type eq 'g'; > + $uid_map .= "$ct $host $length\n" if $type eq 'u'; > + } > + > + __set_id_map($pid, 'gid', $gid_map) if $gid_map; > + __set_id_map($pid, 'uid', $uid_map) if $uid_map; > +} > + > +sub wait_for_child($;$) { > + my ($pid, $noerr) = @_; > + my $interrupts = 0; > + while (waitpid($pid, 0) != $pid) { > + if ($! == EINTR) { > + warn "interrupted...\n"; > + kill(($interrupts > 3 ? 9 : 15), $pid); > + $interrupts++; > + } > + } > + my $status = POSIX::WEXITSTATUS($?); > + return $status if $noerr; > + > + if ($? == -1) { > + die "failed to execute\n"; > + } elsif (POSIX::WIFSIGNALED($?)) { > + my $sig = POSIX::WTERMSIG($?); > + die "got signal $sig\n"; > + } elsif ($status != 0) { > + warn "exit code $status\n"; > + } > + return $status; > +} > + > +sub forked(&%) { FWIW, there's some "forked" method in test/lock_file.pl that this might replace too, if it stay public. > + my ($code, %opts) = @_; > + > + pipe(my $except_r, my $except_w) or die "pipe: $!\n"; > + > + my $pid = fork(); > + die "fork failed: $!\n" if !defined($pid); > + > + if ($pid == 0) { > + close($except_r); > + eval { $code->() }; > + if ($@) { > + print {$except_w} $@; > + $except_w->flush(); > + POSIX::_exit(1); > + } > + POSIX::_exit(0); > + } > + close($except_w); > + > + my $err; > + if (my $afterfork = $opts{afterfork}) { > + eval { $afterfork->($pid); }; > + if ($err = $@) { > + kill(15, $pid); > + $opts{noerr} = 1; > + } > + } > + if (!$err) { > + $err = do { local $/ = undef; <$except_r> }; > + } > + my $rv = wait_for_child($pid, $opts{noerr}); > + die $err if $err; > + die "an unknown error occurred\n" if $rv != 0; > + return $rv; > +} > + > +sub run_in_userns(&;$) { > + my ($code, $id_map) = @_; > + socketpair(my $sp, my $sc, AF_UNIX, SOCK_STREAM, PF_UNSPEC) > + or die "socketpair: $!\n"; > + forked(sub { > + close($sp); > + unshare(CLONE_NEWUSER|CLONE_NEWNS) or die "unshare(NEWUSER|NEWNS): $!\n"; > + syswrite($sc, "1\n") == 2 or die "write: $!\n"; > + shutdown($sc, 1); > + my $two = <$sc>; > + die "failed to sync with parent process\n" if $two ne "2\n"; > + close($sc); > + $! = undef; > + ($(, $)) = (0, 0); die "$!\n" if $!; > + ($<, $>) = (0, 0); die "$!\n" if $!; > + $code->(); > + }, afterfork => sub { > + my ($pid) = @_; > + close($sc); > + my $one = <$sp>; > + die "failed to sync with userprocess\n" if $one ne "1\n"; > + set_id_map($pid, $id_map); > + syswrite($sp, "2\n") == 2 or die "write: $!\n"; > + close($sp); > + }); > +} > + > +1; _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel